Theuygvvtsis

/
2004

,

.
. ,

(Abstract)

, . ,

.
, ,
.
,
,

() CRAMM .

............................................................................................................................................................................2
(ABSTRACT).............................................................................................................................................................3
.........................................................................................................................................................................4

A.1. .................................................................7
1.1
1.2
1.3
1.4
.....................................................................................................................................................................7
...........................................................................................................................................7
...........................................................................................9
..........................................................................................................................................................10
.2. ( RISK ANALYSIS)...............................................................................................................11

2.1
2.2
2.3
2.4
2.5
2.6
2.7
...................................................................................................................................................................11
.....................................................................................................................................................................11
BPL ............................................................................................................................................................12
...................................................................................................12
............................................................................................................................15
...............................................................................................................................16
.................................................................................................................................................17
.3
3.1
3.2
3.3
...................................................................................................................................................................20
........................................................................................................................20
........................................................................................................................................................22
.4
4.1
4.2
4.3
4.4
(QUANTITATIVE RISK ANALYSIS) ................................................20
(QUALITATIVE RISK ANALYSIS) ...............................................23
...................................................................................................................................................................23
10 ..........................................................................................................................23
FRAP (FACILITATED RISK ANALYSIS PROCESS).......................................................................................29
OCTAVE (OPERATIONALLY CRITICAL THREAT, ASSET, AND VULNERABILITY EVALUATION)................35
.5 .................................................................................................................41
5.1
5.2
5.3
5.4
5.5
5.6
5.7
...................................................................................................................................................................41
...................................................................................................41
CALLIO SECURA 17799 ..............................................................................................................................................44
COBRA.....................................................................................................................................................................46
CRAMM ...................................................................................................................................................................46
EZRISK .......................................................................................................................................................................47
RISKWATCH FOR INFORMATION SYSTEMS & ISO 17799...........................................................................................47
........................................................................................................................................................................48

.1.
1.1
1.2
1.3
1.4
..................................................................................................................................................................50
............................................................................................................................................50
.........................................................................................................................................50
............................................................................................................................................50
..............................................................................................................................................................50
.2.
CRAMM () ....................................................................................51
.3.
(ASSETS)....................................................................................................................52
3.1
3.2
3.3
3.4
.4.
4.1
4.2
4.3
.5.
5.1
5.2
5.3
.6.
6.1
6.2
6.3
.7.
..........................................................................................................................................................52
.........................................................................................53
..............................................................................................................................................54
................................................................................................56
....................................................................................................................................57
..........................................................................................................................................................57
....................................................................................................................58
...................................................................................63
(RISK)...........................................................................................................65
..........................................................................................................................................................65
...............................................................................................................65
........................................................................................................................67
...............................................................................................................................................................68
..........................................................................................................................................................68
CRAMM .............................................................................68
....................................................................................................69
..................................................................................................................................................................71
A.1.
1.1
,
. H .
, Internet

. ,

. ,
,
, ,
.
,

.
:

, .

, .
1.2

80,
,
. .
90 ,

.

CERT 1988-2003:

160000
140000
120000
100000
80000
60000
40000
20000
2003
2002
2001
2000
1999
1998
1997
1996
1995
1994
1993
1992
1991
1990
1989
1988
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003
132 252 406 773 1334 2340 2412 2573 2134 3734 9859 21756 52658 82094 137529
,

.
, (bugs).
,

.

. ,
,
.
.

CERT 1995-2003:

4500
4000
3500
3000
2500
2000
1500
1000
500
0
1995
1995
171
1996
1996
345
1997
1997
311
1998
1999
1998
262
1999
417
2000
2000
1090
2001
2001
2437
2002
2002
4129
2003
2003
3784
:

.
1.3

. ,

.
.
2002 Computer Security Institute (CSI)
FBI 503 ,
, , , 80%
. 223
$455,848,000.

($170,827,000) ($115,753,000).
2003 $201,797,340,
.

Internet. , 4 ,
(73%) Internet
(36%).
.

. Mydoom
9
38
, ,
, , .

.
1.4
, ,
.
,

.

(, , , )
.
. ,

, .
,

.
(risk analysis).

.

. , ,
,
.
. ,

.
,
,

.

,
.
10
.2. ( Risk Analysis)

2.1

mainframe .
.
.
,
mainframe.

.

,
.

. (risk
analysis).
2.2

:
:

, ,

.
:
,
.
:
.
, ,
4 :
1. ; ()
2. ; ()
3. ; ()
4. 3 ; (
)
11
:

. ,

.
:

,
.
.

.
2.3
BPL
B>P*L
BPL :
=
P =
L =

.
.
.
, .
.

