Security Risk Assessment

Presentation transcript:

Engineering Secure Software: Security Risk Assessment

Why do we study risk?
- Many outcomes are possible, not all are probable
- Enumeration
- Prioritization
- Discussion

Naïve Security Risk Assessment
- The naïve approach
  - Write down your worst fears for the system
  - Try to avoid those things
- Cons
  - Requires a big “bag of tricks”
  - Easily overwhelming for security

What is risk?
- p(occurrence) * impact
- The risk associated with an event is the probability that the event will happen times the impact magnitude of the event
- For the math-oriented… expected value
- Matches how people generally think
  - Low p(occ), high impact … terrorist attacks, struck by lightning
  - High p(occ), low impact … credit card theft, keeping my old truck unlocked

© 2011-2012 Andrew Meneely

What is security risk?
- p(exploit) * value of an asset
- p(exploit): The probability that an exploit will occur on your system
- Asset: A [tangible or intangible] resource of the system that has value in confidentiality, integrity, availability

p(exploit)
- Increased by more vulnerabilities
- Increased by a far-reaching vulnerability
- Increased by discoverable vulnerabilities
  - …although you cannot rely on security through obscurity alone…
- Increased by scope of the project
  - …although sometimes that is unavoidable…
- Other factors that we cannot control
  - Market share → exposure
  - New malicious actors (e.g. activism spike)
  - Many, many other factors that we must ignore for the sake of simplicity
- Thus, we generally assume p(vulnerability) is proportional to p(exploit)

Assets
- Every software system has assets
  - Domain-specific, e.g. patient records
  - Domain-independent, e.g. passwords
  - Intangible properties, e.g. availability
- These can be identified at the requirements and design stages
- Assets exist in the deployed system, so source code is not (necessarily) an asset

Places where assets live
- Database tables
- Logs
- User-supplied data
- Sandboxing features
- Configuration files
- Built-in examples
- Configuration consoles
- Network traffic
- File systems
- Cookies
- Security feature inputs
- User interfaces

Risk Assessment in Process
From: http://www.cigital.com/papers/download/bsi3-risk.pdf

The Planning > The Plan
- One of the most important elements of risk analysis is the process itself
  - Discussions that are brought up
  - Fighting over the mitigation strategies
- Communication is very important at this stage
- Assessing the change in risk is more sound than the final numbers
  - New assets?
  - Increased p(exploit)?

Abuse Cases vs. Risk Assessment

Abuse & Misuse Cases
- Involves planning
- Potentially infinite
- Emphasize domain
- Scenario-driven
- Originates from abusing functionality
- What if?

Risk Assessment
- Involves planning
- Potentially infinite
- Emphasize all risks
- Quantitative
- Originates from CIA, assets, p(exploit)
- What might?

Protection Poker
- A combination of product & process risk
- Trace stories to assets
- Quantify the risk for prioritization
  - Ease of attack
  - Value of the asset
- Discuss the elements of the risk
- Originally designed for agile processes
  - Assumes we are in a sprint
  - Not comprehensive, but just-in-time

Story Points Estimation
- In PP, we use story points
  - Dimensionless (unit-less)
  - Should not translate to hours, effort, etc.
- Limited to a few choices
  - Why argue over 51 vs. 50?
- Exponential in scale (~Fibonacci)
- Ease of attack ~ p(vulnerability)

Protection Poker in Action
- Identify some assets
- Calibrate your asset values
- Calibrate your ease of attack
- For each item
  - Trace the item to the assets affected
  - Vote on affected asset values, as needed
  - Vote on ease of attack
- Examine two rankings
  - Ease*Max(value)
  - Ease*Sum(value)
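
The Protection Poker steps above, worked through as an added example (not part of the original slides). The deck values, asset values, items and votes are all constructed assumptions; each vote stands for the value the team agreed on after discussion.

```python
"""Protection Poker scoring: added illustration with constructed data."""

# Assumed deck: a few ~Fibonacci choices, so nobody argues over 51 vs. 50.
DECK = (1, 2, 3, 5, 8, 13, 20, 40, 100)

# Calibrated asset values agreed by the team (constructed).
ASSET_VALUES = {"patient records": 100, "passwords": 40,
                "session cookies": 20, "audit logs": 13, "availability": 8}

# (item, agreed ease-of-attack vote, assets the item touches) - constructed.
ITEMS = [
    ("Export patient record as PDF", 8, ["patient records"]),
    ("Password reset by e-mail", 13,
     ["passwords", "session cookies", "audit logs"]),
    ("Admin configuration console", 3,
     ["patient records", "passwords", "audit logs", "availability"]),
    ("Public appointment search", 20, ["availability", "audit logs"]),
]


def score(item, asset_values=ASSET_VALUES):
    """Return both risk scores for one item; reject votes that are off the deck."""
    name, ease, assets = item
    values = [asset_values[a] for a in assets]  # KeyError: asset never calibrated
    for vote in [ease, *values]:
        if vote not in DECK:
            raise ValueError(f"{name}: vote {vote} is not on the deck")
    return {"item": name,
            "max_risk": ease * max(values, default=0),  # Ease*Max(value)
            "sum_risk": ease * sum(values)}             # Ease*Sum(value)


def ranking(items, key):
    """Item names ordered from highest to lowest risk under the given score."""
    scored = [score(i) for i in items]
    return [s["item"] for s in sorted(scored, key=lambda s: s[key], reverse=True)]


if __name__ == "__main__":
    for key in ("max_risk", "sum_risk"):
        print(key, ranking(ITEMS, key))
```

With this data the two rankings disagree on the top item: Ease*Max(value) puts the PDF export first because it touches the single most valuable asset, while Ease*Sum(value) puts the password reset first because it is easier to attack and touches three assets.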