Assessing and Managing Security Risk in IT Systems - PowerPoint PPT Presentation

About This Presentation
Title: Assessing and Managing Security Risk in IT Systems
Slides: 34
Provided by: jimshi

Transcript and Presenter's Notes
1
Assessing and Managing Security Risk in IT Systems
John McCumber AUD-10 November 16, 2005
2
Assessing and Managing Security Risk in IT Systems: A Structured Methodology
John McCumber
3
IT Risk Assessment
"Find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause."
William Shakespeare, Hamlet
4
Why is Risk Management Necessary?
"When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind. It may be the beginning of knowledge, but you have scarcely in your thoughts advanced to the stage of science."
William Thomson, Lord Kelvin (1824 - 1907)
5
IT Risk Management
  • The process of designing, developing, sustaining,
    and modifying operational processes and systems
    in consideration of applicable risks to asset
    confidentiality, integrity, and availability.
  • Applicable risks are those reasonably expected
    to be realized and to cause an unacceptable
    impact.

6
IT Risk Management
  • Incorporates an analytical, systems approach into
    the entire operational and support cycle.
  • Provides systems and operational leaders a
    reliable decision support process.
  • Encourages protection of only that which requires
    protection.
  • Manages cost while achieving significant
    performance benefits.

7
Key Information Security Challenges
  • Blurring lines: securing IT assets vs. managing them; who ultimately has
    the responsibility?
  • Too much information: the deluge of security news (e.g. viruses, new
    patches) must be custom formatted for my environment, and that takes time!
  • Shortage of trained and experienced personnel
  • Need to wrap protection around evolving architectures and business models
    (e.g. wireless LANs, remote access)
  • Investment in new security tools necessitates a new console to manage and
    new alerts to correlate
  • The ranks of the undesired are expanding: blended threats, P2P, spam,
    spyware and insider threats together require more than traditional server
    and desktop solutions

8
World-Wide Attack Trends
(Chart; only its labels survived extraction.) Series labels: Blended Threats (CodeRed, Nimda, Slammer); Denial of Service (Yahoo!, eBay); Mass Mailer Viruses (Love Letter/Melissa); Zombies; Polymorphic Viruses (Tequila). Axis labels: Infection Attempts; Malicious Code Infection Attempts; Network Intrusion Attempts.
Analysis by Symantec Security Response using data from Symantec, IDC & ICSA; 2003 estimated. Source: CERT.
9
Vulnerability Trends: Volume 2001 - 2005
  • Between July 1 and December 31, 2005, the total number of vulnerabilities
    grew by 1% over the previous reporting period and 34% over the same
    period last year. The total number of vulnerabilities reported this
    period is the highest ever recorded.

10
Vulnerability Management
  • Vulnerabilities are specific technical weaknesses which can be exploited
    to impact an asset:
    - System and network hardware
    - System and network operating systems
    - System and network applications
    - Network protocol
    - Connectivity
    - Current safeguards
    - Physical environment
  • Necessary to identify and rank vulnerabilities

11
Empirical Objective
(Chart; only its labels survived extraction: Cost, Performance, Risk, Applying Safeguards.)
12
Uses and Types of Models
13
McCumber Cube Model
14
Information States versus Technology
  • Transmission: data in motion
  • Storage: data at rest
  • Processing: the determinant characteristic
    - Pre-computer, only available via human interaction
  • No other states
  • Common misconceptions

15
PC Information States
(Diagram; labels: Transmission, Processing, Storage.)
16
Component State Mapping
17
Modeling Information Systems
18
Information State Mapping Example
19
Security Attributes
  • Confidentiality: Preserving authorized restrictions on information access
    and disclosure, including means for protecting personal privacy and
    proprietary information.
  • Integrity: Guarding against improper information modification or
    destruction, and includes ensuring information non-repudiation and
    authenticity.
  • Availability: Ensuring timely and reliable access to and use of
    information.

20
Safeguards and Countermeasures
  • Technology
  • Policy and Procedures
  • Human Factors

21
Hierarchical Dependency of Safeguards
22
Hierarchical Dependency Example
23
Vulnerability-Safeguard Pairing
24
Expanded Vulnerability-Safeguard Pairing
25
Layered Security Analysis
(Diagram; labels: Security functionality, Security assessment, Internet, Policy enforcement.)
26
Layered Security Analysis
(Diagram; labels: Britain, Japan, United States; Security assessment, Policy enforcement, Security functionality.)
27
Essential Elements of Risk
  • Threats
  • Assets
  • Vulnerabilities
  • Safeguards
    - Products
    - Procedures
    - People

28
The Risk Equations
29
Measuring Security Risk
(Chart; labels: Baseline Risk; Residual Risk after Countermeasures Applied.)
30
Risk Assessment Process
(Diagram; process elements as labelled:)
  • Threat Assessment
  • Asset Valuation
  • Risk Determination
  • Safeguard Assessment
  • Decision Support Analysis
  • Vulnerability Assessment
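The slides present the three cube dimensions on separate pages (information states on slide 14, security attributes on slide 19, safeguard categories on slide 20) and then pair vulnerabilities with safeguards (slide 23) before assessing safeguards in the process above. The script below is an added example, not code from the presentation or from McCumber's book: it combines those dimensions into the 3x3x3 cube, places each vulnerability-safeguard pair in its cell, and reports the cells no safeguard covers and the cells that rest on a single safeguard category. Every component, vulnerability and safeguard it uses is constructed sample data.

```python
"""McCumber Cube coverage check (added example; sample data is constructed)."""
from itertools import product

STATES = ("transmission", "storage", "processing")
ATTRIBUTES = ("confidentiality", "integrity", "availability")
SAFEGUARD_TYPES = ("technology", "policy", "human")

# Constructed sample: which information states each component handles
# (the component-to-state mapping of slide 16).
COMPONENTS = {
    "nic": {"transmission"},
    "disk": {"storage"},
    "cpu": {"processing"},
    "ram": {"processing", "storage"},
}

# Constructed sample vulnerability-safeguard pairs.  Each safeguard is placed
# in the cube by the state it protects, the attributes it preserves and the
# safeguard category (technology, policy and procedures, human factors).
SAFEGUARDS = [
    {"name": "TLS on every link", "vulnerability": "cleartext on the wire",
     "type": "technology", "state": "transmission",
     "attributes": {"confidentiality", "integrity"}},
    {"name": "full-disk encryption", "vulnerability": "stolen disk is readable",
     "type": "technology", "state": "storage",
     "attributes": {"confidentiality"}},
    {"name": "nightly verified backup", "vulnerability": "disk failure or tampering",
     "type": "technology", "state": "storage",
     "attributes": {"integrity", "availability"}},
    {"name": "change-control procedure", "vulnerability": "unreviewed config change",
     "type": "policy", "state": "processing",
     "attributes": {"integrity"}},
    {"name": "administrator security training", "vulnerability": "operator error",
     "type": "human", "state": "processing",
     "attributes": {"confidentiality", "integrity", "availability"}},
]


def validate(safeguards=SAFEGUARDS):
    """Reject a record naming a state, attribute or category outside the cube."""
    for sg in safeguards:
        if sg["state"] not in STATES:
            raise ValueError(f"{sg['name']}: unknown state {sg['state']!r}")
        if sg["type"] not in SAFEGUARD_TYPES:
            raise ValueError(f"{sg['name']}: unknown category {sg['type']!r}")
        bad = sg["attributes"] - set(ATTRIBUTES)
        if bad:
            raise ValueError(f"{sg['name']}: unknown attributes {sorted(bad)}")
    return True


def coverage(safeguards=SAFEGUARDS):
    """Map every (state, attribute) cell to the safeguard categories covering it."""
    validate(safeguards)
    cells = {cell: set() for cell in product(STATES, ATTRIBUTES)}
    for sg in safeguards:
        for attr in sg["attributes"]:
            cells[(sg["state"], attr)].add(sg["type"])
    return cells


def gaps(safeguards=SAFEGUARDS):
    """Cells with no safeguard of any category: the exposure left unaddressed."""
    return sorted(cell for cell, kinds in coverage(safeguards).items() if not kinds)


def thin_cells(safeguards=SAFEGUARDS):
    """Cells protected by exactly one safeguard category, i.e. no layered defence."""
    return sorted(cell for cell, kinds in coverage(safeguards).items() if len(kinds) == 1)


def affected_components(cells, components=COMPONENTS):
    """Components whose information states include any of the given cells."""
    states = {state for state, _ in cells}
    return sorted(name for name, handled in components.items() if handled & states)


if __name__ == "__main__":
    for cell in gaps():
        print("GAP  ", cell, "-> components:", affected_components([cell]))
    for cell in thin_cells():
        print("THIN ", cell, "covered only by", sorted(coverage()[cell]))
```

With the constructed data the only uncovered cell is availability of data in transmission, which maps back to the `nic` component; seven of the nine cells rely on a single safeguard category, and only processing/integrity is covered by two (policy and human). Extending `SAFEGUARDS` with real pairs from an assessment turns the same functions into a coverage report for the system under review.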
31
McCumber Cube Model
32
Conclusion
  • If you can measure, you can:
    - justify
    - target
    - control
    - predict
  • If you can measure, you can manage, and move information assurance from
    art to science.

33
Thank You!
John McCumber, Assessing and Managing Security Risk in IT Systems: A Structured Methodology, Auerbach, New York, NY, 2004