. ,
.

.
,
BPL.
2.4

,
(cost effective)
,
.
.
, .
12
:

.
:
1. :

.
2.
:
,
.
.
13
3.
:
.
,
.
4. :

.
.
:
= x
5. :

. , :
- ( )
-
6. :
3 :
)
)
) ( )
:
- , .
- :

- .

- . , firewall
- , .
- (), . backup

.
7. :

.

. ,
, , .
.

.
14
2.5

.

.

,
.
.

.

.
.
.

.
.

.

. ,
.
.
15
2.6

.
.
: (quantitative) (qualitative).
:
(.
) .
( )
. (
, , ,
, ) .
:

(managers)
/ (cost/benefit) .
(
, )
.
.
:

.
.
,
(knowledge
base).
,
.

. ,
,
.
:

. .
, , .
.
,
.
.
.
16

,
.

.
:

.

:

. ,
.

/ (cost/benefit)

.
.
2.7

.

.
, .
.
.
.
.
() .
.

.
,

.
17
:
: , ,
: , ,
: , , ,
(
) :
, , , ,
, , ,
(. ),
, , .

.
, .

.

.
.
()

1.000
1
1 5
2
5 15
3
15 50
4
50 150
5
150 300
6
300 1
7
1 3
8
3
9

.
:
:
;
: ;
18

2
4
5
6
8
, .
. 5
,
4 .

.
19
.3
(Quantitative Risk Analysis)
3.1
,

.
. ,
.
3.2

() .
:
: 10.000
: 6.000
backup : 4000
backup: 1.000
: 21.000
.
(knowledge bases)
0,9
.

.
0 ( ) 1
( ). 0,3
30% 30%
.
(single loss expectancy) :
SLE = * = 21.000 * 0,3 = 6.300
(Annualized Loss Expectancy):
ALE = SLE * = 6.300 * 0,9 = 5.760
20

:

0,4
= 0
= 1.000
/ :
,
:
ALE = * * = 21.000 * 0,3 * 0,4 = 2.520
To ALE ALE = 5.760 2.520 = 3.240
,
.
RAID
RAID
. ,
,
. RAID
0,08.
= 3.000
= 0
/ :
:
ALE = * * = 21.000 * 0,08 * 0,9 = 1512
To ALE ALE = 5.760 1.512 = 4.248

.
, RAID
.

RAID; RAID
1512
:
ALE = * * = 21.000 * 0,08 * 0,4 = 672
To ALE ALE = 1.512 672 = 840
(1000 )
(840 )
.
21
3.3

.
,
,
.
. ,
.
22
.4
(Qualitative Risk Analysis)
4.1

.
,
.
,
. ,
.
.
4.2
10

.
:

.
.
10 . 10

.
1:
.
.
, ,
(.. ) .

.
. (..
Internet) ,
.

,
23
.
.
.
2:

.
,
.

( ).

,
(.. ).
( )
(management)
. .
,

.
3:
,
.
.

.

(knowledge base).
.

(brainstorming).
.
.
, .
.
1

:

24
4:
,
.

.
2.
3
4

.
.
.

.

.
3.
3

:

1
3
5
25
5:

.

, .
.

.
.
, .
2.
4.
4

:

1
3
5
5
4
3
6:

, 2 10.
,
.
5

:

...
5
3
1
3
4
5
8
7
6
,
.
, ,
.
26
7:

.

.

.
4 :
1. :
2. : ,

3. : ,

4. :

.
4
.
.

.
6

:

27

1.500
10.000
15.000
8: / (cost/benefit)
.
, , .
.

.

.

,
.
.
. /

.
.
9:
/
.
,

.
/ , ,

.

.
10:

. :
.
:
)

.
.

.
)
.

.
28
)

. (, , ).
,
.
)

, .

.

.
, . ,
.
4.3
FRAP (Facilitated Risk Analysis Process)

FRAP Thomas Peltier,
. FRAP

.
.

FRAP

.
.

,
. , ,
,

. FRAP.

, ,
. ,

.
,
. ,
,
, Internet .
29
,
,
/ .
26
.
.
, ,
.
,
project
(project lead)
(action plan).

/
. ,
.
FRAP :
1. , ,
project FRAP.
2. ,
7-15 , 4 50
.
3. FRAP (report), 4-6
FRAP .
4.
.
(pre-FRAP meeting)

, project (project leader) FRAP.
1 :
1.
10 ,
.
.
10 .
2.
,
.
FRAP
.
3. FRAP
FRAP.
30
4.
,
.
5.
(, ,
, , , )

.
.
FRAP
.
. ,
.

,
.
FRAP
FRAP .

