Subject : COMP6179 INTRODUCTION TO INFORMATION SECURITY

Year : 2015

Risk Management

Learning Outcomes

COMP6047 - Algorithm and Programming

At the end of this session, student will be able to:•)

Sub Topics

COMP6047 - Algorithm and Programming

•Risk management, risk identification, and risk control•How risk is identified and assessed•Risk based on probability of occurrence and likely impact•The fundamental aspects of documenting risk via the process of risk assessment•The various risk mitigation strategy options•The categories that can be used to classify controls•The existing conceptual frameworks for evaluating risk controls and formulate a cost•benefit analysis•How to maintain and perpetuate risk controls

Risk Management

Strategy War of Sun Tzu

Know Your Self

Self-Evident

Know your Asset

Know your control

mechanism

Know Your Enemy

Threat Facing

Security Breach Affect

Environment

Enemy

Risk Identification

Information System Component

Asset Identification and Inventory

This iterative process begins with the enumeration of assets, including all of the elements of an organization’s system, such as people, procedures, data and information, software, hardware, and networking elements

People: Employee & Non Employee

IT Procedures & Business Procedure

Data components account for the management of information in all its states

Software components are assigned to one of three categories: applications, operating systems, or security components

Hardware is assigned to one of two categories: the usual systems devices and their peripherals,

and those devices that are part of information security control systems

People, Procedures, and Data Asset Identification

People: Position name/number/ID (avoid names and stick to identifying positions, roles, or functions); supervisor; security clearance level; special skills

Procedures: Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference; storage location for update

Data: Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or offline; location; backup procedures employed

Hardware, Software, and Network Asset Identification

Name: Use the most common device or program name. Organizations may have several names for the same product

IP address: This can be a useful identifier for network devices and servers, but does not usually apply to software

Media access control (MAC) address: MAC addresses are sometimes called electronic serial numbers or hardware addresses

Element type: For hardware, you can develop a list of element types, such as servers, desktops, networking devices, or test equipment, to whatever degree of detail you require

Serial number: For hardware devices, the serial number can uniquely identify a specific device. Some software vendors also assign a software serial number to each instance of the program licensed by the organization.

Manufacturer name: Record the manufacturer of the device or software component

Manufacturer’s model number or part number: Record the model or part number of the element

Software version, update revision, or FCO number: Whenever possible, document the specific software or firmware revision number and, for hardware devices, the current field change order (FCO) number

Physical location: Note where this element is located physically

Logical location: Note where this element can be found on the organization’s network.

Controlling entity: Identify which organizational unit controls the element

Hardware, Software, and Network Asset Identification

Automated Asset Inventory

Automated tools can sometimes identify the system elements that make up hardware, software, and network components

The inventory listing is usually available in a database or can be exported to a database for custom information on security assets

Data Classification & Management

Confidential: Used for the most sensitive corporate information that must be tightly controlled, even within the company

Internal: Used for all internal information that does not meet the criteria for the confidential category and is to be viewed only by corporate employees, authorized contractors, and other third parties

External: All information that has been approved by management for public release

U.S Military Data Classification

Unclassified data: Information that can generally be distributed to the public without any threat to U.S. national interests.

Sensitive But Unclassified data (SBU): “Any information of which the loss, misuse, or unauthorized access to, or modification of might adversely affect U.S. national interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.

Confidential data: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security

Secret data: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security

Top Secret data: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security

Security Clearances

Corresponding to the data classification scheme is the personnel security clearance structure

In organizations that require security clearances, each user of data must be assigned a single authorization level that indicates the level of classification he or she is authorized to view

This is usually accomplished by assigning each employee to a named role, such as data entry clerk, development programmer, information security analyst, or even CIO

U.S Military Data Classification Cover Sheet

Management of Classified Data

Management of classified data includes its storage, distribution, portability, and destruction

The military also uses color-coordinated cover sheets to protect classified information from the casual observer

When classified data is stored, it must be available only to authorized individuals

This usually requires locking file cabinets, safes, or other protective devices for hard copies and systems

Classifying and Prioritizing Information Asset

Information Asset Valuation

Information Asset Valuation

Which information asset is the most critical to the success of the organization?

Which information asset generates the most revenue?

Which information asset generates the most profitability?

Which information asset would be the most expensive to replace?

Which information asset would be the most expensive to protect?

Which information asset would most expose the company to liability or embarrassment if revealed?

Calculate Value of Information Asset

Value retained from the cost of creating the information asset: Information is created or acquired at some cost to the organization

Value retained from past maintenance of the information asset: It is estimated that for every dollar spent developing an application or acquiring and processing data

Value implied by the cost of replacing the information: Another important cost associated with the loss or damage to information is the cost associated with replacing or restoring the information

Value from providing the information: Different from the cost of developing or maintaining the information is the cost of providing the information to the users who need it

Value to owners: How much is your Social Security number worth to you? Or your telephone number? It can be quite a daunting task to place a value on information

Value of intellectual property: Related to the value of information is the specific consideration of the value of intellectual property

Value to adversaries: How much would it be worth to an organization to know what the competition is up to?

Information Asset Prioritization

Identifying and Prioritizing Threat

Which threats present a danger to an organization’s assets in the given environment?

Which threats represent the most danger to the organization’s information?

How much would it cost to recover from a successful attack?

