Rapid Risk Assessment


Anitian's Rapid Risk Assessment is a revolutionary new way to approach risk. It is an accelerated version of the NIST 800-30 methodology designed to put Business Risk Intelligence into the hands of executive leadership to fuel informed, data-driven decision making.


Speaker notes
  • PCI: the information supplements of 2012, which Anitian contributed to, underscored the importance of proper risk assessment.
  • HIPAA: a breach, in HIPAA language, is any time PHI goes to an unauthorized person or entity, not just hacking or malware. The HIPAA four factors: (i) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the protected health information or to whom the disclosure was made; (iii) whether the protected health information was actually acquired or viewed; and (iv) the extent to which the risk to the protected health information has been mitigated.
  • FFIEC: over the past few years, many regulators were focused on solvency issues with banks. Now they are returning to look at security risk issues.
  • Can’t apply financial risk models to computer systems and volatile apps.
  • Breach notification stats are flawed because most companies don’t disclose their breaches. You still need to do probability analysis, just keep it realistic
  • Testing also gives you two types of risks: technical and operational
  • Stating the obvious, but it gets easily forgotten: it is not enough to just identify risk and explain it. Risk management must take the next step and actually present ways to reduce or eliminate the risk, not merely document it. And those ways must be realistic, tangible, and practical; an impractical recommendation is useless and just fills up space. It is fruitless to force numbers onto something to provide the appearance of empiricism. That is the action of immature risk managers who feel they need numbers to be taken seriously. If a company cannot take risk management seriously through clear explanations of risk, then numbers are just a show, which makes them even less meaningful. Moreover, it is nearly impossible to assign value to every IT asset, and that value is too volatile. If you do not understand how something works, how can you assess the risks?
  • Hands-on skills are most valuable for recommendations. Security analysis: pen testing, vulnerability
  • Value should be in the context of the entire company, not an individual team, group, or function. It is easy for database admins, for example, to see the database as the most critical asset in the company, but it might not be. Everybody thinks their job is the most critical. Questions for custodians: walk me through the infrastructure; what are the most critical systems, applications, etc.; who approves access to these systems; what are some of the incidents? Questions for business process owners: who are the users; how important is it to the business; do you know who maintains it; who is the owner?
  • A bad threat definition comes from somebody who does not know what they are talking about.
Slide transcript

    1. ANITIAN, intelligent information security
       RAPID RISK ASSESSMENT: A NEW APPROACH TO RISK
    2. Overview
       Intent
       • Discuss the problems with current risk assessment techniques
       • Introduce Rapid Risk Assessment, a new way to do risk assessments
       Outline
       1. The Risk Environment
       2. Failure of Current Risk Assessment Practices
       3. Preparing for Rapid Risk Assessment
       4. The Rapid Risk Assessment Process
    3. Speaker: Andrew Plato
       • President / CEO of Anitian
       • 20 years of experience in IT & security
       • Completed thousands of security assessments & projects
       • Discovered SQL injection attack tactic in 1995
       • Helped develop first in-line IPS engine (BlackICE)
       • Co-developed RiskNow™, the Rapid Risk Assessment approach
       • Championed movement toward practical, pragmatic information security solutions
    4. ANITIAN
       We enlighten, protect and empower great security leaders. We believe security will make the world a better place.
       • Security is necessary for innovation and growth
       • Security can be empowering when it is practical and pragmatic
       • Good security comes from rational, scientific methods of analysis
    5. THE RISK ENVIRONMENT
    6. What is Risk Assessment?
       • Answers simple questions:
         • What could harm the organization?
         • How bad would it be?
         • How do we prevent it?
       • Risk assessment aims to:
         • Identify threats
         • Determine the risk of those threats
         • Craft reasonable remedies to mitigate, transfer or accept risk
         • Help protect the business/organization and its assets
         • Empower leadership to make sensible risk decisions
    7. Increasing Emphasis on Risk Assessment
       • Always been a PCI requirement (12.1.2)
       • HIPAA Omnibus reinforces need for risk assessment
         • Assessment to define risk management program (which in turn defines the controls that meet the standard)
         • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
       • FFIEC 2011 Supplement mandated new things to assess
         • Defines specific issues to analyze concerning authentication
         • Reinforced the need for annual assessments
         • Mandated assessments on banking applications
         • Outlined requirements to re-perform assessments when there are changes
    8. Increased Scrutiny
       • From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
       • Regulations are demanding more risk assessments
       • Regulators are shifting focus to look at risk assessments
       • Business leaders are demanding better risk analysis
       • So what’s the problem?
    9. THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES
    10. Something Is Not Right Here
        • For years, people have been complaining about risk assessment:
          • “Why does this take so long?”
          • “This is just a paperwork exercise”
          • “What am I supposed to do with this?”
          • “Where are the problems?”
          • “How do I fix the problems?”
          • “Are we in danger?”
          • “What do all these numbers, charts and worksheets mean?”
          • “This is just a meaningless regulatory requirement!”
        • We were not the only ones…
    11. Practitioners are Questioning Risk Assessment
        Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
    12. With Mixed Results
        “For any risk management method … we must ask … ‘How do we know it works?’ If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.”
        Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
    13. The Problem
        • Current practices are…
          • Too slow
          • Incomprehensible to leadership
          • Failing to provide clear actionable steps to reduce risk
          • Failing to protect the business
        How did this happen?
    14. Fail 1: Arcane Language
        • Language affects not only comprehension, but also acceptance
        • Overly complex, arcane language is inefficient and inaccessible
        • Risk management theories devolve into nitpicking paperwork exercises that nobody reads
        • Consider this definition from OCTAVE for Defined Evaluation Activities: “Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.”
    15. Fail 2: The Fallacy of Numbers
        • Using numbers does not make analysis more “true”
        • If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
        • Charts full of numbers may “feel” empirical, but they’re not
        • It’s impossible to establish true value for an IT asset
        • Misleading, creates a false sense of accuracy
        • Creates a false scale that does not translate into real-world thinking
    16. Fail 3: Time Consuming
        • IT risk is volatile, dynamic and has a short shelf life
        • Any risk assessment over 90-180 days old is stale
        • NIST, OCTAVE, FAIR are too time consuming
        • Risk assessments need to be done in 30 days or less
        • Surveys and questionnaires do not work; people ignore them
        • Risk assessment is not a consensus of opinions
    17. Fail 4: Probability Can Be Flawed
        “On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
        • Lack of time context makes any assessment of probability fundamentally flawed
        • Humans are naturally bad at assessing the probability of risks
        • Fallacy of backtesting
        • Breach statistics are flawed, since most do not report breaches
    18. Fail 5: Lack of Evidence
        • Current risk assessment methodologies focus heavily on process and documentation
        • People omit negative information on surveys or questionnaires
        • Without technical testing, how do you prove whether vulnerabilities are real or not?
        • Leadership must be able to trust that assessment conclusions are valid
    19. We Need a New Way to do Risk Assessment
        • Risk assessment needs to be more useful
        • How can this process produce tangible ways to reduce risk?
        • The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
        • Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
        • How do we improve risk assessment to make it:
          • More accurate
          • More responsive to business needs
          • More actionable
          • Quicker
    20. Introducing Rapid Risk Assessment
        • Accelerates the risk assessment process
        • Integrated technical testing
        • Trades precision and some accuracy for efficiency and usability
        • Focuses on simplicity and clarity
        • Dismisses theory and conjecture in favor of decisive action
        • Explains risk in simple, business-friendly terminology
        • Uses a set time frame for probability
        • Simplifies the assignment of value
        • Uses a “lens” to categorize and contextualize threats
        • Establishes authority to make risk judgments
        • Fully vetted for PCI, HIPAA, FFIEC, NERC
    21. PREPARING FOR RAPID RISK ASSESSMENTS
    22. 1. Get Everybody to Agree on the Core Six Words
        • Risk is an over-used word that is often misunderstood
        • Get everybody using proper risk terminology:
          • Threat: something bad that might happen
          • Vulnerability: a weakness a threat could exploit
          • Impact: how badly a threat can damage the business
          • Probability: how likely a threat is in a given timeframe
          • Control: something that mitigates a threat
          • Risk: an assessment of a threat based upon its probability and impact in relation to the relevant controls
    23. 2. Simplify the Content
        • No theories, no complex worksheets, no “risk management” terms
        • Simple, business language that states risk in a plain, matter-of-fact way
        • Express risk as it *is*, without conjecture or indecisiveness
        • Use active voice in all risk documentation
        • Should be able to sum up the entire assessment effort in a few bullet points
    24. 3. Conduct Technical Testing
        • Test in-scope assets for vulnerabilities
        • Assign IT-savvy people to the risk team with skills in:
          • Systems administration
          • Network design, architecture, management
          • Security analysis
          • Application lifecycle management
          • Database administration
          • IT practices, procedures, policies development
        • Must know how an IT department runs if you ever hope to identify its weaknesses
    25. 4. Sell Risk Assessment to Leadership
        • Management must support the risk assessment effort
        • Must have access to business process owners and IT custodians
        • Need the ability to test, or access to testing data
        • Authority to decisively analyze technologies
        • Ability to build credibility and authority through experience, language, and engagement
    26. THE RAPID RISK ASSESSMENT PROCESS
    27. 1. Establish Scope & Lens
        • Scope: what assets are in scope (can be anything)
        • Lens: how will you look at the assets?
          • Data types: customer, internal, security, etc.
          • System: server, workstation, infrastructure
          • Application: user, customer, financial, etc.
          • Location: offices, divisions, etc.
        • The Lens is what makes Rapid Risk Assessment work:
          • Provides a contextual framework for analyzing data
          • It helps focus the effort
          • It aids greatly in comprehension
    28. 2. Interview Stakeholders
        • No questionnaires or surveys; conduct face-to-face discussions
        • Questions should be open-ended, and encourage venting:
          • Chase the rabbit (data)
          • Focus on current state
          • Document answers
        • Leadership: “How would you kill this company?”
        • Business process owners: “What is critical?” “How would you cause harm?” “How bad would it be?”
        • IT custodians: “Walk me through how you manage this environment.”
    29. 3. Test the Environment
        • Scan and test all in-scope assets:
          • Vulnerability scanning
          • Penetration testing
          • Web application testing
          • Database testing
          • Configuration analysis (sample as needed)
          • Review AV / IPS / Firewall logs (sample and spot check)
          • Are people following security policies?
        • Risk analysis must be grounded in REAL data, not feelings, ideas, theories, or personal interpretations
        • This is where hands-on IT experience is a must
    30. 4. Define Threats & Correlate Data
        • Define threats: something bad that could happen
        • Organize threats into simplified categories:
          • Technical: threats to systems, hardware, applications, etc.
          • Operational: threats that affect practices, procedures, or business functions
          • Relational: threats to a relationship between groups, people or third parties
          • Physical: threats to facilities, offices, etc.
          • Reputational (optional): threats to the organization’s reputation, perception, or public opinion
        • Keep threats simple (see examples next slide)
        • Avoid compound or cascading threats
    31. Threat Samples
        • Good Threat Definitions
          • Theft of confidential data
          • Malware infection
          • Denial of service attack
          • Theft of sensitive authentication data
        • Bad Threat Definitions
          • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
          • A hacker breaks into the election system and uses the data to threaten people and influence politicians
          • Missing patches on systems
    32. 5. Define Probability & Impact Scale
        Probability (likelihood of occurrence within the next 12 months):
        • Certain: 95% or greater
        • High: 50-94%
        • Medium: 20-49%
        • Low: 1-19%
        • Negligible: less than 1%
        Impact:
        • Critical: catastrophic effect on the Data Asset.
        • High: serious impact on the Data Asset's functionality.
        • Medium: threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
        • Low: impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
        • Negligible: Data Asset remains functional for the business with no noticeable slowness or downtime.
    33. 6. Build a Threat Matrix
        • A spreadsheet that defines each threat with the following attributes:
          • Threat name
          • Threat type
          • Affected assets
          • Vulnerabilities
          • Impact
          • Impact type
          • Mitigating controls
          • Probability
          • Risk
          • Risk mitigation
          • Residual risk
    34. Risk Matrix Example
        Row 1
        • Threat: A data center disaster puts the systems offline for an indefinite period of time
        • Threat Type: Physical
        • Affected Systems, Processes or Place: SampleCorp; 123SampleApp
        • Affected Data Types: ePHI; PII
        • Vulnerabilities: The current SampleCorp and 123SampleApp production systems have no geographical diversity
        • Impact: Critical
        • Impact Type: Availability
        • Mitigating Controls: The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
        • Probability: Negligible
        • Risk: Medium
        • Risk Type: Reputational; Financial; Regulatory; Legal
        • Risk Mitigation: Implement the following components of the Common Control Framework: Develop a secondary location with a recent backup copy of the data. Anitian
        • Residual Risk: Low
        Row 2
        • Threat: A disaster interrupts business processes
        • Threat Type: Operational
        • Affected Systems, Processes or Place: SampleCorp; 123SampleApp
        • Affected Data Types: ePHI; PII
        • Vulnerabilities: A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications
        • Impact: High
        • Impact Type: Availability
        • Mitigating Controls:
          • 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business.
          • Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed.
        • Probability: Low
        • Risk: Medium
        • Risk Type: Reputational; Financial; Regulatory; Legal
        • Risk Mitigation: Implement the following components of the Common Control Framework: Develop and test a formal BCP and DRP
        • Residual Risk: Low
        Row 3
        • Threat: A disaster interrupts business processes
        • Threat Type: Operational; Physical
        • Affected Systems, Processes or Place: All corporate and production systems
        • Affected Data Types: BSD
        • Vulnerabilities:
          • A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications
          • The current SampleCorp and 123SampleApp production systems have no geographical diversity
        • Impact: High
        • Impact Type: Availability
        • Mitigating Controls:
          • 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business.
          • Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed.
          • The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
        • Probability: Low
        • Risk: Medium
        • Risk Type: Reputational; Financial; Regulatory; Legal
        • Risk Mitigation: Implement the following components of the Common Control Framework:
          • Develop and test a formal BCP and DRP
          • Develop a secondary location with a recent backup copy of the data. Anitian understands that this is already under consideration, and SampleCorp should move ahead with its plans.
        • Residual Risk: Low
    35. 7. Develop a Business Risk Intelligence Report
        • Summarize risks to the business
        • List the top 10 most serious threats
        • Simplify the data into:
          • Threat
          • Vulnerabilities
          • Recommendation
          • Rankings for impact, probability and risk
        • Develop an Action Plan that rolls up recommendations
        • Make specific recommendations, no vague suggestions
        • Keep the report under 15 pages (preferably 5-10)
    36. Business Risk Intelligence Report Sample
        • Threat: Malware infection
        • Vulnerabilities:
          • Outdated anti-virus
          • Lack of anti-virus on 36% of servers
          • 32 high-ranked vulnerabilities on in-scope systems
          • Lack of virus scanning at the network layer
        • Recommendation:
          • Endpoint antivirus must be installed on all hosts.
          • All endpoint antivirus must be updated daily.
          • All systems must have new patches applied within 30 days of release.
          • Company must deploy a more robust patch management platform.
          • Implement a core firewall that can perform virus scanning at the network layer.
        • Impact: H (High)
        • Probability: C (Certain)
        • Risk: C (Critical)
    37. Action Plan Example
        • #: 1
        • Action: Integrate all critical devices with SIEM
        • Description:
          • Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices.
          • Tune event correlation, incident thresholds and alerting.
          • Integrate alerting with the incident response plan.
          • This work is critical because currently little or no automated review or alerting for unauthorized access to PHI occurs.
        • Estimate: 200-280 hours
        • Effort: High
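Steps 4 through 7 of the process (define threats, fix the probability and impact scales, build the threat matrix, roll it up into the Business Risk Intelligence report and action plan) are concrete enough to write down as a small model, which the Python below does. It is an added example, not Anitian's RiskNow tooling or anything from the deck. The one rule the slides never state is how a probability rating and an impact rating combine into a risk rating; the `risk_rank` rule here is an assumption, chosen only because it reproduces the three worked ratings on the slides (Negligible probability with Critical impact and Low with High both giving Medium, Certain with High giving Critical). The `Threat` fields follow the threat matrix slide, the sample rows are constructed from the SampleCorp / 123SampleApp and malware examples, and the post-mitigation ratings are entered as the assessor's judgment rather than computed, in keeping with the deck's point that the assessment is qualitative.

```python
"""Threat matrix and Business Risk Intelligence roll-up for a Rapid Risk
Assessment.  Added example: the probability x impact combination rule is an
assumption (see risk_rank) and the sample rows are constructed."""
from dataclasses import dataclass
from math import ceil

# Ordinal scales from the "Define Probability & Impact Scale" slide, low to high.
# Risk is rated with the impact vocabulary, as the matrix and report samples do.
PROBABILITY = ["Negligible", "Low", "Medium", "High", "Certain"]
IMPACT = ["Negligible", "Low", "Medium", "High", "Critical"]
RISK = IMPACT


def risk_rank(probability: str, impact: str) -> str:
    """ASSUMED rule, not from the deck: mean of the two ordinal positions,
    rounded up.  Rounding up keeps a Critical impact at Medium risk even at
    Negligible probability, which is what the matrix slide shows."""
    p, i = PROBABILITY.index(probability), IMPACT.index(impact)
    return RISK[ceil((p + i) / 2)]


@dataclass
class Threat:
    """One row of the threat matrix; attributes from the 'Build a Threat Matrix' slide."""
    name: str                      # short and non-compound: "Malware infection", not a story
    threat_type: str               # Technical / Operational / Relational / Physical / Reputational
    affected_assets: list[str]
    vulnerabilities: list[str]     # found by technical testing, not reported on a survey
    impact: str
    impact_type: str               # Availability, Confidentiality, ...
    mitigating_controls: list[str]
    probability: str
    recommendations: list[str]     # the "Risk Mitigation" column: specific actions
    residual_probability: str      # assessor's rating once the recommendations are done
    residual_impact: str

    @property
    def risk(self) -> str:
        return risk_rank(self.probability, self.impact)

    @property
    def residual_risk(self) -> str:
        return risk_rank(self.residual_probability, self.residual_impact)


def _severity(t: Threat) -> tuple[int, int, int]:
    """Sort key: risk first, then impact, then probability."""
    return (RISK.index(t.risk), IMPACT.index(t.impact), PROBABILITY.index(t.probability))


def top_threats(matrix: list[Threat], n: int = 10) -> list[Threat]:
    """The report's 'top 10 most serious threats', most serious first."""
    return sorted(matrix, key=_severity, reverse=True)[:n]


def action_plan(matrix: list[Threat]) -> list[tuple[str, list[str]]]:
    """Roll recommendations up into one action each, tagged with the threats it
    addresses and ordered by the highest-risk threat it reduces."""
    actions: dict[str, list[Threat]] = {}
    for t in matrix:
        for rec in t.recommendations:
            actions.setdefault(rec, []).append(t)
    ordered = sorted(actions.items(),
                     key=lambda kv: max(RISK.index(x.risk) for x in kv[1]),
                     reverse=True)
    return [(rec, [x.name for x in ts]) for rec, ts in ordered]


def report(matrix: list[Threat], n: int = 10) -> str:
    """Plain-text summary in the shape of the Business Risk Intelligence report."""
    lines = [f"{'Threat':<45} {'Impact':<10} {'Probability':<12} {'Risk':<9} Residual"]
    for t in top_threats(matrix, n):
        lines.append(f"{t.name[:44]:<45} {t.impact:<10} {t.probability:<12} "
                     f"{t.risk:<9} {t.residual_risk}")
    lines.append("Action plan:")
    for k, (rec, names) in enumerate(action_plan(matrix), 1):
        lines.append(f"  {k}. {rec}  [addresses: {', '.join(names)}]")
    return "\n".join(lines)


# Constructed sample rows, modelled on the deck's SampleCorp / 123SampleApp
# matrix and on the malware row of the report sample.
SAMPLE_MATRIX = [
    Threat("Data center disaster takes systems offline", "Physical",
           ["SampleCorp", "123SampleApp"],
           ["Production systems have no geographical diversity"],
           "Critical", "Availability",
           ["Data center has multiply redundant power and network connectivity"],
           "Negligible",
           ["Develop a secondary location with a recent backup copy of the data"],
           "Negligible", "Medium"),
    Threat("Disaster interrupts business processes", "Operational",
           ["SampleCorp", "123SampleApp"],
           ["No formal DRP or BCP exists for critical systems"],
           "High", "Availability",
           ["Applications are not highly time sensitive"],
           "Low",
           ["Develop and test a formal BCP and DRP"],
           "Low", "Low"),
    Threat("Malware infection", "Technical", ["All in-scope servers"],
           ["Outdated anti-virus", "No anti-virus on 36% of servers",
            "32 high-ranked vulnerabilities", "No virus scanning at the network layer"],
           "High", "Confidentiality", [], "Certain",
           ["Endpoint antivirus must be installed on all hosts",
            "All systems must have new patches applied within 30 days of release"],
           "Low", "Medium"),
]

if __name__ == "__main__":
    print(report(SAMPLE_MATRIX))
```

Run as a script it prints the ranked threats and the rolled-up action plan. The point of keeping `residual_probability` and `residual_impact` as assessor-entered fields rather than deriving them is the deck's own: the numbers are ordinal labels, and the judgment of a tester who has seen the environment is the input, not a formula.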
    38. Do Not…
        • Try to change the culture of the business
        • Let perfection become the enemy of good
        • Cite any kind of risk management theory; nobody cares
        • Send out questionnaires, surveys or spreadsheets; nobody will do them correctly
        • Use a lot of risk terminology; nobody understands it
        • Document indecision; it shows weakness
        • Create complexity to make things feel more important
        • Create phony numbers to make it feel true
        • Use inaccessible matrices, worksheets, or process flows
        • Waste time with sensationalist threats
        • Involve anybody who sells you equipment in the process
    39. Do
        • Use simple language
        • Define simple threats
        • List simple vulnerabilities
        • Keep impact and probability simple
        • Establish authority with experience, language, and presence
        • Identify tangible, actionable recommendations
        • Help management make decisions about risk
        • Focus on the likely
    40. Thank You
        EMAIL: andrew.plato@anitian.com
        WEB: www.anitian.com
        BLOG: blog.anitian.com
        SLIDES: http://bit.ly/anitian
        CALL: 888-ANITIAN