Model-based qualitative risk assessment for availability of IT infrastructures
Abstract
For today’s organisations, having a reliable information system is crucial to safeguard enterprise revenues (think of on-line banking, reservations for e-tickets etc.). Such a system must often offer high guarantees in terms of its availability; in other words, to guarantee business continuity, IT systems can afford very little downtime. Unfortunately, making an assessment of IT availability risks is difficult: incidents affecting the availability of a marginal component of the system may propagate in unexpected ways to other more essential components that functionally depend on them. General-purpose risk assessment (RA) methods do not provide technical solutions to deal with this problem. In this paper we present the qualitative time dependency (QualTD) model and technique, which is meant to be employed together with standard RA methods for the qualitative assessment of availability risks based on the propagation of availability incidents in an IT architecture. The QualTD model is based on our previous quantitative time dependency (TD) model (Zambon et al. in BDIM ’07: Second IEEE/IFIP international workshop on business-driven IT management. IEEE Computer Society Press, pp 75–83, 2007), but provides more flexible modelling capabilities for the target of assessment. Furthermore, the previous model required quantitative data which is often too costly to acquire, whereas QualTD applies only qualitative scales, making it more applicable to industrial practice. We validate our model and technique in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the stakeholders of the system. We also perform a review of the most popular standard RA methods and discuss which type of method can be combined with our technique.
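The propagation problem the abstract describes, as an added illustration that is not the paper's QualTD technique: a constructed, hypothetical architecture in which components functionally depend on one another with a qualitative dependency strength, and an availability incident on one component is carried to every component that transitively depends on it. The directory name `ldap` is a "marginal" dependency of the portal directly, but an essential one through the authentication service, which is exactly the kind of unexpected path the abstract warns about.

```python
"""Toy propagation of availability incidents over functional dependencies.

Constructed example (not the QualTD model from the paper). Impact on a
dependent is capped by the qualitative strength of the dependency edge, and
the strongest impact reachable over any path wins.
"""
from collections import deque

SCALE = ["none", "low", "medium", "high"]   # ordered qualitative scale


def rank(level):
    return SCALE.index(level)


def combine(impact, strength):
    """Impact passed along an edge: the weaker of incident impact and edge strength."""
    return SCALE[min(rank(impact), rank(strength))]


# Hypothetical architecture: component -> {component it depends on: strength}
DEPENDS_ON = {
    "web_portal": {"auth_service": "high", "ldap": "low"},
    "auth_service": {"ldap": "high", "db": "medium"},
    "reporting": {"db": "medium"},
    "ldap": {},
    "db": {},
}


def dependents(arch):
    """Invert the map: component -> {component depending on it: strength}."""
    inv = {c: {} for c in arch}
    for dep, targets in arch.items():
        for target, strength in targets.items():
            inv.setdefault(target, {})[dep] = strength
    return inv


def propagate(arch, source, impact):
    """Return {component: qualitative impact} for an incident on `source`."""
    inv = dependents(arch)
    result = {source: impact}
    queue = deque([source])
    while queue:                       # breadth-first over dependents
        cur = queue.popleft()
        for dep, strength in inv.get(cur, {}).items():
            new = combine(result[cur], strength)
            if rank(new) == 0:
                continue               # edge too weak to carry the incident
            if dep not in result or rank(new) > rank(result[dep]):
                result[dep] = new      # stronger path found: revisit dependents
                queue.append(dep)
    return result
```

Run `propagate(DEPENDS_ON, "ldap", "high")`: the portal's direct low-strength link to the directory would suggest a low impact, but the path through the authentication service raises it to high.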
References
Bagchi, S., Kar, G., Hellerstein, J.: Dependency analysis in distributed systems using fault injection: application to problem determination in an e-commerce environment. In: DSOM ’01: Proceedings of the 2001 International Workshop on Distributed Systems: Operations & Management (2001). http://www.research.ibm.com/PM/DSOM2001_dependency_final.pdf
Baiardi, F., Suin, S., Telmon, C., Pioli, M.: Assessing the risk of an information infrastructure through security dependencies. Crit. Inf. Infrastruct. Secur. 4347, 42–54 (2006)
Bennet, S.P., Kailay, M.P.: An application of qualitative risk analysis to computer security for the commercial sector. In: Eighth Annual Computer Security Applications Conference, pp. 64–73. IEEE Computer Society Press (April 1992). http://ieeexplore.ieee.org/xpls/abs_all.jsp?isnumber=5913&arnumber=228232&count=25&index=15
Brown, A., Kar, G., Keller, A.: An active approach to characterizing dynamic dependencies for problem determination in a distributed application environment. In: IM ’01: IEEE/IFIP International Symposium on Integrated Network Management, pp. 377–390 (2001)
BS 7799-3: Information Security Management Systems. Part 3: Guidelines for Information Security Risk Management (2006)
BSI: BS IEC 61882:2001: Hazard and Operability Studies (HAZOP studies). Application Guide. British Standards Institute (2001)
Cunningham, B., Dykstra, T., Fuller, E., Gatford, C., Gold, A., Hoagberg, M.P., Hubbard, A., Little, C., Manzuik, S., Miles, G., Morgan, C.F., Pfeil, K., Rogers, R., Schack, T., Snedaker, S.: The Best Damn IT Security Management Book Period. Syngress Publishing (November 2007)
den Braber, F., Hogganvik, I., Lund, M.S., Stølen, K., Vraalsen, F.: Model-based security analysis in seven steps—a guided tour to the CORAS method. BT Technol. J. 25(1), 101–117 (2007)
Evangelidis, A., Akomode, J., Taleb-Bendiab, A., Taylor, M.: Risk assessment & success factors for e-government in a UK establishment. In: Electronic Government, vol. 2456/2002, pp. 93–99. Springer, Berlin (2002)
Goseva-Popstojanova, K., Hassan, A., Guedem, A., Abdelmoez, W., Nassar, D.E.M., Ammar, H., Mili, A.: Architectural-level risk analysis using UML. IEEE Trans. Softw. Eng. 29, 946–960 (2003)
Gunter, C.A., Gunter, E.L., Jackson, M.A., Zave, P.: A reference model for requirements and specifications. IEEE Softw. 17(3), 37–43 (2000)
Herrmann, D.S.: Complete Guide to Security and Privacy Metrics. Auerbach Publications, Boston (2007)
Innerhofer-Oberperfler, F., Breu, R.: Using an enterprise architecture for IT risk management. In: ISSA ’06: Proceedings of the Information Security South Africa Conference (2006). http://icsa.cs.up.ac.za/issa/2006/Proceedings/Full/115_Paper.pdf
ISO/IEC 13335:2001: Information Technology—Security Techniques. Guidelines for the Management of IT Security (2001)
ISO/IEC 15408:2006: Common Criteria for Information Technology Security Evaluation (September 2006). http://www.commoncriteriaportal.org/thecc.html
ISO/IEC 17799:2000: Information Security. Code of Practice for Information Security Management (2000)
ISO/IEC 27001:2005: Information Technology. Security Techniques: Information Security Management Systems—Requirements (2005)
ISO/IEC 27002:2005: Information Technology. Security Techniques: Code of Practice for Information Security Management (2005)
Kar, G., Keller, A., Calo, S.: Managing application services over service provider networks: architecture and dependency analysis. In: NOMS ’00: Proceedings of the 7th IEEE/IFIP Network Operations and Management Symposium, pp. 61–75. IEEE Press (2000)
Kim, I.-J., Jung, Y.-J., Park, J.G., Won, D.: A study on security risk modeling over information and communication infrastructure. In: SAM ’04: Proceedings of the International Conference on Security and Management, pp. 249–253. CSREA Press (June 2004)
Lippmann, R.P., Ingols, K.W.: An annotated review of past papers on attack graphs. Technical report, Defense Technical Information Center OAI-PMH Repository (United States) (1998). http://stinet.dtic.mil/oai/oai; http://en.scientificcommons.org/18618950
Morali, A., Zambon, E., Houmb, S.H., Sallhammar, K., Etalle, S.: Extended eTVRA vs. security checklist: experiences in a value-Web. In: ICSE ’09: Proceedings of the 31st IEEE International Conference on Software Engineering. IEEE Computer Society Press (2009)
Muntz, R.R., de Souza e Silva, E., Goyal, A.: Bounding availability of repairable computer systems. SIGMETRICS Perform. Eval. Rev. 17(1), 29–38 (1989)
Pawson, R., Tilley, N.: Realistic Evaluation. Sage Publications, Beverly Hills (1997)
Rossebo, J.E.Y., Cadzow, S., Sijben, P.: eTVRA, a threat, vulnerability and risk assessment method and tool for eEurope. In: ARES ’07: Second International Conference on Availability, Reliability and Security, pp. 925–933. IEEE Computer Society Press (April 2007). http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4159893
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE Symposium on Security and Privacy, p. 273 (2002)
Stoneburner, G., Goguen, A., Feringa, A.: NIST SP 800-30: Risk Management Guide for Information Technology Systems. Technical report, National Institute of Standards and Technology (NIST) (2002)
Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F.: Fault Tree Handbook. Technical report NUREG-0492, US Nuclear Regulatory Commission (1981)
Wieringa, R.J., Heerkens, J.M.G.: Designing requirements engineering research. In: CERE ’07: Workshop on Comparative Evaluation in Requirements Engineering, pp. 36–48. IEEE Computer Society Press (October 2007). http://eprints.eemcs.utwente.nl/13002/
Wieringa, R.J., Maiden, N., Mead, N., Rolland, C.: Requirements engineering paper classification and evaluation criteria: a proposal and a discussion. Requir. Eng. J. 11, 102–107 (2006)
Zambon, E., Bolzoni, D., Etalle, S., Salvato, M.: Model-based mitigation of availability risks. In: BDIM ’07: Second IEEE/IFIP International Workshop on Business-Driven IT Management, Munich, pp. 75–83. IEEE Computer Society Press (May 2007)
Alberts, C.J., Dorofee, A.J.: OCTAVE Criteria. Technical report ESC-TR-2001-016, Carnegie Mellon University, Software Engineering Institute (December 2001). http://www.cert.org/octave/
AS/NZS 4360:2004: Risk Management (October 2004). http://www.riskmanagement.com.au/
Cisco Systems: Cisco 2007 Annual Security Report (2007). http://www.cisco.com/web/about/security/cspo/docs/Cisco2007Annual_Security_Report.pdf
CobiT 4.1: Control Objectives for Information and Related Technology (2007). http://www.isaca.org
CRAMM v5.1: Information Security Toolkit (2009). http://www.cramm.com
Deladrière, A., Morrison, M.: The risk management challenge (March 2008). http://www.bankingfinance.be/40915/default.aspx
EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité. Section 2: Approach (2004). http://www.ssi.gouv.fr/en/
ENISA: Risk Management: Implementation Principles and Inventories for Risk Management/Risk Assessment Methods and Tools. Technical report, European Network and Information Security Agency (ENISA) (June 2006). http://www.enisa.europa.eu/rmra/rm_home.html
BSI Standard 100-1: Information Security Management Systems (ISMS) (2005). http://www.bsi.de/english/gshb/
McAfee: In the Crossfire—Critical Infrastructure in the Age of Cyber War (2010). http://resources.mcafee.com/content/NACIPReport
MEHARI 2007: Risk Analysis Guide (April 2007). http://www.clusif.asso.fr/en/clusif/present/
NIST: National Vulnerability Database (2009). http://nvd.nist.gov/
PricewaterhouseCoopers: BERR Information Security Breaches Survey 2008 (2008). http://www.pwc.co.uk/pdf/BERR_ISBS_2008(sml).pdf
Sarbanes-Oxley Act of 2002 (2002). http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.tst.pdf