Business survival within the cyber chain: forward-looking risk management needed

Ronald Paans, Vrije Universiteit Amsterdam
9 October 2012
File: PaansR Voorwaartse risk management, © 2012, version 1.0
Email: [email protected]

Source: http://www.crow.nl/Downloads/Congressen/Congres%20Risicomanagement%202012/Voorwaartse%20risk%20management%202012.ppt

Slide 2: Agenda
(footer on every slide: Research for Risk Management)

RISK MANAGEMENT
• Methods for IT
• Specific threats
• Research at Vrije Universiteit Amsterdam

Parts of this research were a joint operation with European companies such as CapGemini, and some ideas have been stimulated by our colleague Marco van der Vet.

Slide 3: Introduction: Pyramid of IT

Diagram: the layers of the pyramid, top to bottom: Web, Web software, Application, Middleware / Connectivity, DATA, Infrastructure (Cloud), Housing, with Office Automation alongside. Labels around the pyramid: Vulnerabilities, Weaknesses; External Threats (OWASP, Incidents, Fraud, abuse); Internal Threats (Obstruction, error; Incidents; Fraud, abuse).

OWASP = Open Web Application Security Project

Pyramid of IT
• Web access, business logic and business rules, interactive and batch application
• Connections to own applications and external parties
• Database management systems, query systems
• !!! DATA !!! = information
• Infrastructure: servers and networks, virtualization
• Housing: computer room or data center

Slide 4: We are overwhelmed by new security concerns

Security has moved from an IT issue to an ongoing business concern.

• STUXNET: causing damage to process controllers refining uranium
• WIKILEAKS: abuse of key sensitive information. Unauthorized release of military and diplomatic notes and reports. Damage to worldwide foreign relations
• DIGINOTAR: compromising trusted SSL certificates. SSL certificates used for social media and websites of the Dutch government. Hacker caused chaos
• OV-CHIPKAART: payment card for public transportation hacked
• WIKILEAKS: denied hosting by providers. Amazon terminated the hosting contract. Other providers rejected a request for hosting: no business anymore
• DUQU: stealing information. The development of Duqu took tens of millions of dollars. It is assumed three countries participated. In contrast to Stuxnet, which attempts to damage nuclear equipment, Duqu focuses on stealing information
• COMODO: hackers issued fraudulent SSL certificates. Comodo's Registration Authority was compromised, allowing several bogus SSL certificates to be issued
• FLAME
• DORIFEL
• Etc.

Slide 5: Attacks from everywhere

Diagram: the same pyramid (Web, Web software, Application, Middleware, Data (multi value), Cloud (Infrastructure), Housing, Office Automation) with People at several points, and the incidents placed on the layers they attacked: OV-CHIPKAART, DUQU, STUXNET, COMODO, HOSTING DENIED, DIGINOTAR, WIKILEAKS, etc.

Each threat uses multiple points of attack.

Next attack?

Slide 6: Specific situation of your organization ???

Diagram: the pyramid (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation) surrounded by Vulnerabilities and Weaknesses, External Threats (OWASP, Incidents, Fraud, abuse) and Internal Threats (Obstruction, error; Fraud, abuse).

OWASP = Open Web Application Security Project

Aspects (external threats)
• Changes in mission
• Changes in organisation
• Changes in market
• Changes in legislation
• Etc.

Aspects (weaknesses)
1. Governance is not effective
2. No central knowledge base on present and future threats
3. Business lacks consistency and focus on customer security
4. Designing new e-services in a threatening e-world
5. Value of information and service delivery increases fast
6. No vulnerability check on new projects
7. No secure software development: no training, no awareness campaigns
8. Testing is incomplete
9. No maturity model for software and data security
10. Insufficient monitoring of people and actual security threats

Aspects (internal threats)
• Possible demotivation
• Move activities offshore
• Too many projects
• Errors, sloppiness
• Fraud and intentional abuse
• Etc.

Slide 7: And now we move it into the cloud

Diagram: the pyramid of slide 6 drawn twice (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation), the second copy moved into the cloud, with the same Vulnerabilities, Weaknesses, External Threats (OWASP, Incidents, Fraud, abuse), Internal Threats (Obstruction, error; Fraud, abuse) and the same three Aspects lists as on slide 6.

Slide 8: Security

Diagram: the pyramid (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation) placed in the cloud.

Is the cloud itself secure? NO!

Slide 9: Risk considerations

ENISA: the main (high) risks that have been identified are
• Lock-in
• Loss of governance
• Compliance challenges, lack of audit and assurance
• Isolation failure
• Cloud provider malicious insider: high-privilege access abuse
• Subpoena and e-discovery
• Changes of jurisdiction (location of data)
• Data protection
• Network management

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework

Slide 10: The Risk Carousel

Diagram of the carousel:
• Actors around the business: People in IT, People, Customers, People / Users
• The business itself: Governance, Work process, Technology, with Input and Output
• Surroundings: Threats from the E-world, Threats from IT, Vulnerabilities
• BUSINESS RISKS: PAST, PRESENT, FUTURE
• Risk Assessment (structured): Identify, Judge, Assess, Mitigate; compare SOLL (target) with IST (actual), determine the GAP, Improve
• Continuous Risk Monitoring: structured incident handling
• Intelligence (structured): Collect, Combine, Analyze, Conclude

Slide 11: Example: low probability, catastrophic impact

EXAMPLE: Threat for continuity
• 26 December 2004: Sumatra-Andaman tsunami in Indonesia, Thailand etc.
  – Economic damage; data centers and IT organizations disappeared; still a lack of production capacity for IT hardware
• 11 March 2011: Tohoku-Oki earthquake and mega-tsunami in Japan, resulting in the Fukushima meltdown
  – Severe damage for the Japanese economy, with impact on many Western business processes (cars, chips, disks etc.)
• Frequency of a mega-tsunami on the Plain of Sendai is approximately 0.9×10^-3 per annum, i.e. once per 900 years
  – 1000-500 BC, based upon analysing sediment layers in the ground (estimated 900 BC)
  – 1 AD, ditto
  – 9 July 869: Jogan earthquake and tsunami are well documented and marked
  – Fukushima: first nuclear production 26 March 1971; tsunami risk studied in 2006/2007
  – 2011 Tohoku-Oki [1], almost identical to 900 BC, 1 AD and 896 AD: meltdown

[1] NASA, Wikipedia 2007: the probability of a Sendai earthquake with a magnitude of Mw 8.1–8.3 was estimated as 99% within the 30 years following 2007

General questions about such risks with low probability and catastrophic impact
• When was the last volcanic outburst in the Netherlands?
• When was the last tsunami in the Netherlands?
• What was the damage?
• When can we expect the "next one"?

Slide 12: Zuidwal volcano

Volcano in the Netherlands
• Revealed during investigation for gas drilling
• (Very) active 160 to 148 million years ago (Jurassic)
• 1 km high, situated 2 km under the island Griend
• Is still 30 °C hotter than its environment
• See: Wikipedia and the VPRO site

The walled town Stedeke Grint with a church and monastery disappeared due to the Sint-Lucia flood in 1287.

Slide 13: Example: Doggerland Storegga tsunami

Diagram: map of the tsunami reaching Doggerland. Source: 'Tsunami sedimentary facies deposited by the Storegga tsunami in shallow marine basins and coastal lakes, western Norway', Stein Bondevik, in Sedimentology 1997

Last tsunami in the Netherlands
• 2nd Storegga slide
• Waves up to 25 meter on the Shetland Islands
• Dated 6,000-6,200 BC
• Estimate: October 6,125 BC
• Center of (our) neolithic civilization was Doggerland
• This center was destroyed
• Thereafter no trace of our ancestors for centuries
• Division between cultures in England and on the continent

The next one? Storegga is now stable. Exploding volcano in Iceland? Meteorite in the North Sea? Our location is dangerous.

Slide 14: AutomatiseringsGids: The Netherlands
• Number 12 in the worldwide Risk Top 15
• Number 2 as risky Western country
• Major risk: flooding
• ((( In my personal opinion, the picture is biased )))

EMC-sponsored European Disaster Recovery Survey 2011, "Data Today Gone Tomorrow: How Well Companies Are Poised For IT Recovery"
EMC VansonBourne report, 23 November 2011; paper in AutomatiseringsGids, 7 December 2011

Slide 15: EMC: Organizations NOT very confident to recover

(Chart from the EMC survey; the recoverable label reads "NOT very confident".)

Slide 16: ISO IT security

Overview of ISO standards related to information security (diagram)

Slide 17: ISO 27001 process

ISO 27001, SAS 70, ISAE 3402: a static approach. Necessary; in fact, "good citizenship".

Slide 18: Method for risk analysis

Literature (Wikipedia)

METHOD FOR RISK MANAGEMENT
The conventional standard methods consist of the following elements, performed, more or less, in the following order:
• Identify, characterize, and assess threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk, i.e. the expected consequences of specific types of attacks on specific assets
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a cost-effective strategy

Keywords
• Threat
• Weakness
• Σ_{i=1}^{N} Likelihood_i × Impact_i
• Risk mitigation
• Priorities

Determining the probability and the impact is a real challenge.

Slide 19: USA IT risk analysis: NIST 800-30

Step 1. System Characterization: operating system, application, network; information, software; scope, highest value
Step 2. Threat Identification: relevant threats
Step 3. Vulnerability Identification: relevant vulnerabilities
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis (loss of CIAA)
Step 7. Risk Determination: Σ_{i=1}^{N} Likelihood_i × Impact_i; expected damage: net risk
Step 8. Control Recommendations: additional controls, residual risks
Step 9. Results Documentation

C = Confidentiality, I = Integrity, A = Availability, A = Auditability
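As an added illustration (not from the presentation), this Python risk register walks the NIST 800-30 steps above on constructed sample data: it computes Σ Likelihood_i × Impact_i with impact scored over CIAA, derives the residual risk after a control, and ranks candidate controls by risk reduction per euro, as the slide-18 method asks. All assets, likelihoods, amounts and control names are constructed for the example.

```python
from dataclasses import dataclass
CIAA = ("confidentiality", "integrity", "availability", "auditability")  # Step 6 loss dimensions

@dataclass(frozen=True)
class Risk:
    asset: str          # Step 1: system characterization
    threat: str         # Step 2: threat identification
    vulnerability: str  # Step 3: vulnerability identification
    likelihood: float   # Step 5: events per year (constructed estimate)
    impact: dict        # Step 6: euro loss per CIAA dimension

    def expected_loss(self) -> float:
        """Step 7: Likelihood_i x Impact_i, impact summed over CIAA."""
        return self.likelihood * sum(self.impact.get(k, 0.0) for k in CIAA)

@dataclass(frozen=True)
class Control:
    name: str
    cost: float                     # one-off cost in euro (constructed)
    mitigates: str                  # vulnerability it addresses
    likelihood_factor: float = 1.0  # residual likelihood multiplier
    impact_factor: float = 1.0      # residual impact multiplier

def total_risk(register) -> float:
    return sum(r.expected_loss() for r in register)  # net risk of the whole register

def apply_control(register, control):
    """Residual register: scale likelihood and impact where the control applies."""
    return [Risk(r.asset, r.threat, r.vulnerability, r.likelihood * control.likelihood_factor,
                 {k: v * control.impact_factor for k, v in r.impact.items()})
            if r.vulnerability == control.mitigates else r for r in register]

def prioritize(register, controls):
    """Step 8: rank controls by annual risk reduction per euro spent, best first."""
    base = total_risk(register)
    ranked = [(base - total_risk(apply_control(register, c)), c) for c in controls]
    return sorted(ranked, key=lambda rc: rc[0] / rc[1].cost, reverse=True)

# Constructed sample register, loosely inspired by the incident types named on slide 4
REGISTER = [
    Risk("web portal", "injection (OWASP)", "unvalidated input", 0.30, {"confidentiality": 200_000, "integrity": 50_000}),
    Risk("data center", "flooding", "single site, no DR", 0.01, {"availability": 2_000_000}),
    Risk("certificate RA", "fraudulent issuance", "weak RA admin access", 0.05, {"integrity": 400_000, "auditability": 100_000}),
]
CONTROLS = [
    Control("secure development training + input validation", 40_000, "unvalidated input", likelihood_factor=0.2),
    Control("second data center for DR", 500_000, "single site, no DR", impact_factor=0.25),
    Control("hardware tokens + four-eyes for RA admins", 20_000, "weak RA admin access", likelihood_factor=0.1),
]
```

The ranking is only as good as the likelihood estimates, which is exactly the weakness the next slide raises: a rare flood with unknown frequency can be ranked last even though its impact dominates the register.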

Slide 20: Opinion: risk management

OPINION
All methods for risk analysis use almost the same approach: "View the past, and you may expect it to continue in the future". However:
• Today's threats are developing fast, much faster than some years ago (more advanced hacking technologies: Stuxnet, Duqu, OV-chipcard etc.)
• Organized crime and some governments become more active, due to the gains (botnets, denial of service, cyber attacks etc.)
• Errors with risk analysis due to an incorrect scope, time frame etc. (Fukushima: using selected earthquakes and ignoring the Plain of Sendai)
• Calculating "likelihood" × "impact"
  – Historical values are often not available ("likelihood" is unknown)
  – Impact depends on the severity of the incident ("impact" is unknown)
• Benefits cannot be quantified, complicating the decision process on mitigating controls

"We must also view present risks and the risks of tomorrow"

Slide 21: COSO mapping

Mapping of the Risk Carousel onto COSO:
• Risk assessment (risks in the past)
• Continuous Risk Monitoring (present risks)
• Intelligence (future risks)

COSO model: No people in COSO?? COSO is not looking forward??

COSO looks at TODAY. Your security architecture should view TOMORROW.

Information security architecture: Governance, Work process, Technology

Slide 22: The Risk Carousel (same diagram as slide 10)

Slide 23: Centre for Information Security and Privacy Protection (Centrum voor Informatiebeveiliging en Privacybescherming)

The Compact Central Government Steering Group (Stuurgroep Compacte Rijksdienst) is setting up expertise centres in which government institutions will join forces. One of these is the Centre for Information Security & Privacy (CIP).

CIP was founded in early 2012 with the objective:
• To support Participants in making and keeping their information provision secure in such a way that Participants can trust each other regarding the integrity and availability of their mutual data flows, and citizens can trust the integrity, availability and confidentiality of the data and services they obtain from the Participants via the channels offered.

The Centre offers knowledge, makes knowledge accessible and delivers concrete services to the Participants.

The Centre uses a number of Knowledge Partners inside and outside government.

For future threats, work is being done on scenario thinking, drawing up playbooks and setting up a robust e-government.