Risk Analysis On It Assets Using Case Based Reasoning



Risk Analysis on IT Assets using Case-Based Reasoning

A Thesis Report Submitted By Afeef Veetil (Registration Number: 0713001), Student of M.Sc. Information Systems, Specialization: Internet Systems & Security

Under the Guidance of Dr. S.K. Pandey, Chairperson, Department of Information Technology

June 2009

Department of Information Technology, Manipal University – Dubai Campus, Block No: 7, Dubai International Academic City, Dubai, UAE
Manipal University Dubai Campus

Certificate

This is to certify that the project work entitled "Risk Analysis on IT Assets using Case Based Reasoning", carried out by Afeef Veetil (Registration Number: 0713001), bonafide student of Manipal University Dubai Campus, is in partial fulfillment for the award of the Master's Degree in Internet Systems and Security of Manipal University Dubai Campus, during the year 2008 – 2009.

Project guide: Dr. S.K. Pandey, Chairperson, Dept. of Information Technology
External Viva Date: _____________
External Examiner Name:
External Examiner Signature:
Acknowledgements

This thesis paper is submitted towards the Final Year Master of Science in Information Security 2009, Manipal University, Dubai Campus. In the process of researching and writing this thesis, many people have been very generous with their time, advice and support. I would like to thank my supervisors, Professor Dr. S.K. Pandey, Chairperson, Department of IT, Mahe Manipal University Dubai Campus, and Mr. Mohammed Shabir, Head of IT, United Arab Bank, who was the project guide; without their encouragement this thesis would not have been written. I would also like to thank Mr. PathaSarathy, Lead Vulnerability Assessor at Paramount Computer Systems, and Mr. Suhas, Lead Risk Assessor at Paramount Computer Systems, who also helped and guided me informally towards the success of this paper. Sincere gratitude also to Mr. Mohandas K. Nair, Senior Developer, Al Tayer Group of companies, for helping me create the prototype design forms. Last but not least, my sincere thanks to my colleagues and my family, without whom this paper would not have been completed.
Table of Contents

Chapter 1: Introduction
  1.1. Purpose, Scope and Limitations
  1.2. Sources and Methods
Chapter 2: Risk Assessment
  2.1. Risk Assessment Methodology
    2.1.1. Quantitative Analysis
    2.1.2. Qualitative Analysis
      Asset Value
      Threat Level
      Vulnerability Level
    2.1.3. Quantitative V/S Qualitative Analysis
Chapter 3: Case Based Reasoning
  3.1. Main types of CBR methods
  3.2. The CBR cycle
  3.3. CBR Inductive Retrieval using Decision Tree
Chapter 4: Applying CBR Technique in Risk Analysis
Chapter 5: Methodology
  5.1. Decision Tree for E banking
  5.2. Prototype Screen
Chapter 6: Conclusion
Glossary
Bibliography
List of Figures

Fig 1 Risk Assessment Procedure
Fig 2 Risk Factor Impact
Fig 3 CBR Cycle
Fig 4 Decision Tree
Fig 5 Risk Analysis System with CBR Workflow
Fig 6 Screen 1 of Assessment Tool
Fig 7 Screen 2 of Assessment Tool
Fig 8 Screen 3 of Assessment Tool
Fig 9 Screen 4 of Assessment Tool
Fig 10 Screen 10 of Assessment Tool
Fig 11 Report Screen of Assessment Tool
Abstract / Summary

The purpose of this thesis is to discuss a prototype that uses Case-Based Reasoning with a decision tree approach to assess the risk factor related to E-Banking. A qualitative risk analysis is done using the methodology specified by ISO 27001, and the case-based reasoning values are obtained with the decision tree approach. To analyse this, an E-banking system (EB) is taken under study, as EB appears to be essential to any bank's day-to-day business and extends its support to customers through an online presence. The security of EB systems, which ensures authorized and correct transaction processing, therefore becomes one of the most critical issues in implementing them. The analysis of the risk that a system faces is the core part of security management. Risk analysis can identify the principal assets, the threats to and vulnerabilities of those assets, and the risks confronting the assets. The process of the proposed system is composed of four steps: initial data collection, asset evaluation, threat and vulnerability evaluation, and generation of the risk analysis result. The system employs a case base of past analyses and security incidents. The proposed system is the first to apply the CBR technique to risk analysis for finding the Risk Factor based on the threats and vulnerabilities of an EB system.
Chapter 1: Introduction

Risk analysis on IT assets has become a vital process, as heavy financial losses, breaches of privacy, and even the downfall of corporations have recently been attributed to the inability of corporations to protect themselves from cyber-risks. Cyber-risks are generated by hackers, malicious software, disgruntled employees, competitors, and many other sources, both internal and external. These external and internal cyber-attacks on corporate assets, together with an increasingly technology-savvy corporate management, have led to a greater awareness of the information security risks to corporate information than ever previously experienced in corporations and government agencies. It should be clear that organizations need a reliable method for measuring the effectiveness of their information security program. An information security risk assessment is designed specifically for that task. When performed correctly, it can give corporate managers the information they need to understand and control the risks to their assets. The challenge is how to perform a security risk assessment correctly, efficiently, and effectively.

Case-Based Reasoning (CBR) is a problem-solving technique based on the reuse of past experiences. For this reason there is considerable optimism about its use in difficult problem-solving areas where human expertise is evidently experience based. It is particularly suitable in weak-theory domains, that is, on types of problems where cause and effect are not well understood.

1.1. Purpose, Scope and Limitations

The majority of risk analysis is done using the memory-based approach, in which threat and vulnerability, the two major factors in any risk assessment method, rely on the experience and judgment of the risk assessor. Relying on the risk assessor's experience alone may jeopardize the entire purpose of the risk assessment.

The purpose of this thesis is to discuss the effectiveness of case-based reasoning on each case [threat] to assess the value of the Risk Factor, comparing each threat against a database of possible vulnerabilities for that particular case. Once a threat is identified, and a vulnerability pertaining to that threat is also identified, the risk assessor is prompted with a decision tree to decide, based on the controls already in place, the threat or vulnerability level to which the particular asset under study is exposed. This ensures that the risk assessor has covered all the possible vulnerabilities associated with the threat that are already in the database. If the particular vulnerability or threat is not listed in the database, the assessor can always add this case so that it can be used for similar risk assessments at a later stage.
This thesis is in no way introducing a new risk assessment methodology, as the methodology in practice is well proven. The thesis only tries to introduce a tool so that the risk assessor can enhance the quality of the assessment.

The scope of this study is to discuss the effectiveness of a case-based reasoning system in assessing the risk value when calculating the risk factor for an E-Banking system. This paper does not cover the full-cycle risk assessment or risk treatment, and the approach can only be used for a qualitative risk assessment.

Since the Risk Factor is highly dependent on the variables, namely asset value, threat and vulnerability, each factor has its limitations. Asset value is highly dependent on the business. Threat and vulnerability are dependent on the business and the region, so the approach will currently carry these dependencies as well, but once the database collects more samples the reliability of this approach will be much higher. As the assessment of threat and vulnerability are the factors that depend most heavily on human experience, both factors have to undergo the case-based reasoning technique. Another limitation of this method is that the technique is more relevant for an organization that does risk assessments for various clients, as a large database has to be collected beforehand. The database is normally confined to individual risk assessment consultants or consultancy organizations, as previous cases pertaining to a particular assessment are not normally allowed to be shared under the NDA signed between the consultants and the client's organization.

1.2. Sources and Methods

The statistics used for building the database in this work are indicative, as real data are not publicly available for security reasons: the risks of any organization cannot be made public. For the proof of concept, however, indicative values can be used. The risk assessment on E-banking is done on the organization's E-banking system.
The risk analysis methodology used in this paper is as suggested by the ISO 27001 directives. The Information Technology — Code of Practice for Information Security Management (ISO 27001) was issued by the International Organization for Standardization. The objective of the standard is to provide a common basis for organizations developing information security management programs. ISO 27001 comprises a set of information security controls seen as best practices and applicable to most organizations.

Case-Based Reasoning (CBR) is a problem-solving technique based on the reuse of past experiences. CBR techniques use different methodologies, such as Cohen's Formula [Nearest Neighbor Algorithm], the KATE methodology, the PATDEX methodology or an inductive decision tree, to assess the similar case.
Chapter 2: Risk Assessment

The risk assessment activity measures the strength of the overall security program and provides the information necessary to make planned improvements based on information security risks. The security risk assessment is senior management's tool for measuring the effectiveness of their security controls and for indicating how well their assets are protected. The objective of this analysis is to analyse the effectiveness of the current security controls that protect an organization's assets and to determine the probability of losses to those assets. A security risk assessment reviews the threat environment of the organization, the value of assets, the criticality of systems, the vulnerabilities of the security controls, the impact of expected losses, and recommendations for additional controls to reduce risk to an acceptable level. Based on this information the senior management of the organization can determine whether additional security controls are required. The figure below depicts a typical risk assessment cycle, including the treatment plan process.

Figure 1 Risk Assessment Procedure

2.1. Risk Assessment Methodology

Kailay and Jarratt (1995) stated that risk is the potential for damage to a system or associated assets that exists as the result of the combination of a security threat and a vulnerability. Risk is the combination of threats, vulnerability and asset value. A vulnerability is a weakness in the security system that might be exploited to cause loss or harm (Pfleeger, 1989). Threats are defined as the sources or circumstances that have the potential to cause loss or harm (Kailay and Jarratt, 1995; Pfleeger, 1989).

Risk analysis is a systematic process to examine the threats facing the IT assets and the vulnerabilities of these assets, and to show the likelihood that these threats will be realized. Risk analysis begins with the identification of IT assets. However, not all assets require protection; therefore the boundary of the review should be established during asset identification. After the boundary is specified, the overall worth of the identified assets should be assessed. The next step is to identify all possible threats to the identified assets and to note vulnerabilities. As with the IT assets, not all threats will necessarily be realized for each identified asset; only those threats that are likely to occur in the given organization need be identified. The identified threats are assessed by their likelihood of occurrence in accordance with the related vulnerabilities. The final step is the analysis of the risk in the current IT environment, in which the impact of the threats is analysed. This assessment should take into account the asset value within the review boundary and the identified threats and vulnerabilities. The assessed impact leads to risk measures.

Fig 2. Risk Factor Impact

There are many risk assessment techniques in practice, but fundamentally the variables determining the risk assessment are common to all of them:
o value of the asset;
o likelihood that a vulnerability will be exploited; and
o severity of the impact.

The risk analysis methodologies currently in use are categorized into quantitative and qualitative. This paper focuses on calculating the risk factor with the qualitative approach.
2.1.1. Quantitative Analysis

Quantitative methodologies usually calculate the impact and frequency of threats mathematically. Quantitative analysis relies on specific formulas and calculations to determine the value of the risk decision variables. Several formulas are commonly associated with quantitative security risk analysis; they cover the expected loss for specific risks and the value of safeguards to reduce the risk. There are three classic quantitative risk analysis formulas: annual loss expectancy, single loss expectancy, and safeguard value:
o Annual Loss Expectancy (ALE) = Single Loss Expectancy * Annual Rate of Occurrence.
o Single Loss Expectancy = Asset Value * Exposure Factor.
o Safeguard Value = ALE Before - ALE After - Annual Safeguard Cost.

Thus management can figure out the amount to be spent on protecting the particular asset against the listed threats.

2.1.2. Qualitative Analysis

Whereas quantitative analysis relies on complex formulas and monetary or frequency values for the variables, qualitative analysis relies on the subjective judgment of the security risk assessment members to determine the overall risk to the information systems. The same basic elements are required to determine risk, such as asset value, threat frequency, impact, and safeguard effectiveness, but these elements are now measured in subjective terms such as "high" or "not likely." The formula used to assess the Risk Factor is:

RISK FACTOR = ASSET VALUE + THREAT + VULNERABILITY + LIKELIHOOD OF OCCURRENCE

The risk factor thus arrived at is analysed using the risk matrix to depict the exposure of the asset in terms of the security risk associated with it.

Table 1 - Risk Matrix

                         Level of threat:   Low (1)        Medium (2)     High (3)
                         Level of vuln.:    L   M   H      L   M   H      L   M   H
Asset Value                                 1   2   3      1   2   3      1   2   3
  Negligible (1)                            3   4   5      4   5   6      5   6   7
  Low (2)                                   4   5   6      5   6   7      6   7   8
  Medium (3)                                5   6   7      6   7   8      7   8   9
  High (4)                                  6   7   8      7   8   9      8   9  10
  Very High (5)                             7   8   9      8   9  10      9  10  11

The details of the above table are discussed below.

Asset Value

As shown in Table 1, asset value is quantified on a scale from 1 to 5, measured using the levels Negligible through Very High, Negligible being the least. The asset value is measured by the corresponding business unit, considering various factors such as the importance of the asset to the business in terms of the revenue generated and the loss of revenue in the event of unavailability due to any threat or vulnerability. So the asset value differs from business to business and organization to organization. For example, an email server used by an airline for sending reservation tickets and communicating with customers is very vital: for the airline, a service disruption to the email server can incur loss and also reputational risk, since tickets are not sent out to the customer, which may affect customer confidence. Whereas a bank whose dependency on the email server to run its business is very low may not consider the asset value VERY HIGH or HIGH, as the bank can afford the unavailability of the service for a specific period of time, so it may value the asset as MEDIUM. But if another bank sends out customer statements by email, it may consider the asset value HIGH.

Threat Level

Threats are identified from various sources pertaining to the region or business. Most threats are common to every business and region; only the assessment of the level of the threat varies. This is purely based on memory-based reasoning or on interviewing various stakeholders.
Once the threat level is identified it is scaled as LOW, MEDIUM or HIGH. But as mentioned, the threat level varies from business to business and region to region. For example, the possibility of robbery is much higher in some places like India than in the UAE, where it is very low as the reported number of robberies is smaller. So in India the threat Robbery/Theft will be HIGH while in the UAE it can be MEDIUM. Even though the risk assessor does take a historical and statistical approach to assessing the threat level, the level is identified partly by his judgment, so the chances of missing the real threats are high.

Vulnerability Level

Each threat is associated with various vulnerabilities. The risk assessor evaluates the current controls in place to assess the exposure of the vulnerability compared to those controls. Again each vulnerability level is scaled from LOW to HIGH after assessing the controls in place and the likelihood that the vulnerability can expose the threat. For example:
a. For a publicly available system with no firewall, the vulnerability level associated with the threat Hackers will be HIGH, whereas for another organization with a firewall and IPS it will be LOW.
b. An asset Car with value HIGH, the threat Robbery, and the vulnerability of having a door lock but no theft alarm will be HIGH in a country like India but MEDIUM in the UAE, as the vulnerability of not having a theft alarm is subjective.

The vulnerability level assessment is still the risk assessor's memory-based reasoning, or may be concluded after an interview or statistical analysis. But the chance of missing the right vulnerability or misjudging the controls in place can lead to a wrong interpretation.

2.1.3. Quantitative vs. Qualitative Analysis

Selecting the proper analysis approach really depends on the time, scope and quality of the risk assessment. The tables below depict some of the advantages and disadvantages of both the quantitative and qualitative approaches to risk assessment.
Table 2: Advantages of the Quantitative and Qualitative Approaches

Quantitative:
• Applicability to all assets
• Mathematical foundation
• Support to cost–benefit decision
• More credible as based on real calculations
• Can support budget decisions as the values are in cost

Qualitative:
• Simple risk calculation
• Usability to the irrelevant or unknowable asset value
• Less time consuming
• Provides adequate identification of problem areas

Table 3: Disadvantages of the Quantitative and Qualitative Approaches

Quantitative:
• Inappropriateness of monetary value
• Inappropriateness of general statistics
• Time consuming
• Complex formulas

Qualitative:
• Coarse granularity of asset value
• Inability of cost–benefit decision
• Subjective result
• Difficult to track improvements
• Subjective asset value
Chapter 3: Case Based Reasoning

Case-Based Reasoning (CBR) is a problem-solving technique based on the reuse of past experiences. Because past experiences are used, there is considerable optimism about CBR's use in difficult problem-solving areas that depend on human expertise, which is evidently experience based. It is particularly suitable in weak-theory domains, that is, on types of problems where cause and effect are not well understood. A case is a prior experience and, therefore, is situation-specific and domain-dependent. A case base is the collection of cases (Brown and Gupta, 1994). A case base is to a CBR system as a knowledge base is to a rule-based system.

The CBR technique is one of the major artificial intelligence (AI) methodologies and is mostly applied to the problem-solving and learning area. The fundamental principle of the CBR technique is similar to that of the human reasoning process. Humans use analogical reasoning in complex situations, which employs solutions to past problems to solve current ones. While humans use analogical reasoning, the limitations of the human brain mean that not all past cases are taken into consideration; as the number of cases increases, humans tend to use the cases most recently solved or those that seem most important. The CBR system can overcome this limitation and use all past cases in its reasoning, potentially making more effective decisions. It can use successful cases to solve current problems or failed cases to adjust solutions to them. The CBR life cycle is described below. When the CBR system is presented with a new problem, it selects past cases that are similar to the current problem and proposes a solution based on the solutions to the selected past cases. Once the system's solution is evaluated, the evaluation results are reported back to the system. The system updates its case base by capturing and storing important lessons learned during the problem-solving process.

3.1. Main types of CBR methods

The CBR paradigm covers a range of different methods for organizing, retrieving, utilizing and indexing the knowledge retained in past cases. Cases may be kept as concrete experiences, or a set of similar cases may form a generalized case. Cases may be stored as separate knowledge units or split up into subunits and distributed within the knowledge structure. Cases may be indexed by a prefixed or open vocabulary, and within a flat or hierarchical index structure. The solution from a previous case may be directly applied to the present problem, or modified according to differences between the two cases. The matching of cases, adaptation of solutions, and learning from an experience may be guided and supported by a deep model of general domain knowledge, by more shallow and compiled knowledge, or be based on an apparent, syntactic similarity only. CBR methods may be purely self-contained and automatic, or they may interact heavily with the user for support and guidance of their choices. Some CBR methods assume a rather large number of widely distributed cases in the case base, while others are based on a more limited set of typical ones. Past cases may be retrieved and evaluated sequentially or in parallel.

Actually, "case-based reasoning" is just one of a set of terms used to refer to systems of this kind. This has led to some confusion, particularly since case-based reasoning is used both as a generic term for several types of more specific approaches and for one such approach. To some extent, this can also be said of analogy reasoning. An attempt at clarifying the terms related to case-based reasoning, although not resolving the confusion, is given below.

o Exemplar-based reasoning. The term is derived from a classification of different views of concept definition into "the classical view", "the probabilistic view", and "the exemplar view" (see [Smith-81]). In the exemplar view, a concept is defined extensionally, as the set of its exemplars. CBR methods that address the learning of concept definitions (i.e. the problem addressed by most of the research in machine learning) are sometimes referred to as exemplar-based. Examples are early papers by Kibler and Aha [Kibler-87], and Bareiss and Porter [Porter-86]. In this approach, solving a problem is a classification task, i.e. finding the right class for the unclassified exemplar. The class of the most similar past case becomes the solution to the classification problem. The set of classes constitutes the set of possible solutions. Modification of a solution found is therefore outside the scope of this method.

o Instance-based reasoning. This is a specialization of exemplar-based reasoning into a highly syntactic CBR approach.
To compensate for the lack of guidance from general background knowledge, a relatively large number of instances are needed in order to close in on a concept definition. The representation of the instances is usually simple (e.g. feature vectors), since a major focus is to study automated learning with no user in the loop. Instance-based reasoning labels recent work by Kibler and Aha and colleagues [Aha-91], and serves to distinguish their methods from more knowledge-intensive exemplar-based approaches (e.g. Protos' methods). Basically, this is a non-generalization approach to the concept learning problem addressed by classical, inductive machine learning methods.

o Memory-based reasoning. This approach emphasizes a collection of cases as a large memory, and reasoning as a process of accessing and searching in this memory. Memory organization and access is a focus of the case-based methods. The utilization of parallel processing techniques is a characteristic of these methods, and distinguishes this approach from the others. The access and storage methods may rely on purely syntactic criteria, as in the MBR-Talk system [Stanfill-88], or they may attempt to utilize general domain knowledge, as in PARADYME [Kolodner-88] and the work done in Japan on massively parallel memories [Kitano-93].

o Case-based reasoning. Although case-based reasoning is used as a generic term in this paper, the typical case-based reasoning methods have some characteristics that distinguish them from the other approaches listed here. First, a typical case is usually assumed to have a certain degree of richness of information contained in it, and a certain complexity with respect to its internal organization. That is, a feature vector holding some values and a corresponding class is not what we would call a typical case description. What we refer to as typical case-based methods also have another characteristic property: they are able to modify, or adapt, a retrieved solution when applied in a different problem-solving context. A paradigmatic case-based method also utilizes general background knowledge, although its richness, degree of explicit representation, and role within the CBR processes vary. Core methods of typical CBR systems borrow a lot from cognitive psychology theories.

o Analogy-based reasoning. This term is sometimes used, as a synonym for case-based reasoning, to describe the typical case-based approach just described [Veloso-92]. However, it is also often used to characterize methods that solve new problems based on past cases from a different domain, while typical case-based methods focus on indexing and matching strategies for single-domain cases. Research on analogy reasoning is therefore a subfield concerned with mechanisms for the identification and utilization of cross-domain analogies [Kedar-Cabelli-88, Hall-89]. The major focus of study has been on the reuse of a past case, what is called the mapping problem: finding a way to transfer, or map, the solution of an identified analogue (called source or base) to the present problem (called target).
3.2. The CBR cycle

At the highest level of generality, a general CBR cycle may be described by the following four processes (as a mnemonic, try "the four REs"):
1. RETRIEVE the most similar case or cases
2. REUSE the information and knowledge in that case to solve the problem
3. REVISE the proposed solution
4. RETAIN the parts of this experience likely to be useful for future problem solving

A new problem is solved by retrieving one or more previously experienced cases, reusing the case in one way or another, revising the solution based on reusing a previous case, and retaining the new experience by incorporating it into the existing knowledge base (case base). The four processes each involve a number of more specific steps, which will be described in the task model.

Fig 3 CBR Cycle
3.3. CBR Inductive Retrieval using Decision Tree

As the final outcome of CBR is to retrieve the similar case from the database, this paper uses a decision tree methodology for retrieval. A decision tree retrieves the similar case by searching the database with the decisions made at the input level. This is a hierarchical tree, where the decision is made once no further sub-tree is available. If the case is not in the list it goes through the LEARNING process and is added to the database for future REUSE. A typical table and the decision tree used are depicted below.

Table 4 Decision Tree Sample Data

Case: Starting point | Destination | Road | Between 6 AM and 8 AM | Retrieved Value by Car
Sharjah | Dubai | Emirates Road | Yes | 90 minutes
Sharjah | Dubai | Emirates Road | No | 30 minutes
Sharjah | Dubai | Ittihad Road | Yes | 70 minutes

Fig 4 Decision Tree for Table 4 (Value Measure)

Sharjah
  >>> Ittihad Road: Between 6 am and 8 am?
        YES -> Learning Mode (New Case)
        NO  -> 30
  >>> Emirates Road: Between 6 am and 8 am?
        YES -> 90
        NO  -> 30

In the above tree the arm "Sharjah Ittihad Road Yes" does not have a value, as there is no such value in the table. This could be added into the table as a new case [learning algorithm].
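The inductive retrieval just described, as an added example that is not the thesis's prototype code: the case base is the Table 4 data, the tree is induced with an ID3-style information-gain split (my choice; the thesis does not specify the split criterion), and a query with no stored case returns None, which is the learning mode in which the case is retained and the tree re-induced.

```python
"""Inductive case retrieval with a decision tree (CBR RETRIEVE / RETAIN).

Added example, not the thesis's prototype. The case base is the sample data
of Table 4, embedded below. The tree is induced with ID3-style information
gain over the case attributes (an assumption: the thesis does not name the
split criterion). A query that reaches a branch or leaf holding no matching
case returns None, the learning mode: the new case is retained and the tree
re-induced.
"""
from collections import Counter
from math import log2

ATTRIBUTES = ("start", "destination", "road", "peak_hours")


def case(start, destination, road, peak_hours, value):
    return {"start": start, "destination": destination, "road": road,
            "peak_hours": peak_hours, "value": value}


# Rows of Table 4 (Sharjah to Dubai by car; peak_hours = between 6 and 8 AM).
TABLE_4 = [
    case("Sharjah", "Dubai", "Emirates Road", "Yes", "90 minutes"),
    case("Sharjah", "Dubai", "Emirates Road", "No", "30 minutes"),
    case("Sharjah", "Dubai", "Ittihad Road", "Yes", "70 minutes"),
]


def entropy(cases):
    n = len(cases)
    counts = Counter(c["value"] for c in cases).values()
    return -sum(k / n * log2(k / n) for k in counts)


def information_gain(cases, attr):
    n = len(cases)
    remainder = 0.0
    for val in {c[attr] for c in cases}:
        subset = [c for c in cases if c[attr] == val]
        remainder += len(subset) / n * entropy(subset)
    return entropy(cases) - remainder


def build_tree(cases, attrs):
    """A node is (attribute, {value: subtree}); a leaf is the list of cases
    indexed there. Split on the attribute with the highest information gain."""
    if len({c["value"] for c in cases}) == 1 or not attrs:
        return list(cases)
    best = max(attrs, key=lambda a: information_gain(cases, a))
    rest = tuple(a for a in attrs if a != best)
    return (best, {val: build_tree([c for c in cases if c[best] == val], rest)
                   for val in {c[best] for c in cases}})


class CaseBase:
    def __init__(self, cases):
        self.cases = [dict(c) for c in cases]
        self.tree = build_tree(self.cases, ATTRIBUTES)

    def retrieve(self, query):
        """RETRIEVE: follow the query's attribute values down the tree, then
        confirm an exact match at the leaf. None means no prior case exists."""
        node = self.tree
        while isinstance(node, tuple):
            attr, branches = node
            if query[attr] not in branches:
                return None
            node = branches[query[attr]]
        for c in node:
            if all(c[a] == query[a] for a in ATTRIBUTES):
                return c["value"]
        return None

    def retain(self, new_case):
        """RETAIN (learning mode): store the new case and re-induce the tree."""
        self.cases.append(dict(new_case))
        self.tree = build_tree(self.cases, ATTRIBUTES)


def retrieve_or_learn(case_base, query, value_if_new):
    """Return (value, learned): the stored value, or retain the query as a
    new case with the assessor-supplied value and flag that learning ran."""
    found = case_base.retrieve(query)
    if found is not None:
        return found, False
    case_base.retain({**query, "value": value_if_new})
    return value_if_new, True


if __name__ == "__main__":
    cb = CaseBase(TABLE_4)
    print("tree splits first on:", cb.tree[0])             # road
    q = case("Sharjah", "Dubai", "Ittihad Road", "No", None)
    del q["value"]
    print(retrieve_or_learn(cb, q, "30 minutes"))           # learning mode
    print(retrieve_or_learn(cb, q, "30 minutes"))           # now retrieved
```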
21. 21. Chapter 4: Applying CBR Technique in Risk Analysis

The proposed system in this study has two sub-goals, which are threat analysis and vulnerability analysis. The process is composed of four steps as shown in Figure 4. First, the system collects data about the business and IT environment of an organization by asking questions. Once the first task of identifying the asset value is completed and the asset value and asset details have been entered, the system checks whether its memory (the case base) provides a relevant case at this point for identifying the threat level. The system then focuses on the analysis of the threat level by asking the assessor a few questions drawn from previous cases, to see whether anything can be adopted from them.
22. 22. Fig 5 Risk Analysis System with CBR Workflow

During this process, the system may ask additional questions about the environment of the organization. If a case of a past security incident is recalled, the system attempts to find out whether it is possible for that incident to occur in the current case. Then the system produces initial results from the recall and adaptation process.
23. 23. Chapter 5: Methodology

Based on the above risk methodology and the CBR technique of assessing the risk using a decision tree, a case study is done on an e-banking system with sample data.

5.1. Decision Tree for E banking

E banking [Asset Value = 5] (*ascertained by the Business Unit)
  Threat
  Threat 1: "Fires, Explosions"
    Fire incident is common in this area: YES=1 √  NO=0
    Are there any written procedures to be followed in the event of fire? YES=1  NO=0 √
    Any fire evacuation drill conducted in the last 6 months? YES=1 √  NO=0
    New Case to Be Added: Threat Level = 2
    Vulnerability of Fires, Explosions
      Is the datacenter near oil, gas and explosive chemicals manufacturing units? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+2+1 = 8
      Is there any combustible material found near the datacenter? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+2+1 = 8
      Are the interiors of the data center made of non-combustible material? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+2+1 = 8
      Is the quality of the electrical circuits and equipment superior? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR4 = AV+T+V = 5+2+1 = 8
      Are the gas cylinders and pipes properly protected? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR5 = AV+T+V = 5+2+1 = 8
      Is the fire suppression system [FM200] enabled? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR6 = AV+T+V = 5+2+1 = 8
      Is the fire suppression system [FM200] properly maintained? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR7 = AV+T+V = 5+2+1 = 8
      Is the fire detection system properly maintained? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR8 = AV+T+V = 5+2+2 = 9
      Is the fire fighting equipment properly maintained? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR9 = AV+T+V = 5+2+2 = 9
      Is there strict control of smoking near the premises? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR10 = AV+T+V = 5+2+2 = 9
    New Case: Vulnerability Level = Σ(Risk Factor 1..10) = 83
  Threat 2: "Earth Quake"
    Earthquake is common in this area: YES=1  NO=0 √
    Are there any written procedures to be followed in the event of an earthquake? YES=1  NO=0 √
25. 25.
    New Case to Be Added: Threat Level = 1
    Vulnerability of Earthquake
      Is the datacenter in a seismic zone? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+1+1 = 7
      Is the datacenter situated in a skyscraper building? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+1+1 = 7
      Are the interiors of the data center and the roof/structure of superior quality? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+2+1 = 7
    New Case: Vulnerability Level = Σ(Risk Factor 1..3) = 21
  Threat 3: "Hurricane"
    Hurricane is common in this area: YES=1  NO=0 √
    Are there any written procedures to be followed in the event of a hurricane? YES=1  NO=0 √
    New Case to Be Added: Threat Level = 1
    Vulnerability of Hurricane
      Is the datacenter in a hurricane-prone area? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+1+1 = 7
      Is the datacenter situated near the sea shore? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+1+1 = 7
      Is the datacenter situated on the ground floor? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+1+1 = 7
      Is the datacenter situated in open space? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+1+1 = 7
      Do the interiors of the data center have a raised floor? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+2+1 = 7
    New Case: Vulnerability Level = Σ(Risk Factor 1..5) = 35
  Threat 4: "Hardware/Software Failures"
    Is there standardized hardware in place? YES=1  NO=0 √
    Are AMCs with hardware vendors in place? YES=1  NO=0 √
    Are AMCs with software vendors in place? YES=1  NO=0 √
    New Case to Be Added: Threat Level = 3
    Vulnerability of Hardware/Software Failures
      Is standard hardware of superior quality in use? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+3+1 = 9
      Are any incompatible peripherals and spare parts in use? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
27. 27.
      Is UAT in practice before going live? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is there a change management process in place? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is developer access to the production server restricted? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
      Is proper capacity planning in place against system overload? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
      Are regular server monitoring and controls in place? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
      Are there enough controls for antivirus and malicious software in place? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
      Are regular security awareness practices in place? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+2 = 9
    New Case: Vulnerability Level = Σ(Risk Factor 1..9) = 93
  Threat 4: "Backup and contingency Plan"
    Is there a backup policy in place? YES=1  NO=0 √
28. 28.
    Is the backup policy reviewed every year? YES=1  NO=0 √
    Are AMCs with backup software vendors in place? YES=1  NO=0 √
    New Case to Be Added: Threat Level = 3
    Vulnerability of Backup and contingency Plan
      Is the offsite storage well protected? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+3+1 = 9
      Is there a tape management life cycle in place? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
      Are the daily backup logs monitored? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is backup restoration testing in place? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is enough training provided to the backup operators? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
    New Case: Vulnerability Level = Σ(Risk Factor 1..5) = 47
  Threat 5: "Security Breaches"
    Are there too many incidents reported in the last 6 months? YES=1 √  NO=0
29. 29.
    Is there any security policy in place? YES=1  NO=0 √
    Is there any incident reporting structure in place, and is it conveyed to all IT persons? YES=1  NO=0 √
    New Case to Be Added: Threat Level = 3
    Vulnerability of Security Breaches
      Is there a well-written security policy in place? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+3+1 = 9
      Are there any physical access controls in place? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
      Are the passwords kept with the system owners only? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is the administrator username renamed? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is password complexity enforced? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
      Is the administrator username renamed? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is password complexity enforced? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
30. 30.
    New Case: Vulnerability Level = Σ(Risk Factor 1..7) = 66
  Threat 6: "Virus Attack"
    Are there too many incidents reported in the last 6 months? YES=1 √  NO=0
    Is proper antivirus in place? YES=1  NO=0 √
    Is there any incident reporting structure in place, and is it conveyed to all IT persons? YES=1  NO=0 √
    New Case to Be Added: Threat Level = 3
    Vulnerability of Virus Attacks
      Is there a comprehensive virus protection system? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR1 = AV+T+V = 5+3+1 = 9
      Does a default installation of virus protection tools exist? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+1 = 9
      Is there proper periodic updating of the latest virus definitions? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is there proper control of the usage of external media (floppies, CDs, USB) without scanning? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is a proper security awareness program conducted? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
31. 31.
      Is there control on downloading and usage of unauthorized software? LOW=1  MEDIUM=2 √  HIGH=3  RISK FACTOR2 = AV+T+V = 5+3+2 = 10
      Is there control on opening mail attachments with scanning? LOW=1 √  MEDIUM=2  HIGH=3  RISK FACTOR3 = AV+T+V = 5+3+1 = 9
    New Case: Vulnerability Level = Σ(Risk Factor 1..7) = 66

Analyzing With Database of Similar Cases and Risk
  Asset Risk Factor = Σ Risk Factor = 411

The above risk factor can be analyzed with the risk matrix table to assess whether the value 345 falls under HIGH, MEDIUM or LOW.

5.2. Prototype Screen

Below are the prototype screens of the risk assessment tool developed for assessing the risk using the CBR technique. The asset in the evaluation is the ATM servers pertaining to a bank.

Fig 6 Initial Screen
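The scoring used throughout the case study above, as an added Python example that is not the thesis prototype: each vulnerability question's risk factor is AV + T + V, a threat's vulnerability level is the sum of its risk factors, and the asset risk factor sums the threats. It reproduces the "Fires, Explosions" (83) and "Backup and contingency Plan" (47) branches; the threat level is taken as recorded with each case rather than derived from the yes/no answers, and the question labels are shortened here.

```python
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3   # vulnerability ratings on the decision tree

@dataclass
class ThreatCase:
    threat: str
    asset_value: int            # AV, ascertained by the business unit
    threat_answers: dict        # yes/no questions of the threat branch (YES=1, NO=0)
    threat_level: int           # T, recorded with the case as "New Case to Be Added"
    vulnerability_ratings: dict # vulnerability question -> LOW / MEDIUM / HIGH

    def risk_factors(self):
        """RISK FACTOR_i = AV + T + V_i for every vulnerability question."""
        return {q: self.asset_value + self.threat_level + v
                for q, v in self.vulnerability_ratings.items()}

    def vulnerability_level(self):
        """Vulnerability Level = sum of the threat's risk factors."""
        return sum(self.risk_factors().values())

def asset_risk_factor(cases):
    """Asset Risk Factor = sum of the vulnerability levels of all threats analysed."""
    return sum(c.vulnerability_level() for c in cases)

# Two threats of the e-banking case study, with the values recorded on the page
# (each V is the one used in that question's RISK FACTOR line; labels shortened).
FIRE = ThreatCase(
    "Fires, Explosions", 5,
    {"fire common in area": 1, "written fire procedures": 0, "drill in last 6 months": 1}, 2,
    {"near oil, gas and explosives units": LOW, "combustible material nearby": LOW,
     "non-combustible interiors": LOW, "superior electrical circuits": LOW,
     "gas cylinders and pipes protected": LOW, "FM200 enabled": LOW,
     "FM200 maintained": LOW, "fire detection maintained": MEDIUM,
     "fire fighting equipment maintained": MEDIUM, "smoking control": MEDIUM})
BACKUP = ThreatCase(
    "Backup and contingency Plan", 5,
    {"backup policy": 0, "policy reviewed yearly": 0, "AMC with backup vendors": 0}, 3,
    {"offsite storage protected": LOW, "tape management life cycle": LOW,
     "daily backup logs monitored": MEDIUM, "restoration testing": MEDIUM,
     "backup operator training": LOW})

if __name__ == "__main__":
    for case in (FIRE, BACKUP):
        print(case.threat, case.risk_factors(), "Vulnerability Level =", case.vulnerability_level())
    print("Asset Risk Factor =", asset_risk_factor([FIRE, BACKUP]))
```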
  32. 32. Fig 6 Screen 1 of Assessment Tool
  33. 33. Fig 7 Screen 2 of Assessment Tool
  34. 34. Fig 8 Screen 3 of Assessment Tool
  35. 35. Fig 9 Screen 4 of Assessment Tool
  36. 36. Fig 10 Screen 10 of Assessment Tool
  37. 37. Fig 11 Report Screen of Assessment Tool after assessing similar cases
38. 38. Chapter 6: Conclusion

From the risk matrix, the value of 411 is considered MEDIUM risk in the light of the past cases; thus the asset is considered protected, but potential threats remain which management has to mitigate, beginning with those carrying the higher risk values. The above risk has not considered business risk and statutory risk. The overall risk is calculated by also considering the risk factors of business risk and statutory risk [compliance]; thus the above risk factor does not mean that the entire risk analysis has been carried out.

The risk assessment method using case-based reasoning with a decision tree will always give added value to the risk assessor, helping to ask the right questions and to assess the risk. The assessor can also introduce a new case or search an existing case in order to finalize the value he can quantify for each threat and the vulnerabilities associated with it. Further, these values can be reused if the database is maintained and updated on a timely basis.

Risk analysis for any IT asset requires considerable professional judgment and knowledge of IT. Nonetheless, the immaturity of risk analysis for IT systems makes it difficult to afford such expertise and knowledge. This is why this study takes advantage of the CBR technique. The benefits of this technique correspond to the above characteristics of risk analysis for IT assets and complement its immaturity. As the major case base of CBR, this system uses the case base of past risk analyses and security accidents. The proposed system in this study provides a fast and cost-effective analysis using the reasoning ability of CBR, which comes from analogical reasoning over past cases. Therefore it will become a useful instrument of risk analysis for novices in this area. In addition, the learning ability to update the case base dynamically makes the system valuable in the fast-changing IT environment. Consequently, the performance of this system is expected to improve gradually as the case base is updated. However, the system proposed in this study is only a prototype. This prototype system has not been validated, nor applied to any organization, nor assessed for its superiority to traditional risk analysis methods.
39. 39. Glossary

Asset Value: A qualitative value given to an asset in order to assess the impact on the business if the asset is not available.
Cyber-risks: The risks, liabilities and solutions associated with electronic processes and interactions arising from conducting business activities through computer networks.
Database: A collection of data put together having common data types for later easy retrieval.
Decision Tree: A decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
E-banking: Online banking (or E banking / Internet banking) allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.
ISO 27001: ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology—Security techniques—Information security management systems—Requirements, but it is commonly known as "ISO 27001".
NDA: A non-disclosure agreement (NDA) creates a confidential relationship between the parties to protect any type of confidential and proprietary information or a trade secret. It is a contract through which the parties agree not to disclose information covered by the agreement.
Risk assessor: A professional who assesses the risk pertaining to the scope of a risk assessment.
Risk compliance: Mandatory compliance of eliminating risk on the basis of directives from legal bodies or institutions.
Risk Matrix: A tool used in the risk assessment process; it allows the severity of the risk of an event occurring to be determined.
Risk Mitigation: Activities that eliminate or reduce the adverse effects of a disaster/risk.
Risk treatment: The process of selecting and implementing measures to modify risk.
Technical security controls: Controls in place in order to control a threat attached to a vulnerability.
Security incident: An alert to the possibility that a breach of security may be taking or may have taken place.
Threat: Threats are entities, physical or logical, that can compromise data because of the presence of a vulnerability.
Vulnerability: A weakness in a system which allows an attacker to violate the integrity of that system. Vulnerability is directly attached to a threat.