Risk Analysis using open FAIR and Adoption of right Security Controls
6 likes6,595 views
Introduction to O-RA Security challenges in E-Commerce Control considerations Data Breaches in Retail Environment Risk Analysis & Taxonomy
Ad
More Related Content
Viewers also liked (20)
Similar to Risk Analysis using open FAIR and Adoption of right Security Controls (20)
Ad
More from Priyanka Aash (20)
Ad
Recently uploaded (20)
Risk Analysis using open FAIR and Adoption of right Security Controls
- 1. 1 | Copyright © 2015 Tata Consultancy Services Limited Adoption of O-RA for Secure Architecture of an E-commerce Platform Satish K Sreenivasaiah Lead Architect Tata Consultancy Services February 16, 2015
- 2. 2 Agenda Introduction to O-RA1 Security challenges in E-commerce2 Control considerations3 Summary4
- 3. 3 Click to edit Master title styleIntroduction to O-RA Standard
- 4. 4 O-RA (Risk Analysis) A Standard that is intended to be applied toward the problem of managing the frequency and magnitude of loss that arises from a threat (whether human, animal, or natural event) Coupled with the Risk Taxonomy (O-RT) Standard, it provides risk analysts the specific processes necessary to perform effective FAIR-based information security risk analysis
- 5. 5 Risk Analysis Risk Assessment Risk Analysis Identify Evaluate Report Determines the significance of the identified risk concerns Risk-related concerns Identified risk concerns Managing ‘How often bad things happen, and how bad they are when they occur‘
- 6. 6 A Few Key Objectives of O-RA Used with companion O-RT standard to, Establish a common language for the information security and risk management profession Introduce rigor and consistency into analysis for more effective risk modeling Educate information security, risk and audit professionals
- 7. 7 Click to edit Master title styleIntroduction to O-RT Standard
- 8. 8 O-RT (Risk Taxonomy) A Standard to provide a single logical and rational taxonomical framework to understand and/or analyze information security risk Each factor that drives risk is identified and defined Limited to describing the factors that drive risk and their relationships to one another
- 9. 9 Risk Why do we Need a Taxonomy for Risk? Software Flaws or Faults So , Is Risk = (Threat * Vulnerability) / Controls? If not, what are the factors that drive risk?
- 10. 10 Risk Taxonomy – High Level Estimates probable frequency and magnitude of future loss Probable frequency within a given timeframe that a threat agent can inflict harm on asset Probable magnitude of loss resulting from a loss event TCap RSPoACF Risk Loss Magnitude Loss Event Frequency Threat Event Frequency Vulnerability Primary Loss Secondary Loss Contact Frequency Probability of Action Threat Capability Resistance Strength Secondary Loss Event Frequency Secondary Loss Magnitude LEF LM TEF Vuln
- 11. 11 Risk Taxonomy – Loss Event Frequency Threat Event Frequency Vulnerability Probable frequency within a given timeframe that a threat agent will act against an asset Probability that a threat event can become a loss event Contact Frequency Probability of Action Threat Capability Resistance Strength Probable frequency within a given timeframe that a threat agent will come into contact with an asset Probability that a threat agent will act against the asset once the contact occurs Probable level of force that a threat agent is capable of applying against an asset Strength of a control as compared to a baseline measure of force
- 12. 12 Risk Taxonomy – Loss Magnitude Primary Loss Secondary Loss Occurs directly as a result of threat agent’s action on the asset Occurs due to secondary stakeholders Secondary Loss Event Frequency Secondary Loss Magnitude Allows analyst to estimate percentage of time a scenario is expected to have secondary effects Losses that are expected dealing with secondary stakeholders (e.g. fines, loss of market share)
- 13. 13 Click to edit Master title styleRisk Analysis – Deep Dive
- 14. 14 Risk Analysis Stages 01 02 03 04 Scope the Analysis Evaluate Loss Magnitude Evaluate Loss Event Frequency Derive and Articulate Risk
