Risk Assessment Richard Newman

Six Phases of Security Process
1. Identify assets
2. Analyze risk of attack
3. Establish security policy
4. Implement defenses
5. Monitor defenses
6. Recover from attacks
Continuous Improvement Model – use 5 and 6 to update, revise, improve all phases

Systems Engineering Process
1. Planning
   – Requirements, resources, expectations
2. Trade-off analysis
   – Solution development
   – Solution analysis
   – Solution comparisons
   – Solution selection
3. Development and implementation
   – Realize selected solution
4. Verification
   – Formal verification, validation, testing
5. Iteration
   – Use feedback from each stage and from deployment to improve

Deming Cycle (PDCA)
1. Plan – Objectives, processes
2. Do – Implement process
3. Check – Measure results vs. expected results
4. Act – Analyze differences, find causes, revise processes
ISO 27002, used with ISO for IT
A.k.a. Shewhart Cycle (father of statistical quality control)
Motorola “Six Sigma”
Boyd's OODA Cycle (Observe, Orient, Decide, Act) – Military

Threats
Potential source of harm
– Knowledge
– Resources
– Motive
Threat classes
– Script kiddies/ankle biters
– Cracker
– Phone phreak
– Hacker
– Black hat/white hat
– Organized crime
– Corporate crime
– Government group

Risk Level
Risk level changes over time
– Asset visibility
– Asset owner visibility
– Resource availability
– Access to assets
– Motivation changes
– Knowledge of vulnerabilities
Requires continuous re-evaluation
Must also consider consequences of breach

Identifying Assets
1. Hardware – Off-the-shelf replacement cost/customization
2. Purchased software – Cost/installation/customization
4. Developed software
5. Statutorily protected data – Health/Financial/Academic/...
Organizational data
– Work products (designs/analyses/reports/...)
– Planning (marketing/engineering/financial/...)
– Contacts (customers/vendors/associates/etc.)
7. Activities – Production/communication/...

Implementing Protection
Controls
– Hardware
– Software
– Processes
Costs
– Up-front cost to buy/develop/train/install/configure
– On-going operational costs – inconvenience/monitoring/reconfiguration
– Performance costs – CPU slowdown/human delay
Cost vs. Effectiveness

Risk Assessment
Identify Risks
– Identify assets
– Identify threat agents
– Identify attacks
Prioritize Risks
– Estimate likelihood of attacks
– Estimate impact of attacks
– Calculate relative significance of attacks
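The two slides above (Implementing Protection: cost vs. effectiveness; Risk Assessment: prioritize risks) describe a procedure without showing the arithmetic. The following Python program is an added example, not part of Richard Newman's slides: it scores each (asset, threat) pair as likelihood x impact x asset value, ranks the pairs, and then ranks candidate controls by the risk they remove minus their cost. The assets, threats, controls, probabilities, values and costs are all constructed sample numbers, and the scoring formula (a simple expected annual loss) is one common choice, not the one the slides prescribe.

```python
"""Asset-based risk prioritisation and cost-versus-effectiveness of controls.

Added example, not part of the slides: each (asset, threat) pair is scored as
likelihood x impact x asset value, the pairs are ranked, and candidate
controls are then compared by the risk they remove against what they cost.
Every asset, threat, control and number below is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float       # replacement/loss value in currency units (constructed)


@dataclass(frozen=True)
class Threat:
    agent: str         # threat agent class, e.g. "organized crime"
    attack: str        # attack type, e.g. "disclosure"
    likelihood: float  # estimated annual probability of a successful attack, 0..1
    impact: float      # fraction of the asset's value lost if it succeeds, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    cost: float        # up-front plus annual operating cost (constructed)
    covers: frozenset  # attack types this control addresses
    reduction: float   # fraction by which it cuts the likelihood of covered attacks


def risk_score(asset: Asset, threat: Threat) -> float:
    """Expected annual loss from one threat against one asset."""
    return threat.likelihood * threat.impact * asset.value


def prioritize(register):
    """Rank (asset, threat) pairs by descending risk score."""
    scored = [(risk_score(a, t), a, t) for a, t in register]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def control_benefit(control: Control, register) -> float:
    """Total risk removed when the control is applied to every pair it covers."""
    return sum(risk_score(a, t) * control.reduction
               for a, t in register if t.attack in control.covers)


def rank_controls(controls, register):
    """Rank controls by net benefit (risk removed minus cost), descending."""
    rows = []
    for c in controls:
        benefit = control_benefit(c, register)
        rows.append((benefit - c.cost, benefit, c))
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register: assets, and the threats considered against them.
WEB = Asset("public web server", 50_000)
DB = Asset("customer database", 200_000)
SAMPLE_REGISTER = [
    (DB, Threat("organized crime", "disclosure", 0.10, 0.8)),
    (WEB, Threat("script kiddie", "denial of service", 0.50, 0.2)),
    (WEB, Threat("administrator", "subversion", 0.05, 0.6)),
]

# Constructed candidate controls with hypothetical costs and effectiveness.
SAMPLE_CONTROLS = [
    Control("database encryption at rest", 4_000, frozenset({"disclosure"}), 0.5),
    Control("DDoS filtering service", 6_000, frozenset({"denial of service"}), 0.9),
    Control("change control and code review", 1_000, frozenset({"subversion"}), 0.5),
]


def main():
    for score, asset, threat in prioritize(SAMPLE_REGISTER):
        print(f"{score:10.0f}  {asset.name:22}  {threat.attack} by {threat.agent}")
    for net, benefit, control in rank_controls(SAMPLE_CONTROLS, SAMPLE_REGISTER):
        print(f"net {net:8.0f}  (removes {benefit:6.0f})  {control.name}")


if __name__ == "__main__":
    main()
```

With these sample numbers the database disclosure risk dominates, and only the encryption control removes more expected loss than it costs; the DDoS service is the most effective control against its attack yet ranks last, because the asset it protects is worth less. That is the "cost vs. effectiveness" trade-off the slide names: effectiveness has to be weighed against the risk actually at stake.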

Threat agents revisited
Outsiders
– Property thieves
– Vandals
– Identity thieves
– Botnet operators
– Con artists
– Competitors
Insiders
– Embezzlers
– Housemates/coworkers
– Malicious acquaintances
– Maintenance crews
– Administrators
“Natural” threats
– Hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...

Security Properties/Goals
Confidentiality – All disclosures only reveal information to authorized recipients in accordance with policy
Integrity – All changes are performed by authorized entities, and are consistent with integrity policy
Availability – Assets available to authorized users when needed with performance required

Security Services
Confidentiality – Restrict access to information to authorized recipients in accordance with policy
Integrity – Only allow changes that are performed by authorized entities, and are consistent with integrity policy
Availability – Ensure assets are available to authorized users when needed with performance required
Authentication – Establish that the entity that sent a message/made an access is correctly identified
Non-repudiation – Ensure that an entity that performs an action/makes a statement cannot deny it later

Information Attacks
Physical theft – Computing resource physically removed
Denial of Service – Use of computing resource is lost
Subversion/Modification
– Asset modified to act on behalf of attacker (trojan horse)
– Authentic artifact modified to suit attacker
Masquerade/spoofing – Attacker takes on identity of another when accessing resources
Disclosure – Information revealed contrary to policy (passive attack)
Forgery/Replay
– Attacker produces artifact that appears authentic
– Attacker repeats authentic message
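The Security Services and Information Attacks slides distinguish integrity, authentication and non-repudiation, and list forgery and replay as attacks. The following Python program is an added example, not from the slides: a sender tags each message with an HMAC over a fresh nonce and the message, and the receiver checks the tag (detecting modification and third-party forgery) and rejects nonces it has already accepted (detecting replay). It then shows why a shared-key MAC provides authentication but not non-repudiation: the receiver holds the same key, so it can mint a valid tag for a message the sender never sent, and a third party cannot tell the two apart. The key, nonces and messages are constructed sample values, and the `Sender`/`Receiver` classes are hypothetical names chosen for the example.

```python
"""Message authentication, replay detection, and the non-repudiation gap.

Added example, not part of the slides.  An HMAC over (nonce, message) lets
the receiver detect modification and forgery by anyone without the key, and
a record of accepted nonces lets it detect replay.  Because the key is
shared, the receiver can forge a valid tag itself, so the scheme gives
authentication but no non-repudiation.  All values below are constructed.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the nonce and message.

    The nonce is length-prefixed so the (nonce, message) boundary is
    unambiguous; otherwise two different splits could yield the same tag.
    """
    data = len(nonce).to_bytes(1, "big") + nonce + message
    return hmac.new(key, data, hashlib.sha256).digest()


class Sender:
    """Hypothetical sender: attaches a fresh random nonce and a tag to each message."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, message: bytes):
        nonce = secrets.token_bytes(16)
        return nonce, message, tag(self.key, nonce, message)


class Receiver:
    """Hypothetical receiver: verifies the tag, then rejects reused nonces."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # accepted nonces; a real system bounds this with a window

    def accept(self, nonce: bytes, message: bytes, mac: bytes):
        """Return (accepted, reason).  Integrity/authentication is checked first."""
        expected = tag(self.key, nonce, message)
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return False, "bad tag"
        if nonce in self.seen:
            return False, "replay"
        self.seen.add(nonce)
        return True, "accepted"


def demo() -> dict:
    """Run the genuine, replay, modification and receiver-forgery cases."""
    key = secrets.token_bytes(32)
    sender, receiver = Sender(key), Receiver(key)
    results = {}

    nonce, msg, mac = sender.send(b"transfer 100 to account 42")  # constructed message
    results["genuine"] = receiver.accept(nonce, msg, mac)
    # Replay: the identical authentic message is presented a second time.
    results["replay"] = receiver.accept(nonce, msg, mac)
    # Modification: the message body changes but the old tag is kept.
    results["modified"] = receiver.accept(nonce, b"transfer 900 to account 42", mac)

    # Non-repudiation gap: the receiver shares the key, so it can produce a
    # valid tag for a message the sender never sent.  Any other key holder
    # (a second Receiver here) accepts it, and a third party cannot prove
    # which side made it.  A digital signature with a private key held only
    # by the sender is what closes this gap.
    forged_nonce = secrets.token_bytes(16)
    forged_msg = b"transfer 900 to account 99"
    forged_mac = tag(key, forged_nonce, forged_msg)
    results["receiver_forgery"] = Receiver(key).accept(forged_nonce, forged_msg, forged_mac)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The replay check only works because the nonce is covered by the tag: if it were sent outside the authenticated data, an attacker could pair an old message and tag with a fresh nonce. Likewise the order of checks matters, since the replay set must only ever be updated with nonces whose tag has already verified.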

NIST Recommendations
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Documentation

SEI OCTAVE Process
Phase 1 – Build Asset-based Threat Profiles
– Identify assets, threats, organizational risks
Phase 2 – Identify Infrastructure Vulnerabilities
– Analyze infrastructure resources for vulnerabilities
Phase 3 – Develop Security Strategy and Plans
– Recommend and implement controls

OCTAVE Allegro
1. Establish risk measurement criteria
2. Develop information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach