COMP2700 - Week 2 - Security Management

Table of Contents

• Security Management
• Management Standards
• Security Policies
• Measuring Security
• Security Metrics
• Risk Analysis
• Attacks
• Quantitative or Qualitative Risk Analysis
• Assets
• Valuation
• Vulnerabilities
• Rating
• Threats
• Attack Tree
• Rating
• Risk Mitigation
• Strategies

---

Security Management

• Security is a people problem as it cannot be solved by technology alone

• Management must define clear objectives and proper security-awareness training must be implemented

Management Standards

Standards which state what security measures have to be implemented in an organisation

---

Security Policies

• Security policy -> A statement that defines the security objectives of an organisation
  • Must state what exactly must be protected + (optionally how)

Measuring Security

• Security measurements essential for decision making

1. Obtain values for security relevant factors (Security measurerment)
2. Consolidate measurements into single value for comparison against a baseline or past state (Security metrics)

Security Metrics

• A quantitative statement about security of a product or system

• Secure products can be deployed in insecure ways

• Cost of the attack can also be measured, i.e:

  • Time + expenses
  • Knowledge

---

Risk Analysis

A situation involving exposure to danger. Analysis of probability of occurence

• Analysis applied to assets, infrastructure and new products/systems

Attacks

Attacks are just a sequence of actions exploiting weak points in the system until attacker has achieved their goals

• Damange must be factored into risk analysis

Risk = Assets x Threats x Vulnerabilities

Quantitative or Qualitative Risk Analysis

• Quantitative -> Values taken from a mathematic domain, i.e. probability space

  • E.g. Monetary values to assets

• Qualitative -> Values taken from domains that don't have an underlying mathematical structure

  • E.g. Values based on rules from security experts

Assets

• Assets should be identified and valued
  • E.g. Hardware, Software, Data & Information, Services, Reputation

Valuation

• Look at monetary replacement costs

• Assets can be valued according to their importance

How long could your business survive if a asset is damaged??

Vulnerabilities

• Weaknesses in a system could be accidentally or intentionally exploited

Rating

• Rate vulnerabilities according to impact or level of criticality

• Vulnerability scanner can be used

Threats

• Actions taken by adversaries trying to exploit vulnerabilities
  • ID threats:
    • Categorise threats by damage/potential damage
    • ID source of attacks
      • Insider
      • Outsider

Attack Tree

• Allows for analysis of attack steps in detail

Rating

• Rated based on likelihood or potential damange

• Likelihood depends on:

  • Difficulty
  • Motivation
  • Potential attackers

Risk Mitigation

• Analysis of prioritised list of threats, with recommended countermeasures

Strategies

• Accept risk -> May be good reasons to do so

• Avoid risk -> Eliminate vulnerability or drop feature(s) until it can be mitigated

• Limit risk -> Use control measures for mitigation

• Transfer risk -> Buy insurance