(
). FRAP 7
15 . ,

.
, ,
:
-
- (Information Security)
-
-
-
- (Webmasters)
- firewalls

, .

FRAP.
,
. FRAP
.
31
FRAP

FRAP . FRAP :
1.
2.

3. -
4. ,
5.
6. ( )
7.

8. . , ,

9.
10.
11. FRAP
12. ,
FRAP

FRAP 4 .
3 4
FRAP
.
FRAP , ,
, .
, :
1. ()
2. Project (project leader)
3. FRAP
4.
5.

,
. ,
.
,
(brainstorming) ,
, ,
.
. 3
. ,
. ,

.
.
.
32
,
, ( )
. 10-15
.
. ,
.
3 , :
:
.
:
.
: .
.
3
:
:

: ,

:
.
( )
4 , :

, :
B
B
C
C
C
D

. :
1.
.
2. 3-4

.
, . ,

.
, 15 10 C 5
C .
33
3. 10 , , 10
. ,
.

. 26
FRAP
FRAP .
.
.
:
1.

.
2. 3-4
.
.
:
#

1
1,5,8,11

2
D
hardware software
3
2,4,11,17,20,24

4
( )

. 3 6
. , project FRAP
1 2
.
100% .

.
FRAP .
.
FRAP
.
34

FRAP 5
. , , project
(action plan).

(cross-reference sheet).
.
,
. (
), project
.
80%
. ,

. ,

/ .
,
.
4.4
OCTAVE (Operationally Critical Threat, Asset, and

Vulnerability Evaluation)
OCTAVE CERT (www.cert.org).
OCTAVE - (self-directed) .

(
).

.
,

. ,

.
200
. OCTAVE-S CERT,
.

OCTAVE 3 ,

.
(workshops),
.
35
OCTAVE
(: Introduction to the OCTAVE Approach)
OCTAVE
OCTAVE :
1.
2.
.
.

.

, .
. ,

,
.
(Preparation)
.
:
:
.
.

.
:
.
36
. ,

.
: ,

.
.
.
:
,
.
, .
: , ,
.
1

.
:
(: Managing Information Security Risks: The OCTAVE(SM) Approach)
37
1-3:
.

(assets) .
:
1.
2.
3.
4.
:
1. :
2. :

3. : .

4:
.

.
:
- 3
-
-
-
2
OCTAVE
()
(, , ). 2
:
38
5:

.
,
. 5
:
-
-
6:

.
5.

. 6 :
-
-
3
.

.
:
39
7:
.
. 7
:
-

-

-
8:
8 2 .

.
,
. :
- 1-3
- 7
-
-
-
,
.

.
:
-
-
- () ,

-
,
OCTAVE .
40
.5
5.1

. ,
.
,
.
.

.
.

Internet ( ).
5.2

80.
. ,
,

. 90
,

. ,
.
:
.
.
(knowledge bases)
,
.
,
,
.
:
,
. ,
.
.
41

,
.
.
.
:

,
.
.

.
:

.

.
.
:
,

.
.
. ,

.
:
,
.

.
:

, ,
.
.
:

.
, , ,
,
/.
,
.
,
42

.
What If:

. what if.
what if
.
.
:

. .

.
.
rtf, doc .
:

.
:

.
,
.
,
.

.
:

.
web browser
.
. ,
.
.
:

.

.
:

.
43
5.3
Callio Secura 17799

Callio Secura 17799
, Callio Technologies 2001
. Callio Secura 17799
BS7799 / ISO 17799.
,
,
. .
:
- ,
- ,
- ,
- ,
- ,
- , .

http(ColdFusion) server,
( ) web browser.
web site

,
, . server

.

(. version control). interface
.
Callio Secura
17799 (
).
44
Callio Secura 17799
45
5.4
COBRA
COBRA .
C&A Systems Security Ltd
3. ,
ISO17799/BS7799.

. ,
(knowledge
bases). What if ,

. ,

.
( )
.
MS Windows
interface .
5.5
CRAMM
CRAMM
CCTA (Central Computer and Telecommunications Agency)
1985
. ,
5,
Insight Consulting . CRAMM
, 500 23 ,
NATO. ,

ISO17799/BS7799. :
- (3000 )
. .
- What if
- Business Continuity
-
-

- MS Windows
- (
)
CRAMM ,

. , CRAMM Express

.
46
5.6
Ezrisk
Ezrisk Ezrisk Limited
.

. Ezrisk
, .
,
.
ISO17799/BS7799 .
,
. ,

ISO17799/BS7799, . Ezrisk

.
5.7
RiskWatch for Information Systems & ISO 17799

RiskWatch
,
.
.

