
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk)



Slides from Tony Martin-Vegue's presentation at FAIRcon, Charlotte, NC: October 14, 2016

"Measuring DDoS Risk with FAIR (Factor Analysis of Information Risk)"

Published in: Data & Analytics


  1. Case Study: Measuring DDoS Risk Using FAIR
     FAIR Conference, October 14th, 2016 (#FAIRCON)
  2. About Me: Tony Martin-Vegue
     • CISSP, CISM, GCIH
     • BS, Business Economics, University of San Francisco
     • 20 years in IT
     • FAIR practitioner for about 5 years now
     • Reside in the Bay Area
  3. Why FAIR?
  4. Agenda & Objectives
     • Objective: Give you a hands-on look at how we can measure DDoS risk for a typical US bank
     • Distributed Denial of Service – what is it?
     • Our Bank
     • FAIR Analysis
       ◦ Scope Scenario
       ◦ Evaluate Loss Event Frequency
       ◦ Evaluate Loss Magnitude
       ◦ Derive and Articulate Risk
       ◦ Resources
  5. Our Company
  6. The CIO wants to know… Can this happen to us?
  7. Ok, what’s a DDoS attack?
  8. Threats: Methods and Objectives
     • Hacktivists: highly motivated, disruptive, possibly destructive, supporter of a cause. Wide range of capabilities.
     • Foreign Governments: attack opposition and government websites. Very high capabilities.
     • Cyber Criminals: cyber extortion, or use DDoS to mask other criminal activity. Moderate capabilities.
     • Cyber Vandals: interested in networking/computing disruption and web hijacking; derive thrills from destruction, no strong agenda. Wide range of capabilities.
  9. Intel’s Threat Agent Library
     Source: Prioritizing Information Security Risks With Threat Agent Risk Assessment; Intel; https://communities.intel.com/community/itpeernetwork/blog/2010/01/05/whitepaper-prioritizing-information-security-risks-with-threat-agent-risk-assessment
  10. Purpose of a Risk Assessment
  11. Anatomy of a FAIR Risk Assessment
      Risk
      • Loss Event Frequency
        ◦ Threat Event Frequency: Contact Frequency, Probability of Action
        ◦ Vulnerability: Threat Capability, Resistive Strength
      • Loss Magnitude
        ◦ Primary Loss
        ◦ Secondary Loss
      Source: Measuring and Managing Information Risk; Jack Jones and Jack Freund
  12. Stage 1: Identify asset(s) at risk
      Examples: Customer PII, Data on the website, Money
  13. Stage 1: Identify asset(s) at risk – How do you do this?
      • Talk to people in the IT Department
      • Talk to the application owner, data owner, data custodian, etc.
      • Look at asset lists
      • Reports from DLP, SIEM, etc.
      • Talk to Business Continuity Managers
  14. Stage 2: Evaluate Loss Event Frequency (FAIR taxonomy: Risk: Loss Event Frequency [Threat Event Frequency: Contact Frequency, Probability of Action; Vulnerability: Threat Capability, Resistive Strength] and Loss Magnitude [Primary Loss, Secondary Loss])
  15. Stage 2: Evaluate Loss Event Frequency (FAIR taxonomy: Risk: Loss Event Frequency [Threat Event Frequency: Contact Frequency, Probability of Action; Vulnerability: Threat Capability, Resistive Strength] and Loss Magnitude [Primary Loss, Secondary Loss])
  16. Why Ranges?
      • Credibility / Trust
      • Monte Carlo Simulations
      • Calibrated Probability Estimates
      • Express Uncertainty
  17. Measuring TEF: Threat Event Frequency (Contact Frequency, Probability of Action)
  18. Measuring TEF
      1. Make a calibrated estimate
      2. Build a list of attacks that occurred in the last 2 years
      3. Update calibrated estimate based on new information
      4. Repeat steps 2-3
  19. List of US Banks
  20. Where?
      • VERIS
      • Privacy Clearinghouse
      • Internal data
      • 10-K
      • Google news
      • Research (e.g. academic papers, blogs)
      • Vendor produced studies (whitepapers, reports) – be careful
  21. Results: attacks per bank, Oct 1, 2014 – Oct 1, 2016
      Chase ............ 2
      Wells Fargo ...... 2
      Bank of America .. 1
      Citibank ......... 0
      US Bank .......... 1
      PNC Bank ......... 0
      Bank of NY ....... 0
      Capital One ...... 1
      TD Bank .......... 2
      State Street ..... 0
  22. Measuring TEF with Bayes
      • Old technique
      • Allows an analyst to compute frequencies with very few data points
  23. Measuring TEF with Bayes
      • Vase is filled with mostly yellow but some blue marbles
      • We want to estimate the proportion of blue marbles without counting every marble in the vase
      • Reach in and pull out 6 marbles; 1 is blue and 5 are yellow
      • We can estimate that the proportion of blue marbles is between 5.3% and 52%
  24. Apply to DDoS Attacks
      1. Obtain a sampling of banks
      2. Find DDoS data for sample
      3. Apply Bayes (betadist in Excel)
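A worked version of the marble example and the bank sample above, as added example code (not from the presentation): it implements the Beta posterior that Excel's BETADIST/BETAINV supply in plain Python, reproduces the 5.3% to 52% interval, and then runs the same update over the ten-bank results slide. The uniform prior, the 90% interval, and the bank framing (a bank counts as "hit" if it saw at least one attack in the window) are assumptions, not stated in the deck.

```python
from math import comb

def beta_cdf(x, a, b):
    """CDF of Beta(a, b) for integer a, b >= 1, using the identity
    P(Beta(a, b) <= x) = P(Binomial(a + b - 1, x) >= a).
    Written without scipy so the example runs offline."""
    n = a + b - 1
    return sum(comb(n, k) * x ** k * (1 - x) ** (n - k) for k in range(a, n + 1))

def beta_quantile(p, a, b, tol=1e-10):
    """Inverse CDF by bisection (BETAINV in Excel; BETADIST is the CDF)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if beta_cdf(mid, a, b) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def credible_interval(successes, trials, confidence=0.90):
    """Bayesian estimate of a proportion from a small sample: a uniform
    Beta(1, 1) prior updated with the observations gives a
    Beta(successes + 1, failures + 1) posterior; return its central interval."""
    a = successes + 1
    b = (trials - successes) + 1
    tail = (1 - confidence) / 2
    return beta_quantile(tail, a, b), beta_quantile(1 - tail, a, b)

# Marble example from the slides: 6 drawn, 1 blue -> roughly 5.3% to 52%.
MARBLES = credible_interval(successes=1, trials=6)

# Sample of US banks transcribed from the results slide: DDoS attacks per bank,
# Oct 1, 2014 - Oct 1, 2016 (taken from the deck, not new data).
BANK_ATTACKS = {
    "Chase": 2, "Wells Fargo": 2, "Bank of America": 1, "Citibank": 0,
    "US Bank": 1, "PNC Bank": 0, "Bank of NY": 0, "Capital One": 1,
    "TD Bank": 2, "State Street": 0,
}

def share_of_banks_attacked(attacks, confidence=0.90):
    """Assumed framing (not stated on the slide): 'at least one attack in the
    window' is the blue marble. Returns (banks_hit, banks_sampled, (low, high))."""
    hit = sum(1 for n in attacks.values() if n > 0)
    return hit, len(attacks), credible_interval(hit, len(attacks), confidence)

if __name__ == "__main__":
    print(MARBLES, share_of_banks_attacked(BANK_ATTACKS))
```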
  25. Stage 2: Evaluate Loss Event Frequency (FAIR taxonomy: Risk: Loss Event Frequency [Threat Event Frequency: Contact Frequency, Probability of Action; Vulnerability: Threat Capability, Resistive Strength] and Loss Magnitude [Primary Loss, Secondary Loss])
  26. Vulnerability: Threat Capability, Resistive Strength
  27. Stage 3: Evaluate Loss Magnitude (FAIR taxonomy: Risk: Loss Event Frequency [Threat Event Frequency: Contact Frequency, Probability of Action; Vulnerability: Threat Capability, Resistive Strength] and Loss Magnitude [Primary Loss, Secondary Loss])
  28. Primary Loss
      Loss Type | Range of Loss | How to get
      Productivity | $0 - $300,000 | BCP managers, managers for each LoB that sells through the website. ProTip: Someone in your org has the average value of a customer over the customer’s lifetime.
      Response | $1,000 - $300,000 | IT people, outside counsel, public relations, freebies. ProTip: Get average salaries for all departments from HR.
      Replacement | N/A | ProTip: How much did it cost originally?
      Fines and Judgements | N/A | Legal and Compliance people, other companies’ SEC filings, news reports. ProTip: Mostly public; possible to extrapolate.
      Competitive Advantage | N/A | Senior management can get this info. May have already been done in a BIA.
      Reputation | N/A | Roll up to competitive advantage.
  29. Secondary Loss
      Loss Types: Replacement, Fines and Judgement, Competitive Advantage, Reputation
  30. So Far - Recap
      • Our asset is the website
      • The loss type is Availability
      • The threat community is Cyber Criminals
      • The TEF is 0-1x every year
      • TC is 50-75%
      • Resistance Strength is 50% - 90%
      • Losses:
        ◦ Productivity - $0 - $300,000
        ◦ Response - $1,000 - $300,000
  31. Stage 4: Derive and Articulate Risk (FAIR taxonomy: Risk: Loss Event Frequency [Threat Event Frequency: Contact Frequency, Probability of Action; Vulnerability: Threat Capability, Resistive Strength] and Loss Magnitude [Primary Loss, Secondary Loss])
  32. Final Risk
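The recap inputs carried through to a Stage 4 result, as an added example (not the presenter's own model): a small Monte Carlo that samples TEF, threat capability, resistive strength and the two primary loss ranges, counts a year as a loss year only when sampled capability exceeds resistive strength (FAIR's definition of vulnerability), and articulates annualised loss as percentiles. Uniform sampling within each range, a Poisson event count, and 20,000 trials are assumptions.

```python
import math
import random
import statistics

# Ranges from the recap slide. Assumption (the deck does not say): each input is
# sampled uniformly within its range; a calibrated analysis would use PERT or
# lognormal distributions with a most-likely value.
TEF_RANGE = (0.0, 1.0)              # threat events per year
TC_RANGE = (0.50, 0.75)             # threat capability, percentile
RS_RANGE = (0.50, 0.90)             # resistive strength, percentile
PRODUCTIVITY_RANGE = (0, 300_000)   # $ per loss event
RESPONSE_RANGE = (1_000, 300_000)   # $ per loss event

def poisson(lam, rng):
    """Number of events in one year at rate lam (Knuth's method; no numpy)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_year(rng):
    """One trial. FAIR: LEF = TEF x Vulnerability, where the sampled threat
    succeeds only if its capability exceeds the control's resistive strength;
    Loss Magnitude = sum of the primary loss forms for each event."""
    tc = rng.uniform(*TC_RANGE)
    rs = rng.uniform(*RS_RANGE)
    if tc <= rs:
        return 0.0                  # attacker stopped; no loss event this year
    events = poisson(rng.uniform(*TEF_RANGE), rng)
    return sum(rng.uniform(*PRODUCTIVITY_RANGE) + rng.uniform(*RESPONSE_RANGE)
               for _ in range(events))

def derive_risk(trials=20_000, seed=2016):
    """Annualised loss exposure, reported the way FAIR results are articulated:
    mean plus percentiles rather than a single number."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng) for _ in range(trials))
    pct = lambda p: losses[min(int(p * trials), trials - 1)]
    return {
        "mean": statistics.fmean(losses),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": losses[-1],
        "share_of_years_with_loss": sum(1 for x in losses if x > 0) / trials,
    }

if __name__ == "__main__":
    print(derive_risk())
```

Most simulated years show zero loss and the exposure sits in the tail, which is the point of the "Why Ranges?" slide: a single expected value would hide it.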
  33. Resources
      • Threat Modeling
        ◦ Intel TARA - http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf
        ◦ Threat Modeling: Designing for Security, book by Adam Shostack
      • Quantitative Risk Assessment Methodology
        ◦ Measuring and Managing Information Risk: A FAIR Approach, book by Jack Freund and Jack Jones
        ◦ How to Measure Anything, book by Douglas Hubbard
        ◦ How to Measure Anything in Cybersecurity Risk, book by Douglas Hubbard
