
Chapter 2: Domain Model for Information Systems Security Risk Management

Raimundas Matulevičius, University of Tartu, Estonia, rma@ut.ee

Fundamentals of Secure System Modelling, Springer, 2017

Goal

•  To understand domain terminology
•  To introduce guidelines for determining
   –  Business and system assets
   –  Security risks
   –  Security countermeasures


Outline

•  Domain model
   –  Asset-Related concepts
   –  Risk-Related Concepts
   –  Risk Treatment-Related Concepts
•  Relationships and multiplicities
•  Metrics
•  Process
•  Example
•  Further reading


Domain Model


Asset-Related Concepts

•  Specify important assets to protect; define criteria to guarantee asset security

Asset

•  Anything that has value to the organisation and is necessary for achieving its objectives

•  Technical plan
•  Structure calculation process
•  Architectural competence
•  Operating system
•  Ethernet network
•  People encoding data
•  System administrator
•  Air conditioning of server room

•  This concept is the generalisation of the business asset and IS asset concepts


Business Asset

•  Information, process, skill inherent to the business of the organisation that has value to the organisation in terms of its business model and is necessary for achieving its objectives

•  Technical plan
•  Structure calculation process
•  Architectural competence

•  Business assets are immaterial

System Asset

•  A component or part of the IS that has value to the organisation and is necessary for achieving its objectives and supporting business assets

•  Operating system
•  Ethernet network
•  People encoding data
•  System administrator
•  Air conditioning of server room

•  System assets are material
   –  Exception: software


Security Criterion

•  Property or constraint on business assets
   –  Characterise security needs
      •  Confidentiality
      •  Integrity
      •  Availability
   –  Act as indicators to assess the significance of a risk

•  The security objective of the system is defined using security criteria on business assets

•  Confidentiality of the technical plans
•  Integrity of the structure calculation process

Risk-Related Concepts

•  Describe how the risk itself and its immediate components are defined

Threat Agent

•  An agent that can potentially cause harm to system assets
   –  Triggers a threat and is the source of a risk

•  Staff members with few technical skills and little time, and possibly a strong motivation to carry out an attack
•  Hacker with considerable technical skills, well equipped and strongly motivated by the money he could make

•  A threat agent is characterised by
   –  Opportunity
   –  Capability
   –  Motivation
   –  Expertise


Attack Method

•  Standard means by which a threat agent carries out a threat

•  System intrusion
•  Theft of media or documents

Threat

•  Potential attack, carried out by an agent, that targets one or more IS assets and that may lead to harm to assets
   –  A hacker using social engineering on a member of the company
   –  A thief entering a company building and stealing media or documents


Vulnerability

•  Characteristic of a system asset or group of system assets that can constitute a weakness or a flaw in terms of system security

•  Weak awareness of the staff
•  Deficient physical access control
•  Lack of fire detection

Event

•  Combination of a threat and one or more vulnerabilities
   –  A hacker using social engineering on a member of the company, exploiting weak awareness of the staff
   –  A thief entering a company building thanks to deficient physical access control


Impact

•  Potential negative consequence of a risk that may harm assets of a system or an organisation, when a threat is accomplished

•  Password discovery (impact on IS assets)
•  Data destruction
•  Failure of a component
•  A loss of confidentiality of technical plans (impact on business assets)
•  A loss of confidentiality of information
•  A loss of integrity of a process

•  An impact can provoke a chain reaction of impacts (or indirect impacts)
   –  A loss of confidentiality on sensitive information leads to a loss of customer confidence

Risk

•  Combination of a threat with one or more vulnerabilities leading to a negative impact harming at least two or more of the assets

•  A hacker using social engineering on a member of the company, because of weak awareness of the staff, leading to unauthorised access to personal computers and loss of integrity of the structure calculation process

•  Threat and vulnerabilities are part of the risk event, and impact is the consequence of the risk


Risk Treatment-Related Concepts

•  Characterise what decisions, requirements and controls should be defined and implemented in order to mitigate possible risks

Risk Treatment Decision

•  Decision of how to treat the identified risks
   –  Satisfies a security need, expressed in generic and functional terms, and can lead to security requirements

•  Risk avoidance
•  Risk reduction
•  Risk transfer
•  Risk retention

Risk Treatment Decision: Risk Avoidance

•  Decision not to become involved in, or to withdraw from, a risk
   –  Functionalities of the IS are modified or discarded to avoid the risk

•  Not connecting the IS to the Internet


Risk Treatment Decision: Risk Reduction

•  Action to lessen the probability, negative consequences, or both, associated with a risk
   –  Security requirements are selected for reducing the risk

•  Taking measures to avoid network intrusions

Risk Treatment Decision: Risk Transfer

•  Sharing with another party the burden of loss from a risk
   –  A third party is thus related to the IS (or part of it), sometimes entailing additional security requirements about third parties

•  Taking out insurance to cover a loss of service


Risk Treatment Decision: Risk Retention

•  Accepting the burden of loss from a risk
   –  No design decision is necessary in this case

•  Accepting that the service could be unavailable for 1 hour

Security Requirement

•  A condition over the phenomena of the environment that we wish to make true by installing the system, in order to mitigate risks

•  Appropriate authentication methods shall be used to control access by remote users
•  System documentation shall be protected against unauthorised access


Control

•  Designed means to improve security, specified by a security requirement, and implemented to comply with it

•  Firewall
•  Backup procedure
•  Building guard

Relationships and Multiplicities

Metrics

•  Security needs
   –  Security objective that characterises the application of a security criterion on a business asset
•  Business asset value
   –  Only business assets are estimated in terms of value
   –  Business assets are involved to define and estimate security objectives and to assess the significance of risk
•  Risk level
   –  Depends on event potentiality and impact level
•  Potentiality
   –  Is estimated through threat likelihood and vulnerability level
•  Cost
   –  Cost of buying a firewall
   –  Cost of maintaining it by a security officer
•  Risk reduction
   –  Risk reduction, avoidance and transfer treatment
   –  For risk retention, risk reduction equals 0

Process

Context and Asset Identification

•  Description of organisation and its environment
   –  Sensitive activities related to information security
   –  Example:
      •  Design of technical plans
      •  The technical plans are created by drawers and engineers on computers connected to the Internet

Security Objective Determination

•  Determine the security objectives to be reached
   –  Confidentiality
   –  Integrity
   –  Availability
   –  Example:
      •  During their design, the technical plans should be kept confidential


Risk Analysis and Assessment

•  Identify risks and estimate them qualitatively or quantitatively
   –  Example:
      •  A rival tries to use common operating system and network protocol weaknesses to penetrate the personal computer of an employee, where confidential technical plans are stored
      •  Estimated level: sufficiently high

Risk Treatment

•  Risk treatment measures
   –  Risk avoidance
   –  Risk reduction
   –  Risk transfer
   –  Risk retention
   –  Example:
      •  Reduce the preceding risk with some security controls implemented in the system


Security Requirements Definition

•  Security requirements: security solutions to mitigate the risks
•  If security requirements are unsatisfactory
   –  Revise the risk treatment step
   –  Revise all of the preceding steps
   –  Example:
      •  Procedures for monitoring the use of information processing facilities should be established and the results of the monitoring activities reviewed regularly

Security Control Selection and Implementation

•  Implement system countermeasures within the organisation
   –  Example:
      •  A firewall and an Intrusion Detection System are selected and implemented


Example: Asset-Related Concepts

Business assets
•  Game report data submitted at the frame to Submit game report and stored in the Game storage

System assets
•  Frame to Submit game report used by umpire
•  Transmission medium that transfers game report
•  Game storage to store ERIS data

Security criteria
•  Confidentiality of game report
•  Integrity of game report


Example: Threat Definition (Risk-Related Concepts)

Threat
•  An attacker intercepts the transmission medium, and captures, modifies and passes Game report to Game storage

Threat agent
•  An attacker with means to intercept the transmission medium by acting as a proxy

Attack method
1.  Intercept the transmission medium between the frame to Submit game report and Game storage
2.  Capture, modify and pass data to the Game storage

Example: Event Definition (Risk-Related Concepts)

Vulnerability
•  Characteristics of transmission medium to be intercepted
•  Lack of crypto-functionality at the frame to Submit game report and Game storage

Event
•  An attacker intercepts the transmission medium due to its characteristics to be intercepted, captures Game report due to the lack of crypto-functionality at the frame to Submit game report, and modifies and passes data to Game storage due to the lack of crypto-functionality at the Game storage


Example: Risk Definition (Risk-Related Concepts)

Impact
•  Loss of Game report integrity
•  Game report is not securely submitted and stored
•  Loss of transmission medium reliability

Risk
•  An attacker intercepts the transmission medium, and captures, modifies and passes Game report due to the transmission medium characteristic to be intercepted and due to the lack of crypto-functionality at the frame to Submit game report and Game storage, leading to loss of Game report integrity

Example: Risk Treatment-Related Concepts

Risk treatment decision: Risk reduction
•  Security requirement: Verify the received Game report with the original
•  Control: Checksum algorithm

Risk treatment decision: Risk avoidance
•  Security requirement: Change the transmission medium to one that does not have the ability to be intercepted
•  Controls:
   –  Physically deliver the Game report to the football federation
   –  Game report saved to Game storage by entering it manually
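The Metrics slides and the Game report example, carried through in code: an added walk-through written for this page, not code from the lecture or the book. The 4-point Level scale, the min/max rule for potentiality, the impact level taken from the harmed asset's value, and the residual levels passed to risk_reduction are assumptions.

```python
"""ISSRM domain model as code (added example, not the lecture's or the book's).
Level scale and combination rules are assumptions; the slides only say which metric depends on which."""
from dataclasses import dataclass
from enum import IntEnum

Level = IntEnum("Level", "NONE LOW MEDIUM HIGH", start=0)  # constructed 4-point scale

@dataclass(frozen=True)
class BusinessAsset:
    name: str
    value: Level  # Metrics slide: only business assets are estimated in terms of value

@dataclass(frozen=True)
class SecurityCriterion:  # security need = criterion applied to a business asset
    prop: str  # confidentiality / integrity / availability
    asset: BusinessAsset

@dataclass(frozen=True)
class Threat:  # threat agent carrying out an attack method
    description: str
    likelihood: Level

@dataclass(frozen=True)
class Vulnerability:
    description: str
    level: Level

@dataclass(frozen=True)
class Event:  # threat combined with one or more vulnerabilities
    threat: Threat
    vulnerabilities: tuple

    def potentiality(self) -> Level:
        # Assumed rule: threat likelihood, capped by the most severe exploited vulnerability
        return Level(min(self.threat.likelihood, max(v.level for v in self.vulnerabilities)))

@dataclass(frozen=True)
class Risk:  # event plus the impact that negates a security criterion
    event: Event
    impact_on: SecurityCriterion

    def level(self) -> int:
        # Risk level depends on event potentiality and impact level; the impact level is
        # assumed to equal the value of the harmed business asset
        return int(self.event.potentiality()) * int(self.impact_on.asset.value)

def risk_reduction(risk: Risk, decision: str, residual_level: int) -> int:
    """Risk reduction metric of a treatment decision (avoidance, reduction, transfer, retention)."""
    if decision == "retention":  # loss accepted, no design decision: reduction is 0
        return 0
    if decision == "avoidance":  # risky functionality discarded, so nothing remains
        residual_level = 0
    return risk.level() - residual_level

# The lecture's Game report example; the levels are constructed sample values.
GAME_REPORT = BusinessAsset("Game report", Level.HIGH)
INTEGRITY = SecurityCriterion("integrity", GAME_REPORT)
PROXY_ATTACKER = Threat("attacker acting as a proxy intercepts, captures, modifies, passes", Level.MEDIUM)
VULNS = (Vulnerability("transmission medium can be intercepted", Level.HIGH),
         Vulnerability("no crypto-functionality at the frame and at Game storage", Level.HIGH))
GAME_REPORT_RISK = Risk(Event(PROXY_ATTACKER, VULNS), INTEGRITY)
if __name__ == "__main__":  # reduction: checksum control; avoidance: physical delivery
    print(GAME_REPORT_RISK.level(), [risk_reduction(GAME_REPORT_RISK, d, r)
                                     for d, r in (("reduction", 2), ("avoidance", 6), ("retention", 6))])
```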


Further Reading

•  AURUM: Automated Risk and Utility Management
   –  Ekelhart, A., Fenz, S., Neubauer, T.: AURUM: a framework for information security risk management. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (2009)
•  CORAS
   –  Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011)
•  CRAMM: CCTA Risk Analysis and Management Method
   –  Yazar, Z.: A qualitative risk analysis and management tool: CRAMM. Technical Report, SANS Institute (2002)
•  EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité
   –  DCSSI Advisory Office: EBIOS 2010: Expression of Needs and Identification of Security Objectives. Technical Report, Secrétariat général de la défense nationale, Direction centrale de la sécurité des systèmes d'information (2010)
•  MEHARI: Méthode Harmonisée d'Analyse du Risque Informatique
   –  CLUSIF: MEHARI 2010: Fundamental concepts and principles-specifications. Technical Report, Club de la Sécurité de l'Information Français (2010)
•  OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
   –  Alberts, C.J., Dorofee, A.J., Stevens, J., Woody, C.: Introduction to the OCTAVE approach. Technical Report, Software Engineering Institute, Carnegie Mellon University (2003)


Summary

•  Domain model
   –  Asset-Related concepts
   –  Risk-Related Concepts
   –  Risk Treatment-Related Concepts
•  Relationships and multiplicities
•  Metrics
•  Process
•  Example
•  Further reading