. :
- ISO 17799
- ,
,
,
,
,
.
-

-
,
- ROI (Return on Investment). ,
/.
- What if
-
.
.
- (interface) windows
RiskWatch
.
: , , NSA (National
Security Agency), AT&T Vodafone
47

., Risk Analysis and Risk Management: Capabilities and Limitations
. ., ,
Alberts C., Dorofee A., Stevens J. and Woody C., Introduction to the OCTAVE Approach
(pdf), CERT, August 2003
http://www.cert.org/octave/approach_intro.pdf
Alberts C. and Dorofee A., Managing Information Security Risks: The OCTAVE(SM)
Approach, Addison Wesley, July 2002
Ding Tan, Quantitative Risk Analysis Step-By-Step, SANS Institute, December 2002
Krause M. and Tipton H., Handbook of Information Security Management,
http://www.cccure.org/Documents/HISM/ewtoc.html
McCarthy Linda, IT Security: Risking the Corporation, Prentice Hall PTR, February 2003
Meritt James, A Method for Quantitative Risk Analysis, CISSP
Nichols A., A Perspective on Threats in the Risk Analysis Process, SANS Institute, 2002
OCTAVE, CERT
www.cert.org/octave/
Peltier Thomas, Information Security Risk Analysis, Auerbach
Pierce E., The value of Risk Assessment - A Case Study, SANS Institute, 2003
Visintine Vishal, An Introduction to Information Risk Assessment, SANS Institute, 2003
Callio Secura 17799
www.callio.com
COBRA
www.riskworld.net
CRAMM
www.cramm.com
Ezrisk
www.ezrisk.co.uk
RiskWatch
www.riskwatch.com
48

()
CRAMM
49
.1.
1.1

.
,
.
1.2

(mission critical),
. ,

. ,
(servers)
.
1.3

CRAMM
,
The CRAMM Manager Insight Consulting,
4. (qualitative) ,

(quantitative) ,
.
.
1.4

. .
,
.
50
.2. CRAMM ()
CRAMM
(assets) ,
, .

(risk) ,
.
, (cost effective)
. ,
.
CRAMM :
-
-
-
-
-

-
-

.
51
.3. (assets)
3.1
CRAMM
:
(Data assets):
,
DNS server.
(End User Services):

.
.
:

, , , .
:
,

5
(software).
.
.

,
.

,
.

.
,
.
, CRAMM
.
, .
,
.
. ,
,
, .
(worst case).
1 10 (guidelines)
.
, ,
.
, , (
52
),
.
3.2

. .

.

.
,
:
Backup:
servers ,
(. )
. ,
backup . ,

.
DNS:

.
dns.
Smart Cards
smart cards
.

( , )
Authentication

(user account information).
,
. ,
mail .
.
AFS
AFS :
1. .
Internet.
2. licensing .

.

.
53

,
, .
( )
:
- 1 Backup Server
- backup server
- 2 DNS Servers ( )
- 1 Database Server smart cards
- 2 Authentication Servers ( , )
- 2 AFS File Servers
- 3 AFS License Servers
:
- Server Room, servers
- Backup Tape Room, backup
3.3
54
Backup
DNS Data
Backup
DNS
DNS
Servers
Backup
Server
Server
Room
Backup
Tapes
Server
Room
Backup
Tape
Room
Smart
Cards
Authentication
Data
Smart Cards
Authentication
Smart Card DB
Server
Authentication
Servers
Server
Room
Server
Room
AFS License
Data
AFS User Data

AFS
AFS
AFS File
Servers
AFS File
Servers
Server
Room
Server
Room
AFS License
Servers
Server
Room
55
3.4

. .
CRAMM
:
1
2
3
4
5
1.000
1.000 10.000
10.000 30.000
30.000 100.000
100.000 300.000 .
AFS File Servers

AFS License Servers
Authentication Servers
Backup Server
DNS Servers
Smart Card DB Server

3
3
2
3
2
2
. ,
, ,
.
:
:
DP = backup
DT = backup
I = (insiders)
= (outsiders)
DM =
.
56
.4.
4.1
CRAMM
. CRAMM
. ,

. , ,
:
-
-
-
-

.

:
- (logical infiltration)
- (communications infiltration)
- (failures of equipment)
- (physical threats) . ,

,
.
:
- very low
- low
- medium
- high
- very high

:
- low
- medium
- high
CRAMM .
(rapid risk assessment) .
.
57
, CRAMM
.
, .

(low, high ).
,
,
.
.

(guidelines) . ,
, ,
.
(
).
, ,

.
4.2

.
AFS:
, ,

dynamic licensing. :
Masquerading of User Identity by Insiders / Outsiders:
username password ,
. ,
,
. , administrator
.
Communications Interception:
server
.
Communications Failure:

, .
58
Authentication:
username password
,
. , ,
,
.
server
.