- 15. 15 FAIR Basic Risk Analysis Methodology Identify the asset at risk Identify the threat community under consideration Define the loss event Estimate the Threat Event Frequency Estimate the Threat Capability Estimate Resistance Strength Derive Vulnerability Derive Loss Event Frequency Estimate Primary Loss Evaluate Secondary Loss Estimate Secondary Loss Event Frequency Estimate Secondary Loss Magnitude Derive Primary Risk Derive Secondary Risk Derive Total Risk So, why apply risk analysis for E-commerce? Scoping Evaluate LEF Evaluate LM Derive Risk
- 16. 16 Click to edit Master title styleData Breaches in Retail Environment
- 17. 17 Categories of Data Breach Year 2013 may be remembered as the “year of the retailer breach” *Source – Verizon 2014 Data Breach investigations Report
- 18. 18 Breaches Per Asset *Source – Verizon 2014 Data Breach investigations Report
- 19. 19 Incident Classification *Source – Verizon 2014 Data Breach investigations Report
- 20. 20 Click to edit Master title styleMapping of O-RA to E-commerce Domain
- 21. 21 The Scenario An E-commerce portal specialized in selling gift items such as fragrance, books, watches, sunglasses, bags, wallets etc. across the globe. Customer personal information is stored in the portal whereas his/her credit and debit card details are stored with external payment gateways and not within the portal. Portal is available for all the registered and guest users, 24X7.
- 22. 22 Mapping of Stage 1 to E-commerce Platform Scoping E-commerce Platform Key Assets: Customer Data - personal details like name, contact details and address E-commerce server infrastructure such as Web, Application, Database servers Customer Credit and Debit card details (But this has been handled by external payment gateways which are PCI-DSS compliant) Hackers for gain and to cause disruption Script kiddies Internal employees of the organization The malicious access and misuse of sensitive customer data by Hackers using the vulnerabilities in the system Identify the asset at risk Identify the threat community under consideration Define the loss event What Asset is at risk? Risk associated with what threat? What does the loss event look like? Note that it excludes events by script kiddies, internal employees and stipulates the intent to be malicious and involves data misuse
- 23. 23 Mapping of Stage 2 to E-commerce Platform Evaluate LEF Estimate the Threat Event Frequency Estimate the Threat Capability (skills, resources) Rating Description Very High(VH) >100 times per year High(H) Between 1 and 100 times per year Medium(M) Between 1 and 10 times per year Low(L) Between 0.1 and 1 times per year Very Low(VL) Less than once every ten years Very High(VH) Top 2% as compared to overall threat population High(H) Top 16% as compared to overall threat population Medium(M) Average skill and resources (between bottom 16% and top 16%) Low(L) Bottom 16% as compared to overall threat population Very Low(VL) Bottom 2% as compared to overall threat population Probable motive factors are value of the asset, how vulnerable the asset is, versus the risk of being caught
- 24. 24 Mapping of Stage 2 to E-commerce Platform Evaluate LEF Estimate Resistance Strength Rating Description Very High(VH) Protects against all but the top 2% of an average threat population High(H) Protects against all but the top 16% of an average threat population Medium(M) Protects against the average threat agent Low(L) Only protects against bottom 16% of an average threat population Very Low(VL) Only protects against bottom 2% of an average threat population
- 25. 25 Deriving Vulnerability and LEF using Monte Carlo Simulation Loss Event frequency is Medium, meaning it can happen between 1 and 10 times per year Difference between likely force to be applied and assets ability to resist that force LEF > TEF and TEF > 100% as it is a %
