120 likes | 307 Views
Oppliger: Ch. 15 Risk Management. Outline. Introduction Formal risk analysis Alternative risk analysis approaches/technologies Security scanning Intrusion detection. True or false? Risks are everywhere! A new risk may be introduced (or triggered) by a solution. Risk.
E N D
Outline • Introduction • Formal risk analysis • Alternative risk analysis approaches/technologies • Security scanning • Intrusion detection • True or false? • Risks are everywhere! • A new risk may be introduced (or triggered) by a solution.
Risk • A risk is an expectation of loss. • Usually represented as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result • Risk = prob (T, V, R) • Example: • Let T = “port scanning” • Let V = “No firewall exists between the public Internet and the private network” • Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer” • Other examples of risk?
Risk Analysis • Aka. Risk Assessment • A systematical process that • identifies valuable system resources and threats to those resources; • quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence; • (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure • A process that identifies risks and their respective potential cost (and countermeasures)
Risk Analysis (cont.) • Example of risk analysis ? • Let T = “port scanning” • Let V = “No firewall exists between the public Internet and the private network” • Let R = “An unauthorized connection is established between a computer in the private network and a remote (potentially malicious) computer” • Factors affecting the potential cost ? Cost per incident, frequency of incident • Other examples of risk analysis? • Other definitions of risk analysis ?
Risk Analysis (cont.) • Other definitions of risk analysis ? • Risk analysis (in business) is a technique to identify and assess factors that may jeopardize the success of a project or achieving a goal. source: http://en.wikipedia.org/wiki/Risk_analysis_(Business) • Risk analysis (in engineering) is the science of risks and their probability and evaluation. Source: http://en.wikipedia.org/wiki/Risk_analysis_(engineering) c.f., Risks with respect to project failure; Risks with respect to a system’s being breached; Other risks ??
Risk Management • A process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources • Threat model • The attackers (who) • The attacks (how) • The resources (what) • …
Formal Risk Analysis • A formal process/tool(s) for performing risk analysis • Examples: • British CCTA’s CRAMM (CCTA Risk Analysis & Management Methodology) • French CLUSIF’s MARION • Steps: • Establish an inventory of all assets • Quantifying loss exposures based on estimated frequencies and costs of occurrence • Quantitative risk analysis is complex! • It’s difficult to quantify (due to complexities and lack of models).
Qualitative risk analysis • Differs from formal/quantitative risk analysis in the quantification step • Qualitative risk analysis only identifies the existence of risks, but does not try to quantify the estimated frequency and the costs of occurrence in order to calculate the loss potential. • Examples: • A Web site connected to the Internet could be hacked. • A computer connected to the Internet is subject to port scanning. Note: The definition may be arguable. See http://www.anticlue.net/archives/000817.htm, for example. The qualitative risk analysis outlined in that article include a quantification step.
Other approaches of risk analysis • Security scanning • The process of performing vulnerability analyses using a security scanner. • Security scanner: a tool that scans the system to identify vulnerabilities • Intrusion Detection • The process of identifying and responding to intrusions to a system. • An intrusion is “a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats …”