RISKS and THREATS for I.T.
- fundamentals 
see also  witiger.com/ecommerce/RiskAndThreatIntroTypesOfAttacks.htm 
last updated 2008 Jan 30
 
This page is used in the following courses taught by Prof. Richardson: BIT 801

LEARNING OBJECTIVES
  • understand that good security involves more than just prevention
  • identify what a company can do beyond prevention
    • detection
    • reaction
    • countermeasures
  • identify the risks of insecure systems faced by business partners
  • appreciate that business partners can pass on vulnerabilities to your clients
  • differentiate between the relative risk benefits of intranets, extranets and the Internet
  • understand the risk management paradigm and methodology
  • differentiate between control weakness and control risk

State of Texas Department of Information Resources
Practices for Protecting Information Resources Assets
http://www.stac.state.tx.us/IRAPC/practices/

"guidelines are intended to assist agencies and institutions of higher education to achieve the goal of acceptable information resources risk management"

Part 1 – Main Body of Report – 76 pages, 6 MS Word files

    Chapter 1. Establishing an Information Security Policy  
    Chapter 2. Identifying Critical Information Assets and Risks 
    Chapter 3. Tools and Practices for Critical Information Asset Protection 
    Chapter 4. Security Incident Planning 

Part 2 – Appendices – 144 pages, 22 MS Word files

    Appendix A-1. Bibliography 
    Appendix A-2. Glossary – 66 pages – recommended
    Appendix B-1. Additional References and Sources 
    Appendix C-1. Example of Virus Handling Procedures 
    Appendix C-2. Perspective: Malicious Code and Other Security Threats 
    Appendix D-1. Checklist for Outsourcing Contracts 
    Appendix E-1. What to Do if You Think Your Installation Has Been Hacked 
    Appendix E-2. DoS Defense 
    Appendix E-3. Recipe for Developing a Successful Incident Handling Plan 
    Appendix E-4. Example of Agency Incident Response Plan 
    Appendix E-5. Emergency Steps for Incident Response 
    Appendix E-6. IDS Product Evaluation Criteria 
    Appendix E-7. Disruption Defense; Mitigation Checklist 
    Appendix F-1. LAN Security Checklist 
    Appendix G-1. Considering an Extranet?
    Appendix H-1. Protecting Your Password 
    Appendix I-1. Low-Cost/No-Cost Computer Security Measures 
    Appendix J-1. A Snapshot in Time: Where are the Vulnerabilities Now? 
    Appendix J-2. Risk Analysis and Assessment 
    Appendix J-3. Automation Controls Self-Assessment Guide 
    Appendix K-1. Implementation of Transaction Safeguards 
    Appendix K-2. Questions to Consider When Assessing Transaction Security Risks 
 


Q. Why is security so important in the age of the internet and computers?

A. Magnitude:

  • more damage can be done 
  • on a very large scale 
  • in a short period of time
Ghosh, in his 1998 book "E-commerce Security", said:
"A simple error in configuring a commerce site's server can lead to the compromise of thousands of credit card numbers".

Threat Modelling and Risk Assessment
http://www.counterpane.com/

In Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World" he explains that

"Threat modeling is the first step in any security solution. It's a way to start making sense of the vulnerability landscape. What are the real threats against the system? If you don't know that, how do you know what kind of countermeasures to employ?"

Threat Modelling and Risk Assessment
- understanding that vulnerability can exist in many forms

In his books Schneier often uses silly examples to explain scenarios and processes. Several years ago he described how to steal pancakes, which was silly, but was an excellent way of explaining how vulnerability can exist in many forms. It also shows that sometimes you can steal something of value without going anywhere near the transaction, the part where the money is actually taken.

Here is the pancake story.

"I find that the best security analysts are people who go through life finding the limitations of systems; they can’t help it. They can’t walk into a polling place without thinking about the security measures and figuring out ways that they can vote twice. They can’t use a telephone calling card without thinking about the possible anti-fraud mechanisms and how to get around them. These people don’t necessarily act on these thoughts--just because they found the blind spot in the store’s video surveillance system doesn’t mean they start shoplifting--but they can’t help looking."

"Threat modeling is a lot like this, and the only way to learn it is to do it. So let’s start by stealing some pancakes."
"Our goal is to eat, without paying, at the local restaurant. And we’ve got a lot of options. We can eat and run. We can pay with a fake credit card, a fake check, or counterfeit cash. We can convince another patron to leave the restaurant without eating and eat his food. We can impersonate a cook, a waiter, a manager, or the restaurant owner (who might be someone that few workers have ever met). We could snatch a plate off someone’s table before he eats it, or from under the heat lamps before the waiters can get to it. We can wait at the dumpster for the busboy to throw away the leftovers. We can pull the fire alarm and sneak in after everyone evacuates." 
" We can even try to convince the manager that we’re some kind of celebrity who deserves a free breakfast, or maybe we can find a gullible patron and convince him to pay for our food. We could mug someone, nowhere near the restaurant, and buy the pancakes. We can forge a coupon for free pancakes, and there’s the time-honored tradition of pulling a gun and saying “give me all your pancakes.”

"There are probably even more possibilities, but you get the idea. Looking at this list, most of the attacks have nothing to do with the point where money changes hands. This is interesting, because it means that securing the payment system does not prevent illicit pancake stealing."

Another story about "attack points", this one on rigging an election:
http://www2.cio.com/books/2000/excerpt295.html

permission to quote Bruce Schneier and to quote from his book dealt with in emails June 9th, 2006. Copies of emails kept in the permissions binder.


Vulnerability can exist in many forms

One purpose of recounting Schneier's pancake stealing story is to illustrate that one of the best ways to approach security is to use an overactive imagination to conceive of as many different, even weird, possibilities as you can.

So one of the things I'm trying to do in this unit is give students a very long list of all the risk and threat situations that can possibly happen, and discuss them, so that by being aware of such circumstances you may be better prepared to address them if a threat develops into an immediate risk.

If you can develop countermeasures and contingencies to protect against most of these possible threats, then it is unlikely you will be "surprised" by something that happens in the real world.


What is a disaster
http://vig.prenhall.com/catalog/academic/product/0,1144,0131866915,00.html

"A disaster is a disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization's ability to maintain operations, including customer commitments and regulatory compliance"
Green, Security Policies and Procedures, Chpt 11, p. 352

What is a Disaster - definitions

"A serious disruption of the functioning of a community or a society causing widespread human, material, economic or environmental losses which exceed the ability of the affected community or society to cope using its own resources."
from the United Nations International Strategy for Disaster Reduction, www.unisdr.org/eng/library/lib-terminology-eng%20home.htm

"Electronic Commerce":
Greenstein & Feinman, (1st Edition) Chpt 5 The Risks of Insecure Systems
Greenstein & Vasarhelyi, (2nd Edition) Chpt 7 The Risks of Insecure Systems

the powerpoints for Chpt 5 (1st Ed) can be obtained from
http://homepages.cambrianc.on.ca/timrichardson/ecommerce/ECP1220/greensteinchap5.ppt

Page 133 Greenstein Text - 1st Edition
Page 215 Greenstein Text - 2nd Edition

Before you begin reading Chapter 5 (1st Edition) / Chapter 7 (2nd Edition) in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms".


The online glossary of key terms is at http://www.mhhe.com/business/accounting/greenstein/keyterms.mhtml#five

What is a Risk - definitions (Greenstein, p. 133)

"The probability of harmful consequences, or expected losses (deaths, injuries, property, livelihoods, economic activity disrupted or environment damaged) resulting from interactions between natural or human-induced hazards and vulnerable conditions."
from the United Nations International Strategy for Disaster Reduction, www.unisdr.org/eng/library/lib-terminology-eng%20home.htm

"The potential danger that threatens to harm or destroy an object, event, or person."
the Legal Encyclopedia


What is a Risk - definitions

Risk, as it is used in information security, consists of three basic components:
  • threats, 
  • probability (chances it could happen) 
  • impact (cost) 
"A threat is defined as any event that has the potential to cause harm to the assets of an organization. Vulnerabilities are weaknesses or susceptibilities to particular threats. The vulnerability and threat determine the probability of a threat being realized."
from  www.transactionworld.com/articles/2005/May/compliance1.asp

What is a Risk - definitions

The Risk Equation

Risk = Threat x Vulnerability x Cost ($)
from  www.icharter.org/articles/risk_equation.html

- therefore in order to evaluate and quantify Risk, you need to 

  • ascertain what the threats are, 
  • assess your vulnerability to the threat, 
  • and determine if your company or enterprise has the financial resources to pay for covering those vulnerabilities

What is a Risk - the difference between a Risk and a Threat

Risk
"A threat that exploits a vulnerability that may cause harm to one or more assets"

Threat
"A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service"

Simply put:

  • Threat is the bad thing that can happen
  • Risk is the consequence when that bad thing is very likely to actually happen to you, because you did something, or created something, that made you vulnerable.
    • the quantifying, or measuring, of Risk is directly related to how much you can afford for a Threat to take place
    • if the result of a Threat is "affordable", then there really is no Risk; if a Threat took place and cost you a great deal, then you can describe it as a severe Risk
      • almost everybody drives a car
      • almost everybody worries about the threat of a mechanical breakdown, which is why many people have CAA to deal with the Risk
      • but if your son is a mechanic, and he lives close to you, and you never drive your car more than 10 miles from home, then there really is no risk and you don't need CAA
definitions from  http://securityresponse.symantec.com/avcenter/refa.html

What is a Risk - example
  • threat - it is freezing rain
  • but if you stay inside all day, you have no risk
  • if you go out and drive your car, you have a risk
  • if your tires are bald, you have a vulnerability to the risk
  • if you are very wealthy and can afford to get your car smashed up because you were in an accident because your tires were bald, then you have no vulnerability (except the damage to your body)

What is a Vulnerability

Vulnerability is the chance of success of a particular threat against some asset.

For example, we have a threat of heavy rain.
We have a tented awning in the backyard.
If the rain is expected to be very heavy, and we know the awning is not tied down well, then we have a vulnerability because the threat can successfully act upon the asset and damage it.

If the awning is tied down well, and made of heavy canvas, then there is no vulnerability in a normal heavy rain. If the rain approaches hurricane strength, then we graduate to the level of being vulnerable.


What is a Vulnerability - assessment of the threat happening

The key point in evaluating vulnerability is determining, as closely as possible, the chances of the threat happening. One of the essential points in security management is using information about past incidents and the current environment to properly guesstimate the chances that a threat will, or will not, take place, because it is this guess that determines how seriously you need to take the threat.

Risk Assessment - Costs
http://www.counterpane.com/

In Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World" he explains that

"It's not enough to simply list a bunch of threats, you need to know how much to worry about each of them".
[this is where a threat becomes a risk]

"This is where risk assessment comes in. The basic idea is to take all the threats, estimate the expected loss per incident and the expected number of incidents per year, then calculate the annual loss expectancy (ALE)."
Chpt 19, p. 301


What are Costs

"Cost is the total cost of the impact of a particular threat experienced by a vulnerable target. Hard-dollar costs are measured in terms of "real" damages to hardware or software, as well as quantifiable IT staff time and resources spent repairing these damages. Semi-hard costs might include such things as lost business or transaction time during a period of downtime. Soft costs include such things as lost end user productivity, public relations damage control, a decrease in user or public confidence or lost business opportunities."

from  www.icharter.org/articles/risk_equation.html


What are Costs - evaluating costs

In the case of the awning in the backyard, we can hypothesize the following scenario:
A. the awning costs $200 to replace
B. it would take you 1/2 hour to tie down the awning more firmly, and reinforce the supporting poles
C. you work from home as an IT consultant and bill $150 per hour
D. if you take 1/2 hour of your time to tie down the awning, it might be a reasonable use of your time; if it took more than an hour and a half of your time to deal with this problem, it would not be reasonable. Instead, let the rain come down and take the risk, because you can afford to buy a new awning with the money you made by continuing to do your work
 


Risk Assessment - Evaluating Costs - an I.T. threat
http://www.counterpane.com/

From Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World":

"..if the risk is a network intrusion by hackers looking for something to do, the expected loss per incident might be $10,000 (cost of hiring someone to figure out what happened, restore things to their normal state, etc.) and the number of incidents per year might be three per day, or 1000. This means that the ALE is $10,000,000. (You can see where this is heading. If the ALE is $10M, then buying, installing, and maintaining a firewall for $25,000 a year is a bargain. Buying a $40M super whiz-bang whatever is a waste of money. This analysis implies that both the firewall and the super whiz-bang whatever actually counter the threat. We’ll come back to that point later.)

Some risks have a very low probability of incidence. If the risk is a network intrusion by an industrial competitor out to steal the new design plans, the expected loss per incident might be $10,000,000 but the number of incidents per year might be 0.001: there’s a 0.1% chance of this happening per year. This means that the ALE is $10,000, and a countermeasure costing $25,000 isn’t such a bargain anymore."

Chpt 19, p. 302
permission to quote Bruce Schneier and to quote from his book dealt with in emails June 9th, 2006. Copies of emails kept in the permissions binder.
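The following Python is an added example, not from the course page, Schneier's book or any of the cited sources. It works the page's own figures through the risk equation (Risk = Threat x Vulnerability x Cost), Schneier's ALE method and the backyard-awning cost decision, and applies Schneier's bargain-or-waste test to each countermeasure. The scenario labels, the probability range checks and the "break-even" case are my additions.

```python
# Added example (not from the course page or Schneier's book): works the page's
# own figures through the risk equation and Schneier's ALE method.

def risk(threat: float, vulnerability: float, cost: float) -> float:
    """Risk = Threat x Vulnerability x Cost, as expected annual loss in dollars.
    threat: probability per year that the threat event occurs (0..1)
    vulnerability: probability the event succeeds against the asset (0..1)
    cost: total impact in dollars (hard, semi-hard and soft costs combined)"""
    for name, p in (("threat", threat), ("vulnerability", vulnerability)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1]")
    if cost < 0:
        raise ValueError("cost cannot be negative")
    return round(threat * vulnerability * cost, 2)


def ale(loss_per_incident: float, incidents_per_year: float) -> float:
    """Annual loss expectancy: expected loss per incident x incidents per year."""
    return round(loss_per_incident * incidents_per_year, 2)


def countermeasure_verdict(annual_loss: float, annual_cost: float) -> str:
    """Schneier's test: a countermeasure that costs less than the annual loss it
    prevents is a bargain; one that costs more is a waste. Assumes, as the page
    does, that the countermeasure fully counters the threat."""
    if annual_cost < annual_loss:
        return "bargain"
    if annual_cost == annual_loss:
        return "break-even"
    return "waste"


# The figures quoted on the page: (label, loss per incident, incidents per
# year, annual cost of the proposed countermeasure). Labels are my own.
SCENARIOS = [
    ("casual intruders, $25k/yr firewall", 10_000, 1000, 25_000),
    ("casual intruders, $40M whiz-bang", 10_000, 1000, 40_000_000),
    ("competitor espionage, $25k/yr countermeasure", 10_000_000, 0.001, 25_000),
]


def assess(scenarios=SCENARIOS) -> dict:
    """Map each scenario label to (ALE, verdict)."""
    return {label: (ale(loss, n), countermeasure_verdict(ale(loss, n), cm))
            for label, loss, n, cm in scenarios}


def awning_verdict(hours_spent: float, hourly_rate: float = 150.0,
                   replacement_cost: float = 200.0) -> str:
    """The backyard awning: the countermeasure cost is billable time lost, and
    the page treats the loss as certain, so it is the full replacement cost."""
    return countermeasure_verdict(replacement_cost, hours_spent * hourly_rate)


if __name__ == "__main__":
    for label, (loss, verdict) in assess().items():
        print(f"{label}: ALE ${loss:,.0f} -> {verdict}")
    for hours in (0.5, 1.0, 1.5):
        print(f"awning, {hours}h at $150/h -> {awning_verdict(hours)}")
```

Swapping in your own per-incident loss, incident rate and countermeasure cost reproduces the page's point that the same $25,000 countermeasure can be a bargain against one threat and a waste against another.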


Greenstein, Chpt 5 (1st Edition) / Chpt 7 (2nd Edition)

Overview of Risks Associated with Internet Transactions
  • Internet Associated Risks
    • Risks to Customers
      • False or Malicious Websites (p. 218 2nd Edition)
        • Stealing Visitor's ID's and Passwords
        • Stealing Visitors's Credit Card information
        • "man-in-the-middle" attacks to monitor a Visitor's activity
        • Spying on a Visitor's hard drive
        • Uploading from the Visitor's hard drive
      • Theft of Customer Data
        • from Selling Agents
        • from ISPs
      • Cookies (see special section) p. 220-222   2nd ed.
      • Web Bugs
        • embedded within the HTML code on a page
        • used to track visitor's online movements
        • unlike cookies, cannot be turned off
    • Risks to Selling Agents and Vendors, p. 223   2nd ed.
      • customer impersonation
        • used to obtain product and service without paying
        • used also to create negative publicity situations
      • Denial of service (DoS) Attacks,  p. 224   2nd ed
        • explanation of PINGING a DNS
        • SYN flooding
  • Intranet Associated Risks
    • Sabotage by Employees
    • former employees
    • threats from current employees
    • social engineering
  • B2B Risks
    • risks associated with transactions between business partners
    • Data Interception
  • Archives
    • risks associated with confidentially-maintained archival, master file and reference data
  • Viruses
    • risks associated with viruses and malicious code
      - see our unit  www.witiger.com/ecommerce/viruses.htm
    • trojan horses
    • hoaxes
    • buffer overflows

Principles of Information Security
by Michael Whitman and Herbert Mattord
Chpt 2 The Need for Security

This chapter provides an excellent list of all the types of things that can go wrong with IT security.

WTGR.

A summary of the Threats described in Chpt 2 is listed below

Five groups of "real and present" danger

  • Inadvertent acts (malicious intent is absent)
    • Human error or failure of the product/system to operate
    • Deviations in quality of service by service providers
  • Deliberate acts
    • Competitive Intelligence
    • Industrial Espionage
    • Trespass
      • hacking
    • Information extortion
    • Sabotage and vandalism
    • Theft
    • Software attacks
      • Denial of service (DoS) attacks
      • Virus attacks
        • Trojan Horse
        • Worms
    • Compromises to Intellectual Property
  • Acts of God
    • Forces of Nature
      • Fire
      • Flood
      • Earthquake
      • Lightning
      • Tornado / Hurricane
  • Technical failures
    • Hardware Failures
    • Software Failures
  • Management failures
    • Technological Obsolescence
    • Ignoring SOPs (Standard Operating Procedures)
    • Errors in judgement

We have a CD with the powerpoints for Whitman and Mattord's Principles of Information Security, and the powerpoint for Chpt 2 is available at the link below
www.witiger.com/powerpoints/IT~security/
WTGR.

Chpt 3 Types of Attacks - Frauds

In addition to the resources of the National Consumers League, you can also access the web page of the National Fraud Information Center. The NFIC also has a special section on their web site dealing with Internet Fraud
http://www.fraud.org/
In their own words "Internet Fraud Watch was launched in March of 1996 enabling the NFIC to expand its services to help consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies."

The NFIC web site is very extensive and you should spend time looking at the various links and reading about some of the types of scams and frauds.

They also have an "Internet Tips" page which is simply worded, but useful.

You could earn some class contribution points by thoroughly reviewing this site and picking out some additional information which could be added in to this page.


The National Consumers League (Chpt 3, page 24)
http://www.natlconsumersleague.org/essentials/index.html
It would be very worthwhile for students to spend some time on this site since it has some links and tips that are helpful
