Abstract
We outline a framework for the risk assessment of information infrastructures that generalizes the notion of dependency with respect to security attributes such as confidentiality, integrity, or availability. Dependencies are used to model an infrastructure at distinct abstraction levels, to discover attack strategies, and to define risk mitigation plans. A plan is formulated in terms of a set of countermeasures, because a single countermeasure may be ineffective when a threat has alternative attack strategies available. We do not detail the assessment steps; instead we focus on the integration of their results to define risk mitigation plans. Lastly, we discuss the development of programming tools to support the assessment.
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Baiardi, F., Suin, S., Telmon, C., Pioli, M. (2006). Assessing the Risk of an Information Infrastructure Through Security Dependencies. In: Lopez, J. (eds) Critical Information Infrastructures Security. CRITIS 2006. Lecture Notes in Computer Science, vol 4347. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11962977_4
DOI: https://doi.org/10.1007/11962977_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69083-2
Online ISBN: 978-3-540-69084-9
eBook Packages: Computer Science (R0)