1 Oppliger: Ch. 15 Risk Management

2 Outline
– Introduction
– Formal risk analysis
– Alternative risk analysis approaches/technologies
  – Security scanning
  – Intrusion detection

True or false? Risks are everywhere! A new risk may be introduced (or triggered) by a solution.

3 Risk
A risk is an expectation of loss.
– Usually represented as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result:
  Risk = prob(T, V, R)
Example:
– Let T = “port scanning”
– Let V = “No firewall exists between the public Internet and the private network”
– Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”
Other examples of risk?

4 Risk Analysis
Also known as Risk Assessment.
A systematic process that
a) identifies valuable system resources and threats to those resources;
b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence;
c) (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
In short: a process that identifies risks and their respective potential cost (and countermeasures).

5 Risk Analysis (cont.)
Example of risk analysis?
– Let T = “port scanning”
– Let V = “No firewall exists between the public Internet and the private network”
– Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer”
– Factors affecting the potential cost? Cost per incident, frequency of incident
Other examples of risk analysis?
Other definitions of risk analysis?

6 Risk Analysis (cont.)
Other definitions of risk analysis?
– Risk analysis (in business) is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Source:
– Risk analysis (in engineering) is the science of risks and their probability and evaluation. Source:
Cf. risks with respect to project failure; risks with respect to a system’s being breached; other risks??

7 Risk Management
A process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources.
Threat model:
– The attackers (who)
– The attacks (how)
– The resources (what)
– …

8 Formal Risk Analysis
A formal process and/or tool(s) for performing risk analysis.
Examples:
– British CCTA’s CRAMM (CCTA Risk Analysis & Management Methodology)
– French CLUSIF’s MARION
Steps:
– Establish an inventory of all assets
– Quantify loss exposures based on estimated frequencies and costs of occurrence
Quantitative risk analysis is complex! It is difficult to quantify (due to complexities and lack of models).
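
The quantification steps of slides 4, 5 and 8 (inventory the risks as (T, V, R) triples, compute loss exposure as estimated frequency times cost per incident, then rank countermeasures by how much exposure they remove net of their own cost) can be carried through in code. The following is an added worked example written for this page; it is not code from Oppliger's chapter, from the slides, or from CRAMM or MARION. The risk figures, the second risk triple, the countermeasure names, their annual costs and their assumed effectiveness are all constructed for illustration, and the greedy allocation in `recommend` is one simple heuristic for "minimize total exposure", not a method the slides prescribe.

```python
"""Worked quantitative risk analysis in the slides' terms (added example).

Risk = (T, V, R); loss exposure = estimated frequency per year x estimated
cost per incident (slide 4 step b, slide 5's two factors).  Countermeasures
are ranked by exposure removed net of their cost (slide 4 step c).
All figures are constructed for illustration, not from any real assessment.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    threat: str                 # T, e.g. "port scanning"
    vulnerability: str          # V, the weakness T exploits
    result: str                 # R, the harmful outcome
    frequency_per_year: float   # estimated incidents per year
    cost_per_incident: float    # estimated loss per incident

    def loss_exposure(self) -> float:
        """Annual loss exposure = frequency x cost per incident."""
        return self.frequency_per_year * self.cost_per_incident


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    addresses: str              # the vulnerability V it removes or weakens
    frequency_reduction: float  # fraction of incidents prevented, 0..1


def total_exposure(risks: List[Risk]) -> float:
    """Step b: sum loss exposure over the whole risk inventory."""
    return sum(r.loss_exposure() for r in risks)


def apply_countermeasure(risks: List[Risk], cm: Countermeasure) -> List[Risk]:
    """Scale down the incident frequency of every risk whose vulnerability
    the countermeasure addresses; other risks are returned unchanged."""
    return [replace(r, frequency_per_year=r.frequency_per_year * (1.0 - cm.frequency_reduction))
            if r.vulnerability == cm.addresses else r
            for r in risks]


def evaluate(risks: List[Risk], cms: List[Countermeasure]) -> List[Dict[str, float]]:
    """Step c: exposure removed and net benefit (removed minus annual cost)
    per countermeasure, best first.  A measure that removes the most
    exposure can still rank last when it costs more than it saves."""
    base = total_exposure(risks)
    rows = []
    for cm in cms:
        removed = base - total_exposure(apply_countermeasure(risks, cm))
        rows.append({"name": cm.name, "exposure_removed": removed,
                     "annual_cost": cm.annual_cost, "net_benefit": removed - cm.annual_cost})
    rows.sort(key=lambda row: row["net_benefit"], reverse=True)
    return rows


def recommend(risks: List[Risk], cms: List[Countermeasure], budget: float) -> List[str]:
    """Greedy allocation (a constructed heuristic): take countermeasures in
    order of net benefit while the benefit is positive and the budget allows."""
    by_name = {cm.name: cm for cm in cms}
    chosen, spent = [], 0.0
    for row in evaluate(risks, cms):
        if row["net_benefit"] <= 0:
            break
        cm = by_name[row["name"]]
        if spent + cm.annual_cost <= budget:
            chosen.append(cm.name)
            spent += cm.annual_cost
    return chosen


# Constructed inventory: the first triple is the slides' own example,
# the second is an additional illustrative one.
RISKS = [
    Risk("port scanning",
         "no firewall between the public Internet and the private network",
         "unauthorized connection between an internal computer and a remote computer",
         frequency_per_year=12, cost_per_incident=5_000),
    Risk("phishing e-mail",
         "no user awareness training",
         "staff credentials disclosed to a third party",
         frequency_per_year=4, cost_per_incident=10_000),
]

# Constructed candidate countermeasures with assumed costs and effectiveness.
COUNTERMEASURES = [
    Countermeasure("perimeter firewall", 8_000, RISKS[0].vulnerability, 0.9),
    Countermeasure("awareness training", 15_000, RISKS[1].vulnerability, 0.5),
    Countermeasure("outsourced monitoring service", 70_000, RISKS[0].vulnerability, 0.95),
]

if __name__ == "__main__":
    print(f"total annual loss exposure: {total_exposure(RISKS):,.0f}")
    for row in evaluate(RISKS, COUNTERMEASURES):
        print(f"{row['name']:30s} removes {row['exposure_removed']:>9,.0f}  "
              f"costs {row['annual_cost']:>7,.0f}  net {row['net_benefit']:>9,.0f}")
    print("recommended within a budget of 20,000:", recommend(RISKS, COUNTERMEASURES, 20_000))
```

With the constructed figures the inventory carries 100,000 of annual exposure; the firewall removes 54,000 for 8,000 and ranks first, while the monitoring service removes more (57,000) but costs 70,000 and has a negative net benefit, which is the point of step c: spend where exposure removed per unit of cost is greatest, not where the headline reduction is largest. The slide's caveat still applies: every number here is an estimate, and the ranking is only as good as the frequency and cost models behind it.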

9 Qualitative Risk Analysis
Differs from formal/quantitative risk analysis in the quantification step.
Qualitative risk analysis only identifies the existence of risks; it does not try to quantify the estimated frequency and the costs of occurrence in order to calculate the loss potential.
Examples:
– A Web site connected to the Internet could be hacked.
– A computer connected to the Internet is subject to port scanning.
Note: The definition may be arguable. See for example. The qualitative risk analysis outlined in that article includes a quantification step.

10 Other Approaches to Risk Analysis
Security scanning
– The process of performing vulnerability analyses using a security scanner.
– Security scanner: a tool that scans the system to identify vulnerabilities.
Intrusion detection
– The process of identifying and responding to intrusions to a system.
– An intrusion is “a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats …”
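
Slide 10 defines an intrusion as a sequence of related actions rather than a single event, and slide 3's example risk is exactly such a sequence: port scanning (T) against a network with no firewall in front of it (V), followed by an established connection between an internal computer and the remote one (R). The following added example, written for this page and not taken from Oppliger or any intrusion detection product, shows a detector that correlates those two actions per (source, destination) pair instead of alerting on either alone. The log line format, the `probe`/`established` event names, the addresses (from documentation ranges), the thresholds and the sample lines are all constructed.

```python
"""Detect the slides' intrusion sequence: a port scan against a host,
followed by an established connection from the same source (added example).
Log format, event names, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log line format:
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> event=<probe|established>
# "probe" = a connection attempt that did not complete; "established" = a
# completed session.  Both meanings are assumptions of this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) event=(?P<event>\w+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; a malformed line yields None and is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "event": m["event"]}


def detect(lines: List[str], min_ports: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Emit a 'port_scan' alert once a source has probed at least min_ports
    distinct ports on one destination within `window`, and a
    'scan_then_connection' alert when that source later completes a session
    to the same host.  An established session from a source that never
    scanned produces nothing: the two actions must be related."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])            # stable: ties keep log order
    probes = defaultdict(list)                    # (src, dst) -> [(ts, dport)]
    scans: Dict[tuple, datetime] = {}             # (src, dst) -> time flagged
    alerts: List[Dict] = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["event"] == "probe":
            probes[key].append((e["ts"], e["dport"]))
            recent_ports = {p for t, p in probes[key] if e["ts"] - t <= window}
            if len(recent_ports) >= min_ports and key not in scans:
                scans[key] = e["ts"]
                alerts.append({"kind": "port_scan", "src": e["src"], "dst": e["dst"],
                               "ports": sorted(recent_ports), "at": e["ts"].isoformat()})
        elif e["event"] == "established" and key in scans:
            alerts.append({"kind": "scan_then_connection", "src": e["src"], "dst": e["dst"],
                           "dport": e["dport"], "scan_at": scans[key].isoformat(),
                           "at": e["ts"].isoformat()})
    return alerts


# Constructed sample log (documentation address ranges; nothing real).
SAMPLE_LOG = [
    "2024-03-01T10:00:00 src=203.0.113.5 dst=10.0.0.7 dport=21 event=probe",
    "2024-03-01T10:00:01 src=203.0.113.5 dst=10.0.0.7 dport=22 event=probe",
    "2024-03-01T10:00:01 src=198.51.100.9 dst=10.0.0.7 dport=443 event=established",  # benign
    "2024-03-01T10:00:02 src=203.0.113.5 dst=10.0.0.7 dport=23 event=probe",
    "2024-03-01T10:00:03 src=203.0.113.5 dst=10.0.0.7 dport=25 event=probe",
    "this line is malformed and must be skipped",
    "2024-03-01T10:00:04 src=203.0.113.5 dst=10.0.0.7 dport=80 event=probe",
    "2024-03-01T10:00:05 src=203.0.113.5 dst=10.0.0.8 dport=22 event=probe",  # one port: no scan
    "2024-03-01T10:00:30 src=203.0.113.5 dst=10.0.0.7 dport=22 event=established",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises two alerts for 203.0.113.5 against 10.0.0.7 (the scan at the fifth distinct port, then the session on port 22 half a minute later) and stays silent for the benign session from 198.51.100.9 and for the single probe against 10.0.0.8. Raising `min_ports` to 6 suppresses both alerts, which is the usual trade-off in tuning such a rule: the threshold and window decide how many related actions count as a sequence, and hence the balance between missed scans and false alarms.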

11 The Network Security Process model