Introduction to O-RA Security challenges in E-Commerce Control considerations Data Breaches in Retail Environment Risk Analysis & Taxonomy

1. 1 | Copyright © 2015 Tata Consultancy Services Limited
Adoption of O-RA for Secure Architecture of an
E-commerce Platform
Satish K Sreenivasaiah
Lead Architect
Tata Consultancy Services
February 16, 2015

2. 2
Agenda
Introduction to O-RA1
Security challenges in E-commerce2
Control considerations3
Summary4

3. 3
Click to edit Master title styleIntroduction to O-RA Standard

4. 4
O-RA (Risk Analysis)
A Standard that is intended to be applied toward the problem of managing the
frequency and magnitude of loss that arises from a threat (whether human,
animal, or natural event)
Coupled with the Risk Taxonomy (O-RT) Standard, it provides risk analysts the
specific processes necessary to perform effective FAIR-based information security
risk analysis

5. 5
Risk Analysis
Risk Assessment
Risk Analysis
Identify Evaluate Report
Determines the
significance of the
identified risk
concerns
Risk-related concerns
Identified risk
concerns
Managing ‘How often bad things happen, and how bad they are when they occur‘

6. 6
A Few Key Objectives of O-RA
Used with companion O-RT standard to,
Establish a common language for the information security and risk management
profession
Introduce rigor and consistency into analysis for more effective risk modeling
Educate information security, risk and audit professionals

7. 7
Click to edit Master title styleIntroduction to O-RT Standard

8. 8
O-RT (Risk Taxonomy)
A Standard to provide a single logical and rational taxonomical framework to
understand and/or analyze information security risk
Each factor that drives risk is identified and defined
Limited to describing the factors that drive risk and their relationships to one
another

9. 9
Risk
Why do we Need a Taxonomy for Risk?
Software
Flaws or Faults
So , Is Risk = (Threat *
Vulnerability) / Controls?
If not, what are the factors that drive risk?

10. 10
Risk Taxonomy – High Level
Estimates probable frequency
and magnitude of future loss
Probable frequency within a given
timeframe that a threat agent can
inflict harm on asset
Probable magnitude of
loss resulting from a loss
event
TCap RSPoACF
Risk
Loss
Magnitude
Loss Event
Frequency
Threat Event
Frequency
Vulnerability
Primary
Loss
Secondary
Loss
Contact
Frequency
Probability
of Action
Threat
Capability
Resistance
Strength
Secondary Loss
Event Frequency
Secondary Loss
Magnitude
LEF
LM
TEF
Vuln

11. 11
Risk Taxonomy – Loss Event Frequency
Threat Event
Frequency
Vulnerability
Probable frequency within a given timeframe that a
threat agent will act against an asset
Probability that a threat event can
become a loss event
Contact Frequency
Probability of Action
Threat Capability
Resistance Strength
Probable frequency within a given timeframe that a threat
agent will come into contact with an asset
Probability that a threat agent will act against the asset once the
contact occurs
Probable level of force that a threat agent is capable of applying
against an asset
Strength of a control as compared to a baseline measure of
force

12. 12
Risk Taxonomy – Loss Magnitude
Primary Loss
Secondary
Loss
Occurs directly as a result of threat
agent’s action on the asset
Occurs due to secondary
stakeholders
Secondary Loss Event
Frequency
Secondary Loss
Magnitude
Allows analyst to estimate percentage of time a scenario is
expected to have secondary effects
Losses that are expected dealing with secondary stakeholders
(e.g. fines, loss of market share)

13. 13
Click to edit Master title styleRisk Analysis – Deep Dive

14. 14
Risk Analysis Stages
01
02
03
04
Scope the Analysis
Evaluate Loss Magnitude
Evaluate Loss Event
Frequency
Derive and Articulate Risk

