Download - 1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.

Transcript
Page 1

SANS Technology Institute - Candidate for Master of Science Degree 1

A Preamble into Aligning Systems Engineering and Information Security Risk

Dr. Craig Wright, GSE
May 2012

GIAC GSE, GSM, GSC

Page 2


Controls are countermeasures for vulnerabilities. Controls need to be economically viable to be effective. There are four types:

1. Deterrent controls
2. Preventative controls
3. Corrective controls
4. Detective controls

Page 3

System Survival

• Network reliability requires us to model the various access paths and survival times for not only each system, but for each path to the system.


Page 4

Mapping Vulnerabilities within Software

• Now let E stand for the event where a vulnerability is discovered between times T and T+h, for n vulnerabilities in the software.


Page 5

Mapping Vulnerabilities within Software

• Where a vulnerability is discovered between times T and T+h, use Bayes’ Theorem to compute the probability that n bugs exist in the software:


Page 6

Mapping Vulnerabilities within Software

• From this it can be seen that:
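The slides show the Bayesian step only as an image, so the following is an added example (not the deck's own formula) that carries the update through with a stated, assumed likelihood: each undiscovered bug is found independently at a constant rate lam, so P(E | n) = 1 - exp(-n·lam·h). The prior over n and the rate lam are constructed inputs.

```python
# Added example, not from the slides: a Bayesian update of the number of bugs n
# remaining in the software, given the event E that a vulnerability is
# discovered between times T and T+h. The deck does not show its likelihood,
# so this block ASSUMES each undiscovered bug is found independently at a
# constant rate lam (memoryless, so surviving to T does not change the odds):
#   P(E | n) = 1 - exp(-n * lam * h)
import math


def likelihood(n, lam, h):
    """P(E | n): at least one of n remaining bugs is found in a window of length h."""
    return 1.0 - math.exp(-n * lam * h)


def posterior(prior, lam, h):
    """Bayes' theorem: P(n | E) = P(E | n) P(n) / sum_k P(E | k) P(k).

    prior maps a candidate bug count n to its prior probability P(n).
    """
    joint = {n: likelihood(n, lam, h) * p for n, p in prior.items()}
    evidence = sum(joint.values())  # P(E), the normalising constant
    if evidence == 0.0:
        raise ValueError("E is impossible under this prior (no bugs allowed)")
    return {n: j / evidence for n, j in joint.items()}


def expected_bugs(dist):
    """Mean bug count under a distribution over n."""
    return sum(n * p for n, p in dist.items())


if __name__ == "__main__":
    # Constructed inputs: no prior preference among 0..4 remaining bugs,
    # a discovery rate of 1 find per 100 days per bug, and a 30-day window.
    prior = {n: 0.2 for n in range(5)}
    post = posterior(prior, lam=0.01, h=30)
    for n, p in post.items():
        print(f"P(n={n} | E) = {p:.3f}")
    print("expected bugs before:", expected_bugs(prior), "after:", round(expected_bugs(post), 2))
```

Observing a discovery rules out n = 0 outright and shifts the remaining mass towards larger n; the size of the shift depends entirely on the assumed rate, which is why the deck stresses that the result is a model, not a measurement.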


Page 7

Exponential Failure

• The reliability function (also called the survival function) represents the probability that a system will survive a specified time t.

R(t) = 1 - F(t), where F(t) is the cumulative probability that the system has failed by time t.

Page 8

Exponential Failure

• The reliability function is a probabilistic calculation.

– We cannot forecast the exact time of any compromise.

– We can estimate the behaviour of systems that are constructed of many components.


Page 9

Reliability

• Reliability is expressed as either MTBF (mean time between failures) or MTTF (mean time to failure).

– The choice of term depends on the system being analyzed.

– For system security, it relates to the time that the system can be expected to survive when exposed to attack.


Page 10

Modelling Failure Rate

• The failure rate for a specific time interval can also be expressed as:


Page 11

Modelling Failure Rate

• The time to failure of a system under attack can be expressed as an exponential density function:


Page 12

Modelling Failure Rate

• Here is the mean survival time of the system when in the hostile environment.

• t is the time of interest.

• The reliability function, R(t), can be expressed as:


Page 13

Modelling Failure Rate

• The mean ( ) or expected life of the system under hostile conditions can hence be expressed as:
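The exponential model of pages 11 to 13, carried through as an added example (not the deck's own code): it assumes the time to compromise has density f(t) = (1/theta)·exp(-t/theta) with theta the mean survival time, so R(t) = exp(-t/theta) and the failure rate is the constant 1/theta. It goes one step beyond the slides by combining several access paths to one system, as page 3 calls for; the per-path means are constructed figures and independence between paths is assumed.

```python
# Added example, not from the slides: the exponential survival model the deck
# describes. Assumes the time to compromise has density f(t) = (1/theta) exp(-t/theta),
# theta being the mean survival time under attack (the MTTF). Then the reliability
# function is R(t) = exp(-t/theta), the probability of compromise by time t is
# F(t) = 1 - R(t), and the failure rate is the constant 1/theta.
import math


def reliability(t, theta):
    """R(t): probability the system is still uncompromised at time t."""
    if t < 0 or theta <= 0:
        raise ValueError("t must be >= 0 and theta > 0")
    return math.exp(-t / theta)


def unreliability(t, theta):
    """F(t) = 1 - R(t): probability of compromise by time t."""
    return 1.0 - reliability(t, theta)


def time_to_reliability(r, theta):
    """Time at which R(t) has fallen to r: solve exp(-t/theta) = r for t."""
    if not 0.0 < r <= 1.0:
        raise ValueError("r must be in (0, 1]")
    return -theta * math.log(r)


def system_mttf(path_thetas):
    """Mean survival time of a system reachable over several independent access paths.

    Path p is compromised after an exponential time with mean theta_p, and the system
    falls as soon as ANY path is compromised. The minimum of independent exponentials
    is exponential with rate sum(1/theta_p), so the system mean is 1/sum(1/theta_p).
    """
    return 1.0 / sum(1.0 / th for th in path_thetas)


def system_reliability(t, path_thetas):
    """R_sys(t): product of the per-path reliabilities (independence assumed)."""
    return reliability(t, system_mttf(path_thetas))


if __name__ == "__main__":
    # Constructed figures: a host with a 100-day MTTF under attack, also reachable
    # over a second, better-protected path with a 400-day MTTF.
    print("R(30 d), 100-day MTTF:", round(reliability(30, 100), 4))
    print("days until R(t) = 0.5:", round(time_to_reliability(0.5, 100), 1))
    print("MTTF with both paths exposed:", system_mttf([100, 400]))
    print("R_sys(30 d):", round(system_reliability(30, [100, 400]), 4))
```

Exposing a second path never raises the mean survival time, even when that path is far better protected, which is the quantitative form of the deck's point that survival must be modelled per path and not per host.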


Page 14

No Absolutes

• There are no absolutes, but data can be modelled.

– Security remains a risk and economic function.

– No comparison between levels of security can be made other than as a relative measure (there is no absolute level of security).


Page 15

Conclusion

• Before we invest our valuable resources into protecting information assets, it is vital to address concerns such as:

– the importance of the information or resource being protected,

– the potential impact if the security is breached,

– the skills and resources of the attacker, and

– the controls available to implement the security.
