Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Unit Outline: Qualitative Risk Analysis
–Module 1: Qualitative Risk Analysis
–Module 2: Determine Assets and Vulnerabilities
–Module 3: Determine Threats and Controls
–Module 4: Matrix Based Approach
–Module 5: Case Study
–Module 6: Summary

Module 2: Determine Assets and Vulnerabilities

Determine Assets and Vulnerabilities: Learning Objectives
Students should be able to:
–Identify tangible and non-tangible assets.
–Understand how to assign value to assets.
–Recognize which questions should be asked.
–Determine vulnerabilities.

Determine Assets: Tangible
Assets are something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business.
–Hardware: processors, boards, monitors, keyboards, terminals, drives, cables, connections, controllers, communications media, etc.
–Software: source programs, object programs, purchased programs, operating systems, systems programs, diagnostic programs, etc.
–Information/Data: data used during execution, stored data on various media, archival records, audit data, files with payment details, voice records, image files, product information, continuity plans.
–Services: provided by the company (e.g. computing and communication services, service providers and utilities).
–Documentation: on programs, hardware, systems, administrative procedures and the entire system; contracts; completed forms.

Determine Assets: Non-Tangible
–People and their knowledge (employees): the integral functions/skills which the employee provides (e.g. technical, operational, marketing, legal, financial, contractors/consultants, outsourced providers).
–Reputation and image: the value attributed to an organization as a result of its general estimation in the public eye (e.g. political standing in the case of government agencies).
–Trust: value consistent with public opinion on the integrity and character of an organization.
–Intellectual property: any product of the human intellect that is unique, novel, and unobvious (and has some value in the marketplace).
Source:

Determine Assets: Valuation
Asset values are used to identify the appropriate protection of assets and to determine the importance of the assets to the business. Values can be expressed in terms of:
–Potential business impacts of a loss of confidentiality, integrity or availability.
–The valuation of some assets differs between small and large organizations.
–Intangible assets are hard to quantify.
–Hidden costs, from the damage itself through to recovery, are often underestimated.
–Borrow valuation methods from litigation.
–Valuation is iterative: revisit the estimates as better ways of valuing the assets are found.

Determine Assets: Valuation, cont'd.
In this step, the ramifications of a computer security failure for the organization are determined. These estimates are often inaccurate:
–The cost of the human capital required to recover from a failure is undervalued, e.g. the cost of restoring data.
–Indirect consequences of an event are unknown until the event actually happens.
–Catastrophic events that cause heavy damage are so infrequent that correct data is unavailable.
–Non-tangible assets are hard to quantify.
The questions on the next slide prompt us to think about the explicit and hidden costs related to security.
–The answers may not produce precise cost figures, but they help identify the sources of the various types of costs.

Determine Assets: Guiding Questions to Reflect on Intangible Assets
–What are the legal obligations in preserving confidentiality or integrity of data?
–What business requirements and agreements cover the situation?
–Could release of a data item cause harm to a person or organization?
–Could unauthorized access to data cause loss of future business opportunity?
–What is the psychological effect of lack of computer service?
–What is the value of access to data or programs?
–What is the value of having access to data or programs to someone else?
–What other problems would arise from loss of data?

Determine Assets: General Example #1: Lemonade Stand
Billy sells lemonade outside of his house every weekend for 3 hours a day. Every week he makes about $40. The wooden stand has a cardboard sign which reads, "Lemonade for SALE, 25 cents each". The supplies he receives from his mother are paper cups and a glass pitcher and a spoon to stir with. For one pitcher of lemonade, he needs 4 lemons, 2 cups of sugar, 1 quart of water, a secret ingredient, and 10 minutes. The special recipe is kept in a small space within the lemonade stand. He has a regular crowd of about 10 neighbors who buy from him because they enjoy the taste of his lemonade and his personality.

Determine Assets: General Example #1: Lemonade Stand, cont'd.
Billy isn't old enough to collect all the data needed for a quantitative valuation. So, based on his business, we have separated out the tangible and the non-tangible assets and asked him to rank them on a scale of 1, 3 or 9: 9 being very important, 3 being somewhat important, and 1 being not really important.

Determine Assets: General Example #1: Lemonade Stand, cont'd.
Listing of Tangible Assets:
–Establishment: lemonade stand
–Advertising: sign
–Supplies: pitcher, paper cups, spoon, lemons, sugar, water, secret ingredient
Listing of Intangible Assets:
–People: Billy, Billy's mother
–Intellectual Property: special recipe
–Trust
–Reputation
–Customer base

Determine Assets: General Example #1: Valuation
For all of the listed assets, Billy gave the following values:
–Lemonade stand (3): Billy spent about two weeks making this lemonade stand out of wood planks and nails.
–Sign (1): The sign was easy to make. In fact, Billy makes a new one out of paper and a marker each day he sells lemonade.
–Pitcher (3): Billy knows his mom spent a lot of money on this pitcher and would be very upset with him if he broke it.
–Paper cups (1): If Billy ran out of paper cups, he knows his mother would have to go get more from the store or he would have to use the plastic cups in the cupboard.

Determine Assets: General Example #1: Valuation, cont'd.
–Spoon (1): Billy likes this spoon because it can easily reach the bottom of the pitcher, but if it was gone he could always use something else.
–Lemons (3): Lemons are important for Billy's lemonade, and his mom would have to go to the store to get more.
–Sugar (3): Sugar is also important for his lemonade, and his mom would have to go to the store to get more. Who likes sour lemonade?
–Water (1): Billy can easily get water from the tap or bottled water from the store.
–Secret ingredient (9): Billy can only get his secret ingredient in one place. If it was gone, his lemonade wouldn't be as good.

Determine Assets: General Example #1: Valuation, cont'd.
–Billy (9): Billy thinks he is very important. Without him there would be no lemonade stand!
–Billy's Mom (9): Billy's mom helps him out every step of the way by providing him with supplies and taking care of him.
–Special Recipe (9): Billy spent one month coming up with this secret recipe. Everyone loves his lemonade!
–Trust (9): Billy's mom told him to never lie. He'd get into big trouble.
–Reputation (9): Billy knows the reason why he makes $40 a day is because people know that he is nice and has good lemonade.
–Customer Base (9): Without Mr. Wilson from up the road and Mrs. Baker from down the street, he wouldn't have anyone to sell his lemonade to.

Determine Vulnerabilities: Specific to Organizations
Predict the damage that might occur and the source of that damage.
Information is an asset that has value to an agency and must therefore be appropriately protected. The objective of information security is to preserve the agency's information assets and the business processes they support in the context of:
–Confidentiality: information is only available to authorized individuals.
–Integrity: information can only be entered, changed or destroyed by authorized individuals.
–Availability: information is provided to authorized users when it is requested or needed.

Determine Vulnerabilities: Impact to Assets
Vulnerability: a weak characteristic of an information asset or group of assets which can be exploited by a threat. It is a consequence of weaknesses in controls.
To organize threats and assets, use the following matrix (X marks cells where the slide lists no impact):

Asset         | Confidentiality                           | Integrity                                            | Availability
--------------|-------------------------------------------|------------------------------------------------------|---------------------------------------
Hardware      | X                                         | Overloaded, destroyed, tampered with                 | Failed, stolen, destroyed, unavailable
Software      | Stolen, copied, pirated                   | Impaired by Trojan horse, modified, tampered with    | Deleted, misplaced, usage expired
Data          | Disclosed, accessed by outsider, inferred | Damaged (software error, hardware error, user error) | Deleted, misplaced, destroyed
People        | X                                         | X                                                    | Terminated, quit, retired, vacation
Documentation | X                                         | X                                                    | Lost, stolen, destroyed
Supplies      | X                                         | X                                                    | Lost, stolen, damaged

–It is harder to determine the impact to non-tangible assets.
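A worked version of this module's approach, added here as an example and not taken from the slides: it joins the 1/3/9 ranking from the lemonade-stand exercise with the asset-class vs. confidentiality/integrity/availability matrix above, so each asset inherits the weaknesses listed for its class, and it flags the intangible assets whose impact the slide says is harder to determine. Mapping the stand to "hardware" and the sign to "documentation" is an assumption made for this example.

```python
"""Qualitative asset/vulnerability worklist: added example, not from the slides.
Each asset inherits the weaknesses the class-vs-C/I/A matrix lists for its class
(an 'X' cell is None); intangible assets without a matrix row are flagged for review."""
from dataclasses import dataclass

SCALE = {1: "not really important", 3: "somewhat important", 9: "very important"}
CIA = ("confidentiality", "integrity", "availability")
# Asset-class matrix from the slide; None stands for an 'X' (no impact listed).
CLASS_MATRIX = {
    "hardware": (None, "overloaded, destroyed, tampered with",
                 "failed, stolen, destroyed, unavailable"),
    "software": ("stolen, copied, pirated",
                 "impaired by Trojan horse, modified, tampered with",
                 "deleted, misplaced, usage expired"),
    "data": ("disclosed, accessed by outsider, inferred",
             "damaged (software, hardware or user error)",
             "deleted, misplaced, destroyed"),
    "people": (None, None, "terminated, quit, retired, vacation"),
    "documentation": (None, None, "lost, stolen, destroyed"),
    "supplies": (None, None, "lost, stolen, damaged"),
}
# Intangible classes from the slides that have no row in the matrix.
INTANGIBLE = {"intellectual property", "trust", "reputation", "customer base"}

@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str
    value: int  # qualitative rank: 1, 3 or 9

    def __post_init__(self):  # reject ranks off the 1/3/9 scale and unknown classes
        if self.value not in SCALE or self.asset_class not in CLASS_MATRIX.keys() | INTANGIBLE:
            raise ValueError(f"{self.name}: bad rank {self.value} or class {self.asset_class!r}")

def build_worklist(assets):
    """Return (worklist, needs_review): (asset, dimension, weakness) rows with the
    highest-ranked assets first, plus intangible assets that must be judged by hand."""
    worklist, needs_review = [], []
    for a in sorted(assets, key=lambda x: (-x.value, x.name)):
        row = CLASS_MATRIX.get(a.asset_class)
        if row is None:  # intangible: no generic weaknesses to inherit
            needs_review.append(a.name)
            continue
        worklist += [(a.name, dim, w) for dim, w in zip(CIA, row) if w]
    return worklist, needs_review

# Constructed from the lemonade-stand slides with Billy's 1/3/9 ranks; mapping the
# stand to 'hardware' and the sign to 'documentation' is an assumption made here.
LEMONADE_STAND = [Asset(*t) for t in [
    ("Lemonade stand", "hardware", 3), ("Sign", "documentation", 1),
    ("Pitcher", "supplies", 3), ("Paper cups", "supplies", 1), ("Spoon", "supplies", 1),
    ("Lemons", "supplies", 3), ("Sugar", "supplies", 3), ("Water", "supplies", 1),
    ("Secret ingredient", "supplies", 9), ("Billy", "people", 9), ("Billy's Mom", "people", 9),
    ("Special recipe", "intellectual property", 9), ("Trust", "trust", 9),
    ("Reputation", "reputation", 9), ("Customer base", "customer base", 9)]]

def lemonade_stand_worklist():
    return build_worklist(LEMONADE_STAND)
```

Running `lemonade_stand_worklist()` yields twelve (asset, dimension, weakness) rows led by the rank-9 people and supplies, and four intangible assets (customer base, reputation, recipe, trust) that the matrix cannot score and that have to be assessed by hand.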

Determine Vulnerabilities: Guiding Questions
Each vulnerability may affect more than one asset or cause more than one type of loss. While completing the matrix, answer the following questions:
–What are the effects of unintentional errors? e.g. accidental deletion, use of incorrect data
–What are the effects of willful malicious insiders? e.g. disgruntled employees, bribery, espionage
–What are the effects of outsiders? e.g. hackers, dial-in access, people sifting through trash
–What are the effects of natural and physical disasters? e.g. fire, storms, floods, power outage, component failures

Determine Assets and Vulnerabilities: Summary
–Assets come in two forms: tangible and intangible.
–Intangible assets are often difficult to quantify, but can be very important to assess.
–Valuation of assets can be done quantitatively or qualitatively (e.g. L, M, H).
–Vulnerabilities are weak characteristics of assets which can be exploited. They are usually defined in terms of confidentiality, integrity, and availability.