Dipartimento di Scienze, 21 aprile 2023 1
What is the scenario?
An enterprise and its IT system
What are the players?
Attacker, Defender
What is the game?
- Interruption of service
- Diffusion of reserved information
- Loss of data
- ?
Agenda
1. Defence trees + indexes
2. Strategic games
3. Three novel indicators
4. ……
Risk Management process
1. Risk Assessment: identification of the assets, threats and vulnerabilities, countermeasures.
2. Risk Analysis: determination of the acceptable risk threshold.
3. Risk Mitigation: prioritize, evaluate and implement the countermeasures recommended.
[Figure labels: Economic Indexes, Defence trees]
1. Defence tree
Defence trees are an extension of attack trees [Schneier00].
Attack tree: the root is an asset of an IT system; the paths from the root to the leaves are the ways to attack the root; the non-leaf nodes can be and-nodes or or-nodes.
Defence tree: an attack tree plus a set of countermeasures.
[Figure: a tree with labels root, and-nodes, or-nodes]
An enterprise server is used to store information about customers…
An attacker wants to steal this server…
An example (1)
[Figure: defence tree with root "Steal the server".
Attack a1: Break down the door AND Go out unobserved; countermeasures c1 Install a security door, c2 Install a video surveillance equipment, c3 Assume a security guard.
Attack a2: Have the keys AND Go out unobserved; countermeasures c4 Install a safety lock, c2 Install a video surveillance equipment, c3 Assume a security guard.]
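The and/or structure of the example tree as data, in an added example that is not the paper's code: it enumerates the leaf-action sets that reach the root and finds the smallest countermeasure sets touching every one of them. Which leaf action each countermeasure mitigates is an assumption of this example, chosen to agree with the RM column of the ROI table (c1 only against a1, c4 only against a2, c2 and c3 against both).

```python
from itertools import combinations, product

# The example tree as nested nodes: ("leaf", action) | ("and", [..]) | ("or", [..]).
STEAL_SERVER = ("or", [
    ("and", [("leaf", "Break down the door"), ("leaf", "Go out unobserved")]),  # a1
    ("and", [("leaf", "Have the keys"), ("leaf", "Go out unobserved")]),        # a2
])

# Which leaf action each countermeasure mitigates: an assumption of this
# example, chosen to agree with the RM column of the ROI table.
COVERS = {
    "c1 Install a security door": {"Break down the door"},
    "c2 Install a video surveillance equipment": {"Go out unobserved"},
    "c3 Assume a security guard": {"Go out unobserved"},
    "c4 Install a safety lock": {"Have the keys"},
}

def scenarios(node):
    """Every set of leaf actions that reaches the root: an or-node offers a
    choice of children, an and-node requires all of them at once."""
    kind, body = node
    if kind == "leaf":
        return [frozenset([body])]
    if kind == "or":
        return [s for child in body for s in scenarios(child)]
    if kind == "and":
        return [frozenset().union(*combo) for combo in product(*(scenarios(c) for c in body))]
    raise ValueError(f"unknown node kind {kind!r}")

def minimal_covers(tree, covers):
    """Smallest countermeasure sets that mitigate at least one action of every
    attack scenario (a set-cover view of the defence tree)."""
    scen = scenarios(tree)
    for size in range(1, len(covers) + 1):
        found = [set(chosen) for chosen in combinations(covers, size)
                 if all(any(covers[c] & s for c in chosen) for s in scen)]
        if found:
            return found
    return []

if __name__ == "__main__":
    for s in scenarios(STEAL_SERVER):
        print("scenario:", sorted(s))
    print("minimal covers:", minimal_covers(STEAL_SERVER, COVERS))
```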
Estimate the cost of investment
- the annual loss produced by an attack
- the effectiveness of a countermeasure in mitigating the risks
- the cost of a countermeasure
[Figure: the example defence tree for "Steal the server" with attacks a1, a2 and countermeasures c1, c2, c3, c4]
Economic index: SLE
The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula:
where:
- the Asset Value (AV) is the cost of creation, development, support, replacement and ownership values of an asset,
- the Exposure Factor (EF) represents a measure of the magnitude of loss or impact on the value of an asset arising from a threat event.
Economic index: ALE
The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula:
where:
- the Annualized Rate of Occurrence (ARO) is a number that represents the estimated number of annual occurrences of a threat.
Economic index: ROI
The Return on Investment (ROI) indicator can be computed by using the following formula:
where:
- MR is the risk mitigated by a countermeasure and represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability,
- CSI is the cost of security investment that an enterprise must face for implementing a given countermeasure.
Economic index: ROI
Attack                                             EF    ARO   Countermeasure                       RM    CSI
a1 Break down the door and go out unobserved       0,9   0,1   c1 Install a security door           0,7   1500
                                                               c2 Install a video surveillance ...  0,1   3000
                                                               c3 Employ a security guard           0,5   12000
                                                               c4 Install a security lock           0     300
a2 Open the door with keys and go out unobserved   0,93  0,1   c1 Install a security door           0     1500
                                                               c2 Install a video surveillance …    0,1   3000
                                                               c3 Employ a security guard           0,5   12000
                                                               c4 Install a security lock           0,2   300
Economic index: ROI (values on the tree)
Legend: AV Asset Value; EF Exposure Factor; SLE Single Loss Exposure; ARO Annualized Rate of Occurrence; ALE Annualized Loss Expectancy; RM Risk Mitigated; CSI Cost of Security Investment.
[Figure: the example defence tree for "Steal the server" annotated with AV=100.000 €.
Attack a1 (Break down the door, Go out unobserved): EF=90%, ARO=0,10, SLE=90.000 €, ALE=9.000 €
- c1 Install a security door: RM=70%, CSI=1.500 €, ROI=3,20
- c2 Install a video surveillance equipment: RM=10%, CSI=3.000 €, ROI=-0,70
- c3 Assume a security guard: RM=50%, CSI=12.000 €, ROI=-0,62
Attack a2 (Have the keys, Go out unobserved): EF=93%, ARO=0,10, SLE=93.000 €, ALE=9.300 €
- c4 Install a safety lock: RM=20%, CSI=300 €, ROI=5,20
- c2 Install a video surveillance equipment: RM=10%, CSI=3.000 €, ROI=-0,69
- c3 Assume a security guard: RM=50%, CSI=12.000 €, ROI=-0,61]
Estimate the cost of the attack
- the expected gain from the successful attack on the target
- the cost sustained by the attacker to succeed
- the additional cost brought by a possible countermeasure
[Figure: the example defence tree for "Steal the server" with attacks a1, a2 and countermeasures c1, c2, c3, c4]
Economic index: ROA
Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses that he sustains due to the adoption of security measures by his target.
where:
- GI is the expected gain from the successful attack on the specified target,
- cost_a is the cost sustained by the attacker to succeed,
- cost_ac is the additional cost brought by the countermeasure c adopted by the defender to mitigate the attack a.
Economic index: ROA
Attack                                             cost_a   Countermeasure                           cost_ac
a1 Break down the door and go out unobserved       4000     c1 Install a security door               2000
                                                            c2 Install a video surveillance equip.   1000
                                                            c3 Employ a security guard               1500
                                                            c4 Install a security lock               0
a2 Open the door with keys and go out unobserved   4200     c1 Install a security door               0
                                                            c2 Install a video surveillance equip.   1000
                                                            c3 Employ a security guard               1500
                                                            c4 Install a security lock               200
Economic index: ROA (values on the tree)
Legend: GI Asset Value; RM Risk Mitigated; cost_a Cost of the attack; cost_ac Additional cost produced by a countermeasure.
[Figure: the example defence tree for "Steal the server" annotated with GI=30.000 €.
Attack a1 (Break down the door, Go out unobserved): cost_a=4.000 €
- c1 Install a security door: cost_ac=2.000 €, ROA=5,00
- c2 Install a video surveillance equipment: cost_ac=1.000 €, ROA=6
- c3 Assume a security guard: cost_ac=1.500 €, ROA=5,45
Attack a2 (Have the keys, Go out unobserved): cost_a=4.200 €
- c4 Install a safety lock: cost_ac=200 €, ROA=6,82
- c2 Install a video surveillance equipment: cost_ac=1.000 €, ROA=5,77
- c3 Assume a security guard: cost_ac=1.500 €, ROA=5,26]
Evaluation
[Figure: the example defence tree for "Steal the server" with both indexes on each countermeasure.
Attack a1 (Break down the door, Go out unobserved):
- c1 Install a security door: ROI=3.20, ROA=0.50
- c2 Install a video surveillance equipment: ROI=-0.70, ROA=4.40
- c3 Assume a security guard: ROI=-0.63, ROA=1.73
Attack a2 (Have the keys, Go out unobserved):
- c4 Install a safety lock: ROI=5.20, ROA=4.45
- c2 Install a video surveillance equipment: ROI=-0.69, ROA=4.19
- c3 Assume a security guard: ROI=-0.61, ROA=1.63]
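The two indexes recomputed over the slides' figures, in an added example that is not the paper's code. The formulas are assumptions reconstructed from the numbers shown: SLE = AV·EF, ALE = SLE·ARO and ROI = (ALE·RM - CSI)/CSI; for ROA the cost-of-the-attack slide's values (5,00, 6, 5,45, …) follow GI/(cost_a + cost_ac), while the evaluation slide's (0.50, 4.40, …) follow (GI·(1 - RM) - (cost_a + cost_ac))/(cost_a + cost_ac), so both variants are computed and every printed value is reproduced.

```python
from collections import namedtuple

AV = 100_000.0  # asset value of the server, from the slide (EUR)
GI = 30_000.0   # attacker's expected gain from stealing it, from the slide (EUR)

# One (attack, countermeasure) line of the ROI and ROA tables: exposure factor,
# annualized rate of occurrence, risk mitigated, cost of security investment,
# attacker's own cost and the extra cost the countermeasure imposes on him.
Row = namedtuple("Row", "attack ef aro cm rm csi cost_a cost_ac")

ROWS = [
    Row("a1", 0.90, 0.10, "c1", 0.7, 1500, 4000, 2000),
    Row("a1", 0.90, 0.10, "c2", 0.1, 3000, 4000, 1000),
    Row("a1", 0.90, 0.10, "c3", 0.5, 12000, 4000, 1500),
    Row("a1", 0.90, 0.10, "c4", 0.0, 300, 4000, 0),
    Row("a2", 0.93, 0.10, "c1", 0.0, 1500, 4200, 0),
    Row("a2", 0.93, 0.10, "c2", 0.1, 3000, 4200, 1000),
    Row("a2", 0.93, 0.10, "c3", 0.5, 12000, 4200, 1500),
    Row("a2", 0.93, 0.10, "c4", 0.2, 300, 4200, 200),
]

def sle(av, ef):
    """Single Loss Exposure: assumed SLE = AV * EF."""
    return av * ef

def ale(av, ef, aro):
    """Annualized Loss Expectancy: assumed ALE = SLE * ARO."""
    return sle(av, ef) * aro

def roi(r, av=AV):
    """Defender's return: assumed ROI = (ALE * RM - CSI) / CSI."""
    return (ale(av, r.ef, r.aro) * r.rm - r.csi) / r.csi

def roa_gross(r, gi=GI):
    """Attacker's return as on the cost-of-the-attack slide: GI / (cost_a + cost_ac)."""
    return gi / (r.cost_a + r.cost_ac)

def roa_net(r, gi=GI):
    """Attacker's return as on the evaluation slide, where the countermeasure's
    RM also shrinks the expected gain: (GI * (1 - RM) - cost) / cost."""
    cost = r.cost_a + r.cost_ac
    return (gi * (1 - r.rm) - cost) / cost

def evaluate():
    """{(attack, countermeasure): (ROI, ROA_gross, ROA_net)} for every table row."""
    return {(r.attack, r.cm): (roi(r), roa_gross(r), roa_net(r)) for r in ROWS}

def best_for_defender():
    """Per attack, the countermeasure with the highest ROI (negative = not repaid)."""
    best = {}
    for r in ROWS:
        if r.attack not in best or roi(r) > best[r.attack][1]:
            best[r.attack] = (r.cm, roi(r))
    return best

if __name__ == "__main__":
    for key, (i, g, n) in sorted(evaluate().items()):
        print(f"{key}: ROI={i:6.2f}  ROA(gross)={g:5.2f}  ROA(net)={n:5.2f}")
```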
Future Works: attack graphs
[Figure: the example defence tree for "Steal the server" (Break down the door, Have the keys, Go out unobserved; countermeasures c1 Install a security door, c2 Install a video surveillance equipment, c3 Assume a security guard, c4 Install a safety lock) to be redrawn as an attack graph]
Future Works: journal version?
New version of ROI
- Old ROI: 1 attack, 1 countermeasure
- 1 attack, n countermeasures: where f is f_C = max(c) or f_C = sum(c) and Σ_{c∈C} RM_c ≤ 1
- m attacks, 1 countermeasure: where g is g_A = sum(a) and g_A ≤ AV
- m attacks, n countermeasures
New version of ROA
- Old ROA: 1 attack, 1 countermeasure
- 1 attack, n countermeasures: where f is f_C = max(c) or f_C = sum(c) and Σ_{c∈C} RM_c ≤ 1
- m attacks, 1 countermeasure: where g is g_A = sum(a) and
- m attacks, n countermeasures
Future Works: min set cover
[Figure: attacks a1, a2, a3 covered by countermeasures c1, c2, c3, c4, shown before and after choosing a minimal set cover]
RM = [max(c1, c2), min(1, c1 + c2)]
Future Works: intervals
Intervals to represent the possible values of the exposure factor (EF) and of the risk mitigated (RM).
[Figure: example intervals 20%–40%, 20%–40%, 30%–80%]
I have to redefine all the formulas, now taking the intervals into account!
For example, if x < EF < y, then with AV I get that SLE is an interval too! And therefore ALE and ROI as well.
Paper
Defense trees for economic evaluation of security investments. S. Bistarelli, F. Fioravanti, P. Pamela. In: 1st International Conference on Availability, Reliability and Security (ARES 2006). Vienna, Austria, April 20-22 2006.
2. Strategic game
We consider a strategic game with 2 players: the defender and the attacker of a system.
- Sd: the set of the defender's strategies (the countermeasures)
- Sa: the set of the attacker's strategies (the vulnerability)
- ROI and ROA: payoff functions for the defender and the attacker
Strategic game: an example
[Figure: a small defence tree with attacks a1, a2 and countermeasures c1, c2, c3, and its payoff cells: (Ud=1, Ua=1), (Ud=0, Ua=2), (Ud=1, Ua=2), (Ud=1, Ua=0)]
Sa = {a1, a2}
Sd = {c1, c2, c3}
payoff: ud(ci, ai) and ua(ci, ai)
Nash Equilibrium
The combination of strategies (s1*, s2*) with s1* ∈ S1 and s2* ∈ S2 is a Nash Equilibrium if and only if, for each player i, the action si* is the best response to the other player:
This game admits two different Nash Equilibria: the couples of strategies {c1, a1} and {c3, a2}.
Mixed strategy: an example
What if a player does not know the behaviour of the other player? Mixed strategies.
[Figure: probabilities pc1, pc2, pc3 over the defender's strategies and pa1, pa2 over the attacker's; values shown: ½, 1, ½]
Our game: selection of a single countermeasure/attack
The set of strategies for the defender and the attacker is composed by a single action.
[Figure: the example defence tree for "Steal the server" with attacks a1, a2 and countermeasures c1, c2, c3, c4]
Our game: selection of a single countermeasure/attack
There is one Nash Equilibrium with mixed strategies: 205/769, 564/769, 31/52, 21/52.
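The mixed equilibrium of the single-countermeasure/attack game, worked in an added example that is not the paper's code. It assumes ROI is the defender's payoff and ROA the attacker's, takes both from the evaluation slide rounded to two decimals as printed there, fills the two cells that slide omits (c4 against a1 and c1 against a2, both with RM = 0) with the same formulas, finds no pure equilibrium, and solves the support {c1, c4} × {a1, a2} by indifference, which yields exactly 205/769 and 564/769 for the defender and 31/52 and 21/52 for the attacker.

```python
from fractions import Fraction as F
from itertools import product

# Payoffs taken from the evaluation slide, rounded to two decimals as printed
# there; rows = defender's countermeasures, columns = attacker's attacks.
# The two cells that slide omits (c4 vs a1 and c1 vs a2, both with RM = 0)
# follow the same formulas: ROI = (0 - CSI)/CSI = -1, ROA = (GI - cost_a)/cost_a.
ROI = {"c1": {"a1": F("3.20"),  "a2": F(-1)},
       "c2": {"a1": F("-0.70"), "a2": F("-0.69")},
       "c3": {"a1": F("-0.63"), "a2": F("-0.61")},
       "c4": {"a1": F(-1),      "a2": F("5.20")}}
ROA = {"c1": {"a1": F("0.50"), "a2": F("6.14")},
       "c2": {"a1": F("4.40"), "a2": F("4.19")},
       "c3": {"a1": F("1.73"), "a2": F("1.63")},
       "c4": {"a1": F("6.50"), "a2": F("4.45")}}

def pure_nash(ud=ROI, ua=ROA):
    """Pure profiles (c, a) where c is a best response to a and a to c."""
    cms, attacks = list(ud), list(next(iter(ud.values())))
    found = []
    for c, a in product(cms, attacks):
        if ud[c][a] == max(ud[x][a] for x in cms) and ua[c][a] == max(ua[c][y] for y in attacks):
            found.append((c, a))
    return found

def mixed_nash_2x2(c_lo, c_hi, ud=ROI, ua=ROA, attacks=("a1", "a2")):
    """Indifference solution on the support {c_lo, c_hi} x attacks.
    p = probability of c_lo, chosen so the attacker is indifferent between
    the two attacks; q = probability of attacks[0], chosen so the defender is
    indifferent between c_lo and c_hi.  Returns (p, 1-p, q, 1-q) as Fractions."""
    a1, a2 = attacks
    p = (ua[c_hi][a2] - ua[c_hi][a1]) / (ua[c_lo][a1] - ua[c_hi][a1] - ua[c_lo][a2] + ua[c_hi][a2])
    q = (ud[c_hi][a2] - ud[c_lo][a2]) / (ud[c_lo][a1] - ud[c_lo][a2] - ud[c_hi][a1] + ud[c_hi][a2])
    assert 0 <= p <= 1 and 0 <= q <= 1, "no completely mixed equilibrium on this support"
    return p, 1 - p, q, 1 - q

def is_equilibrium(p_def, q_att, ud=ROI, ua=ROA):
    """Verify a mixed profile: no pure strategy outside the support does better.
    Every countermeasure played with positive probability must earn the maximal
    expected ROI against q_att, and every attack played must earn the maximal
    expected ROA against p_def."""
    exp_d = {c: sum(q * ud[c][a] for a, q in q_att.items()) for c in ud}
    exp_a = {a: sum(p * ua[c][a] for c, p in p_def.items()) for a in next(iter(ua.values()))}
    return (all(exp_d[c] == max(exp_d.values()) for c in p_def)
            and all(exp_a[a] == max(exp_a.values()) for a in q_att))

if __name__ == "__main__":
    print("pure equilibria:", pure_nash())
    p1, p4, q1, q2 = mixed_nash_2x2("c1", "c4")
    print(f"defender: c1 {p1}, c4 {p4}; attacker: a1 {q1}, a2 {q2}")
    print("verified:", is_equilibrium({"c1": p1, "c4": p4}, {"a1": q1, "a2": q2}))
```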
Our game: selection of a set of countermeasures/attacks
Each player can play any set of countermeasures/attacks together.
[Figure: the example defence tree for "Steal the server" with attacks a1, a2 and countermeasures c1, c2, c3, c4]
Our game: selection of a set of countermeasures/attacks
There is one Nash Equilibrium with mixed strategies: 5/21, 16/21, 39/55, 16/55.
Future Works
- Consider games with 1 attacker and n-1 defenders
- Types of attackers (Bayesian games); cooperation among attackers
- Dynamic games, repeated games
Papers
Strategic game on defense trees. S. Bistarelli, M. Dall’Aglio, P. Pamela. In: 4th International Workshop on Formal Aspects in Security and Trust (FAST2006). Hamilton, ON, Canada, August 26-27 2006.
3. Three novel indicators
- Critical time
- Retaliation
- Collusion
Critical time
The Exposure Factor during Critical Time expresses the influence that the criticality of a specific time instance plays on the EF as follows:
CTF being the Critical Time Factor that expresses the percentage of criticality of a specific time instance.
- If CTF=0, then EFCT = EF
- If CTF=1, then EFCT = 1
- If EF=0, then EFCT = CTF
- If EF=1, then EFCT = 1
Critical time: the indicators
- Annualized Rate of Occurrence, AROCT, is the rate of occurrence of an attack at a specific CTF per year.
- Single Loss Exposure, SLECT, is the cost of a single attack at a specific CTF:
- Annualized Loss Expectancy, ALECT, is the cost per year of an attack at a specific CTF:
- Return On Investment, ROICT, is the economic return of an enterprise's investment against an attack mounted at a specific CTF:
Critical time: an example
Asset                      AV       EF    ARO   SLE      ALE
Demo machine               5000 $   30%   55%   1500 $   825 $
Simulation Infrastructure  30000 $  40%   60%   12000 $  7200 $
Researcher's machine       3000 $   15%   20%   450 $    90 $

Asset                      AV       CTF   EFCT    AROCT   SLECT     ALECT
Demo machine               5000 $   95%   96,5%   25%     4825 $    1206,25 $
Simulation Infrastructure  30000 $  98%   98,8%   60%     29640 $   17784 $
Researcher's machine       3000 $   90%   91,5%   20%     2745 $    549 $
Retaliation
The Exposure Factor under Retaliation expresses the influence that the chance of retaliating an attack to an asset plays on the EF as follows:
RF being the Retaliation Factor that expresses the percentage of retaliation that can be performed.
- If RF=0, then EFR = EF
- If RF=1, then EFR = 0
- If EF=0, then EFR = 0
- If EF=1, then EFR = 1-RF
Retaliation: the indicators
- Annualized Rate of Occurrence, AROR, is the rate of occurrence per year of an attack that can be retaliated.
- Single Loss Exposure, SLER, is the cost of a single attack that can be retaliated:
- Annualized Loss Expectancy, ALER, is the cost per year of an attack that can be retaliated:
- Return On Investment, ROIR, is the economic return of an enterprise's investment against an attack that can be retaliated:
Retaliation: an example
Asset                      AV       EF    ARO   SLE      ALE
Demo machine               5000 $   30%   55%   1500 $   825 $
Simulation Infrastructure  30000 $  40%   60%   12000 $  7200 $
Researcher's machine       3000 $   15%   20%   450 $    90 $

Asset                      AV       RF     EFR     AROR   SLER     ALER
Demo machine               5000 $   25%    23%     15%    1150 $   172,50 $
Simulation Infrastructure  30000 $  25%    30%     60%    9000 $   5400 $
Researcher's machine       3000 $   130%   -4,5%   20%    -135 $   -27 $
Collusion
The Mitigated Risk against Collusion expresses the influence that collusion of attackers plays on the MR (mitigated risk) as follows:
CF being the Collusion Factor that expresses the percentage of collusion of the attackers.
- If CF=0, then MRC = MR
- If CF=1, then MRC = 0
- If MR=0, then MRC = 0
- If MR=1, then MRC = 1-CF
Collusion: the indicators
The Return On Investment against Collusion is the economic return of an enterprise's investment against an attack mounted by one or more colluding attackers:
Collusion: an example
Asset                      AV       ALE     CSI     MR    ROI
Demo machine               5000 $   825 $   600 $   85%   16,87%
Simulation Infrastructure  30000 $  7200 $  4500 $  75%   20%
Researcher's machine       3000 $   90 $    70 $    90%   15,71%

Asset                      AV       ALE     CSI     CF    MRC      ROIC
Demo machine               5000 $   825 $   600 $   45%   46,75%   -35,71%
Simulation Infrastructure  30000 $  7200 $  4500 $  35%   45%      -22%
Researcher's machine       3000 $   90 $    70 $    10%   81%      4,14%
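The three augmented indicators computed over the slides' three assets, in an added example that is not the paper's code. The closed forms are assumptions chosen to satisfy the boundary cases the slides list and to reproduce the tables: EF_CT = 1 - (1 - EF)(1 - CTF), EF_R = EF(1 - RF), MR_C = MR(1 - CF), together with SLE = AV·EF, ALE = SLE·ARO and ROI = (ALE·MR - CSI)/CSI.

```python
def ef_critical_time(ef, ctf):
    """EF_CT = 1 - (1 - EF)(1 - CTF), i.e. EF + CTF - EF*CTF (assumed form).
    Boundary cases as on the slide: CTF=0 -> EF, CTF=1 -> 1, EF=0 -> CTF, EF=1 -> 1."""
    return 1 - (1 - ef) * (1 - ctf)

def ef_retaliation(ef, rf):
    """EF_R = EF * (1 - RF) (assumed form): RF=0 -> EF, RF=1 -> 0, EF=1 -> 1-RF.
    An RF above 100% (the slide's 130% row) would make the exposure negative,
    a modelling error rather than a gain, so it is rejected here."""
    if not 0 <= rf <= 1:
        raise ValueError(f"retaliation factor must lie in [0, 1], got {rf}")
    return ef * (1 - rf)

def mr_collusion(mr, cf):
    """MR_C = MR * (1 - CF) (assumed form): CF=0 -> MR, CF=1 -> 0, MR=1 -> 1-CF."""
    return mr * (1 - cf)

def ale(av, ef, aro):
    """ALE = SLE * ARO with SLE = AV * EF."""
    return av * ef * aro

def roi(ale_value, mr, csi):
    """ROI = (ALE * MR - CSI) / CSI."""
    return (ale_value * mr - csi) / csi

# The three assets of the slides (AV and CSI in $, all factors as fractions of 1)
ASSETS = {
    "Demo machine": dict(av=5000, ef=0.30, aro=0.55, ctf=0.95, aro_ct=0.25,
                         rf=0.25, aro_r=0.15, csi=600, mr=0.85, cf=0.45),
    "Simulation Infrastructure": dict(av=30000, ef=0.40, aro=0.60, ctf=0.98, aro_ct=0.60,
                                      rf=0.25, aro_r=0.60, csi=4500, mr=0.75, cf=0.35),
    "Researcher's machine": dict(av=3000, ef=0.15, aro=0.20, ctf=0.90, aro_ct=0.20,
                                 rf=1.30, aro_r=0.20, csi=70, mr=0.90, cf=0.10),
}

def augmented(a):
    """All indicators for one asset record; the retaliation entries are None
    when the asset's RF is not a valid percentage."""
    av = a["av"]
    ef_ct = ef_critical_time(a["ef"], a["ctf"])
    out = {"ef_ct": ef_ct, "sle_ct": av * ef_ct, "ale_ct": ale(av, ef_ct, a["aro_ct"])}
    try:
        ef_r = ef_retaliation(a["ef"], a["rf"])
        out.update(ef_r=ef_r, sle_r=av * ef_r, ale_r=ale(av, ef_r, a["aro_r"]))
    except ValueError:
        out.update(ef_r=None, sle_r=None, ale_r=None)
    base = ale(av, a["ef"], a["aro"])
    mr_c = mr_collusion(a["mr"], a["cf"])
    out.update(ale=base, roi=roi(base, a["mr"], a["csi"]),
               mr_c=mr_c, roi_c=roi(base, mr_c, a["csi"]))
    return out

def report():
    """{asset name: indicator dict} for every asset of the slides."""
    return {name: augmented(rec) for name, rec in ASSETS.items()}

if __name__ == "__main__":
    for name, ind in report().items():
        print(name, {k: (None if v is None else round(v, 4)) for k, v in ind.items()})
```

Two things the tables hide: the slide rounds EF_R to 23% before computing the demo machine's SLE_R (1150 $), so the exact values are 22,5%, 1125 $ and 168,75 $; and the simulation infrastructure's ROIC of -22% is what MRC = 48,75% gives, not the 45% printed.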
Paper
Augmented Risk Analysis. G. Bella, S. Bistarelli, P. Peretti, S. Riccobene. In: 2nd Workshop in Views On Designing Complex Architectures (VODCA2006). Bertinoro (FC), September 16-17 2006.
Future Works
…
CP-nets
[Figure: a CP-net with two variables, S (values Su, Sv) and W (values Wr, Ww), where the preference over W depends on S. Conditional preference tables: Sv > Su; Sv: Wr > Ww; Su: Ww > Wr. Outcomes: Su Wr, Su Ww, Sv Ww, Sv Wr]
CP-nets
[Figure: a CP-net with variables A (attacks a1, …, a6) and C (countermeasures c1, …, c13), where the preference over C depends on A.
CPT(A): a4 > a3 > a5 > a6 > a1 > a2
CPT(C):
a1: c1 > c2 > c3
a2: c5 > c3 > c4
a3: c6 > c7
a4: c8 > c9
a5: c11 > c10
a6: c13 > c12]
CP-nets
[Figure: defence tree with root "Steal data stored in a server", attacks a1, …, a6 and countermeasures c1, …, c13.
Attack nodes: Obtain root privileges (Corrupt a user with root priv.; Steal access to a user with root priv.), Exploit a web server vulnerability, Exploit an on-line vulnerability, Attack the system with a remote login, Access to the server's room, Steal the server (Go out unobserved).
Countermeasure labels: c2 Change the password periodically; c3 Log out the pc after the use, Add an identification token; c4 Distribute responsibilities among users; c5 Motivate employees; c6 Update the system periodically; c7 Separate the contents on the server; c8 Use an anti-virus software; c9 Stop suspicious attachment; c10 Install a security door; c11 Install a safety lock; c12 Install a video surveillance equipment; c13 Employ a security guard]
CP-nets: and-composition
The and-composition of the preference tables described by the partial orders (D(xi), ≻^u_i) and (D(xi), ≻^v_i) is described by the partial order (D(xi), ≻^{u∧v}_i), where ≻^{u∧v}_i represents the conditional preference over the instantiations of variable xi given an instantiation u ∧ v. So given a, b ∈ D(xi) and xj = Pa(xi):
CP-nets: and-composition
[Figure: and-composition example over the values a, b, c for the instantiations x, y, z; orders shown: y > x > z and x > z > y]
CP-nets: or-composition
Given two sets of countermeasures C = {c1, …, ck} and C' = {c'1, …, c'k'} covering the attacks u1, …, uk, the or-composition conditional preference table (D(x), ≻^{u1 … uk}) is defined as follows:
CP-nets: or-composition
[Figure: or-composition example over the values a, b, c for the instantiations x, y, z; resulting value sets: {a, b, c}, {b, c}, {a}, {a, b}, {a, c}]
Orange book
A system can be used to simultaneously store:
- unclassified information (U),
- secret information (S),
- top-secret information (T).
The information may flow from U to T.
[Figure: levels C, S, T]
Red book: level of assurance
Considering the type of information stored in a system, we have different levels of assurance.
Quantitative level of assurance
We want to define a quantitative level of assurance as a function of:
f(data; device; environment)
Quantitative level of assurance
Cost of compromise: .
The costs associated to a system depend on the type of attack and the type of countermeasure:
Cost(attack; countermeasures).
The asset value, AV[info], is the value of the information stored in a system.
Given an information flow a<b the cost of a flow (Cf) is:
NOTICE: the cost of a flow can be reduced considering the percentage of risk mitigated by a countermeasure.
Quantitative level of assurance
The level of assurance:
Given a defence tree, the level of assurance of a system depends on:
the asset's value, AV[info],
the damage produced by an attack (flow),
the type of countermeasure, Cost(attack, countermeasures).
Cascade?
If two systems A and B each have an economically acceptable level of security, what happens if I connect them to each other?
Can the new system created in this way still be considered secure?
Comparison
Given a system configuration A, how can I say that a new configuration B is not economically less advantageous than the previous one?
Analysis
When I build the tree and try to group the countermeasures, I have to be careful that no conflicts are created!!