reliability engineering in information security a novel
play

Reliability Engineering in Information Security: A Novel Approach - PowerPoint PPT Presentation

Oct 14, 2023 •342 likes •765 views

Reliability Engineering in Information Security: A Novel Approach to Risk Assessment Chris Woods, CISSP Mount Holyoke College Disclaimer This talk is: Speculative Additive Not intended to replace the advice of a competent

  1. Reliability Engineering in Information Security: A Novel Approach to Risk Assessment Chris Woods, CISSP Mount Holyoke College

  2. Disclaimer This talk is: ● Speculative ● Additive ● Not intended to replace the advice of a competent information security professional that understands your infrastructure and needs.

  3. Securing the Infrastructure But how? ● Vulnerability Management ● Threat Hunting ● Intel Sharing ● Machine Learning and AI ● OS Hardening ● Identity Management ● Patching and Updating ● Etc

  4. Risk Assessment and Management

  5. NIST SP 800-30 Rev.1 There are no specific requirements with regard to: ● (i) the formality, rigor, or level of detail that characterizes any particular risk assessment; ● (ii) the methodologies, tools, and techniques used to conduct such risk assessments; or ● (iii) the format and content of assessment results and any associated reporting mechanisms. Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes.

  6. Annualized Loss Expectancy (ALE) ALE = V * F where V is the value of the incident expressed in monetary units and F is the expected frequency at which the loss realized.

  7. ALE Calculation for Low Frequency/High Impact Event ALE = $1,000,000 * .01 = $10,000

  8. ALE Calculation for High Frequency/Low Impact Event ALE = $100 * 100 = $10,000

  9. Common Dilemmas Standard risk analysis identifies assets requiring protection and this, in turn, defines how organizations : ● deploy resources ● procure infrastructure ● task personnel Resource-constrained organizations often cannot effectively secure all assets within their infrastructure.

  10. Limitations to Predicting the Frequency of Loss Events (or Anything Really) ● Humans are subject to an array of biases (e.g. Dunning-Kruger) and so are bad at this. ● Humans are subject to an array of biases (e.g. Gambler’s Fallacy) and so are bad at this. ● Humans are subject to an array of biases (e.g. Bandwagon Effect) and so are bad at this. ● Etc.

  11. RCM methodology can help organizations make appropriate decisions to extend adequate and effective levels of security to all assets even when resources and information are constrained.

  12. Benefits of RCM ● Eliminate unnecessary controls without compromising confidentiality, integrity, or availability. ● Identify applicable and effective controls to maintain confidentiality, integrity, or availability. ● Establish framework for asymmetric decision- making for selection of controls.

  13. Origins of Reliability Engineering ● In the 50s and 60s wide-spread belief that reliability decreased with age. ● This belief was re-examined as jet transport came into common use. ● Aviation hardware showed typical failure curve with failure clustered at start-of-service (infant mortality) followed by a long period of stable performance for the duration of a part's life.

  14. Origins of Reliability Engineering ● In the 1960’s commercial aviation was adapting to the operational requirements of jet-propelled aircraft. ● Failures (crashes) were common. ● Airlines applied decision tree logic to identify maintenance tasks. ● Boeing based the initial maintenance of the 747 on decision- tree methodology. ● This was making jet flight commercially infeasible. Source: Reliability-Centered Maintenance Handbook NAVSEA.

  15. https://commons.wikimedia.org/wiki/File:Manual_decision_tree.jpg

  16. Origins of Reliability Engineering ● F. Stanley Nowlan, United Airlines ● Howard Heap, United Airlines ● Authored 1978 report: Reliability-Centered Maintenance .

  17. Reliability refers to the expectation that a given system will continue to perform its function(s).

  18. RCM asks: What proof is there that an action taken prevents a given failure?* * (and is that failure worth preventing?)

  19. http://www.nationalgalleries.org/collection/simple-search/R/6240/artist_name/Allan%20Ramsay/record_id/22933

  20. An Information Technologist (Mis)Uses Humean Causation ● Nature may cease to be regular at some point ● Past uniformity is no proof of future uniformity

  21. How RCM Handles Uncertainty ● Understand systems in terms of functions ● Understand failures as loss of functions ● Understand effects of lost functions ● Utilizes maintenance tasks to prevent and redundancy to mitigate.

