Title: Slide 1
Department of Sciences, Università degli Studi G. d'Annunzio, Pescara
PhD programme in Sciences, XXI cycle, annual review, academic year 2007/2008
Pamela Peretti
Supervisor: Prof. Stefano Bistarelli
My PhD thesis
Department of Sciences - 16 June 2015
- Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
Terminology
- An asset is any tangible or intangible item owned
by an organization that has a value for an
enterprise and that needs protection.
Terminology
- Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.
Terminology
- The absence or the weakness of a countermeasure or safeguard is a vulnerability.
- An attack is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets.
Terminology
- Exposure is being susceptible to asset loss because of an attack: there is the possibility that a vulnerability can or will be exploited by an attacker or event.
Terminology
- Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
Terminology
- A countermeasure is anything that removes a vulnerability or protects against one or more specific attacks.
Assessment methodology
- Identify the asset
- Identify the possible threats
- Identify the possible countermeasures
- Select the appropriate countermeasures
- Quantitative approaches
  - Assign absolute numeric attribute values to assets, threats, vulnerabilities and countermeasures.
- Qualitative approaches
  - Qualitative risk analysis is a scenario-based approach. You rank threats on a scale to evaluate their risks, costs, and effects. Instruments: brainstorming, Delphi technique, focus groups, surveys, questionnaires, checklists and interviews.
Quantitative approaches
- The Asset Value (AV) is a synthetic measure of the cost of creation, development, support, replacement and ownership value of an asset.
Quantitative approaches
- Calculate the EF and the SLE
- Calculate the ARO
- Calculate the ALE
The Exposure Factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by an attack. The Single Loss Exposure (SLE) represents a measure of an organization's loss from a single threat against a specific asset and can be computed by using the following formula
Quantitative approaches
The Annualized Rate of Occurrence (ARO) is the expected frequency with which a specific threat or attack will occur within a single year. The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an organization which can be ascribed to a threat and can be computed by using the following formula
Quantitative approaches
- Evaluate the RM and the CSI
The Risk Mitigated by a countermeasure (RM) represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability. It is a numeric value between 0 and 1. The Cost of a Security Investment (CSI) is the cost that an organization must face for implementing a given countermeasure.
Quantitative approaches
Given an attack a and a countermeasure c which is able to mitigate a, the Return on Investment (ROI) is the benefit that a defender of an IT system expects from the introduction of c into the system over the costs for implementing that countermeasure.
Quantitative approaches
- Calculate the ROI
- Calculate the ROA
The Return on Attack (ROA) is the gain that an attacker expects from a successful attack a over the costs he sustains due to the adoption of a countermeasure c by its target.
where GI is the expected gain of the attack, GI × RMc is the lost profit produced by c and cost_a is the cost associated to an attack strategy a.
Qualitative approaches
- Qualitative risk analysis is a scenario-based approach.
- A scenario is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects it could have on the organization, the IT infrastructure, and specific assets.
A security scenario
- Disclosure of confidential information
- Interruption of service
- Loss of data
Defence trees
- Defence trees are an extension of attack trees [Schneier00].
- Attack tree
  - the root is an asset of an IT system
  - paths from a leaf to the root represent attacks to the asset
  - the non-leaf nodes can be
    - and-nodes
    - or-nodes
- Defence tree
  - attack tree
  - a set of countermeasures
Defence trees
Steal data stored in a server
Quantitative evaluation
- An economic evaluation of threats
- Considering multiple attacks and countermeasures
- Combining the defender's and the attacker's points of view
- Three novel indexes
  - The Exposure Factor during Critical Time
  - The Exposure Factor under Retaliation
  - The Risk Mitigated against Collusion
- Interaction between attackers and defender
  - Defence tree as strategic game
  - Using economic indexes as payoffs
An economic evaluation of threats
- The Return on Investment (ROI)
- The Return on Attack (ROA)
Multiple attacks and countermeasures
Three novel indexes
Strategic game
- We consider a strategic game:
  - 2 players: the defender and the attacker of a system.
  - Sd: the set of defender's strategies (the countermeasures)
  - Sa: the set of attacker's strategies (the vulnerabilities)
  - ROI and ROA: payoff functions for the defender and the attacker
[Figure: attacks a1, a2 and countermeasures c1, c2, c3, with the payoff pairs (Ud, Ua) of the defender and the attacker]
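Added example (not the thesis's own code): the indexes defined on the previous slides computed over a constructed defence tree and used as payoffs of the strategic game, with the defender choosing among countermeasures by ROI and the attacker among attacks by ROA, and a function that finds the pure-strategy Nash equilibria. SLE = AV × EF and ALE = SLE × ARO are the standard formulas; ROI = (ALE × RM − CSI) / CSI and ROA = (GI − GI × RM) / cost_a are assumed from Bistarelli et al.'s defence-tree indexes, since the slides give them only in words; all numbers are invented.

```python
from dataclasses import dataclass, field

# Constructed example data (invented numbers): a server asset, two attacks on it
# and three candidate countermeasures of a small defence tree.
AV = 100_000.0  # Asset Value of the server

@dataclass
class Attack:
    name: str
    ef: float    # Exposure Factor: fraction of AV lost if the attack succeeds
    aro: float   # Annualized Rate of Occurrence
    gi: float    # GI, the attacker's expected gain from a successful attack
    cost: float  # cost_a of the attack strategy

@dataclass
class Countermeasure:
    name: str
    csi: float                              # Cost of the Security Investment
    rm: dict = field(default_factory=dict)  # Risk Mitigated per attack, in [0, 1]

def sle(av, atk):   # Single Loss Exposure = AV x EF (standard formula)
    return av * atk.ef

def ale(av, atk):   # Annualized Loss Expectancy = SLE x ARO (standard formula)
    return sle(av, atk) * atk.aro

def roi(av, atk, cm):   # defender's payoff, assumed form: (ALE x RM - CSI) / CSI
    return (ale(av, atk) * cm.rm.get(atk.name, 0.0) - cm.csi) / cm.csi

def roa(atk, cm):       # attacker's payoff, assumed form: (GI - GI x RM) / cost_a
    return (atk.gi - atk.gi * cm.rm.get(atk.name, 0.0)) / atk.cost

ATTACKS = [Attack("steal_data", 0.5, 0.2, 50_000, 2_000),
           Attack("dos", 0.3, 0.5, 10_000, 1_000)]
CMS = [Countermeasure("encrypt_storage", 2_000, {"steal_data": 0.7, "dos": 0.3}),
       Countermeasure("ids", 5_000, {"steal_data": 0.5, "dos": 0.9}),
       Countermeasure("backup", 1_000, {"steal_data": 0.3, "dos": 0.4})]

def pure_nash_equilibria(av=AV, attacks=ATTACKS, cms=CMS):
    """Profiles (c, a) with c the defender's best reply to a (max ROI) and a the
    attacker's best reply to c (max ROA): Sd = cms, Sa = attacks."""
    best_cm = {a.name: max(cms, key=lambda c: roi(av, a, c)).name for a in attacks}
    best_atk = {c.name: max(attacks, key=lambda a: roa(a, c)).name for c in cms}
    return [(c.name, a.name) for c in cms for a in attacks
            if best_cm[a.name] == c.name and best_atk[c.name] == a.name]

if __name__ == "__main__":
    for c in CMS:  # one payoff-matrix row per countermeasure: (attack, ROI, ROA)
        print(c.name, [(a.name, round(roi(AV, a, c), 2), round(roa(a, c), 2))
                       for a in ATTACKS])
    print("pure Nash equilibria:", pure_nash_equilibria())
```

With these numbers "steal_data" dominates for the attacker against every countermeasure, so the only equilibrium is the defender investing in encrypt_storage against it; changing the ROA inputs can remove every pure equilibrium, which is the case where the game has only mixed solutions.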
Strategic game example
Selection of a single countermeasure/attack
The set of strategies for the defender and the attacker is composed of a single action.
Qualitative evaluation
- Cp-defence trees
  - AND-composition of preference
  - OR-composition of preference
- Translation of AND/OR attacks into ASO programs
  - AND attacks
  - OR attacks
Cp-defence trees
CP-nets [Boutilier99] are a graphical formalism to specify and represent conditional preference relations.
A Cp-defence tree is a defence tree enriched with conditional preferences over attacks and countermeasures.
a2 ≻ a1 ≻ a6 ≻ a5 ≻ a3 ≻ a4
a1: c1 ≻ c2 ≻ c3
a2: c5 ≻ c3 ≻ c4
a3: c6 ≻ c7
a4: c8 ≻ c9
a5: c11 ≻ c10
a6: c13 ≻ c12
AND-composition of preference
- An and-attack is an attack composed of a set of actions that an attacker has to successfully achieve to obtain his goal.
A = {x, y, z}, C = {a, b, c}
and-composition:
x: a ≻ b ≻ c
y: b ≻ c
z: a ≻ b
x ∧ y ∧ z: a ≻ b ≻ c
AND-composition of preference
- An and-attack is an attack composed of a set of actions that an attacker has to successfully achieve to obtain his goal.
A = {x, y}, C = {a, b, c, d}
and-composition:
x: a ≻ b
y: c ≻ d
x  y
x ∧ y: c ≻ d ≻ a ≻ b
OR-composition of preference
- An or-attack is an attack composed of different and alternative actions that an attacker has to successfully achieve to obtain his goal.
A = {x, y, z}, C = {a, b, c}
x: a ≻ b ≻ c
y: c ≻ a
z: a ≻ b
or-composition of x ∨ y ∨ z:
⟨a,a,a⟩, ⟨a,a,b⟩, ⟨a,c,a⟩, ⟨a,c,b⟩, ⟨b,a,a⟩, ⟨b,a,b⟩, ⟨b,c,a⟩, ⟨b,c,b⟩, ⟨c,a,a⟩, ⟨c,a,b⟩, ⟨c,c,a⟩, ⟨c,c,b⟩
{a}, {a,b}, {a,c}, {b,c}, {a,b,c}
Translation of AND-attacks
AND
Pand = {r1, r2} ∪ Px ∪ Py
r1: root ←
r2: x ∨ y ← root
Px = {rx1: x ←, rx2: a ∨ b ∨ c ← x, Φx1: a > b > c ← x}
Py = {ry1: y ←, ry2: a ∨ b ← y, Φy1: a > b ← y}
The optimal answer set associated to ⟨Pand, Φ⟩ is the set M4 = {root, x, a}. The preferred set of countermeasures is the set {a}.
Translation of OR-attacks
OR
Por = {r1, r2, r3} ∪ Px ∪ Py
r1: root ←
r2: x ← root
r3: y ← root
Px = {rx1: x ←, rx2: a ∨ b ∨ c ← x, Φx1: a > b > c ← x}
Py = {ry1: y ←, ry2: a ∨ b ← y, Φy1: a > b ← y}
The optimal answer set associated to ⟨Por, Φ⟩ is M1 = {root, x, y, a}. The preferred set of countermeasures is the set {a}.
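Added example (not the thesis's own code or an ASO solver): the AND/OR translations above checked by brute force. It enumerates the minimal models of the two small disjunctive programs, scores each model against the preference rules Φx1 and Φy1 the way ASO does (degree 1 when a rule's body is false, otherwise the rank of the first satisfied option) and keeps the Pareto-optimal models. It assumes x and y are derived from root by r2/r3 rather than asserted as facts; rule and atom names follow the slides.

```python
from itertools import combinations

# A program rule is (head, body): head atoms form a disjunction, body atoms a
# conjunction. A preference rule is (options, body): options listed best first.

def is_model(m, rules):
    return all(not set(body) <= m or set(head) & m for head, body in rules)

def minimal_models(atoms, rules):
    """Answer sets of the (negation-free) disjunctive program: minimal models."""
    models = [frozenset(s) for n in range(len(atoms) + 1)
              for s in combinations(sorted(atoms), n) if is_model(set(s), rules)]
    return [m for m in models if not any(n < m for n in models)]

def degree(m, pref):
    """ASO satisfaction degree: 1 if the rule is irrelevant, else rank of the
    first option the model satisfies (1 = best)."""
    options, body = pref
    if not set(body) <= m:
        return 1
    return next((i + 1 for i, o in enumerate(options) if o in m), 1)

def optimal_answer_sets(atoms, rules, prefs):
    """Models whose degree vector is not Pareto-dominated by another model's."""
    models = minimal_models(atoms, rules)
    vec = {m: tuple(degree(m, p) for p in prefs) for m in models}
    def dominated(m):
        return any(all(x <= y for x, y in zip(vec[n], vec[m])) and vec[n] != vec[m]
                   for n in models)
    return [m for m in models if not dominated(m)]

# Constructed instance following the slides: attacks x, y; countermeasures a, b, c.
ATOMS = {"root", "x", "y", "a", "b", "c"}
COUNTERMEASURES = {"a", "b", "c"}
P_X = [(["a", "b", "c"], ["x"])]   # rx2: a ∨ b ∨ c ← x
P_Y = [(["a", "b"], ["y"])]        # ry2: a ∨ b ← y
PREFS = [(["a", "b", "c"], ["x"]), (["a", "b"], ["y"])]   # Φx1, Φy1
# AND-attack: countering one sub-attack is enough (r2: x ∨ y ← root)
P_AND = [(["root"], []), (["x", "y"], ["root"])] + P_X + P_Y
# OR-attack: every alternative must be countered (r2: x ← root, r3: y ← root)
P_OR = [(["root"], []), (["x"], ["root"]), (["y"], ["root"])] + P_X + P_Y

def preferred_countermeasures(program):
    """Countermeasure part of each optimal answer set of the program."""
    return {m & COUNTERMEASURES for m in optimal_answer_sets(ATOMS, program, PREFS)}
```

For the AND program two answer sets tie at degree (1, 1), {root, x, a} and {root, y, a}, so the slide's M4 is one of them; both select the countermeasure set {a}, and the OR program yields the single optimal set {root, x, y, a}.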
ASO and Cp-defence tree
Logic programming:
root ←. a12 ← root. a34 ← root. a56 ← root. a1 ← a12. a2 ← a12. a3 ← a34. a4 ← a34. a5 ∨ a6 ← a56.
c1 ∨ c2 ∨ c3 ← a1. c3 ∨ c4 ∨ c5 ← a2. c6 ∨ c7 ← a3. c8 ∨ c9 ← a4. c10 ∨ c11 ← a5. c12 ∨ c13 ← a6.
Conditional preference rules:
c1 > c2 > c3 ← a1. c5 > c3 > c4 ← a2. c6 > c7 ← a3. c8 > c9 ← a4. c11 > c10 ← a5. c13 > c12 ← a6.
ASO and Cp-defence tree
Logic programming:
root ←. a12 ← root. a34 ← root. a56 ← root. a1 ← a12. a2 ← a12. a3 ← a34. a4 ← a34. a5 ∨ a6 ← a56.
c1 ∨ c2 ∨ c3 ← a1. c3 ∨ c4 ∨ c5 ← a2. c6 ∨ c7 ← a3. c8 ∨ c9 ← a4. c10 ∨ c11 ← a5. c12 ∨ c13 ← a6.
Ranking of preference rules:
Φ1: c5 > c3 > c4 ← a2. Φ2: c1 > c2 > c3 ← a1. Φ3: c13 > c12 ← a6. Φ4: c11 > c10 ← a5. Φ5: c6 > c7 ← a3. Φ6: c8 > c9 ← a4.