1 / 21

Unit Outline Quantitative Risk Analysis

Unit Outline Quantitative Risk Analysis. Module 1: Quantitative Risk Analysis and ALE  Module 2: Case Study Module 3: Cost Benefit Analysis and Regression Testing Module 4: Modeling Uncertainties Module 5: Summary. Module 2 Case Study. Case Study Learning Objectives.

sylvie
Télécharger la présentation

Unit Outline Quantitative Risk Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Unit OutlineQuantitative Risk Analysis Module 1: Quantitative Risk Analysis and ALE  Module 2:Case Study Module 3: Cost Benefit Analysis and Regression Testing Module 4: Modeling Uncertainties Module 5: Summary

  2. Module 2Case Study

  3. Case StudyLearning Objectives • Students should be able to: • Understand the case. • Derive the assets, vulnerabilities, threats, and controls relevant to the case. • Fill in the Asset/Vulnerability, Vulnerability/Threat, and Threat/Control matrices based on the case in a quantitative manner.

  4. Case StudyExample • Use the information that you have learned in the lecture in the following case study of a government organization. • Remember these key steps for determining ALE • Identify and determine the value of assets • Determine vulnerabilities • Estimate likelihood of exploitation • Compute ALE • Survey applicable controls and their costs • Perform a cost-benefit analysis

  5. Case StudyCase An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities. The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment. Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktop is $1,500.

  6. Case StudyCase Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars. The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.

  7. Case StudyExample- Assets (Tangible) • Transaction Revenue- amount of profit from transactions • Data- client information • Laptops- shared, used for collecting information • Desktops- shared, used for processing client information • Regional Servers- stores all work activities of employees in region • HQ Server- query regional servers to fulfill transactions

  8. Case StudyExample- Asset Valuations Transaction Revenue $10,000 per day Data (Liability) $10 million (total assets of organization) Laptops ½ x 200 (locations) x 20 (employees) x $2,500 (laptop cost) = $5,000,000 Desktops ½ x 200 (locations) x 20 (employees) x $1,500 (desktop cost) = $3,000,000 Regional Servers $30,000 (server cost)x 10 (regions) + 80 (hours) x $20 (pay rate) x 10 (regions)+ $10,000 (transaction revenue) = $326,000 HQ Server $10,000 (transaction revenue) + $100,000 (cost of HQ server) + 80 (hours) x $20 (pay rate) x 10 (regions) = $126,000

  9. Case StudyExample- Vulnerabilities • Vulnerabilities are weaknesses that can be exploited • Vulnerabilities • Laptop Computers • Desktop Computers • Regional Servers • HQ server • Network Infrastructure • Software • Computers and Servers are vulnerable • to network attacks such as viruses/ • worms, intrusion & hardware failures • Laptops are especially vulnerable to theft

  10. Case StudyExample- Threats • Threats are malicious & benign events that can exploit vulnerabilities • Several threats exist • Hardware Failure • Software Failure • Theft • Denial of Service • Viruses/Worms • Insider Attacks • Intrusion and Theft of Information

  11. Case StudyExample- Controls • Intrusion detection and firewall upgrades on HQ Server • mitigate HQ server failure and recovery • Anti-Virus Software • mitigates threat of worms, viruses, DOS attacks, and some intrusions • Firewall upgrades • mitigates threats of DOS attacks and some intrusions, worms and viruses • Redundant HQ Server • reduces loss of transaction revenue • Spare laptop computers at each location • reduces loss of transaction revenue and productivity • Warranties • reduces loss of transaction revenue and cost of procuring replacements • Insurance • offset cost of liability • Physical Controls • reduce probability of theft • Security Policy • can be used to reduce most threats.

  12. Case StudyAsset/Vulnerability Matrix • The coefficients of this matrix are usually based on internal data as well as financial loss organizations • For the current example we will assume data for illustration of the concept • Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure with which clients access the data. (.30 each) • Laptops, desktops and software is only associated with the remaining 10% (.033 each) • Data that is located on laptops and desktops make up only 10% of total data because they are only used for collecting and processing. • The regional servers contain all other data. • Other assets are associated at 100% with their • respective vulnerabilities. (e.g. laptops with laptops, • desktops with desktops, etc.)

