Risk Assessment And Management

Uploaded to SlideShare by Nut and Shell as a Microsoft PowerPoint presentation. © All Rights Reserved

Presentation Transcript

  • RISK ASSESSMENT AND MANAGEMENT
    • Purpose of Talk
    • Define risk.
    • Propose an assessment methodology
    • Discuss risk mitigation strategies
    • Avoid overly technical digression
    • High Level Agenda
    • Addressing Risk
    • Establish Policy
    • Implement Countermeasures
    • Maintain Vigilance
    • Concluding Remarks
    • Risk Assessment
    • The “Risk Equation”
    • Likelihood
    • Impact
    • Addressing Risk
    • Establish Policy
    • Implement Countermeasures
    • Maintain Vigilance
    • Concluding Remarks
    • Security Terminology
    • Security is a GOAL, not a STATE OF BEING.
    • Security is everyone’s responsibility.
    • Important Terms
    • Flaw
    • Weakness
    • Vulnerability
    • Exploit
    • Attack
    • Adversary
    • Threat
    • Flaw:
    • Imperfection of a system
    • Found in design, implementation or execution
    • Concealed or exposed
    • Known or unknown
    • Source of weakness or vulnerability
    • Not always exploitable
    • Weakness:
    • Attribute of a system or defense
    • Insufficient to resist expected attack –lack of strength
    • Not necessarily due to a flaw
    • Source of vulnerability
    • Not always exploitable
    • Vulnerability
    • Feature of system or defense
    • Sometimes (often) undiscovered
    • Caused by flaws and weaknesses
    • Always exploitable
    • Target of adversaries
    • Exploit
    • Methodology for attack
    • Takes advantage of one or more vulnerabilities
    • Repeatable
    • Always “succeeds” against the vulnerability it targets (the attack that uses it may still fail)
    • Used in an attack
    • Attack
    • Prosecution of an exploit (an instance)
    • Defined objective
    • Can be undetected or detected
    • Sometimes (often) unsuccessful
    • Performed by a motivated adversary
    • Adversary
    • Agent (person or corporate)
    • Motivated
    • Often unscrupulous
    • Goals: competition, defamation, financial gain, notoriety, information
    • May or may not have means & knowledge
    • Threat
    • Adversary
    • Possesses means and knowledge
    • Actively targeting
    • Known or unknown
    • Countermeasures
    • Methodology for defense
    • Technological or procedural
    • Types:
    • Detection
    • Resistance
    • Avoidance
    • Counter-attack
    • Usually specific to an exploit
    • Countermeasures: Defense in Depth
    • Security Countermeasures Include a Lot
    • Security is an Arms Race
    • Risk
    • Measures importance
    • Determines relevance of vulnerabilities
    • Useful for setting programmatic priority
    • Varies over time
    • The Risk Equation
    • Impact x Likelihood = Risk
    • Universal: Applies to all types of risk
    • Uniform: Enables comparison
    • Objective: Track over time
    • Risk is Two Dimensional
    • Impact
    • Measures the level of “pain” to the organization
    • Examples:
    • Financial: Loss or cost to repair
    • Operational: Lost time, production or delivery
    • Reputation: Loss of customer or consumer confidence
    • Competitive: Reduction of market advantage
    • Regulatory: Legal liability
    • Fiduciary: Fiduciary liability
    • Likelihood:
    • Measures the probability of feeling the impact
    • Contributors:
    • Known exploits
    • Motivated adversaries
    • Adequacy of countermeasures
    • Performing the Assessment
    • Requires experience
    • Two approaches:
    • Vulnerability driven
    • Asset driven
    • Combine for greatest effect
    • Vulnerability Driven Analysis
    • 1. Search for known vulnerabilities
    • 2. Tabulate and estimate severity
    • 3. Determine what assets are affected
    • 4. Assign impact value
    • 5. Consider adversaries and their motivations
    • 6. Assign likelihood
    • 7. Tabulate and report
    • Searching for Known Vulnerabilities
    • Research known threat databases
    • Use scanning tools
    • Review technology and procedures
    • Test users (social engineering)
    • Grade ease of exploitation
    • Network and System Vulnerabilities
    • Network:
    • Unnecessary pathways
    • Unsecured data-streams
    • System:
    • Unhardened systems
    • Unprotected administrator logon
    • Exposed management interfaces
    • Application and Operations Vulnerabilities
    • Application:
    • Unneeded services
    • Buffer overflows
    • Lack of or weak authentication
    • Operations:
    • Lack of change control program
    • No monitoring or intrusion detection
    • Easy access to backup media
    • Determine Affected Assets
    • Most vulnerabilities affect multiple assets
    • Can’t determine likelihood yet
    • Gauge the Impact
    • Is there money at stake?
    • Can private information be revealed?
    • Would an attack embarrass the organization?
    • Could a targeted system be used as a “stepping stone”?
    • Would an attack advance the cause of information warfare or terrorism?
    • Will competitive advantage be lost?
    • Identify Your Adversaries
    • Internet Hacker
    • Insider
    • Thief
    • Terrorist
    • Industrial Spy
    • Gauge the Likelihood
    • Depends on:
    • Threat
    • Complexity
    • Examples:
    • DoS or DDoS on an Online Banking Application
    • Threat: Medium, Complexity: Low
    • Modify Stock Price Quote
    • Threat: High, Complexity: Medium
    • Execute Unauthorized Transactions
    • Threat: High, Complexity: Very High
    • Tabulate and Report
    • Many assessments stop at vulnerability and don’t consider impact
    • Asset Driven Analysis
    • 1. Inventory information assets
    • 2. Estimate impact
    • 3. Trace information back to technology
    • 4. Analyze for vulnerabilities
    • 5. Consider adversaries and their motivations
    • 6. Assign likelihoods
    • 7. Tabulate and report
    • Asset Table
    • This is just the vulnerability driven table “turned inside out”
    • Risk Leads to Priority
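The two tables the talk describes are the same data viewed two ways, and the Risk Equation is what sorts them into a priority list. The following is an added worked example, not material from the slides: a small risk register that scores each finding as Impact x Likelihood, derives likelihood from the threat and complexity ratings the talk uses in its likelihood examples, prints the vulnerability-driven table, then “turns it inside out” into the asset-driven table, and re-scores one finding after a countermeasure to show how risk varies over time. The 1..5 scales, the rule that converts (threat, complexity) into a likelihood score, the four findings, their assets and impact values are all assumptions constructed for illustration; the three attack scenarios are the ones the talk names.

```python
"""Worked risk register for the Risk Equation (Impact x Likelihood = Risk).

Added example; it is not part of the original slides.  The 1..5 scales, the
rule turning (threat, complexity) into a likelihood score, and the sample
findings are assumptions made for illustration.  The three attack scenarios
are the ones the talk uses; the assets and impact values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Ordinal scale shared by impact, threat, complexity and likelihood (assumption).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
NEXT_HARDER = {"very low": "low", "low": "medium", "medium": "high",
               "high": "very high", "very high": "very high"}


def likelihood(threat: str, complexity: str) -> int:
    """Likelihood rises with the threat and falls with attack complexity.

    Scoring rule (assumption): add the threat score to the inverted
    complexity score (range 2..10) and rescale to 1..5, rounding half up.
    """
    raw = LEVELS[threat] + (6 - LEVELS[complexity])
    return (raw + 1) // 2


@dataclass(frozen=True)
class Finding:
    vulnerability: str
    assets: tuple        # one vulnerability usually touches several assets
    impact: int          # 1..5: worst-case "pain" to the organization
    threat: str          # is a capable adversary actively targeting this?
    complexity: str      # how hard is the exploit to carry out?

    @property
    def likelihood(self) -> int:
        return likelihood(self.threat, self.complexity)

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood   # the Risk Equation


def vulnerability_table(findings):
    """Vulnerability-driven view: one row per finding, highest risk first.

    Ties on risk are broken by impact, then by name, so the table is stable.
    """
    rows = [(f.vulnerability, f.impact, f.likelihood, f.risk) for f in findings]
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))


def asset_table(findings):
    """Asset-driven view: the same data 'turned inside out', one row per asset.

    An asset's exposure is the sum of the risk of every finding touching it,
    so an asset hit by several medium risks can outrank one hit by a single
    high risk.
    """
    exposure = defaultdict(int)
    for f in findings:
        for asset in f.assets:
            exposure[asset] += f.risk
    return sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0]))


def with_countermeasure(finding: Finding) -> Finding:
    """Model a countermeasure that makes the exploit one step harder.

    Risk varies over time: re-scoring after a control is deployed gives the
    residual risk that the program must decide to tolerate or reduce further.
    """
    return replace(finding, complexity=NEXT_HARDER[finding.complexity])


# Constructed findings (assumption): the talk's three scenarios plus one more.
FINDINGS = (
    Finding("Login endpoint has no rate limiting (DoS/DDoS)",
            ("online banking front end",), impact=3,
            threat="medium", complexity="low"),
    Finding("Quote feed accepts unauthenticated updates (modify stock price)",
            ("quote service", "trading portal"), impact=4,
            threat="high", complexity="medium"),
    Finding("Weak session binding allows transaction replay",
            ("transaction engine", "online banking front end"), impact=5,
            threat="high", complexity="very high"),
    Finding("Backup tapes kept in an unlocked cabinet",
            ("customer database",), impact=4,
            threat="low", complexity="low"),
)

if __name__ == "__main__":
    print("Vulnerability-driven (priority order):")
    for vuln, imp, lik, risk in vulnerability_table(FINDINGS):
        print(f"  risk={risk:2d}  impact={imp}  likelihood={lik}  {vuln}")
    print("Asset-driven (most exposed first):")
    for asset, exposure in asset_table(FINDINGS):
        print(f"  exposure={exposure:2d}  {asset}")
    dos = FINDINGS[0]
    print(f"DoS risk {dos.risk} -> {with_countermeasure(dos).risk} after rate limiting")
```

Two things the tables show that the equation alone does not: the highest-impact finding (transaction replay, impact 5) is not the top priority because its exploit complexity pulls likelihood down, and the online banking front end is the most exposed asset even though no single finding against it is the top-ranked one, which is exactly the case the asset-driven pass exists to catch.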
    • Risk Management Program
    • Establish Policy
    • Implement Countermeasures
    • Maintain Vigilance
    • Policy Statements
    • Most corporate policies must be translated to concrete statements.
    • Major elements:
    • Information Classification
    • System Criticality
    • Operational Context
    • Information Classification
    • Information classification streamlines policy statement and enforcement.
    • CAVEAT: Over-classification leads to excessive cost and added overhead.
    • CAVEAT: Some collections of unclassified data become sensitive when aggregated.
    • An Example of Information Classification
    • Criticality
    • Criticality is a quality of operational systems.
    • It depends upon the importance of a network system or application.
    • Criticality motivates reliability measures.
    • Example of Criticality
    • Operational Context
    • Facilities (systems and networks) are certified to the maximum classification level permitted.
    • “Guards” ensure that information does not pass to an unauthorized environment.
    • Example of Operational Context
    • Create a Policy Hierarchy
    • Example: Requirements Specify Security Services
    • Authentication
    • Access Control
    • Data Confidentiality
    • Data Integrity
    • Non-repudiation
    • (X.800, Security Architecture for Open Systems Interconnection for CCITT Applications; also ISO/IEC 7498-2)
    • Communications Policies (Examples)
    • Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
    • Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.
    • Example: Standards Specify Service Mechanisms
    • Includes algorithms and parameters:
    • Encipherment: DES, 3DES, RSA, key-length, etc.
    • Digital signature: RSA, DSS, key-length, etc.
    • Access control: authorization type, time, duration, etc.
    • Integrity: MD5, SHA, HMAC, etc.
    • Many more choices exist. (The mechanisms named here reflect the era of the talk; DES and MD5 have since been retired and should not appear in a current standard.)
    • Tabulate Policy to Ensure Consistent Practice
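Tabulating the policy hierarchy means the classification rules, the services each classification requires, and the mechanisms the standard accepts can all be checked mechanically rather than argued case by case. The following is an added example, not material from the slides: it encodes such a table and checks a proposed transmission against it, including the aggregation caveat from the information-classification slide (a record of individually internal fields is raised to PII when the fields together identify a person) and the retired-mechanism case. The classification levels, field assignments, aggregation rule, required-service rows and mechanism lists are all assumptions chosen to mirror the talk's own policy examples (PII not in the clear on the Internet; restricted data needs confidentiality, peer-entity authentication and non-repudiation); they are not any organization's actual policy.

```python
"""Policy hierarchy as a checkable table:
classification -> required security services -> acceptable mechanisms.

Added example, not part of the original slides.  Every table below is an
assumption built to mirror the talk's examples, not a real policy.
"""

# Classification levels in increasing sensitivity (assumption).
LEVELS = ["public", "internal", "pii", "restricted"]

# Field-level classification (assumption).
FIELD_CLASS = {
    "press_release": "public",
    "org_chart": "internal",
    "employee_name": "internal",
    "date_of_birth": "internal",
    "home_address": "internal",
    "national_id": "pii",
    "merger_plan": "restricted",
}

# Aggregation rule (assumption): individually "internal" fields that together
# identify a person become PII when combined in one record.
AGGREGATES = [
    ({"employee_name", "date_of_birth", "home_address"}, "pii"),
]

# Policy statements as a table (assumption): X.800 services required when
# data of a given classification crosses a given network.  "any" rows apply
# on every network, mirroring "on any network" in the talk's second example.
REQUIRED = {
    ("public", "internet"): set(),
    ("internal", "internet"): {"confidentiality"},
    ("pii", "internet"): {"confidentiality", "integrity"},
    ("restricted", "any"): {"confidentiality", "integrity",
                            "peer_authentication", "non_repudiation"},
}

# Standards (assumption): which mechanisms satisfy which service.  A separate
# retired list lets legacy choices be rejected with a specific reason.
APPROVED = {
    "confidentiality": {"AES-128", "AES-256", "3DES"},
    "integrity": {"HMAC-SHA256", "HMAC-SHA1"},
    "peer_authentication": {"TLS-mutual", "IPsec-IKEv2"},
    "non_repudiation": {"RSA-2048-signature", "ECDSA-P256-signature"},
}
RETIRED = {"DES", "MD5", "RC4"}


def classify(fields) -> str:
    """Classify a record by its most sensitive field, then apply aggregation.

    Unknown fields are rejected rather than silently treated as public.
    """
    fields = set(fields)
    unknown = fields - FIELD_CLASS.keys()
    if unknown:
        raise ValueError(f"unclassified fields: {sorted(unknown)}")
    level = max((FIELD_CLASS[f] for f in fields), key=LEVELS.index, default="public")
    for combo, agg_level in AGGREGATES:
        if combo <= fields and LEVELS.index(agg_level) > LEVELS.index(level):
            level = agg_level
    return level


def required_services(level: str, network: str) -> set:
    """Services a transmission must provide; falls back to the 'any' row."""
    return set(REQUIRED.get((level, network), REQUIRED.get((level, "any"), set())))


def check_transmission(fields, network: str, mechanisms: dict) -> list:
    """Return policy violations for sending `fields` over `network`.

    `mechanisms` maps service -> mechanism actually in use.  A violation is a
    required service with no mechanism, a retired mechanism, or a mechanism
    that is not in the standard for that service.  Empty list means compliant.
    """
    level = classify(fields)
    problems = []
    for service in sorted(required_services(level, network)):
        mech = mechanisms.get(service)
        if mech is None:
            problems.append(f"{level}: missing {service}")
        elif mech in RETIRED:
            problems.append(f"{level}: {service} uses retired mechanism {mech}")
        elif mech not in APPROVED[service]:
            problems.append(f"{level}: {service} mechanism {mech} not in standard")
    return problems


if __name__ == "__main__":
    # Three internal fields that aggregate to PII, sent over the Internet with
    # encryption only: compliant for "internal", not for the aggregated record.
    record = {"employee_name", "date_of_birth", "home_address"}
    print(classify(record), check_transmission(record, "internet",
                                               {"confidentiality": "AES-128"}))
    # PII protected with a retired cipher is flagged with the reason.
    print(check_transmission({"national_id"}, "internet",
                             {"confidentiality": "DES", "integrity": "HMAC-SHA256"}))
```

Keeping the retired list separate from the approved list is deliberate: a mechanism that is merely absent from the standard gets a neutral “not in standard” finding, while one that was once acceptable and has since been withdrawn gets an explicit “retired” finding that is easier to act on in an audit.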
    • Recap of Policy
    • Policy defines classification and rules for access/exchange.
    • Policy defines criticality.
    • Policy hierarchy defines security services and quality of mechanisms.
    • Implement Countermeasures
    • Countermeasures: Defense in Depth
    • The 10 Guiding Principles (from Viega and McGraw, Building Secure Software)
    • 1.Secure the Weakest Link
    • 2.Practice Defense in Depth
    • 3.Fail Securely
    • 4.Follow the Principle of Least Privilege
    • 5.Compartmentalize
    • 6.Keep It Simple
    • 7.Promote Privacy
    • 8.Remember That Hiding Secrets Is Hard
    • 9.Be Reluctant to Trust
    • 10.Use Your Community Resources
    • Cost vs. Risk
    • Maintain Vigilance
    • Balance Security Activities
    • Plan
    • Consider:
    • Future business needs
    • Changing threatscape
    • Tolerance to residual risk
    • Establish policy
    • Design security infrastructure
    • Develop security procedures
    • Execute
    • Implement according to design
    • Operate according to procedures
    • Continually improve
    • Appraise
    • Appraise the plan:
    • Does it meet the expected threats?
    • Will it protect business interests?
    • Are there flaws in the design?
    • Is policy adequate or overly burdensome?
    • Appraise the execution:
    • Is the design implemented correctly?
    • Has the configuration changed?
    • Do procedures cover all events?
    • Are operators alert?
    • Conclusions
    • Understanding vulnerability alone is not enough
    • Risk depends upon likelihood of successful attack and its impact on the organization.
    • Countermeasures include technology, procedures and people.
    • Reducing risk generally requires additional cost.
    • The war is never won—constant vigilance is the only way.