Risk Assessment And Management

Nut and Shell

Published in: Technology, Business

  1. RISK ASSESSMENT AND MANAGEMENT
  2. Purpose of Talk
     • Define risk.
     • Propose an assessment methodology.
     • Discuss risk mitigation strategies.
     • Avoid overly technical digression.
  3. High Level Agenda
     • Addressing Risk
     • Establish Policy
     • Implement Countermeasures
     • Maintain Vigilance
     • Concluding Remarks
  4. Risk Assessment
     • The “Risk Equation”
     • Likelihood
     • Impact
     • Addressing Risk
     • Establish Policy
     • Implement Countermeasures
     • Maintain Vigilance
     • Concluding Remarks
  5. Security Terminology
     • Security is a GOAL, not a STATE OF BEING.
     • Security is everyone’s responsibility.
  6. Important Terms
     • Flaw
     • Weakness
     • Vulnerability
     • Exploit
     • Attack
     • Adversary
     • Threat
  7. Flaw
     • Imperfection of a system
     • Found in design, implementation or execution
     • Concealed or exposed
     • Known or unknown
     • Source of weakness or vulnerability
     • Not always exploitable
  8. Weakness
     • Attribute of a system or defense
     • Insufficient to resist expected attack (lack of strength)
     • Not necessarily due to a flaw
     • Source of vulnerability
     • Not always exploitable
  9. Vulnerability
     • Feature of system or defense
     • Sometimes (often) undiscovered
     • Caused by flaws and weaknesses
     • Always exploitable
     • Target of adversaries
  10. Exploit
     • Methodology for attack
     • Takes advantage of one or more vulnerabilities
     • Repeatable
     • Always “succeeds”
     • Used in an attack
  11. Attack
     • Prosecution of an exploit (an instance)
     • Defined objective
     • Can be undetected or detected
     • Sometimes (often) unsuccessful
     • Performed by a motivated adversary
  12. Adversary
     • Agent (person or corporate)
     • Motivated
     • Often unscrupulous
     • Goals:
       • Competition
       • Defamation
       • Financial gain
       • Notoriety
       • Information
     • May or may not have means and knowledge
  13. Threat
     • Adversary
     • Possesses means and knowledge
     • Actively targeting
     • Known or unknown
  14. Countermeasures
     • Methodology for defense
     • Technological or procedural
     • Types:
       • Detection
       • Resistance
       • Avoidance
       • Counter-attack
     • Usually specific to an exploit
  15. Countermeasures: Defense in Depth
  16. Security Countermeasures Include a Lot
  17. Security is an Arms Race
  19. Risk
     • Measures importance
     • Determines relevance of vulnerabilities
     • Useful for setting programmatic priority
     • Varies over time
  20. The Risk Equation
     • Impact x Likelihood = Risk
     • Universal: applies to all types of risk
     • Uniform: enables comparison
     • Objective: track over time
  21. Risk is Two Dimensional
  22. Impact
     • Measures the level of “pain” to the organization
     • Examples:
       • Financial: loss or cost to repair
       • Operational: lost time, production or delivery
       • Reputation: loss of customer or consumer confidence
       • Competitive: reduction of market advantage
       • Regulatory: legal liability
       • Fiduciary: fiduciary liability
  23. Likelihood
     • Measures the probability of feeling the impact
     • Contributors:
       • Known exploits
       • Motivated adversaries
       • Adequacy of countermeasures
  24. Performing the Assessment
     • Requires experience
     • Two approaches:
       • Vulnerability driven
       • Asset driven
     • Combine for greatest effect
  25. Vulnerability Driven Analysis
     1. Search for known vulnerabilities
     2. Tabulate and estimate severity
     3. Determine what assets are affected
     4. Assign impact value
     5. Consider adversaries and their motivations
     6. Assign likelihood
     7. Tabulate and report
  26. Searching for Known Vulnerabilities
     • Research known threat databases
     • Use scanning tools
     • Review technology and procedures
     • Test users (social engineering)
     • Grade ease of exploitation
  27. Network and System Vulnerabilities
     • Network:
       • Unnecessary pathways
       • Unsecured data streams
     • System:
       • Unhardened systems
       • Unprotected administrator logon
       • Exposed management interfaces
  28. Application and Operations Vulnerabilities
     • Application:
       • Unneeded services
       • Buffer overflows
       • Lack of or weak authentication
     • Operations:
       • Lack of change control program
       • No monitoring or intrusion detection
       • Easy access to backup media
  29. Determine Affected Assets
     • Most vulnerabilities affect multiple assets
     • Can’t determine likelihood yet
  30. Gauge the Impact
     • Is there money at stake?
     • Can private information be revealed?
     • Would an attack embarrass the organization?
     • Could a targeted system be used as a “stepping stone”?
     • Would an attack advance the cause of information warfare or terrorism?
     • Will competitive advantage be lost?
  31. Identify Your Adversaries
     • Internet hacker
     • Insider
     • Thief
     • Terrorist
     • Industrial spy
  32. Gauge the Likelihood
     • Depends on:
       • Threat
       • Complexity
     • Examples:
       • DoS or DDoS on an online banking application: Threat: Medium, Complexity: Low
       • Modify stock price quote: Threat: High, Complexity: Medium
       • Execute unauthorized transactions: Threat: High, Complexity: Very High
  33. Tabulate and Report
     • Many assessments stop at vulnerability and don’t consider impact
  34. Asset Driven Analysis
     1. Inventory information assets
     2. Estimate impact
     3. Trace information back to technology
     4. Analyze for vulnerabilities
     5. Consider adversaries and their motivations
     6. Assign likelihoods
     7. Tabulate and report
  35. Asset Table
     • This is just the vulnerability driven table “turned inside out”
  36. Risk Leads to Priority
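A worked example of the Risk Equation and the asset table, added here and not part of the talk: it scores the three examples from the “Gauge the Likelihood” slide with Impact x Likelihood, orders them by risk to set priority, and then turns the vulnerability-driven table inside out into the asset-driven one. The 1 to 5 ordinal scale, the likelihood formula, the impact levels and the affected asset names are constructed assumptions.

```python
from collections import defaultdict

# Constructed ordinal scale (assumption, not from the talk).
LEVEL = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Vulnerability-driven table: the three examples from the "Gauge the
# Likelihood" slide; impact levels and affected assets are constructed.
VULNERABILITIES = [
    {"name": "DoS/DDoS on online banking application", "threat": "medium",
     "complexity": "low", "impact": "medium",
     "assets": ["online banking portal"]},
    {"name": "Modify stock price quote", "threat": "high",
     "complexity": "medium", "impact": "high",
     "assets": ["quote feed", "online banking portal"]},
    {"name": "Execute unauthorized transactions", "threat": "high",
     "complexity": "very high", "impact": "very high",
     "assets": ["transaction engine", "online banking portal"]},
]

def likelihood(threat, complexity):
    """Likelihood rises with threat and falls with attack complexity.
    Constructed scale 2..10: threat level plus ease of exploitation."""
    ease = 6 - LEVEL[complexity]  # "very high" complexity -> ease 1
    return LEVEL[threat] + ease

def risk(vuln):
    """The talk's Risk Equation: Impact x Likelihood = Risk."""
    return LEVEL[vuln["impact"]] * likelihood(vuln["threat"], vuln["complexity"])

def prioritize(vulns):
    """Tabulate and report: (risk, name) pairs, highest risk first."""
    return sorted(((risk(v), v["name"]) for v in vulns), reverse=True)

def asset_table(vulns):
    """The vulnerability table 'turned inside out': for each asset, the
    vulnerabilities that reach it and its worst single exposure."""
    rows = defaultdict(list)
    for v in vulns:
        for asset in v["assets"]:
            rows[asset].append((risk(v), v["name"]))
    return {asset: {"max": max(r for r, _ in hits),
                    "sources": sorted(hits, reverse=True)}
            for asset, hits in rows.items()}

if __name__ == "__main__":
    for score, name in prioritize(VULNERABILITIES):
        print(f"{score:3d}  {name}")
    for asset, row in sorted(asset_table(VULNERABILITIES).items()):
        print(f"{asset}: worst {row['max']} via {row['sources'][0][1]}")
```

Note that the highest-impact item (unauthorized transactions) is not the top priority once its very high complexity lowers the likelihood, which is the point of scoring both dimensions rather than stopping at vulnerability.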
  38. Risk Management Program
     • Establish Policy
     • Implement Countermeasures
     • Maintain Vigilance
  40. Policy Statements
     • Most corporate policies must be translated to concrete statements.
     • Major elements:
       • Information classification
       • System criticality
       • Operational context
  41. Information Classification
     • Information classification streamlines policy statement and enforcement.
     • CAVEAT: Over-classification leads to excessive cost and added overhead.
     • CAVEAT: Some collections of unclassified data become sensitive when aggregated.
  42. An Example of Information Classification
  43. Criticality
     • Criticality is a quality of operational systems.
     • It depends upon the importance of a network system or application.
     • Criticality motivates reliability measures.
  44. Example of Criticality
  45. Operational Context
     • Facilities (systems and networks) are certified to the maximum classification level permitted.
     • “Guards” ensure that information does not pass to an unauthorized environment.
  46. Example of Operational Context
  47. Create a Policy Hierarchy
  48. Example: Requirements Specify Security Services
     • Authentication
     • Access control
     • Data confidentiality
     • Data integrity
     • Non-repudiation
     • (X.800, Security Architecture for Open Systems Interconnection for CCITT Applications; also ISO/IEC 7498-2)
  49. Communications Policies (Examples)
     • Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
     • Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.
  50. Example: Standards Specify Service Mechanisms
     • Includes algorithms and parameters:
       • Encipherment: DES, 3DES, RSA, key length, etc.
       • Digital signature: RSA, DSS, key length, etc.
       • Access control: authorization type, time, duration, etc.
       • Integrity: MD5, SHA, HMAC, etc.
     • Many more choices exist.
  51. Tabulate Policy to Ensure Consistent Practice
  52. Recap of Policy
     • Policy defines classification and rules for access/exchange.
     • Policy defines criticality.
     • Policy hierarchy defines security services and quality of mechanisms.
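An added example, not from the talk, of tabulating the policy hierarchy so that practice stays consistent: the two communications policies above are encoded as the X.800 services a transmission must provide per classification and network, the standards layer maps mechanisms to the services they deliver, and a proposed transmission is checked for what it is missing. The classification labels, the mechanism-to-service mapping and the “signed receipt” mechanism are constructed assumptions.

```python
# Policy layer: the two communications policies from the talk, encoded as
# the X.800 services a transmission must provide, keyed by information
# classification and network. Classification labels are constructed.
POLICY = {
    "public": {"internet": set(), "corporate": set()},
    # "PII may not be transmitted in the clear on the Internet."
    "pii": {"internet": {"data confidentiality"}, "corporate": set()},
    # "Corporate restricted ... requires data confidentiality, peer-entity
    # authentication, and non-repudiation with proof of delivery" on any network.
    "corporate restricted": {
        net: {"data confidentiality", "peer-entity authentication",
              "non-repudiation (proof of delivery)"}
        for net in ("internet", "corporate")
    },
}

# Standards layer: which mechanism provides which service. The talk lists
# the mechanisms (DES, 3DES, RSA, DSS, MD5, SHA, HMAC); this mapping and
# the "signed receipt" entry are constructed assumptions.
MECHANISMS = {
    "3DES": {"data confidentiality"},
    "RSA encryption": {"data confidentiality"},
    "RSA signature": {"peer-entity authentication", "data integrity"},
    "DSS": {"peer-entity authentication", "data integrity"},
    "HMAC": {"data integrity"},
    "signed receipt": {"non-repudiation (proof of delivery)"},
}

def provided_services(mechanisms):
    """Union of the services the chosen mechanisms provide."""
    return set().union(*(MECHANISMS[m] for m in mechanisms))

def missing_services(classification, network, mechanisms):
    """Services the policy requires that the chosen mechanisms do not give."""
    required = POLICY[classification][network]
    return sorted(required - provided_services(mechanisms))

def compliant(classification, network, mechanisms):
    """True when the transmission satisfies every required service."""
    return not missing_services(classification, network, mechanisms)

if __name__ == "__main__":
    print(missing_services("pii", "internet", []))
    print(missing_services("corporate restricted", "corporate", ["3DES", "DSS"]))
```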
  53. Implement Countermeasures
  54. Countermeasures: Defense in Depth
  55. The 10 Guiding Principles*
     1. Secure the weakest link
     2. Practice defense in depth
     3. Fail securely
     4. Follow the principle of least privilege
     5. Compartmentalize
     6. Keep it simple
     7. Promote privacy
     8. Remember that hiding secrets is hard
     9. Be reluctant to trust
     10. Use your community resources
  56. Cost vs. Risk
  57. Maintain Vigilance
  58. Balance Security Activities
  59. Plan
     • Consider:
       • Future business needs
       • Changing threatscape
       • Tolerance to residual risk
     • Establish policy
     • Design security infrastructure
     • Develop security procedures
  60. Execute
     • Implement according to design
     • Operate according to procedures
     • Continually improve
  61. Appraise
     • Appraise the plan:
       • Does it meet the expected threats?
       • Will it protect business interests?
       • Are there flaws in the design?
       • Is policy adequate or overly burdensome?
     • Appraise the execution:
       • Is the design implemented correctly?
       • Has the configuration changed?
       • Do procedures cover all events?
       • Are operators alert?
  62. Conclusions
     • Understanding vulnerability alone is not enough.
     • Risk depends upon likelihood of successful attack and its impact on the organization.
     • Countermeasures include technology, procedures and people.
     • Reducing risk generally requires additional cost.
     • The war is never won—constant vigilance is the only way.
