Security Analysis Part I: Basics
Ketil Stølen, SINTEF & UiO
October 2, 2015

Objectives for Lectures on Security Analysis
• Classify security concepts
• Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis in particular
• Relate risk management to system development
• Describe the different processes that risk management involves
• Motivate and illustrate model-driven security risk analysis (or security analysis, for short)
• Demonstrate the use of risk analysis techniques

Overview of today
• What is security?
• What is risk?
• What is risk management?
• What is the relationship to cyber security?
• What is CORAS?

What is Security Analysis?
Security analysis is a specialized form of risk analysis focusing on security risks

What is Security?
Security comprises:
• Confidentiality: Only authorised actors have access to information
• Integrity: Only authorised actors can change, create or delete information
• Availability: Authorised actors have access to information they need when they need it
• Accountability: It is possible to audit the sequence of events in the system

Security is more than Technology
• Security solutions are available – but what good is security if no one can use the systems?
• Security requires more than technical understanding
• Incidents often of non-technical origin
• Requires a uniform description of the system as a whole: how it is used, the surrounding organisation, etc.

Security – Part of System Development
• Security is traditionally added as an “afterthought”
• Solutions often reactive rather than proactive
• Security issues often solved in isolation
• Costly redesign
• Security not completely integrated
Enforcing security only at the end of the development process “by preventing certain behaviors...may result in a so useless system that the complete development effort would be wasted” [Mantel'01].
“It would be desirable to consider security aspects already in the design phase, before a system is actually implemented, since removing security flaws in the design phase saves cost and time” [Jürjens'02].

Translation of Terminology (English term: Norwegian term)
• asset: aktivum (something of value)
• threat: trussel
• unwanted incident: uønsket hendelse
• risk: risiko
• vulnerability: sårbarhet
• consequence: konsekvens
• probability: sannsynlighet
• frequency: frekvens/hyppighet
• treatment: behandling

What is Risk?
Many kinds of risk
• Contractual risk
• Economic risk
• Operational risk
• Environmental risk
• Health risk
• Political risk
• Legal risk
• Security risk

Definition of Risk from ISO 31000
Risk: Effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive and/or negative
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)
NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood

What is Risk Management?
Risk management: Coordinated activities to direct and control an organization with regard to risk [ISO 31000:2009]
[Figure: risk management process. Communicate and consult; Establish the context; Risk assessment (Identify risks, Estimate risks, Evaluate risks); Treat risks; Monitor and review]

Risk Analysis Involves
• Determining what can happen, why and how
• Systematic use of available information to determine the level of risk
• Prioritization by comparing the level of risk against predetermined criteria
• Selection and implementation of appropriate options for dealing with risk
[Figure: risk management process. Communicate and consult; Establish the context; Risk assessment (Identify risks, Estimate risks, Evaluate risks); Treat risks; Monitor and review]

Terms
[Figure: Asset; Vulnerability; Threat; Risk; Need to introduce risk treatment; Reduced risk]

Terms
[Figure: worm example. Labels: Risk; Threat; Vulnerability; Unwanted incident; Treatment. Elements: Worm; Computer running Outlook; Internet; Infected PC; Infected twice per year; Infected mail sent to all contacts; Install virus scanner]

Definitions
• Asset: Something to which a party assigns value and hence for which the party requires protection
• Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value
• Likelihood: The frequency or probability of something to occur
• Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted
• Risk: The likelihood of an unwanted incident and its consequence for a specific asset
• Risk level: The level or value of a risk as derived from its likelihood and consequence
• Threat: A potential cause of an unwanted incident
• Treatment: An appropriate measure to reduce risk level
• Unwanted incident: An event that harms or reduces the value of an asset
• Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset

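The definitions above and the worm example, worked through as an added example that is not part of the original slides: a small risk register that derives a risk level from likelihood and consequence, compares it against an acceptance criterion, and recomputes it after treatment. Only the worm scenario and "twice per year" come from the slides; the scales, thresholds, asset names, consequence values, the treatment's effect and the reading of "Computer running Outlook" as the vulnerability are assumptions.

```python
from bisect import bisect_left
from dataclasses import dataclass, replace

# Assumed scales: the slides define the terms but prescribe no values.
FREQ_BOUNDS = [0.1, 0.5, 2, 10]  # upper bound (incidents/year) of each step
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
LEVELS = ["low", "medium", "high"]

@dataclass(frozen=True)
class Risk:
    asset: str               # a risk is always tied to one specific asset
    threat: str
    vulnerability: str
    unwanted_incident: str
    per_year: float          # likelihood given as a frequency
    consequence: str         # one of CONSEQUENCE

def likelihood(risk):
    """Map the estimated frequency onto the assumed likelihood scale."""
    return LIKELIHOOD[bisect_left(FREQ_BOUNDS, risk.per_year)]

def risk_level(risk):
    """Derive the risk level from likelihood and consequence (assumed matrix)."""
    score = LIKELIHOOD.index(likelihood(risk)) + CONSEQUENCE.index(risk.consequence)
    return LEVELS[0 if score <= 3 else 1 if score <= 5 else 2]

def evaluate(risks, acceptable="low"):
    """Return the risks above the acceptance criterion, highest level first."""
    rank = lambda r: LEVELS.index(risk_level(r))
    return sorted((r for r in risks if rank(r) > LEVELS.index(acceptable)),
                  key=rank, reverse=True)

def treat(risk, frequency_factor=1.0, consequence_steps=0):
    """Apply a treatment's assumed effect and return the residual risk."""
    idx = max(0, CONSEQUENCE.index(risk.consequence) - consequence_steps)
    return replace(risk, per_year=risk.per_year * frequency_factor,
                   consequence=CONSEQUENCE[idx])

# Constructed register for the worm example. "Twice per year" is from the
# slide; asset names, consequence values and treatment effect are assumed.
WORM = Risk("Workstation", "Worm", "Computer running Outlook",
            "Infected PC", 2.0, "moderate")
MAIL = Risk("Reputation", "Worm", "Computer running Outlook",
            "Infected mail sent to all contacts", 2.0, "major")

if __name__ == "__main__":
    for r in evaluate([WORM, MAIL]):
        residual = treat(r, frequency_factor=0.1)  # "Install virus scanner"
        verdict = "accept" if not evaluate([residual]) else "treat further"
        print(f"{r.asset}: {risk_level(r)} -> {risk_level(residual)} ({verdict})")
```

The same threat and vulnerability yield two separate risks because each risk is defined for a specific asset, and the same treatment leaves one of them above the acceptance criterion.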
Cyberspace, Cybersecurity and Cyber-risk
What is new and what are the real challenges?

Background
• There are no established definitions of cyberspace or cybersecurity
• Many authoritative organizations have their own definitions
  • EU, ISO, IEC, ITU-T, NIST, CNSS, …
• The various definitions typically reflect different purposes or interests
  • Information security
  • Critical infrastructure protection
  • Privacy and data protection
  • Societal security
  • Combating of cyber-crime and terrorism

Motivation and Goals
• Cybersecurity is a hot topic and a frequently used buzzword
• Stakeholders want to ensure cybersecurity and protection from cyber-risk
• At the same time there is a lack of terminology consensus and method support
• Our aim: Define a terminology and identify challenges

Cyberspace
The term cyberspace first appeared in science fiction (novel by William Gibson)

Cyber-system

Cyber-physical system

Summary

Cybersecurity

Cybersecurity is related to information security and infrastructure security
• Information security is the protection of confidentiality, integrity and availability of information
• Infrastructure security and CIP is to prevent the disruption, disabling, destruction or malicious control of critical infrastructures
• But cybersecurity is not simply the combination of the two

Summary

Cyber-risk

Summary
CORAS

The Challenge of Measurement

The Challenge of Uncertainty

The Challenge of Aggregation

The Challenge of Black-swans (Nassim N. Taleb)

Security Analysis Using CORAS

Overview
• What is CORAS?
• Main concepts
• Process of eight steps
• Risk modeling
• Semantics
• Calculus
• Tool support
• Further reading

What is CORAS?
• CORAS consists of
  • Method for risk analysis
  • Language for risk modeling
  • Tool for editing diagrams
• Stepwise, structured and systematic process
  • Directed by assets
  • Concrete tasks with practical guidelines
• Model-driven
  • Models as basis for analysis
  • Models as documentation of results
• Based on international standards

Mandatory Reading
• Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3 "A Guided Tour of the CORAS Method" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011. Springer. The chapter can be downloaded freely.
• Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Risk Analysis of Changing and Evolving Systems Using CORAS, 2011. LNCS 6858, Springer. Pages 231-274.
• Le Minh Sang Tran, Bjørnar Solhaug, Ketil Stølen. An approach to select cost-effective risk countermeasures exemplified in CORAS. SINTEF A24343, SINTEF ICT, July 2013.