Rapid Risk Assessment: A New Approach to Risk Management

Presented by: Andrew Plato, Anitian

Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is a cumbersome and time-consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results.

Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity of IT security risk assessment. Using the existing principles of risk management defined in the NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results, empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process.

This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.

Published in: Technology, Business
Transcript of "Rapid Risk Assessment: A New Approach to Risk Management"

  1. SECURITY: Services Solutions Support
     RAPID RISK ASSESSMENT
     A NEW APPROACH TO IT RISK MANAGEMENT
  2. Biography
     • Andrew Plato, CISSP, CISM, QSA
     • President / CEO – Anitian Enterprise Security
     • 20 years of experience in IT & security
     • Completed thousands of security assessments & projects
     • Discovered SQL injection attack tactic in 1995
     • Helped develop first in-line IPS engine (BlackICE)
     • Championed movement toward practical, pragmatic information security solutions
  3. Anitian Overview
     • Compliance – PCI, NERC, HIPAA, FFIEC
     • Services – Penetration testing, web application testing, code review, incident response, risk assessment
     • Technologies – UTM/NGFW, IPS, SIEM, MDM
     • Support – Managed security, staff augmentation
     • Leadership – Industry analysis, CIO advisory services
  4. Why Anitian?
     • Anitian is the only security firm…
     • Focused on practical, pragmatic information security
     • Able to deliver compliance quickly & affordably
     • That does not push products
     • Who rejects using fear to sell
     • Dedicates research efforts to benefit our clients, not our press releases
     • Implements business-friendly security
     • Remains honest and independent
  5. Presentation Outline
     • The Risk Assessment Environment
     • Failure of Current Risk Assessment Practices
     • Preparing for a Rapid Risk Assessment
     • The Rapid Risk Assessment Process
  6. THE RISK ASSESSMENT ENVIRONMENT – Rapid Risk Assessment
  7. What is Risk Assessment?
     • Systematic and objective determination of the seriousness of threats.
     • Good risk assessment aims to:
       • Identify the threats that affect an entity (company, network, systems, application, etc.)
       • Qualify and quantify those threats
       • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
       • Help protect the business/organization and its assets
       • Empower leadership to make sensible investments in security controls and processes
  8. Increasing Emphasis on Risk Assessment
     • Always been a PCI requirement (12.1.2)
     • HIPAA Omnibus reinforces the need for risk assessment
       • Assessment to define the risk management program (which in turn defines the controls that meet the standard)
       • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
     • FFIEC 2011 Supplement mandated new things to assess
       • Defines specific issues to analyze concerning authentication
       • Reinforced the need for annual assessments
       • Mandated assessments on banking applications
       • Outlined requirements to reperform assessments when there are changes
  9. Increased Scrutiny
     • From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
     • Regulations are demanding more risk assessments
     • Regulators are shifting focus to look at risk assessments
     • Business leaders are demanding better risk analysis
     • So what’s the problem?
  10. THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES – Rapid Risk Assessment
  11. Something Is Not Right Here
     • Companies were consistently complaining about their IT risk assessments:
       • “Why does this take so long?”
       • “This is just a paperwork exercise”
       • “What am I supposed to do with this?”
       • “Where are the problems?”
       • “How do I fix the problems?”
       • “Are we in danger?”
       • “What do all these numbers, charts and worksheets mean?”
       • “This is just a meaningless regulatory requirement!”
     • We were not the only ones…
  12. Practitioners are Questioning Risk Assessment
     Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
  13. With Mixed Results
     “For any risk management method … we must ask … ‘How do we know it works?’ If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.”
     Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
  14. The Problem
     • Current practices are…
       • Slow
       • Complex
       • Incomprehensible to management
       • Fail to provide clear actionable steps to reduce risk
     • Why?
  15. Arcane Language
     • Language affects not only comprehension, but also acceptance
     • Overly complex, arcane language is inefficient and inaccessible
     • Risk management theories devolve into nitpicking paperwork exercises that nobody reads
     • Consider this definition from OCTAVE for Defined Evaluation Activities:
       “Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.”
  16. The Fallacy of Numbers
     • Using numbers does not make analysis more “true”
     • If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
     • Charts full of numbers may “feel” empirical, but they’re not
     • It’s impossible to establish the true value of an IT asset
     • Misleading, creates a false sense of accuracy
     • Creates a false scale that does not translate into real-world thinking
  17. Time Consuming
     • IT risk is volatile, dynamic and has a short shelf life
     • Any risk assessment over 90-180 days old is stale
     • NIST, OCTAVE, FAIR are nice ideas, but too time consuming
       • Spending a year on a risk assessment is too long
       • A good enterprise risk assessment should be done in under 30 days
     • Documentation is time consuming
     • Risk assessment is not a consensus of opinions, it’s an assessment from a single person or group that understands risk
  18. Probability Can Be Flawed
     • “On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
     • Lack of time context makes any assessment of probability fundamentally flawed.
     • Humans are naturally bad at assessing the probability of risks.
     • Fallacy of backtesting
  19. Lack of Evidence
     • Risk assessment methodologies focus heavily on process, and very little on evidence
     • Custodians and business process owners withhold information
     • The security of an environment can be tested in a controlled, rational manner
     • Without testing, the entire analysis is one-sided
     • Testing can cut through conjecture and prove (or disprove) the severity of a threat
  20. The Challenge
     • Risk assessment needs to be more useful.
     • How can this process produce tangible ways to reduce risk?
     • The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
     • Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
     • How do we improve risk assessment to make it:
       • More accurate
       • More responsive to business needs
       • More actionable
       • Quicker
  21. PREPARATION – Rapid Risk Assessment
  22. Features of Rapid Risk Assessment
     • Aims to speed up the risk assessment process & make it more useful to the business
     • Trades precision and some accuracy for efficiency and usability
     • Focuses on simplicity and clarity
     • Dismisses theory and conjecture in place of decisive action
     • Explains risk in simple, business-friendly terminology
     • Uses a set time frame for probability
     • Simplifies the assignment of value
     • Uses a “lens” that focuses and frames assessment effort
     • Establishes authority to make risk judgments
     • Leverages new technologies such as Allgress
  23. Rapid Risk Assessment Outline
     • Prerequisites
       • Advanced writing skills
       • Hands-on IT skills
       • Authority
     1. Establish Scope & Lens
     2. Interview Stakeholders
     3. Test the Environment
     4. Define Threats & Correlate Data
     5. Define Probability & Impact Scale
     6. Document Risks
     7. Develop Action Plan
  24. Prerequisite: Advanced Writing Skills
     • No theories, no complex worksheets, no “risk management” terms
     • Simple, business language that states risk in a plain, matter-of-fact way
     • Establishes authority
     • States risk as it *is* without conjecture or indecisiveness
     • Active voice
     • Should be able to sum up the entire assessment effort in a few bullet points
  25. Prerequisite: Hands-on IT Skills
     • Must have in-depth understanding of IT operations
       • Systems administration
       • Network design, architecture, management
       • Security analysis
       • Application lifecycle management
       • Database administration
       • IT practices, procedures, policies development
     • Must know how an IT department runs, if you ever hope to identify its weaknesses
  26. Prerequisite: Authority
     • Management must definitively endorse and support risk assessment
     • Must have access to stakeholders
     • Ability to scan, test and evaluate technology
     • Authority to decisively analyze technologies
     • Ability to build credibility and authority through experience, language, and engagement
  27. THE PROCESS – Rapid Risk Assessment
  28. #1 - Establish Scope & Lens
     • Scope – what assets are in scope (hopefully all of them)
     • Lens – how will you look at the assets?
       • Data types – customer, internal, security, etc.
       • System – server, workstation, infrastructure
       • Application – user, customer, financial, etc.
     • The Lens is what makes Rapid Risk Assessment work:
       • Provides a contextual framework for analyzing data
       • It helps focus the effort
       • It aids greatly in comprehension
  29. #2 - Interview Stakeholders
     • Develop a set of questions specific to the business role:
       • IT custodians – technical questions
       • Business process owners – criticality & usage
     • Define value in context of the entire business using simple terms: critical, high, medium, low, none
     • Focus on current state
     • Be careful with “forward looking” data – chasing a moving target
     • Catalog results
  30. #3 – Test the Environment
     • Vulnerability scans of all in-scope systems, apps or locations of data
     • Conduct penetration tests
       • Web application testing
       • Database testing
     • Configuration analysis (sample as needed)
     • AV / IPS / Firewall logs (sample and spot check)
     • Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
     • This is where hands-on IT experience is a must
  31. #4 – Define Threats & Correlate Data
     • Organize threats into simplified categories
       • Technical – threat to systems, hardware, applications, etc.
       • Operational – threats that affect practices, procedures, or business functions
       • Relational – threat to a relationship between groups, people or third parties
       • Physical – threats to facilities, offices, etc.
       • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
     • Correlate threats to assessment data
     • Keep threats simple
  32. Threat Samples
     • Good Threat Definitions
       • Theft of confidential data
       • Malware infection
       • Denial of service attack
       • Theft of sensitive authentication data
     • Bad Threat Definitions
       • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
       • Use of telnet among staff is threatening PCI compliance requirements.
       • Missing patches on systems
  33. #5 - Define Probability & Impact Scale
     Probability
       Metric      Description
       Certain     <95% likelihood of occurrence within the next 12 months.
       High        50-95% likelihood of occurrence within the next 12 months.
       Medium      20-49% likelihood of occurrence within the next 12 months.
       Low         1-20% likelihood of occurrence within the next 12 months.
       Negligible  >1% likelihood of occurrence within the next 12 months.
     Impact
       Metric      Description
       Critical    Catastrophic effect on the Data Asset.
       High        Serious impact on the Data Asset's functionality.
       Medium      Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
       Low         Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
       Negligible  Data Asset remains functional for the business with no noticeable slowness or downtime.
  34. #6 - Document Risks
     • Condense, simplify and focus on the problem
       • Threat – How the asset is at risk
       • Vulnerabilities – The vulnerabilities relevant to the risk
       • Recommendation – Tangible actions to remediate the risk
       • Impact – Simplified 5 point score (critical, high, medium, low, none)
       • Probability – Simplified 5 point score (certain, high, medium, low, negligible)
       • Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)
  35. Documentation Sample
     Threat: Malware infection
     Vulnerabilities:
       • Outdated anti-virus
       • Lack of anti-virus on 36% of servers
       • 32 high ranked vulnerabilities on in-scope systems
       • Lack of virus scanning at the network layer
     Recommendation:
       • Endpoint antivirus must be installed on all hosts.
       • All endpoint antivirus must be updated daily.
       • All systems must have new patches applied within 30 days of release.
       • Company must deploy a more robust patch management platform.
       • Implement a core firewall that can perform virus scanning at the network layer.
     Impact: H
     Probability: C
     Risk: H
  36. Online Version Using Allgress
  37. #7 – Develop an Action Plan
     • Summarize all the recommendations into a single, prioritized list
     • Simplify into tangible tasks
       • GOOD: “Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.”
       • BAD: “IT management procedures need updating to align with best practices.”
  38. Don’t
     • Try to change the culture of the business
     • Let perfection become the enemy of good
     • Cite any kind of risk management theory – nobody cares
     • Use a lot of risk terminology
     • Say more than you need to
     • Document indecision
     • Add complexity when it offers no improvement in clarity
     • Use inaccessible matrices, worksheets, or process flows
     • Insert charts or graphs when they don’t aid in comprehension
  39. Do
     • Use simple language. Plain English descriptions
     • Establish authority with experience, language, and presence
     • Simplify, condense, clarify
     • Identify tangible, actionable recommendations
     • Help management make decisions about risk
     • Focus on the likely
  40. Thank You
     EMAIL: andrew.plato@anitian.com
     WEB: www.anitian.com
     BLOG: blog.anitian.com
     SLIDES: http://slidesha.re/11UaeFN
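Steps #5, #6 and #7 of the process (the 5-point probability and impact scales, the documented risk as the "simplified product" Impact * Probability, and the single prioritized action plan) are the only part of the talk that is mechanical enough to write down as code. The block below is an added example, not Anitian's own tooling and not the Allgress product the slides mention. Everything beyond the slides is an assumption of this example: the function names (`probability_label`, `risk_label`, `action_plan`, `RiskEntry`), the reading of the slide's "Certain <95%" and "Negligible >1%" as "95% or more" and "under 1%" so that the five probability bands are contiguous, and the banding of the 1..25 product back onto five risk labels, which was chosen so that the slides' own sample row (impact H, probability C) scores H and Critical is reserved for a threat that is both catastrophic and certain. The register contains the slides' "Malware infection" row plus one constructed row.

```python
"""Added example (not Anitian's code or the Allgress product): the 5-point
scoring, risk register and prioritized action plan of Rapid Risk Assessment
steps #5, #6 and #7, applied to the slides' "Malware infection" sample row."""
from dataclasses import dataclass

# Step #5 scales, ranked 1..5 so that Impact * Probability is never zero.
# ASSUMPTION: the slide prints "Certain <95%" and "Negligible >1%"; this example
# reads them as ">=95%" and "<1%" so the five bands are contiguous.
PROBABILITY_SCALE = ["negligible", "low", "medium", "high", "certain"]
IMPACT_SCALE = ["negligible", "low", "medium", "high", "critical"]
RISK_SCALE = ["negligible", "low", "medium", "high", "critical"]


def probability_label(likelihood_pct: float) -> str:
    """Step #5: map a 12-month likelihood (in percent) onto the probability scale."""
    if likelihood_pct >= 95:
        return "certain"
    if likelihood_pct >= 50:
        return "high"
    if likelihood_pct >= 20:
        return "medium"
    if likelihood_pct >= 1:
        return "low"
    return "negligible"


def _rank(label: str, scale: list[str]) -> int:
    """1-based rank of a label on a scale. Accepts the full word or the
    single-letter code used in the Documentation Sample columns ('H', 'C')."""
    key = label.strip().lower()
    for rank, name in enumerate(scale, start=1):
        if key == name or key == name[0]:
            return rank
    raise ValueError(f"{label!r} is not on the scale {scale}")


def risk_label(impact: str, probability: str) -> str:
    """Step #6: risk is the 'simplified product' of Impact * Probability.
    Ranks 1..5 multiply to 1..25; banding that back onto five labels is this
    example's ASSUMPTION: H x C (4*5=20) -> high, as in the slides' sample,
    and only Critical x Certain (25) -> critical."""
    product = _rank(impact, IMPACT_SCALE) * _rank(probability, PROBABILITY_SCALE)
    if product >= 25:
        return "critical"
    if product >= 15:
        return "high"
    if product >= 8:
        return "medium"
    if product >= 3:
        return "low"
    return "negligible"


@dataclass
class RiskEntry:
    """One row of the step #6 documentation format."""
    threat: str
    vulnerabilities: list[str]
    recommendations: list[str]
    impact: str        # impact label or code, e.g. "High" or "H"
    probability: str   # probability label or code, e.g. "Certain" or "C"

    @property
    def risk(self) -> str:
        return risk_label(self.impact, self.probability)


def action_plan(register: list[RiskEntry]) -> list[tuple[str, str]]:
    """Step #7: fold every recommendation into one list, highest risk first.
    sorted() is stable, so rows with equal risk keep their register order."""
    ordered = sorted(register, key=lambda e: RISK_SCALE.index(e.risk), reverse=True)
    return [(e.risk, rec) for e in ordered for rec in e.recommendations]


# Constructed register: the first row is the slides' Documentation Sample,
# the second row is made up for this example.
SAMPLE_REGISTER = [
    RiskEntry(
        threat="Malware infection",
        vulnerabilities=["Outdated anti-virus",
                         "Lack of anti-virus on 36% of servers",
                         "32 high ranked vulnerabilities on in-scope systems",
                         "Lack of virus scanning at the network layer"],
        recommendations=["Endpoint antivirus must be installed on all hosts.",
                         "All endpoint antivirus must be updated daily.",
                         "All systems must have new patches applied within 30 days of release.",
                         "Company must deploy a more robust patch management platform.",
                         "Implement a core firewall that can perform virus scanning at the network layer."],
        impact="H", probability="C"),
    RiskEntry(  # constructed row, not from the slides
        threat="Theft of confidential data",
        vulnerabilities=["Unencrypted backup tapes leave the building weekly"],
        recommendations=["Encrypt backup media before it leaves the site."],
        impact="Critical", probability="Low"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"{entry.threat}: impact={entry.impact} probability={entry.probability} risk={entry.risk}")
    for risk, rec in action_plan(SAMPLE_REGISTER):
        print(f"[{risk}] {rec}")
```

The constructed second row shows why the product matters: a catastrophic threat with low probability (5 x 2 = 10) lands at medium and is ordered after the high-scoring malware row, which is the prioritization the action plan in step #7 is meant to surface.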