Security Analysis Part I: Basics


Security Analysis Part I: Basics
Ketil Stølen, SINTEF & UiO
October 2, 2015

Objectives for Lectures on Security Analysis
- Classify security concepts
- Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis in particular
- Relate risk management to system development
- Describe the different processes that risk management involves
- Motivate and illustrate model-driven security risk analysis (or security analysis, for short)
- Demonstrate the use of risk analysis techniques

Overview of today
- What is security?
- What is risk?
- What is risk management?
- What is the relationship to cyber security?
- What is CORAS?

What is Security Analysis?
Security analysis is a specialized form of risk analysis focusing on security risks.

What is Security?
- confidentiality: Only authorised actors have access to information
- integrity: Only authorised actors can change, create or delete information
- availability: Authorised actors have access to information they need when they need it
- accountability: It is possible to audit the sequence of events in the system

Security is more than Technology
- Security solutions are available – but what good is security if no one can use the systems?
- Security requires more than technical understanding
- Incidents are often of non-technical origin
- Requires a uniform description of the system as a whole: how it is used, the surrounding organisation, etc.

Security – Part of System Development
- Security is traditionally added as an "afterthought"
- Solutions often reactive rather than proactive
- Security issues often solved in isolation
- Costly redesign
- Security not completely integrated

Enforcing security only at the end of the development process "by preventing certain behaviors, may result in a so useless system that the complete development effort would be wasted" [Mantel'01].

"It would be desirable to consider security aspects already in the design phase, before a system is actually implemented, since removing security flaws in the design phase saves cost and time" [Jürjens'02].

Translation of Terminology (English to Norwegian)
- asset: aktivum (something of value)
- threat: trussel
- unwanted incident: uønsket ... ens/hyppighet
- treatment: behandling

What is Risk?
Many kinds of risk:
- Contractual risk
- Economic risk
- Operational risk
- Environmental risk
- Health risk
- Political risk
- Legal risk
- Security risk

Definition of Risk from ISO 31000
Risk: Effect of uncertainty on objectives
- NOTE 1: An effect is a deviation from the expected — positive and/or negative
- NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)
- NOTE 3: Risk is often characterized by reference to potential events and consequences, or a combination of these
- NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence
- NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood

What is Risk Management?
Risk management: Coordinated activities to direct and control an organization with regard to risk [ISO 31000:2009]
(Diagram of the ISO 31000 process: Establish the context; Risk assessment, comprising Identify risks, Estimate risks and Evaluate risks; Treat risks; with Communicate and consult and Monitor and review running alongside.)

Risk Analysis Involves
(The same ISO 31000 process diagram as on the previous slide, with the four assessment and treatment steps explained.)
- Identify risks: Determining what can happen, why and how
- Estimate risks: Systematic use of available information to determine the level of risk
- Evaluate risks: Prioritization by comparing the level of risk against predetermined criteria
- Treat risks: Selection and implementation of appropriate options for dealing with risk

Terms
(Concept diagram relating Threat, Vulnerability, Asset, Risk and Reduced risk; the reduction motivates the need to introduce risk treatment.)

Terms (worked example diagram)
- Threat: Worm, arriving from the Internet
- Vulnerability: V (not named in the diagram)
- Asset: Computer running Outlook
- Unwanted incident: Infected PC
- Risk: Infected twice per year; infected mail sent to all contacts
- Treatment: Install virus scanner

Definitions
- Asset: Something to which a party assigns value and hence for which the party requires protection
- Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value
- Likelihood: The frequency or probability of something to occur
- Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted
- Risk: The likelihood of an unwanted incident and its consequence for a specific asset
- Risk level: The level or value of a risk as derived from its likelihood and consequence
- Threat: A potential cause of an unwanted incident
- Treatment: An appropriate measure to reduce risk level
- Unwanted incident: An event that harms or reduces the value of an asset
- Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset
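The definitions above, together with the estimate/evaluate/treat steps, worked through on the lecture's worm scenario (infected twice per year, infected mail sent to all contacts, treatment "install virus scanner"). This is an added example, not code from the lecture or the CORAS tool; the ordinal scales, frequency bands, acceptance threshold, the vulnerability name, the consequence rank and the post-treatment frequency are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed ordinal scales (assumption: the analysis team chooses the scales).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
ACCEPT_BELOW = 8  # constructed acceptance criterion on the 1..25 risk level


@dataclass(frozen=True)
class Risk:
    """One risk in the lecture's terms: an unwanted incident caused by a threat exploiting a vulnerability, with a likelihood and a consequence for an asset."""
    asset: str
    threat: str
    vulnerability: str
    incident: str
    likelihood: str
    consequence: str


def frequency_to_likelihood(per_year: float) -> str:
    """Map an estimated frequency per year onto the ordinal scale (constructed bands)."""
    for limit, name in [(0.1, "rare"), (0.5, "unlikely"), (1.0, "possible"), (5.0, "likely")]:
        if per_year < limit:
            return name
    return "certain"


def risk_level(risk: Risk) -> int:
    """Risk level derived from likelihood and consequence: product of their ranks (1..5 each)."""
    return (LIKELIHOOD.index(risk.likelihood) + 1) * (CONSEQUENCE.index(risk.consequence) + 1)


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the level against the predetermined criterion."""
    return "accept" if risk_level(risk) < ACCEPT_BELOW else "treat"


def treat(risk: Risk, new_frequency_per_year: float) -> Risk:
    """Apply a treatment that lowers likelihood; the consequence of the incident is unchanged."""
    return replace(risk, likelihood=frequency_to_likelihood(new_frequency_per_year))


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Order risks by level, highest first, for selecting which to treat."""
    return sorted(risks, key=risk_level, reverse=True)


# The lecture's worm scenario; vulnerability name, consequence rank and the
# frequency after installing a virus scanner are constructed values.
WORM = Risk("Computer running Outlook", "Worm", "no virus scanner (assumed)",
            "Infected PC, infected mail sent to all contacts",
            frequency_to_likelihood(2.0), "major")
WORM_TREATED = treat(WORM, 0.05)  # after the treatment "Install virus scanner"
```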

Cyberspace, Cybersecurity and Cyber-risk
What is new and what are the real challenges?

Background
- There are no established definitions of cyberspace or cybersecurity
- Many authoritative organizations have their own definitions: EU, ISO, IEC, ITU-T, NIST, CNSS, ...
- The various definitions typically reflect different purposes or interests: information security; critical infrastructure protection; privacy and data protection; societal security; combating of cyber-crime and terrorism

Motivation and Goals
- Cybersecurity is a hot topic and a frequently used buzzword
- Stakeholders want to ensure cybersecurity and protection from cyber-risk
- At the same time there is lack of terminology consensus and method support
- Our aim: Define a terminology and identify challenges

Cyberspace
The term cyberspace first appeared in science fiction (novel by William Gibson)

Cyber-system

Cyber-physical system

Summary

Cybersecurity

Cybersecurity is related to information security and infrastructure security
- But cybersecurity is not simply the combination of the two
- Information security is the protection of confidentiality, integrity and availability of information
- Infrastructure security and CIP is to prevent the disruption, disabling, destruction or malicious control of critical infrastructures

Summary

Cyber-risk

Summary

The Challenge of Measurement

The Challenge of Uncertainty

The Challenge of Aggregation

The Challenge of Black-swans (Nassim N. Taleb)

Security Analysis Using CORAS

Overview
- What is CORAS?
- Main concepts
- Process of eight steps
- Risk modeling
- Semantics
- Calculus
- Tool support
- Further reading

What is CORAS?
CORAS consists of:
- Method for risk analysis
- Language for risk modeling
- Tool for editing diagrams
Stepwise, structured and systematic process:
- Directed by assets
- Concrete tasks with practical guidelines
Model-driven:
- Models as basis for analysis
- Models as documentation of results
Based on international standards

Mandatory Reading
- Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3 "A Guided Tour of the CORAS Method" in the book "Model-Driven Risk Analysis: The CORAS Approach", Springer, 2011. The chapter can be downloaded freely.
- Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Risk Analysis of Changing and Evolving Systems Using CORAS, LNCS 6858, Springer, 2011, pages 231-274.
- Le Minh Sang Tran, Bjørnar Solhaug, Ketil Stølen: An approach to select cost-effective risk countermeasures exemplified in CORAS. SINTEF A24343, SINTEF ICT, July 2013.