.
Backup:
Masquerading of User Identity by Outsiders:
backup .
,
backup .
backup, .
(
backup server .
backup,
.
DNS:
DNS
,
DNS tables. ,
DNS entry

. , (. www.auth.gr) DNS
(. ),

.
,
IP addresses, .
59
Smart Cards:

smart cards. smart
cards
.
. ,

.

,
smart cards.

.
AFS File Server:
Introduction of Damaging or Disruptive Software:
, ,
(worms), . AFS File Server
( backup),
AFS.
Technical Failure of Host:
(hardware).
server
server.
System and Network Software Failure:

server. (accidental)
. : .
Authentication Server:
, authentication
server.

.
Authentication.
60
Backup Server:
backup
backup.
backup
.
backup,
backup.
DNS Server:
DNS,
DNS backup DNS entries.
DNS
backup.
DNS
backup.
Smart Card DB Server:
smart card,
backup .

backup.
,
backup
smart cards.
AFS License Server:
license
information.
61
Technical Failure of Host / System and Network Software Failure:

.
Backup Tape Room:
Fire:
backup.
Theft by Insiders / Theft by Outsiders:
backup
.
Server Room:
servers. ,
,
.
Power Failure:
.
Air Conditioning Failure:
server room
.
Fire:
backup
server room.
Water Damage:
,
backup .
Theft by Insiders / Theft by Outsiders:
,
() .
Wilful Damage by Insiders:

,
backup.
62
4.3

.
,

. . .

.
.
.
:
- very low, 10.
- low,
3
- medium,
- high,
4
- very high,

. ,
.
.
63
Masquerading of User Identity by Insiders

!DNS
!Smart card
!Authentication
!AFS
Low
Medium
High
High
Low
Medium
Medium
Low
Masquerading of User Identity by Outsiders

!DNS
!Smart card
!Authentication
!AFS
!Backup
High
Medium
High
High
Medium
Low
Very Low
Medium
High
Medium
Introduction of Damaging or Disruptive Software

!Backup Server
High
!AFS File Server
High
!Smart Card DB Server
Medium
!Authentication Server
High
!DNS Server
High
AFS Licence Server
High
Very Low
Very Low
Low
Medium
Low
Very Low
Communications Interception
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
Medium
Medium
Medium
Medium
Communications Failure
!DNS
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
High
Very High
Very High
Very High
Very High
Very High
Technical Failure of Host

!Backup Server
!AFS File Server
!DNS Server
AFS Licence Server
High
High
High
High
High
High
Low
Medium
Medium
Medium
Medium
Medium
Power Failure
!Server Room
Medium
Very High
Air Conditioning Failure

!Server Room
High
Medium
System and Network Software Failure

!Backup Server
!AFS File Server
!DNS Server
AFS Licence Server
High
High
High
High
High
High
Medium
Very High
Very High
Very High
High
High
Fire
!Server Room
!Backup Tape Room
High
High
Low
Low
Water Damage
!Server Room
Medium
Low
Theft by Insiders
!Server Room
!Backup Tape Room
High
High
Low
Low
Theft by Outsiders
!Server Room
!Backup Tape Room
High
High
Low
Low
Wilful Damage by Insiders

!Server Room
Low
Very Low
64
.5. (risk)
5.1
CRAMM
.
,
.
CRAMM 1 ( ) 7 (
).
.
:
5.2

CRAMM
, .

.
65
Masquerading of User Identity by Insiders

!DNS
!Smart card
!Authentication
!AFS
Low
Medium
High
High
Low
Medium
Medium
Low
2
3
3
3
Masquerading of User Identity by Outsiders

!DNS
!Smart card
!Authentication
!AFS
!Backup
High
Medium
High
High
Medium
Low
Very Low
Medium
High
Medium
3
2
4
4
4
Introduction of Damaging or Disruptive Software

!Backup Server
High
!AFS File Server
High
Medium
!DNS Server
High
AFS Licence Server
High
Very Low
Very Low
Low
Low
Very Low
3
2
2
3
2
Communications Interception
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
Medium
Medium
Medium
Medium
3
4
3
5
Communications Failure
!DNS
!Smart card
!Authentication
!AFS
!Backup
High
High
High
High
High
Very High
Very High
Very High
Very High
Very High
5
4
4
4
3
Technical Failure of Host

!Backup Server
!AFS File Server
!DNS Server
AFS Licence Server
High
High
High
High
High
Low
Medium
Medium
Medium
Medium
2
2
2
3
3
Power Failure
!Server Room
Medium
Very High
Air Conditioning Failure

