Risk Analysis
HackersLab, Consulting Team
2001. 7. 5
KIM, JIN-YUL
Agenda
- Backgrounds: Why?, What?, How?
- Relationship: Assets, Risk, Threats, etc.
- Risk Analysis Practices: Models, Techniques, Approaches, Procedures
- Considerations
- Conclusions
Terms
- Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
- Threat: A potential cause of an unwanted incident which may result in harm to a system or organization.
Terms
- Vulnerability: A weakness of an asset or group of assets which can be exploited by one or more threats.
- Impact: The result of an unwanted incident.
- Asset: Anything that has value to the organization.
Terms
- Risk Analysis: The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
- Risk Management: The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.
Backgrounds: Why?

Diagram labels:
- Difficulty of tracing and responding to attacks
- Growing attack threats and attacker motivation
- Demand to support new business strategies in the e-business environment
- Enormous losses
- Specialization and sophistication of attack techniques
- Rising value of information assets
- Growing vulnerability (confidentiality, integrity, availability)
- Growing dependence on information systems
- Expansion of open information and communication networks

Notes:
- Growing dependence on information systems: the business impact of an incident is correspondingly large.
- Rising value of information assets: more motivation to attack, hence more threats.
- Expansion of open information and communication networks: greater exposure to unauthorized access, tampering and extortion.
- Specialization and sophistication of attack techniques: attacks are hard to trace and respond to.
- Need for cost-effective countermeasures: requires an accurate analysis of what must be protected and how.
Backgrounds: Why?
- 85% of respondents to the Computer Security Institute/FBI 2001 survey reported security breaches (70% in 2000; 62% in 1999)*
- 186 organizations (35%) able to quantify financial loss reported $377.8M (273 organizations [51%], $265.6M in the 2000 survey)
- Theft of proprietary information and financial fraud were the most serious
- 70% cited their Internet connection as a frequent point of attack (59% in the 2000 survey)

Source: http://www.gocsi.com/prelea_000321.htm
Backgrounds: What?
IT Assets: Bottom-Up Approach
Backgrounds: What from/by?
Threats & Vulnerabilities
Backgrounds: How?
Objectives
Relationship: Risk Relationship Model

Diagram nodes: Threats, Vulnerabilities, Safeguards, Risks, Assets, Impacts, Protection Requirements.
Diagram edges:
- Threats increase Risks
- Vulnerabilities increase Risks
- Assets increase Risks
- Impacts increase Risks
- Safeguards reduce Risks
- Risks indicate Protection Requirements

Source: TR 13335 (GMITS) Part 1
Relationship: Assets/Impacts View
Diagram nodes: Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Relationship: Threats View
Diagram nodes: Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Relationship: Vulnerabilities View
Diagram nodes: Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Relationship: Safeguards View
Diagram nodes: Threats, Vulnerabilities, Safeguards, Risks, Assets, Protection Requirements.
Relationship: Risk Analysis vs Security Consulting

Security consulting phases: Planning; Current-state analysis; Risk analysis; Countermeasure planning; Close-out / follow-up.
Risk analysis stages placed alongside them: Pre-risk analysis; Baseline / detailed risk analysis.
Relationship: Risk Analysis vs Risk Management

Risk Management comprises:
- Business Continuity Planning
- Change Management
- Configuration Management
- Monitoring
- Security Awareness
- Safeguard Selection
- Risk Analysis

Source: TR 13335 (GMITS) Part 1
Relationship: RA vs SM, Combined Approach

Flow:
- IT Security Objectives, Strategy and Policy: IT security objectives and strategy; corporate IT security policy
- Corporate Risk Analysis Strategy Options: Baseline approach; Informal; Detailed risk analysis; Combined
- Combined Approach: high-level risk analysis, then detailed risk analysis, selection of safeguards, risk acceptance, IT security plan, IT system security policy
- Implementation of the IT Security Plan: training, awareness, safeguards, accreditation
- Follow-Up: security compliance checking, monitoring, maintenance, incident handling, change management

Source: TR 13335 (GMITS) Part 3
Relationship: RA vs RM vs SM
Diagram nodes: Risk Analysis, Risk Management, IT Security Management.
Security Practices Structures
Risk Analysis Practices
- Risk Analysis Models?
- Risk Analysis Techniques?
- Risk Analysis Approaches?
- Risk Analysis Procedures?
Risk Analysis Model: TR 13335 (GMITS)
- Establishment of review boundary
- Risk analysis:
  - Identification of assets
  - Valuation of assets and establishment of dependencies between assets
  - Threat assessment
  - Vulnerability assessment
  - Identification of existing/planned safeguards
  - Assessment of risks
Risk Analysis Model: TTA (Telecommunications Technology Association)

Pre-risk analysis:
- Security policy
- Choice of methodology and analysis criteria
- Decision: are baseline controls sufficient? Yes: apply baseline controls. No: detailed risk analysis.

Detailed risk analysis:
- Asset analysis, threat analysis, vulnerability analysis, countermeasure analysis
- Reflect the security policy
- Risk calculation
- Apply security constraints and regulations
- Derive countermeasures
- Residual risk evaluation (Y/N decision on whether the remaining risk is acceptable)
Risk Analysis Techniques
- Quantitative techniques
- Qualitative techniques

Level (ranking)        Description
Very High (Scale: 5)   Highest importance
High (Scale: 4)        Relatively high importance
Medium (Scale: 3)      Moderate importance
Low (Scale: 2)         Not very important
Negligible (Scale: 1)  Not important
Risk Analysis Techniques: Quantitative
- ALE (Annual Loss Expectancy Value) = Value x Exposure Factor x Tf
- Scoring (Ranking)
- Present Value (PV) Analysis
  - NPV = PV(Benefits) - PV(Costs)
  - Benefit-Cost Ratio = PV(Benefits) / PV(Costs)
  - IRR (Internal Rate of Return)
  - Payback Method
Example: Ranking of Threats by Measures of Risk

Columns: Threat descriptor | Impact value | Likelihood of threat occurrence | Measure of risk | Threat ranking
- Threat A: impact value 5, likelihood 2, measure of risk 10 (ranking not recovered)
- Threat B: values shown 4, 8, 3 (one column not recovered)
- Threat C: values shown 15, 1 (two columns not recovered)
- Threats D, E, F: values not recovered

Source: TR 13335 (GMITS) Part 3
Risk Analysis Techniques: Qualitative
- Questionnaire
- Delphi
- Matrix
- Ranking
- Ranking Matrix = Matrix + Delphi + Ranking
- Fuzzy
- Tree Analysis
Example: Matrix with predefined values

Table layout: rows are Asset Value; columns are Levels of Threat (Low, Medium, High), each subdivided by Levels of Vulnerability (L, M, H); the cells hold predefined risk values in the range 1 to 8 (the individual cell values are not recoverable here).

Source: TR 13335 (GMITS) Part 3
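The two GMITS Part 3 scoring schemes shown on the last two example slides, as an added worked example that is not part of the original deck: ranking threats by measure of risk (impact x likelihood) and looking up a predefined-value matrix indexed by asset value, threat level and vulnerability level. The matrix here is constructed as an additive lookup that reproduces the 0..8 range; the threat names and values in the usage section are constructed too.

```python
# Added example, not from the slides. Two scoring schemes: (a) measure of risk =
# impact x likelihood with competition ranking; (b) a predefined-value matrix.
# ASSUMPTION: the matrix is built additively (asset value 0-4, threat L/M/H -> 0-2,
# vulnerability L/M/H -> 0-2), giving values 0..8. Use the organisation's own
# agreed table in a real assessment.
from dataclasses import dataclass

LEVEL = {"L": 0, "M": 1, "H": 2}


def build_matrix():
    """Rows = asset value 0..4, columns = (threat level, vulnerability level)."""
    return {
        (asset, t, v): asset + LEVEL[t] + LEVEL[v]
        for asset in range(5) for t in "LMH" for v in "LMH"
    }


MATRIX = build_matrix()


def matrix_risk(asset_value, threat, vulnerability):
    """Look up the predefined risk value; levels may be given as 'L' or 'Low' etc."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0-4 scale")
    return MATRIX[(asset_value, threat.upper()[0], vulnerability.upper()[0])]


@dataclass
class Threat:
    name: str
    impact: int       # impact value of the affected asset (1-5 scale)
    likelihood: int   # likelihood of occurrence (1-5 scale)


def rank_threats(threats):
    """Return (name, measure_of_risk, rank) tuples; rank 1 = highest risk."""
    scored = sorted(((t.name, t.impact * t.likelihood) for t in threats),
                    key=lambda x: (-x[1], x[0]))
    ranked, rank, prev = [], 0, None
    for i, (name, measure) in enumerate(scored, 1):
        if measure != prev:   # equal measures share a rank
            rank, prev = i, measure
        ranked.append((name, measure, rank))
    return ranked


if __name__ == "__main__":
    # Constructed sample: Threat A uses the values shown on the slide.
    for row in rank_threats([Threat("A", 5, 2), Threat("B", 2, 4), Threat("C", 3, 5)]):
        print(row)
    print(matrix_risk(4, "High", "High"))   # 8, the top of the predefined range
```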
Risk Analysis Approaches
- Combined approach
- Methods: Baseline; Detailed
- Timing: Pre-risk analysis; Post-risk analysis
Baseline Approach
Apply baseline security to all IT systems by selecting standard safeguards.

Advantages:
- Only a minimum amount of resources is needed for RA and RM for each safeguard implementation.
- Less time and effort, and cost-effective.

Disadvantages:
- If the baseline level is set too high or too low,…
- Difficulties in managing security-relevant changes.
Detailed Approach
Conduct detailed risk analysis reviews for all IT systems in the organization.

Advantages:
- Appropriate safeguards are identified for all systems.
- Useful in the management of security changes.

Disadvantages:
- Requires a considerable amount of time, effort and expertise to obtain results.
Combined Approach
First conduct an initial high-level risk analysis (pre-risk analysis) for all IT systems, covering business value and risk level.

Advantages:
- An initial quick and simple approach is likely to gain acceptance of the risk analysis programme.
- Resources and money can be applied where they are most beneficial.

The only potential disadvantage:
- If the initial risk analyses are at a high level, and potentially less accurate, some systems may not be identified as requiring detailed risk analysis.
Risk Analysis Procedures

Step                                 Document produced
(1) Analyze/assess assets            Statement of Sensitivity Report
(2) Analyze/assess threats           Threat Analysis Report
(3) Analyze/assess vulnerabilities   Vulnerability Analysis Report
(4) Analyze/assess safeguards        Safeguards Analysis Report
(5) Assess risks                     Risk Analysis Report
Risk Analysis Procedures: (1) Assets Assessment
- Identify core business functions
- Set the asset scope (scoping criteria)
- Identify assets: classify by asset category and by business process; compile the asset inventory
- Asset analysis: valuation criteria; asset valuation, quantitative and qualitative

Source: TTAS.KO-12.0007
Review: Assets/Impacts View
Diagram nodes: Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (2) Threats Assessment
- Threat types; known threats
- Identify threats: threat survey; threat scenarios; threat frequency survey; relation to assets
- Threat analysis: threat attributes; relation to vulnerabilities; relation to safeguards; threat ranking

Source: TTAS.KO-12.0007
Review: Threat View
Diagram nodes: Threats, Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (3) Vulnerabilities Assessment
- Vulnerability types
- Identify vulnerabilities: vulnerability survey; relation to assets
- Vulnerability analysis: vulnerability attributes; relation to threats; relation to safeguards; compute vulnerability level

Source: TTAS.KO-12.0007
Review: Vulnerabilities View
Diagram nodes: Risks, Assets, Impacts, Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Risk Analysis Procedures: (4) Safeguards Assessment
- Safeguard types
- Identify safeguards: safeguard survey; relation to assets
- Safeguard analysis: safeguard attributes; relation to vulnerabilities; relation to threats; safeguard level

Source: TTAS.KO-12.0007
Review: Safeguards View
Diagram nodes: Threats, Vulnerabilities, Safeguards, Risks, Assets.
Risk Analysis Procedures: (5) Risks Assessment
- Compute vulnerability level
- Compute ALE
- Risk ranking
- Risk evaluation
- Derive required safeguards
- Cost-benefit analysis
- Overall evaluation

Source: TTAS.KO-12.0007
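The quantitative figures from the "Risk Analysis Techniques: Quantitative" slide (ALE, NPV, benefit-cost ratio, payback) carried through the "compute ALE, then cost-benefit analysis" steps above, as an added example that is not part of the original deck. Tf is taken to be the annual threat frequency, and every monetary value in the scenario is constructed.

```python
# Added example, not from the slides. ALE = Value x Exposure Factor x Tf, then a
# cost-benefit view of one safeguard using NPV, benefit-cost ratio and payback.
# ASSUMPTION: Tf is the expected number of incidents per year.

def ale(asset_value, exposure_factor, annual_frequency):
    """Annual Loss Expectancy: asset value x fraction lost per incident x incidents/year."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of asset value lost, 0..1")
    return asset_value * exposure_factor * annual_frequency


def present_value(cash_flows, rate):
    """PV of yearly amounts; cash_flows[0] occurs now (year 0), then one per year."""
    return sum(cf / (1 + rate) ** year for year, cf in enumerate(cash_flows))


def safeguard_case(ale_before, ale_after, upfront_cost, yearly_cost, years, rate):
    """NPV, Benefit-Cost Ratio and simple payback (years) of a safeguard over its life."""
    yearly_benefit = ale_before - ale_after          # loss avoided each year
    benefits = [0.0] + [yearly_benefit] * years      # nothing is avoided at year 0
    costs = [upfront_cost] + [yearly_cost] * years
    pv_b, pv_c = present_value(benefits, rate), present_value(costs, rate)
    net_per_year = yearly_benefit - yearly_cost
    payback = upfront_cost / net_per_year if net_per_year > 0 else None
    return {"npv": pv_b - pv_c, "bcr": pv_b / pv_c, "payback_years": payback}


# Constructed scenario: a 500,000 asset, 40% lost per incident, 0.5 incidents/year;
# a safeguard cutting the frequency to 0.1/year costs 30,000 up front and 5,000/year.
ALE_BEFORE = ale(500_000, 0.4, 0.5)   # 100,000 per year
ALE_AFTER = ale(500_000, 0.4, 0.1)    # 20,000 per year

if __name__ == "__main__":
    print(safeguard_case(ALE_BEFORE, ALE_AFTER, 30_000, 5_000, years=3, rate=0.1))
```

A payback of None means the safeguard's yearly cost exceeds the yearly loss it avoids, so it never pays for itself on ALE grounds alone.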
Review: Risk Relationship Model

Diagram nodes: Threats, Vulnerabilities, Safeguards, Risks, Assets, Impacts, Protection Requirements.
Diagram edges: Threats, Vulnerabilities, Assets and Impacts increase Risks; Safeguards reduce Risks; Risks indicate Protection Requirements.

Source: TR 13335 (GMITS) Part 1
Automated RA Tools: RA (BSI)

Stage (module)                                              Procedure
1: Information Gathering                                    Define the ISMS boundary; identify assets and evaluate asset values
2: Gap Analysis                                             Analyze the gap against the BS7799 control items
3: Identification of Security Requirements                  Identify threats, vulnerabilities, and legal/contractual obligations
4: Decision for Baseline or Detailed Risk Assessment        Decide the risk assessment method
5: Baseline Assessment                                      Apply controls to the threats, vulnerabilities, and legal/contractual obligations
6: Detailed Risk Assessment                                 Calculate risk and select the control items that reduce it
7: Selection of Controls                                    Select and implement control items
8: Certification                                            Evaluate ISMS requirements and write the applicability report
Post-Risk Analysis Procedures
- Write the system security policy
- Establish security plans for each area
- Implement safeguards
- Related training
- Evaluate results
- Decide whether to re-analyze

Source: TTAS.KO-12.0007
Review: Risk Management
Risk Management comprises: Business Continuity Planning; Change Management; Configuration Management; Monitoring; Security Awareness; Safeguard Selection; Risk Analysis.

Source: TR 13335 (GMITS) Part 1
Security Consulting Methodology

Phases: Planning; Current-state analysis; Risk analysis; Countermeasure planning; Follow-up.

Activities shown in the diagram:
- Requirements analysis
- Establish implementation strategy
- Establish implementation plan
- Business status analysis
- Analyze the security management system
- Security level analysis
- Measure security level
- Derive issues to resolve
- Asset identification
- Identify threats
- Identify vulnerabilities
- Measure risk level
- Risk evaluation
- Required security level
- Short-term countermeasure planning
- Mid- and long-term countermeasure planning
- Design the information security architecture
- Security system build plan
- Establish the master plan
- Build security systems
- Security training / technology transfer
- Security management
- Continuous security management
Conclusions
Objectives
Questions
The fewer questions, the better!
References
- Telecommunications Technology Association (TTA), "Risk Analysis Standard for Public Information System Security: Risk Analysis Methodology Model", 2000.3
- Telecommunications Technology Association (TTA), "Guidelines on Contingency Planning and Disaster Recovery for Public Institution Information Systems", 2000.3
- BSI, "Guide to BS Risk Assessment and Risk Management", 1999
- CSE, "Threat and Risk Assessment Working Guide", 1999
- ISO/IEC JTC 1/SC 27 TR 13335, "GMITS - Part 1: Concepts and models for IT Security", 2001.4
- ISO/IEC JTC 1/SC 27 TR 13335, "GMITS - Part 3: Techniques for the Management of IT Security", 2001.4
- SRV, "CISSP Exam: Theory", SRV Professional Publication, 2000
- Harold F. Tipton, "Information Security Management Handbook, 4th ed.", AUERBACH Publications, 2000
Baseline Control

Source: TTAS.KO-12.0007