Information Security Threat Assessment
The C-I-A Triad
- Confidentiality (sensitivity, secrecy)
- Integrity (accuracy, authenticity, etc.)
- Availability (fault tolerance, recovery, etc.)
Two related properties usually listed alongside the triad:
- Authentication
- Non-Repudiation
Confidentiality refers to the need to keep information private or secret and to prevent its disclosure to those who do not need to see it.
Integrity is the notion that information should be complete and unaltered as it is used, and that any changes are made only by authorized people and are properly recorded.
Availability refers to the need to have information available for use when it is needed and in a usable form. These three items are often interrelated.
Authentication is the process of confirming or validating that something is the "real thing".
Non-repudiation is the ability to prove that the originator of the information did, in fact, send it; the sender cannot later deny having sent the information.
Basic Overview
- Value of information
- Threats
- Vulnerabilities
- Risk
- Risk Analysis
The Value of Information
- Information has value
- Value may be defined or perceived
- Value may change
- Value depends on the business model (the way the information is used)
- There are different reasons to target information: its value, its use, or its destruction
Threats
A threat is an activity that represents possible danger.
- Threats can come in different forms
- Threats can come from different places
- You cannot protect against all threats
- Protect against the most likely or most worrisome threats, in terms of:
  - Business mission
  - Data (integrity, confidentiality, availability)
The Concept of Threats and Threat Agents
Threat elements:
- Natural threats and accidents
- Malicious threats
Malicious threat agents are characterized by:
- Capability: the ability to mount and sustain an effective attack
- Motivation: political, secular, personal gain, religious, revenge, power, curiosity, etc.
- Access: physical or logical access to the target
- Catalyst: something that causes the threat agent to select the target
- Inhibitors: events, actions, countermeasures, etc. that prevent the threat agent from mounting an attack
- Amplifiers: events, actions, etc. that encourage a threat agent to mount an attack
Relationships of Malicious Threats
[Diagram: a threat agent's capability, motivation and access, acted on by catalysts, inhibitors and amplifiers, combine to produce a threat]
Threat Agents
- Nation-states
- Terrorists
- Pressure groups
- Commercial organizations
- Criminal groups
- Hacker groups
- Disaffected staff
Vulnerabilities
A vulnerability is a condition, weakness, or absence of security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
- Often analyzed in terms of missing safeguards
- Vulnerabilities contribute to risk because they allow a threat to harm a system
Classes of Vulnerabilities
- Hard vulnerabilities: bugs, misconfigurations, etc.
- Soft vulnerabilities:
  - Systems not configured to company policy
  - Lack of underlying policies, procedures, or configuration/change management
  - Insufficient logging
  - Company policies that go against best practices
Vulnerabilities
Vulnerabilities exist in:
- Hardware
- Software
- Infrastructure
- Processes
Vulnerabilities can be found in many different ways:
Known Vulnerabilities
- Design flaws
- Software development (SDLC)
- Innovative misuse
- Incorrect implementation
- Documentation
- Social engineering
Risk
- A potential for loss or harm
- An exposure to a threat
Risk is subjective:
- Dependent on situation and circumstances
- Impossible to measure fully
Concepts of Risk
Generalized risk model: the components of risk are
- Assets
- Threats
- Vulnerabilities
- Impacts
- Countermeasures
There are many types of risk analysis: qualitative, quantitative, and hybrid.
Simple risk analysis model: ALE = V × L, i.e. Annualized Loss Expectancy = Value of the Asset × Likelihood of the Threat. This is too simplistic for most practical uses.
Concepts of Risk - Definitions
- Assets: things to be protected (physical, logical, human)
- Threats: events with the potential to cause unauthorized access, modification, disclosure, or destruction of an asset
- Vulnerabilities: weaknesses in an asset or an associated countermeasure that can be exploited to realize a threat
- Impacts: the outcome of a threat acting upon a vulnerability; usually measured as monetary loss
- Countermeasures (safeguards): protective measures implemented to counter threats and mitigate vulnerabilities
- Risk: "the probability that a threat will exploit a particular set of vulnerabilities successfully" (Peltier); "the likelihood that a threat agent will successfully exploit a vulnerability to create an unwanted or adverse impact" (Jones)
- Exposure Factor (EF): the percentage of its value that a single specific asset would lose in one successful threat event
- Single Loss Expectancy (SLE): the dollar figure assigned to a single event: SLE = AV (Asset Value in $) × EF
- Annualized Rate of Occurrence (ARO): the estimated number of times per year the threat is expected to occur
- Annualized Loss Expectancy (ALE): the total estimated loss per year: ALE = SLE × ARO (equivalently AV × EF × ARO)
Handling Risk
- Eliminate it: remove the cause of the risk or decrease your vulnerability to it
- Minimize it
- Accept it
- Transfer it: insurance is an example
Common Risk Analysis Fallacies
- "Vulnerabilities = Risks". The truth: vulnerabilities = vulnerabilities. A vulnerability assessment or penetration test does not, by itself, identify or quantify risk.
- "Threats are not an element of risk". The truth: threats are (arguably) the most important element of risk.
- "Tools = Countermeasures". The truth: tools are just tools. Many countermeasures are administrative, or a combination of tools and administration. The best countermeasures are layered (defense in depth).
- "All risks must be mitigated". The truth: don't waste money protecting garbage. There is a valid concept of "acceptable risk".
Assessment
An assessment:
- Takes a security "snapshot" of a computing environment at a given point in time
- Evaluates the information security policies and procedures
- Establishes a baseline for operations
- Can be "formal" or "informal"
- Can be "quantitative" or "qualitative" in nature
A "formal" assessment tests adherence to the established security policies. An "informal" assessment does not test against policies, or is performed against a baseline of "best practices" where no security policy exists. A "quantitative" assessment uses measurement to give more weight to certain criteria and to make calculated measurements of the security posture. A "qualitative" assessment considers "soft" elements such as culture and goodwill, alongside "hard" vulnerabilities and best practices, to arrive at a judgment for action.
The Name Game
Risk assessments go by many names:
- Security baseline assessment
- Penetration study ("ethical hacking")
- Vulnerability scan
- Policy consulting
- Audits
Why use a Risk Assessment?
- To gauge the security posture of a given resource: a division, department, or organization
- To help justify the cost of security controls
- To understand shortcomings in the current technology environment
- To prepare for doing business on the Internet
Quantitative Characteristics
- Relies on statistical measurement for rationality
- Generally used in mature environments
- Security posture is "rated" based on a collection of weighted data findings
Qualitative Characteristics
- Subjective in nature
- Generally used in immature environments
- Interviews and observation are a key part of the assessment
- Recommendations are based on "best practices"
Audit vs. Assessment
An audit is a formal process used to measure the high-level aspects of an infrastructure's security from an organizational point of view.
- Limited in scope
- No low-level technical details
- Checklist-style methodology
Risk Based Audit Approach
Audit risk can be defined as the risk that the information or financial report contains a material error, or that the IS auditor fails to detect an error that has occurred. Its components:
- Inherent risk
- Control risk
- Detection risk
- Overall audit risk
Audit vs. Assessment
Security assessments are attempts to measure as many technical details of an infrastructure's security posture as possible.
- Less formal
- More detailed / broader in scope
- Considered an "art form"
Why use Quantitative?
- If your organization has implemented basic security countermeasures and wants to improve its posture
- If upper management responds well to presentations of findings based on numerical representation
- If statistically based facts will help "sell" security to executives
Why use Qualitative?
- If your security policy is brand new
- If your culture works well with "consulting"-type approaches
- If "best practices" can be used to sell upper management on the proper security controls
- If your expectations involve a shorter assessment cycle
Do Not use an Assessment...
- If your organization does not have a security policy defined
- If your organization is experiencing high turnover
- If upper management does not "sponsor" security expenditures
Network Security Assessment
Expected results:
- Identify security vulnerabilities
- Provide a corrective-action knowledge base
- Recommend corrective action
- Continuous "real-time" monitoring
- Repeatable and measurable
- Used to justify security controls to upper management
Basic Formula
Risk = (Threat × Vulnerability / Countermeasures) × Value
Asset Value × Exposure Factor = Single Loss Expectancy (SLE)
SLE × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
These formulas should be used as an aid to guide your thinking rather than as an absolute mathematical calculation.
RA Methodology Examples
- Qualitative: CRAMM, RAM-X, IAM, OSG
- Quantitative: Courtney, RAM-X
Representative Risk Analysis Methods
Courtney (quantitative):
- L = annualized loss expectancy
- i = impact rating
- f = threat frequency rating
- L = 10^(i + f - 3) / 3
CRAMM (qualitative), the "CCTA Risk Analysis and Management Methodology":
- Not mathematical; subjective
- Attempts to take a holistic view
- Gathers information through structured interviews
- Stage 1: establish the boundaries of the review (assets)
- Stage 2: establish the threat context
- Stage 3: establish the necessary countermeasures
Risk Management Cycle
[Diagram: a cycle around a central focal point: Assess Risk and Determine Needs (the initial entry point) -> Implement Policies and Controls -> Promote Awareness -> Monitor and Evaluate -> back to Assess Risk and Determine Needs]
Basic Risk Analysis Steps
1. Estimate potential losses to assets by determining their value(s)
2. Analyze potential threats to the assets
3. Define the Annualized Loss Expectancy (ALE)
10-Step Qualitative Risk Analysis Approach
1. Develop scope
2. Assemble team
3. Identify threats
4. Prioritize threats
5. Estimate impact priority
6. Calculate total threat impact
7. Identify safeguards
8. Cost-benefit analysis
9. Rank safeguards by priority
10. Write the report
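As an added worked example (not part of the original slides), the Python below ties together the deck's quantitative formulas (SLE = AV × EF, ALE = SLE × ARO) from the "Concepts of Risk" and "Basic Formula" slides with the cost-benefit and ranking steps (steps 8 and 9 above). The asset value, exposure factors, rates of occurrence, safeguard names and costs are constructed figures for illustration only. The net-benefit rule used here, (ALE before) minus (ALE after) minus (annual cost of the safeguard), is the standard cost-benefit test for a countermeasure; the deck names the step but does not spell out the rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one asset, in the deck's quantitative terms."""
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one event (0..1)
    aro: float              # annualized rate of occurrence (events/year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO (not AV x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure applied to one exposure.

    It may lower the exposure factor (reduce impact), the ARO (reduce the
    threat or the vulnerability), or both. annual_cost is its yearly cost,
    including any amortized purchase price.
    """
    name: str
    new_exposure_factor: float
    new_aro: float
    annual_cost: float


def net_benefit(exp: Exposure, sg: Safeguard) -> float:
    """Standard cost-benefit test: (ALE before - ALE after) - annual cost.

    A negative value means the safeguard costs more per year than the loss
    it prevents, i.e. the residual risk should be accepted (or transferred)
    rather than mitigated this way.
    """
    after = Exposure(exp.asset, exp.asset_value, sg.new_exposure_factor, sg.new_aro)
    return (exp.ale() - after.ale()) - sg.annual_cost


def rank_safeguards(exp: Exposure, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Step 9 of the 10-step approach: rank safeguards by net benefit, best first."""
    scored = [(sg.name, round(net_benefit(exp, sg), 2)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed example: a customer database valued at $2,000,000.
# A ransomware event is assumed to destroy 40% of its value (EF = 0.40)
# and to be expected once every five years (ARO = 0.20) before new controls.
CUSTOMER_DB = Exposure("customer database", 2_000_000, 0.40, 0.20)

# Constructed candidate safeguards with assumed effects and annual costs.
CANDIDATES = [
    Safeguard("offline backups", new_exposure_factor=0.05, new_aro=0.20, annual_cost=30_000),
    Safeguard("EDR + patching",  new_exposure_factor=0.40, new_aro=0.05, annual_cost=90_000),
    Safeguard("gold-plated DLP", new_exposure_factor=0.35, new_aro=0.18, annual_cost=120_000),
]

if __name__ == "__main__":
    print(f"SLE = ${CUSTOMER_DB.sle():,.0f}, ALE = ${CUSTOMER_DB.ale():,.0f}")
    for name, benefit in rank_safeguards(CUSTOMER_DB, CANDIDATES):
        verdict = "worth it" if benefit > 0 else "accept the risk instead"
        print(f"{name:16s} net benefit ${benefit:>10,.0f}  ({verdict})")
```

With these constructed numbers the baseline ALE is $160,000 per year; offline backups (cutting the impact) rank first at a net benefit of $110,000, EDR plus patching (cutting the frequency) second at $30,000, and the DLP product comes out negative, so under the deck's "acceptable risk" point it should not be bought on this exposure alone.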
The CRAMM Qualitative Method
- CRAMM analysis may be done using a packaged software application; the cost is about $4,200 plus about $1,200 per year in maintenance
- Interview-format tool with large databases of questions, threats, vulnerabilities, and impacts
- A qualitative approach that is useful both for risk analysis and for risk management
The CRAMM Qualitative Method - Risk Model
- Assets
- Threats
- Vulnerabilities
- Impacts: information disclosure; accidental or intentional destruction of data; data modification; denial of service
- Countermeasures: reduction of threat; reduction of vulnerability; reduction of impact; detection; recovery
- Risks: a risk arises when a threat is able to exploit a vulnerability in an important asset to cause an unacceptable impact
The CRAMM Qualitative Method - Stages
Three stages:
1. Establish scope (asset based)
2. Establish the threat context and vulnerabilities for the assets identified in stage 1; this identifies the security requirements for each relevant group of assets
3. Establish countermeasures; the output is a security plan. It is a good idea to perform a cost-benefit analysis in this stage, although this is not part of the formal CRAMM method
A baseline review approach curtails CRAMM activities in unimportant areas.
Courtney Quantitative Method
- Asset based
- Uses a loss expectancy formula: L = 10^(i + f - 3) / 3
- Impact categories: disclosure, modification, destruction, lack of availability
- Impact rating (i) is taken from an impact rating table
- Threat frequency rating (f) is taken from a threat frequency table
Courtney Impact Rating Table (i)
Impact ($)    Rating (i)
10            1
100           2
1,000         3
10,000        4
100,000       5
1,000,000     6
(i is the power of ten of the impact in dollars.)
Courtney Threat Frequency Table (f)
Frequency              Rating (f)
Once in 300 years      1
Once in 30 years       2
Once in 3 years        3
Once in 100 days       4
Once in 10 days        5
Once a day             6
10 times per day       7
100 times per day      8
Typical Courtney Collection Form
Asset Under Review: ________
Rows: Accidental and Deliberate, each split into Disclosure / Modification / Destruction; plus Exposure if unable to process for: 2 hours, 4 hours, 8 hours, 12 hours, 18 hours
Columns: i, f, L
Worked example for one row, i = 4, f = 3:
L = 10^(4 + 3 - 3) / 3 = 10^4 / 3 = 10,000 / 3 = $3,333
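As an added example (not from the slides), the following Python encodes the two Courtney rating tables and the loss formula from the slides above, reproduces the worked row (i = 4, f = 3 gives $3,333), and fills a form row from raw dollar and frequency estimates. The rounding of in-between values to the nearest table anchor is this example's own convention, since the deck gives only the anchor points, and the sample asset, category and estimates are constructed. It also makes explicit something the tables imply but do not state: the formula is impact × ARO with the ARO approximated as 10^(f - 3) / 3, so Courtney's L is an order-of-magnitude ALE.

```python
import math

# Courtney impact rating table (i): impact in dollars -> rating.
IMPACT_TABLE = {10: 1, 100: 2, 1_000: 3, 10_000: 4, 100_000: 5, 1_000_000: 6}

# Courtney threat frequency table (f): rating -> events per year.
# "Once in N years" is 1/N; the day-based rows use 365 days per year so
# that a raw frequency estimate can be compared against them.
FREQUENCY_TABLE = {
    1: 1 / 300,    # once in 300 years
    2: 1 / 30,     # once in 30 years
    3: 1 / 3,      # once in 3 years
    4: 365 / 100,  # once in 100 days
    5: 365 / 10,   # once in 10 days
    6: 365.0,      # once a day
    7: 3650.0,     # 10 times per day
    8: 36500.0,    # 100 times per day
}


def courtney_loss(i: int, f: int) -> float:
    """Courtney annualized loss expectancy: L = 10^(i + f - 3) / 3."""
    if i not in range(1, 7) or f not in range(1, 9):
        raise ValueError("i must be 1..6 and f must be 1..8")
    return 10 ** (i + f - 3) / 3


def impact_rating(dollars: float) -> int:
    """Map a dollar impact to the nearest Courtney rating.

    The table gives anchor points only ($10 = 1 ... $1,000,000 = 6); rounding
    to the nearest power of ten is this example's convention, clamped to 1..6.
    """
    if dollars <= 0:
        raise ValueError("impact must be positive")
    return min(6, max(1, round(math.log10(dollars))))


def frequency_rating(events_per_year: float) -> int:
    """Map a raw yearly frequency to the rating whose anchor is nearest on a
    log scale (again this example's convention for in-between values)."""
    if events_per_year <= 0:
        raise ValueError("frequency must be positive")
    target = math.log10(events_per_year)
    return min(FREQUENCY_TABLE, key=lambda r: abs(math.log10(FREQUENCY_TABLE[r]) - target))


def implied_aro(f: int) -> float:
    """The ARO the Courtney formula actually uses: 10^(f - 3) / 3.

    Since 10^i is the impact in dollars, L = impact x implied_aro(f). Comparing
    with FREQUENCY_TABLE shows this is exact for the 'once in N years' ratings
    and within about 10% for the day-based ones (it treats a year as 300 days).
    """
    return 10 ** (f - 3) / 3


def assess(asset: str, category: str, dollars: float, events_per_year: float) -> dict:
    """Fill one row of the collection form from raw impact and frequency estimates."""
    i, f = impact_rating(dollars), frequency_rating(events_per_year)
    return {"asset": asset, "category": category, "i": i, "f": f, "L": round(courtney_loss(i, f))}


if __name__ == "__main__":
    # The deck's worked example: i = 4, f = 3 -> $3,333.
    print(f"L(4, 3) = ${courtney_loss(4, 3):,.0f}")
    # Constructed row: an $8,000 impact expected about once every 2.5 years.
    print(assess("payroll file", "deliberate modification", 8_000, 0.4))
    for f in range(1, 9):
        print(f"f={f}: table {FREQUENCY_TABLE[f]:10.4f}/yr, formula {implied_aro(f):10.4f}/yr")
```

The constructed payroll row rates as i = 4, f = 3 and so lands on the same $3,333 as the slide's example, which illustrates the method's coarseness: anything between roughly $3,000 and $30,000 expected somewhere between once a year and once a decade collapses onto one value.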
NSA IAM
A qualitative project management framework.
[Diagram: three phases, Pre-Assessment, On-Site and Post-Assessment, covering pre-assessment contact, project coordination, data collection, analysis, recommendations and the final report]
RAM-X
- Put together by Sandia Labs along with the FBI, the military, the Corps of Engineers, and others
- Designed to be a quantitative measurement of the risks associated with critical infrastructure
RAM-X Formula
R = P_A × C × (1 - P_E)
- P_A = likelihood of attack (the output of the threat analysis)
- C = consequence of losing the critical asset, normalized so that C < 1
- P_E = security system effectiveness, a probability with P_E < 1, so (1 - P_E) is the chance the system fails to stop the attack
OSG
OSG developed a way to combine qualitative and quantitative methods through its "Thessaly" framework:
- Current state
- Desired state
- Gap analysis
- Solution recommendations
- Security maturity grid