1 Georgia Institute of Technology
Assessing Damages of Information Security Incidents and Selecting Control Measures, a Case Study Approach
Fariborz Farahmand, Shamkant B. Navathe, Gunter Sharp, Philip H. Enslow
Georgia Institute of Technology, June 2004

Good afternoon! Thank you for being here and for your interest in developing a risk management system for information system security incidents.

2 Introduction
Identifying sources of information
Developing the questionnaire
Analyzing/evaluating the usefulness of answers
Testing and confirming the results in the second round

6 information security experts from: 1- Consumer advertising services, 2- Public domain law enforcement agencies, 3- Information security consulting services, 4- Network service providers, 5- Online payment services, and 6- Public educational services
Round I: 4 experts
Round II: 2 experts who participated in Round I and an external expert

In part 7 of this presentation I discuss my case study. This task was done in 4 stages: 1- Identifying sources of information, 2- Developing the questionnaire, 3- Analyzing/evaluating the usefulness of answers, 4- Testing and confirming the results in the second round. 6 distinguished information security experts from: 1- Consumer advertising services, 2- Public domain law enforcement agencies, 3- Information security consulting services, 4- Network service providers, 5- Online payment services, and 6- Public educational services took part in this important task of this research in 2 rounds.

3 Case Studies: Round I Summary of answers:
All the respondents listed disclosure and theft of proprietary information as a major threat
Viruses, DoS, disgruntled employees, improper password security, and hardware failures were also mentioned as threats
(Zero to one major attack)/month and an average of one intrusion every six months
All the respondents said they expect at least one major attack during the coming months
The damage of such an attack would depend first on the publicity of the attack, and second on the costs of system downtime, notification, consulting, and re-design

Here is the summary of answers to 13 questions: All the respondents listed disclosure and theft of proprietary information as a major threat. Viruses, DoS, disgruntled employees, improper password security, and hardware failures were also mentioned as threats. An average of (zero to one major attack)/month and one intrusion every six months has been the experience of our experts in their organizations. Their companies expect at least one major attack during the coming months. The damage of such an attack first depends on the publicity that the attack receives, and second on the costs of system downtime, notification, consulting, and re-design.

4 Case Studies: Round I Summary of answers (cont.):
Unauthorized users were identified as the source of the most important threats to an organization, which can be caused by software techniques
Most respondents could not describe what exact control measures they had in place. Some listed virus scanners, passwords, firewalls, and IDS systems for break-ins
Background checks were mentioned as a control measure which does not fall in the category of our model
All respondents mentioned access control as the most effective control measure against threats
Except for one who estimated a 70% overall effectiveness for the control measures, the rest were not able to evaluate the effectiveness of the control measures

Our information security experts have stated that: Unauthorized users are the source of the most important threats to an organization, which can be caused by software techniques. Most respondents could not describe what exact control measures they had in place. Some listed virus scanners, passwords, firewalls, and IDS systems for break-ins. Background checks were mentioned as a control measure which does not fall in the category of our model. All respondents mentioned access control as the most effective control measure against threats. Except for one who estimated a 70% overall effectiveness for the control measures, the rest were not able to evaluate the effectiveness of the control measures.

5 Case Studies: Round I Summary of answers (cont.):
Dissatisfaction of users with using passwords and authentication, and a 25 second tolerance by users for completing a transaction, were reported.
All respondents emphasized the need for a formal methodology for evaluating intangible damages.
Only one respondent provided an approach for evaluating damages to reputation: “We spend XX dollars to advertise our brand. If it is damaged then we need to spend YY additional to bring the image back to where it was. Therefore the cost of the attack was equal to the cost of the additional advertising. To this should be added man power and the cost of managing the incident”

A 25 second tolerance by users for completing a transaction was mentioned. All respondents emphasized the need for a formal methodology for evaluating intangible damages. Only one of our experts provided an approach for evaluating this kind of damage: “We spend XX dollars to advertise our brand. If it is damaged then we need to spend YY additional to bring the image back to where it was. Therefore the cost of the attack was equal to the cost of the additional advertising. We also should add man power and the cost of managing the incident to this”

6 Case Studies: Round I Summary of answers:
Although most respondents were interested in transferring risks to insurance companies, they had concerns about issues such as: lack of formal methods for damage assessment, deductibles, covered items, and above all confusing policies.

Most respondents were interested in transferring risks to insurance companies, but they had concerns about: lack of formal methods for damage assessment, deductibles, covered items, and above all confusing policies.

7 Case Studies: Round II Summary of results:
All the respondents agreed with the following ranking of threats in order of importance: 1- Theft of proprietary/disclosure of information, 2- Virus/worm attacks, 3- Denial of service attacks, as the three most important threats to information systems.
Sample comment by experts: “I agree, number one could be very costly to a business, while two and three can be managed to a degree”
Also, a major concern about potential threats from insiders was identified (this is consistent with the CSI/FBI Annual Reports)

All the respondents agreed with the ranking of: 1- Theft of proprietary/disclosure of information, 2- Virus/worm attacks, 3- Denial of service attacks, as the order of importance for their organization in specific, and for companies utilizing electronic access in general. In confirming this result, one of our experts says: “I agree, number one (meaning disclosure of information) could be very costly to a business, while two and three (meaning virus and DoS attacks) can be managed to a degree”. This result is also consistent with the CSI/FBI reports.

8 Case Studies: Round II Summary of results (cont.):
The frequency of theft of proprietary/disclosure of information was estimated at more than just once a year. It was also stated that under several circumstances most of these attacks do not receive publicity. Virus attacks are also expected by respondents on a daily basis.
Sample comment by experts: “I think you are correct in your response, only because this is about how often the above incidents are reported. The first incident is very rarely reported, while the second is known due to the publicity that is reported throughout the industry. As to a DoS attack, with better security and equipment, we don't hear from the victims as much as we used to. This may also be due to the fact that Internet providers are more proactive in stopping DoS attacks”

The frequency of violation of confidentiality of information was estimated at more than just once a year. It was also revealed that the main reason that attacks on the confidentiality of data, despite their importance, have not received great attention is that companies do NOT give publicity to such an intrusion. Again, in confirming this result, our expert states that: “I think you are correct in your response, only because this is about how often the above incidents are reported. The first incident (meaning disclosure of information) is very rarely reported, while the second is known due to the publicity that is reported throughout the industry.”

9 Case Studies: Round II Summary of results (cont.):
The following control measures were approved as effective control measures:
For the theft of proprietary/disclosure of information threat: 1- Perimeter router, 2- Multiple intrusion detection systems, 3- Access control, 4- Firewall, 5- Syslog
(Encryption, IDS, separation of duties, and web content filtering were also suggested by some respondents)

The following were approved as effective control measures: For the disclosure of information threat: 1- Perimeter router, 2- Multiple intrusion detection systems, 3- Access control, 4- Firewall, 5- Syslog (Encryption, IDS, separation of duties, and web content filtering were also suggested by some respondents).

10 Case Studies: Round II Summary of results (cont.):
For viruses: 1- Access control, 2- Virus scanner (Inline IDS was also recommended)
For denial of service: 1- Access control, 2- Firewall, 3- Proactive methods such as application software (Application firewalls running alongside the perimeter routers, border routers, and bandwidth shapers were also suggested by some respondents)

For viruses: 1- Access control, 2- Virus scanner (Inline IDS was also recommended). For denial of service: 1- Access control, 2- Firewall, 3- Proactive methods such as application software (Application firewalls running alongside the perimeter routers, border routers, and bandwidth shapers were also suggested by some respondents).

11 Case Studies: Round II Summary of results (cont.):
Results of the research also indicate that stronger control measures can cause dissatisfaction on the part of clients, and that the maximum response time to a mouse click should be less than 25 seconds.
Sample comment by experts: “I agree 100 percent; the stronger the control measures, the more dissatisfied the client. People are very impatient, and their time is very valuable. Clients' days are very busy and complicated, and in order to generate a good work product, they cannot be frustrated by security controls that have been put in place. Installing complicated security measures slows down the system and distracts the client. As to a reasonable time, I do not know, but we both know the faster the better”

I argue that stronger control measures can cause dissatisfaction on the part of clients and that the maximum response time to a mouse click should be less than 25 seconds. I recommend “good-enough security” instead of just stronger security. One of our experts, in confirming this result, states that: “I agree 100 percent; the stronger the control measures, the more dissatisfied the client. People are very impatient, and their time is very valuable. Clients' days are very busy and complicated, and in order to generate a good work product, they cannot be frustrated by security controls that have been put in place. Installing complicated security measures slows down the system and distracts the client. As to a reasonable time, I do not know, but we both know the faster the better”

12 Future Work
Introducing the level of countermeasure (L), effectiveness (E), and cost (C) as components of each countermeasure and introducing them into our 5-stage risk analysis system
A tradeoff analysis between the cost of security measures and the incident rate and reliability as a measure of safety. A multi-objective optimization approach could be used here to find the Pareto set of solutions.

Future work includes introducing the level of control measures, effectiveness, and cost as components of each control measure in the risk management system, and also a tradeoff analysis between the cost of security measures and the incident rate and reliability as a measure of safety.
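The tradeoff the future-work slide describes, cost of control measures against their combined effectiveness, can be made concrete by enumerating portfolios of control measures and keeping only the non-dominated (Pareto) ones. The script below is an added example, not code from the presentation or the authors; the control names reuse measures the respondents listed, but the L/E/C values are constructed placeholders, and the rule for combining effectiveness (independent controls, so the miss probability is the product of each control's miss probability) is an assumption of the example, not part of the authors' model.

```python
"""Pareto set of control-measure portfolios: minimise cost, maximise effectiveness.
Added example; values are constructed, not results from the Georgia Tech case study."""
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

# Constructed sample data: name -> (level L on a 1-3 scale, effectiveness E as a
# fraction of threats stopped, annual cost C in dollars). Hypothetical numbers.
CONTROLS: Dict[str, Tuple[int, float, int]] = {
    "access_control": (2, 0.50, 20_000),
    "firewall":       (1, 0.40, 10_000),
    "ids":            (2, 0.30, 15_000),
    "syslog":         (1, 0.10, 2_000),
    "encryption":     (3, 0.35, 30_000),
}

Portfolio = Tuple[Tuple[str, ...], int, float]  # (controls, total cost, combined E)


def portfolio_metrics(names: Sequence[str], controls=CONTROLS) -> Tuple[int, float]:
    """Total cost and combined effectiveness of a set of controls.
    Assumption: controls act independently, so the probability that a threat
    gets past all of them is the product of the individual miss probabilities."""
    cost = sum(controls[n][2] for n in names)
    miss = 1.0
    for n in names:
        miss *= 1.0 - controls[n][1]
    return cost, 1.0 - miss


def residual_incident_rate(base_rate: float, effectiveness: float) -> float:
    """Incident rate remaining after controls, given a base rate (e.g. per month)."""
    return base_rate * (1.0 - effectiveness)


def all_portfolios(controls=CONTROLS) -> List[Portfolio]:
    """Every subset of controls (including the empty set) with its metrics."""
    names = sorted(controls)
    out: List[Portfolio] = []
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            cost, eff = portfolio_metrics(combo, controls)
            out.append((tuple(combo), cost, eff))
    return out


def dominates(a: Portfolio, b: Portfolio) -> bool:
    """a dominates b if it is no worse on both objectives and strictly better on one."""
    (_, cost_a, eff_a), (_, cost_b, eff_b) = a, b
    return cost_a <= cost_b and eff_a >= eff_b and (cost_a < cost_b or eff_a > eff_b)


def pareto_set(portfolios: List[Portfolio]) -> List[Portfolio]:
    """Non-dominated portfolios, ordered by increasing cost."""
    front = [p for p in portfolios
             if not any(dominates(q, p) for q in portfolios if q is not p)]
    return sorted(front, key=lambda p: p[1])


if __name__ == "__main__":
    base_rate = 0.5  # constructed: about one major attack every two months
    for names, cost, eff in pareto_set(all_portfolios()):
        print(f"${cost:>7,}  E={eff:.3f}  residual rate/month={residual_incident_rate(base_rate, eff):.3f}"
              f"  {', '.join(names) or '(no controls)'}")
```

Each line of the Pareto front is a portfolio that no other portfolio beats on both cost and effectiveness; a decision maker then picks a point on that front according to the budget and the tolerated residual incident rate. Portfolios that drop off the front (here, for instance, IDS on its own, which costs more than a firewall alone yet stops fewer threats under the constructed numbers) are the ones the analysis rules out.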