security planning and risk analysis
play

Security Planning and Risk Analysis CS461/ECE422 Computer Security - PowerPoint PPT Presentation

Oct 31, 2023 •375 likes •706 views

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

  1. Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

  2. Overview • Elements of Risk Analysis • Quantitative vs Qualitative Analysis • One Risk Analysis framework Slide #2

  3. Reading Material • Chapter 1.6 of Computer Security • Information Security Risk Analysis , by Thomas R. Peltier – On reserve at the library – Chapters 1 and 2 on compass site – Identifies basic elements of risk analysis and reviews several variants of qualitative approaches Slide #3

  4. What is Risk? • The probability that a particular threat will exploit a particular vulnerability – Not a certainty. – Risk impact – loss associated with exploit • Need to systematically understand risks to a system and decide how to control them. Slide #4

  5. What is Risk Analysis? • The process of identifying, assessing, and reducing risks to an acceptable level – Defines and controls threats and vulnerabilities – Implements risk reduction measures • An analytic discipline with three parts: – Risk assessment: determine what the risks are – Risk management: evaluating alternatives for mitigating the risk – Risk communication: presenting this material in an understandable way to decision makers and/or the public Slide #5

  6. Risk Management Cycle From GAO/AIMD-99-139 Slide #6

  7. Basic Risk Analysis Structure • Evaluate – Value of computing and information assets – Vulnerabilities of the system – Threats from inside and outside – Risk priorities • Examine – Availability of security countermeasures – Effectiveness of countermeasures – Costs (installation, operation, etc.) of countermeasures • Implement and Monitor Slide #7

  8. Who should be Involved? • Security Experts • Internal domain experts – Knows best how things really work • Managers responsible for implementing controls Slide #8

  9. Identify Assets • Asset – Anything of value – Physical Assets • Buildings, computers – Logical Assets • Intellectual property, reputation Slide #9

  10. Example Critical Assets • People and skills • Goodwill • Hardware/Software • Data • Documentation • Supplies • Physical plant • Money Slide #10

  11. Vulnerabilities • Flaw or weakness in system that can be exploited to violate system integrity. Slide #11

  12. Example Vulnerabilities • V47 Inadequate/no emergency Communications • Physical action plan • V01 Susceptible to • V87 Inadequate communications unauthorized building • (and 7 more) system access • Personnel • V88 Lack of encryption • V02 Computer Room susceptible to unauthorized • V56 Inadequate personnel • V89 Potential for disruptions access screening • ... • V03 Media Library susceptible • V57 Personnel not adequately • Hardware to unauthorized trained in job • V92 Lack of hardware inventory access • ... • V04 Inadequate visitor control • V93 Inadequate monitoring of procedures • Software maintenance • (and 36 more) • V62 Inadequate/missing audit personnel • Administrative trail capability • V94 No preventive maintenance • V41 Lack of management • V63 Audit trail log not program support for security reviewed weekly • V42 No separation of duties • … policy • V64 Inadequate control over • V100 Susceptible to electronic • V43 Inadequate/no computer application/program emanations security plan policy Slide #12 changes

  13. Threats • Set of circumstances that has the potential to cause loss or harm • Attacks against key security services – Confidentiality, integrity, availability • Threats trigger vulnerabilities – Accidental – Malicious Slide #13