  13. Case StudyAsset/Vulnerability Matrix, cont’d. • Customize matrix to assets & vulnerabilities applicable to case • Compute cost of each asset and put them in the value row • Determine correlation with vulnerability and asset • Compute the sum of product of vulnerability & asset values; add to impact column

  14. Case StudyVulnerability/Threat Matrix • The coefficients of this matrix are usually based on data from the literature • For the current example we will assume data for illustration of the concept • Failure rate of laptops is .001 per day (i.e., one in a thousand • laptops encounter hardware failure during a day) • Similarly failure rate of a desktop is .0002 • (i.e. 2 in ten thousand desktops would • encounter hardware failure in a given day. • Hardware failure can cause loss of software, • however, our assumption is that all • software is replaceable from backups

  15. Case StudyVulnerability/Threat Matrix, cont’d. • We assume that the hardware failure will disrupt the network once every one hundred days • There is 0.3 percent chance that software failure can lead to failure of desktops • We assume that there is a .01 chance of a laptop being stolen, .001 for a desktop, and .0002 for servers.There is a very low chance that network equipment is stolen since it is kept in secure rooms (.0002). When equipment is stolen some software may have been stolen as well (.05). Servers are less likely to be stolen (.0001).Network infrastructure would also have a .01 chance of being stolen. • We assume that the denial-of-service can disable machines as well as cause destruction of software. Denial-of-service would likely target the servers (.01) more than the desktops or laptops (.001).

  16. Case StudyVulnerability/Threat Matrix, cont’d. • Insider attacks are primarily meant to exploit data & disable machines so it is more likely (.01 chance for laptops and desktops), less for regional servers (.001) and even less for headquarter servers (.0005) due to less accessibility. Network infrastructure has a medium chance of being affected by insider attacks (.001) because it is present in all parts of the organization. Software also has a .005 chance of being affected by insider attacks. • Viruses and worms would be more likely to affect laptops and desktops (.01) was they would be more user-controlled and less likely to be patched and protected. The regional servers are more secure (.005). • Intrusions are more likely to occur at the user level (.01) for desktops and laptops. The regional level would occur less (.005) and HQ servers even less (.001).

  17. Case StudyVulnerability/Threat Matrix, cont’d. • Complete matrix based on the specific case • Add values from the Impact column of the previous matrix • Determine association between threat and vulnerability • Compute aggregate exposure values by multiplying impact and the associations and adding across vulnerabilities

  18. Case StudyThreat/Control Matrix • Some of these controls have threats associated with them. However, these are secondary considerations and we will be focusing on primary threats. • We assume that IDS systems will control 30% of the DOS attacks, 30% of Viruses and Worms and 90% of intrusions • In addition, IDS systems do not impact insider attacks • Anti-Virus Software will prevent 90% of Viruses and Worms. • That upgrades to a firewall will greatly control (90% each) of DOS attacks, as well as Viruses and Worms. It will control 30% of intrusions, and about 10% of insider attacks and intrusions. • A redundant HQ server will control 10% of hardware failure (when the original HQ server fails). This is the same percentage for theft and insider attacks. Also, a redundant HQ server will help with 80% in cases of DOS attacks on the HQ server. • Spare laptops will assist in cases of theft (30% because of volume) and 10% in all cases of hardware and software failure, and denial of service.

  19. Case StudyThreat/Control Matrix, cont’d. • We assume that warranties will help with 70% of both hardware failure and software failure. While it will assist with the cost of new hardware or software, will not reduce employee time. • It is determined that insurance will be able to control 90% of impacts from the threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and Intrusion. • Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft and 10% of insider attacks. • Also, it is assumed that a security policy will assist with 20% of all threats since every policy can have procedures which can assist in prevention. • Customize matrix based on the specific case • Add values from the threat importance column of the • previous matrix • Determine impact of different controls on different threats • Compute the sum of the products of the threat • importance by the impact of controls to determine values.

  20. Case StudyThreat/Control Matrix, cont’d.

  21. Case StudyAssignment • Given the matrices and the example case provided, use this same methodology in application to determine the information security risk in your own organization.

More Related