SANS Technology Institute - Candidate for Master of Science Degree

A Preamble into Aligning Systems Engineering and Information Security Risk

Dr. Craig Wright GSE, May 2012
GIAC GSE, GSM, GSC

Controls are countermeasures for vulnerabilities

Controls need to be economically viable to be effective. There are four types:
1. Deterrent controls
2. Preventative controls
3. Corrective controls
4. Detective controls
System Survival
• Network reliability requires us to model the various access paths and survival times for not only each system, but for each path to the system.
Mapping Vulnerabilities within Software
• Now let E stand for the event that a vulnerability is discovered within the times T and T+h, for n vulnerabilities in the software
Mapping Vulnerabilities within Software
• Where a vulnerability is discovered between time T and T+h, use Bayes' Theorem to compute the probability that n bugs exist in the software:
Mapping Vulnerabilities within Software
• From this it can be seen that:
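The following is an added worked example, not code from the slides, showing the Bayesian update that the three Mapping Vulnerabilities slides above call for. The slides do not state their likelihood model, so the one used here is an assumption: each of the n vulnerabilities in the software is discovered independently after an exponentially distributed time with a common rate LAM, which makes the probability of at least one discovery in a window of length h equal to 1 - exp(-n·LAM·h) regardless of T. The rate LAM, the window H, the cap MAX_N and the uniform prior are constructed values chosen for illustration.

```python
"""Added example (not from the slides): Bayes' theorem applied to the number
of vulnerabilities n in a piece of software, given that a vulnerability was
(or was not) discovered in the window (T, T+h].

Assumed model, chosen here for illustration: each of the n undiscovered
vulnerabilities is found independently after an exponentially distributed
time with a common rate LAM (discoveries per day). The exponential is
memoryless, so the chance that at least one of n is found in a window of
length h does not depend on T:

    P(E | n) = 1 - exp(-n * LAM * h)

Bayes' theorem then turns a prior P(n) into
    P(n | E) = P(E | n) P(n) / sum_m P(E | m) P(m).
"""
import math

LAM = 0.01   # assumed per-vulnerability discovery rate, 1/day (mean 100 days each)
H = 30.0     # assumed window length h, in days
MAX_N = 10   # assumed upper bound on the number of bugs considered

# Constructed prior: no information on the count, so uniform over 0..MAX_N.
UNIFORM_PRIOR = {n: 1.0 / (MAX_N + 1) for n in range(MAX_N + 1)}


def p_discovery_given_n(n, lam=LAM, h=H):
    """P(E | n): at least one of n independent exponential(lam) discovery times lands in (T, T+h]."""
    return 1.0 - math.exp(-n * lam * h)


def posterior_over_n(prior, discovered, found=0, lam=LAM, h=H):
    """Bayes' theorem over the total bug count n.

    discovered=True  -> evidence E: a vulnerability was found in the window.
    discovered=False -> evidence not-E: the window passed with no discovery.
    found            -> bugs already known before this window, so n - found remain.
    """
    likelihood = {}
    for n in prior:
        remaining = n - found
        p_e = p_discovery_given_n(remaining, lam, h) if remaining > 0 else 0.0
        likelihood[n] = p_e if discovered else 1.0 - p_e
    evidence = sum(prior[n] * likelihood[n] for n in prior)  # P(E) = sum_m P(E|m) P(m)
    if evidence == 0.0:
        raise ValueError("the evidence has zero probability under this prior")
    return {n: prior[n] * likelihood[n] / evidence for n in prior}


def expected_n(dist):
    """Expected number of bugs under a distribution over n."""
    return sum(n * p for n, p in dist.items())


def sequential_update(prior, observations, lam=LAM, h=H):
    """Apply one window of evidence after another; each observation is True (found) or False.
    n is the TOTAL bug count, so each discovery leaves one fewer bug to find."""
    dist = dict(prior)
    found = 0
    for seen in observations:
        dist = posterior_over_n(dist, seen, found, lam, h)
        if seen:
            found += 1
    return dist


if __name__ == "__main__":
    after_hit = posterior_over_n(UNIFORM_PRIOR, discovered=True)
    after_quiet = posterior_over_n(UNIFORM_PRIOR, discovered=False)
    print("E[n] prior            :", round(expected_n(UNIFORM_PRIOR), 3))
    print("E[n | discovery]      :", round(expected_n(after_hit), 3))
    print("E[n | no discovery]   :", round(expected_n(after_quiet), 3))
    print("E[n | 3 quiet windows]:", round(expected_n(sequential_update(UNIFORM_PRIOR, [False] * 3)), 3))
```

A discovery moves the posterior mass toward larger n and rules out n = 0; a quiet window moves it toward smaller n. In sequential_update the count n is the total number of bugs, so after k discoveries only n - k remain undiscovered, which is why every n below k collapses to zero posterior probability.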
Exponential Failure
• The reliability function (also called the survival function) represents the probability that a system will survive a specified time t.
$R(t) = 1 - F(t)$

Exponential Failure
• The reliability function is a probabilistic calculation.
 – We cannot forecast the exact time of any compromise.
 – We can estimate the behaviour of systems that are constructed of many components.
Reliability
• Reliability is expressed as either MTBF (mean time between failures) or MTTF (mean time to failure).
 – The choice of term depends on the system being analyzed.
 – For system security, it is the time that the system can be expected to survive when exposed to attack.
Modelling Failure Rate
• The failure rate for a specific time interval can also be expressed as:
Modelling Failure Rate
• The time to failure of a system under attack can be expressed as an exponential density function:
Modelling Failure Rate
• Here is the mean survival time of the system when in the hostile environment
• t is the time of interest
• Reliability function, R(t), can be expressed as:
Modelling Failure Rate
• The mean ( ) or expected life of the system under hostile conditions can hence be expressed as:
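The Exponential Failure and Modelling Failure Rate slides above give the exponential time-to-failure model in symbols that did not survive extraction. The block below is an added example, not code from the slides, that writes the standard exponential model out in full (the density, F(t), R(t) = 1 - F(t), the constant failure rate 1/θ and MTTF = θ) and fits it to a constructed list of time-to-compromise observations, OBSERVED_DAYS, which is sample data and not a real measurement.

```python
"""Added example (not from the slides): the exponential survival model for a
system under attack, fitted to constructed data.

Standard exponential form, with theta the mean survival time under attack
(the slides' own symbols are not reproduced here):

    f(t)      = (1/theta) * exp(-t/theta)   density of the time to compromise
    F(t)      = 1 - exp(-t/theta)           probability of compromise by time t
    R(t)      = 1 - F(t) = exp(-t/theta)    reliability (survival) function
    lambda(t) = f(t) / R(t) = 1/theta       failure rate, constant in t
    MTTF      = integral_0^inf R(t) dt = theta
"""
import math

# Constructed sample (not real data): days until each of twelve identically
# built, internet-exposed hosts was first compromised.
OBSERVED_DAYS = [3.2, 7.9, 1.4, 12.6, 5.1, 2.7, 9.3, 4.4, 0.8, 6.5, 15.2, 2.9]


def estimate_theta(times):
    """Maximum-likelihood estimate of theta for the exponential: the sample mean."""
    if not times:
        raise ValueError("need at least one observed time to failure")
    if any(t < 0 for t in times):
        raise ValueError("times to failure cannot be negative")
    return sum(times) / len(times)


def cdf(t, theta):
    """F(t): probability the system has been compromised by time t."""
    return 1.0 - math.exp(-t / theta)


def reliability(t, theta):
    """R(t) = 1 - F(t): probability the system survives past time t."""
    return math.exp(-t / theta)


def density(t, theta):
    """f(t): exponential density of the time to compromise."""
    return math.exp(-t / theta) / theta


def failure_rate(t, theta):
    """lambda(t) = f(t) / R(t); for the exponential this is 1/theta for every t."""
    return density(t, theta) / reliability(t, theta)


def mttf_numeric(theta, steps=100000):
    """Trapezoid-rule integral of R(t) over [0, 40*theta], which should return theta.
    Beyond 40*theta the survival probability is below e^-40, so truncation is negligible."""
    upper = 40.0 * theta
    dt = upper / steps
    total = 0.0
    for i in range(steps):
        total += 0.5 * (reliability(i * dt, theta) + reliability((i + 1) * dt, theta)) * dt
    return total


def exposure_limit(target_reliability, theta):
    """Longest exposure t with R(t) >= target: t = -theta * ln(target).
    Useful for sizing a patch window: how long may a host stay exposed before the
    chance that it is still uncompromised drops below the target?"""
    if not 0.0 < target_reliability <= 1.0:
        raise ValueError("target reliability must be in (0, 1]")
    return -theta * math.log(target_reliability)


if __name__ == "__main__":
    theta = estimate_theta(OBSERVED_DAYS)
    print(f"theta (MTTF) = {theta:.2f} days, failure rate = {failure_rate(1.0, theta):.4f}/day")
    for t in (1, 7, 30):
        print(f"R({t:>2}) = {reliability(t, theta):.3f}")
    print(f"numeric MTTF = {mttf_numeric(theta):.4f}")
    print(f"exposure limit for R >= 0.9: {exposure_limit(0.9, theta):.2f} days")
```

Fitting theta by the sample mean is the maximum-likelihood estimate for the exponential, and mttf_numeric checks the identity MTTF = ∫R(t)dt = theta numerically rather than taking it on trust. The caveat that matters in practice is that the exponential assumes a constant failure rate: the attacker's chance of success in the next hour does not depend on how long the host has already survived. Once a working exploit for the host's software becomes public that assumption no longer holds, and theta has to be re-estimated for the new environment.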
No Absolutes
• There are no absolutes but data can be modelled.
 – Security remains a risk and economic function.
 – No comparison to levels of security can be made other than to a relative measure (no absolute level of security).
Conclusion
• Before we invest our valuable resources into protecting the information assets it is vital to address concerns such as:
 – the importance of information or the resource being protected,
 – the potential impact if the security is breached,
 – the skills and resources of the attacker, and
 – the controls available to implement the security.