IST 515
Objectives
This module will familiarize you with the following:
The basic terminology used in risk management.
The role and importance of risk management practices.
The identification of assets, threats, and vulnerabilities.
Risk assessment methodologies.
The risk assessment process.
Risk management principles.
Controls to identify, rate, and reduce the risk to specific information assets.
Readings
Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1. (Required)
Stoneburner, G., Goguen, A. and Feringa, A., Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002. (Required)
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J., Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60, August 2008.
Wikipedia, Failure Mode and Effects Analysis, http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
Marquis, H., Ten Steps to Do It Yourself CRAMM, 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm
Readings - Examples
Tan, D., Quantitative Risk Analysis Step-By-Step, SANS Institute, 2002.
Marchany, R., Conducting a Risk Analysis, in Luker, M. and Petersen, R. (Eds.), Computer and Network Security in Higher Education, Chapter 3, EDUCAUSE. (STAR Project)
In, H. P., Kim, Y.-G., Lee, T., Moon, C.-J., Y. J., and Kim, I., "A Security Risk Analysis Model for Information Systems," in Baik, D.-K. (Ed.), AsiaSim 2004, LNAI 3398, Springer, pp. 505-513, 2005. (Quantitative Method)
Essential Terminologies
Vulnerability:
Threat:
Threat-Source:
Risk Assessment
Risk management diagram (from NIST SP 800-12): Assets (Data, Facilities, Hardware, Software); Threat; Vulnerability; Risk; Safeguards.
Risk Management
Risk avoidance.
Risk transfer.
Risk mitigation.
Risk acceptance.
Essential Terminologies
Risk:
Risk Management:
Asset value: logical asset, physical asset.
Human Threats (Threat-Source | Motivation | Threat Actions)

Hacker, cracker
  Motivation: Challenge; Ego; Rebellion
  Threat Actions: Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access

Computer criminal
  Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
  Threat Actions: Computer crime; Fraudulent act; Information bribery; Spoofing; System intrusion

Terrorist
  Motivation: Blackmail; Destruction; Exploitation; Revenge
  Threat Actions: Bomb/Terrorism; Information warfare; System attack; System penetration; System tampering

Industrial espionage
  Motivation: Competitive advantage; Economic espionage
  Threat Actions: Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access

Insider
  Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions
  Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code; Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access
Vulnerabilities
A flaw or weakness in a system that can be exploited to violate system integrity.
Vulnerability sources: security procedures, design, implementation.
Threats trigger vulnerabilities: accidental or malicious.
Vulnerability/Threat Pairs
Vulnerability: Terminated employees' system IDs are not removed from the system
  Threat-Source: Terminated employees
Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
  Threat-Source: Unauthorized users
Vulnerability: The vendor has identified flaws in the security design of the system
  Threat-Source: Unauthorized users
  Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities
Asset
1. Information/Data
2. Documents
3. Hardware
4. Software
5. Human Resource
6. Circumstances
Threat
1. Human/Non-human
2. Network/Physical
3. Technical/Environment
4. Inside/Outside
5. Accidental/Deliberate
Vulnerability
1. Administering (Documents, Personnel, Regulation)
2. Physical Circumstances or Facilities
3. Technical (Hardware, Software, Communication/Network)
Vulnerability Model
Mitigation effect of each mitigation method (columns) on three related vulnerabilities (rows):
Mitigation Method:  Vaccine | Smart Card | Firewall
Vulnerability 1:    0.2     | 0.6        | 0.1*
Vulnerability 2:    0.6     | 0.5        | 0.5
Vulnerability 3:    0.3     | 0.2        | 0.1
Mitigation Effect
Applying a risk mitigation method to some vulnerabilities can reduce the rate of not only one vulnerability but also several related vulnerabilities simultaneously.
We can compute the rate of risk reduction effectively by considering which vulnerabilities are affected when a risk mitigation method is selected.
Risk reduction after applying firewall (the Firewall column 0.1, 0.5, 0.1 multiplied by each vulnerability's rate 0.5, 0.7, 0.4 and averaged over the three vulnerabilities):
= 100 * (0.1 * 0.5 + 0.5 * 0.7 + 0.1 * 0.4) / 3
= 100 * 0.44 / 3 = 14.7
Risk Analysis
What kinds of threats can be reduced?
What are the residual risks if the risk mitigations are applied?
What is the ROI of each risk mitigation?
ROI = Benefit / Cost
Benefit = (initial risk) - (residual risk after the risk mitigation method is applied)
Total Cost = Acquisition Cost + Operation Cost + Business Opportunity Cost
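As an added example (not from the slides or the In et al. paper), the mitigation-effect calculation and the ROI formula above in Python. The 3x3 matrix and the vulnerability rates 0.5, 0.7, 0.4 are the slide's numbers; the initial-risk definition (100 times the mean vulnerability rate) and the per-method costs are assumptions.

```python
# Added example, not from the slides or the In et al. paper: risk reduction
# and ROI for the mitigation-effect model above.  Costs are constructed.
from typing import Dict, List, Tuple

METHODS = ("Vaccine", "Smart Card", "Firewall")

# Mitigation effect of each method (column) on each of the three related
# vulnerabilities (row), as in the slide's vulnerability model.
EFFECT: List[List[float]] = [
    [0.2, 0.6, 0.1],
    [0.6, 0.5, 0.5],
    [0.3, 0.2, 0.1],
]

# Rate of each vulnerability before mitigation (the slide's 0.5, 0.7, 0.4).
RATE: List[float] = [0.5, 0.7, 0.4]

# Assumed costs per method (acquisition, operation, business opportunity).
COSTS: Dict[str, Tuple[float, float, float]] = {
    "Vaccine": (1.0, 0.5, 0.5),
    "Smart Card": (6.0, 3.0, 1.0),
    "Firewall": (2.0, 1.5, 0.5),
}

def initial_risk() -> float:
    """Assumption: 100 * mean vulnerability rate, so that the slide's
    reduction formula is exactly (initial risk) - (residual risk)."""
    return 100.0 * sum(RATE) / len(RATE)

def risk_reduction(method: str) -> float:
    """Slide formula: 100 * mean over vulnerabilities of (effect * rate).
    Firewall: 100 * (0.1*0.5 + 0.5*0.7 + 0.1*0.4) / 3 = 14.7."""
    col = METHODS.index(method)
    return 100.0 * sum(EFFECT[i][col] * RATE[i] for i in range(len(RATE))) / len(RATE)

def residual_risk(method: str) -> float:
    return initial_risk() - risk_reduction(method)

def roi(method: str) -> float:
    """ROI = Benefit / Cost, Benefit = initial risk - residual risk,
    Cost = acquisition + operation + business opportunity cost."""
    benefit = initial_risk() - residual_risk(method)
    return benefit / sum(COSTS[method])

def rank_by_roi() -> List[Tuple[str, float]]:
    """Mitigation methods from best to worst ROI (rounded to 2 places)."""
    return sorted(((m, round(roi(m), 2)) for m in METHODS),
                  key=lambda row: row[1], reverse=True)
```

With the assumed costs the cheapest method wins on ROI even though the smart card removes the most risk, which is the trade-off the ROI question on the slide is asking about.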
Likelihood Definitions
Likelihood Level | Likelihood Definition
High
Medium
Low
Impact Definition
High
Medium
Low
Risk-Level Matrix
Threat Likelihood | Impact: Low (10)      | Medium (50)           | High (100)
High (1.0)        | Low: 10 x 1.0 = 10    | Medium: 50 x 1.0 = 50 | High: 100 x 1.0 = 100
Medium (0.5)      | Low: 10 x 0.5 = 5     | Medium: 50 x 0.5 = 25 | Medium: 100 x 0.5 = 50
Low (0.1)         | Low: 10 x 0.1 = 1     | Low: 50 x 0.1 = 5     | Low: 100 x 0.1 = 10
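The risk-level matrix as code, as an added example that is not part of the slides: it rebuilds the 3x3 table from the slide's scales and then ranks the vulnerability/threat pairs shown earlier from high to low, which is the first step of the risk mitigation process. The likelihood and impact ratings given to the pairs are assumptions for illustration.

```python
# Added example, not from the slides: the NIST SP 800-30 risk-level matrix
# above as code, then used to rank threat/vulnerability pairs from high to
# low (step 1 of the risk mitigation process).
from typing import Dict, List, Tuple

# Scales exactly as on the slide.
LIKELIHOOD: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT: Dict[str, int] = {"Low": 10, "Medium": 50, "High": 100}

def risk_score(likelihood: str, impact: str) -> float:
    """Risk = impact value x likelihood probability (the cell arithmetic on the slide)."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def risk_level(score: float) -> str:
    """Thresholds implied by the slide's matrix: a score of 50 is Medium and
    a score of 10 is Low, so High is > 50 and Medium is > 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Rebuild the 3x3 matrix as {(likelihood, impact): (score, level)}."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}

# Constructed likelihood/impact ratings for the vulnerability/threat pairs
# shown earlier in the slides; the ratings are assumptions for illustration.
PAIRS: List[Tuple[str, str, str]] = [
    ("Terminated employees' system IDs not removed", "Medium", "High"),
    ("Inbound telnet allowed and guest ID enabled on XYZ server", "High", "High"),
    ("Vendor-identified flaws in the system's security design", "Low", "High"),
]

def prioritize(pairs: List[Tuple[str, str, str]] = PAIRS) -> List[Tuple[str, float, str]]:
    """Rank pairs from highest to lowest risk score, with the level attached."""
    scored = [(name, risk_score(lk, im), risk_level(risk_score(lk, im)))
              for name, lk, im in pairs]
    return sorted(scored, key=lambda row: row[1], reverse=True)
```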
Five-level risk matrix (risk levels High, Medium, Low):
Impact scale: 5. Extreme; 4. Very High; 3. Medium; 2. Low; 1. Negligible
Likelihood scale: 1. Rare; 2. Unlikely; 3. Moderate; 4. Likely; 5. Almost Certain
Comments
Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples that we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.
STAR Project
Definition of Priority
Critical: The loss of its function would result in the university ceasing to function as a business entity.
Essential: The loss of the asset would cripple the university's capacity to function, but it could survive for a week or so without the asset. All effort would be made to restore the function within a week.
Normal: The loss of the asset would result in some inconvenience.
STAR Project
Asset priority voting table. Columns: DNS(p), Plant, DNS(s), Network, HR, Total Votes. Assets: Physical plant, environmental servers; DNS name server (secondary); Network (routers, servers, modems, etc.); HR database server. Vote values on the slide: 4.5, 4.5, 3.5, 3.5, 7.5, 22, 28.5, 10.5, 45, 19.5.
STAR Project
Description
Clear text data moving among our systems and networks
Natural disaster
Passwords
Spoofing
Data disclosure: Inappropriate acquisition or release of university data
System administration practices: Adequacy of knowledge, skills, and procedures
Operational policies
STAR Project
Comparison of risk assessment methodologies (columns: Source, Feature, Industry). Values on the slide: NIST; Qualitative; Healthcare, HIPAA; OCTAVE; Qualitative; Software; Qualitative; General; Qualitative; NATO, Unisys; RAC; Quantitative; US Military, 1940; Quantitative; Hardware & software systems; Aerospace, Automotive.
System characterization.
Vulnerability identification.
Threat identification.
Countermeasure identification.
Likelihood determination.
Impact determination.
Risk determination.
Additional countermeasures recommendations.
Document results.
Risk Assessment Process (NIST SP 800-30): Input | Step | Output
1. System Characterization
  Input: Hardware/software; System interfaces; Data & information; People; System mission
  Output: System boundary; System functions; System and data criticality; System and data sensitivity
2. Threat Identification
  Input: History of attack; Data from intelligence agencies
  Output: Threat statement
3. Vulnerability Identification
  Output: List of potential vulnerabilities
4. Control Analysis
  Input: Current controls; Planned controls
5. Likelihood Determination
  Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
  Output: Likelihood rating
6. Impact Analysis
  Considers: Loss of integrity; Loss of availability; Loss of confidentiality
  Output: Impact rating
7. Risk Determination
  Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
  Output: Risk and associated risk levels
8. Control Recommendation
  Output: Recommended controls
9. Result Documentation
  Output: Risk assessment report
Risk decision flow:
System design -> Vulnerable? No -> No Risk.
Yes -> Exploitable? No -> No Risk.
Yes -> Risk exists: vulnerability to attack exists.
Attackers' cost < gain? No -> Accept Risk.
Yes -> Loss anticipated > threshold? No -> Accept Risk.
Yes -> Unacceptable Risk.
Risk management cycle (from GAO/AIMD-99-139), with uncertainty at every stage:
Define boundaries, scope, and methodology
Collect and synthesize data
Interpret results
Select safeguard*
Implement control
Accept residual risk
Risk mitigation
Impact / Likelihood matrix (from GAO/AIMD-99-139):
Impact      | Likelihood: Low                              | Medium                          | High
Significant | Considerable management required             | Must manage and monitor risks   | Extensive management essential
Moderate    | Risks may be worth accepting with monitoring | Management effort worthwhile    | Management effort required
Minor       | Accept risks                                 | Accept, but monitor risks       | Manage and monitor risks
Controls
Mechanisms or procedures for mitigating vulnerabilities:
Prevent
Detect
Recover
Understand the cost and coverage of each control.
Controls follow vulnerability and threat analysis.
Risk Mitigation Process (NIST SP 800-30): Input | Step | Output
1. Prioritize Actions
  Input: Risk levels from the risk assessment report
  Output: Actions ranking from high to low
2. Evaluate Recommended Control Options (Feasibility; Effectiveness)
  Input: Risk assessment report
  Output: List of possible controls
3. Conduct Cost-Benefit Analysis
  Input: Impact of implementing; Impact of not implementing; Associated costs
  Output: Cost-benefit analysis
4. Select Controls
  Output: Selected controls
5. Assign Responsibility
  Output: List of responsible persons
6. Develop Safeguard Implementation Plan
  Output: Safeguard implementation plan
7. Implement Selected Controls
  Output: Residual risks
Technical security controls (NIST SP 800-30):
Support: Identification; Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation)
Prevent: Authentication; Authorization; Access Control Enforcement; Nonrepudiation; Protected Communications (safe from disclosure, substitution, modifications & replay)
Detect, Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; Resource State Restore
Potential Projects