1. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Qualitative Risk Analysis Sanjay Goel University at Albany, SUNY Fall 2004

2. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 2 Course Outline > Unit 1: What is a Security Assessment? –Definitions and Nomenclature Unit 2: What kinds of threats exist? –Malicious Threats (Viruses & Worms) and Unintentional Threats Unit 3: What kinds of threats exist? (cont’d) –Malicious Threats (Spoofing, Session Hijacking, Miscellaneous) Unit 4: How to perform security assessment? –Risk Analysis: Qualitative Risk Analysis Unit 5: Remediation of risks? –Risk Analysis: Quantitative Risk Analysis

3. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 3 Module 1: Qualitative Risk Analysis Module 2: Matrix Based Approach Module 3: Determine Assets and Vulnerabilities Module 4: Determine Threats and Controls Module 5: Case Study Qualitative Risk Analysis Outline for this unit

4. Module 1 Risk Analysis: Qualitative Risk Analysis

5. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 5 What are the difficulties with risk analysis? What are the two different approaches? What is the methodology for qualitative risk analysis? Risk Analysis Outline

6. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 6 Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets. It involves the interaction of the following elements: –Assets –Vulnerabilities –Threats –Impacts –Likelihoods –Controls Risk Analysis Risk Analysis Definition

7. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 7 Risk Analysis Concept Map Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000 Threats exploit system vulnerabilities which expose system assets. Security controls protect against threats by meeting security requirements established on the basis of asset values.

8. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 8 Relatively new field Lack of formal models Lack of data Evolving threats Constantly changing information systems and vulnerabilities Human factors related to security No standard of practice Risk Analysis Difficulties with Information Security Risk Analysis

9. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 9 Two Risk Analysis Approaches –Qualitative: Based on literal description of risk factors and risk is expressed in terms of its potential. Threats and vulnerabilities are identified and analyzed using subjective judgment. Uses checklists to determine if recommended controls are implemented and if different information systems or organizations are secure. –Quantitative: Relating to, concerning, or based on the amount or number of something, capable of being measured or expressed in numerical terms. Risk Analysis Approaches

10. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 10 Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls Usually associate relationships between interrelated factors –Things of value for the organization –Threats: things that can go wrong –Vulnerabilities: Weaknesses that make a system more prone to attack or make an attack more likely to succeed –Controls: These are the countermeasures for vulnerabilities More practical since it is based on user inference and follows current processes better. It capitalizes on user experience and doesn’t resort to extensive data gathering. Probability data is not required and only estimated potential loss may be used Risk Analysis: Qualitative Methodology

11. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 11 1)What is the difference between quantitative and qualitative risk analysis? 2)Why would one be performed instead of another? 3)What are the benefits to using a matrix based methodology for qualitative risk analysis? Risk Analysis: Qualitative Questions 1, 2, and 3

12. Module 2 Determine Assets and Vulnerabilities

13. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 13 What are tangible assets? What are non-tangible assets? How to assign value to assets? What questions should be asked? Example –Lemonade Stand How to determine vulnerabilities? What questions should be asked? Determine Assets and Vulnerabilities Outline

14. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 14 Assets- Something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business. Hardware –Processors, boards, monitors, keyboards, terminals, drives, cables, connections, controllers, communications media, etc. Software –Source programs, object programs, purchased programs, operating systems, systems programs, diagnostic programs, etc. Information/Data –Data used during execution, stored data on various media, archival records, audit data, files with payment details, voice records, image files, product information, continuity plans. Services –Provided by the company. (e.g. computing and communication services, service providers and utilities) Documentation –On programs, hardware, systems, administrative procedures and the entire system, contracts, completed forms. Determine Assets Tangible

15. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 15 People and their knowledge (Employees) –Integral function/skills which the employee provides (e.g. technical, operational, marketing, legal, financial, contractors/consultants, outsourced providers) Reputation and Image –Value attributed to an organization as a result of its general estimation in the public eye. (e.g. political standing in the case of government agencies) Trust –Value consistent with public opinion on the integrity and character of an organization. Intellectual Property –Any product of the human intellect that is unique, novel, and unobvious (and has some value in the marketplace) Source: http://www.uta.edu/tto/ip-defs.htmhttp://www.uta.edu/tto/ip-defs.htm Determine Assets Non-Tangible

16. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 16 Asset values are used to identify the appropriate protection of assets and to determine the importance of the assets to the business. Values can be expressed in terms of: –Potential business impacts affecting loss of confidentiality, integrity and availability. Valuation of some assets different for small and large organizations Intangible assets hard to quantify Hidden costs of damages to recovery (often underestimated) Borrow from litigation Iterative to find ways of valuation Determine Assets Valuation

17. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 17 In this step, ramifications of computer security failure on organization are determined. Often inaccurate –Costs of human capital required to recover from failure undervalued e.g. cost of restoring data –Indirect consequences of an event unknown until the event actually happens –Catastrophic events that cause heavy damage are so infrequent that correct data unavailable –Non-tangible assets hard to quantify The questions on the next slide prompt us to think about issues of explicit and hidden cost related to security. –The answers may not produce precise cost figures, but help identify sources of various types of costs. Determine Assets Valuation, cont’d.

18. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 18 What are the legal obligations in preserving confidentiality or integrity of data? What business requirements and agreements cover the situation? Could release of a data item cause harm to a person or organization? Could unauthorized access to data cause loss of future business opportunity? What is the psychological effect of lack of computer service? What is the value of access to data or programs? What is the value of having access to data or programs to someone else? What other problems would arise from loss of data? Determine Assets Guiding Questions to Reflect on Intangible Assets

19. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 19 Billy sells lemonade outside of his house every weekend for 3 hours a day. Every week he makes about $40. The wooden stand has a cardboard sign which reads, “Lemonade for SALE, 25 cents each”. Supplies he receives from his mother are paper cups and a glass pitcher and spoon to stir with. For one pitcher of lemonade, he needs 4 lemons, 2 cups of sugar, 1 quart of water, and a secret ingredient and 10 minutes. The special recipe is located in a small space within the lemonade stand. He has a general crowd of about 10 neighbors who buy from him because they enjoy the taste of his lemonade and his personality. Determine Assets General Example #1: Lemonade Stand

20. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 20 Listing of Tangible Assets: Establishment –Lemonade stand: $5 Advertising –Sign: $1 Supplies –Pitcher: $7 –Paper cups: $2/25 pack –Spoon: $1.50 –Lemons: $3/10 pack –Sugar: $1/1 lb. –Water: $1/gallon –Secret ingredient: $1/1 lb. Determine Assets General Example #1: Lemonade Stand, cont’d. Listing of Intangible Assets: People –Billy –Billy’s Mother Intellectual Property –Special recipe Trust Reputation Customer base

21. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 21 Predict damage that might occur and source of damage Information –is an asset that has a value to an agency and must therefore be appropriately protected. The objective of information security is to preserve the agency’s information assets and the business processes they support in the context of: –Confidentiality Information is only available to authorized individuals –Integrity Information can only be entered, changed or destroyed by authorized individuals. –Availability Information is provided to authorized users when it is requested or needed. Determine Vulnerabilities Specific to Organizations

22. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 22 AssetConfidentialityIntegrityAvailability HardwareX Overloaded, destroyed, Tampered with Failed, Stolen, Destroyed, Unavailable Software Stolen, copied, pirated Impaired by Trojan horse, Modified, tampered with Deleted, Misplaced, Usage expired Data Disclosed, accessed by outsider, inferred Damaged (software error, hardware error, user error) Deleted, Misplaced, Destroyed PeopleXX Terminated, Quit, Retired, Vacation DocumentationXXLost, Stolen, Destroyed SuppliesXXLost, Stolen, Damaged Determine Vulnerabilities Impact to Assets Vulnerability- A weak characteristic of an information asset or group of assets which can be exploited by a threat. Consequence of weaknesses in controls. To organize threats & assets use the following matrix: –Harder to determine impact to non-tangible assets

23. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 23 Each vulnerability may affect more than one asset or cause more than one type of loss While completing the matrix, answer the following questions: –What are the effects of unintentional errors? e.g. accidental deletion, use of incorrect data –What are the effects of willful malicious insiders? e.g. disgruntled employees, bribery, espionage –What are the effects of outsiders? e.g. hackers, dial-in access, people sifting through trash –What are the effects of natural and physical disasters? e.g. fire, storms, floods, power outage, component failures Determine Vulnerabilities Guiding Questions

24. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 24 Using your own organization, determine the assets and vulnerabilities and fill them into the appropriate matrices. Determine Assets and Vulnerabilities Assignment

25. Module 3 Determine Threats and Controls

26. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 26 How do you identify threats? What types of controls are there? –Organizational and Management –Physical and Environmental –Operational –Technical What are the functions of controls? Determine Threats and Controls Outline

27. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 27 Threat- Potential cause of an unwanted event that may result in harm to the agency and its assets. A threat is a manifestation of vulnerability. Malicious –Malicious Software (Viruses, worms, trojan horses, time bomb logic bomb, rabbit, bacterium) –Spoofing or Masquerading –Sequential or Dictionary Scanning –Snooping (electronic monitoring or “shoulder surfing”) –Scavenging (“dumpster diving” or automated scanning of data) –Spamming –Tunneling Unintentional –Equipment or Software Malfunction –Human error (back door or user error) Physical –Power loss, vandalism, fire/flood/lightning damage, destruction Determine Threats and Controls Identification of Threats Source: http://www.caci.com/business/ia/threats.htmlhttp://www.caci.com/business/ia/threats.html

28. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 28 Security Controls- Implementations to reduce overall risk and vulnerability Deter –Avoid or prevent the occurrence of an undesirable event Protect –Safeguard the information assets from adverse events Detect –Identify the occurrence of an undesirable event Respond –React to or counter an adverse effect Recover –Restore integrity, availability and confidentiality of information assets Determine Threats and Controls Functions of Controls Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls

29. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 29 Organizational & Management Controls –Information security policy, information security infrastructure, third party access, outsourcing, mobile computing, telecommuting, asset classification and control, personnel practices, job descriptions, segregation of duties, recruitment, terms and conditions of employment, employee monitoring, job terminations and changes, security awareness and training, compliance with legal and regulatory requirements, compliancy with security policies and standards, incident handling, disciplinary process, business continuity management, system audits Physical & Environmental Controls –Secure areas, equipment security, clear desk and screen policy, removal of property Determine Threats and Controls Controls Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls

30. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 30 Operational Controls –Documentation, configuration and change management, incident management, software development and test environment, outsourced facilities, systems planning, systems and acceptance testing, protection against malicious code, data backup, logging, software and information exchange, security of media in transit, electronic commerce security, electronic data interchange, internet commerce, email security, electronic services, electronic publishing, media Determine Threats and Controls Operational Controls Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls

31. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 31 Technical Controls –Identification and authentication, passwords, tokens, biometric devices, logical access control, review of access rights, unattended user hardware, network management, operational procedures, predefined user access paths, dial-in access controls, network planning, network configuration, segregation of networks, firewalls, monitoring of network, intrusion detection, internet connection policies, operating system access control, identification of terminals and workstations, secure logon practices, system utilities, duress alarm, time restriction, application access control and restriction, isolation of sensitive applications, audit trails and logs Determine Threats and Controls Technical Controls Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls

32. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 32 Using your own organization, determine the vulnerabilities and threats and fill them into the appropriate matrices. Determine Assets and Vulnerabilities Assignment

33. Module 4 Matrix Based Approach

34. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 34 What are the steps involved? How do you fill in the matrices? –Asset/Vulnerability Matrix –Vulnerability/Threat Matrix –Threat/Control Matrix Matrix Based Approach Outline

35. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 35 Consists of three matrices –Vulnerability Matrix: Links assets to vulnerabilities –Threat Matrix: Links vulnerabilities to threats –Control Matrix: Links threats to the controls Step 1 –Identify the assets & compute the relative importance of assets Step 2 –List assets in the columns of the matrix. –List vulnerabilities in the rows within the matrix. –The value row should contain asset values. –Rank the assets based on the impact to the organization. –Compute the aggregate value of relative importance of different vulnerabilities Matrix Based Approach Methodology

36. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 36 Step 3 –Add aggregate values of vulnerabilities from vulnerability matrix to the column side of the threat matrix –Identify the threats and add them to the row side of the threat matrix –Determine the relative influence of threats on the vulnerabilities –Compute aggregate values of importance of different threats Step 4 –Add aggregate values of threats from the threat matrix to the column side of control matrix –Identify the controls and add them to the row side of the control matrix –Compute aggregate values of importance of different controls Matrix Based Approach Methodology

37. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 37 There needs to be a threshold for determining the correlations within the matrices. For each matrix, the thresholds can be different. This can be done in two ways: Qualitatively –determined relative to other correlations –e.g. asset1/vulnerability1 (L) is much lower than asset3/vulnerability3 (H) correlation. asset2/vulnerability2 correlation is in-between (M) Quantitatively –determined by setting limits –e.g. if no correlation (0), if lower than 10% correlation (L), if lower than 35% medium (M), if greater than 35% (H) Matrix Based Approach Determining L/M/H

38. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 38 Although the example provided gives 4 different levels (Not Relevant, Low, Medium, and High), organizations may choose to have more levels for finer grained evaluation. For example: –Not Relevant (0) –Very Low (1) –Low (2) –Medium-Low (3) –Medium (4) –Medium-High (5) –High (6) Matrix Based Approach Extension of L/M/H

39. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 39 Customize matrix to assets & vulnerabilities applicable to case –Compute cost of each asset and put them in the value row –Determine correlation with vulnerability and asset (L/M/H) –Compute the sum of product of vulnerability & asset values; add to impact column Matrix Based Approach Assets and Vulnerabilities Scale Not Relevant - 0 Low – 1 Medium – 3 High – 9 Critical Infrastructure Trade Secrets (IP)Client SecretsReputation (Trust)Lost Sales/RevenueCleanup CostsInfo/ IntegrityHardwareSoftwareServices Web Servers Compute Servers Firewalls Routers Client Nodes Databases Value Vulnerabilities Assets & Costs Relative Impact

40. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 40 Complete matrix based on the specific case –Add values from the Impact column of the previous matrix –Determine association between threat and vulnerability –Compute aggregate exposure values by multiplying impact and the associations Matrix Based Approach Vulnerabilities and Threats Scale Not Relevant - 0 Low– 1 Medium – 3 High – 9 Web Servers Compute ServersFirewallsRoutersClient NodesDatabases………… Denial of Service Spoofing and Masquerading Malicious Code Human Errors Insider Attacks Intrusion … Value Threats Vulnerabilities Relative ThreatImportance

41. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 41 Customize matrix based on the specific case –Add values from the relative exposure column of the previous matrix –Determine impact of different controls on different threats –Compute the aggregate value of benefit of each control Matrix Based Approach Threats and Controls Scale Not Relevant - 0 Low – 1 Medium – 3 High – 9 Denial of Service SpoofingMalicious CodeHuman ErrorsInsider AttacksIntrusionSpamPhysical Damage…… Firewalls IDS Single Sign-On DMZ Training Security Policy Value Controls Threats Value of Control Network Configuration Hardening of Environment

42. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 42 This methodology used for qualitative analysis is a matrix-based approach. The Matrix-based approach: –Brings transparency to risk analysis process –Provides a comprehensive methodology –Easy to use –Allows organizations to work with partial data –More data can be added as made available –Risk posture can be compared to other organization's –Determines controls needed to improve security Matrix-Based Approach Review

43. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 43 Go through the next modules in the unit to appropriately fill in the matrices presented in this module. Matrix Based Approach Assignment

44. Module 5 Case Study

45. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 45 What is the case about? What would fit into the categories of: –Assets –Vulnerabilities –Threats –Controls Filling in the matrices –Asset/Vulnerability –Vulnerability/Threat –Threat/Control Case Study Outline

46. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 46 Case Study Example Use the information that you have learned in the lecture in the following case study of a government organization. Remember these key steps for determining ALE – Identify and determine the value of assets – Determine vulnerabilities – Estimate likelihood of exploitation – Compute ALE – Survey applicable controls and their costs – Perform a cost-benefit analysis

47. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 47 Case Study Case An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization’s vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities. The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment. Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee’s time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktop is $1,500. Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars. The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.

48. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 48 Case Study Example- Assets (Tangible) Transaction Revenue- amount of profit from transactions Data- client information Laptops- shared, used for collecting information Desktops- shared, used for processing client information Regional Servers- stores all work activities of employees in region HQ Server- query regional servers to fulfill transactions

49. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 49 Case Study Example- Asset Valuations (Cost per Day) Transaction Revenue$10,000 per day Data (Liability)$10 million (total assets of organization) Laptops ½ x 200 (locations) x 20 (employees) x $2,500 (laptop cost) = $5,000,000 Desktops½ x 200 (locations) x 20 (employees) x $1,500 (desktop cost) = $3,000,000 Regional Servers$30,000 (server cost)x 10 (regions) + 80 (hours) x $20 (pay rate) x 10 (regions)+ $10,000 (transaction revenue) = $326,000 HQ Server$10,000 (transaction revenue) + $100,000 (cost of HQ server) + 80 (hours) x $20 (pay rate) x 10 (regions) = $126,000

50. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 50 Case Study Example- Vulnerabilities Vulnerabilities are weaknesses that can be exploited Vulnerabilities –Laptop Computers –Desktop Computers –Regional Servers –HQ server –Network Infrastructure –Software Computers and Servers are vulnerable to network attacks such as viruses/worms, intrusion & hardware failures Laptops are especially vulnerable to theft

51. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 51 Case Study Example- Threats Threats are malicious & benign events that can exploit vulnerabilities Several Threats exist –Hardware Failure – Software Failure – Theft – Denial of Service – Viruses/Worms – Insider Attacks – Intrusion and Theft of Information

52. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 52 Case Study Example- Controls Intrusion detection and firewall upgrades on HQ Server – mitigate HQ server failure and recovery Anti-Virus Software – mitigates threat of worms, viruses, DOS attacks, and some intrusions Firewall upgrades – mitigates threats of DOS attacks and some intrusions, worms and viruses Redundant HQ Server – reduces loss of transaction revenue Spare laptop computers at each location – reduces loss of transaction revenue and productivity Warranties – reduces loss of transaction revenue and cost of procuring replacements Insurance – offset cost of liability Physical Controls – reduce probability of theft Security Policy – can be used to reduce most threats.

53. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 53 Case Study Asset/Vulnerability Matrix The coefficients of this matrix are usually based on internal data as well as financial loss organizations For the current example we will assume data for illustration of the concept –Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure with which clients access the data. (.30 each) –Laptops, desktops and software is only associated with the remaining 10% (.033 each) –Data that is located on laptops and desktops make up only 10% of total data because they are only used for collecting and processing. –The regional servers contain all other data. –Other assets are associated at 100% with their respective vulnerabilities. (e.g. laptops with laptops, desktops with desktops, etc.) The threshold for this matrix will be: –Not Relevant: 0 –Low: 0 < x <= 0.01 –Medium: 0.01 < x <= 0.05 –High: 0.05 < x < 1

54. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 54 Case Study Asset/Vulnerability Matrix, cont’d. Assets Vulnerabilities Transaction Revenue Data (Liability) LaptopsDesktopsRegional Servers HQ ServerAggregates (Impact) Input Asset Values  10,00010,000,0005,000,0003,000,000326,000126,000  asset value x vulnerability) Laptops 11300025,010,000 Desktops 11030019,010,000 Regional Servers 23003030,998,000 HQ Servers 200003398,000 Network Infrast. 20000020,000 Software 10000010,000 Customize matrix to assets & vulnerabilities applicable to case – Compute cost of each asset and put them in the value row – Determine correlation with vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High) – Compute the sum of product of vulnerability & asset values; add to impact column 0 – Not Relevant 1 – Low 2 – Medium 3 – High

55. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 55 Case Study Vulnerability/Threat Matrix The coefficients of this matrix are usually based on data from the literature, e.g., –if rate of failure of hardware is r f (per unit time) –the number of pieces of hardware is n then –the total number of failed components during a time period is r f *n –the fraction of hardware that fails is r f *n/n= r f For the current example we will assume data for illustration of the concept –Failure rate of laptops is.001 per day (i.e., one in a thousand laptops encounters hardware failure during a day) –Similarly failure rate of a desktop is.0002 (i.e. 2 in ten thousand desktops would encounter hardware failure in a given day. –Hardware failure can cause loss of software, however, our assumption is that all software is replaceable from backups

56. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 56 Case Study Vulnerability/Threat Matrix, cont’d. Vulnerabilities Threats LaptopsDesktopsRegional Servers HQ Servers Network Infrast. SoftwareAggregates (Threat Importance) Input Impact Aggregates  25,010,00019,010,00030,998,000398,00020,00010,000  impact value x threat value) Hardware Failure 211130100,486,000 Software Failure 222200150,832,000 Equipment Theft 321112144,486,000 Denial of Service 112200106,812,000 Viruses/Worms 222202150,852,000 Insider Attacks 221112119,476,000 Intrusion 222202150,852,000 Complete matrix based on the specific case –Add values from the Impact column of the previous matrix –Determine association between threat and vulnerability –Compute aggregate exposure values by multiplying impact and the associations and adding across vulnerabilities 0 – Not Relevant 1 – Low 2 – Medium 3 – High

57. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 57 Case Study Vulnerability/Threat Matrix, cont’d. –We assume that the hardware failure will disrupt the network once every one hundred days –There is 0.3 percent chance that software failure can lead to failure of desktops –We assume that there is a.01 chance of a laptop being stolen,.001 for a desktop, and.0002 for servers. –There is a very low chance that network equipment is stolen since it is kept in secure rooms (.0001) –When equipment is stolen some software may have been stolen as well –We assume that denial-of-service is primarily targeted at servers and not individual machines –We assume that the denial-of-service can disable machines as well as cause destruction of software –Insider attacks are primarily meant to exploit data & disable machines –We assume that the servers have less access thus are less vulnerable to insider attacks The threshold for this matrix will be: –Not Relevant: 0 –Low: 0 < x <= 0.001 –Medium: 0.001 < x <= 0.01 –High: 0.01 < x < 1

58. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 58 Case Study Threat/Control Matrix Some of these controls have threats associated with them. However, these are secondary considerations and we will be focusing on primary threats. We assume that IDS systems will control 30% of the DOS attacks, 30% of Viruses and Worms and 90% of intrusions –In addition, IDS systems do not impact insider attacks Anti-Virus Software will prevent 90% of Viruses and Worms. That upgrades to a firewall will greatly control (90% each) of DOS attacks, as well as Viruses and Worms. It will control 30% of intrusions, but not insider attacks. A redundant HQ server will control 10% of hardware failure (when the original HQ server fails). This is the same percentage for theft and insider attacks. Also, a redundant HQ server will help with 80% in cases of DOS attacks on the HQ server. Spare laptops will assist in cases of hardware failure and theft (30% because of volume).

59. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 59 Case Study Threat/Control Matrix, cont’d. We assume that warranties will help with 70% of both hardware failure and software failure. While it will assist with the cost of new hardware or software, will not reduce employee time. It is determined that insurance will be able to control 90% of impacts from the threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and Intrusion. Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft. Also, it is assumed that a security policy will assist with 20% of all threats since every policy can have procedures which can assist in prevention. Customize matrix based on the specific case –Add values from the threat importance column of the previous matrix –Determine impact of different controls on different threats –Compute the sum of the products of the threat importance by the impact of controls to determine values. The threshold for this matrix will be: –Not Relevant: 0 –Low: 0 < x <= 0.01 –Medium: 0.01 < x <= 0.05 –High: 0.05 < x < 1

60. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 60 Case Study Threat/Control Matrix, cont’d. Threats Controls Hardware Failure Software Failure TheftDenial of Service Viruses/ Worms Insider Attacks Intrusion Aggregates (Value of Control) Input Threat Importance Values  100,486,000150,832,000144,486,000106,812,000150,852,000119,476,000150,852,000  threat importance x impact of controls) Intrusion Detection 0000000 $967,884,000.00 Anti-Virus0000000 $452,556,000.00 Firewall Upgrades 0000000 $1,074,696,000.00 Redundant HQ Server 2222222 $684,884,000.00 Spare Laptops2222222 $489,944,000.00 Warranties0000000 $753,954,000.00 Insurance3333333 $2,017,434,000.00 Physical Controls 0000000 $433,458,000.00 Security Policy0000000 $923,796,000.00 0 – Not Relevant 1 – Low 2 – Medium 3 – High

61. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 61 Given the matrices and the example case provided, use this same methodology in application to determine the information security risk in your own organization. Case Study Assignment

62. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 62 Appendix

63. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 63 Qualitative Risk Analysis Summary Qualitative risk analysis involves using relative values of assets, threats, vulnerabilities to: – Determine the relative exposure of different assets of the organization – Determine the relative effectiveness of different controls The methodology developed here uses a series of matrices to collect the data on assets, vulnerabilities, threats and controls Data from the matrices is integrated to determine the relative importance of controls This approach is suitable when precise data for different elements is unavailable Most organizations start with a qualitative analysis and gradually migrate to a quantitative analysis

64. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 64 Qualitative Risk Analysis Summary Cont’d. Risk Aggregation: Optimization – simple formulation Cost Benefit Analysis LEVERAGE = (RISK EXPOSURE before reduction – RISK EXPOSURE after reduction ) ________________________________________________ COST OF REDUCTION Regression Testing –Used for comparing risk impact Monte Carlo Simulation – 1)Develop risk model, 2) Define the shape and parameters, 3)Run simulation, 4)Build histogram, 5)Compute summary statistics, 6)Perform sensitivity analysis, 7)Analyze potential dependency relationship

65. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 65 Acknowledgements Grants & Personnel Support for this work has been provided through the following grants –NSF 0210379 –FIPSE P116B020477 Damira Pon, from the Center of Information Forensics and Assurance contributed extensively by reviewing and editing the material Robert Bangert-Drowns from the School of Education provided extensive review of the material from a pedagogical view.