Georgia Institute of Technology
Assessing Damages of Information Security Incidents and Selecting Control Measures, a Case Study Approach
Fariborz Farahmand, Shamkant B. Navathe, Gunter Sharp, Philip H. Enslow
Georgia Institute of Technology, June 2004

Good afternoon! Thank you for being here and for your interest in developing a risk management system for information system security incidents.

Introduction

Stages of the case study:
1- Identifying sources of information
2- Developing the questionnaire
3- Analyzing/evaluating the usefulness of answers
4- Testing and confirming the results in a second round

Six information security experts from:
1- Consumer advertising services
2- Public domain law enforcement agencies
3- Information security consulting services
4- Network service providers
5- Online payment services
6- Public educational services

Round I: 4 experts
Round II: 2 experts who participated in Round I + 1 external expert

In part 7 of this presentation I discuss my case study. The task was done in the four stages above, and the six distinguished experts listed carried out this important part of the research in two rounds.

Case Studies: Round I

Summary of answers to the 13 questions:
- All respondents listed disclosure and theft of proprietary information as a major threat.
- Viruses, denial of service, disgruntled employees, improper password security and hardware failures were also mentioned as threats.
- Experience in their organizations: zero to one major attack per month, and an average of one intrusion every six months.
- All respondents expect at least one major attack during the coming 12-24 months.
- The damage of such an attack would depend first on the publicity the attack receives, and second on the costs of system downtime, notification, consulting and re-design.

Case Studies: Round I

Summary of answers (cont.):
- Unauthorized users, acting through software techniques, were identified as the source of the most important threats to an organization.
- Most respondents could not describe exactly what control measures they had in place. Some listed virus scanners and passwords, and firewalls and IDS systems against break-ins.
- Background checks were mentioned as a control measure that does not fall into the categories of our model.
- All respondents named access control as the most effective control measure against threats.
- Except for one, who estimated an overall effectiveness of 70% for the control measures, the respondents were not able to evaluate the effectiveness of their control measures.

Case Studies: Round I

Summary of answers (cont.):
- Dissatisfaction of users with passwords and authentication, and a 25 second tolerance by users for completing a transaction, were reported.
- All respondents emphasized the need for a formal methodology for evaluating intangible damages.
- Only one respondent provided an approach for evaluating damage to reputation: "We spend XX dollars to advertise our brand. If it is damaged then we need to spend YY additional to bring the image back to where it was. Therefore the cost of the attack was equal to the cost of the additional advertising. To this should be added man-power and the cost of managing the incident."

Case Studies: Round I

Summary of answers (cont.):
- Most respondents were interested in transferring risks to insurance companies, but they had concerns about the lack of formal methods for damage assessment, deductibles, covered items and, above all, confusing policies.

Case Studies: Round II

Summary of results:
- All respondents agreed with the following ranking of the three most important threats to information systems, in order of importance, both for their own organization and for companies utilizing electronic access in general:
1- Theft of proprietary/disclosure of information
2- Virus/worm attacks
3- Denial of service attacks
- Sample comment by an expert: "I agree, number one (meaning disclosure of information) could be very costly to a business, while two and three (meaning virus and DoS attacks) can be managed to a degree."
- A major concern about potential threats from insiders was also identified. This is consistent with the CSI/FBI annual reports.

Case Studies: Round II

Summary of results (cont.):
- The frequency of theft of proprietary/disclosure of information was estimated at more than once a year. The main reason these attacks have not received great attention, despite their importance, is that under several circumstances companies do not give publicity to such intrusions.
- Virus attacks are expected by the respondents on a daily basis.
- Sample comment by an expert: "I think you are correct in your response, only because this is about how often the above incidents are reported. The first incident (meaning disclosure of information) is very rarely reported, while the second is known due to the publicity that is reported throughout the industry. As to a DoS attack, with better security and equipment, we don't hear from the victims as much as we used to. This may also be due to the fact that Internet providers are more proactive in stopping DoS attacks."

Case Studies: Round II

Summary of results (cont.):
The following were approved as effective control measures.
For the theft of proprietary/disclosure of information threat:
1- Perimeter router
2- Multiple intrusion detection systems
3- Access control
4- Firewall
5- Syslog
(Encryption, IDS, separation of duties and web content filtering were also suggested by some respondents.)

Case Studies: Round II

Summary of results (cont.):
For virus attacks:
1- Access control
2- Virus scanner
(Inline IDS was also recommended.)
For denial of service:
1- Access control
2- Firewall
3- Proactive methods such as application software
(An application firewall running alongside the perimeter routers, border routers and bandwidth shapers were also suggested by some respondents.)

Case Studies: Round II

Summary of results (cont.):
- The results also indicate that stronger control measures can cause dissatisfaction on the part of clients, and that the maximum response time to a mouse click should be less than 25 seconds.
- Sample comment by an expert: "I agree 100 percent; the stronger the control measures, the more dissatisfied the client. People are very impatient, and their time is very valuable. Clients' days are very busy and complicated, and in order to generate a good work product, they cannot be frustrated by security controls that have been put in place. Installing complicated security measures slows down the system and distracts the client. As to a reasonable time, I do not know, but we both know the faster the better."

I argue that stronger control measures can cause dissatisfaction on the part of clients and that the maximum response time to a mouse click should be less than 25 seconds. I recommend "good-enough security" instead of just stronger security.

Future Work
- Introducing the level of countermeasure (L), effectiveness (E) and cost (C) as components of each countermeasure, and introducing them into our 5-stage risk analysis system.
- A tradeoff analysis between the cost of security measures and the incident rate, with reliability as a measure of safety. A multi-objective optimization approach could be used here to find the Pareto set of solutions.
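As an added example (not part of the original presentation and not the authors' risk analysis system), the following Python computes the Pareto set of control-measure bundles that the tradeoff analysis above calls for, over a small constructed catalogue of measures. Each measure carries the level (L), effectiveness (E) and cost (C) named on the slide; only E and C enter the optimization here, and effectiveness is combined across a bundle under an independence assumption (residual rate = baseline × Π(1 − E_i)) that is this example's own. The names, effectiveness values, costs and baseline incident rate are all constructed for illustration.

```python
"""Pareto set of control-measure bundles over (cost, expected incident rate).

Added example: not from the original presentation. All figures below are
constructed, and the independence rule for combining effectiveness values
is an assumption of this example, not a result of the case study.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    level: int            # L: deployment level (1 = basic, 3 = hardened); carried along, not optimized here
    effectiveness: float  # E: fraction of threat events the control stops, in [0, 1]
    cost: float           # C: annualized cost in arbitrary currency units


# Constructed sample catalogue (not from the study).
CONTROLS = (
    Control("access control", 2, 0.50, 20.0),
    Control("firewall", 1, 0.30, 10.0),
    Control("ids", 2, 0.20, 15.0),
    Control("virus scanner", 1, 0.40, 8.0),
)

# Constructed baseline: expected incidents per year with no controls in place.
BASELINE_RATE = 2.0


def residual_rate(bundle, baseline=BASELINE_RATE):
    """Expected incident rate after applying a bundle of controls.

    Assumes the controls act independently, so the fraction of events that
    get past all of them is the product of (1 - E_i).
    """
    rate = baseline
    for control in bundle:
        rate *= 1.0 - control.effectiveness
    return rate


def bundle_cost(bundle):
    """Total cost C of a bundle (sum of the member costs)."""
    return sum(control.cost for control in bundle)


def all_bundles(controls):
    """Every subset of the catalogue, including the empty bundle (do nothing)."""
    for size in range(len(controls) + 1):
        for combo in combinations(controls, size):
            yield combo


def dominates(a, b):
    """True if point a=(cost, rate) is no worse than b in both objectives
    and strictly better in at least one (both objectives are minimized)."""
    no_worse = a[0] <= b[0] and a[1] <= b[1]
    strictly_better = a[0] < b[0] or a[1] < b[1]
    return no_worse and strictly_better


def pareto_set(controls=CONTROLS, baseline=BASELINE_RATE):
    """Return the non-dominated bundles as (names, cost, rate), sorted by cost."""
    points = [
        (tuple(c.name for c in b), bundle_cost(b), residual_rate(b, baseline))
        for b in all_bundles(controls)
    ]
    frontier = [
        p for p in points
        if not any(dominates((q[1], q[2]), (p[1], p[2])) for q in points if q is not p)
    ]
    frontier.sort(key=lambda p: (p[1], p[2]))
    return frontier


def cheapest_under(max_rate, controls=CONTROLS, baseline=BASELINE_RATE):
    """Cheapest Pareto-optimal bundle whose expected incident rate is at most max_rate.

    Returns None if no bundle in the catalogue reaches the target.
    """
    for names, cost, rate in pareto_set(controls, baseline):
        if rate <= max_rate:
            return names, cost, rate
    return None


if __name__ == "__main__":
    for names, cost, rate in pareto_set():
        print(f"cost={cost:6.1f}  incidents/yr={rate:.3f}  bundle={names or ('none',)}")
    print("cheapest bundle at <= 1.0 incidents/yr:", cheapest_under(1.0))
```

Two points a practitioner would want to keep in mind when reusing this: the frontier includes the empty bundle (accepting the baseline rate at zero cost), which makes the "do nothing" option explicit rather than hidden; and the independence rule overstates the benefit of stacking controls that stop the same class of event (a firewall and a perimeter router against the same DoS traffic), so E values for overlapping controls should be adjusted, or the combination rule replaced, before the numbers are trusted.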