Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Threats Severity Analysis

Published byArnold Logan Modified over 5 years ago

Similar presentations

Presentation on theme: "Security Threats Severity Analysis"— Presentation transcript:

1 Security Threats Severity Analysis
January 20, 2016 © Abdou Illia – Spring 2016

2 What is Severity Analysis?
Accessing security threats occurrence likelihood Accessing threats’ potential damage

3 Key Questions to be asked
What resources do I need to protect? What is the risk associated with potential threats? How do I protect valuable resources? At what cost?

4 What resources do I need to protect?
Do an inventory Do risk assessment Quantitative risk assessment NIST Guide: Assessment Template: Qualitative risk assessment External server using internal SQL database to provide sales over the internet Internal server Remote Access server for dial-up Backup/File server Internal eCommerce Web server Domain controller Sales, customers, inventory, HR data Company’s network including routers, firewalls, etc. …………………….

5 Accessing potential damage
Determining extent to which a threat could Modify critical corporate data Delete critical corporate data Allow unauthorized access to confidential info. Allow misdirection of confidential info. Allow message alteration Slow down network services Jeopardize network service availability Lead to loss of customers’ faith and trust Lead to loss of employees or customers’ privacy

6 Example: Risk assessment
Treat Vulnerability Damage Loss of power High Loss of data access Possible data loss Computer virus Loss of access to system Possible data loss Natural disaster Low Loss of access to system Loss of data, hardware Denial of service attack Loss of access to system Eavesdropping Medium Access to customers info ………

7 How do I protect valuable resources?
Policies Acceptable use policy Firewall policies Confidential info policy Password policy Remote Access policy Security Awareness policy Methods of protection Antivirus 128-key encryption Two-factor authentication …..

8 Threat Severity Analysis
Step Threat 1 2 3 4 5 Cost if attack succeeds Probability of occurrence Threat severity Countermeasure cost Value of protection Apply countermeasure? Priority 6 7 A $500,000 80% $400,000 $100,000 $300,000 Yes B $10,000 20% $2,000 $3,000 ($1,000) No NA C 5% $5,000 D 70% $7,000 $20,000 ($13,000)

9 A complete In-class Exercise will be given in class with more details.
Visit the web site in order to gather information about a worm called W32/SillyFDC-FA and answer the following two questions. Using bullets, list specific malicious actions that W32/SillyFDC-FA could take to potentially damage or disturb a computer system. Use the questionnaire provided by the instructor to access the potential risk posed by W32/SillyFDC-FA. A complete In-class Exercise will be given in class with more details.

10 Realities Risk Analysis Can never eliminate risk
“Information assurance” is impossible Risk Analysis Goal is reasonable risk Risk analysis weighs the probable cost of compromises against the costs of countermeasures Also, security has negative side effects that must be weighed Copyright Pearson Prentice Hall 2013

11 X Annualized Rate of Occurrence (ARO)
SLE X Annualized Rate of Occurrence (ARO) Annual probability of a compromise = Annualized Loss Expectancy (ALE) Expected loss per year from this type of compromise Asset Value (AV) X Exposure Factor (EF) Percentage loss in asset value if a compromise occurs = Single Loss Expectancy (SLE) Expected loss in case of a compromise Single Loss Expectancy (SLE) Annualized Loss Expectancy (ALE) Copyright Pearson Prentice Hall 2013

12 Countermeasure A should reduce the exposure factor by 75%
Base Case Countermeasure A Asset Value (AV) $100,000 Exposure Factor (EF) 80% 20% Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000 Annualized Rate of Occurrence (ARO) 50% Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $10,000 ALE Reduction for Countermeasure NA $30,000 Annualized Countermeasure Cost $17,000 Annualized Net Countermeasure Value $13,000 Countermeasure A should reduce the exposure factor by 75% Copyright Pearson Prentice Hall 2013

13 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
Base Case Countermeasure B Asset Value (AV) $100,000 Exposure Factor (EF) 80% Single Loss Expectancy (SLE): = AV*EF $80,000 Annualized Rate of Occurrence (ARO) 50% 25% Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $20,000 ALE Reduction for Countermeasure NA Annualized Countermeasure Cost $4,000 Annualized Net Countermeasure Value $16,000 Countermeasure B should cut the frequency of compromises in half Copyright Pearson Prentice Hall 2013

