Business Continuity Management

Transcription

1 University of Oslo INF3510 Information Security Autumn 2018 Workshop Questions and s Lecture 8: Risk Management and Business Continuity Management Question 1: Risk factors A possible definition of information security risk is: risk = likelihood impact a. Explain what is meant by likelihood and impact in this definition. b. Discuss, e.g. with a relevant example, whether this is a reasonable definition. c. Mention factors that contribute to likelihood of a security incident (threat occurrence). d. Discuss whether it is meaningful to analyse risk based on detailed factors (such as threat agent motivation and capacity) during a practical risk analysis. a. The likelihood is the frequency (or probability) that a threat occurs. The impact is the consequence of a threat, i.e. the expected cost of a threat occurrence. b. Many examples are possible. One could consider the threat of DDoS (Distributed Denial of Service) attack against a company web site. The likelihood is the expected probability of an actual DDoS attack taking place. The impact may be measured in terms of financial loss to the company due to customers not being able to make orders. When combined, the risk level increases as a conjunction of the likelihood and impact levels. c. Factors are e.g. threat agent strength, and vulnerability severity. This is because the likelihood of a threat occurrence increases with the strength of the threat agent. Similarly, the likelihood increased with the severity of vulnerabilities. The factor threat agent strength can further be decomposed into motivation and capacity. This is because the threat agent strength increases with motivation and capacity. An agent with the capacity (skills and technology) to execute an attack still needs the motivation to do it. Similarly, a motivated agent still needs the capacity to execute the attack. d. It can be useful for analysing specific threats in more detail, but it would take more time. For example, the likelihood/frequency of specific threats can be decomposed in terms of threat agent strength and vulnerability severity. Some frameworks explicitly take into account threat agent strength as well as vulnerability severity when estimating risk levels, e.g.: NS 5831 Samfunnssikkerhet Beskyttelse mot tilsiktede uønskede handlinger Risikohåndtering NS 5832 Samfunnssikkerhet Beskyttelse mot tilsiktede uønskede handlinger Risikoanalyse

2 Question 2: Risk management decisions The Risk Management Process specified in ISO indicates two decision points. a. Describe a situation where the answer to risk decision point 1 (after the risk assessment) could be negative, thereby requiring a revision of the context establishment and risk assessment phases. b. Describe a situation where the answer to risk decision point 2 (after the risk treatment plan) could be negative, thereby requiring a possible revision of all the previous risk management phases. a. It is possible that the computed risks have a very skewed distribution, e.g. most risks have the same level (e.g. either very low or very high), which makes the risk ranking meaningless. b. It is possible that the proposed risk treatment plan in judged unacceptable by the management, e.g. i. Because the treatment plan is too expensive or too ambitious. If the plan is judged by management as too expensive or too ambitious, then the level of acceptable risk can be increased, so that fewer and less ambitious security controls are needed. ii. Because the risk level of planned retained risk is too high to be accepted. If the level of retained risk is too high, more controls could be proposed. iii. Because the estimated cost of treatment plan is considered misleading due to wrong assessment of risk levels, so that the risk assessment and risk ranking needs to be revised. Question 3: Risk description How should each risk be described? A risk consists of a threat and its risk level which must be described. The risk description should also include assessments of potential threat agents, relevant vulnerabilities and existing security controls, justification for estimating probability and impact, and identification of assets that can be negatively affected. Question 4: Qualitative risk a) Assume that a risk assessment uses three levels of likelihood (low, medium, high) and three levels of impact/consequence level (minor, moderate, major). Draw an appropriate table of qualitative risk that uses 5 qualitative risk levels. b) What is the basis for specifying the qualitative risk levels in the table? c) How is the table used to determine risk levels?