15. 15
FAIR Basic Risk Analysis Methodology
 Identify the asset
at risk
 Identify the
threat
community
under
consideration
 Define the loss
event
 Estimate the Threat
Event Frequency
 Estimate the Threat
Capability
 Estimate Resistance
Strength
 Derive Vulnerability
 Derive Loss Event
Frequency
 Estimate Primary
Loss
 Evaluate
Secondary Loss
 Estimate
Secondary Loss
Event Frequency
 Estimate
Secondary Loss
Magnitude
 Derive Primary
Risk
 Derive Secondary
Risk
 Derive Total Risk
So, why apply risk analysis for E-commerce?
Scoping Evaluate LEF Evaluate LM Derive Risk

16. 16
Click to edit Master title styleData Breaches in Retail Environment

17. 17
Categories of Data Breach
Year 2013 may be remembered as the “year of the retailer breach”
*Source – Verizon 2014 Data Breach investigations Report

18. 18
Breaches Per Asset
*Source – Verizon 2014 Data Breach investigations Report

19. 19
Incident Classification
*Source – Verizon 2014 Data Breach investigations Report

20. 20
Click to edit Master title styleMapping of O-RA to E-commerce Domain

21. 21
The Scenario
An E-commerce portal specialized in selling gift items such as fragrance,
books, watches, sunglasses, bags, wallets etc. across the globe. Customer
personal information is stored in the portal whereas his/her credit and debit
card details are stored with external payment gateways and not within the
portal. Portal is available for all the registered and guest users, 24X7.

22. 22
Mapping of Stage 1 to E-commerce Platform
Scoping E-commerce Platform
Key Assets:
 Customer Data - personal details like name, contact details and
address
 E-commerce server infrastructure such as Web, Application,
Database servers
 Customer Credit and Debit card details (But this has been handled by
external payment gateways which are PCI-DSS compliant)
 Hackers for gain and to cause disruption
 Script kiddies
 Internal employees of the organization
 The malicious access and misuse of sensitive customer data by
Hackers using the vulnerabilities in the system
Identify the asset at risk
Identify the threat
community under
consideration
Define the loss event
What Asset is at risk?
Risk associated with
what threat?
What does the
loss event look
like?
Note that it excludes events by script kiddies,
internal employees and stipulates the intent to
be malicious and involves data misuse

23. 23
Mapping of Stage 2 to E-commerce Platform
Evaluate LEF
Estimate the
Threat Event
Frequency
Estimate the
Threat Capability
(skills, resources)
Rating Description
Very High(VH) >100 times per year
High(H) Between 1 and 100 times per year
Medium(M) Between 1 and 10 times per year
Low(L) Between 0.1 and 1 times per year
Very Low(VL) Less than once every ten years
Very High(VH) Top 2% as compared to overall threat population
High(H) Top 16% as compared to overall threat population
Medium(M) Average skill and resources (between bottom 16% and top
16%)
Low(L) Bottom 16% as compared to overall threat population
Very Low(VL) Bottom 2% as compared to overall threat population
Probable motive factors are value
of the asset, how vulnerable the
asset is, versus the risk of being
caught

24. 24
Mapping of Stage 2 to E-commerce Platform
Evaluate LEF
Estimate
Resistance
Strength
Rating Description
Very High(VH) Protects against all but the top 2% of an average threat
population
High(H) Protects against all but the top 16% of an average threat
population
Medium(M) Protects against the average threat agent
Low(L) Only protects against bottom 16% of an average threat
population
Very Low(VL) Only protects against bottom 2% of an average threat
population

25. 25
Deriving Vulnerability and LEF using Monte Carlo Simulation
Loss Event frequency is Medium, meaning it can happen between 1 and 10 times per year
Difference between
likely force to be applied
and assets ability to
resist that force
LEF > TEF and TEF > 100%
as it is a %

26. 26
Possible set of ranges to characterize Loss Magnitude for customer data misuse
Stage 3 – Loss Magnitude (Primary)
Primary Loss Magnitude
Loss Forms
Productivity Response Replacement
Fines/
Judgments
Competitive
Advantage
Reputation
L M L - - -
Productivity Loss is considered Low as
the Ecommerce portal is operational and
Replacement Loss is Low as well. The
primary loss magnitude cost associated
here would be due to response