14 2.4: Classic Risk Analysis Calculation (Figure 2-14) (continued)
Base Case Countermeasure A B Asset Value (AV) $100,000 Exposure Factor (EF) 80% 20% Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000 Annualized Rate of Occurrence (ARO) 50% 25% Annualized Loss Expectancy (ALE): = SLE*ARO $40,000 $10,000 ALE Reduction for Countermeasure NA $30,000 Annualized Countermeasure Cost $17,000 $4,000 Annualized Net Countermeasure Value $13,000 $16,000 Although Countermeasure A reduces the ALE more, Countermeasure B is much less expensive. The annualized net countermeasure value for B is larger. The company should select countermeasure B. Copyright Pearson Prentice Hall 2013

15 2.4: Problems with Classic Risk Analysis Calculations
Uneven Multiyear Cash Flows For both attack costs and defense costs Must compute the return on investment (ROI) using discounted cash flows Net present value (NPV) or internal rate of return (ROI) Copyright Pearson Prentice Hall 2013

16 Total Cost of Incident (TCI)
Exposure factor in classic risk analysis assumes that a percentage of the asset is lost In most cases, damage does not come from asset loss For instance, if personally identifiable information is stolen, the cost is enormous but the asset remains Must compute the total cost of incident (TCI) Include the cost of repairs, lawsuits, and many other factors Copyright Pearson Prentice Hall 2013

17 2.4: Problems with Classic Risk Analysis Calculations
Many-to-Many Relationships between Countermeasures and Resources Classic risk analysis assumes that one countermeasure protects one resource Single countermeasures, such as a firewall, often protect many resources Single resources, such as data on a server, are often protected by multiple countermeasures Extending classic risk analysis is difficult Copyright Pearson Prentice Hall 2013

18 2.4: Problems with Classic Risk Analysis Calculations
Impossibility of Knowing the Annualized Rate of Occurrence There simply is no way to estimate this This is the worst problem with classic risk analysis As a consequence, firms often merely rate their resources by risk level Copyright Pearson Prentice Hall 2013

19 2.4: Problems with Classic Risk Analysis Calculations
Problems with “Hard-Headed Thinking” Security benefits are difficult to quantify If only support “hard numbers” may underinvest in security Copyright Pearson Prentice Hall 2013

20 2.4: Problems with Classic Risk Analysis Calculations
Perspective Impossible to do perfectly Must be done as well as possible Identifies key considerations Works if countermeasure value is very large or very negative But never take classic risk analysis seriously Copyright Pearson Prentice Hall 2013

21 Risk Reduction Risk Acceptance The approach most people consider
Install countermeasures to reduce harm Makes sense only if risk analysis justifies the countermeasure Risk Acceptance If protecting against a loss would be too expensive, accept losses when they occur Good for small, unlikely losses Good for large but rare losses Copyright Pearson Prentice Hall 2013

22 2.4: Responding to Risk Risk Transference
Buy insurance against security-related losses Especially good for rare but extremely damaging attacks Does not mean a company can avoid working on IT security If bad security, will not be insurable With better security, will pay lower premiums Copyright Pearson Prentice Hall 2013

23 2.4: Responding to Risk Risk Avoidance
Not to take a risky action Lose the benefits of the action May cause anger against IT security Recap: Four Choices when You Face Risk Risk reduction Risk acceptance Risk transference Risk avoidance Copyright Pearson Prentice Hall 2013

Download ppt "Security Threats Severity Analysis"

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.

Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Unit # 3: Information Security and Risk Management

Unit # 3: Information Security and Risk Management
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Chapter Extension 22 Managing Computer Security Risk © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 22 Managing Computer Security Risk © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Introduction to Network Defense

Introduction to Network Defense
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.
Security Risk Assessment Applied Risk Management July 2002.

Security Risk Assessment Applied Risk Management July 2002.

Similar presentations

Ads by Google