Abstract: The article is devoted to the topical problem of ensuring information security today. In this connection, a comparative analysis of the risk analysis tools of several AIS (CRAMM, RiskWatch, Digital Security) was carried out in order to assess how they measure the possible damage from the realization of threats to the organization's IP.
Introduction. Ensuring information security is an important task for any organization, since the quality and efficiency of making technical decisions and the effectiveness of their implementation depend on maintaining the confidentiality, integrity and availability of information resources [1].
The analysis of IS threats is carried out for the purpose of risk assessment, that is, measuring the possible damage from the realization of threats directed at the organization's IS. In the simplest case, an assessment of two factors is used: the probability of the threat and the amount of damage from the threat. The higher the likelihood of the threat and the severity of its consequences, the greater the risk.
Research methods. Currently, AIS for risk analysis are developed and used, which allow the work of specialists in the field of FIS to be automated. Most risk analysis and management tools are developed in accordance with ISO 17799, which is based on BS 7799 [2]. The COBRA AIS [94], developed by C&A Systems Security Ltd, formalizes and implements the process of verifying that the information security regime complies with the British standard BS 7799 and carries out risk analysis. The AIS contains several knowledge bases: the general requirements of BS 7799 and specialized databases focused on various applications. COBRA presents the requirements of the standard in the form of thematic "questionnaires" for individual aspects of the organization's activities and implements quantitative risk assessment methods as well as consulting and security review tools.
The CRAMM AIS, developed by the UK Security Service and used as a state standard, and implemented in software by Insight Consulting Limited, provides the CRAMM risk analysis and management method [3]. The method is based on an integrated approach to risk assessment, combining quantitative and qualitative methods of analysis. The method is universal and can be used by organizations of various levels. The AIS versions which implement this method differ from each other in their knowledge bases, which have either a commercial profile or a government profile.
The audit procedure in the CRAMM method is formalized, and at each stage a large number of intermediate and resulting reports are generated. At the first stage, the following are created: a resource model containing a description of the resources and an assessment of resource criticality, and the resulting report on the first stage of the risk analysis, which summarizes the results obtained during the survey. At the second stage, the following reports are generated: the results of assessing the level of threats and vulnerabilities; the risk assessment results; the resulting report on the second stage of risk analysis. At the third stage, the following reports are generated: recommended countermeasures; a detailed security specification; a valuation of the recommended countermeasures; a list of countermeasures sorted according to their priorities; the resulting report on the third stage of the survey; a security policy, which includes the description of security requirements, strategies and principles of IP protection; a list of OIB measures.
Outcomes and discussion. The advantages of the CRAMM method are: a clear structure and a widely tested method of risk analysis, which allows real practical results to be obtained; the CRAMM software toolkit can be used at all stages of an IS security audit; the software product is based on a voluminous knowledge base of countermeasures in the field of information security based on the recommendations of BS 7799; the flexibility and versatility of the method allow it to be used for auditing IS of any level of complexity and purpose; the method can be used as a tool for developing a business continuity plan and the organization's information security policies; it can be used as a means of documenting IS security mechanisms. The disadvantages of the CRAMM AIS are: the use of the method requires special training and highly skilled auditors; the method is much more suitable for auditing existing ISs that are at the operation stage than for those that are at the development stage; a CRAMM audit is a time-consuming process and may require months of uninterrupted audit work; the software toolkit generates a large amount of paper documentation, which is not always useful in practice; the method does not allow you to create your own report templates or modify existing ones; making additions to the CRAMM knowledge base is inaccessible to users, which causes difficulties in adapting this method to the needs of a particular organization [3].
The RA Software Tool AIS for risk analysis and auditing [4] is also based on British Standard BS 7799 (Parts 1 and 2) and the teaching materials of the British Standards Institute (BSI). The AIS allows you to perform risk assessment (modules 4 and 5), both in accordance with the requirements of the base level and with the more detailed specifications of BS 7799.
Risk Advisor is an AIS that implements a methodology which allows you to set up an IP model from the perspective of information security, identify risks, threats and losses as a result of incidents, and document the aspects related to risk management at the administrative and organizational levels. Risk assessments are given on qualitative scales; a detailed analysis of risk factors is not provided. The advantage of this method is the possibility of describing diverse relationships, adequately taking into account many risk factors.
The RiskWatch AIS, developed by the American company RiskWatch, Inc. [4], is a tool for analyzing and managing risks and includes software for conducting various types of security audits: RiskWatch for Physical Security, for physical methods of IP protection; RiskWatch for Information Systems, for information risks; HIPAA-WATCH for Healthcare Industry, for assessing compliance with the requirements of the HIPAA standard; RiskWatch RW17799 for ISO 17799, for assessing the requirements of ISO 17799. In the RiskWatch AIS, the ALE and ROI indicators are used as criteria for assessing and managing risks. The AIS uses a simplified approach to describing the information system model and to risk assessment. The complexity of risk analysis using this method is relatively small. This method is suitable if it is necessary to conduct a risk analysis at the software and technical protection level, without taking into account organizational and administrative factors. It should be borne in mind that the obtained risk assessments (expected losses) are far from exhausting the understanding of risk from a systemic position.
The advantage of RiskWatch is the flexibility of the method provided by the possibility of introducing new categories, descriptions, questions, etc., on the basis of which it is possible to create your own profiles that take into account domestic requirements in the field of information security, and develop departmental risk analysis and management techniques.
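To make the two criteria named above concrete, the following added example (not code from RiskWatch or from the authors) computes the "probability x damage" risk of the introduction as an annualized loss expectancy (ALE), maps it onto a qualitative scale, and ranks candidate countermeasures by ROI. The threat, the countermeasures and the scale thresholds are all constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: damage from one realization (currency units)
    aro: float  # annualized rate of occurrence: expected realizations per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    sle_factor: float  # share of the damage per event that remains with the measure in place
    aro_factor: float  # share of the event frequency that remains with the measure in place


def ale(threat: Threat) -> float:
    """Annualized loss expectancy: the 'probability x damage' risk, per year."""
    return threat.sle * threat.aro


def residual_ale(threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains once the countermeasure reduces damage and/or frequency."""
    return threat.sle * cm.sle_factor * threat.aro * cm.aro_factor


def roi(threat: Threat, cm: Countermeasure) -> float:
    """Return on investment: averted annual loss net of the measure's cost, relative to that cost."""
    reduction = ale(threat) - residual_ale(threat, cm)
    return (reduction - cm.annual_cost) / cm.annual_cost


def qualitative_level(risk: float, thresholds=(5_000, 25_000)) -> str:
    """Map a quantitative ALE onto a three-step qualitative scale (thresholds are constructed)."""
    low, high = thresholds
    return "low" if risk < low else "medium" if risk < high else "high"


def rank_countermeasures(threat: Threat, candidates: list) -> list:
    """Order candidates by ROI; a negative ROI means the measure costs more than it averts."""
    return sorted(candidates, key=lambda cm: roi(threat, cm), reverse=True)


# Constructed sample input, not taken from any of the tools discussed.
SAMPLE_THREAT = Threat("ransomware on file server", sle=40_000, aro=0.5)
CANDIDATES = [
    Countermeasure("offline backups", 3_000, sle_factor=0.25, aro_factor=1.0),
    Countermeasure("endpoint detection and response", 12_000, sle_factor=1.0, aro_factor=0.2),
    Countermeasure("awareness training", 2_000, sle_factor=1.0, aro_factor=0.6),
]

if __name__ == "__main__":
    print(f"ALE without controls: {ale(SAMPLE_THREAT):.0f} ({qualitative_level(ale(SAMPLE_THREAT))})")
    for cm in rank_countermeasures(SAMPLE_THREAT, CANDIDATES):
        print(f"{cm.name:32} residual ALE {residual_ale(SAMPLE_THREAT, cm):8.0f}  ROI {roi(SAMPLE_THREAT, cm):+.2f}")
```

Ranking by the ROI ratio and ranking by absolute averted loss can disagree when costs differ widely, which is one reason the paper notes that expected-loss figures alone do not exhaust a systemic view of risk.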
Buddy System AIS, developed by Countermeasures Corporation [4], carries out quantitative and qualitative risk analysis and contains means for generating reports. The main focus of its use is on information risks associated with physical security breaches and project management.
The most well-known Russian AIS in the field of information risk analysis are the Grif complex, developed by the St. Petersburg company Digital Security, and AvanGard, developed by the Institute for System Analysis of the Russian Academy of Sciences. AvanGard is an expert information security management system which includes AvanGard Analysis, a risk analysis component, and AvanGard Control, a risk management component. This software package has the means to build an IP model from the perspective of information security. With its help, unlike, for example, Risk Advisor, it is possible to build models of different levels (administrative, organizational, software and hardware, physical) and different degrees of abstraction. Risk is defined as the product of the damage and the probability of the risk. The baseline data, damage and probability, must be entered into the model. There is a reference database that helps the decision maker in choosing these values, but the procedure is deliberately not formalized. This approach has its advantages and disadvantages. The disadvantage is that the methodologically complex stage, the choice of values, which moreover should be measured on quantitative scales, is completely shifted to the analyst (user). No verification of the values is assumed. Another feature is that the database is filled with information for a specific order; a universal version designed for the "average" consumer is not supplied. Thus, the AvanGard ES is suitable for building departmental methods of risk analysis and management; however, this system cannot be considered for use as a universal tool for the information security analyst. A comparative analysis of some AIS is shown in Table 1.
Table 1. Comparative analysis of risk analysis tools

| Criteria | CRAMM | RiskWatch | Grif (Digital Security) |
|---|---|---|---|
| Support | Provided | Provided | Provided |
| Ease of work for the user | Requires special training and high qualification of the auditor | Requires special training and high qualification of the auditor | The interface is aimed at the IT manager and the general manager and does not require special knowledge in the field of information security |
| Cost of one license, US dollars | From 2000 to 5000 | From 10000 | From 1000 |
| System requirements | OS Windows 98 / Me / NT / 2000 / XP; free disk space 50 MB; minimum requirements: 800 MHz processor, 64 MB of memory; recommended requirements: 1000 MHz processor, 128 MB of memory | OS Windows 2000 / XP; free disk space for installation 30 MB; Intel Pentium or compatible processor, 256 MB of memory | OS Windows 2000 / XP; minimum requirements: free disk space (on the disk with user data) 300 MB, 256 MB of memory; recommended requirements: free disk space (on the disk with user data) 1 GB, 512 MB of memory |
| Functionality | Input: resources, value of resources, threats, system vulnerabilities, selection of adequate countermeasures. Report options: report on risk analysis, general risk analysis report, detailed risk analysis report | Input: type of IP, basic security requirements, resources, losses, threats, vulnerabilities, protection measures, value of resources, frequency of threats, choice of countermeasures. Report options: brief summary, cost report on protected resources and expected losses from the realization of threats, report on threats and countermeasures, ROI report, report on the results of security audits | Input: resources, network equipment, information, user groups, security features, threats, vulnerabilities, choice of countermeasures. Composition of the report: inventory of resources, risks by type of information, risks to resources, ratio of damage and risk for information and resources, selected countermeasures, expert recommendations |
| Quantitative / qualitative assessment | Qualitative assessment | Qualitative assessment | Qualitative and quantitative assessments |
| Network solution | None | None | Corporate version of Digital Security Office |
Summary. To automate the FIS process, automated information systems which perform risk analysis and assessment are used. Such AIS include COBRA, CRAMM, RA Software Tool, Risk Advisor, RiskWatch, Buddy System, Grif and AvanGard. However, the task of ensuring the information security of an organization using such systems is often difficult for several reasons. Firstly, the use of such systems requires special knowledge in the field of information security, and the situation in Kazakhstan is such that many organizations, even realizing the importance of FIS, do not take special protective measures. Secondly, the cost of such systems is quite high. Thirdly, most of the systems are focused on the FIS of foreign organizations and are based on Western standards, which does not allow the specifics of information systems in Kazakhstani organizations to be taken into account. Fourthly, the most well-known expert system, AvanGard, developed by the Institute of Systems Analysis of the RAS, is intended for solving the information security problems of large regions and cannot be used in medium-sized organizations.
Therefore, the effectiveness of the use of expert automated systems to ensure the information security of an organization depends on taking into account the specifics of the conditions in which the system is operated.
List of reference links:
- Kazangapova B.A. Security of systems and networks. Almaty: KazATK, 2011. 97 p.
- International Standard ISO/IEC FDIS 17799:2005. Information technology. Security techniques. Code of practice for information security management.
- Shalabayev K.Zh., Kazangapova B.A. Information security risk analysis using the CRAMM methodology. Collection of scientific papers of undergraduates, vol. 2, KazATK, 2010, pp. 169-172.
- www.risk-manage.ru