27. 27
Estimating Secondary Loss Probability
Estimating SLEF
Rating Description
Very High(VH) 90% to 100%
High(H) 70% to 90%
Medium(M) 30% to 70%
Low(L) 10% to 30%
Very Low(VL) 0% to 10%
Secondary Loss probability
is Very High as primary
LEF was M and SLEF is VH

28. 28
Stage 3 – Loss Magnitude (Secondary)
Secondary Loss Magnitude
Loss Forms
Productivity Response Replacement Fines/
Judgments
Competitive
Advantage
Reputation
H M
Possible set of ranges to characterize Loss Magnitude for customer data misuse
Response is the time spent by the executives in
meetings, notifications and expenses
inside/outside legal counsel
Response Activities Approx. cost
Executive time 40 hours *
$200/hr=$8000
Notification costs($5 per
customer for ~50,000
customers)
$250,000 USD
Legal expenses $200,USD
Total (approx.) $450,000 USD

29. 29
Stage 4 : Deriving Primary and Secondary Risk
Primary Risk is derived
as probable loss event
frequency(Medium) and probable
future loss Magnitude(Medium)
Secondary Risk is very high as
compared to primary risk due to
the involvement of E-commerce
customer’s data

30. 30
Stage 4 : Deriving Overall Risk
Overall risk is very
High based on the
combination of
Primary and
Secondary risk
Qualitatively Risk
is derived to be
very High, and
Quantitatively, the
magnitude of loss
is Significant

31. 31
Click to edit Master title styleBasic Control Considerations in FAIR Analysis

32. 32
Risk Controls
Risk
Loss
Magnitude
Loss Event
Frequency
Threat Event
Frequency
Vulnerability
Primary
Loss
Secondary
Loss
Contact
Frequency
Probability of
Action
Threat
Capability
Resistance
Strength
Secondary Loss
Event Frequency
Secondary Loss
Magnitude
Avoidance
controls
Deterrent
controls
Response
controls
Vulnerability
controls
Affect the frequency
and/or likelihood of
encountering threats
Affect the likelihood of a
threat acting in a manner
that can result in harm
Affect probability that
a threat’s action will
result in a loss
Affect the amount of loss that
results from a threat’s action

33. 33
Information Security Controls Mapping to E-commerce Platform
Avoidance Controls
 Firewall Filters – datacenter as well as cloud,
̶ Enable VPN for communication in a hybrid cloud
̶ Virtual Private Clouds (preferable from Security stand-point)
 Physical barriers
 Reducing threat population – by implementing Fraud management systems(example EBS)
Deterrent Controls
 Policies – IT Security compliance aligning to organizational policy
 Logging and Monitoring – Use infrastructure and application monitoring (example, Amazon
CloudWatch and Pingdom)
 Asset hardening – Ensure infrastructure Vulnerability is assessed and ensure any issues are
addressed

34. 34
Information Security Controls Mapping to E-commerce Platform
(Contd..)
Vulnerability Controls
 Confidentiality, Integrity, Availability (CIA)
 Industry bodies like OWASP, CWE and WebAppSec provide vulnerabilities and the
resolutions to the known vulnerabilities to be applied at code and configuration levels
 Penetration Testing – VAPT for application and infrastructure. Plan for iterative SAST and
DAST throughout the development and testing life cycle
Response Controls
 Back up and Media restore process – have a real-time sync up between master and Slave DB
and archival strategies
 Forensic capabilities
 Incident response process

35. 35
References
Risk Taxonomy (O-RT),
Version 2.0, Open Group
Standard, C13K, published
by The Open Group,
October 2013; refer to:
www.opengroup.org/boo
kstore/catalog/c13k.htm
Risk Analysis (O-RA),
Open Group Standard,
C13G, published by The
Open Group, October
2013; refer to:
www.opengroup.org/boo
kstore/catalog/c13g.htm
How to Measure
Anything: Finding the
Value of Intangibles in
Business, Douglas W.
Hubbard, John Wiley &
Sons, 2010

36. Thank You
IT Services
Business Solutions
Consulting