Security Threats Severity Analysis


Security Threats Severity Analysis January 20, 2016 © Abdou Illia – Spring 2016

What is Severity Analysis?
- Assessing the likelihood that security threats will occur
- Assessing threats' potential damage

Key Questions to be asked
- What resources do I need to protect?
- What is the risk associated with potential threats?
- How do I protect valuable resources?
- At what cost?

What resources do I need to protect?
- Do an inventory
- Do a risk assessment
  - Quantitative risk assessment
    - NIST Guide: http://www.nist.gov/itl/csd/risk-092011.cfm
    - Assessment Template: http://www.eiu.edu/~a_illia/MIS4850/RiskAssmt_Template_07112007.doc
  - Qualitative risk assessment

Example inventory:
- External server using an internal SQL database to provide sales over the internet
- Internal email server
- Remote Access server for dial-up
- Backup/File server
- Internal eCommerce Web server
- Domain controller
- Sales, customers, inventory, HR data
- Company's network, including routers, firewalls, etc.
- ...

Assessing potential damage
Determining the extent to which a threat could:
- Modify critical corporate data
- Delete critical corporate data
- Allow unauthorized access to confidential information
- Allow misdirection of confidential information
- Allow message alteration
- Slow down network services
- Jeopardize network service availability
- Lead to loss of customers' faith and trust
- Lead to loss of employees' or customers' privacy

Example: Risk assessment

| Threat | Vulnerability | Damage |
|---|---|---|
| Loss of power | High | Loss of data access; possible data loss |
| Computer virus | | Loss of access to system; possible data loss |
| Natural disaster | Low | Loss of access to system; loss of data, hardware |
| Denial of service attack | | Loss of access to system |
| Eavesdropping | Medium | Access to customers' info |
| ... | | |

How do I protect valuable resources?
Policies
- Acceptable use policy
- Firewall policies
- Confidential information policy
- Password policy
- Remote Access policy
- Security Awareness policy
- ...
Methods of protection
- Antivirus
- 128-bit key encryption
- Two-factor authentication
- ...

Threat Severity Analysis

| Threat | 1. Cost if attack succeeds | 2. Probability of occurrence | 3. Threat severity | 4. Countermeasure cost | 5. Value of protection | 6. Apply countermeasure? | 7. Priority |
|---|---|---|---|---|---|---|---|
| A | $500,000 | 80% | $400,000 | $100,000 | $300,000 | Yes | |
| B | $10,000 | 20% | $2,000 | $3,000 | ($1,000) | No | NA |
| C | | 5% | $5,000 | | | | |
| D | | 70% | $7,000 | $20,000 | ($13,000) | | |
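The seven steps of the worksheet above carried through in code, as an added example that is not part of the original slides: severity is cost times probability, value of protection is severity minus countermeasure cost, a countermeasure is applied only when that value is positive, and priority ranks the applied countermeasures by value. Threats A and B use the slide's figures; threat E is a constructed row added here to give a second threat worth countering.

```python
"""Added example: threat severity worksheet (steps 1-7 of the slide)."""


def threat_severity(cost_if_success, probability):
    """Step 3: severity = cost if the attack succeeds x probability it occurs."""
    return cost_if_success * probability


def value_of_protection(severity, countermeasure_cost):
    """Step 5: severity avoided minus what the countermeasure costs.
    A negative value (shown in parentheses on the slide) means the
    countermeasure costs more than the loss it prevents."""
    return severity - countermeasure_cost


def analyse(threats):
    """threats maps name -> (cost_if_success, probability, countermeasure_cost).
    Fills in steps 3, 5 and 6 for every threat and assigns step 7 (priority)
    in descending order of value among the countermeasures worth applying."""
    rows = {}
    for name, (cost, prob, cm_cost) in threats.items():
        severity = threat_severity(cost, prob)
        value = value_of_protection(severity, cm_cost)
        rows[name] = {
            "severity": severity,
            "value": value,
            "apply": value > 0,   # step 6
            "priority": None,     # step 7: stays None (NA) when not applied
        }
    worth_applying = sorted(
        (n for n, r in rows.items() if r["apply"]),
        key=lambda n: rows[n]["value"], reverse=True,
    )
    for rank, name in enumerate(worth_applying, start=1):
        rows[name]["priority"] = rank
    return rows


# Constructed input: A and B are the slide's own figures; E is made up here
# (cost $100,000, 5% probability, $2,000 countermeasure) as a second threat.
THREATS = {
    "A": (500_000, 0.80, 100_000),
    "B": (10_000, 0.20, 3_000),
    "E": (100_000, 0.05, 2_000),
}

if __name__ == "__main__":
    for name, row in analyse(THREATS).items():
        print(name, row)
```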

A complete In-class Exercise will be given in class with more details.
Visit the www.sophos.com web site to gather information about a worm called W32/SillyFDC-FA and answer the following two questions:
- Using bullets, list specific malicious actions that W32/SillyFDC-FA could take to potentially damage or disturb a computer system.
- Use the questionnaire provided by the instructor to assess the potential risk posed by W32/SillyFDC-FA.

Realities
- Risk analysis can never eliminate risk
- "Information assurance" is impossible
- The goal of risk analysis is reasonable risk
- Risk analysis weighs the probable cost of compromises against the costs of countermeasures
- Also, security has negative side effects that must be weighed
Copyright Pearson Prentice Hall 2013

2.4: Classic Risk Analysis Calculation
Asset Value (AV) x Exposure Factor (EF) = Single Loss Expectancy (SLE)
- Exposure Factor (EF): percentage loss in asset value if a compromise occurs
- Single Loss Expectancy (SLE): expected loss in case of a compromise
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
- Annualized Rate of Occurrence (ARO): annual probability of a compromise
- Annualized Loss Expectancy (ALE): expected loss per year from this type of compromise

2.4: Classic Risk Analysis Calculation (Figure 2-14)

| | Base Case | Countermeasure A |
|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 20% |
| Single Loss Expectancy (SLE) = AV*EF | $80,000 | $20,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 50% |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $10,000 |
| ALE Reduction for Countermeasure | NA | $30,000 |
| Annualized Countermeasure Cost | | $17,000 |
| Annualized Net Countermeasure Value | | $13,000 |

Countermeasure A should reduce the exposure factor by 75%.

2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)

| | Base Case | Countermeasure B |
|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 80% |
| Single Loss Expectancy (SLE) = AV*EF | $80,000 | $80,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 25% |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $20,000 |
| ALE Reduction for Countermeasure | NA | $20,000 |
| Annualized Countermeasure Cost | | $4,000 |
| Annualized Net Countermeasure Value | | $16,000 |

Countermeasure B should cut the frequency of compromises in half.

2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)

| | Base Case | Countermeasure A | Countermeasure B |
|---|---|---|---|
| Asset Value (AV) | $100,000 | $100,000 | $100,000 |
| Exposure Factor (EF) | 80% | 20% | 80% |
| Single Loss Expectancy (SLE) = AV*EF | $80,000 | $20,000 | $80,000 |
| Annualized Rate of Occurrence (ARO) | 50% | 50% | 25% |
| Annualized Loss Expectancy (ALE) = SLE*ARO | $40,000 | $10,000 | $20,000 |
| ALE Reduction for Countermeasure | NA | $30,000 | $20,000 |
| Annualized Countermeasure Cost | | $17,000 | $4,000 |
| Annualized Net Countermeasure Value | | $13,000 | $16,000 |

Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select Countermeasure B.

2.4: Problems with Classic Risk Analysis Calculations
Uneven Multiyear Cash Flows
- For both attack costs and defense costs
- Must compute the return on investment (ROI) using discounted cash flows
- Net present value (NPV) or internal rate of return (IRR)
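The Figure 2-14 calculation carried through in code, as an added example rather than the textbook's own: SLE and ALE for the base case and for Countermeasures A and B, the annualized net countermeasure value that selects B, and a net-present-value view for the uneven multiyear cash flows this slide raises. The discount rate, upfront cost and horizon used in the NPV call are assumptions, not figures from the slides.

```python
"""Added example: classic risk analysis (SLE/ALE) and discounted cash flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV
    exposure_factor: float    # EF: fraction of AV lost per compromise
    aro: float                # Annualized Rate of Occurrence
    annual_cost: float = 0.0  # annualized countermeasure cost (0 for base case)

    @property
    def sle(self):
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def net_countermeasure_value(base, cm):
    """Annualized net value = ALE reduction - annualized countermeasure cost."""
    return (base.ale - cm.ale) - cm.annual_cost


def best_countermeasure(base, options):
    """options maps name -> Scenario; choose the largest annualized net value."""
    return max(options, key=lambda n: net_countermeasure_value(base, options[n]))


def npv(cash_flows, rate):
    """Net present value of year-indexed cash flows (year 0 is undiscounted)."""
    return sum(cf / (1 + rate) ** year for year, cf in enumerate(cash_flows))


def countermeasure_npv(base, cm, years, rate, upfront_cost=0.0):
    """Multiyear view: an assumed upfront purchase in year 0, then each year's
    ALE reduction minus the annual cost, all discounted at `rate`."""
    yearly = (base.ale - cm.ale) - cm.annual_cost
    return npv([-upfront_cost] + [yearly] * years, rate)


# Figures from Figure 2-14 on the slides.
BASE = Scenario(asset_value=100_000, exposure_factor=0.80, aro=0.50)
CM_A = Scenario(100_000, 0.20, 0.50, annual_cost=17_000)  # cuts EF by 75%
CM_B = Scenario(100_000, 0.80, 0.25, annual_cost=4_000)   # halves the ARO
OPTIONS = {"A": CM_A, "B": CM_B}
```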

2.4: Problems with Classic Risk Analysis Calculations
Total Cost of Incident (TCI)
- The exposure factor in classic risk analysis assumes that a percentage of the asset is lost
- In most cases, damage does not come from asset loss
- For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains
- Must compute the total cost of incident (TCI)
- Include the cost of repairs, lawsuits, and many other factors

2.4: Problems with Classic Risk Analysis Calculations
Many-to-Many Relationships between Countermeasures and Resources
- Classic risk analysis assumes that one countermeasure protects one resource
- Single countermeasures, such as a firewall, often protect many resources
- Single resources, such as data on a server, are often protected by multiple countermeasures
- Extending classic risk analysis is difficult

2.4: Problems with Classic Risk Analysis Calculations
Impossibility of Knowing the Annualized Rate of Occurrence
- There simply is no way to estimate this
- This is the worst problem with classic risk analysis
- As a consequence, firms often merely rate their resources by risk level

2.4: Problems with Classic Risk Analysis Calculations
Problems with "Hard-Headed Thinking"
- Security benefits are difficult to quantify
- If only "hard numbers" are accepted, a firm may underinvest in security

2.4: Problems with Classic Risk Analysis Calculations
Perspective
- Impossible to do perfectly
- Must be done as well as possible
- Identifies key considerations
- Works if countermeasure value is very large or very negative
- But never take classic risk analysis seriously

2.4: Responding to Risk
Risk Reduction
- The approach most people consider
- Install countermeasures to reduce harm
- Makes sense only if risk analysis justifies the countermeasure
Risk Acceptance
- If protecting against a loss would be too expensive, accept losses when they occur
- Good for small, unlikely losses
- Good for large but rare losses

2.4: Responding to Risk
Risk Transference
- Buy insurance against security-related losses
- Especially good for rare but extremely damaging attacks
- Does not mean a company can avoid working on IT security
- With bad security, the company will not be insurable
- With better security, it will pay lower premiums

2.4: Responding to Risk
Risk Avoidance
- Not taking a risky action
- Loses the benefits of the action
- May cause anger against IT security
Recap: Four Choices when You Face Risk
- Risk reduction
- Risk acceptance
- Risk transference
- Risk avoidance