Oppliger: Ch. 15 Risk Management
Outline • Introduction • Formal risk analysis • Alternative risk analysis approaches/technologies • Security scanning • Intrusion detection • True or false? • Risks are everywhere! • A new risk may be introduced (or triggered) by a solution.
Risk • A risk is an expectation of loss. • Usually represented as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result • Risk = prob (T, V, R) • Example: • Let T = “port scanning” • Let V = “No firewall exists between the public Internet and the private network” • Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer” • Other examples of risk?
Risk Analysis • Aka. Risk Assessment • A systematic process that • identifies valuable system resources and the threats to those resources; • quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence; • (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure • In short: a process that identifies risks, their respective potential cost, and the countermeasures against them
Risk Analysis (cont.) • Example of risk analysis? • Let T = “port scanning” • Let V = “No firewall exists between the public Internet and the private network” • Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer” • Factors affecting the potential cost? Cost per incident and frequency of incidents; the expected annual loss is their product • Other examples of risk analysis? • Other definitions of risk analysis?
Risk Analysis (cont.) • Other definitions of risk analysis? • Risk analysis (in business) is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Source: http://en.wikipedia.org/wiki/Risk_analysis_(Business) • Risk analysis (in engineering) is the science of risks, their probability and their evaluation. Source: http://en.wikipedia.org/wiki/Risk_analysis_(engineering) Cf. risks with respect to project failure; risks with respect to a system being breached; other risks?
Risk Management • A process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources • Threat model • The attackers (who) • The attacks (how) • The resources (what) • …
Formal Risk Analysis • A formal process/tool(s) for performing risk analysis • Examples: • British CCTA’s CRAMM (CCTA Risk Analysis & Management Method) • French CLUSIF’s MARION • Steps: • Establish an inventory of all assets • Quantify loss exposures based on estimated frequencies and costs of occurrence • Quantitative risk analysis is complex! • Frequencies and costs are difficult to estimate (because of system complexity and the lack of good models and data).
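The two formal steps above, together with the "cost per incident times frequency" quantification and the optional countermeasure-allocation step from the Risk Analysis slides, carried through in code. This is an added example, not material from Oppliger's chapter and not how CRAMM or MARION work internally. It uses the standard annualised loss expectancy (ALE = single loss expectancy × annual rate of occurrence), which is exactly the frequency × cost the slide describes; every asset, frequency, cost and countermeasure figure is constructed for illustration, and the greedy selection under a budget is one simple way to do the allocation step, not the only one.

```python
"""Quantitative risk analysis, worked through in code (added example, not from
Oppliger or from CRAMM/MARION). It follows the slide's steps: an asset
inventory, loss exposure per risk as cost per incident x incidents per year
(the annualised loss expectancy, ALE = SLE x ARO), and the optional final step
of choosing countermeasures under a budget to minimise the residual exposure.
Every asset, frequency, cost and countermeasure below is a constructed figure
for illustration only.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str           # T
    vulnerability: str    # V
    result: str           # R
    sle: float            # single loss expectancy: cost of one incident
    aro: float            # annual rate of occurrence: incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy = cost per incident x frequency."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: str        # the threat T it addresses
    aro_reduction: float  # fraction by which it cuts that threat's ARO (0..1)


# Step 1: asset inventory with the (T, V, R) triple per risk. Constructed data;
# the first entry is the slides' own port-scanning example.
RISKS = [
    Risk("file server", "port scanning",
         "no firewall between the Internet and the private network",
         "unauthorized connection to an internal host", sle=20_000, aro=2.0),
    Risk("public web site", "web defacement", "unpatched CMS",
         "defaced site and reputational loss", sle=50_000, aro=0.5),
    Risk("staff laptops", "theft", "unencrypted disks",
         "customer data disclosure", sle=100_000, aro=0.2),
]

CANDIDATES = [
    Countermeasure("perimeter firewall", 5_000, "port scanning", 0.90),
    Countermeasure("patch management", 8_000, "web defacement", 0.80),
    Countermeasure("full-disk encryption", 3_000, "theft", 0.95),
    Countermeasure("high-end IPS appliance", 40_000, "port scanning", 0.99),
]


def total_exposure(risks):
    """Step 2: total loss potential is the sum of the ALEs."""
    return sum(r.ale() for r in risks)


def rank_by_ale(risks):
    """Largest loss exposure first; this is what decides where to spend."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def apply_countermeasure(risks, cm):
    """Residual risks after cm: the ARO of the threat it covers is scaled down."""
    return [replace(r, aro=r.aro * (1 - cm.aro_reduction)) if r.threat == cm.mitigates else r
            for r in risks]


def net_benefit(risks, cm):
    """ALE avoided minus what the countermeasure itself costs per year.
    Negative means the control costs more than the loss it prevents."""
    return total_exposure(risks) - total_exposure(apply_countermeasure(risks, cm)) - cm.annual_cost


def select_countermeasures(risks, candidates, budget):
    """Step 3 (optional on the slide): greedy selection. Repeatedly take the
    affordable candidate with the largest positive net benefit against the
    *current* residual risk, so a second control for an already-mitigated
    threat is valued only for what it still adds. Returns the chosen names,
    the residual total exposure and the budget spent."""
    current, remaining, chosen, spent = list(risks), list(candidates), [], 0.0
    while True:
        best = None
        for cm in remaining:
            if spent + cm.annual_cost > budget:
                continue
            nb = net_benefit(current, cm)
            if nb > 0 and (best is None or nb > best[1]):
                best = (cm, nb)
        if best is None:
            return chosen, total_exposure(current), spent
        cm = best[0]
        chosen.append(cm.name)
        spent += cm.annual_cost
        current = apply_countermeasure(current, cm)
        remaining.remove(cm)


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.asset:16} {r.threat:16} ALE = {r.ale():>10,.0f}")
    print(f"total exposure before controls: {total_exposure(RISKS):,.0f}")
    chosen, residual, spent = select_countermeasures(RISKS, CANDIDATES, budget=15_000)
    print(f"chosen: {chosen}; residual exposure {residual:,.0f}; spent {spent:,.0f}")
```

Two things the numbers show that the slide's definition only states: the most expensive control (the IPS appliance) is never chosen, because its annual cost exceeds the loss it would avoid even before the firewall is in place, and the ranking by ALE is not the same as the ranking of what to buy first, since a cheap control against a mid-sized risk can have a larger net benefit than a dear one against the top risk. The hard part in practice is the step this code takes as input: defensible SLE and ARO estimates.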
Qualitative risk analysis • Differs from formal/quantitative risk analysis in the quantification step • Qualitative risk analysis only identifies the existence of risks; it does not try to estimate the frequency and the cost of occurrence in order to calculate the loss potential. • Examples: • A Web site connected to the Internet could be hacked. • A computer connected to the Internet is subject to port scanning. Note: The definition may be arguable. See http://www.anticlue.net/archives/000817.htm, for example. The qualitative risk analysis outlined in that article includes a quantification step.
Other approaches to risk analysis • Security scanning • The process of performing vulnerability analyses using a security scanner. • Security scanner: a tool that scans a system to identify vulnerabilities • Intrusion Detection • The process of identifying and responding to intrusions into a system. • An intrusion is “a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats …”
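What "identifying intrusions" looks like for the slides' running threat, T = "port scanning": an added example, not from Oppliger, that runs a simple sliding-window rule over a constructed connection log. The log format, the addresses and the thresholds are all assumptions made for the illustration. The rule flags one source that touches many distinct ports on one host within a short window; it deliberately does not filter on the firewall verdict, because in the slides' V = "no firewall" case the scan shows up as accepted connections rather than denied ones.

```python
"""Intrusion detection for the slides' running threat, T = "port scanning":
an added example, not from Oppliger. The log format, addresses and thresholds
are constructed for illustration.

Rule: one source that contacts at least PORT_THRESHOLD distinct destination
ports on a single host within WINDOW_SECONDS is reported as a vertical scan.
The firewall verdict is deliberately ignored: a scan against a host that
accepts connections (the slides' "no firewall" case) shows up as ALLOW lines,
so filtering on DENY would miss exactly the case the risk describes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PORT_THRESHOLD = 6
WINDOW_SECONDS = 60

# Constructed connection log: <ISO timestamp> <src> <dst> <dst_port> <verdict>
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 10.0.0.5 22 DENY
2024-05-01T10:00:00 203.0.113.7 10.0.0.5 23 DENY
2024-05-01T10:00:01 203.0.113.7 10.0.0.5 25 DENY
2024-05-01T10:00:01 198.51.100.3 10.0.0.8 443 ALLOW
2024-05-01T10:00:02 203.0.113.7 10.0.0.5 80 ALLOW
2024-05-01T10:00:02 203.0.113.7 10.0.0.5 110 DENY
2024-05-01T10:00:03 203.0.113.7 10.0.0.5 143 DENY
2024-05-01T10:00:03 198.51.100.3 10.0.0.8 443 ALLOW
2024-05-01T10:00:04 203.0.113.7 10.0.0.5 443 ALLOW
2024-05-01T10:00:05 203.0.113.7 10.0.0.5 3389 DENY
2024-05-01T10:00:05 198.51.100.3 10.0.0.8 80 ALLOW
2024-05-01T10:20:00 203.0.113.7 10.0.0.5 8080 DENY
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, verdict), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, verdict = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), verdict))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_scans(text, threshold=PORT_THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Sliding-window detector. One alert per (src, dst) scan episode: once the
    distinct-port count crosses the threshold, later hits in the same episode
    do not re-alert; the pair is re-armed when the window drains below it."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) inside the window
    alerting = set()              # pairs currently above the threshold
    alerts = []
    for ts, src, dst, port, _verdict in parse_log(text):   # verdict ignored on purpose
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}   # repeated hits on one port are not a scan
        if len(distinct) >= threshold:
            if key not in alerting:
                alerting.add(key)
                alerts.append({
                    "src": src, "dst": dst,
                    "first_seen": q[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "distinct_ports": len(distinct),
                    "ports": sorted(distinct),
                })
        else:
            alerting.discard(key)
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"port scan: {a['src']} -> {a['dst']} hit {a['distinct_ports']} ports "
              f"{a['ports']} between {a['first_seen']} and {a['last_seen']}")
```

On the sample log the detector raises exactly one alert, for 203.0.113.7 against 10.0.0.5, and stays quiet for 198.51.100.3 (two ports, one of them repeated) and for the lone hit twenty minutes later, which falls outside the window. The threshold and window are the tuning knobs that trade false positives (a busy legitimate client) against missed slow scans spread over hours; horizontal scans (one port across many hosts) need a second rule keyed on the source alone.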