security risk analysis

Corso di Sicurezza e Privacy - 25 aprile 2023 1Dipartimento di Scienze - 25 aprile 2023

Pamela Peretti

Corso di Sicurezza e Privacymercoledì 7 novembre 2007

Security Risk Analysis

PhD student in Computer ScienceDipartimento di Scienze

Università degli Studi “G. d’Annunzio”Pescara

Corso di Sicurezza e Privacy - 25 aprile 2023 22

Il processo di risk management è l'insieme di attività coordinate per gestire un'organizzazione con riferimento ai rischi.Tipicamente include l'identificazione, la misurazione e la mitigazione delle varie esposizioni al rischio.

Risk Management Process


Risk Management Process

Il rischio è l'incertezza che eventi inaspettati possano manifestarsi producendo effetti negativi per l'organizzazione.


Risk Management ProcessIl rischio di Information Technology: il pericolo di interruzione di servizio, diffusione di informazioni riservate o di perdita di dati rilevanti archiviati tramite mezzi computerizzati.

Information Security Risk Management


1. Risk AssessmentIl processo di risk assessment è usato per determinare l'ampiezza delle potenziali minacce ad un sistema IT ed identificare tutte le possibili contromisure per ridurre o eliminare tali voci di rischio.

Vengono identificati: asset minacce vulnerabilità contromisure

Vengono determinati: impatto prodotto dalle minacce, fattibilità delle minacce, complessivo livello di rischio.


2. Risk MitigationNel processo di risk mitigation vengono analizzati le contromisure raccomandati dal team di assessment, e vengono selezionati e implementate le contromisure che presentano il miglior rapporto costi/benefici.


3. MonitoringAll'interno di grandi imprese i sistemi IT subiscono frequenti modifiche dovuti ad aggiornamenti, cambiamento dei componenti, modifica dei software, cambio del personale, ecc.

Mutano le condizioni del sistema, modificando anche gli effetti delle contromisure adottate.

approcci


ApprocciApprocci qualitativi

Analisi degli scenari che possono realizzarsi all’interno di un sistema. Lo scopo è quello di individuare le possibili minacce e il livello di rischio associato ad ogni risorsa che compone il sistema.

Attack tree

Indici economici

Approcci quantitativi Quantificazione di tutte le grandezze necessarie per una

valutazione dei rischi con l'obiettivo di determinare, attraverso l’uso di una serie d’indici, la convenienza economica di un investimento in sicurezza.


ApprocciApprocci qualitativi

Analisi degli scenari che possono realizzarsi all’interno di un sistema. Lo scopo è quello di individuare le possibili minacce e il livello di rischio associato ad ogni risorsa che compone il sistema.



analisi di uno scenario


A security scenario


Defence treesDefence trees are an extension of attack trees [Schneier00].

Attack tree: the root is an asset of an IT system paths from a leaf to the root represent attacks to the asset the non-leaf nodes can be:

and-nodes or-nodes

Defence tree: attack tree a set of countermeasures

root

and-nodes

or-nodes


Defence trees (example)

Steal datastored in a server

Stealing access

a1

Corrupting a user

$$$a2

Obtain root privileges




Exploit an on-line vulnerability

a3

Exploit a web server vulnerability

a4

Attack the system with a remote login

a1 a2




a5 a6

Go outunobserved

Access to the server’s room

a1 a2 a3 a4

Steal theserver




a1 a2 a3 a4 a5 a6


c11

c10

c13

c12

c7

c6

c9

c8

c2

c3

c1

c4

c5

c3


a1 a2 a3 a4 a5 a6


metodi di scelta


I prefer red wine to white wine if a meat dish is served.

20

Cp-netsConditional preference networks [Boutiliet99] are a graphical formalism to specify and representing conditional preference relations.

D

W

D is a parent of W: Pa(W)=D

Two variables: the dish D, the wine W.

preference

condition


Cp-nets (example)I prefer red wine to white wine

if a meat dish is served.

