Week 7 - Risk Analysis Concepts
IoT Security
Dr. Hakan KILINC
[email protected]

Risk Analysis & Management

Overview
• Risk Assessment Process
• Risk Management
• Value of Information and Assets
• Threats, Vulnerabilities, Exploits
• Threat Risk Modelling

Risk Management

Value of Information and Assets

Threats

Vulnerabilities

Exposure, Exploit, Attack

Concepts
Exposure
An instance of being exposed to losses from a threat agent.

Exploit
Gaining control of the system by taking advantage of its vulnerabilities.

Attack
A threat event that exploits a vulnerability is called an attack.

Threat Risk Modeling
1. Identify assets and their CIA requirements.
2. Identify threats to those assets.
3. Identify vulnerabilities in those assets.
4. Identify attack possibilities.
5. Identify existing controls.
6. Perform vulnerability assessment and penetration tests on the assets and the infrastructure.
7. Estimate risk (potential loss).

Threat and Vulnerability Analysis

In a threat risk-modeling scenario, the infrastructure/application has to be broken down into various types of assets. During threat and vulnerability analysis, the following questions are pertinent to determine the risks:

• Q1. What are the security objectives (requirements)?
• Q2. What is the overall infrastructure? What are the individual components in the infrastructure? What are the CIA values of the assets (people, infrastructure, application, data, and so on)? Will the CIA values change due to certain factors? If so, what are those factors?
• Q3. What threats are applicable based on the type of assets (threat register)? What are the prevailing threats to these assets?
• Q4. What are the vulnerabilities (vulnerability register) that these threats can compromise? Which of these vulnerabilities are identified in these assets?

The end result of such an exercise will be a documented matrix of assets, threats, and vulnerabilities.

Attack Analysis

Based on the matrix of threats and vulnerabilities and on the results of security testing, a few attack scenarios can be constructed. Such a scenario is called an attack tree. An attack tree is constructed based on the following questions:
• Q1. What are the various attacks that are possible based on the type of assets (attack vectors)?
• Q2. What will happen when the attack succeeds?
• Q3. What will be the loss? Is the loss quantifiable?

Threat, vulnerability, and attack analysis provide information to perform risk analysis.

Risk Analysis

Risk analysis is used to estimate the probability of an attack, identify prevailing controls and their effectiveness in combating the attacks, and estimate the consequence of such an attack in terms of potential loss.

Risk has to be understood from the following perspectives:
• Risk to what?
• Risk from what?
• Risk of what?

Different types of risk assessments can be conducted based on the type of assets and applicability and based on regulatory requirements.
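The threat risk modeling steps, the asset/threat/vulnerability matrix, the attack tree and the risk estimate described above can be carried through end to end on a small model. The following is an added worked example written for this page; it is not code from the lecture, and every asset, threat, vulnerability, probability and loss figure in it is a constructed illustrative value. Risk is computed the way the slides describe it: probability of a successful attack (after the effectiveness of existing controls is applied) multiplied by the potential loss. The attack tree uses AND nodes (all steps must succeed) and OR nodes (any step suffices), a common convention that the slides do not spell out.

```python
"""Added worked example: a miniature threat risk model for an IoT deployment.
All data below is constructed for illustration, not taken from the slides."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    cia: Tuple[int, int, int]   # step 1: C, I, A requirement on a 1..5 scale (constructed)
    value: float                # potential loss if fully compromised (constructed currency units)


@dataclass
class Vulnerability:
    vid: str
    asset: str
    description: str
    exploit_prob: float         # likelihood the weakness can be exploited, 0..1 (constructed)
    control: float = 0.0        # step 5: effectiveness of the existing control, 0..1 (0 = none)

    def residual_prob(self) -> float:
        """Likelihood that remains after the prevailing control is taken into account."""
        return self.exploit_prob * (1.0 - self.control)


@dataclass
class AttackNode:
    """Attack tree node: a LEAF references a vulnerability id; AND/OR combine children."""
    label: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    vuln: str = ""
    children: List["AttackNode"] = field(default_factory=list)


def build_matrix(threats: Dict[str, List[str]], vulns: Dict[str, Vulnerability]):
    """Threat and vulnerability analysis (Q3/Q4): asset -> threat -> vulnerability ids."""
    matrix: Dict[str, Dict[str, List[str]]] = {}
    for threat, vids in threats.items():
        for vid in vids:
            matrix.setdefault(vulns[vid].asset, {}).setdefault(threat, []).append(vid)
    return matrix


def success_probability(node: AttackNode, vulns: Dict[str, Vulnerability]) -> float:
    """Attack analysis: probability that the attack scenario succeeds.
    AND = every step succeeds (product); OR = at least one step succeeds (1 - prod(1 - p))."""
    if node.kind == "LEAF":
        return vulns[node.vuln].residual_prob()
    probs = [success_probability(c, vulns) for c in node.children]
    if node.kind == "AND":
        p = 1.0
        for q in probs:
            p *= q
        return p
    if node.kind == "OR":
        none_succeed = 1.0
        for q in probs:
            none_succeed *= (1.0 - q)
        return 1.0 - none_succeed
    raise ValueError(f"unknown node kind {node.kind!r}")


def estimate_risk(tree: AttackNode, target: Asset, vulns: Dict[str, Vulnerability]) -> float:
    """Risk analysis (step 7): probability of successful attack x potential loss."""
    return success_probability(tree, vulns) * target.value


def rank_controls(tree: AttackNode, target: Asset, vulns: Dict[str, Vulnerability]):
    """Which single vulnerability, if fully controlled (control = 1.0), removes the most risk?"""
    baseline = estimate_risk(tree, target, vulns)
    reductions = []
    for vid, v in vulns.items():
        patched = dict(vulns)
        patched[vid] = replace(v, control=1.0)
        reductions.append((vid, baseline - estimate_risk(tree, target, patched)))
    return sorted(reductions, key=lambda t: t[1], reverse=True)


# Constructed sample registers (steps 1-5 of the threat risk modeling procedure).
ASSETS = {
    "gateway": Asset("gateway", cia=(3, 5, 5), value=40_000.0),
    "sensor_data": Asset("sensor_data", cia=(4, 4, 2), value=10_000.0),
}
VULNS = {
    "V1": Vulnerability("V1", "gateway", "default admin credentials", 0.8, control=0.5),
    "V2": Vulnerability("V2", "gateway", "unauthenticated firmware update", 0.5),
    "V3": Vulnerability("V3", "sensor_data", "telemetry sent in cleartext", 0.6, control=0.75),
    "V4": Vulnerability("V4", "gateway", "firmware image not signature-checked", 0.9),
}
THREATS = {"remote attacker": ["V1", "V2", "V4"], "eavesdropper": ["V3"]}  # threat register

# Constructed attack tree (Q1 of attack analysis): take over the gateway either by logging
# in with default credentials, or by pushing an unsigned malicious firmware image.
GATEWAY_TAKEOVER = AttackNode("gateway takeover", "OR", children=[
    AttackNode("log in with default credentials", vuln="V1"),
    AttackNode("push malicious firmware", "AND", children=[
        AttackNode("reach unauthenticated update endpoint", vuln="V2"),
        AttackNode("image accepted without signature check", vuln="V4"),
    ]),
])

if __name__ == "__main__":
    print("matrix:", build_matrix(THREATS, VULNS))
    print("P(success):", round(success_probability(GATEWAY_TAKEOVER, VULNS), 3))
    print("risk:", estimate_risk(GATEWAY_TAKEOVER, ASSETS["gateway"], VULNS))
    print("control ranking:", rank_controls(GATEWAY_TAKEOVER, ASSETS["gateway"], VULNS))
```

With the constructed figures the credential path has a residual probability of 0.4 and the firmware path 0.5 × 0.9 = 0.45, so the tree evaluates to 1 − 0.6 × 0.55 = 0.67 and the risk to the gateway is 0.67 × 40,000 = 26,800. The ranking shows why the attack tree matters: fully controlling either V2 or V4 removes the whole AND branch (risk drops to 16,000), a larger reduction than fixing the single leaf V1 (risk 18,000), even though V1 on its own looks like the more likely entry point.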
Thanks