Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.


1 Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.
Unit Outline: Information Security Risk Assessment
Module 1: Introduction to Risk
Module 2: Definitions and Nomenclature
Module 3: Security Risk Assessment
Module 4-5: Methodology and Objectives
Module 6: Case Study
Module 7: Summary

2 Module 3: Security Risk Assessment

3 Security Risk Assessment: Learning Objectives
Students should be able to:
–Define security risk assessment
–Understand and choose between assessment types
–Describe the types of risk reduction
–Identify the factors of effective security
–Understand the limitations of security risk assessment

4 Security Risk Assessment: Overview
Definition
–Security risk assessment identifies existing IT vulnerabilities and recommends countermeasures for mitigating potential risks
Goal
–Make the infrastructure more secure
–Identify risks and reduce them
Consequences of Failure
–Loss of services
–Financial loss
–Loss of reputation
–Legal consequences

5 Security Risk Assessment: Types
Non-Intrusive
1. Security Audit
2. Vulnerability Assessment
3. Risk Analysis
Intrusive
1. Vulnerability Scan
2. Penetration Testing (Ethical Hacking)
All have the goal of identifying vulnerabilities and improving security
–They differ in the rules of engagement and in the limited purpose of the specific engagement (what is allowed, legal liability, purpose of the analysis, etc.)

6 Security Risk Assessment: Non-Intrusive 1. Security Audit
Security Audit: independent review and examination of system records and activities to determine the adequacy of system controls, ensure compliance with security policy and operational procedures, detect breaches in security, and recommend changes in these processes. [1]
Features
–Formal Process
–Paper Oriented (review policies for compliance and best practices)
–Review System Configurations (questionnaire or console based)
–Automated Scanning
–Checklists
[1] http://www.atis.org/tg2k/_security_audit.html

7 Security Risk Assessment: Non-Intrusive 2. Vulnerability Assessment
Vulnerability Assessment is:
–the determination of the state of risk associated with a system, based upon thorough analysis
–includes recommendations to support subsequent security controls/decisions
–takes into account business as well as legal constraints
Involves more testing than a traditional paper audit
Primarily required to identify weaknesses in the information system
Steps
–Identify security holes in the infrastructure
–Look at, but do not intrude into, the systems
–Focus on best practices (company policy is secondary)

8 Security Risk Assessment: Non-Intrusive 3. Risk Analysis
Risk Analysis: identification or study of:
–an organization's assets
–threats to these assets
–the system's vulnerability to the threats
Risk analysis is done in order to determine the exposure of the assets and the potential loss.
Computationally intensive and requires data to:
–Compute probabilities of attack
–Value the assets
–Estimate the efficacy of the controls
More cumbersome than an audit or an assessment, and usually requires an analytically trained person
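The three data inputs named above (attack probability, asset valuation, control efficacy) combined into a small quantitative risk analysis, as an added example that is not part of the slides; the inventory figures and control names (such as "WAF") are constructed, and exposure is modelled as value x P(attack) x (1 - efficacy) with independent controls:

```python
"""Quantitative risk analysis over a constructed asset/threat inventory.

Exposure = asset value x annual probability of attack x (1 - control efficacy),
with several controls treated as independent. All figures are sample data."""
from dataclasses import dataclass, field


@dataclass
class Exposure:
    asset: str
    threat: str
    value: float                       # valuation of the asset
    p_attack: float                    # annual probability the attack is attempted
    controls: dict = field(default_factory=dict)  # control name -> efficacy in [0, 1]

    def residual_probability(self) -> float:
        # The attack succeeds only if every control in place fails.
        p = self.p_attack
        for efficacy in self.controls.values():
            p *= 1.0 - efficacy
        return p

    def expected_loss(self) -> float:
        return self.value * self.residual_probability()


def rank_exposures(inventory):
    """(asset, threat, expected annual loss) tuples, highest loss first."""
    rows = [(e.asset, e.threat, e.expected_loss()) for e in inventory]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def control_net_benefit(exposure, name, efficacy, annual_cost):
    """Expected loss avoided per year by adding one control, minus its cost."""
    hardened = Exposure(exposure.asset, exposure.threat, exposure.value,
                        exposure.p_attack, {**exposure.controls, name: efficacy})
    return exposure.expected_loss() - hardened.expected_loss() - annual_cost


# Constructed sample inventory (asset, threat, value, P(attack), controls).
INVENTORY = [
    Exposure("customer database", "SQL injection", 500_000, 0.30, {"input validation": 0.8}),
    Exposure("web server", "defacement", 50_000, 0.50),
    Exposure("file server", "ransomware", 200_000, 0.20, {"offline backups": 0.9, "EDR": 0.5}),
]

if __name__ == "__main__":
    for asset, threat, loss in rank_exposures(INVENTORY):
        print(f"{asset:18} {threat:14} expected loss {loss:>10,.0f}")
    print("net benefit of WAF:", control_net_benefit(INVENTORY[1], "WAF", 0.7, 10_000))
```

A positive net benefit means the control removes more expected loss than it costs; ranking by expected loss shows that the least-protected asset is not necessarily the most exposed one.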

9 Security Risk Assessment: Various Types
                Vulnerability Assessment | Risk Analysis | Security Audit
Objective:      Baseline | Determine Exposure and Potential Loss | Measure against a Standard
Method:         Qualitative (Intrusive & non-intrusive) | Quantitative & Qualitative (non-intrusive) | Qualitative (Audit Program/Checklists)
Deliverables:   Gaps and Recommendations | Identification of Assets, Threats, Vulnerabilities & suggested controls | Audit Report
Performed by:   Internal or External Auditors
Value:          Identification of Weaknesses | Weakness Assessment & Strategy Development | Compliance

10 Security Risk Assessment: How to Choose
Security audit, vulnerability assessment and risk analysis have similar goals. The method is selected based on
–Organizational Objectives
–Available Resources
–Time Horizon
Process
–Capability Matrix
–Resource Matrix
–Cost/Asset Analysis
In general the cost of the analysis should not be more than the perceived benefits

11 Security Risk Assessment: How to Choose: Capability Matrix
The capability matrix matches the methods to their capabilities
–Expand the matrix to include all the requirements of the organization
–Match the capabilities to the requirements
Capability/Method (columns: Assessment, Analysis, Audit)
–Baseline: x x
–Compliance: x x
–Protection of Assets: x
–Security Strategy: x x x

12 Security Risk Assessment: How to Choose: Resource Matrix
The resource matrix matches the resources available to the resources required
–Data, Manpower
Organizations differ in the resources required (and available) based on their specific needs
Resource (columns: Assessment, Analysis, Audit)
–Data Required: x x
–Internal Staff: x x
–External Staff: x x x
–Data Available: x x x
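The two-matrix selection procedure (capability matrix, then resource matrix, as also used in the case solutions later in the deck) as an added example that is not from the slides; the matrix marks below are illustrative assumptions, since the column positions of the x marks did not survive extraction, and the case inputs are constructed:

```python
"""Selecting an assessment method with the capability and resource matrices.

Matrix contents are illustrative assumptions (the slides' column positions
did not survive extraction); the matching rule is the point: a method fits a
case when it provides every capability the case needs and every resource it
requires is one the case has available."""
METHODS = ("Assessment", "Analysis", "Audit")

# Capability matrix: capability -> methods marked 'x' for it (assumed marks).
CAPABILITY = {
    "Baseline":             {"Assessment", "Audit"},
    "Compliance":           {"Analysis", "Audit"},
    "Protection of Assets": {"Analysis"},
    "Security Strategy":    {"Assessment", "Analysis", "Audit"},
}

# Resource matrix: resource -> methods that require it (assumed marks).
RESOURCE = {
    "Data Required":  {"Analysis", "Audit"},
    "Internal Staff": {"Assessment", "Audit"},
    "External Staff": {"Assessment", "Analysis", "Audit"},
}


def choose_methods(needed_capabilities, available_resources):
    """Return (fitting methods, reasons each other method was rejected).

    The reasons tell the analyst which requirement to relax or which
    resource to acquire when nothing fits."""
    chosen, rejected = [], {}
    for method in METHODS:
        missing = sorted(c for c in needed_capabilities if method not in CAPABILITY[c])
        lacking = sorted(r for r, needs in RESOURCE.items()
                         if method in needs and r not in available_resources)
        if missing or lacking:
            rejected[method] = {"missing capabilities": missing, "lacking resources": lacking}
        else:
            chosen.append(method)
    return chosen, rejected


if __name__ == "__main__":
    # Constructed case: needs a baseline and a security strategy, has internal
    # and external staff but no usable data yet.
    fits, why = choose_methods({"Baseline", "Security Strategy"},
                               {"Internal Staff", "External Staff"})
    print("fits:", fits)
    for method, reason in why.items():
        print(f"rejected {method}: {reason}")
```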

13 Security Risk Assessment: Intrusive 1. Vulnerability Scan
Definition
–Scan the network using automated tools to identify security holes in the network
Usually a highly automated process
–Fast and cheap
Limitations
–False findings
–System disruptions (due to improperly run tools)
Differences between regular scans can often identify new vulnerabilities
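Differencing two regular scan runs, with a reviewed false-positive list so that the "false findings" limitation does not keep resurfacing the same items, as an added example that is not from the slides; the scan exports and hosts are constructed sample data in a simple host,port,title line format:

```python
"""Differencing two vulnerability scan runs to surface new findings.

Sample results are constructed; a real scanner export would be parsed into
the same (host, port, title) tuples. Findings a reviewer already confirmed as
false positives are reported separately instead of as new work."""
from collections import namedtuple

Finding = namedtuple("Finding", "host port title")


def parse_csv_lines(lines):
    """Parse constructed 'host,port,title' lines into a set of Findings."""
    findings = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, title = (f.strip() for f in line.split(",", 2))
        findings.add(Finding(host, int(port), title))
    return findings


def diff_scans(previous, current, known_false_positives=frozenset()):
    """Return (new, resolved, suppressed) sets between two scan runs."""
    new = current - previous
    resolved = previous - current
    suppressed = {f for f in new if f in known_false_positives}
    return new - suppressed, resolved, suppressed


# Constructed sample exports from two weekly scans.
LAST_WEEK = """
10.0.0.5,22,SSH weak MAC algorithms enabled
10.0.0.5,443,TLS 1.0 enabled
10.0.0.9,80,Outdated web server banner
"""
THIS_WEEK = """
10.0.0.5,22,SSH weak MAC algorithms enabled
10.0.0.9,80,Outdated web server banner
10.0.0.9,8080,Default admin credentials
10.0.0.12,445,SMB signing not required
"""
# Finding confirmed as a false positive in an earlier manual review.
FALSE_POSITIVES = frozenset({Finding("10.0.0.12", 445, "SMB signing not required")})

if __name__ == "__main__":
    new, gone, skip = diff_scans(parse_csv_lines(LAST_WEEK.splitlines()),
                                 parse_csv_lines(THIS_WEEK.splitlines()), FALSE_POSITIVES)
    for label, group in (("NEW", new), ("RESOLVED", gone), ("SUPPRESSED", skip)):
        for f in sorted(group):
            print(f"{label:10} {f.host}:{f.port} {f.title}")
```

The "resolved" set is worth reviewing as well: a finding that disappears without a fix may mean a host was offline or the scan was misconfigured rather than that the weakness is gone.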

14 Security Risk Assessment: Intrusive 2. Penetration Testing
Definition (Ethical Hacking)
–Simulated attacks on computer networks to identify weaknesses in the network
Steps
–Find a vulnerability
–Exploit the vulnerability to get deeper access
–Explore the potential damage that the hacker can cause
Example
–Scan web server: exploit buffer overflow to get account
–Scan database (from web server)
–Find weakness in database: retrieve password
–Use password to compromise firewall

15 Security Risk Assessment: Risk Reduction
Three strategies for risk reduction:
Avoiding the risk
–by changing requirements for security or other system characteristics
Transferring the risk
–by allocating the risk to other systems, people, organizations or assets, or by buying insurance
Assuming the risk
–by accepting it and controlling it with available resources

16 Security Risk Assessment: Effective Security
Effective security relies on several factors
–Security Risk Assessments
–Policies & Procedures
–Education (of IT staff, users, & managers)
–Configuration Standards/Guidelines
    OS Hardening
    Network Design
    Firewall Configuration
    Router Configuration
    Web Server Configuration
–Secure Coding Practices

17 Security Risk Assessment: Limitations
Often locates previously known issues
–Provides a false sense of security
Just the first step
–Needs due diligence in applying the recommendations of the assessment
Becomes obsolete rapidly
–Needs to be repeated periodically

18 What is Security Risk Assessment? Case
Consider the three cases that are provided to you and determine the type of security analysis approach you would choose. A worksheet is provided with the matrices that you can fill out. An example solution is in the following slides.

19 Solution

20 Security Risk Assessment: Small Business Case
The Natural Soap case has been given the following assessment in the capability and resource matrices:
Capability/Method (columns: Assessment, Analysis, Audit, Case)
–Baseline: x x x
–Compliance: x x
–Protection of Assets: x
–Security Strategy: x x x x
Resource (columns: Assessment, Analysis, Audit, Case)
–Data Required: x x x
–Internal Staff: x x x
–External Staff: x x
–Data Available: x x x x

21 Security Risk Assessment: Large Corporation Case
The GE Energy case has been given the following assessment in the capability and resource matrices:
Capability/Method (columns: Assessment, Analysis, Audit, Case)
–Baseline: x x
–Compliance: x x x
–Protection of Assets: x
–Security Strategy: x x x x
Resource (columns: Assessment, Analysis, Audit, Case)
–Data Required: x x
–Internal Staff: x x x
–External Staff: x x x
–Data Available: x x x x

22 Security Risk Assessment: Government Agency Case
The State Agency case has been given the following assessment in the capability and resource matrices:
Capability/Method (columns: Assessment, Analysis, Audit, Case)
–Baseline: x x x
–Compliance: x x x
–Protection of Assets: x x
–Security Strategy: x x x x
Resource (columns: Assessment, Analysis, Audit, Case)
–Data Required: x x x
–Internal Staff: x x x
–External Staff: x x x
–Data Available: x x x x

23 Security Risk Assessment: Summary
Security risk assessment is the process of identifying vulnerabilities in order to determine controls, and can be intrusive or non-intrusive. Intrusive methods involve actual testing of the system (e.g. vulnerability scanning and penetration testing). Non-intrusive methods are security audit, risk analysis, and vulnerability assessment. To determine when to use a particular non-intrusive method, it is important to consider the goals of the assessment as well as the resources necessary.