Df Wr

Df Ww

Dm Ww

Dm Wr

Less preferred

Most preferred

Dm Â Df

Dm Wr ÂWw

Df WwÂWr


Cp-nets can be used to model conditional preferences over attacks and countermeasures

Cp-nets on defence trees

A

C

a1 c1Â c2Â c3

a2 c5Â c3Â c4

a3 c6Â c7

a4 c8Â c9

a5 c11Â c10

a6 c13Â c12

a4Âa3Âa5Âa6Âa1Âa2

less dangerous…


Exploit an on-line vulnerability

a4 a3

…… more dangerous




less expensive…

Obtain root privileges stealing access

a1

:

Change the password periodically

c1 c2

Log out the pc after the use

c3

Add an identification token

A

C

a1 c1Â c2Â c3

a2 c5Â c3Â c4

a3 c6Â c7

a4 c8Â c9

a5 c11Â c10

a6 c13Â c12

a4Âa3Âa5Âa6Âa1Âa2

…more expensive


?c11

c10

c13

c12?c7

c6

c9

c8?

ÆÇ



c2

c3

c1

c4

c5

c3

A

C

a1 c1Â c2Â c3

a2 c5Â c3Â c4

a3 c6Â c7

a4 c8Â c9

a5 c11Â c10

a6 c13Â c12

a4Âa3Âa5Âa6Âa1Âa2Ç

a5 a6a3 a4a1 a2


An and-attack is an attack composed by a set of actions that an attacker has to successfully achieve to obtain his goal.

and-composition

?How to combine the preferences for the countermeasure associated to each attack action?


and-composition (example)

a

b

x Æ y Æ z

x a Â b Â c

y b Â c

z a Â b c

a

b

c

x

c

b

y

a

b

z

A countermeasure is preferred to another one if it is preferred in, at least, one of the partial orders.

A = {x,y,z}C = {a,b,c}

: a Â b Â c

and-composition


and-composition (example 2)

a

b

x Æ y

x a Â b

y c Â dc

a

b

x

d

c

y

We have also to consider the preferences over the value of the parent variable

A = {x,y}C = {a,b,c,d}

d

x Â y

: c Â d Â a Â b

and-composition


or-composition

?

An or-attack is an attack that can be performed with different and alternative actions: the attacker can complete successfully any of its actions to obtain his goal

How to combine the preferences associated to each action that compose the attack and determine sets of countermeasures?


or-composition (example)

x Ç y Ç z

a

b

c

x

c

a

y

a

b

z

a,b,c

b,c

a

a,b

a,c

x a Â b Â c

y c Â a

z a Â b

<b,a,a>

<b,c,b>

A = {x,y,z}C = {a,b,c}

b b a c a b

[b,c] [a,b]

<a,a,a> <a,a,b><a,c,a> <a,c,b><b,a,a> <b,a,b><b,c,a> <b,c,b><c,a,a> <c,a,b><c,c,a> <c,c,b>

[a][a,b] [a,c] [b,c][a,b,c]

or-composition


or-composition: example

c1 Æ c5

c3 Æ c4c1 Æ c3

c1 Æ c4

c2 Æ c5

c2 Æ c3 c2 Æ c4

c3 Æ c5

c3

c2

c3

c1

c4

c5

c3

a1 a2

a1 Ç a2


Approcci

32

Approcci qualitativi Analisi degli scenari che possono realizzarsi all’interno di un

sistema. Lo scopo è quello di individuare le possibili minacce e il livello di rischio associato ad ogni risorsa che compone il sistema.



indici


Indici: SLE

34

The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula:

where: the Asset Value (AV) is the cost of creation, development, support, replacement and ownership values of an asset, the Exposure Factor (EF) represents a measure of the magnitude of loss or impact on the value of an asset arising from a threat event.


Indici: ALE

35

The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula:

where: the Annualized Rate of Occurrence, (ARO) is a number that represents the estimated number of annual occurrences of a threat.


Indici: ROI

36

The Return on Investment (ROI) indicator can be computed by using the following formula:

where: RM is the risk mitigated by a countermeasure and represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability CSI is the cost of security investment that an enterprise must face for implementing a given countermeasure.


where: GI is the expected gain from the successful attack on the specified

target costa is the cost sustained by the attacker to succeed, costac is the additional cost brought by the countermeasure c

adopted by the defender to mitigate the attack a.

The Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses that he sustains due to the adoption of security measures by his target

Indici: ROA

scenari + indici


Etichettatura per ROI

39

SLEbAROb

RM3

Cost3

EFbAROb

RM4

Cost4RM5

Cost5

RM1

Cost1RM2

Cost2

EFdAROd

AV

EFeAROe

SLEeALEeSLEd

ALEd

A

B C

D E1

2

4

5

3


Etichettatura per ROA


A

B C

D E1

2

4

5

3

costb

GI

costc

RM3

costc,3RM4

costc,4RM5

costc,5

RM1

costb,1RM2

costb,2


Etichettatura

41


Stealing access

Corrupting a user

Change the password

periodically

Log out the pc after the

use

Add an identification

token


token

Distribute responsab.

among users

Motivate employees

Steal datastored in a

server


Exploit an on-line

vulnerability


Update the system

periodically

Separate the contents on the server

Use an antivirus software

Stop suspicious attachment

Steal the server


Go out unobserved

Install a security door

Install a safety lock

Install a video surveillance equipment

Employ a security guard


Etichettatura ROI

42


Stealing access

Corrupting a user

Change the password

periodically


use


token


token


among users

Motivate employees


server


Exploit an on-line

vulnerability


Update the system

periodically




Steal the server


Go out unobserve

d



Install a video survellaince equipment


AV=100.000 €

EF=100%ARO=0,09

SLE=90.000 €EF=100%

ARO=0,09

SLE=90.000 €

RM=60%CSI=500€

RM=10%CSI=100€

RM=80%CSI=3000€

RM=80%CSI=3000€

RM=50%CSI=15000€

RM=80%CSI=2000€

ROI=9.8

ROI=8

ROI=1.4

ROI=1.4

ROI=-0.7

ROI=2.6


Etichettatura ROA

43


Stealing access

Corrupting a user

Change the password

periodically


use


token


token


among users

Motivate employees


server


Exploit an on-line

vulnerability


Update the system

periodically




Steal the server


Go out unobserve

d



Install a video survellaince equipment


GI=30.000 €

RM=60%cost=1000€

RM=10%cost=500€

RM=80%cost=1.500€

RM=80%cost=1.500€

RM=50%cost=700€

RM=80%cost=2000€

Costa=3000 € Costb=10000 €

ROA=2

ROA=6.71

ROA=0.33

ROA=-0.48

ROA=0.40

ROA=0.50

varianti


Three novel indicators

Critical time

Retaliation

Collusion


Critical time


Exposure Factor during Critical Timeexpresses the influence that the criticality of a specific time instance plays on the EF .

Critical time


Annualized Rate of Occurrence, AROCT, is the rate of occurrence of an attack at a specific CTF per year. Single Loss Exposure, SLECT, is the cost of a single attack at a specific CTF:

Annualized Loss Expectancy, ALECT, is the cost per year of an attack at a specific CTF:

Return On Investment, ROICT, is the economic return of an enterprise's investment against an attack mounted at a specific CTF:

Critical time: the indicators


Retaliation


Exposure Factor under Retaliationexpresses the influence that the chance of retaliating an attack to an asset plays on the EF.

Retaliation


Annualized Rate of Occurrence, AROR, is the rate of occurrence per year of an attack that can be retaliated. Single Loss Exposure, SLER, is the cost of a single attack that can retaliated:

Annualized Loss Expectancy, ALER, is the cost per year of an attack that can be retaliated:

Return On Investment, ROIR, is the economic return of an enterprise's investment against an attack that can be retaliated:

Retaliation: the indicators


Collusion


Mitigated Risk against Collusionexpresses the influence that collusion of attackers plays on the MR (mitigated risk) as follows:

Collusion


The Return On Investment against Collusionis the economic return of an enterprise's investment against an attack mounted by one or more colluding attackers:

Collusion: the indicators

security risk analysis

Documents

corso di sicurezza

risk management linsieme

risk management processcorso

risk mitigationnel processo

risk assessmentil processo

possibili minacce

sistema it

voci di rischio