3 a) Different assignments of qualitative risk levels to the entries in the table are possible, but the most natural one is as indicated in the table below. The important rule is that qualitative levels of risk should increase when moving upwards or to the right in the table. It is also typical to have isometric diagonals from top-left to bottom-right, but non-isometric diagonals are of course possible. Impact Minor Moderate Major Likelihood Risk High Moderate High Extreme Medium Low Moderate High Low Negligible Low Moderate b) The assignment of qualitative risk levels in the table is in principle ad hoc, meaning that the risk assessment team can decide how they want to populate the table. The matrix is simply a look-up table. For each threat the team must estimate the likelihood and impact. c) The risk level is determined by direct look-up in the table. Question 5: Relative / Semi-quantitative risk a) Assume a risk assessment method with four relative levels of likelihood: 0 (extremely rare), 1 (rare), 5 (likely), 10 (very likely), and four relative levels of impact/consequence level: 0 (negligible), 1 (minor), 5 (moderate), 10 (major). Draw an appropriate table of relative / semi-quantitative risk that uses 7 numerical relative risk levels. b) What is the basis for specifying the relative risk levels in the table? c) How is the table used to determine risk levels? a) A relative / semi-quantitative risk table defines risk levels as the product of relative likelihood and impact levels. The product gives is a set of relative risk levels. Impact 0 (Negligible) 1 (Minor) 5 (Moderate) 10 (Major) Likelihood Risk 10 (Very Likely) (Relatively likely) (Rare) (Extremely rare) b) The assignment of the relative risk levels in the table is simply based on the product rule. The risk assessment team must decide which numerical relative values to use for the likelihood and impact levels, which is an ad hoc decision. c) The matrix is a look-up table which directly determines the relative risk level for each threat.

4 Question 6: Quantitative risk Consider a quantitative risk analysis for a business. A specific threat is expected to result in a security incident every two months at a cost of $3 000 per incident. a. Compute the single loss expectancy (SLE) and the annualised loss expectancy (ALE). b. How should the ALE be used in deciding how to treat this risk? c. Once controls are put in place, how will they change a later risk analysis? d. Instead of reducing the risk, name two alternative ways to treat a risk. a. SLE = $ ALE = SLE x 6 = $ b. Security controls with a cost up to $ (per year) may be implemented. However, it also needs to be estimated to what extent the risk is reduced as a result of the controls. For example, if the frequency is reduced to once per 4 months as a result of a control costing $ per year, then the controls are not justified. c. The SLE and/or frequency normally decrease. These are computed with consideration of security controls that are used. d. Any of: avoid the risk (cease the activity), share the risk (for example, by insurance), retain the risk (be prepared to tolerate the consequence). Question 7: Qualitative vs. quantitative risk In what way are qualitative and quantitative risk analysis different? Explain one significant drawback of each type. Qualitative risk assessment uses words to describe the likelihood of incidents and the magnitude of potential negative impacts, whereas quantitative risk assessment uses numerical values for likelihood and impact. qualitative scale could be: unlikely, relatively likely, highly likely. quantitative scale could be probability values in the range [0, 1]. Major drawbacks of qualitative risk analysis are that the results are hard to justify objectively and that an exact value is not available for cost/benefit analysis. Major drawbacks of quantitative risk analysis are that the calculations are ad hoc, it can be difficult to explain how the exact figures are obtained and the process can be very labour intensive (although tools are available).

5 Question 8: Threat modelling Consider the case of an online pharmacy, where the diagram below illustrates the main elements in the e-commerce architecture, as well as abstract threats. It can e.g. be assumed that the attacker (threat agent) has as goal to 1) get control of user accounts and their purchasing history, 2) steal the user database (and passwords), 3) sabotage, DDoS or deface the website, or 4) store malware (XSS, malware, exploits) on the website to attack users. You can also consider other attack goals. a. Describe relevant threat scenarios for each attack goal you want to consider. Don t get stuck by the lack of detail in this case description, you can make any assumption you want. The important thing is to be able to identify and articulate relevant threat scenarios, i.e. steps the attacker must take to reach a specific goal. b. For each threat scenario, suggest security controls that can block or mitigate the threat. 1) Threat scenario 1: Spam phishing to hijack user accounts a. A possible threat scenario to get control of a user account is to send phishing to users of the online pharmacy. A challenge for the attackers is to find addresses of customers of the online pharmacy. A possible method for getting user names could be to search online discussion groups for medical issues, where the online pharmacy is mentioned. The phishing could present a link to a fake web page pretending to be the online pharmacy, and asking the user to log in. This would give the attackers account names and corresponding passwords. If the online pharmacy allows federated login e.g. through facebook, then the attackers would get the facebook credentials, which could then be exploited for man other attack scenarios, and have serious impact. b. Controls to prevent this threat could be through security awareness, such as by informing customers that the pharmacy will never send an asking the customers to log in. Another control could be to use a 2 nd authentication factor such as by sending an authorization code by SMS, or having an OTP (onetime-password) app from the service provider. Since an SMS or OTP is dynamic, the attackers could not simply steal a password to take over the account.

