Computer and Information Security Principles

Risk Analysis

Note: The first step in establishing the security needs of an organisation is to identify likely threats and perform a risk analysis.
Underlying Security Concepts

 Key concepts include:
◦ Confidentiality
◦ Integrity
◦ Availability
◦ Accountability
◦ Non-repudiation
(Confidentiality, Integrity and Availability together form the CIA triad.)
What Is Information Security?

 Before defence is possible, one must understand:
◦ What information security is
◦ Why it is important
◦ Who the attackers are
Going digital: Investigating in the digital age
Ben Russell, Cyber & Forensics, SOCA

“I can do more damage on my laptop, in my pyjamas, before my first cup of Earl Grey than you can do in a year in the field.”
(Q, in Skyfall)
Security Defined

 Security
◦ Concerned with intentional failures, not accidents or unintentional technical mistakes
◦ A “people” problem: it cannot be solved by technology alone. It requires:
 Defining boundaries of acceptable behaviour
 Data protection and computer misuse laws
 Enforcement by managers
 User compliance and cooperation
 Correct deployment and operation of technical measures
Confidentiality

 Prevention of unauthorised disclosure of information
 Includes:
◦ Privacy: protection of personal data
◦ Secrecy: protection of data belonging to the organisation
 Concerns both stored data and data in transmission over the network (for personal data, the GDPR sets the legal obligations)
Integrity

 Preserving source documents and making sure that they have not been exposed to accidental or malicious alteration or destruction
◦ e.g., a blockchain, where each block commits to the hash of the previous one, so any alteration of earlier records is detectable
 Also the integrity of the participants and of the process, e.g.:
◦ Man-in-the-middle (MITM) attack: the attacker intercepts and alters network packet data

[Figure: Man-in-the-Middle (MITM) attack]
Availability

 Ensure that a malicious attacker cannot prevent legitimate users from having reasonable access to systems, i.e., prevent denial of service (DoS) attacks
 Note: security mechanisms that are too restrictive, or too expensive to operate, can themselves cause a denial of service

[Figure: Denial of Service (DoS) attacks]
Accountability

 Users should be held accountable for their actions
 To provide accountability, the system must:
◦ Identify and authenticate users
◦ Keep an audit trail of security-related events
Non-repudiation

 Provides undeniable evidence that a specific action occurred
◦ Non-repudiation of origin: provides evidence about the sender of a document. On a network, this is achieved with digital signatures
◦ Non-repudiation of delivery: provides evidence of message delivery. For mail, this is achieved with return receipts
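The two mechanisms behind the Integrity and Non-repudiation slides differ in a way the slides do not spell out: a message authentication code proves that a packet was not altered in transit, but because sender and receiver hold the same key, either of them could have produced it, so it cannot be used as evidence of origin. A digital signature is made with a key only the sender holds, so it gives both integrity and non-repudiation of origin. The Go program below is an added example, not material from the lecture; it uses HMAC-SHA256 and Ed25519 from the Go standard library on a constructed packet payload, and the tamper function plays the man in the middle from the slide by rewriting one field in flight.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tag computes an HMAC-SHA256 over the packet payload with a key shared by
// sender and receiver. Any change to the payload changes the tag, and the
// attacker cannot recompute it without the key: integrity, but not origin,
// because both key holders can produce the same tag.
func tag(sharedKey, payload []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(payload)
	return m.Sum(nil)
}

// verifyTag uses hmac.Equal (constant time) so that the comparison does not
// leak how many leading bytes of a forged tag were correct.
func verifyTag(sharedKey, payload, t []byte) bool {
	return hmac.Equal(tag(sharedKey, payload), t)
}

// keyPair derives an Ed25519 key pair from a 32-byte seed; main() uses a
// random seed, a fixed seed makes the demonstration reproducible.
func keyPair(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// sign produces a digital signature with the sender's private key. Only the
// sender could have produced it, so the receiver, or a third party, can hold
// the sender to the message: non-repudiation of origin.
func sign(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

func verifySig(pub ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pub, payload, sig)
}

// tamper plays the man in the middle: the amount field of the constructed
// packet format is rewritten while the packet is in flight.
func tamper(payload []byte) []byte {
	return bytes.Replace(payload, []byte("amount=100"), []byte("amount=900"), 1)
}

func main() {
	sharedKey := make([]byte, 32)
	seed := make([]byte, ed25519.SeedSize)
	rand.Read(sharedKey)
	rand.Read(seed)

	packet := []byte("TRANSFER from=acct-1234 to=acct-9876 amount=100") // constructed sample
	t := tag(sharedKey, packet)
	fmt.Println("genuine packet, tag verifies:  ", verifyTag(sharedKey, packet, t))
	fmt.Println("tampered packet, tag verifies: ", verifyTag(sharedKey, tamper(packet), t))

	pub, priv := keyPair(seed)
	sig := sign(priv, packet)
	fmt.Println("genuine packet, signature verifies:  ", verifySig(pub, packet, sig))
	fmt.Println("tampered packet, signature verifies: ", verifySig(pub, tamper(packet), sig))

	// A second sender's signature does not verify under the first sender's
	// public key; that binding of message to key is what makes origin undeniable.
	otherSeed := make([]byte, ed25519.SeedSize)
	rand.Read(otherSeed)
	_, otherPriv := keyPair(otherSeed)
	fmt.Println("other sender's signature under sender's key:", verifySig(pub, packet, sign(otherPriv, packet)))
}
```

In practice the signature also covers a timestamp or sequence number, otherwise a captured genuine packet can be replayed unchanged; the example leaves that out to keep the integrity/origin distinction visible.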
RISK ANALYSIS

 Risk management: the process of discovering and assessing the risks to an organisation’s operations, and determining how those risks can be controlled or mitigated
 Risk analysis: the identification and assessment of levels of risk in the organisation. A major component of risk management
Risks and Countermeasures
 Risk: the possibility that an incident or attack will cause damage to a computer, network or system
 Risk assessment involves:
◦ Evaluating the amount of potential damage
◦ Estimating the likelihood of attack (attacker motivation, ease of mounting the attack)
 Within IT security, risk analysis is applied:
◦ Comprehensively, for all information assets of the enterprise
◦ Specifically, for the IT infrastructure
◦ During development of new products or systems
Risk Analysis
 Risk analysis is the systematic study of uncertainties and risks.
◦ It identifies the risks, determines how and when those risks
might arise, and estimates the impact (financial or otherwise) of
adverse outcomes.
 After the threats are evaluated for severity and likelihood, the
information is used in a risk analysis.
Assessing Assets, Vulnerabilities, Threats

 First step of risk analysis
◦ Identify assets, vulnerabilities, threats
◦ Rank according to value, impact, and likelihood

1. Assets
◦ Hardware
◦ Software
◦ Data and information
◦ Reputation
Assessing Assets, Vulnerabilities, Threats

2. Vulnerabilities
◦ Weaknesses that can be exploited to damage assets, e.g.:
 Accounts with default passwords
 Programs with unnecessary privileges
 Weak access control settings on resources
 Weak firewall configurations
◦ Can be rated according to level of impact
 Vulnerability scanners
◦ Risk analysis tools
◦ Systematic, automated way of identifying vulnerabilities
◦ Give a rating (a severity score) for each detected vulnerability
◦ e.g., Nessus, OpenVAS, nmap (with its NSE vulnerability scripts), Acunetix, Netsparker, Secunia Software Inspector. The slide also lists Wireshark (a packet analyser), Metasploit (an exploitation framework) and Burp Suite (a web application testing proxy); these support a vulnerability assessment but are not scanners in the same sense.
Assessing Assets, Vulnerabilities, Threats

3. Threats: actions by adversaries to exploit vulnerabilities in order to damage assets
 Various ways to identify and categorise threats
◦ Microsoft’s STRIDE threat model
 Spoofing identities
 Tampering with data
 Repudiation
 Information disclosure
 Denial of service
 Elevation of privilege
◦ Source of threat (internal, outside/remote, etc.)
Risk identification steps

Step                     Actions
Asset identification     1. Inventory the assets
                         2. Determine each asset’s relative value
Threat identification    1. Classify threats by category
                         2. Design an attack tree
Vulnerability appraisal  1. Determine current weaknesses in assets
                         2. Use vulnerability assessment tools
Risk assessment          1. Estimate the impact of the vulnerability on the organisation
                         2. Calculate loss expectancy
                         3. Estimate the probability that the vulnerability will be exploited
Risk mitigation          1. Decide what to do with the risk
CALCULATING RISKS – Method 1
Risk = Asset × Vulnerability × Threat

1. Quantitative risk analysis
- Mathematical values are used to calculate the expected loss, e.g., assign monetary values to assets and probabilities to threats

2. Qualitative risk analysis
- The following scales are used:
 Assets: critical; very important; important; not important
 Criticality of vulnerabilities: fix immediately; fix soon; fix if convenient
 Threat level: very likely; likely; unlikely; very unlikely
- Based on the advice of security experts, uses a value scale or a 1–10 rating to assess assets, criticality of vulnerabilities, and threat level
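The slide says quantitative analysis assigns money to assets and probabilities to threats to obtain an expected loss, and the risk identification table asks for a loss expectancy; the standard annualised form of that calculation is SLE = asset value × exposure factor (loss from one incident) and ALE = SLE × ARO (expected loss per year), and its practical use is deciding whether a countermeasure is worth its cost. The Go program below is an added example, not from the lecture; the asset figures, exposure factors, rates and control costs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// QuantRisk holds the monetary inputs for one threat against one asset. The
// formulas are the standard annualised ones used in quantitative analysis:
//   SLE = AssetValue x ExposureFactor   (loss from a single incident)
//   ALE = SLE x ARO                     (expected loss per year)
type QuantRisk struct {
	Name           string
	AssetValue     float64 // value of the asset, in currency units
	ExposureFactor float64 // fraction of that value lost in one incident, 0..1
	ARO            float64 // annualised rate of occurrence: expected incidents per year
}

func (q QuantRisk) validate() error {
	switch {
	case q.AssetValue < 0:
		return errors.New(q.Name + ": asset value must not be negative")
	case q.ExposureFactor < 0 || q.ExposureFactor > 1:
		return errors.New(q.Name + ": exposure factor must be between 0 and 1")
	case q.ARO < 0:
		return errors.New(q.Name + ": ARO must not be negative")
	}
	return nil
}

// SLE is the single loss expectancy.
func (q QuantRisk) SLE() (float64, error) {
	if err := q.validate(); err != nil {
		return 0, err
	}
	return q.AssetValue * q.ExposureFactor, nil
}

// ALE is the annualised loss expectancy, the figure compared with the yearly
// cost of a control.
func (q QuantRisk) ALE() (float64, error) {
	sle, err := q.SLE()
	if err != nil {
		return 0, err
	}
	return sle * q.ARO, nil
}

// Countermeasure is a control, its yearly cost, and the risk as it would stand
// once the control is in place (a lower ARO and/or a lower exposure factor).
type Countermeasure struct {
	Name       string
	AnnualCost float64
	After      QuantRisk
}

// netBenefit is ALE(before) - ALE(after) - annual cost. A control is worth
// buying only when this is positive: one that costs more than the loss it
// prevents does not reduce the organisation's expected loss.
func netBenefit(before QuantRisk, c Countermeasure) (float64, error) {
	aleBefore, err := before.ALE()
	if err != nil {
		return 0, err
	}
	aleAfter, err := c.After.ALE()
	if err != nil {
		return 0, err
	}
	return aleBefore - aleAfter - c.AnnualCost, nil
}

// bestCountermeasure returns the control with the largest positive net
// benefit, or nil when none pays for itself (accepting the risk is then cheaper).
func bestCountermeasure(before QuantRisk, cs []Countermeasure) (*Countermeasure, float64, error) {
	var best *Countermeasure
	bestValue := 0.0
	for i := range cs {
		v, err := netBenefit(before, cs[i])
		if err != nil {
			return nil, 0, err
		}
		if v > bestValue {
			best, bestValue = &cs[i], v
		}
	}
	return best, bestValue, nil
}

func main() {
	// Constructed figures for the customer-list asset from the slide tables.
	list := QuantRisk{Name: "customer list stolen", AssetValue: 200000, ExposureFactor: 0.5, ARO: 0.2}
	controls := []Countermeasure{
		{"access logging and data-loss prevention", 5000, QuantRisk{list.Name, list.AssetValue, list.ExposureFactor, 0.05}},
		{"encrypt the list and forbid bulk export", 25000, QuantRisk{list.Name, list.AssetValue, list.ExposureFactor, 0.01}},
	}
	ale, _ := list.ALE()
	fmt.Printf("ALE with no control: %.0f\n", ale)
	for _, c := range controls {
		v, _ := netBenefit(list, c)
		fmt.Printf("%-42s net benefit %.0f\n", c.Name, v)
	}
	if best, v, _ := bestCountermeasure(list, controls); best == nil {
		fmt.Println("no control pays for itself; accept the risk")
	} else {
		fmt.Printf("choose: %s (%.0f per year)\n", best.Name, v)
	}
}
```

With the constructed figures the uncontrolled ALE is 20,000 per year; logging plus data-loss prevention nets 10,000, while the more thorough encryption control nets -6,000 because its cost exceeds the loss it avoids. The weak point of the method is the ARO, which is usually a guess; the validation rejects impossible inputs but cannot make an estimate honest.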
CALCULATING RISK
 DREAD methodology
◦ Complements Microsoft’s STRIDE threat model
◦ Provides a scheme for qualitative risk analysis: each factor is scored on a fixed scale and the scores are combined (usually averaged) into one rating per threat
 Damage potential: relates to the value of the assets being affected
 Reproducibility: one aspect of how difficult it is to launch an attack (does it work every time, or only under particular conditions?)
 Exploitability: relates to the effort, expertise, and resources required to launch an attack
 Affected users: for software vendors, another important contributing factor to damage potential
 Discoverability: when will the attack be detected? In the most damaging case, you will never know that your system has been compromised. If you don’t know you’ve been attacked, then you don’t know to take steps to recover. (Note: Microsoft’s original DREAD definition reads this factor the other way round, as how easily an attacker can discover the vulnerability. Be explicit about which reading a team uses, since it changes the scores.)
THREATS
Procedure: determine the threats using the STRIDE model (Spoofing; Tampering; Repudiation; Information Disclosure; Denial of Service; Elevation of Privilege), then rate these threats using the DREAD methodology (Damage potential; Reproducibility; Exploitability; Affected users; Discoverability). Each factor is scored from 1 to 5 below.

STRIDE  Threat                                                                                                      D  R  E  A  D  Rank
S       Attacker spoofs MAC address to gain access to AP                                                            2  5  4  3  3  3
S       Attacker illegally uses another user's name and password                                                    5  4  3  1  2  3
T       Emails altered as they flow across the internet                                                             5  2  1  2  2  2
T       Attacker gains access to the laptop and modifies existing data                                              5  4  3  3  2  3
R       User denies performing illegal operation within the system                                                  3  2  2  1  2  2
I       Unauthenticated user gains access to private data                                                           5  3  2  2  3  3
I       Attacker reads sensitive data in transit between two computers                                              5  2  1  2  4  3
D       Attacker initiates an ICMP flood (“ping of death”) against a network device                                 4  3  4  5  1  4
E       Malicious code executed whilst logged in with high-level privileges due to wrong access control allocation  5  4  3  1  3  3

Note: the slide labels the ICMP flood a “ping of death”. Strictly these are different attacks: a ping of death is a single malformed, oversized ICMP packet that crashes a vulnerable host, whereas an ICMP flood overwhelms the target with volume. Both are denial-of-service threats.
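A DREAD sheet is only useful if the arithmetic behind the Rank column is explicit and checked. The Go program below is an added example, not from the lecture: it reproduces the table above, rejects scores outside the 1 to 5 scale (a forgotten field would otherwise silently lower a rank), averages the five factors and sorts the threats. Rounding the mean reproduces the slide’s Rank column for every row except the ICMP flood, whose mean is 3.4 but which the slide rates 4; the mismatch check is there to surface exactly that kind of inconsistency in a rating sheet.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Threat is one row of the slide table: its STRIDE category, a description,
// the five DREAD scores on the 1..5 scale the slide uses, and the rank printed
// on the slide (kept so the computed rank can be checked against it).
type Threat struct {
	Stride                                                                   string
	Name                                                                     string
	Damage, Reproducibility, Exploitability, AffectedUsers, Discoverability int
	SlideRank                                                                int
}

func (t Threat) scores() []int {
	return []int{t.Damage, t.Reproducibility, t.Exploitability, t.AffectedUsers, t.Discoverability}
}

// Score is the arithmetic mean of the five factors, the usual way DREAD
// collapses them into a single number.
func (t Threat) Score() float64 {
	sum := 0
	for _, v := range t.scores() {
		sum += v
	}
	return float64(sum) / 5
}

// Rank rounds the mean to the nearest whole number (halves round away from zero).
func (t Threat) Rank() int { return int(math.Round(t.Score())) }

// validate rejects scores outside the scale; an unset field is 0 in Go and
// would otherwise drag a threat's rank down without any warning.
func (t Threat) validate() error {
	for _, v := range t.scores() {
		if v < 1 || v > 5 {
			return fmt.Errorf("%q: DREAD score %d is outside 1..5", t.Name, v)
		}
	}
	return nil
}

// slideThreats reproduces the rows of the slide table.
func slideThreats() []Threat {
	return []Threat{
		{"S", "Attacker spoofs MAC address to gain access to AP", 2, 5, 4, 3, 3, 3},
		{"S", "Attacker illegally uses another user's name and password", 5, 4, 3, 1, 2, 3},
		{"T", "Emails altered as they flow across the internet", 5, 2, 1, 2, 2, 2},
		{"T", "Attacker gains access to the laptop and modifies existing data", 5, 4, 3, 3, 2, 3},
		{"R", "User denies performing illegal operation within the system", 3, 2, 2, 1, 2, 2},
		{"I", "Unauthenticated user gains access to private data", 5, 3, 2, 2, 3, 3},
		{"I", "Attacker reads sensitive data in transit between two computers", 5, 2, 1, 2, 4, 3},
		{"D", "Attacker initiates an ICMP flood against a network device", 4, 3, 4, 5, 1, 4},
		{"E", "Malicious code executed whilst logged in with high-level privileges", 5, 4, 3, 1, 3, 3},
	}
}

// rankThreats validates every row and returns a copy sorted by descending
// score; rows with equal scores keep the slide order.
func rankThreats(ts []Threat) ([]Threat, error) {
	out := make([]Threat, 0, len(ts))
	for _, t := range ts {
		if err := t.validate(); err != nil {
			return nil, err
		}
		out = append(out, t)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score() > out[j].Score() })
	return out, nil
}

// mismatches names the rows whose rounded mean differs from the slide's Rank column.
func mismatches(ts []Threat) []string {
	var names []string
	for _, t := range ts {
		if t.Rank() != t.SlideRank {
			names = append(names, t.Name)
		}
	}
	return names
}

func main() {
	ranked, err := rankThreats(slideThreats())
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, t := range ranked {
		fmt.Printf("%s  %-68s mean %.1f  rank %d  (slide: %d)\n", t.Stride, t.Name, t.Score(), t.Rank(), t.SlideRank)
	}
	fmt.Println("rows where the slide's rank is not the rounded mean:", mismatches(slideThreats()))
}
```

Three rows tie on a mean of 3.4, so the sort alone does not say which to fix first; in practice the tie is broken by the Damage and Affected-users factors, or by the asset value from the qualitative tables, and that rule should be written down next to the sheet.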
Example of qualitative risk analysis - 1
After identifying some of your organisation’s documents at risk:
 You take a more formal approach to your investigation.
 You decide to use qualitative risk analysis to determine where the highest risks to the company lie.
 You identify your company’s assets and assign them values (see Table 1).
 You identify the vulnerabilities and rate them on how critical they are (see Table 2).
 You identify the threats and rate them on their likelihood (see Table 3).

NB: To carry out the risk analysis, assign a value of 1 for Low, 5 for Medium and 10 for High.
Table 1: Data assets and values
Asset                           Value
Payroll records                 Medium (5)
Product design specifications   High (10)
Health insurance claims         High (10)
Customer list                   High (10)
Accounts receivable records     Medium (5)
Sales records                   Low (1)
Employee reviews                Low (1)
“InventoryAndOrders” database   Medium (5)
Table 2: Vulnerabilities
Vulnerability                                     Criticality
Un-patched software                               Medium (5)
Internet connection with no firewall              High (10)
Antivirus protection missing or not updated       High (10)
Weak passwords                                    Medium (5)
Common password sharing                           High (10)
Employees make decisions about who has access     High (10)
Table 3: Threats
Threat                                                                               Likelihood
A denial-of-service attack against the server with the “InventoryAndOrders” database  Medium (5)
A denial-of-service attack against the payroll server                                Low (1)
Internal employee reading or modifying payroll data without authorisation            High (10)
Internal employee accessing employee review records                                  Medium (5)
Internal employee selling customer lists                                             High (10)
External person obtaining customer lists or product design                           High (10)
Performing a risk analysis - 1
Using Risk = Asset × Vulnerability × Threat with the values from Tables 1 to 3 (Low = 1, Medium = 5, High = 10):
1. The risk of a denial of service (DoS) attack (likelihood Medium) against the “InventoryAndOrders” database (value Medium) due to un-patched software (criticality Medium) is:
   5 × 5 × 5 = 125
2. The same attack exploiting the lack of a firewall (criticality High) is:
   5 × 10 × 5 = 250
3. The risk of an internal employee reading or modifying (likelihood High) payroll information (value Medium) by exploiting the vulnerability of weak passwords (criticality Medium) is:
   5 × 5 × 10 = 250
4. However, if the vulnerability exploited is password sharing (criticality High), the risk is:
   5 × 10 × 10 = 500

Conclusion: use centralised security and establish password policies to mitigate the worst security threats. The baseline strategy will also include a firewall on the computer that shares the internet connection and virus protection on all computers.
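Done by hand, as on the slide, the qualitative method invites two mistakes: pairing table rows that cannot actually combine (a DoS threat does not exploit a weak password), and letting a mistyped level become a 0 that wipes out the product. The Go program below is an added example, not lecture material: it encodes the slide’s Low/Medium/High scale, parses the words from the tables with validation, computes Risk = Asset × Vulnerability × Threat for the four combinations worked on the slide and ranks them, reproducing the slide’s 125, 250, 250 and 500.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Level is the three-point scale the slide prescribes: Low = 1, Medium = 5, High = 10.
type Level int

const (
	Low    Level = 1
	Medium Level = 5
	High   Level = 10
)

// parseLevel turns the words used in Tables 1 to 3 into scale values and
// rejects anything else, so a typo in a table cannot produce a risk of 0.
func parseLevel(s string) (Level, error) {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "low":
		return Low, nil
	case "medium":
		return Medium, nil
	case "high":
		return High, nil
	}
	return 0, fmt.Errorf("unknown level %q (expected Low, Medium or High)", s)
}

// Scenario is one asset/vulnerability/threat combination that can actually
// occur; rows from the three tables are only paired where the pairing makes
// sense (a DoS threat is not paired with the weak-password vulnerability).
type Scenario struct {
	Asset, Vulnerability, Threat        string
	AssetValue, Criticality, Likelihood Level
}

// Risk is Method 1 from the slides: Risk = Asset x Vulnerability x Threat,
// giving a scale from 1 (all Low) to 1000 (all High).
func (s Scenario) Risk() int {
	return int(s.AssetValue) * int(s.Criticality) * int(s.Likelihood)
}

// slideScenarios are the four combinations worked on the slide, with values
// taken from Tables 1 to 3.
func slideScenarios() []Scenario {
	dos := "DoS attack against the server with the InventoryAndOrders database"
	payroll := "Internal employee reading or modifying payroll data"
	return []Scenario{
		{"InventoryAndOrders database", "Un-patched software", dos, Medium, Medium, Medium},
		{"InventoryAndOrders database", "Internet connection with no firewall", dos, Medium, High, Medium},
		{"Payroll records", "Weak passwords", payroll, Medium, Medium, High},
		{"Payroll records", "Common password sharing", payroll, Medium, High, High},
	}
}

// risks returns the risk values in input order.
func risks(ss []Scenario) []int {
	out := make([]int, len(ss))
	for i, s := range ss {
		out[i] = s.Risk()
	}
	return out
}

// rankByRisk returns a copy ordered from highest to lowest risk; ties keep
// their input order, so the output is stable between runs.
func rankByRisk(ss []Scenario) []Scenario {
	out := append([]Scenario(nil), ss...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Risk() > out[j].Risk() })
	return out
}

func main() {
	for _, s := range rankByRisk(slideScenarios()) {
		fmt.Printf("%4d  %s / %s / %s\n", s.Risk(), s.Asset, s.Vulnerability, s.Threat)
	}
}
```

The ranked output puts password sharing against payroll at the top (500), which is the slide’s conclusion; the two 250 entries tie, and the product hides that one is a confidentiality/integrity risk to payroll while the other is an availability risk to orders, so the ranking should be read alongside the threat text rather than on the number alone.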
COUNTERMEASURES – RISK MITIGATION

 Result of risk analysis
◦ A prioritised list of threats with recommended countermeasures to mitigate (reduce the likelihood or impact of) each risk
 Drawbacks of a full risk analysis
◦ The time needed to complete it may render the analysis out of date
◦ Potentially high costs
 Alternatives
◦ Baseline protection: this approach analyses the security requirements for typical cases and recommends security measures deemed adequate for them
◦ Using software that is secure by default, i.e., known vulnerabilities are closed when the software is installed with its default settings
EXTENDED LEARNING

Computer Security: Principles and Practice, Global Edition
https://catalogue.pearsoned.co.uk/educator/product/Computer-Security-Principles-and-Practice-Global-Edition/9781292220611.page

Some Useful Links
 Using a VPN whilst travelling
 Session Hijacking - SecureBlitz
 Sophos – 8 tips to tighten up your home network
 Why Dyslexics make top spies
 Deepfakes and potential influence / mitigation - NCSC
 Apple's T2 custom secure boot chip is not only insecure – it cannot be fixed without replacing the silicon
 Valak Malware makes ‘Most Wanted’ list – State of Security