  14. Example Threat List • T35 Operating System • T17 Errors (All Types) • T01 Access (Unauthorized to Penetration/Alteration • T18 Electro-Magnetic System - logical) Interference • T36 Operator Error • T02 Access (Unauthorized to • T19 Emanations Detection Area - physical) • T37 Power Fluctuation • T20 Explosion (Internal) • T03 Airborne Particles (Dust) (Brown/Transients) • T21 Fire, Catastrophic • T04 Air Conditioning Failure • T38 Power Loss • T22 Fire, Major • T05 Application Program • T39 Programming Error/Bug Change • T23 Fire, Minor (Unauthorized) • T24 Floods/Water Damage • T40 Sabotage • T06 Bomb Threat • T25 Fraud/Embezzlement • T41 Static Electricity • T07 Chemical Spill • T26 Hardware • T42 Storms (Snow/Ice/Wind) Failure/Malfunction • T08 Civil Disturbance • T43 System Software Alteration • T27 Hurricanes • T09 Communications Failure • T28 Injury/Illness (Personal) • T44 Terrorist Actions • T10 Data Alteration (Error) • T29 Lightning Storm • T11 Data Alteration (Deliberate) • T45 Theft • T30 Liquid Leaking (Any) • T12 Data Destruction (Error) (Data/Hardware/Software) • T31 Loss of Data/Software • T13 Data Destruction • T46 Tornado (Deliberate) • T32 Marking of Data/Media • T47 Tsunami (Pacific area only) Improperly • T14 Data Disclosure (Unauthorized) • T33 Misuse of • T48 Vandalism Computer/Resource • T15 Disgruntled Employee • T49 Virus/Worm (Computer) • T34 Nuclear Mishap Slide #14 • T16 Earthquakes • T50 Volcanic Eruption

  15. Characterize Threat-Sources Threat Method Opportunity Motive Source Standard scripts, new Challenge, ego , Cracker Network access tools rebellion Ideological, Access to talented Terrorist Network, infiltration destruction, fund crackers raising Insider Knowledge Complete access Ego, revenge, money Slide #15

  16. Dealing with Risk • Avoid risk – Implement a control or change design • Transfer risk – Change design to introduce different risk – Buy insurance • Assume risk – Detect, recover – Plan for the fall out Slide #16

  17. Controls • Mechanisms or procedures for mitigating vulnerabilities – Prevent – Detect – Recover • Understand cost and coverage of control • Controls follow vulnerability and threat analysis Slide #17

  18. Example Controls • C01 Access control devices - physical • C27 Make password changes mandatory • C02 Access control lists - physical • C28 Encrypt password file • C03 Access control - software • C29 Encrypt data/files • C04 Assign ADP security and assistant • C30 Hardware/software training for in writing personnel • C05 Install-/review audit trails • C31Prohibit outside software on system • C06 Conduct risk analysis • ... • C07Develop backup plan • C47 Develop software life cycle • C08 Develop emergency action plan development • C09 Develop disaster recovery plan program • ... • C48 Conduct hardware/software inventory • C21 Install walls from true floor to true • C49 Designate critical programs/files ceiling • C50 Lock PCs/terminals to desks • C22 Develop visitor sip-in/escort • C51 Update communications procedures system/hardware • C23 Investigate backgrounds of new • C52 Monitor maintenance personnel employees • C53 Shield equipment from • C24 Restrict numbers of privileged users electromagnetic • C25 Develop separation of duties policy Slide #18 interference/emanations • C26 Require use of unique passwords for logon • C54Identify terminals

  19. Risk/Control Trade Offs • Only Safe Asset is a Dead Asset – Asset that is completely locked away is safe, but useless – Trade-off between safety and availability • Do not waste effort on efforts with low loss value – Don’t spend resources to protect garbage • Control only has to be good enough, not absolute – Make it tough enough to discourage enemy Slide #19

  20. Types of Risk Analysis • Quantitative – Assigns real numbers to costs of safeguards and damage – Annual loss exposure (ALE) – Probability of event occurring – Can be unreliable/inaccurate • Qualitative – Judges an organization’s relative risk to threats – Based on judgment, intuition, and experience – Ranks the seriousness of the threats for the sensitivity of the asserts – Subjective, lacks hard numbers to justify return on investment Slide #20

  21. Quantitative Analysis Outline 1. Identify and value assets 2. Determine vulnerabilities and impact 3. Estimate likelihood of exploitation 4. Compute Annual Loss Exposure (ALE) 5. Survey applicable controls and their costs 6. Project annual savings from control Slide #21

  22. Quantitative • Risk exposure = Risk-impact x Risk- Probability – Loss of car: risk-impact is cost to replace car, e.g. $10,000 – Probability of car loss: 0.10 – Risk exposure or expected loss = 10,000 x 0.10 = 1,000 • General measured per year – Annual Loss Exposure (ALE) Slide #22