6 2) Threat scenario 2: Steal the user database through SQL injection a. A possible threat scenario to get the user database could be through SQL injection through the web interface, if it can be assumed that the web interface has no input filtering and sanitation before input data gets sent to the back-end SQL database. b. Input filtering and sanitation of input from the web would prevent SQL injection. 3) Threat scenario 3: DDoS attack to block customers from purchasing a. DDoS attack capability using botnets can be bought online relatively cheaply. This is a typical way for hackers to monetise botnets which they control. While a DDoS attack is ongoing it will be difficult or impossible for customers to access the online pharmacy, so customers might go to a competitor instead. b. Possible controls to mitigate against DDoS attacks could be to have loadsharing between multiple servers so that a moderate DDoS attack would have limited effect. Another control could be to use a powerful NGF (Next Generation Firewall) which is able to dynamically detect DDoS attack patterns and set up filtering rules to remove the DDoS traffic. Both these controls could be relatively expensive. 4) Threat scenario 4: Store malware on the website to attack the customers/users. a. Assuming that the online pharmacy has pages for discussion or feedback from customers, it could be possible for attackers to store malicious java scripts (disguised as a discussion comment) on the website, which would be downloaded to customer browsers when they access the online pharmacy. This is the principle for typical stored XSS (Cross Side Scripting) attacks. The malicious java script could be used to attack customers e.g. for identity theft or for infecting client machines and turn them into bots in the attacker s bot net. b. The best control for preventing storing malware on the web server, and for preventing XSS, is by filtering data from users to be stored on a web server, and filtering data from web servers on the client browser. Question 9: The misnomer: ROS-analyse a. What is the problem with the concept of Risk and Vulnerability Analysis typically used in a Norwegian risk management context (ROS-analyse)? b. Why is Threat and Risk Analysis (TOR-analyse) a better term? a. The concept of risk and vulnerability analysis (ROS-analyse) puts a strong emphasis on vulnerability analysis. However, there is no vulnerability without threats, hence the threat modelling is the most important part of a risk analysis. The problem with the concept of risk and vulnerability analysis is that it takes focus away from threat modelling which can lead to dysfunctional risk assessment and risk management. b. Since threat modelling is a prerequisite for understanding and analysing risk, it is more meaningful to use the concept of threat and risk analysis (TOR-analyse).

7 Question 10: Business impact analysis c. What is special about risks related to disasters, in terms of likelihood and impact? d. As part of business continuity planning, a BIA (Business Impact Analysis) is often performed. Briefly explain the purpose of a BIA. e. Why is BIA often more meaningful than a traditional risk assessment in case of BCM and planning for disaster recovery. c. The likelihood of disasters is very low, but the impacts are extreme. A risk analysis of disasters can therefor become very unreliable. d. A BIA is performed at the beginning of business continuity planning to identify critical functions that in the event of a disruption would cause the greatest financial or otherwise negative impact. e. The risk levels for disasters are difficult to assess because of the extreme levels (very low likelihood and very large impact), hence qualitative and quantitative risk assessment methods become unreliable. Threats considered in BCM are typically considered too strong for effective prevention (e.g. earthquake, terrorist attack), in contrast to risk management where security controls can block or mitigate threats. The focus of BIA is to identify essential business processes, so that BCM can be used make plans for restoring them in case they get disrupted by serious events. Question 11: Maximum tolerable downtime a. Specify the typical MTD (Maximum Tolerable Downtime) for a business function that is defined as (i) critical; (ii) non-essential. b. Assume that the information processing facilities of an organisation has suffered considerable damage, seriously impacting the business functions. How is the MTD taken into account when deciding whether business recovery at an alternative site should be invoked? a. MTDs: - For critical business functions: Minutes to hours, - Non-essential business functions: Weeks to months b. The estimated time to re-establish the business functions at the existing site is estimated is compared with the MTD. The business recovery plan must be invoked if the estimated time exceeds the MTD.