Risk Analysis
What Is Information Security?
Going digital
Investigating in the digital age
Ben Russell
Cyber & Forensics
Slide 4 RESTRICTED
Security Defined
Security
◦ Concerned with intentional failures, not accidents or unintentional technical mistakes
Underlying Security Concepts
◦ Confidentiality
◦ Integrity
◦ Availability
(Confidentiality, Integrity and Availability together form the CIA Triad)
◦ Accountability
◦ Non-repudiation
Risks and Countermeasures
Risk: the possibility that an incident or attack will cause damage to a computer, network or system
Risk assessment involves:
◦ Evaluating the amount of potential damage
◦ Estimating the likelihood of attack (attacker motivation, ease of mounting the attack)
Within IT security, risk analysis is applied:
◦ Comprehensively, for all information assets of the enterprise
◦ Specifically, for the IT infrastructure
◦ During development of new products or systems
Risk Analysis
Risk analysis is the systematic study of uncertainties and risks.
◦ It identifies the risks, determines how and when those risks might arise, and estimates the impact (financial or otherwise) of adverse outcomes.
After the threats have been evaluated for severity and likelihood, that information is used in the risk analysis.
Assessing Assets, Vulnerabilities, Threats
1. Assets
◦ Hardware
◦ Software
◦ Data and information
◦ Reputation
Assessing Assets, Vulnerabilities, Threats
2. Vulnerabilities
◦ Weaknesses that can be exploited to damage assets, e.g.:
Accounts with default passwords
Programs with unnecessary privileges
Weak access control settings on resources
Weak firewall configurations
◦ Can be rated according to level of impact
Vulnerability scanners
◦ Risk analysis tools
◦ A systematic, automated way of identifying vulnerabilities
◦ Give a severity rating for each detected vulnerability
e.g., Nessus, OpenVAS, Acunetix, Netsparker, Secunia Software Inspector; related tools used alongside them in an assessment include nmap (port and service discovery), Wireshark (packet capture and analysis), Burp Suite (web application testing) and Metasploit (verifying that a finding is actually exploitable)
Risk identification steps

Step                      Action
Asset identification      1. Inventory the assets
                          2. Determine each asset's relative value
Threat identification     1. Classify threats by category
                          2. Design an attack tree
Vulnerability appraisal   1. Determine current weaknesses in assets
                          2. Use vulnerability assessment tools
Risk assessment           1. Estimate the impact of the vulnerability on the organisation
                          2. Calculate loss expectancy
                          3. Estimate the probability that the vulnerability will be exploited
Risk mitigation           1. Decide what to do with the risk:
CALCULATING RISKS - Method 1
Risk = Assets x Vulnerability x Threats
(each factor is a rating on an ordinal scale, e.g. Low = 1, Medium = 5, High = 10, as used in the tables that follow)
1. Quantitative risk analysis
- Mathematical values are used to calculate the expected loss, e.g., assign monetary values to assets and probabilities to threats: single loss expectancy (SLE) = asset value x exposure factor, and annualised loss expectancy (ALE) = SLE x annual rate of occurrence
CALCULATING RISK
DREAD methodology
◦ Complements Microsoft's STRIDE threat model
◦ Provides a scheme for qualitative risk analysis: each threat is rated on five factors
Damage potential: relates to the value of the assets being affected
Reproducibility: how reliably the attack can be repeated once it is known to work
Exploitability: relates to the effort, expertise, and resources required to launch an attack
Affected users: for software vendors, another important contributing factor to damage potential (how many users or installations are exposed)
Discoverability: how easily an attacker can find the weakness, e.g. whether it is publicly documented or visible to an unauthenticated scan. A related but separate question is whether you would ever detect the attack: in the most damaging case you never know that your system has been compromised, and if you don't know you've been attacked, you don't know to take steps to recover.
THREATS
Procedure: determine the threats using the STRIDE model (Spoofing; Tampering; Repudiation; Information Disclosure; Denial of Service; Elevation of Privilege), then rate these threats using the DREAD (Damage potential; Reproducibility; Exploitability; Affected users; Discoverability) methodology and rank them by score.

Threat | D | R | E | A | D | Rank
Example of qualitative risk analysis - 1
After identifying some of your organisation's documents at risk, you take a more formal approach to your investigation.
Table 1: Data assets and values (Low = 1, Medium = 5, High = 10)
Asset                            Value
Payroll records                  Medium (5)
Product design specifications    High (10)
Health insurance claims          High (10)
Customer list                    High (10)
Accounts receivable records      Medium (5)
Sales records                    Low (1)
Employee reviews                 Low (1)
"InventoryAndOrders" database    Medium (5)
Table 2: Vulnerabilities (same scale: Low = 1, Medium = 5, High = 10)
Vulnerability                                      Criticality
Un-patched software                                Medium (5)
Internet connection with no firewall               High (10)
Antivirus protection missing or not updated        High (10)
Weak passwords                                     Medium (5)
Common password sharing                            High (10)
Employees make decisions about who has access      High (10)
Table 3: Threats (same scale: Low = 1, Medium = 5, High = 10)
Threat                                                                          Likelihood
A denial-of-service attack against the server with the "InventoryAndOrders" database   Medium (5)
Performing a risk analysis - 1
Using Risk = Assets x Vulnerability x Threats, the risk of a denial of service (DoS) attack against the "InventoryAndOrders" database (Medium, 5) with threat likelihood Medium (5) due to:
1. Un-patched software (Medium, 5) is: 5 x 5 x 5 = 125
2. Lack of a firewall (High, 10) is: 5 x 10 x 5 = 250
3. The risk of an employee reading or modifying payroll information (asset Medium, 5) where the likelihood of that insider threat is High (10) and the vulnerability exploited is a weak password (Medium, 5) is: 5 x 5 x 10 = 250
4. However, if the vulnerability exploited is password sharing (High, 10), the risk is: 5 x 10 x 10 = 500
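The scoring on this slide, the Method 1 formula, and the DREAD ranking from the earlier slides can be put into one small risk register so the arithmetic is repeatable across every threat/vulnerability pair instead of being done by hand. The following is an added example, not code from the slides: the ordinal scale and Tables 1-3 are transcribed from the deck; the pairing of each threat with the vulnerabilities it exploits follows the worked example above; the DREAD scoring convention (each factor rated 1..10 and summed, maximum 50), the STRIDE threat list with its ratings, and the monetary figures in the ALE call are assumptions made for illustration.

```python
from typing import Dict, List, Tuple

# Ordinal scale used in Tables 1-3 and the worked example on the slides.
SCALE = {"Low": 1, "Medium": 5, "High": 10}

# Table 1 (asset values) and Table 2 (vulnerability criticality), transcribed from the slides.
ASSETS: Dict[str, str] = {
    "Payroll records": "Medium",
    "Product design specifications": "High",
    "Health insurance claims": "High",
    "Customer list": "High",
    "Accounts receivable records": "Medium",
    "Sales records": "Low",
    "Employee reviews": "Low",
    "InventoryAndOrders database": "Medium",
}
VULNERABILITIES: Dict[str, str] = {
    "Un-patched software": "Medium",
    "Internet connection with no firewall": "High",
    "Antivirus protection missing or not updated": "High",
    "Weak passwords": "Medium",
    "Common password sharing": "High",
    "Employees make decisions about who has access": "High",
}
# Threats with likelihood (Table 3 plus the insider threat from the worked example) and
# the vulnerabilities each one could exploit, paired as on the slide.
THREATS = [
    {"threat": "Denial of service against the InventoryAndOrders server",
     "asset": "InventoryAndOrders database", "likelihood": "Medium",
     "via": ["Un-patched software", "Internet connection with no firewall"]},
    {"threat": "Employee reads or modifies payroll information",
     "asset": "Payroll records", "likelihood": "High",
     "via": ["Weak passwords", "Common password sharing"]},
]


def risk_score(asset_value: str, vulnerability: str, threat_likelihood: str) -> int:
    """Method 1 on the slides: Risk = Assets x Vulnerability x Threats, on the ordinal scale."""
    return SCALE[asset_value] * SCALE[vulnerability] * SCALE[threat_likelihood]


def risk_register(threats=THREATS, assets=ASSETS, vulns=VULNERABILITIES) -> List[Tuple[int, str, str]]:
    """Score each (threat, exploited vulnerability) pair against the threat's target asset and
    return them highest risk first, which is the order in which mitigation should be funded."""
    rows = []
    for t in threats:
        for v in t["via"]:
            rows.append((risk_score(assets[t["asset"]], vulns[v], t["likelihood"]), t["threat"], v))
    return sorted(rows, key=lambda r: r[0], reverse=True)  # stable: ties keep input order


def annualised_loss_expectancy(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Quantitative variant: SLE = asset value x exposure factor; ALE = SLE x annual rate of occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset value lost per incident")
    return asset_value * exposure_factor * annual_rate


DREAD_KEYS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_score(ratings: Dict[str, int]) -> int:
    """Sum of the five DREAD ratings; each is assumed to be on a 1..10 scale (max total 50)."""
    total = 0
    for key in DREAD_KEYS:
        value = ratings[key]
        if not 1 <= value <= 10:
            raise ValueError(f"{key} must be rated 1..10, got {value}")
        total += value
    return total


# Constructed STRIDE threats for the same system, with illustrative (assumed) DREAD ratings.
STRIDE_THREATS = [
    ("Spoofing: log in to the database as another employee using a shared password",
     {"damage": 7, "reproducibility": 9, "exploitability": 9, "affected_users": 6, "discoverability": 8}),
    ("Tampering: alter payroll records after guessing a weak password",
     {"damage": 8, "reproducibility": 6, "exploitability": 6, "affected_users": 5, "discoverability": 6}),
    ("Denial of service: flood the unfirewalled InventoryAndOrders server",
     {"damage": 6, "reproducibility": 10, "exploitability": 8, "affected_users": 8, "discoverability": 9}),
    ("Information disclosure: read health insurance claims via an unpatched service",
     {"damage": 9, "reproducibility": 5, "exploitability": 5, "affected_users": 7, "discoverability": 4}),
]


def rank_stride_threats(threats=STRIDE_THREATS) -> List[Tuple[int, str]]:
    """Fill the 'D R E A D | Rank' table from the slides: highest DREAD total first."""
    return sorted(((dread_score(r), name) for name, r in threats), reverse=True)


if __name__ == "__main__":
    for score, threat, vuln in risk_register():
        print(f"{score:4d}  {threat}  via  {vuln}")
    print("ALE:", annualised_loss_expectancy(200_000, 0.25, 0.5))
    for score, name in rank_stride_threats():
        print(f"{score:3d}/50  {name}")
```

Running it reproduces the four figures on the slide (500, 250, 250, 125) in ranked order; the two 250s show why the ordinal product alone cannot separate "DoS with no firewall" from "insider with a weak password", which is where the DREAD factors or a monetary ALE figure are needed to break the tie.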
COUNTERMEASURES – RISK MITIGATION
EXTENDED LEARNING
https://catalogue.pearsoned.co.uk/educator/product/Computer-Security-Principles-and-Practice-Global-Edition/9781292220611.page
Some Useful Links