2 Security in System Development Risk Analysis & Management needs to be a part of system development, not tacked on afterwardsBaskerville's three generations of methods1st Generation: ChecklistsExample: BS 7799 Part 12nd Generation: Mechanistic engineering methodsExample: this risk analysis method3rd Generation: Integrated designNot yet achieved[Baskerville, R. (1993). Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys 25(4): ]
4 Definitions 1The meanings of terms in this area is not universally agreed. We will use the followingThreat: Harm that can happen to an assetImpact: A measure of the seriousness of a threatAttack: A threatening eventAttacker: The agent causing an attack (not necessarily human)Vulnerability: a weakness in the system that makes an attack more likely to succeedRisk: a quantified measure of the likelihood of a threat being realised
5 Definitions 2Risk Analysis involves the identification and assessment of the levels of risk, calculated from theValues of assetsThreats to the assetsTheir vulnerabilities and likelihood of exploitationRisk Management involves the identification, selection and adoption of security measures justified byThe identified risks to assetsThe reduction of these risks to acceptable levels
6 Goals of Risk Analysis All assets have been identified All threats have been identifiedTheir impact on assets has been valuedAll vulnerabilities have been identified and assessed
7 Problems of Measuring Risk Businesses normally wish to measure in money, butMany of the entities do not allow thisValuation of assetsValue of data and in-house software - no market valueValue of goodwill and customer confidenceLikelihood of threatsHow relevant is past data to the calculation of future probabilities?The nature of future attacks is unpredictableThe actions of future attackers are unpredictableMeasurement of benefit from security measuresProblems with the difference of two approximate quantitiesHow does an extra security measure affect a ~10-5 probability of attack?
8 Risk Levels Precise monetary values give a false precision Better to use levels, e.g.High, Medium, LowHigh: major impact on the organisationMedium: noticeable impact (“material” in auditing terms)Low: can be absorbed without difficulty1 - 10Express money values in levels, e.g.For a large University Department a possibility isHighMediumLow£1,000,000+£1,000+< £1,000
9 Risk Analysis Steps Decide on scope of analysis Set the system boundaryIdentification of assets & business processesIdentification of threats and valuation of their impact on assets (impact valuation)Identification and assessment of vulnerabilities to threatsRisk assessment
10 Risk Analysis – Defining the Scope Draw a context diagramDecide on the boundaryIt will rarely be the computer!Make explicit assumptions about the security of neighbouring domainsVerify them!
11 Risk Analysis - Identification of Assets Types of assetHardwareSoftware: purchased or developed programsDataPeople: who run the systemDocumentation: manuals, administrative procedures, etcSupplies: paper forms, magnetic media, printer liquid, etcMoneyIntangiblesGoodwillOrganisation confidenceOrganisation image
12 Risk Analysis – Impact Valuation Identification and valuation of threats - for each group of assetsIdentify threats, e.g. for stored dataLoss of confidentialityLoss of integrityLoss of completenessLoss of availability (Denial of Service)For many asset types the only threat is loss of availabilityAssess impact of threatAssess in levels, e.g H-M-L orThis gives the valuation of the asset in the face of the threat
13 Risk Analysis – Process Analysis Every company or organisation has some processes that are critical to its operationThe criticality of a process may increase the impact valuation of one or more assets identifiedSoIdentify critical processesReview assets needed for critical processesRevise impact valuation of these assets
14 Risk Analysis – Vulnerabilities 1 Identify vulnerabilities against a baseline systemFor risk analysis of an existing systemExisting system with its known security measures and weaknessesFor development of a new systemSecurity facilities of the envisaged software, e.g. Windows NTStandard good practice, e.g. BS 7799 recommendations of good practice