  22. "The driving element in all maintenance decisions is not the failure of a given item, but the consequences of that failure for the equipment as a whole." (Nowlan & Heap, p.29)

  23. What is a Failure? An unsatisfactory condition.

  24. What is a Failure? In information security terms it is a loss of: ● Confidentiality. ● Integrity. ● Availability.

  25. Evaluation of a given control starts with identification of the functional failure and consequence (severity) it is intended to prevent.

  26. Define Failures as Loss of Function Functions can be provided at any layer of the stack: ● Broken wire leads to loss of availability. ● Misconfigured switch leads to loss of confidentiality. ● Incorrect application settings leads to loss of integrity.

  27. Applying RCM Methodology to Information Security Four basic questions asked by RCM modified for application to information security: ● What does a system do? ● What failures can occur? ● What are the consequences/impact of a given failure? ● What can be done to prevent/mitigate the failure?

  28. Defining a Functional Failure ● Identify the functions a given system provides ● Use ‘fails to...’ construction (e.g. System fails to log all user sessions.) ● Failure effects are roughly analogous to loss of one or more of the CIA triad. ● Generally, it is more useful to think in terms of layers or systems than of a single entity.

  29. Should Failures be Prevented? ● Only when feasible. ● All other failures are mitigated or accepted according to risk analysis. ● Failures that cannot be prevented or mitigated must be accepted. ● Abandon the activity if failure cannot be prevented/mitigated and is unacceptable.

  30. Failure Modes ● Simple systems have a few evident failure modes (cables break, power fails, etc). ● Complex systems have multiple failure modes that often have no evident effect but usually have a dominant failure mode (backups fails because disk is full of logs). ● When you hear hoofbeats think horses not zebras.

  31. Risk Asessment with RCM Evaluate the consequences of failure and classify according to severity of the consequences: (e.g. critical data is unavailable...) ● High severity rankings (greatest concern): Legal/Regulatory, Health and Safety, Major Economic/Reputational (existential risk to org). ● Medium severity rankings (less concern): Economic/Reputational - cost can be born by organization or transferred. ● Low severity rankings (least concern): Economic/Reputational - cost can be born by operations budget or transferred.

  32. Risk Assessment with RCM Risk can be: ● Mitigated with appropriate controls ● Accepted (if severity is least concern) ● Transferred (if cost-effective). ● If risk/failure severity is low and cost of preventing failure exceeds consequence of failure: accept it. ● If risk/failure cannot be mitigated by controls, transferred, or accepted: don't do it.

  33. Cost of failure includes cost of the loss of the service. Losing a service mid-summer may not be a big deal. Losing it during acceptance notification could be existential risk. Assign the correct severity based on the maximum expected loss.

  34. Applicability Requires that each security control be implemented for an identifiable and explicit reason (e.g. hourly file backup to ensure availability of critical data).

  35. Effectiveness Requires that each security control implemented for an identifiable and explicit reason does so at a cost that is lower than the ALE (or suitable metric) of the event it is intended to prevent or mitigate.

  36. Conjoined Parallelograms of Risk Assessment Wizardry TM

  37. Control Selection Select controls to prevent or mitigate failure. Controls might be: ● Setting or modes within an application ● Rules or policies governing system use ● Physical security ● Network routing and firewall rules ● Etc

  38. If a given control cannot reduce the risk of a failure to an acceptable level, a new control must be implemented or the system redesigned to reduce its severity.

  39. "Control means the ability to keep the state of a system within some preferred subset of all its possible states" (Quigley, et al. 2017, p. 50)

  40. Giving Up ● Be mindful that the information you hold implies the a certain type of infrastructure to protect that asset. ● It is worth asking: is the information held worth the effort to secure it? ● Sometimes it is. ● If it isn’t then give up.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reliability Engineering - Discussions and Clarifications Reliability Engineering VS.

Reliability Engineering - Discussions and Clarifications Reliability Engineering VS.

Mission Success Starts with Safety Reliability Engineering - Discussions and Clarifications Reliability Engineering VS. Probabilistic Risk Assessment (PRA) Reliability Prediction VS. Reliability Demonstration Design Reliability VS. Process

783 views • 20 slides
Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander

Multiplicity Computing Engineering Software for Reliability, Performance, and Security Alexander Wolf Department of Computing Imperial College London in collaboration with Cristian Cadar, Paolo Costa, and Peter Pietzuch An inspiring example

243 views • 13 slides
Reliability Engineering Overview Reliability engineering measures and improves resistance to

Reliability Engineering Overview Reliability engineering measures and improves resistance to

Reliability Engineering: A Brief Overview Mohammad Modarres Reliability Engineering Overview Reliability engineering measures and improves resistance to failure over time, estimates expended life, and predicts time-to-failure What

484 views • 5 slides
Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and

Challenges and opportunities in reliability engineering: the big KID (Knowledge, Information and Data) Enrico Zio Chair on Systems Science and the Energy Challenge CentraleSupelec, Fondation Electricit de France (EDF), France Energy

712 views • 59 slides
Bayesian Methods in Reliability Engineering ASQ Reliability Division Webinar Program Nov 15 th

Bayesian Methods in Reliability Engineering ASQ Reliability Division Webinar Program Nov 15 th

Bayesian Methods in Reliability Engineering ASQ Reliability Division Webinar Program Nov 15 th 2012 Charles H. Recchia, MBA, PhD Quality Support Group, Inc http://www.qualitysupportgroup.com/ B AYESIAN M ETHODS IN R ELIABILITY E NGINEERING With

759 views • 49 slides
Software Reliability Categorizing and specifying the reliability of software systems CS 422

Software Reliability Categorizing and specifying the reliability of software systems CS 422

Chapter 18 Chapter 18 Software Reliability Learning Objective ... Define the basic principles underlying software reliability engineering (metrics, measurement, and prediction) Frederick T Sheldon Assistant Professor of Computer Science

435 views • 14 slides
CASHWIZARD THE SMART SOLUTION SECURITY I N N O V A T I O N RELIABILITY 1 Who is AMSEC?

CASHWIZARD THE SMART SOLUTION SECURITY I N N O V A T I O N RELIABILITY 1 Who is AMSEC?

CASHWIZARD THE SMART SOLUTION SECURITY I N N O V A T I O N RELIABILITY 1 Who is AMSEC? American Security Products [AMSEC] located in worlds Fontana, California is the best known provider of security safes. For over 70+ years, we

814 views • 21 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Software Reliability Engineering: An Introduction SE 350 Software Process & Product Quality

Software Reliability Engineering: An Introduction SE 350 Software Process & Product Quality

Software Reliability Engineering: An Introduction SE 350 Software Process & Product Quality Objectives Introduce some concepts of software reliability engineering Focus on failures, not defects Operational profiles Measuring

141 views • 12 slides
Reliability Engineering Training Course for Beginners by Online Distance Education Module 3 content

Reliability Engineering Training Course for Beginners by Online Distance Education Module 3 content

Cell/Mob: +61 (0) 402 731 563 Office: +61 (8) 9457 6297 Email: info@lifetime-reliability.com Website: www.lifetime-reliability.com Reliability Engineering Training Course for Beginners by Online Distance Education Module 1 Content Sample Slides

353 views • 3 slides
Reliability and Security Committee Mark Lauby Senior Vice President and Chief Engineer WECC

Reliability and Security Committee Mark Lauby Senior Vice President and Chief Engineer WECC

Reliability and Security Committee Mark Lauby Senior Vice President and Chief Engineer WECC Annual Meeting September 10, 2019 RELIABILITY | RESILIENCE | SECURITY Objectives and Approach Objectives Enhance ERO effectiveness in executing

3.22k views • 26 slides
Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department

Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department

Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department McCormick School of Engineering A Flat World is an exciting but dangerous world Technology Opportunity Advances Reduced Risk Political Barriers

449 views • 17 slides
Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria

Information Theory and Security: Quantitative Information Flow Pasquale Malacaria pm@dcs.qmul.ac.uk School of Electronic Engineering and Computer Science Queen Mary University of London Information Theory and Security: Quantitative Information

835 views • 54 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Overview of reliability engineering Eric Marsden <eric.marsden@risk-engineering.org> I

Overview of reliability engineering Eric Marsden <eric.marsden@risk-engineering.org> I

Overview of reliability engineering Eric Marsden <eric.marsden@risk-engineering.org> I am purchasing pumps for my refjnery and want to understand the MTBF, lambda etc. provided by the manufacturers I want to compare difgerent system

372 views • 34 slides
Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil

Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil

Background Classical Tools Beyond Cryptography NSF Security in Malicious Environments: NSF Programs in Information-Theoretic Network Security Phil Regalia Program Director Directorate for Computer & Information Science & Engineering

552 views • 36 slides
1. 2. 3. 4. ~ v 5. ~ v 6. ~ v 7. ~ v 8. ~ v 9. 10. ave us 11. _;-~~ L~' ~ u ~- . ,

