Why Risk Management is Impossible
It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013

  • Good Richard
    I replaced risk management with threat scenario analysis years ago.
    Could not have said it better myself. There is another fundamental disconnect you didn't touch on and that is the disconnect between IT and security - IT is about running predictable process while sucking up as much money as possible while failing half the time and security is about dealing with unpredictable threats in a cost-effective way and living to tell the story.
    See http://www.software.co.il/2013/07/why-security-defenses-are-a-mistake/
    and http://www.software.co.il/2013/07/why-security-defenses-are-a-mistake/
    and http://www.software.co.il/2012/08/auditing-healthcare-it-security-and-privacy-with-multiple-threat-scenarios/
    Danny
  • Here is a column I wrote that goes into more detail on my thinking about Risk Management. http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html?page=1
Why Risk Management is Impossible: Presentation Transcript

  • Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon, Chief Research Analyst, IT-Harvest
  • International Cybersecurity Dialogue. What is risk?
    • Risk = Threat * Vulnerability * Asset Value
    • -or- The probable frequency and probable magnitude of future loss (FAIR)
  • Risk Management 101
    • 1. Identify all critical assets
    • 2. Score them by “value”
    • 3. Discover all vulnerabilities
    • All three are impossible.
  • What is an IT asset?
    • Desktops, laptops, servers, thumb drives, switches
    • Applications, databases, records, artifacts (VM images)
    • Usernames, passwords, e-mail addresses
    • IP addresses, domains
    • Digital certificates (SSL, SSH, Kerberos, code signing, identity)
    • Email, email archives
    • Business intelligence data
    • Logs
    • Policies, settings, configurations
    • Processes, work flow, authorization
    • IP: designs, formulae, patent applications, litigation documents, spreadsheets, docs, PowerPoint
    • Real-time data
    • Metadata
    • Software licenses and version data
    • Virtual data center (repeat most of the above)
    • Phones, smart phones, video conferencing
    • Firewalls, IPS, content filtering, log management, patch management, trouble ticketing, AV, etc. etc. etc.
    • Active Directory
    • Ephemeral assets
  • What is the value of an IT asset?
    • Replacement cost? Purchase + shipping + config + restore + staging + deployment
    • Cost to reproduce data?
    • Loss of productivity?
    • Loss of business competitiveness?
    • Lost sales?
    • Lost battle?
  • Can you really reduce the surface area (exposed vulnerabilities)?
    • Some systems cannot be patched
      • Legacy
      • Operations
    • All systems have unknown vulnerabilities
  • Risk Manage This:
  • Or this: Athens 2004
    • A series of software updates turns on the Lawful Intercept function in an Ericsson switch
    • 104 diplomats and Olympic officials spied on
    • Engineer mysteriously commits suicide
  • Or this: Cyber sabotage: Stuxnet (diagram labels: s7otbxdx.dll, Step 7 software DLL; Rootkit; s7otbxsx.dll, DLL original; New data blocks added)
  • Or this: Trading losses. 2008, Jerome Kerviel covers up trading losses. Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 billion loss. 5 year sentence reduced to 3.
  • Or this:
    • Saudi Aramco, August 2012
    • South Korea, March 2013
  • Or this:
    • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn.
    • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
  • Risk management is based on normal distribution of events
    • IT security is not subject to Gaussian distributions
    • The difference is: adversaries
  • Targeted Attacks are Not Random
    • Risk Management arose to address “random attacks”: viruses, worms, opportunistic hackers.
    • Targeted attacks are Black Swan events
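An added illustration of the point made on the last two slides together with the FAIR definition earlier in the deck (this is example code, not part of the original presentation): a FAIR-style expected annual loss (probable frequency times probable magnitude) comes out identical whether loss magnitude is modelled as Gaussian or as a heavy-tailed Pareto distribution with the same mean, yet the probability of a single Black Swan-sized loss differs by many orders of magnitude. All figures (frequency, mean loss, standard deviation, Pareto shape, threshold) are constructed sample values.

```python
import math


def normal_tail(x, mean, sd):
    """P(L > x) for a Gaussian loss model, via the complementary error function."""
    z = (x - mean) / (sd * math.sqrt(2.0))
    return 0.5 * math.erfc(z)


def pareto_tail(x, xmin, alpha):
    """P(L > x) for a Pareto (heavy-tailed) loss model with scale xmin and shape alpha."""
    if x < xmin:
        return 1.0
    return (xmin / x) ** alpha


def pareto_mean(xmin, alpha):
    """Mean of a Pareto distribution; only finite when alpha > 1."""
    if alpha <= 1.0:
        return math.inf
    return alpha * xmin / (alpha - 1.0)


def expected_annual_loss(frequency, mean_magnitude):
    """FAIR-style risk figure: probable frequency x probable magnitude."""
    return frequency * mean_magnitude


def compare(threshold, frequency=2.0, mean_loss=100_000.0, sd=50_000.0, alpha=1.5):
    """Compare the two loss models at a given single-event loss threshold.

    Constructed sample parameters: 2 events/year, mean loss $100k, sd $50k for the
    Gaussian model, Pareto shape 1.5. xmin is chosen so both models share the mean.
    """
    xmin = mean_loss * (alpha - 1.0) / alpha
    return {
        "ale_normal": expected_annual_loss(frequency, mean_loss),
        "ale_pareto": expected_annual_loss(frequency, pareto_mean(xmin, alpha)),
        "p_normal_exceeds": normal_tail(threshold, mean_loss, sd),
        "p_pareto_exceeds": pareto_tail(threshold, xmin, alpha),
    }


if __name__ == "__main__":
    # A single loss ten times the mean: the Gaussian model calls it impossible,
    # the heavy-tailed model gives it roughly a 0.6% chance per event.
    for key, value in compare(1_000_000.0).items():
        print(f"{key:>18}: {value:.3e}")
```

The expected-annual-loss line that "speaks to management" is the same for both models; only the tail, where targeted attacks live, tells them apart.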
  • So, if Risk Management is a failure, what should be done?
    • Welcome to the world of threat based security, the real world.
  • Some scenarios
    • A mass killer is on the loose. Find him and stop him? Or protect every “asset”?
    • Chinese Comment Crew is in your network. Do a vulnerability scan?
    • Rogue employee is accessing customer database. Beef up security awareness training?
  • Cyber kill chain
  • Security Intelligence is the key to threat management
    • Malware analysis
    • Key indicators of attack
    • Key indicators of compromise
    • Threat actor intelligence
  • The Cyber Defense Team: Operations, Analysts, Red Team, Cyber Commander
  • Let’s be honest
    • Risk Management was developed so that IT security could “speak to management.”
    • Management understands threats, not risks.
    • Show them the threats and they will respond.