Risk Assessment Richard Newman

Six Phases of Security Process
1. Identify assets
2. Analyze risk of attack
3. Establish security policy
4. Implement defenses
5. Monitor defenses
6. Recover from attacks
Continuous Improvement Model - use phases 5 and 6 to update, revise, and improve all phases

Systems Engineering Process
1. Planning - requirements, resources, expectations
2. Trade-off analysis
   - Solution development
   - Solution analysis
   - Solution comparisons
   - Solution selection
3. Development and implementation - realize selected solution
4. Verification - formal verification, validation, testing
5. Iteration - use feedback from each stage and from deployment to improve

Deming Cycle (PDCA)
1. Plan - objectives, processes
2. Do - implement process
3. Check - measure results vs. expected results
4. Act - analyze differences, find causes, revise processes
ISO 27002, used with ISO 27001 for IT
A.k.a. Shewhart Cycle (Shewhart: father of statistical quality control)
Related: Motorola "Six Sigma"; Boyd's OODA Cycle (Observe, Orient, Decide, Act) - military

Threats
Potential source of harm
Threat classes differ in:
- Knowledge
- Resources
- Motive
Threat classes:
- Script kiddies/ankle biters
- Cracker
- Phone phreak
- Hacker - black hat/white hat
- Organized crime
- Corporate crime
- Government group

Risk Level
Risk level changes over time, as these change:
- Asset visibility
- Asset owner visibility
- Resource availability
- Access to assets
- Motivation
- Knowledge of vulnerabilities
Requires continuous re-evaluation
Must also consider consequences of breach

Identifying Assets
1. Hardware - off-the-shelf replacement cost/customization
2. Purchased software - cost/installation/customization
4. Developed software
5. Statutorily protected data - health/financial/academic/...
6. Organizational data
   - Work products (designs/analyses/reports/...)
   - Planning (marketing/engineering/financial/...)
   - Contacts (customers/vendors/associates/etc.)
7. Activities - production/communication/...

Implementing Protection
Controls - hardware, software, processes
Costs:
- Up-front cost to buy/develop/train/install/configure
- On-going operational costs - inconvenience/monitoring/reconfiguration
- Performance costs - CPU slowdown/human delay
Cost vs. effectiveness

Risk Assessment
Identify risks:
- Identify assets
- Identify threat agents
- Identify attacks
Prioritize risks:
- Estimate likelihood of attacks
- Estimate impact of attacks
- Calculate relative significance of attacks
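The prioritization step on this slide and the cost-vs-effectiveness point on the Implementing Protection slide, worked through as an added example (not from the slides): each identified risk is an (asset, threat agent, attack) triple, its relative significance is estimated likelihood times estimated impact, and a control is judged by the significance it removes minus what it costs. The qualitative scales, the sample register and the arbitrary cost units are constructed for the example.

```python
from dataclasses import dataclass

# Constructed qualitative scales: likelihood as a probability-like weight,
# impact on an arbitrary 0-100 scale. Any organization would calibrate its own.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    asset: str          # from "Identify assets"
    threat_agent: str   # from "Identify threat agents"
    attack: str         # from "Identify attacks"
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT

    def significance(self) -> float:
        """Relative significance = estimated likelihood x estimated impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(risks):
    """Order risks from most to least significant (ties keep register order)."""
    return sorted(risks, key=lambda r: r.significance(), reverse=True)


def control_benefit(risk, reduced_likelihood, control_cost):
    """Cost vs. effectiveness of a control that lowers the attack's likelihood:
    significance removed minus control cost, on the same arbitrary scale.
    A negative result means the control costs more than the risk it removes."""
    after = Risk(risk.asset, risk.threat_agent, risk.attack,
                 reduced_likelihood, risk.impact)
    return risk.significance() - after.significance() - control_cost


# Constructed sample risk register, as the "Identify risks" step would produce.
SAMPLE_RISKS = [
    Risk("student health records", "identity thief", "disclosure", "high", "high"),
    Risk("web server", "botnet operator", "denial of service", "high", "medium"),
    Risk("office laptop", "property thief", "physical theft", "medium", "low"),
    Risk("design documents", "competitor", "disclosure", "low", "high"),
]


def top_risk(risks=SAMPLE_RISKS):
    return prioritize(risks)[0]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.significance():6.1f}  {r.asset} / {r.threat_agent} / {r.attack}")
    # Hypothetical control: encryption plus access control drops disclosure
    # likelihood for the records to "low" at a cost of 30 units.
    print("net benefit:", control_benefit(SAMPLE_RISKS[0], "low", 30))
```

Because the ranking depends entirely on the likelihood and impact estimates, it has to be redone when the Risk Level factors above change.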

Threat agents revisited
Outsiders: property thieves, vandals, identity thieves, botnet operators, con artists, competitors
Insiders: embezzlers, housemates/coworkers, malicious acquaintances, maintenance crews, administrators
"Natural" threats: hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...

Security Properties/Goals
Confidentiality - all disclosures reveal information only to authorized recipients, in accordance with policy
Integrity - all changes are performed by authorized entities and are consistent with the integrity policy
Availability - assets are available to authorized users when needed, with the required performance

Security Services
Confidentiality - restrict access to information to authorized recipients, in accordance with policy
Integrity - only allow changes that are performed by authorized entities and are consistent with the integrity policy
Availability - ensure assets are available to authorized users when needed, with the required performance
Authentication - establish that the entity that sent a message or made an access is correctly identified
Non-repudiation - ensure that an entity that performs an action or makes a statement cannot deny it later

Information Attacks
Physical theft - computing resource physically removed
Denial of Service - use of computing resource is lost
Subversion/Modification - asset modified to act on behalf of attacker (trojan horse); authentic artifact modified to suit attacker
Masquerade/spoofing - attacker takes on identity of another when accessing resources
Disclosure - information revealed contrary to policy (passive attack)
Forgery/Replay - attacker produces artifact that appears authentic; attacker repeats authentic message

NIST Recommendations
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Documentation
http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf

SEI OCTAVE Process
Phase 1 - Build Asset-based Threat Profiles: identify assets, threats, organizational risks
Phase 2 - Identify Infrastructure Vulnerabilities: analyze infrastructure resources for vulnerabilities
Phase 3 - Develop Security Strategy and Plans: recommend and implement controls
http://www.cert.org/octave/

OCTAVE Allegro
1. Establish risk measurement criteria
2. Develop information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach
http://www.cert.org/octave/allegro.html