
Web Based Open Risk Assessment Framework & Decision Support Tool

Madhan Raj Ramachandran Supervised by Dr. Peter Richard Burnap

MSc Information Security & Privacy School of Computer Science and Informatics, Cardiff University September 2012

DECLARATION This work has not previously been accepted in substance for any degree and is not concurrently submitted in candidature for any degree. Signed . (candidate) Date

STATEMENT 1 This dissertation is being submitted in partial fulfilment of the requirements for the degree of MSc Signed . (candidate) Date

STATEMENT 2 This dissertation is the result of my own independent work/investigation, except where otherwise stated. Other sources are acknowledged by footnotes giving explicit references. A Bibliography is appended. Signed . (candidate) Date

STATEMENT 3 I confirm that the electronic copy is identical to the bound copy of the dissertation Signed . (candidate) Date

STATEMENT 4 I hereby give consent for my dissertation, if accepted, to be available for photocopying and for interlibrary loan, and for the title and summary to be made available to outside organisations. Signed . (candidate) Date

STATEMENT 5 - BAR ON ACCESS APPROVED I hereby give consent for my dissertation, if accepted, to be available for photocopying and for interlibrary loans after expiry of a bar on access approved by the Graduate Development Committee. Signed . (candidate) Date

ii

Table of Contents

Chapter 1
1.1 Introduction .......... 2
1.2 Motivation .......... 3
1.3 Aim of the Project .......... 4
1.4 Project Idea Canvas .......... 5
1.5 Arrangement of Report .......... 6

Chapter 2
2.1 Defining the Problem .......... 8
2.2 Current RM & ISMS practices: Nature, challenge & Misconceptions .......... 8
2.2.1 Current Practices .......... 8
2.2.2 Challenges & Flaws with Current ISMS .......... 14
2.2.3 Misconceptions .......... 16

Chapter 3
3.1 Literature Review .......... 18
3.2 Concept of Information Sharing .......... 19
3.3 Key Concerns .......... 21

Chapter 4
4.1 Approach & development methodology .......... 23
4.2 The ORAF Risk Assessment Model .......... 24
4.3 Comparing WARP to ORAF .......... 27
4.4 RA data stripping & anonymization algorithm .......... 30
4.4.1 Stripping technique .......... 31
4.4.2 Anonymizing RA data by K-anonymity for trend realization .......... 32
4.4.2a Justification for using K-anon .......... 37
4.4.2b Limitation to k-anon .......... 37
4.4.2c Addressing the K-anon limitation .......... 38
4.5 Summary .......... 38

Chapter 5
5.1 Design Specification .......... 40
5.2 ORAF business Requirements .......... 40
5.3 Top level Use Case Design .......... 41
5.3.1 Use Case Specification .......... 45
5.4 Activity Diagram .......... 50
5.5 Sequence Diagram .......... 52
5.6 Mockup of ORAF framework .......... 56

Chapter 6
6.1 Case Scenario Validation .......... 68
6.2 How ORAF could have helped .......... 71

Chapter 7
7.1 Reflective Conclusion .......... 73
7.2 Contributions .......... 76
7.3 Limitation & Future Work .......... 77

References

Appendix A1 - ISO 27001 compliant Risk Assessment Template

Acknowledgements

Firstly, I would like to pay homage to my God, Lord Shiva, to whom I owe my life, and to my late Grandfather, Advocate K.V.Rakkan, who is the source of my inspiration and persistence. I miss you. To my Dad, Mr.K.Ramachandran, who was ever supportive throughout my life and ensured I was on the right path. To my Mom, Mrs.R.Rani, who reminded me of my duty each day with love and care. To my little brother, Vinod, who cares for me like an elder brother. I would like to thank my Supervisor Dr. Peter Burnap for his guidance throughout the period of this dissertation. Thank you for bearing my endless amount of long emails and early morning Skype calls even when you were off duty. My heartfelt thanks to every single staff member who handled lectures during my Masters; you guys rock! The amount of time we spent discussing and learning was truly valuable. You made us feel at home, especially Ms.Wendy. Thank you for those bakes and cakes! Last but not least, to dear Sneha Desai, who kept me motivated and made me feel I'm the best. "Thank you" is such a small word for your love and care. Dedicated to all friends and family. To Cardiff, my second home.

List of Abbreviations used in the dissertation

API - Application Programming Interface
CSS - Cross Site Scripting
HIPAA - Health Insurance Portability and Accountability Act
HUD - Heads-Up Display
IEC - International European Council
IS - Information Security
ISMS - Information Security Management System
ORAF - Open Risk Assessment Framework
RA - Risk Assessment
RBN - Russian Business Network
RM - Risk Management
RWT - Real World Threats
SME - Subject Matter Expert
UML - Unified Modeling Language
WARP - Warning, Advice & Reporting Points

Glossary of terms

Assets - Could be a tangible physical property or data
Control - Mitigation measures used to address a risk
Cognitive bias - A pre-clouded judgment or preconceived inclination
System - A collection of complex processes
Lazy urge - The desire to merely copy a control measure without prior assessment or validating it
Spearheading - A focused or targeted attack by threat sources
Territory - Spread of network, NOT the geographic territory

ABSTRACT
Although successful Risk Assessment (RA) methodologies have been developed over the years to model complex systems, conventional Risk Management (RM) techniques are outdated, increasingly becoming daunting and complex, with a steep decline in the ability to mitigate emerging or unknown threats. Much of the RA conducted within an organization is based on an individual's perception of risk, and most controls are implemented with doubt and uncertainty since prediction is inherently hard. Typical RA reports are treated as classified and are self-contained within organizations, as they believe that sharing them could potentially compromise their security leverage against Real World Threats (RWT) or competing organizations. A clear case of clouded uncertainty exists when assigning tolerance indicators and risk metrics, leading to bad decision making among managerial authority, which we shall refer to as cognitive bias. An ill-informed RM strategy could cost the organization dearly. The problem is complex; however, the solution need not be. This work aims to make Risk Management more approachable and standardized by suggesting a framework following the ISO 27001 methodology where anonymized RA reports (privacy preservation of public data achieved by K-anonymity) can be shared among various organizations grouped across industry sectors, to enable mutual and collaborative defense against cyber crime and facilitate informed decisions about true security risks without the fear of specific privacy disclosure. This could potentially help managerial authority make efficient decisions that can be validated, and focus on improving security controls within the organization while worrying less about ballparking the likelihood of probable risk, its risk factors and flawed estimates.

Chapter 1
This chapter presents a brief introduction to the project, the motivation behind it, its aim and scope, and concludes with an outline of the report's arrangement. There is also a project canvas intended to illustrate the concepts of the framework.

1.1. Introduction
Day by day, businesses around the world are becoming increasingly dependent on technology, using the Internet to stay connected and to access electronic information and data resources across the globe over organizational networks. Almost every aspect of our day-to-day lifestyle depends on technology: we look to it to communicate with peers across the globe, share ideas, and reduce barriers to trade. With our increasing dependence on cyberspace come risks which could exploit vulnerabilities in our networks, compromising or damaging the key data and systems on which businesses thrive (cabinet office 2011), and which could pose a major threat to the survivability of the organization. These risks may arise intentionally or unintentionally and, in the worst case, unexpectedly. A good Risk Management process involves assessing the risks caused by these threats and vulnerabilities along one of the available Information Security Management Systems (ISMS), such as ISO 27001, and recommending controls (mitigation measures) and best practices. A proper risk management policy covering an organization has the potential not only to prepare it for an event but also to measure and control the magnitude of its impact (Stanleigh 2010). Over the years, various ISMS and Risk Assessment (RA) methodologies have been developed, e.g. ISO 27001, CRAMM, Ebios and Octave to name a few, to model complex organizational systems and control possible risks. Although these ISMS methodologies have done a good job of assessing and reporting risks and implementing safety controls, controversially, these risk management processes are simply outdated. As Kearney P puts it, "security is fundamentally about manipulating relevant categories of operational risk, with controls being applied or removed to decrease or increase the likelihood and impact of undesirable events. Unfortunately, both the assessment of risk and the prediction of the effects of controls are fraught with difficulties" (SecureThinking 2012). Most RA methodologies use a rating system where an expert risk analyst assigns impact and likelihood ratings on a 0-3 or 0-7 point scale (vRisk ISO 27001). Common risks are easier to mitigate than unknown or emerging threats (Schneier 2011), and people are quite bad at estimating risk and making decisions. Although the RA methodologies by themselves cannot be claimed to be flawed, current organizational practices are quite outdated and lack severely in terms of effective risk control.

1.2. Motivation
A survey by PWC (Pricewaterhousecoopers 2010) shows that over 77% of respondents gave very high priority to information security, yet over 92% faced a security incident, with an average of 280k-690k GBP in financial and asset losses annually. The technical report also shows that 82% of the participating large-scale organizations had Security Risk Assessments by the book in place, as did 75% of all small-scale organizations. Yet the scale of financial losses being reported seems humongous in spite of such deliberate measures. This leads us to think there is something at fault here. Although the ISO 27001 ISMS by itself cannot be criticized, the procedures listed are quite objective in type, with preset solutions in place (vRisk ISO 27001). This is indeed effective in mitigating known risks, to an extent, yet fails when faced with the challenge of unknown or newly emerging threats. "If it (a security incident) hasn't happened, we have no data and no rigorous basis for identifying all the events," says Slater D (2012). The cyber criminals who constantly look for new vulnerabilities to exploit are known to work in teams or collaborate over underground networks to exploit their target. D33Ds (citation masked by request), a group of elite black hat hackers who published over 450,000 clear-text Yahoo! Voice (www.voice.yahoo.com) passwords recently (July 2012), agreed to provide insights to this project. They state that most hackers do sell or share their hacks and discovered vulnerabilities with other hackers in their network, and that the reason they are a step ahead is that "most companies are compromised even before they get a chance to realize that they could be harboring some sort of threat or risk (0-day) within their systems". A zero-day occurs when a threat or attack exploits a previously unknown vulnerability; there are generally zero days of awareness, leaving little or no time for the developers to patch the flaw (Cohen 2012). One of the largest and best organized mafia counterparts of the online world is the Russian Business Network (RBN), who have a reputation for carrying out organized cybercrime on foreign soil (Coldman 2011). They are a highly respected group of cyber criminals among hacktivists worldwide and "they are incredibly persistent", according to Granado J. of Ernst & Young security. The RBN, the biggest and baddest of all, has branch operations in multiple parts of the world, similar to a multinational corporation, and accepts out-sourced hacking commissions from its clients. The preceding set of facts leads us to conclude that cyber criminals indeed work collaboratively when the occasion calls for it, whereas organizations are quite secretive about their efforts towards information security, their risk assessments and the vulnerabilities they discover. Craig Wright S, Exec President, Centre for Strategic Cyberspace Security Science (CSCSS) (http://www.cscss.org/) comments: "A damn good question (why RA reports are not shared) and one that should be addressed. Fear of disclosure for the most part, but the end is hiding the reality of what we are doing and helping the hackers many times." The UK Cyber Security Strategy (cabinet office 2011) intends to nurture a safe haven, where it aims to tackle cyber crime and make the UK one of the safest places to do business in cyberspace. In order for this vision to be realized, organizations must realize the importance of treating information security as a collaborative effort, with every security incident being reported and documented, and controls shared with others who may face the same vulnerability.

1.3. Aim of the Project


Current RA approaches tend to be divided into statistical and heuristic (based on the experience or personal judgment of an SME) approaches, which work quite well for major organizations yet cannot be termed fault-free, since people are inherently bad at estimating risks. Often High Frequency Low Impact (HF-LI) events are assigned the same risk level as a High Impact Low (or rare) Frequency (HI-LF) event, which is clearly not the right way to deal with a risk, argues Kearney P (SecureThinking 2012). The aim of this project is to design and potentially develop a framework for a trusted collaborative environment where organizations can develop and record risk assessments based on ISO 27001, the most popular RA methodology, and share anonymized versions of their RA reports and timely information on the most recent attacks or threats, to collaboratively defend themselves against cyber threats and procure help in better decision making by adopting the "wisdom of the crowds" approach. As Niels Bohr says, prediction is inherently difficult, especially if it is about the future, yet a collaborative approach where numerous heads share and contribute opinions and expert advice with the sole aim of better defense could improve the efficiency of prediction and informed decision-making capabilities. This project based its research on ISO 27001 among other standards because it is widely advocated by practitioners globally and has consistently received positive recognition (Siponen and Willison 2009). Owing to the privacy concerns of organizations, the project proposes the use of the K-anonymity anonymization algorithm to mask identifying elements or quasi-identifiers in the RA reports, maintaining confidentiality yet a fair level of transparency to participating entities. The framework also extends to a decision support tool wherein it tries to address the knowledge gap and cognitive bias that clouds most decision makers by employing the knowledge of the crowds.

1.4. Project Idea Canvas:


A simple visual message map has been shown below to highlight the key functionality of the proposed framework.

Fig.1.4 - ORAF Project canvas

1.5. Arrangement of the Report:


This work is organized as follows. Chapter 1 gives a brief introduction to the research, the motivation, the aims and a visual canvas of the project. Chapter 2 defines the problem with case examples and elucidates the challenges and misconceptions with current ISMS and the inability to validate controls; also shown is the difficulty of aligning technical assessment with business terms. Chapter 3 carries out a literature review and shows how different researchers in the past, although few, challenged the outdated RA process and suggested innovations; the chapter also shows the key concerns that have continually suppressed such efforts. In chapter 4 we propose an RM usage model aligned with the ISO 27001 PDCA cycle and critically compare WARP to ORAF. We also propose anonymization techniques to overcome the key concerns, demonstrated with relevant examples. Chapter 5 gives the UML design specification of the ORAF framework. We have also made a wireframe mockup of ORAF envisioning the web application and its decision support capabilities, proposed along with the hypothesis on guided probability and validation of decision making through the knowledge of crowds. Chapter 6 shows a small example scenario where ORAF could potentially ease RA and validation. The last chapter concludes with a reflective report on the subject matter learned, with scope for future work.

Chapter 2

2.1 Defining the problem

In order to fully realize the purpose of this project, it is necessary to gain an insight into current industry-standard IS practices, their effects and possible pitfalls. In this chapter we first outline some background information on ISO 27001, discussing why traditional ISMS practices are not a failsafe road to security. We shall also observe the potential weaknesses of this universally accepted approach. This part of the chapter forms the basis for why there is a need for an alternative approach, i.e. a collaborative RM methodology. It is to be noted that the ISO/IEC 27001 ISMS has long stood as the most widely adopted RM process worldwide and our motive was never to belittle it; although, as with any research, all processes and theories need to be challenged and reviewed with a motive to find simpler alternatives, which was a strong driving force behind the following argument.

2.2 The current RM & ISMS practice: Nature, Challenges & misconceptions

2.2.1 Current Practices

It has been recognized that a sound RA is mandatory for effective ISMS control within an organization. Ideal risk assessment (RA) and risk management (RM) practices have always involved identifying and assessing organizational assets, recognizing threats (internal and external) and probable vulnerabilities, prioritizing the risks based on an impact rating index, and formulating strategic decisions on minimizing and controlling these risks, followed by a continual monitoring process. Several RM methodologies have been developed to adhere to these established standards; within the scope of this research work, the aforementioned methodology can be closely related to the ISO/IEC 27001 ISMS and the Plan-Do-Check-Act (PDCA) model which is applied to structure all of its processes.

Figure2.2 - PDCA model of ISO 27001 (Source: BSI ISO/IEC 27001:2005)

The figure above shows the PDCA process approach recommended by the ISO 27001 standards organization for ISMS. Exhaustive content explaining in detail all the stages of a PDCA model can be found in the ISO 27001:2005 documentation, the Information Technology Security Techniques Information Security Management Requirements report from the BSI. The following provides an abridged overview of the PDCA cycle:

a. Plan (Establish the ISMS): In this phase of the ISMS process, the organization willing to incorporate an ISMS process must first define a scope, followed by an ISMS policy relevant to the organization itself, taking into account all legal and regulatory obligations as approved by the management. It is in this phase that the assets of the organization, as defined by the ISMS scope boundary, are identified, followed by recognizing probable threats, the vulnerabilities that might be exploited by those threats and relative impact ratings. The risks are treated by identifying controls or measures that can be used to counterweigh the identified risks.

b. Do (Implement and operate the ISMS): This phase involves the actual implementation of control measures once approved by the management.

c. Check (Monitor and review the ISMS): Here, ISO 27001 recommends that the organization must assess the performance of the risk treatment controls in place against the pre-defined scope and policy, and that the reports be made available to interested parties within the organization, including the management.

d. Act (Maintain and improve the ISMS): The final phase recommends that there be continual monitoring of the ISMS in place, taking corrective or preventive measures based on a variety of rigorous audit sources.

These methods were intended to be followed in order to secure an IS certification. By adopting such authoritative guidance on ISMS, organizations hope to demonstrate their compliance with security standards of business culture and practice, with an aim to get certification or accreditation by international standards. Although this standardized approach to ISMS initiates a tipping point for organizations that have ill-configured or disjoint security management and risk controls, in reality "the ISO 27001 is merely a framework and nothing more" (Wright 2012).

Although risk assessment methodologies are quite complex in nature, their actual roots are a routine in everyday life, sometimes without us being aware that we are doing so. The simple case of crossing a road could be taken as a familiar example in this context. However, unlike our daily routines, the organization is a complex system; a mere estimate of risk impacts will not suffice, and almost every possible threat source, vulnerability and associated risk needs to be identified.


In practice, most risk assessments can be roughly categorized into two basic approaches (Sims 2012):

a. Qualitative assessment
b. Quantitative assessment

A qualitative assessment approach is preferred when there is a lack of sufficient data (likelihood or costs, for instance); risks are defined in a subjective manner, categorized into low, medium or high (Tregear 2001), and are most likely to depend on the individual risk analyst's expertise and judgment relative to the organization. This is a good approach as it overcomes the challenge of calculating accurate figures for each of the risk elements; however, business organizations, especially in industries where finance or accounting are the focus, prefer numbers and statistics to qualitative analysis. A quantitative approach, on the other hand, appeals to a wider audience and is the most frequently used method of risk analysis (Burnap 2009). It involves defining a scope stating the assets to be protected, their potential vulnerabilities and the likelihood of threat sources exploiting those vulnerabilities. Along with outage costs (an estimate of the loss suffered), these statistical elements are combined to form a single figure (Tregear 2001) called the Annual Loss Expectancy (ALE), which is used to theoretically rank prioritized risks based on their impact rating index. Although numerous scientific risk formulae exist, perhaps the most widely used formula for risk quantification is obtained by taking the product of two variables, the probability of occurrence (P) and the impact of the event (I), to produce the risk magnitude:

R = P x I

The risk magnitude R is usually taken on a scale of 0-9, with P and I assumed on a 0-3 scale. For instance, let us apply the calculation to a case scenario to understand the RA practice.


Case 1

A large organization conducts penetration testing via a trusted third-party consultancy and has identified that one of its databases is vulnerable to SQL injection, a well-known database vulnerability that allows unauthorized agents to gain read/write/modify access to the underlying system. On-line Transaction Processing (OLTP) services are highly likely (OWASP 2006) to be impacted by this vulnerability. The organization patched the security hole and a new RA was carried out, listing the risk impact scale as follows. For the SQL injection attack, P could be assigned a value of 3, and the impact rating could be anywhere from 0 to 3, since the potential losses greatly depend on the threat agent: present-day SQL injection attacks can be carried out via automated tools, and a mere script kiddie (a hacker newbie) is capable of wreaking havoc without his own awareness. Yet, based on the professional experience of the risk analyst, the organization assigns a value of 2 to the impact scale. As per the formula R = P x I, we have R = 3 x 2, meaning R = 6, placing it high up the prioritized risk magnitude scale of 9, and mitigation controls are set in place.

Case 2

A large organization is unaware of a potential new 0-day vulnerability that lurks in one of its backbone applications due to a code flaw. This is a highly rare risk, yet the impact can be extreme enough to bring the organization to its knees. No prior statistical data exists to back up and support informed decisions. The expert assigns the probability P as 0.5 and the impact rating as 3, the highest magnitude. We urge recalling the cognitive bias here. In this case R = 0.5 x 3, giving us a rating index of 1.5 which, according to ALE, gets pushed down the list on our prioritized risk scale of 0-9. Now we might want to ask ourselves: is this intellectually the right way to categorize the risk? Does it make sense to put a high-impact risk down the scale just because the number had a lower value? What risks are we deliberately putting ourselves into by taking such an action?


Although business units are rather fond of numbers and statistics over names (Sims 2012), using inconsistent values or estimates could prove unhealthy to the organization. Let us take yet another formula widely used for calculating or prioritizing risks:

Risk Priority = Threat x Vulnerability

We know that most IS experts plug in numbers, say threat = 8 and vulnerability = 5, based on personal experience, which yields a priority rating of 50 (Risk Priority = 8 x 5 = 50). Formulating such calculations gives them an index where, let us say, all risks exceeding the 50-point threshold shall be given immediate priority, and the rest are placed down the scale. What if, let us say, someone assigns a value of 0 to a perceived threat, but recognizes the vulnerability to be 10? One could argue, why a value of 0 for a threat? Simply because we might not have prior information that such a threat could even exist for that asset. As we know from basic math, any number multiplied by zero is 0! Again, we have an error, where a risk that could potentially bring an organization to its knees would still get pushed down the priority list just because of this number theory. Let us take a geographic location X where our datacenter could be placed; we know for sure that this territory has not experienced an earthquake for the last 100 years, and based on that experience we assign zero threat from natural disaster to our asset, yet, taking into consideration the budget cost, we overlook the option of installing earthquake countermeasures. This leaves the datacenter vulnerable to a threat that does not exist at this point in time, and should the test of time shift tectonic plates and cause an earthquake, our number theory has failed. Risk assessment needs to be a logical model rather than merely a matter of taking decisions on a formula-based system (Eli 2010).


2.2.2 Challenges & Flaws with current ISMS practices:


We need to realize that risk management is simply a practice of systematically deriving best practices and cost-effective approaches to minimize threats to an organization's assets. The current ISMS in place have a number of shortcomings that need to be addressed. First, ISO 27001 has been designed as a generalized standard and is not exactly tailored to suit specific organizations. This is a serious flaw in cases where organizations implement an ISMS for the very first time without proper guidance and could invariably end up with an overall flawed ISMS, since an organization is a complex system and no two organizations are the same even if their industry focus is from the same background. Secondly, the ISMS guidelines have not been validated but fostered by common industry practices, which could often be an unsound basis for an international standard (Siponen and Willison 2009). The controls stated in ISO/IEC 27001 are too authoritative and curb the openness or flexibility to identify potentially new or unknown threats. When using the quantitative approach to risk assessment, calculating the probability of occurrence and related outage costs is quite difficult since there is a severe lack of consistent data. Jonathan T, senior consultant from Insight Consulting (Tregear 2001), says in his Information Security Technical Report that calculating the costs involved due to loss is a time-consuming activity and often delays the development plan by months until the management has finalized it, and yet the finalized cost figures are often variable and subject to constant change with the changing business environment. Mathematically, probability always lies between 0 and 1, and calculating the probability of occurrence with respect to a threat source is very difficult as it is often a subjective conclusion and is open to disagreement or debate. There is very little reliable past data from which such predictions can be made, simply because most organizations stay quite secretive about their RM process owing to privacy and reputation concerns. It is extremely difficult to create a mathematical model that would predict an attacker's actions without sufficient past data (Stewart 2004). There is confusion between prediction based on probability (measurable risk) and pure uncertainty, a point where we do not know the probability or at least lack credible sources to ballpark it. Refer to the case examples in the previous section, where Case 1 and Case 2 had RA performed with controls placed on the risk index scale. Such naive reliance on ALE as a definition of risk leads to high-impact events being listed down the prioritized mitigation scale, or to assigning the same level of priority to HF-LI and LF-HI events, which again is a faulty decision due to cognitive bias. This being said for low or rare frequency events, how do we ensure that we are not living with a false sense of security? "The feeling of security and the reality of security don't always match": the security mirage (Schneier 2011). If an event has never happened, we have no rigorous data nor a basis for identifying and addressing the threat (Slater 2012). Though ISO 27001 is a rigid and authoritative ISMS with strict standards for certification, it surprisingly seems to have been over-simplified to the point where the assessment seems like a multiple-choice or checklist questionnaire for raising awareness. Although this is forgiving on most quantifiable cases, it sacrifices the more rigorous analysis of new risk disciplines (Slater 2012). Unarguably, there are quite a number of sophisticated RA tools, such as VsRisk from Vigilant Software (http://www.vigilantsoftware.co.uk/), which is ISO 27001 compliant and boasts of being an easy-to-use RA tool with comprehensive sections for quickly conducting risk exercises and a host of other features; yet this tool still would not replace the knowledge and skill of a risk analyst (Tregear 2001). And this situation worsens if there is a knowledge risk, where the risk assessment expert lacks exposure to or knowledge of the uncertain risk. There is a lack of observation of the world: the fundamental difficulty in RA is how we determine the rate of occurrence of an event if it has never surfaced before. There are 100% probability events which could be ignored due to lack of knowledge. A traditionally plaguing inconvenience is what we shall refer to as the "Technologist vs Business Personnel" warfare, where there is inconsistency and difficulty in expressing a complex IS technical assessment alongside business orientation, and this is extremely important since ultimately it is the manager's decision to comprehend the data and approve mitigation controls.


Fig 2.2 - RA report requirement

We need a way to align technical assessments in terms of business concepts, since risk usually translates to loss of business. The impact may be direct or indirect; for instance, in the medical industry, compromise of sensitive patient information does NOT bring a direct impact and loss of business to the organization, yet, since confidential customer information has been breached and the HIPAA data privacy rule violated, the organization is liable to be sued for a substantial amount of money, which will impact normal business. A way to address such complications between technical issues and legal issues needs to be identified.

2.2.3 Misconceptions
First, Organizations need to realize that being ISO 27001 certified does NOT necessarily mean they are secure! There is always something vulnerable or at fault, especially if the system has a human element involved. Any disagreement on this fact can be nullified by having a look at the bigger picture: although over 82% of large Organizations (>250 staff) had carried out regular risk assessments, over 62% of them had faced a serious security incident (Pricewaterhousecoopers 2010).

ISO 27001 is a management standard and not necessarily a security standard, as pointed out by Price D. (Security & Investigations, UK. 2011). The current ISO 27001 practices are seemingly outdated (SecureThinking 2012), rigid and not sustainable, nor can they be validated for each individual Organization. The risk controls are seldom clouded with fear, uncertainty and doubt (Stewart 2004). On risk perception & direction, Stewart (Stewart 2004) agrees that in reality it is difficult, perhaps impossible, to calculate a real risk for an asset, as the true weight of a risk is a combination of multiple factors, many of which are subjective. In the end, we security professionals are all just guessing risks. A better realization of existing ISMS practices reveals that security incidents or events occur at immense speed in cyberspace, with which current control measures can barely keep up. The current ways of managing risks are unable to cope with the changing, dynamic & complex environment, pressurizing us to invent alternative programs for handling the same (cabinet office 2011).


Chapter 3

3.1 Literature Review


In this Chapter, we analyze previously existing work relevant to our project. Seminal and recent works relevant to collaborative RA strategies have been critically reviewed and discussed. We also try to show a collaborative approach to RA addressing the issues with current ISMS practices as discussed in the previous chapter. At the time of writing, very little research work relevant to our project surfaced. Rather than start abruptly with a list of relevant works, we believe that it makes more sense to acknowledge the role that the papers played in evolving IS, with an innovative effort to address the current ISMS plague. So far we have discussed that the biggest challenge to effective risk management has been a potentially flawed decision clouded with fear, uncertainty and doubt, where there is a considerable amount of hindrance in deriving risk factors due to lack of consistent or reliable data.

In (Coles-Kemp 2009), the author says that Information Security Management has increasingly become a research challenge. The author points out that there exists a greater chance of annihilation if an ISMS is designed with a faulty or wrong type of security management decision. This could effectively impair the perception of validity that a security management structure exhibits within the organization. Although the (Coles-Kemp 2009) information security technical report does not directly propose an alternative methodology to address the pitfalls of current ISMS systems, it lucidly elucidates the challenges in Information Security management and shows that, despite being a major field that demands attention, there has been comparatively little progress or development, as supported by the works of researchers such as (Siponen and Willison 2009) and (Dhillon 1997).


3.2 The concept of Information Sharing


The (Homeland Security 2011) report recognizes that there is a need for a transparent security process, and that adherence to the "Need to share" and "Responsibility to provide" collaboration principles would foster an efficient Cyber Security process. They show that effective mitigation of cyber risks greatly depends on broad awareness of risks and costs to enable informed decision-making capabilities. This statement reinforces our argument that a collaborative approach to risk assessment potentially increases awareness and mitigates uncertainty and doubt in decision-making phases. This (Homeland Security 2011) report gives an exhaustive set of proposals that focus on free flow of information across Organizations & a distributed security innovation for a safer cyberspace, which coincides with our project motive.

The systems risk journal (Welke 1998) shows how IS decision authority managers have been naive and ignored the issues and challenges posed by the growing threat. From their study, (Welke 1998) seem to have identified that:
a. Managers are aware of only a fraction of the full spectrum of actions that need to be taken to reduce systems risk.
b. Managers exposed to theory-grounded security planning techniques will be inclined to employ these in their planning process.
Their work elucidates how lack of IS statistical data affects effective controls and suggests a theory-based security program to address these issues as follows:
a. Using a security risk planning model (derived from Simon 1960)
b. Training & awareness program
c. Countermeasure Matrix analysis
In our point of view, the security risk planning model is quite straightforward and similar to the current ISMS guidelines of the PDCA model. Although the Training & awareness program is a good enough strategy to impart knowledge to managers, it still does not compensate for the plaguing knowledge gap of reliable information or data sources. On the other hand, (Welke 1998) suggests use of Countermeasure Matrix Analysis (CMA) as a means of evaluating the overall effectiveness of security controls in place. This is an interesting measure to maintain the integrity of Welke's security countermeasures: Deterrence, Prevention, Detection, and Remedy. Within an Organization, when users need to be granted privileged access, it employs multifactor authorization by the use of PINs. The cells of the CMA enable the managers to compare the effect of the proposed control solution to the security countermeasure factors. Use of PINs is argued to control access and meet the goal of deterrence since they allow IS officers to trace back the perpetrator; however, in our view, this has a limited scope when it comes to addressing ISMS issues simply because all of these measures can be bypassed effectively.

The authors (Elsinger et al. 2003) take a novel approach to risk assessment. Rather than looking at banks individually, they argue that there exists a correlation in banks' asset portfolios and that it is efficient to analyze risk at the level of the banking system as a whole. Although their original study was NOT on Information Security based risks but rather credit market risk analysis, their strategy of combining overall bank data to estimate risk for individual banks draws attention to the fact that our proposal follows a similar approach of taking in the wisdom of the crowds to predict threats to assets.

In the (Mandrik 2005) risk aversion strategy, they explore the concept & measurement of risk in general as opposed to domain-specific constructs. They realize that there are problems with the current measurement approaches and that decisions suffer what they call the "Choice Dilemma", where deficiencies exist in choices being made towards risk since each individual has his own perception of risk. The author (Mandrik 2005) emphasizes "risky shift", where people in groups tend to take risk decisions differently from when alone and are likely to make riskier decisions. Although a good read on decisions & risks, their paper lacks sufficient data to be validated against the Information Security domain.

The work of (Ozkan and Karabacak 2010) states that ISO 27001 does not recommend any specific risk analysis method but merely guides the mandatory process required for a systematic approach. They show the initial challenges an Organization faces when defining the scope of its ISMS. Their argument closely follows our argument against the current ISMS practices: without credible data, decision making could be flawed or inconsistent, and if the risk analysis is not performed properly, the selection of countermeasures could also fail. They propose a solution of collaborative risk assessment within the organization (between departments), i.e. ensuring that all employees are brought in as a part of the RA process. Since ISO 27001 originally had no specific guidelines on the actual RA method, (Ozkan and Karabacak 2010) suggest a systemic approach by replacing the PDCA process with "Scope and determination of modeling of the process", enabling the PDCA to implement itself among processes.

A similar idea on a collaborative RM approach was from (Dyadem 2012), a recent innovation that proposes centralizing and sharing risk assessment data, categorized in databases, across different departments within an Organization. This is similar to, yet very different from, our work, which proposes sharing anonymized RA data and security elements with mutually participating Organizations; the report's motive nevertheless overlaps with our project ORAF, as they justify their product as the "Next level of RA processes" with a belief that sharing information allows better insight on events and empowers individuals with knowledge and corporate best practices.

3.3 Key Concerns


Although preliminary research during the initial stages revealed that corporate sectors are quite paranoid & conservative about sharing RA related data, such a serious lack of relevant work paved the way for some deeper research on why collaborative measures were never proposed so far. In (Rak 2002), several challenges and deterring factors to information sharing are discussed. Rak (Rak 2002) has acknowledged that the unabated maturing of, and our dependency on, the Internet has given rise to a growing complexity of threats. He argues that the more information that is available about vulnerabilities, threat sources and best practices, the sooner these threats can be addressed and risk control measures deployed. He further presses that information sharing between industry and government can significantly increase the flow of intelligence, thereby promoting a broader picture of the cyber landscape and the ability to recognize potential threats at a much faster pace.

According to the report, it is clear that the government and the individual Organizations understand the importance of sharing risk information, yet there are three key concerns that hinder the success of such an initiative. They are:
a. Lack of Trust
b. Concerns over protection of shared data owing to privacy
c. Failure by the Government to reciprocate in sharing (Rak 2002)
Therefore a new approach to risk assessment and management is required that should aim to address these issues and concerns by ensuring that the ORAF remains a two-way information share, i.e. data must be contributed to be extracted.


Chapter 4
It is clear from Chapter 2 that there exists a gap in the way we perceive Risk Management, inclusive of the complexities involved in formulating actual security controls to reasonably address such risks. Chapter 3 has shown that although there are a few research works hinting at how a structured approach to overall RM can improve the ISMS process, the industry has not embraced the innovation owing to the key concerns & prejudices that exist among rivaling Organizations & between Governments. The purpose of this chapter is to discuss how we aim to address the issues plaguing the RM process & suggest a structured RM framework to foster collaborative defense. Here, we shall outline the scope of the project (what it is and what it is not), the choice of algorithm used and justification for the same, any limitations & assumptions made, and special constraints or requirements needed for the proposed solution to work.

4.1 Approach & Development Methodology


Although this project was not intended to be of a passive data-sourcing nature involving surveys, a fair share of background research on Organizational needs was carried out, involving interviews with Information Security personnel of various concerns. We share the understanding of the UK cyber security strategy (cabinet office 2011) that although ways to manage risks exist currently, they are not self-sufficient in coping with the dynamic & complex environment of Organizations. We envision a secure cyber space where mission-critical security information can flow freely among participating entities with the sole purpose of mitigating cyber threats & risk impact and, at the very least, fostering proactive defenses to inhibit wide & rapid propagation of such attacks.


4.2 The ORAF Risk Assessment guidance Model


By emphasizing the sharing of RA related data and strategy information, we understand that sometimes it is quite easy for Organizational IS decision makers to give in to a "lazy urge syndrome" of merely copying what others have implemented. There is not, nor will there ever be, a one-size-fits-all risk control applicable to all Organizations, since each organization (even if it is in the same industry) is bound to be unique, although certain parts of RA do overlap. This strictly requires that a comprehensive RA be carried out individually; it is then recommended that it be compared against data from the ORAF knowledge pool to ensure a comprehensive analysis & iteration, rather than copying another Organization's RA data into one's own domain. We must realize that security is always relative and never absolute. It is only measured against another scenario, not as a measure of perfection (Wright 2012). The Risk Assessment model pictured below shows the typical usage model of the web-based ORAF decision tool for a standardized RM approach.


Fig 4.2 - ORAF risk assessment guidance model


Organizations following ISO 27001 may use ORAF to prepare, assess, recognize threats, formulate an efficient risk index, communicate & iterate, and continually monitor the ISMS in place. Fig 4.2 is the ORAF usage model, which is a suggestive process relating the ISO 27001 PDCA cycle to the ORAF process. The usage model can be explained as follows:

1. Step 1 is the Plan phase, where preliminary preparations are to be done. This phase needs to be done extremely well if the rest of the process is to go smoothly. Assemble a team of Organizational decision makers with a goal to include & represent all of your Organization's departments (Peyton 2010). Here you prepare a plan on what needs to be done, define an assessment boundary scope, and need to be aware of all compliance regulations & adherence to Organizational policies. ORAF will have a consolidated set of legal information resources under the help section of the webpage.

2. Steps 2 to 7 are the Do phase, where the actual risk assessment process begins. All of the identified Organizational assets are recorded into ORAF and the risk assessment is started. We identify threats and vulnerabilities likely to be exploited, formulate the chance & impact of such risk, and identify control objectives for treatment of risks. ORAF provides guided assistance on formulating the chance or probability of occurrence using the knowledge of crowds.

3. Steps 8 & 9 contribute to the Check phase of the PDCA cycle, where the Organization shall use its RA report to implement & check the control strategies in place. ORAF can be used to verify the comprehensiveness of risk mitigation strategies identified for a particular asset with the sole aim of achieving fuller measures. In this phase, the Organization also gives back to the community by providing its RA data to ORAF. Such contribution of data strengthens & fosters better decision-making capability by pooling quantitative & qualitative risk data.

4. Steps 10 & 11 can be related to the Act phase, wherein RM is a continual process & Organizations need to monitor & improve the ISMS controls iteratively. To ease the monitoring process, ORAF allows real-time watch lists that can be configured to monitor & receive real-time filtered alerts on assets of special interest. The procedure of setting up an alert & receiving alerts through the ORAF dashboard has been represented visually in figures 5.6g & 5.6h.

4.3 Comparing WARP to ORAF


In contrast, the Warning Advice & Reporting Points (WARP) is a UK-based commercial information sharing strategy which was developed as a part of CPNI (http://www.cpni.gov.uk) to provide cost-effective methods to defend against cyber attacks (Gov 2010) and to provide personalized alerts via SMS, email, telephone or in-person group meetings. Here, we shall compare & contrast WARP with our ORAF in order to explain how the ORAF watch list function is a better alternative. In figure 4.3a, we have tried to visually represent the IS Problem & Solution information flow as adopted by the WARP strategy.


Fig 4.3a - The WARP method

A, B & C are small communities (20-100 members) that are influenced by a WARP operator, who need not necessarily be an IS expert. Periodically the facilitator sends information on IS incidents: problems & solutions. The alerts are "Filtered Warnings", in such a way that members will receive only relevant information, i.e. a Linux user will not receive Windows vulnerability information. Should any member of the community face an incident, he reports it to the WARP operator through a meeting or through Bulletin Boards (BB), and that information is reported to everyone subscribed through alerts. This, in our opinion, involves higher overhead and delay, since reporting needs to go through a mediator, and sharing information relies more on BB or passive communication and is never near instant. Let us have a look at the ORAF watch-list system.


Fig 4.3b - The ORAF collaboration method

In our system, A, B, C, D and E are sample participating Organizations and the ORAF web tool is the autonomous facilitator. Assume that each of the individual entities has already set up watch-list alerts; say C, E and D have alerts set up for Asset X, and entity B has set up an alert for Asset Z, apart from many others, but NOT for X. When any of the participating organizations faces a security incident or a compromise, in this example entity A, it reports the incident using the ORAF Reporting tool (refer to label No. 9 in figure 5.6a), and all of the members within the network except B are notified near instantaneously with the problem & solution (P+S), still keeping the reporting Organization's identity anonymous if desired. This way of reporting & sharing information is much faster since there is no involvement of a third-party facilitator, is better streamlined since only the subscribing organizations will receive the alert, and reception of the alert is near instant as there is no delay involved in waiting to organize a periodic meeting. Disseminating critical information at near instant rates potentially enables participating entities to handle even 0-day threats much more efficiently.
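The fan-out described for figure 4.3b (C, D and E alerted about Asset X, B left out because it only watches Asset Z, the reporter A kept anonymous if it wishes) is small enough to write down in full. The following Python is an added example for this page and is not the ORAF tool's code; the class and function names, the alert fields and the problem/solution text are assumptions, and the incident text is constructed.

```python
"""Watch-list alert fan-out as described for figure 4.3b.

Added example for this page, not the ORAF tool's code. Names of classes,
functions and fields are assumptions; the incident text is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    reporter: str            # participating Organization that raised the report
    asset: str               # the asset affected, e.g. "Asset X"
    problem: str             # P in the P+S notice
    solution: str            # S in the P+S notice
    anonymous: bool = True   # hide the reporter's identity from recipients


@dataclass(frozen=True)
class Alert:
    recipient: str
    asset: str
    problem: str
    solution: str
    reported_by: str         # "anonymous" unless the reporter chose to be named


class WatchListHub:
    """The autonomous facilitator: subscriptions are matched directly against the
    report, so no human mediator and no periodic meeting sit between the two."""

    def __init__(self):
        self._watch = {}  # org -> set of assets that org wants alerts on

    def subscribe(self, org, *assets):
        self._watch.setdefault(org, set()).update(assets)

    def recipients(self, incident):
        """Only Organizations watching the affected asset receive the alert, and the
        reporter is never re-notified about its own report. B, which watches Z but
        not X, is filtered out here."""
        return sorted(org for org, assets in self._watch.items()
                      if incident.asset in assets and org != incident.reporter)

    def report(self, incident):
        """Turn one incident into per-recipient alerts, honouring the anonymity flag."""
        who = "anonymous" if incident.anonymous else incident.reporter
        return [Alert(r, incident.asset, incident.problem, incident.solution, who)
                for r in self.recipients(incident)]


def figure_4_3b_hub():
    """The subscriptions assumed in the text: C, D, E watch Asset X; B watches Asset Z."""
    hub = WatchListHub()
    for org in ("C", "D", "E"):
        hub.subscribe(org, "Asset X")
    hub.subscribe("B", "Asset Z")
    hub.subscribe("A", "Asset X", "Asset Z")  # the reporter may itself watch X
    return hub


def figure_4_3b_alerts(anonymous=True):
    """A reports a compromise of Asset X (constructed P+S text)."""
    incident = Incident("A", "Asset X",
                        "constructed: service on Asset X compromised via a known flaw",
                        "constructed: vendor fix applied and credentials rotated",
                        anonymous=anonymous)
    return figure_4_3b_hub().report(incident)


if __name__ == "__main__":
    for alert in figure_4_3b_alerts():
        print(f"{alert.recipient} <- {alert.asset}: {alert.problem} / "
              f"{alert.solution} (from {alert.reported_by})")
```

Running the block lists three alerts, for C, D and E, each marked as coming from an anonymous reporter; switching `anonymous=False` names A instead, and a report about Asset Z would reach only B.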

Now, we shall explain the underlying algorithm that ORAF will use to achieve anonymization capability.

4.4 RA data Stripping & Anonymization algorithm


ORAF encourages collaborative sharing of sensitive RA data pertaining to individual Organizations; hence, owing to the privacy concerns of such participating entities, we recommend using stripping & anonymization techniques within ORAF so that all quasi-identifying factors giving away an Organization's sensitive details can be taken out before being submitted to the public sphere of the ORAF knowledge pool. This is done in order to prevent ill-intent defamers or malicious threat agents from compromising or spearheading attacks on any individual member of the ORAF system. By providing anonymity & containing the confidential or sensitive information of participating entities, we hope to increase the trust placed in the system and address the key concerns that put Organizations off participating in such risk information sharing initiatives.

Risk Assessment data are recognized as personal & confidential data since they contain a host of information about the Organization in terms of its key personnel, assets, and mitigation strategies for specific threats & risks. Giving away the document as a whole would defeat the very purpose of this effort, since it would mean that we are providing comprehensive reconnaissance information about a particular Organization to the public, and it could prove disastrous in the wrong hands. Therefore all public data via ORAF needs to be stripped of any identifying factors pointing to an individual Organization & anonymized before being submitted to the knowledge pool.


The following table (Qi and Zong 2012) shows some of the widely practiced methods of data anonymization.

Research Direction                            | Demonstration
General privacy preservation technology       | Perturbation, Randomization, Swapping, Encryption
Data mining privacy preservation technology   | Association Rule Mining, Classification, Clustering
Privacy protection data publishing principle  | k-anonymity, l-diversity, m-Invariance, t-Closeness

Table 4.4 - Privacy protection research direction

At the moment, ORAF has been proposed to adopt stripping (discarding certain parts of identifying data), and K-anonymity is chosen as the anonymizing algorithm, a short study of which follows below.

4.4.1 Stripping technique


This is a simple technique where data fields that are not needed, or not deemed mandatory to be available in public risk assessment data, are stripped away before being submitted to the public sphere.


Let us consider a typical Risk Assessment sheet from ORAF; it would have the following:

Version Control details     | Contains identifiers to keep track of the document; might be populated with team details, owner, version ID, process ID etc.
Asset Registration details  | Contains information on the actual asset name, type, asset owner, extra comments etc.
Risk Assessment             | The actual risk assessment section, where known threats, vulnerabilities, risk index & controls are assessed.

Here, the parent Organization will want to have all of the structured data when obtaining a printable version for itself, but when it has authorized the RA data to be submitted to the knowledge pool or the public sphere, we simply have no reason to give away information on the version control details or the impact rating from the risk assessment section. The former could potentially give away a lot of background information about the Organization itself, whereas the latter would influence a decision negatively, since the impact rating depends greatly on the assessing Organization itself. For instance, failure of a particular service, say instant messaging, would impact customer support businesses far more than it would a front-end sales business. Also, it is to be noted that the version control details to be stripped here are NOT the asset version details but the risk assessment document version control details. We discard or strip certain parts of the data before it is processed into k-anon & storage. However, stripping alone does not sufficiently cater to our requirements, as applying a stripping algorithm to all the fields where we need obscurity would result in complete loss of information.

4.4.2 Anonymizing RA data by K-anonymity for trend realization


In the earlier section, we saw how data can be manipulated to discard sensitive information; in this section, however, we will manipulate data in such a way that we can publish it qualitatively, representing values as a range or interval to aid in the decision making & risk assessment process, without the ability to distinguish uniquely any single individual from the record set. For instance, let us say that an excerpt from RA data is published as "Organization with employee size 50-100 using Asset X recommends controls Y for risk R". Other entities can understand that the featured Organization has probably implemented the said controls. This is an unacceptable case even when the other entity means no harm or has no ill intent; to make matters worse, should this be accessible by threat agents themselves, we would be aiding them with enough information to spearhead an attack, and we do not want this since it defeats the very purpose of our defense strategy. If we recall from section 3.3 of Chapter 3, Organizations expressed concern & fear of such obvious compromise of their classified information by sharing RA reports detailing what assets they own & the defense strategy adopted by each individually. In such cases where sensitive data needs to be published discreetly, K-anon ensures that "good enough" privacy is achieved and does not discard too much information, which would make the data actually unusable.

K-anonymity has been a successful paradigm for privacy preservation among the data mining & algorithms community (Nergiz & Clifton 2006). The main idea is to ensure that, in a released data set, each data record is indistinguishable from (k-1) other records. It works in such a way that uniquely identifying attributes are either Suppressed (dropping some tuples from the relation to satisfy K-anon (Lefevre et al. 2005)) or Generalized until each row is identical with at least (k-1) other rows, thus making the database k-anonymous. A database will contain quasi identifiers, a set of attributes in a public database which can be linked with external information to identify the entity in the records. All anonymized datasets must satisfy the K-anon property: if D is a database and QD is its quasi identifier attribute set, we can say that D is K-anonymized if and only if each value in D(QD) appears in at least K records of D (Gionis 2007).


Let us consider an excerpt of a small sample trend report record set; this is how it would potentially look in plain text.

Organization Name | Industry Type | Organization address | Employee size | Asset    | Vulnerability | Controls
Citca hughes      | Financial     | CF24                 | 250           | SQL v9   | X12 flaw      | ABC1, ABC2
Mediquick         | Medical       | CF20                 | 55            | IIS 7    | Z03 flaw      | ABC4
Eversafe          | Financial     | CF24                 | 130           | SQL v9   | X12 flaw      | ABC3
EZ sports         | Sporting      | CF14                 | 50            | Zen Cart | F05 flaw      | ABC13, ABC5
Tesco             | Supplies      | CF14                 | 100           |          |               |

Table 4.4 - Sample RA trend record

The above select database entries from potential consolidated risk assessment trend reports pinpoint that the Organization Citca hughes is in the financial industry with an employee size of 250, and owns & operates an asset SQL v9 which has an X12 type flaw. The organization has addressed it with the choice of controls ABC1 & ABC2. If we were to publish this stripped version of Risk Assessment data as is, we would be giving away too much information and compromising Organizational privacy concerns. Eversafe, a financial industry similar to Citca hughes, owns a similar asset yet has identified control ABC3. We somehow need to ensure that Eversafe realizes that there are 2 more possible controls for the same flaw & can iterate on its RA & update its controls. Eversafe does not ever need to know about Citca hughes' private information or about the Organization itself. We need to be concerned only with the asset, associated vulnerabilities, threats or risks, & practiced or recommended risk controls. Yet discarding too much information will render the knowledge incomplete or useless, & giving away too much would mean a perfect aid to initiate spearhead attacks. To prevent this, we either suppress or generalize using single or multidimensional K-anon to achieve just enough privacy and make the RA trend data available through query from within ORAF.

The generalization of a data entry needs to be systematic and not random which can be understood by the following representation.

Fig 4.4 - Generalization rule

At any point, when using a single dimension generalization, CF24 will always be generalized to CF2* within a data entry.

The following example shows Single Dimensional Suppression (SDS) and Single Dimensional Generalization (SDG) K-anon property applied to our sample data record.

Organization Name | Industry Type | Organization address | Employee size | Asset   | Vulnerability | Controls
*                 | Financial     | CF2*                 | 50 - 250      | SQL v9  | X12 flaw      | ABC1, ABC2
*                 | Financial     | CF2*                 | 50 - 250      | SQL v9  | X12 flaw      | ABC3
*                 | Medical       | CF2*                 | 50 - 250      | IIS 7   | Z03 flaw      | ABC4
*                 | Sporting      | CF1*                 | 50 - 250      | ZenCart | F05 flaw      | ABC13, ABC5
*                 | Supplies      | CF1*                 | 50 - 250      |         |               |

Table: K-anonymized dataset


In the above example, we see that we have anonymized just enough of the information: there is no way to backtrack which Organization actually owns the asset, say SQL v9, yet we have enough obscured information to understand the asset type, its set of known vulnerabilities and the possible mitigation controls adopted by individual organizations. Now when Eversafe queries the k-anon ORAF knowledge pool (generic flow shown in fig 5.4) with a query, say "mitigation controls for X12 flaw for SQL v9", Eversafe can realize from the results that a financial corporation similar to theirs, using the same asset, has identified controls ABC1 & ABC2, but will have no way of identifying the contributing organization. Such a trend report can be useful to cross-verify whether we have achieved comprehensive risk control. The probability of re-identification here would be 1/K; in our case, the probability of identifying information on Citca hughes would be 1/2, i.e. 0.5, if considering only the financial industry. If the industry type entry field were also generalized with the same SDG process, it would improve to 1/3, considering the address postcode anonymity, since three records share CF2*. The probability of re-identification also diminishes as the number of data record entries increases. By sharing such anonymized aggregate trend data, participating organizations can get a cue that their industry counterparts have identified & used certain controls which they could have potentially overlooked. By considering & iterating on those slipped control measures, we believe overall security can be strengthened.
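The stripping step of section 4.4.1 and the suppression/generalization K-anon check of section 4.4.2 can be made concrete in code. The following Python is an added example written for this page, not code from the ORAF tool; the field names, the generalization rules (postcode kept to its first three characters plus `*`, employee size replaced by the interval 50 - 250), the hypothetical `version` and `impact` fields that 4.4.1 says are stripped, and every function name are assumptions. The records themselves are the dissertation's own constructed sample from Table 4.4. The block also flags the homogeneity condition that section 4.4.2b later cites as a K-anon limitation, so a release can be checked for it before it reaches the knowledge pool.

```python
"""Stripping plus single-dimensional generalization (SDG) k-anonymity.

Added example for this page; not the ORAF project's code. Field names,
generalization rules and function names are assumptions made here.
"""
from collections import Counter

# Constructed sample: the dissertation's Table 4.4 plus two hypothetical
# RA-document fields ('version', 'impact') that section 4.4.1 says must be
# stripped before anything leaves the parent Organization.
RAW_RECORDS = [
    {"org": "Citca hughes", "industry": "Financial", "postcode": "CF24", "size": 250,
     "asset": "SQL v9", "vuln": "X12 flaw", "controls": "ABC1, ABC2",
     "version": "RA-doc v3.1", "impact": "High"},
    {"org": "Eversafe", "industry": "Financial", "postcode": "CF24", "size": 130,
     "asset": "SQL v9", "vuln": "X12 flaw", "controls": "ABC3",
     "version": "RA-doc v1.0", "impact": "Medium"},
    {"org": "Mediquick", "industry": "Medical", "postcode": "CF20", "size": 55,
     "asset": "IIS 7", "vuln": "Z03 flaw", "controls": "ABC4",
     "version": "RA-doc v2.2", "impact": "High"},
    {"org": "EZ sports", "industry": "Sporting", "postcode": "CF14", "size": 50,
     "asset": "Zen Cart", "vuln": "F05 flaw", "controls": "ABC13, ABC5",
     "version": "RA-doc v1.4", "impact": "Low"},
    {"org": "Tesco", "industry": "Supplies", "postcode": "CF14", "size": 100,
     "asset": None, "vuln": None, "controls": None,
     "version": "RA-doc v1.0", "impact": None},
]

STRIPPED_FIELDS = ("version", "impact")          # section 4.4.1
QUASI_IDENTIFIERS = ("org", "postcode", "size")  # attributes linkable to an Organization
QI_WITH_INDUSTRY = ("org", "industry", "postcode", "size")


def strip(record):
    """Stripping (4.4.1): drop fields that never leave the parent Organization."""
    return {k: v for k, v in record.items() if k not in STRIPPED_FIELDS}


def generalize(record):
    """Single-dimensional generalization (Fig 4.4): one fixed rule per attribute,
    so CF24 is always CF2* wherever it appears. The name is suppressed outright."""
    out = dict(record)
    out["org"] = "*"                                # suppression
    out["postcode"] = record["postcode"][:3] + "*"  # CF24 -> CF2*, CF14 -> CF1*
    out["size"] = "50 - 250"                        # exact head-count -> interval
    return out


def anonymize(records):
    """Strip first, then generalize, as 4.4.1 and 4.4.2 describe."""
    return [generalize(strip(r)) for r in records]


def equivalence_classes(records, qi=QUASI_IDENTIFIERS):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(tuple(r[a] for a in qi) for r in records)


def k_of(records, qi=QUASI_IDENTIFIERS):
    """The k for which the release is k-anonymous: the smallest class size
    (Gionis 2007 definition: every QD value appears in at least k records)."""
    return min(equivalence_classes(records, qi).values())


def is_k_anonymous(records, k, qi=QUASI_IDENTIFIERS):
    return k_of(records, qi) >= k


def reidentification_probability(records, qi_values, qi=QUASI_IDENTIFIERS):
    """1/k for the class that the target's generalized quasi-identifiers fall in."""
    return 1 / equivalence_classes(records, qi)[tuple(qi_values)]


def homogeneous_classes(records, sensitive, qi=QUASI_IDENTIFIERS):
    """Homogeneity check (the 4.4.2b limitation): classes of two or more records
    whose sensitive attribute takes a single value leak that value to anyone who
    can place an Organization in the class. Singletons are already k=1 failures."""
    by_class = {}
    for r in records:
        by_class.setdefault(tuple(r[a] for a in qi), set()).add(r[sensitive])
    sizes = equivalence_classes(records, qi)
    return sorted(c for c, vals in by_class.items() if sizes[c] >= 2 and len(vals) == 1)


def controls_for(records, asset, vuln):
    """What Eversafe's query in 4.4.2 would return from the pool: controls only."""
    return sorted({r["controls"] for r in records
                   if r["asset"] == asset and r["vuln"] == vuln})


if __name__ == "__main__":
    released = anonymize(RAW_RECORDS)
    print("k over (org, postcode, size):", k_of(released))
    print("P(re-identify Citca hughes | Financial, CF2*):",
          reidentification_probability(released, ("*", "Financial", "CF2*", "50 - 250"),
                                       QI_WITH_INDUSTRY))
    print("controls for X12 flaw on SQL v9:", controls_for(released, "SQL v9", "X12 flaw"))
    print("homogeneous classes on asset:",
          homogeneous_classes(released, "asset", QI_WITH_INDUSTRY))
```

Over (org, postcode, size) the release is 2-anonymous and the CF2* class gives the 1/3 figure from the text; once industry type is also treated as a quasi-identifier the Financial/CF2* class has only two members (the 0.5 figure), and the homogeneity check shows that both of those records run SQL v9 with the X12 flaw, which is exactly the kind of leakage section 4.4.2b warns about and a reason to inspect a release before it enters the pool.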

Fig 4.4b - Privacy & enough valid information preserved & shared


4.4.2a Justification for using K-anon

Although raw data anonymization techniques are still fairly in their development phases, K-anon has been a popular technique, especially in health information sharing environments (El Emam and Dankar 2008). The major advantage of K-anon over other such algorithms is the accuracy of published results & its lower computational overhead. K-anon achieves "good enough" privacy by striking a balance between data sacrificed and data obscured. Re-identification in a released data set at worst narrows down an individual entry to a group of K individuals in the dataset (Williams and Blum 2007). Taking into consideration the nature of the application & the cost of computation, K-anonymity proved a successful candidate among others.

4.4.2b Limitations to K-anon

Although K-anonymity has long been proposed as a mechanism for providing privacy in micro data publishing (Samarati and Sweeney n.d.), and numerous re-coding models have been considered for achieving k-anonymity, it is still in the early stages of perfection. K-anon poses certain limitations in that it is susceptible to the Homogeneity attack (Machanavajjhala et al 2006), especially in cases where all sensitive values in a K-anon group are the same. In (Narayanan and Shmatikov 2010), the authors state that the privacy techniques used by companies to store and anonymize data are not adequate in terms of confidentiality, as there are always attacks that can trace the dataset back to the original individual, compromising his privacy. Organizations such as credit card companies, hospitals, and real estate hold large volumes of personally identifiable data, and their released anonymized data sets are often traceable to the individual. (Narayanan and Shmatikov 2010) argue that K-anonymity de-identifies quasi identifiers effectively in a given data set; however, by joining enough datasets on common attributes, re-identification of data pointing to an individual is possible. Then there is the human element involved in the re-identification process, which makes the re-identification even more intelligent. The author, from his experience, states that any remaining attributes can be used to re-identify as long as they differ from individual to individual. Therefore, for instance, with respect to published medical data, an anonymized version of Personally Identifiable Information (PII) has no meaning even in the context of the HIPAA privacy rule (HHS 2002). Hence, absolutely de-identified data is an unattainable goal, & further computational research is deemed necessary.

4.4.2c Addressing the K-anon limitation

ORAF is proposed, at the time of writing, to use single-dimensional generalization K-anon, which, if it followed the generic approach of storing sensitive data and publicly releasing it as currently practiced by the data gathering industry, would also be prone to attacks and privacy compromise. However, we aim to achieve differential privacy in the sense that sensitive data which can give away organization-specific information is never stored in the ORAF knowledge repository. It is to be noted that RA data by itself is a sensitive document, but only if we know to which organization that RA belongs. There is a lower chance of tracing risk data back to its parent organization, since that information will never exist in the first place. (Narayanan and Shmatikov 2010) agree that an interactive, query-based approach is generally superior to the release-and-forget approach, which is exactly what ORAF will adhere to. Our knowledge repository displays trend information or risk controls to participating entities only upon query, and refrains from frequently releasing or publishing this trend data to the open internet, where we have no access controls.
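To make the stripping, generalization, suppression and query-based release described in 4.4.2a to 4.4.2c concrete, the following is an added Python example; it is not code from the dissertation or from the ORAF prototype. It assumes a constructed set of RA records from which the organization name has already been stripped, treats industry sector and organization size as the quasi-identifiers, applies single-dimensional generalization to the size attribute, suppresses any equivalence class smaller than k, and answers a query only when at least k released records back the answer. It also flags the homogeneous classes that 4.4.2b warns about, since k-anonymity alone does not rule them out.

```python
from collections import defaultdict

# Constructed sample RA records (not taken from the dissertation). The direct
# identifier (organization name) has already been stripped; industry and size are
# the quasi-identifiers; vulnerability is the sensitive attribute.
RA_RECORDS = [
    {"industry": "Finance",   "size": 120, "asset": "SQL database", "vulnerability": "SQL injection",        "likelihood": 0.2},
    {"industry": "Finance",   "size": 200, "asset": "SQL database", "vulnerability": "SQL injection",        "likelihood": 0.4},
    {"industry": "Finance",   "size": 80,  "asset": "Web server",   "vulnerability": "Cross-site scripting", "likelihood": 0.5},
    {"industry": "Pharma",    "size": 300, "asset": "SQL database", "vulnerability": "SQL injection",        "likelihood": 0.8},
    {"industry": "Pharma",    "size": 450, "asset": "SQL database", "vulnerability": "SQL injection",        "likelihood": 0.6},
    {"industry": "Education", "size": 30,  "asset": "SQL database", "vulnerability": "SQL injection",        "likelihood": 0.3},
]

# Assumed generalization hierarchy for the numeric size attribute (one dimension).
SIZE_BANDS = [(0, 49, "1-49"), (50, 249, "50-249"), (250, None, "250+")]


def generalize_size(n):
    """Single-dimensional generalization: replace an exact head count with a band."""
    for lo, hi, label in SIZE_BANDS:
        if n >= lo and (hi is None or n <= hi):
            return label
    raise ValueError("size out of range: %r" % n)


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["industry"], r["size"])].append(r)
    return groups


def anonymize(records, k):
    """Generalize the quasi-identifiers, then suppress every equivalence class
    smaller than k. Returns (released_records, number_suppressed)."""
    generalized = [dict(r, size=generalize_size(r["size"])) for r in records]
    released, suppressed = [], 0
    for rows in equivalence_classes(generalized).values():
        if len(rows) >= k:
            released.extend(rows)
        else:
            suppressed += len(rows)
    return released, suppressed


def is_k_anonymous(records, k):
    """True when every quasi-identifier combination appears at least k times."""
    return all(len(rows) >= k for rows in equivalence_classes(records).values())


def homogeneous_classes(records, sensitive="vulnerability"):
    """Equivalence classes in which every record carries the same sensitive value.
    This is the homogeneity weakness of k-anonymity: the class is k-anonymous,
    yet anyone who knows a record is in it learns its sensitive value."""
    return [key for key, rows in equivalence_classes(records).items()
            if len({r[sensitive] for r in rows}) == 1]


def query_pool(records, k, industry, asset):
    """Interactive, query-based access: return the known vulnerabilities for an
    (industry, asset) pair only if at least k released records back the answer;
    otherwise refuse, so a sparse sector cannot be singled out through queries."""
    hits = [r for r in records if r["industry"] == industry and r["asset"] == asset]
    if len(hits) < k:
        return None
    return sorted({r["vulnerability"] for r in hits})


if __name__ == "__main__":
    pool, dropped = anonymize(RA_RECORDS, k=2)
    print("released %d records, suppressed %d" % (len(pool), dropped))
    print("2-anonymous:", is_k_anonymous(pool, 2))
    print("homogeneous classes:", homogeneous_classes(pool))
    print("Finance / SQL database:", query_pool(pool, 2, "Finance", "SQL database"))
    print("Education / SQL database:", query_pool(pool, 2, "Education", "SQL database"))
```

With k=2 the single Education record is suppressed rather than released, and the Pharma class comes back as homogeneous: both pharma records name the same vulnerability, so the class satisfies 2-anonymity while still revealing that value to anyone who knows a pharma organization contributed. That is the gap the query-based design of 4.4.2c narrows but does not close, which is why the query function applies the same k threshold to the answer set.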

4.5 Summary

In this chapter we proposed an RA guidance model aligned with the PDCA cycle of the ISO 27001 processes, suggesting a typical usage scenario for users adopting the ORAF framework. This showed how the ORAF assessment framework overlaps with the well-established and familiar PDCA model, reducing the fear of change in users' minds. ORAF's proposed IS incident reporting service was critically compared to WARP (Gov, 2010) and the major differences were highlighted. We showed how ORAF is a comparatively faster way to report incidents, by eliminating the need for human intervention to mediate reporting. Owing to the privacy and identity concerns of participating organizations, we suggested the use of selective data stripping and k-anon algorithms, with suppression and generalization applied to RA report data, the anonymized versions of which are placed in the ORAF knowledge pool, searchable by queries. The illustrated sample data records show the just-enough privacy and abstraction attained by our process, enabling free flow of critical information while withholding compromising attributes. Although k-anon is a widely practiced anonymization technique, it does have certain limitations and drawbacks. We followed a query-based approach over the release-and-forget approach, thereby considerably addressing one of the K-anon limitations.


Chapter 5

5.1 Design Specification


In this chapter, from a technical architect's point of view, we specify a design framework for the web-based ORAF decision tool, using the Unified Modeling Language (UML) to communicate a road map, or blueprint, for the ORAF project.

5.2 ORAF Business Requirements


The ORAF prototype is intended to be a web-based RA and decision support tool which relies on collaborative defense against cyber threats and aims to offer a structured yet mutual and additive risk assessment based on the ISO 27001 standards. The web-based system should allow organizations or relevant participating entities to work closely with each other, enabling free flow of anonymized risk assessment data coupled with recommendations for best security practices, the ability to report IS incidents for proactive heads-up alerts and defense, and insight for decision making based on the knowledge of crowds, marching closely with the UK cyber security strategy (Cabinet Office 2011) of a safer cyber space.

All participating entities must be able to conduct an assisted self risk assessment in compliance with the ISO 27001 ISMS, and an anonymized version of the report must be submitted to a repository, which we shall call the knowledge pool, and must be retrievable by queries. The assistance could be either proactive (a guided probability estimation for assigning one of the values, the probability of occurrence, of the risk index, based on the knowledge of the crowds) or reactive (insights and trends based on collective past incidents, accompanied by a near-instant incident report alert system).


Organizations must be able to set up and configure watch-lists which let them stay up to date on threat and risk alerts. The reporting system that works in conjunction with the watch list should have provisions to alert others in real time and may be accompanied by first-aid mitigation controls. The insight capability, an API integration (depicted in fig 5.6a, labels 5 and 6), of ORAF is at the moment based on aggregated unstructured report data from trusted sources such as news media, social networks etc., filtered through the Recorded Future graph analysis engine (Recorded Future 2012), which tries to build a structured point in temporal space by linking past unstructured events (people, time, location, the incident itself etc.). The data could be plotted over a visual map to show the geographic distribution of threat sources and incidents. Also, the system should be able to analyze the knowledge pool autonomously and present a visual display of the Top 10 risks by industry sector to the subscribed organizations. This serves as a gentle reminder for organizations to take heed and ensure those high-ranked risks are addressed. Last but not least is the information reference space, site content where comprehensive information on legal and legislative requirements is presented. This serves as guidance and reminds participating organizations of compliance with the law and the Data Protection Act.

5.3 Top-level Use Case Design: Modeling the Functional Requirement


The top-level use case diagram captures what the system will do for the user, capturing the functional requirements of the system in a high-level generalization schema. It is to be noted that a top-level use case specification, as shown in fig 5.3, does not include the how, or the implementation details. The conventions used are explained below.


Actors: An actor could be a person, a system or a device: an external entity that interacts with the system. In our case, we have 4 actors, as explained below.
a. Participating Organizations: the main actors, around whom the system is to be built.
b. ORAF intelligence module: a major system component responsible for pooling and responding to user queries, the algorithm component that processes raw data into a structured format usable in the knowledge pool, and a host of other functions as described.
c. Trusted Sources: external system interfaces that contribute data to ORAF for trend analysis and insight purposes. They could be news media, social network sites etc.
d. Administrator: the well-known entity responsible for overall system maintenance and site management.
Relationships: Interactions carried out by the actors with the system are represented by an arrow.

The use cases specified in the top-level use case diagram (fig 5.3) try to capture the essence of the ORAF business requirements.


Fig 5.3 Top Level Use Case diagram of ORAF system

In the figure, the administrator (actor) and the connected use cases are self-explanatory, in the sense that Perform System Maintenance and Manage Site Content enable the user to perform periodic maintenance tasks on the ORAF website. Moderate Registered Users allows the admin to moderate or govern registered profiles and resolve issues should any conflict arise.

The Participating Organization is a primary actor and interacts with the majority of the use cases as shown. Manage personal account is a personal profile editor that allows the user to register and maintain a personal profile. This could be, say, an organization name, the type of industry they operate in, and a host of other information. This information is stored beforehand so that, at each new RA they conduct, this data can be appended to their personally retrievable RA reports. Manage risk assessment allows the user to create a new RA, and to access, print or remove previously conducted assessments. Submit RA reports lets users approve personal RA reports to be forwarded for anonymization and added to the ORAF knowledge pool. Manage threat watch list allows users to set up an alert system for an asset of their concern. This lets them add and remove watch lists, receive alerts etc. The alert viewer is real time and should display an alert as soon as it has been reported by another participating entity. This works in conjunction with the Report/send Asset compromise notification use case, where users are given the ability to report the problem and a probable solution. Additionally, the use case View real time asset compromise notification allows users to receive such reported alerts. When an organization believes one of its assets has been compromised, it does not need to remain in the dark waiting for newspapers to report the incident the next day, by which time enough time would have passed for the attack to propagate over a larger territory and claim more victims. We are referring to the area of compromised network resources as territory. The reporting functionality allows a compromised entity to notify others of the compromise, and also offers an option to include possible mitigation controls. However, the notification would be received only by those already subscribed to the respective alert. A watch list set up for, say, SQL v9 will not receive the alert if a compromise has occurred for, say, a biometric scanner with faulty firmware; however, this incident does get reported to the ORAF knowledge base and is displayed in the trend analysis at a later date. The Rank Top-10 risks use case accepts inputs from participating organizations and pre-defined trusted sources. The ORAF module needs to interact at this point to classify and list the Top 10 risks based on trend data and the organization's industry sector. We shall now explain what each use case represents and how each plays a significant role as a part of the system with reference to the others. The individual functionality of each use case can be understood from the use case specification document shown below.

5.3.1 Use Case Specification


The use case specification describes each of the use cases in more detail to aid the implementation process. The specification document describes which actors interact with each use case, the preconditions that need to be met for the use case function to be activated, and the description or scenario that can be performed on the use case.
Use Case No.: 1
Use Case Name: Perform System Maintenance
Rating: Essential
Purpose: To allow the administrator to perform basic maintenance tasks on the ORAF system
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system with admin privileges
Trigger: No special trigger.
Description:
- Enables the admin to perform the maintenance routine
- Must limit tasks to database optimization, content moderation and other such pseudo-primary tasks
- Must NOT allow changes to core system functionality
EXT: None
Post Conditions: Optimized system performance
Related Use Cases: Moderate Registered Users, Manage Site Content

Use Case No.: 2
Use Case Name: Moderate registered users
Rating: Essential
Purpose: Allows super admin governance over registered profiles
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system with admin privileges
Trigger: The need to interact with a user profile
Description:
- Enables monitoring and moderation of registered user profiles
- Useful to review a profile based on suspicious activity
- Ability to remove, block or suspend accounts
- Ability to send group messages
EXT: None
Post Conditions: One of the intended purposes.
Related Use Cases: Manage Site Content, Perform System Maintenance

Use Case No.: 3
Use Case Name: Manage Site Content
Rating: Essential
Purpose: To manage site content
Main Actor: Administrator
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system with admin privileges
Trigger: A need to update/modify feeds from trusted sources. No special trigger.
Description:
- Allows overall site administration, e.g. posting special announcements
- Configure/modify incoming RSS and news snippet feeds (trusted sources)
EXT: None
Post Conditions: Achieve required changes.
Related Use Cases: Moderate Registered Users, Perform System Maintenance

Use Case No.: 4
Use Case Name: Manage personal account
Rating: Essential
Purpose: To allow the user to review/update personal information
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system terminal
Trigger: Changes in the organization profile
Description:
- Enables adding/updating personal information in the database
- Requests information on organization details, industry segment and size
- This information is appended to risk assessment reports conducted by the relevant user but is NOT shared with others and is discarded when submitting RA data to the knowledge pool.
EXT: None
Post Conditions: Update changes to the profile as required.
Related Use Cases: None

Use Case No.: 5
Use Case Name: Manage Risk Assessment
Rating: Essential
Purpose: To allow actors to manage risk assessment activities.
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system terminal
Trigger: No special trigger. Can be accessed when there is a need to review or perform a new risk assessment.
Description:
- Allows the user to perform one of the desired tasks: initiate a new risk assessment based on ISO 27001
- Allows the user to view or print previously performed risk assessments
- Provides a guided step-by-step template to perform the risk assessment
- Must comply with ISO 27001 requirements
- The RA starts with confirming/updating the organization profile and registering the assets, followed by the actual assessment, where threats and risk factors are identified, a risk index is assigned etc.
EXT: Print RA report
Post Conditions: RA results are populated and the K-anon algorithm is applied to the report to anonymize the data. Submitted to the knowledge pool and confirmation sent to the parent organization
Related Use Cases: Submit RA report, Anonymize submitted RA report

Use Case No.: 6
Use Case Name: Submit RA report
Rating: Essential
Purpose: Allows the user to authorize submission of a personal RA report to ORAF
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: None
Trigger: When a fresh risk assessment is made
Description:
- Recommends that users submit RA data
- Forwards the report to the anonymization module before it is added to the pool.
EXT: None
Post Conditions: A new anonymized RA report is made available in the pool for all to share.
Related Use Cases: Anonymize submitted RA report

Use Case No.: 7
Use Case Name: Anonymize submitted RA report
Rating: Essential
Purpose: Enables ORAF to successfully anonymize user-submitted risk assessment data
Main Actor: ORAF intelligent module
Secondary Actors: Participating Organization
Pre Conditions: Requires successful completion of a new risk assessment
Trigger: Process started before submitting to the knowledge pool
Description:
- The module takes the RA report as input and anonymizes the data in line with the privacy concerns of the organization
- All quasi-identifiers pertaining to the organization are removed
- The asset details, risk rating, industry segment and size, identified threats and risk controls are preserved
EXT: None
Post Conditions: Anonymized RA data is submitted to the knowledge pool and made available to other participating organizations
Related Use Cases: None

Use Case No.: 8
Use Case Name: Manage Threat Watch-list
Rating: Essential
Purpose: To allow the user to customize and receive threat alerts
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system terminal
Trigger: Interest in real-time updates on potential vulnerabilities to a particular asset
Description:
- Enables adding/removing customized threat watch lists with real-time updates
- A pre-registered organization's asset needs to be assigned here
- The knowledge pool is monitored continually for any reported incidents or vulnerabilities pertaining to that asset.
EXT: None
Post Conditions: Submits watch list criteria to the system for real-time monitoring.
Related Use Cases: Report/Send asset compromise notification, View asset compromise notification

Use Case No.: 9
Use Case Name: Report/Send asset compromise notification
Rating: Essential
Purpose: To allow the user to report any 0-day vulnerability or emerging threat outbreak to all participating organizations
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires user to be logged in to the system terminal
Trigger: Identification of a 0-day vulnerability or a security incident
Description:
- Allows the participating organizations to notify all in the network of the incident; a sort of alert system
- Notification sent in real time along with asset type, recorded incident and possible controls
EXT: None
Post Conditions: Real-time alert received by participating organizations based on their watch list.
Related Use Cases: View asset compromise notification

Use Case No.: 10
Use Case Name: View asset compromise notification
Rating: Essential
Purpose: To allow the user to receive real-time threat alerts based on watch list preferences
Main Actor: Participating Organization
Secondary Actors: NA
Pre Conditions: Requires Supervisor to be logged in to the system terminal and have at least one preconfigured watch list
Trigger: Report of a prioritized threat from trusted sources
Description:
- Shows visual alerts based on the watch list
- Does NOT show the compromised organization's identifiers, yet includes the compromised asset, vulnerability, risk and potential mitigation controls.
EXT: None
Post Conditions: Update Service record once the prescribed service is done.
Related Use Cases: Report/Send asset compromise notification, Manage Threat Watch-list

Use Case No.: 11
Use Case Name: Show IS Trends & Insight
Rating: Essential
Purpose: Allows users to obtain a graphical trend chart and keyword insight
Main Actor: Trusted Sources
Secondary Actors: ORAF intelligent module
Pre Conditions: Trusted sources need to be defined and the module configured to receive RSS data feeds
Trigger: Updates each time a user logs in to the system
Description:
- Collects data feeds from predefined trusted sources (news media, social networks etc.)
- Plots geographic threat distribution over a graphical map
- Aids in predicting advancing threat agents and propagating risks
- API to be built over Google insight; trend analysis similar to Recorded Future intelligent prediction analysis
- Enables real-time cyber threat monitoring
EXT: None
Post Conditions: Enlighten users with comprehensive knowledge and aid informed decisions
Related Use Cases: None

Use Case No.: 12
Use Case Name: View IS best practices & UK law compliance
Rating: Medium
Purpose: Allows the user to quickly refer to up-to-date UK cyber laws and recommended practices
Main Actor: Participating Organizations
Secondary Actors: Trusted Sources
Pre Conditions: None
Trigger: No special conditions; can be accessed at any time within the site navigation menu
Description:
- Contains an exhaustive list of recommendations and Information Security best practices
- Acts as a quick reference scheme
- Updated information on UK cyber law compliance requirements
EXT: None
Post Conditions: Advises users to ensure integrity with respect to required law and practices.
Related Use Cases: None


5.4 Activity Diagram


In the previous section we saw how the use case diagram helped us understand what the user wants to do with the system; here we use an activity diagram to capture the business operation workflow and the actions and activities related to it.

Fig 5.4 Activity Diagram

We have visually represented an overview of the overall workflow, with the decisions and choices affecting possible outcomes.


Fig 5.4b Legend (image source: http://www.csci.csusb.edu/dick/samples/uml0.html)

Let us start at the point <Register Organization>; this step can be skipped if the user is already registered with ORAF. Upon creating a valid user profile, the participating entity can now log into the system, as denoted by <Login>, and choose one of the many available options within the site. They could now decide whether they would like to <initiate a new risk assessment> or <view/print existing RA reports> if they have already done one earlier using ORAF. For the sake of the scenario, let us assume the user initiates a new assessment. They are then shown the option <Register organizational Assets>, where they need to input a comprehensive list of assets categorized by type. Once done, they proceed to perform the actual assessment. When the process is complete, ORAF displays a detailed printable output of the RA with risks categorized by risk index. The user now has the option to <print report> or use the electronic format and <compare> self-selected mitigation controls to the knowledge pool.

This can be an extremely useful step, where the knowledge of the crowds ensures that we have considered the most exhaustive possible list of risks and controls. Going one step backward, the fork and join denote the point where ORAF performs background stripping and anonymization of the RA data to be added to the knowledge pool. A <confirmation> is then shown. The process could stop here or continue with a new choice, say <Access Knowledge pool>. The knowledge pool is a large central repository to which participating organizations can turn to seek guidance and validation on their risk assessment and control measures. Let us take the first activity, <seek mitigation advice>: ORAF prompts the user to enter <Asset details> for which the controls need to be looked up. The knowledge pool, which contains a variety of RA data from various anonymized organizations, is then queried and the results are populated in the user's view. The organization can now <Compare> the populated list of strategies with its own mitigation controls and iterate on the same.

5.5 Sequence Diagram


A sequence diagram is a UML diagram that illustrates the sequence of messages and interactions between objects over a specific period of time, and can be used to work out detailed object-oriented designs. A sequence diagram contains lifelines that represent properties of any UML element that shows behavior, including actors, systems or subsystems, classes, and components (IBM 2005). The sequence diagram shown below illustrates the same scenario as described in the activity diagram, yet here we capture the more complicated interactions between objects, which potentially add more clarity for the project development phase. The objects that make up the system are represented with boxed heads, and the dotted line that runs vertically down is the lifeline segment of those objects. The vertically overlapping white rectangular boxes show the period of time in which the object is initiated, remains active and dies after an operation. Requests are represented with dark arrows, whereas replies from other objects are represented with dotted arrows, as shown. These requests could sometimes have conditions that must be true in order for an action to occur, as denoted with square brackets: [condition statement].

Fig 5.5a Legend


There is also a recursive message, where the object waits until, say, a math function has been computed, which is denoted using a half-loop arrow to self, as follows.

Fig 5.5b Recursive notation

The activity diagram shown in fig 5.4 has been interpreted conceptually as a sequence diagram below, starting with a conditional logon statement and the object :participating organization calling a new risk assessment from the object :RA module. From the diagram, the steps are self-explanatory; note, however, that the activation periods of the object :ORAF intelligence module and the object :Knowledge pool show that they are not alive until a function that involves their participation is actually called.


Fig 5.5c Sequence diagram


For illustration purposes, in the sequence diagram (fig 5.5c), let us see how the RA report anonymization function is called by the system. Once the user has been presented with a detailed RA report, the object :RA module prompts the user (request) to submit the RA to the knowledge pool. The user approves (reply) submission to the module, which in turn passes on a <request> to the :ORAF intelligent module to initialize the anonymization process and compute the filtering as required. The computed data is then submitted to the knowledge pool and an acknowledgement is sent to the ORAF module. The module is then shown to pass the confirmation to the end user, thereby successfully completing one phase of the operation.

5.6 Mockup of ORAF framework


In this section, we present a potential user interface (UI) and sample functionality for the proposed web-based Open Risk Assessment Framework and Decision Support Tool. The framework mockup was created using the trial version of Balsamiq (http://www.balsamiq.com/) and Adobe Photoshop CS3 (http://www.adobe.com/). In fig 5.6a, which represents the home screen of the web-based framework, key controls have been labeled numerically for easier interpretation.


Fig 5.6a - ORAF dashboard

Label 1 is the profile manager, which stores personal information about the organization as described in Use Case Specification No. 4. This is visible only to the parent organization; no other participating entity can access this information.

Label 2 is the center for all RA-related operations, as described in Use Case Specification No. 5. The option View/Print reports lets the logged-in user access their existing personal RA reports. Manage assets contains a list of assets that the organization has added to the RA form during one or many of the previous risk assessments. This functionality lets users keep tabs on previously assessed assets and makes configuring a watch list a matter of choosing assets from a drop-down, as shown in fig 5.6g. Access knowledge pool provides an interactive interface to query the ORAF knowledge pool (public sphere), where anonymized public RA data is stored. The following decision support queries are supported:
a. Guided estimation on assigning the probability index in a risk matrix
b. Crowd-identified threats/vulnerabilities for a particular asset
c. Possible known mitigation controls for an asset
Our hypothesis, or rather a factual belief, is that:
1. The reliability or quality of decision making depends directly on the availability and accuracy of critical information, combined with experience.
2. Risk rating must be a logical measure backed up with judgmental reasoning and not merely reliant on numerical statistics.

Fig 5.6b Decision vs. information hypothesized graph (please note the graph is not accurately plotted)


The upward-increasing curve has been used to visually express the idea that, when we are placed in a situation to make a decision, the quality of the decision we make depends greatly on the amount of relevant information we have at our disposal on the subject matter. This information could be personal experience, or be made available through unabated information channels. This information has to be accurate, relevant and available at the right time and/or when the decision maker needs it (India 2010). Earlier, we had our fair share of concern when analyzing the Risk Rating Formula (RRF), where a single person or a small group of technical personnel assigns the decisive factors (either probability or impact). Calculating the cost of impact is a hugely debatable topic of its own, which is out of the scope of this project, but we realized that by increasing the accuracy of one of the two factors, the accuracy of the RRF can be improved.

Fig 5.6c Venn diagram


In figure 5.6c we represent the two factors of the commonly used risk rating index as Probability and Impact. The impact cost varies greatly with each organization, and it is up to the IS assessor to understand and formulate the organization's impact cost. Furthermore, even though we cannot directly influence the probability of occurrence, which is often left to chance, we can strive to perfect our accuracy in estimating the probability of occurrence, which will give us much better insight into the RRF, which directly influences our risk prioritization controls. The objective is to ensure that we are not focusing on the lesser risks while overlooking greater ones. The ORAF guided probability works by taking the average of the individually assigned probability estimates from various RA data, categorized by industry type, for an asset.

This formula is applicable only to a set of records from each category for an asset X (defined by metadata or searchable by keywords within the ORAF knowledge pool) owned by organizations O falling under industry type Y, having vulnerability V and threats T.

An SQL database (X) used in Zydus Cadilla (O), which is a pharma/hospital database (Y) vulnerable to SQL injection (V) from known threats, will have a higher probability of facing an attack than an SQL database being targeted in the education industry. In this case, an IS assessor who has spent most of his career in the education industry will experience a cognitive bias and rate the risk probability on a lower scale for the pharma industry. The lack of information has made him commit a grave error in assessing the risk index. This can potentially be addressed by ORAF decision support queries.


Let us consider a sample scenario where the ORAF knowledge pool has assimilated 3 RA data sets from individual organizations, 2 from the finance sector and 1 from pharma, each using more or less overlapping assets and similarly identified threats and vulnerabilities.

From the figure we can see that, since each RA was conducted by a unique individual with a varying perception of the probability of occurrence or likelihood, the same asset with the same vulnerability has been assigned varying likelihood values. Now, if a fourth organization from the finance sector conducts an RA and identifies similar threats or vulnerabilities to the same asset A, and would like to verify its accuracy, it can do so by calling the ORAF guided probability index.

In which case, ORAF will compute (for asset A)

In which case, the recommended probability rating will be 0.3, and the user is advised to reiterate if the self-formulated index rating and the ORAF index vary by more than 2 points. Observe that ORAF has ignored the RA data from the PHARMA industry in the computation, even though all 3 reports had a similar asset A with the same threats and vulnerabilities; as mentioned earlier, this is because of the varying likelihood of events based on industry sector. Shown below is a mockup showing an excerpt from the ISO 27001 compliance risk assessment template (full document attached in the appendix), illustrating how it could take place in the ORAF system.
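The guided probability computation just described, as an added Python example; it is not the dissertation's or the ORAF prototype's code. The three pool records are constructed (the page's own figure with the individual likelihood values is not reproduced here) and chosen so that the two finance records average to the 0.3 recommended above; the re-iteration margin is assumed to be 0.2 on a 0 to 1 likelihood scale, since the "2 points" in the text is not tied to a stated scale. The function filters on industry sector before averaging, so the pharma record is excluded exactly as the text describes.

```python
from statistics import mean

# Constructed knowledge-pool extract (not the dissertation's figure): anonymized
# RA records for the same asset A with the same threat T and vulnerability V.
POOL = [
    {"industry": "Finance", "asset": "A", "threat": "T", "vulnerability": "V", "likelihood": 0.2},
    {"industry": "Finance", "asset": "A", "threat": "T", "vulnerability": "V", "likelihood": 0.4},
    {"industry": "Pharma",  "asset": "A", "threat": "T", "vulnerability": "V", "likelihood": 0.8},
]

# Assumed re-iteration margin on a 0-1 likelihood scale.
REITERATE_MARGIN = 0.2


def guided_probability(pool, industry, asset, threat, vulnerability):
    """Average of the crowd-assigned likelihoods for (asset X, industry Y, threat T,
    vulnerability V). Records from other industry sectors are excluded because the
    likelihood of the same event differs by sector. Returns None when nothing matches."""
    values = [
        r["likelihood"] for r in pool
        if r["industry"] == industry and r["asset"] == asset
        and r["threat"] == threat and r["vulnerability"] == vulnerability
    ]
    if not values:
        return None
    return round(mean(values), 3)


def check_estimate(pool, industry, asset, threat, vulnerability, own_estimate,
                   margin=REITERATE_MARGIN):
    """Compare an assessor's own likelihood estimate against the guided value and
    decide whether ORAF should prompt a re-iteration of the risk index."""
    guided = guided_probability(pool, industry, asset, threat, vulnerability)
    if guided is None:
        return {"guided": None, "own": own_estimate, "reiterate": False,
                "note": "no crowd data for this sector/asset"}
    gap = round(abs(own_estimate - guided), 3)
    return {"guided": guided, "own": own_estimate, "gap": gap,
            "reiterate": gap > margin}


if __name__ == "__main__":
    # A fourth finance organization assessing asset A, whose assessor (biased by
    # experience in another sector) has rated the likelihood far too low.
    print(check_estimate(POOL, "Finance", "A", "T", "V", own_estimate=0.05))
```

Returning None rather than a default when the sector has no matching records matters for the bias case in the text: an assessor should be told that the crowd has nothing to say, not handed a number that looks like guidance.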


Fig 5.6d Asset registration window

This is the risk assessment window, where the actual process of risk assessment takes place. A full RA template has been created and attached in the appendix. Seen here in fig 5.6e is the ORAF tooltip suggesting that guidance is available for formulating the priority risk index. This works only after a value has been assigned by an assessor based on his estimate, and auto guidance kicks in only if the values differ by a considerable margin (pre-defined range). As always, it is accessible manually as well, at any point in time.

Fig 5.6e Risk Assessment page

Figure 5.6f shows ORAF's guided probability formulation, where users can query the ORAF knowledge pool for assistance on the probability of occurrence or likelihood. The figure shows an interactive tag cloud, a set of keywords or meta-tags relevant to the user's search query, which aims to simplify the query process.

Fig 5.6f ORAF's probability guidance system

Such real-time information availability enables an assessor to potentially overcome the information gap that plagues the effectiveness or validity of decisions, and also to estimate the efficiency or comprehensiveness of a formulated mitigation technique with respect to others.

Label 3 in fig 5.6a relates to use case 8. The watch-list manager interfaces to the live alert on the homepage dashboard marked by label 8. Any alerts configured via the watch-list window (figure 5.6g) will be constantly monitored by ORAF, and any reported incident is displayed near instantly along with possible mitigation controls, as shown in label 8 of fig 5.6a.


Fig 5.6g Watch-list manager

Label 8 in figure 5.6a is the visual dashboard that receives filtered watch-list alerts. In our case, it shows a scenario where a previously configured watch-list asset, Windows 7, has been reported compromised due to a vulnerability, and a suggested treatment plan has been sent by a participating organization. This alert will be received by all who have subscribed to or set up such a watch list; however, the reporting organization's name is kept anonymous. This anonymity can be lifted, although this is not recommended, if the reporting organization wishes to disclose its identity. There is also a vote up/down feature that sends aggregate feedback, positive or negative, to the reporter of the incident. Label 9 is the report-incident panic button, which lets the compromised organization report the incident to [problem + solution] filtered listening parties (please refer to section 4.3).


Fig 5.6h is a mockup of the reporting window.

Fig 5.6h Incident reporting system

Towards the left are a list and a pie chart that show all incidents previously reported by the user and the feedback received from others. The right shows a template for reporting an incident. Labels 5 and 6 in the figure, which relate to use case specification number 11, are trend data received from pre-defined trusted sources configured to send live feeds to ORAF; in our case we show the Google Trend API and the Recorded Future API, which give an insight into currently trending threat agents. Depicted here is the Google insight on trending SQL injection attacks, and Recorded Future's temporal analysis engine is shown predicting an event (still in experimental phases) for Oct 2012 by structuring articles and events from the largely unstructured information floating in the web sphere. A single-page canvas view where the manager can have up-to-date information of his preference goes a long way in helping him make that decisive choice. Label 7 is a live scrolling alert window showing the top 10 risks for a particular industry sector, populated by the aggregate risk rating index of public RA data. This data is compared with the user's native RA data, and color variations show whether the risk has been identified and addressed in one of the prior recently conducted risk assessments. In the mockup, ORAF has recognized that risks due to insider actions have not been identified or addressed in the most recent RA by the current active user and has highlighted the field in red, alerting the user. This lets an organization know whether the top risks to its industry sector have been addressed comprehensively. Label 4 is a read-only page where current laws and compliance regulation information is provided. The aim here is to provide a consolidated reference repository of UK legal and legislative provisions pertaining to cyber security. This serves as a reminder to organizations of the need to adhere to compliance requirements and avoid unexpected lawsuits.


Chapter 6
6.1 Case scenario validation


In this chapter we will simulate a case scenario comparing the typical risk assessment approach with the ORAF suggested approach, and validate them on the basis of:
a. Addressing the knowledge gap and cognitive bias in risk decision making
b. Timeliness of critical information availability
c. Mutual defense against risk
We will be using a sample risk assessment report from (Security and Webcast 2004) for illustration purposes. An independent Organization X wishes to perform a risk assessment. This is going to be their first ISMS process and they settle upon the ISO 27001 process of RM. Lacking comprehensive knowledge of it, they hire a third-party IS assessor, John, as part of their managerial team to steer the assessment process. Although John is not originally from Organization X's industry sector, the assessor's familiarity with RM was approved by the Organization's managerial team. After minor hiccups and a few disagreements of opinion on both sides, the team finally lays down a blueprint for the RM process. John and the team begin with the traditional approach of laying down the purpose, scope and document versioning, with a list of involved personnel. Owing to budget and time constraints, the Organization wants John to formulate a risk model to prioritize and implement controls only for top-priority risks. Based on John's personal experience and skill set, John formulates a risk model as follows.


Fig 6.1a Threat likelihood ; Source - (Security and Webcast 2004)

Fig 6.1b Magnitude of impact ; source - (Security and Webcast 2004)


Since Organization X liked numbers, John formulated his risk index as follows and advised his team that risk priority can be assessed by the overall score ranges listed below.

Fig 6.1c Risk matrix ; source - (Security and Webcast 2004)

The risk assessment was completed and the sample report was summarized as follows.

Fig 6.1d Report excerpt adapted from (Security and Webcast 2004) showing flawed risk rating


The populated controls seen in figure 6.1d show John and his team's cognitive bias that the likelihood of an event, a Cross Site Scripting (CSS) attack, occurring is low. John had no way of forecasting this unless he had prior knowledge of the industry. Even with an impact scale of High (100), which could typically bring X to its knees, according to John's risk scale matrix the risk index would still be about (0.1*100) = 10, classifying it in the low risk category merely because of a speculative low (0.1) rating for likelihood arising from the knowledge gap. Of course, if John had had enough resources and time to validate his figures, this gap could have been addressed; yet owing to the project deadline and budgetary constraints, the organizational decision makers authorize resources only for medium to high risk controls, leaving out CSS. Unexpectedly, a CSS attack happens within the first few weeks, setting back the Organization by huge resource costs and trouble.

6.2 How ORAF could have helped

As mentioned earlier, risk ratings are not always verified by logical constructs and are being overlooked (Eli 2010). Another major problem with ISMS is the inability to validate decisions or distinguish between critical and non-critical assets (Theiia n.d.). The main purpose of ORAF is to provide a standardized approach to RM and aid in decision making by providing structured and real-time critical information where required. Using ORAF alongside the ISMS process would have provided a structured approach to risk assessment and validation of controls against other structurally similar RA reports categorized by industry sector. When John had his doubts about the likelihood of CSS as a risk in X's industry sector, he could have used the guided probability functionality described in section 5.4 under label 2 to validate his estimate against the knowledge of the crowds, thereby addressing the knowledge gap almost instantaneously.
An increased accuracy in the risk index would have meant tighter priority checks and logical scrutiny. Updated anonymized risk assessments made available by various organizations in real time over the knowledge pool could have been used to check whether all known threats to an asset had been identified and addressed. In cases such as CSS, the knowledge of crowds could be used to figure out the odds in spite of cumulatively lower risk index ratings, ensuring availability of critical information when needed. Even if an IS incident were to happen, including one not identified before, the combination of reporting and filtered watch-list functionality could have been used to report the incident (problem and a solution) in real time and alert many others in the network, preventing further compromise of territory and subsequently minimizing the area of compromise. Such selfless reporting saves other members from facing the likelihood of such attacks, or at least prepares them to defend better against the onset of such an attack. All submitted RA reports are stripped and k-anonymized, and each field is referentially accessible by queries via ORAF. The HUD on the ORAF web page constantly monitors new threats and color codes them (label 7 in fig 5.6a) to ensure a comprehensive risk assessment has been made for an asset at a given point in time. These elucidate our mutual defense strategy.
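The guided probability index of section 5.4 and the likelihood x impact risk index John applies above, worked through as an added example that is not the dissertation's own code. It assumes the knowledge-pool aggregate is a sector-filtered mean, takes the likelihood/impact scales and Low/Medium/High bands from the NIST-style tables in figs 6.1a to 6.1c, treats the "2 points" tolerance as a parameter, and uses a constructed sample pool with a placeholder sector for Organization X.

```python
"""Guided probability index and risk index, an added illustration of the ORAF
process described in sections 5.4 and 6.2 (not the dissertation's own code).
Assumptions: the knowledge-pool aggregate is the arithmetic mean of peer
likelihood ratings for the same asset and vulnerability in the same sector;
the likelihood and impact scales (0.1 / 0.5 / 1.0 and 10 / 50 / 100) and the
Low (<= 10), Medium (<= 50), High (> 50) bands follow the NIST-style tables
of figs 6.1a to 6.1c; the '2 points' re-iteration tolerance is a parameter.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PoolRecord:
    """One stripped, anonymised RA row in the knowledge pool (sector only,
    no reporting organisation name)."""
    sector: str
    asset: str
    vulnerability: str
    likelihood: float  # the submitting assessor's own rating, 0.0 to 1.0


# Constructed sample pool (values made up for this example). Three Finance
# reports and one Pharma report rate the same asset A; "Sector X" is a
# placeholder for Organization X's industry from the chapter 6 scenario.
SAMPLE_POOL = [
    PoolRecord("Finance", "Asset A", "Unpatched web server", 0.5),
    PoolRecord("Finance", "Asset A", "Unpatched web server", 0.1),
    PoolRecord("Finance", "Asset A", "Unpatched web server", 0.3),
    PoolRecord("Pharma", "Asset A", "Unpatched web server", 1.0),
    PoolRecord("Sector X", "Web application", "Cross Site Scripting", 1.0),
    PoolRecord("Sector X", "Web application", "Cross Site Scripting", 0.5),
    PoolRecord("Sector X", "Web application", "Cross Site Scripting", 1.0),
]


def guided_probability(pool, sector, asset, vulnerability) -> Optional[float]:
    """Aggregate peer likelihood ratings for the same asset and vulnerability,
    restricted to the querying organisation's own sector. Reports from other
    sectors are ignored, as ORAF ignores the Pharma report for asset A.
    Returns None when the pool holds nothing comparable."""
    peers = [r.likelihood for r in pool
             if r.sector == sector and r.asset == asset
             and r.vulnerability == vulnerability]
    if not peers:
        return None
    return round(mean(peers), 2)  # assumed aggregate: arithmetic mean


def needs_reiteration(own, guided, tolerance=0.2) -> bool:
    """True when the assessor's rating and the ORAF index differ by more than
    the tolerance; the text's '2 points' is read as 0.2 on a 0..1 scale."""
    return guided is not None and abs(own - guided) > tolerance


def risk_index(likelihood: float, impact: float) -> float:
    """Risk index = likelihood x impact, the formula John applies in chapter 6."""
    return round(likelihood * impact, 2)


def risk_band(index: float) -> str:
    """Map an index onto the assumed Low / Medium / High score ranges."""
    if index <= 10:
        return "Low"
    if index <= 50:
        return "Medium"
    return "High"


def assess(pool, sector, asset, vulnerability, own_likelihood, impact):
    """Run one RA row through the guided process: compute the assessor's own
    index, query the sector-filtered peer index, and recompute with the peer
    value when the two disagree by more than the tolerance."""
    guided = guided_probability(pool, sector, asset, vulnerability)
    own_index = risk_index(own_likelihood, impact)
    result = {"own_index": own_index, "own_band": risk_band(own_index),
              "guided_likelihood": guided,
              "reiterate": needs_reiteration(own_likelihood, guided)}
    if result["reiterate"]:
        guided_index = risk_index(guided, impact)
        result["guided_index"] = guided_index
        result["guided_band"] = risk_band(guided_index)
    return result
```

Running `assess(SAMPLE_POOL, "Sector X", "Web application", "Cross Site Scripting", 0.1, 100)` reproduces John's own index of 10 (Low) and then flags it for re-iteration against the sector's peer index, which lifts the risk to High.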


Chapter 7
In this chapter, we conclude our research with a reflective report on insight & learning.

7.1 Reflective Conclusion


The main aim of this Master's dissertation was to propose a framework for a standardized risk assessment approach and decision support tool, to allow participating organizations to take part in a mutual defense initiative against lurking cyber threats, which was previously limited by concerns for privacy and trust. The focus being on addressing risks to Organizations, we encouraged sharing anonymized versions of partially obscured RA reports via ORAF to realize the comprehensiveness or validity of an assessment, and also to aid managerial decision making by providing guidance on the probability or likelihood index, a free flow of mission-critical information to address the knowledge gap, and the ability to validate decisions based on logical constructs by referring to the multitude of knowledge of crowds. ORAF was also designed with the ability to report an incident with a solution where applicable, and to receive alerts in real time, near instantaneously, via subscribed watch-list monitors to all in the network, thereby controlling the spread of epidemic attacks. The very foundation of motivation for this research was laid by Dr. Burnap of Cardiff University UK (http://burnap.org/) and was kindled by the UK Government's cyber security goals for 2015 (cabinet office 2011), coupled with a strong personal interest in information security. Assimilated knowledge from academic and real-world risk assessment practices and the complications involved, followed by unabated breaches of security in spite of such risk controls, provoked the need to dive in depth to understand where exactly we are going wrong. With each individual risk assessment within various organizations, are we re-inventing the wheel with the same inherent flaws of conducting an assessment for the same asset and each time missing out important controls? The industry acknowledges that there exists a knowledge gap when identifying emerging or unknown threats. Why not share risk-related data with similar industry sectors to challenge the comprehensiveness of assessments and strengthen cyber space mutually?


Upon research we uncovered important issues relevant to the RM process:
a. Organizations are quite particular and concerned about their privacy when it comes to sharing RA documents, and often lack trust in rival organizations.
b. ISO 27001 was a document of "what" and not of "how" to actually do the RA process.
c. There was also no way to identify a security incident until it had happened.
d. Managers, who authorized prioritized risk controls, had no trusted way of validating their decisions, and there existed knowledge gaps often compounded by cognitive biases that clouded better decisions.
In support of the above claims, Chapter 2 shows in detail the currently existing trends, processes and misconceptions with ISMS. Although risk assessments are an extremely integral part of an RM process, we learnt that current RA approaches are far too varied and are not suitable for scenarios where one needs to conduct rapid assessments. Also analyzed is the widely practiced risk index or risk rating formula, whose computed points system formed the basis of prioritizing risks. Practically speaking, they did not seem to provide a solid basis for formulating risk priorities, and one needs to logically examine and involve a certain degree of rational reasoning when prioritizing risks. As always, traditional ISMS processes were rigid and authoritative and often failed when such arguments or decisions needed to be validated. A lot of existing RA tools available commercially restricted assessments within organizational boundaries. We used trial versions of vsRisk to see how it fared in terms of fluidity, but it too was rigid, with pre-populated identifiers and little room for a comparative assessment. Also, we learnt that security risk controls are expensive to implement and the industry was facing difficulties in validating their security enhancements. We realized that there was a clear case of a knowledge gap between the technical assessors and the managerial authority.
Though risk assessments did identify vulnerabilities and threats to an asset and measures of control, we still lack a way to autonomously align these assessments in terms of business concepts. Thus, taking into consideration the key concerns, we spent a considerable amount of time conducting interviews and background research, as summarized in chapter 3. A considerable amount of the quality articles that were available seemed to argue the inherent flaws in traditional ISMS: managers lacking an effective decision channel. Although there were a variety of research papers that argued in favor of cultivating a free flow of information and sharing security responses, it was surprising to see that not even a handful were implemented, and many faced resistance. Lack of trust and privacy concerns often came out as the top two reasons for this, and we wanted to find a way to address it. To complement a structured approach to RA, we developed an ORAF risk assessment guidance model with the aim of bringing in a collaborative defense strategy by sharing RA data with peers, and ensured that it aligned with the ISO 27001 PDCA cycle to avoid inconsistencies. Dividing organizations into zones based on their industry sectors, we hypothesized that an event of a particular type is more likely to occur in certain zones than others, which partially depends on the motive of the threat entity and also on the territory's resources. We also suggested that, ISMS being a continual process, there be a facility to report and receive IS incidents as instantaneously as possible, with the aim of minimizing threat propagation. In contrast to ORAF's filtered reporting services, the commercially available WARP service was critically examined, as shown in section 4.3. To gain trust in the system and to address the privacy concerns of participating organizations, we suggested the use of the k-anonymity algorithm and anonymized a sample RA data set for demonstration purposes. We achieved a balance in the trade-off between loss of information and abstraction, as listed in section 4.4.2. The challenging part was deciding what part of the data to obscure and what was to be preserved. This was critical, since we did not want to give away sensitive information within the RA report, nor obscure so much information that it defeats the very purpose of our effort.
In the design specification section, we presented a technical blueprint for interested developers to code this system. A lot of work was put in to ensure business requirements were met and the desired level of generalization was achieved in the top-level use cases, followed by activity and sequence diagrams. To give a visionary view of the ORAF framework, we used Balsamiq Mockups to envision the system graphically. We developed and demonstrated ORAF's guided probability functionality based on our hypothesis that by ensuring maximum accuracy of likelihood, one of the two factors of the risk index, and by validating it against the knowledge of the crowds, the overall accuracy could be improved considerably. We also formulated a formula to achieve this control and validated it with an example. The concluding chapter featured a scenario validation showing how ORAF could have addressed the commonly occurring issues experienced with traditional ISMS processes. During the course of the research, we personally had a wonderful opportunity to interact with senior IS personnel and learn about the challenges they face in everyday risk assessments. The field of information security is indeed a challenging one, yet the thrill of diving deeper into uncovering newer controls and techniques to address fallbacks and promote a safer cyber space is what kept us going.

7.2 Contributions
Through our research, we believe we have taken research around collaborative IS risk assessments and verifiable decision making one step closer to realizing the goal of a safer cyber space (cabinet office 2011). The proposed risk assessment guidance model in chapter 4, which we aligned around ISO 27001's PDCA model, and the formula for probability estimation based on the knowledge of crowds, as defined in chapter 5, demonstrated how IS risk assessments need not lack effective validation measures, and ORAF's capability as a decision support tool. We also suggested that k-anonymity, which is widely practiced in the public release of medical records, be applied to information security RA reports, obscuring just enough information to enable sharing critical information with participating organizations without concern for privacy or trust issues, thereby strengthening cyber security collectively. The idea of reporting an IS incident with possible countermeasures near instantaneously to participating organizations via a filtered or subscriber list was suggested to potentially suppress widespread attacks. A standardized RA template in spreadsheet format has also been suggested, attached in the appendix.

7.3 Limitations & Future Work


This research, being a bold step in suggesting that collaborative cyber security defense is attainable through sharing anonymized risk-related data, is still in its nascent stages and has its limitations. The major limitations lie around our own work, since the amount of time and resources available was extremely limited, as was the number of individual Organizations willing to contribute to our study and the number of security personnel who gave us their valuable time for an academic research project. Had we had access to actual real-world RA reports from various organizations and to the managerial decision makers, we would have been able to classify the research work in a more detailed fashion. Being a technical architect, we were able to go only so far as to design a framework specification for the system with UML and mockups, but regrettably not to actually build it. There is a surprising amount of information available online, yet most of it is highly unstructured. We experimented with and suggested the commercially available Recorded Future prediction-based temporal engine API in our work, which intends to structure these data and provide in-depth trends; however, we would like to develop an open source trend engine native to ORAF in the future. If there were also a possibility to receive SMS-based text notifications over mobile networks, or through a mobile version of ORAF, the report-to-reception turnaround time could be reduced further. The future of RA and ORAF could lie in developing a specification language that transcends and aligns technical and business lingo. As with any research, we would like to see this work critically reviewed, challenged and improvements suggested. Nonetheless, the time spent on researching was fruitful and taught us a lot about organizational risk assessments and decision making. We hope this work sets a starting point to foster a standardized approach to the RM process and to sharing critical information across boundaries to enable a safer cyber space, and we wish this framework to be considered by developers and researchers for study in future work.


References
Burnap, P.R. 2009. Advanced Access Control in support of Distributed Collaborative Working and.
Cohen, D. 2012. What is a Zero-Day Exploit? An introduction to zero-day software exploits and tips on avoiding them at home [Online]. Available at: http://what-iswhat.com/what_is/zero_day_exploit.html [Accessed: 2 August 2012].
Coldman, D. 2011. Organized cybercrime has already hacked you - Jul. 27, 2011 [Online]. Available at: http://money.cnn.com/2011/07/27/technology/organized_cybercrime/index.htm [Accessed: 17 July 2012].
Coles-Kemp, L. 2009. Information security management: An entangled research challenge. Information Security Technical Report 14(4), pp. 181-185. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1363412710000063 [Accessed: 23 July 2012].
Dyadem 2012. Stature Risk Management: Upgrading to Stature Risk Management.
El Emam, K. and Dankar, F.K. 2008. Protecting privacy using k-anonymity. Journal of the American Medical Informatics Association: JAMIA 15(5), pp. 627-637. Available at: http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=2528029&tool=pmcentrez&rendertype=abstract [Accessed: 6 September 2012].
Eli 2010. Introduction to Risk Assessment [Online]. Available at: http://www.youtube.com/watch?v=EWdfovZIg2g&feature=fvwrel [Accessed: 3 August 2012].
Elsinger, H. et al. 2003. Risk Assessment for Banking Systems. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=423985.
Gionis, A. 2007. Approximation algorithms for k-anonymity and privacy preservation in query logs.
Gov 2010. A Background to WARPs [Online]. Available at: http://www.warp.gov.uk/background.html [Accessed: 5 September 2012].
HHS 2002. HIPAA Privacy Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html [Accessed: 29 August 2012].
Homeland Security, U. 2011. Blueprint for a Secure Cyber Future.


IBM 2005. Sequence Diagrams [Online]. Available at: http://publib.boulder.ibm.com/infocenter/rsdvhelp/v6r0m1/index.jsp?topic=/com.ibm.xtools.modeler.doc/topics/cseqd_m.html [Accessed: 30 August 2012].
India, T. 2010. Information accuracy and decision-making capability | eresource ERP [Online]. Available at: http://www.eresourceerp.com/Information-accuracy.html [Accessed: 3 September 2012].
Lefevre, K. et al. 2005. Incognito: Efficient Full Domain K Anonymity. In: SIGMOD.
Mandrik, C.A. 2005. Exploring the Concept and Measurement of General Risk Aversion. 32, pp. 531-539.
Narayanan, A. and Shmatikov, V. 2010. Myths and fallacies of personally identifiable information. Communications of the ACM 53(6), p. 24. Available at: http://portal.acm.org/citation.cfm?doid=1743546.1743558 [Accessed: 30 July 2012].
OWASP 2006. Introduction_to_OWASP. Available at: https://www.owasp.org/index.php/File:Introduction_to_OWASP.ppt.
Ozkan, S. and Karabacak, B. 2010. Collaborative risk method for information security management practices: A case context within Turkey. International Journal of Information Management 30(6), pp. 567-572. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0268401210001222 [Accessed: 23 July 2012].
Peyton, E. 2010. Data Security: A 5-Step Risk Assessment Plan [Online]. Available at: http://www.smallbusinesscomputing.com/news/article.php/3896756/Data-Security-A-5StepRisk-Assessment-Plan.htm [Accessed: 22 August 2012].
Pricewaterhousecoopers 2010. PwC UK - Research.
Qi, X. and Zong, M. 2012. An Overview of Privacy Preserving Data Mining. Procedia Environmental Sciences 12 (ICESE 2011), pp. 1341-1347. Available at: http://linkinghub.elsevier.com/retrieve/pii/S1878029612004331 [Accessed: 31 July 2012].
Rak, A. 2002. Information Sharing in the Cyber Age: a Key to Critical Infrastructure Protection.
Samarati, P. and Sweeney, L. Protecting Privacy when Disclosing Information: k-Anonymity and Its Enforcement through Generalization and Suppression. pp. 1-19.
Schneier, B. 2011. Bruce Schneier: The security mirage. In: TED.


SecureThinking, B. 2012. Are Security Risk Assessments Outdated? Secure Thinking [Online]. Available at: http://www.btsecurethinking.com/2012/02/are-security-risk-assessmentsoutdated/ [Accessed: 17 July 2012].
Security, C. and Webcast 2004. Detailed risk assessment report.
Sims, S. 2012. Qualitative vs. Quantitative Risk Assessment [Online]. Available at: http://www.sans.edu/research/leadership-laboratory/article/risk-assessment [Accessed: 21 July 2012].
Siponen, M. and Willison, R. 2009. Information security management standards: Problems and solutions. Information & Management 46(5), pp. 267-270. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0378720609000561 [Accessed: 16 July 2012].
Stanleigh, M. 2010. Risk Management...The What, Why, and How [Online]. Available at: http://www.bia.ca/articles/rm-risk-management.htm [Accessed: 25 July 2012].
Stewart, A. 2004. On risk: perception and direction. Computers & Security 23(5), pp. 362-370. Available at: http://linkinghub.elsevier.com/retrieve/pii/S0167404804001233 [Accessed: 23 July 2012].
Theiia n.d. Managing_and_Auditing_IT_Vulnerabilities. Available at: www.theiia.org/download.cfm?file=96404.
Tregear, J. 2001. Risk Assessment.
Welke, D.W.S. and R.J. 1998. Coping with Systems Risk: Security Planning Models for Management Decision Making. 22(4), pp. 441-469.
Wright, C.S. 2012. IS interview with Craig.
Recorded Future 2012. Recorded Future: Solutions for Defense & Intelligence [Online]. Available at: https://www.recordedfuture.com/.
cabinet office, U. 2011. The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world. (November). Available at: http://www.cabinetoffice.gov.uk/resourcelibrary/cyber-security-strategy/.
Williams, R. and Blum, M. 2007. k-anonymity. pp. 1-7.


Appendix A1. ISO 27001 compliant Risk Assessment Template
A. Asset registration form

B. Risk assessment form

The above two forms have been developed for ORAF and are ISO 27001 compliant.

