Rapid Risk Assessment: A New Approach to Risk Management


Presented by: Andrew Plato, Anitian

Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is cumbersome and time consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results.

Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity for IT security risk assessment. Using the existing principles of risk management defined in NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process.

This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.

Published in: Technology, Business

1. Rapid Risk Assessment: A New Approach to Risk Management

2. Biography
SECURITY: Services, Solutions, Support
• Andrew Plato, CISSP, CISM, QSA
• President / CEO – Anitian Enterprise Security
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Championed movement toward practical, pragmatic information security solutions
3. Anitian Overview
• Compliance – PCI, NERC, HIPAA, FFIEC
• Services – Penetration testing, web application testing, code review, incident response, risk assessment
• Technologies – UTM/NGFW, IPS, SIEM, MDM
• Support – Managed security, staff augmentation
• Leadership – Industry analysis, CIO advisory services
4. Why Anitian?
• Anitian is the only security firm…
  • Focused on practical, pragmatic information security
  • Able to deliver compliance quickly & affordably
  • That does not push products
  • Who rejects using fear to sell
  • Dedicates research efforts to benefit our clients, not our press releases
  • Implements business-friendly security
  • Remains honest and independent
5. Presentation Outline
• The Risk Assessment Environment
• Failure of Current Risk Assessment Practices
• Preparing for a Rapid Risk Assessment
• The Rapid Risk Assessment Process
6. The Risk Assessment Environment (Rapid Risk Assessment)
7. What is Risk Assessment?
• Systematic and objective determination of the seriousness of threats.
• Good risk assessment aims to:
  • Identify the threats that affect an entity (company, network, systems, application, etc.)
  • Qualify and quantify those threats
  • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible investments in security controls and processes
8. Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces the need for risk assessment
  • Assessment defines the risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires a risk analysis of any suspected breach to determine whether notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to re-perform assessments when there are changes
9. Increased Scrutiny
• From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?
10. The Failure of Current Risk Assessment Practices (Rapid Risk Assessment)
11. Something Is Not Right Here
• Companies were consistently complaining about their IT risk assessments:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…
12. Practitioners are Questioning Risk Assessment
Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
13. With Mixed Results
“For any risk management method … we must ask … ‘How do we know it works?’ If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.”
Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
14. The Problem
• Current practices are…
  • Slow
  • Complex
  • Incomprehensible to management
  • Fail to provide clear, actionable steps to reduce risk
• Why?
15. Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:
“Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.”
16. The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish the true value of an IT asset
• Misleading; creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking
17. Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
• Spending a year on a risk assessment is too long
• A good enterprise risk assessment should be done in under 30 days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions; it’s an assessment from a single person or group that understands risk
18. Probability Can Be Flawed
• “On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
19. Lack of Evidence
• Risk assessment methodologies focus heavily on process, and very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled, rational manner
• Without testing, the entire analysis is one-sided
• Testing can cut through conjecture and prove (or disprove) the severity of a threat
20. The Challenge
• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker
21. Preparation (Rapid Risk Assessment)
22. Features of Rapid Risk Assessment
• Aims to speed up the risk assessment process & make it more useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in favor of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress
23. Rapid Risk Assessment Outline
• Prerequisites
  • Advanced writing skills
  • Hands-on IT skills
  • Authority
1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan
24. Prerequisite: Advanced Writing Skills
• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few bullet points
25. Prerequisite: Hands-on IT Skills
• Must have in-depth understanding of IT operations
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policy development
• Must know how an IT department runs if you ever hope to identify its weaknesses
26. Prerequisite: Authority
• Management must definitively endorse and support the risk assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement
27. The Process (Rapid Risk Assessment)
28. #1 – Establish Scope & Lens
• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
  • Data types – customer, internal, security, etc.
  • System – server, workstation, infrastructure
  • Application – user, customer, financial, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension
29. #2 – Interview Stakeholders
• Develop a set of questions specific to the business role:
  • IT custodians – technical questions
  • Business process owners – criticality & usage
• Define value in the context of the entire business using simple terms: critical, high, medium, low, none
• Focus on current state
• Be careful with “forward looking” data – chasing a moving target
• Catalog results
30. #3 – Test the Environment
• Vulnerability scans of all in-scope systems, apps or locations of data
• Conduct penetration tests
  • Web application testing
  • Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must
31. #4 – Define Threats & Correlate Data
• Organize threats into simplified categories
  • Technical – threats to systems, hardware, applications, etc.
  • Operational – threats that affect practices, procedures, or business functions
  • Relational – threats to a relationship between groups, people or third parties
  • Physical – threats to facilities, offices, etc.
  • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple
32. Threat Samples
• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • Use of telnet among staff is threatening PCI compliance requirements.
  • Missing patches on systems
33. #5 – Define Probability & Impact Scale

Probability
Metric – Description
Certain – >95% likelihood of occurrence within the next 12 months.
High – 50-95% likelihood of occurrence within the next 12 months.
Medium – 20-49% likelihood of occurrence within the next 12 months.
Low – 1-20% likelihood of occurrence within the next 12 months.
Negligible – <1% likelihood of occurrence within the next 12 months.

Impact
Metric – Description
Critical – Catastrophic effect on the Data Asset.
High – Serious impact on the Data Asset's functionality.
Medium – Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
Low – Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
Negligible – Data Asset remains functional for the business with no noticeable slowness or downtime.
34. #6 – Document Risks
• Condense, simplify and focus on the problem
  • Threat – How the asset is at risk
  • Vulnerabilities – The vulnerabilities relevant to the risk
  • Recommendation – Tangible actions to remediate the risk
  • Impact – Simplified 5-point score (critical, high, medium, low, none)
  • Probability – Simplified 5-point score (certain, high, medium, low, negligible)
  • Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)
35. Documentation Sample
Threat: Malware infection
Vulnerabilities:
  • Outdated anti-virus
  • Lack of anti-virus on 36% of servers
  • 32 high ranked vulnerabilities on in-scope systems
  • Lack of virus scanning at the network layer
Recommendation:
  • Endpoint antivirus must be installed on all hosts.
  • All endpoint antivirus must be updated daily.
  • All systems must have new patches applied within 30 days of release.
  • Company must deploy a more robust patch management platform.
  • Implement a core firewall that can perform virus scanning at the network layer.
Impact: H
Probability: C
Risk: H
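The scoring on slides 33 to 35 and the prioritized list of slide 37, worked as a small risk register in Python. This is an added example, not code from the deck or from Anitian; the deck does not say how the "simplified product" of Impact and Probability is computed or how overlapping band edges (20%, 95%) are resolved, so both are assumptions stated in the module docstring and chosen to reproduce the sample row (Impact H, Probability C gives Risk H).

```python
"""Rapid Risk Assessment register scoring (added example, not the deck's code).

Assumptions not stated on the slides: the overlapping band edges at 20% and
95% go to the higher band, and the "simplified product" of Impact x Probability
is the rounded geometric mean of their 1..5 ranks, which keeps the result on
the same five-point scale and matches the sample row (H x C -> H)."""
from __future__ import annotations
from dataclasses import dataclass
from math import sqrt

IMPACT = ["negligible", "low", "medium", "high", "critical"]       # slide 33
PROBABILITY = ["negligible", "low", "medium", "high", "certain"]   # slide 33
RISK = ["negligible", "low", "medium", "high", "critical"]         # slide 34


def probability_level(likelihood_pct: float) -> str:
    """Band a 12-month likelihood (0-100 %) onto the five-point probability scale."""
    if not 0 <= likelihood_pct <= 100:
        raise ValueError("likelihood must be a percentage from 0 to 100")
    if likelihood_pct > 95:
        return "certain"
    if likelihood_pct >= 50:
        return "high"
    if likelihood_pct >= 20:
        return "medium"
    if likelihood_pct >= 1:
        return "low"
    return "negligible"


def risk_level(impact: str, probability: str) -> str:
    """Combine Impact and Probability into one five-point Risk rating."""
    i = IMPACT.index(impact.lower()) + 1            # rank 1..5
    p = PROBABILITY.index(probability.lower()) + 1  # rank 1..5
    rank = round(sqrt(i * p))                        # assumed combination rule
    return RISK[min(max(rank, 1), 5) - 1]


@dataclass
class RiskEntry:
    threat: str                  # short, concrete threat (slide 32 "good" style)
    vulnerabilities: list[str]   # evidence gathered by testing (slide 30)
    recommendations: list[str]   # tangible actions (slide 37 "GOOD" style)
    impact: str
    likelihood_pct: float

    def probability(self) -> str:
        return probability_level(self.likelihood_pct)

    def risk(self) -> str:
        return risk_level(self.impact, self.probability())


def prioritize(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register for the action plan: highest risk first, then highest impact."""
    return sorted(entries, reverse=True,
                  key=lambda e: (RISK.index(e.risk()), IMPACT.index(e.impact)))


# Constructed sample input: the slide-35 row plus a second, lower-rated entry.
SAMPLE = [
    RiskEntry("Unpatched web server exposure", ["12 medium-ranked findings"],
              ["Patch within 30 days of release."], "medium", 30),
    RiskEntry("Malware infection",
              ["Outdated anti-virus", "Lack of anti-virus on 36% of servers"],
              ["Endpoint antivirus must be installed on all hosts."], "high", 97),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(f"{e.risk():10} {e.threat}: impact={e.impact}, probability={e.probability()}")
```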
36. Online Version Using Allgress
37. #7 – Develop an Action Plan
• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
  • GOOD: “Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.”
  • BAD: “IT management procedures need updating to align with best practices.”
38. Don’t
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension
39. Do
• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely
40. Thank You
EMAIL: andrew.plato@anitian.com
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://slidesha.re/11UaeFN