  23. Quantitative • Cost benefits analysis of controls • Risk Leverage to evaluate value of control – ((risk exp. before control) – (risk exp. after))/ (cost of control) • Example of trade offs between different deductibles and insurance premiums Slide #23

  24. Qualitative Risk Analysis • Generally used in Information Security – Hard to make meaningful valuations and meaningful probabilities – Relative ordering is faster and more important • Many approaches to performing qualitative risk analysis • Same basic steps as quantitative analysis – Still identifying asserts, threats, vulnerabilities, and controls – Just evaluating importance differently Slide #24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

793 views • 32 slides
Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the

Improvements in Transportation Security Analysis from a Complex Risk Mitigation Framework for the Security of International Spent Nuclear Fuel Transportation Adam D. Williams Global Security Research & Analysis Sandia National Laboratories

505 views • 13 slides
Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource

Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource

Adversarial Risk Analysis Models for Urban Security Resource Allocation Urban Security Resource Allocation David Ros Insua, Royal Academy Cesar Gil, U. Rey Juan Carlos Jess Ros, IBM Research YH COST Smart Cities Wshop Paris, September

507 views • 22 slides
Bowtie and Hazard Mitigation (HMA) as a Visual Means for Risk Analysis and Incident Planning DOE

Bowtie and Hazard Mitigation (HMA) as a Visual Means for Risk Analysis and Incident Planning DOE

Bowtie and Hazard Mitigation (HMA) as a Visual Means for Risk Analysis and Incident Planning DOE ESS Safety Forum March 7th, 2019 Albuquerque, New Mexico Warner Energy Storage Solutions 1 Warner ESS and risk analysis Warner ESS and DNV GL

366 views • 13 slides
Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Analysis Biosafety Risk assessment, Risk Risk analysis encom passes Management & risk risk assessm ent, risk communication m anagem ent, and risk com m unication. Ephy Khaemba International Livestock Research Institute

506 views • 11 slides
ISO New Englands Operational Fuel-Security Analysis Shows Growing Fuel-Security Risk

ISO New Englands Operational Fuel-Security Analysis Shows Growing Fuel-Security Risk

M A R C H 1 6 , 2 0 1 8 | B O S T O N , M A ISO New Englands Operational Fuel-Security Analysis Shows Growing Fuel-Security Risk Restructuring Roundtable Gordon van Welie P R E S I D E N T & C E O ISO-NE PUBLIC KEY MESSAGES

288 views • 12 slides
Risk Analysis Methodology for New IT Service IT Infrastructure Protection Division IT

Risk Analysis Methodology for New IT Service IT Infrastructure Protection Division IT

Risk Analysis Methodology for New IT Service IT Infrastructure Protection Division IT Infrastructure Protection Division IT Infrastructure Protection Planning Team IT Infrastructure Protection Planning Team Korea Information Security Agency

407 views • 12 slides
Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
The Risk of Financial Hardship in Retirement: A Cohort Analysis Jason Brown Social Security

The Risk of Financial Hardship in Retirement: A Cohort Analysis Jason Brown Social Security

The Risk of Financial Hardship in Retirement: A Cohort Analysis Jason Brown Social Security Administration Karen Dynan Harvard University Theodore Figinski U.S. Department of Treasury Pension Research Council 2019 Symposium Remaking

311 views • 16 slides
Research & Education Challenges in Risk Analysis & Risk Management Improved

Research & Education Challenges in Risk Analysis & Risk Management Improved

Research & Education Challenges in Risk Analysis & Risk Management Improved Understanding of Risk Management Type Matching Risks, Risk Analysis & Risk Response Maritime Risk Symposium 2011 Rutgers University 9 November, 2011

1.18k views • 82 slides
RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides

RISK AND PLANNING FOR RISK AND PLANNING FOR MISTAKES MISTAKES Christian Kaestner With slides adopted from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning Engineering."

