
Lecture: Risk Analysis & Management



Risk Analysis &
Management
Võ Viết Minh Nhật
Faculty of Information Technology – University of Sciences (Khoa CNTT – Trường ĐHKH)

Outline

Introduction

Definition of risk

Vulnerability

Threat

Identifying risk for an organization

Measuring risk

Introduction

Security is about managing risk. Without an understanding of the
security risks to an organization’s information assets, too many or
not enough resources might be used or used in the wrong way.

Risk management also provides a basis for valuing information
assets. By identifying risk, you learn the value of particular types of
information and the value of the systems that contain that
information.


What is risk?

Risk is the underlying concept that forms the basis for what we call
“security.”

Risk is the potential for loss that requires protection. If there is no
risk, there is no need for security.

And yet risk is a concept that is barely understood by many who
work in the security industry.

What is risk?

Example from the insurance industry: to price a car policy, the
insurer asks two questions:

how much is the car repair likely to cost?

how likely is it that the person will be in an accident?

These are the two components of risk:

the money needed for the repair (the loss if an accident happens) => vulnerability

the likelihood of the person getting into an accident => threat

Relationship between
vulnerability and threat

Vulnerability


A vulnerability is a potential avenue of attack.

Vulnerabilities may exist in computer systems and networks

allowing the system to be open to a technical attack

or in administrative procedures

allowing the environment to be open to a non-technical or
social engineering attack.

Vulnerability

A vulnerability is characterized by the difficulty and the level of
technical skill that is required to exploit it.

For instance, a vulnerability that is easy to exploit (due to the
existence of a script to perform the attack) and that allows the
attacker to gain complete control over a system is a high-value
vulnerability.

On the other hand, a vulnerability that would require the attacker
to invest significant resources for equipment and people and
would only allow the attacker to gain access to information that
was not considered particularly sensitive would be considered a
low-value vulnerability.

Vulnerabilities are not just related to computer systems and
networks. Physical site security, employee issues, and the
security of information in transit must all be examined.

Threat

A threat is an action or event that might violate the security of an
information systems environment.

There are three components of threat:

Targets: the aspect of security that might be attacked.

Agents: the people or organizations originating the threat.

Events: the type of action that poses the threat.

Targets

The targets of threat or attack are generally the security services :
confidentiality, integrity, availability, and accountability.

Confidentiality is targeted when the disclosure of
information to unauthorized individuals or organizations is
the motivation.

Examples: government information, salary information
or medical histories.

Integrity is the target when the threat wishes to change
information.

Examples: a bank account balance, records in an important database.

Targets

Availability (of information, applications, systems, or
infrastructure) is targeted through the performance of a
denial-of-service attack. Threats to availability can be
short-term or long-term.

Accountability is rarely targeted. The purpose of such an
attack is to prevent an organization from reconstructing
past events. Accountability may be targeted as a prelude to
an attack against another target such as to prevent the
identification of a database modification or to cast doubt on
the security mechanisms actually in place within an
organization.

Targets

A threat may have multiple targets.

For example, accountability may be the initial target to
prevent a record of the attacker’s actions from being
recorded, followed by an attack against the confidentiality
of critical organizational data.

Agents

The agents of threat are the people who may wish to do harm to an
organization. To be a credible part of a threat, an agent must have
three characteristics:

Access: the ability an agent has to get to the target.

Knowledge: the level and type of information an agent has
about the target.

Motivation: the reasons an agent might have for posing a
threat to the target.

Access

An agent must have access to the system, network,
facility, or information that is desired.

This access may be direct (for example, the agent
has an account on the system) or indirect (for
example, the agent may be able to gain access to
the facility through some other means).

The access that an agent has directly affects the
agent’s ability to perform the action necessary to
exploit a vulnerability and therefore be a threat.

A component of access is opportunity. Opportunity
may exist in any facility or network just because an
employee leaves a door propped open.

Knowledge


An agent must have some knowledge of the target.
The knowledge useful for an agent includes

User IDs

Passwords

Locations of files

Physical access procedures

Names of employees

Access phone numbers

Network addresses

Security procedures

Knowledge

The more familiar an agent is with the target, the more likely it is that
the agent will have knowledge of existing vulnerabilities.

Agents that have detailed knowledge of existing vulnerabilities will
likely also be able to acquire the knowledge necessary to exploit
those vulnerabilities.

Motivation


An agent requires motivation to act against the
target. Motivation is usually the key characteristic to
consider regarding an agent as it may also identify
the primary target.

Motivations to consider include

Challenge: a desire to see if something is possible and be
able to brag about it.

Greed: a desire for gain. This may be a desire for money,
goods, services, or information.

Malicious intent: a desire to do harm to an organization or
individual.

Agents to Consider

A threat occurs when an agent with access and
knowledge gains the motivation to take action.

Based on the existence of all three factors, the
following agents must be considered:

Employees

have the necessary access and knowledge of systems
because of their jobs.

may or may not have the motivation to do harm to the organization.

must therefore be counted when conducting a risk analysis.

Agents to Consider

Ex-employees

have the necessary knowledge of systems due to the
jobs that they held.

may still have access to systems (for example, accounts that were never disabled).

Motivation depends upon the circumstances of the
separation, for example, whether the ex-employee bears a
grudge against the organization.

Agents to Consider

Hackers

are always assumed to have a motivation to do harm
to an organization.

may or may not have detailed knowledge of an
organization’s systems and networks.

Access may be acquired if the appropriate
vulnerabilities exist within the organization.

Agents to Consider


Commercial rivals

should be assumed to have the motivation to learn
confidential information about an organization.

may have a motivation to do harm to another
organization depending on the circumstances of the
rivalry.

Such rival organizations should be assumed to have
some knowledge about an organization since they are
in the same industry.

Knowledge and access to specific systems may not
be available but may be acquired if the appropriate
vulnerabilities exist.

Agents to Consider

Terrorists

are always assumed to have a motivation to do harm
to an organization.

Terrorists will generally target availability. Therefore,
access to high-profile systems or sites can be
assumed (the systems are likely on the Internet and
the sites are likely open to some physical access).

Specific motivation for targeting a particular
organization is the important aspect of identifying
terrorists as a probable threat to an organization.

Agents to Consider

Criminals

are always assumed to have a motivation to do harm
to an organization.

tend to target items (both physical and virtual) of
value.

Access to items of value, such as portable computers,
is a key aspect of identifying criminals as a probable
threat to an organization.

Agents to Consider

General public

must always be considered as a possible source of
threat.

However, unless an organization has caused some
general offense to civilization, motivation must be
considered lacking. Likewise, access to and
knowledge about the specifics of an organization are
considered minimal.


Agents to Consider

Companies that supply services to an organization

may have detailed knowledge and access to the
organization’s systems.

Business partners may have network connections.

Consultants may have people on site performing
development or administration functions.

Motivation is generally lacking for one organization to
attack another but given the extensive access and
knowledge that may be held by the suppliers of
services, they must be considered a possible source
of threat.
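As an added example (not part of the lecture slides), the following Python model turns the two ideas above into a ranked risk register: the two components of risk from the insurance example (the loss when something goes wrong => vulnerability, the likelihood that it happens => threat) and the rule that an agent is only a credible threat when it has access, knowledge and motivation at the same time. The three-step ordinal scale, the `Agent`/`Vulnerability` classes, the agent profiles and the vulnerabilities are constructed assumptions for illustration, not data from the slides.

```python
"""Added example (not from the lecture slides): a small qualitative
risk register built from the factors the slides define.

- A threat exists only when an agent has access, knowledge AND
  motivation against a target; drop any one and there is no threat.
- A vulnerability's value combines how easy it is to exploit with
  what the attacker gains by exploiting it.
- Risk for an (agent, vulnerability) pair = threat credibility x
  vulnerability value, on an ordinal scale.

The three-step scale, the agent profiles and the vulnerabilities
below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Ordinal levels; "none" (or any unknown label) maps to 0.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Agent:
    name: str
    access: str       # ability to get to the target
    knowledge: str    # what the agent knows about the target
    motivation: str   # reason to act against the target

    def credibility(self) -> int:
        """0 if any characteristic is missing, else the weakest of the three."""
        levels = [LEVELS.get(self.access, 0),
                  LEVELS.get(self.knowledge, 0),
                  LEVELS.get(self.motivation, 0)]
        return 0 if 0 in levels else min(levels)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    target: str   # confidentiality / integrity / availability / accountability
    ease: str     # "high" when a ready-made attack script exists
    impact: str   # "high" when exploitation gives complete control

    def value(self) -> int:
        return LEVELS[self.ease] * LEVELS[self.impact]


def risk_register(agents, vulns):
    """Score every agent/vulnerability pair; non-credible agents add no risk.

    Returns rows (score, agent, vulnerability, target), highest risk first.
    """
    rows = []
    for agent, vuln in product(agents, vulns):
        cred = agent.credibility()
        if cred == 0:
            continue   # missing access, knowledge or motivation: no threat
        rows.append((cred * vuln.value(), agent.name, vuln.name, vuln.target))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


# Constructed profiles following the slides' "agents to consider".
AGENTS = [
    Agent("employee", access="high", knowledge="high", motivation="low"),
    Agent("ex-employee", access="medium", knowledge="high", motivation="high"),
    Agent("hacker", access="low", knowledge="low", motivation="high"),
    Agent("general public", access="low", knowledge="low", motivation="none"),
]

# Constructed vulnerabilities: one technical, one physical, one in transit.
VULNS = [
    Vulnerability("unpatched server with public exploit script", "integrity",
                  ease="high", impact="high"),
    Vulnerability("server-room door propped open", "confidentiality",
                  ease="high", impact="medium"),
    Vulnerability("low-sensitivity archive shipped unencrypted", "confidentiality",
                  ease="low", impact="low"),
]

REGISTER = risk_register(AGENTS, VULNS)

if __name__ == "__main__":
    for score, agent, vuln, target in REGISTER:
        print(f"{score:2d}  {agent:<15} {target:<16} {vuln}")
```

Two properties of the model mirror the slides: the general public drops out of the register entirely because motivation is absent, not because its score is small, and the same vulnerability ranks differently for different agents, so the top of the register is the ex-employee against the exploitable server rather than the vulnerability alone.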