1. 2. 3. 4. ~ v 5. ~ v 6. ~ v 7. ~ v 8. ~ v 9. 10. ave us 11. _;-~~ L~' ~ u ~- . ,

1. 2. 3. 4. ~ v 5. ~ v 6. ~ v 7. ~ v 8. ~ v 9. 10. ave us 11. _;-~~ L~' ~ u ~- . , ~ -~ WEARE ACCESSIBLE ""' ' ' t'. . ' . . -: ,. . -.,- ...... ' . 12. WEARE ACCESSIBLE 13. WEARE ACCESSIBLE

771 views • 46 slides
INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017

INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017

Downer Full Year Results | 29 August 2017 INVESTOR PRESENTATION INTRODUCTION Downers financial results for the 12 months to 30 June 2017 incorporate the financial statements of Spotless Group Holdings Limited (Spotless) as Downers interest

644 views • 28 slides
ACA Update RUSSELL HOLLRAH HOLLRAH LLC WASHINGTON, D.C. (202) 659 -0878

ACA Update RUSSELL HOLLRAH HOLLRAH LLC WASHINGTON, D.C. (202) 659 -0878

ACA Update RUSSELL HOLLRAH HOLLRAH LLC WASHINGTON, D.C. (202) 659 -0878 RHOLLRAH@HOLLRAHLLC.COM U.S. SUPREME COURT ACTION Burwell v. Hobby Lobby Stores, Inc. Held that the Religious Freedom Restoration Act of 1993 does not permit the U.S.

579 views • 21 slides
Benefits Compliance & Potential Changes to the ACA Presented by: Christopher K. Bao, Esq.

Benefits Compliance & Potential Changes to the ACA Presented by: Christopher K. Bao, Esq.

Benefits Compliance & Potential Changes to the ACA Presented by: Christopher K. Bao, Esq. Brittany D. Botterill, Esq. March 23, 2017 Agenda III. CHANGES TO THE ACA I. CALIFORNIA LEAVE LAWS Executive Order California Paid

927 views • 89 slides
68 ZIEGLER PARK ZIEGLER PARK SOURCES & USES USES Hard Costs $ 26,407,213 Soft

68 ZIEGLER PARK ZIEGLER PARK SOURCES & USES USES Hard Costs $ 26,407,213 Soft

68 ZIEGLER PARK ZIEGLER PARK SOURCES & USES USES Hard Costs $ 26,407,213 Soft Costs 5,493,712 TOTAL 31,900,925 SOURCES CEFII Mortgage 3,000,000 Ohio 166 Loan 5,000,000 NMTC Equity 10,632,000 Private Fundraising 3,268,925

656 views • 47 slides
Overcoming Legislative Gridlock: How Procedural Rules Affect Obstructionism Molly C. Jackman

Overcoming Legislative Gridlock: How Procedural Rules Affect Obstructionism Molly C. Jackman

Overcoming Legislative Gridlock: How Procedural Rules Affect Obstructionism Molly C. Jackman Governance Studies Brookings Institution Obama and gun control Acceptance speech, 2008: Dot tell e e at uphold the

346 views • 33 slides
Duke University Energy Initiative City of Farmington, New Mexico Rob Mayes, City Manager I.

Duke University Energy Initiative City of Farmington, New Mexico Rob Mayes, City Manager I.

Duke University Energy Initiative City of Farmington, New Mexico Rob Mayes, City Manager I. Provide a brief overview of Farmington and its economy 2 City of Farmington Trade Area According to the US Economic Development Agency,

289 views • 18 slides
ENHANCING STUDENT SUCCESS S CHOLARSHIP FOR E XCELLENCE IN T EACHING J OANNE C ARL B ROADCAST M

ENHANCING STUDENT SUCCESS S CHOLARSHIP FOR E XCELLENCE IN T EACHING J OANNE C ARL B ROADCAST M

ENHANCING STUDENT SUCCESS S CHOLARSHIP FOR E XCELLENCE IN T EACHING J OANNE C ARL B ROADCAST M EDIA P RODUCTION (TVRA) 2018 STUDENTS WANT TO ENJOY LEARNING BE INTRIGUED GENERATE THEIR OWN IDEAS & SOLUTIONS EXPLORE NEW CONCEPTS VOICE THEIR

349 views • 18 slides

More recommend