1 / 15

A Preamble into Aligning Systems Engineering and Information Security Risk

A Preamble into Aligning Systems Engineering and Information Security Risk. Dr. Craig Wright GSE May 2012 GIAC GSE, GSM, GSC. Controls are countermeasures for vulnerabilities. Controls need to be economically viable to be effective. There are four types: Deterrent controls

reba
Download Presentation

A Preamble into Aligning Systems Engineering and Information Security Risk

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig Wright GSE May 2012 GIAC GSE, GSM, GSC SANS Technology Institute - Candidate for Master of Science Degree

  2. Controls are countermeasures for vulnerabilities Controls need to be economically viable to be effective. There are four types: • Deterrent controls • Preventative controls • Corrective controls • Detective controls SANS Technology Institute - Candidate for Master of Science Degree

  3. System Survival • Network reliability requires us to model the various access paths and survival times for not only each system, but for each path to the system. SANS Technology Institute - Candidate for Master of Science Degree

  4. Mapping Vulnerabilities within Software • Now let E stand for the event where a vulnerability is discovered within the Times T and T+h for n vulnerabilities in the software SANS Technology Institute - Candidate for Master of Science Degree

  5. Mapping Vulnerabilities within Software • Where a vulnerability is discovered between time T and T+h use Bayes’ Theorem to compute the probability that n bugs exist in the software: SANS Technology Institute - Candidate for Master of Science Degree

  6. Mapping Vulnerabilities within Software • From this it can be seen that: SANS Technology Institute - Candidate for Master of Science Degree

  7. Exponential Failure • The reliability function (also called the survival function) represents the probability that a system will survive a specified time t. SANS Technology Institute - Candidate for Master of Science Degree

  8. Exponential Failure • The reliability function is a probabilistic calculation. • We cannot forecast the exact time of any compromise. • We can estimate the behaviour of systems that are constructed of many components. SANS Technology Institute - Candidate for Master of Science Degree

  9. Reliability • Reliability is expressed as either MTBF (Mean time between failures) and MTTF (Mean time to failure). • The choice of terms is related to the system being analyzed. • For system security, it relates to the time that the system can be expected to survive when exposed to attack. SANS Technology Institute - Candidate for Master of Science Degree

  10. Modelling Failure Rate • The failure rate for a specific time interval can also be expressed as: SANS Technology Institute - Candidate for Master of Science Degree

  11. Modelling Failure Rate • The time to failure of a system under attack can be expressed as an exponential density function: SANS Technology Institute - Candidate for Master of Science Degree

  12. Modelling Failure Rate • Here is the mean survival time of the system when in the hostile environment • t is the time of interest • Reliability function, R(t) can be expressed as: SANS Technology Institute - Candidate for Master of Science Degree

  13. Modelling Failure Rate • The mean ( ) or expected life of the system under hostile conditions can hence be expressed as: SANS Technology Institute - Candidate for Master of Science Degree

  14. No Absolutes • There are no absolutes but data can be modelled. • Security remains a risk and economic function. • No comparison to levels of security can be made other than to a relative measure (no absolute level of security). SANS Technology Institute - Candidate for Master of Science Degree

  15. Conclusion • Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as: • the importance of information or the resource being protected, • the potential impact if the security is breached, • the skills and resources of the attacker and • the controls available to implement the security. SANS Technology Institute - Candidate for Master of Science Degree

More Related