White Cyber Knight – a Risk Assessment Tool for Network Resilience Evaluation

نویسندگان

  • Gwendal Le Grand
  • Eyal Adar
چکیده

The Communication Sector is one of the areas which, over the past several years, evolved most significantly and caused revolutions in both system-wide and system-use aspects. These revolutions have resulted in many communication networks being set up without adequate consideration of the risks involved. The existing RM (Risk Management) concepts are high level, and must be adapted to cope with the specific needs and risks of the communication world. This article aims to: • Analyze the main existing RM concepts and point out those which can be applied to complex communication systems. • Define the specific elements which need to be examined while assessing the risks to communication systems, and define how RM software can aid in the process. The use of RM applications applied specifically to critical and complex communication systems can significantly assist in bridging the gap in communication systems RM which was created in the past few years, and cut down IT Management costs. Introduction: Risk Management in Telecom Today Today, increasingly complex and IT-dependent digital elements (computers, networks, contents, etc.) or infrastructures are at the center of our lives; they constitute the essential pillars of our communication, economic, social and institutional infrastructures. Security and threat mitigation within those systems has thus implicitly become a fundamental stake for the citizen (to preserve his privacy), for the company (to protect digital assets and transactions), and for the states (to protect their critical infrastructures, and ensure the smooth continuity of the government and government services, etc.) Generalized access to infrastructures like the Internet or mobile 3G telephone infrastructures has profoundly modified users’ behaviors and has radically changed the risks they and the infrastructures are facing. Although several security measures exist, trust in the digital world is not sufficient for several reasons. On the one hand, security technologies are not yet widespread due to the complexity involved in deploying them. On the other hand, ICT (Information and Communication Technologies) are particularly vulnerable due to the heterogeneity of systems, terminals, users, and infrastructures, which all require regular upgrades, and to the interconnectivity of infrastructures, the mobility of the users, and the facility to launch remote or distributed attacks. Risk assessment is therefore an essential stake in our societies, and it remains a burden because of its complexity. Actually, it is necessary to adopt a global vision that takes into account not only technical elements like cryptographic protocols used to provide confidentiality or infrastructures resilience, but also economic aspects like the impact an attack could have on the business or on the corporate image of a company. Interdependencies between infrastructures will also play a major role in the near future since they will certainly be exploited to build attacks using their interplay, while the attacked infrastructure may not necessarily be the final designated target. The effects of such attacks will be disseminated rapidly through a domino effect and the chain of events will be difficult to predict or control in time before a major breakdown happens. Therefore, infrastructure and service risk and crisis management must play an increasing role: since it is impossible to make a system error-free and invulnerable, it is necessary to cope with identifiable, controllable and quantifiable risks. This must be accomplished through various types of actions: the design of efficient risk assessment tools, the development of crisis management models, the certification of systems and products, etc. In subsequent sections of the paper, we will first examine the challenges related to complex risk management in telecommunication. We will then present existing frameworks and methodologies for risk analysis. Then, we will focus on specific parameters for telecom risk assessment and provide an example evaluation checklist. Finally, we will introduce WCK (White Cyber Knight), a software tool which constitutes a possible answer to risk assessment requirements. Dealing with Complex Risk Management Challenges The growing field of risk management plays an important role in mitigating and managing risks of complex and distributed architectures and environments. However, this field is not yet fully standardized, and different RM methods cover different RM aspects. Within the different frameworks which currently exist for assessing risk in such environments, many methods are very high level oriented. From industry inputs, there is little use of these methodologies by IT operations staff on a day-to-day basis. The products used often include software tools that address specific IT platforms, and lack the "over-all" security assessment ability. In order to adapt these frameworks towards a more practical application for the telecom world, a layer of additional analysis is needed; such a layer must rely upon a thorough and multi-faceted understanding of the telecom world's unique business needs and requirements, and its specific systems and protocols. This assessment layer should include concrete checklists which will adhere to these parameters. Practical methodologies that can bridge this gap are required. These should enable the identification of critical paths through an understanding of the telecommunications unique business processes as well as the ability to apply an additional assessment layer which deals with the specific parameters which will be discussed in this article. A solution to the complex problems we have stated here lies in utilizing a combination of 3 realms: • RM framework or methodology layer which includes risk analysis • Controls and policies – IT governance layer • Specific checklists (detailed controls) or questionnaires aimed to identify the telecom specific vulnerabilities IT Governance and Management (RM Life Cycle) Security Governance (Assessment Fields) Detailed Controls (Technical, Policy, Operational) COBIT, ITIL ISO17799, ISF, GAISP, OCTAVE, SysTrust NIST, CIS, FFIEC, EESA Evaluate Using Automated Software Tool Figure 1: Describes how these 3 elements operate and interact RM Framework or Methodology Layer Which Includes Risk Analysis The following are examples of some of the leading RM frameworks: • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®): The Octave approach is a systematic way for an organization to address its information 1 http://www.cert.org/octave/ security risks, sorting through the complex web of organizational and technological issues. The OCTAVE approach includes a set of criteria that defines the requirements for a comprehensive, self-directed information security risk evaluation, and a set of methods consistent with the criteria. Octave was developed by Software Engineering Institute at Carnegie Mellon University. COBIT® • Information and related Technology, is an • complete system that combines different : COBIT, Control Objectives for IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT® is Sponsored and funded by the IT Governance Institute (affiliate of the Information Systems Audit and Control Association). The Framework emphasizes best practices and leverages other recognized methodologies and tools such as COSO, ISO, ITIL, NIST and AICPA. Its Focus is on helping leaders understand and manage the risks relating to IT and the links between the management process, the technical questions, the need for control and the risks Thales SHIELDTM: Thales SHIELD is a areas from intelligence gathering and analysis, communications and network security, physical security to crisis management, to provide a fully integrated solution for nations, regions and institutions potentially vulnerable to intrusive security strikes or threats. Figure 2: the COBIT® risk assessment framework Focusing on the RM framework layer, in this context we will recommend COBIT® as a risk • It is one of the only RM frameworks which deal with organizational processes. ganization to speak the management framework, due to the following advantages: • It is a well respected and recognized tool even by regulators. • It is an excellent methodology for getting various parts of an or same language. 2 http://www.isaca.org/cobit/ 3 http://shield.thalesgroup.com/ • t IT in general not just at security, and it includes detailed • cutives and provides an excellent • with other methods, which makes it an open Controls and Policies – IT Governance Layer ISO 17799 COBIT® looks a assessment domains, systems and programs. It facilitates communication with top level exe management perspective (e.g., CMM). It was planned and designed to interface framework.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Prevention and Intervention Strategies for Promoting Resilience in Disadvantaged Children

