COMP3441 Lecture 10: Risk/Case Studies Ron van der Meyden (University of New South Wales Sydney, Australia) May 20, 2013 R. van der Meyden COMP3441 Lecture 10: Risk/Case Studies

Page 1

COMP3441 Lecture 10: Risk/Case Studies

Ron van der Meyden

(University of New South Wales, Sydney, Australia)

May 20, 2013

Page 2

Overview

- Risk
- Case Study: Banking

Page 3

Risk

If you are afraid that

- crooks might try to rip you off
- your staff might try to cheat you
- customers might sue you

... then don't go into business!

Page 4

Risk versus reward

Business/investors accept risk as inevitable.

What matters is the risk/reward tradeoff:

- low risk/low reward (e.g., cash in the bank, government bonds)
- moderate risk/moderate reward (stock of slow growth multinational, e.g. IBM)
- high risk/high reward (stock in a potentially high growth startup company)

What type of business/investor are you?

Page 5

Business Risk Concepts

- Exposure - what could be lost in the worst case?
- Volatility - how predictable and variable are losses?
- Probability - how likely is a particular type of loss event?
- Severity - what is the amount of loss likely to happen?
- Time Horizon - how long will the exposure last?
- Correlation - how are different risks related to each other?
- Capital - how much should I set aside for a rainy day?

Some types of business risks are well understood and quantifiable, particularly in finance.

Page 6

Example: credit risk

The risk that a borrower will default on the loan.

- exposure: amount of the loan
- volatility: default more likely in a recession
- probability: can be estimated based on borrower's credit history, age, employment, level of borrowings
- severity = exposure * probability of default
- time horizon: term of loan
- correlation: recession-based defaults highly correlated
- capital: increase at time of recession

Page 7

Risk Assessment

Identifying degree of risk/severity can be quantitative:

- quantify exposure and probability
- calculate severity

Page 8

Example: Quantitative Risk Assessment

Consider a system with a random 4 digit password, and users locked out for one day after 3 failed login attempts within a single day.

Question: What is the probability that a brute force attack will break in within k days?

Answer:

P(success after k days) = 3k / 10^4

(Each day allows at most 3 distinct guesses out of 10^4 equally likely passwords, so the formula holds while 3k <= 10^4, i.e. until every password has been tried.)
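The following is an added example, not part of the lecture slides: it generalises the slide's P(success after k days) = 3k / 10^4 to any password space and any number of guesses allowed per day, and derives from it how many days the lockout policy buys before an attacker reaches a given success probability.

```python
"""Brute-force success probability under a lockout policy.

Added example (not from the lecture slides): generalises the slide's
P(success after k days) = 3k / 10^4 to any password space size and any
number of guesses allowed per day, and derives how many days an attacker
needs to reach a target success probability.
"""
import math


def brute_force_probability(days: int, guesses_per_day: int = 3,
                            space: int = 10**4) -> float:
    """Probability that a random password drawn from `space` equally likely
    values is found within `days` days when at most `guesses_per_day`
    distinct guesses are possible per day (slide: 4 digits, 3 attempts).

    Each guess rules out one value, so after k days the attacker has covered
    k * guesses_per_day values; capped at 1 once the space is exhausted."""
    if days < 0 or guesses_per_day <= 0 or space <= 0:
        raise ValueError("days must be >= 0, guesses_per_day and space > 0")
    return min(1.0, days * guesses_per_day / space)


def days_to_reach(target_probability: float, guesses_per_day: int = 3,
                  space: int = 10**4) -> int:
    """Smallest number of days after which the success probability is at
    least `target_probability` (the policy's effective time horizon)."""
    if not 0 < target_probability <= 1:
        raise ValueError("target_probability must be in (0, 1]")
    return math.ceil(target_probability * space / guesses_per_day)


def compare_policies() -> dict:
    """Days until a 50% break-in chance for a few constructed
    lockout / password-length policies."""
    policies = {
        "4 digits, 3 guesses/day": (3, 10**4),
        "4 digits, 10 guesses/day": (10, 10**4),
        "6 digits, 3 guesses/day": (3, 10**6),
    }
    return {name: days_to_reach(0.5, g, s) for name, (g, s) in policies.items()}


if __name__ == "__main__":
    for k in (1, 10, 100, 1000):
        print(f"P(success after {k:4d} days) = {brute_force_probability(k):.4f}")
    for name, days in compare_policies().items():
        print(f"{name}: 50% chance after {days} days")
```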

Page 9

Quantitative risk assessment is often not feasible:

- Hard to get the numbers.
- How credible are the numbers when you can get them?
- Hard to get a model that captures all relevant detail.

An alternative is a qualitative approach: place each risk in a grid of exposure against probability.

  Exposure
    High | High Exposure / Low Probability  | High Exposure / High Probability
    Low  | Low Exposure / Low Probability   | Low Exposure / High Probability
         +----------------------------------+----------------------------------
           0 <--------------- Probability ----------------> 1

Page 10

Limits of Risk Assessment

A "poem" by Donald Rumsfeld, US secretary of State 2003, on war on terror

As we know
There are known knowns
There are things we know we know
We also know
There are known unknowns
That is to say
We know there are some things
We do not know
But there are also unknown unknowns
The ones we don't know we don't know

Page 11

Risk Management

- Deny it: "that would never happen to us!"
- Carry it: accept as part of the game
- Mitigate it: e.g., make a borrower post collateral
- Balance it: e.g., create a portfolio of uncorrelated risks
- Transfer it:
  - buy insurance against the losses
  - cook it into a derivative and sell it (e.g., mortgage-backed securities)

Which of these to apply? Depends on your risk profile and the cost of the strategy.

Still more of an art than a science, even in finance.

Page 12

Even mitigation and transfer leave residual risk:

- loss of market value of collateral
- counter-party risk: default of the insurer
- moral hazard: people with insurance are more likely to engage in risky behavior

Page 13

Risk Mitigation: Security Example

- Risk: virus-borne attacks
- Mitigation strategy: antivirus on firewall, on desktop
- Residual risk: zero-day attacks

Page 14

Balancing Risks: Security example

A major company runs its web servers on a variety of platforms:

- Apache on Linux machines
- Windows Server on Windows
- MacHTTP on Macintosh

Vulnerabilities on these platforms are unlikely to be correlated, leading to increased reliability overall.

(Cf. genetic diversity in biological populations.)

Page 15

Moral Hazard: Security Example

This issue is not much studied yet, but there is some evidence of it:

E.g., users who believe they are protected by a firewall are more likely to choose weak passwords.

Page 16

Transfer of Risk: Security example

Insurance companies are starting to

- remove IT security risks from business insurance policies
- create new types of policy to cover these risks

One example: http://www.chubb.com/businesses/csi/chubb822.html

Early days for this:

- how to quantify these risks, build actuarial models
- rapidly changing technology (cf. life expectancy models)

Page 17

Case Study: The Credit Card Arms Race

The history of credit card security illustrates an arms race between banks & the crooks.

Each new defensive measure met with a new type of attack.

The banks' management of this reflects not just technological response, but also risk management practice.

Page 18

Credit card transaction process

(figure: transaction flow between the parties)

Parties: Merchant -- Merchant's bank -- switching centre (e.g. Visa) -- Customer's bank

Fee labels in the figure: merchant discount 4-5%; commission; interest, loyalty

Page 19

First security approach

Hot card lists

- paper local hot card list sent to merchants
- for transactions > limit1, merchant to call Visa
- for transactions > limit2, Visa to check with customer bank

Page 20

Improved communications networks now allow most transactions to be verified back to the customer's bank.

But not all:

- cost of ensuring 100% network uptime too high, diminishing returns
- approval on network failure risk: example of accepting risk

Page 21

1970's: rise of mail order

Attack: use of credit card number acquired by crook

Defenses:

- lower limits for calls to check cards (mitigate & accept risk)
- use expiry date as password (mitigate)
- require delivery to customer card address (mitigate)
- increase merchant discount (mitigate by increased capital)
- in case of customer complaint, debit amount back to merchant
  - transfer risk to merchant
- insurance to customers (against card & merchant fraud, goods return), so attracts customer business

Residual risk: the system won't be viable for merchants (so banks still need to ensure the system is secure!)

Page 22

1980's: Card Forgery

With the rise of electronic terminals for authorization, crooks turn to faking cards:

- fish receipts with card number and expiry date from garbage
- encode card number and expiry date on a stolen/forged card's magnetic strip

Defense: Card verification values (CVV) printed on card but not encoded on magnetic strip

Page 23

1990's: Skimming

Attack: Criminal gangs run businesses (or plant members there as staff), e.g. restaurants, to swipe cards through an extra terminal to collect card data (and copy CVV) for fake card manufacture.

Defense: Intrusion detection systems (mitigation) to

- identify merchants used preceding fraud
- detect unusual customer purchase patterns (e.g., out of town, higher rate of charge than usual)

Page 24

Late 90's: Invisible Skimming

Attack: (hide from intrusion detection systems)

- Criminal merchants omit charging for transactions in which data was skimmed (carry loss)
- Wait (e.g. one year) for customer to forget about use of that merchant
- Manufacture fake card and use for large transaction(s) (recoup loss)
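The following is an added example, not from the lecture slides, of the two intrusion-detection ideas on the skimming slides: finding a merchant shared by cards later reported as defrauded (a "common point of purchase"), and flagging out-of-town or unusually large purchases. The lookback window is a parameter because the invisible-skimming delay of a year defeats a short one; all transactions, fraud reports and home cities below are constructed.

```python
"""Fraud-pattern detection over card transactions (added example, not from the
slides): common point of purchase shared by cards later reported as defrauded,
and per-card anomalies (out-of-town or unusually large). Data is constructed."""
from collections import defaultdict
from datetime import date
from statistics import mean

# constructed transactions: (card, day, merchant, city, amount)
TXNS = [
    ("c1", date(2011, 3, 1), "Bistro", "Sydney", 40),
    ("c1", date(2011, 3, 5), "Grocer", "Sydney", 60),
    ("c2", date(2011, 3, 2), "Bistro", "Sydney", 55),
    ("c2", date(2011, 4, 1), "Grocer", "Sydney", 70),
    ("c3", date(2011, 3, 3), "Bistro", "Sydney", 35),
    ("c4", date(2011, 3, 4), "Grocer", "Sydney", 50),
    # a year later, cloned cards are used for large out-of-town purchases
    ("c1", date(2012, 3, 20), "Electronics", "Perth", 2400),
    ("c2", date(2012, 3, 21), "Electronics", "Perth", 1900),
    ("c3", date(2012, 3, 22), "Jeweller", "Perth", 3100),
]
# constructed fraud reports (card -> report day) and each card's home city
FRAUD_REPORTS = {"c1": date(2012, 3, 25), "c2": date(2012, 3, 26), "c3": date(2012, 3, 27)}
HOME_CITY = {"c1": "Sydney", "c2": "Sydney", "c3": "Sydney", "c4": "Sydney"}


def common_points_of_purchase(txns, reports, lookback_days, min_cards=2):
    """Merchants visited, within `lookback_days` before the fraud report, by at
    least `min_cards` distinct cards later reported as defrauded. A short window
    misses 'invisible' skimmers who wait a year before cashing out."""
    seen = defaultdict(set)
    for card, day, merchant, _city, _amount in txns:
        if card in reports and 0 <= (reports[card] - day).days <= lookback_days:
            seen[merchant].add(card)
    return {m: len(c) for m, c in seen.items() if len(c) >= min_cards}


def anomalous_transactions(txns, home_city, ratio=5.0):
    """Flag purchases outside the card's home city or more than `ratio` times
    the mean of that card's earlier purchases (unusual rate of charge)."""
    history, flagged = defaultdict(list), []
    for card, day, merchant, city, amount in sorted(txns, key=lambda t: t[1]):
        reasons = []
        if city != home_city.get(card):
            reasons.append("out of town")
        if history[card] and amount > ratio * mean(history[card]):
            reasons.append("unusually large")
        if reasons:
            flagged.append((card, day, merchant, reasons))
        history[card].append(amount)
    return flagged
```

With a 30-day window only the cash-out merchant "Electronics" is common to the victims; with a 400-day window "Bistro" (all three victims) surfaces, and in practice the disputed transactions themselves would be excluded so that cash-out merchants do not score as skimming points.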

Page 25

Mid 90's-2000's: E-commerce

Original expected attack: theft of card data from plain-text email, web traffic

Defense: SSL/TLS, encryption of card data.

Actual attacks:

- phishing
- theft of card data from hacked merchant websites

Page 26

PIN based vulnerabilities

Attack example:

- crook working at merchant observes customer enter PIN on terminal
- crook returns fake card to customer, retains customer card
- or, crook's friend subsequently does grab and run on customer handbag
- crook uses stolen card and PIN

Page 27

2000's: Automated Teller Machine skimming

(images of ATM skimmers, from http://krebsonsecurity.com/category/all-about-skimmers/)

(pinhole contains camera to capture PIN)

Page 28

ATM skimming

(image slide)

Page 29

Point-of-Sale terminal skimming

Oct 2012: found inside POS terminals at an (undisclosed) "major US retailer":

(image of the skimming device)

Page 30

Current Defenses

Visa/Mastercard requirements on merchants:

- Payment Card Industry Data Security Standard
- https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Security breach disclosure laws:

- legal requirement to publicly report theft of CC data from merchant machines
- report can affect merchant stock price, customer loyalty

Page 31

Smart-card based credit cards

PIN + cryptography based cards

Several technologies:

- Static Data Authentication (shared key cryptography)
- Dynamic Data Authentication (+ digital signatures)
- Combined Data Authentication (+ digital signatures)
- Contactless cards (RFID)

All with vulnerabilities, depending on the overall design of the system.

Page 32

Summary: Risk Management

- Identify exposure (assets)
- Identify risks (threats)
- Measure/qualify risk parameters
- Quantify response costs
- Prioritise responses
- Implement responses in order of priority
- Monitor and adjust as needed
- Watch out for unknown unknowns!