!Server Room
High
Medium
System and Network Software Failure

!AFS File Server
!DNS Server
AFS Licence Server
High
High
High
High
Very High
Very High
High
High
3
2
3
2
Fire
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Water Damage
!Server Room
Medium
Low
Theft by Insiders
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Theft by Outsiders
!Server Room
!Backup Tape Room
High
High
Low
Low
4
4
Wilful Damage by Insiders

!Server Room
Low
Very Low
66
5.3

,
. :
-
Authentication, AFS Backup

authentication backup
DNS, authentication, smart card AFS
server room
servers backup
server room backup
.
4 5,
.
. ,
,

.
:

.
.
67
.6.
6.1
CRAMM
.
.
. CRAMM
,
.
.
.
CRAMM
.

. ,
, . ,

.
6.2
CRAMM
CRAMM
.
:
-
Accounting, ( log files )

Audit, ( log files )
Backup of data
Backup Tapes Controls, backup
Business Continuity Planning,
Compliance Checks, .
Data Confidentiality over Networks,

Environmental Protection,
Equipment Failure Protection,

Fire Protection,
Identification and Authentication,
Malicious Software,
Power Protection,
Room Physical Security,
Software Change Controls,
Software Maintenance Controls,
System Administration Controls,
Theft Protection,
Vulnerability Analysis,
Water Protection, .
68
CD , .
( pdf rtf ).
. 2 ,

. ,
.
.
,
.
, .
.

.
6.3

CRAMM

.

.
6.3.1 Business Continuity Planning

(contingency
action plan) (disaster recovery).
.
Business Continuity Planning
.
6.3.2
:
server room , .

.
servers ,
.
backup .
.
server
room .
. ,
.
69
:

server room
.
, .

business continuity planning .
:
.
,
hardware.
: .
:
backup DNS
Authentication. hardware, proprietary
hardware . ,
(servers)
(RAID).
6.3.3
Firewall:
To firewall
.
firewall.
:
.
Backup, Authentication Smart Card
.
Smart card server server .
:
.

redundancy .
NOC
.
6.3.4
:

. .
70
:
(patching)

.
.
(strong passwords):
(
) .
, ,
. 6 .
3 .

.
brute force .
6.3.5
,
.
(Intrusion detection)
(accounting)
. , log
files .
6.3.6

(, worms, ) .
(.
logged in )
.7.

.
,
. .

.
71

.
, ,
.
,
( ). ,
2
.
.
.

:
Policy and Operations of Public Service:

Financial Loss:
(.
)
Loss of Goodwill:

(embarrassment) .
Personal Information:

(. ).
.
Management and business operations:
.
Disruption to Activities:
.
CRAMM V4.0
Data Asset Valuation

Confidential
Review: KYT Review

Data Asset
AFS License Data
Type of Data
Other Data Types
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
Impacts
Unavailability - less than 15 minutes
Guideline
Policy and Operations of Public
Service
Unavailability - 1 hour
Guideline
Service
Unavailability - 3 hours
Guideline
Service
Unavailability - 1 day
Guideline
Service
Unavailability - 2 weeks
Guideline
Service
Unavailability - 2 months and over
Guideline
Service
Scale
Value
1
Financial
Value
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 1
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
AFS License Data
Destruction since the last successful

back-up
Total destruction including back-ups
Guideline
Scale
Value

Service
Guideline
Scale
Value
5
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value

Service
Unauthorized disclosure to insiders
Guideline
Financial Loss
Unauthorized disclosure to outsiders
Guideline
Financial Loss
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 2
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
AFS User Data
Type of Data
Personal
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
home directory
AFS
Impacts
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Guideline
Scale
Value
Financial
Value
Loss of Goodwill
Guideline
Scale
Value
6
Loss of Goodwill
Guideline
Loss of Goodwill
Unavailability - 1 week
Guideline
Loss of Goodwill
Guideline
Loss of Goodwill

back-up
Loss of Goodwill
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 3
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
AFS User Data
Guideline
Personal Information
Guideline
Deliberate modification
Guideline
Loss of Goodwill
Scale
Value
1
Financial
Value
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 4
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
Authentication Data
Type of Data
Other Data Types
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
(login password)

Impacts
Unavailability - less than 15 minutes
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Guideline
Scale
Value
Financial
Value

Service

Service
Guideline
Service
Guideline
Service
Guideline
Service
Unavailability - 1 month
Guideline
Service

back-up
Confidential
12-Apr-2004 1:55:14
Page: 5
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
Authentication Data
Guideline
Service
Guideline
Guideline
Guideline
Scale
Value
8
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
5
Financial
Value
Scale
Value
3
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 6
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
DNS Data
Type of Data
Other Data Types
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
Domain Name data
Impacts
Unavailability - 1 hour
Guideline
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Scale
Value
5
Financial
Value
Scale
Value
6
Financial
Value
Guideline
Scale
Value
Financial
Value

