Risk Analysis (RA) and Security Planning - PowerPoint PPT Presentation

Slides: 35
Provided by: jcarp

Transcript and Presenter's Notes

1
Risk Analysis (RA) and Security Planning
  • The slides are derived from John Carpenter's notes

2
Risk Analysis (RA) and Security Planning
  • Risk Analysis (RA)
  • Benefits of Risk Analysis
  • Some Homely Examples
  • Steps to Complete a RA
  • Security Planning
  • Content of a Security Plan
    Pfleeger (2ed) Ch 10.4, 10.5, 10.6; Pfleeger (3ed) Ch 8.1, 8.2, 8.3

3
Computer Security and Industries
  • Government and private intelligence communities
  • Internal threats (dishonest employees, software
    failures, etc.)
  • Business partners (customers, competitors,
    suppliers, etc.)
  • Hackers, investigators, reporters, etc.

4
Security facts, believe it or not!
  • Bank robbery through computers
  • Industrial espionage on corporate information
  • Loss of individual privacy (files, emails, chats,
    video conferencing, ...)
  • Information vandalism (destroy backups, delete
    files, vandalise web pages, ...)
  • Computer viruses
  • (more can be found in comp.risks and other
    websites)

5
Is the Computer Threat Real?
  • 1997 survey of 61 large companies that had
    firewalls (site had > 1000 PCs and Internet
    servers)
  • 44% reported probes by outsiders
  • 23% IP spoofing (used to break in to hosts on the
    Internet)
  • 10% email bombs
  • 8% denial of service attacks
  • 8% sendmail probes
  • 89% reported that the firewall responded
    adequately

Internet sources
6
Computer Threat
  • Computer Security Institute/FBI Survey
  • 35% annual increase in data sabotage incidents
    from 1997 to 1999
  • 25% annual increase in financial fraud
    perpetrated on-line
  • Abuse of network access increased over 20%,
    resulting in losses of $8 million
  • Security breaches caused US$15 billion in losses in
    2000

Internet sources
7
Other Surveys
  • Poll of 1,400 companies with > 100 employees
  • About 90% are confident in their firm's network
    security
  • But 50% failed to report break-ins
  • 58% increased spending on security
  • 1997-2001, Fortune firms lost US$45 billion;
    high-tech firms were the most vulnerable

Internet sources
8
Risk Analysis
(Diagram listing the elements of risk analysis: Vulnerabilities,
Threats, Assets, Analysis, Risks, Management, Counter Measures)
9
Risk Analysis (RA-1)
  • A study of the risk that a business or system is
    subject to.
  • A process to determine exposure and potential
    loss.
  • RISK = the probability that a specific threat will
    successfully exploit a vulnerability, causing a
    loss.

10
Risk Analysis (RA-2)
  • Suppose an event is associated with a loss; this
    loss is the risk impact (sometimes simply called
    risk), measured in $s
  • There is a probability (risk probability) of
    occurrence, a number in the range 0 (if not
    possible) to 1 (if certain)
  • Risk exposure is the amount:
    Risk exposure = Risk impact x Risk probability
  • As things change, so can these values (!)

11
Risk Analysis (RA-3)
  • For risk analysis, RISK = LOSS ($) x
    PROBABILITY, usually measured as $ per annum.
  • Expressed as Annual Loss Expectancy (ALE), in
    $ per annum
  • By quantifying the risk, we can justify the
    benefit of spending money to implement controls

12
Benefits of Risk Analysis
  • Improved awareness by users and management
  • Documentation of assets and their vulnerabilities
    and possible controls
  • Provides an accountable basis for decision making
  • Provides accountable justification for
    expenditure on counter measures

13
Example (1)
  • Hard disk failure on your PC
  • Hard disks fail about every three years, so the
    probability of failure is 1/3 per year
  • Intrinsic cost: say $600 to buy a new disk
  • But also, say 10 hours of your effort to reload
    the O/S and software, and
  • say 4 hours to re-key assignments from the last
    backup.
  • Assume $10.00 per hour for your effort
  • Total loss = 600 + 10 x (10 + 4) = $740
  • Annual loss expectancy = (740 x 1/3) pa =
    $246.66 pa

14
Example (2)
  • What about a virus attack on the same system?
  • You frequently swap stuff with other people, but
    have no anti-virus software running.
  • Assume an attack every 6 months: probability is 2
    per annum
  • No need to buy a new disk
  • Assume the same rebuild effort, (10 + 4) hours:
    total loss = 10 x (10 + 4) = $140
  • ALE = (140 x 2) pa = $280 pa

15
Steps to Complete a RA
  • List the Assets
  • Determine their value, including costs of
    recreating data files
  • Vulnerabilities
  • Probability of Loss
  • Computation
  • Possible Controls
  • Cost of Applied Controls
  • Cost/Benefit

16
Assets and their value
  • Asset Valuation Worksheet
  • Asset (name, serial number)
  • Asset intrinsic value
  • Which value is the intrinsic value?
    physical, insured, depreciated, replacement
    value, or ...
  • Asset acquired value, which includes the cost of
    the loss of
    Integrity
    Availability
    Confidentiality

17
Valuations
  • Work quickly, using scale values (1, 10, 100, 1000 or
    1, 2, 5, 10, 20, 50, 100, 200, 500, 1000, etc.) or
    use a scale (1 to 5) or low, medium or high scales.
  • Completeness is most important: ALL the assets
    and ALL the acquired values, and the cost of loss of
    acquired values
  • Let others argue over the detail and accuracy.

18
DSTO Model
  • This DSTO paper provides guidelines for assessing
    information security risk within a computer
    system. This risk is primarily a function of:
  • the sensitivity of the information to be
    processed
  • the architecture of the computer system
  • and the clearance levels of the system's users.

19
DSTO Model
The DSTO Risk Analysis model is primarily
directed at accidental and deliberate actions by
authorised users. It is also possible to include
deliberate acts by unauthorised users; however, in
a number of Defence installations, physical and
administrative security safeguards are used to
counter these threats.

20
Vulnerabilities
  • A vulnerability is a weakness.
  • The way things work indicates the ways they are
    likely to fail
  • Computers need electricity, so they are
    vulnerable to power failures
  • Hard disks are easy to overwrite, so they are
    vulnerable to being inappropriately overwritten

21
Probability of Loss
  • Not directly computable, but either
  • apply frequency probability by using observed
    data for a specific system, or
  • estimate (by an expert, based on their knowledge)
    the number of occurrences of each security
    breach in a given time period.

22
Compute the expected loss
  • For each asset, (total) risk = Sum(risks)
    = Sum(Loss x Probability per annum), in $ pa
  • For ALL assets we can derive a total sum, the
    Annual Loss Expectancy, in $ per annum
  • Price-Waterhouse study: for Australian
    organisations with no security plan in place, 8%
    of turnover is lost each year (!)

23
Making sense ?
  • REALITY CHECK: if a company is still in
    business, the Annual Loss Expectancy (ALE) has to
    be a lot less than the annual turnover

24
Possible Controls
  • Match each vulnerability with at least one
    appropriate security technique
  • Use the expected loss estimate to decide which
    controls, alone or in concert with others, are the
    most effective for a given situation
  • Example: risk of losing data
  • Several controls, such as periodic backups,
    redundant data storage, access control to prevent
    unauthorised deletion, physical security against
    stealing disks, program development standards to
    limit the effect of programs on the data.
  • Probably periodic backup will override redundant
    data storage on cost and operational
    considerations.

25
Cost of Applying Controls
  • Actual cost of a control includes
    software purchase price,
    installation cost,
    training cost
  • Effective cost of a control = actual cost + any
    expected loss from using the control (such as
    admin or maintenance costs)
  • e.g. Cost to reconstruct data = $1M at 10%
    probability of loss = $100K
    Effectiveness of access control software (say)
    60%, i.e. $60K of expected loss avoided
    Cost of the access control software = $25K
    Expected annual cost due to loss and controls =
    (40 + 25) = $65K
    Effective cost of the control = -(100 - 65) = -$35K
  • Note that the effective cost of a control can be
    positive (when the control is expensive to
    administer or introduces new risks in another
    area) or negative (when the reduction in risk is
    greater than the cost of the control)
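As an added worked example (not from the slides or John Carpenter's notes), the ALE arithmetic of slides 13, 14 and 22 and the effective-cost calculation of slide 25 in Python. The class and function names are my own, and the 8% ceiling in the reality check is an assumed threshold borrowed from the Price-Waterhouse figure on slide 22.

```python
from dataclasses import dataclass

# Constructed figures follow the slides' examples; $10/hour is the effort rate slide 13 assumes.
EFFORT_RATE_PER_HOUR = 10.0

@dataclass
class Risk:
    """One loss event on an asset: loss ($) x probability per annum (slide 11)."""
    name: str
    intrinsic_cost: float   # e.g. $600 for a replacement disk
    effort_hours: float     # rebuild/re-key effort charged at EFFORT_RATE_PER_HOUR
    probability_pa: float   # expected occurrences per year; may exceed 1 (slide 14)

    def loss(self) -> float:
        """Loss per occurrence: intrinsic cost plus the acquired (effort) cost."""
        return self.intrinsic_cost + EFFORT_RATE_PER_HOUR * self.effort_hours

    def ale(self) -> float:
        """Annual Loss Expectancy for this single risk."""
        return self.loss() * self.probability_pa

def total_ale(risks) -> float:
    """Slide 22: sum of loss x probability over all risks on all assets."""
    return sum(r.ale() for r in risks)

def passes_reality_check(ale, annual_turnover, max_fraction=0.08) -> bool:
    """Slide 23: ALE must be well below turnover. The 8% ceiling is an assumed
    threshold taken from the Price-Waterhouse figure on slide 22."""
    return annual_turnover > 0 and ale / annual_turnover < max_fraction

def effective_control_cost(expected_loss, effectiveness, control_cost) -> float:
    """Slide 25: (residual expected loss + control cost) - original expected loss.
    Negative means the control removes more risk than it costs."""
    residual_loss = expected_loss * (1.0 - effectiveness)
    return (residual_loss + control_cost) - expected_loss

# Constructed sample: the disk-failure (slide 13) and virus (slide 14) risks on one PC.
PC_RISKS = [
    Risk("hard disk failure", intrinsic_cost=600.0, effort_hours=14.0, probability_pa=1 / 3),
    Risk("virus attack", intrinsic_cost=0.0, effort_hours=14.0, probability_pa=2.0),
]

if __name__ == "__main__":
    for r in PC_RISKS:
        print(f"{r.name}: loss ${r.loss():.2f} x {r.probability_pa:.3f} pa = ALE ${r.ale():.2f}")
    print(f"total ALE ${total_ale(PC_RISKS):.2f} pa; under 8% of $50K turnover: "
          f"{passes_reality_check(total_ale(PC_RISKS), 50_000)}")
    print(f"access control software (slide 25): effective cost ${effective_control_cost(1e5, 0.6, 25e3):,.0f}")
```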

26
But
Controls are not inherently desirable: most of
them either cost money, impair function, reduce
performance, degrade usability or
maintainability, or some combination of these.

27
Some Criticisms of Risk Analysis
  • Although many large organisations use RA, there
    are some criticisms of both the idea and the
    methods of RA
  • It may not appear sensible to talk of a probable
    loss of a specific number of dollars:
  • only when the loss occurs will we know how much
    it costs to fix, and bringing that cost to a
    one-year base is artificial.
  • There is so much uncertainty in the method of
    calculation that any numerical figure is
    meaningless
  • However, Risk Management is seen as a valid
    undertaking, and using figures to attempt to
    quantify risk does give us an accountable basis
    for spending resources on controls

28
Security Planning
29
Security Plan
  • A document that describes how an organisation
    will address its security needs.
  • As the needs of the organisation evolve, ongoing
    review and revision of the security plan is
    important.
  • "Everything we see is transient" (Buddha)
  • Mission, Strategy, Tactics, Personnel,
    Environment can all change
  • An effective security plan is a living document.

30
Content of a Security Plan (1)
  • Policy
  • Current Situation
  • Requirements
  • Recommendations
  • Accountable Personnel
  • Plans and Schedules
  • Evaluation and Review

31
Policy
  • Policy (what are we on about?)
  • State goals
  • State responsibilities: who is responsible for
    what
  • State resources to be committed
  • To answer the question: Who can access What
    resources in What manner?

32
Current Situation
  • Present the Risk Analysis and assumptions
  • May need the latest status, including who is
    responsible for what
  • Comment on the status of current controls

33
Requirements
  • What should be accomplished, not how to do it
  • We seek
  • Completeness
  • Consistency
  • Correctness (as for all types of requirements
    analysis)

34
Recommendations
  • From the Risk Analysis, at least consider
  • the greatest risk
  • the largest potential loss
  • the loss of greatest frequency
  • Identify controls
  • Comment on the status of existing controls:
  • which to maintain?
  • which to enhance?