This article addresses the emergence of a resilience-based prevention practice perspective that focuses on positively affecting the development of disadvantaged, at-risk children. Significant progress has been made in understanding risk and resilience processes; however, use of the field’s advances in applied settings has lagged. The article will attempt to bridge this gap by reviewing relevant...

متن کامل

The cyber infrastructure is vulnerable to threats from many different sources

The criticality of cyber infrastructure makes it a very attractive target, which we try to protect by building perimeter defences. This paper argues that a reactive-oriented network defence policy based solely on perimeter defences is not sufficient to properly safeguard IT infrastructure. An argument is made for an approach based on the idea that defence begins with an understanding of those a...

متن کامل

A New Index for Quantitative Assessment of ‎Distribution Network Resilience in the Presence of Distributed ‎Generations

Resilience is defined as the system ability to keep an acceptable performance level against a sever disturbance and to return to a stable condition in a suitable time. Occurrence of inconvenient weather conditions and natural disasters, which are growing in number and severity during the last years, has always led to damages and wide outage throughout the distribution network. Therefore the ass...

متن کامل

Assessment the Resilience of the Healthcare Network in Accidents and Chemical Crises

Background and Aim: Healthcare networks in industrial areas are the main pillars of preventing and coping with chemical accidents and crises, which are of great importance in improving their level of resilience. In order to achieve this goal, it is necessary to apply a precise method for assessing and empowering these centers. The purpose of this study was to provide a resiliency pattern for th...

متن کامل

Title : Resilience Profiling in the Model - Based Design of Cyber - Physical Systems

We consider the potential to use co-modelling and co-simulation in the design of dependably resilient Cyber-Physical Systems (CPSs). The topic of resilience is widely discussed in the public discourse on CPSs, but is rarely well defined. We propose the description of system resilience in terms of a composite profile which may be used as a basis for assessment and trade-off analysis in CPSs. Our...

متن کامل

Presenting a semi-quantitative model based on the resiliency engineering management commitment index in assessing the level of preparedness against emergency situations of hospitals in a fuzzy environment (case study: selected Faraja hospitals in 202

Abstract Background and Objective: The main index in resilience engineering is the management commitment index. In this study, a semi-quantitative risk assessment method based on the fuzzy hierarchical analysis method for management commitment index was implemented in evaluating the resilience level of two selected hospitals. Materials and methods: At first, evaluation tools including a 17-qu...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2006