A Preamble into Aligning Systems Engineering and Information Security Risk
Dr. Craig Wright GSE
May 2012
GIAC GSE, GSM, GSC
SANS Technology Institute - Candidate for Master of Science Degree
Controls
Controls are countermeasures for vulnerabilities. Controls need to be economically viable to be effective. There are four types:
1. Deterrent controls
2. Preventative controls
3. Corrective controls
4. Detective controls
System Survival
Network reliability requires us to model the various access paths and survival times, not only for each system but for each path to the system.
Mapping Vulnerabilities within Software
Now let E stand for the event where a vulnerability is discovered within the times T and T+h for n vulnerabilities in the software.
Mapping Vulnerabilities within Software
Where a vulnerability is discovered between time T and T+h, use Bayes’ Theorem to compute the probability that n bugs exist in the software:
Mapping Vulnerabilities within Software
From this it can be seen that:
Exponential Failure
The reliability function (also called the survival function) represents the probability that a system will survive a specified time t.
Exponential Failure
The reliability function is a probabilistic calculation.
– We cannot forecast the exact time of any compromise.
– We can estimate the behaviour of systems that are constructed of many components.
Reliability
Reliability is expressed as either MTBF (mean time between failures) or MTTF (mean time to failure).
– The choice of term depends on the system being analyzed.
– For system security, it is the time that the system can be expected to survive when exposed to attack.
Modelling Failure Rate
The failure rate for a specific time interval can also be expressed as:
Modelling Failure Rate
The time to failure of a system under attack can be expressed as an exponential density function:
Modelling Failure Rate
Here the distribution parameter is the mean survival time of the system in the hostile environment, and t is the time of interest. The reliability function R(t) can be expressed as:
Modelling Failure Rate
The mean ( ) or expected life of the system under hostile conditions can hence be expressed as:
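The exponential survival model of the last four slides, carried through as an added worked example (not code from the presentation). It assumes the standard exponential forms the slides' equations are not reproduced in this text: density f(t) = (1/θ)·e^(−t/θ), reliability R(t) = e^(−t/θ), and mean life θ, with θ estimated as the MTTF of a constructed set of observed compromise times.

```python
import math

# Constructed sample (not from the slides): hours until compromise observed
# for a set of identically configured hosts exposed to attack.
OBSERVED_TTF_HOURS = [12.0, 30.0, 6.5, 48.0, 21.0, 9.0, 75.0, 18.5]


def mean_survival_time(times):
    """Estimate the mean survival time theta (MTTF) as the sample mean."""
    return sum(times) / len(times)


def density(t, theta):
    """f(t): exponential density of the time to failure under attack."""
    return math.exp(-t / theta) / theta


def reliability(t, theta):
    """R(t): probability the system is still uncompromised after time t."""
    return math.exp(-t / theta)


def interval_failure_rate(t, h, theta):
    """Probability of failure within (t, t+h] given survival up to t:
    (R(t) - R(t+h)) / R(t). For the exponential model this is the same
    for every t (memorylessness): past survival does not change the odds."""
    return (reliability(t, theta) - reliability(t + h, theta)) / reliability(t, theta)


def expected_life(theta, steps=200000):
    """Mean life as the integral of R(t) from 0 to infinity, computed
    numerically (trapezoid rule) over [0, 40*theta]; the tail beyond that
    is negligible. For the exponential model the result equals theta."""
    upper = 40.0 * theta
    dt = upper / steps
    total = 0.0
    for i in range(steps):
        a = reliability(i * dt, theta)
        b = reliability((i + 1) * dt, theta)
        total += 0.5 * (a + b) * dt
    return total


if __name__ == "__main__":
    theta = mean_survival_time(OBSERVED_TTF_HOURS)
    print(f"theta (MTTF) = {theta:.2f} h")
    print(f"R(24h) = {reliability(24.0, theta):.3f}")
    print(f"P(fail in next 5h | alive at 0h)   = {interval_failure_rate(0.0, 5.0, theta):.3f}")
    print(f"P(fail in next 5h | alive at 100h) = {interval_failure_rate(100.0, 5.0, theta):.3f}")
    print(f"integral of R(t) dt = {expected_life(theta):.3f} h")
```

Fitting θ from observed compromise times gives a relative measure only, as the "No Absolutes" slide states: R(t) compares configurations against each other, not against an absolute level of security.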
No Absolutes
There are no absolutes, but data can be modelled.
– Security remains a risk and economic function.
– No comparison of levels of security can be made other than to a relative measure (there is no absolute level of security).
Conclusion
Before we invest our valuable resources into protecting information assets, it is vital to address concerns such as:
– the importance of the information or resource being protected,
– the potential impact if the security is breached,
– the skills and resources of the attacker, and
– the controls available to implement the security.