Information Security Threat Assessment
The C-I-A Triad
Confidentiality (sensitivity, secrecy)
Integrity (accuracy, authenticity, etc.)
Availability (fault tolerance, recovery, etc.)
Authentication
Non-Repudiation
Basic Overview
Value of information
Threats
Vulnerabilities
Risk
Risk Analysis
The Value of Information
Information has value
May be defined or perceived
Value may change
Business model (the way the information is used)
Different reasons to target information
– Value
– Use
– Destruction
Threats
Activity that represents possible danger
Can come in different forms
Can come from different places
Can’t protect from all threats
Protect against the most likely or most worrisome, such as threats to:
– Business mission
– Data (integrity, confidentiality, availability)
The Concept of Threats and Threat Agents
Threat elements
– Natural threats and accidents
– Malicious threats
Malicious threat agents
– Capability: ability to mount and sustain an effective attack
– Motivation: political, secular, personal gain, religious, revenge, power, curiosity, etc.
– Access: physical or logical access to the target
– Catalyst: something that causes the threat agent to select the target
– Inhibitors: events, actions, countermeasures, etc. that prevent the threat agent from mounting an attack
– Amplifiers: events, actions, etc. that encourage a threat agent to mount an attack
Relationships of Malicious Threats
[Diagram: a threat agent with capability, motivation and access, acted on by inhibitors, amplifiers and catalysts, gives rise to a threat]
Threat Agents
Nation-states
Terrorists
Pressure groups
Commercial organizations
Criminal groups
Hacker groups
Disaffected staff
Vulnerabilities
A condition, weakness, or absence of security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
Often analyzed in terms of missing safeguards
Contribute to risk because they allow a threat to harm a system
Classes of Vulnerabilities
Hard vulnerabilities
– Bugs
– Misconfigurations, etc.
Soft vulnerabilities
– Systems not configured to company policy
– Lack of underlying policies, procedures or configuration/change management
– Insufficient logging
– Company policies go against best practices
Vulnerabilities
Hardware
Software
Infrastructure
Processes
Known Vulnerabilities
Design Flaws
Software Development (SDLC)
Innovative Misuse
Incorrect Implementation
Documentation
Social Engineering
Risk
A potential for loss or harm
An exposure to a threat
Risk is subjective
Dependent on situation and circumstances
Impossible to fully measure
Concepts of Risk
Generalized risk model – components of risk
– Assets
– Threats
– Vulnerabilities
– Impacts
– Countermeasures
Many types of risk analysis
– Qualitative
– Quantitative
– Hybrid
Simple risk analysis model
– ALE = V × L
– Annualized Loss Expectancy = Value of the Asset times Likelihood of the Threat
– Too simplistic for most practical uses
Concepts of Risk - Definitions
Assets
– Things to be protected: physical, logical, human
Threats
– Events with the potential to cause unauthorized access, modification, disclosure or destruction of an asset
Vulnerabilities
– Weaknesses in an asset or associated countermeasure that can be exploited to realize a threat
Impacts
– Outcome of a threat acting upon a vulnerability
– Usually measured as money losses
Countermeasures (safeguards)
– Protective measures implemented to counter threats and mitigate vulnerabilities
Risk
– The probability that a threat will exploit a particular set of vulnerabilities successfully (Peltier)
– The likelihood that a threat agent will successfully exploit a vulnerability to create an unwanted or adverse impact (Jones)
Exposure Factor (EF)
– Percentage of loss a successful threat event would have on a single specific asset
Single Loss Expectancy (SLE)
– Dollar figure assigned to a single event: SLE = AV (Asset Value in $) × EF
Annualized Rate of Occurrence (ARO)
– Estimated frequency with which a threat is expected to occur
Annualized Loss Expectancy (ALE)
– Total computed estimated loss per year: ALE = SLE × ARO
Handling Risk
Eliminate it
Minimize it
Accept it
Transfer it
Common Risk Analysis Fallacies
Vulnerabilities = Risks
– The Truth: vulnerabilities = vulnerabilities
– Vulnerability assessment or penetration testing does not, by itself, identify or quantify risk
Threats are not an element of risk
– The Truth: threats are (arguably) the most important element of risk
Tools = Countermeasures
– The Truth: tools are just tools. Many countermeasures are administrative or a combination of tools and administration
– The best countermeasures are layered (defense in depth)
All risks must be mitigated
– The Truth: don’t waste money protecting garbage. There is a valid concept of “acceptable risk”.
Assessment
Takes a security “snapshot” of a computing environment at any given time.
Evaluates the information security policies and procedures
Establishes a baseline for operations
Can be “Formal” or “Informal”
Can be “Quantitative” or “Qualitative” in nature
The Name Game
Risk Assessments go by many names:
– Security Baseline Assessment
– Penetration Study (“Ethical Hacking”)
– Vulnerability Scan
– Policy consulting
– Audits
Why use a Risk Assessment?
To gauge the security posture of a given resource – division, department, or organization
Help justify the cost of security controls
To understand shortcomings in the current technology environment
To prepare for doing business on the Internet
Quantitative Characteristics
Relies on statistical measurement for rationality
Generally used on mature environments Security posture is “rated” based on
collection of weighted data findings
Qualitative Characteristics
Subjective in nature
Generally used on immature environments
Interviews and observation are a key part of the assessment
Recommendations based on “best practices”
Audit vs. Assessment
An audit is a formal process used to measure the high-level aspects of an infrastructure’s security from an organizational point of view.
Limited in scope
No low-level technical details
Check-list style methodology
Risk Based Audit Approach
Audit risk can be defined as the risk that the information / financial report may contain material error or that the IS Auditor may not detect an error that has occurred.
– Inherent Risk
– Control Risk
– Detection Risk
– Overall Audit Risk
Audit vs. Assessment
Security Assessments are attempts to measure as many technical details of an infrastructure’s security posture as possible.
Less formal
More detailed / broader in scope
Considered an “art form”
Why use Quantitative?
If your organization has implemented basic security countermeasures and wants to improve its posture
If upper management responds well to presentations of findings based on numerical representation
If statistically-based facts will help “sell” security to executives
Why use Qualitative?
If your security policy is brand new
If your culture works well with “consulting” type approaches
If “best practices” can be used to sell upper management on the proper security controls
If your expectations involve a shorter assessment cycle
Do Not use an Assessment…
If your organization does not have a security policy defined
If your organization is experiencing high turn-over
If upper management does not “sponsor” security expenditures
Network Security Assessment
Expected results:
– Identify security vulnerabilities
– Provide a corrective action knowledge base
– Recommend corrective action
– Continuous “realtime” monitoring
– Repeatable and measurable
– Used to justify security controls to upper management
Basic Formula
Risk = (Threat × Vulnerability) / Countermeasures × Value
Asset Value × Exposure Factor = Single Loss Expectancy (SLE)
SLE × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
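The SLE/ALE chain from this slide and the definitions slide, carried through to the cost-benefit comparison and ranking of safeguards that the later 10-step approach calls for, as an added example that is not part of the original deck. The asset, threat and safeguard figures are constructed, and the benefit rule (ALE before minus ALE after minus the safeguard's annual cost) is an assumption the slides do not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, in the slide's terms."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per successful event (0..1)
    aro: float              # ARO, expected events per year


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the EF/ARO it leaves behind (assumed inputs)."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def sle(t: Threat) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(t) * t.aro


def annual_benefit(t: Threat, s: Safeguard) -> float:
    """Assumed cost-benefit rule: (ALE before - ALE after) - annual safeguard cost.
    A negative result means the safeguard costs more than the loss it avoids."""
    after = Threat(t.name, t.asset_value, s.residual_ef, s.residual_aro)
    return ale(t) - ale(after) - s.annual_cost


def rank_safeguards(t: Threat, options: list[Safeguard]) -> list[tuple[str, float]]:
    """Rank safeguards by net annual benefit, best first (step 9 of the 10-step approach)."""
    scored = [(s.name, annual_benefit(t, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a $500,000 customer database hit by destructive malware.
DATABASE_THREAT = Threat("malware destroys customer database", 500_000, 0.4, 0.5)
OPTIONS = [
    Safeguard("Offline backups", 15_000, 0.05, 0.5),       # cuts the loss per event
    Safeguard("Endpoint hardening", 40_000, 0.4, 0.1),     # cuts how often it happens
    Safeguard("Full platform rebuild", 120_000, 0.0, 0.0), # removes the risk entirely
]

if __name__ == "__main__":
    print(f"SLE = ${sle(DATABASE_THREAT):,.0f}, ALE = ${ale(DATABASE_THREAT):,.0f}")
    for name, benefit in rank_safeguards(DATABASE_THREAT, OPTIONS):
        print(f"{name:22s} net annual benefit ${benefit:>10,.0f}")
```

The last option illustrates the “acceptable risk” fallacy from the earlier slide: eliminating the risk costs more per year than the risk itself, so the ranking puts it last.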
RA Methodology Examples
Qualitative:
– CRAMM
– RAM-X
– IAM
– OSG
Quantitative:
– Courtney
– RAM-X
Representative Risk Analysis Methods
Courtney – quantitative
– L = annualized loss expectancy
– i = impact rating
– f = threat frequency
– L = 10^(i+f-3) / 3
CRAMM – qualitative
– “CCTA Risk Analysis and Management Methodology”
– Not mathematical – subjective
– Attempts to take a holistic view
– Gathers information through structured interviews
– Stage 1: Establish boundaries of the review (assets)
– Stage 2: Establish threat context
– Stage 3: Establish necessary countermeasures
Risk Management Cycle
[Diagram: a cycle of Assess Risk and Determine Needs (the initial entry point), Implement Policies and Controls, Promote Awareness, and Monitor and Evaluate, around a Central Focal Point]
Basic Risk Analysis Steps
Estimate potential losses to assets by determining their value(s)
Analyze potential threats to the assets
Define the Annualized Loss Expectancy (ALE)
10-Step Qualitative Risk Analysis Approach
1. Develop scope
2. Assemble team
3. Identify threats
4. Prioritize threats
5. Estimate impact priority
6. Calculate total threat impact
7. Identify safeguards
8. Cost-benefit analysis
9. Rank safeguards by priority
10. Write the report
The CRAMM Qualitative Method
CRAMM analysis may be done using a packaged software application
– Cost is about $4,200 plus about $1,200 per year maintenance
Interview format tool with large databases of questions, threats, vulnerabilities and impacts
A qualitative approach that is useful both for risk analysis and risk management
The CRAMM Qualitative Method – Risk Model
Assets
Threats
Vulnerabilities
Impacts
– Information disclosure
– Accidental or intentional destruction of data
– Data modification
– Denial of service
Countermeasures
– Reduction of threat
– Reduction of vulnerability
– Reduction of impact
– Detection
– Recovery
Risks
– A risk arises when a threat is able to exploit a vulnerability in an important asset to cause an unacceptable impact
The CRAMM Qualitative Method - Stages
Three stages
– Establish scope – asset based
– Establish threat context and vulnerabilities for assets identified in stage 1
  – Identifies security requirements for each relevant group of assets
– Establish countermeasures
  – Output is a security plan
  – Good idea to perform a cost-benefit analysis in this stage, although this is not part of the formal CRAMM method
Baseline review approach curtails CRAMM activities in unimportant areas
Courtney Quantitative Method
Asset based
Uses loss expectancy formula: L = 10^(i+f-3) / 3
Impact categories
– Disclosure
– Modification
– Destruction
– Lack of availability
Impact $ (i) taken from an impact rating table
Threat frequency (f) taken from a threat frequency table
Courtney Impact Rating Table (i)
Impact ($)   Rating
10           1
100          2
1,000        3
10,000       4
100,000      5
1,000,000    6
Courtney Threat Frequency Table (f)
Frequency (once in:)   Rating
300 years              1
30 years               2
3 years                3
100 days               4
10 days                5
1 day                  6
10 times per day       7
100 times per day      8
Typical Courtney Collection Form
Columns: Accidental (Disclosure, Modification, Destruction); Deliberate (Disclosure, Modification, Destruction); Exposure if unable to process for: 2 hours, 4 hours, 8 hours, 12 hours, 18 hours
Asset Under Review: i, f, L
Worked entry: i = 4, f = 3
L = 10^(4+3-3) / 3 = 10^4 / 3 = 10,000 / 3 = $3,333
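The Courtney tables and the collection-form calculation above, as an added example that is not part of the original deck: it encodes the impact rating and threat frequency tables from the two preceding slides, computes L = 10^(i+f-3) / 3, and reproduces the worked entry (i = 4, f = 3, L = $3,333). Snapping values that fall between table rows to the nearest row in log10 space is an assumption, as are the sample asset and form entries.

```python
import math

# Courtney impact rating table (i): dollar impact -> rating, as on the slide.
IMPACT_TABLE = {10: 1, 100: 2, 1_000: 3, 10_000: 4, 100_000: 5, 1_000_000: 6}

# Courtney threat frequency table (f): "once in ..." expressed as events per day
# (365-day years are an approximation).
FREQUENCY_TABLE = [
    (1 / (300 * 365), 1),  # once in 300 years
    (1 / (30 * 365), 2),   # once in 30 years
    (1 / (3 * 365), 3),    # once in 3 years
    (1 / 100, 4),          # once in 100 days
    (1 / 10, 5),           # once in 10 days
    (1.0, 6),              # once a day
    (10.0, 7),             # 10 times per day
    (100.0, 8),            # 100 times per day
]


def impact_rating(dollars: float) -> int:
    """Rating i for a dollar impact: exact table values map directly, anything in
    between snaps to the nearest order of magnitude (assumption), clamped to 1..6."""
    return IMPACT_TABLE.get(dollars, min(6, max(1, round(math.log10(dollars)))))


def frequency_rating(events_per_day: float) -> int:
    """Rating f for an event rate: the table row nearest in log10 space (assumption)."""
    target = math.log10(events_per_day)
    _, rating = min(FREQUENCY_TABLE, key=lambda row: abs(math.log10(row[0]) - target))
    return rating


def courtney_loss(i: int, f: int) -> float:
    """Courtney's annualized loss expectancy: L = 10^(i+f-3) / 3."""
    return 10 ** (i + f - 3) / 3


def collection_form(asset: str, entries: list[tuple[str, float, float]]) -> list[dict]:
    """Fill one form row per (category, impact in $, events per day), rounding L to $1."""
    rows = []
    for category, dollars, events_per_day in entries:
        i = impact_rating(dollars)
        f = frequency_rating(events_per_day)
        rows.append({"asset": asset, "category": category, "i": i, "f": f,
                     "L": round(courtney_loss(i, f))})
    return rows


# Constructed sample form: the slide's worked entry (i = 4, f = 3) plus two more rows.
SAMPLE_FORM = collection_form("payroll file server", [
    ("Accidental destruction", 10_000, 1 / (3 * 365)),      # $10,000, once in 3 years
    ("Deliberate disclosure", 100_000, 1 / 100),            # $100,000, once in 100 days
    ("Unable to process for 8 hours", 1_000, 1 / 10),       # $1,000, once in 10 days
])

if __name__ == "__main__":
    for row in SAMPLE_FORM:
        print(f"{row['category']:32s} i={row['i']} f={row['f']} L=${row['L']:,}")
```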
NSA IAM
Qualitative project management framework
[Diagram: Pre-Assessment, On-Site and Post-Assessment phases covering contact, project coordination, data collection, analysis and recommendations, and the final report]
RAM-X
Put together by Sandia Labs, along with the FBI, the military, the Corps of Engineers, and others
Designed to be a quantitative measurement of risks associated with Critical Infrastructure
RAM-X Formula
R = PA × C × (1 − PE)
PA = Analyze Threat
C = Critical Assets
PE = System Effectiveness
PE < 1
C < 1
OSG
Developed a way to use qualitative and quantitative methods together through its “Thessaly” framework
Current State
Desired State
Gap Analysis
Solution recommendations
Security Maturity Grid