MASTER THESIS
Current Established Risk Assessment Methodologies and Tools
Dan Ionita
Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS)
Department of Computer Science - Information Systems group
31st of July 2013
The technology behind information systems evolves at an exponential rate, while at the same time becoming more and more ubiquitous. This brings with it an implicit rise in the average complexity of systems as well as in the number of external interactions. In order to allow a proper assessment of the security of such (sub)systems, a whole arsenal of methodologies, methods and tools has been developed in recent years. However, most security auditors commonly use only a very small subset of this collection, the one that best suits their needs. This thesis aims at uncovering the differences and limitations of the most common Risk Assessment frameworks, the conceptual models that support them, as well as the tools that implement them. This is done in order to gain a better understanding of the applicability of each method and/or tool and to suggest guidelines for picking the most suitable one.
PREFACE
This thesis marks the successful completion of my Master in Computer Science - Information Systems Engineering at the University of Twente, Netherlands (2011-2013). It has been a truly life-changing experience, in which I have had much to learn and understand.
The topic for the thesis was chosen due to the author's interest in the European TREsPASS project (www.tresspass-project.eu). The project aims to design a new socio-technical Risk Assessment methodology, and as such, a comprehensive survey of the current state-of-the-art is essential. It is this goal that this thesis hopes to help achieve.
ACKNOWLEDGMENTS
The author would like to thank Prof. Dr. Roel Wieringa for his unbounded support for the creation of this thesis and for providing me with opportunities far beyond my expectations. Furthermore, I would also like to extend my gratitude to my secondary supervisors, Pieter Hartel and Wolter Pieters, for useful comments and remarks. I would like to extend a special mention to Suse Engbers, who makes everything that happens in the IS department at the UT possible thanks to her dedication and skills.
However, I am and always will be most grateful to my family for the unadulterated physical, financial and emotional support which helped me get where I am now. Without you, I would be nothing! A special thanks goes to my best friend: my brother. Last but not least, I am especially grateful to my lovely girlfriend, Vincy, who stood by me whenever I felt lost and did her best to make me happy! I will be forever grateful.
I would like to make one final acknowledgment: to all the wonderful people I met while completing my Master's degree. There are too many names to mention, but you know who you are: thank you for all the good times we've had together!
CONTENTS
4.1 Decomposition of Risk according to the FAIR framework and The Open Group taxonomy .... 59
4.2 Relationships between the entities involved in RM/RA according to ISO/IEC 13335-1 .... 60
4.3 Decomposition of Risk level (Exposure) according to the OWASP methodology .... 63
4.4 Decomposition of Risk level (Exposure) according to the SRA methodology .... 65
4.5 The basic entities commonly found in Information Security Conceptual Models .... 66
7.1 Decision table for selecting the most suitable RA method(s) .... 107
A.1 RA/RM methods and their complete set of characteristics .... 119
B.1 Intermediary table used for construction of Decision Table .... 122
CHAPTER 1
1.1 Background
In December 2012, based on EU funding, the TREsPASS project was officially launched. Consisting of 17 partners from both industry and research, the project aims to improve the way we secure information by integrating the digital, technical and social domains with the current state-of-the-art in the field of security. This is because of the impact that human behavior (be it that of an attacker, employee or bystander) has on the (in)security of an infrastructure. Furthermore, strict technical mechanisms can still be bypassed by using social engineering. As such, a better understanding of how these domains intertwine in the field of information security is crucial in identifying potential weak points within an organization or infrastructure.
This is where Risk Assessments come in. A Risk Assessment (RA) is a structured or semi-structured approach to analyzing the security of an infrastructure, identifying weak spots, and selecting countermeasures. Such assessments are done according to various methodologies. Currently, the sheer number of such methodologies might be overwhelming for someone trying to get an overview of Risk Assessment methods and tools. Furthermore, each such method follows a slightly different procedure, uses different data, requires certain skills, provides different output, or is based on a different understanding of Risk altogether.
One of the first deliverables within the TREsPASS project includes a survey of the state-of-the-art in Risk Assessments. This includes both methods and tools. This master thesis is, amongst others, meant to provide input for this document. It can also serve as an introduction to Risk Assessment and Risk Management, or as a glossary of relevant methods and tools.
1.2 Goals
The overall goal is to obtain a better understanding of the key differences and commonalities between the various state-of-the-art Information Risk Assessment methodologies and tools. Interesting aspects are the scope, the target users of the methods or tools, and the intended audience of the results.
We are also interested in the conceptualization and decomposition of Risk according to various methodologies and how this relates to their other characteristics.
1.2.1 Research Questions
These goals can be distilled into the following research questions:
RQ1 What are the most commonly used Risk Assessment methods?
SRQ1.1 What are their goals?
SRQ1.2 What steps do they contain?
SRQ1.3 What decisions do they support?
SRQ1.4 What is the scope of each method?
RQ2 What are the underlying conceptual models used in Risk Assessment frameworks?
