Risk Management Process

The document outlines the importance of risk management in computer security, detailing its definition, processes, and techniques for identifying and prioritizing risks to information assets. Key concepts include the roles of assets, threats, and vulnerabilities, as well as the steps involved in risk identification and assessment. It emphasizes the need for organizations to systematically evaluate risks to protect their information systems effectively.


CSE 3482

Introduction to Computer Security

Security
Risk Management

Instructor: N. Vlajic, Winter 2017


Required Reading

Computer Security, Stallings: Section 14.3 & 14.4


Learning Objectives

Upon completion of this material, you should be able to:

• Define risk management and its role in an organization.
• Use risk management techniques to identify and prioritize risk factors for information assets.
• Assess risk based on the likelihood of adverse events and the effect on information assets when events occur.
• Document the results of risk identification.
• Detail risk treatment alternatives.
True Story

A company suffered a catastrophic loss one night when its office burned to the ground.

As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ...

The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status.

“Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.”

M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, pp. 303
Introduction

“Investing in stocks carries a risk …”

“Bad hand hygiene (not washing hands) carries a risk …”

“Car speeding carries a risk …”

“Outdated (not updated) anti-virus software carries a risk …”
Definition of Risk

• Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)

• Risk Management – identification, assessment, and prioritization of risks, followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
 examples: finances, industrial processes, public health and safety, insurance, etc.
 one of the key responsibilities of every manager within an organization

http://en.wikipedia.org/wiki/Risk_management
Risk in Information Security
• Risks in Info. Security – risks which arise from an
organization’s use of info. technology (IT)
 related concepts: asset, vulnerability, threat

http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
Risk in Information Security (cont.)

• Asset – anything that needs to be protected because it has value and/or contributes to the successful achievement of the organization’s objectives

• Threat – any circumstance or event with the potential to cause harm to an asset and/or result in harm to the organization

• Vulnerability – a weakness in an asset that can be exploited by a threat

• Risk – probability of a threat acting upon a vulnerability and causing harm to an asset
Risk in Information Security (cont.)
• Interplay between Risk & other Info. Sec. Concepts
http://blog.patriot-tech.com/
Risk in Information Security (cont.)
• Asset, Threat, Vulnerability & Risk in Info. Sec.
http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png
Risk in Information Security (cont.)

• Key Risk-Related Question: Which vulnerabilities, in which assets, should we worry about (i.e., remove)?

[Diagram: Asset 1 with vulnerability 1, vulnerability 2, …, vulnerability n on one side; Threats on the other side as pairs Agent 1 / Event 1, Agent 2 / Event 2, …, Agent m / Event k]
Security Risk Management

• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
 two major sub-processes: Risk Identification & Assessment, and Risk Control (Mitigation)

[Diagram: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks → back to Identify the Risk Areas]
Security Risk Management (cont.)

[Diagram: Risk Management process, reproduced as an outline]

Risk Management
 Risk Identification
  ∗ Identify & Prioritize Assets
  ∗ Identify & Prioritize Threats
  ∗ Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
  ∗ Risk Assessment: Calculate Relative Risk of Each Vulnerability
 Risk Control
  ∗ Cost-Benefit Analysis
  ∗ Options: Avoid, Control, Transfer, Mitigate, Accept
Risk Identification

Risk Identification: Asset Inventory

• Risk identification begins with identification of all information assets, including:

[Figure not reproduced; its callouts read: 1) Which traffic is let into intranet. 2) Backup procedure.]

 No prejudging of asset values should be done at this stage – values are assigned later!
Risk Identification: Asset Inventory (cont.)

• Identifying Hardware, Software & Networking Assets
 Can be done automatically (using specialized software) or manually.
 Needs certain planning – e.g. which attributes of each asset should be tracked, such as:
  ∗ name – tip: naming should not convey critical info to potential attackers
  ∗ asset tag – unique number assigned during acquisition process
  ∗ IP address
  ∗ MAC address
  ∗ software version
  ∗ serial number
  ∗ manufacturer name
  ∗ manufacturer model or part number
Risk Identification: Asset Inventory (cont.)

Example: Network Asset Tracker

http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
 Not as readily identifiable as other assets – require that
experience and judgment be used.
 Possible attributes:
 people – avoid personal names, as they may change, use:
∗ position name
∗ position number/ID
∗ computer/network access privileges
 procedures
∗ description
∗ intended purpose
∗ software/hardware/networking elements to which it is tied
∗ location of reference-document, …
 data
∗ owner
∗ creator
∗ manager
∗ location, …
Risk Identification:
Asset Ranking/Prioritization
Risk Identification: Asset Ranking

• Assets should be ranked so that the most valuable assets get the highest priority when managing risks.

 Questions to consider when determining asset value/rank:

1) Which info. asset is most critical to overall success of the organization?

Example: Amazon’s ranking assets

Amazon’s network consists of regular desktops and web servers. Web servers that advertise the company’s products and receive orders 24/7 – critical. Desktops used by the customer service department – not so critical.
Risk Identification: Asset Ranking (cont.)

2) Which info. asset generates most revenue?

3) Which info. asset generates highest profitability?

Example: Amazon’s ranking assets

At Amazon.com, some servers support book sales (resulting in highest revenue), while others support sales of beauty products (resulting in highest profit).

4) Which info. asset is most expensive to replace?

5) Which info. asset’s loss or compromise would be most embarrassing or cause greatest liability?
Risk Identification: Asset Ranking (cont.)

Example: Weighted asset ranking (NIST SP 800-30)

Not all asset ranking questions/categories may be equally important to the company. A weighting scheme could be used to account for this …
Each criterion is assigned a weight (0 – 100); the weights must total 100!
Each asset is assigned a score (0.1 – 1.0) for each critical factor.

[Worksheet table not reproduced: one row per data asset / information transmitted, one column per weighted criterion]
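The weighted ranking worksheet above, worked through in code. This is an added example, not code from the slides or from NIST SP 800-30; the three criteria follow the ranking questions on the preceding slides, and the assets, weights and scores are constructed for illustration. It enforces the two worksheet rules (weights total 100, scores within 0.1–1.0) before ranking.

```python
"""Weighted asset ranking worksheet (added example, not from the slides).

Each ranking criterion gets a weight 0-100 (weights must total 100), and
each asset gets a score 0.1-1.0 per criterion. An asset's weighted score
is the sum of weight * score over all criteria, and assets are ranked by it.
Assets, criteria, weights and scores below are constructed for illustration.
"""

# Criteria and their weights (constructed split; must total 100).
CRITERIA = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "public_image_liability": 30,
}

# Constructed asset scores, 0.1 (least important) to 1.0 (most important).
ASSETS = {
    "Order-taking web server": {
        "impact_on_revenue": 1.0,
        "impact_on_profitability": 0.9,
        "public_image_liability": 0.8,
    },
    "Customer-service desktop": {
        "impact_on_revenue": 0.2,
        "impact_on_profitability": 0.2,
        "public_image_liability": 0.3,
    },
    "Customer database": {
        "impact_on_revenue": 0.8,
        "impact_on_profitability": 0.8,
        "public_image_liability": 1.0,
    },
}


def validate_weights(criteria):
    """Enforce the worksheet rule that criterion weights total exactly 100."""
    total = sum(criteria.values())
    if total != 100:
        raise ValueError(f"criterion weights must total 100, got {total}")
    for name, weight in criteria.items():
        if not 0 <= weight <= 100:
            raise ValueError(f"weight for {name!r} outside 0-100: {weight}")


def validate_scores(asset_name, scores, criteria):
    """Every criterion needs a score, and each score must lie in 0.1-1.0."""
    missing = set(criteria) - set(scores)
    if missing:
        raise ValueError(f"{asset_name!r} lacks scores for {sorted(missing)}")
    for name, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(
                f"score {score} for {asset_name!r}/{name!r} outside 0.1-1.0")


def weighted_score(scores, criteria):
    """Weighted score = sum over criteria of weight * score (maximum 100)."""
    return round(sum(criteria[c] * scores[c] for c in criteria), 2)


def rank_assets(assets, criteria):
    """Return (asset, weighted score) pairs, most valuable asset first."""
    validate_weights(criteria)
    ranked = []
    for name, scores in assets.items():
        validate_scores(name, scores, criteria)
        ranked.append((name, weighted_score(scores, criteria)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:6.1f}  {name}")
```

With the constructed numbers the web server (90.0) edges out the customer database (86.0), and the desktop (23.0) is last; changing the weights is how the company expresses which ranking question it cares about most, and the validation catches a worksheet whose weights no longer sum to 100.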
Risk Identification:
Threat Identification & Prioritization

Risk Identification: Threat Identification

• Now that assets are known, we should see if threats to those assets exist …

[Diagram: Asset 1 with vulnerability 1, vulnerability 2, vulnerability 3, …, vulnerability n on one side; Threats on the other side as pairs Agent 1 / Event 1, Agent 2 / Event 2, …, Agent m / Event k]
Risk Identification: Threat Identification

• Any organization faces a wide variety of threats.

• To keep risk management ‘manageable’ …
 realistic threats must be identified and further investigated, while unimportant threats should be set aside

Example: CSI/FBI survey of types of threats/attacks

[Survey chart not reproduced]

Risk Identification: Threat Identification

Example: PwC Report “US Cybercrime: Rising Risks, Reduced Readiness” (2014)
http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf

Significant Detected Incidents Across Industries:

[Chart not reproduced]
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage [attacker-, system-, or asset-centric]

 Attacker-centric – starts from attackers, evaluates their motivations and goals, and how they might achieve them, through an attack tree.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment
 System-centric – starts from model of system, and
attempts to follow model dynamics and logic, looking
for types of attacks against each element of the model.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment
 Asset-centric – starts from assets entrusted to a system,
such as a collection of sensitive personal information, and
attempts to identify how CIA security breaches can happen.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
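An attack tree, the tool named under the attacker-centric approach above, as a small evaluator. This is an added example; it is not code from the slides or from the INF3510 notes they cite. The tree, its leaf names and every likelihood are constructed (loosely after the office-backup story earlier in the slides), and the propagation rule (OR = max of children, AND = product of children) is an assumed simplification that real tools refine. The point for a defender is the last step: lowering one leaf's likelihood only lowers the root goal if no other branch still dominates.

```python
"""Attack-tree evaluator for attacker-centric threat modeling (added example).

An attacker goal is the root. An OR node is achieved if any child is, an AND
node only if all children are. Each leaf carries a rough likelihood (0.0-1.0)
that the attacker completes that step under current controls. Propagation
rule (an assumed simplification): OR = max of children, AND = product.
The tree, leaf names and all numbers below are constructed for illustration.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    likelihood: float = 0.0       # meaningful for leaves only
    children: List["Node"] = field(default_factory=list)

    def evaluate(self) -> float:
        """Likelihood that the attacker achieves this node's goal."""
        if self.kind == "LEAF":
            if not 0.0 <= self.likelihood <= 1.0:
                raise ValueError(f"{self.name!r}: likelihood outside 0.0-1.0")
            return self.likelihood
        values = [child.evaluate() for child in self.children]
        if not values:
            raise ValueError(f"{self.name!r}: {self.kind} node has no children")
        if self.kind == "OR":
            return max(values)
        if self.kind == "AND":
            product = 1.0
            for value in values:
                product *= value
            return product
        raise ValueError(f"{self.name!r}: unknown node kind {self.kind!r}")

    def find(self, name: str) -> Optional["Node"]:
        """Depth-first lookup of a node by name (None if absent)."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


def build_tree() -> Node:
    """Constructed tree modelled on the office-backup story in the slides."""
    return Node("Attacker obtains a copy of the financial records", "OR", children=[
        Node("Take the backup media", "AND", children=[
            Node("Gain physical access to the office", likelihood=0.3),
            Node("Backups kept in an unlocked desk drawer", likelihood=1.0),
        ]),
        Node("Compromise the bookkeeping desktop", "AND", children=[
            Node("Anti-virus not updated", likelihood=0.8),
            Node("User opens a malicious attachment", likelihood=0.4),
        ]),
    ])


def goal_likelihood(tree: Node) -> float:
    """Root likelihood, rounded so float noise does not hide equal branches."""
    return round(tree.evaluate(), 4)


def apply_countermeasure(tree: Node, leaf_name: str, new_likelihood: float) -> float:
    """Lower a leaf's likelihood (the effect of a control) and re-evaluate the root."""
    leaf = tree.find(leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(f"no leaf named {leaf_name!r}")
    leaf.likelihood = new_likelihood
    return goal_likelihood(tree)


if __name__ == "__main__":
    tree = build_tree()
    print("before controls:", goal_likelihood(tree))
    print("backups locked away:",
          apply_countermeasure(tree, "Backups kept in an unlocked desk drawer", 0.1))
    print("anti-virus kept current:",
          apply_countermeasure(tree, "Anti-virus not updated", 0.1))
```

With the constructed numbers the root starts at 0.32, driven by the desktop branch. Locking the backups away drops the media branch to 0.03 but leaves the root at 0.32; only after the second control does the root fall to 0.04. That is the threat-prioritization lesson in miniature: a control is worth little if it does not touch the branch that currently dominates.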
Risk Identification: Threat Prioritization

• Questions used to prioritize threats:

 Which threats present a danger to the organization’s assets in its current environment? ( ‘pre-step’ )
  ∗ Goal: reduce the risk management’s scope and cost.
  ∗ Examine each category from the CSI/FBI list, or as identified through the threat assessment process, and eliminate any that do not apply to your organization.

 Which threats represent the most danger … ?
  ∗ Goal: provide a rough assessment of each threat’s potential impact given the current level of the organization’s preparedness.
  ∗ ‘Danger’ might be a measure of:
   1) probability that the threat attacks the organization
   2) severity, i.e. overall damage that the threat could create
Risk Identification: Threat Prioritization (cont.)

• Other questions used to assess/prioritize threats:
 How much would it cost to recover from a successful attack?
 Which threats would require the greatest expenditure to prevent?

• Threat ranking can be quantitative or qualitative.

• Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.
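The threat-prioritization steps on the last two slides, carried through in code: the applicability pre-step, a rough danger score of probability times severity, and both a quantitative ranking and a qualitative band. This is an added example, not code from the slides. The 1–5 scale for each factor, the band thresholds, and the whole threat list with its recovery and prevention costs are constructed assumptions; the slides leave the scale open.

```python
"""Rough threat prioritization (added example, not code from the slides).

Pre-step: drop threat categories that do not apply to the organization.
Then rank the remaining threats by danger = probability x severity.
Both factors use an assumed 1-5 scale; the qualitative bands are likewise
an assumption. Recovery cost and cost to prevent (the follow-up questions)
travel with each threat so they can be read next to the rank.
All threats and values are constructed for illustration.
"""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    category: str
    probability: int       # 1 (rare) .. 5 (near certain); constructed scale
    severity: int          # 1 (negligible) .. 5 (catastrophic); constructed scale
    recovery_cost: int     # cost to recover from a successful attack (constructed, k$)
    prevention_cost: int   # cost to prevent the threat (constructed, k$)
    applies: bool = True   # outcome of the 'does this threat apply to us?' pre-step


# Constructed sample threat list.
THREATS = [
    Threat("Malware / ransomware", probability=4, severity=4,
           recovery_cost=120, prevention_cost=30),
    Threat("Phishing / social engineering", probability=5, severity=3,
           recovery_cost=40, prevention_cost=15),
    Threat("Fire / natural disaster", probability=1, severity=5,
           recovery_cost=500, prevention_cost=60),
    Threat("Insider misuse of access", probability=2, severity=4,
           recovery_cost=80, prevention_cost=25),
    # Eliminated in the pre-step: this organization holds no proprietary designs.
    Threat("Theft of proprietary product designs", probability=2, severity=3,
           recovery_cost=200, prevention_cost=50, applies=False),
]


def danger(threat: Threat) -> int:
    """Quantitative danger score: probability x severity (1..25)."""
    for value in (threat.probability, threat.severity):
        if not 1 <= value <= 5:
            raise ValueError(f"{threat.category!r}: factor {value} outside 1-5")
    return threat.probability * threat.severity


def qualitative_level(score: int) -> str:
    """Map the numeric score onto a qualitative band (assumed thresholds)."""
    if score >= 13:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Apply the pre-step, then order by danger; ties broken by recovery cost."""
    applicable = [t for t in threats if t.applies]
    return sorted(applicable,
                  key=lambda t: (danger(t), t.recovery_cost),
                  reverse=True)


def ranked_categories(threats: List[Threat]) -> List[str]:
    """Category names in priority order, for a quick read of the result."""
    return [t.category for t in prioritize(threats)]


if __name__ == "__main__":
    print(f"{'danger':>6}  {'level':<6} {'recover':>7} {'prevent':>7}  category")
    for t in prioritize(THREATS):
        d = danger(t)
        print(f"{d:>6}  {qualitative_level(d):<6} {t.recovery_cost:>7} "
              f"{t.prevention_cost:>7}  {t.category}")
```

Note how the fire threat lands last on danger (1 × 5) even though it has the largest recovery cost; the slides list recovery cost as a separate question precisely because a probability-times-severity score alone can bury a rare, catastrophic event. Keeping the cost columns beside the rank makes that visible when the list is reviewed against each asset for vulnerabilities.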
