
TEL382 Information Assurance Policies and Disaster Recovery

TEL382 Information Assurance Policies and Disaster Recovery. Week 2. Outline. Risk Analysis Background Risk Analysis Benefits and Goals Risk Analysis Team Quantitative vs. Qualitative Steps Assets Threat Analysis/Risk Assessment Controls/Risk Management Example.

mholiday


Presentation Transcript


  1. TEL382 Information Assurance Policies and Disaster Recovery Week 2

  2. Outline • Risk Analysis Background • Risk Analysis Benefits and Goals • Risk Analysis Team • Quantitative vs. Qualitative • Steps • Assets • Threat Analysis/Risk Assessment • Controls/Risk Management • Example

  3. Risk Management Objectives • Maintain customer, constituent, stockholder, or taxpayer confidence in organization • Protect confidentiality of sensitive information (personal, financial, trade secret, etc.) • Protect sensitive operational data from inappropriate disclosure • Avoid third-party liability for illegal or malicious acts committed with organization’s systems • Ensure that organization computer, network, and data are not misused or wasted • Avoid fraud • Avoid expensive and disruptive incidents • Comply with pertinent laws and regulations • Avoid a hostile workplace atmosphere

  4. Risk Analysis/Policy Development Team • Information Security • Telecommunications • Network Administration • System Users • System Administrator • Systems Analysis • Systems Programming • Applications Programming • Database Administration • Physical Security • Functional Owner • Service Provider • Executive Management • Business/Project Management • Auditing • Legal • HRM • Labor Relations

  5. Introduction to Risk Analysis • Security in any system should be commensurate with its risks. • Process to determine which security controls are appropriate and cost effective is quite often complex and subjective • Several distinct approaches to risk analysis that can be broken down into two types: quantitative and qualitative.

  6. Two Types of Risk Analysis • Quantitative: Assigns independently objective numeric values (e.g., monetary values) to the components of the risk analysis and to the level of potential losses. When all elements (asset value, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are quantified, the process is considered to be fully quantitative • Qualitative: Is subjective in nature. Does not attempt to assign numeric values to all components. Relies on scenarios or “what if” questions

  7. Standard Risk Analysis Methodology • Identify asset to be reviewed • Ascertain threats, risks, concerns or issues to asset • Prioritize risk or determine vulnerability of threat to asset • Implement corrective measures, controls, safeguards, or accept risk • Monitor effectiveness of controls and assess effectiveness

  8. Risk Assessment Steps • Set parameters for risk analysis • Define system’s assets • Determine relevant threat profiles • Survey all system users to discover vulnerabilities • Analyze all data • Write the report

  9. Qualitative Steps • Develop a Scope Statement • Assemble a Competent Team • Identify Threats • Prioritize Threats • Calculate Impact Priority • Calculate Total Threat Impact • Identify Safeguards • Cost-Benefit Analysis • Rank Safeguards in Priority Order • Write Risk Analysis Report

  10. Risk Analysis Process Steps • Assign responsibilities for risk assessment • Identify information assets that are at risk • Identify threats to information assets • Assess vulnerabilities to information assets • Determine probable loss or consequences, based upon quantitative/qualitative evaluation, threat and likelihood of such occurrence • Identify and estimate cost of protective measures that could eliminate or reduce vulnerability to an acceptable level • Select cost-effective security management measures to be implemented • Prepare report for submittal to executive or senior management that documents findings and recommendations

  11. Risk Analysis & Management DEFINITION PHASE • Scope: Define what the task will encompass • Participants: Identify what/who will be surveyed and who will be otherwise involved • Procedure: Define the procedure for data collection and risk analysis. ANALYSIS PHASE • Collect Data: Collect data on items included in scope. Set time frame for completion • Analysis: Analyze completed surveys; “what-if” modeling; compliance measurements • Reporting: Create and edit reports; submit same to management; revise as necessary

  12. DECISION PHASE • Submit Risk Analysis Report: Advise management of analysis results and recommendations • Management Decision: Obtain concurrence with analyst recommendations and trade-offs • Assign/Track Actions: Cause the approved actions to be implemented RISK MANAGEMENT PHASE • Report when actions are complete: A final report to management shows the updated security posture • Continuously Monitor: Once a desirable security posture is attained, it must be monitored

  13. Step 1: Identify Assets • Identify Assets. Assets are anything with value and worth protecting or preserving.

  14. Asset Details • Determine value • If shared with other resources • If critical to the organization or function • Ownership • Physical location • Part of inventory?

  15. Step 2: Identify Threats • Identify Applicable Threats and their frequency of occurrence. Threats are events or actions with the potential to cause an impact upon assets.

  16. Threat Examples • Natural hazards • Human error • Fire • Theft • Unstable power • Hardware failure • Software failure • Masquerading as authorized employee

  17. Threat Details • Justification • Why applicable • Why the frequency • Frequency of occurrence • historical records • empirical knowledge

  18. Step 3: In-place Countermeasures • Identify In-Place Countermeasures. Countermeasures are devices, processes, actions and/or procedures which have the propensity to reduce vulnerability. They only count if they’re in-place!

  19. Countermeasure Examples • Procedures • Management support • Contingency plan • Metal Detector • Virus software • Perimeter Fences • Training • Power conditioning • Backup procedures • Access controls • CCTV • Guards

  20. Step 4: Vulnerabilities • Determine Vulnerabilities. Vulnerabilities are a condition of weakness. A weakness might allow threats to have an impact on assets.

  21. Vulnerability Examples. Susceptibility to: • Unauthorized access • Natural hazards • Unstable power • Terrorist Activity • Key person dependency • User or operator errors • Fire • Theft of Resources

  22. Quantify Vulnerabilities A risk analysis process must identify areas of vulnerabilities and their levels. • Vulnerability levels are calculated • Based on in-place countermeasures

  23. Step 5: Calculate Loss • Calculate Estimated Loss: (VL * Asset Cost * TV) = SLE, and SLE * Threat Multiplier = ALE, where: VL = Vulnerability Level, TV = Threat Value, SLE = Single Loss Expectancy, ALE = Annual Loss Expectancy. Loss is a measure of the impact upon assets by one or more manifested threats. Impact is a calculated value.

  24. Impact? Manifested Threats + Vulnerability = IMPACT. This is called risk.

  25. Impact Categories • Disclosure (Confidentiality lost) • Destruction (Complete loss) • Distrust (Available but questionable) • Denial of Service (Not available) Which category(ies) should be avoided?

  26. How Does it all Fit Together? [Diagram labels: THREAT (repeated), VULNERABILITY, COUNTERMEASURES, ASSET, IMPACT: DESTRUCTION, DENIAL OF SERVICE, DISTRUST, MODIFICATION]

  27. Step 6: Recommendations • Recommend Corrective Action. There are many ways to reduce expected loss from threat activity. Each corrective action is a countermeasure.

  28. Types of Action • Operational trade-off • Some countermeasures required by regulation • contingency plan • security training • Discretionary countermeasures

  29. Reports Should... • Show procedures used • Be management oriented • Be concise • Contain no jargon • Show conclusions • Include recommendations • Show appropriate references • Provide trade-off justification

  30. Critical Asset Examples • Information • People • Software • Hardware • Facilities • etc.

  31. Asset Categories • Physical • Logical • Critical Applications or Data • Confidential Information • Sensitive Information • Public Information

  32. Value of an Information Asset • Cost to produce • Value of info on open market • cost of reproducing if destroyed • benefit info brings to enterprise • repercussion if info not available • advantage to competitor if used, changed or destroyed • cost if released, altered or destroyed • loss of client or customer confidence if info not held • loss of public credibility and embarrassment if info not secure

  33. Assets: Networks and Software • Networks: FEPs, Workstations, Modems, Comm Lines, Data Encryption Tools, SAT Links, Remote Access Security • Software: OS, Utilities, Compilers, Database SW, Application SW, Procedure Libraries

  34. Assets: Physical and Other • Physical: Buildings, HVAC, Furniture, Supplies, Machinery, Fire Control Systems • Other: Employees, Policies, Procedures, Customer Confidence

  35. Threat Analysis/Risk Assessment

  36. The Variable Nature of the Elements of Risk

  37. Risk is Commonplace

  38. Never Ending Cycle ASSESSING MITIGATING RISK

  39. Evaluate the Risks as to Consequences & Likelihoods • A risk consists of a likelihood and consequences. • Derived from mathematical concept of “expectation” • Expectation for some event is defined as the product of its probability of occurrence and its value if it occurs. • Thus, a one-in-forty million lottery ticket for a prize of $20,000,000 has an expectation of fifty cents. • Our work is more fuzzy than the lottery example, and there is usually very little precision in either the metrics for probability of occurrence or consequences • Therefore, possibility expressed as a combination of probability and consequences is subject to debate • Use whatever tools are available and meaningful in a given situation, but do not get hung up on mathematics that do not really have any more precision than a judgment • There may be situations in which effectiveness analyses, engineering analyses, bean counting of interfaces, etc. may be desirable, but these are sideline issues to the exercising of judgment about the risks

  40. Threat • Webster: “an indication of an impending undesirable event” or “an expression of intention to inflict evil, injury or damage”

  41. Threat Characteristics [Diagram labels: Capability, Motivation, Willingness, Likelihood of Attack, Likelihood of Success, Conditional Likelihood An Adversary Can Succeed, (Threat Value), (Given Capable), (Given Attempted and Capable)]

  42. Threat Sources • Nature - Historical • Unintentional human error - Historical • Technological failure - Historical • Adversarial - Threat Assessment

  43. Adversarial Threat Characteristics • Objectives - As opposed to ours • Intentions • Motivation to act • Willingness to accept risk • Willingness to accept cost • Technical capability • Resources

  44. Threat • The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission

  45. Threat Examples • Adversarial: Terrorists, Foreign States, Disgruntled Employees, Criminals, Recreational Hackers, Commercial Competitors • Non-Adversarial: Nature, Unintentional Human Acts

  46. Attack • A well-defined set of actions by the threat (an active agent) that, if successful, would damage a critical asset -- cause an undesirable state of affairs -- resulting in harm to an organization’s ability to perform its mission

  47. Vulnerability Examples • Inadequate password management • Easy access to a facility • Weak cryptography • Software flaw • Open port

  48. Consequence/Impact • The harmful result of a successful attack, degrading an organization’s ability to perform its mission

  49. Consequence Examples • Harm to organization mission • Loss of information confidentiality • Loss of information integrity • Loss of availability of information or system functions • Inability to correctly authenticate sender of information • Inability to verify receipt of information by the intended recipient

  50. Threat Elements • Agent: catalyst that performs the threat. May be human, machine, or nature • Motive: something causing agent to act. May be either accidental or intentional. • Results: Outcome of applied threat. May lead to loss of access, unauthorized access, modification, disclosure, or destruction of the information asset.
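
The loss calculation of Step 5 (slide 23) and the cost-benefit and safeguard-ranking steps (slides 9 and 10), worked through in Python as an added example that is not part of the original slides. The 0 to 1 scales for VL and TV, the reading of Threat Multiplier as expected occurrences per year, and every dollar figure in the register are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_cost: float         # dollars (constructed values below)
    vl: float                 # vulnerability level; assumed scale 0..1
    tv: float                 # threat value; assumed scale 0..1
    threat_multiplier: float  # assumed meaning: expected occurrences per year

    def __post_init__(self):  # reject inputs that would give a meaningless loss
        if not (0 <= self.vl <= 1 and 0 <= self.tv <= 1):
            raise ValueError("VL and TV must lie in [0, 1]")
        if self.asset_cost < 0 or self.threat_multiplier < 0:
            raise ValueError("asset cost and multiplier must be non-negative")
    def sle(self):            # slide 23: VL * Asset Cost * TV
        return self.vl * self.asset_cost * self.tv
    def ale(self):            # slide 23: SLE * Threat Multiplier
        return self.sle() * self.threat_multiplier

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float        # dollars per year
    vl_after: float           # VL once the safeguard is in place

def rank_risks(register):
    return sorted(register, key=Risk.ale, reverse=True)  # highest ALE first

def net_benefit(risk, sg):
    """ALE reduction minus yearly safeguard cost; <= 0 means not cost-effective."""
    return risk.ale() - replace(risk, vl=sg.vl_after).ale() - sg.annual_cost

def rank_safeguards(pairs):
    """(name, net benefit, decision) rows, best net benefit first."""
    rows = [(sg.name, net_benefit(r, sg)) for r, sg in pairs]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(n, b, "implement" if b > 0 else "accept risk") for n, b in rows]

# Constructed register; asset, threat and countermeasure names echo the slides.
DB = Risk("Customer database", "Theft", 200_000, 0.5, 0.25, 2)
PWR = Risk("Server room", "Unstable power", 80_000, 0.25, 0.5, 4)
WS = Risk("Workstations", "Hardware failure", 40_000, 0.75, 0.5, 0.5)
REGISTER = [WS, PWR, DB]
PAIRS = [(WS, Safeguard("Contingency plan", 9_000, 0.25)),
         (PWR, Safeguard("Power conditioning", 5_000, 0.125)),
         (DB, Safeguard("Access controls", 10_000, 0.125))]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:18} {r.threat:17} SLE={r.sle():>8,.0f} ALE={r.ale():>8,.0f}")
    print(rank_safeguards(PAIRS))
```

The workstation safeguard costs more per year than the loss it removes, which is the "accept risk" branch of the standard methodology on slide 7.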