Service

Service
Guideline
Service
Guideline
Service
Guideline
Service
Guideline
Service

back-up
Confidential
12-Apr-2004 1:55:14
Page: 7
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
DNS Data
Guideline
Service
Guideline
Loss of Goodwill
Scale
Value
5
Financial
Value
Scale
Value
3
Financial
Value
Confidential
12-Apr-2004 1:55:14
Page: 8
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
Backup
Type of Data
Personal
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
backup,
Impacts
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Financial
Value
Guideline
Scale
Value
Management and Business Operation
1
Scale
Value
2
Scale
Value
4
Scale
Value
5
Guideline
Scale
Value
6
Financial
Value
Scale
Value
6
Financial
Value
Confidential
12-Apr-2004 1:55:15
Page: 9
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
Backup
Guideline
Scale
Value
3
Financial
Value
Confidential
12-Apr-2004 1:55:15
Page: 10
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
smart cards
Type of Data
Other Data Types
Interviewees
Interviewers
Date
26/Mar/2004
Status
Completed
Description of Data
smart cards .
Impacts
Guideline
Scale
Value
1
Financial
Value
Scale
Value
2
Financial
Value
Scale
Value
3
Financial
Value
Scale
Value
4
Financial
Value
Guideline
Scale
Value
Financial
Value

Service
Guideline
Scale
Value
2
Loss of Goodwill
Guideline
Loss of Goodwill
Guideline
Loss of Goodwill
Guideline
Loss of Goodwill

back-up
Disruption to Activities
Financial
Value
Confidential
12-Apr-2004 1:55:15
Page: 11
CRAMM V4.0

Confidential
Review: KYT Review

Data Asset
smart cards

-

Guideline
Financial Loss
Guideline
Financial Loss
Scale
Value
3
Financial
Value
Scale
Value
3
Financial
Value
END OF REPORT V4.0
Confidential
12-Apr-2004 1:55:15
Page: 12

.
, .

. ,
. 4 ,
, , .
Very Low(VL) , Low(L), Medium(M), High(H),
Very High(VH). Low(L), Medium(M), High(H).
1-10 1-7.
3.1 , 4.1 5.1
:
UNAVAIL- = X
DISCL-I =
DISCL-O =
MODIF-DEL= ( )
DESTR-PART= backup
DESTR-FULL= backup
PHYSICAL-DEST=
CRAMM V4
Review: KYTP Review
Measure of Risk Report

Confidential
All Asset Groups

Threat
Asset: !AFS File Server
Vulnerability
Impact
MoR
Threat: Introduction of Damaging or Disruptive Software

DESTR-PART
VL
DISCL-I
VL
MODIF-DEL
VL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
DISCL-I
DISCL-O
Asset: !AFS
Threat
Threat: Technical Failure of Host
Threat: System and Network Software Failure
Vulnerability
Impact
MoR
Threat: Masquerading of User Identity by Insiders

UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
DESTR-PART
DISCL-I
MODIF-DEL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
MODIF-DEL
DISCL-I
DISCL-O
Threat: Masquerading of User Identity by Outsiders
Threat: Communications Interception
, 8 2004
Confidential
Page 1 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

Threat: Communications Failure
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: !Athentication Server
Threat
Vulnerability
Impact
MoR

DESTR-PART
DISCL-I
MODIF-DEL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
Asset: !Authentication
Threat
Vulnerability
Impact
MoR

UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
DESTR-PART
DISCL-I
MODIF-DEL
, 8 2004
Confidential
Page 2 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
MODIF-DEL
DISCL-I
DISCL-O
UNAVAIL-15ML
VH
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: !Backup
Threat
Vulnerability
Impact
MoR

DISCL-O
DISCL-I
DISCL-O
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: !Backup Server
Threat
Vulnerability
Impact
MoR

DISCL-I
VL
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
Asset: !Backup Tape Room
Threat
Vulnerability
Impact
MoR
Threat: Fire
DESTR-FULL
Threat: Theft by Insiders

DISCL-I
, 8 2004
Confidential
Page 3 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

Threat: Theft by Outsiders
DISCL-O
Asset: !DNS
Threat
M
Vulnerability
6
Impact
4
MoR

UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
DESTR-PART
MODIF-DEL
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
MODIF-DEL
UNAVAIL-1H
VH
UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: !DNS Server
Threat
Vulnerability
Impact
MoR

