205 - Information Security and Cryptography (source: wiki.computing.hct.ac.uk/_media/computing/fdsc/...)
Risk Management for Systems Security
205 - Information Security and Cryptography
Areas of IT Risk
Information Security Risk
• Information security risk analysis, or risk assessment, is fundamental to the security of any organisation.
• Information security in any system should be commensurate with its risks. However, the process of deciding which security controls are appropriate and cost-effective is often complex and sometimes subjective.
• It is essential that controls and expenditure are fully commensurate with the risks to which the organisation is exposed.
Questions to ask!
• What are the resources that need protecting?
• What is the value of those resources, monetary or otherwise?
• What are all the possible threats that those resources face?
• What is the likelihood of those threats being realized?
• What would be the impact of those threats if they were realized?
Information Asset Definition
Information assets are the physical, hardware, software, data, communications, administrative and personnel resources of a computing system that, once compromised, would expose sensitive, undisclosed system information to the threat agent.
Defining Risk
The term risk is used to describe the possibility of a threat taking advantage of an asset's vulnerability.
Risk Management
• Risk assessment: identify and analyse risks
• Risk control: reduce risks, provide contingency
Defining Risk Management
Risk management is the process of
– establishing and maintaining information system security within an organisation
– identifying and managing opportunities and threats
Risk Management Approaches
• Quantitative Approach – employs two fundamental elements:
• the probability of an event occurring
• the likely loss should it occur
– requires probabilities, which are rarely precise
– so the resulting figures may be unreliable and inaccurate
– a time-consuming and expensive exercise
• Qualitative Approach – the most widely used approach to risk analysis (e.g. COBRA)
– does not depend on numeric probabilities, so it carries no spurious precision
– uses the interrelated elements of threats, vulnerabilities and controls
– based on expert knowledge
– parameters are: high, medium, low
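A worked example of the quantitative approach, added here as an illustration and not part of the slides. It computes the expected annual loss as probability times likely loss, scores candidate controls by the loss they avert against what they cost (so that expenditure stays commensurate with the risk), and then re-runs the decision across a range of probability estimates to make the slide's caveat concrete: because the probability is rarely precise, an equally defensible estimate can change the answer. The scenario, the figures and the control names are constructed for the example.

```python
"""Quantitative risk analysis worked example (added; not from the slides).

expected annual loss = probability of the event per year x likely loss if it occurs
A control is worth buying only when the loss it averts exceeds what it costs.
All asset values, probabilities and control costs are constructed illustrations.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_if_occurs: float      # the likely loss should the event occur (GBP)
    annual_probability: float  # expected occurrences per year (may exceed 1 for frequent events)

    def expected_annual_loss(self) -> float:
        return self.loss_if_occurs * self.annual_probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float  # fraction of occurrences the control prevents (0..1)
    loss_reduction: float = 0.0   # fraction of the loss averted when an event still occurs


def residual_scenario(s: Scenario, c: Control) -> Scenario:
    """The scenario as it looks once the control is in place."""
    return replace(
        s,
        annual_probability=s.annual_probability * (1.0 - c.probability_reduction),
        loss_if_occurs=s.loss_if_occurs * (1.0 - c.loss_reduction),
    )


def net_benefit(s: Scenario, c: Control) -> float:
    """Expected loss averted per year minus the control's running cost."""
    averted = s.expected_annual_loss() - residual_scenario(s, c).expected_annual_loss()
    return averted - c.annual_cost


def recommend(s: Scenario, controls: list[Control]) -> str:
    """Name of the control with the largest positive net benefit,
    or 'accept' when no control pays for itself."""
    best = max(controls, key=lambda c: net_benefit(s, c), default=None)
    if best is None or net_benefit(s, best) <= 0.0:
        return "accept"
    return best.name


def sensitivity(s: Scenario, controls: list[Control], probabilities: list[float]) -> dict[float, str]:
    """Re-run the recommendation for several defensible probability estimates.
    This is the slide's caveat made concrete: the probability is rarely precise,
    and the decision can change with an equally plausible estimate."""
    return {p: recommend(replace(s, annual_probability=p), controls) for p in probabilities}


# Constructed scenario: ransomware encrypting the customer database.
RANSOMWARE = Scenario("ransomware on customer DB", loss_if_occurs=200_000.0, annual_probability=0.10)
CONTROLS = [
    Control("offline backups", annual_cost=8_000.0, probability_reduction=0.0, loss_reduction=0.75),
    Control("EDR on all endpoints", annual_cost=30_000.0, probability_reduction=0.80),
]

if __name__ == "__main__":
    print(f"expected annual loss: {RANSOMWARE.expected_annual_loss():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(RANSOMWARE, c):,.0f}/year")
    print("recommendation at p=0.10:", recommend(RANSOMWARE, CONTROLS))
    print("sensitivity:", sensitivity(RANSOMWARE, CONTROLS, [0.02, 0.10, 0.30]))
```

With the constructed figures the backups pay for themselves at the central estimate (net benefit 7,000 a year) while the endpoint agent does not (net benefit -14,000), but at a one-in-fifty estimate of the annual probability neither control is worth its cost and the recommendation becomes to accept the risk. That swing is the point of the sensitivity run: present the range, not just the central figure.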
Risk Management Approaches
• Knowledge-Based Approach:
– based on reusing "best practice" from similar systems
– limitation: the reused knowledge can be obsolete
• Model-Based Approach:
– based on object-oriented (OO) modelling
– describes the target of assessment at the right level of abstraction
– brings together all stakeholders
Problems of Measuring Risk
• Businesses wish to measure in money, but many of the entities don't permit this
– Valuation of assets
• Value of data and in-house software: no market value
• Value of goodwill and customer confidence
– Likelihood of threats
• How relevant is past data to the calculation of future probabilities?
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security measures
Risk vs Threat
• Reference point
– Risk: you examine the system
– Threat: you examine the environment around it
• Impact
– A major threat may correspond, in the context of the business, to only a minor risk
• Relationship
– Risks and threats do not have a one-to-one relationship. Some threats contribute to more than one risk, and some risks have properties that are not directly related to individual threats.
Risk Analysis Framework
• Analysis: Assets, Threats, Vulnerabilities → Risks
• Control: Risks → Security Measures
Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
– Their impact on assets has been valued
• All vulnerabilities have been identified and assessed
Risk Analysis Steps
1. Decide on scope of analysis – Set the system boundary
2. Identification of assets & business processes
3. Identification of threats and valuation of their impact on assets
4. Identification and assessment of vulnerabilities to threats
5. Risk assessment
1. Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
– It will rarely be the computer!
• Make explicit assumptions about the security of neighbouring domains
– Verify them!
2. Risk Analysis - Identification of Assets
• Hardware
• Software: purchased or developed programs
• Data
• Users
• Documentation: manuals, admin procedures
• Supplies: paper, printer cartridges, pens, etc
• Money
• Intangibles
– Goodwill
– Reputation
3. Risk Analysis – Impact Valuation
Identification and valuation of threats for assets
• Identify threats, e.g. for stored data
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (denial of service)
• For many asset types the only threat is loss of availability
• Assess the impact of each threat in levels, e.g. H-M-L
– This gives the valuation of the asset in the face of the threat
4. Risk Analysis – Process Analysis
• Every company or organisation has some processes that are critical to its operation
• The criticality of a process may increase the impact valuation of one or more of the assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets
5. Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline system
– For risk analysis of an existing system
• The existing system with its known security measures and weaknesses
– For development of a new system
• The security facilities of the envisaged software, e.g. Windows NT
• Standard good practice, e.g. BS 7799 recommendations of good practice
5. Risk Analysis – Vulnerabilities 2
• For each threat
– Identify vulnerabilities
• i.e. how the threat could be exploited successfully
– Assess levels of likelihood (High, Medium, Low) of
• an attempt being made
– Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
• successful exploitation of the vulnerability
– Combine them into an overall likelihood for the threat
6. Risk Assessment & Response
• You should now have all the information needed to produce the risk assessment
• Responses to risk
– Avoid it completely by withdrawing from an activity
– Accept it and do nothing
– Reduce it with security measures
Example
• Asset:
– Internal mailbox of Bill Gates
• Risk impact estimate examples:
– Risk of loss: Medium impact
– Risk of access by staff: High impact
– Risk of access by the press: Catastrophic impact
– Risk of access by a competitor: High impact
– Risk of Bill temporarily losing access: Low impact
– Risk of change of content: Medium impact
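The following added example (not from the slides) carries the mailbox example through the qualitative steps above: each threat keeps the impact level from the slide, gets an assumed likelihood of an attempt and of successful exploitation (the "Vulnerabilities 2" slide says to assess both and combine them), and is then mapped to one of the three responses from "Risk Assessment & Response". The combination rule (an incident needs both an attempt and a successful exploit, so the combined likelihood is the lower of the two), the score thresholds, the response policy and the likelihood values are all assumptions made for illustration; the last step shows the re-rating once a security measure lowers the chance of successful exploitation, which is what "reduce it with security measures" means in practice.

```python
"""Qualitative (H/M/L) risk rating and response selection (added; not from the slides).

Impact levels below come from the slide's mailbox example; the attempt and
success likelihoods, the combination rule, the score thresholds and the
response policy are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CATASTROPHIC = 4  # used for impact only


@dataclass(frozen=True)
class ThreatAssessment:
    threat: str
    impact: Level   # valuation of the asset in the face of this threat
    attempt: Level  # likelihood that an attempt is made (expensive attacks rate lower)
    success: Level  # likelihood that an attempt exploits a vulnerability

    def likelihood(self) -> Level:
        """An incident needs both an attempt and a successful exploit, so the
        combined likelihood is capped by the weaker of the two (assumed rule)."""
        return min(self.attempt, self.success)


def score(a: ThreatAssessment) -> int:
    """Assumed ordinal product: likelihood (1..3) x impact (1..4)."""
    return int(a.likelihood()) * int(a.impact)


def rating(a: ThreatAssessment) -> str:
    """Assumed thresholds on the score."""
    s = score(a)
    if s >= 8:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"


def response(a: ThreatAssessment) -> str:
    """Assumed policy over the slide's three responses: accept low risks,
    reduce the rest with security measures, and withdraw from the activity
    (avoid) when a high risk carries catastrophic impact."""
    r = rating(a)
    if r == "Low":
        return "accept"
    if r == "High" and a.impact == Level.CATASTROPHIC:
        return "avoid"
    return "reduce"


def with_control(a: ThreatAssessment, success: Level) -> ThreatAssessment:
    """Re-assess after a security measure lowers the chance of successful exploitation."""
    return replace(a, success=success)


def assess(assessments: list[ThreatAssessment]) -> list[tuple[str, str, str]]:
    """(threat, rating, response) for each entry in the risk register."""
    return [(a.threat, rating(a), response(a)) for a in assessments]


# Constructed register for the slide's asset: the internal mailbox.
MAILBOX = [
    ThreatAssessment("loss of the mailbox", Level.MEDIUM, Level.MEDIUM, Level.MEDIUM),
    ThreatAssessment("access by staff", Level.HIGH, Level.HIGH, Level.MEDIUM),
    ThreatAssessment("access by the press", Level.CATASTROPHIC, Level.HIGH, Level.MEDIUM),
    ThreatAssessment("access by a competitor", Level.HIGH, Level.HIGH, Level.HIGH),
    ThreatAssessment("temporary loss of access", Level.LOW, Level.HIGH, Level.HIGH),
    ThreatAssessment("change of content", Level.MEDIUM, Level.LOW, Level.MEDIUM),
]

if __name__ == "__main__":
    for threat, r, resp in assess(MAILBOX):
        print(f"{threat:28s} {r:7s} -> {resp}")
    press = MAILBOX[2]
    hardened = with_control(press, Level.LOW)  # e.g. strong access control on the mailbox
    print(f"press access after control: {rating(hardened)} -> {response(hardened)}")
```

Note that the catastrophic-impact threat (access by the press) is the only one that lands on "avoid", and that a single control moving its success likelihood from Medium to Low drops it to a Medium risk that can be reduced rather than avoided. That is the trade-off a qualitative matrix makes visible without any probability estimates, at the cost of the rule and thresholds being a judgement call rather than a measurement.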
Some examples of UK real life risks
• Chances are your death will be by:
– being shot by a stranger… 1 in 22,500
– drowning in the bath… 1 in 17,500
– plane crash… 1 in 800,000
– car accident… 1 in 300
– suicide… 1 in 160
– accidental fall… 1 in 150
– cancer… 1 in 4
• This year in England and Wales:
– 130,000 will die of heart disease
– 24 due to adverse weather conditions
– 1 from lightning
Questions