Dipartimento di Scienze, 27 gennaio 2014

Page 1 (slide footer: Dipartimento di Scienze, 10 aprile 2023)

What is the scenario?

An enterprise and its IT system

Page 2

What are the players?

The attacker and the defender.

Page 3

What is the game?

Interruption of service
Disclosure of confidential information
Loss of data
...


Page 5

Agenda

1. Defence trees + indexes
2. Strategic games
3. Three novel indicators
4. ...

Page 6

Risk Management process

1. Risk Assessment: identification of the assets, threats and vulnerabilities, and countermeasures.
2. Risk Analysis: determination of the acceptable risk threshold.
3. Risk Mitigation: prioritize, evaluate and implement the recommended countermeasures.

Tools used in this talk: defence trees and economic indexes.

Page 7

1. Defence tree

Defence trees are an extension of attack trees [Schneier00].

Attack tree: the root is an asset of an IT system; the paths from the root to the leaves are the ways to attack the root; the non-leaf nodes can be and-nodes or or-nodes.

Defence tree: an attack tree plus a set of countermeasures, each associated with the attacks at the leaves it mitigates (see the example on Page 9).

(Figure: a tree with its root, and-nodes and or-nodes.)

Page 8

An enterprise server is used to store information about customers…

An attacker wants to steal this server…

Page 9

1. An example (1)

Root (or-node): Steal the server

  a1 (and-node): Break down the door  AND  Go out unobserved
  a2 (and-node): Have the keys  AND  Go out unobserved

Countermeasures attached to the leaf attacks:
  c1 Install a security door               -> Break down the door
  c4 Install a safety lock                 -> Have the keys
  c2 Install video surveillance equipment  -> Go out unobserved (in both branches)
  c3 Employ a security guard               -> Go out unobserved (in both branches)

Page 10

1. Estimate the cost of investment

To evaluate a countermeasure the defender needs:
  the annual loss produced by an attack,
  the effectiveness of the countermeasure in mitigating the risk,
  the cost of the countermeasure.

(Figure: the defence tree of Page 9.)

Page 11

1. Economic index: SLE

The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula:

where:

the Asset Value (AV) is the cost of creation, development, support, replacement and ownership of an asset;
the Exposure Factor (EF) is a measure of the magnitude of the loss or impact on the value of an asset arising from a threat event.

Page 12

1. Economic index: ALE

The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula:

where:

the Annualized Rate of Occurrence (ARO) is the estimated number of occurrences of the threat per year.

Page 13

1. Economic index: ROI

The Return on Investment (ROI) indicator can be computed by using the following formula:

where:

RM (Risk Mitigated, written MR on some slides) is the risk mitigated by a countermeasure, i.e. the effectiveness of the countermeasure in mitigating the risk of loss deriving from the exploitation of a vulnerability;
CSI is the cost of the security investment that the enterprise must face to implement the given countermeasure.

Page 14

1. Economic index: ROI

Attack                                              EF    ARO   Countermeasure                          RM    CSI (€)
a1 Break down the door and go out unobserved        0.90  0.10  c1 Install a security door              0.7   1,500
                                                                c2 Install video surveillance equip.    0.1   3,000
                                                                c3 Employ a security guard              0.5   12,000
                                                                c4 Install a safety lock                0     300
a2 Open the door with keys and go out unobserved    0.93  0.10  c1 Install a security door              0     1,500
                                                                c2 Install video surveillance equip.    0.1   3,000
                                                                c3 Employ a security guard              0.5   12,000
                                                                c4 Install a safety lock                0.2   300

Page 15

1. Economic index: ROI (values on the example defence tree)

Legend: AV Asset Value; EF Exposure Factor; SLE Single Loss Exposure; ARO Annualized Rate of Occurrence; ALE Annualized Loss Expectancy; RM Risk Mitigated; CSI Cost of Security Investment.

AV = 100,000 €

a1 Break down the door and go out unobserved: EF = 90%, ARO = 0.10, SLE = 90,000 €, ALE = 9,000 €
  c1 Install a security door:              RM = 70%, CSI = 1,500 €    ROI = 3.20
  c2 Install video surveillance equipment: RM = 10%, CSI = 3,000 €    ROI = -0.70
  c3 Employ a security guard:              RM = 50%, CSI = 12,000 €   ROI = -0.62

a2 Have the keys and go out unobserved: EF = 93%, ARO = 0.10, SLE = 93,000 €, ALE = 9,300 €
  c4 Install a safety lock:                RM = 20%, CSI = 300 €      ROI = 5.20
  c2 Install video surveillance equipment: RM = 10%, CSI = 3,000 €    ROI = -0.69
  c3 Employ a security guard:              RM = 50%, CSI = 12,000 €   ROI = -0.61

Page 16

1. Estimate the cost of the attack

To evaluate an attack from the attacker's side we need:
  the expected gain from a successful attack on the target,
  the cost sustained by the attacker to succeed,
  the additional cost brought by a possible countermeasure.

(Figure: the defence tree of Page 9.)

Page 17

1. Economic index: ROA

Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses he sustains because of the security measures adopted by his target, where:

GI is the expected gain from a successful attack on the specified target,
cost_a is the cost sustained by the attacker to succeed,
cost_ac is the additional cost brought by the countermeasure c adopted by the defender to mitigate the attack a.

Page 18

1. Economic index: ROA

Attack                                              cost_a   Countermeasure                          cost_ac
a1 Break down the door and go out unobserved        4,000    c1 Install a security door              2,000
                                                             c2 Install video surveillance equip.    1,000
                                                             c3 Employ a security guard              1,500
                                                             c4 Install a safety lock                0
a2 Open the door with keys and go out unobserved    4,200    c1 Install a security door              0
                                                             c2 Install video surveillance equip.    1,000
                                                             c3 Employ a security guard              1,500
                                                             c4 Install a safety lock                200

Page 19

1. Economic index: ROA (values on the example defence tree)

Legend: GI expected gain from the attack (the slide labels it "Asset Value", but the example sets GI = 30,000 € while AV = 100,000 €); RM Risk Mitigated; cost_a cost of the attack; cost_ac additional cost produced by a countermeasure.

GI = 30,000 €

a1 Break down the door and go out unobserved (cost_a = 4,000 €):
  c1 Install a security door:              cost_ac = 2,000 €   ROA = 5.00
  c2 Install video surveillance equipment: cost_ac = 1,000 €   ROA = 6.00
  c3 Employ a security guard:              cost_ac = 1,500 €   ROA = 5.45

a2 Have the keys and go out unobserved (cost_a = 4,200 €):
  c4 Install a safety lock:                cost_ac = 200 €     ROA = 6.82
  c2 Install video surveillance equipment: cost_ac = 1,000 €   ROA = 5.77
  c3 Employ a security guard:              cost_ac = 1,500 €   ROA = 5.26

Page 20

1. Evaluation (ROI for the defender and ROA for the attacker, per attack/countermeasure pair)

a1 Break down the door and go out unobserved:
  c1 Install a security door:              ROI = 3.20    ROA = 0.50
  c2 Install video surveillance equipment: ROI = -0.70   ROA = 4.40
  c3 Employ a security guard:              ROI = -0.63   ROA = 1.73

a2 Have the keys and go out unobserved:
  c4 Install a safety lock:                ROI = 5.20    ROA = 4.45
  c2 Install video surveillance equipment: ROI = -0.69   ROA = 4.19
  c3 Employ a security guard:              ROI = -0.61   ROA = 1.63

Page 21

Future Works: attack graphs

(Figure: the example defence tree redrawn as a graph, with its attacks a1, a2 and countermeasures c1..c4.)

Page 22

Future Works: journal version?

Old ROI: 1 attack, 1 countermeasure.

New version of ROI: 1 attack, n countermeasures, where f is f_C = max(c) or f_C = sum(c), with the combined RM_c capped at 1.

Page 23

Future Works: journal version?

Old ROI: m attacks, 1 countermeasure, where g is g_A = sum(a) and g_A is bounded by AV.

New version of ROI: m attacks, n countermeasures.

Page 24

Future Works: journal version?

Old ROA: 1 attack, 1 countermeasure.

New version of ROA: 1 attack, n countermeasures, where f is f_C = max(c) or f_C = sum(c), with the combined RM_c capped at 1.

Page 25

Future Works: journal version?

Old ROA: m attacks, 1 countermeasure, where g is g_A = sum(a).

New version of ROA: m attacks, n countermeasures.

Page 26

Future Works: min set cover

(Figure: attacks a1, a2, a3 covered by countermeasures c1..c4, before and after choosing a minimal covering set.)

When two countermeasures c1 and c2 cover the same attack, their combined risk mitigation is only known to lie in an interval: RM = [max(c1, c2), min(1, c1 + c2)].

Page 27

Future Works: intervals

Intervals to represent the possible values of the exposure factor (EF) and of the risk mitigated (RM). (Figure: example intervals 20%..40% and 30%..80%.)

All the formulas must then be redefined over intervals: if x < EF < y, then SLE (EF times AV) is itself an interval, and hence so are ALE and ROI.
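The following example is added here (it is not from the slides) to carry the note above through: it propagates an EF interval and the combined-RM interval of Page 26 into SLE, ALE and ROI. The formulas SLE = AV × EF, ALE = SLE × ARO and ROI = (ALE × RM − CSI) / CSI are assumed (they reproduce the slides' numbers); the interval endpoints and the CSI values below are constructed for the illustration, with AV and ARO taken from the Page 15 example.

```python
"""Interval arithmetic for the defence-tree indexes (added example, not from the slides).

Assumed formulas: SLE = AV*EF, ALE = SLE*ARO, ROI = (ALE*RM - CSI)/CSI, and
(Page 26) the combined RM of two countermeasures covering the same attack
lies in [max(RM1, RM2), min(1, RM1 + RM2)]. All quantities are non-negative,
so every operation is monotone and the endpoints can be mapped directly."""


def interval_scale(iv, k):
    """Multiply the interval iv = (lo, hi) by a non-negative constant k (AV or ARO)."""
    if k < 0:
        raise ValueError("AV and ARO are non-negative")
    lo, hi = iv
    return (lo * k, hi * k)


def interval_mul(a, b):
    """Product of two intervals with non-negative endpoints (ALE and RM)."""
    (alo, ahi), (blo, bhi) = a, b
    if min(alo, blo) < 0:
        raise ValueError("non-negative intervals expected")
    return (alo * blo, ahi * bhi)


def combined_rm(rm1, rm2):
    """RM interval of two countermeasures covering one attack (Page 26)."""
    return (max(rm1, rm2), min(1.0, rm1 + rm2))


def sle_interval(av, ef):
    return interval_scale(ef, av)


def ale_interval(av, ef, aro):
    return interval_scale(sle_interval(av, ef), aro)


def roi_interval(ale, rm, csi):
    """ROI is increasing in ALE*RM, so the interval endpoints map to ROI endpoints."""
    lo, hi = interval_mul(ale, rm)
    return ((lo - csi) / csi, (hi - csi) / csi)


def decide(roi):
    """Investment decision on an interval ROI: only a sign that holds on the
    whole interval is a decision; otherwise the estimates must be narrowed."""
    lo, hi = roi
    if lo > 0:
        return "invest"
    if hi < 0:
        return "do not invest"
    return "undecided: narrow the estimates"


if __name__ == "__main__":
    AV, ARO = 100_000.0, 0.10        # Page 15 example
    ef = (0.20, 0.40)                # constructed: EF known only to lie in 20%..40%
    rm = combined_rm(0.30, 0.80)     # two countermeasures with RM 30% and 80%
    ale = ale_interval(AV, ef, ARO)
    print("SLE", sle_interval(AV, ef), "ALE", ale, "RM", rm)
    for csi in (1500.0, 3000.0):     # constructed investment costs
        r = roi_interval(ale, rm, csi)
        print(f"CSI={csi:.0f}: ROI in [{r[0]:.2f}, {r[1]:.2f}] -> {decide(r)}")
```

With CSI = 1,500 € the whole ROI interval is positive and the decision holds whatever the true EF is; with CSI = 3,000 € the interval straddles zero and no decision can be taken without narrowing the estimates.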

Page 28

1. Paper

Defense trees for economic evaluation of security investments

S. Bistarelli, F. Fioravanti, P. Peretti. In: 1st International Conference on Availability, Reliability and Security (ARES 2006), Vienna, Austria, April 20-22, 2006.

Page 29

2. Strategic game

We consider a strategic game with 2 players, the defender and the attacker of a system:
  Sd: the set of the defender's strategies (the countermeasures)
  Sa: the set of the attacker's strategies (the vulnerabilities)
  ROI and ROA: the payoff functions of the defender and of the attacker

Page 30

2. Strategic game: an example

Sa = {a1, a2}, Sd = {c1, c2, c3}

Payoffs: ud(ci, aj) for the defender and ua(ci, aj) for the attacker.

(Figure: the example tree with payoff labels (Ud = 1, Ua = 1), (Ud = 0, Ua = 2), (Ud = 1, Ua = 2), (Ud = 1, Ua = 0) at its leaves.)

Page 31

2. Nash equilibrium

Nash Equilibrium: the combination of strategies (s1*, s2*), with s1* in S1 and s2* in S2, is a Nash Equilibrium if and only if, for each player i, the action si* is the best response to the other player's action.

This game admits two different Nash Equilibria: the strategy pairs {c1, a1} and {c3, a2}.

Page 32

2. Mixed strategies: an example

What if a player does not know the behaviour of the other player?

Mixed strategies: each player assigns a probability to each of its strategies (pc1, pc2, pc3 for the defender; pa1, pa2 for the attacker).

(Figure: payoff table with the example probabilities ½, 1, ½.)

Page 33

2. Our game: selection of a single countermeasure/attack

The set of strategies of each player is made of single actions: the defender picks one countermeasure, the attacker one attack.

(Figure: the defence tree of Page 9.)


Page 35

2. Our game: selection of a single countermeasure/attack

There is one Nash Equilibrium with mixed strategies.

(Figure: equilibrium probabilities 205/769 and 564/769 for one player's two strategies and 31/52 and 21/52 for the other's.)

Page 36

2. Our game: selection of a set of countermeasures/attacks

Each player can play any set of countermeasures (respectively, attacks) together.

(Figure: the defence tree of Page 9.)


Page 38

2. Our game: selection of a set of countermeasures/attacks

There is one Nash Equilibrium with mixed strategies.

(Figure: equilibrium probabilities 5/21 and 16/21 for one player's two strategies and 39/55 and 16/55 for the other's.)
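The following example is added here; it is not code from the slides or from the FAST 2006 paper. It builds the bimatrix of the single-countermeasure game of Pages 33 to 35 from the ROI/ROA pairs of the Evaluation slide (Page 20), rounded to two decimals as on that slide, checks that the game has no pure-strategy Nash equilibrium, and solves the mixed equilibrium on the support {c1, c4} by the indifference conditions. Two cells, (c4, a1) and (c1, a2), are absent from Page 20 because RM = 0 there; their ROI (−1.00) and ROA (6.50 and 6.14) are computed in this example from the data of Pages 14, 18 and 19 with the same formulas as the other cells, which is an assumption of this example. With these inputs the computation returns exactly the fractions shown on Page 35: 205/769 and 564/769 for the defender's c1 and c4, and 31/52 and 21/52 for the attacker's a1 and a2.

```python
"""Nash equilibria of the defender/attacker game on the example defence tree.

Added worked example, not code from the slides. The defender picks one
countermeasure (c1..c4), the attacker one attack (a1, a2). Payoffs are
(ROI for the defender, ROA for the attacker) from the Evaluation slide,
rounded to two decimals; the two RM = 0 cells, (c4, a1) and (c1, a2), are
assumed from the same formulas: ROI = (ALE*0 - CSI)/CSI = -1 and
ROA = (GI - cost_a - cost_ac)/(cost_a + cost_ac) = 6.50 and 6.14."""
from fractions import Fraction as F
from itertools import product

C = ["c1", "c2", "c3", "c4"]   # defender's strategies
A = ["a1", "a2"]               # attacker's strategies

# PAYOFF[c][a] = (defender's ROI, attacker's ROA) as exact fractions
PAYOFF = {
    "c1": {"a1": (F("3.20"), F("0.50")), "a2": (F("-1.00"), F("6.14"))},
    "c2": {"a1": (F("-0.70"), F("4.40")), "a2": (F("-0.69"), F("4.19"))},
    "c3": {"a1": (F("-0.63"), F("1.73")), "a2": (F("-0.61"), F("1.63"))},
    "c4": {"a1": (F("-1.00"), F("6.50")), "a2": (F("5.20"), F("4.45"))},
}


def pure_nash_equilibria(payoff):
    """All (c, a) from which neither player gains by deviating alone."""
    eq = []
    for c, a in product(C, A):
        ud, ua = payoff[c][a]
        if all(payoff[cc][a][0] <= ud for cc in C) and \
           all(payoff[c][aa][1] <= ua for aa in A):
            eq.append((c, a))
    return eq


def mixed_equilibrium_2x2(payoff, c_pair, a_pair):
    """Mixed equilibrium on a 2x2 subgame via the indifference conditions:
    each player mixes so that the opponent is indifferent between its two
    strategies. Returns ({c: prob}, {a: prob}), or None when the solution is
    not a probability or a defender strategy outside the support does better."""
    (c1, c2), (a1, a2) = c_pair, a_pair
    ud = lambda c, a: payoff[c][a][0]
    ua = lambda c, a: payoff[c][a][1]
    # attacker plays a1 with probability p so that the defender has c1 ~ c2
    den_d = ud(c1, a1) - ud(c1, a2) - ud(c2, a1) + ud(c2, a2)
    # defender plays c1 with probability q so that the attacker has a1 ~ a2
    den_a = ua(c1, a1) - ua(c2, a1) - ua(c1, a2) + ua(c2, a2)
    if den_d == 0 or den_a == 0:
        return None
    p = (ud(c2, a2) - ud(c1, a2)) / den_d
    q = (ua(c2, a2) - ua(c2, a1)) / den_a
    if not (0 <= p <= 1 and 0 <= q <= 1):
        return None
    # the defender must not prefer a countermeasure outside the support
    value = p * ud(c1, a1) + (1 - p) * ud(c1, a2)
    for c in C:
        if c not in c_pair and p * ud(c, a1) + (1 - p) * ud(c, a2) > value:
            return None
    return {c1: q, c2: 1 - q}, {a1: p, a2: 1 - p}


if __name__ == "__main__":
    print("pure equilibria:", pure_nash_equilibria(PAYOFF))
    print("mixed equilibrium on {c1, c4}:",
          mixed_equilibrium_2x2(PAYOFF, ("c1", "c4"), ("a1", "a2")))
```

The defender's best pure responses are c1 against a1 and c4 against a2, but the attacker always prefers the attack the chosen countermeasure does not cover, so no pure profile is stable; the mixed equilibrium is what the slide reports.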

Page 39

Future Works

Games with 1 attacker and n-1 defenders
Types of attackers (Bayesian games); cooperation among attackers
Dynamic games, repeated games

Page 40

2. Paper

Strategic game on defense trees

S. Bistarelli, M. Dall'Aglio, P. Peretti. In: 4th International Workshop on Formal Aspects in Security and Trust (FAST 2006), Hamilton, ON, Canada, August 26-27, 2006.

Page 41

3. Three novel indicators

Critical time
Retaliation
Collusion

Page 42

3. Critical time

Page 43

3. Critical time

The Exposure Factor during Critical Time, EF_CT, expresses the influence that the criticality of a specific time instant has on the EF, CTF being the Critical Time Factor, i.e. the percentage of criticality of that time instant. Limiting cases:

If CTF = 0, then EF_CT = EF
If CTF = 1, then EF_CT = 1
If EF = 0, then EF_CT = CTF
If EF = 1, then EF_CT = 1

Page 44

3. Critical time: the indicators

Annualized Rate of Occurrence, ARO_CT: the rate of occurrence per year of an attack at a specific CTF.
Single Loss Exposure, SLE_CT: the cost of a single attack at a specific CTF.
Annualized Loss Expectancy, ALE_CT: the cost per year of an attack at a specific CTF.
Return On Investment, ROI_CT: the economic return of the enterprise's investment against an attack mounted at a specific CTF.

Page 45

3. Critical time: an example

Without critical time:
Asset                      AV         EF    ARO   SLE        ALE
Demo machine               5,000 $    30%   55%   1,500 $    825 $
Simulation infrastructure  30,000 $   40%   60%   12,000 $   7,200 $
Researcher's machine       3,000 $    15%   20%   450 $      90 $

During critical time:
Asset                      AV         CTF   EF_CT   ARO_CT   SLE_CT     ALE_CT
Demo machine               5,000 $    95%   96.5%   25%      4,825 $    1,206.25 $
Simulation infrastructure  30,000 $   98%   98.8%   60%      29,640 $   17,784 $
Researcher's machine       3,000 $    90%   91.5%   20%      2,745 $    549 $

Page 46

3. Retaliation

Page 47

3. Retaliation

The Exposure Factor under Retaliation, EF_R, expresses the influence that the chance of retaliating against an attack on an asset has on the EF, RF being the Retaliation Factor, i.e. the percentage of retaliation that can be performed. Limiting cases:

If RF = 0, then EF_R = EF
If RF = 1, then EF_R = 0
If EF = 0, then EF_R = 0
If EF = 1, then EF_R = 1 - RF

Page 48

3. Retaliation: the indicators

Annualized Rate of Occurrence, ARO_R: the rate of occurrence per year of an attack that can be retaliated.
Single Loss Exposure, SLE_R: the cost of a single attack that can be retaliated.
Annualized Loss Expectancy, ALE_R: the cost per year of an attack that can be retaliated.
Return On Investment, ROI_R: the economic return of the enterprise's investment against an attack that can be retaliated.

Page 49

3. Retaliation: an example

Without retaliation:
Asset                      AV         EF    ARO   SLE        ALE
Demo machine               5,000 $    30%   55%   1,500 $    825 $
Simulation infrastructure  30,000 $   40%   60%   12,000 $   7,200 $
Researcher's machine       3,000 $    15%   20%   450 $      90 $

With retaliation:
Asset                      AV         RF     EF_R    ARO_R   SLE_R     ALE_R
Demo machine               5,000 $    25%    23%     15%     1,150 $   172.50 $
Simulation infrastructure  30,000 $   25%    30%     60%     9,000 $   5,400 $
Researcher's machine       3,000 $    130%   -4.5%   20%     -135 $    -27 $

Note that the last row uses RF = 130%, outside the 0..100% range of a percentage, and consequently yields a negative exposure and a negative loss.

Page 50

3. Collusion

Page 51

3. Collusion

The Mitigated Risk against Collusion, MR_C, expresses the influence that collusion among attackers has on the MR (mitigated risk), CF being the Collusion Factor, i.e. the percentage of collusion among the attackers. Limiting cases:

If CF = 0, then MR_C = MR
If CF = 1, then MR_C = 0
If MR = 0, then MR_C = 0
If MR = 1, then MR_C = 1 - CF

Page 52

3. Collusion: the indicators

The Return On Investment against Collusion, ROI_C, is the economic return of the enterprise's investment against an attack mounted by one or more colluding attackers.

Page 53

3. Collusion: an example

Without collusion:
Asset                      AV         ALE       CSI       MR    ROI
Demo machine               5,000 $    825 $     600 $     85%   16.87%
Simulation infrastructure  30,000 $   7,200 $   4,500 $   75%   20%
Researcher's machine       3,000 $    90 $      70 $      90%   15.71%

With collusion:
Asset                      AV         ALE       CSI       CF    MR_C     ROI_C
Demo machine               5,000 $    825 $     600 $     45%   46.75%   -35.71%
Simulation infrastructure  30,000 $   7,200 $   4,500 $   35%   48.75%   -22%
Researcher's machine       3,000 $    90 $      70 $      10%   81%      4.14%
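The following example is added here; it is not code from the slides or from the VODCA 2006 paper. The slides give only the limiting cases of EF_CT, EF_R and MR_C; the closed forms used below, EF_CT = 1 − (1 − EF)(1 − CTF), EF_R = EF (1 − RF) and MR_C = MR (1 − CF), are the simplest expressions satisfying all of those cases and they reproduce every value in the tables of Pages 45, 49 and 53, but they are this example's reading of the slides, not formulas quoted from them. SLE = AV × EF, ALE = SLE × ARO and ROI = (ALE × MR − CSI) / CSI are the standard definitions of Pages 11 to 13. The example also checks that the factors are genuine percentages, which the RF = 130% row of Page 49 is not.

```python
"""Augmented risk indicators: critical time, retaliation, collusion.

Added worked example, not code from the slides. Assumed closed forms
(they satisfy the limiting cases stated on the slides and reproduce the
slides' tables):
    EF_CT = 1 - (1 - EF) * (1 - CTF)      (= EF + CTF - EF*CTF)
    EF_R  = EF * (1 - RF)
    MR_C  = MR * (1 - CF)
Standard definitions: SLE = AV*EF, ALE = SLE*ARO, ROI = (ALE*MR - CSI)/CSI."""


def valid_factor(x):
    """EF, MR, CTF, RF and CF are percentages and must lie in [0, 1]."""
    return 0.0 <= x <= 1.0


def _require(name, x):
    if not valid_factor(x):
        raise ValueError(f"{name}={x} is outside [0, 1]")


def ef_critical_time(ef, ctf):
    """Exposure factor at a time instant of criticality CTF."""
    _require("EF", ef)
    _require("CTF", ctf)
    return 1.0 - (1.0 - ef) * (1.0 - ctf)


def ef_retaliation(ef, rf, strict=True):
    """Exposure factor when a fraction RF of the attack can be retaliated.
    strict=False skips the range check (to reproduce the slide's RF = 130% row)."""
    if strict:
        _require("EF", ef)
        _require("RF", rf)
    return ef * (1.0 - rf)


def mr_collusion(mr, cf):
    """Risk mitigated by a countermeasure when attackers collude with factor CF."""
    _require("MR", mr)
    _require("CF", cf)
    return mr * (1.0 - cf)


def sle(av, ef):
    return av * ef


def ale(av, ef, aro):
    return sle(av, ef) * aro


def roi(ale_value, mr, csi):
    return (ale_value * mr - csi) / csi


def critical_time_row(av, ef, ctf, aro_ct):
    """(EF_CT, SLE_CT, ALE_CT) for one asset, as in the Page 45 table."""
    e = ef_critical_time(ef, ctf)
    return e, sle(av, e), ale(av, e, aro_ct)


def retaliation_row(av, ef, rf, aro_r, strict=True):
    """(EF_R, SLE_R, ALE_R) for one asset, as in the Page 49 table."""
    e = ef_retaliation(ef, rf, strict)
    return e, sle(av, e), ale(av, e, aro_r)


def collusion_roi(ale_value, csi, mr, cf):
    """ROI_C of a countermeasure under collusion, as in the Page 53 table."""
    return roi(ale_value, mr_collusion(mr, cf), csi)


if __name__ == "__main__":
    # Slide data (US$). Demo machine: AV 5000, EF 30%, CTF 95%, ARO_CT 25%
    print("demo machine, critical time:", critical_time_row(5000, 0.30, 0.95, 0.25))
    # Simulation infrastructure: AV 30000, EF 40%, RF 25%, ARO_R 60%
    print("simulation infrastructure, retaliation:", retaliation_row(30000, 0.40, 0.25, 0.60))
    # Researcher's machine: RF = 130% is not a percentage; only strict=False accepts it
    print("RF=130% is a valid factor:", valid_factor(1.30))
    print("researcher's machine, unchecked:", retaliation_row(3000, 0.15, 1.30, 0.20, strict=False))
    # Simulation infrastructure: ALE 7200, CSI 4500, MR 75%, CF 35%
    print("simulation infrastructure, ROI_C:", collusion_roi(7200, 4500, 0.75, 0.35))
```

Collusion turns two of the three positive ROIs of Page 53 negative: a countermeasure that is worth its cost against a single attacker may not be once its mitigation is discounted by CF.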

Page 54

3. Paper

Augmented Risk Analysis

G. Bella, S. Bistarelli, P. Peretti, S. Riccobene. In: 2nd Workshop in Views On Designing Complex Architectures (VODCA 2006), Bertinoro (FC), September 16-17, 2006.

Page 55

Future Works

...

Page 56

CP-nets

(Figure: a CP-net with two variables, S and W, S being the parent of W.)

Conditional preference tables:
  S: Sv > Su
  W given Sv: Wr > Ww
  W given Su: Ww > Wr

Outcomes: Su Wr, Su Ww, Sv Ww, Sv Wr.

Page 57

CP-nets

Variables: A (the attacks a1..a6) and C (the countermeasures c1..c13), with A the parent of C.

Preference over the attacks: a4 > a3 > a5 > a6 > a1 > a2

Conditional preferences over the countermeasures:
  a1: c1 > c2 > c3
  a2: c5 > c3 > c4
  a3: c6 > c7
  a4: c8 > c9
  a5: c11 > c10
  a6: c13 > c12

Page 58

CP-nets

(Figure: the defence tree behind the previous table, labels as on the slide.)

Root: Steal data stored in a server
  Obtain root privileges
    a1 Steal access to a user with root privileges
       c1 Change the password periodically
       c2 Log out the PC after use
       c3 Add an identification token
    a2 Corrupt a user with root privileges
       c3 Add an identification token
       c4 Distribute responsibilities among users
       c5 Motivate employees
  Attack the system with a remote login
    a3 Exploit a web server vulnerability
       c6 Update the system periodically
       c7 Separate the contents on the server
    a4 Exploit an on-line vulnerability
       c8 Use an anti-virus software
       c9 Stop suspicious attachments
  Steal the server
    a5 Access the server's room
       c10 Install a security door
       c11 Install a safety lock
    a6 Go out unobserved
       c12 Install video surveillance equipment
       c13 Employ a security guard

Page 59

CP-nets: and-composition

The and-composition of the preference tables described by the partial orders (D(x_i), ≻^u_i) and (D(x_i), ≻^v_i) is described by the partial order (D(x_i), ≻^{u∧v}_i), where ≻^{u∧v}_i represents the conditional preference among the instantiations of the variable x_i given an instantiation u∧v. So, given a, b ∈ D(x_i) and x_j = Pa(x_i):

Page 60

CP-nets: and-composition

(Figure: an and-composition example over the domain {a, b, c}; the parent instantiations x and y induce the orders y > x > z and x > z > y, which are composed into a single order.)

Page 61

CP-nets: or-composition

Given two sets of countermeasures C = {c1, ..., ck} and C' = {c'1, ..., c'k'} covering the attacks u1, ..., uk, the or-composition conditional preference table (D(x), ≻^{u1 ∨ ... ∨ uk}) is defined as follows:

Page 62

CP-nets: or-composition

(Figure: an or-composition example over the domain {a, b, c} with parent instantiations x, y, z; the composed table ranks the subsets {a, b, c}, {b, c}, {a}, {a, b}, {a, c}.)

Page 63

Orange book

A system can be used to simultaneously store:
  unclassified information (U),
  secret information (S),
  top-secret information (T).

Information may flow from U to T.

(Figure: the ordering of the classification levels.)

Page 64

Red book: level of assurance

Depending on the type of information stored in a system, different levels of assurance are required.

Page 65

Quantitative level of assurance

We want to define a quantitative level of assurance as a function of the data, the device and the environment:

f(data, device, environment)

Page 66

Quantitative level of assurance

Cost of compromise.

The costs associated with a system depend on the type of attack and on the type of countermeasure: Cost(attack, countermeasures).

The asset value, AV[info], is the value of the information stored in the system.

Page 67

Quantitative level of assurance

The asset value, AV[info], is the value of the information stored in the system.

Given an information flow a < b, the cost of the flow (Cf) is:

NOTICE: the cost of a flow can be reduced by the percentage of risk mitigated by a countermeasure.

Page 68

Quantitative level of assurance

The level of assurance: given a defence tree, the level of assurance of a system depends on
  the asset's value, AV[info],
  the damage produced by an attack (flow),
  the type of countermeasure, Cost(attack, countermeasures).

Page 69

Quantitative level of assurance

Page 70

Cascade?

If two systems A and B each have an economically acceptable level of security, what happens when they are connected to each other?

Can the resulting system still be considered secure?

Page 71

Comparison

Given a system configuration A, how can we state that a new configuration B is not economically less advantageous than the previous one?

Page 72

Analysis

When building the tree and grouping the countermeasures, care is needed so that no conflicts between countermeasures are created.