Lesson 3 Information Security Risk

The document discusses information security risk and risk management. It describes the risk management framework which involves 6 steps: assessing assets, threats, vulnerabilities, risks, prioritizing countermeasures, and making decisions. It then discusses risk treatments including acceptance, avoidance, mitigation, and transfer. It also discusses the differences between risk avoidance and risk mitigation. Finally, it briefly discusses terms related to trust and assurance and the lifecycle of security systems.

Uploaded by

Jai

Lesson 3

Information Security Risk


Learning Outcomes
At the end of the lesson, you should be able to:

• Protect data and respond to threats that occur over the internet
• Design and implement risk analysis, security policies and damage assessment
• Plan, implement and audit operating systems’ security in a networked, multi-platform and cross-platform environment
• Provide contingency operations that include administrative planning process for incident response, disaster recovery, and business continuity planning within information security
Risk Management Framework

One particular risk management procedure (from Viega and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions

Thought experiment: try to follow this procedure to manage risks to your material possessions stored at your home or apartment.
Risk Treatments

Once the risk has been identified and assessed, managing the risk can be
done through one of four techniques:
Risk acceptance: risks not avoided or transferred are retained by the
organization. E.g. sometimes the cost of insurance is greater than the
potential loss. Sometimes the loss is improbable, though catastrophic.
Risk avoidance: not performing an activity that would incur risk.
E.g. disallow remote login.
Risk mitigation: taking actions to reduce the losses due to a risk; many
technical countermeasures fall into this category.
Risk transfer: shift the risk to someone else. E.g. most insurance contracts,
home security systems.
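Added example, not from the slides: the six-step procedure above applied to the "possessions at home" thought experiment, ending in one of the four risk treatments. Every figure (likelihoods, losses, countermeasure costs and their effects) is constructed for illustration.

```python
# Added example (not from the slides): the six-step Viega/McGraw procedure
# applied to the home-possessions thought experiment. All figures constructed.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str           # step 1: asset
    threat: str          # step 2: threat
    vulnerability: str   # step 3: vulnerability
    likelihood: float    # assumed events per year
    impact: float        # assumed loss per event, in dollars

    @property
    def annual_loss(self) -> float:
        # step 4: risk expressed as expected annual loss
        return self.likelihood * self.impact

@dataclass
class Countermeasure:
    name: str
    kind: str                        # "avoidance", "mitigation" or "transfer"
    cost: float                      # annual cost of the countermeasure
    likelihood_factor: float = 1.0   # <1 lowers how often the loss occurs
    impact_factor: float = 1.0       # <1 lowers how much each event costs

    def residual(self, r: Risk) -> float:
        return r.likelihood * self.likelihood_factor * r.impact * self.impact_factor

    def net_benefit(self, r: Risk) -> float:
        # loss avoided per year minus what the countermeasure costs
        return r.annual_loss - self.residual(r) - self.cost

def prioritize(risk: Risk, options: list) -> list:
    # step 5: best net benefit first
    return sorted(options, key=lambda c: c.net_benefit(risk), reverse=True)

def decide(risk: Risk, options: list) -> tuple:
    # step 6: if no option pays for itself, the risk is retained (acceptance)
    best = prioritize(risk, options)[0]
    if best.net_benefit(risk) > 0:
        return best.kind, best.name
    return "acceptance", "retain the risk"

LAPTOP_THEFT = Risk("laptop", "burglar", "unbarred ground-floor window", 0.05, 2000)
OPTIONS = [
    Countermeasure("renter's insurance", "transfer", 60, impact_factor=0.1),
    Countermeasure("window bars", "mitigation", 150, likelihood_factor=0.2),
    Countermeasure("keep no laptop at home", "avoidance", 500, likelihood_factor=0.0),
]
print(decide(LAPTOP_THEFT, OPTIONS))
```

A risk whose expected loss is small relative to every option's cost (an improbable or cheap loss) falls through to acceptance, which is the case the slide describes.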
Risk Management

The risk treatments—acceptance, avoidance, mitigation, transfer—are with respect to a specific risk for a specific party.

E.g., buying insurance is risk transfer for you, not for the insurance company. For the insurance company, it’s risk acceptance. But they may require you to take measures to avoid or mitigate their risk.

There is generally more money in a bank than in a convenience store; but which is more likely to be robbed? Why? Of which risk management technique(s) is this an instance?
Mitigation versus Avoidance

There is often a confusion about the difference between risk avoidance and
risk mitigation.

Risk avoidance is about preventing the risk from being actualized. E.g., not
parking in a high crime area.

Risk mitigation is about limiting the damage should the risk be actualized.
E.g., having a LoJack or cheap car stereo.

Note the risk in this case is that your car will be broken into.
Terms: Trust and Assurance
Trust is a generic term that implies a mechanism in place to provide a basis
for confidence in the reliability/security of the system. Failure of the
mechanism may destroy the basis for trust.
Trust mechanisms are the security features of a system that provide
enforcement of a security policy.
The trusted computing base (TCB) is a collection of all the trust mechanisms
of a computer system which collectively enforce the policy.
Assurance is a measure of confidence that the security features, practices,
procedures, and architecture of a system accurately mediates and enforces
the security policy.
Trust Management

The concept of trust management provides a unified approach to conceptualizing (parts of) IA. That is, a big part of IA is about controlling interactions among:
• actions
• principals
• policies
• credentials
Various policy management systems have been built with the goal of formalizing and describing these relationships: KeyNote (1999) and Extensible Access Control Markup Language (XACML) (2009). These provide formal mechanisms for defining policy languages.
Why do you think that trust is a vital component of IA?
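Added example, not from the slides and not KeyNote's or XACML's real syntax: a toy evaluator in the KeyNote spirit that relates the four things listed above. A policy is the local root of trust (which principals may perform which actions); a credential lets a principal delegate some of its actions to another. Credentials are assumed already signature-verified, and all key names are constructed.

```python
# Added example (not from the slides, not KeyNote's actual syntax): a toy
# trust-management check over principals, actions, policies and credentials.
# Credentials are taken as already signature-verified; names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    issuer: str          # principal that delegates
    subject: str         # principal that receives the delegation
    actions: frozenset   # actions delegated

class TrustEngine:
    def __init__(self, policy: dict):
        # policy: the local root of trust, principal -> actions it may perform
        self.policy = {p: frozenset(a) for p, a in policy.items()}

    def authorized(self, principal: str, action: str, creds: list, depth: int = 4) -> bool:
        """True if policy, directly or via a credential chain, grants action."""
        if action in self.policy.get(principal, ()):
            return True
        if depth == 0:        # bound the chain so delegation cycles terminate
            return False
        for c in creds:
            # a delegation counts only if the issuer itself holds the authority
            if c.subject == principal and action in c.actions and \
                    self.authorized(c.issuer, action, creds, depth - 1):
                return True
        return False

POLICY = {"admin-key": {"read", "write", "deploy"}}
CREDS = [
    Credential("admin-key", "dev-key", frozenset({"read", "write"})),
    Credential("dev-key", "ci-key", frozenset({"read"})),
    # dev-key never held "deploy", so this credential grants nothing
    Credential("dev-key", "ci-key", frozenset({"deploy"})),
]
ENGINE = TrustEngine(POLICY)
```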
Lifecycle

A lifecycle is the process by which an asset is managed from its arrival or creation to its termination or destruction.
Software engineering defines several lifecycle models for the development or acquisition of computer software. In a waterfall model, the process is divided into stages performed sequentially:
•Requirements
•Design
•Coding
•Testing
•Deployment
•Production
•Decommission
Security Systems Lifecycle Management
Security systems lifecycle management is a process by which the project
managers for a system will ensure that appropriate information assurance
safeguards are incorporated into a system.
The stages leading to acquisition by the government of a secured system
might be:
1. evaluation of sensitivity of the application based on risk analysis
2. determination of security specifications
3. design review and perform system tests to ensure safeguards are adequate, through testing and validation that the product meets specifications
4. system certification and accreditation, issuance of a certificate that the system meets the need and can be procured.
Assurance Requirements
Some indication of various types of lifecycle concerns appear in the Common
Criteria “Assurance requirements”, including:
Class APE, ASE: System Evaluation.
Class ACM: Configuration Management, includes CM automation,
capabilities, and scope.
Class ADO: Delivery and Operations, includes delivery and installation, and
generation and set-up.
Class ADV: Development, includes functional specification,
low-level design, implementation representation, TSF internals, high-level
design, representation correspondence, and security policy modeling.
Assurance Requirements (2)

Class AGC: Guidance Documentation, includes administrator guidance, and user guidance.
Class ALC: Life Cycle, includes development security, flaw remediation,
tools and techniques, and life cycle definition.
Class ATE: Tests, includes test coverage, test depth, functional tests, and
independent testing.
Class AVA: Vulnerability Assessment, includes covert channel analysis,
misuses, strength of functions, and vulnerability analysis.
Class AMA: Maintenance of Assurance, includes assurance maintenance
plan, component categorization, evidence of assurance
maintenance, and security impact analysis.