Risk Analysis - PowerPoint PPT Presentation

1
Risk Analysis
Dr Chez Ciechanowicz, Information Security Group
Room 343, McCrea
Tel 01784 443112
E-mail Z.Ciechanowicz_at_rhul.ac.uk
2
ISACA Auditing Guidelines
The responsibility for the prevention and
detection of irregularities and fraud rests with
the management, who may obtain reasonable
assurance that this responsibility will be
discharged by instituting an adequate system of
internal control. Internal Control System - the
whole system of controls, financial and
otherwise, established by the management in order
to carry on the business of the enterprise in an
orderly and efficient manner, ensure adherence to
management policies, safeguard the assets and
secure as far as possible the completeness and
accuracy of the records.
3
Risk Analysis
Quote from NIST Document - An Introduction to
Computer Security:
Managers are faced with risks which arise from the
organisation's use of computers, which are
vulnerable to a wide range of threats. Computer
security helps an organisation
analyse threats and vulnerabilities and make
appropriate steps to reduce or manage the
associated risks in a cost-effective
manner. Whilst computer security helps to manage
risk, it does not eliminate it. In addition, the
exact level of risk can never be known since
there is always some degree of uncertainty.
Ultimately, management must decide on the level
of risk it is willing to accept. Judging what
level can be tolerated, particularly when weighed
against the costs of security controls, can be a
difficult management decision.
4
Risk Assessment
Business Objectives
  • FOCUS on key assets
  • PROTECT against likely threats
  • PRIORITISE future actions
  • BALANCE cost with benefits
  • IDENTIFY / JUSTIFY appropriate

5
Risk Assessment
Positive Factors
  • Enables security risks to be managed
  • Maximises cost effectiveness
  • Safeguards information assets
  • Enables IT risks to be taken more safely

6
Balancing the Risk
Cost of Security
Cost of Insecurity
7
Risks
  • Unauthorised or accidental disclosure
  • Unauthorised or accidental modification
  • Unavailability of facilities / services
  • Destruction of assets

8
Risk Impact
  • Monetary losses
  • Loss of personal privacy
  • Loss of commercial confidentiality
  • Legal actions
  • Public embarrassment
  • Danger to personal safety

9
Risk Control Strategy
  • Risk prevention
  • Reduction of impact
  • Reduction of likelihood
  • Early detection
  • Recovery
  • Risk transfer

10
Risk Assessment
11
Risk Assessment
Recap.
  • Risk Assessment is a business requirement
  • Risk Assessment is part of overall security
    management
  • Can be complex
  • Methods exist
  • Approach must suit your organisation

12
Why Risk Assessment Methodologies?
  • Quality
  • Consistency
  • It makes you think through the problem
  • Credibility
  • Ability to justify recommendations
  • Trusted results

13
General Requirements
  • Fits company culture
  • Flexible
  • Easy and quick to use
  • Modelling capability
  • Secure

14
Specific Requirements
  • Use at any stage of Project Life Cycle
  • Identify all or selected risks
  • Classify systems and projects
  • Countermeasure guidance
  • Audit trail

15
Potential Users of Methodology
  • Project Managers
  • Systems Developers
  • Systems Managers
  • Systems Audit
  • Business Managers
  • Security Managers

16
Choosing Methodologies
  • Assumed expertise of reviewer
  • Complexity of environment
  • When to apply Risk Analysis
  • Consideration of existing controls
  • Level of detail
  • Scope

17
Methods - (1)
Manual v Automated
18
Methods - (2)
Quantitative v Qualitative
19
ALE Approach
  • Enumerate all (potential) threats to systems
  • Estimate annual probability of each event (p)
  • Estimate average loss per event (L)
  • Annual loss expectancy equals p x L
  • Choose controls to reduce ALEs

20
Disadvantages of the ALE Approach
  • Some events may be totally unacceptable
  • Cost values for certain data valuations may be
    too contrived
  • Subjective attribution of cost values and
    frequencies
  • Assumes all existing countermeasures are justified
  • Need security expert to choose countermeasures
  • Onerous and time consuming

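The ALE calculation and its first disadvantage (some events are unacceptable whatever their expected annual loss) are easier to see on numbers. The following is an added example, not material from the slides: the threat names, probabilities, loss figures, control costs and reduction fractions are all constructed for illustration. It computes ALE = p x L per threat, greedily picks controls whose marginal ALE reduction exceeds their annual cost, and then reports any threat flagged as unacceptable that the cost/benefit arithmetic left exposed.

```python
"""Annual Loss Expectancy worked example (added illustration, not from the slides).

All threats, probabilities, losses, controls and reduction fractions below are
constructed values chosen only to make the arithmetic visible."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    name: str
    p: float                    # estimated annual probability of the event
    loss: float                 # estimated average loss per event (currency units)
    unacceptable: bool = False  # management will not tolerate this event at any ALE

    @property
    def ale(self) -> float:
        """Annual loss expectancy, the slide's p x L."""
        return self.p * self.loss


@dataclass
class Control:
    name: str
    annual_cost: float
    # fraction of a threat's ALE removed, keyed by threat name; unlisted threats are unaffected
    reduction: Dict[str, float] = field(default_factory=dict)


def ale_after(threat: Threat, controls: List[Control]) -> float:
    """ALE of one threat once the given controls are applied.

    Reductions are treated as independent, so they compound multiplicatively
    (two 50% reductions leave 25% of the ALE, not 0%)."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.reduction.get(threat.name, 0.0)
    return threat.ale * remaining


def marginal_net_benefit(control: Control, chosen: List[Control], threats: List[Threat]) -> float:
    """Extra ALE removed by adding `control` on top of `chosen`, minus its annual cost."""
    saved = sum(ale_after(t, chosen) - ale_after(t, chosen + [control]) for t in threats)
    return saved - control.annual_cost


def select_controls(threats: List[Threat], candidates: List[Control]) -> List[Control]:
    """Greedy ALE-based selection: keep adding the control with the largest
    positive marginal net benefit until none remains. Marginal benefit is
    recomputed after every pick, so a control that pays for itself on its own
    can be rejected once an earlier pick has already removed most of the risk."""
    chosen: List[Control] = []
    remaining = list(candidates)
    while remaining:
        best = max(remaining, key=lambda c: marginal_net_benefit(c, chosen, threats))
        if marginal_net_benefit(best, chosen, threats) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


def unacceptable_still_exposed(threats: List[Threat], chosen: List[Control]) -> List[str]:
    """Threats flagged as totally unacceptable that still carry residual ALE
    after the chosen controls. This is the slide's first disadvantage: a
    tolerable-looking ALE does not make a catastrophic event tolerable, so
    these need treatment regardless of what the cost/benefit sums say."""
    return [t.name for t in threats if t.unacceptable and ale_after(t, chosen) > 0]


# Constructed figures for illustration only.
THREATS = [
    Threat("Ransomware outbreak", p=0.20, loss=50_000),
    Threat("Server room fire", p=0.02, loss=400_000, unacceptable=True),
    Threat("Accidental file deletion", p=0.50, loss=4_000),
]
CONTROLS = [
    Control("Offline backups", annual_cost=3_000,
            reduction={"Ransomware outbreak": 0.6, "Server room fire": 0.5,
                       "Accidental file deletion": 0.9}),
    Control("Fire suppression", annual_cost=5_000, reduction={"Server room fire": 0.8}),
    Control("Endpoint anti-malware", annual_cost=6_000, reduction={"Ransomware outbreak": 0.5}),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:26s} ALE = {t.ale:10,.0f}")
    picked = select_controls(THREATS, CONTROLS)
    print("Selected:", [c.name for c in picked])
    print("Unacceptable but still exposed:", unacceptable_still_exposed(THREATS, picked))
```

With these figures the backups are chosen first (they cut ALE across all three threats), after which fire suppression no longer pays for itself on the remaining 4,000 of fire ALE, so the greedy pass stops; the fire nonetheless remains on the unacceptable list, which is exactly the case where ALE arithmetic alone should not be allowed to decide.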
21
Dealing with Risk
Contractual
Protection
Accept it!
Insurance
22
Baseline Models
23
CRAMM Objectives
  • Cope with technical AND non-technical IT security
  • Compatible with government IT security guidance
  • Quick reviews
  • Automated tool
  • Understandable results
  • Full threat checklist
  • Non-specialist
  • Immature security

24
Risk Analysis and Risk Management

ASSETS
THREATS
VULNERABILITIES
ANALYSIS
RISKS
MANAGEMENT
COUNTERMEASURES
25
The Three Stages of CRAMM
  • Stage 1 Scope the security problem (value the
    assets)
  • Stage 2 Evaluate the risk
  • Stage 3 Select suitable countermeasures

26
Stage 1 Value the Assets - (1)
Unavailability Impacts
  • Less than 15 minutes
  • 1 hour
  • 3 hours
  • 12 hours
  • 1 day
  • 2 days
  • 1 week
  • 2 weeks
  • 1 month
  • 2 months and over

27
Stage 1 Value the Assets - (2)
  • Physical destruction impact
  • Destruction (of data) impact
    - Loss of data since last successful backup
    - Total loss of data including backups
  • Disclosure impact
    - Disclosure to insiders
    - Disclosure to contracted service providers
    - Disclosure to outsiders

28
Stage 1 Value the Assets - (3)
Modification Impacts
  • Small scale errors
  • Widespread errors
  • Deliberate modification
  • Repudiation of origin
  • Repudiation of receipt
  • Non-delivery
  • Replay
  • Mis-routing
  • Traffic monitoring
  • Out-of-sequence
  • Insertion of false messages

29
Stage 1 Value the Assets - (4)
  • Value the Physical Assets
    - Type in the cost
  • Value the Data Assets
    - Worst case realistic scenarios
    - Use questionnaires and tables
    - Ignore existing countermeasures

30
Stage 1 Value the Assets - (5)
  • Personal safety
  • Personal information
  • Legal and regulatory obligations
  • Law enforcement
  • Commercial and economic interests
  • Financial loss / disruption to activities
  • Public order
  • International relations
  • Defence
  • Security and intelligence
  • Policy and operations of public service
  • Loss of goodwill

31
Stage 1 Value the Assets - (6)
Legal and Regulatory Obligations
Assignment of Values
32
Stage 1 Value the Assets - (7)
Financial Loss / Disruption to Activities
Assignment of Values
33
Assets, Threats and Vulnerabilities
(Diagram: a LAN asset with a dial-in vulnerability exposed to a hacker threat)
34
Theoretical Model
  • There are 36 generic threats (T1 .. T36)
  • There are 27 impacts (I1 .. I27)
  • Value each asset / impact pair (Ai, Ij)
  • Identify valid triples (Ti, Ij, Ak)
  • Evaluate threats (Very Low, Low, Medium, High,
    Very High) and vulnerabilities (Low, Medium, High)
  • Calculate the measure of risk for each triple
    (Ti, Vi, Ij, Ak)

35
Stage 2 Evaluate the Risk
  • Step 1 Identify threat, asset, and impact
    relationships (and group together assets)
  • Step 2 Measure threats and vulnerabilities
  • Step 3 Calculate the measures of risk
  • Step 4 Review the measures of risk

36
Stage 3 Select Appropriate Countermeasures
  • Step 1 Identify required countermeasures
  • Step 2 Compare required with installed
    countermeasures
  • Step 3 Recommend and confirm new
    countermeasures

37
The Three Stages of CRAMM
  • Stage 1 Scope the security problem (value the
    assets)
  • Stage 2 Evaluate the risk
  • Stage 3 Select suitable countermeasures

38
Stage 1 Scope the Security Problem
  • Step 1 Prepare the project framework
  • Step 2 Value the assets
  • Step 3 Review data results

39
Stage 1 Step 1
Prepare Project Framework
  • Arrange initial management meeting
  • Prepare functional description of system
  • Agree review boundary
  • Document system assets and configuration
  • Document organisational structure
  • Identify data users
  • Prepare project schedule

40
Stage 1 Step 1
Prepare Project Framework (continued)
  • Identify Physical Assets and Location
  • Identify Data Assets
    - Gather together related data
  • Identify software assets
  • Create asset model

41
End-User Services
Types of Services
  • Electronic Mail
  • Application to Application Messaging
  • Electronic Document Interchange
  • Ad-hoc file transfer
  • Interactive Session
  • Batch Processing
  • Voice
  • Video
  • Other

42
Asset Models - An Example
STOCK ORDER DATA
  • Order Processing Facilities
    - Central Server (Server Room)
    - Central Disk Drive (Server Room)
    - Laser Printers
    - Order Processing PCs (Orders Room)
    - Ethernet LAN
  • Ordering Application Software
    - Central Server (Server Room)

43
Valuing Data - (1)
Realistic Scenarios
  • Last day of the month network down, can't do our
    CHAPS payment - big interest charges say
  • Malicious software modifications to crucial
    software, lose confidence in software, rewrite
    software (meanwhile the business has gone down
    the plug)
  • LAN down for two hours, can't deal with telephone
    enquiries efficiently, possibly lose one sale
    ()

44
Valuing Data - (2)
Unrealistic Scenarios
  • If all our Operations Staff simultaneously went
    sick - go out of business
  • If everybody had free access to the cheque
    printing machine
  • If all 300 of our PCs suddenly blew up
  • If we couldn't use a telephone for three months -
    go out of business

45
An Impact Assessment Report
46
Management Review
  • Generate some CRAMM reports
  • Don't give any to management
  • Write your own report
  • Agree all asset valuations

47
Problems with Stage 1
  • Takes time
  • Bad data grouping possible
  • Relies on good interviewees
  • Relies on skilled interviewers
  • Can get bogged down in detail

48
Stage 2 Evaluate the Risk
  • Step 1 Identify threat, asset and impact
    relationships (and group together assets)
  • Step 2 Measure threats and vulnerabilities
  • Step 3 Calculate the measures of risk
  • Step 4 Review the measures of risk

49
Stage 2 Step 1
  • CRAMM has 35 generic threats
  • Find all meaningful Threat / Asset combinations
  • Save time by grouping together assets

50
Threat Scenarios - (1)
  • Masquerading of user identity by insiders
  • Masquerading of user identity by contracted
    service providers
  • Masquerading of user identity by outsiders
  • Unauthorised use of an application
  • Introduction of damaging or disruptive software
  • Misuse of system resources
  • Communications infiltration by insiders
  • Communications infiltration by contracted service
    providers
  • Communications infiltration by outsiders
  • Accidental misrouting
  • Technical failure of non-network host
  • Technical failure of network host
  • Technical failure of storage facility
  • Technical failure of print facility
  • Technical failure of network distribution
    component

51
Threat Scenarios - (2)
  • Technical failure of network gateway
  • Technical failure of network management or
    operation host
  • Technical failure of network interface
  • Technical failure of network services
  • Power failure
  • Air conditioning failure
  • Systems or network software failure
  • Application software failure
  • Operations error
  • Hardware maintenance error
  • Software maintenance error
  • User error
  • Fire
  • Water damage
  • Natural disaster
  • Staff shortage
  • Theft by insiders / outsiders
  • Wilful damage by insiders
  • Wilful damage by outsiders
  • Terrorism

52
Threat / Impact Table
53
Stage 2 Step 2
Measure Threats and Vulnerabilities
  • Threat Rating: the likelihood it will occur,
    e.g. Has it happened before? Who is interested?
    etc.
  • Vulnerability Rating: does the system make a
    successful threat occurrence any easier, or
    increase the extent of likely damage?
    e.g. How easy is it to eavesdrop? What
    redundancy is there? etc.

54
Example Questionnaire
55
Example Questionnaire
56
Example Questionnaire
57
Example Questionnaire
58
Example Questionnaire
59
Calculating Measures of Risk
Risk Matrix
60
Calculation of the Measure of Risk
61
Problems with Stage 2
  • Large number of questions (approximately 800)
  • Bored interviewees
  • Answers are sometimes subjective

62
Stage 3
Select Appropriate Countermeasures
  • Step 1 Identify required countermeasures
  • Step 2 Compare required with installed
    countermeasures
  • Step 3 Recommend and confirm new
    countermeasures

63
Stage 3 Step 1
Identify Required Countermeasures
  • Security requirement is a pointer to a set of
    applicable countermeasures
  • Select sufficiently powerful countermeasures

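The theoretical model (asset / impact pairs, valid threat / impact / asset triples, threat and vulnerability ratings, a measure of risk per triple) and Stage 3 Step 1 (each measure of risk is a security requirement pointing to a set of applicable countermeasures, from which sufficiently powerful ones are selected and compared with what is installed) can be tied together in a few dozen lines. The code below is an added illustration, not the CRAMM tool or its published tables: the rating scales are the ones on the slides and the countermeasure group names are taken from the slides' group list, but the risk formula standing in for the risk matrix, the mapping from impact type to applicable groups, and all asset values, ratings and installed levels are constructed assumptions.

```python
"""CRAMM-style measure of risk and countermeasure gap check.

Added illustration, not the CRAMM tool. The risk formula below is a
constructed stand-in for the real risk matrix, and the impact-to-group
mapping plus all sample data are assumptions made for the example."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating scales as given on the slides.
THREAT_LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
VULN_LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Triple:
    """A valid threat / impact / asset combination (Ti, Ij, Ak) together with
    its threat and vulnerability ratings (the slide's Ti Vi Ij Ak)."""
    threat: str
    impact: str
    asset: str
    threat_level: str
    vuln_level: str


def measure_of_risk(asset_value: int, threat_level: str, vuln_level: str) -> int:
    """Measure of risk on a 1-7 scale from asset value (1-10), threat and
    vulnerability. Constructed formula, not CRAMM's matrix: likelihood is
    threat + vulnerability - 1 (1..7), averaged with the asset value rescaled
    to 1..7, rounded up and clamped."""
    if not 1 <= asset_value <= 10:
        raise ValueError("asset value must be on the 1-10 scale")
    likelihood = THREAT_LEVELS[threat_level] + VULN_LEVELS[vuln_level] - 1
    value_scaled = asset_value * 7 / 10
    return max(1, min(7, math.ceil((likelihood + value_scaled) / 2)))


# Group names are from the slides' countermeasure group list; which groups
# apply to which impact type is an assumption made for this example.
APPLICABLE_GROUPS = {
    "Disclosure": ["Identification and authentication", "Logical Access Control",
                   "Data Confidentiality over Networks"],
    "Unavailability": ["Back-up data", "Recovery Options for Hosts",
                       "Business Continuity Planning"],
    "Modification": ["Software Integrity", "Software Change Controls", "Audit"],
}


def required_countermeasures(triples: List[Triple],
                             asset_values: Dict[Tuple[str, str], int]) -> Dict[str, int]:
    """Stage 3 Step 1: the measure of risk of each triple is the security
    requirement, read here as the minimum level every applicable group must
    provide. Where several triples point at one group, the highest wins."""
    required: Dict[str, int] = {}
    for tr in triples:
        risk = measure_of_risk(asset_values[(tr.asset, tr.impact)],
                               tr.threat_level, tr.vuln_level)
        for group in APPLICABLE_GROUPS[tr.impact]:
            required[group] = max(required.get(group, 0), risk)
    return required


def shortfalls(required: Dict[str, int],
               installed: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Stage 3 Steps 2-3: compare required with installed levels and list
    (group, installed, required) wherever the installed countermeasure is
    weaker than the requirement. Groups missing from `installed` count as 0."""
    out = []
    for group, need in sorted(required.items()):
        have = installed.get(group, 0)
        if have < need:
            out.append((group, have, need))
    return out


# Constructed sample data: one data asset valued per impact type (1-10 scale).
ASSET_VALUES = {
    ("Stock order data", "Disclosure"): 4,
    ("Stock order data", "Unavailability"): 8,
    ("Stock order data", "Modification"): 9,
}
TRIPLES = [
    Triple("Masquerading of user identity by outsiders", "Disclosure",
           "Stock order data", "Medium", "High"),
    Triple("Technical failure of network host", "Unavailability",
           "Stock order data", "High", "Medium"),
    Triple("Software maintenance error", "Modification",
           "Stock order data", "Low", "Low"),
]
INSTALLED = {"Identification and authentication": 3, "Back-up data": 6, "Audit": 5}

if __name__ == "__main__":
    req = required_countermeasures(TRIPLES, ASSET_VALUES)
    for group, have, need in shortfalls(req, INSTALLED):
        print(f"{group:36s} installed {have}  required {need}")
```

The point of the gap list is the slide's "compare required with installed" step: the two groups already installed at the required level (Back-up data at 6, Audit at 5) drop out, while Identification and authentication shows as installed but too weak (3 against a requirement of 4), which is the case that a simple "is it installed?" checklist would miss.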
64
CRAMM Countermeasure Database - (1)
  • 60 countermeasure groups
  • Categorised according to
    - Category
    - Security level range
    - Cost
    - Security aspect
    - Type of countermeasure

65
CRAMM Countermeasure Database - (2)
Countermeasure Hierarchy
  • Category 1: High level security objectives
  • Category 2: Detailed security functions that
    help achieve the security objective
  • Category 3: Implementation examples

66
CRAMM Countermeasure Database - (3)
Security Aspect
  • Hardware
  • Software
  • Communications
  • Procedural
  • Physical
  • Personnel
  • Environmental

67
CRAMM Countermeasure Database - (4)
Type of Countermeasures
  • Reduce threat
  • Reduce vulnerability
  • Reduce impact
  • Detect
  • Recover

68
Countermeasure Groups
  • Identification and authentication
  • Logical Access Control
  • Accounting
  • Audit
  • Object Reuse
  • System Testing
  • Natural Disaster Protection
  • Power Protection
  • Environmental Protection
  • Personnel
  • Security Education and Training
  • Security Policy
  • Security Infrastructure
  • Incident Handling
  • Compliance Checks
  • Media Controls
  • Physical Media Transportation
  • Recovery Option for Hosts
  • Recovery Options for Network Interfaces
  • Recovery Options for Network Services
  • Recovery Options for Accommodation
  • Recovery Options for Media
  • Business Continuity Planning
  • Back-up data
  • Capacity Planning
  • Equipment Failure Protection
  • Site / Building Physical Security
  • Accommodation Moves
  • Room / Zone Physical Security
  • Theft Protection
  • Physical Equipment Protection
  • Terrorist / Extremist Warnings
  • Delivered Item (DI) Protection

69
Countermeasure Groups - (continued)
  • Improvised Explosive Device (IED) Protection
  • Internal and External Improvised Explosive Device
  • Fire Protection
  • Water Protection
  • Software Integrity
  • Protection against Malicious Software
  • Software Change Controls
  • Software Distribution
  • System Input / Output Controls
  • Network Security Management
  • Non-repudiation
  • Data Confidentiality over Networks
  • Network Access Controls
  • Physical Network Protection
  • Message Security
  • Data Integrity over Network
  • Preservation of Message Sequencing
  • Traffic Padding
  • Operations Controls
  • System Administration Controls
  • Application Development Controls
  • Application Programmer Controls
  • Software Maintenance Controls
  • Hardware Maintenance Controls
  • User Control
  • Application Input / Output Controls
  • Financial Accounting

70
Countermeasure Library - (1)
71
Countermeasure Library - (2)
72
Countermeasure Library - (3)
73
Countermeasure Library - (4)
74
Countermeasure Library - (5)
75
Problems with Stage 3
  • Generates a lot of output
  • Hard to identify installed countermeasures
    - Interviewees' knowledge inadequate
    - Not truly installed
  • Recommended list needs further analysis

76
Typical Timescales - (1)
Assuming:
  • Small: small network, 1 application, single site
  • Medium: mini with 5 applications, single site
  • Large: mainframe, 5 different geographical
    locations

77
Typical Timescales - (2)

Figures (in days) depend on chosen granularity
78
Problems with CRAMM - (1)
  • Does require expert knowledge
  • Time consuming
  • Not very green!
  • Reports need tailoring
  • Movable goalposts
  • Idiots can generate impressive results

79
Problems with CRAMM - (2)
Does not take account of
  • Security policy
  • Existing products
  • Cost of product
  • Organisation culture

80
Avoiding Some Common Pitfalls
  • Don't let CRAMM drive you
  • Identify the right people
  • Obtain useful information
  • Don't get bogged down in detail
  • Identify key equipment
  • Start threats and vulnerabilities early
  • Start countermeasure process early

81
The Strengths of CRAMM
  • Rigorous methodology
  • Applicable to most systems
  • Regularly updated
  • Quality of countermeasure database
  • De facto standard?