2008 Security Architecture - All Rights Reserved.

RISK MANAGEMENT
CONTENTS
Risk Management Terms
What is Risk?
Risk Assessment
Assets
Threats
Vulnerabilities
Risk Analysis
Risk Mitigation
RISK MANAGEMENT
RISK MANAGEMENT BASICS
RISK MANAGEMENT DEFINITION
(Vulnerability x Threats x Asset Value) = Total Risk
Total Risk x Countermeasures = Residual Risk
Concept of mitigating controls:
Risk Management reduces risks by defining and controlling threats and vulnerabilities.
RISK MANAGEMENT TERMS
Threat: any potential danger to information or an information system.
Exposure: an instance of being exposed to losses from a threat.
Vulnerability: an information system weakness that could be exploited.
Countermeasures and Controls: anything that mitigates the potential risk.
Risk: the likelihood of an unwanted event occurring, weighted by the harm it would cause.
Residual Risk: the portion of risk that remains even after mitigation.
Risk Management reduces risks by defining and controlling threats and vulnerabilities.
WHAT IS RISK?
Classic formula:
Risk = Threat x Vulnerability x Value of Loss
Contributing factors:
Event cost?
Time?
Asset Value?
Risk = Threats x Vulnerabilities x Impact
Threats increase as exposure increases
Vulnerabilities increase with complexity
Impact varies with asset value.
SECURITY RISK ANALYSIS CHECKLIST
Asset
What are we trying to protect?
Threat
What are the security threats?
What is the threat environment?
Classify the threat.
Risk
What is the risk outcome (impact) associated with that threat?
What is the priority and likelihood (exposure) for that threat?
Is the risk growing or diminishing?
Controls
What could be done? What should be done?
ASSET DISCOVERY
Perform an inventory of IT assets
Include both logical and physical assets
Indicate who owns the asset
Indicate the classification of the asset
Indicate where (physically and/or logically) the asset is located
ASSET VALUATION
Assign a value to the inventoried assets
Include real physical value, losses if modified, losses if destroyed, losses if disclosed, etc.
Assets could be assigned multiple values
Value + value type help determine what to protect and how to protect it
Determine mission critical assets
DETERMINING ASSET VALUE & COMPROMISE
Losses if information is:
Destroyed without proper authorization
Modified without proper authorization
Accessed or copied without proper authorization
Inaccessible when needed
In short: unauthorized access, duplication, modification, or destruction.
Asset types to value:
IT Services, Paper Documents, Electronic Data, Storage Media
IT Equipment, Software
Communications Media
Employee Knowledgebase
ISO/IEC 27005
Part of the 27000 series of information security standards. "Information technology -- Security techniques -- Information security risk management" was published in June 2008 and is intended as a complementary guide for organizations following ISO 27001.
Despite the title, ISO 27005 is more focused on risk analysis and risk estimation for organizational assets than on the actual management of risk (which is addressed to some degree in ISO 27001).
It is not a methodology, but it provides definitions and concepts relevant to following a risk-based approach to an ISMS.
ISO/IEC 27005 Contents
References, Terms, Structure, and Background
Overview of the ISRM Process
Context Establishment
Information Security Risk Assessment (ISRA)
Information Security Risk Treatment
Information security Risk Acceptance
Information security Risk Communication
Information security Risk Monitoring and Review
Annex A: Defining the scope of the process
Annex B: Asset valuation and impact assessment
Annex C: Examples of Typical Threats
Annex D: Vulnerabilities and vulnerability assessment methods
Annex E: ISRA approaches
NIST SP800-30
Risk Management Guide for Information Technology Systems (published July 2002)
Provides recommendations for identifying and assessing risk, controlling risk, and overall risk management
Incorporates many traditional risk analysis/risk management principles and practices
SP800-30 RISK ASSESSMENT METHODOLOGY
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendations
Results Documentation
SYSTEM CHARACTERIZATION
Perform an inventory of IT assets
Include both logical and physical assets
Indicate who owns the asset
Indicate the classification of the asset
Indicate where (physically and/or logically)
the asset is located
SYSTEM CHARACTERIZATION
Assign a value to the inventoried assets
Include real physical value, losses if
modified, losses if destroyed, losses if
disclosed, etc.
Assets could be assigned multiple values
Value + value type help determine what to
protect and how to protect it
Determine mission critical assets
RISK MANAGEMENT
THREATS AND VULNERABILITIES
THREAT IDENTIFICATION
What security threats exist for your organization?
Classify threats as appropriate:
External vs. Internal
Technical vs. Human
Don't overlook environmental/natural threats
Look outside your organization to increase awareness of possible threats
THREAT IDENTIFICATION VISIBILITY
How big of a target do you present?
Are you engaged in controversy?
Are you political or politically sensitive?
Do you dominate an industry?
Do you have a high degree of name recognition?
THREAT SOURCES
Who would likely threaten you?
Terrorists
Outside intruders with malicious intent
Curious outside intruders
Foreign governments
Organized crime
Vendor seeking an advantage
Insider
Competitor
Malicious code writers (virus, worm, etc.)
Script kiddies
THREAT LEVELS
How motivated is the attacker?
What resources are available to the attacker?
What is the attacker's level of expertise?
How easy are your vulnerabilities to exploit?
THREAT EXAMPLES
People (internal or external, intentional or unintentional)
Natural Disasters
Loss of Service (public utilities outage, ISP failure, etc.)
Hardware / Software Failure
THREATS AND CONSEQUENCES
[Figure: threats mapped to the potential damage they cause]
Threats: Fraud, Sabotage, Pranks, Natural Disaster, Malicious Acts, Inappropriate Access
Potential Damage: Lost Confidence, Operations Halted, Data Disclosed, Services Interrupted, E-commerce Integrity Compromised, Lost Assets
VULNERABILITY IDENTIFICATION
Execute a vulnerability assessment incorporating all classes of identified threats
Security audits are an important source of vulnerabilities
Penetration tests provide a security snapshot
Compare the current environment to best practices, Common Criteria, ISO17799 and/or any documented policies
Assess vulnerabilities affecting all assets and pay special attention to those defined as mission critical
VULNERABILITY VECTORS
Improper Security Configurations
Buggy Software
Poor Physical Security
Accidental Compromise
Poor Training
Inadequate processes surrounding the technology
RISK MANAGEMENT
RISK ANALYSIS
CONTROL ANALYSIS
Perform regular security audits of your environment
Determine what you are currently doing with regard to security
Review all layers (physical, perimeter, network, systems, applications, data, personnel)
ANALYTICAL PROCESS APPROACHES
System Isolation and Analysis
Leverage the OSI model
Examination of separate systems
System = Application + Platform + Connectivity + Access
Transaction Data Path
End-to-End; Client to Data Storage
White Box & Black Box testing criteria
Use of web crawler and debugging tools
Process Analysis
Breakdown of individual operating logic
Flow charts instrumental to success
Technical, logistical, organizational and support documentation is critical.
SYSTEM ISOLATION AND ANALYSIS (by OSI layer)
Application: User Interface
What authentication & authorization methods are used?
Presentation: Translation & Interpretation
Is user input & output converted without compromising security?
Session: End-to-End Communications
What methods are used to validate and authenticate the session?
Transport: Error Checking
Assurance of reliability and of session authentication
Network: Routing & Redirection
Encryption?
Data Link: Communication Protocol
Frame Relay? Ethernet? Link-to-link crypto?
Physical: Connectivity Equipment
How are the devices connected?
SYSTEM ISOLATION AND ANALYSIS
[Figure: the system as Application + Platform + Connectivity + Access. Access roles: Users, Tech Support, System Admin. Tiers: Web Servers, App Servers, Database]
TRANSACTION PATH ANALYSIS
PROCESS ANALYSIS METHODOLOGY
BUSINESS IMPACT ANALYSIS
Used to identify and measure effects from security breaches
Intended to drive prioritization of resources and attention devoted to different threats
Affects cost/benefit considerations for security provisions when incorporated in the risk management strategy
Vital input to effective incident response, event correlation, and disaster recovery procedures
MISSION IMPACT ANALYSIS
Translates BIA concepts to mission-based operations
Particularly relevant in the public sector arena
One common challenge is quantifying mission value
Traditionally centered on the system perspective
In practice, requires the data perspective as well
IMPACT ANALYSIS PERSPECTIVES
Enterprise
Calls for defense in depth
Foundation for trust and confidence
System
Most common frame of reference
Matches up with many organizations' structures
Relying on the system perspective alone is too narrow
Data
Most often overlooked frame of reference
Harder to quantify value
Can't realistically take a system or enterprise view without data
SOURCES OF IMPACT
Operational interruption
Competitive weakness
Regulatory mandates/penalties
Publicity and public confidence
Time to recovery
UNFAVORABLE OUTCOMES
Legal Ramifications
Loss of Competitive Advantage
Loss of Public Trust
Loss of Revenue
Loss of Productivity
Degraded Customer Service
Impaired Management Decisions
Inaccurate Accounting
Invasion of Privacy
Wasted Resources
Unfavorable Audit Reports
ACCEPTABLE LEVELS OF RISK
Cost / Benefit Comparison
Legal / Contractual Requirements
Principle of Adequate Protection
Organizational policy/risk tolerance
WHAT IS A RISK ASSESSMENT?
Risk
Dictionary: the chance of injury, damage or loss.
A potential problem, with causes and effects.
It is the harm that can result if a threat is actualized.
A measure of the extent of that harm (likelihood * extent).
Risk Assessment
A review of the attack potential against a specified resource, system, environment, or enterprise.
Measures the possibility of a threat exploiting a vulnerability of a system.
QUALITATIVE VS. QUANTITATIVE
Qualitative:
Softer values
High, Medium, Low
No simple calculations or answers
Quantitative:
More binary in approach
Defined values
Measured and tested
QUANTITATIVE RISK ANALYSIS
Attempts to assign objective numeric values (e.g., monetary values) to the elements of the risk assessment and to the assessment of potential losses.
When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty and probability) are quantified, the process is considered to be fully quantitative.
QUANTITATIVE RISK ANALYSIS STEPS
Step One: Estimate potential losses
Physical destruction/theft of assets
Loss of data
Theft of information
Indirect theft of assets
Delayed processing
Step Two: Conduct Threat analysis
Rate of occurrence
Use industry and academic security sources of information
CERT Coordination Center (www.cert.org)
US-CERT (www.us-cert.gov)
QUANTITATIVE RISK ANALYSIS STEPS
Step Three: Determine Annualized Loss Expectancy
Combine potential loss per occurrence and rate of occurrence per year
Magnitude of risk = Annualized Loss Expectancy
Guide:
Security measures
Amount to spend
Cost to mitigate should be less than cost of risk
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
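A worked example of Steps One to Three, added here and not part of the original slides: it computes SLE and ALE for a few constructed scenarios, applies the rule that the cost to mitigate should be less than the cost of the risk, and ranks scenarios by ALE. The exposure factor (EF, the fraction of asset value lost per incident), the scenario figures and the safeguard figures are assumptions for illustration only.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not from the original slides. The formula SLE x ARO = ALE
is the one on the slide; the exposure factor and all figures below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # monetary value of the asset (AV)
    exposure_factor: float  # fraction of AV lost in one incident (EF, 0..1); assumption
    aro: float              # Annualized Rate of Occurrence (expected incidents per year)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # yearly cost of the control (purchase amortized + operations)
    residual_aro: float     # ARO once the control is in place
    residual_ef: float      # EF once the control is in place


def residual_ale(s: Scenario, g: Safeguard) -> float:
    """ALE that remains after the safeguard is applied to the scenario."""
    return s.asset_value * g.residual_ef * g.residual_aro


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    Positive: the control costs less than the risk it removes (worth doing).
    Negative: the cure costs more than the disease.
    """
    return s.ale() - residual_ale(s, g) - g.annual_cost


def best_safeguard(s: Scenario, options: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the option with the highest positive value, or None if none pays off."""
    ranked = sorted(options, key=lambda g: safeguard_value(s, g), reverse=True)
    if ranked and safeguard_value(s, ranked[0]) > 0:
        return ranked[0]
    return None


def rank_by_ale(scenarios: Iterable[Scenario]) -> List[Scenario]:
    """Order scenarios so the largest annual exposure comes first."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample data (assumptions, not from the slides).
DB = Scenario("Customer DB disclosure", asset_value=500_000, exposure_factor=0.4, aro=0.2)
WEB = Scenario("Web server outage", asset_value=120_000, exposure_factor=0.25, aro=2.0)
LAPTOP = Scenario("Laptop theft", asset_value=4_000, exposure_factor=1.0, aro=3.0)
SCENARIOS = [DB, WEB, LAPTOP]

# Two candidate controls for the database scenario.
ENCRYPT = Safeguard("Encrypt at rest + access logging", annual_cost=15_000,
                    residual_aro=0.2, residual_ef=0.05)
REPLATFORM = Safeguard("Full re-platform", annual_cost=60_000,
                       residual_aro=0.1, residual_ef=0.2)
DB_OPTIONS = [ENCRYPT, REPLATFORM]


if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.name:28s} SLE={s.sle():>12,.2f}  ARO={s.aro:<5}  ALE={s.ale():>12,.2f}")
    for g in DB_OPTIONS:
        print(f"{g.name:34s} value/yr = {safeguard_value(DB, g):>12,.2f}")
    chosen = best_safeguard(DB, DB_OPTIONS)
    print("Recommended for", DB.name + ":", chosen.name if chosen else "accept the risk")
```

Running the module ranks the web outage above the database disclosure (a frequent modest loss can outweigh a rare large one), and shows that only the cheaper control on the database pays for itself: it removes more ALE than it costs, while the re-platform removes less than it costs and would be rejected on cost/benefit grounds alone.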
RISK MITIGATION ALTERNATIVES
Risk reduction
Alter environment
Erect barriers
Improve procedures
Early detection
Contingency plans
Risk assignment (transference)
Insurance
Risk acceptance
Important consideration in Accreditation
(Risk denial)
RISK MITIGATION SUMMARY
Risks cannot be eliminated; they can only be reviewed, understood, and prepared for so that the actual threat can be decreased to the greatest extent possible.
This process is information security.
The goal is practical, business-sensitive risk management.
INTERNAL RISK COMMUNICATION
How you communicate risk is an important factor in its effectiveness
There is a lot of focus on risk communication in the health industries, financial audit, and other disciplines, but not as much attention to communicating risk in information security
Key factors to communicate are those measured in a risk assessment:
Asset and its business value
Threat, threat class
Likelihood of occurrence
Consequences to the business if it succeeds
The impact of these consequences
Prioritize and provide context for the exposure
EXTERNAL RISK COMMUNICATION
One type of risk/assessment communication used in financial services: Statement on Auditing Standards No. 70 (SAS 70)
It allows an external auditor to assess an environment and provide a report in a standardized format that explains the assessed controls' security posture.
Financial services companies depend on its guidance when partnering with other financial processing organizations.
Sections include:
Auditor's opinion
Description of controls / control environment
Description of tests and effectiveness of tests
Other information provided by the audited company
RISK ASSESSMENT/MANAGEMENT OUTCOMES
Obtain a reality check: stay out of the public eye
Induce management action (legal notice)
Document compliance with laws and regulations
Reduce chances of a lawsuit
Provide compelling evidence of due care
Raise level of Information Security
Prioritize projects to increase budget allocation
Establish organizational context for information security.
USEFUL ONLINE RESOURCES
NIST Documentation
Special Publication Series:
http://csrc.nist.gov/publications/nistpubs/
FIPS Publications:
http://csrc.nist.gov/publications/fips/index.html
OMB & Congressional Resources
OMB Information Policy, E-Gov, and IT
http://www.whitehouse.gov/omb/inforeg/infopoltech.html#cs
Federal Enterprise Architecture:
http://www.whitehouse.gov/omb/egov/a-1-fea.html
IT Security Presidential Initiatives:
http://www.whitehouse.gov/omb/egov/c-6-6-its.html
House Committee on Oversight and Government Reform
http://oversight.house.gov/
RISK MANAGEMENT
Stephen Gantz
CISSP-ISSAP, CEH, CGEIT
Principal Architect
sgantz@securityarchitecture.com