Risk Assessment Richard Newman. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement.



Presentation transcript:

Slide 1: Risk Assessment
Richard Newman

Slide 2: Six Phases of Security Process
1. Identify assets
2. Analyze risk of attack
3. Establish security policy
4. Implement defenses
5. Monitor defenses
6. Recover from attacks
Continuous Improvement Model – use phases 5 and 6 to update, revise and improve all phases

Slide 3: Systems Engineering Process
1. Planning – requirements, resources, expectations
2. Trade-off analysis
   – Solution development
   – Solution analysis
   – Solution comparisons
   – Solution selection
3. Development and implementation – realize the selected solution
4. Verification – formal verification, validation, testing
5. Iteration – use feedback from each stage and from deployment to improve

Slide 4: Deming Cycle (PDCA)
1. Plan – objectives, processes
2. Do – implement the process
3. Check – measure results vs. expected results
4. Act – analyze differences, find causes, revise processes
Basis of ISO 27002, used with ISO 27001 for IT
A.k.a. Shewhart Cycle (Shewhart: father of statistical quality control)
Related: Motorola “Six Sigma”; Boyd's OODA Cycle (Observe, Orient, Decide, Act) – military

Slide 5: Threats
Potential source of harm, characterized by:
– Knowledge
– Resources
– Motive
Threat classes:
– Script kiddies/ankle biters
– Cracker
– Phone phreak
– Hacker
– Black hat/white hat
– Organized crime
– Corporate crime
– Government group

Slide 6: Risk Level
Risk level changes over time with:
– Asset visibility
– Asset owner visibility
– Resource availability
– Access to assets
– Motivation changes
– Knowledge of vulnerabilities
Requires continuous re-evaluation
Must also consider consequences of breach

Slide 7: Identifying Assets
1. Hardware – off-the-shelf replacement cost/customization
2. Purchased software – cost/installation/customization
4. Developed software
5. Statutorily protected data – health/financial/academic/...
6. Organizational data
   – Work products (designs/analyses/reports/...)
   – Planning (marketing/engineering/financial/...)
   – Contacts (customers/vendors/associates/etc.)
7. Activities – production/communication/...

Slide 8: Implementing Protection
Controls:
– Hardware
– Software
– Processes
Costs:
– Up-front cost to buy/develop/train/install/configure
– Ongoing operational costs – inconvenience/monitoring/reconfiguration
– Performance costs – CPU slowdown/human delay
Cost vs. effectiveness

Slide 9: Risk Assessment
Identify risks:
– Identify assets
– Identify threat agents
– Identify attacks
Prioritize risks:
– Estimate likelihood of attacks
– Estimate impact of attacks
– Calculate relative significance of attacks
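The following Python program is an added worked example (not part of the original presentation) that puts slides 8 and 9 together: a small risk register of (asset, threat agent, attack) triples is scored for likelihood and impact on an ordinal 1..5 scale, relative significance is taken as their product, and candidate controls are then compared by the significance they remove per unit of total cost, the "cost vs. effectiveness" question of slide 8. The scales, the asset names, the scores and the control costs are all constructed sample values chosen for the illustration; the attack names follow slide 13.

```python
"""Qualitative risk prioritization and control cost/effectiveness.

Added example for slides 8 and 9 (not from the original presentation).
Each risk is an (asset, threat agent, attack) triple scored for likelihood and
impact on an ordinal 1..5 scale; relative significance is their product.
Candidate controls are compared by the significance they remove per unit of
cost. All asset names, scores and costs below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # ordinal scale used for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    asset: str
    threat_agent: str
    attack: str
    likelihood: int  # estimated likelihood of the attack, 1 (rare) .. 5 (frequent)
    impact: int      # estimated impact if it succeeds, 1 (negligible) .. 5 (severe)

    def significance(self) -> int:
        """Relative significance of the risk: likelihood x impact."""
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside {SCALE_MIN}..{SCALE_MAX}")
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float  # up-front + ongoing operational + performance cost, one constructed unit
    # (asset, attack) -> (new likelihood, new impact) once the control is in place
    effects: Dict[Tuple[str, str], Tuple[int, int]]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Most significant risks first; ties broken by asset and attack for a stable register."""
    return sorted(risks, key=lambda r: (-r.significance(), r.asset, r.attack))


def residual_risks(risks: List[Risk], control: Control) -> List[Risk]:
    """Re-score each risk with the control applied; risks it does not touch are unchanged."""
    out = []
    for r in risks:
        new_l, new_i = control.effects.get((r.asset, r.attack), (r.likelihood, r.impact))
        out.append(Risk(r.asset, r.threat_agent, r.attack, new_l, new_i))
    return out


def total_significance(risks: List[Risk]) -> int:
    return sum(r.significance() for r in risks)


def risk_reduction(risks: List[Risk], control: Control) -> int:
    """Significance removed by a single control applied on its own."""
    return total_significance(risks) - total_significance(residual_risks(risks, control))


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, int, float]]:
    """(name, reduction, reduction per unit cost), most cost-effective first."""
    rows = []
    for c in controls:
        red = risk_reduction(risks, c)
        rows.append((c.name, red, red / c.cost if c.cost > 0 else float("inf")))
    return sorted(rows, key=lambda t: -t[2])


# Constructed sample risk register (attack names follow slide 13).
SAMPLE_RISKS = [
    Risk("patient records DB", "identity thieves", "disclosure", 4, 5),
    Risk("patient records DB", "administrators", "subversion/modification", 2, 5),
    Risk("web front end", "botnet operators", "denial of service", 4, 3),
    Risk("laptops", "property thieves", "physical theft", 3, 4),
    Risk("office network", "hurricane", "denial of service", 1, 4),
]

# Constructed candidate controls. Encryption does not stop laptop theft (likelihood
# unchanged) but makes the stolen data worthless (impact drops); the others lower likelihood.
SAMPLE_CONTROLS = [
    Control("full-disk encryption on laptops", 20.0, {("laptops", "physical theft"): (3, 1)}),
    Control("DB access logging and audit", 50.0, {
        ("patient records DB", "disclosure"): (3, 5),
        ("patient records DB", "subversion/modification"): (1, 5),
    }),
    Control("DDoS scrubbing service", 40.0, {("web front end", "denial of service"): (2, 3)}),
    Control("off-site generator", 100.0, {("office network", "denial of service"): (1, 2)}),
]

if __name__ == "__main__":
    print("Risk register, by significance:")
    for r in prioritize(SAMPLE_RISKS):
        print(f"  {r.significance():>2}  {r.asset:<20} {r.attack:<24} ({r.threat_agent})")
    print("\nControls, by risk reduction per unit cost:")
    for name, red, ratio in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"  {ratio:5.2f}  reduction {red:>2}  {name}")
```

Two design points worth noting. A control is allowed to change impact as well as likelihood, because some controls (encryption of data at rest, backups) do nothing to stop an attack and only limit what is lost; a model that only lowers likelihood would undervalue them. Each control is scored on its own against the original register, so the ranking shows marginal cost-effectiveness for a first pick; choosing a second control should re-run the ranking against the residual register, since two controls on the same risk do not add linearly.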

Slide 10: Threat agents revisited
Outsiders:
– Property thieves
– Vandals
– Identity thieves
– Botnet operators
– Con artists
– Competitors
Insiders:
– Embezzlers
– Housemates/coworkers
– Malicious acquaintances
– Maintenance crews
– Administrators
“Natural” threats:
– Hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...

Slide 11: Security Properties/Goals
Confidentiality – all disclosures reveal information only to authorized recipients, in accordance with policy
Integrity – all changes are performed by authorized entities and are consistent with the integrity policy
Availability – assets are available to authorized users when needed, with the required performance

Slide 12: Security Services
Confidentiality – restrict access to information to authorized recipients, in accordance with policy
Integrity – only allow changes that are performed by authorized entities and are consistent with the integrity policy
Availability – ensure assets are available to authorized users when needed, with the required performance
Authentication – establish that the entity that sent a message or made an access is correctly identified
Non-repudiation – ensure that an entity that performs an action or makes a statement cannot deny it later

Slide 13: Information Attacks
Physical theft – computing resource physically removed
Denial of service – use of computing resource is lost
Subversion/modification
– Asset modified to act on behalf of attacker (Trojan horse)
– Authentic artifact modified to suit attacker
Masquerade/spoofing – attacker takes on the identity of another when accessing resources
Disclosure – information revealed contrary to policy (passive attack)
Forgery/replay
– Attacker produces an artifact that appears authentic
– Attacker repeats an authentic message

Slide 14: NIST Recommendations (SP 800-30 Rev. 1, initial public draft)
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Documentation
http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

Slide 15: SEI OCTAVE Process
Phase 1 – Build asset-based threat profiles: identify assets, threats, organizational risks
Phase 2 – Identify infrastructure vulnerabilities: analyze infrastructure resources for vulnerabilities
Phase 3 – Develop security strategy and plans: recommend and implement controls
http://www.cert.org/octave/

Slide 16: OCTAVE Allegro
1. Establish risk measurement criteria
2. Develop information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach
http://www.cert.org/octave/allegro.html
