SANS Technology Institute - Candidate for Master of Science Degree
A Preamble into Aligning Systems Engineering and Information Security Risk
Dr. Craig Wright, GSE. May 2012. GIAC GSE, GSM, GSC

Controls
Controls are countermeasures for vulnerabilities. Controls need to be economically viable to be effective. There are four types:
1. Deterrent controls
2. Preventative controls
3. Corrective controls
4. Detective controls

System Survival
Network reliability requires us to model the various access paths and survival times, not only for each system but for each path to the system.

Mapping Vulnerabilities within Software
Now let E stand for the event that a vulnerability is discovered within the times T and T+h, for n vulnerabilities in the software.

Mapping Vulnerabilities within Software
Where a vulnerability is discovered between times T and T+h, use Bayes' Theorem to compute the probability that n bugs exist in the software:

Mapping Vulnerabilities within Software
From this it can be seen that:
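The slides' own expressions for the Bayes step are images that are not reproduced on this page. The following is an added example, not the author's code, that carries the step through under assumptions of our own: each of the n undiscovered vulnerabilities is found independently after an exponential time with rate lam (so, by memorylessness, the start T of the window does not matter once the n are known to be unfound at T), the prior over n is Poisson with mean mu, and the values lam = 0.01 per day, h = 30 days and mu = 5 are illustrative only.

```python
"""Added example: posterior over the number of vulnerabilities n after
observing E (a discovery in the window (T, T+h]) or its complement.

Assumptions (ours, not stated on the slides): independent exponential
discovery times with rate lam per vulnerability; Poisson(mu) prior on n;
the numeric values below are illustrative.
"""
import math


def p_e_given_n(n: int, lam: float, h: float) -> float:
    """P(E | n): at least one of n unfound vulnerabilities is found within
    an interval of length h.  n independent exponential clocks with rate lam
    have a minimum that is exponential with rate n*lam."""
    return 1.0 - math.exp(-n * lam * h)


def poisson_prior(n: int, mu: float) -> float:
    """Assumed prior P(n) on the number of vulnerabilities present."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def _normalise(joint: list) -> list:
    evidence = sum(joint)  # P(E) = sum_k P(E | k) P(k)
    return [j / evidence for j in joint]


def posterior_n_given_e(lam: float, h: float, mu: float, n_max: int = 60) -> list:
    """Bayes: P(n | E) = P(E | n) P(n) / P(E), truncated at n_max."""
    return _normalise([p_e_given_n(n, lam, h) * poisson_prior(n, mu)
                       for n in range(n_max + 1)])


def posterior_n_given_not_e(lam: float, h: float, mu: float, n_max: int = 60) -> list:
    """Same update for the complementary observation: nothing found in the
    window.  P(not E | n) = exp(-n lam h), so the posterior shifts downward."""
    return _normalise([(1.0 - p_e_given_n(n, lam, h)) * poisson_prior(n, mu)
                       for n in range(n_max + 1)])


def posterior_mean(post: list) -> float:
    """Expected number of vulnerabilities under a posterior vector."""
    return sum(n * p for n, p in enumerate(post))


if __name__ == "__main__":
    LAM, H, MU = 0.01, 30.0, 5.0  # illustrative: 1%/day per bug, 30-day window, prior mean 5
    found = posterior_n_given_e(LAM, H, MU)
    quiet = posterior_n_given_not_e(LAM, H, MU)
    print(f"prior mean n            : {MU:.2f}")
    print(f"posterior mean | found  : {posterior_mean(found):.2f}")
    print(f"posterior mean | quiet  : {posterior_mean(quiet):.2f}")
    print(f"P(n = 0 | found)        : {found[0]:.3f}")
```

A discovery in the window can never come from zero remaining bugs, so P(n = 0 | E) is exactly zero, and the posterior mean rises above the prior mean; a quiet window pulls the estimate below the prior. The model is deliberately simple (constant, identical discovery rates) so that the Bayesian update is the only moving part.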

Exponential Failure
The reliability function (also called the survival function) represents the probability that a system will survive a specified time t.

Exponential Failure
The reliability function is a probabilistic calculation.
– We cannot forecast the exact time of any compromise.
– We can estimate the behaviour of systems that are constructed of many components.
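An added example, not from the slides, of the two points made above and under System Survival: estimating the survival of a system reachable over several attack paths from the exponential reliability function R(t) = exp(-t/theta) of each control. The structure is our assumption: an attacker traverses a path only once every control on it has been broken (path compromise time is the maximum of the control times), the system is compromised as soon as any path falls (minimum over paths), paths are treated as independent, and the path names and mean survival times (in hours) are invented for illustration.

```python
"""Added example: system survival over multiple attack paths built from
exponential per-control survival functions.

Assumptions (ours): a path falls only when all of its controls have fallen;
the system falls when the first path falls; paths are independent; the
path names and theta values below are constructed for illustration.
"""
import math

# Constructed: mean time (hours) for an attacker to break each control on a path.
PATHS = {
    "internet -> web app -> db": [200.0, 400.0],
    "vpn -> jump host -> db": [500.0, 300.0, 400.0],
    "phishing -> workstation -> db": [50.0, 400.0],
}


def r_exp(t: float, theta: float) -> float:
    """Exponential reliability (survival) function with mean survival time theta."""
    return math.exp(-t / theta)


def path_survival(t: float, thetas: list) -> float:
    """P(path still blocked at t).  Every control must be broken for the path
    to be traversable, so P(path fallen) = prod_i (1 - R_i(t))."""
    p_all_broken = 1.0
    for theta in thetas:
        p_all_broken *= 1.0 - r_exp(t, theta)
    return 1.0 - p_all_broken


def system_survival(t: float, paths: dict) -> float:
    """Independent paths: the system survives only if every path survives."""
    surv = 1.0
    for thetas in paths.values():
        surv *= path_survival(t, thetas)
    return surv


def weakest_path(t: float, paths: dict) -> str:
    """Name of the path with the lowest survival probability at time t."""
    return min(paths, key=lambda name: path_survival(t, paths[name]))


def mean_time_to_compromise(paths: dict, t_max: float, steps: int) -> float:
    """E[T] = integral_0^inf R(t) dt, approximated by the trapezoidal rule
    on [0, t_max]; choose t_max several times the largest theta."""
    dt = t_max / steps
    total = 0.5 * (system_survival(0.0, paths) + system_survival(t_max, paths))
    for k in range(1, steps):
        total += system_survival(k * dt, paths)
    return total * dt


if __name__ == "__main__":
    for t in (24.0, 100.0, 500.0):
        print(f"t={t:6.0f}h  R_system={system_survival(t, PATHS):.3f}  "
              f"weakest={weakest_path(t, PATHS)}")
    print(f"mean time to compromise ~ {mean_time_to_compromise(PATHS, 5000.0, 50000):.0f} h")
```

Within a path the controls behave like parallel redundancy (all must fail), while across paths the system behaves like a series arrangement (one failing path is enough). That is why the phishing path, with a control that falls quickly, dominates the system survival even though it ends at the same well-protected database as the others: the long-lived control at the end of a path buys little if an earlier stage is weak.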

Reliability
Reliability is expressed as either MTBF (mean time between failures) or MTTF (mean time to failure).
– The choice of term depends on the system being analysed: MTBF applies to systems that are repaired and returned to service, MTTF to those that are not.
– For system security, it is the time that the system can be expected to survive when exposed to attack.

Modelling Failure Rate
The failure rate for a specific time interval can also be expressed as:

Modelling Failure Rate
The time to failure of a system under attack can be expressed as an exponential density function:

Modelling Failure Rate
Here the mean survival time of the system in the hostile environment is the scale parameter of the density, and t is the time of interest. The reliability function R(t) can then be expressed as:

Modelling Failure Rate
The mean, or expected life, of the system under hostile conditions can hence be expressed as:
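The formulas on the four Modelling Failure Rate slides are images not reproduced on this page. The following is an added derivation of the standard exponential model those slides describe, not a transcription of the slides; the symbol names are our choice: $\lambda$ for the constant failure (compromise) rate, $\theta$ for the mean survival time in the hostile environment, $f$ and $F$ for the density and distribution of the time to failure, and $R$ for the reliability function.

```latex
% Failure rate over the interval (t_1, t_2], conditional on survival to t_1:
\lambda(t_1, t_2) = \frac{R(t_1) - R(t_2)}{(t_2 - t_1)\, R(t_1)},
\qquad
\lambda(t) = \lim_{h \to 0} \lambda(t, t+h) = \frac{f(t)}{R(t)}.

% Exponential time to failure with constant rate \lambda:
f(t) = \lambda e^{-\lambda t}, \quad t \ge 0,
\qquad
F(t) = \int_0^t f(u)\,du = 1 - e^{-\lambda t},
\qquad
R(t) = 1 - F(t) = e^{-\lambda t}.

% Check that the rate is indeed constant:
\lambda(t) = \frac{f(t)}{R(t)} = \frac{\lambda e^{-\lambda t}}{e^{-\lambda t}} = \lambda .

% Mean (expected) life under attack:
\theta = E[T] = \int_0^\infty R(t)\,dt = \int_0^\infty e^{-\lambda t}\,dt = \frac{1}{\lambda}.

% The same model written with the mean survival time \theta as the parameter:
f(t) = \frac{1}{\theta} e^{-t/\theta},
\qquad
R(t) = e^{-t/\theta},
\qquad
R(\theta) = e^{-1} \approx 0.368 .
```

Two consequences matter in practice. The constant rate is the memoryless property: the probability that a system survives a further $h$ given that it has survived to $t$ is $e^{-\lambda h}$ regardless of $t$, so an exponential model cannot express wear-out or hardening over time. And $R(\theta) \approx 0.37$ says that the system has only about a one-in-three chance of still standing at its own mean survival time, which is why MTTF alone is a poor planning figure without the survival curve behind it.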

No Absolutes
There are no absolutes, but data can be modelled.
– Security remains a risk and economic function.
– Levels of security can only be compared as a relative measure; there is no absolute level of security.

Conclusion
Before we invest our valuable resources into protecting information assets, it is vital to address concerns such as:
– the importance of the information or resource being protected,
– the potential impact if security is breached,
– the skills and resources of the attacker, and
– the controls available to implement the security.