1 Introduction
The purpose of this document is to analyze the security of the information system (Trading System) presented in the paper [1]. During this analysis we follow the steps of the security risk management process: identification of assets and contexts, possible security objectives (confidentiality, integrity, and availability of assets), risk assessment (cost, likelihood, impact etc.), determination and prioritization of security requirements on the system, and the proposal of selected security requirements and controls to be implemented in the system. The analysis is carried out in two iterations.
At the very end, we assess and give arguments for whether the system (with the implemented security controls) is reasonable.
2 Description of the System
2.1 Parties

Table 1. Stakeholders and their goals
Stakeholder          Goal
Cashier              Process sale (scan the goods using the Bar Code Scanner or insert them manually using the Cash Desk PC, receive payment from the customer by either credit card or cash, print the receipt)
Customer             Get purchased goods (pay for the goods using either credit card or cash, get a receipt for the payment)
Store Manager        Manage inventory (order products, change prices, view inventory reports)
Stock Manager        Receive/decline ordered products
Enterprise Manager   View delivery reports
Supplier             Sell goods, receive product orders
2.2 Business assets

Table 2. Business assets, their value and security criterion
BA_01  List of completed sales
       Value: Ability to generate reports, long term inventory planning, plan sales strategy
       Security criterion: Confidentiality of completed sales, integrity of stored sale records, availability of sale records to use for strategic planning
BA_02  Process of managing express checkouts
       Value: Increased customer throughput
       Security criterion: Integrity of the mechanism to switch into express checkout mode, availability of the express checkout mode
BA_03  Card payment process
       Value: Accurate and trustworthy payment (automatic calculation by the Trading System, verification of the available funds of the customer, authentication of the customer when inserting the PIN code, electronic payment transaction)
       Security criterion: Confidentiality of the payment process, integrity of the payment details and accounts during the transaction, availability of the card payment service.
BA_04  Inventory reports
       Value: Real-time inventory tracking and reports, statistics about the store
       Security criterion: Integrity of the information about the goods (and their amounts) stored in the inventory, availability of the inventory data (goods and their details)
BA_05  Product exchange process among stores
       Value: Efficient enterprise inventory management, faster delivery
       Security criterion: Integrity of the heuristics determining the deliveries, integrity of the data retrieved about the Store servers through the synchronization process, availability of the Store servers.
BA_06  Synchronization of Stores and Enterprise Server
       Value: Central and up-to-date Enterprise inventory
       Security criterion: Availability of the Store servers and Enterprise server, integrity of sent and received Store inventory data
BA_07  Suppliers list
       Value: Ability to choose suppliers to order products from
       Security criterion: Integrity of the suppliers list, availability of the suppliers list
BA_08  Product list
       Value: Ability to choose different products from different suppliers
       Security criterion: Integrity of the product list, confidentiality of the product list, availability of the product list
BA_09  Receive ordered products process
       Value: Complete and correct delivery
       Security criterion: Integrity of the product orders and of the received ordered products
BA_10  Inventory management
       Value: Ability to change and view details of the goods in the inventory (e.g. price, quantity), ordering products to have a sufficient amount of goods in the inventory
       Security criterion: Availability and integrity of the information describing the inventory status
BA_11  Delivery reports
       Value: Statistics about the enterprise, generating reports.
       Security criterion: Integrity of the statistics about the enterprise
BA_12  Sale process
       Value: Selling goods and receiving money, as fast and accurate as possible (profit)
       Security criterion: Availability of the sale process (Cash Desk and Store server up and running), integrity of the payment details
BA_13  Barcode
       Value: Identify items
       Security criterion: Integrity of the statistics
BA_14  Cash payment process
       Value: Accurate payment with authentic and valid money
       Security criterion: Availability of the cash payment process, integrity of the payment
2.3 Information System (IS) asset

Table 3. Information System assets
ID      IS asset: How does it support the business asset?
ISA_01  Store server: Stores sales, stock items, orders (BA_01, BA_04, BA_06, BA_09, BA_10)
ISA_02  Enterprise server: Product and supplier list, also inventory information about the different Stores (BA_05 - BA_08, BA_11)
ISA_03  Store client: Provides the environment to carry out different processes (BA_04, BA_09, BA_10)
ISA_04  Enterprise client: Generates the delivery report (BA_11)
ISA_05  Cash desk PC: Wires all the Cash Desk components with each other; the software responsible for handling the sale process and for the communication with the Bank runs on that machine (BA_03, BA_12)
ISA_06  Bar Code Scanner: Identifies items (BA_12, BA_13)
ISA_07  Card Reader: Card payment (BA_03, BA_12)
ISA_08  Cash Box: Starts and finishes the sale, initiates card payment, registers the purchase (BA_02, BA_03, BA_12, BA_14)
ISA_09  Printer: Prints the receipt (BA_12)
ISA_10  Light Display: Indicates Express Checkout mode (BA_03)
ISA_11  Ethernet network: Provides the means of communication between the parties (servers, Bank, card reader, clients, Cash Desk PC, Supplier IS) (BA_02, BA_03, BA_05, BA_06, BA_09 - BA_12)
ISA_12  Store Manager: Orders products (BA_10)
ISA_13  Stock Manager: Receives ordered products (BA_09)
ISA_14  Express Cash Desk Algorithm: Turns on Express Checkout Mode (BA_02)
ISA_15  Product Exchange algorithm: Manages low stock in the Store (BA_05)
ISA_16  Software responsible for handling the sale process / communication with the Bank: Responsible for handling the sale process / communication with the Bank (BA_03, BA_12)
2.4 Relationship between IS assets and business assets
The relationship between IS assets and business assets is presented in Table 4. The mark "X" indicates that the corresponding IS asset supports the corresponding business asset. More details are presented in Tables 2 and 3.
Table 4. Relationship between business assets and IS assets.
Columns 01 to 14 stand for the business assets BA_01 to BA_14.
IS asset  01 02 03 04 05 06 07 08 09 10 11 12 13 14
ISA_01     X        X     X        X  X
ISA_02                 X  X  X  X        X
ISA_03              X              X  X
ISA_04                                   X
ISA_05           X                          X
ISA_06                                      X  X
ISA_07           X                          X
ISA_08        X  X                          X     X
ISA_09                                      X
ISA_10           X
ISA_11        X  X     X  X        X  X  X  X
ISA_12                                X
ISA_13                             X
ISA_14        X
ISA_15                 X
ISA_16           X                          X
8
3 System Analysis – First Iteration
The system security analysis is focused on the organization's Store systems. The Enterprise Server and its communication with the Store servers are left out of scope. During this analysis, risks are identified by spelling out the asset-related, risk-related, and risk-treatment-related concepts of each one. Every risk also includes a quantitative assessment.
3.1 Identified risks
3.1.1 Risk 1 – Changing barcode

Asset-related concepts
Business asset: Sale process
IS asset: Barcode
Security criterion: Integrity of the sale process

Risk-related concepts
Risk: An attacker pays less than the original value for a product because the product's barcode can be altered, leading to a loss of integrity of the barcode
Impact: Loss of integrity of the barcode
Event: An attacker replaces the product's barcode with the barcode of a cheaper product and pays less than the original value for the product
Vulnerability: The product's barcode can be altered
Threat: An attacker pays less than the original value for a product
Threat agent: An attacker with the means to create a barcode
Attack method: The attacker creates a barcode of a cheaper product and replaces the original barcode with it

Risk treatment-related concepts
Risk treatment decision: Acceptance
Security requirement: -
Control: -

ASSET VALUE
Barcode: Depending on the price of the product

MEASURING ASSET
Security need for availability: 2
Security need for confidentiality: 0
Security need for integrity: 2

MEASURING RISK
Threat likelihood: 1 – unlikely, not a common attack (a lot of work for little gain)
Level of vulnerability: 3 – the barcode is not protected in any way
Potentiality (likelihood + vulnerability level – 1): 3
Impact: 2
RISK LEVEL: 6

MEASURING RISK TREATMENT
Risk treatment: Risk acceptance
Security requirement: -
New vulnerability level: 3
New risk level: 6
Risk reduction: 0
Cost: €0
Return on Security Investment (ROSI):
- The ROSI cannot be calculated as the risk exposure is hard to quantify.
3.1.2 Risk 2 – Paying with counterfeit money

Asset-related concepts
Business asset: Sales process
IS asset: Cash Box
Security criterion: Integrity of the sales process

Risk-related concepts
Risk: A person pays with counterfeit money because the banknotes' authenticity is not checked
Impact: Loss of integrity of the sales process
Event: A person pays with counterfeit money because the banknotes' authenticity is not checked
Vulnerability: The banknotes' authenticity is not checked
Threat: A person paying with counterfeit banknotes
Threat agent: A person with the skills and knowledge to produce counterfeit money
Attack method: Counterfeit banknotes

Risk treatment-related concepts
Risk treatment decision: Risk reduction
Security requirement: All Cash Desks must be equipped with a banknote authenticity checker, and cashiers have monetary responsibility for the authenticity of the banknotes they accept.
Control: Banknote authenticity checker

ASSET VALUE
Cash payment process: €25000 [1] x 200 stores x 365 days x 50% cash payments = €912,5 million

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 0
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 1 – unlikely due to the security measures implemented in a banknote
Level of vulnerability: 2 – no certain measures for checking authenticity
Potentiality (likelihood + vulnerability level – 1): 2
Impact: 3
RISK LEVEL: 6

MEASURING RISK TREATMENT
Risk treatment: Risk reduction
Security requirement: Banknote authenticity checker
New vulnerability level: 0
New risk level: 0
Risk reduction: 6
Cost: 200 stores x 8 cash desks/store x €99 [2] = €154800
Return on Security Investment (ROSI):
- Risk exposure = €912,5 million
- Risk mitigated = Risk reduction / Risk level = 6 / 6
- Solution cost = €154800
- ROSI = 589370%

[1] http://www.epl.ee/news/eesti/pirita-selverile-tehti-taas-pommiahvardus.d?id=50831000
[2] http://www.byroomaailm.ee/index.php?page=shop.product_details&flypage=flypage.tpl&product_id=25513&category_id=317256&vmcchk=1&option=com_virtuemart&Itemid=1
3.1.3 Risk 3 – Multiple insertion into system

Asset-related concepts
Business asset: Sale process
IS asset: Cash box
Security criterion: Integrity of the sale process

Risk-related concepts
Risk: The cashier enters some of the products bought by the customer into the cash box more times than there are actual items, as the customer does not have an overview of the products the cashier enters into the cash box, leading to a loss of integrity of the sale and harming the store's reputation
Impact: Loss of integrity of the sale
Event: The cashier enters some of the products bought by the customer into the cash box more times than there are actual items, as the customer does not have an overview of the products the cashier enters into the cash box
Vulnerability: The customer does not have an overview of the products entered by the cashier before receiving the receipt
Threat: The cashier enters some of the products bought by the customer into the cash box more times than there are actual items
Threat agent: An employee of the store who wants to increase the sales done by him/her
Attack method: Theft of money

Risk treatment-related concepts
Risk treatment decision: Risk reduction
Security requirement: The customer will have an overview of the items entered into the cash box
Control: A small screen showing the current item entered, the amount and the price will be placed so that the customer can see it

ASSET VALUE
Sale process: Depending on the price of the product (€0,01 - €1000 approx.) and the number of occurrences of the attack

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 0
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 2 – possible, as some cashiers may want to have a surplus in their cash box
Level of vulnerability: 1 – the customer can check the amounts from the receipt, but this usually is not done
Potentiality (likelihood + vulnerability level – 1): 2
Impact: 3
RISK LEVEL: 6

MEASURING RISK TREATMENT
Risk treatment: Risk reduction
Security requirement: The customer has an overview of the items entered into the cash box
New vulnerability level: 0
New risk level: 3
Risk reduction: 3
Cost: 200 stores x 8 cash desks x €149 [3] = €238400
Return on Security Investment (ROSI):
- Risk exposure = €100000
- Risk mitigated = Risk reduction / Risk level = 3 / 6
- Solution cost = €238400
- ROSI = -79%

[3] http://hlt.ee/tooted/kliendinaidik
3.1.4 Risk 4 – Infecting Cash Desk PC with malware

Asset-related concepts
Business asset: Sale process
IS asset: Cash Desk PC
Security criterion:
- Availability of the sale process
- Integrity of the data exchanged during the sale process
- Confidentiality of the data handled using the Cash Desk PC
Also some other information that is not presented in the paper.

Risk-related concepts
Risk: A bad person having (possibly unauthorized) access to the Cash Desk PC infects the PC with malware, which leads to unavailability of the sale process and/or a loss of integrity and confidentiality of the data exchanged during the sale process
Impact: A Store PC infected with malware may become non-operational or exploited, which leads to:
- A loss of availability of the sale process.
If the attacker already has access to the PC, then also:
- A loss of integrity of the data exchanged during the sale process
- A loss of confidentiality of the data exchanged during the sale process
Event: One (or more) Store PCs get infected with malware
Vulnerability:
- Unauthorized personnel can access the Cash Desk PC
- The Cash Desk PC is not equipped with anti-malware software
Threat: The Cash Desk PC gets infected by malware
Threat agent: Anyone with bad intentions and access to the Store Cash Desk PC, also with the knowledge and means to plant the malware on the PC (e.g. using a USB device infected with malware)
Attack method: Infecting the Cash Desk PC with malware which can spread to all the Store PCs using the internal network. Malware can cause damage and/or modify/collect data

Risk treatment-related concepts (three treatments)
Treatment 1 – Risk reduction
  Security requirement: All the Store PCs should be equipped with proper anti-malware software
  Control: Installing anti-malware software on every PC
Treatment 2 – Risk reduction
  Security requirement: All the Store PCs should use appropriate authentication methods
  Control: More secure authentication method (combination), e.g. ID-card.
Treatment 3 – Risk retention
  Security requirement: -
  Control: The insurance covers the loss

ASSET VALUE
Sale process: €25000 x 200 stores x 365 days = €1,825 billion

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 2
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 1 – unlikely that the Cash Desk PC is left unattended
Level of vulnerability: 3 – the possible harm is very big
Potentiality (likelihood + vulnerability level – 1): 3
Impact: 3
RISK LEVEL: 9

MEASURING RISK TREATMENT
Treatment 1 – Risk reduction
  Security requirement: Anti-malware software
  New vulnerability level: 2
  New risk level: 6
  Risk reduction: 3
  Cost: €250000 (enterprise version, installation)
Treatment 2 – Risk reduction
  Security requirement: Access to the PC only with ID-card
  New vulnerability level: 2
  New risk level: 6
  Risk reduction: 3
  Cost: €100000 (architecture, installation)
Return on Security Investment (ROSI):
Anti-malware software
- Risk exposure = €1,825 billion
- Risk mitigated = Risk reduction / Risk level = 3 / 9
- Solution cost = €250000
- ROSI = 243233%
Access to the PC only with ID-card
- Risk exposure = €1,825 billion
- Risk mitigated = Risk reduction / Risk level = 3 / 9
- Solution cost = €100000
- ROSI = 608233%
3.1.5 Risk 5 – Paying with stolen card

Asset-related concepts
Business asset: Card payment process
IS asset: Card Reader
Security criterion: Integrity of the card payment process

Risk-related concepts
Risk: An attacker pays with a stolen bank card using a flaw in the PIN verification protocol [4], leading to a loss of store reputation, a loss of the card owner's money and a loss of integrity of the card payment process
Impact: Loss of store reputation, loss of the card owner's money
Event: An attacker pays with a stolen bank card using a flaw in the PIN verification protocol
Vulnerability: A flaw in the PIN verification protocol
Threat: An attacker paying with a stolen bank card
Threat agent: An attacker with a special rig and a stolen bank card
Attack method: Man-in-the-middle device

Risk treatment-related concepts (two treatments)
Treatment 1 – Risk acceptance
  Security requirement: -
  Control: -
Treatment 2 – Risk avoidance
  Security requirement: No card payments allowed
  Control: No card payments allowed

ASSET VALUE
Card payment process: €25000 x 200 stores x 365 days x 50% cash payments = €912,5 million

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 3
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 1 – requires extensive knowledge and a special rig
Level of vulnerability: 3 – very hard to discover and can cause a lot of harm
Potentiality (likelihood + vulnerability level – 1): 3
Impact: 3
RISK LEVEL: 9

MEASURING RISK TREATMENT
Treatment 1 – Risk acceptance
  Security requirement: -
  New vulnerability level: 3
  New risk level: 9
  Risk reduction: 0
  Cost: €0
Treatment 2 – Risk avoidance
  Security requirement: No card payments allowed
  New vulnerability level: 0
  New risk level: 0
  Risk reduction: 9
  Cost: €912,5 million (loss in revenue from card payments)
Return on Security Investment (ROSI):
- ROSI will not be calculated as there is no return on investment.

[4] http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
3.1.6 Risk 6 – PIN code logger

Asset-related concepts
Business asset: Card payment process
IS asset: Card reader
Security criterion: Confidentiality of the card payment process

Risk-related concepts
Risk: An attacker places a key logger on top of the buttons of the card reader while it is left unattended and gets to know the PIN codes of the customers, leading to a loss of confidentiality of the card payment process and harming the store's reputation
Impact: Loss of confidentiality of the card payment process
Event: An attacker places a key logger on top of the buttons of the card reader while it is left unattended and gets to know the PIN codes of the customers
Vulnerability: The card reader buttons are not checked, and once in a while the readers are left unattended
Threat: An attacker places a key logger on top of the buttons of the card reader and gets to know the PIN codes of the customers
Threat agent: Anyone who has knowledge about key loggers and access to the card readers used in the stores
Attack method: Man-in-the-middle device

Risk treatment-related concepts
Risk treatment decision: Risk reduction
Security requirement: The card reader will not be left unattended in a public space
Control: A working procedure requiring the card readers to be placed into a lock box when the cash desk is left unattended by the employee

ASSET VALUE
Card payment process: This can lead to customers losing money and to the company losing some part of its customers, and therefore revenue, because of the loss of reputation after such news comes out. For example, given that the daily revenue is €25000 and 30% of the customers are lost for the year, the value could be €25000 x 365 days x 200 stores x 0,3 = €547,5 million

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 3
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 2 – can happen, because this attack has been quite frequent in some cases
Level of vulnerability: 2 – very high, there are no security measures in place
Potentiality (likelihood + vulnerability level – 1): 3
Impact: 3
RISK LEVEL: 9

MEASURING RISK TREATMENT
Risk treatment: Risk reduction
Security requirement: The card reader will not be left unattended in a public space
New vulnerability level: 0
New risk level: 3
Risk reduction: 6
Cost: 200 stores x 8 cash desks x €34 [5] = €54400
Return on Security Investment (ROSI):
- Risk exposure = €547,5 million
- Risk mitigated = Risk reduction / Risk level = 3 / 9
- Solution cost = €54400
- ROSI = 335400%

[5] http://www.on24.ee/kodu/varia_k/seifid_rahalaekad_votmekapid/20163
3.1.7 Risk 7 – Logger in internal network

Asset-related concepts
Business asset: List of completed sales, inventory reports, suppliers list, product list, delivery reports
IS asset: Ethernet network
Security criterion: Confidentiality of data

Risk-related concepts
Risk: An attacker places a device into the intranet because he has access to an Ethernet wall socket, which leads to a loss of confidentiality of data
Impact: Loss of confidentiality of data
Event: An attacker places a device into the intranet because he has access to an Ethernet wall socket
Vulnerability: Access to an Ethernet wall socket
Threat: An attacker places a device into the intranet
Threat agent: An attacker with a hardware network traffic sniffer
Attack method: Man-in-the-middle device

Risk treatment-related concepts (two treatments)
Treatment 1 – Risk avoidance
  Security requirement: No public Ethernet wall sockets
  Control: No public Ethernet wall sockets
Treatment 2 – Risk reduction
  Security requirement: All devices must authenticate themselves before gaining access to the intranet.
  Control: Intranet authentication

ASSET VALUE
List of completed sales, inventory reports, suppliers list, product list, delivery reports: €4,9 million [6]

MEASURING ASSET
Security need for availability: 2
Security need for confidentiality: 3
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 1 – usually Ethernet sockets are not in random places, and a special device is required
Level of vulnerability: 2 – hard to detect, easily planted
Potentiality (likelihood + vulnerability level – 1): 2
Impact: 2
RISK LEVEL: 4

MEASURING RISK TREATMENT
Treatment – Risk reduction
  Security requirement: All devices must authenticate themselves before gaining access to the intranet.
  New vulnerability level: 1
  New risk level: 2
  Risk reduction: 2
  Cost: €100000
Treatment – Risk avoidance
  Security requirement: No public Ethernet wall sockets
  New vulnerability level: 0
  New risk level: 0
  Risk reduction: 4
  Cost: €0
Return on Security Investment (ROSI):
- Risk exposure = €4,9 million
- Risk mitigated = Risk reduction / Risk level = 2 / 4
- Solution cost = €100000
- ROSI = 2350%

[6] http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/data_loss_prevention.pdf
3.1.8 Risk 8 – Intercept communication

Asset-related concepts
Business asset: Inventory data
IS asset: Store Client (which has access to the Store Server)
Security criterion:
- Confidentiality of the data exchanged
- Integrity of the data being exchanged
Also some other information that is not presented in the paper (e.g. user credentials used to access the Store Server)

Risk-related concepts
Risk: A hacker uses tools to intercept the unencrypted communication between the Store Client and Server, which results in a loss of confidentiality of inventory data
Impact:
- A loss of confidentiality of inventory data
- A loss of integrity of inventory data
Event: A hacker intercepts the data exchanged over the insecure remote connection between the Store Client and Server
Vulnerability: Unencrypted communication between the Store Client and Server when using Java RMI (Remote Method Invocation) [7]
Threat: A hacker who has the tools and knowledge to intercept the communication between the Client and Server
Threat agent: A hacker connected to the network (i.e. needs to be connected to the internal network), acting as an intermediate node and having proper tools which can collect and analyze the messages sent and received
Attack method: Intercepting (and possibly altering) the data exchanged between the Store Client and Server

Risk treatment-related concepts
Risk treatment decision: Risk reduction
Security requirement: An appropriate connection or channel between the Store Client and Server should be used
Control:
- SSH tunneling for Java RMI (Figure 3)
- RMI over SSL (more expensive/complex when dealing with X.509 certificates)

ASSET VALUE
Inventory data (list of completed sales): €1 million

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 1
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 2 – not a very rare attack, technical level not too high
Level of vulnerability: 2 – no effective security measures in place
Potentiality (likelihood + vulnerability level – 1): 3
Impact: 3
RISK LEVEL: 9

MEASURING RISK TREATMENT
Treatment 1 – Risk reduction
  Security requirement: SSH tunneling
  New vulnerability level: 1
  New risk level: 6
  Risk reduction: 3
  Cost: €40000 (SSH client free, installation cost)
Treatment 2 – Risk reduction
  Security requirement: RMI over SSL
  New vulnerability level: 1
  New risk level: 6
  Risk reduction: 3
  Cost: €1000000 (architecture, installation)
Return on Security Investment (ROSI):
SSH tunneling
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 3 / 9
- Solution cost = €40000
- ROSI = 733%
RMI over SSL
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 3 / 9
- Solution cost = €1000000
- ROSI = -66%

[7] http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136424.html
3.1.9 Risk 9 – Intrusion to the Store Server

Asset-related concepts
Business asset: Inventory data
IS asset: Store Server
Security criterion:
- Availability of the inventory data
- Integrity of the inventory data
- Confidentiality of the inventory data
Also some other information that is not presented in the paper (e.g. login credentials).

Risk-related concepts
Risk: An attacker intrudes into the Store Server using loopholes in the system (open ports, weak username/password, and root login allowed), which leads to a loss of confidentiality, integrity, and availability of inventory data
Impact: A loss of confidentiality, integrity, and availability of inventory data.
Event: An attacker gets access to the Store Server using possible loopholes in the system (open ports, weak username/password, and root login allowed)
Vulnerability:
- Open ports
- Weak username/password
- Root login allowed
Threat: An attacker who can intrude into the Store Server in order to get (unauthorized) access to the inventory (or other data)
Threat agent: An attacker with the appropriate tools and the motivation to perform an intrusion into the Store Server.
Attack method:
- Listening at ports (possibly some services which may open the door for attackers from the outside world);
- Using brute-force account login (more easily if root login is enabled)

Risk treatment-related concepts (four treatments, all risk reduction)
Treatment 1 – Risk reduction
  Security requirement: The system should allow access only with appropriate privileges
  Control: An ACL (Access Control List) needs to be specified in the system.
Treatment 2 – Risk reduction
  Security requirement: Username and password should have appropriate complexity
  Control: The password for a user to log in has to have at least 6 characters with a mixture of 3 out of 4 character classes: number [0-9], uppercase [A-Z], lowercase letters [a-z], and symbols.
Treatment 3 – Risk reduction
  Security requirement: The system should run only the services that are needed.
  Control: Do not allow installing services which are not needed and may possibly open a door for an attacker.
Treatment 4 – Risk reduction
  Security requirement: The system needs to handle incoming requests
  Control: Proxy server equipped with a firewall

ASSET VALUE
Inventory data: €1 million

MEASURING ASSET
Security need for availability: 3
Security need for confidentiality: 1
Security need for integrity: 3

MEASURING RISK
Threat likelihood: 2 – can happen, but technical skills are still needed
Level of vulnerability: 3 – very many loopholes
Potentiality (likelihood + vulnerability level – 1): 4
Impact: 3
RISK LEVEL: 12

MEASURING RISK TREATMENT
Treatment – Risk reduction
  Security requirement: Run only the server services that are needed
  New vulnerability level: 2
  New risk level: 9
  Risk reduction: 3
  Cost: €4000 (Sys. admin)
Treatment – Risk reduction
  Security requirement: Username and password with appropriate strength
  New vulnerability level: 2
  New risk level: 9
  Risk reduction: 3
  Cost: €4000 (Sys. admin)
Treatment – Risk reduction
  Security requirement: Proxy Server with firewall
  New vulnerability level: 1
  New risk level: 6
  Risk reduction: 6
  Cost: €1000000 (architecture, installation)
Treatment – Risk reduction
  Security requirement: ACL lists
  New vulnerability level: 2
  New risk level: 9
  Risk reduction: 3
  Cost: €10000 (Sys. admin, architecture, user list)
Return on Security Investment (ROSI):
ACL
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 3 / 12 = 1 / 4
- Solution cost = €10000
- ROSI = 2400%
Username and password with appropriate strength
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 3 / 12 = 1 / 4
- Solution cost = €4000
- ROSI = 6150%
Run only the server services that are needed
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 3 / 12 = 1 / 4
- Solution cost = €4000
- ROSI = 6150%
Proxy Server with firewall
- Risk exposure = €1 million
- Risk mitigated = Risk reduction / Risk level = 6 / 12 = 1 / 2
- Solution cost = €1000000
- ROSI = -50%
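The risk levels and ROSI figures in the tables of section 3.1 all come from one small scoring model: potentiality = threat likelihood + vulnerability level – 1, risk level = potentiality x impact, risk mitigated = risk reduction / risk level, and ROSI = (risk exposure x risk mitigated – solution cost) / solution cost. The Python below is an added example, not part of the report or of the Trading System: it encodes that model, takes the report's own inputs for Risks 2, 3, 4, 7, 8 and 9 (the short treatment labels are ours) and reproduces the ROSI percentages printed in those tables. Risk 6 is left out because its table divides by 3 / 9 although its risk reduction row gives 6.

```python
"""Scoring model behind the risk tables in section 3.1 (added example).

  potentiality   = threat likelihood + vulnerability level - 1
  risk level     = potentiality x impact
  new risk level = same formula with the vulnerability level after treatment
  risk mitigated = risk reduction / risk level
  ROSI           = (risk exposure x risk mitigated - solution cost) / solution cost
Percentages are truncated to whole numbers, as the report prints them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int     # threat likelihood (1..3)
    vulnerability: int  # level of vulnerability before treatment (0..3)
    impact: int         # impact (1..3)
    exposure: float     # risk exposure in euro (asset value at stake)


@dataclass(frozen=True)
class Treatment:
    name: str               # label chosen here, not the report's wording
    new_vulnerability: int  # level of vulnerability after the treatment
    cost: float             # solution cost in euro


def potentiality(likelihood: int, vulnerability: int) -> int:
    """likelihood + vulnerability level - 1, floored at 0."""
    return max(0, likelihood + vulnerability - 1)


def risk_level(risk: Risk, vulnerability: Optional[int] = None) -> int:
    """Potentiality x impact; pass the post-treatment vulnerability level
    to obtain the new risk level."""
    v = risk.vulnerability if vulnerability is None else vulnerability
    return potentiality(risk.likelihood, v) * risk.impact


def risk_reduction(risk: Risk, treatment: Treatment) -> int:
    return risk_level(risk) - risk_level(risk, treatment.new_vulnerability)


def rosi_percent(risk: Risk, treatment: Treatment) -> int:
    """ROSI as a whole percentage. A zero-cost treatment (plain acceptance)
    has no defined ROSI, matching the report's 'cannot be calculated'."""
    if treatment.cost <= 0:
        raise ValueError(f"ROSI undefined for zero-cost treatment {treatment.name!r}")
    mitigated = risk_reduction(risk, treatment) / risk_level(risk)
    return int((risk.exposure * mitigated - treatment.cost) / treatment.cost * 100)


# Inputs copied from the report's tables: (risk, treatments that have a ROSI).
REPORT: Dict[str, Tuple[Risk, List[Treatment]]] = {
    "Risk 2": (Risk("Counterfeit money", 1, 2, 3, 912_500_000),
               [Treatment("Banknote checker", 0, 154_800)]),
    "Risk 3": (Risk("Multiple insertion", 2, 1, 3, 100_000),
               [Treatment("Customer display", 0, 238_400)]),
    "Risk 4": (Risk("Cash Desk PC malware", 1, 3, 3, 1_825_000_000),
               [Treatment("Anti-malware", 2, 250_000),
                Treatment("ID-card login", 2, 100_000)]),
    "Risk 7": (Risk("Logger in intranet", 1, 2, 2, 4_900_000),
               [Treatment("Intranet authentication", 1, 100_000)]),
    "Risk 8": (Risk("Intercept communication", 2, 2, 3, 1_000_000),
               [Treatment("SSH tunneling", 1, 40_000),
                Treatment("RMI over SSL", 1, 1_000_000)]),
    "Risk 9": (Risk("Store Server intrusion", 2, 3, 3, 1_000_000),
               [Treatment("ACL", 2, 10_000),
                Treatment("Password strength", 2, 4_000),
                Treatment("Needed services only", 2, 4_000),
                Treatment("Proxy with firewall", 1, 1_000_000)]),
}


def evaluate(risk: Risk, treatments: List[Treatment]) -> Dict[str, Tuple[int, int, int, int]]:
    """Per treatment: (risk level, new risk level, risk reduction, ROSI %)."""
    return {
        t.name: (risk_level(risk), risk_level(risk, t.new_vulnerability),
                 risk_reduction(risk, t), rosi_percent(risk, t))
        for t in treatments
    }


def evaluate_report() -> Dict[str, Dict[str, Tuple[int, int, int, int]]]:
    return {key: evaluate(r, ts) for key, (r, ts) in REPORT.items()}


if __name__ == "__main__":
    for key, rows in evaluate_report().items():
        for name, (level, new_level, reduction, rosi) in rows.items():
            print(f"{key} / {name}: level {level} -> {new_level}, "
                  f"reduction {reduction}, ROSI {rosi}%")
```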
3.2 Security requirements and controls to be implemented
The security requirements and controls to be implemented were selected to address the main risks to the Cash Desk PC and the Store Server (and also because of their high risk level).
Figure 1. Risk treatment prioritization
The figure above represents the prioritization basis and the choice of treatments to be implemented. The treatments with the lowest cost for the risks with the highest level were implemented. Risk 4 treatment 1 was also included, as using only treatment 2 was not seen as adequate. As we concentrated on the Cash Desk PC and the Store Server, we decided not to implement controls for Risk 6.
3.2.1 Risk 4 – Infecting Cash Desk PC with malware
- Security requirements for Risk 4:
  - All the Store PCs should be equipped with proper anti-malware software
  - All the Store PCs should use appropriate authentication methods
- Controls chosen:
  - Installing anti-malware software on every PC
  - More secure authentication method: ID-card
[Figure 1 chart: "Risk level compared to treatment cost". X-axis: Risk level (3 to 13); Y-axis: Treatment cost (€0 to €3,000,000). Plotted treatments: R2T1, R3T1, R4T1, R4T2, R6T1, R7T1, R8T1, R8T2, R9T1, R9T2, R9T3, R9T4.]
Figure 2. Current Cash Desk sale process
Figure 3. Vulnerabilities in current Cash Desk sale process
Figure 4. Current Cash Desk sale process with security controls in place
3.2.2 Risk 8 – Intercept communication
- Security requirement for Risk 8: An appropriate connection or channel between the Store Client and Server should be used
- Control chosen: SSH tunneling for Java RMI
Figure 5. Current communication process between Store Client and Store Server.
Figure 6. Possible vulnerabilities (interception) of the current communication.
Figure 7. Current process with security controls (SSH encryption) in place.
3.2.3 Risk 9 – Intrusion to the Store Server
- Security requirements for Risk 9:
  - Username and password should have appropriate complexity
  - The system should run only the services that are needed.
- Controls chosen:
  - Do not allow installing services which are not needed and may possibly open a door for an attacker.
  - The password for a user to log in has to have at least 6 characters with a mixture of 3 out of 4 character classes: number [0-9], uppercase [A-Z], lowercase letters [a-z], and symbols.
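The password control chosen for Risk 9 (stated in the risk table in 3.1.9 and again above) is concrete enough to be checked mechanically when a Store Server account is created or its password changed. The Python below is an added example and not the Store Server's own code: it implements exactly the rule the report states, at least 6 characters and at least 3 of the 4 classes number [0-9], uppercase [A-Z], lowercase [a-z] and symbols, and reports every violation rather than just a yes/no, so an operator sees why a candidate was refused.

```python
"""Checker for the Risk 9 password control (added example, not the
Store Server's code): at least 6 characters and at least 3 of the 4
character classes number [0-9], uppercase [A-Z], lowercase [a-z], symbols."""
import string
from typing import List, Set

MIN_LENGTH = 6
MIN_CLASSES = 3
# The three classes the report names by range; every other character
# (punctuation, space, non-ASCII) is counted as a symbol.
NAMED_CLASSES = {
    "number": set(string.digits),
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
}


def character_classes(password: str) -> Set[str]:
    """Names of the character classes present in the password."""
    found: Set[str] = set()
    for ch in password:
        for name, members in NAMED_CLASSES.items():
            if ch in members:
                found.add(name)
                break
        else:
            found.add("symbol")
    return found


def password_problems(password: str) -> List[str]:
    """Policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"only {len(classes)} of 4 character classes used, {MIN_CLASSES} required")
    return problems


def meets_policy(password: str) -> bool:
    """True when the candidate satisfies the Risk 9 control."""
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("password", "Abc123", "Ab1!", "Tr4ding-System"):
        verdict = "accepted" if meets_policy(candidate) else password_problems(candidate)
        print(repr(candidate), verdict)
```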
Figure 8. Current process of using store server
Figure 7. Intrusion to Store server
Figure 8. Current process of using store server, with controls implemented