Dipartimento di Scienze - 19 June 2015. Pamela Peretti, PhD programme in Sciences (Dottorato di ricerca in Scienze), XXI cycle, annual review, academic year 2007/2008, Dipartimento di Scienze.

Pamela Peretti. PhD programme in Sciences, XXI cycle, annual review, academic year 2007/2008. Dipartimento di Scienze, Università degli Studi "G. d'Annunzio", Pescara. Tutor: Prof. Stefano Bistarelli.

My PhD thesis

Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Terminology. An asset is any tangible or intangible item owned by an organization that has value for the enterprise and needs protection.

Terminology. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.

Terminology. The absence or weakness of a countermeasure or safeguard is a vulnerability. An attack is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets.

Terminology. Exposure is being susceptible to asset loss because of an attack: there is the possibility that a vulnerability can or will be exploited by an attacker or event.

Terminology. Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.

Terminology. A countermeasure is anything that removes a vulnerability or protects against one or more specific attacks.

Assessment methodology. The process followed in the next slides has four steps: identify the assets, identify the possible threats, identify the possible countermeasures, and select the appropriate countermeasures. Quantitative approaches assign absolute numeric values to assets, threats, vulnerabilities and countermeasures. Qualitative approaches are scenario-based: threats are ranked on a scale to evaluate their risks, costs and effects, using instruments such as brainstorming, the Delphi technique, focus groups, surveys, questionnaires, checklists and interviews.

Dipartimento di Scienze - 19 giugno  Assign the AV select the appropriate countermeasures Identify the possible countermeasures Identify the possible threats Identify asset Quantitative approaches The Asset Value (AV) is a synthetic measure of the cost of creation, development support, replacement and ownership value of an asset.

Dipartimento di Scienze - 19 giugno  Calculate the EF and the SLE  Calculate the ARO  Calculate the ALE select the appropriate countermeasures Identify the possible countermeasures Identify the possible threats Identify asset Quantitative approaches The Exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by an attack. The Single Loss Exposure (SLE) represents a measure of an organization's loss from a single threat against a specific asset and can be computed by using the following formula:

Dipartimento di Scienze - 19 giugno  Calculate the EF and the SLE  Calculate the ARO  Calculate the ALE select the appropriate countermeasures Identify the possible countermeasures Identify the possible threats Identify asset Quantitative approaches The Annualized Rate of Occurrence (ARO) is the expected frequency with which a specific threat or attack will occur within a single year. The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an organization which can be ascribed to a threat and can be computed by using the following formula:

Quantitative approaches, step: evaluate the RM and the CSI. The Risk Mitigated by a countermeasure (RM) represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from the exploitation of a vulnerability; it is a numeric value between 0 and 1. The Cost of a Security Investment (CSI) is the cost that an organization must face to implement a given countermeasure.

Dipartimento di Scienze - 19 giugno  Calculate the ROI select the appropriate countermeasures Identify the possible countermeasures Identify the possible threats Identify asset Quantitative approaches Given an attack a and a countermeasure c which is able to mitigate a, the Return on Investment (ROI) is the benefit that a defender of an IT system expects from the introduction of c into the system over the costs for implementing that countermeasure.

Dipartimento di Scienze - 19 giugno  Calculate the ROI  Calculate the ROA select the appropriate countermeasures Identify the possible countermeasures Identify the possible threats Identify asset Quantitative approaches The Return on Attack (ROA) is the gain that an attacker expects from a successful attack a over the costs he sustains due to the adoption of a countermeasure c by its target. where GI is the expected gain of the attack, GI  RM c is the lost profit produced by c and cost a is the cost associated to an attack strategy a.

Qualitative approaches. Qualitative risk analysis is a scenario-based approach. A scenario is a written description of a single major threat; the description focuses on how the threat would be instigated and what effects it could have on the organization, the IT infrastructure and specific assets.

A security scenario (figure): interruption of service, disclosure of confidential information, loss of data.

Defence trees. Defence trees are an extension of attack trees [Schneier00]. In an attack tree the root is an asset of an IT system, paths from a leaf to the root represent attacks on the asset, and the non-leaf nodes can be and-nodes or or-nodes. A defence tree is an attack tree together with a set of countermeasures.

Defence trees: example (figure). Root goal: steal data stored in a server; sub-goals: obtain root privileges, attack the system with a remote login, steal the server. The leaf attacks a1 to a6 are grouped as a1/a2, a3/a4 and a5/a6 under the sub-goals; the countermeasures are c1, c2, c3 for a1; c3, c4, c5 for a2; c6, c7 for a3; c8, c9 for a4; c10, c11 for a5; and c12, c13 for a6.

Quantitative evaluation. 1. An economic evaluation of threats: considering multiple attacks and countermeasures; combining the defender's and the attacker's points of view. 2. Three novel indexes: the Exposure Factor during Critical Time; the Exposure Factor under Retaliation; the Risk Mitigated against Collusion. 3. Interaction between attackers and defender: the defence tree as a strategic game, using the economic indexes as payoffs.

An economic evaluation of threats (formula slide): the Return on Investment (ROI) and the Return on Attack (ROA).

Multiple attacks and countermeasures: three cases. 1. A single attack and multiple countermeasures. 2. Multiple attacks and a single countermeasure. 3. Multiple attacks and multiple countermeasures.

Three novel indexes. The Exposure Factor during critical time (EFCT) expresses the influence that the criticality of a specific time instant has on the EF. The Exposure Factor under retaliation (EFR) expresses the influence that the chance of retaliating against an attack on an asset has on the EF. The Risk Mitigated against collusion (RMC) expresses the influence that collusion among attackers has on the RM.

Strategic game. We consider a strategic game with 2 players, the defender and the attacker of a system: S_d is the set of the defender's strategies (the countermeasures); S_a is the set of the attacker's strategies (the vulnerabilities); ROI and ROA are the payoff functions for the defender and the attacker. The figure shows a payoff matrix for the attacks a1, a2 against the countermeasures c1, c2, c3, with entries (U_d, U_a) such as (1, 1), (0, 2), (1, 2) and (1, 0).

Strategic game: example. Selection of a single countermeasure/attack: the set of strategies of the defender and of the attacker is composed of a single action. Example tree (figure): goal "Steal the server"; attack a1: have the keys and go out unobserved; attack a2: break down the door and go out unobserved; countermeasures: c1 install a safety lock, c2 install video surveillance equipment, c3 hire a security guard, c4 install a security door.
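The game above worked in code that is added here and is not the slides' own: the pure-strategy Nash equilibria of a defender/attacker game are found on a payoff matrix whose (U_d, U_a) entries are constructed ROI-like and ROA-like values for the two attacks and four countermeasures of the example (the slides' actual payoff numbers are not readable in the transcript), and the defender's maximin choice is computed for the case where no equilibrium exists.

```python
# Strategic game between a defender (rows: countermeasures) and an attacker
# (columns: attacks). A cell holds (U_d, U_a): the defender's payoff (ROI-like)
# and the attacker's payoff (ROA-like). The numbers are constructed for the
# "Steal the server" example and are not the slides' values.

A1 = "a1: have the keys, go out unobserved"
A2 = "a2: break down the door, go out unobserved"

# PAYOFFS[countermeasure][attack] = (U_d, U_a)
PAYOFFS = {
    "c1: install a safety lock":      {A1: (0.2, 3.0), A2: (1.8, 2.0)},
    "c2: install video surveillance": {A1: (1.0, 1.5), A2: (0.5, 1.2)},
    "c3: hire a security guard":      {A1: (-0.6, 0.0), A2: (-0.7, 0.0)},
    "c4: install a security door":    {A1: (-0.3, 3.5), A2: (1.2, 1.0)},
}

def defender_best_responses(payoffs, attack):
    """Countermeasures maximising U_d when the attacker plays `attack` (ties kept)."""
    best = max(payoffs[c][attack][0] for c in payoffs)
    return {c for c in payoffs if payoffs[c][attack][0] == best}

def attacker_best_responses(payoffs, cm):
    """Attacks maximising U_a when the defender plays `cm` (ties kept)."""
    best = max(u_a for (_, u_a) in payoffs[cm].values())
    return {a for a, (_, u_a) in payoffs[cm].items() if u_a == best}

def pure_nash_equilibria(payoffs):
    """All (countermeasure, attack) pairs in which each side is a best response
    to the other. The list may be empty: then no single-action choice is stable."""
    return [(c, a) for c in payoffs for a in payoffs[c]
            if c in defender_best_responses(payoffs, a)
            and a in attacker_best_responses(payoffs, c)]

def defender_maximin(payoffs):
    """Countermeasure with the best worst-case U_d over all attacks: the conservative
    choice when no equilibrium exists or the attacker's payoffs are uncertain."""
    return max(payoffs, key=lambda c: min(u_d for (u_d, _) in payoffs[c].values()))

if __name__ == "__main__":
    print("pure Nash equilibria:", pure_nash_equilibria(PAYOFFS))
    print("defender maximin choice:", defender_maximin(PAYOFFS))
```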

Qualitative evaluation. Cp-defence trees: AND-composition of preference; OR-composition of preference. Translation of AND/OR attacks into ASO programs: AND attacks; OR attacks.

Cp-defence trees. A Cp-defence tree is a defence tree enriched with conditional preferences over attacks and countermeasures. CP-nets [Boutilier99] are a graphical formalism to specify and represent conditional preference relations. In the example tree (figure) the preferences are: for a1, c1 ≻ c2 ≻ c3; for a2, c5 ≻ c3 ≻ c4; for a3, c6 ≻ c7; for a4, c8 ≻ c9; for a5, c11 ≻ c10; for a6, c13 ≻ c12; and over the attacks, a2 ≻ a1 ≻ a6 ≻ a5 ≻ a3 ≻ a4.

AND-composition of preference. An and-attack is an attack composed of a set of actions that an attacker has to achieve successfully to obtain his goal. Example: the and-attack x ∧ y ∧ z with A = {x, y, z}, C = {a, b, c} and preferences x: a ≻ b ≻ c, y: b ≻ c, z: a ≻ b; the and-composition gives a ≻ b ≻ c.

AND-composition of preference, second example: the and-attack x ∧ y with A = {x, y}, C = {a, b, c, d}, preferences x: a ≻ b, y: c ≻ d, and a preference between the attacks x and y; the and-composition gives c ≻ d ≻ a ≻ b.

OR-composition of preference. An or-attack is an attack composed of different, alternative actions, any one of which an attacker has to achieve successfully to obtain his goal. Example: the or-attack x ∨ y ∨ z with A = {x, y, z}, C = {a, b, c} and preferences x: a ≻ b ≻ c, y: c ≻ a, z: a ≻ b; the or-composition (figure) orders sets of countermeasures that cover all the alternatives, among them [a], [a, b], [a, c], [b, c] and [a, b, c].

Translation of AND-attacks. Program P_x: r_x1: x ←. r_x2: a ∨ b ∨ c ← x. Φ_x1: a > b > c ← x. Program P_y: r_y1: y ←. r_y2: a ∨ b ← y. Φ_y1: a > b ← y. AND composition P_and: r_1: root ←. r_2: x ∨ y ← root. The optimal answer set associated with P_and is M_4 = {root, x, a}; the preferred set of countermeasures is {a}.

Translation of OR-attacks. Program P_x: r_x1: x ←. r_x2: a ∨ b ∨ c ← x. Φ_x1: a > b > c ← x. Program P_y: r_y1: y ←. r_y2: a ∨ b ← y. Φ_y1: a > b ← y. OR composition P_or: r_1: root' ←. r_2: x ← root'. r_3: y ← root'. The optimal answer set associated with P_or is M'_1 = {root', x, y, a}; the preferred set of countermeasures is {a}.
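The two translations above, executed by a small brute-force answer-set optimiser added here as an example (it is not the slides' code and uses no ASP solver): answer sets are computed as the minimal models of the positive disjunctive program, each preference rule is scored with the ASO satisfaction degree (1 when its best option is present, or when the rule is irrelevant because its body or none of its options holds), and the Pareto-optimal answer sets are returned for the AND program and for the OR program; the root atom is called root in both.

```python
from itertools import combinations

# Rules are (head, body): head is a list of atoms read as a disjunction, body a
# list of atoms; a fact has an empty body. Preference rules are (options, body)
# with options listed from most to least preferred.

def is_model(s, rules):
    """s satisfies every rule whose body holds in s by containing a head atom."""
    return all(not set(body) <= s or set(head) & s for head, body in rules)

def answer_sets(atoms, rules):
    """Answer sets of a positive disjunctive program: its minimal models (brute force)."""
    models = [frozenset(c) for n in range(len(atoms) + 1)
              for c in combinations(atoms, n) if is_model(set(c), rules)]
    return [m for m in models if not any(o < m for o in models)]

def degree(s, pref):
    """ASO satisfaction degree: rank of the best option present in s; 1 if irrelevant."""
    options, body = pref
    if not set(body) <= s:
        return 1
    return next((i for i, opt in enumerate(options, 1) if opt in s), 1)

def optimal_answer_sets(atoms, rules, prefs):
    """Pareto-optimal answer sets: no other answer set is at least as good on
    every preference rule and strictly better on one of them."""
    sets = answer_sets(atoms, rules)
    vec = {s: tuple(degree(s, p) for p in prefs) for s in sets}
    def dominated(s):
        return any(all(x <= y for x, y in zip(vec[o], vec[s])) and vec[o] != vec[s]
                   for o in sets)
    return sorted((s for s in sets if not dominated(s)), key=sorted)

# Sub-attack programs P_x and P_y and their preference rules, as on the slides.
ATOMS = ["root", "x", "y", "a", "b", "c"]
P_X = [(["x"], []), (["a", "b", "c"], ["x"])]      # r_x1, r_x2
P_Y = [(["y"], []), (["a", "b"], ["y"])]           # r_y1, r_y2
PREFS = [(["a", "b", "c"], ["x"]), (["a", "b"], ["y"])]  # Phi_x1, Phi_y1

def and_attack_optimal():
    """P_and: root <- . x v y <- root. Stopping one branch stops the and-attack,
    so the sub-attack facts are replaced by the disjunctive choice under root."""
    p_and = [(["root"], []), (["x", "y"], ["root"]), P_X[1], P_Y[1]]
    return optimal_answer_sets(ATOMS, p_and, PREFS)

def or_attack_optimal():
    """P_or: root <- . x <- root. y <- root. Every alternative must be countered."""
    p_or = [(["root"], []), (["x"], ["root"]), (["y"], ["root"]), P_X[1], P_Y[1]]
    return optimal_answer_sets(ATOMS, p_or, PREFS)

def countermeasures(answer_set, cms=("a", "b", "c")):
    """The countermeasure atoms chosen in an answer set."""
    return set(answer_set) & set(cms)

if __name__ == "__main__":
    print("AND:", [sorted(s) for s in and_attack_optimal()])
    print("OR: ", [sorted(s) for s in or_attack_optimal()])
```

For the AND program both {root, x, a} and {root, y, a} score (1, 1) and are optimal; the slides report the first, and in both cases the chosen countermeasure set is {a}.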

ASO and Cp-defence tree: logic programming. The example defence tree becomes the program: root ←. a12 ← root. a34 ← root. a56 ← root. a1 ← a12. a2 ← a12. a3 ← a34. a4 ← a34. a5 ∨ a6 ← a56. c1 ∨ c2 ∨ c3 ← a1. c3 ∨ c4 ∨ c5 ← a2. c6 ∨ c7 ← a3. c8 ∨ c9 ← a4. c10 ∨ c11 ← a5. c12 ∨ c13 ← a6. Conditional preference rules: c1 > c2 > c3 ← a1. c5 > c3 > c4 ← a2. c6 > c7 ← a3. c8 > c9 ← a4. c11 > c10 ← a5. c13 > c12 ← a6.

ASO and Cp-defence tree: ranking of preference rules. The logic program is the one of the previous slide; the preference rules are ranked following the preference over the attacks (a2 ≻ a1 ≻ a6 ≻ a5 ≻ a3 ≻ a4): Φ1: c5 > c3 > c4 ← a2. Φ2: c1 > c2 > c3 ← a1. Φ3: c13 > c12 ← a6. Φ4: c11 > c10 ← a5. Φ5: c6 > c7 ← a3. Φ6: c8 > c9 ← a4.
