1. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative Risk Analysis Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3: Determine Threats and Controls Module 4: Matrix Based Approach  Module 5: Case Study Module 6: Summary

2. Module 5 Case Study

3. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 3 Students should be able to: –Understand the case. –Derive the assets, vulnerabilities, threats, and controls relevant to the case. –Fill in the Asset/Vulnerability, Vulnerability/Threat, and Threat/Control matrices based on the case in a qualitative manner. Case Study Learning Objectives

4. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 4 Case Study Example Use the information that you have learned in the lecture in the following case study of a government organization. Remember these key steps for determining ALE – Identify and determine the value of assets – Determine vulnerabilities – Estimate likelihood of exploitation – Compute ALE – Survey applicable controls and their costs – Perform a cost-benefit analysis

5. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 5 Case Study Case A government agency delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities. The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktop is $1,500.

6. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 6 Case Study Case Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars. The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.

7. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 7 Case Study Example- Assets (Tangible) Transaction Revenue- amount of profit from transactions Data- client information Laptops- shared, used for collecting information Desktops- shared, used for processing client information Regional Servers- stores all work activities of employees in region HQ Server- query regional servers to fulfill transactions

8. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 8 Case Study Example- Asset Valuations We will rank the assets on a scale of 1 (Low), 3 (Medium), and 9 (High): –Transaction Revenue: This makes up the total revenue of the service/business. However, since this is a government agency, revenue is not a primary factor— goodwill and confidentiality of data is more important. (3) –Goodwill: This is how the agency is perceived in providing a positive service to other agencies and organizations. This is extremely important. (9) –Data (Liability): Release of any private information can result in liability for the total worth of the company. (9) –Laptops: Total worth of all laptops a lot, but only used for data collection. (1) –Desktops: Total worth of all desktops is a lot, but only used for data processing. (1) –Regional Servers: These hold all of the private client and financial information. (3) –HQ Server: needed to provide the services to the customers in terms of querying for results. This is an important service which leads to goodwill. (3)

9. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 9 Case Study Example- Vulnerabilities Vulnerabilities are weaknesses that can be exploited Vulnerabilities –Laptop Computers –Desktop Computers –Regional Servers –HQ server –Network Infrastructure –Software Computers and Servers are vulnerable to network attacks such as viruses/worms, intrusion & hardware failures Laptops are especially vulnerable to theft

10. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 10 Case Study Example- Threats Threats are malicious & benign events that can exploit vulnerabilities Several Threats exist –Hardware Failure – Software Failure – Theft – Denial of Service – Viruses/Worms – Insider Attacks – Intrusion and Theft of Information

11. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 11 Case Study Example- Controls, Part 1 Intrusion detection and firewall upgrades on HQ Server – Mitigates HQ server failure and recovery Anti-Virus Software – Mitigates threat of worms, viruses, DOS attacks, and some intrusions Firewall upgrades – Mitigates threats of DOS attacks and some intrusions, worms and viruses Redundant HQ Server – Reduces loss of transaction revenue

12. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 12 Case Study Example- Controls, Part 2 Spare laptop computers at each location – Reduces loss of transaction revenue and productivity Warranties – Reduces loss of transaction revenue and cost of procuring replacements Insurance – Offset cost of liability Physical Controls – Reduce probability of theft Security Policy – Can be used to reduce most threats.

13. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 13 Case Study Asset/Vulnerability Matrix, Part 1 For the current example, we will assume this expert opinion for illustration of the concept –Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure with which clients access the data. (3) –Laptops, desktops and software is only associated with the collection and processing transactions. (1) –Goodwill is associated with the quality and availability of service provided. Therefore, the HQ server, regional servers, and network infrastructure are very important. (9)

14. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 14 Case Study Asset/Vulnerability Matrix, Part 2 –Laptops, desktops, and software are less important to the quality of service- yet still allow for more current information to be accessed which contribute somewhat to goodwill. (3) –Data that is located on laptops and desktops make up only a small percentage of total data because they are only used for collecting and processing. (1) –The regional servers contain all other data. (9) –Other assets are associated highly with their respective vulnerabilities, e.g. laptops with laptops, desktops with desktops, etc. (9)

15. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 15 Case Study Asset/Vulnerability Matrix, cont’d. Assets Vulnerabilities Transaction Revenue GoodwillData (Liability) LaptopsDesktopsRegional Servers HQ Server Aggregates (Impact) Input Asset Values  3991133  asset value x vulnerability) Laptops 131900048 Desktops 131090048 Regional Servers 3990090198 HQ Servers 3900009117 Network Infrast. 390000090 Software 130000030 Customize matrix to assets & vulnerabilities applicable to case – Determine the value of each asset and put them in the value row – Determine correlation with vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High) – Compute the sum of product of vulnerability & asset values; add to impact column 0 – Not Relevant 1 – Low 3 – Medium 9 – High

16. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 16 Case Study Vulnerability/Threat Matrix, Part 1 For the current example we will assume expert opinion for illustration of the concept: –Laptops will experience hardware failure slightly more often than desktops (1). –Regional servers and the HQ server will experience even less hardware failure as there should be more focus on maintenance on these servers (3). –Network infrastructure (e.g. switches, routers) will experience failure more often than desktops or laptops as there is no way to easily exchange hardware (9). –Hardware failure can cause loss of software, however, our assumption is that all software is replaceable from backups.

17. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 17 Case Study Vulnerability/Threat Matrix, Part 2 –Software failure is expected to occur equally throughout the laptops, desktops, regional and HQ servers (3). –It is less likely through network infrastructure as there is less software. However, it occurs always through software (9). –We assume that there is high chance of a laptop being stolen (9). –Less percentage of a desktop being stolen (3) and even less for the servers to be stolen (1). –There is a very low chance of network equipment being stolen since it is kept in secure rooms (1). –When equipment is stolen some software may have been stolen as well, but this should not affect much as there are probably backups (0).

18. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 18 Case Study Vulnerability/Threat Matrix, Part 3 –We assume that the denial-of-service can disable machines as well as cause destruction of software (1). –Denial-of-service would likely target the servers (3) more than the desktops or laptops (1). –Viruses and worms would be more likely to affect laptops and desktops (3) was they would be more user-controlled and less likely to be patched and protected. –The regional servers and HQ server are more secure (1). –Viruses and worms tend to exploit some sort of software vulnerability (9).

19. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 19 Case Study Vulnerability/Threat Matrix, Part 4 –Insider attacks are primarily meant to exploit data & disable machines. However, these are often perpetrated through laptops and desktops due to accessibility (3). –There is slightly less for regional servers although much of the data is located within the regional servers (9). There is less chance for headquarter servers (3). –Network infrastructure has a medium percent change of being affected by insider attacks because it is present in all parts of the organization (3). –Software also has a chance of being affected by insider attacks (1). –Intrusions are more likely to occur at the user level (9) for desktops and laptops. The regional level would occur less (3) and HQ servers even less (1).

20. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 20 Case Study Vulnerability/Threat Matrix, cont’d. Vulnerabilities Threats LaptopsDesktopsRegional Servers HQ Servers Network Infrast. SoftwareAggregates (Threat Importance) Input Impact Aggregates  48 1981179030  impact value x threat value) Hardware Failure 3311901,413 Software Failure 3333191,593 Equipment Theft 9331101,377 Denial of Service 1133011,071 Viruses/Worms 331109873 Insider Attacks 3393312,721 Intrusion 9931001,575 Complete matrix based on the specific case –Add values from the Impact column of the previous matrix –Determine association between threat and vulnerability –Compute aggregate exposure values by multiplying impact and the associations and adding across vulnerabilities 0 – Not Relevant 1 – Low 3 – Medium 9 – High

21. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 21 Case Study Threat/Control Matrix, Part 1 Some of these controls have threats associated with them. However, these are secondary considerations and we will be focusing on primary threats. We assume that IDS systems will control some of the DOS attacks (3) and Viruses and Worms (3) and most intrusions (9) –In addition, IDS systems do not impact insider attacks Anti-Virus Software will prevent most Viruses and Worms, but not all due to virus definition updates (9). That upgrades to a firewall will greatly control (9) of DOS attacks, as well as Viruses and Worms. It will control some intrusions (3), and about a lower amount of insider attacks and intrusions (1).

22. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 22 Case Study Threat/Control Matrix, Part 2 A redundant HQ server will control some hardware failure (when the original HQ server fails) (1). This is the same for theft and insider attacks (1). Also, a redundant HQ server will help a lot in cases of DOS attacks on the HQ server (9). This would also assist when software fails or viruses or worms affect the machine (3). Spare laptops will assist in cases of theft of laptops (3) and somewhat (1) in all cases of hardware and software failure and denial of service.

23. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 23 Case Study Threat/Control Matrix, Part 3 We assume that warranties will help with a lot (9) with of both hardware failure and software failure. While it will assist with the cost of new hardware or software, will not reduce employee time. It is determined that insurance will be able to control most impact from the threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and Intrusion (9).

24. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 24 Case Study Threat/Control Matrix, Part 4 Physical controls (locks, key cards, biometrics, etc.) will control much theft (9) and a small amount of insider attacks (1) Also, it is assumed that a security policy will assist with some of all threats since every policy can have procedures which can assist in prevention. Customize matrix based on the specific case –Add values from the threat importance column of the previous matrix –Determine impact of different controls on different threats –Compute the sum of the products of the threat importance by the impact of controls to determine values.

25. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 25 Case Study Threat/Control Matrix, cont’d. Threats Controls Hardware Failure Software Failure TheftDenial of Service Viruses/ Worms Insider Attacks Intrusion Aggregates (Value of Control) Input Threat Importance Values  1,4131,5931,3771,0718732,7211,575  threat importance x impact of controls) Intrusion Detection 000331922,728 Anti-Virus 00009007,857 Firewall Upgrades 000991121,792 Redundant HQ Server 131931124,123 Spare Laptops 11310008,208 Warranties 990000027,054 Insurance 009999968,553 Physical Controls 009001015,114 Security Policy 333333331,869

26. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 26 Given the matrices and the example case provided, use this same methodology in application to determine the information security risk in your own organization. Case Study Exercise