Risk Analysis
KIM, JIN-YUL

Agenda
Backgrounds: Why?, What?, How?
Relationships among Assets, Risks, Threats, etc.
Risk Analysis Practices
Models
Techniques
Approaches
Procedures
Considerations
Conclusions

Terms
Risk
The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.
Threat
A potential cause of an unwanted incident which may result in harm to a system or organization.

Terms
Vulnerability
A weakness of an asset or group of assets which can be exploited by one or more threats.
Impact
The result of an unwanted incident.
Asset
Anything that has value to the organization.

Terms
Risk Analysis
The process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
Risk Management
The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect IT system resources.

Backgrounds: Why ?
Increased dependence on information systems: the business impact of an incident grows accordingly.
Increasing value of information assets: stronger attacker motivation, hence more threats.
Expansion of open networks: greater exposure of confidentiality, integrity and availability to unauthorized access, tampering and extortion.
Specialization and sophistication of attack techniques: attacks are hard to trace and respond to.
Demand to support new business strategies in the e-business environment.
Enormous losses when incidents occur.
Need for cost-effective countermeasures: a precise analysis of what to protect, and how, is required.

Backgrounds: Why ?
85% of respondents to the Computer Security Institute/FBI 2001 survey reported security breaches (70% in 2000; 62% in 1999).
186 organizations (35%) were able to quantify their financial loss and reported $377.8M in total (273 organizations [51%] reported $265.6M in the 2000 survey).
Theft of proprietary information and financial fraud were the most serious categories of loss.
70% cited their Internet connection as a frequent point of attack (59% in the 2000 survey).

Backgrounds: What ?
IT Assets - Bottom-Up Approach

Threats & Vulnerabilities

Backgrounds: How ?
Objectives

[Figure: GMITS relationship model. Threats, Vulnerabilities and Asset values increase Risks; Safeguards reduce Risks; Risks increase Impacts and indicate Protection Requirements, which the selected Safeguards are meant to satisfy.]
Source: TR 13335 (GMITS) Part 1


[Figure: project flow. Planning (pre-risk analysis) → Current-state analysis → Risk analysis (baseline or detailed) → Countermeasure planning → Close-out and follow-up]

[Figure: risk management activities: Risk Analysis, Safeguard Selection, Security Awareness, Monitoring, Configuration Management, Change Management, Business Continuity Planning.]
Source: TR 13335 (GMITS) Part 1

IT Security Objectives, Strategy and Policy (TR 13335 Part 3 process)
IT Security Objectives and Strategy
Corporate IT Security Policy
Corporate Risk Analysis Strategy. Options: Baseline Approach, Informal Approach, Detailed Risk Analysis, Combined Approach.
Combined Approach: High Level Risk Analysis first, then Detailed Risk Analysis where the high-level result calls for it.
Selection of Safeguards
Risk Acceptance
IT Security Plan and IT System Security Policy
Implementation of the IT Security Plan: Training, Awareness, Safeguards, Accreditation
Follow-Up: Security Compliance Checking, Monitoring, Maintenance, Incident Handling, Change Management
Source: TR 13335 (GMITS) Part 3

[Figure: nesting of scope. Risk Analysis is part of Risk Management, which in turn is part of IT Security Management.]

Security Practices Structures

Risk Analysis Practices
Risk Analysis Models ?
Risk Analysis Techniques ?
Risk Analysis Approaches ?
Risk Analysis Procedures ?

Risk Analysis (steps from TR 13335 Part 3)
(1) Establishment of Review Boundary
(2) Identification of Assets
(3) Valuation of Assets and Establishment of Dependencies Between Assets
(4) Threat Assessment
(5) Vulnerability Assessment
(6) Identification of Existing/Planned Safeguards
(7) Assessment of Risks

[Figure: risk analysis flow. Pre-risk analysis: establish the security policy, select the methodology and analysis criteria, then decide whether baseline controls are sufficient. Yes: apply baseline controls. No: detailed risk analysis consisting of asset analysis, threat analysis, vulnerability analysis and safeguard analysis (reflecting the security policy), followed by risk calculation, application of security constraints and regulations, derivation of safeguards and evaluation of the residual risk; if the residual risk is not acceptable the loop returns to risk analysis.]

Quantitative Techniques
Qualitative Techniques
Level (Ranking)	Description
Very High (Scale: 5)	Highest importance
High (Scale: 4)	Relatively high importance
Medium (Scale: 3)	Moderate importance
Low (Scale: 2)	Not very important
Negligible (Scale: 1)	Unimportant

ALE (Annual Loss Expectancy) = Asset Value × Exposure Factor × Tf, where Value × Exposure Factor is the loss from a single incident and Tf is the expected number of threat occurrences per year.
Scoring (Ranking)
Present Value (PV) Analysis
NPV = PV(Benefits) - PV(Costs)
Benefit-Cost Ratio = PV(Benefits) / PV(Costs)
IRR (Internal Rate of Return): the discount rate at which NPV = 0
Payback Method: the time until cumulative benefits recover the costs
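Worked example (added here; not code from the original slides) putting the formulas above into runnable form: single-incident loss and ALE, then NPV, benefit-cost ratio, IRR by bisection and undiscounted payback for one candidate safeguard whose benefit is the reduction in ALE. The asset value, exposure factors, threat frequencies, costs and discount rate are constructed inputs, and the function names are this example's own.

```python
"""Quantitative risk-analysis arithmetic: ALE and safeguard cost-benefit measures.

Added example; not code from the original slides. All monetary figures used
below are constructed for illustration.
"""
from typing import Dict, List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the value lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float,
                           threat_frequency: float) -> float:
    """ALE = Value x Exposure Factor x Tf, Tf being expected incidents per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * threat_frequency


def present_value(cash_flows: List[float], rate: float) -> float:
    """Discount yearly cash flows; cash_flows[0] falls due now (year 0)."""
    return sum(cf / (1.0 + rate) ** year for year, cf in enumerate(cash_flows))


def net_present_value(benefits: List[float], costs: List[float], rate: float) -> float:
    """NPV = PV(Benefits) - PV(Costs)."""
    return present_value(benefits, rate) - present_value(costs, rate)


def benefit_cost_ratio(benefits: List[float], costs: List[float], rate: float) -> float:
    """PV(Benefits) / PV(Costs); a ratio above 1 means the safeguard pays for itself."""
    pv_costs = present_value(costs, rate)
    if pv_costs == 0.0:
        raise ValueError("costs must not be zero")
    return present_value(benefits, rate) / pv_costs


def internal_rate_of_return(net_flows: List[float], lo: float = -0.99,
                            hi: float = 10.0, tol: float = 1e-9) -> float:
    """Discount rate at which the NPV of the net flows is zero, found by bisection.
    Assumes the usual shape: an up-front outlay followed by positive net returns."""
    f_lo, f_hi = present_value(net_flows, lo), present_value(net_flows, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in the search interval")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = present_value(net_flows, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def payback_period(net_flows: List[float]) -> Optional[float]:
    """Years (fractional, undiscounted) until the cumulative net flow turns
    non-negative; None if the outlay is never recovered."""
    cumulative = net_flows[0]
    if cumulative >= 0:
        return 0.0
    for year in range(1, len(net_flows)):
        cf = net_flows[year]
        if cf > 0 and cumulative + cf >= 0:
            return (year - 1) + (-cumulative / cf)   # interpolate inside the year
        cumulative += cf
    return None


def evaluate_safeguard(asset_value, exposure_factor, tf_before, ef_after, tf_after,
                       purchase_cost, yearly_cost, years, rate) -> Dict[str, float]:
    """Yearly benefit of a safeguard = ALE without it minus ALE with it."""
    ale_before = annual_loss_expectancy(asset_value, exposure_factor, tf_before)
    ale_after = annual_loss_expectancy(asset_value, ef_after, tf_after)
    benefits = [0.0] + [ale_before - ale_after] * years
    costs = [float(purchase_cost)] + [float(yearly_cost)] * years
    net = [b - c for b, c in zip(benefits, costs)]
    return {
        "ale_before": ale_before, "ale_after": ale_after,
        "npv": net_present_value(benefits, costs, rate),
        "bcr": benefit_cost_ratio(benefits, costs, rate),
        "irr": internal_rate_of_return(net),
        "payback_years": payback_period(net),
    }


if __name__ == "__main__":
    # Constructed case: a 1,000,000 asset, 25% lost per incident, 0.4 incidents/year;
    # a safeguard costing 120,000 up front plus 20,000/year cuts this to 10% and 0.2/year.
    result = evaluate_safeguard(1_000_000, 0.25, 0.4, 0.10, 0.2, 120_000, 20_000, 3, 0.10)
    for key, val in result.items():
        print(f"{key:>14}: {val if val is None else round(val, 4)}")
```

The decision rule a practitioner applies is the one the slide's formulas imply: a safeguard is worth buying when the ALE it removes, discounted over its life, exceeds its cost (NPV > 0, ratio > 1), and IRR and payback let two safeguards with different lifetimes be compared on a common footing.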

Example: Ranking of Threats by Measures of Risk
Threat descriptor	Impact value	Likelihood of threat occurrence	Measure of Risk (Impact × Likelihood)	Threat ranking
Threat A	5	2	10	
Threat B	4	2	8	3
Threat C			15	1
Threat D				
Threat E				
Threat F				
자료출처: TR 13335(GMITS) Part 3

Risk Analysis Techniques: Qualitative
Questionnaire
Delphi
Matrix
Ranking
Matrix = Matrix + Delphi + Ranking
Fuzzy
Tree Analysis

Example: Matrix with predefined values
Rows are asset values (0..4); columns are the level of threat (Low/Medium/High), each split by the level of vulnerability (L/M/H); cells give the measure of risk (0..8).
Asset Value	Low: L	Low: M	Low: H	Medium: L	Medium: M	Medium: H	High: L	High: M	High: H
0	0	1	2	1	2	3	2	3	4
1	1	2	3	2	3	4	3	4	5
2	2	3	4	3	4	5	4	5	6
3	3	4	5	4	5	6	5	6	7
4	4	5	6	5	6	7	6	7	8
자료출처: TR 13335(GMITS) Part 3
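The two TR 13335 Part 3 examples above (the threat ranking table and the matrix with predefined values) in runnable form, as an added example that is not code from the slides or from the standard. The matrix is generated from the rule its cells follow (measure = asset value 0..4 plus threat level plus vulnerability level, with L/M/H = 0/1/2) instead of being typed in cell by cell, and the threat table is constructed: A, B and C agree with the values shown above, D, E and F are invented.

```python
"""Qualitative measures from the TR 13335-3 examples: the matrix with
predefined values and the ranking of threats by measure of risk.

Added example; not code from the original slides or from the standard.
"""
from typing import Dict, List, Tuple

LEVEL = {"L": 0, "M": 1, "H": 2}
COLUMNS = [(t, v) for t in "LMH" for v in "LMH"]   # (threat level, vulnerability level)


def matrix_risk(asset_value: int, threat: str, vulnerability: str) -> int:
    """Measure of risk 0..8 for one cell of the predefined-value matrix."""
    if asset_value not in range(5):
        raise ValueError("asset value must be 0..4")
    return asset_value + LEVEL[threat.upper()] + LEVEL[vulnerability.upper()]


def predefined_matrix() -> List[List[int]]:
    """Whole table: row index = asset value, column order = COLUMNS."""
    return [[matrix_risk(av, t, v) for t, v in COLUMNS] for av in range(5)]


def rank_threats(threats: Dict[str, Tuple[int, int]]) -> List[Tuple[str, int, int, int, int]]:
    """Return (threat, impact, likelihood, measure, rank) rows sorted by rank.
    measure = impact x likelihood; rank 1 is the largest measure; threats with
    equal measures share a rank and the following rank is skipped."""
    rows = sorted(((name, imp, lik, imp * lik) for name, (imp, lik) in threats.items()),
                  key=lambda r: (-r[3], r[0]))
    ranked: List[Tuple[str, int, int, int, int]] = []
    for i, (name, imp, lik, measure) in enumerate(rows):
        rank = ranked[-1][4] if i and measure == rows[i - 1][3] else i + 1
        ranked.append((name, imp, lik, measure, rank))
    return ranked


# Constructed (impact 1..5, likelihood 1..5) pairs; D, E and F are invented.
SAMPLE_THREATS: Dict[str, Tuple[int, int]] = {
    "Threat A": (5, 2), "Threat B": (4, 2), "Threat C": (3, 5),
    "Threat D": (1, 3), "Threat E": (4, 1), "Threat F": (2, 4),
}

if __name__ == "__main__":
    print("Asset value " + " ".join(f"{t}/{v}" for t, v in COLUMNS))
    for av, row in enumerate(predefined_matrix()):
        print(f"{av:>11} " + " ".join(f"{cell:>3}" for cell in row))
    print()
    print(f"{'Threat':<9}{'Impact':>7}{'Likelihood':>11}{'Measure':>8}{'Rank':>5}")
    for name, imp, lik, measure, rank in rank_threats(SAMPLE_THREATS):
        print(f"{name:<9}{imp:>7}{lik:>11}{measure:>8}{rank:>5}")
```

The tie handling matters in practice: two threats with the same measure of risk should not be ordered arbitrarily, since the ranking is what decides which exposures get a detailed analysis first.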

Risk Analysis Approaches
[Figure: the combined approach orders the methods as Pre-Risk Analysis (high level) → Baseline or Detailed analysis → Post-Risk Analysis]

Baseline Approach
Apply baseline security to all IT systems by selecting standard safeguards.
Advantages
Only a minimum amount of resource is needed for risk analysis and risk management for each safeguard implementation.
Less time and effort; cost-effective.
Disadvantages
If the baseline level is set too high or too low, …
Difficulties in managing security-relevant changes.

Detailed Approach
Conduct detailed risk analysis reviews for all IT systems in the organization.
Advantages
Appropriate safeguards are identified for all systems.
The results can be used to manage security-relevant changes.
Disadvantages
Requires a considerable amount of time, effort and expertise to obtain results.

Combined Approach
First conduct an initial high-level risk analysis (pre-risk analysis) for all IT systems, looking at each system's business value and risk level; systems found to be at high risk get a detailed risk analysis, the rest are covered by baseline safeguards.
Advantages
An initial quick and simple approach is likely to gain acceptance of the risk analysis programme.
Resources and money can be applied where they are most beneficial.
The only potential disadvantage is that, because the initial risk analyses are at a high level and potentially less accurate, some systems may not be identified as requiring detailed risk analysis.

Risk Analysis Procedures
Step	Document produced
(1) Analyze/Assess Assets	Statement of Sensitivity Report
(2) Analyze/Assess Threats	Threat Analysis Report
(3) Analyze/Assess Vulnerabilities	Vulnerability Analysis Report
(4) Analyze/Assess Safeguards	Safeguards Analysis Report
(5) Assess Risks	Risk Analysis Report

Risk Analysis Procedures: (1) Assets Assessment
Identify the core business processes.
Set the asset scope (scoping criteria).
Identify assets: classify them by asset type and by business process, and compile the asset inventory.
Analyze assets.
Value assets (valuation criteria): quantitative and qualitative valuation.
Source: TTAS.KO

Review: Assets/Impacts View
[Figure: the Assets/Impacts part of the relationship model: Risks to Assets increase Impacts, and Impacts indicate Protection Requirements.]
Source: TR 13335 (GMITS) Part 1

Risk Analysis Procedures: (2) Threats Assessment
Identify threats: threat types and known threats.
Survey threats: threat scenarios and threat frequency.
Analyze threats: threat attributes; relationship to assets, to vulnerabilities and to safeguards.
Rank threats.
Source: TTAS.KO

Review: Threat View
[Figure: the Threat part of the relationship model: Threats increase Risks to Assets, Risks increase Impacts, and Impacts indicate Protection Requirements.]
Source: TR 13335 (GMITS) Part 1

Risk Analysis Procedures: (3) Vulnerabilities Assessment
Identify vulnerabilities: vulnerability types.
Survey vulnerabilities.
Analyze vulnerabilities: vulnerability attributes; relationship to assets, to threats and to safeguards.
Calculate the vulnerability level.
Source: TTAS.KO

Review: Vulnerabilities View
[Figure: the Vulnerabilities part of the relationship model: Vulnerabilities increase Risks to Assets, Risks increase Impacts, and Impacts indicate Protection Requirements.]
Source: TR 13335 (GMITS) Part 1

Risk Analysis Procedures: (4) Safeguards Assessment
Identify safeguards: safeguard types.
Survey safeguards.
Analyze safeguards: safeguard attributes; relationship to assets, to vulnerabilities and to threats.
Determine the safeguard level.
Source: TTAS.KO

Review: Safeguards View
[Figure: the Safeguards part of the relationship model: Threats and Vulnerabilities increase Risks to Assets; Safeguards reduce Risks.]

Risk Analysis Procedures: (5) Risks Assessment
Calculate the vulnerability levels.
Calculate the ALE.
Rank the risks.
Evaluate the risks.
Derive the required safeguards.
Cost-benefit analysis.
Overall evaluation.
Source: TTAS.KO
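The five procedure steps (1) to (5) carried through end to end on a small register, as an added example that is not code from the slides or from the TTAS.KO standard. Every asset, threat, vulnerability and safeguard is constructed, and the scoring rule is an assumption chosen for the example rather than the standard's formula: risk = effective asset value × threat likelihood × vulnerability level, each on the 1..5 ranking scale, with an existing safeguard lowering the vulnerability level. The part that is easy to get wrong in practice, and that the example makes explicit, is step (1)'s dependency valuation: an asset inherits the value of whatever depends on it.

```python
"""End-to-end risk assessment following the five procedure steps.

Added example; not code from the slides or from the TTAS.KO standard.
All assets, threats, vulnerabilities, safeguards and the scoring rule
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    own_value: int                      # 1..5 on the ranking scale
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Exposure:
    """One (asset, threat, vulnerability) triple found in steps (2) and (3)."""
    asset: str
    threat: str
    likelihood: int                     # 1..5, from the threat frequency survey
    vulnerability: str
    vuln_level: int                     # 1..5 before any safeguard
    existing_safeguard: Optional[str] = None


# Step (4): constructed table of how many vulnerability levels each safeguard removes.
SAFEGUARD_REDUCTION: Dict[str, int] = {
    "MFA on admin logins": 3,
    "Nightly offsite backup": 2,
    "Patch management": 2,
}


def effective_values(assets: List[Asset]) -> Dict[str, int]:
    """Step (1): valuation with dependencies. An asset is worth at least as much
    as any asset that depends on it, since losing it takes the dependent down."""
    by_name = {a.name: a for a in assets}
    dependents: Dict[str, List[str]] = {a.name: [] for a in assets}
    for a in assets:
        for needed in a.depends_on:
            dependents[needed].append(a.name)
    memo: Dict[str, int] = {}

    def value(name: str, path: tuple) -> int:
        if name in memo:
            return memo[name]
        if name in path:
            raise ValueError(f"dependency cycle through {name}")
        v = by_name[name].own_value
        for d in dependents[name]:
            v = max(v, value(d, path + (name,)))
        memo[name] = v
        return v

    return {a.name: value(a.name, ()) for a in assets}


def assess(assets: List[Asset], exposures: List[Exposure],
           acceptable_risk: int) -> List[dict]:
    """Steps (2)-(5): score each exposure, apply existing safeguards, rank the
    residual risks and flag those above the acceptance threshold."""
    values = effective_values(assets)
    rows = []
    for e in exposures:
        reduction = SAFEGUARD_REDUCTION.get(e.existing_safeguard or "", 0)
        residual_vuln = max(1, e.vuln_level - reduction)   # a safeguard never removes exposure entirely
        rows.append({
            "asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
            "asset_value": values[e.asset], "existing_safeguard": e.existing_safeguard,
            "inherent_risk": values[e.asset] * e.likelihood * e.vuln_level,
            "residual_risk": values[e.asset] * e.likelihood * residual_vuln,
        })
        rows[-1]["needs_safeguard"] = rows[-1]["residual_risk"] > acceptable_risk
    rows.sort(key=lambda r: (-r["residual_risk"], r["asset"], r["threat"]))
    for rank, r in enumerate(rows, start=1):
        r["rank"] = rank
    return rows


def required_safeguards(rows: List[dict]) -> List[str]:
    """Step (5) output: exposures that still need a safeguard, highest risk first."""
    return [f'{r["asset"]}: {r["threat"]} via {r["vulnerability"]}'
            for r in rows if r["needs_safeguard"]]


# Constructed sample register.
SAMPLE_ASSETS = [
    Asset("Customer DB", own_value=5),
    Asset("Web app", own_value=3, depends_on=["Customer DB", "Build server"]),
    Asset("Build server", own_value=2),   # inherits value 3 from the Web app
]
SAMPLE_EXPOSURES = [
    Exposure("Customer DB", "Credential theft", 3, "Weak admin authentication", 4,
             existing_safeguard="MFA on admin logins"),
    Exposure("Customer DB", "Ransomware", 2, "No tested restore procedure", 4),
    Exposure("Web app", "Defacement", 3, "Unvalidated input", 3),
    Exposure("Build server", "Supply-chain tampering", 2, "Unpatched CI runner", 3,
             existing_safeguard="Patch management"),
]
ACCEPTABLE_RISK = 20   # constructed risk-acceptance threshold

if __name__ == "__main__":
    ranked = assess(SAMPLE_ASSETS, SAMPLE_EXPOSURES, ACCEPTABLE_RISK)
    for r in ranked:
        print(f'{r["rank"]}. {r["asset"]:<13} {r["threat"]:<24} inherent={r["inherent_risk"]:>3} '
              f'residual={r["residual_risk"]:>3} '
              f'{"NEEDS SAFEGUARD" if r["needs_safeguard"] else "accepted"}')
    print("Required:", required_safeguards(ranked))
```

The inherent-versus-residual columns are what the safeguards assessment in step (4) contributes: the credential-theft exposure has the largest inherent risk in the register, but the existing MFA control brings it under the acceptance threshold, while the untested restore procedure, with no safeguard at all, tops the list of required countermeasures; the cost-benefit part of step (5) then uses the ALE arithmetic from the quantitative techniques to choose among candidate safeguards.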

Review: Risk Relationship Model
[Figure: GMITS relationship model. Threats, Vulnerabilities and Asset values increase Risks; Safeguards reduce Risks; Risks increase Impacts and indicate Protection Requirements, which the selected Safeguards are meant to satisfy.]
Source: TR 13335 (GMITS) Part 1

Automated RA Tools: RA (BSI)
Stage (module)	Procedure
1: Information Gathering	Define the ISMS boundary, identify the assets and assess their values
2: Gap Analysis	Analyze the gap against the BS7799 control items
3: Identification of Security Requirements	Identify threats, vulnerabilities and legal/contractual obligations
4: Decision for Baseline or Detailed Risk Assessment	Decide the risk assessment method
5: Baseline Assessment	Apply controls for the identified threats, vulnerabilities and legal/contractual obligations
6: Detailed Risk Assessment	Calculate the risks

Post-Risk Analysis Procedures
Write the system security policies; establish security plans per area; implement the safeguards; conduct the related training; evaluate the results; decide whether to re-analyze.
HackersLab, Consulting Team
Source: TTAS.KO

Review: Risk Management
[Figure: risk management activities: Business Continuity Planning, Change Management, Configuration Management, Monitoring, Security Awareness, Safeguard Selection, Risk Analysis.]
Source: TR 13335 (GMITS) Part 1

Security Consulting Methodology
[Figure: five phases: Planning → Current-state analysis → Risk analysis → Countermeasure planning → Follow-up. Activities shown: requirements analysis, business status analysis, strategy formulation, asset identification, threat identification, vulnerability identification, security management system analysis, security level analysis, risk evaluation, required security level, short-term countermeasure planning, security architecture design, security system implementation plan, master plan, security training and technology transfer, security system implementation, security management.]

Conclusions
Objectives

Questions
The fewer questions, the better!

References
한국정보통신기술협회 (TTA), "공공정보시스템 보안을 위한 위험분석 표준 – 위험분석 방법론 모델" (Risk Analysis Standard for Public Information System Security: Risk Analysis Methodology Model).
한국정보통신기술협회 (TTA), "공공기관 정보시스템을 위한 비상계획 및 재해복구에 관한 지침서" (Guide to Contingency Planning and Disaster Recovery for Public-Sector Information Systems).
BSI, "Guide to BS Risk Assessment and Risk Management", 1999.
CSE, "Threat and Risk Assessment Working Guide", 1999.
ISO/IEC JTC 1/SC 27 TR 13335, "GMITS – Part 1: Concepts and models for IT Security".
ISO/IEC JTC 1/SC 27 TR 13335, "GMITS – Part 3: Techniques for the Management of IT Security".
SRV, "CISSP Exam: Theory", SRV Professional Publication, 2000.
Harold F. Tipton, "Information Security Management Handbook, 4th ed.", Auerbach Publications, 2000.

Baseline Control
Source: TTAS.KO

