Threat and Risk Assessments in a Network Environment Ted Reinhardt Course 94.470 reinhardt@ncf.ca

Threat and Risk Assessment Overview An Evaluation of the Three Little Pigs Performance

Story Refresher Once upon a time there were three little pigs. They went out into the world. There was a big bad wolf who wanted to eat the pigs. The first pig built a house out of straw. The wolf blew down the house and ate the pig. The second pig built a house out of sticks. The wolf blew down the house and ate the second pig. The third pig built a house out of bricks. The wolf tried to blow down the house and the third pig survived.

Asset Value Dwelling Confidentiality, Integrity, Availability and Value

Threat Threat agent Threat Class Wolf f Destruction 25 km/h Blows House Down Threat Event

Threat Classes Destruction - Blows House Down Removal - Steals house by moving it off foundation Disclosure - Listens in to conversations in the house Interruption - Keeps knocking on the door preventing owner from doing work Modification - Redecorates house (like Trading Spaces) DR DIM

Little Pig #1 - Straw House Threat and Risk Assessment

Pig #1 Straw House Performance Evaluation One night the big bad wolf, who dearly loved to eat fat little piggies, came along and saw the first little pig in his house of straw. He said "Let me in, Let me in, little pig or I'll huff and I'll puff and I'll blow your house in!” "Not by the hair of my chinny chin chin", said the little pig. But of course the wolf did blow the house in and ate the first little pig. Threat Assessment was wrong. Likelihood was incorrectly assessed.

Little Pig #3 - Post Straw House Attack Threat Assessment

Safeguards Administrative, Procedural or Technical mechanism used to mitigate a threat. Safeguards Cost to Implement House made of Sticks (wind loading 10 km/h) $2.00/bundle House made of Bricks (wind loading 70 km/h) $1000/pallet

Management Risk Decision accept the risk mitigate the risk Risk Cost Balance is important

Re-evaluate Safeguards Periodically

Identify Threats Events Destruction Removal Disclosure Interruption Modification NETSEC Threat Classes

Typical Threat Events Eavesdropping Traffic Flow Analysis Masquerading Denial of service attacks Repudiation Replay Covert Channel

Select Safeguards Authentication Access Control Confidentiality Integrity Non-repudiation Availability -- redundancy,recovery,disaster

Layer Safeguards Filtering Routers & 2 feeds Web Server using TLS Hardened Server Firewall IPSEC VPN Gateway Firewall Server Network Filter Detection

How do you securely manage all these layers?

Security Continuum Protection Detection Response Recovery

Security Continuum Protection Detection Response Recovery Have a contingency for when things fail!