
1 Oppliger: Ch. 15 Risk Management. 2 Outline Introduction Formal risk analysis Alternative risk analysis approaches/technologies –Security scanning –Intrusion.



Presentation transcript:

1 Oppliger: Ch. 15 Risk Management

2 Outline
Introduction
Formal risk analysis
Alternative risk analysis approaches/technologies
– Security scanning
– Intrusion detection
True or false?
Risks are everywhere!
A new risk may be introduced (or triggered) by a solution.

3 Risk
A risk is an expectation of loss.
– Usually represented as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result: Risk = prob(T, V, R)
Example:
– Let T = “port scanning”
– Let V = “No firewall exists between the public Internet and the private network”
– Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”
Other examples of risk?

4 Risk Analysis
Aka. Risk Assessment
A systematic process that
a) identifies valuable system resources and threats to those resources;
b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence;
c) (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure
A process that identifies risks and their respective potential cost (and countermeasures)

5 Risk Analysis (cont.)
Example of risk analysis?
– Let T = “port scanning”
– Let V = “No firewall exists between the public Internet and the private network”
– Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”
– Factors affecting the potential cost? Cost per incident, frequency of incident
Other examples of risk analysis?
Other definitions of risk analysis?

6 Risk Analysis (cont.)
Other definitions of risk analysis?
– Risk analysis (in business) is a technique to identify and assess factors that may jeopardize the success of a project or achieving a goal. Source: http://en.wikipedia.org/wiki/Risk_analysis_(Business)
– Risk analysis (in engineering) is the science of risks and their probability and evaluation. Source: http://en.wikipedia.org/wiki/Risk_analysis_(engineering)
c.f., risks with respect to project failure; risks with respect to a system’s being breached; other risks??

7 Risk Management
A process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources
Threat model
– The attackers (who)
– The attacks (how)
– The resources (what)
– …

8 Formal Risk Analysis
A formal process/tool(s) for performing risk analysis
Examples:
– British CCTA’s CRAMM (CCTA Risk Analysis & Management Methodology)
– French CLUSIF’s MARION
Steps:
– Establish an inventory of all assets
– Quantify loss exposures based on estimated frequencies and costs of occurrence
Quantitative risk analysis is complex! It’s difficult to quantify (due to complexities and lack of models).
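As an added worked example (not from Oppliger or these slides), the risk model of slides 3 to 5 and steps b and c of slide 4 in Python: the loss exposure of each (T, V, R) triple from its estimated frequency and cost per incident, and a greedy allocation of a countermeasure budget that minimises the total residual exposure. All figures, the reduction fractions and the countermeasure names are constructed assumptions, and every countermeasure is assumed to have a positive cost.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One (T, V, R) triple plus the two cost factors named on slide 5."""
    threat: str
    vulnerability: str
    result: str
    incidents_per_year: float  # estimated frequency of occurrence
    cost_per_incident: float   # estimated cost of one occurrence
    def exposure(self) -> float:
        """Annual loss exposure = frequency x cost (slide 4, step b)."""
        return self.incidents_per_year * self.cost_per_incident

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    reduction: dict  # threat -> fraction of that risk's exposure it removes

def allocate(risks, measures, budget):
    """Slide 4, step c: greedily pick measures within budget by exposure removed
    per unit cost; a later measure acts on what earlier ones left of a risk."""
    residual = {r.threat: r.exposure() for r in risks}
    chosen, remaining, candidates = [], budget, list(measures)
    def value(m):  # exposure removed per unit of annual cost, given residuals
        return sum(residual[t] * f for t, f in m.reduction.items()) / m.annual_cost
    while True:
        best = max((m for m in candidates if m.annual_cost <= remaining),
                   key=value, default=None)
        if best is None or value(best) <= 0:
            break
        for t, f in best.reduction.items():
            residual[t] *= 1.0 - f
        chosen.append(best.name)
        remaining -= best.annual_cost
        candidates.remove(best)
    return chosen, sum(residual.values())

# Constructed sample figures; the first (T, V, R) is the one on slides 3 and 5.
RISKS = [
    Risk("port scanning", "No firewall between the Internet and the LAN",
         "Unauthorized connection to a private computer", 12, 5_000),
    Risk("web site attack", "Web site exposed on the Internet",
         "The web site is hacked", 2, 40_000),
]
MEASURES = [
    Countermeasure("firewall", 10_000, {"port scanning": 0.9}),
    Countermeasure("patching", 20_000, {"web site attack": 0.75}),
    Countermeasure("ids", 15_000, {"port scanning": 0.5, "web site attack": 0.25}),
]
```

With a budget of 30,000 the firewall is chosen first (it removes the most exposure per unit cost), then patching; the residual exposure drops from 140,000 to about 26,000.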

9 Qualitative risk analysis
Differs from formal/quantitative risk analysis in the quantification step
Qualitative risk analysis only identifies the existence of risks, but does not try to quantify the estimated frequency and the costs of occurrence in order to calculate the loss potential.
Examples:
– A Web site connected to the Internet could be hacked.
– A computer connected to the Internet is subject to port scanning.
Note: The definition may be arguable. See http://www.anticlue.net/archives/000817.htm, for example. The qualitative risk analysis outlined in that article includes a quantification step.

10 Other approaches to risk analysis
Security scanning
– The process of performing vulnerability analyses using a security scanner.
– Security scanner: a tool that scans the system to identify vulnerabilities
Intrusion detection
– The process of identifying and responding to intrusions to a system.
– An intrusion is “a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats …”

11 The Network Security Process model

