
Bucharest Academy of Economic Studies

Faculty of Economic Cybernetics, Statistics and Informatics (ECSI)


IT&C Security Master

RISK ANALYSIS IN SECURE SYSTEMS

Associate professor Ph.D. Emil BURTESCU
University of Pitesti
emil.burtescu@yahoo.com

Contents
Real world
Terms and definitions
Reference moments that highlight the need of security
Attacks and organization losses
Risk and company
Risk management and risk analysis
Threat, Vulnerability and Risk mitigation
Qualitative risk analysis
Quantitative risk analysis
Vulnerability analysis/workstation risk analysis
Countermeasures - Decisional process coordination
Costs and profitability: economic indicators of the security investment
Security outsourcing

Question.

Q: Why is that happening?

A: Unsecured or unlocked perimeter
A: Lack of visual warning

Which is the correct position of the switch?

Other questions.

- If the culprit for an attack is found, can your company prove it and sue the culprit?
- Does your company evaluate in detail and establish the profile of a new employee?
- Can your company prevent, detect and respond to an attack (from inside or outside)?
- If an important server is temporarily inoperable, how long until it is reinstated and fully operating?
  What are the effects on the business?
- Are there backup computers in your company (cold standby)? How much time is lost until they start operating?
  What are the effects on the business?
- Does your company control voltage variations? How long can the company "resist" without external power?
- Does your company back up its data regularly?


Tips and more

Philosophical Problem in Dealing with PC Security: most employees take the term Personal Computer (PC) literally.
Principle of Easiest Penetration: attack the weakest point.
One Form of Protection: Backup! Backup! Backup!
The Key to Successful Recovery: complete and timely backup.
The Bottom Line: storage media must be protected.

Terms and definitions

Good/asset
- Anything that represents a value within an organization. Here we include the buildings, hardware and software
components, data, personnel, plans and documentation etc.
Vulnerability
- A weakness concerning system procedures, system architecture, system implementation, internal control and other
causes that can be exploited to bypass the security system and to gain unauthorized access to information.
- Any weakness, administrative process, act or statement that makes a piece of information about an asset likely to
be exploited by a threat.
- A flaw or weakness in system security procedures, design, implementation, or internal controls that could be
exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the
system's security policy (NIST SP 800-3).
Threat
- Potential cause of an undesired impact on a system or organization (ISO 13335-1).
- An undesired event (intentional or accidental) that can damage the assets of the organization.
- The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific
vulnerability (NIST SP 800-3).

Terms and definitions (continuation)


Risk
- Threat that can exploit eventual system weaknesses.
- Combination of the probability of an event and its consequences (ISO Guide 73).
- A vulnerability triggered or exploited by a threat (NIST SP 800-3).

Impact - the overall expected loss of the business when a threat exploits a vulnerability against an asset.
Exploit - a means of using a vulnerability to cause a malfunction of the organization's activities or a failure of
information security services within the organization.
Exposure - a threat action through which sensitive information is released directly to an unauthorized entity
(RFC 2828).
Integrity - the property that data has not been altered or destroyed in an unauthorized manner (ISO 7498-2).
Accessibility (availability) - the property of a system to ensure its accessibility and usability at the request
of an authorized user or process within the system.
Confidentiality - the property that information is not made available or disclosed to unauthorized persons,
entities or processes (ISO 7498-2).

Terms and definitions (continuation)


Sensitive data - any data that cannot be made public.
Control - an organizational, procedural or technological means of controlling the risk; a synonym for safeguard
or risk prevention measure.
Reduction (risk) - a combination of planned measures and actions that are taken at the level of the organization in
order to mitigate or eliminate a risk.
Reduction solution - the implementation of an organizational, procedural or technological control meant to help
security risk management.
Defense in depth - solution for ensuring security on multiple levels, meant to protect against the failure of a single
safety component.
Reputation - the opinions that people have about the organization. A value difficult to calculate.
Risk assessment/risk analysis - the process of identifying security risks, determining their magnitude, and
identifying areas needing safeguards.
Risk management - the total process of identifying, controlling, and eliminating or minimizing uncertain events
that may affect system resources.
Qualitative analysis - approach to risk analysis in which relative values are assigned to goods, assets, risks,
controls and impacts.
Quantitative analysis - approach to risk analysis in which objective (real) numerical values are assigned to goods,
assets, risks, controls and impacts.

Terms and definitions (continuation)

Annual Loss Expectancy (ALE) - the total amount of money that an organization will lose in a year if it does not
take measures to minimize or eliminate the risk.
Annual Loss Expectancy per Asset (ALEa) - the total amount of money, related to one good, that the organization
will lose in a year if it does not take measures to minimize or eliminate the risk that affects that good.
Annual Loss Expectancy per Threat (ALEt) - the total amount of money, created by one threat, that the organization
will lose in a year if it does not take measures to minimize or eliminate the risk that affects the goods.
Annual production/occurrence rate (of an event) - value which quantifies the number of times an event may
occur during one year.
Cost-benefit analysis - estimation and comparison of the relative value and cost of each proposed control; the
efficiency criterion used to choose the control that will be implemented.
Return on investment (the profit from investing in security) - the total amount of money that an organization
expects to save in one year by implementing security measures.
User - a person who uses a computer system (expert or novice).
End user - a person/user who runs an application program.

Need of security

Stages in electronic information theft:
1970 - Phone line piracy (phreaking/boxing)
1980 - Illegal dial-up connections
1990 - Unauthorized Internet access

Reference moments that highlight the need of security

November 2nd, 1988 - Giant Worm
A worm (a virus, according to some) launched on the Internet infects 60,000 computers from all over the
United States. It quickly spread from computers in Cambridge, Massachusetts and Berkeley, California, to the
computers in Princeton, then to the NASA Ames Research Center in Silicon Valley, California, to the University of
Pittsburgh, to Los Alamos National Laboratory and to other universities, military bases and research institutes.
The costs necessary to stop the worm and to test the infected systems were estimated at between 1,000,000 and
100,000,000 dollars. Culprit: Robert T. Morris, student at Cornell University.

September 11th, 2001
Attacks on the World Trade Center (WTC) and the Pentagon.
The attacks cause damages of over $100 billion.
Thanks to existing disaster recovery plans, communications are restored quickly and some companies manage to
come back online within 48 hours of the attack. After these attacks, the United States and other countries
review their security policies.

Reference moments that highlight the need of security (continuation)


1. Cliff Stoll, employee at Lawrence Berkeley Laboratory, during 1988 attacked 450 computers in West Germany,
managing to penetrate 30 of them. Initially accused of unauthorized access, after it came out that he had sold
secrets to the KGB, he was charged with espionage.
2. In 1990, an Australian student, who called himself Phoenix, was blamed for causing the 24-hour shutdown of NASA
computers in Norfolk, Virginia. He also altered information at Lawrence Livermore National Laboratory in
California.
3. In 1988, a number of air transport agencies discover that somebody managed to penetrate their systems and print
illegal plane ticket reservations. For the first time the question appeared of whether terrorist organizations did
so in order to gain access to passenger lists. The question reappeared when members of the Kuwaiti royal family were
taken hostage on board a plane. The same question was asked again after the attacks of September 11th, 2001.
4. In April 1986, an intruder known as Captain Midnight manages to increase the transmission power of an HBO channel,
transmitting his own message to millions of viewers. This action raised the question of the eventual use of such
actions for terrorist purposes.
5. The event recorded as the Constitution Loss may be the most serious human error in implementing security. In
1991, before the final vote on the Constitution of Colombia, a user who had to make the last changes to the online
version made a mistake that resulted in loss of data. With no backup, the data was restored after laborious work,
using the drafts of the Committee members for the new Colombian Constitution.
6. In January 1988, at the Hebrew University in Jerusalem, hundreds of computers are found to be infected with a
virus. The virus was active on every 13th of the month that fell on a Friday; it slowed down processes and erased
the data from that 13th. The virus was also named Columbus Day or Datacrime.
7. In 1989, a 14-year-old kid from Kansas manages, using an Apple computer, to penetrate the positioning system of
the satellites belonging to the Air Force, to make international calls and to access confidential files.
8. The Flamble virus can be included in a special category of viruses. It also acts on hardware equipment, by
increasing the horizontal scanning frequency of the monitor's electron beam beyond the admitted limits. As a result,
the monitor is set on fire. In 1988 this virus affected a consulting company in San Jose, California.

Reference moments that highlight the need of security (continuation)


9. In 1988, a researcher working for a commission that investigated the business with Iran discovers, on a computer
used by Oliver North, stolen secret data referring to the NSC. These had been transferred to and then deleted from a
computer, considered safe, belonging to the White House.
10. In 1984, the manager of a company managed, by manipulating a computer, to transfer $25 million in funds while
trying to fool the audit.
11. In March 1999, the Melissa virus manages to block e-mail services all over the world. The damages produced are
estimated at $80 million. The culprit is found in the person of David Smith, programmer, who named the virus after a
topless dancer. Once sentenced, he served several years of imprisonment in state and federal prisons in the
United States.
12. The Love Letter worm manages to infect 45 million computers in a single day of the year 2000.
13. In February 2000, the activity of many e-commerce sites, including Yahoo!, eBay and E*Trade, was affected by a
new DoS-type attack, called Distributed Denial of Service (DDoS). The attack used client-server technology to focus
the attack on certain points. The culprit was found, after months of searching, in the person of a young hacker.
14. In October of the same year, Microsoft reported that a young hacker had gained access to a portion of its own
LAN.
15. The website of the US State Department was attacked in October 2002 and filled with obscenities. Therefore, its
operation had to be interrupted.
16. After the attack in Bali in October 2002, when Australia put pressure on the terrorist groups in Indonesia
allegedly responsible for the attack, over 200 Australian websites were attacked by Indonesian hackers.
17. The Internet structure itself was attacked in October 2002: 13 root servers were affected by DDoS and many
users found themselves unable to make connections.
18. A conference against theft of information was sabotaged in May 2003. The hackers managed to steal about 1000
names and e-mail addresses of the persons participating in the conference.

Types of attacks or reported abuses

(Chart: percentage of respondents reporting each type of attack, 1999-2006, on a 0-100% scale. Categories:
internal abuses of the network, viruses, laptop theft, unauthorized access, service denial (DoS), system
penetration, intellectual property theft, telecommunications fraud, financial fraud, sabotage, wireless networks
abuse, public web servers abuse, website damage.)
Source: Computer Security Institute, CSI/FBI 2006 Computer Crime and Security Survey

Types of attacks or reported abuses

Attack                              2004   2005   2006   2007   2008
Denial of service                    39%    32%    25%    25%    21%
Laptop theft                         49%    48%    47%    50%    42%
Telecom fraud                        10%    10%     8%     5%     5%
Unauthorized access                  37%    32%    32%    25%    29%
Virus                                78%    74%    65%    52%    50%
Financial fraud                       8%     7%     9%    12%    12%
Insider abuse                        59%    48%    42%    59%    44%
System penetration                   17%    14%    15%    13%    13%
Sabotage                              5%     2%     3%     4%     2%
Theft/loss of proprietary info       10%     9%     9%     8%     9%
  from mobile devices                  -      -      -      -     4%
  from all other sources               -      -      -      -     5%
Abuse of wireless network            15%    16%    14%    17%    14%
Web site defacement                   7%     5%     6%    10%     6%
Misuse of Web application            10%     5%     6%     9%    11%
Bots                                   -      -      -    21%    20%
DNS attacks                            -      -      -     6%     8%
Instant messaging abuse                -      -      -    25%    21%
Password sniffing                      -      -      -    10%     9%
Theft/loss of customer data            -      -      -    17%    17%
  from mobile devices                  -      -      -      -     8%
  from all other sources               -      -      -      -     8%

2008: 433 respondents
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Types of attacks or reported abuses (chart; 2008: 433 respondents)
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Losses due to attacks within the organization (chart; 2008: 144 respondents)
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Security technologies used (year 2008) (chart; 521 respondents)
Source: Computer Security Institute, CSI/FBI 2005 Computer Crime and Security Survey

Main attack sources (chart)
Source: Computer Security Institute, CSI/FBI 2003 Computer Crime and Security Survey
2003: 488 responses / 92%
2002: 414 responses / 82%
2001: 484 responses / 91%
2000: 583 responses / 90%

Techniques used for the evaluation of security (chart; 2008: 496 respondents)
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Actions taken after an incident (chart; 2008: 295 respondents)
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

Why aren't the incidents reported? (chart; 2008: 233 respondents)
Source: Computer Security Institute, CSI/FBI 2008 Computer Crime and Security Survey

2008 CSI Computer Crime and Security Survey - New Questions (charts)

The latest CSI/FBI findings (charts, continued over several slides)
Source: Computer Security Institute, CSI/FBI 2010 Computer Crime and Security Survey

What do we want to obtain through risk management and/or risk analysis?

S E C U R I T Y

Secrecy - prohibiting unauthorized access of persons to information which is not intended for them.
Accuracy - data stored in the computer cannot be altered, or can only be modified by authorized persons.
- Data stored in the computer are only accessed by authorized persons.
Basement - confirms the authenticity of an electronic message.

What can the company do?

1. Establishing the personnel responsible for ensuring security.
2. Establishing the main stages for ensuring security:
- Defining and obtaining the approval for a security table
- Evaluation of the existing security policies
- Creation of security policies
- Implementation of security policies
- Process surveillance
- Risk analysis
- Data and document classification
- Establishing access rights
- Defining the security policy
- Planning, designing and technical implementation of security measures
3. Defining the demands for improving security.
4. Informing the personnel about the adopted measures:
- Awareness (program)
- Executive communication (program)
5. Audit and monitoring of security:
- Hardware control and evaluation
- Software control and evaluation
- Intrusion monitoring and vulnerability scanning
- Response to intrusions

What can the company count on?

COMPANY
People
- Training
- Responsibilities
- Knowledge
- Organization

Processes
- Policies
- Procedures
- Standards

Technologies
- Infrastructure
- Applications

Risk management cycle (variant)

(Figure: a cycle with the stages Risk analysis, Determination of needs, Policy implementation, Control
implementation, Monitoring and Evaluation, with Assistance and Awareness at the convergence point.)

Source: http://www.noweco.com/
At http://www.noweco.com/downe.htm one can find material referring to risk management (trial software, brochures,
presentations).

Risk management cycle (Microsoft variant)

(Figure: the four phases as a cycle - 1. Assessing risk/Risk evaluation, 2. Conducting decision support,
3. Implementing controls, 4. Measuring program effectiveness.)
http://technet.microsoft.com/en-us/library/cc163143.aspx

Risk management cycle (Microsoft)

Risk evaluation - Identifying and classifying the risks that can affect the business.
Conducting decision support - Identifying and evaluating the control measures and solutions, taking into account
the cost-benefit ratio.
Control implementation - Implementing and running control measures meant to reduce or to eliminate the risks.
Measuring the program's efficiency - Analyzing the efficiency of the adopted control measures and checking whether
the applied controls ensure the established protection level.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Effort level (Microsoft)

(Figure: effort curve - relative effort level on the vertical axis, plotted across the process stages Data
gathering, Summary risk analysis, Detailed risk analysis, Decision support, Implement controls, Operate controls.)
Relative Level of Effort During the Microsoft Security Risk Management Process
http://technet.microsoft.com/en-us/library/cc163143.aspx

The levels of security risk management (Microsoft)

Level / Status - Description

Non-existent - The company does not have a well-documented security policy.

Ad hoc - The company is aware of the risk. Risk management efforts are hurried and chaotic. Policies and
processes are not well documented. Risk management projects are chaotic and uncoordinated, and the results cannot
be measured and evaluated.

Repeatable - The company has knowledge about risk management. The risk management process is repeatable but
immature. The risk management processes are not sufficiently documented, but the company is taking action in this
direction. There is no formal training or communication regarding risk management, the responsibility being left
to the choice of the employee.

Defined - The company adopts a formal decision to implement risk management. The objectives and the ways of
measuring the results are clearly defined. The employees are formally trained at a basic level.

Managed - Risk management is well understood in all departments and levels of the company. There are well-defined
procedures for control and risk reduction. Efficiency can be measured. The personnel is trained. The allocated
resources are sufficient. The benefits are visible. The risk management team works to permanently improve the
processes and the instruments they use. A great deal of the risk evaluation, control identification and
cost-benefit analysis processes are non-automatic (manual).

Optimized - The organization has committed significant resources to security risk management, and staff members
are looking toward the future trying to ascertain what the issues and solutions will be in the months and years
ahead. The risk management process is well understood and significantly automated through the use of tools (either
developed in-house or acquired from independent software vendors).
http://technet.microsoft.com/en-us/library/cc163143.aspx

Organizational Risk Management Maturity Level Self Assessment (Microsoft)

Each question is scored from 0 to 5.

1. The information security assurance policies are clear, concise, well documented and complete. (0-5)
2. All positions with responsibilities regarding information security have clear and well-understood roles and
responsibilities. (0-5)
3. The policies and procedures for securing the partners' access to the company's data are well documented. (0-5)
4. There is an accurate and up-to-date inventory of IT components, both hardware and software. (0-5)
5. The existing control systems are adequate and work with the correct parameters to protect the company's data
against inside or outside unauthorized access. (0-5)
6. The policies and practices for data security assurance are known by the users, who are periodically trained and
informed about the latest developments. (0-5)
7. Physical access to the computer network and other IT components is restricted by using efficient control
systems. (0-5)
8. The computers are equipped according to the security standards in the field, having automatic instruments for
assuring data security. (0-5)
9. An automatic management system has been created which updates the programs within the organization and is
capable of automatically delivering software updates from most providers to the great majority of computers in the
organization. (0-5)
10. A team that reacts and responds in case of incidents has been created. This team has developed efficient
processes and has created the necessary documentation for this purpose, in order to solve security incidents. All
these incidents are analyzed until the root cause is found and the problems of any kind are solved. (0-5)
11. The company owns a complete antivirus program which includes multiple protection layers, user training and
efficient processes for responding to virus attacks. (0-5)
12. The user provisioning processes are well documented and at least partially automatic, so that new employees,
providers or partners are guaranteed a proper access level to the computers of the organization in a short period
of time. These processes should also quickly create a new user account and delete old accounts and the accounts
which are no longer needed. (0-5)
13. Access to computers and the network is controlled through authentication and authorization, restrictive
access control lists on data and preventive monitoring for company policy violations. (0-5)
14. Those who deal with application development are given periodic training and are aware of the security
standards for creating software, but also of quality testing. (0-5)
15. Business continuity (of the activity) and the programs that provide this standard are clearly defined, well
documented and periodically tested through simulations and rehearsals. (0-5)
16. Programs have been launched (and are efficient) to make sure that all employees carry out their tasks in a
manner consistent with the legal provisions. (0-5)
17. Reviews and audits (official examinations) are used to verify compliance with the standard procedures in order
to obtain security benefits. (0-5)

Final score: 0 ... 85

http://technet.microsoft.com/en-us/library/cc163143.aspx

Score obtained / Stage

51 ... 85 - The company is prepared to introduce and use Microsoft security risk analysis management processes.

34 ... 50 - The company has to go through several ... stages ... of the risk control ... and to gradually ...
introduce new security control processes.

0 ... 33 - The company in this category must first create the nucleus of a risk analysis management team. The team
will concentrate its efforts for a period of several months on one of the departments. After the viability of the
applied risk reduction measures is proved, they will extend the measures to the next two or three departments.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Other questions that will define the security level of your organization and will guide you to the subsequent
actions are available at:

http://csrc.nist.gov/
http://csrc.nist.gov/publications/nistpub/index.html

Security Guideline 800 series - the file Mapping-of-800-53v1.doc

NIST
National Institute of Standards and Technology
Security Self-Assessment Guide for Information Technology Systems

Rules and responsibilities during the security risk management process (Microsoft)

Title - Responsibility

Executive director - Manages all activities that represent a risk to the business: development, fund allocation,
licensing and support for the risk management team. Responsibility assured by the chief of security or the chief
of information security. The last level at which an acceptable risk for the business is defined.

Business owner
- Is responsible for the material (tangible) and non-material (intangible) assets of the business (company).
- Responsible for establishing the business goods that have priority and for defining the level of impact on
these assets.
- Defines the acceptable risk level.

Information security group
- Owns the larger process of risk control.
- Risk analysis stages: evaluation and risk prioritization for the business.
- The team is minimally composed of a risk evaluation assistant and a secretary.

IT group - Responsible for architecture, engineering and operations.

Rules and responsibilities during the security risk management process (Microsoft) - continuation

Title - Responsibility

Security risk management team
- Responsible for leading the risk control program.
- Responsible for the risk evaluation stage.
- Establishes the priority risks.

Risk evaluation assistant
- Leads the discussions for data collection.
- Can lead the whole risk management process.

Secretary - Records detailed information from the data collection discussions.

Risk reduction team - Responsible for implementing and maintaining control solutions for bringing the risk to an
acceptable level.

Security leading committee - Is composed of members of the risk control team, IT group representatives and
shareholders of the business. The executive director is the chief of the committee. He is responsible for
selecting the risk reduction strategies and defining an acceptable risk for the company.

Stakeholders - Defines the direct or indirect participants in the risk management process. It can include groups
and persons from outside IT.

Rules and responsibilities during the security risk management process (Microsoft) - schematic

(Figure: Owner, Security Group and IT Group, with the activities: establishes what is important; determine
acceptable risk; assess risk/risk evaluation; prioritize risks; defining security requirements; best control
solution; design and build security solutions; measure security solutions; operate & support security solution.)
http://technet.microsoft.com/en-us/library/cc163143.aspx

Risk management cycle (Microsoft) - the phases in detail

1. Assessing risk / Risk evaluation
- Establishing the data collection plan - discussing the solutions for data collection effectiveness.
- Data collection - collecting, grouping and analyzing data.
- Prioritizing/ranking risks - establishing solutions for classifying and quantifying risks.

2. Conducting decision support
- Defining the functional requirements - defining the functional requirements for risk reduction.
- Selecting the possible control solutions - summary of the possible solutions that will reduce the risk.
- Solutions review - evaluation of the control solutions against the imposed requirements.
- Estimation of risk mitigation - estimation of the reduction in exposure or in risk likelihood.
- Estimation of solution costs - evaluation of the direct and indirect costs of risk mitigation.
- Selection of the cost reduction strategy - complete cost-benefit analysis for determining the optimum.

3. Implementing controls
- Looking for an integrated approach - correlation between people, processes and technologies for risk
attenuation.
- Organizing control solutions - organizing the risk reduction solutions on the company's activities.

4. Measuring program effectiveness
- Developing a risk level evolution diagram - understanding the risk level and its evolution.
- Measuring the effectiveness of the program - periodic evaluation of the risk management program for its
periodic improvement.
- Continuous review of the adopted control measures.

Risk management vs risk analysis

Comparison     Risk management                                      Risk analysis/assessment
Objectives     Manages risk, in the sense of reducing it to an     Identifies and prioritizes risks within the
               acceptable level for the needs of the company.      company.
Process type   Permanent process on all phases.                    Works only in one phase, when risk evaluation
                                                                   is needed.

(Figure: the four-phase Microsoft cycle - 1. Assessing risk/Risk evaluation, 2. Conducting decision support,
3. Implementing controls, 4. Measuring program effectiveness.)

Risk evaluation steps:
1. Planning
- Alignment
- Purpose
- Acceptance
2. Data collection facilitation
- Determining the company's goods
- Identifying the threats
- Identifying the vulnerabilities
- Exposure estimation
- Occurrence probability estimation
- Summary
3. Risk prioritizing
- Coordinating a summary prioritization of the risk level
- Summary of the risk level prioritization
- Review together with the owner
- Detailed analysis of the risk level prioritization
- Detailing the risk level prioritization

Why is risk analysis done?

- Identifying the company's goods/assets
- Identifying the (security) controls
- Warns the company's management about the conditions that can produce risks
- Warns about the necessity of adopting control measures
- Guides resource allocation
- Relates the control program to the company's mission
- Offers criteria for designing and evaluating the damage plans
- Offers criteria for designing and evaluating the recovery plans
- Improves overall awareness

Risk analysis approaches

Qualitative analysis - works with less complex data.
Quantitative analysis - works with statistical data in the field.
Vulnerability analysis/workstation risk analysis - puts the employee in the foreground and quantifies the specific
working conditions.

Risk
- Threat that can exploit eventual system weaknesses.
- Combination of the probability of an event and its consequences (ISO Guide 73).
- A vulnerability triggered or exploited by a threat (NIST SP 800-3).

Risk is an event that is waiting to happen.

Risk analysis is the process of identifying security risks, determining their magnitude and identifying the areas
with a high degree of risk that need to be secured. Risk analysis is part of the set of measures called Risk
Management. Risk evaluation is the result of a risk analysis process.
Risk management can be defined as the total system of methods for identifying, controlling, eliminating or
minimizing the events that can affect the system's resources.
This includes:
- risk analysis;
- cost-benefit analysis;
- mechanism selection;
- evaluating the security of the adopted measures;
- risk analysis in general.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Defining the risk level (Microsoft)

Asset: what do we want to protect?
Threat: what are we afraid of happening?
Vulnerability: how could the threat occur?
Mitigation: what is currently reducing the risk?
Impact: what is the impact to the business?
Probability: how likely is the threat, given the current controls?

Defining the risk level

Risk level = Impact rate x Probability rate
where
Impact rate = Impact class x Exposure factor

Risk categories
Risks can be categorized by their sources. A first categorization may be:

1. Reporting, legal and commercial relations
2. Economic circumstances
3. Political circumstances
4. Technical and technological problems
5. General management and control activities
6. Individual activities
7. Human behavior
8. Natural events

The standards in the field offer the following risk categorization:

1. Asset management
2. Management of change
3. Understanding
4. Environment
5. Financial
6. General management
7. Responsibilities
8. Personnel
9. Services and production
10. Technology

Risk categories (continued)
The standards in the field offer the following risk categorization, with examples:

No. | Category          | Examples / description
1   | Diseases          | Affect people, animals and plants.
2   | Economic          | Currency fluctuations, interest rate fluctuations, market shares.
3   | Environment       | Noise, pollution, contamination.
4   | Financial         | Contractual risks, insufficient funds, fraud, fines.
5   | Human             | Riots, strikes, sabotage, errors.
6   | Natural disasters | Climatic conditions, earthquakes, storms, volcanic eruptions.
7   | Safety measures   | Inadequate safety measures, improper safety management.
8   | Productivity      | Design errors, substandard quality control, inadequate testing.
9   | Professional      | Poor or insufficient training, negligence, design errors.
10  | Property damage   | Fire, floods, earthquakes, contamination, human errors.
11  | Public            | Public relations.
12  | Security          | Attacks, intrusions, storms, vandalism.
13  | Technological     | New (untested) technologies, old technologies, dependent technologies.

Risk categories: summary (figure)
The company (its people, processes and technologies) sits at the center, surrounded by natural threats, human threats and environmental threats; each of these is a source of events.

What can we do to mitigate the risk?

Control: applying countermeasures, that is, implementing controls.

Really? Is it so easy?

In the ideal case (figure): the countermeasures block the threat completely and the risk level = 0 (zero). This is perfect,
but
in real life (figure): the countermeasures leave a risk level > 0 (zero). This is the residual risk.

Vulnerability and threat
Vulnerability
- A weakness in system procedures, system architecture, system implementation, internal controls or other causes that can be exploited to bypass the security system and gain unauthorized access to information.
- Any weakness, administrative process, act or statement that makes information about an asset likely to be exploited by a threat.
- A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy (NIST SP 800-30).

Factors that determine vulnerability:
- physical;
- natural;
- hardware;
- software;
- storage media (hard drives);
- radiation (emanations);
- communication;
- human.

Intentional threats are the most frequent ones. They can be categorized as:
- internal;
- external.
Internal threats come from the company's own employees.
External threats come from several categories of actors:
- foreign espionage agencies;
- terrorists and terrorist organizations;
- criminal organizations;
- raiders;
- hackers and crackers.

Threat (types and examples)

Type of threat     | Examples
Catastrophic       | Fire; flood; earthquake; landslide; avalanche; storm/hurricane; terrorist attack; riots; explosion (industrial)
Accident           | Non-standard voltage; hardware flaw; mechanical disconnections; control device flaw; construction accident
Unintentional acts | Uninformed employee/collaborator; untrained employee/collaborator; negligent employee/collaborator
Intentional acts   | Hacker, cracker; espionage (business partners, competition); espionage (foreign governments); computer criminal; social engineering; disgruntled employee; disgruntled ex-employee; terrorist; blackmailed employee; fake employee

Vulnerability (types and examples)

Type of vulnerability | Vulnerability
Physical              | Unlocked/unsecured rooms; unlocked/unsecured windows; building design flaws; building construction flaws; insufficient fire-protection systems; improperly stored flammable materials
Natural               | Construction in flood-prone areas; construction in unsuitable areas; construction in avalanche-prone areas; construction in areas with unstable ground
Hardware              | Inappropriate configuration; physically unsecured computer system; missing patches; old equipment; inadequate protocols
Software              | Outdated antivirus software; outdated firewall software; missing patches/fixes; non-professional applications; applications with built-in backdoors; improper software configuration
Storage media         | Defective storage enclosures; inappropriate hard drives; vulnerable hard drives
Communications        | Radio interference; electrical interference; unencrypted communications; unencrypted protocols within the network; interconnections between several networks; active protocols that are not in use; no filtering of the traffic between subnets
Human                 | Failure to report attacks; weak response to attacks; lack of disaster recovery plans; insufficient procedure testing

Defense in depth model (Microsoft)

Layers: Physical, Network, Host, Applications, Data.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Data collection

Involving the owner.
The owner knows best what the assets of the organization are, what their values are and what impact undesired events have on them.

Dividing into groups.
Each group has specific responsibilities.

Communication between departments.
Involvement of, and communication with, the IT departments is essential.

Discussion, not interrogation.
The discussions that take place and the questions that are asked must not be annoying or feel like an interrogation.

Responsibility and awareness.
Both the responsibility taken in the data collection process (and afterwards) and the awareness of the importance of every phase are reflected in the final data.

Data collection: sampling
How certain can you be? (confidence level)
Precision.
Margin of error.
Number of workstations/computers that must be tested (the population).
Number of workstations/computers actually tested (the sample).
Testing is done on the sample, but the results must then be extrapolated to the total number of workstations/computers.

http://www.macorr.com/ss_calculator.htm
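The sample-size reasoning above (confidence level, margin of error, population versus sample, extrapolation back to the whole fleet) worked in code, as an added example that is not part of the lecture. It uses the standard Cochran formula with the finite-population correction, which is the calculation behind calculators such as the one linked; the 250-workstation scenario and the "19 of 152 unpatched" result are constructed.

```python
"""Sample size for workstation testing: Cochran's formula with the
finite-population correction, and extrapolation of a sample result to
the whole population. Added example; not the lecture's own material."""
import math

# Two-sided z-scores for the usual confidence levels.
Z_SCORE = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(population: int, confidence: float = 0.95,
                margin: float = 0.05, p: float = 0.5) -> int:
    """Number of workstations to test so that the proportion measured on the
    sample is within +/- margin of the true proportion at the given confidence.
    p is the expected proportion of affected machines; 0.5 is the worst case
    and therefore the safe default when nothing is known in advance."""
    z = Z_SCORE[confidence]
    n0 = z * z * p * (1 - p) / (margin * margin)   # infinite-population sample
    n = n0 / (1 + (n0 - 1) / population)           # finite-population correction
    return min(population, math.ceil(n))


def extrapolate(found: int, sample: int, population: int, margin: float = 0.05):
    """Extend a sample result to the whole population: the point estimate of the
    number of affected workstations and the interval implied by the margin."""
    share = found / sample
    low = max(0.0, share - margin)
    high = min(1.0, share + margin)
    return (round(share * population),
            round(low * population),
            round(high * population))


if __name__ == "__main__":
    # Constructed scenario: 250 workstations, 95% confidence, 5% margin.
    n = sample_size(250)
    print(f"test {n} of 250 workstations")
    # Suppose 19 of the tested machines were missing a critical patch.
    print("estimated affected (point, low, high):", extrapolate(19, n, 250))
```

Note that the correction matters: 250 workstations need 152 tests, while 10,000 need only 370, so the sample grows much more slowly than the fleet.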

Data collection (Microsoft)

Identify the assets for which your group is responsible for development, management and maintenance, and classify each by impact (H, M, L):

Asset       | Impact classification (H, M, L)
DB server   |
LAN printer |

For each asset the following table is filled in, one row per layer of the defense in depth model (Physical, Network, Host, Applications, Data):

Layer (defense in depth) | What are we afraid of? (threat) | How may it happen? (vulnerabilities) | Exposure level (H, M, L) | Current control description | Probability (H, M, L) | Potential controls

http://technet.microsoft.com/en-us/library/cc163143.aspx

Data collection (Microsoft)

Information collected through the data collection process (the exposure and impact rate columns of the slide are left blank):

Asset class | Asset description | Applicability level | Threat description  | Vulnerability description       | Exposure rate (H, M, L) | Impact rate (H, M, L)
Data        | Client data       | Host                | Unauthorized access | Theft or password guessing      |                         |
Data        | Client data       | Host                | Alteration          | Viruses; improper configuration |                         |

http://technet.microsoft.com/en-us/library/cc163143.aspx

Social approach to risk (figure): the security group sits between the employer and the employees and gathers its information through interviews and discussions.

http://technet.microsoft.com/en-us/library/cc163143.aspx


Security risk analysis

Qualitative security risk analysis

This method is used more often than the quantitative method, mainly in small companies.
The method does not use statistical data. Instead it uses the loss potential as input.
The method operates with terms such as:
- often/high, medium, seldom/low, referring to the probability of risk occurrence and to its impact;
- vital, critical, important, general and informational, referring to the type and classification of the information;
- numbers, such as 1, 2, 3.
The immediate effect is a reduction of the amount of work and of the time consumed.
The method also has disadvantages:
- certain terms are hard to quantify ("important" is a hard term to define in management);
- the numbers are this time even more subjective: where the quantitative method works with statistical data, here the data is subjective.

Qualitative analysis

3. Prioritizing risks
- coordinating a summary prioritization of the risk level;
- summary of the risk level prioritization;
- analysis together with the owner;
- detailed analysis of the risk level prioritization;
- detailing the risk level prioritization.

For the summary prioritization of the risk level the following steps are followed:

1. Determining the impact value for the assets.
2. Estimating the probability that an event occurs.
3. Establishing the summary list of risk levels by combining the impact and the occurrence probability for every asset.

Summary prioritization of the risk level:
- determining the value of the impact;
- estimating the probability of the impact, from the summary list of levels;
- filling in the summary list of risk levels by combining the impact and the occurrence probability.

Summary of the risk level prioritization.

Analysis together with the owner.

Detailed analysis of the risk level prioritization:
- determining the impact and exposure;
- identifying the current control methods;
- determining the impact probability;
- detailed determination of the risk level.

Detailing the risk level prioritization.
Establishing the level of losses and the class/level of impact

Losses (USD)*           | Points | Class/level of impact
< 2,500                 |        |
2,501 - 8,000           |        |
8,001 - 10,000,000      |        |
10,000,001 - 15,000,000 |        |
15,000,001 - 20,000,000 |        |
20,000,001 - 25,000,000 |        |
25,000,001 - 37,500,000 |        |
37,500,001 - 50,000,000 |        |
> 50,000,000            |        |

Value of the class/level of impact (V): up to 10.

Class of impact: L - low, M - medium, H - high.

* The value of losses differs with the size of the company: a high level of losses for a small company can be a small level for a large company. A minimum and a maximum level of losses is set for every company, and the related point scales are then established.
http://technet.microsoft.com/en-us/library/cc163143.aspx

Types of companies according to their size

Type of company | Number of servers | Annual income (USD) | Number of employees | Other characteristics
Large           | > 1,000           | > 1 billion         | > 2,000             | a multitude of sites; special management
Medium          | > 100             | > 100 million       | > 500               | a few sites
Small           | < 100             | < 100 million       | < 100               |

1. Determining the impact value for assets

The impact class combined with the exposure factor gives the impact rate:

Impact rate          | Exposure factor: Low | Medium | High
Impact class: High   | Medium               | High   | High
Impact class: Medium | Low                  | Medium | High
Impact class: Low    | Low                  | Low    | Medium

http://technet.microsoft.com/en-us/library/cc163143.aspx

2. Estimating the probability that an event occurs

Probability of occurrence (probability rate) | Description
High   | Certain. Occurs one or more times per year.
Medium | Probable. Expected to occur at least once within two or three years.
Low    | Unlikely. Not expected to occur within the next three years.

http://technet.microsoft.com/en-us/library/cc163143.aspx

3. Establishing the summary list of risk levels by combining the impact and the occurrence probability for every asset

Risk level          | Probability of occurrence: Low | Medium | High
Impact rate: High   | Medium                         | High   | High
Impact rate: Medium | Low                            | Medium | High
Impact rate: Low    | Low                            | Low    | Medium

http://technet.microsoft.com/en-us/library/cc163143.aspx

3. Prioritizing risks
- coordinating a summary prioritization of the risk level;
- summary of the risk level prioritization;
- analysis together with the owner;
- detailed analysis of the risk level prioritization;
- detailing the risk level prioritization.

For detailing the risk level the following steps are followed:

1. Determining the value of impact and exposure for the assets.
2. Identifying the current controls.
3. Determining the impact probability.
4. Detailed determination of the risk level.

1. Determining the value of impact and exposure for assets

Determining the exposure

Exposure rate (consequences) | Description
Insignificant | Minor financial losses. No material damage or injuries.
Minor         | Medium financial losses. Low material damage; first aid must be given to personnel.
Moderate      | Important financial losses. Medical treatment must be given to personnel. The activity can be carried on.
Major         | Important financial losses. Serious injuries to personnel. Important damage. Production capacity is diminished.
Catastrophic  | Enormous financial losses. Loss of life. Total loss of production capacity.

Determining the impact

The value of the impact is obtained by multiplying the impact class value (V) by the corresponding exposure factor (EF).

Impact class    | Impact class value (V)
Impact H(igh)   | 10
Impact M(edium) |
Impact L(ow)    |

Exposure rate | Exposure factor (EF)
Catastrophic  | 100%
Major         | 80%
Moderate      | 60%
Minor         | 40%
Insignificant | 20%

Impact rate = Impact class value (V) x Exposure factor (EF); the values lie between 0 and 10:

Impact rate | Level
7 - 10      | High
4 - 6       | Medium
0 - 3       | Low

http://technet.microsoft.com/en-us/library/cc163143.aspx

2. Identifying the current controls

- Inventory of the current physical controls.
- Inventory of the other current controls.
- Establishing their effectiveness, where possible.
- Identifying inactive controls.

3. Determining the impact probability

- Assumes determining whether a certain vulnerability exists and whether it can be exploited.
- Assumes determining the probability that a certain vulnerability is reduced by the controls in place.

The vulnerability level depends mainly on a few attributes:

1. Number of attackers.
The vulnerability grows as the number of persons who can carry out an attack increases, and as the skill level of the attackers rises.
2. Local or remote attack.
The vulnerability grows if the security flaws can be exploited remotely.
3. Knowledge.
The vulnerability grows if the type of attack is known and documented.
4. Automation.
The vulnerability grows if the attack can be automated so that it finds and exploits the security flaws by itself.

3. Determining the impact probability (continued)

Vulnerability level | Conditions | Grade
High   | great number of attackers (script kiddies/hobbyists); remote attack; anonymous privilege; very well known and documented exploitation methods; automation | 5, if at least one of the conditions is satisfied
Medium | medium number of specialists (expert/specialist); local attack; requires access rights; undocumented attack methods; no automation | 3, if at least one of the conditions is satisfied
Low    | low number of attackers, with knowledge of the internal architecture; local attack; requires administrator privileges; undocumented attack methods; no automation | 1, if at least one of the conditions is satisfied

3. Determining the impact probability (continued)

Questions on the effectiveness of the controls (score: 0 = Yes, 1 = No):
- Are the responsibilities defined and effectively applied?
- Are the warnings communicated and their execution supervised?
- Are the processes and procedures well defined and learned?
- Does the existing technology or the existing control reduce the threat?
- Are the current audit practices enough to detect abuses or control deficiencies?

3. Determining the impact probability (continued): example

Network (LAN) and remote host

Item                                                                              | Score (0 = Yes, 1 = No)
Vulnerability level (grade)                                                       |
Are the responsibilities defined and effectively applied?                         |
Are the warnings communicated and their execution supervised?                     |
Are the processes and procedures well defined and learned?                        |
Does the existing technology or the existing control reduce the threat?           |
Are the current audit practices enough to detect abuses or control deficiencies?  |
Total probability rate for LAN and remote host                                    |

http://technet.microsoft.com/en-us/library/cc163143.aspx

4. Detailed determination of the risk level

Risk level = Impact rate x Probability rate

The impact rate is on the 0-10 scale (High 7-10, Medium 4-6, Low 0-3) and the probability rate (vulnerability grade plus control score) is on a 1-10 scale, so the product lies between 0 and 100:

Result (product) | Risk level
41 - 100         | High
20 - 40          | Medium
0 - 19           | Low

For example, a product of 64 is a High risk and a product of 30 is a Medium risk.

Risk level grid (impact rate down the side, probability rate across the top; cells are the products, banded Low/Medium/High as above):

Impact \ Probability |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 |  10
10                   | 10 | 20 | 30 | 40 | 50 | 60 | 70 | 80 | 90 | 100
9                    |  9 | 18 | 27 | 36 | 45 | 54 | 63 | 72 | 81 |  90
8                    |  8 | 16 | 24 | 32 | 40 | 48 | 56 | 64 | 72 |  80
7                    |  7 | 14 | 21 | 28 | 35 | 42 | 49 | 56 | 63 |  70
6                    |  6 | 12 | 18 | 24 | 30 | 36 | 42 | 48 | 54 |  60
5                    |  5 | 10 | 15 | 20 | 25 | 30 | 35 | 40 | 45 |  50
4                    |  4 |  8 | 12 | 16 | 20 | 24 | 28 | 32 | 36 |  40
3                    |  3 |  6 |  9 | 12 | 15 | 18 | 21 | 24 | 27 |  30
2                    |  2 |  4 |  6 |  8 | 10 | 12 | 14 | 16 | 18 |  20
1                    |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8 |  9 |  10
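The detailed-level scoring described above (impact class x exposure factor, vulnerability grade plus control-effectiveness score, product banded into Low/Medium/High) carried through in code, as an added example that is not part of the lecture or of the Microsoft guide it cites. It assumes V = 5 and V = 2 for the Medium and Low impact classes (the page shows only V = 10 for High), assumes that the probability rate is the vulnerability grade plus the number of "No" answers (the page only shows a "Total probability rate" row), and the three scenarios it ranks are constructed.

```python
"""Detailed-level qualitative risk scoring (Microsoft-style tables).
Added illustration; not code from the lecture or from Microsoft."""
from dataclasses import dataclass

# Impact class value V. The page gives only H = 10; M = 5 and L = 2 are ASSUMED.
IMPACT_CLASS_VALUE = {"H": 10, "M": 5, "L": 2}

# Exposure factor EF for the five exposure levels (Catastrophic 100% ... Insignificant 20%).
EXPOSURE_FACTOR = {"catastrophic": 1.0, "major": 0.8, "moderate": 0.6,
                   "minor": 0.4, "insignificant": 0.2}


def impact_rate(impact_class: str, exposure: str) -> float:
    """Impact rate = V x EF, on the 0..10 scale."""
    return IMPACT_CLASS_VALUE[impact_class] * EXPOSURE_FACTOR[exposure]


def impact_level(rate: float) -> str:
    """Bands from the page: 7-10 High, 4-6 Medium, 0-3 Low."""
    return "High" if rate >= 7 else "Medium" if rate >= 4 else "Low"


def vulnerability_grade(remote: bool, privilege: str, documented: bool,
                        automated: bool, attackers: str) -> int:
    """Vulnerability level grade 5/3/1 from the page's condition table.

    privilege: 'anonymous' | 'user' | 'admin'; attackers: 'many' | 'some' | 'few'.
    High (5) applies if at least one High condition holds, so it is tested first.
    The Medium and Low rows share 'local', 'undocumented' and 'no automation',
    so only the privilege and attacker-pool conditions separate them.
    """
    if remote or privilege == "anonymous" or documented or automated or attackers == "many":
        return 5
    if privilege == "user" or attackers == "some":
        return 3
    return 1


def probability_rate(vuln_grade: int, control_answers: list) -> int:
    """Vulnerability grade plus the control-effectiveness score.

    control_answers holds the answers to the page's five questions
    (True = Yes = 0 points, False = No = 1 point). Adding the two parts
    to get the 'total probability rate' is an ASSUMPTION.
    """
    assert len(control_answers) == 5, "the page asks five questions"
    return vuln_grade + sum(0 if yes else 1 for yes in control_answers)


def risk_level(impact: float, probability: int) -> float:
    """Risk level = Impact rate x Probability rate (0..100)."""
    return impact * probability


def risk_band(level: float) -> str:
    """Bands from the page: 41-100 High, 20-40 Medium, 0-19 Low."""
    return "High" if level >= 41 else "Medium" if level >= 20 else "Low"


@dataclass
class Scenario:
    name: str
    impact_class: str
    exposure: str
    vuln: dict       # keyword arguments for vulnerability_grade
    controls: list   # five Yes/No answers

    def score(self) -> float:
        return risk_level(impact_rate(self.impact_class, self.exposure),
                          probability_rate(vulnerability_grade(**self.vuln), self.controls))


def prioritize(scenarios):
    """Return (name, risk level, band) sorted worst-first."""
    scored = [(s.name, s.score(), risk_band(s.score())) for s in scenarios]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed scenarios (not from the page); the first mirrors the
# "client data / host / unauthorized access / password guessing" row.
SCENARIOS = [
    Scenario("client data on DB host: theft or password guessing", "H", "major",
             dict(remote=True, privilege="anonymous", documented=True,
                  automated=True, attackers="many"),
             [True, True, False, True, False]),
    Scenario("client data on DB host: alteration by malware", "H", "catastrophic",
             dict(remote=False, privilege="user", documented=True,
                  automated=True, attackers="many"),
             [True, True, True, True, True]),
    Scenario("LAN printer: mis-configuration by an untrained admin", "L", "moderate",
             dict(remote=False, privilege="admin", documented=False,
                  automated=False, attackers="few"),
             [True, False, True, True, True]),
]

if __name__ == "__main__":
    for name, level, band in prioritize(SCENARIOS):
        print(f"{level:5.1f} {band:6s} {name}")
```

The first scenario scores 8.0 x 7 = 56 (High) even though all but two controls are in place: a remotely exploitable, documented, automated attack keeps the vulnerability grade at 5, and only the control questions can pull the probability rate down.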

Qualitative analysis of the security risk (simplified version)

We establish the probability of disaster occurrence:

Occurrence level | Occurrence probability | Description
A                | Almost certain         | It may occur under any conditions.
B                | Likely                 | It may occur under certain conditions.
C                | Moderate               | It may occur at some time.
D                | Unlikely               | It could occur at some time.
E                | Rare                   | It may occur only under exceptional conditions.

We establish the consequences of disasters:

Consequence level | Consequences example
Insignificant     | Minor financial losses. No material damage or injuries.
Minor             | Medium financial losses. Low material damage; first aid must be given to personnel.
Moderate          | Important financial losses. Medical treatment must be given to personnel. The activity can be carried on.
Major             | Important financial losses. Serious injuries to personnel. Important damage. Production capacity is diminished.
Catastrophic      | Enormous financial losses. Loss of life. Total loss of production capacity.

Qualitative analysis of the security risk (simplified version)

We establish the qualitative risk analysis matrix; each cell is rated E, H, M or L:

Occurrence probability \ Consequences | Insignificant | Minor | Moderate | Major | Catastrophic
A (almost certain)                    |               |       |          |       |
B (likely)                            |               |       |          |       |
C (moderate)                          |               |       |          |       |
D (unlikely)                          |               |       |          |       |
E (rare)                              |               |       |          |       |

E - Extreme risk. Immediate action is required to reduce it. A detailed review of the assets and of the risk reduction management plans is required. Strategies must be imposed.
H - High risk. Management must consider it immediately. Management strategies will be identified. As in the previous case, the risk must be minimized.
M - Moderate risk. Management must take it into consideration.
L - Low risk. Handled by the actions specified in the routine procedures.
The tables used in the qualitative analysis of risk must be customized for the specific activities and locations.


Security risk analysis

Quantitative analysis of the security risk

For the quantitative analysis of risk the following steps are followed:

1. Identifying and evaluating the assets
2. Determining the vulnerabilities
3. Estimating the occurrence probability
4. Computing the annual estimated losses
5. Control measures analysis
6. Computing the return on investment (ROI)

1. a. Identifying assets
This assumes the identification of the software and hardware components, the data, the personnel involved in the processes, the related documentation, support etc. Examples, grouped as in the slide's four columns:

Data: financial, logistic/managerial, planning, statistical, operational, personal.
Physical: buildings, offices, auxiliary systems (electricity supply, water supply, gas supply, lighting, air conditioning), data safety systems, drives/backup, auxiliary voltage sources.
Documentation: administrative, software, hardware, files, programs, systems, operational, operating guidelines, audit documents, procedures, damage plans, security plans, I/E procedures, control measures, communication procedures.
Communication: communication lines, modems, cables, terminals, antennas, switches/hubs/multiplexers.

1. b. Asset evaluation
When evaluating assets it is preferable to use a scale of asset values, for example:

Number | Value (USD)
0      | < 1
1      | 1 - 10
2      | 11 - 100
...    | ...
       | 100,001 - 1,000,000
       | 1,000,001 - 10,000,000
       | > 10,000,000

Determining the value of impact for assets

Case 1: replacement costs.
Case 2: recovery costs.

1. b. Asset evaluation (continued)

This assumes establishing the replacement cost for the case where an asset is destroyed.
To do this we have to ask ourselves some questions that help us evaluate the assets. Some of these questions are listed below.

Regarding the hardware components:
- What is the replacement cost of the asset at current prices?
- How long does it take until the destroyed asset/component is replaced?
- If the operation(s) can be done manually, how many people are needed, and how much additional time?
- What are the losses in customer relations while the asset is out of service?

Regarding the software components:
- How long will it take the programmer to find the problem in case of a program malfunction?
- How long will it take to load and test the debugged program?
- How long will it take to reinstall the operating system in case of disaster?

For data:
- Can the data be restored?
- How much time is lost restoring the data after it is lost?
- Is the disaster caused by a deliberate action or by a random event?

For personnel:
- How many people are needed for disaster recovery?
- How much does it cost to train new personnel?
- What are the psychological effects of disasters?

Estimating the impact value per area

In case of loss or malfunction, every asset has an impact on the three elements necessary for assuring security:
- confidentiality (secrecy)
- integrity
- availability
(non-repudiation is sometimes added as a fourth)

The total value for an asset is the sum of its impact values over the impact areas:

$\mathrm{Value}_b = \sum_{i=1}^{3} \mathrm{Impact}_i$

where $\mathrm{Value}_b$ = value of the impact for asset b and $\mathrm{Impact}_i$ = the value of the impact in area i for asset b. We have three (i = 3) impact areas (confidentiality, integrity and availability).

Example:

Impact area     | Impact value (USD)
Confidentiality | 5,000
Integrity       | 0
Availability    | 10 + 15 = 25

In this case, $\mathrm{Value}_b$ = 5,000 + 0 + 25 = 5,025 USD.

Worked case. Consider a file that stores the personal data of 200 employees of a company. After an undesired event (intentional, unintentional, accident, natural phenomenon), both the data in the file and its structure are lost. There is no backup copy. Restoring the file structure can be done by a qualified person working 4 hours during the schedule, at a salary of 2.5 USD/hour. Restoring the data is done outside the schedule by the same or a different person; this takes 5 hours and is paid at 3 USD/hour (overtime). The availability impact is therefore 4 (hours) x 2.5 (USD/hour) + 5 (hours) x 3 (USD/hour overtime) = 10 + 15 = 25 USD.
Loss of confidentiality, the nature of the disaster being unknown, causes losses estimated at 5,000 USD; this is the area with the highest impact with respect to restoration costs.

2. Determining vulnerabilities
This assumes establishing the threats to the assets and the frequency with which these threats can occur.
Possible threats to the company's assets:

Natural: earthquakes, floods, hurricanes, landslides, snow storms, sand storms, tornadoes, tsunami, thunderstorms (electrical discharges), volcanic eruptions.
Accidents: disclosures, electrical disturbances, electrical malfunction, fire, leakage of liquid, transmission/telecommunication errors, operator/user errors, organizational errors, hardware errors, software errors.
Intentional acts: disclosures, employee blackmail, fraud, theft, strikes, unauthorized use, vandalism, intrusions, bomb attacks, riots.
3. Estimating the occurrence probability

The probability of occurrence of an incident in a period of time is established as an annual rate. The table below exemplifies incident occurrence frequencies:

Frequency       | Per year | Value
Never           |          | 0.0
Every 300 years | 1/300    | 0.00333
Every 200 years | 1/200    | 0.005
Every 100 years | 1/100    | 0.01
Every 50 years  | 1/50     | 0.02
Every 25 years  | 1/25     | 0.04
Every 5 years   | 1/5      | 0.2
Every 2 years   | 1/2      | 0.5
Every year      | 1/1      | 1.0
Twice a year    | 2/1      | 2.0
Once a month    | 12/1     | 12.0
Once a week     | 52/1     | 52
Once a day      | 365/1    | 365

Occurrence rates by threat (occurrences per year):

Threat category  | Threat                                | Occurrence rate
Natural          | Earthquakes                           | 0.005 - 0.2
Natural          | Floods                                | 0.01 - 0.5
Natural          | Hurricanes                            | 0.05 - 0.5
Natural          | Landslides                            | 0 - 0.1
Natural          | Snow storms                           | 0.07 - 50
Natural          | Sand storms                           | 0.01 - 0.5
Natural          | Tornado                               | 0 - 10
Natural          | Tsunami                               | 0.00001 - 2
Natural          | Electrical discharges                 | 0 - 0.125
Natural          | Volcanic eruptions                    | 0 - 0.01
Accidents        | Disclosures                           | 0.2 - 5
Accidents        | Electric disturbances                 | 0.1 - 30
Accidents        | Electric malfunctions                 | 0.1 - 10
Accidents        | Fire                                  | 0.1 - 10
Accidents        | Leakage of liquid                     | 0.02 - 3
Accidents        | Transmission/telecommunication errors | 0.5 - 100
Accidents        | Operator/user errors                  | 10 - 200
Accidents        | Hardware errors                       | 10 - 200
Accidents        | Software errors                       | 1 - 200
Intentional acts | Disclosures                           | 0.2 - 5
Intentional acts | Employee blackmail                    | 0.1 - 5
Intentional acts | Fraud                                 | 0.09 - 0.5
Intentional acts | Theft                                 | 0.015 - 1
Intentional acts | Strikes                               | 0.1 - 5
Intentional acts | Unauthorized use                      | 0.009 - 5
Intentional acts | Vandalism                             | 0.008 - 1.0
Intentional acts | Intrusions                            |
Intentional acts | Bomb attacks                          | 0.01 - 100
Intentional acts | Riots                                 | 0 - 0.29

4. Calculating the estimated annual loss

Calculate the Annual Loss Expectancy per threat:

$\mathrm{ALE}_t = \sum_{a=0}^{n} V_a \times O_t$

where
$\mathrm{ALE}_t$ = Annual Loss Expectancy for threat t,
$V_a$ = value of asset a (assets 0 to n), i.e. the loss when the threat hits the asset once,
$O_t$ = estimated number of occurrences per year of threat t (threats 0 to m).

Example (threat 1 = voltage shock, occurring 5 times a year):

Asset               | Threat        | Incident cost (USD) | Frequency (per year) | ALE
1. Computer (local) | Voltage shock | 500                 | 5                    | ALE_{1,1} = 500 x 5 = 2,500
2. Printer          | Voltage shock | 500                 | 5                    | ALE_{2,1} = 500 x 5 = 2,500
3. Server centre    | Voltage shock | 10,000              | 5                    | ALE_{3,1} = 10,000 x 5 = 50,000

ALE_1 = ALE_{1,1} + ALE_{2,1} + ALE_{3,1} = 2,500 + 2,500 + 50,000 = 55,000 USD

4. Calculating the estimated annual loss

Calculate the Annual Loss Expectancy per asset:

$\mathrm{ALE}_a = \sum_{t=0}^{m} V_a \times O_t$

where
$\mathrm{ALE}_a$ = Annual Loss Expectancy for asset a,
$V_a$ = value of asset a (assets 0 to n), i.e. the loss when threat t hits the asset once,
$O_t$ = estimated number of occurrences per year of threat t (threats 0 to m).

Example (asset 1 = server centre):

Asset         | Threat           | Incident cost (USD) | Frequency      | ALE
Server centre | 1. Voltage shock | 30,000              | 5 times a year | ALE_{1,1} = 30,000 x 5 = 150,000
Server centre | 2. Earthquake    | 50,000              | every 50 years | ALE_{1,2} = 50,000 x 0.02 = 10,000
Server centre | 3. Flood         | 10,000              | every 25 years | ALE_{1,3} = 10,000 x 0.04 = 4,000

ALE_1 = ALE_{1,1} + ALE_{1,2} + ALE_{1,3} = 150,000 + 10,000 + 4,000 = 164,000 USD

Note that the incident cost entered as $V_a$ is the single-incident loss of the asset under that particular threat, so in practice it depends on the asset/threat pair (the server centre costs 30,000 per voltage shock but 50,000 per earthquake).

Calculate the total Annual Loss Expectancy

Determine the total ALE by summing over the threat categories:

$\mathrm{ALE} = \sum_{t=0}^{m} \mathrm{ALE}_t$

where $\mathrm{ALE}_t$ = Annual Loss Expectancy for threat t.

Determine the total ALE by summing over all assets:

$\mathrm{ALE} = \sum_{a=0}^{n} \mathrm{ALE}_a$

where $\mathrm{ALE}_a$ = Annual Loss Expectancy for asset a.

ALE = total Annual Loss Expectancy over all asset/threat pairs.

Check for correctness!

Both calculations of the ALE must produce the same value. Laid out as a matrix, with one row per threat and one column per asset:

           | Asset 1   | Asset 2   | ... | Asset n   | Row sum
Threat 1   | V1 x O1   | V2 x O1   | ... | Vn x O1   | ALE_{t,1}
Threat 2   | V1 x O2   | V2 x O2   | ... | Vn x O2   | ALE_{t,2}
...        | ...       | ...       |     | ...       | ...
Threat m   | V1 x Om   | V2 x Om   | ... | Vn x Om   | ALE_{t,m}
Column sum | ALE_{a,1} | ALE_{a,2} | ... | ALE_{a,n} | ALE

The sum of the row sums and the sum of the column sums are both the total ALE over all asset/threat pairs.

Survey new controls

Observe which threats produce the greatest $\mathrm{ALE}_t$ (ALE per threat): in the matrix above, the row with the maximum row sum.
Identify possible controls that may reduce the corresponding vulnerability (some controls apply to several vulnerabilities).
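Steps 1 to 4 of the quantitative analysis and the "survey new controls" step carried through in code, as an added example that is not the lecture's own material: asset value summed over the impact areas, ALE per threat and per asset, the cross-check that both totals agree, and the threat that dominates the total. The employee-file figures follow the worked case above; the asset/threat losses and frequencies are constructed to mirror the slides' server-centre examples, and the loss is keyed on the (asset, threat) pair because the slides' own numbers differ by threat.

```python
"""Quantitative security risk analysis: asset value, ALE per threat and per
asset, correctness check, and the dominant threat. Added example; not the
lecture's code. Names, losses and frequencies below are constructed."""
from collections import defaultdict


def asset_value(impacts: dict) -> float:
    """Value_b = sum of the impact values over the impact areas."""
    return float(sum(impacts.values()))


# Restoration case: structure rebuilt in 4 h at 2.5 USD/h, data re-entered in
# 5 h of overtime at 3 USD/h; confidentiality loss estimated at 5,000 USD.
EMPLOYEE_FILE = {"confidentiality": 5_000, "integrity": 0,
                 "availability": 4 * 2.5 + 5 * 3}

# Single-incident loss per (asset, threat) pair, in USD (constructed).
LOSS = {
    ("local computer", "voltage shock"): 500,
    ("printer",        "voltage shock"): 500,
    ("server centre",  "voltage shock"): 30_000,
    ("server centre",  "earthquake"):    50_000,
    ("server centre",  "flood"):         10_000,
}
# O_t: occurrences per year (5 times a year; every 50 years; every 25 years).
OCCURRENCE = {"voltage shock": 5.0, "earthquake": 1 / 50, "flood": 1 / 25}


def ale_per_threat(loss: dict, occurrence: dict) -> dict:
    """ALE_t = sum over assets of V(a,t) x O_t: one row of the ALE matrix."""
    ale = defaultdict(float)
    for (asset, threat), v in loss.items():
        ale[threat] += v * occurrence[threat]
    return dict(ale)


def ale_per_asset(loss: dict, occurrence: dict) -> dict:
    """ALE_a = sum over threats of V(a,t) x O_t: one column of the ALE matrix."""
    ale = defaultdict(float)
    for (asset, threat), v in loss.items():
        ale[asset] += v * occurrence[threat]
    return dict(ale)


def total_ale(loss: dict, occurrence: dict) -> float:
    """Total ALE computed both ways; the two sums must agree (correctness check)."""
    by_threat = sum(ale_per_threat(loss, occurrence).values())
    by_asset = sum(ale_per_asset(loss, occurrence).values())
    if abs(by_threat - by_asset) > 1e-6:
        raise ValueError(f"ALE mismatch: {by_threat} vs {by_asset}")
    return by_threat


def dominant_threat(loss: dict, occurrence: dict) -> tuple:
    """The threat with the largest ALE_t: where a new control pays off most."""
    per_threat = ale_per_threat(loss, occurrence)
    threat = max(per_threat, key=per_threat.get)
    return threat, per_threat[threat]


if __name__ == "__main__":
    print("employee file value (USD):", asset_value(EMPLOYEE_FILE))
    for t, v in ale_per_threat(LOSS, OCCURRENCE).items():
        print(f"ALE_t  {t:14s} {v:12,.2f}")
    for a, v in ale_per_asset(LOSS, OCCURRENCE).items():
        print(f"ALE_a  {a:14s} {v:12,.2f}")
    print("total ALE (USD):", total_ale(LOSS, OCCURRENCE))
    print("survey controls first for:", dominant_threat(LOSS, OCCURRENCE))
```

With these numbers the voltage-shock row dominates (155,000 of the 156,400 USD total), which is the method's intended signal: a voltage stabilizer or UPS is the control to c
ost out first, and the rare earthquake, despite its larger single loss, contributes only 1,000 USD a year.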

5. Control measures analysis

The threat that produces the highest estimated annual loss is identified.
The measures that can reduce the vulnerability are identified.

Threat category  | Threat                   | Control measures
Natural          | Earthquakes              | Sensors, siting
Natural          | Floods                   | Sensors, siting
Natural          | Hurricanes               | Siting
Natural          | Landslides               | Siting
Natural          | Snow storms              | Siting
Natural          | Sand storms              | Siting
Natural          | Tornado                  | Siting
Natural          | Tsunami                  | Siting
Natural          | Electrical discharges    | Spark gaps (surge arresters), siting
Natural          | Volcanic eruptions       | Siting
Accidents        | Disclosures              | Encryption
Accidents        | Electrical disturbances  | Voltage stabilizers
Accidents        | Electrical malfunction   | Uninterruptible power supplies
Accidents        | Fire                     | Warning/extinguishing systems
Accidents        | Fluid leakage            | Sensors, protective enclosures
Accidents        | Telecommunication errors | Dedicated transmission lines
Accidents        | Operator/user errors     | Personnel training
Accidents        | Hardware errors          | Testing, brand-name equipment
Accidents        | Software errors          | Software testing
Intentional acts | Disclosures              | Data encryption
Intentional acts | Employee blackmail       | Data encryption
Intentional acts | Fraud                    | Access logs (control log)
Intentional acts | Theft                    | Access logs (control log)
Intentional acts | Strikes                  | Physical access limitation
Intentional acts | Unauthorized use         | Passwords, encryption
Intentional acts | Vandalism                | Physical access limitation
Intentional acts | Bomb attacks             | Physical access limitation
Intentional acts | Riots                    | Physical access limitation
Intentional acts | Intrusions               | Access control, data encryption

Security risk analysis

The quantitative method of risk analysis is mainly used in medium and/or large companies.
The quantitative method shown has some drawbacks. Among these we can mention:
- The difficulty of finding a number that quantifies as exactly as possible the occurrence frequency of an event.
- The difficulty of quantifying certain values. For example, the availability of information and the calculus of losses are very hard to define when this characteristic is missing.
- The method does not distinguish between rare threats that produce great disasters in value (fire, earthquakes, tornado etc.) and frequent threats that produce small disasters in value (operating errors), the financial effects being almost the same in both cases.
- Choosing the numbers used can be considered subjective, laborious work that takes time and resources.

Comparisons between the quantitative and qualitative security risk analysis

Benefits of the quantitative analysis:
- Risks are prioritized according to their financial impact; goods are prioritized according to their financial value.
- Results help risk management through security investments.
- The results are expressed in tangible values (financial values, percentages etc.).
- Accuracy tends to increase over time, because the company builds a database of the events history and gains experience at the same time.

Advantages of the qualitative analysis:
- Allows a better and clearer hierarchy of risk values.
- Allows a faster consensus due to the values used.
- Threat frequency quantification is not necessary.
- The financial value of goods does not need to be determined.

Drawbacks of the quantitative analysis:
- The impact value of every risk is based on the subjective opinions of those who do the analysis.
- The processes through which credible results are obtained take a long time.
- The calculus is very complex and takes a long time.
- The results have monetary value and are hard to interpret by non-technical personnel.
- The processes require experienced personnel that can't be easily trained.

Drawbacks of the qualitative analysis:
- Doesn't differentiate the risks enough.
- It is hard to justify an investment in security measures/controls when it is not based on a cost-benefit analysis.
- The results are subjective; they depend on the quality and the composition of the risk analysis team.

Phase diagram (Microsoft security risk management process): Assessing risk / Risk evaluation; Conducting decision support; Implementing controls; Measuring program effectiveness. Current phase: 2, Conducting decision support.
Decisional process coordination

1. Defining the functional demands
2. Identifying the control solutions
3. Review of the proposed control solutions according to the functional demands
4. Estimating the risk reduction degree
5. Estimating the cost for every solution
6. Selecting the risk attenuation strategy

http://technet.microsoft.com/en-us/library/cc163143.aspx

Phases of decisional process coordination (Microsoft)

Groups involved: the security risk management team, the mitigation group and the security coordination committee.

1. Defining the functional requirements
2. Identifying the control solutions
3. Review of the proposed control solutions according to the functional requirements
4. Estimating the risk reduction degree
5. Estimating the cost for each solution
6. Selecting the risk mitigation/attenuation strategy

http://technet.microsoft.com/en-us/library/cc163143.aspx

Participants in the phase of decisional process coordination

Participant                      Responsibilities
Business operators               Identify the available control procedures for risk control.
Business owner                   Analyses the cost-benefit report for risks.
Financial group                  Assists the cost-benefit analysis. Defines the resource allocation.
Human resources office (HRO)     Identifies the personnel training demands according to the adopted measures.
IT architecture                  Identifies and evaluates the possible control solutions.
IT engineering                   Determines the control solutions' cost and their method of implementation.
IT performers                    Effective implementation of control solutions.
Internal auditor                 Identifies the degree of conformity with the demands and evaluates control effectiveness.
Jurist                           Identifies the legality of controls according to the company's policy and the contractual aspects.
Public relations (PR)            Estimates the impact on the market of the adopted control solutions.
Security coordination committee  Selects the control solutions based on the recommendations of the risk management team.
Risk management team             Defines the functional demands for the control of each category of risk. Informs the shareholders about the stage of the control application projects and the personnel affected.

Necessary information in the phase of decisional process coordination

Information to be collected                               Description
Decision on the method of solving every risk              At what level each major risk has to be addressed. All major risks must be accepted. Certain major risks can be avoided.
Functional demands                                        Declarations in which the elements necessary for risk attenuation must be written.
Potential control solutions                               Lists of possible control elements, identified by the risk management team, that can be efficient in attenuating every risk.
The degree of risk reduction for every control solution   Evaluation of every proposed control measure to determine how much it reduces the risk level for goods.
The estimated cost for every control solution             Total costs associated with the purchase, implementation, support and effectiveness measurement for every proposed control.
List of control solutions that are to be implemented      The choice is made based on a cost-benefit analysis.

In the phase of decisional process coordination, certain questions must be asked in order to choose the controls meant to reduce the risks:

How long will the control be effective ?
How many person hours per year will be required to monitor and maintain the control ?
How much inconvenience will the control impose on users ?
How much training will be needed for those responsible for implementing, monitoring, and maintaining the control ?
Is the cost of the control reasonable, relative to the value of the asset ?

Defining the functional requirements:

Defining the functional requirements necessary for ensuring security means in fact producing declarations/statements that describe the controls necessary for risk attenuation.

Controls must be expressed more as a functional demand and less as a functional status.

Functional controls must be defined for each of the risks.

The functional demands define WHAT must be done for identifying and reducing the risk, but do not specify HOW the risk can be attenuated and do not indicate the specific controls. HOW the risk can be attenuated, by identifying the control solutions, is a task for the risk control/mitigation/attenuation group.

Identifying the control solutions.

Identifying the control measures assumes that the team which has this task has experience in the field. If the personnel is not specialized for this purpose, one can appeal to specialists or consultants from outside the company (outsourcing). These can take over all the tasks or provide assistance in the field.

Methods/ approaches in identifying control solutions

Informal Brainstorming

Classifying and organizing controls

http://technet.microsoft.com/en-us/library/cc163143.aspx

Informal Brainstorming

The coordinator puts a question (??) to the risk evaluation team; the team answers (= proposed control) and the secretary records the proposed control (e.g. UPS).

Questions:
- What are the stages which the company has to go through for preventing a risk or controlling it ?
  A. Implementing multi-factor authentication for reducing the risk of password compromise.

- What can the company do for recovery (disaster recovery) when the event is triggered ?
  A. Backup, backup, backup.
  A. Teams and action procedures in case of disasters.
  A. Auxiliary systems.

- What measures can the company take for detecting a risk ?
  A. Video surveillance systems.
  A. Intrusion detection systems at the level of hosts and workstations.

- How can the company check that a control is placed where it is supposed to be, that it works and can be monitored ?
  A. Expert in the field.

- How can the company declare the effectiveness of an adopted control as being correct ?
  A. Specialization and periodical training of internal personnel, or collaboration with a specialized company (person).

- Are there other measures that can be taken for risk control ?
  A. Insurance (in the case of inventory objects)

http://technet.microsoft.com/en-us/library/cc163143.aspx

Classifying and organizing controls

The method classifies the possible controls in three categories: organizational, operational and technological.
Each category is split in subcategories with the following purposes: prevention, detection and answer (management).

Type of control            Description                                                      Subcategories
Organizational             Procedures and processes that establish the mode of action of    Prevention, Detection,
                           the personnel in case of events.                                 Answer (management)
Operational (Processes)    Define the modes of working with data and with the software      Prevention, Detection
                           and hardware components by the personnel. The general and
                           specific protection elements are included.
Technological              The infrastructure, architecture, engineering, hardware,         Prevention, Detection,
                           software and firmware elements are included. All the             Answer (management)
                           technological components used for building the company's
                           informational system are included.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Classifying and organizing controls
Type of control: Organizational / Subcategory: Prevention

Clear roles and responsibilities. Defining and documenting them clearly will make the managers and employees understand the responsibilities of each work station (post).
Separation of duties and least privilege. This will ensure that every work station is permitted only the operations needed to carry out its working tasks.
Well documented plans and security procedures. These are developed to explain how the control systems were implemented and how they must be maintained.
Training and information campaigns. Training is necessary so that the personnel is always up to date with the technology, and the information campaigns are necessary to warn the personnel about the changes that were made.
Systems and processes of user activation/deactivation. These are necessary so that new personnel becomes productive as fast as possible when hired, and personnel that no longer works in the company immediately loses its rights. The same principles must be stipulated for personnel transfers between two different departments. A classification change for a post or department must also be taken into consideration.
Establishing the processes for providing access to business partners. All business partners are included: suppliers, clients, distributors, subcontractors etc. The principles are similar to the ones mentioned before.

Classifying and organizing controls
Type of control: Organizational / Subcategory: Detection

Continuous risk control programs for evaluating and controlling the risk in the key departments of the company.
Recurrent reviews of the control systems to verify their efficiency.
Periodical system audit for assuring that the control systems were not compromised or poorly configured.
Reference and background checks for new employees.
Establishing a job rotation system. This will allow the discovery of dishonest activities amongst the IT teams and amongst the employees who have access to sensitive data.

Classifying and organizing controls
Type of control: Organizational / Subcategory: Answer (management)

Plans of response to incidents. These plans include fast reaction measures for recovery in case of a security violation and for minimizing the impact by preventing the spreading to other systems. The incident response plans must allow the gathering of evidence that would eventually allow the prosecution of the guilty person.
Business continuity plan. Contains plans meant to keep the company in function, totally or partially, in the case of catastrophic events that affect the greatest part of the IT infrastructure.

Classifying and organizing controls
Type of control: Operational / Subcategory: Prevention

System protection through physical means. Protection perimeters, room dividers, electronic locks, biometric identifiers etc. are included.
Physical protection for end-user systems (workstations). Locking of computers and mobile systems against theft and encryption of the files stored on mobile hard drives are included.
Providing electricity when needed. These provide the electricity necessary for computer functioning when the primary energy source is not available. They also ensure the normal shutdown of the applications and operating systems that run on the system, in this way avoiding data loss.
Anti-fire systems. Include the automatic fire warning systems, fire fighting systems and also the extinguishers.
Systems of temperature and humidity control. These systems are meant to keep the systems functioning within the parameters indicated by the manufacturer, extending their life.
Procedures of access to data stored on external hard drives. These will allow only authorized personnel to access these data.
Backup systems. These will allow the immediate recovery of lost data. In some cases the backup files must be kept outside the company, in order to be used in case of major disasters.

Classifying and organizing controls
Type of control: Operational / Subcategory: Detection

Physical security. Systems that protect the company from persons who want to break into it. Sensors, alarms, surveillance cameras, perimeter and movement sensors are included.
Security from the environment. Systems that protect the company from the threats that come from the environment. Smoke and fire detectors, flood detectors, atmospheric overload detectors, spark gaps etc. are included.

Classifying and organizing controls
Type of control: Technological / Subcategory: Prevention

Authentication/Identification. The process of validating the identification elements of a person, computer, process or device. Authentication checks that the entity which has requested it is the one it claims to be. The forms of authentication are: username and password, Kerberos, tokens, biometrics, certificates.
Authorization. The process of granting access to certain information, services or functions to a person, computer or device. Authorization is obtained after authentication has been granted.
Access (access control). The process of limiting access to certain information; this process is based on the user's identity and on belonging to certain groups.
Non-repudiation. A technique used to make sure that a person who has performed an action on a computer cannot deny that action.
Communication protection. For protecting communication at the level of networks, encryption is used to ensure the integrity and confidentiality of the transmitted data.

Controlling the access and detecting the intrusion: access control is built from identification, authentication and authorization, enforced by the access control mechanisms.

Classifying and organizing controls
Type of control: Technological / Subcategory: Detection

Audit systems. These systems make it possible to monitor and follow the evolution of a system, in order to see if it works within the configured parameters. The audit systems are a basic instrument for detecting, understanding and recovering in case of events.
Antivirus programs. Antivirus programs are built to detect and respond to a series of malicious programs (viruses, worms, trojan horses etc.). The answer consists in blocking the user's access to the infected files, cleaning the infected files and systems and also informing the user about the infected components.
Instruments for maintaining the system's integrity. These instruments help the IT personnel responsible for security determine where an unauthorized modification has been done (e.g. file checksum).

Classifying and organizing controls
Type of control: Technological / Subcategory: Answer (management)

Tools for security administration. These instruments are included in the operating systems, programs and devices meant to ensure security on a certain segment.
Cryptography. Creating, storing and distributing the cryptographic keys in safe conditions gave birth to technologies such as Virtual Private Networks (VPN), authentication in safe conditions and also data encryption on certain hard drives.
Identification. Allows a certain entity to be identified in a unique way. With the help of this facility some others can also be created: accounting, discretionary access control, role-based access control and mandatory access control.
Inherent protections in the system. These are facilities implemented in systems that ensure the security of the information which is being processed or which is stored in that system. Amongst these we have: object reuse, the use of NX (Non-Execute) memory zones and process separation.

Reviewing the proposed solutions according to the demands

The security risk management team must approve the proposed control solutions taking into account the definition of the functional demands.

Estimating the reduction degree of risk

Questions that must be asked:

Does the proposed control prevent a specific attack or a specific category of attacks?
Does the proposed control reduce/minimize the risk for a certain class of attacks?
Is the proposed control capable of recognizing an attack/exploit while it is happening?
If the proposed control recognizes an attack/exploit which is happening at the moment, is it capable of resisting and following the attack?
Can the proposed control help in the recovery of goods (data) after an attack?
Can the proposed control help with data restoration?
Does the proposed control offer any other benefits?
What is the value of the proposed control relative to the value of the good?

Estimating the cost for each solution

Cost type                       Contains
Acquisition costs               Software and hardware costs or services necessary for the acquisition of a control. Also the costs necessary for the development of new controls and the update of the existing ones.
Implementation costs            Costs necessary for the company's own teams or for consultants to install and configure the proposed controls.
Subsequent costs                These are costs difficult to estimate. We include here the costs associated with the new controls over a certain period of time: management, monitoring and maintenance costs. Sometimes they are 24/7 (24/7/365) costs.
Communication costs             Costs necessary for informing the personnel about the new policies and procedures of ensuring the implemented security within the company.
IT personnel training costs     Costs necessary for training the IT personnel in implementing, managing, monitoring and maintaining the new controls.
User training costs             Costs necessary for training the personnel in order to incorporate the new controls into the usual procedures.
Productivity costs              The (initial) productivity losses until the use of the new controls becomes routine. In many cases these losses are due to the lack of communication and personnel training.
Audit and verification costs    Costs the company will periodically support for auditing and verifying the effectiveness of the adopted controls. In some cases these costs go to specialized companies.

Selecting the risk reduction solution

In this stage the risk level achieved after adopting the new controls will be compared with the control solution costs.

Both the risks (risk level) and the costs of adopted solution contain subjective values that
make a financial quantification rather difficult.

Policies and security models

The security policy is made from a set of measures accepted by the leading staff, which provides clear but flexible rules for determining the standard operations and technologies necessary for ensuring security.
A security policy represents a document that emphasizes the main demands or rules that must be known and applied for ensuring security. A security policy will seize the security demands in a company and will describe the steps to ensuring security.
The following items are aimed to be protected:

memory;

files or data that are stored on an auxiliary hard drive;

the executable program in the memory;

structure of directories/ folders;

an electronic device;

data structure;

operating system;

instructions;

passwords;

protection system in itself.


A standard is formed from a set of system or procedural demands that must be known and implemented.
A standard will describe for example how the security of a Windows Server 2003 which is placed in an
unsecured area can be increased. The guideline represents a set of specific system or procedural suggestions
necessary for the best practical implementation. These are not compulsory to be known but are highly
recommended.

Phase diagram (Microsoft security risk management process): Assessing risk / Risk evaluation; Conducting decision support; Implementing controls; Measuring program effectiveness. Current phase: 3, Implementing controls.

Controls implementation

Searching for an integrated approach

Organizing the control solutions

http://technet.microsoft.com/en-us/library/cc163143.aspx

Participants in the phase of Controls implementation

Participant                                        Responsibilities
IT engineers                                       Determine the way of implementing control solutions.
IT architecture designers                          Define the way of implementing control solutions so that they fit the existing systems.
IT operators                                       Implement the technical control solutions.
Personnel responsible for information security     Help in solving the problems that appeared in the testing and development phases.
Financial personnel                                Make sure that the level of implementation expenses stays at the established level.

Phase diagram (Microsoft security risk management process): Assessing risk / Risk evaluation; Conducting decision support; Implementing controls; Measuring program effectiveness. Current phase: 4, Measuring program effectiveness.

Measuring the effectiveness of the program

1. Developing the security risk evolution diagram
2. Measuring the effectiveness of controls
3. Reevaluation (continuous evaluation) of the control measures and of the changes occurred on the goods and risks.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Participants in the phase of Measuring the effectiveness of the program

Participant                                        Responsibilities
Personnel responsible for information security     Creates a report for the Security Coordination Committee regarding the effectiveness of the adopted controls and the changes in the risk level. In addition, creates and maintains a risk level evolution diagram.
Internal auditor                                   Validates the effectiveness of the implemented control solutions.
IT engineers                                       Inform the security risk management team about the imminent changes.
IT architecture designers                          Inform the security risk management team about the planned changes.
IT operators                                       Inform the security risk management team about the details of the security events.

Risk evolution diagram: risk level (Low risk / Medium risk / High risk) per month, January to December, for each defence layer (Physical, Network, Host, Applications, Data). Legend: Data warehouse, Data Mining.

Way of response to incidents (Microsoft)

1. Life protection
2. Damage limitation
3. Damage evaluation
4. Cause determination
5. Damage repair
6. Verification/review of countermeasures, review of policies and update

1. Life protection. This has to represent the first priority. In certain situations the systems have an important role in protecting people's lives; their malfunction or non-function can lead to human losses. The systems that have a direct incidence on people's lives must be considered carefully.

2. Damage limitation. Assumes taking measures regarding the limitation of the aftermath of an attack or an event. In many situations it must be decided very quickly between shutting down the infected server and staying on and present on the market. In the case of an attack, the actions of the attacker and the limitation of the damages must be monitored, keeping evidence of the malicious action in order to find a culprit. In the case of physical events, the damages they provoke are limited.

3. Damage evaluation. After the damage limitation has been done, a damage evaluation is imposed. Damage evaluation will offer a measure of the attack's success and also of its virulence. In the case of natural disasters, a measure of their intensity will be offered by the value of the created damages.

4. Cause determination. Determining the causes concerns mainly establishing the source of disasters. A disaster can be provoked by an accident or can be a willed act. Disasters provoked by natural phenomena or accidents are easy to determine. Difficulties arise in determining the causes when these are provoked by the attack of a malicious person (cracker, hacker).

5. Damage repair. It is absolutely necessary that repairing the damages is done as fast as possible, so that the company resumes its activity and comes back on the market. The plans and procedures at the level of the company must contain restoration strategies. The teams specialized for this purpose must provide assistance and guidance. In some cases repairing the damages must be done with very much attention (e.g. reinfection with viruses from another system).

6. Verification/review. Reviewing the configurations is absolutely necessary. It is established what stages and actions were successful and which were the ones that were not successful in the previous stages. The approach and action mistakes are established. The processes will be modified, where needed, so that in the future they will offer a higher effectiveness. Improvements and updates are done. The news/publications in the field are reviewed.

http://technet.microsoft.com/en-us/library/cc163143.aspx

Methods of approach for risk analysis

Quantitative analysis
Works with statistical data in the field

Qualitative analysis
Works with less complex data

Vulnerability analysis/workstation risk analysis

Puts the employee in the foreground and quantifies the specific working conditions.

Security risk analysis

Vulnerability/ post analysis

The method follows the analysis of vulnerabilities in a department, prioritizing the human element as the main factor of vulnerability.
This method analyses risks starting from the work station (post) and its characteristics.
The following facts are analyzed:
- The working conditions specific to each group of posts.
- The features specific to each post in the posts group.
- The level of professional training of the occupant of that certain post.
- The access level for that certain post.
- Asset/Goods/category of assets/goods the post/person is in contact with.

The method implies following the next steps:
1. Identifying the goods and the threats to which they are exposed.
2. Estimating the probability and the impact on vulnerability.
3. Emphasizing the vulnerable points.
4. Identifying the control methods.

Probability / Exposure matrix: probability (Low, Medium, High) against exposure (Low, Medium, High).

Working station/good     Threat                          Risk level
                         Voltage drop
                         Shocks/voltage disturbances
                         Personnel errors
                         .....
                         Unauthorized use
                         Floods

Source: Computer Security Institute, CSI/FBI 2003 Computer Crime and Security Survey
2003: 488 responses/92%
2002: 414 responses/82%
2001: 484 responses/91%
2000: 583 responses/90%


The impact of the information system's components on security

Chart: impact on data security and losses caused by employee training, by type of company and level of employee training/knowledge, for unwilled and deliberate actions on data security (levels High / Medium / Low).

Social engineering attack types: the company employee is targeted by phone, e-mail, IM/IRC and hoax applications.
A study made in 1999 by Net-Partners Internet Solutions showed that, at the level of the United States, employers had productivity losses estimated at 500,000,000 USD due to the fact that almost 13,500,000 employees read or downloaded the Starr report at work. The Starr report contains data referring to the scandal in which the US President Bill Clinton and the White House employee Monica Lewinsky were involved.

? How can this type of losses be eliminated ?

Another category of actions that have productivity losses as an effect is represented by unsolicited e-mails, the so-called spam e-mails. According to Yankee Group (www.yankeegroup.com), spam messages create annually productivity losses estimated at 4 billion USD.
In 2003 (Feb.) 42% of the e-mails were spam.
In 2004 (Feb.) 62% of the e-mails were spam.

? What can be done in this case ?

Data collection (employee/partner, per workstation):
- Professional training
- IT training
- Conduct
- References
- Workstation customization
- Workstation customization detailing
- General goods he is in contact with
- Specific goods he is in contact with
- Software quality
- ....

Quantification / Processing (+/- 05/010) -> Risk level: High, Medium, Low

Risk analysis at the level of network

M. Kaeo, Designing Network Security, Cisco Press, Indianapolis, Indiana 46290 USA, 1999.

Occurrence rate      Value   Explanation
                     1       Unlikely
                     2       Likely
                     3       Most likely

Volume of losses     Value   Explanation
                     1       Low losses
                     2       Moderate losses
                     3       Critical losses

Risk value grid (3 x 3, occurrence rate against volume of losses), as on the slide:
Low risk, Low risk, Medium risk / Low risk, Medium risk, High risk / Low risk, High risk, High risk

Risk level           Value   Explanation
                     1, 2    Low risk
                     3, 4    Medium risk
                     6, 9    High risk

Risk analysis at the level of network (continuation)

Columns of the slide: Availability [D], Integrity [I], Confidentiality [C], Network importance [NI], Incident prevention [IP], Damage prevention [DP], Relative risk [RR].

Network              NI     PI     PD     RR
LAN Administrative   6      0,1    0,3    3,78
LAN Technical        12     0,5    0,5    3,00
LAN Financial        18     0,3    0,3    8,82

Scale for PI and PD:   Very low 0,1   Low 0,3   Moderate 0,5   High 0,7   Very high 0,9

IR = D * I * C
RR = IR * [ (1 - PI) * (1 - PD) ]

RR Administrative = 6 * [ (1 - 0,1) * (1 - 0,3) ] = 6 * 0,9 * 0,7 = 3,78
RR Technical      = 12 * [ (1 - 0,5) * (1 - 0,5) ] = 12 * 0,5 * 0,5 = 3,00
RR Financial      = 18 * [ (1 - 0,3) * (1 - 0,3) ] = 18 * 0,7 * 0,7 = 8,82
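Added example, not from the lecture or from Kaeo's book: the network-level rating above in Python, with the occurrence rate x losses product mapped to a risk level and RR = IR x (1 - PI) x (1 - PD) reproduced for the three LAN rows worked on the page. The level names and the three LAN rows come from the page; the ranking function and the input checks are the example's own.

```python
"""Network-level risk rating following the two scales on the page: the
occurrence rate x volume of losses product (1..3 each) mapped to a risk level,
and RR = IR x (1 - PI) x (1 - PD) with IR = D x I x C (after Kaeo).
Added example, not from the lecture; the ranking helper is this example's own."""

# Probability scale used on the page for PI (incident prevention) and PD (damage prevention).
LEVELS = {"very low": 0.1, "low": 0.3, "moderate": 0.5, "high": 0.7, "very high": 0.9}


def risk_level(occurrence, losses):
    """occurrence: 1 unlikely, 2 likely, 3 most likely;
    losses: 1 low, 2 moderate, 3 critical.
    Product 1,2 -> low risk; 3,4 -> medium risk; 6,9 -> high risk (page's mapping)."""
    if occurrence not in (1, 2, 3) or losses not in (1, 2, 3):
        raise ValueError("scale values are 1..3")
    product = occurrence * losses
    if product <= 2:
        return "Low risk"
    if product <= 4:
        return "Medium risk"
    return "High risk"


def network_importance(d, i, c):
    """IR = D * I * C (availability, integrity, confidentiality weights)."""
    return d * i * c


def relative_risk(ir, pi, pd):
    """RR = IR * (1 - PI) * (1 - PD). PI and PD are the levels of incident and
    damage prevention in place, so stronger prevention lowers the relative risk.
    Rounded to two decimals, as the worked values on the page are."""
    for p in (pi, pd):
        if not 0.0 <= p <= 1.0:
            raise ValueError("PI and PD must be probabilities in [0, 1]")
    return round(ir * (1 - pi) * (1 - pd), 2)


def rank_networks(networks):
    """networks: {name: (IR, PI level name, PD level name)} -> [(name, RR)],
    highest relative risk first, i.e. the order in which to spend on controls."""
    scored = [(name, relative_risk(ir, LEVELS[pi], LEVELS[pd]))
              for name, (ir, pi, pd) in networks.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The three LAN rows worked on the page (NI, PI level, PD level).
LAN = {"Administrative": (6, "very low", "low"),
       "Technical": (12, "moderate", "moderate"),
       "Financial": (18, "low", "low")}

if __name__ == "__main__":
    for name, rr in rank_networks(LAN):
        print(f"{name:15s} RR = {rr}")
    print("likely x critical ->", risk_level(2, 3))
```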

Questions referring to security investments

What is the acceptable level of risk? (Risks ? ? ? ? Costs)

How much shall be invested in security?

Cost-benefit chart in ensuring security: costs (%) from 10 to 100 against benefits (risk attenuation) (%) from 10 to 100. Maximum security can be ensured only with very high costs. In most of the cases 20% of the costs are reflected in 80% of the benefits regarding risk minimization and security assurance.
Imposed security (financial)

This risk analysis is done especially within large companies and eventually within medium companies. Small companies have no specialised personnel and no money to pay for such an evaluation. Nevertheless, a minimum of security measures must be taken. It is well known that company managers are hard to convince to invest in something that doesn't bring immediate profit. And when they are convinced of the necessity of the sums for ensuring security, the allotted sums are below the required ones. In these conditions, a security whose expenses do not exceed a certain limit must be ensured. We can talk about a financially imposed security. There are two alternatives for solving this situation:

covering the most probable threats while keeping the initial control methods;
covering all threats and reducing the costs of the control measures.

The first measure will allow a maximum of security for certain threats but will leave other threats partially or totally uncovered.
The second measure will impose reducing the expenses necessary for ensuring controls in order to cover all the possible threats. This can be reflected in the modification and configuration of the control measures. For example, two APC UPS uninterruptible sources of 350 VA will not be bought at 95$ a piece for two computers, but a single APC UPS source of 650 VA at 140$. The saving is 50$ (95 x 2 - 140 = 50). In this case, though, the two computers will have to be powered from the same uninterruptible source, by extending the power cables or by placing them very close together.
This second measure is preferable to the first, because it leaves no vulnerabilities uncovered by control measures.

Imposed security (financial)

Figure: decision flow. The security risk analysis yields the calculated sum (Cs), which is compared with the allocated sum (As). If Cs > As (YES), one of two options is chosen, each subject to Cc <= As: covering the most probable threats while keeping the initial control methods, or covering all threats and reducing the costs of the control measures. If Cs <= As (NO), implementation follows.
Security Index (financial)

Security is hard to quantify. We will never be able to say within the company that we have security of a certain grade; we can only estimate it as being at a certain level: high, medium, low or non-existent. Nevertheless, we can quantify the security level, at least financially, and the Security Index (financial) aims to eliminate this drawback, at least partially. Implementing, testing or upgrading security will always generate equipment and human costs. The index I propose for quantifying security within the company refers to equipment and especially to computing equipment. I propose that this index be called SI(f) (Security Index (financial)) and be computed with the formula:

SI(f) = [ (Ce + SUM(i=1..n) Pi x Cci) / Ce ] - 1

where:
Ce  = cost of computing equipment
Pi  = participation/share of control i
Cci = cost of control i

Interpretation:
SI(f) = 0       zero investment in security
0 < SI(f) < 1   investment in security
SI(f) >= 1      we have not evaluated the risks very well and/or we have exaggerated with the control measures; the equipment (computer) is not of quality and needs additional equipment; the updated value of the equipment is low compared to the cost of the controls.
Security Index (financial) (example)

Station 1: Ce = 1.000 USD
Controls:
  UPS: Cc = 140 USD, shared with another station, P = 1/2 = 0,5
  Disk encryption device: Cc = 500 USD, P = 1

SI(f) = [ (1.000 + 0,5 x 140 + 1 x 500) / 1.000 ] - 1 = 0,57
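The SI(f) computation generalised to a small fleet, as an added example that is not part of the course material. It derives the share Pi of a control from the number of stations it serves (the slide's UPS shared by two stations gives P = 1/2); Station 2 and its 600 USD equipment cost are constructed.

```python
"""Security Index (financial): SI(f) = (Ce + sum_i Pi * Cci) / Ce - 1.

Added example. A control shared by k stations contributes to each of them
with the share Pi = 1/k, as the slide's UPS shared by two stations (P = 1/2).
"""
from collections import defaultdict


def station_shares(controls):
    """controls: list of (control name, cost, [stations it serves]).
    Returns {station: [(control name, share Pi, cost Cci), ...]}."""
    shares = defaultdict(list)
    for name, cost, stations in controls:
        if not stations or cost < 0:
            raise ValueError(f"bad control definition: {name}")
        share = 1 / len(stations)          # Pi: equal split between stations
        for station in stations:
            shares[station].append((name, share, cost))
    return shares


def security_index(equipment_cost, station_controls):
    """SI(f) for one station from its equipment cost Ce and its control shares."""
    if equipment_cost <= 0:
        raise ValueError("Ce must be positive")
    weighted = sum(share * cost for _, share, cost in station_controls)
    return round((equipment_cost + weighted) / equipment_cost - 1, 2)


def interpret(si):
    """The three bands from the slide."""
    if si == 0:
        return "zero investment in security"
    if si < 1:
        return "investment in security"
    return ("risks not evaluated well and/or controls exaggerated, "
            "or equipment value low compared to the controls")


# Constructed fleet: the slide's Station 1 plus a hypothetical Station 2 that
# shares the UPS and has no encryption device.
EQUIPMENT = {"Station 1": 1000.0, "Station 2": 600.0}
CONTROLS = [
    ("UPS 650 VA", 140.0, ["Station 1", "Station 2"]),
    ("Disk encryption device", 500.0, ["Station 1"]),
]


def fleet_index(equipment=EQUIPMENT, controls=CONTROLS):
    """SI(f) per station for the whole fleet."""
    shares = station_shares(controls)
    return {st: security_index(ce, shares.get(st, []))
            for st, ce in equipment.items()}


if __name__ == "__main__":
    for st, si in fleet_index().items():
        print(f"{st}: SI(f) = {si:.2f} -> {interpret(si)}")
```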

Calculating the Return on Investment (ROI)

For each applied control measure we identify:
- the vulnerabilities that can be reduced by applying that control measure;
- an optimal rating/value for each pair of event/control method;
- the estimated annual cost of implementing that control measure;
- the return on investment (ROI).

ROI = rk x ALEt / Ck

where:
Ck = annual cost for control k
rk = effectiveness rating of control k
ALEt = ALE of threat t

In selecting the additional control measures we must take into account the achievement of the following objectives:
- value of the return on investment as high as possible;
- minimization of ALE (Annual Loss Expectancy).

The highest ROI is obtained by acting on the effectiveness rating r, raising it towards its maximum value (1), or on the annual cost C of applying the control, by diminishing the cost of control implementation.

Example:

ALE = ALE1,1 + ALE2,1 + ALE3,1
ALE = 2.500 + 2.500 + 150.000 = 155.000 USD

Threat = voltage shocks
Control = voltage stabilizer (100 USD/pc.)
Ck = 22 x 100 = 2.200 USD (22 pcs.)
rk = 0,7 (only 70% of the losses are covered)

ROI = (0,7 x 155.000) / 2.200 = 108.500 / 2.200 = 49,31/1

Economic indicators of profitability

Figure: share of respondents (%) using each indicator: ROI (Return on Investment), NPV (Net Present Value), IRR (Internal Rate of Return). Source: Computer Security Institute, CSI/FBI 2006 Computer Crime and Security Survey, with the same indicators from the CSI/FBI 2008 and 2010 Computer Crime and Security Surveys (what the latest CSI/FBI surveys reveal, continuation).

Economic indicators of profitability

Return on Investment (ROI)
ROI = (Net benefit / Costs) x 100 %
Net benefit = Benefit - Costs

Net Present Value (NPV)
NPV = -C + SUM(a=1..n) Income year a / (1 + r)^a
r = rate
The initial cost C enters with a negative value.
The investment is profitable if NPV > 0.

Internal rate of return (IRR)
We calculate r from the NPV equation, setting NPV = 0 and r = IRR:
0 = -C + Income year 1 / (1 + IRR)^1 + Income year 2 / (1 + IRR)^2 + ... + Income year n / (1 + IRR)^n

Economic indicators of profitability

Example

A 1.000 USD uninterruptible power supply (UPS) is bought. It is considered to have a warranty of good functioning of 3 years; after this period the source is removed. Calculate ROI, NPV and IRR.
Initial costs = 1.000 USD
Income for year 1 = 1.500 USD
Income for year 2 = 2.000 USD
Income for year 3 = 3.000 USD. The values are increasing due to the increase in volume of the company's activity.

ROI = [ (1.500 + 2.000 + 3.000) - 1.000 ] / 1.000 x 100% = 6,5/1

Discounted at r = 0,1:
ROI = [ (1.500/(1 + 0,1)^1 + 2.000/(1 + 0,1)^2 + 3.000/(1 + 0,1)^3) - 1.000 ] / 1.000 x 100% = 4,3/1

NPV = -1.000 + 1.500/(1 + 0,1)^1 + 2.000/(1 + 0,1)^2 + 3.000/(1 + 0,1)^3 = 4,3 (in thousands of USD)
NPV > 0, so the investment is profitable.

IRR: solve
0 = -1.000 + 1.500/(1 + IRR)^1 + 2.000/(1 + IRR)^2 + 3.000/(1 + IRR)^3
IRR = 20,7 %

Figure: NPV as a function of r; the curve crosses zero at r = IRR (axis r/IRR from 0 to 40 %). NPV > 0: profitable investment; NPV < 0: unprofitable investment.
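The control ROI from the risk-analysis slides (rk x ALEt / Ck) and the profitability indicators ROI, NPV and IRR from this example, worked in Python as an added example that is not part of the course material. ROI is evaluated from the slide's own definition (net benefit over costs), and IRR is found numerically by bisection on the NPV equation.

```python
"""Economic indicators for a security investment (added example).

Control ROI: ROI_k = r_k * ALE_t / C_k.
Profitability: ROI = (Benefit - Costs) / Costs x 100 %,
               NPV = -C + sum_a Income_a / (1 + r)^a,
               IRR = the r at which NPV(r) = 0.
"""


def control_roi(effectiveness, ale, annual_cost):
    """ROI of control k against threat t, as a ratio to 1."""
    if not 0 <= effectiveness <= 1 or annual_cost <= 0:
        raise ValueError("effectiveness must be in [0, 1], cost positive")
    return round(effectiveness * ale / annual_cost, 2)


def roi_percent(benefit, costs):
    """ROI = Net benefit / Costs x 100 %, with Net benefit = Benefit - Costs."""
    return round((benefit - costs) / costs * 100, 1)


def npv(initial_cost, incomes, rate):
    """NPV = -C + sum_a Income_a / (1 + r)^a, years counted from 1."""
    return -initial_cost + sum(inc / (1 + rate) ** a
                               for a, inc in enumerate(incomes, 1))


def irr(initial_cost, incomes, lo=0.0, hi=10.0, tol=1e-9):
    """Solve NPV(r) = 0 by bisection. NPV decreases with r for a
    cost-first cash flow, so NPV(lo) > 0 > NPV(hi) brackets the root."""
    if npv(initial_cost, incomes, lo) <= 0:
        return None                     # not profitable even undiscounted
    if npv(initial_cost, incomes, hi) >= 0:
        raise ValueError("upper bracket too small")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if npv(initial_cost, incomes, mid) > 0:
            lo = mid
        else:
            hi = mid
    return round((lo + hi) / 2, 4)


# Data from the slides.
ALE_VOLTAGE = 2500 + 2500 + 150000      # ALE1,1 + ALE2,1 + ALE3,1 = 155.000 USD
STABILIZER_COST = 22 * 100              # 22 pcs x 100 USD = 2.200 USD/year
UPS_COST = 1000.0
UPS_INCOMES = [1500.0, 2000.0, 3000.0]  # years 1..3
RATE = 0.10


def ups_case():
    """Indicators for the 1.000 USD UPS example."""
    return {
        "roi_pct": roi_percent(sum(UPS_INCOMES), UPS_COST),
        "npv": round(npv(UPS_COST, UPS_INCOMES, RATE), 2),
        "irr": irr(UPS_COST, UPS_INCOMES),
    }


if __name__ == "__main__":
    print("voltage stabilizer ROI:",
          control_roi(0.7, ALE_VOLTAGE, STABILIZER_COST), "/1")
    print("UPS:", ups_case())
```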

A possible culprit for the company's security!!!

Business owner: policies definition, funds approval, risk analysis.

Another possible culprit for the company's security!!!

Time...

Time cannot be stored.
Time cannot be bought.
Time cannot be sold.
Time cannot be traded.
Time can only be used.

Reducing the risks

In order to reduce or eliminate the risks, the company must be capable of the following operations:

Prevention (the correct selection of products, updating the products and adapting them to the imposed changes)

Detection (filtering and analyzing the information, analyzing the alerts, correlating them with the needs of the company)

Response (taking the measures that are imposed, communication and constant training)

Reducing the risks

People
- Training ... continuous, updated ...
- Responsibilities ... brought to attention and assumed ...
- Knowledge ... in the field ...
- Organization ... effective ...

Processes
- Policies ... clear, updated, viable ...
- Procedures ... tested ...
- Standards ... updated ...

Technologies
- Infrastructure ... adequate, safe ...
- Applications ... safe, adequate, tested, audited ...

Reducing the risks

There are five strategies for reducing the risks:

Prevention
Preventing some events that can affect the company's security.
Reduction
Reducing the occurrence probability and the impact.
Avoidance
Avoiding a risk through effective planning.
Transfer
Eliminating the risk by taking out insurance on that risk.
Alternative planning
In the case of unpredictable risks, the implementation of alternative plans for reducing the impact is needed.

Backup and restore

Reasons for backup copies (reason, description, role of the backup copies):

User errors
  Description: users can accidentally delete their files.
  Role of backup copies: implemented periodically, they protect users from their own mistakes by allowing them to restore the files.

Errors of system managers
  Description: persons involved in system administration can make important errors, such as deleting active accounts along with the old ones, or can wrongly change important configuration files.
  Role of backup copies: they allow the recovery of lost files, or finding the wrongly changed ones in order to correct the mistakes.

Hardware failure
  Description: system hardware failures can lead to data loss.
  Role of backup copies: the lost files can be restored on another system that is working well.

Software failure
  Description: software applications often have hidden malfunctions which destroy the data.
  Role of backup copies: they allow the restoration of the lost data and even give the possibility of finding the malfunctions within the application by comparative studies.

Attacks of hackers and other intruders
  Description: system crackers often delete or change the data in the system. Unfortunately they erase any track that could lead to finding the modifications.
  Role of backup copies: if it is discovered that the system has been cracked, the backup copy can be used for detecting the changes and for recovering the files.

Theft
  Description: due to their high price, computers, and especially portable ones, are stolen. Insurance companies can compensate the financial loss, but not the loss of the stored data.
  Role of backup copies: the recovery of the stored data, at least. Sometimes these are more important than the computer.

Natural disasters
  Description: storms and earthquakes lead to the destruction of the rooms where the computers are found.
  Role of backup copies: data recovery.

Other disasters
  Description: fires, explosions, wars etc.
  Role of backup copies: data recovery.

Archive information
  Description: the existence of database archives.
  Role of backup copies: accidental changes can be discovered and a history of the project can be made.

Backup and restore - Storage devices

JBOD
Definition of JBOD (Just a Bunch Of Disks): a group of hard disks in a computer that are not set up as any type of RAID configuration. They are just a bunch of disks.

RAID
Definition of RAID (Redundant Array of Independent Disks): a disk subsystem that is used to increase performance or provide fault tolerance or both. RAID uses two or more ordinary hard disks and a RAID disk controller. In the past, RAID has also been implemented via software only.

Tape
Definition of magnetic tape: a sequential storage medium used for data collection, backup and archiving.

Backup and restore

Data backup is the process of transferring data from the company's computers to a special storage device.
Data restore is the process of restoring data to the company's computers from one or more backup copies.

An archive is a long-term backup copy which is stored outside the company.

File types and backup frequency:
  Daily backup: data files; critical files (which can be saved even several times a day).
  Weekly backup: any other types of files (including system and software files).

Backup and restore - types

Backup from day 0
It is the copy of the system in its original form, right after it was installed and before users start using it. This backup must contain every program and file in the system.

Complete backup
Represents the copy of all the files in the system: system files, software files and data files.

Partial backup

Incremental (partial) backup
Contains the files added or modified after the last complete or partial backup operation.

Differential (partial) backup
Contains the files added or modified after the last complete backup operation.

Backup and restore - advantages and disadvantages

Incremental backup (all new or modified files since the last partial or total backup operation)
  Advantages: fast backup because the number of files is low. Low wear of the backup devices and of the supports. Low number of necessary supports.
  Disadvantages: large amount of time for restoration due to the existence of more than 2 supports (the complete backup support and each of the incremental supports). High costs in case of disasters due to the large amount of time needed for restoration.

Differential backup (all new or modified files since the last total backup operation)
  Advantages: fast restoration due to the existence of only 2 supports (the complete backup support and the differential backup support). Low costs in case of disasters due to the low amount of time needed for restoration.
  Disadvantages: slow backup due to the high number of files. High wear of the backup devices and supports. High number of necessary supports.

Backup and restore - strokes and tapes

Differential backup: necessary strokes and tapes

Day         Backup type    Size      Time     Number of tapes
Friday      Complete       160 GB    4 h      3 tapes
Monday      Differential    45 GB    1.1 h    1 tape
Tuesday     Differential    56 GB    1.4 h    1 tape
Wednesday   Differential    67 GB    1.7 h    2 tapes
Thursday    Differential    83 GB    2.1 h    2 tapes
Total:                     411 GB   10.3 h    9 tapes

Incremental backup: necessary strokes and tapes

Day         Backup type    Size      Time     Number of tapes
Friday      Complete       160 GB    4 h      3 tapes
Monday      Incremental     45 GB    1.1 h    1 tape
Tuesday     Incremental     11 GB    0.3 h    1 tape
Wednesday   Incremental     11 GB    0.3 h    1 tape
Thursday    Incremental     16 GB    0.4 h    1 tape
Total:                     243 GB    6.1 h    7 tapes

These examples are based on a weekly backup cycle with a tape drive that can transfer data at 40 gigabytes (GB) per hour onto 60-gigabyte capacity tapes.

Backup and restore - tapes

Differential backup: necessary tapes for the restoration process

Day         Backup type    Tapes written
Friday      Complete       Tapes 1, 2, 3
Monday      Differential   Tape 4
Tuesday     Differential   Tape 5
Wednesday   Differential   Tapes 6, 7
Thursday    Differential   Tapes 8, 9

Necessary tapes for a complete restore: tapes 1, 2, 3, 8, 9

Incremental backup: necessary tapes for the restoration process

Day         Backup type    Tapes written
Friday      Complete       Tapes 1, 2, 3
Monday      Incremental    Tape 4
Tuesday     Incremental    Tape 5
Wednesday   Incremental    Tape 6
Thursday    Incremental    Tape 7

Necessary tapes for a complete restore: all 7 tapes
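Both tape tables above (strokes/tapes per day and the tapes needed for a complete restore), reproduced in Python as an added example that is not part of the course material. It starts from the daily change volumes and assumes the changes do not overlap, so the incremental volumes are the differences between successive differential volumes (45, 11, 11, 16 GB).

```python
"""Differential vs incremental backup schedules (added example).

Assumptions from the slides: a 40 GB/h tape drive, 60 GB tapes, a complete
backup on Friday and partial backups Monday to Thursday.
"""
import math

DRIVE_GB_PER_HOUR = 40.0
TAPE_CAPACITY_GB = 60.0
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday"]


def tapes_needed(size_gb):
    """Whole tapes needed for a backup of size_gb."""
    return math.ceil(size_gb / TAPE_CAPACITY_GB)


def hours_needed(size_gb):
    """Drive time in hours, rounded to one decimal as on the slides."""
    return round(size_gb / DRIVE_GB_PER_HOUR, 1)


def schedule(full_gb, daily_changes_gb, kind):
    """One row per day: (day, backup type, GB, hours, tape numbers).

    kind is 'differential' (everything since the last complete backup) or
    'incremental' (everything since the last partial backup). Daily changes
    are assumed not to overlap, so differential volumes accumulate."""
    if kind not in ("differential", "incremental"):
        raise ValueError(kind)
    rows, next_tape, carried = [], 1, 0.0

    def add(day, label, size):
        nonlocal next_tape
        n = tapes_needed(size)
        tapes = list(range(next_tape, next_tape + n))
        rows.append((day, label, size, hours_needed(size), tapes))
        next_tape += n

    add("Friday", "Complete", full_gb)
    for day, change in zip(WEEKDAYS, daily_changes_gb):
        carried = carried + change if kind == "differential" else change
        add(day, kind.capitalize(), carried)
    return rows


def totals(rows):
    """(total GB, total hours, total tapes) for the week."""
    return (sum(r[2] for r in rows),
            round(sum(r[3] for r in rows), 1),
            sum(len(r[4]) for r in rows))


def restore_set(rows):
    """Tapes needed for a complete restore after the last backup."""
    full = rows[0][4]
    if rows[-1][1] == "Differential":
        return full + rows[-1][4]                 # complete + last differential
    return [t for r in rows for t in r[4]]        # complete + every incremental


# Constructed daily changes; they reproduce the slide's differential
# volumes 45, 56, 67, 83 GB and incremental volumes 45, 11, 11, 16 GB.
CHANGES = [45.0, 11.0, 11.0, 16.0]

if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        rows = schedule(160.0, CHANGES, kind)
        for r in rows:
            print(r)
        print("total:", totals(rows), "restore needs tapes:", restore_set(rows))
```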

Backup and restore - tape rotation

Small companies use the following tape rotation schemes:

1. Six tapes
2. Grandfather - Father - Son (GFS)
3. Tower of Hanoi

Backup and restore - six tapes

Tapes: MON, TUE, WED, THU, FRI1, FRI2.

Week   Monday   Tuesday   Wednesday   Thursday   Friday
1      MON      TUE       WED         THU        FRI1
2      MON      TUE       WED         THU        FRI2
3      MON      TUE       WED         THU        FRI1
4      MON      TUE       WED         THU        FRI2

Monday to Thursday: incremental or differential backup. Friday: complete backup, alternating between the FRI1 and FRI2 tapes.

Backup and restore - Grandfather - Father - Son (GFS)

Tapes:
  Son: MON, TUE, WED, THU (daily incremental or differential backup)
  Father: WEEK1, WEEK2, WEEK3, WEEK4 (weekly complete backup, on Friday)
  Grandfather: JAN, FEB, MAR, APR, MAY, JUN, JUL, AUG, SEP, OCT, NOV, DEC (monthly complete backup, one tape per month of the year)

Week   Monday   Tuesday   Wednesday   Thursday   Friday
1      MON      TUE       WED         THU        WEEK1
2      MON      TUE       WED         THU        WEEK2
3      MON      TUE       WED         THU        WEEK3
4      MON      TUE       WED         THU        WEEK4
Month                                            JAN (month tape)

Backup and restore - Tower of Hanoi

Figure: Tower of Hanoi rotation. Backup sessions (10 to 16 shown) are assigned to tape sets that are reused every 2, 4, 8 and 16 sessions; the sessions run Monday to Friday (continuation), with the complete backup marked.

Backup and restore - comparison between methods

Six tapes
  Advantages: requires a low number of tapes, which makes the method cheaper. It is ideal for a low volume of data.
  Disadvantages: it keeps the data only for one week, if you do not archive the tapes with the complete backup regularly.

Grandfather - Father - Son (GFS)
  Advantages: it delivers the safest way of data protection and it implements monthly archives. It is a simple method to implement and it is supported by many software products. It allows an easy complete restoration (without a search through the tapes with partial backups). Ideal for small companies that use complete restoration options.
  Disadvantages: requires many tapes. It is expensive due to the large number of tapes.

Tower of Hanoi
  Advantages: it is cheaper than the Grandfather - Father - Son (GFS) method (uses fewer tapes).
  Disadvantages: requires a difficult rotation strategy that can create more complications than the other methods. If there is no specialized software, the manual rotation is hard to realize. A large amount of time is spent in every session.
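The three rotation schemes as schedule generators, an added example that is not the course's code. It assumes five-day weeks with sessions numbered from 1, that in GFS the monthly grandfather tape replaces the weekly tape on the last Friday of the month, and a Tower of Hanoi with five sets (A used every 2nd session, B every 4th, C every 8th, D and E every 16th).

```python
"""Tape rotation schemes: six tapes, GFS and Tower of Hanoi (added example).

Each function answers: which tape (set) does this backup session write to?
Knowing the answer up front is what makes a restore point predictable.
"""
import calendar
from datetime import date

DAILY = ["MON", "TUE", "WED", "THU"]
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]


def six_tapes(session):
    """MON..THU: partial backup on the day's tape; Friday: complete backup,
    alternating FRI1 (odd weeks) and FRI2 (even weeks)."""
    if session < 1:
        raise ValueError("sessions are numbered from 1")
    week, day = divmod(session - 1, 5)
    if day < 4:
        return DAILY[day]
    return "FRI1" if week % 2 == 0 else "FRI2"


def gfs(day):
    """GFS for a calendar date: sons MON..THU, fathers WEEK1..WEEK4 on
    Fridays, grandfather = the month tape on the last Friday of the month
    (assumption: it takes the place of that week's father tape)."""
    if day.weekday() > 4:
        return None                                  # no backup at the weekend
    if day.weekday() < 4:
        return DAILY[day.weekday()]
    last_day = calendar.monthrange(day.year, day.month)[1]
    if day.day + 7 > last_day:                       # last Friday of the month
        return MONTHS[day.month - 1]
    return f"WEEK{(day.day - 1) // 7 + 1}"


def tower_of_hanoi(session, sets="ABCDE"):
    """Set index = number of trailing zero bits of the session number:
    A every 2nd session, B every 4th, C every 8th, ...; the last set takes
    all higher powers, so D and E are both reused every 16th session."""
    if session < 1:
        raise ValueError("sessions are numbered from 1")
    k = (session & -session).bit_length() - 1        # trailing zeros
    return sets[min(k, len(sets) - 1)]


def hanoi_reuse_period(set_name, sets="ABCDE"):
    """After how many sessions a set is overwritten (its retention)."""
    k = sets.index(set_name)
    return 2 ** (k + 1) if k < len(sets) - 1 else 2 ** (len(sets) - 1)


if __name__ == "__main__":
    print("six tapes :", [six_tapes(s) for s in range(1, 11)])
    print("GFS, Jan 2024 Fridays:",
          [gfs(date(2024, 1, d)) for d in (5, 12, 19, 26)])
    print("Hanoi     :", "".join(tower_of_hanoi(s) for s in range(1, 17)))
```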

Backup and restore - Network Attached Storage (NAS)

NAS is directly connected to a computer network (LAN).
NAS has its own file system and storage space.
The clients access the data using Remote Procedure Calls (RPCs) to the NAS file system.

Figure: users 1 to n reach the NAS over the LAN through NFS, CIFS or HTTP.
NFS (Network File System) for UNIX clients
CIFS (Common Internet File System) for Microsoft Windows clients
HTTP (Hypertext Transfer Protocol) for web access

Backup and restore - Storage Area Network (SAN)

A SAN is a dedicated network of storage devices and of the servers that access them. SANs are built on Fibre Channel technology. The data stored in a SAN is accessed at block level.

Figure: users 1 to n on the LAN reach the servers, which access the storage subsystem over the SAN.

Backup and restore - Network storage

NAS                               SAN
Easy to use                       Traffic reduction in the LAN network
Easy to implement and maintain    Scalability
Scalability                       High availability
High availability                 Heterogeneous platforms
Heterogeneous platforms           Flexibility
Backup/restoration                High trust
Low cost                          High speed network
File sharing                      Useful for critical applications
Web site hosting                  Useful for databases
Data storage for web pages        Remote replication
Limited DB applications

Backup and restore - Storage devices

RAID levels: Striping (RAID 0); Mirroring (RAID 1); Striping/Mirroring (RAID 0+1, RAID 10); Block and Parity Striping (RAID 5).
http://www.cluboc.net/reviews/hard_drives/raid_project1/index.asp


The actual stage of investments in security

Implementing security measures within the company

Management Security Services Supplier:
- access perimeter control and authentication
- virtual private networks
- web content filtering
- intrusion detection
- vulnerability/penetration test evaluation
- virus scan
- firewall/router management

Security Services Supplier: firewall, antivirus, firewall/router management, organization, 24/7, response in case of incident.

Inside security services. We take into consideration a medium-size company. In order to create a firewall for its connection, hardware and software for the firewall must be bought, at a price of approximately 10.000 USD. This amount might be higher if the company has more connections to the Internet or if it is a large company; the expenses in that case can vary from 50.000 USD to 75.000 USD. Managing and monitoring the firewall must be done by a qualified person. The wage of a specialist in the field varies between 40.000 and 60.000 USD per year. Buying such an expensive firewall product does not compensate for the weak training of the administrator. Taking into consideration the fact that permanent coverage is required (24/7 service), at least three people are needed, with average annual expenses of about 150.000 USD. The (minimal) training of the service personnel will cost 15.000 USD per year. This last category of expenses is necessary so that the service personnel keep in touch with the latest developments in the field.

From inside
Component/Expense        Sum (USD)
Software and hardware    10.000
Wages                    150.000
Training                 15.000
Total costs              175.000

Outside security services. The hardware and software costs stay the same: the firewall/router device and the software are bought by the beneficiary, around 10.000 USD. The expenses with the wages of the three employees who would manage the firewall disappear, but are replaced by the monthly expenses for external management, which are around 2.000 USD. This leads to annual expenses of 24.000 USD. The initial cost of installation (payable only once) is approximately 15.000 USD. There are no training costs.

Outsourcing
Component/Expense        Sum (USD)
Software and hardware    10.000
Management               24.000
Installation             15.000
Total costs              49.000

The difference:
Inside annual costs: 170.000 USD
Outside costs: 49.000 USD
Annual savings: 121.000 USD

What can a company help us with?

securITree

What do the local companies propose?

Business Process Evaluation and Risk Management
Phase 1: identify technical and informational assets
Phase 2: identify operational and management risks
Phase 3: establish a countermeasure plan

GeCAD NET Methodology: BS 7799, ISO 17799, OCTAVE, COBIT, SEI-CM
gecad net security services for information technology
securITree

E-security today: e-business new requirements demand new forms of security.

Figure: market maturity against time. Applications and infrastructure layers: Authorisation, SmartCards, PKI, VPN, eWallet, Knowledge, Secure Transactions, Intrusion Detection, Authentication, Anti Virus, Firewall, Portal sites, Encryption, Mailing lists. Stages: Standalone LAN/WAN, Internet Connectivity, Early E-Business, Mature E-Business.

securITree

Business Process Evaluation and Risk Management - Risk Analysis

The standards and methods offered by GeCAD are the following:
BS 7799
ISO 17799
OCTAVE
COBIT
ITIL

To develop a master plan for effective information security, it is essential to identify the most critical information or systems, their qualitative or quantitative value, the potential risks and finally the available solution scenarios.

The approach used by GeCAD is outlined below:
Identify technical and informational assets
Identify operational and management risks
Establish a counter-measure plan

gecad net security services for information technology

Security Standards

ISO/IEC 17799:2005 Information technology - Security techniques - Code of practice for information security management.
ISO/IEC 27000 family of information security standards, commonly known as ISO27k. The ISO27k standards provide good practice guidance on designing, implementing and auditing Information Security Management Systems to protect the confidentiality, integrity and availability of the information assets on which we all depend.

ISO 27001 - This is the specification for an information security management system (an ISMS), which replaced the old BS7799-2 standard.
ISO 27002 - This is the 27000 series standard number of what was originally the ISO 17799 standard (which itself was formerly known as BS7799-1).
ISO 27003 - This will be the official number of a new standard intended to offer guidance for the implementation of an ISMS (Information Security Management System).
ISO 27004 - This standard covers information security management measurement and metrics, including suggested ISO27002 aligned controls.
ISO 27005 - This is the methodology-independent ISO standard for information security risk management.
ISO 27006 - This standard provides guidelines for the accreditation of organizations offering ISMS certification.

ISO27000 - Information technology: Information security management systems, Overview and vocabulary
ISO27007 - Guidelines for Information Security Management Systems Auditing
ISO27008 - Guidelines for ISM auditing with respect to security controls (approved April 2008)
ISO27011 - Information technology: Information security management guidelines for telecommunications
ISO27033 - Network Security
ISO27799 - Health Informatics: Information security management in health using ISO/IEC 17799


Security basic rule: BACKUP! BACKUP! BACKUP!

Security is not a purpose, security is a continuous process.

Prevention (the correct selection of products, updating the products and adapting them to the imposed changes).
Detection (filtering and analyzing the information, analyzing the alerts, correlating them with the needs of the company).
Response (taking the measures that are imposed, communication, constant training).

"We must punish the offenders. But we cannot slow down the curiosity of a 13 year old kid who, while experimenting today, can develop tomorrow an informational or telecommunication technology that will lead the United States into the XXI century as leader in the domain. They represent our chance to remain a technologically competitive nation."
Patrick Leahy, Vermont senator

Security is implemented according to the size and demands of the company.
Security is hard to quantify.
Security is an insurance policy in case of disasters.
Excessive security can have negative effects on business.
Excessive security can become annoying.
Minimal security is preferred to its absence.
Security does not solve productivity problems.

Is security a merchandise?

References
[BURT05] E. Burtescu, Securitatea datelor firmei, Ed. Ind. Economică, Pitești, 2005.
[BRHU02] C. Brenton, C. Hunt, Mastering Network Security, SYBEX Inc., 2002.
[BURK04] J.R. Burke, Network Management: Concepts and Practice, A Hands-On Approach, Prentice Hall PTR, 2004.
[GROT02] D. Groth, Network+ Study Guide, SYBEX Inc., 2002.
[HSST95] S.B. Hsiao, R. Stemp, Computer Security, course, CS 4601, Naval Postgraduate School, Monterey, California, 1995.
[HSST95] S.B. Hsiao, R. Stemp, Advanced Computer Security, course, CS 4602, Naval Postgraduate School, Monterey, California, 1995.
[KAEO99] M. Kaeo, Designing Network Security, Cisco Press, Indianapolis, Indiana 46290 USA, 1999.
[LUAB00] T. Lunt, M. Abrams, D. Denning, L. Notargiacomo, Information and Computer Security, CS 4990/6990, course, Mississippi State University, 2000.
[LUSA03] I. Lungu, Gh. Sabău, I. Velicanu, M. Muntean, S. Ionescu, E. Posdarie, D. Sandu, Sisteme informatice. Analiză, proiectare și implementare, Ed. Economică, București, 2003.
[MCCA03] L. McCarthy, IT Security: Risking the Corporation, Prentice Hall PTR, 2003.
[MIMI02] M. Miller, Absolute PC Security & Privacy: Defending Your Computer Against Outside Intruder, SYBEX Inc., 2002.
[OGTE01] T.W. Ogletree, Firewalls: Protecția rețelelor conectate la Internet, Ed. Teora, București, 2001.
[OPDU99] D. Oprea, Analiza și proiectarea sistemelor informaționale economice, Ed. Polirom, București, 1999.
[PRBY02] P.E. Proctor, F.C. Byrnes, The Secured Enterprise, Prentice Hall PTR, 2002.
[RUGA91] D. Russel, G.T. Gangemi Sr., Computer Security Basics, O'Reilly & Associates, Inc., 1991.
[SECU02] Security Complete, Second Edition, SYBEX Inc., 2002.
[SECU99] Securitatea în Internet, Ed. Teora, București, 1999.
[STPE02] M. Strebe, C. Perkins, Firewalls 24seven, SYBEX Inc., 2002.
*** http://csrc.nist.gov/
*** http://www.gecadnet.ro
*** http://www.idc.com

Annual Security Conference - 2004 Edition, SecureITree

Applications

Thank you!

Contact
Conf. univ. dr. Burtescu R. Emil
emil_burtescu@yahoo.com
eburtescu@yahoo.com
YM ID: eburtescu
www.burtescu.ro (under construction)