A Preamble into Aligning Systems Engineering and Information Security Risk
Dr. Craig Wright GSE
May 2012
GIAC GSE, GSM, GSC
SANS Technology Institute - Candidate for Master of Science Degree
Slide 2: Controls
• Controls are countermeasures for vulnerabilities.
• Controls need to be economically viable to be effective.
• There are four types:
  1. Deterrent controls
  2. Preventative controls
  3. Corrective controls
  4. Detective controls

Slide 3: System Survival
• Network reliability requires us to model the various access paths and survival times, not only for each system but for each path to the system.

Slide 4: Mapping Vulnerabilities within Software
• Now let E stand for the event that a vulnerability is discovered between times T and T+h, for n vulnerabilities in the software.

Slide 5: Mapping Vulnerabilities within Software
• Where a vulnerability is discovered between time T and T+h, use Bayes' Theorem to compute the probability that n bugs exist in the software:

Slide 6: Mapping Vulnerabilities within Software
• From this it can be seen that:

Slide 7: Exponential Failure
• The reliability function (also called the survival function) represents the probability that a system will survive a specified time t.
  R(t) = 1 - F(t)

Slide 8: Exponential Failure
• The reliability function is a probabilistic calculation.
  – We cannot forecast the exact time of any compromise.
  – We can estimate the behaviour of systems that are constructed of many components.

Slide 9: Reliability
• Reliability is expressed as either MTBF (mean time between failures) or MTTF (mean time to failure).
  – The choice of term is related to the system being analysed.
  – For system security, it relates to the time that the system can be expected to survive when exposed to attack.

Slide 10: Modelling Failure Rate
• The failure rate for a specific time interval can also be expressed as:

Slide 11: Modelling Failure Rate
• The time to failure of a system under attack can be expressed as an exponential density function:

Slide 12: Modelling Failure Rate
• Here is the mean survival time of the system when in the hostile environment.
• t is the time of interest.
• The reliability function R(t) can be expressed as:

Slide 13: Modelling Failure Rate
• The mean ( ) or expected life of the system under hostile conditions can hence be expressed as:

Slide 14: No Absolutes
• There are no absolutes, but data can be modelled.
  – Security remains a risk and economic function.
  – No comparison of levels of security can be made other than to a relative measure (there is no absolute level of security).

Slide 15: Conclusion
• Before we invest our valuable resources in protecting information assets, it is vital to address concerns such as:
  – the importance of the information or resource being protected,
  – the potential impact if security is breached,
  – the skills and resources of the attacker, and
  – the controls available to implement the security.
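The System Survival, Exponential Failure and Modelling Failure Rate slides together describe one calculation: an exponential time-to-compromise model per access path, R(t) = 1 - F(t), a mean life, and a system survival that depends on every path. The following is an added example (not code from the presentation) that assumes the standard exponential forms, the usual definition of average failure rate over an interval, and constructed per-path survival times; the path names and hour values are hypothetical.

```python
"""Exponential time-to-compromise model for a system under attack.

Assumed standard forms (example code, not from the slides): density
f(t) = (1/theta) exp(-t/theta), R(t) = 1 - F(t) = exp(-t/theta), constant
hazard 1/theta and mean life theta. Times are hours; path values are constructed.
"""
import math

def reliability(t, theta):
    """R(t) = 1 - F(t): probability the system is still uncompromised at time t."""
    return math.exp(-t / theta)

def interval_failure_rate(t1, t2, theta):
    """Average failure rate over [t1, t2], conditional on surviving to t1:
    (R(t1) - R(t2)) / ((t2 - t1) * R(t1)).  For the exponential model this
    approaches the constant hazard 1/theta as the interval shrinks."""
    r1, r2 = reliability(t1, theta), reliability(t2, theta)
    return (r1 - r2) / ((t2 - t1) * r1)

def mean_life(theta, horizon_factor=40, step=0.5):
    """Expected life = integral of R(t) dt from 0 to infinity, evaluated with the
    trapezoid rule so the result can be checked against theta."""
    upper = horizon_factor * theta
    n = int(upper / step)
    total = 0.5 * (reliability(0.0, theta) + reliability(upper, theta))
    for i in range(1, n):
        total += reliability(i * step, theta)
    return total * step

def system_reliability(t, path_thetas):
    """A system with several access paths is compromised as soon as any path is;
    with independent exponential paths the survival probabilities multiply."""
    return math.prod(reliability(t, th) for th in path_thetas)

def system_mean_life(path_thetas):
    """Mean survival of the whole system: hazards add, so 1 / sum(1/theta_i)."""
    return 1.0 / sum(1.0 / th for th in path_thetas)

if __name__ == "__main__":
    paths = {"vpn": 100.0, "web": 250.0, "admin_jump": 1000.0}  # constructed
    for name, theta in paths.items():
        print(f"{name}: R(24h)={reliability(24, theta):.3f} mean={mean_life(theta):.1f}h")
    print(f"system: R(24h)={system_reliability(24, paths.values()):.3f} "
          f"mean={system_mean_life(paths.values()):.1f}h")
```

The system figure is what the survival slide asks for: adding a weakly protected path lowers the whole system's mean life even when the other paths are strong, because the path hazards add.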