- 26. 26 Possible set of ranges to characterize Loss Magnitude for customer data misuse Stage 3 – Loss Magnitude (Primary) Primary Loss Magnitude Loss Forms Productivity Response Replacement Fines/ Judgments Competitive Advantage Reputation L M L - - - Productivity Loss is considered Low as the Ecommerce portal is operational and Replacement Loss is Low as well. The primary loss magnitude cost associated here would be due to response
- 27. 27 Estimating Secondary Loss Probability Estimating SLEF Rating Description Very High(VH) 90% to 100% High(H) 70% to 90% Medium(M) 30% to 70% Low(L) 10% to 30% Very Low(VL) 0% to 10% Secondary Loss probability is Very High as primary LEF was M and SLEF is VH
- 28. 28 Stage 3 – Loss Magnitude (Secondary) Secondary Loss Magnitude Loss Forms Productivity Response Replacement Fines/ Judgments Competitive Advantage Reputation H M Possible set of ranges to characterize Loss Magnitude for customer data misuse Response is the time spent by the executives in meetings, notifications and expenses inside/outside legal counsel Response Activities Approx. cost Executive time 40 hours * $200/hr=$8000 Notification costs($5 per customer for ~50,000 customers) $250,000 USD Legal expenses $200,USD Total (approx.) $450,000 USD
- 29. 29 Stage 4 : Deriving Primary and Secondary Risk Primary Risk is derived as probable loss event frequency(Medium) and probable future loss Magnitude(Medium) Secondary Risk is very high as compared to primary risk due to the involvement of E-commerce customer’s data
- 30. 30 Stage 4 : Deriving Overall Risk Overall risk is very High based on the combination of Primary and Secondary risk Qualitatively Risk is derived to be very High, and Quantitatively, the magnitude of loss is Significant
- 31. 31 Click to edit Master title styleBasic Control Considerations in FAIR Analysis
- 32. 32 Risk Controls Risk Loss Magnitude Loss Event Frequency Threat Event Frequency Vulnerability Primary Loss Secondary Loss Contact Frequency Probability of Action Threat Capability Resistance Strength Secondary Loss Event Frequency Secondary Loss Magnitude Avoidance controls Deterrent controls Response controls Vulnerability controls Affect the frequency and/or likelihood of encountering threats Affect the likelihood of a threat acting in a manner that can result in harm Affect probability that a threat’s action will result in a loss Affect the amount of loss that results from a threat’s action
- 33. 33 Information Security Controls Mapping to E-commerce Platform Avoidance Controls Firewall Filters – datacenter as well as cloud, ̶ Enable VPN for communication in a hybrid cloud ̶ Virtual Private Clouds (preferable from Security stand-point) Physical barriers Reducing threat population – by implementing Fraud management systems(example EBS) Deterrent Controls Policies – IT Security compliance aligning to organizational policy Logging and Monitoring – Use infrastructure and application monitoring (example, Amazon CloudWatch and Pingdom) Asset hardening – Ensure infrastructure Vulnerability is assessed and ensure any issues are addressed
- 34. 34 Information Security Controls Mapping to E-commerce Platform (Contd..) Vulnerability Controls Confidentiality, Integrity, Availability (CIA) Industry bodies like OWASP, CWE and WebAppSec provide vulnerabilities and the resolutions to the known vulnerabilities to be applied at code and configuration levels Penetration Testing – VAPT for application and infrastructure. Plan for iterative SAST and DAST throughout the development and testing life cycle Response Controls Back up and Media restore process – have a real-time sync up between master and Slave DB and archival strategies Forensic capabilities Incident response process
- 35. 35 References Risk Taxonomy (O-RT), Version 2.0, Open Group Standard, C13K, published by The Open Group, October 2013; refer to: www.opengroup.org/boo kstore/catalog/c13k.htm Risk Analysis (O-RA), Open Group Standard, C13G, published by The Open Group, October 2013; refer to: www.opengroup.org/boo kstore/catalog/c13g.htm How to Measure Anything: Finding the Value of Intangibles in Business, Douglas W. Hubbard, John Wiley & Sons, 2010
- 36. Thank You IT Services Business Solutions Consulting