COMP3441 Lecture 10: Risk/Case Studies
Ron van der Meyden
(University of New South Wales, Sydney, Australia)
May 20, 2013
R. van der Meyden COMP3441 Lecture 10: Risk/Case Studies
Overview
- Risk
- Case Study: Banking
Risk
If you are afraid that
- crooks might try to rip you off
- your staff might try to cheat you
- customers might sue you
... then don’t go into business!
Risk versus reward
Business/investors accept risk as inevitable.
What matters is the risk/reward tradeoff:
- low risk/low reward (e.g., cash in the bank, government bonds)
- moderate risk/moderate reward (stock of a slow-growth multinational, e.g. IBM)
- high risk/high reward (stock in a potentially high-growth startup company)
What type of business/investor are you?
Business Risk Concepts
- Exposure - what could be lost in the worst case?
- Volatility - how predictable and variable are losses?
- Probability - how likely is a particular type of loss event?
- Severity - what is the amount of loss likely to happen?
- Time Horizon - how long will the exposure last?
- Correlation - how are different risks related to each other?
- Capital - how much should I set aside for a rainy day?
Some types of business risks are well understood and quantifiable, particularly in finance.
Example: credit risk
The risk that a borrower will default on the loan.
- exposure: amount of the loan
- volatility: default more likely in a recession
- probability: can be estimated based on the borrower’s credit history, age, employment, level of borrowings
- severity = exposure * probability of default
- time horizon: term of loan
- correlation: recession-based defaults highly correlated
- capital: increase at time of recession
Risk Assessment
Identifying degree of risk/severity can be quantitative:
- quantify exposure and probability
- calculate severity
Example: Quantitative Risk Assessment
Consider a system with a random 4-digit password, and users locked out for one day after 3 failed login attempts within a single day.
Question: What is the probability that a brute force attack will break in within k days?
Answer:
$P(\text{success after } k \text{ days}) = \frac{3k}{10^4}$
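As an added worked example (not from the lecture slides), the calculation behind this answer in Python, with the assumptions named in the docstring; it also shows the attacker who guesses at random with repetition, the number of days needed to reach a given success probability, and a Monte Carlo check of the formula:

```python
"""Quantitative risk assessment for the lockout policy on this slide.
Added example, not from the lecture. Assumptions: a uniformly random
4-digit password, at most 3 guesses per day (lockout after 3 failures),
and a systematic attacker who never repeats a guess. p_systematic()
reproduces the slide's 3k/10^4; p_random() shows the small loss from
guessing with repetition; days_to_reach() inverts the formula; simulate()
checks the closed form by Monte Carlo."""
import math
import random

DIGITS = 4
GUESSES_PER_DAY = 3           # lockout after 3 failed attempts per day
SPACE = 10 ** DIGITS          # 10^4 equally likely passwords


def p_systematic(k: int, per_day: int = GUESSES_PER_DAY, space: int = SPACE) -> float:
    """P(success within k days) with no repeated guesses: each distinct
    guess has a 1/space chance, so 3k guesses give 3k/space, capped at 1."""
    return min(1.0, per_day * k / space)


def p_random(k: int, per_day: int = GUESSES_PER_DAY, space: int = SPACE) -> float:
    """P(success within k days) when every guess is drawn uniformly at
    random, so repeats are possible: 1 - (1 - 1/space)^(3k)."""
    return 1.0 - (1.0 - 1.0 / space) ** (per_day * k)


def days_to_reach(p: float, per_day: int = GUESSES_PER_DAY, space: int = SPACE) -> int:
    """Smallest k giving a systematic attacker success probability >= p;
    this is the 'time horizon' of the exposure under the policy."""
    return math.ceil(p * space / per_day)


def simulate(k: int, trials: int = 10000, seed: int = 1) -> float:
    """Monte Carlo estimate of p_systematic(k): fraction of trials in which
    a non-repeating attacker's first 3k guesses (a random subset of the
    space) contain a freshly drawn random password."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        secret = rng.randrange(SPACE)
        if secret in rng.sample(range(SPACE), GUESSES_PER_DAY * k):
            hits += 1
    return hits / trials
```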
Quantitative risk assessment is often not feasible:
- Hard to get the numbers.
- How credible are the numbers when you can get them?
- Hard to get a model that captures all relevant detail.
An alternative is a qualitative approach, placing each risk in a matrix of exposure against probability:

                  Low Probability                   High Probability
High Exposure     High Exposure / Low Probability   High Exposure / High Probability
Low Exposure      Low Exposure / Low Probability    Low Exposure / High Probability

(Probability runs from 0 to 1 along the horizontal axis; Exposure from Low to High along the vertical axis.)
Limits of Risk Assessment
A “poem” by Donald Rumsfeld, US Secretary of State, 2003, on the war on terror:
As we know
There are known knowns
There are things we know we know
We also know
There are known unknowns
That is to say
We know there are some things
We do not know
But there are also unknown unknowns
The ones we don’t know we don’t know
Risk Management
- Deny it: “that would never happen to us!”
- Carry it: accept it as part of the game
- Mitigate it: e.g., make a borrower post collateral
- Balance it: e.g., create a portfolio of uncorrelated risks
- Transfer it:
  - buy insurance against the losses
  - cook it into a derivative and sell it (e.g., mortgage-backed securities)
Which of these to apply? Depends on your risk profile and the cost of the strategy.
Still more of an art than a science, even in finance.
Even mitigation and transfer leave residual risk:
- loss of market value of collateral
- counter-party risk: default of the insurer
- moral hazard: people with insurance are more likely to engage in risky behavior
Risk Mitigation: Security Example
- Risk: virus-borne attacks
- Mitigation strategy: antivirus on firewall, on desktop
- Residual risk: zero-day attacks
Balancing Risks: Security example
A major company runs its web servers on a variety of platforms:
- Apache on Linux machines
- Windows Server on Windows
- MacHTTP on Macintosh
Vulnerabilities on these platforms are unlikely to be correlated, leading to increased reliability overall.
(Cf. genetic diversity in biological populations.)
Moral Hazard: Security Example
This issue has not been much studied yet, but there is some evidence of it:
E.g., users who believe they are protected by a firewall are more likely to choose weak passwords.
Transfer of Risk: Security example
Insurance companies are starting to
- remove IT security risks from business insurance policies
- create new types of policy to cover these risks
One example: http://www.chubb.com/businesses/csi/chubb822.html
Early days for this:
- how to quantify these risks, build actuarial models
- rapidly changing technology (cf. life expectancy models)
Case Study: The Credit Card Arms Race
The history of credit card security illustrates an arms race between banks & the crooks.
Each new defensive measure is met with a new type of attack.
The banks’ management of this reflects not just technological response, but also risk management practice.
Credit card transaction process
[Figure: credit card transaction flow between Merchant, Merchant's bank, switching centre (e.g. Visa) and Customer's bank; edge labels on the diagram: merchant discount 4-5%, commission, interest/loyalty]
First security approach
Hot card lists
- paper local hot card list sent to merchants
- for transactions > limit1, merchant to call Visa
- for transactions > limit2, Visa to check with customer bank
Improved communications networks now allow most transactions to be verified back to the customer’s bank.
But not all:
- cost of ensuring 100% network uptime too high, diminishing returns
- approval on network failure risk: example of accepting risk
1970’s: rise of mail order
Attack: use of credit card number acquired by crook
Defenses:
- lower limits for calls to check cards (mitigate & accept risk)
- use expiry date as password (mitigate)
- require delivery to customer card address (mitigate)
- increase merchant discount (mitigate by increased capital)
- in case of customer complaint, debit amount back to merchant
  - transfer risk to merchant
  - insurance to customers (against card & merchant fraud, goods return), so attracts customer business
Residual risk: the system won’t be viable for merchants (so banks still need to ensure the system is secure!)
1980’s: Card Forgery
With the rise of electronic terminals for authorization, crooks turn to faking cards:
- fish receipts with card number and expiry date from garbage
- encode card number and expiry date on a stolen/forged card’s magnetic strip
Defense: Card verification values (CVV) printed on card but not encoded on magnetic strip
1990’s: Skimming
Attack: Criminal gangs run businesses (or plant members there as staff), e.g. restaurants, to swipe cards through an extra terminal to collect card data (and copy CVV) for fake card manufacture.
Defense: Intrusion detection systems (mitigation) to
- identify merchants used preceding fraud
- detect unusual customer purchase patterns (e.g., out of town, higher rate of charge than usual)
Late 90’s: Invisible Skimming
Attack: (hide from intrusion detection systems)
- Criminal merchants omit charging for transactions in which data was skimmed (carry loss)
- Wait (e.g. one year) for customer to forget about use of that merchant
- Manufacture fake card and use for large transaction(s) (recoup loss)
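An added example (not from the lecture or any bank's system) of the first intrusion-detection check on the skimming slide, common-point-of-purchase analysis over a constructed transaction log; run with a short and a long lookback window it also shows why the waiting step of the invisible skimming attack above defeats it:

```python
"""Common-point-of-purchase analysis: the 'identify merchants used preceding
fraud' defence on the skimming slide. Added example, not from the lecture;
the log, card ids, merchant names and report days are constructed.
Cards later reported fraudulent are traced back over a lookback window; a
merchant seen by many fraud cards but few cards overall is a likely skimming
point. That window is what 'invisible skimming' evades by waiting a year."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Txn(NamedTuple):
    card: str
    merchant: str
    day: int          # days since an arbitrary epoch


def cpp_scores(txns: List[Txn], report_day: Dict[str, int],
               lookback: int) -> Dict[str, float]:
    """Per merchant: fraud cards seen in the window before their report,
    divided by distinct cards seen at all. Merchants with < 2 cards are
    skipped, since one card cannot establish a common point."""
    seen, fraud = defaultdict(set), defaultdict(set)
    for t in txns:
        seen[t.merchant].add(t.card)
        rep = report_day.get(t.card)
        if rep is not None and rep - lookback <= t.day < rep:
            fraud[t.merchant].add(t.card)
    return {m: len(fraud[m]) / len(c) for m, c in seen.items() if len(c) >= 2}


def suspect_merchants(scores: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Merchants at or above the threshold, highest fraud share first."""
    return sorted((m for m, s in scores.items() if s >= threshold),
                  key=lambda m: -scores[m])


# Constructed log: c1..c4 are reported fraudulent around day 130; all four
# used 'bistro' a month earlier, 'grocer' serves everyone, and 'old_bistro'
# skimmed c4 about a year before its report (outside a 90-day window).
SAMPLE = [
    Txn("c1", "bistro", 100), Txn("c2", "bistro", 102), Txn("c3", "bistro", 105),
    Txn("c4", "bistro", 101), Txn("c5", "bistro", 103),
    Txn("c1", "grocer", 90), Txn("c2", "grocer", 91), Txn("c5", "grocer", 92),
    Txn("c6", "grocer", 93), Txn("c7", "grocer", 94), Txn("c8", "grocer", 95),
    Txn("c4", "old_bistro", -250), Txn("c6", "old_bistro", -240),
]
REPORTS = {"c1": 130, "c2": 131, "c3": 133, "c4": 129}
```

With a 90-day lookback only "bistro" is flagged; widening it to 400 days also surfaces "old_bistro", at the cost of more false positives from merchants that genuinely serve everyone.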
Mid 90’s-2000’s: E-commerce
Original expected attack: theft of card data from plain-text email, web traffic
Defense: SSL/TLS, encryption of card data.
Actual attacks:
- phishing
- theft of card data from hacked merchant websites
PIN based vulnerabilities
Attack example:
- crook working at merchant observes customer enter PIN on terminal
- crook returns fake card to customer, retains customer card
- or, crook’s friend subsequently does grab and run on customer handbag
- crook uses stolen card and PIN
2000’s: Automated Teller Machine skimming
(images from http://krebsonsecurity.com/category/all-about-skimmers/)
(pinhole contains camera to capture PIN)
ATM skimming
Point-of-Sale terminal skimming
Oct 2012: found inside POS terminals at an (undisclosed) “major US retailer”:
Current Defenses
Visa/Mastercard requirements on merchants:
- Payment Card Industry Data Security Standard
- https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Security breach disclosure laws:
- legal requirement to publicly report theft of CC data from merchant machines
- report can affect merchant stock price, customer loyalty
Smart-card based credit cards
PIN + cryptography based cards
Several technologies:
- Static Data Authentication (shared key cryptography)
- Dynamic Data Authentication (+ digital signatures)
- Combined Data Authentication (+ digital signatures)
- Contactless cards (RFID)
All with vulnerabilities, depending on the overall design of the system.
Summary: Risk Management
- Identify exposure (assets)
- Identify risks (threats)
- Measure/qualify risk parameters
- Quantify response costs
- Prioritise responses
- Implement responses in order of priority
- Monitor and adjust as needed
- Watch out for unknown unknowns!