1.27k views • 84 slides
Applied Quantitative Cyber Risk Analysis Michael Rich, OSCP, CISSP Director of IT Security,

Applied Quantitative Cyber Risk Analysis Michael Rich, OSCP, CISSP Director of IT Security,

Applied Quantitative Cyber Risk Analysis Michael Rich, OSCP, CISSP Director of IT Security, Infrastructure & Operations Motion Picture Industries Pension & Health Care Plan | 2 | Disclaimer for those reading from the ISACA link My

816 views • 34 slides
TWIC - Navigating Deployment Challenges DIMACS Workshop on Port Security/Safety, Risk Analysis and

TWIC - Navigating Deployment Challenges DIMACS Workshop on Port Security/Safety, Risk Analysis and

TWIC - Navigating Deployment Challenges DIMACS Workshop on Port Security/Safety, Risk Analysis and Modeling 17 November, 2008 Proprietary & Confidential Agenda Framing Statistics Challenge Spotlight Enrollment

530 views • 10 slides
GA10 People and Security Lecture 3: Biometrics Applying risk analysis Goals of this lecture

GA10 People and Security Lecture 3: Biometrics Applying risk analysis Goals of this lecture

GA10 People and Security Lecture 3: Biometrics Applying risk analysis Goals of this lecture Brief introduction to biometrics Context: ICAO,US Visit and the ID cards programme Issues with current equipment Performance

654 views • 52 slides
CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about risk analysis and

426 views • 29 slides
Policies & Risk Analysis CS461/ECE422 Spring 2012 Readings

Policies & Risk Analysis CS461/ECE422 Spring 2012 Readings

Policies & Risk Analysis CS461/ECE422 Spring 2012 Readings Chapters 14 and 15 of Computer Security Informa(on Security Policies and Procedures ,

641 views • 46 slides
Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle

Intro to Life Cycle Analysis 2.83/2.813 Manufacturing End of Life Mining Use Phase Life Cycle Assessment LCA is a methodology to account for and assess the environmental impacts from all phases / stages of a product life cycle Mining

993 views • 72 slides
OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee

OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee

OIG Audits A Grantees Perspective Whats the process for an OIG Audit? OIG notifies grantee of upcoming audit OIG review files may visit a community Exit conference (grantee can provide verbal comments) OIG issues draft

89 views • 7 slides
Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

4/8/2015 Changes to Federal Grants & Single Audits (A-87, A-21, A-122, A-102, A-110, A-89, A-133 & A-50) The New OMB Uniform Guidance Presenter Kelly Berger-Davis Quality Assurance & Technical Specialist Center for Audit

722 views • 55 slides
9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB

9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB

IAASB CAG PAPER IAASB CAG Agenda (September 2011) Agenda Item C - Slides to Introduce AQ Presentation 9/7/2011 Overview of Proposed International Audit Quality Framework Jon Grant, Chair, IAASB Audit Quality Task Force IAASB CAG Meeting

460 views • 6 slides
Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to

Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to

Stocks and Options and Bonds, Oh My! A corporation has this great idea Capital is required to see it through Ill let you guess how much he wants Option 1: Borrow the money From a bank From bonds Option 2: Issue stocks on an

952 views • 44 slides
Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: http://p42.us/ie8xss/ About Us Eduardo Vela Nava aka sirdarckcat http://sirdarckcat.net http://twitter.com/sirdarckcat David Lindsay aka

1.1k views • 73 slides
The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences:

The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences:

1 2 The post-quantum Internet Risk management Daniel J. Bernstein Combining congruences: state-of-the-art pre-quantum University of Illinois at Chicago & attack against original DH, Technische Universiteit Eindhoven RSA, and some

2.34k views • 171 slides
Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws

Chaucer and The Canterbury Tales P . S. Langeslag Chaucer Anglo-Saxon Bureaucracy Laws Charters Writs Annals Anglo-Norman Bureaucracy Laws Charters Writs (Chancery) Annals Balance sheets Figure 1: Domesday

601 views • 31 slides

More recommend