Which of the threats would require the greatest expenditure to prevent?

Identifying & Prioritizing Threats

Identifying & Prioritizing Threats

TVA Worksheet

Introduction to Risk Assessment

Introduction to Risk Assessment

Risk Likelihood

Likelihood is the probability that a specific vulnerability will be the object of a successful attack

The National Institute of Standards and Technology recommends in Special Publication 800-30 assigning a number between 0.1 (low) and 1.0 (high)

For example, the likelihood of an asset being struck by a meteorite while indoors would be rated 0.1. At the other extreme, receiving at least one e-mail containing a virus or worm in the next year would be rated 1.0

You could also choose to use a number between 1 and 100 (zero is not used, since vulnerabilities with a zero likelihood have been removed from the asset/vulnerability list)

Risk Likelihood Sources

The likelihood of a fire has been estimated actuarially for each type of structure

The likelihood that any given e-mail contains a virus or worm has been researched

The number of network attacks can be forecast based on how many assigned network addresses the organization has

Risk Determination

Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate

Information asset B has a value score of 100 and has two vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent accurate

Risk Likelihood Sources

The likelihood of a fire has been estimated actuarially for each type of structure

The likelihood that any given e-mail contains a virus or worm has been researched

The number of network attacks can be forecast based on how many assigned network addresses the organization has

Identify Possible Control

There are three general categories of controls: policies, programs, and technologies

Policies are documents that specify an organization’s approach to security

The program security policy is a planning document that outlines the processof implementing security in the organization

Technologies policies address the particular use of certain systems

Documenting the Result of Risk Assessment

Asset: List each vulnerable asset

Asset Impact: Show the results for this asset from the weighted factor analysis worksheet. In the example, this is a number from 1 to 100.

Vulnerability: List each uncontrolled vulnerability.

Risk-Rating Factor: Enter the figure calculated from the asset impact multiplied by likelihood. In the example, the calculation yields a number from 1 to 100

Documenting the Result of Risk Assessment

Documenting the Result of Risk Assessment

Risk Control Strategy

Mitigation Plan

Risk Handling Decision Point

Cost Benefit Analysis (CBA)

Cost of development or acquisition (purchase cost) of hardware, software, and services

The likelihood that any given e-mail contains a virus or worm has been researched

Training fees (cost to train personnel)

Cost of implementation (cost to install, configure, and test hardware, software, and services)

Service costs (vendor fees for maintenance and upgrades)

Cost of maintenance (labor expense to verify and continually test, maintain, and update)

Single Loss Expectancy

A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the exposure factor (EF)

SLE = asset value x exposure factor (EF)

For example, if a Web site has an estimated value of $1,000,000 (value determined by asset valuation), and a deliberate act of sabotage or vandalism (hacker defacement) scenario indicates that 10 percent of the Web site would be damaged or destroyed after such an attack, then the SLE for this Web site would be $1,000,000 x 0.10 = $100,000.

The probability of a threat occurring is usually a loosely derived table indicating the probability of an attack from each threat type within agiven time frame (for example, once every 10 years) referred to as the annualized rate of occurrence (ARO)

For example, a successful deliberate act of sabotage or vandalism might occur about once every two years, in which case the ARO would be 50 percent (0.50), whereas some kinds of network attacks can occur multiple times per second

Annual Loss Expectancy

The probability of a threat occurring is usually a loosely derived table indicating the probability of an attack from each threat type within a given time frame (for example, once every 10 years) referred to as the annualized rate of occurrence (ARO)

For example, a successful deliberate act of sabotage or vandalism might occur about once every two years, in which case the ARO would be 50 percent (0.50), whereas some kinds of network attacks can occur multiple times per second

ALE Table Example

Asset Asset Value Threat EF SLE ARO ALE

Database Server

$200.000 Virus 50% $100.000 0.65 $65.000

File Server $12.000 Failure 100% $12.000 0.40 $4.800

Product Plan

$150.000 Disclosure 70% $105.000 0.65 $68.250

Infrastructure

$1.500.000 Fire 30% $450.000 0.10 $45.000

Cost Benefit Analysis Formula

CBA = ALE(prior) - ALE(post) - ACS

ALE(prior) is the annualized loss expectancy of the risk before the implementation of the control

ALE(post) is the ALE examined after the control has been in place for a period of time

ACS is the annual cost of the safeguard

Another Example Cost Benefit Analysis Formula

The cost per incident of a flood at the data center is estimated at $40,000 (downtime, recovery of systems, examination of info loss, sump pumps, etc.)a major flood attack occurs once every five years on average

The ARO is 0.2 (0.2 times per year)The ALE is $8,000!

Landscaping outside the Data Center will reduce the occurrence of a major flood event to once every 10 years

The landscaping costs $10,000 (but protects for 10 years!). Worth it?

Risk Control Cycle

Risk Appetite

Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility

For instance, a financial services company, regulated by government and conservative by nature, may seek to apply every reasonable control and even some invasive controls to protect itsinformation assets

Residual Risk

residual risk is a combined function of (1) a threat less the effect of threat-reducing safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the effect of asset value-reducingsafeguards

Selected Reading

Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility

For instance, a financial services company, regulated by government and conservative by nature, may seek to apply every reasonable control and even some invasive controls to protect itsinformation assets