Title: Risk Analysis (RA) and Security Planning
1 Risk Analysis (RA) and Security Planning
- The slides are derived from John Carpenter's notes
2 Risk Analysis (RA) and Security Planning
- Risk Analysis (RA)
- Benefits of Risk Analysis
- Some Homely Examples
- Steps to Complete a RA
- Security Planning
- Content of a Security Plan
Pfleeger (2nd ed.) Ch 10.4, 10.5, 10.6; Pfleeger (3rd ed.) Ch 8.1, 8.2, 8.3
3 Computer Security and Industries
- Government and private intelligence communities
- Internal threats (dishonest employees, software failures etc.)
- Business partners (customers, competitors, suppliers, etc.)
- Hackers, investigators, reporters etc.
4 Security facts (believe it or not!)
- Bank robbery through computers
- Industrial espionage on corporate information
- Loss of individual privacy (files, emails, chats, video conferencing, ...)
- Information vandalism (destroy backups, delete files, vandalise web pages, ...)
- Computer viruses
- (more can be found in comp.risks and other websites)
5 Is the Computer Threat Real?
- 1997 survey of 61 large companies that had firewalls (site had > 1000 PCs and Internet servers)
- 44% reported probes by outsiders
- 23% IP spoofing (used to break in to hosts on the Internet)
- 10% email bombs
- 8% denial of service attacks
- 8% sendmail probes
- 89% reported that the firewall responded adequately
Internet sources
6 Computer Threat
- Computer Security Institute/FBI Survey
- 35% annual increase in data sabotage incidents from 1997 to 1999
- 25% annual increase in financial fraud perpetrated on-line
- Abuse of network access increased over 20%, resulting in losses of $8 million
- Security breaches caused US$15 billion in losses in 2000
Internet sources
7 Other Surveys
- Poll of 1,400 companies with > 100 employees
- About 90% are confident in their firm's network security
- But 50% failed to report break-ins
- 58% increase in spending on security
- 1997-2001, Fortune firms lost US$45 billion; high-tech firms were the most vulnerable
Internet sources
8 Risk Analysis
(Diagram with the elements: Vulnerabilities, Threats, Assets, Analysis, Risks, Management, Counter Measures)
9 Risk Analysis (RA-1)
- A study of the risk that a business or system is subject to.
- A process to determine exposure and potential loss.
- RISK: the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
10 Risk Analysis (RA-2)
- Suppose an event is associated with a loss; this loss is the risk impact (sometimes simply called risk), measured in $s.
- There is a probability (risk probability) of occurrence, a number in the range 0 (if not possible) to 1 (if certain).
- Risk exposure is the amount: Risk-exposure = Risk-impact x Risk-probability.
- As things change, so can these values (!)
11 Risk Analysis (RA-3)
- For risk analysis, RISK = LOSS ($) x PROBABILITY, usually measured per annum.
- Expressed as Annual Loss Expectancy (ALE), in $ per annum.
- By quantifying the risk, we can justify the benefit of spending money to implement controls.
12 Benefits of Risk Analysis
- Improved awareness by users and management
- Documentation of assets, their vulnerabilities and possible controls
- Provides an accountable basis for decision making
- Provides accountable justification for expenditure on counter measures
13 Example (1)
- Hard disk failure on your PC
- Hard disks fail about every three years: probability of failure is 1/3 per year
- Intrinsic cost: say $600 to buy a new disk
- But also, say 10 hours of your effort to reload the O/S and software, and
- say 4 hours to re-key assignments from the last backup
- Assume $10.00 per hour for your effort
- Total loss = $600 + $10 x (10 + 4) = $740
- Annual loss expectancy = ($740 x 1/3) pa = $246.66 pa
14 Example (2)
- What about a virus attack on the same system?
- You frequently swap stuff with other people, but have no anti-virus software running.
- Assume an attack every 6 months: probability is 2 per annum
- No need to buy a new disk
- Assume the same rebuild effort (10 + 4) hours. Total loss = $10 x (10 + 4) = $140
- ALE = ($140 x 2) pa = $280 pa
15 Steps to Complete a RA
- List the assets
- Determine their value, including the cost of recreating data files
- Vulnerabilities
- Probability of loss
- Computation
- Possible controls
- Cost of applied controls
- Cost/benefit
16 Assets and their value
- Asset Valuation Worksheet
- Asset (name, serial number)
- Asset intrinsic value
- Which value is the intrinsic value? physical, insured, depreciated, replacement value, or ...
- Asset acquired value, which includes the cost of the loss of:
- Integrity
- Availability
- Confidentiality
17 Valuations
- Work quickly, using scale values (1, 10, 100, 1000 or 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000 etc.), or use a scale (1 to 5), or low, medium or high scales.
- Completeness is most important: ALL the assets and ALL the acquired values, and the cost of loss of the acquired values.
- Let others argue over the detail and accuracy.
18 DSTO Model
- This DSTO paper provides guidelines for assessing information security risk within a computer system. This risk is primarily a function of:
- the sensitivity of the information to be processed,
- the architecture of the computer system,
- and the clearance levels of the system's users.
19 DSTO Model
The DSTO Risk Analysis model is primarily directed at accidental and deliberate actions by authorised users. It is also possible to include deliberate acts by unauthorised users; however, in a number of Defence installations, physical and administrative security safeguards are used to counter these threats.
20 Vulnerabilities
- A vulnerability is a weakness.
- The way things work indicates the ways they are likely to fail:
- Computers need electricity, so they are vulnerable to power failures.
- Hard disks are easy to overwrite, so they are vulnerable to being inappropriately overwritten.
21 Probability of Loss
- Not directly computable, but either:
- apply frequency probability, using observed data for a specific system, or
- estimate (by an expert, based on their knowledge) the number of occurrences of each security breach in a given time period.
22 Compute the expected loss
- For each asset, (total) risk = Sum(risks) = Sum(Loss x Probability per annum) pa
- For ALL assets we can derive a total sum, the Annual Loss Expectancy, per annum
- Price-Waterhouse study: for Australian organisations with no security plan in place, 8% of turnover is lost each year (!)
23 Making sense?
- REALITY CHECK: If a company is still in business, the Annual Loss Expectancy (ALE) has to be a lot less than the annual turnover.
24 Possible Controls
- Match each vulnerability with at least one appropriate security technique.
- Use the expected loss estimate to decide which controls, alone or in concert with others, are the most effective for a given situation.
- Example: risk of losing data
- several controls apply, such as periodic backups, redundant data storage, access control to prevent unauthorised deletion, physical security against stealing disks, and program development standards to limit the effect of programs on the data.
- Probably periodic backup will win over redundant data storage on cost and operational considerations.
25 Cost of Applying Controls
- Actual cost of a control includes:
- software purchase price
- installation cost
- training cost
- Effective cost of a control = actual cost + any expected loss from using the control (such as admin or maintenance costs)
- e.g. Cost to reconstruct data = $1M at 10% probability of loss = $100K
- Effectiveness of access control software (say) 60% = $60K
- Cost of the access control software = $25K
- Expected annual cost due to loss and controls = ($40K + $25K) = $65K
- Effective cost of the control = -(100 - 65) = -$35K
- Note that the effective cost of a control can be positive (when the control is expensive to administer or introduces new risks in another area) or negative (when the reduction in risk is greater than the cost of the control)
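The figures from Examples (1) and (2) and the access-control cost/benefit on this slide, carried through as a small worksheet. This is an added example, not part of the original slides; the Asset and Control classes and the sample rows are this example's own construction, using the dollar amounts, hours and probabilities the slides give.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One row of the asset valuation worksheet (constructed for this example)."""
    name: str
    intrinsic_cost: float    # $ to replace the asset itself (0 if nothing to buy)
    rebuild_hours: float     # effort to reload / re-key after a loss
    hourly_rate: float       # $ per hour of that effort
    events_per_year: float   # risk probability, expressed per annum

    def loss_per_event(self) -> float:
        """Risk impact: intrinsic cost plus the cost of the rebuild effort."""
        return self.intrinsic_cost + self.hourly_rate * self.rebuild_hours

    def ale(self) -> float:
        """Annual Loss Expectancy = LOSS ($) x PROBABILITY (per annum)."""
        return self.loss_per_event() * self.events_per_year


@dataclass
class Control:
    name: str
    annual_cost: float       # purchase + installation + training + admin, per year
    effectiveness: float     # fraction of the expected loss it removes, 0..1


def effective_cost(ale_before: float, control: Control) -> float:
    """Effective cost = (residual ALE + control cost) - ALE without the control.
    Negative means the control saves more than it costs; positive means not."""
    residual = ale_before * (1.0 - control.effectiveness)
    return (residual + control.annual_cost) - ale_before


def total_ale(assets: list[Asset]) -> float:
    """Sum of the ALEs over ALL assets, as on the 'Compute the expected loss' slide."""
    return sum(a.ale() for a in assets)


def passes_reality_check(assets: list[Asset], annual_turnover: float) -> bool:
    """A firm still in business must have a total ALE below its annual turnover."""
    return total_ale(assets) < annual_turnover


# Constructed sample worksheet using the slides' figures.
DISK = Asset("hard disk failure", 600.0, 10 + 4, 10.0, 1 / 3)
VIRUS = Asset("virus attack", 0.0, 10 + 4, 10.0, 2.0)
DATA = Asset("data reconstruction", 1_000_000.0, 0.0, 0.0, 0.1)
ACCESS_CONTROL = Control("access control software", 25_000.0, 0.60)

if __name__ == "__main__":
    for a in (DISK, VIRUS, DATA):
        print(f"{a.name:22s} loss/event ${a.loss_per_event():>12,.2f}  ALE ${a.ale():>12,.2f} pa")
    print(f"effective cost of {ACCESS_CONTROL.name}: ${effective_cost(DATA.ale(), ACCESS_CONTROL):,.0f}")
```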
26 But ...
Controls are not inherently desirable: most of them either cost money, impair function, reduce performance, degrade usability or maintainability, or some combination of these.
27 Some Criticisms of Risk Analysis
- Although many large organisations use RA, there are some criticisms of both the idea and the methods of RA.
- It may not appear sensible to talk of a probable loss of a specific number of dollars:
- only when the loss occurs will we know how much it costs to fix, and bringing that cost to a one-year base is artificial.
- There is so much uncertainty in the method of calculation that any numerical figure is meaningless.
- However, Risk Management is seen as a valid undertaking, and using figures to attempt to quantify risk does give us an accountable basis for spending resources on controls.
28 Security Planning
29 Security Plan
- A document that describes how an organisation will address its security needs.
- As the needs of the organisation evolve, ongoing review and revision of the security plan is important.
- "Everything we see is transient" (Buddha)
- Mission, strategy, tactics, personnel and environment can all change.
- An effective security plan is a living document.
30 Content of a Security Plan (1)
- Policy
- Current Situation
- Requirements
- Recommendations
- Accountable Personnel
- Plans and Schedules
- Evaluation and Review
31 Policy
- Policy (what are we on about?)
- State goals
- State responsibilities: who is responsible for what
- State resources to be committed
- To answer the question: Who can access What resources in What manner?
32 Current Situation
- Present the Risk Analysis and assumptions
- May need the latest status, including who is responsible for what
- Comment on the status of current controls
33 Requirements
- What should be accomplished, not how to do it
- We seek:
- Completeness
- Consistency
- Correctness (as for all types of requirements analysis)
34 Recommendations
- From the Risk Analysis, at least consider
- greatest risk
- largest potential loss
- loss of greatest frequency
- Identify controls
- Comment on status of existing controls
- which to maintain?
- which to enhance?