Rass English Version
Contents
Real world
Terms and definitions
Reference moments that highlight the need of security
Attacks and organization losses
Risk and company
Risk management and risk analysis
Threat, Vulnerability and Risk mitigation
Qualitative risk analysis
Quantitative risk analysis
Vulnerability analysis/workstation risk analysis
Countermeasures - Decisional process coordination
Costs and profitability: economic indicators of the security investment
Security outsourcing
Questions
Other questions
Good/asset
- Anything that represents a value within an organization: buildings, hardware and software components, data, personnel, plans, documentation, etc.
Vulnerability
- A weakness in system procedures, system architecture, system implementation, internal controls or other causes that can be exploited to bypass the security system and gain unauthorized access to information.
- Any weakness, administrative process, act or statement that makes a piece of information about an asset likely to be exploited by a threat.
- A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST SP 800-30).
Threat
- Potential cause of an undesired impact on a system or organization (ISO 13335-1).
- An undesired event (intentional or accidental) that can damage the assets of the organization.
- The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (NIST SP 800-30).
Impact - the overall expected loss to the business when a threat exploits a vulnerability against an asset.
Exploit - a means of using a vulnerability to cause a malfunction of the organization's activities or a failure of the information security services within the organization.
Exposure - a threat action through which sensitive information is released directly to an unauthorized entity (RFC 2828).
Integrity - the property that data has not been altered or destroyed in an unauthorized manner (ISO 7498-2).
Accessibility (availability) - the property of a system of being accessible and usable on demand by an authorized user or process within the system.
Confidentiality - the property that information is not made available or disclosed to unauthorized persons, entities or processes (ISO 7498-2).
Annual Loss Expectancy (ALE) - the total amount of money an organization will lose in a year if it does not take measures to minimize or eliminate the risk.
Annual Loss Expectancy per Asset (ALEa) - the total amount of money, related to one asset, that the organization will lose in a year if it does not take measures to minimize or eliminate the risks affecting that asset.
Annual Loss Expectancy per Threat (ALEt) - the total amount of money, caused by one threat, that the organization will lose in a year if it does not take measures to minimize or eliminate the risk that threat poses to its assets.
Annual occurrence rate (of an event) - a value quantifying the number of times an event may occur during one year.
Cost-benefit analysis - estimation and comparison of the relative value and cost of each proposed control; the efficiency criterion used to choose the control that will be implemented.
Return on investment (the profit from investing in security) - the total amount of money that an organization expects to save in one year by implementing security measures.
User
A person who uses a computer system; a user may be an expert or a novice.
End user
A person/user who runs an application program.
Need of security

Reference moments that highlight the need for security:
1. (start of this item missing in the source) ... Germany, managing to penetrate 30 of them. Initially accused of unauthorized access, he was charged with espionage after it emerged that he had sold secrets to the KGB.
2. In 1990, an Australian student who called himself Phoenix was blamed for causing a 24-hour shutdown of NASA computers in Norfolk, Virginia. He had also altered information at Lawrence Livermore National Laboratory in California.
3. In 1988, several air transport agencies discovered that somebody had penetrated their systems and printed illegal plane ticket reservations. For the first time the question arose whether terrorist organizations were doing this in order to obtain access to passenger lists. The question reappeared when members of the Kuwaiti royal family were taken hostage on board a plane, and it was asked again after the attacks of September 11th, 2001.
4. In April 1986, an intruder known as Captain Midnight managed, by transmitting at higher power, to take over an HBO channel and send his own message to millions of viewers. This raised the prospect of such actions being used for terrorist purposes.
5. The event recorded as the "Constitution Loss" may be the most serious case of human error in implementing security. In 1991, before the final vote on the Constitution of Colombia, a user who had to make the last changes to the online version made a mistake that resulted in the loss of the data. With no backup, the data was restored only after laborious work using the drafts of the members of the committee for the new Colombian Constitution.
6. In January 1988, hundreds of computers at the Hebrew University in Jerusalem were found to be infected with a virus. The virus was active on every 13th of the month that fell on a Friday, slowing down processes and erasing the data from that day. The virus was also named Columbus Day or Datacrime.
7. In 1989, a 14-year-old from Kansas managed, using an Apple computer, to penetrate the positioning system of Air Force satellites, to make international calls and to access confidential files.
8. The Flamble virus belongs to a special category of viruses: it also acts on the hardware, by increasing the horizontal scanning frequency of the monitor's electron beam beyond the admitted limits, so that the monitor catches fire. In 1988 this virus affected a consulting company in San Jose, California.
Figure: CSI/FBI 2006 Computer Crime and Security Survey, percentage of respondents reporting each type of incident, 2000-2006 (y-axis 0-100%; series: Unauthorized access, Denial of service (DoS), System penetration, Financial fraud, Sabotage, Wireless network abuse).
Source: Computer Security Institute, CSI/FBI 2006 Computer Crime and Security Survey

Types of attack or misuse detected, percentage of respondents, 2004-2008 (2008: 433 respondents):

Incident type                     2004   2005   2006   2007   2008
Denial of service                  39%    32%    25%    25%    21%
Laptop theft                       49%    48%    47%    50%    42%
Telecom fraud                      10%    10%     8%     5%     5%
Unauthorized access                37%    32%    32%    25%    29%
Virus                              78%    74%    65%    52%    50%
Financial fraud                     8%     7%     9%    12%    12%
Insider abuse                      59%    48%    42%    59%    44%
System penetration                 17%    14%    15%    13%    13%
Sabotage                            5%     2%     3%     4%     2%
Theft/loss of proprietary info     10%     9%     9%     8%     9%

The remaining rows of this slide (theft/loss of proprietary information from mobile devices, password sniffing and others) are not legible in the source.
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Earlier survey editions cited on the slides, with the number of respondents (response rate): 2000: 583 (90%); 2001: 484 (91%); 2002: 414 (82%); 2003: 488 (92%); 2005: 521. Other 2008 charts are based on 496, 295 and 233 respondents respectively.
Sources: Computer Security Institute, CSI/FBI 2003, 2005 and 2008 Computer Crime and Security Survey; Computer Security Institute, CSI 2010 Computer Crime and Security Survey (several continuation slides).
SECURITY
- Secrecy: prohibiting unauthorized persons from accessing information that is not intended for them.
- Accuracy.
- Basement (as labelled on the slide): confirms the authenticity of an electronic message.
Security programme:
- Awareness (program)
- Executive communication (program)

COMPANY
- People: training, responsibilities, knowledge, organization
- Processes: policies, procedures, standards
- Technologies: infrastructure, applications

Security management cycle (stages converging on a common point): risk analysis, determination of needs, policy implementation, control implementation, assistance, awareness, monitoring, evaluation.
Source http://www.noweco.com/
At http://www.noweco.com/downe.htm one can find material on risk management (trial software, brochures, presentations).

The Microsoft Security Risk Management Process has four phases:
1. Assessing risk (risk evaluation): identifying and classifying the risks that can affect the business.
2. Conducting decision support: identifying and evaluating control measures and solutions, taking the cost-benefit ratio into account.
3. Implementing controls.
4. Measuring program effectiveness: analyzing the efficiency of the adopted control measures and checking that the applied controls ensure the established protection level.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Figure: Relative Level of Effort During the Microsoft Security Risk Management Process (effort level plotted against the process stages: data gathering, summary risk analysis, detailed risk analysis, decision support, implement controls, operate controls).
http://technet.microsoft.com/en-us/library/cc163143.aspx
Risk management maturity levels (Status: Description)

Non-existent: The company does not have a well-documented security policy.
Ad hoc: The company is aware of the risk, but risk management efforts are hurried and chaotic. Policies and processes are not well documented. Risk management projects are chaotic and uncoordinated, and their results cannot be measured or evaluated.
Repeatable: The company has some knowledge of risk management. The risk management process is repeatable but immature. The processes are not sufficiently documented, although the company is taking action in this direction. There is no formal training or communication about risk management; responsibility is left to the individual employee.
Defined: The company has formally decided to implement risk management. The objectives and the ways of measuring results are clearly defined. Employees receive formal training at a basic level.
Managed: Risk management is well understood in all departments and at all levels of the company. There are well-defined control and risk-reduction procedures. Efficiency can be measured. Personnel are trained, the allocated resources are sufficient and the benefits are visible. The risk management team works to continuously improve the processes and tools it uses. A great deal of the risk evaluation, control identification and cost-benefit analysis is still done manually (not automated).
Optimized: The organization has committed significant resources to security risk management, and staff members look toward the future, trying to ascertain what the issues and solutions will be in the months and years ahead. The risk management process is well understood and significantly automated through the use of tools (either developed in-house or acquired from independent software vendors).
http://technet.microsoft.com/en-us/library/cc163143.aspx
Questions

Self-assessment questionnaire; each question is scored from 0 to 5 (questions 1, 4, 7 and 9 to 13 are not legible in the source):
2. All positions with information security responsibilities have clear and well-understood roles and responsibilities.
3. The policies and procedures securing the company's partners' access to the company's data are well documented.
5. The existing control systems are adequate and operate with the correct parameters to protect the company's data against unauthorized internal or external access.
6. The data security policies and practices are known by the users, who are periodically trained and informed about the latest developments.
8. The computers are equipped according to the security standards in the field, with automatic tools for assuring data security.
14. Those who deal with application development receive periodic training and are aware of the security standards for building software and for testing its quality.
15. Business continuity (continuity of activity) and the programs that provide it are clearly defined, well documented and periodically tested through simulations and rehearsals.
16. Programs are in place (and effective) to make sure that all employees carry out their tasks in accordance with the legal provisions.
17. Reviews and audits (formal examinations) are used to verify compliance with the standard procedures, in order to obtain security benefits.
Final score: 0 ... 85

Score obtained / Stage:
51 ... 85 and 34 ... 50: the recommendations for these two bands are garbled in the source; the recoverable fragments read "The company has to go through several ... stages ... of the risk control ... and to gradually ... introduce new control processes."
0 ... 33: The company in this category must first create the nucleus of a risk analysis management team. The team will concentrate its efforts for several months on one of the departments. After the viability of the applied risk reduction measures is proved, it will extend the measures to the next two or three departments.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Other questions that will define the security level of your organization and guide your subsequent actions are available at:
http://csrc.nist.gov/
http://csrc.nist.gov/publications/nistpub/index.html
NIST, National Institute of Standards and Technology: Security Self-Assessment Guide for Information Technology Systems
Roles in the risk management process:

Title               Responsibility
Executive director  Establishes the acceptable risk
Business owner      Determines what is important
Security group      Prioritizes risks
IT group            Selects the best control solution
Other participants listed on the slide: secretary, stakeholders, owner.

Process flow: Assess risk / risk evaluation -> Defining security requirements -> Design and build security solutions -> Measure security solutions.
http://technet.microsoft.com/en-us/library/cc163143.aspx
The four phases and their sub-steps:
1. Assessing risk / risk evaluation (process type: risk analysis/assessment; objective: identifies and prioritizes the risks within the company). Its steps on the slides are: 1. Planning (alignment, purpose, acceptance); 3. Risk prioritizing: coordinating a summary prioritization of the risk level; summary of the risk level prioritization; review together with the owner; detailed analysis of the risk level prioritization; detailing the risk level prioritization.
2. Conducting decision support: defining functional requirements for reducing the risk; organizing control solutions, i.e. organizing the risk-reduction solutions around the company's activities.
3. Implementing controls: looking for an integrated approach that correlates people, processes and technologies for risk mitigation.
4. Measuring program effectiveness: developing a risk-level evolution diagram; understanding the risk level and its evolution.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Qualitative analysis: works with less complex data.
Quantitative analysis: works with statistical data from the field.

Risk
- A threat that may exploit a possible weakness of the system.
- The combination of the probability of an event and its consequences (ISO Guide 73).
- A vulnerability triggered or exploited by a threat (NIST SP 800-30).
http://technet.microsoft.com/en-us/library/cc163143.aspx
Components of risk:
- Asset: what do we want to protect?
- Threat: what are we afraid of?
- Vulnerability: how may it happen?
- Impact: what is the impact to the business?
- Probability: how likely is the threat, given the controls in place?
- Mitigation: the controls that reduce the risk.
Risk categories
A risk categorization can be done by taking the risk sources into account. A first categorization may be:
1. Goods (asset) management
2. Management of change
3. Understanding
4. Environment
5. Financial
6. General management
7. Responsibilities
8. Personnel
9. Services and production
10. Technology
Risk categories
The standards in the field offer the following risk categorization (No. / Category / Examples or description):
1. Diseases
2. Economic
3. Environment
4. Financial
5. Human
6. Natural disasters
7. Safety measures
8. Productivity
9. Professional
10. Property damage
11. Public (public relations)
12. Security
13. Technological
Events

Risk categories, summary: natural threats, human threats and environmental threats act on the company, that is, on its people, its processes and its technologies.

Control = applying countermeasures, which means implementing controls.
Really? Is it so easy?
Is it so easy ?
Countermeasures and risk: in the ideal case the countermeasures cancel the risk, but in real life the risk level stays above zero (risk level > 0). What remains is the residual risk.
Vulnerability - Threat
(Vulnerability is defined in the Terms and definitions section above.)

Factors that determine vulnerability: physical; natural; hardware; software; storage media (hard drives); radiation; communication; human.

Intentional threats are the most frequent. They can be categorized as internal or external. Internal threats come from the organization's own employees. External threats come from several categories, listed below:
Threat (types and examples)

Type of threat         Examples
Catastrophic           Fire; flood; earthquake; landslide; avalanche; storm/hurricane; terrorist attack; riots; explosion (industrial)
Accident               Non-standard voltage; hardware flaw; mechanical disconnections; construction accident
Non-intentional acts   Non-informed employee/collaborator; non-trained employee/collaborator; negligent employee/collaborator
Intentional acts       Hacker, cracker; espionage (business partners, competition); espionage (foreign governments); computer criminal; social engineering; disgruntled employee; disgruntled ex-employee; terrorist; blackmailed employee; fake employee
Vulnerability (types and examples)

Type of vulnerability        Vulnerabilities
Physical                     Unlocked/unsecured rooms; unlocked/unsecured windows; building design flaws
Natural                      Construction in flood-prone areas; construction in unsuitable areas
Hardware                     Inappropriate configuration; physically unsecured computer system; missing patches; old equipment; inadequate protocols
Software                     Outdated antivirus software; outdated firewall software; missing patches/fixes; non-professional applications; applications written with backdoors; improper software configuration
Storage media (hard drives)  Defective storage enclosures
Communications               Radio interference; electrical interference; unencrypted communications
Human                        Failure to report attacks; weak response to attacks

Asset classes (layers) used in the Microsoft process: Physical, Network, Host, Applications, Data.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Data collection
When data is gathered by sampling (e.g. questionnaires), decide how certain you need to be (confidence level), the precision, and the margin of error. A sample-size calculator is available at http://www.macorr.com/ss_calculator.htm
Summary data-collection template, one row per asset (example assets: DB server, LAN printer):
Asset | What are we afraid of? (Threat) | How may it happen? (Vulnerabilities) | Exposure level (H, M, L) | Current control description | Probability (H, M, L) | Potential controls
Asset classes: Physical, Network, Host, Applications, Data.
http://technet.microsoft.com/en-us/library/cc163143.aspx

Exposure template:
Identified data | Asset/description | Asset class | Applicability level | Threat description | Vulnerability description | Exposure rate (H, M, L) | Impact rate (H, M, L)
Example rows:
Data | Client data | Host | (not filled in) | Unauthorized access | Theft or password guessing | (to be rated) | (to be rated)
Data | Client data | Host | (not filled in) | Alteration | Viruses; improper configuration | (to be rated) | (to be rated)
http://technet.microsoft.com/en-us/library/cc163143.aspx

Data gathering: the security group collects the data through interviews (interrogations) and discussions with the employer and with the employees.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Qualitative analysis: works with less complex data.
Quantitative analysis: works with statistical data from the field.

The qualitative method is used more often than the quantitative one, mainly in small companies. It does not use statistical data; instead it uses the loss potential as input. The method operates with terms such as:
- often/high, medium, seldom/low, referring to the likelihood of the risk occurring and to its impact;
- vital, critical, important, general and informational, referring to the type and classification of information;
- numbers: 1, 2, 3.
The immediate effect is a reduction of the amount of work and of the time consumed.
The method also has disadvantages:
- certain terms are hard to quantify ("important" is a hard term to define in management);
- the numbers are this time even more subjective: whereas in the quantitative method the data are statistical, here they are subjective.
Qualitative analysis

3. Prioritizing risks:
- coordinating a summary prioritization of the risk level;
- summary of the risk level prioritization;
- review together with the owner;
- detailed analysis of the risk level prioritization;
- detailing the risk level prioritization.

For coordinating a summary prioritization of the risk level the following steps are followed (steps 1 and 2 are the impact class and occurrence probability tables below):
3. Establishing a summary risk level by combining the impact and the occurrence probability for every asset.
Loss scale used to score the impact:

Losses (USD)*               Points
< 2,500
2,501 - 8,000
8,001 - 10,000,000
10,000,001 - 15,000,000
15,000,001 - 20,000,000
20,000,001 - 25,000,000
25,000,001 - 37,500,000
37,500,001 - 50,000,000
> 50,000,000                10
(Only the top band's point value is legible in the source.)

* The value of losses differs according to the size of the company: a high level of losses for a small company can be a small one for a large company. A minimum and a maximum level of losses is set for every company, and the point scale is then built on them.
http://technet.microsoft.com/en-us/library/cc163143.aspx
Qualitative analysis: company size classes

Type of company  Number of servers  Annual income (USD)  Number of employees  Other characteristics
Large            > 1,000            > 1 billion          > 2,000              many sites; special management
Medium           > 100              > 100 million        > 500                a few sites
Small            < 100              < 100 million        < 100
1. Impact class, as a function of the impact rate (rows) and the exposure factor (columns):

Impact rate \ Exposure factor   Low     Medium   High
High                            Medium  High     High
Medium                          Low     Medium   High
Low                             Low     Low      Medium
http://technet.microsoft.com/en-us/library/cc163143.aspx
2. Probability of occurrence (probability rate):
- High: certain. The event occurs one or more times per year.
- Medium: probable. The event may occur within the next one, two or three years.
- Low: unlikely. The event is not expected to occur within the next three years.
http://technet.microsoft.com/en-us/library/cc163143.aspx
3. Establishing the summary risk level by combining the impact rate (rows) and the occurrence probability (columns) for every asset:

Impact rate \ Probability   Low     Medium   High
High                        Medium  High     High
Medium                      Low     Medium   High
Low                         Low     Low      Medium
http://technet.microsoft.com/en-us/library/cc163143.aspx
Qualitative analysis

3. Prioritizing risks (continued): after the summary prioritization, the review together with the owner and the detailed analysis of the risk level follow. For detailing the risk level the following steps are to be followed:
Step 1. Exposure rate and consequences. The exposure rate is expressed on a five-level consequence scale: Insignificant, Minor, Moderate, Major, Catastrophic (the descriptions are not legible in the source).

The impact value is obtained by multiplying the impact class value (V) by the corresponding exposure factor (EF): impact rate = V x EF.

Impact class value (V): High = 10 (the values for Medium and Low are not legible in the source).
Exposure rate -> exposure factor (EF): 5 -> 100%, 4 -> 80%, 3 -> 60%, 2 -> 40%, 1 -> 20%.

Values of the impact rate:
Level    Impact rate
7 - 10   High
4 - 6    Medium
0 - 3    Low
http://technet.microsoft.com/en-us/library/cc163143.aspx
Step 2. Probability of occurrence (probability rate):
- assumes determining the existence of a certain vulnerability and the possibility of exploiting it;
- assumes determining the probability that a certain vulnerability is reduced by the controls in place.

Step 3. Vulnerability level. The factors taken into account:
1. Number of attackers: vulnerability grows with the number of persons able to mount an attack, and with their training level.
2. Local or remote attack: vulnerability grows if the security flaw can be exploited remotely.
3. Knowledge: vulnerability grows if the type of attack is known and documented.
4. Automation: vulnerability grows if the attack can be automated so that it finds and exploits the security flaws by itself.

Vulnerability level   Conditions (the grade applies if at least one condition is satisfied)                                                                                   Grade
High                  great number of attackers (script kiddies/hobbyists); remote attack; anonymous privilege; very well known and documented exploitation methods; automation   5
Medium                medium number of specialists (experts); local attack; requires access rights; undocumented attack methods; no automation                                  3
Low                   low number of attackers with knowledge of the internal architecture; local attack; requires administrator privileges; undocumented attack methods; no automation   1

Control-effectiveness questions (score: 0 = Yes, 1 = No; the sum is added to the vulnerability grade):
- Does the existing technology or control reduce the threat?
- Are the current audit practices sufficient to detect abuse or control deficiencies?
(The other questions of the list are not legible in the source.)
http://technet.microsoft.com/en-us/library/cc163143.aspx
Step 4. Risk level = impact rate x probability rate (result between 0 and 100):

Result (product)   Risk level
41 - 100           High
20 - 40            Medium
0 - 19             Low

The impact rate bands are 10 - 7 High, 6 - 4 Medium, 3 - 0 Low; the probability rate runs on the same 0 - 10 scale (Low, Medium, High). Example from the slide: impact 8 x probability 8 = 64, High risk.

Product table (rows: impact rate 10 down to 1; columns: probability rate 1 to 10):
10:  10  20  30  40  50  60  70  80  90 100
 9:   9  18  27  36  45  54  63  72  81  90
 8:   8  16  24  32  40  48  56  64  72  80
 7:   7  14  21  28  35  42  49  56  63  70
 6:   6  12  18  24  30  36  42  48  54  60
 5:   5  10  15  20  25  30  35  40  45  50
 4:   4   8  12  16  20  24  28  32  36  40
 3:   3   6   9  12  15  18  21  24  27  30
 2:   2   4   6   8  10  12  14  16  18  20
 1:   1   2   3   4   5   6   7   8   9  10
http://technet.microsoft.com/en-us/library/cc163143.aspx
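The qualitative procedure above, both the summary level (the two H/M/L matrices for impact class and risk level) and the detailed level (impact rate = V x EF, probability rate = vulnerability grade + control answers, risk = impact x probability with the 41-100 / 20-40 / 0-19 bands), as working code. This is an added example, not code from the course notes or from the Microsoft guide. Assumptions, marked in the code: the impact class values for Medium (5) and Low (2), which the slides leave blank; that the control-effectiveness list has five yes/no questions, so the probability rate stays within 0..10; and the sample risk register, which is constructed. The first register row reproduces the slide's worked value 8 x 8 = 64 (High).

```python
"""Qualitative risk analysis, summary and detailed level (added example).

Scale values the slides leave blank are assumptions, marked ASSUMED below.
"""
from dataclasses import dataclass

# Three-level matrix shared by the two summary tables on the slides:
# impact class = f(impact rate, exposure factor) and risk level = f(impact, probability).
# Keys are (row level, column level); "H", "M", "L" = High, Medium, Low.
SUMMARY_MATRIX = {
    ("H", "L"): "M", ("H", "M"): "H", ("H", "H"): "H",
    ("M", "L"): "L", ("M", "M"): "M", ("M", "H"): "H",
    ("L", "L"): "L", ("L", "M"): "L", ("L", "H"): "M",
}


def summary_impact_class(impact_rate_level: str, exposure_factor_level: str) -> str:
    return SUMMARY_MATRIX[(impact_rate_level, exposure_factor_level)]


def summary_risk_level(impact_class: str, probability_level: str) -> str:
    return SUMMARY_MATRIX[(impact_class, probability_level)]


# Detailed level, step 1: impact rate = impact class value (V) x exposure factor (EF).
IMPACT_CLASS_VALUE = {"H": 10, "M": 5, "L": 2}               # H = 10 from the slide; M, L ASSUMED
EXPOSURE_FACTOR_PCT = {5: 100, 4: 80, 3: 60, 2: 40, 1: 20}   # exposure rate 5..1 -> EF in percent


def impact_rate(impact_class: str, exposure_rate: int) -> float:
    return IMPACT_CLASS_VALUE[impact_class] * EXPOSURE_FACTOR_PCT[exposure_rate] / 100


def impact_level(rate: float) -> str:
    """Slide bands: 7-10 High, 4-6 Medium, 0-3 Low; fractional values fall below the next threshold."""
    if rate >= 7:
        return "H"
    if rate >= 4:
        return "M"
    return "L"


# Detailed level, steps 2-3: probability rate = vulnerability grade (5/3/1) plus one point
# for every control-effectiveness question answered "No" (0 = Yes, 1 = No).
VULNERABILITY_GRADE = {"H": 5, "M": 3, "L": 1}
CONTROL_QUESTION_COUNT = 5   # ASSUMED: five questions, so the rate stays within 0..10


def probability_rate(vulnerability_level: str, controls_in_place: list) -> int:
    """controls_in_place[i] is True when question i is answered Yes (the control is effective)."""
    if len(controls_in_place) != CONTROL_QUESTION_COUNT:
        raise ValueError(f"expected {CONTROL_QUESTION_COUNT} control answers")
    missing = sum(1 for ok in controls_in_place if not ok)
    return VULNERABILITY_GRADE[vulnerability_level] + missing


# Detailed level, step 4: risk = impact rate x probability rate, banded 41-100 / 20-40 / 0-19.
def risk_band(score: float) -> str:
    if score >= 41:
        return "H"
    if score >= 20:
        return "M"
    return "L"


@dataclass
class RiskItem:
    asset: str
    threat: str
    impact_class: str          # H/M/L from the summary impact-class table
    exposure_rate: int         # 1..5 (Insignificant .. Catastrophic)
    vulnerability_level: str   # H/M/L per the attackers / remote / knowledge / automation criteria
    controls_in_place: list    # one bool per control-effectiveness question

    def evaluate(self) -> dict:
        imp = impact_rate(self.impact_class, self.exposure_rate)
        prob = probability_rate(self.vulnerability_level, self.controls_in_place)
        score = imp * prob
        return {"impact": imp, "impact_level": impact_level(imp),
                "probability": prob, "score": score, "risk": risk_band(score)}


def prioritize(items: list) -> list:
    """Detailed risk prioritization: highest score first."""
    return sorted(items, key=lambda it: it.evaluate()["score"], reverse=True)


# Constructed sample register (not from the slides). The first row reproduces the
# slide's worked value: impact 10 x 80% = 8, probability 5 + 3 = 8, product 64 -> High.
SAMPLE_REGISTER = [
    RiskItem("Client data (host)", "Unauthorized access via password guessing",
             "H", 4, "H", [True, False, False, False, True]),
    RiskItem("LAN printer", "Hardware flaw", "L", 3, "L", [True, True, True, True, False]),
    RiskItem("DB server", "Flood", "H", 5, "L", [True, True, False, True, True]),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        r = item.evaluate()
        print(f"{r['risk']}  score={r['score']:5.1f}  impact={r['impact']:4.1f}  "
              f"prob={r['probability']:2d}  {item.asset}: {item.threat}")
```

The summary functions are the two lookup tables; the detailed path is the one to automate, because the same asset can move from Medium to High simply by answering one more control question "No", which is exactly the sensitivity a reviewer should see before accepting a rating.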
Qualitative analysis (five-level variant)

Occurrence level   Occurrence probability / description
A                  Almost certain
B                  Likely
C                  Moderate
D                  Unlikely
E                  Rare

Consequence level   Description / example of consequences
Insignificant       (not legible in the source)
Minor               Medium financial losses; low material damage; first aid has to be given to personnel.
Moderate            (not legible in the source)
Major               (not legible in the source)
Catastrophic        Enormous financial losses; loss of life; total loss of the production capacity.

Risk matrix: consequences (Insignificant, Minor, Moderate, Major, Catastrophic) against occurrence probability (A almost certain, B likely, C moderate, D unlikely, E rare); each cell holds one of the levels below (the cell values are not legible in the source).
E - Extreme risk. Immediate action is required to reduce it. A detailed review of the assets and of the risk-reduction management plans is required, and strategies must be put in place.
H - High risk. Management must consider it immediately. Management strategies will be identified and, as in the previous case, the risk must be minimized.
M - Moderate risk. Management must take it into consideration.
L - Low risk. Handled by the actions specified in the routine procedures.
The tables used in qualitative risk analysis must be customized for the specific activities and locations.
Qualitative analysis: works with less complex data.
Quantitative analysis: works with statistical data from the field.

Quantitative analysis proceeds in six steps (the step titles are not legible in the source; steps 1 and 2 are detailed below).
1. a. Identifying assets (goods)
This involves identifying the software and hardware components, the data, the personnel involved in the processes, the related documentation, the supporting infrastructure, etc. Asset categories: Data, Physical, Documentation, Software, Hardware, Communication. Examples given on the slide: financial, administrative, logistic/managerial, planning, statistical, operational and personal data; files, programs and systems; buildings, offices, auxiliary and lighting systems; operating guidelines, audit documents, procedures, damage (contingency) plans, security plans, I/E procedures, control measures, communication procedures; drives/backup, modems, cables, terminals, antennas, switches/hubs/multiplexers.
1. b. Asset evaluation
When evaluating assets it is preferable to use a scale of asset values:

Value in USD                Number
< 1                         0
1 - 10
11 - 100
100,001 - 1,000,000
1,000,001 - 10,000,000
> 10,000,000
(Only the lowest band's number is legible in the source, and the bands between 101 and 100,000 are missing from it.)

Two cases are considered: Case 1, replacement costs; Case 2, recovery costs.

1. b. Asset evaluation (continued)
The evaluation involves establishing the replacement cost for the case where an asset is destroyed. To do that we have to ask ourselves some questions that help evaluate the assets; some of them are listed below.
For hardware components:
- What is the replacement cost of the asset at current prices?
- How long does it take until the destroyed asset/component is replaced?
- If the operation(s) can be done manually, how many people do we need, and how much additional time is needed?
- What are the losses in customer relations in case of non-functionality?
For data:
- Can the data be restored?
- How much time is lost restoring the data if it is lost?
- Was the disaster caused by a deliberate action or by a random event?
For personnel:
- How many people do we need for disaster recovery?
- How much does it cost to train new personnel?
- What are the psychological effects of disasters?
Asset value as the sum of the impacts over the impact areas:

$V_b = \sum_{i=1}^{n} \mathrm{Impact}_i$

Impact area     Impact (USD)
Secrecy         5,000
Integrity       (not estimated on the slide)
Availability    10 + 15 = 25

Example: consider a file storing the personal data of 200 employees of a company. After an undesired event (intentional, unintentional, accident, natural phenomenon) both the data in the file and its structure are lost, and there is no backup copy. Restoring the file structure can be done by a qualified person working 4 hours during the normal schedule, at a salary of 2.5 USD/hour. Restoring the data is done outside the schedule (overtime) by the same or by another person; it takes 5 hours and is paid at 3 USD/hour. Loss of secrecy, regardless of the nature of the disaster, causes losses estimated at 5,000 USD, which makes secrecy the area with the highest impact with respect to restoration costs.
Restoration cost: 4 (hours) x 2.5 (USD/hour) + 5 (hours) x 3 (USD/hour overtime) = 25 USD.
Qu
a
2. Determining vulnerabilities
. Assumes establishing the threats to goods and the frequency with which these threats can occur.
The possible threats to the company's goods are exemplified in the following lines:
Natural:
- Earthquakes
- Floods
- Hurricanes
- Landslides
- Snow storms
- Sand storms
- Tornados
- Tsunami
- Thunderstorm
- Volcanic eruptions
Accidents:
- Disclosures
- Electrical disturbances
- Electrical malfunction
- Fire
- Leakage of liquid
- Errors in transmissions - telecommunication
- Operators'/users' errors
- Organizational errors
- Hardware errors
- Software errors
Intentional acts:
- Disclosures
- Employee blackmail
- Fraud
- Theft
- Strikes
- Unauthorized use
- Vandalism
- Intrusions
- Bomb attacks
- Riots
Occurrence frequency and the corresponding value O_t (occurrences per year):

| Occurrence     | Fraction | Value   |
|----------------|----------|---------|
| Never          | -        | 0,0     |
|                | 1/300    | 0,00333 |
|                | 1/200    | 0,005   |
|                | 1/100    | 0,01    |
| Every 50 years | 1/50     | 0,02    |
| Every 25 years | 1/25     | 0,04    |
| Every 5 years  | 1/5      | 0,2     |
| Every 2 years  | 1/2      | 0,5     |
| Every year     | 1/1      | 1,0     |
| Twice a year   | 2/1      | 2,0     |
| Once a month   | 12/1     | 12,0    |
| Once a week    | 52/1     | 52      |
| Once a day     | 365/1    | 365     |
Threats and their occurrence rate (per year):

| Threat (Natural)       | Occurrence rate |
|------------------------|-----------------|
| Earthquakes            | 0,005 - 0,2     |
| Floods                 | 0,01 - 0,5      |
| Hurricanes             | 0,05 - 0,5      |
| Landslides             | 0 - 0,1         |
| Snow storms            | 0,07 - 50       |
| Sand storms            | 0,01 - 0,5      |
| Tornado                | 0 - 10          |
| Tsunami                | 0,00001 - 2     |
| Electrical discharges  | 0 - 0,125       |
| Volcanic eruptions     | 0 - 0,01        |

| Threat (Accidents)     | Occurrence rate |
|------------------------|-----------------|
| Disclosures            | 0,2 - 5         |
| Electric disturbances  | 0,1 - 30        |
| Electric malfunctions  | 0,1 - 10        |
| Fire                   | 0,1 - 10        |
| Leakage of liquid      | 0,02 - 3        |
|                        | 0,5 - 100       |
|                        | 10 - 200        |
| Hardware errors        | 10 - 200        |
| Software errors        | 1 - 200         |

| Threat (Intentional acts) | Occurrence rate |
|---------------------------|-----------------|
| Disclosures               | 0,2 - 5         |
| Employee blackmail        | 0,1 - 5         |
| Fraud                     | 0,09 - 0,5      |
| Theft                     | 0,015 - 1       |
| Strikes                   | 0,1 - 5         |
| Unauthorized use          | 0,009 - 5       |
| Vandalism                 | 0,008 - 1,0     |
| Intrusions                |                 |
| Bomb attacks              | 0,01 - 100      |
| Riots                     | 0 - 0,29        |
$$ALE_t = \sum_{a=0}^{n} V_a \times O_t$$
where
ALE_t = Annual Loss Expectancy per threat t,
V_a = Value of asset a (0 to n assets),
O_t = Estimated number of occurrences of threat t (0 to m threats).
[Figure: example assets - Asset = Computer (local); Asset = Printer]
$$ALE_a = \sum_{t=0}^{m} V_a \times O_t$$
where
ALE_a = Annual Loss Expectancy per asset a,
V_a = Value of asset a (0 to n assets),
O_t = Estimated number of occurrences of threat t (0 to m threats).
[Figure: example - Asset = Server centre; Threat = Earthquake; Threat = Flood]
$$ALE = \sum_{t=0}^{m} ALE_t$$
where ALE_t = Annual Loss Expectancy per threat t.
$$ALE = \sum_{a=0}^{n} ALE_a$$
where ALE_a = Annual Loss Expectancy per asset a.
The ALE matrix (threats as rows, assets as columns; row sums give ALE_t, column sums give ALE_a, the grand total gives ALE):

|          | Asset 1   | Asset 2   | ... | Asset n   | Sum     |
|----------|-----------|-----------|-----|-----------|---------|
| Threat 1 | V1 x O1 + | V2 x O1 + | ... | + Vn x O1 | ALE t,1 |
| Threat 2 | V1 x O2 + | V2 x O2 + | ... | + Vn x O2 | ALE t,2 |
| ...      | ...       | ...       | ... | ...       | ...     |
| Threat m | V1 x Om + | V2 x Om + | ... | + Vn x Om | ALE t,m |
| Sum      | ALE a,1   | ALE a,2   | ... | ALE a,n   | ALE     |

(The same matrix is shown a second time with a MAX marker in place of the Sum labels, i.e. the largest ALE value is picked out instead of the total.)
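The matrix above can be filled in and summed mechanically. The following Python is an added example (it is not code from the lecture); the asset values and the occurrence rates in it are constructed for illustration, the rates being chosen from inside the ranges of the occurrence-rate table above. It computes every V_a x O_t cell, the row sums ALE_t, the column sums ALE_a, the total ALE (cross-checking that both ways of summing agree) and the MAX threat of the second matrix.

```python
from math import isclose

# Constructed sample data (not from the lecture): asset values in USD and annual
# occurrence rates O_t. The rates are picked from inside the ranges given in the
# occurrence-rate table (earthquake 0,005-0,2 per year, flood 0,01-0,5 per year).
ASSET_VALUES = {"Computer (local)": 1000.0, "Printer": 300.0}
OCCURRENCES = {"Earthquake": 0.02, "Flood": 0.10}


def occurrences_per_year(times: float, per_years: float) -> float:
    """Turn 'times occurrences every per_years years' into the O_t value of the
    frequency table, e.g. once every 50 years -> 1/50 = 0,02."""
    if per_years <= 0:
        raise ValueError("period must be positive")
    return times / per_years


def ale_matrix(values: dict, occurrences: dict) -> dict:
    """Matrix of expected losses V_a x O_t: threats as rows, assets as columns."""
    return {t: {a: v_a * o_t for a, v_a in values.items()} for t, o_t in occurrences.items()}


def ale_per_threat(values: dict, occurrences: dict) -> dict:
    """ALE_t = sum over assets a of V_a x O_t (row sums of the matrix)."""
    return {t: sum(row.values()) for t, row in ale_matrix(values, occurrences).items()}


def ale_per_asset(values: dict, occurrences: dict) -> dict:
    """ALE_a = sum over threats t of V_a x O_t (column sums of the matrix)."""
    matrix = ale_matrix(values, occurrences)
    return {a: sum(matrix[t][a] for t in matrix) for a in values}


def total_ale(values: dict, occurrences: dict) -> float:
    """ALE = sum of ALE_t = sum of ALE_a. Both sums are computed and cross-checked,
    which catches a matrix that was filled in inconsistently by hand."""
    by_threat = sum(ale_per_threat(values, occurrences).values())
    by_asset = sum(ale_per_asset(values, occurrences).values())
    if not isclose(by_threat, by_asset):
        raise ArithmeticError("row and column totals disagree")
    return by_threat


def worst_threat(values: dict, occurrences: dict) -> str:
    """The MAX marker of the second matrix: the threat with the largest ALE_t."""
    per_threat = ale_per_threat(values, occurrences)
    return max(per_threat, key=per_threat.get)


if __name__ == "__main__":
    for t, row in ale_matrix(ASSET_VALUES, OCCURRENCES).items():
        cells = " + ".join(f"{v:.2f}" for v in row.values())
        print(f"{t:11s}: {cells} = ALE_t {sum(row.values()):.2f} USD/year")
    for a, ale in ale_per_asset(ASSET_VALUES, OCCURRENCES).items():
        print(f"ALE_a[{a}] = {ale:.2f} USD/year")
    print("ALE =", total_ale(ASSET_VALUES, OCCURRENCES), "USD/year")
    print("worst threat:", worst_threat(ASSET_VALUES, OCCURRENCES))
```

With the constructed values the flood row sums to 130 USD/year and the earthquake row to 26 USD/year, so the total ALE is 156 USD/year whichever way the matrix is summed, and MAX points at the flood.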
Identify possible controls which may reduce vulnerability (some may apply to several vulnerabilities).
| Threat (Natural)       | Control measures     |
|------------------------|----------------------|
| Earthquakes            | Sensors, emplacement |
| Floods                 | Sensors, emplacement |
| Hurricanes             | Emplacement          |
| Landslides             | Emplacement          |
| Snow storms            | Emplacement          |
| Sand storms            | Emplacement          |
| Tornado                | Emplacement          |
| Tsunami                | Emplacement          |
| Electrical discharges  |                      |
| Volcanic eruptions     | Emplacement          |

| Threat (Accidents)      | Control measures        |
|-------------------------|-------------------------|
| Disclosures             | Encryption              |
| Electrical disturbances | Voltage stabilizers     |
| Electrical malfunction  | Uninterruptible sources |
| Fire                    |                         |
| Fluid leakage           |                         |
| Telecommunication error |                         |
|                         | Personnel training      |
| Hardware errors         |                         |
| Software errors         | Software testing        |

| Threat (Intentional actions) | Control measures      |
|------------------------------|-----------------------|
| Disclosures                  | Data encryption       |
| Employee blackmail           | Data encryption       |
| Fraud                        |                       |
| Theft                        |                       |
| Strikes                      |                       |
| Unauthorized use             | Passwords, encryption |
| Vandalism                    |                       |
| Bomb attacks                 |                       |
| Riots                        |                       |
| Intrusions                   |                       |
The quantitative method of risk analysis is mainly used in medium and/or large companies.
The quantitative method shown has some drawbacks. Among these we can mention:
- The difficulty in finding a number that quantifies as exactly as possible the occurrence frequency of an event.
- The difficulty in quantifying certain values. For example, the availability of information, and the calculation of the losses when this characteristic is missing, are very hard to define.
- The method does not distinguish between rare threats that produce great disasters in value (fire, earthquakes, tornado etc.) and frequent threats that produce small disasters in value (operating errors), the financial effects being almost the same in both cases.
- Choosing the numbers used can be considered subjective, laborious work that takes time and resources.
[Table: Benefits - Advantages and Drawbacks of Quantitative analysis vs. Qualitative analysis; cell contents not recovered]
[Figure: security risk management process, four phases - 1. Assessing risk / Risk evaluation, 2. Conducting decision support, 3. Implementing controls, 4. Measuring program effectiveness; phase 2 highlighted]
http://technet.microsoft.com/en-us/library/cc163143.aspx
[Figure: Security risk management team and Mitigation group; responsibilities of: Business operators, Business owner, Financial group, IT architecture, IT engineering, IT performers, Internal auditor, Jurist]
http://technet.microsoft.com/en-us/library/cc163143.aspx
Elements of the decision support phase:
- Description: at what level the risk has to be treated for every major risk. All major risks must be accepted; certain major risks can be avoided.
- Functional demands.
- The degree of risk reduction for every control solution: evaluation of every proposed control measure to determine how much it reduces the risk level for goods.
- The estimated cost for every control solution.
In the phase of decisional process coordination, certain questions must be asked in order to choose the controls meant to reduce the risks:
- How many person-hours per year will be required to monitor and maintain the control?
Defining the functional requirements necessary for ensuring security consists in fact of declarations/statements describing the controls necessary for risk attenuation.
Controls must be expressed more as a functional demand and less as a functional status.
The functional demands define WHAT we assume must be done for identifying and reducing the risk, but do not specify HOW the risk can be attenuated, nor indicate specific controls.
HOW the risk can be attenuated, by identifying the control solutions, is a task for the risk control/mitigation/attenuation group.
Identifying the control measures assumes that the team which has this task has experience in the field. If the personnel is not specialized for this purpose, one can appeal to specialists or consultants from outside the company (outsourcing). These can take over all the tasks or provide assistance in the field.
Informal Brainstorming
http://technet.microsoft.com/en-us/library/cc163143.aspx
[Figure: informal brainstorming session - the Coordinator puts a question (??) to the Risk evaluation team; the Answer is a proposed control (e.g. UPS), which the Secretary records as the Proposed control]
Questions:
- What are the stages which the company has to go through for preventing a risk or controlling it?
  A. Implementing multi-factor authentication for reducing the risk of password compromise.
- What can the company do for recovery (disaster recovery) when the event has been triggered?
  A. Backup, backup, backup.
  A. Teams and action procedures in case of disasters.
  A. Auxiliary systems.
- How can the company check that a control is placed where it is supposed to be, that it works and that it can be monitored?
  A. Expert in the field.
- How can the company declare the effectiveness of an adopted control as being correct?
  A. Specialization and periodical training of internal personnel, or collaboration with a specialized company (person).
- Are there other measures that can be taken for risk control?
  A. Insurance (in the case of inventory objects)
http://technet.microsoft.com/en-us/library/cc163143.aspx
Each category is split into three subcategories with the following purposes: prevention, detection and answer (management).

| Type of control         | Description | Subcategories                              |
|-------------------------|-------------|--------------------------------------------|
| Organizational          |             | Prevention, Detection, Answer (management) |
| Operational (Processes) |             | Prevention, Detection, Answer (management) |
| Technological           |             | Prevention, Detection, Answer (management) |
http://technet.microsoft.com/en-us/library/cc163143.aspx
Type of control: Organizational. Subcategory: Prevention.
Clear roles and responsibilities. Defining and documenting them clearly will make the managers and employees understand the responsibilities of each work station.
Separation of duties and least privilege. This ensures that every work station is permitted only the operations needed to carry out its working tasks.
Well documented plans and security procedures. These are developed to explain how the control systems were implemented and how they must be maintained.
Training and information campaigns. Training is necessary so that the personnel is always up to date with the technology, and the information campaigns are necessary to warn the personnel of the changes that were made.
Systems and processes for user activation/deactivation. These are necessary so that new personnel, when hired, becomes productive as fast as possible, and personnel no longer working in the company immediately loses its rights. The same principles must be stipulated for personnel transfers between two different departments. The classification change of a post or department must also be taken into consideration.
Establishing the processes for providing access to business partners. All business partners are included: suppliers, clients, distributors, subcontractors etc. The principles are similar to the ones mentioned before.
Type of control: Organizational. Subcategory: Detection.
Continuous risk control programs for evaluating and controlling the risk in the key departments of the company.
Recurrent reviews of the control systems to verify their efficiency.
Periodical system audits to ensure that the control systems have not been compromised or poorly configured.
Checking the references and records of new employees.
Establishing a job rotation system. This will allow the discovery of dishonest activities amongst the IT teams and amongst the employees who have access to sensitive data.
Type of control: Organizational. Subcategory: Answer (management).
Incident response plans. These plans will include fast reaction measures for recovery in case of a security violation and for minimizing the impact by preventing the spread to other systems. The incident response plans must allow the gathering of evidence that would eventually allow the prosecution of the guilty person.
Business continuity plan. Contains plans meant to keep the company functioning, totally or partially, in the case of catastrophic events that affect the greatest part of the IT infrastructure.
Type of control: Operational. Subcategory: Prevention.
System protection through physical means. Protection perimeters, room dividers, electronic locks, biometric identifiers etc. are included.
Physical protection for end-user systems (workstations). Locking systems for computers and mobile systems in case of theft, and encryption of the files stored on mobile hard drives, are included.
Providing electricity when needed. These will provide the electricity necessary for computer functioning when the primary energy source is not available. Also, they will ensure the normal shutdown of the applications and operating systems that run on the system, in this way avoiding data loss.
Anti-fire systems. Include the automatic fire warning systems, fire fighting systems and also the extinguishers.
Systems of temperature and humidity control. These systems are meant to ensure the functioning of systems within the parameters indicated by the manufacturer, extending their life.
Procedures for access to data stored on external hard drives. These will allow only authorized personnel access to these data.
Backup systems. These will allow the immediate recovery of lost data. In some cases the back-up files must be kept outside the company in order to be usable in case of major disasters.
Type of control: Operational. Subcategory: Detection.
Physical security. Systems that will protect the company from persons who want to break into it. Sensors, alarms, surveillance cameras, perimeter and movement sensors are included.
Security from the environment. Systems that will protect the company from the threats that come from the environment. Smoke and fire detectors, flood detectors, atmospheric overload detectors, spark gaps etc. are included.
Type of control: Technological. Subcategory: Prevention.
Access control:
- Identification
- Authentication
- Authorization
Type of control: Technological. Subcategory: Detection.
Audit systems. These systems make it possible to monitor and follow the evolution of a system in order to see if it works within the configured parameters. The audit systems represent a basic instrument for detecting, understanding and recovering in case of events.
Antivirus programs. Antivirus programs are built to detect and respond to a series of malicious programs (viruses, worms, trojan horses etc.). The answer consists in blocking the user's access to the infected files, cleaning the infected files and systems and also informing the user about the infected components.
Instruments for maintaining system integrity. These instruments help the IT personnel responsible for security to determine where an unauthorized modification has been made (e.g. file checksum).
Type of control: Technological. Subcategory: Answer (management).
Tools for security administration. These instruments are included in the operating systems, programs and devices meant to ensure security on a certain segment.
Cryptography. Creating, storing and distributing the cryptographic keys in safe conditions gave birth to technologies such as Virtual Private Networks (VPN), authentication in safe conditions and also data encryption on certain hard drives.
Identification. Allows the facility to identify a certain entity in a unique way. With the help of this facility some others can also be created: accounting, discretionary access control, role-based access control and mandatory access control.
Inherent protections in the system. These are facilities implemented in systems that ensure the security of the information which is subject to processing or which is stored in that system. Amongst these we have: object reuse, the use of NX (Non-Execute) memory zones and process separation.
- Does the proposed control prevent a specific attack or a specific category of attacks?
- Does the proposed control reduce/minimize the risk for a certain class of attacks?
- Is the proposed control capable of recognizing an attack/exploit while it is happening?
- If the proposed control recognizes an attack/exploit which is happening at the moment, is it capable of resisting and tracking the attack?
- Can the proposed control help with the recovery of goods (data) after an attack?
- Can the proposed control help with data restoration?
- Does the proposed control offer any other benefits?
- What is the value of the proposed control relative to the value of the good?
Acquisition costs: contain the software and hardware costs or services necessary for the acquisition of a control; they also contain the costs necessary for development and for updating the existing ones.
Implementation costs: contain the costs necessary for the company's own teams or for consultants to install and configure the proposed controls.
Subsequent costs: these are costs difficult to estimate. We include here the costs associated with the new controls over a certain period of time: management, monitoring and maintenance costs. Sometimes they are 24/7 (24/7/365) costs.
Communication costs: contain the costs necessary for informing the personnel about the new policies and procedures for ensuring the security implemented within the company.
Training costs: contain the costs necessary for training the IT personnel to implement, manage, monitor and maintain the new controls, and the costs necessary for training the personnel to incorporate the new controls into the usual procedures.
Productivity costs: actually contain the (initial) productivity losses until the use of the new controls becomes routine. In many cases these losses are due to the lack of communication and personnel training.
Audit and verification costs: contain the costs the company will periodically bear for auditing and verifying the effectiveness of the adopted controls. In some cases these costs go to specialized companies.
In this stage the risk level achieved after adopting the new controls will be compared with the costs of the control solution.
Both the risks (risk level) and the costs of the adopted solution contain subjective values that make a financial quantification rather difficult.
The security policy is made up of a set of measures accepted by the management, which provides clear but flexible rules for determining the standard operations and technologies necessary for ensuring security.
A security policy is a document that emphasizes the main demands or rules that must be known and applied for ensuring security. A security policy will capture the security demands of a company and will describe the steps for ensuring security.
The following items are aimed to be protected:
- memory;
- an electronic device;
- data structure;
- operating system;
- instructions;
- passwords;
[Figure: security risk management process, four phases - 1. Assessing risk / Risk evaluation, 2. Conducting decision support, 3. Implementing controls, 4. Measuring program effectiveness; phase 3 highlighted]
Controls implementation
http://technet.microsoft.com/en-us/library/cc163143.aspx

| Participant               | Responsibilities                                                                                   |
|---------------------------|----------------------------------------------------------------------------------------------------|
| IT engineers              | Determines the way of implementing control solutions                                               |
| IT architecture designers | Define the way of implementing control solutions in such a way that they fit the existing systems |
| IT operators              | Implement the technical control solutions                                                          |
| Financial personnel       |                                                                                                    |
[Figure: security risk management process, four phases - 1. Assessing risk / Risk evaluation, 2. Conducting decision support, 3. Implementing controls, 4. Measuring program effectiveness; phase 4 highlighted]
http://technet.microsoft.com/en-us/library/cc163143.aspx
| Participant               | Responsibilities                                                                                                                                                                                              |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Internal auditor          | Creates a report for the Committee of Security Coordination regarding the effectiveness of the adopted controls and the changes that occurred in the risk level. In addition, it will create and maintain a risk level evolution diagram. |
| IT engineers              |                                                                                                                                                                                                               |
| IT architecture designers |                                                                                                                                                                                                               |
| IT operators              |                                                                                                                                                                                                               |
[Figure: defense-in-depth layers - Physical, Network, Host, Applications, Data]
[Chart: risk level (High / Medium / Low) per month, January to December; legend: Data warehouse, Data Mining]
1. Life protection
2. Damage limitation
3. Damage evaluation
4. Cause determination
5. Damage repair
6. Verification/review of countermeasures, review of policies and update
Quantitative analysis: works with statistical data in the field.
Qualitative analysis: works with less complex data.
The method carries out the analysis of vulnerabilities in a department, prioritizing the human element as the main factor of vulnerability.
This method analyses risks starting from the work station and its characteristics.
The following are analyzed:
- The working conditions specific to each group of posts.
- The features specific to each post in the group of posts.
The method implies following the next steps:
1. Identifying the goods and the threats to which they are exposed.
2.
3.
4.
[Figure: risk level matrix, Probability (Low / Medium / High) against Exposure (Low / Medium / High); example entries placed in the matrix: Voltage drop, Personnel errors, Unauthorized use, Floods, .....]
Source: Computer Security Institute, CSI/FBI 2003 Computer Crime and Security Survey
2003: 488 responses/92%
2002: 414 responses/82%
2001: 484 responses/91%
2000: 583 responses/90%
[Figure: losses matrix for the work station analysis, Unwilled (unintentional) vs. Deliberate losses, cells rated High / Medium / Low]
[Figure: work station vulnerability factors - Type of company, Employee training/knowledge, Phone, Hoax applications, IM/IRC, Company employee]
A study made in 1999 by Net-Partners Internet Solutions showed that, at the level of the United States, employers had productivity losses estimated at 500.000.000 USD due to the fact that almost 13.500.000 employees read or downloaded the Starr report at work. The Starr report contains data referring to the scandal in which the US President Bill Clinton and the White House employee Monica Lewinsky were involved.
How can this type of losses be eliminated?
Another category of actions that have productivity losses as their effect is represented by unsolicited e-mails, the so-called spam e-mails. According to the Yankee Group (www.yankeegroup.com), spam messages create annual productivity losses estimated at 4 billion USD.
In 2003 (Feb.) 42% of the e-mails were spam.
In 2004 (Feb.) 62% of the e-mails were spam.
What can be done in this case?
[Figure: work station analysis workflow - Data collection, Professional training, IT training, Conduct, References, Employee/partner, Workstation customization, Workstation customization detailing, Quantification, Processing (+/- 05/010), Risk level: High / Medium / Low]
Other method
M. Kaeo, Designing Network Security, Cisco Press, Indianapolis, Indiana 46290 USA, 1999.
Occurrence rate:

| Value | Explanation |
|-------|-------------|
| 1     | Unlikely    |
| 2     | Likely      |
| 3     | Most likely |

Volume of losses:

| Value | Explanation     |
|-------|-----------------|
| 1     | Low losses      |
| 2     | Moderate losses |
| 3     | Critical losses |

Risk value (occurrence rate x volume of losses):

| Occurrence rate \ Volume of losses | Low losses | Moderate losses | Critical losses |
|------------------------------------|------------|-----------------|-----------------|
| Unlikely                           | Low risk   | Low risk        | Medium risk     |
| Likely                             | Low risk   | Medium risk     | High risk       |
| Most likely                        | Low risk   | High risk       | High risk       |

Risk level:

| Value | Explanation |
|-------|-------------|
| 1, 2  | Low risk    |
| 3, 4  | Medium risk |
| 6, 9  | High risk   |
[Table: relative risk method - factors Availability [D], [I], Confidentiality [C]; Incident prevention [IP], Damage prevention [DP], Relative risk [RR], Network importance [NI]; evaluated for the Administrative, Technical and Financial LAN segments. Recovered values, column assignment not recoverable: 0,1 / 0,3 / 3,78 / 12; 0,5 / 0,5 / 3,00 / 18; 0,3 / 0,3 / 8,82]
IR = D * I * C

| Rating    | Value |
|-----------|-------|
| Very low  | 0,1   |
| Low       | 0,3   |
| Moderate  | 0,5   |
| High      | 0,7   |
| Very high | 0,9   |

(PI and PD marked on the scale in the figure.)
[Chart: Risks (?) against Costs, axes 10 to 100; series RR Technical and RR Financial]
This risk analysis is done especially within large companies and possibly within medium companies. Small companies have no specialised personnel and no money to pay for such an evaluation. Nevertheless, a minimum of security measures must be taken. It is very well known that company managers are hard to convince to invest in something that doesn't bring immediate profit. And when they are convinced of the necessity of the sums for ensuring security, the allotted sums are below the required ones. In these conditions, a security whose expenses do not exceed a certain limit must be ensured. We can talk about a financially imposed security. There are two alternatives for solving this situation:
- covering the most probable threats while keeping the initial control methods;
- covering all threats and reducing the costs of the control measures.
The first measure will allow a maximum of security for certain threats but will leave other threats partially or totally uncovered.
This second measure is preferable to the first, because it leaves no vulnerabilities uncovered by control measures.
The second measure will impose reducing the expenses necessary for ensuring controls in order to cover all the possible threats. This could be reflected in the modification and configuration of the control measures. For example, two APC UPS uninterruptible sources of 350 VA will not be bought at 95$ a piece for two computers, but a single APC UPS source of 650 VA at 140$. The saving is 50$ (95 x 2 - 140 = 50). In this case though, the two computers will have to be powered from the same uninterruptible source by extending the power cables or by placing them very close together.
[Decision diagram: Cs > As ? YES / NO -> Implementation]
$$SI(f) = \frac{C_e - \sum_{i} P_i \times C_{c_i}}{C_e}$$
where:
C_e = Cost of computing equipment
P_i = Participation/share of control i
C_{c_i} = Cost of control i (sum over all controls i applied to the equipment).
- We have not evaluated the risks very well and/or we have exaggerated with the control measures.
- The equipment (computer) is not of quality and needs additional equipment.
- The updated value of the equipment is low compared to the costs of the controls.
Example (Station 1):
- Ce = 1.000 USD
- UPS: Cc = 140 USD, P = 1/2 = 0,5
- Disk encryption device: Cc = 500 USD, P = 1
Giving an optimal rate/value for each pair of event/control method.
Estimating the annual costs for implementing that particular control measure.
$$ROI = \frac{r_k \times ALE_t}{C_k}$$
Where:
C_k = Annual cost for control k
r_k = Effectiveness rating of control k
ALE_t = ALE of threat t
In selecting the additional control measures we must take into account achieving the following objectives:
A ROI value as high as possible, which is obtained by acting on the effectiveness index r (raising it to the maximum value, 1) or on the annual cost C of applying the control (diminishing the costs of control implementation).
Example:
$$ROI = \frac{0,7 \times 155.000}{2.200} = \frac{108.500}{2.200} = 49,31/1$$
Source: Computer Security Institute, CSI/FBI 2010 Computer Crime and Security Survey
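The two indicators of this part, SI(f) = (Ce - sum of P_i x Cc_i) / Ce for the Station 1 example and ROI = r_k x ALE_t / C_k for the 0,7 x 155.000 / 2.200 example, are computed below in Python. This is an added example, not code from the lecture; the function names are mine and the input validation (shares between 0 and 1, positive costs) is an assumption about sensible inputs, not something the lecture states.

```python
def security_index(ce: float, controls) -> float:
    """SI(f) = (Ce - sum_i P_i x Cc_i) / Ce.
    ce: cost of the computing equipment; controls: iterable of (P_i, Cc_i) pairs,
    P_i being the share of control i charged to this equipment (0..1) and Cc_i its cost.
    A negative result means the controls charged to the equipment cost more than the equipment."""
    if ce <= 0:
        raise ValueError("equipment cost Ce must be positive")
    allocated = 0.0
    for share, cost in controls:
        if not 0.0 <= share <= 1.0 or cost < 0:
            raise ValueError("share must be in [0, 1] and cost non-negative")
        allocated += share * cost
    return (ce - allocated) / ce


def control_roi(effectiveness: float, ale_t: float, annual_cost: float) -> float:
    """ROI = (r_k x ALE_t) / C_k for one control k against threat t."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness rating r_k must be between 0 and 1")
    if annual_cost <= 0:
        raise ValueError("annual control cost C_k must be positive")
    return effectiveness * ale_t / annual_cost


def rank_controls(ale_t: float, candidates: dict) -> list:
    """Order candidate controls {name: (r_k, C_k)} by ROI, best first, so the one to
    fund first is at the head of the list."""
    return sorted(candidates, key=lambda k: control_roi(candidates[k][0], ale_t, candidates[k][1]), reverse=True)


def station1_example() -> float:
    # Lecture example: Station 1, Ce = 1.000 USD; UPS 140 USD with P = 1/2 = 0,5;
    # disk encryption device 500 USD with P = 1.
    return security_index(1000.0, [(0.5, 140.0), (1.0, 500.0)])


def roi_example() -> float:
    # Lecture example: r = 0,7, ALE_t = 155.000 USD, C_k = 2.200 USD/year.
    return control_roi(0.7, 155000.0, 2200.0)


if __name__ == "__main__":
    print(f"SI(f) for Station 1 = {station1_example():.2f}")
    print(f"ROI = {roi_example():.2f}/1")
    # Constructed candidates (not from the lecture): the cheaper, less effective control
    # may still rank first when its ROI is higher.
    print(rank_controls(155000.0, {"ups": (0.7, 2200.0), "encryption": (0.9, 12000.0)}))
```

For Station 1 the controls charged to the equipment sum to 0,5 x 140 + 1 x 500 = 570 USD, so SI(f) = (1.000 - 570) / 1.000 = 0,43; the ROI example gives 108.500 / 2.200 = 49,3.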
ROI - Return on Investment
$$ROI = \frac{\text{Net benefit}}{\text{Costs}} \times 100\,\%$$
NPV
$$NPV = -C + \sum_{a=1}^{n} \frac{\text{Income}_a}{(1+r)^a}$$
r = rate. The initial costs C enter with a negative sign. The investment is profitable if NPV > 0.
IRR - Internal Rate of Return: the rate at which NPV = 0
$$0 = -C + \frac{\text{Income}_1}{(1+IRR)^1} + \frac{\text{Income}_2}{(1+IRR)^2} + \dots + \frac{\text{Income}_n}{(1+IRR)^n}$$
A 1.000 USD uninterruptible power supply (UPS) is bought. It is considered to have a warranty of good functioning of 3 years; after this period the source is removed. Calculate ROI, NPV and IRR.
Initial costs = 1.000 USD
Income for year 1 = 1.500 USD
Income for year 2 = 2.000 USD
Income for year 3 = 3.000 USD. The values are increasing due to the increase in volume of the company's activity.
Rate r = 0,1.
$$ROI = \frac{\frac{1.500}{(1+0,1)^1} + \frac{2.000}{(1+0,1)^2} + \frac{3.000}{(1+0,1)^3} - 1.000}{1.000} \times 100\,\% = 4,3/1$$
$$NPV = -1.000 + \frac{1.500}{(1+0,1)^1} + \frac{2.000}{(1+0,1)^2} + \frac{3.000}{(1+0,1)^3} = 4,3 \text{ (thousand USD)}$$
NPV > 0, so the investment is profitable.
$$IRR: \quad 0 = -1.000 + \frac{1.500}{(1+IRR)^1} + \frac{2.000}{(1+IRR)^2} + \frac{3.000}{(1+IRR)^3}$$
[Chart: NPV as a function of the rate r (0 to 40 %); the IRR marked on the chart is 20,7 %; regions: Profitable investment (NPV > 0), Unprofitable investment (NPV < 0)]
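The three indicators can be computed for any stream of yearly incomes. The following Python is an added example, not code from the lecture: npv() implements the NPV formula above, roi() divides the discounted net benefit by the initial cost as the 4,3/1 figure does, and irr() finds the rate where NPV crosses zero by bisection (the bracket [0, 10], i.e. 0 % to 1000 %, is my choice). The UPS figures are the lecture's; the one-year case in the test is constructed.

```python
def npv(rate: float, initial_cost: float, incomes) -> float:
    """NPV = -C + sum_{a=1..n} Income_a / (1 + r)^a; the initial cost C enters negatively."""
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100 %")
    return -initial_cost + sum(inc / (1.0 + rate) ** a for a, inc in enumerate(incomes, start=1))


def roi(rate: float, initial_cost: float, incomes) -> float:
    """ROI = net benefit / costs, the net benefit being the discounted NPV."""
    if initial_cost <= 0:
        raise ValueError("initial cost must be positive")
    return npv(rate, initial_cost, incomes) / initial_cost


def irr(initial_cost: float, incomes, lo: float = 0.0, hi: float = 10.0, tol: float = 1e-10) -> float:
    """IRR: the rate r at which NPV(r) = 0, located by bisection. NPV falls as the
    rate rises, so the root is bracketed when NPV(lo) > 0 > NPV(hi)."""
    if npv(lo, initial_cost, incomes) <= 0 or npv(hi, initial_cost, incomes) >= 0:
        raise ValueError("NPV does not change sign on [lo, hi]: widen the bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if npv(mid, initial_cost, incomes) > 0:
            lo = mid  # still profitable at mid, the root lies to the right
        else:
            hi = mid
    return (lo + hi) / 2.0


# Lecture example: 1.000 USD UPS, incomes 1.500 / 2.000 / 3.000 USD over 3 years, r = 0,1
UPS_COST = 1000.0
UPS_INCOMES = [1500.0, 2000.0, 3000.0]
UPS_RATE = 0.10

if __name__ == "__main__":
    print(f"NPV = {npv(UPS_RATE, UPS_COST, UPS_INCOMES):.2f} USD")
    print(f"ROI = {roi(UPS_RATE, UPS_COST, UPS_INCOMES):.2f}/1")
    print(f"IRR = {100 * irr(UPS_COST, UPS_INCOMES):.1f} %")
```

At r = 0,1 the discounted incomes add up to about 5.270 USD, so the NPV is about 4.270 USD (the 4,3 thousand of the worked example) and the ROI about 4,3/1. The bisection stops when the bracket is narrower than tol; a wider bracket is needed only if the investment pays back more than tenfold per year.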
[Figure: Business owner - Policies definition, Funds approval, Risk analysis]
Time...
Time cannot be stored.
Time cannot be bought.
Time cannot be sold.
Time cannot be traded.
Time can only be used.
In order to reduce or to eliminate the risks, the company must be capable of the following operations:
- Prevention (the correct selection of products, updating the products and adapting them to the imposed changes)
- Detection (filtering and analyzing the information, analyzing the alerts, correlating with the needs of the company)
- Answer (taking the measures that are imposed, communication and constant training)
People
- Training ... continuous, updated ...
- Responsibilities ... brought to attention and assumed ...
- Knowledge ... in the field ...
- Organization ... effective ...
Processes
- Policies ... clear, updated, viable ...
- Procedures ... tested ...
- Standards ... updated ...
Technologies
- Infrastructure ... adequate, safe ...
- Applications ... safe, adequate, tested, audited ...
Prevention: preventing some events that can affect the company's security.
Reduction: reducing the occurrence probability and the impact.
Avoidance: avoiding a risk through effective planning.
Transfer: eliminating the risk by taking out insurance on that risk.
Alternative planning: in the case of unpredictable risks, the implementation of alternative plans for reducing the impact is needed.
Reason description:

| Reason                                 | Description                                                                                                                                                         |
|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| User errors                            |                                                                                                                                                                     |
| Errors of system managers              |                                                                                                                                                                     |
| Hardware failure                       |                                                                                                                                                                     |
| Software failure                       |                                                                                                                                                                     |
| Attacks of hackers and other intruders | The system crackers often delete or change the data in the system. Unfortunately they erase any track that could lead to finding the modifications.               |
| Theft                                  | Due to the high price, computers and especially portable ones are stolen. The insurance companies can compensate the financial loss but not the loss of the stored data. |
| Natural disasters                      | Data recovery.                                                                                                                                                      |
| Other disasters                        | Data recovery                                                                                                                                                       |

[Figure: archive information on JBOD, RAID, Tape]
Data backup is a process of transferring data from the company's computers to a special storage device.
Data restore is a process of restoring data to the company's computers from one or more backup copies.
An archive is a long-term backup copy which is stored outside the company.
[Table: file types against daily backup / weekly backup; row shown: Data files]
Complete backup: the copy of all the files in the system - system files, software files and data files.
Partial backup:
- Incremental: all new files or modified ones since the last partial or complete backup operation.
- Differential: all the new or modified files since the last complete backup operation.
Advantages (incremental): fast backup because the number of files is low; low wear of the backup devices and of the media.
Disadvantages (incremental): large amount of time for restoration due to the existence of more than 2 media (the complete backup medium and each of the incremental media).
Differential backup cycle:

| Day       | Backup type  | Size   | Time   | Number of tapes |
|-----------|--------------|--------|--------|-----------------|
| Friday    | Complete     | 160 GB | 4 h    | 3 tapes         |
| Monday    | Differential | 45 GB  | 1.1 h  | 1 tape          |
| Tuesday   | Differential | 56 GB  | 1.4 h  | 1 tape          |
| Wednesday | Differential | 67 GB  | 1.7 h  | 2 tapes         |
| Thursday  | Differential | 83 GB  | 2.1 h  | 2 tapes         |
| Total:    |              | 411 GB | 10.3 h | 9 tapes         |

Incremental backup cycle:

| Day       | Backup type | Size   | Time  | Number of tapes |
|-----------|-------------|--------|-------|-----------------|
| Friday    | Complete    | 160 GB | 4 h   | 3 tapes         |
| Monday    | Incremental | 45 GB  | 1.1 h | 1 tape          |
| Tuesday   | Incremental | 11 GB  | 0.3 h | 1 tape          |
| Wednesday | Incremental | 11 GB  | 0.3 h | 1 tape          |
| Thursday  | Incremental | 16 GB  | 0.4 h | 1 tape          |
| Total:    |             | 243 GB | 6.1 h | 7 tapes         |
These examples are based on a weekly backup cycle with a tape drive that can transfer data at 40 gigabytes (GB) per hour on a 60gigabyte capacity tape.
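Both cycles above follow from the same inputs: a 160 GB complete backup on Friday, the amount of data new or changed on each following day, a 40 GB/hour drive and 60 GB tapes. The following Python is an added example (not code from the lecture) that generates both schedules from those inputs, sums size, time and tapes, and lists the tapes a restore needs on a given day, which is where the differential and incremental strategies differ. The daily change amounts are derived from the tables (differential sizes 45, 56, 67, 83 GB imply 45, 11, 11, 16 GB of new data per day).

```python
from math import ceil

TAPE_CAPACITY_GB = 60        # 60 GB tapes, as in the lecture's cycles
TRANSFER_GB_PER_HOUR = 40    # 40 GB/hour drive, as in the lecture's cycles

FULL_BACKUP_GB = 160
# Data new or changed on each weekday since the previous day (derived from the tables).
DAILY_CHANGES_GB = {"Monday": 45, "Tuesday": 11, "Wednesday": 11, "Thursday": 16}


def tapes_for(size_gb: float) -> int:
    """Whole tapes needed to hold size_gb; a partly used tape still counts."""
    return ceil(size_gb / TAPE_CAPACITY_GB)


def build_schedule(kind: str, full_gb: float = FULL_BACKUP_GB, changes: dict = DAILY_CHANGES_GB) -> list:
    """Return one session per day as a dict (day, type, size_gb, hours, tapes), with tape
    numbers handed out sequentially through the week.
    kind: 'differential' (everything since the complete backup) or 'incremental'
    (everything since the previous backup of any kind)."""
    if kind not in ("differential", "incremental"):
        raise ValueError(f"unknown backup kind: {kind}")
    sessions, next_tape, since_full = [], 1, 0
    for day, size in [("Friday", full_gb)] + list(changes.items()):
        if day == "Friday":
            session_type = "complete"
        else:
            since_full += size
            size = since_full if kind == "differential" else size
            session_type = kind
        n = tapes_for(size)
        sessions.append({"day": day, "type": session_type, "size_gb": size,
                         "hours": size / TRANSFER_GB_PER_HOUR,
                         "tapes": list(range(next_tape, next_tape + n))})
        next_tape += n
    return sessions


def totals(sessions: list) -> tuple:
    """(total GB written, total hours, total tapes) for a week's cycle."""
    return (sum(s["size_gb"] for s in sessions),
            sum(s["hours"] for s in sessions),
            sum(len(s["tapes"]) for s in sessions))


def tapes_to_restore(sessions: list, up_to_day: str) -> list:
    """Tapes needed to restore the state as of up_to_day: the complete backup plus the
    latest partial (differential) or every partial since the complete backup (incremental)."""
    idx = next(i for i, s in enumerate(sessions) if s["day"] == up_to_day)
    needed = list(sessions[0]["tapes"])
    partials = sessions[1:idx + 1]
    if partials:
        chosen = partials[-1:] if partials[-1]["type"] == "differential" else partials
        for s in chosen:
            needed += s["tapes"]
    return needed


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        plan = build_schedule(kind)
        for s in plan:
            print(f"{s['day']:9s} {s['type']:12s} {s['size_gb']:4d} GB {s['hours']:4.1f} h tapes {s['tapes']}")
        gb, hours, tapes = totals(plan)
        print(f"Total: {gb} GB, {hours:.1f} h, {tapes} tapes; Thursday restore needs {tapes_to_restore(plan, 'Thursday')}")
```

The differential cycle writes 411 GB on 9 tapes and a Thursday restore needs only the complete backup plus Thursday's two tapes (1, 2, 3, 8, 9); the incremental cycle writes 243 GB on 7 tapes but a Thursday restore needs all seven, which is the trade-off the tables illustrate.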
Differential backup: tapes used and tapes needed for a restore

| Day       | Backup type  | Tapes          |
|-----------|--------------|----------------|
| Friday    | Complete     | Tapes 1, 2, 3  |
| Monday    | Differential | Tape 4         |
| Tuesday   | Differential | Tape 5         |
| Wednesday | Differential | Tapes 6, 7     |
| Thursday  | Differential | Tapes 8, 9     |

Necessary tapes for the restore: Tapes 1, 2, 3, 8, 9

| Day       | Backup type  | Tapes          |
|-----------|--------------|----------------|
| Friday    | Complete     | Tapes 1, 2, 3  |
| Monday    | Differential | Tape 4         |
| Tuesday   | Differential | Tape 5         |
| Wednesday | Differential | Tape 6         |
| Thursday  | Differential | Tape 7         |

Necessary tapes for the restore: All 7 tapes / 6 tapes
Tower of Hanoi
[Figure: rotation with the tape sets FRI1, FRI2, MON, TUE, WED; table of days Monday to Friday over several weeks - the daily sets MON, TUE, WED, THU are reused each week and the Friday complete backup alternates between FRI 1 and FRI 2]
Backup and restore: Grandfather - Father - Son (GFS)
[Figure: GFS rotation. Sons: daily tapes MON, TUE, WED, THU. Fathers: weekly tapes WEEK1, WEEK2, WEEK3, WEEK4 (Friday complete backups). Grandfathers: monthly tapes JAN, FEB, MAR, APR, MAY, JUN, JUL, AUG, SEP, OCT, NOV, DEC. Table of days Monday to Friday over WEEK1 to WEEK4; the month's last complete backup goes to the monthly tape (JAN shown)]
[Table: Tower of Hanoi, backup session against used set; sessions 10 to 16 shown; a set is reused every 2, 4, 8 or 16 sessions. Days: Monday, Tuesday, Wednesday, Thursday, Friday (continuation)]
| Scheme                           | Advantages                                                                                  | Disadvantages                                                                                    |
|----------------------------------|---------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| Six tapes (complete backup)      | Requires a low number of tapes, which makes the method cheaper. It is ideal for a low volume of data. | It keeps the data only for one week, if you do not archive the tapes with complete backups regularly. |
| Grandfather - Father - Son (GFS) |                                                                                             |                                                                                                  |
| Tower of Hanoi                   |                                                                                             |                                                                                                  |
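The two rotation schemes named in the table can both be expressed as a rule that maps a backup session to the tape set it writes to. The following Python is an added example, not code from the lecture: hanoi_set() implements the Tower of Hanoi rule in which set A is used every other session, set B every 4th, set C every 8th and so on (the 2, 4, 8, 16 reuse intervals of the session table), and gfs_tape() implements the Grandfather-Father-Son rule as the figure describes it (daily son tapes MON to THU, weekly father tapes WEEK1 to WEEK4 on Fridays, a monthly grandfather tape on the month's last Friday). The 2024 dates in the test are constructed.

```python
import calendar
from datetime import date


def hanoi_set(session: int, n_sets: int = 5) -> str:
    """Tower of Hanoi rotation: session i (numbered from 1) writes to set A if i is odd,
    B if i is divisible by 2 but not 4, C if divisible by 4 but not 8, and so on, so set
    k is reused every 2^k sessions. With n_sets sets, higher powers fold onto the last set,
    which therefore holds the oldest copy."""
    if session < 1:
        raise ValueError("sessions are numbered from 1")
    k = 0
    while session % 2 == 0 and k < n_sets - 1:
        session //= 2
        k += 1
    return chr(ord("A") + k)


def gfs_tape(day):
    """Grandfather-Father-Son rotation. day is a datetime.date or an ISO date string.
    Monday to Thursday sessions go to the daily (son) tape named after the weekday; a
    Friday complete backup goes to the weekly (father) tape WEEK1..WEEK4; the month's last
    Friday goes instead to the monthly (grandfather) tape named after the month.
    Weekend days have no session and return None."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    wd = day.weekday()  # Monday = 0 ... Sunday = 6
    if wd >= 5:
        return None
    if wd < 4:
        return ("son", day.strftime("%a").upper())
    last_day = calendar.monthrange(day.year, day.month)[1]
    if day.day + 7 > last_day:  # no further Friday this month
        return ("grandfather", day.strftime("%b").upper())
    return ("father", f"WEEK{(day.day - 1) // 7 + 1}")


if __name__ == "__main__":
    print("Hanoi, sessions 1-16:", " ".join(hanoi_set(i) for i in range(1, 17)))
    for d in ("2024-01-08", "2024-01-12", "2024-01-26", "2024-01-27"):
        print(d, gfs_tape(d))
```

Over 16 sessions the Hanoi rule yields A B A C A B A D A B A C A B A E: the A set is overwritten every two sessions while E is written only once, so the scheme keeps a copy as old as 16 sessions on five sets. In the GFS rule the grandfather tapes are the ones to take off site, since the monthly tape is the only copy that survives a full month of rotation.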
[Figure: NAS device on the LAN accessed by User 1 ... User n through NFS, CIFS and HTTP]
- NFS (Network File System) for the UNIX clients
- CIFS (Common Internet File System) for Microsoft Windows clients
- HTTP (hypertext transfer protocol) for WEB access
A SAN represents a dedicated network of storage devices and of the servers that access them. SANs are built on Fibre Channel technology. The data stored in a SAN are accessed at block level.
[Figure: SAN with a storage subsystem; servers on the LAN serve User 1 ... User n]
NAS: Easy to use; Scalability; High availability; Heterogeneous platforms; Flexibility
SAN: High trust; Scalability; High availability; Heterogeneous platforms; Backup/restoration
Also listed: Low cost; File Sharing; WebSite Hosting; Remote replication; Limited DB applications
[Figure: Striping (RAID 0), Mirroring (RAID 1)]
http://www.cluboc.net/reviews/hard_drives/raid_project1/index.asp
[Figure: security services that can be outsourced]
- Virtual private networks
- Web content filtering
- Intrusion detection
- Vulnerability/penetration test evaluation
- Virus scan
- Firewall/router management
- Antivirus
- Organization 24/7
- Response in case of incident
Inside security services. We take into consideration a medium-size company. In order to create a firewall for its Internet connection, hardware and software for the firewall must be bought at a price of approximately 10.000 USD. This amount may be higher if the company has more connections to the Internet or if it is a large company; the expenses in that case can vary from 50.000 USD to 75.000 USD. Managing and monitoring the firewall must be done by a qualified person. The wage of a specialist in the field varies between 40.000 and 60.000 USD per year. Buying an expensive firewall product does not compensate for poor training of the administrator. Since permanent coverage is required (24/7 service), at least three people are needed, with average annual expenses of about 150.000 USD. Minimal training of the service personnel will cost 15.000 USD per year; this last category of expenses is necessary so that the service personnel keep up with the latest developments in the field.
From inside

  Component/Expense        Sum (USD)
  Hardware and software       10.000
  Wages                      150.000
  Training                    15.000
  Total costs                175.000
Outside security services. The hardware and software costs are still the same: the firewall/router device and the software are bought by the beneficiary, for around 10.000 USD. The wages of the three employees who would manage the firewall disappear, but they are replaced by the monthly expenses for external management, around 2.000 USD, which leads to annual expenses of 24.000 USD. The initial cost of installation (payable only once) is approximately 15.000 USD. There are no further training costs.
Outsourcing

  Component/Expense        Sum (USD)
  Hardware and software       10.000
  Management                  24.000
  Installation                15.000
  Total costs                 49.000
The difference:
- Inside annual costs: 170.000 USD
- Outside costs: 49.000 USD
- Annual savings: 121.000 USD
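The comparison above mixes items paid once (hardware and software, installation) with items paid every year (wages, training, external management). The following Python is an added example, not part of the course material: it keeps the two kinds of cost apart using the line items from the two tables and carries the comparison past the first year, which the single-year totals do not show. The split into one-time and annual items follows the text; the multi-year extension assumes the recurring figures stay constant.

```python
from dataclasses import dataclass
from typing import Dict

# Constructed example: the two cost structures from the firewall comparison,
# split into one-time and recurring items.  Figures are the tables' line
# items in USD; hardware/software and installation are bought once, while
# wages, training and external management recur every year.


@dataclass
class CostStructure:
    one_time: Dict[str, int]   # paid once, in year 1
    annual: Dict[str, int]     # paid every year

    def year_cost(self, year: int) -> int:
        """Cost of a given year; year 1 also carries the one-time items."""
        recurring = sum(self.annual.values())
        initial = sum(self.one_time.values()) if year == 1 else 0
        return recurring + initial

    def cumulative(self, years: int) -> int:
        """Total spent from year 1 through `years`."""
        return sum(self.year_cost(y) for y in range(1, years + 1))


INSIDE = CostStructure(
    one_time={"hardware and software": 10_000},
    annual={"wages (three people, 24/7)": 150_000, "training": 15_000},
)

OUTSOURCED = CostStructure(
    one_time={"hardware and software": 10_000, "installation": 15_000},
    annual={"external management (12 x 2.000)": 24_000},
)


def savings(years: int) -> int:
    """Money saved by outsourcing over `years` years under these assumptions."""
    return INSIDE.cumulative(years) - OUTSOURCED.cumulative(years)


if __name__ == "__main__":
    print("year  inside  outsourced  cumulative savings")
    for y in (1, 2, 3):
        print(f"{y:4d}  {INSIDE.year_cost(y):7d}  {OUTSOURCED.year_cost(y):10d}"
              f"  {savings(y):10d}")
```

With the tables' line items, year 1 reproduces the two totals (175.000 inside, 49.000 outsourced); from year 2 on the outsourced option costs only the 24.000 USD management fee against 165.000 USD inside, so the gap widens every year. The same structure accepts other figures, for example the 50.000 to 75.000 USD hardware range mentioned for larger companies.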
securITree

- Phase 1: Identify technical and informational assets
- Phase 2: Identify operational and management risks
- Phase 3: Establish a countermeasure plan
[Chart: security applications and infrastructure plotted against market maturity (vertical axis) and time (horizontal axis). Maturity stages over time: Standalone, LAN/WAN, Internet connectivity, Early e-business, Mature e-business. Items placed on the chart: Authorisation, SmartCards, PKI, VPN, eWallet, Knowledge, Secure transactions, Intrusion detection, Authentication, Antivirus, Firewall, Portal sites, Encryption, Mailing lists. Which items belong to the Applications band and which to the Infrastructure band is not recoverable from the extraction.]
Security Standards

ISO 27001 - The specification for an information security management system (ISMS), which replaced the old BS 7799-2 standard.
ISO 27002 - The 27000-series number of what was originally the ISO 17799 standard (itself formerly known as BS 7799-1).
ISO 27003 - This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS.
ISO 27004 - Covers information security management system measurement and metrics, including suggested ISO 27002-aligned controls.
ISO 27005 - The methodology-independent ISO standard for information security risk management.
ISO 27006 - Provides guidelines for the accreditation of organizations offering ISMS certification.
ISO 27000 - Information technology: Information security management systems, overview and vocabulary
ISO 27007 - Guidelines for information security management systems auditing
ISO 27008 - Guidelines for ISM auditing with respect to security controls (approved April 2008)
ISO 27011 - Information technology: Information security management guidelines for telecommunications
ISO 27033 - Network security
ISO 27799 - Health informatics: Information security management in health using ISO/IEC 17799
Security is not a purpose, security is a continuous process.
- Prevention (the correct selection of products, updating them and adapting them to the changes imposed on the organization).
- Detection (filtering and analyzing the information, analyzing the alerts and correlating them with the needs of the company).
- Response (taking the measures that are required, communication, constant training).
We must punish the offenders. But we cannot slow down the curiosity of a 13-year-old kid who, while experimenting today, can develop tomorrow an informational or telecommunication technology that will lead the United States into the XXI century as leader in the domain. They represent our chance to remain a technologically competitive nation.
Patrick Leahy, Vermont senator

Is security merchandise?
Applications

Thank you!

Contact
Conf. univ. dr. Burtescu R. Emil
emil_burtescu@yahoo.com
eburtescu@yahoo.com
YM ID: eburtescu
www.burtescu.ro (under construction)