Understand mechanisms to control organisational IT security

Understand mechanisms to control organisational IT security. Unit 48: I.T. Security Management, HND in Computing and Systems Development.

Understand mechanisms to control organisational IT security
- Risk assessment
- Data protection
- Physical security

Information Security Risk
Information security risk analysis (or risk assessment) is fundamental to the security of any organisation. The security of any system should be commensurate with the risks to that system. Determining which security controls are appropriate and cost-effective is often complex and sometimes a subjective matter, but it is essential to ensure that both the controls and the expenditure on them are fully commensurate with the risks to which the organisation is exposed: spending on controls that address no real risk is as much a failure of the process as leaving a real risk untreated.

Questions to ask!
- What are the resources that need protecting?
- What is the value of those resources, monetary or otherwise?
- What are all the possible threats that those resources face?
- What is the likelihood of those threats being realised?
- What would be the impact of those threats if they were realised?

Information Asset Definition
Information assets are the resources of a computing system whose compromise would expose sensitive, undisclosed system information to a threat agent (or otherwise cause the organisation loss). They include physical assets, hardware, software, data, communications, administrative procedures and personnel.

Defining Risk
The term risk describes the possibility that a threat exploits a vulnerability in an asset, together with the resulting impact on the organisation.

Risk Management
- Risk management
  - Risk assessment: identify and analyse risks
  - Risk control: reduce risks, provide contingency

Defining Risk Management
Risk management is the process of:
- establishing and maintaining information system security within an organisation;
- identifying and managing opportunities and threats.

Risk Management Approaches
Quantitative approach
- employs two fundamental elements: the probability of an event occurring, and the likely loss should it occur
- requires probabilities, which are rarely precise, so the resulting figures may be unreliable and inaccurate
- a time-consuming and expensive exercise
Qualitative approach
- the most widely used approach to risk analysis (e.g. the COBRA method)
- sidesteps the need for numeric probabilities, so it avoids spurious precision
- uses the interrelated elements of threats, vulnerabilities and controls
- based on expert knowledge
- parameters are rated high, medium or low (three possibilities)
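The quantitative approach above is easiest to see with numbers. The following is an added example, not code from the original slides: it implements the two elements the slide names (probability of an event, likely loss if it occurs) using the standard single loss expectancy / annual rate of occurrence / annualised loss expectancy formulation, then uses the result to test whether a proposed control is cost-effective (a control is justified when the reduction in expected annual loss exceeds its annual cost). The asset values, probabilities and control costs are constructed for illustration, and the final function shows the slide's caveat that imprecise probabilities make the answer unreliable.

```python
"""Quantitative risk assessment: annualised loss expectancy and control cost-benefit.

Added example, not from the original slides. Asset values, probabilities and
control costs are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the asset (replacement or business value), currency units
    exposure_factor: float  # fraction of the asset value lost in one incident, 0..1
    aro: float              # annual rate of occurrence: expected incidents per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor: the loss from one occurrence."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie in [0, 1]")
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: probability-weighted loss per year (the slide's two elements)."""
    return single_loss_expectancy(s) * s.aro


def control_value(s: Scenario, control_cost: float, new_aro: float,
                  new_ef: Optional[float] = None) -> float:
    """Net annual benefit of a control: ALE before - ALE after - annual control cost.

    A control may reduce likelihood (new_aro), impact (new_ef) or both.
    A positive result means the control is cost-effective on the estimates given.
    """
    after = Scenario(s.name, s.asset_value,
                     s.exposure_factor if new_ef is None else new_ef, new_aro)
    return annualised_loss_expectancy(s) - annualised_loss_expectancy(after) - control_cost


def ale_sensitivity(s: Scenario, aro_low: float, aro_high: float) -> Tuple[float, float]:
    """ALE for a range of ARO estimates: how an imprecise probability propagates."""
    lo = Scenario(s.name, s.asset_value, s.exposure_factor, aro_low)
    hi = Scenario(s.name, s.asset_value, s.exposure_factor, aro_high)
    return annualised_loss_expectancy(lo), annualised_loss_expectancy(hi)


# Constructed scenario: a small business file server holding customer records.
FILE_SERVER = Scenario("customer-data file server",
                       asset_value=80_000.0, exposure_factor=0.5, aro=0.2)

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(FILE_SERVER):,.0f}")
    print(f"ALE = {annualised_loss_expectancy(FILE_SERVER):,.0f}")
    # Offline backups (constructed cost 1,500/yr): impact falls from 50% to 10% of asset value.
    print(f"backups, net value = {control_value(FILE_SERVER, 1_500.0, new_aro=0.2, new_ef=0.1):,.0f}")
    # An expensive control that only trims likelihood: not justified on these numbers.
    print(f"expensive control, net value = {control_value(FILE_SERVER, 10_000.0, new_aro=0.15):,.0f}")
    # If the true ARO is anywhere between 0.05 and 0.5, the ALE spans a tenfold range.
    print("ALE range for ARO 0.05..0.5:", ale_sensitivity(FILE_SERVER, 0.05, 0.5))
```

The sensitivity function is the practical point: with the same asset and the same impact, moving the annual probability from 0.05 to 0.5 moves the expected annual loss from 2,000 to 20,000, which is why the slide warns that quantitative results can be unreliable when the probabilities behind them are guesses.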

Problems of Measuring Risk
Businesses wish to measure in money, but many of the quantities involved do not permit this:
- Valuation of assets
  - value of data and in-house software: no market value
  - value of goodwill and customer confidence
- Likelihood of threats
  - how relevant is past data to the calculation of future probabilities?
  - the nature of future attacks is unpredictable
  - the actions of future attackers are unpredictable
- Measurement of the benefit from security measures

Risk vs Threat
- Reference point: for risk you examine the system; for threat you examine the environment around it.
- Impact: a major threat may, in the context of the business, correspond to only a minor risk.
- Relationship: risks and threats do not have a one-to-one relationship. Some threats contribute to more than one risk, and some risks have properties that are not directly related to individual threats.

Risk Analysis Steps
1. Decide on the scope of the analysis: set the system boundary
2. Identify assets and business processes
3. Identify threats and value their impact on assets
4. Identify and assess vulnerabilities to those threats
5. Risk assessment

1. Risk Analysis: Defining the Scope
- Draw a context diagram
- Decide on the boundary; it will rarely be the computer!
- Make explicit assumptions about the security of neighbouring domains
- Verify them!

2. Risk Analysis: Identification of Assets
- Hardware
- Software: purchased or developed programs
- Data
- Users
- Documentation: manuals, admin procedures
- Supplies: paper, printer cartridges, pens, etc.
- Money
- Intangibles: goodwill, reputation

3. Risk Analysis: Impact Valuation
Identification and valuation of threats to assets.
- Identify threats, e.g. for stored data:
  - loss of confidentiality
  - loss of integrity
  - loss of completeness
  - loss of availability (denial of service)
- For many asset types the only threat is loss of availability
- Assess the impact of each threat in levels, e.g. H-M-L
- This gives the valuation of the asset in the face of the threat

4. Risk Analysis: Process Analysis
Every company or organisation has some processes that are critical to its operation, and the criticality of a process may increase the impact valuation of one or more of the assets identified. So:
- Identify critical processes
- Review the assets needed for critical processes
- Revise the impact valuation of these assets

5. Risk Analysis: Vulnerabilities 1
Identify vulnerabilities against a baseline system.
- For risk analysis of an existing system: the existing system with its known security measures and weaknesses
- For development of a new system:
  - the security facilities of the envisaged software, e.g. Windows NT
  - standard good practice, e.g. the BS 7799 recommendations (since superseded by ISO/IEC 27002)

5. Risk Analysis: Vulnerabilities 2
For each threat, identify vulnerabilities and assess how likely the threat is to exploit them successfully. Assess two levels of likelihood, High, Medium or Low:
- Likelihood of an attempt: expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
- Likelihood that an attempt exploits the vulnerability successfully
Combine the two to give the overall likelihood.

6. Risk Assessment and Response
You should now have all the information needed to produce the risk assessment. Responses to a risk:
- Avoid it completely by withdrawing from an activity
- Accept it and do nothing
- Reduce it with security measures

Example Asset: Risk Impact Estimates
Internal mailbox of Bill Gates:
- Risk of loss: medium impact
- Risk of access by staff: high impact
- Risk of access by the press: catastrophic impact
- Risk of access by a competitor: high impact
- Risk of temporary loss of access by Bill: low impact
- Risk of change of content: medium impact

Some examples of UK real-life risks
Chances that your death will be by:
- being shot by a stranger: 1 in 22,500
- drowning in the bath: 1 in 17,500
- plane crash: 1 in 800,000
- car accident: 1 in 300
- suicide: 1 in 160
- accidental fall: 1 in 150
- cancer: 1 in 4
This year in England and Wales:
- 130,000 will die of heart disease
- 24 due to adverse weather conditions
- 1 from lightning

Risk assessment - Task Based on a case-study of a very small business

Risk ratings
Some useful (?) principles, using qualitative terms:
- Nothing has a higher risk rating than its impact: if something does not have a huge impact, it is not a huge risk
- Anything that has a high impact must be at least a medium risk
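The slides above leave two things to the reader: how to "combine" the likelihood of an attempt with the likelihood of successful exploitation (step 5, Vulnerabilities 2), and how impact and likelihood turn into a risk rating that obeys the two principles just stated. The following is an added example, not the slides' own matrix: the combination rule (an attack needs both an attempt and a success, so take the weaker of the two) and the lookup matrix are one reasonable encoding chosen here, and the check at the end verifies that every cell of the matrix satisfies both principles.

```python
"""Qualitative risk rating: combine attempt and success likelihoods, then map
impact x likelihood to a risk level that respects the slide's two principles.

Added example, not from the original slides. The combination rule and matrix
are assumptions made here for illustration.
"""
from enum import IntEnum
from itertools import product


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def combine_likelihood(attempt: Level, success: Level) -> Level:
    """Overall likelihood that the threat is realised.

    An attack needs both an attempt and a successful exploit, so the overall
    likelihood cannot exceed either factor: take the minimum. (Assumption; the
    slides only say "combine them".)
    """
    return Level(min(attempt, success))


# Risk matrix: outer key = impact, inner key = likelihood.
RISK_MATRIX = {
    Level.LOW:    {Level.LOW: Level.LOW,    Level.MEDIUM: Level.LOW,    Level.HIGH: Level.LOW},
    Level.MEDIUM: {Level.LOW: Level.LOW,    Level.MEDIUM: Level.MEDIUM, Level.HIGH: Level.MEDIUM},
    Level.HIGH:   {Level.LOW: Level.MEDIUM, Level.MEDIUM: Level.HIGH,   Level.HIGH: Level.HIGH},
}


def risk_rating(impact: Level, likelihood: Level) -> Level:
    return RISK_MATRIX[impact][likelihood]


def rate_threat(impact: Level, attempt: Level, success: Level) -> Level:
    """Full pipeline: two likelihoods -> combined likelihood -> risk rating."""
    return risk_rating(impact, combine_likelihood(attempt, success))


def matrix_respects_principles() -> bool:
    """Check the two slide principles for every (impact, likelihood) cell:
    risk never exceeds impact, and high impact gives at least medium risk."""
    for impact, likelihood in product(Level, Level):
        r = risk_rating(impact, likelihood)
        if r > impact:
            return False
        if impact == Level.HIGH and r < Level.MEDIUM:
            return False
    return True


if __name__ == "__main__":
    # Constructed case 1: brute force on a well-chosen encryption key. Attempts are
    # rare because the attack is expensive, success is unlikely, but impact is high.
    print(rate_threat(Level.HIGH, attempt=Level.LOW, success=Level.LOW).name)       # MEDIUM
    # Constructed case 2: phishing for a mailbox. Attempts are common, success is
    # plausible, impact high.
    print(rate_threat(Level.HIGH, attempt=Level.HIGH, success=Level.MEDIUM).name)   # HIGH
    # Constructed case 3: defacement of a throwaway test page. Easy, but low impact.
    print(rate_threat(Level.LOW, attempt=Level.HIGH, success=Level.HIGH).name)      # LOW
    print("matrix respects both principles:", matrix_respects_principles())
```

The first constructed case is the one the slide uses (an expensive brute-force attack): even with a low likelihood of attempt and of success, a high-impact asset cannot drop below medium risk, which is exactly the second principle doing its work. If you edit the matrix to rate that cell LOW, `matrix_respects_principles()` returns False.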

Assessing risk: 2 approaches
- Vulnerability-driven: identify all possible vulnerabilities in the system
- Asset-driven: look at each asset and identify what could threaten the confidentiality, integrity and availability of its data

Assess responses to the risks
- Too much security: very restrictive use, high cost
- Too little security: unrestricted use, low visible cost, high danger
To strike the balance you need to know the value of the information and the value of the processes.

Risk assessment
Risk is assessed from potential loss together with probability of occurrence:
- Potential loss: data, intellectual property, hardware and software
- Probability of occurrence: disaster, theft, staff responsibilities
"Impact measures the level of 'pain' to the organization." "Likelihood measures the probability of feeling the impact."
Kimmelman, Jeff. "Risk Assessment and Management." April 17, 2002. URL: http://www.issa-ne.org/documents/IT_Risk_Assessment_Methodology%20.pdf (September 6, 2003) (now 404), quoted in file:///S:/HNDUnits/Unit%2048%20I.T.%20Security%20Management/REsources/case-study-risk-audit-small-business-1243complete.pdf (19th October 2015)

Possible responses
- Ignore: accept the risk and focus on other things
  - very low risks
  - risks which are beyond any reasonable counter-measure
- Mitigate: reduce impact, reduce likelihood, or reduce both
- Transfer: e.g. insurance
- Avoid: don't do the activity!
Some counter-measures may be effective against multiple potential threats.

Risk assessment - Task
Read: A Risk Audit of a Very Small Business. Respond to the task brief by writing a report which gives your solutions to the following:
- Determine what must be protected (assets)
- Identify and define possible threats to those assets
- Determine and prioritise the risks

Task: report back
- Major findings
- Further information
- Comments
- Did you use the vulnerability-driven or the asset-driven approach to assess the risks?

Read the rest of the case study, including the appendices.
Task: add to your report.
- Do you agree with the recommendations the author makes?
- This was written in 2003; what would be different about this business today? What implications would that have for security?
- This business is based in the US. What difference would it make if it were based in the UK?