Information Systems Risk Analysis and Management - PowerPoint PPT Presentation

Title: Risk Analysis. Author: Spyros Kokolakis. Last modified by: sak. Created Date: 4/8/2005 7:59:19 AM. Slides: 50.

Transcript and Presenter's Notes


1
Information Systems Risk Analysis and Management
  • Spyros Kokolakis
  • University of the Aegean
  • IPICS 2005, Chios, 18-29 July 2005

2
Much about technology
  • Information and Communication Technologies
    Security
  • Networks
  • Wireless
  • Databases
  • Internet
  • Smart cards
  • Keys
  • Cryptography
  • Intrusion detection
  • …

3
Real world
4
IS or ICT Security?
  • Information and Communication Technologies
    Security
  • Confidentiality, Integrity, Availability etc.
  • Information System
  • An Information System comprises five
    interdependent elements: hardware, software,
    data, procedures, and people. These elements
    interact for the purpose of processing data and
    delivering information.
  • An IS exists to serve an enterprise or
    organization and, consequently, it may only be
    studied in the context of the organization it
    serves.

5
Information Systems overview
6
How to fit security in the picture
  • Having people as part of the system we can forget
    any simple solutions.
  • IS security has no strict definition
  • Security is a kind of feeling
  • Are you secure? or Do you feel secure?
    What's the right question?

7
Example: Airport security
8
List of possible measures
  1. Scissors etc. not allowed
  2. ID check (photo ID must be presented)
  3. Only the person named on the ticket can travel
  4. X-rays
  5. Lighters are not allowed anywhere in the airport
    (it's time to quit smoking)
  6. Biometrics
  7. Boot your laptop to see if it has a battery
  8. Lock the captain's cabin
  9. Armed guards on board
  10. Interview all passengers before boarding

9
In such a complex environment
  • Total security is out of the question
  • People's behaviour is unpredictable
  • We cannot account for all possible threats and we
    cannot detect all vulnerabilities.
  • Security costs money and also time, people and
    other resources.
  • So, what shall we do?

10
Risk analysis and management
  • We need to employ methods that will allow us to
    measure the risk associated with the operation of
    an IS, in order to take measures analogous to the
    level of risk.
  • We need risk analysis and management methods

11
What is Risk and how to measure it
  • Risk is determined by the following factors:
  • Assets (A)
  • Impact (I)
  • Threats (T)
  • Vulnerabilities (V)

R = f(A, I, T, V)
12
Assets, Impacts, Threats and Vulnerabilities
  • Assets: what needs protection
  • Business impact is the outcome of a failure to
    protect the assets of the IS.
  • Threat is any action or event that may cause
    damage to an Information System.
  • Vulnerability is a characteristic of the IS that
    may allow a threat to succeed.

13
Conceptualisation of IS Sec
14
Risk analysis and management
15
Risk management methods
  • There are more than 100 methods
  • CRAMM
  • MARION
  • SBA
  • OCTAVE

16
SBA (Security By Analysis)
  • Developed in Sweden in the early 80s
  • Very popular in Sweden and other Scandinavian
    countries
  • Focus on people
  • People involved in every day operations have a
    better chance to identify problems
  • A set of methods
  • SBA check
  • SBA scenario

17
CRAMM
  • CCTA Risk Analysis and Management Method
  • Developed in the UK in the late 80s
  • Used in many countries it has been applied in
    many hundreds of cases
  • It includes a countermeasures library

18
CRAMM overview
  • Stage 1: Initiation and asset valuation
    Model the IS → Valuate the assets → Management
    review
  • Stage 2: Risk assessment
    Identify threats → Assess threats and
    vulnerabilities → Calculate risks → Management
    review
  • Stage 3: Risk management
    Select countermeasures → Prioritise
    countermeasures and schedule implementation →
    Obtain management approval → Monitor

19
Octave

Operationally Critical Threat, Asset, and
Vulnerability Evaluation
20
What is OCTAVE?
  • A comprehensive, repeatable methodology for
    identifying risks in networked systems through
    organizational self-assessment.
  • Helps organizations apply information security
    risk management to secure their existing
    information infrastructure and to protect their
    critical information assets.

21
Goal of OCTAVE
  • Plan how to apply good security practices to
    address organizational and technical
    vulnerabilities that could impact critical assets
  • Two versions: one for large organisations (> 300
    employees) and one for small organisations
  • Organizational issues
  • Policies or security practices
  • Technical issues
  • Technology infrastructure

22
Information Security Risk Management Framework
23
Mind the gap
  • Security Practices Gaps Result From an
    Organizational Communication Gap

24
Octave is the bridge
  • OCTAVE is an Organizational Approach to Security
    Risk Management

25
The process
26
OCTAVE Analysis Team
  • An interdisciplinary team (4-6)
  • consisting of
  • business or mission-related staff
  • information technology staff

27
(No Transcript)
28
Phase 1 Organizational View
  • Data gathering of the organizational perspectives
    on
  • assets
  • threats to the assets
  • security requirements of the assets
  • current protection strategy practices
  • organizational vulnerabilities
  • The perspectives will come from
  • senior managers
  • operational area managers (including IT)
  • staff (from the operational areas and IT)

29
Phase 1 Questions
  • What are your organization's critical
    information-related assets?
  • What is important about each critical asset?
  • Who or what threatens each critical asset?
  • What is your organization currently doing to
    protect its critical assets?
  • What weaknesses in policy and practice currently
    exist in your organization?

30
Asset
  • Something of value to the organization that
    includes one or more of the following
  • information
  • systems
  • services and applications
  • people
  • Critical when there will be a large adverse
    impact to the organization if
  • the asset is disclosed to unauthorized people.
  • the asset is modified without authorization.
  • the asset is lost or destroyed.
  • access to the asset is interrupted.

31
Asset protection requirements
  • Prioritize the qualities of an asset that are
    important to the organization
  • confidentiality
  • integrity
  • availability
  • Example for availability: Internet access should
    be provided 24x7x365, 97% of the time.

32
Threat
  • An indication of a potential undesirable event
    involving a critical asset
  • Examples
  • A disappointed student could set a fire.
  • A virus could interrupt access to the university
    network.
  • An operator may set the firewall to deny all
    access without noticing.

33
Threat Properties
  • Critical Asset
  • Actor (human, system, other)
  • Motive (deliberate or accidental) human actor
    only
  • Access (network or physical) human actor only
  • Outcome
  • Disclosure or viewing of sensitive information
  • Modification of important or sensitive
    information
  • Destruction or loss of important information,
    hardware, or software
  • Interruption of access to important information,
    software, applications, or services

34
Asset-based risk profile
35
(No Transcript)
36
Phase 2 Technology View
  • Identify technology vulnerabilities that provide
    opportunities for impacting critical assets

37
Methods / Tools
  • You can use a variety of methods and tools
  • Interviews with people
  • Documentation analysis
  • Network scanners
  • Log analysers
  • Vulnerability assessment tools
  • etc.

38
Phase 2 Questions
  • How do people access each critical asset?
  • What infrastructure components are related to
    each critical asset?
  • What technological weaknesses expose your
    critical assets to threats?

39
(No Transcript)
40
Phase 3 Risk Analysis
  • Establish the risks to the organization's
    critical assets.
  • Define mitigation plans to protect the critical
    assets.
  • Characterize the organization's protection
    strategy.
  • Identify the next steps to take after the
    evaluation to ensure progress is made.

41
Impact Evaluation Criteria
  • Define the organization's tolerance for risk.
  • Standard areas of impact considered include:
  • reputation/customer confidence
  • life/health of customers
  • productivity
  • fines/legal penalties
  • financial
  • other

42
Expression of Risk
  • A risk is expressed using
  • a threat scenario (a branch on a threat tree)
  • the resulting impact on the organization
  • Example
  • Viruses can interrupt staff members from
    accessing the network. They will not prepare
    their lectures on time.
  • Impact value: medium

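The risk model R = f(A, I, T, V) from slide 11, the threat properties of slide 33, the impact areas of slide 41 and the threat-scenario-plus-impact expression on this slide can be tied together in one small asset-based risk profile. The Python script below is an added worked example, not part of the slides and not the OCTAVE method's own worksheets; the three-point scale, the product form chosen for f, the rating thresholds, and the sample assets and threats are all constructed assumptions (the scenarios follow the examples given on slides 32 and 42).

```python
"""Added worked example (not from the slides): an asset-based risk profile in
the OCTAVE style.  Scales, the concrete form of f(A, I, T, V), the rating
thresholds and the sample data are assumptions made for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    """Assumed three-point qualitative scale used for every factor."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Outcome(Enum):
    """Threat outcomes listed on slide 33."""
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS = "loss"
    INTERRUPTION = "interruption"


# Which asset protection requirement (slide 31) each outcome violates.
OUTCOME_REQUIREMENT = {
    Outcome.DISCLOSURE: "confidentiality",
    Outcome.MODIFICATION: "integrity",
    Outcome.LOSS: "availability",
    Outcome.INTERRUPTION: "availability",
}


@dataclass
class Asset:
    name: str
    requirements: dict[str, Level]   # how much each of C/I/A matters (A)


@dataclass
class Threat:
    ident: str
    asset: Asset
    actor: str                        # human, system, other
    motive: str | None                # deliberate/accidental; None unless human
    access: str | None                # network/physical; None unless human
    outcome: Outcome
    scenario: str                     # one branch of the threat tree
    likelihood: Level                 # T: how likely the threat is
    vulnerability: Level              # V: how easily the threat succeeds


@dataclass
class Risk:
    threat: Threat
    impacts: dict[str, Level]         # impact area (slide 41) -> level


def impact_level(risk: Risk) -> Level:
    """I: the organisation's impact is the worst impact in any area."""
    return max(risk.impacts.values(), key=lambda lvl: lvl.value)


def risk_score(risk: Risk) -> int:
    """Assumed concrete f(A, I, T, V): the product of the four factors, where
    A is the asset's value for the requirement the threat's outcome violates."""
    req = OUTCOME_REQUIREMENT[risk.threat.outcome]
    a = risk.threat.asset.requirements.get(req, Level.LOW).value
    t = risk.threat.likelihood.value
    v = risk.threat.vulnerability.value
    return a * impact_level(risk).value * t * v       # range 1..81


def risk_rating(score: int) -> Level:
    """Assumed thresholds on the 1..81 product scale."""
    if score >= 27:
        return Level.HIGH
    if score >= 8:
        return Level.MEDIUM
    return Level.LOW


def express(risk: Risk) -> str:
    """Slide 42: a risk is a threat scenario plus the resulting impact."""
    return f"{risk.threat.scenario} Impact value: {impact_level(risk).name.lower()}"


def prioritise(risks: list[Risk]) -> list[tuple[str, int, Level]]:
    """Answers the Phase 3 question 'which are the highest priority risks?'."""
    scored = [(r.threat.ident, risk_score(r), risk_rating(risk_score(r))) for r in risks]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def sample_risks() -> list[Risk]:
    """Constructed sample data following the examples on slides 32 and 42."""
    network = Asset("university network", {"confidentiality": Level.MEDIUM,
                    "integrity": Level.MEDIUM, "availability": Level.HIGH})
    archive = Asset("lecture archive server", {"confidentiality": Level.LOW,
                    "integrity": Level.MEDIUM, "availability": Level.HIGH})
    virus = Threat("virus", network, "system", None, None, Outcome.INTERRUPTION,
                   "Viruses interrupt staff access to the network; lectures are not prepared on time.",
                   Level.MEDIUM, Level.MEDIUM)
    fire = Threat("fire", archive, "human", "deliberate", "physical", Outcome.LOSS,
                  "A disappointed student sets a fire in the server room.",
                  Level.LOW, Level.HIGH)
    firewall = Threat("firewall", network, "human", "accidental", "network", Outcome.INTERRUPTION,
                      "An operator sets the firewall to deny all access without noticing.",
                      Level.MEDIUM, Level.LOW)
    return [
        Risk(virus, {"productivity": Level.MEDIUM, "reputation/customer confidence": Level.LOW}),
        Risk(fire, {"life/health of customers": Level.HIGH, "financial": Level.MEDIUM}),
        Risk(firewall, {"productivity": Level.MEDIUM}),
    ]


if __name__ == "__main__":
    for ident, score, rating in prioritise(sample_risks()):
        print(f"{ident:<9} score={score:>2} rating={rating.name}")
```

Running the script ranks the three constructed risks: the fire scenario comes out highest despite its low likelihood because asset value, impact and vulnerability are all high, while the accidental firewall change ranks lowest because change control (a low vulnerability level) limits how easily it succeeds. That ordering is what the Phase 3 questions on slides 44 ask for; a real evaluation would replace the product with the organisation's own impact evaluation criteria and risk tolerance.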
43
Threat scenario
44
Phase 3 Questions
  • What is the potential impact on your organization
    due to each threat? What are your organization's
    risks?
  • Which are the highest priority risks to your
    organization?
  • What policies and practices does your
    organization need to address?
  • What actions can your organization take to
    mitigate its highest priority risks?
  • Which technological weaknesses need to be
    addressed immediately?

45
Outputs of Octave
46
Protection Strategy
  • Structured around the catalog of practices and
    addresses the following areas:
  • Security Awareness and Training
  • Security Strategy
  • Security Management
  • Security Policies and Regulations
  • Collaborative Security Management
  • Contingency Planning/Disaster Recovery
  • Physical Security
  • Information Technology Security
  • Staff Security

47
Mitigation Plan
  • Defines the activities required to remove or
    reduce unacceptable risk to a critical asset.
  • Focus is on activities to
  • recognize or detect threats when they occur
  • resist or prevent threats from occurring
  • recover from threats if they occur
  • Mitigations that cross many critical assets might
    be more cost effective as protection strategies

48
OCTAVE-S
  • Defines a more structured method for evaluating
    risks in small (less than 100 employees) or
    simple organizations
  • requires less security expertise in analysis team
  • requires analysis team to have a full, or nearly
    full, understanding of the organization and what
    is important
  • uses fill-in-the-blank as opposed to essay
    style
  • Will also be defined with procedures, guidance,
    worksheets, information catalogs, and training

49
OCTAVE Information
  • Visit http://www.cert.org/octave
  • Introduction to the OCTAVE Approach
  • OCTAVE Method Implementation Guide
  • OCTAVE-S (version 0.9)
  • Book: Managing Information Security Risks: The
    OCTAVE Approach by Christopher Alberts and Audrey
    Dorofee, Addison-Wesley.