Secure Thinking Session 4: Risk Analysis
Jeff Crume, North Carolina State University

Summary: This document is a presentation on risk analysis. It covers the topic of security through various examples from history and modern-day scenarios. It also includes questions to prompt discussion. This presentation was delivered by Jeff Crume at NC State University.

Transcript
Secure Thinking Session 4: Risk Analysis
Jeff Crume, PhD, CISSP, ISSAP
IBM Distinguished Engineer
NCSU Assistant Teaching Professor
[email protected]

LAST ASSIGNMENT: Mitnick Questions
▪ Does it matter that he didn’t directly profit from his hacking?
▪ Does it matter that he said there were no laws against what he was doing?
▪ Does it “take a thief to catch a thief?”
▪ Would you hire a “reformed hacker?”

RISK ANALYSIS

Meteor-proof Car?
https://youtu.be/xt_Cdtvjbd4
Avolio, F.M. (1997) Firewalls are not enough. Trusted Information Systems, Inc., Networld & Interop Security Symposium, October, Atlanta, GA.

Misunderstanding Risk
▪ Bad: Is it secure?
▪ Better: Is it secure enough?

The “Unsinkable Ship”
"There is no danger that Titanic will sink. The boat is unsinkable and nothing but inconvenience will be suffered by the passengers."
– Phillip Franklin, White Star Line vice-president, 1912

“Unbreakable” Security
https://www.youtube.com/watch?v=Pro8jsMrzhA (Nov 2001)

Risk Mgmt vs. Risk Avoidance
▪ How can we make sure 9/11 never happens again?
– Ground all aircraft
▪ How much security is enough? Too much?
▪ How much should we spend?
▪ Liberty vs Security
– “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” -- Benjamin Franklin

Which is safe enough?

How good are we at risk analysis?
Consider that:
– 40,000 die in cars annually in the US; only a few hundred die in planes annually WW
– Food poisoning kills 5,000 each year; 9/11 killed less than 3,000 in a single, non-repeating event
– More people are killed in the US by cows than by sharks (22:1)
Does our spending on countermeasures reflect this?
– Feelings vs Facts (yet another trade-off)
– “… these seeming irrationalities have a good evolutionary reason for existing: they’ve served our species well in the past.”
Sources:
http://www.washingtonpost.com/blogs/wonkblog/wp/2015/06/16/chart-the-animals-that-are-most-likely-to-kill-you-this-summer/
http://www.cdc.gov/mmwr/preview/mmwrhtml/mm5829a2.htm
Crypto-Gram, Feb 28, 2007, Bruce Schneier

Risk Analysis and COVID-19: How did we do?
[Timeline figure, remote vs. F2F gap. Events marked: NC State of emergency declared; NCSU classes moved online; businesses begin closing offices; CDC recommends masks; NC mask requirement; businesses begin reopening; 1st vaccinations; NC mask requirement lifted; NCSU in-person classes resume]

Quantitative Risk Analysis Example
▪ Bang for the Buck Ratio (BBR) = Cost of Compromise / Cost of Protection
▪ Vulnerability Index (VI) = Cost of Compromise × Probability of Compromise
▪ Relative Value (RV) = Vulnerability Index / Cost of Protection
Source: Inside Internet Security: What Hackers Don’t Want You to Know, Addison-Wesley, Jeff Crume

Continuous Improvement Cycle
[Cycle diagram. Stages: Policy, Architecture, Implementation, Administration, Audit/Assess, Risk Analysis (Start Here). Risk treatment options: Transfer, Indemnify, Accept, Avoid, Mitigate. Goal: an effective and efficient Security Management Program]

ASSIGNMENT
Read:
– https://slate.com/news-and-politics/2020/03/coronavirus-tsa-liquid-purell-paid-leave-rules.html
Do you agree or disagree with the position taken? Why?
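Worked example of the slide's three quantitative risk analysis formulas (BBR, VI, RV), added here as illustration; this is not code from the presentation or from the cited book. The countermeasure names and dollar/probability figures are constructed sample inputs, and the "break-even" check assumes, as a simplification of mine, that a control removes the risk it addresses entirely. Ranking several candidate controls shows why the slide distinguishes BBR from RV: BBR ignores likelihood, so a "meteor shield" can score as well as multi-factor authentication until probability of compromise is factored in.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    """One candidate control, carrying the three inputs the slide's formulas need."""
    name: str
    cost_of_compromise: float         # loss if the protected asset is compromised
    probability_of_compromise: float  # likelihood of that compromise (per year, here)
    cost_of_protection: float         # what the control costs to buy and run


def bang_for_buck(m: Countermeasure) -> float:
    """BBR = Cost of Compromise / Cost of Protection (likelihood is ignored)."""
    return m.cost_of_compromise / m.cost_of_protection


def vulnerability_index(m: Countermeasure) -> float:
    """VI = Cost of Compromise x Probability of Compromise, i.e. the expected loss."""
    return m.cost_of_compromise * m.probability_of_compromise


def relative_value(m: Countermeasure) -> float:
    """RV = Vulnerability Index / Cost of Protection: expected loss addressed per unit spent."""
    return vulnerability_index(m) / m.cost_of_protection


def rank_by_relative_value(measures):
    """Order candidate controls so the best use of a limited budget comes first."""
    return sorted(measures, key=relative_value, reverse=True)


def below_break_even(measures):
    """Names of controls that cost more than the expected loss they address (RV < 1).
    Assumption (mine, not the slide's): the control eliminates the risk entirely."""
    return [m.name for m in measures if relative_value(m) < 1.0]


# Constructed sample inputs: illustrative figures, not data from the presentation.
SAMPLE = (
    Countermeasure("MFA for admin accounts", 300_000, 0.25, 15_000),
    Countermeasure("Phishing awareness training", 100_000, 0.30, 8_000),
    Countermeasure("Backups for the customer database", 500_000, 0.10, 20_000),
    Countermeasure("Meteor shield for the parking lot", 2_000_000, 0.000_001, 100_000),
)


def report(measures=SAMPLE) -> str:
    """One line per control, best relative value first."""
    lines = []
    for m in rank_by_relative_value(measures):
        lines.append(
            f"{m.name:<36} BBR={bang_for_buck(m):7.2f}  "
            f"VI={vulnerability_index(m):12,.2f}  RV={relative_value(m):10.5f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print("Costs more than the expected loss it addresses:", below_break_even(SAMPLE))
```

On the sample figures the database backups have the best BBR (25 versus 20 for MFA), yet MFA ranks first by RV (5.0 versus 2.5) because its compromise is more likely; the meteor shield ties the BBR of MFA but has an RV far below 1, which is the "is it secure enough?" question from the slides answered with numbers.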