SRQ2.1 How does each model conceptualize Risk?
SRQ2.2 What are the sub-components of Risk and how are they combined?
SRQ2.3 What are the target organizations of each model?
SRQ2.4 What significant differences can be found between these models?
RQ3 What are the most commonly used Risk Assessment tools?
SRQ3.1 What functionality does each offer?
RQ4 What are the relationships between each tool, method and model?
1.3 Approach
The core of the thesis consists of surveys of established methodologies, related tools and underlying conceptual models. Each relevant methodology, tool and conceptual model will be described and analyzed in order to create an overview of the current state-of-the-art. The analysis of individual methods/tools is followed by a comparison of key features as well as an identification of commonalities and differences. Several discussions regarding the cross-compatibility between methodologies, tools and conceptual models are also included, with conclusions being drawn with regard to the observations.
Finally, a guideline for choosing the most suitable method given the organization's business context and security requirements is designed. The findings are validated via expert judgment.
1.4 Structure of the report
The report is structured in 8 Chapters. This first chapter contains an introduction to the chosen topic.
Chapter 2.3 contains an introduction to the field of Information Security Risk Management, of which Risk Assessments are a part, as well as criteria for the sub-selection discussed in this thesis.
Chapter 3 presents an overview of common Risk Assessment methods. Chapter 4 describes the various ways of conceptualizing risk that each framework implies. Chapter 5 indexes the software tools available and maps them to their relevant frameworks. Chapter 6 attempts to extract the key features from each of the previously identified methodologies and tools, while drawing conclusions regarding the most significant differences. Chapter 7 suggests a guideline for selecting the most suitable method. Chapter 8 draws some conclusions based on the previous analysis.
CHAPTER 2
INFORMATION SECURITY RISK MANAGEMENT
2.1 The Risk Management process
According to the European Network and Information Security Agency (ENISA), Risk Management (RM) is "a process aiming at an efficient balance between realizing opportunities for gains while minimizing vulnerabilities and losses". Furthermore, it is an integral part of the management practice and crucial for achieving good corporate governance. Risk Management is usually a continuously re-iterating process that consists of several activities. Such activities typically include identifying, analyzing and prioritizing risks; finding, evaluating and applying relevant countermeasures; and monitoring the results. This process is either continuous or cyclical and focuses on achieving a coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events.
2.2 Information Security Risk Management
Risk Management and Risk Assessment are techniques that can be used to identify, monitor and control the risk level of an Information System (IS). Information Security Risk Management, in particular, can either be part of the overall organizational Risk Management process, or can be implemented separately. Information Security Risk Management activities usually include implementing appropriate policies and related controls, promoting awareness, as well as monitoring and evaluating policy and control effectiveness. The process is usually cyclical. An overview of a typical Information Security Risk Management process is depicted in Figure 2.1. The dashed arrow means that the Monitor process does not stop when the Control process is started. Rather, the Monitor process is continuous and runs in parallel with all other processes.
2.3 Risk Assessment
A critical step in the Information Security Risk Management process is the Risk Assessment. This involves the evaluation of each IT risk as well as of the total IT risk, and assigning them priorities.
While Risk Assessment is an activity that also takes place as part of the Risk Management process, it is not continuous. Rather, it is a discrete activity, only being initiated when required or at regular intervals. Risk Assessments usually serve to identify and analyze possible vulnerabilities of and threats to a given system, as well as the relative value of assets and the possible damage resulting from their compromise. This is done in order to estimate the risks that the owner, operator or user of the system may face.
As such, its output is the basis for all the other Risk Management activities: eliciting new security requirements, aiding in the choice and specification of countermeasures, evaluating current Security Policies, supporting relevant management decisions, assessing existing protection mechanisms and controls, etc.
The main result of a Risk Assessment is usually a qualitative or quantitative evaluation of the possible risks that a given complex system is exposed to, taking into consideration its context and likely threats.
It should be noted that most Risk Assessments, as well as most Risk Management processes, do not aim at obtaining a fully secure system, as this is often impossible. Instead, the end-goal is to reach what is perceived as an acceptable level of security at an acceptable cost (also called "good enough" security). Frameworks differ in their interpretation of this, and in the way of achieving and maintaining it.
Figure 2.1: Overview of a typical Risk Management process
In the most general sense, a Risk Assessment is a multidisciplinary task that might contain one or more of the following steps (Figure 2.1 maps the steps to the RM phases):
1. Establishment of context: Identifying and defining the digital, technical, social and business context in which the system operates, as well as building some kind of model of the information system itself. Although the context of the IS is always relevant, this step is sometimes skipped if a satisfying specification of the IS already exists. This is usually part of the "preparation" stage in Figure 2.1.
Other activities relevant for this phase are defining the scope of the assessment, security requirements, stakeholder goals, risk criteria, etc.
2. Risk Identification: this is the core of any risk assessment and has to do with using available data to identify possible attack vectors and vulnerabilities of the system. This step corresponds to the "identify" stage in Figure 2.1.