15 Risk Analysis – Vulnerabilities 2 For each threatIdentify vulnerabilitiesHow to exploit a threat successfully;Assess levels of likelihood - High, Medium, LowOf attemptExpensive attacks are less likely (e.g. brute-force attacks on encryption keys)Successful exploitation of vulnerability;Combine themVulnerabilityLikelihood of AttemptLikelihood of SuccessLowMedHigh
16 Risk Assessment Assess risk If we had accurate probabilities and values, risk would beImpact valuation x probability of threat x probability of exploitationPlus a correction factor for risk aversionSince we haven't, we construct matrices such asImpact valuationRiskLowMedHighLowLowLowMedVulnerabilityMedLowMedHighHighLowMedHigh
17 Responses to Risk Responses to risk Avoid it completely by withdrawing from an activityAccept it and do nothingReduce it with security measures
18 Security Measures Possible security measures Transfer the risk, e.g. insuranceReduce vulnerabilityReduce likelihood of attempte.g. publicise security measures in order to deter attackerse.g. competitive approach - the lion-hunter’s approach to securityReduce likelihood of success by preventive measurese.g. access control, encryption, firewallReduce impact, e.g. use fire extinguisher / firewallRecovery measures, e.g. restoration from backup
19 Risk Management Identify possible security measures Decide which to chooseEnsure complete coverage with confidence that:The selected security measures address all threatsThe results are consistentThe expenditure and its benefits are commensurate with the risksConsider doing less than the BS7799 recommendations?
20 Iterate Adding security measures changes the system Vulnerabilities may have been introducedAfter deciding on security measures, revisit the risk analysis and management processese.g. introduction of encryption of stored files may remove the threat to Confidentiality but introduce a threat to AvailabilityWhat happens if the secret key is lost?
21 Conclusion: Problems of Risk Analysis and Management Lack of precisionVolume of work and volume of outputIntegrating them into a ”normal” development process
23 Risk Management Techniques 1 Commercial toolsMostly rely on check listsCRAMM (CCTA Risk Assessment and Management Methodology):UK Government approachSupported by softwarePROTEUS (BSI) software:Gap analysis to identify necessary actions and existing strengthsComprehensive practical guidance and the text of BS 7799Reporting, for easy monitoring and maintenanceEvidence to customers and auditors
24 Risk Management Techniques 2 Generic processesThreat trees (see below):Threat analysisBased on fault treesOnly addresses the threat identification stageAttack trees (see below)Vulnerability analysis
25 Threat Trees 1 AT&T Bell Laboratories Categorisation of threats Disclosure / Integrity / Denial of serviceCategorisation of vulnerabilities by viewPersonnel viewPhysical viewOperational viewCommunications viewNetwork viewComputing viewInformation view[Amoroso, E., W.E. Kleppinger, and D. Majette, An Engineering Approach to Secure System Analysis, Design and Integration. AT&T Technical Journal, (5): p ]
26 Threat Trees 2 Model of system Calculate risks from Impact VulnerabilityThreats toElectronic MailMessageHandlingMOriginatorORecipientRDisclosureIntegrityDenial of ServiceORMSEORMSEORMSEOtherSubscribersSExternalEElectronicMail System
27 Attack Trees Tree Structure Goal is root nodeWays of achieving goals are leaf nodesCosts can be associated with nodes[Schneier, B, Secrets and Lies. 2000: John Wiley and Sons.]
28 Attack Tree Example Goal: Read a specific message … 1. Convince sender to reveal message (OR)1.1. Bribe user1.2. Blackmail user1.3 Threaten user1.4. Fool user2. Read message when it is being entered into the computer (OR)2.1. Monitor electromagnetic emanations from computer screen (Countermeasure: use a TEMPEST computer)2.2. Visually monitor computer screen2.3. Monitor video memory2.4. Monitor video cables3. Read message when it is being stored on sender's disk (Countermeasure: use SFS to encrypt hard drive) (AND)3.1 Get access to hard drive (Countermeasure: Put physical locks on all doors and windows)3.2. Read a file protected with SFS.4. …..