DESTR-PART
MODIF-DEL
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
Asset: !Server Room
Threat
Vulnerability
Impact
MoR
Threat: Power Failure

UNAVAIL-15ML
VH
UNAVAIL-1H
UNAVAIL-3H
, 8 2004
Confidential
Page 4 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

Threat: Air Conditioning Failure
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
PHYSICAL-DEST
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
UNAVAIL-2W
UNAVAIL-1M
UNAVAIL-2MO
DESTR-PART
PHYSICAL-DEST
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-1W
DESTR-PART
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DISCL-O
Threat: Fire
Threat: Water Damage
Threat: Theft by Insiders

DISCL-I
Threat: Theft by Outsiders
, 8 2004
Confidential
Page 5 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

Threat: Wilful Damage by Insiders
PHYSICAL-DEST
VL
UNAVAIL-15ML
VL
UNAVAIL-1H
VL
UNAVAIL-3H
VL
UNAVAIL-12H
VL
UNAVAIL-1D
VL
UNAVAIL-2D
VL
UNAVAIL-1W
VL
UNAVAIL-2W
VL
DESTR-PART
VL
Asset: !Smart Card DB Server
Threat
Vulnerability
Impact
MoR

DESTR-PART
MODIF-DEL
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
DESTR-PART
UNAVAIL-3H
VH
UNAVAIL-12H
VH
Asset: !Smart card
Threat
Vulnerability
Impact
MoR

UNAVAIL-3H
UNAVAIL-12H
DESTR-PART
MODIF-DEL
UNAVAIL-3H
VL
UNAVAIL-12H
VL
UNAVAIL-1D
VL
UNAVAIL-2D
VL
DISCL-O
VL
MODIF-DEL
VL

DISCL-O
, 8 2004
Confidential
Page 6 of 7
CRAMM V4
Review: KYTP Review

Confidential
All Asset Groups

UNAVAIL-3H
VH
UNAVAIL-12H
VH
UNAVAIL-1D
VH
UNAVAIL-2D
VH
Asset: AFS Licence Server
Threat
Vulnerability
Impact
MoR

DESTR-PART
VL
DISCL-I
VL
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
UNAVAIL-1D
UNAVAIL-2D
UNAVAIL-15ML
UNAVAIL-1H
UNAVAIL-3H
UNAVAIL-12H
DISCL-I
VL
DISCL-O
VL
, 8 2004
Confidential
Page 7 of 7

Theuygvvtsis

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Theuygvvtsis

Uploaded by

Copyright:

Available Formats

/

.2. ( RISK ANALYSIS)...............................................................................................................11

(QUANTITATIVE RISK ANALYSIS) ................................................20

(QUALITATIVE RISK ANALYSIS) ...............................................23

.2. ( Risk Analysis)

FRAP (Facilitated Risk Analysis Process)

OCTAVE (Operationally Critical Threat, Asset, and

(: Introduction to the OCTAVE Approach)

(: Managing Information Security Risks: The OCTAVE(SM) Approach)

(: Managing Information Security Risks: The OCTAVE(SM) Approach)

(: Managing Information Security Risks: The OCTAVE(SM) Approach)

Callio Secura 17799

Callio Secura 17799

RiskWatch for Information Systems & ISO 17799

Callio Secura 17799

AFS User Data

AFS File Servers

Technical Failure of Host / System and Network Software Failure:

Masquerading of User Identity by Insiders

Masquerading of User Identity by Outsiders

Introduction of Damaging or Disruptive Software

Technical Failure of Host

Air Conditioning Failure

System and Network Software Failure

Wilful Damage by Insiders

Masquerading of User Identity by Insiders

Masquerading of User Identity by Outsiders

Introduction of Damaging or Disruptive Software

Technical Failure of Host

Air Conditioning Failure

System and Network Software Failure

Wilful Damage by Insiders

Authentication, AFS Backup

Accounting, ( log files )

Equipment Failure Protection,

6.3.1 Business Continuity Planning

Data Asset Valuation

Review: KYT Review

Data Asset Valuation

AFS License Data

Other Data Types

Unavailability - 2 months and over

Data Asset Valuation

Review: KYT Review

Data Asset Valuation

AFS License Data

Destruction since the last successful

Total destruction including back-ups

Policy and Operations of Public

Policy and Operations of Public

Unauthorized disclosure to outsiders

Data Asset Valuation

Review: KYT Review

Data Asset Valuation

AFS User Data

Unavailability - 2 months and over

Destruction since the last successful

Total destruction including back-ups

Data Asset Valuation

Review: KYT Review

Data Asset Valuation

AFS User Data

Unauthorized disclosure to insiders