Risk Identification , Assessment and management

1. Dr. Lasantha Ranwala
MBBS, Msc- Biomedical Informatics
Cert. in Ethical Hacking & Cyber
Forensic
Registrar in Health Informatics
Information Security
Session 02: Risk Management

2. VULNERABILI
TY
ASSESSMENT

3. VULNERABILITY
A CHARACTERISTIC OR SPECIFIC WEAKNESS THAT RENDERS AN
ORGANIZATION OR ASSET (SUCH AS INFORMATION OR AN
INFORMATION SYSTEM) OPEN TO EXPLOITATION BY A GIVEN THREAT
OR SUSCEPTIBLE TO A GIVEN HAZARD.

4. EXPLOIT
A TECHNIQUE TO BREACH
THE SECURITY OF A
NETWORK OR
INFORMATION SYSTEM IN
VIOLATION OF SECURITY
POLICY.
A PROGRAM OR TECHNIQUE
THAT TAKES ADVANTAGE
OF A VULNERABILITY TO
REMOTELY ACCESS OR
ATTACK A PROGRAM,
COMPUTER OR SERVER.

5. VULNERABILITY
ASSESSMENT
• start off with the target
network or an individual
specific URL or IP address
• run the test with tools- Scan
• generated the results report
• further investigate and mitigate
potential weaknesses by means
of exploitation
• Do not rely solely on automated
tools
A vulnerability assessment is the process in which one can identify,
quantify, and prioritize or rank the vulnerabilities in a network
infrastructure or a system/systems.

6. SCAN REPORT
• Online scanners
• https://pentest-
tools.com
• https://sitecheck.sucuri
.net/

7. VULNERABILITY ASSESSMENT : RESOURCES
National Vulnerability Database
https://nvd.nist.gov/
• U.S. government repository of standards based vulnerability
management data
• This data enables automation of vulnerability management, security
measurement, and compliance.
• The National Vulnerability Database includes databases of security
check-lists, security related software flaws, misconfiguration, product
names, and impact metrics
SANS Top 20 Critical Security Controls
https://www.cisecurity.org/controls/
focus first on prioritizing security functions which are successful in
producing security controls against the latest Advanced Targeted Threats

8. VULNERABILI
TY
ASSESSMENT
TOOLS
NESSUS SCAN / OPENVAS
SCAN

9. RISK MANAGEMENT

10. RISK
DEFINITION: THE POTENTIAL FOR AN UNWANTED OR
ADVERSE OUTCOME RESULTING FROM AN INCIDENT, EVENT,
OR OCCURRENCE, AS DETERMINED BY THE LIKELIHOOD
THAT A PARTICULAR THREAT WILL EXPLOIT A PARTICULAR
VULNERABILITY, WITH THE ASSOCIATED CONSEQUENCES.
Risk = Likelihood X Consequences

11. RISK VS VULNERABILITY
• Vulnerability
• should be identified and proactive measures taken to
correct identified vulnerabilities.
• Risk
• CAN be mitigated
• Risk can be managed to either lower vulnerability or
the overall impact on the business.

12. WHY IS IT
IMPORTAN
T TO
MANAGE
RISK?
• The principle reason for managing risk in an
organization is to protect the mission and
assets of the organization
• Therefore, risk management must be a
management function rather than a technical
function.

13. RISK
MANAGEME
NT
• Risk management requires an understanding of
how security measures are implemented in the
environment and how a threat can affect the
daily operations
• Failure to manage given risks will result..
• disruption of normal operations
• loss of data, loss of money, legal issues
• Risk management goal is to reduce the
presented risk to an acceptable level
• should balance between the impact of a risk
and the cost of protective measures

14. RISK ASSESSMENT
RISK IS ASSESSED BY IDENTIFYING
THREATS AND VULNERABILITIES, THEN
DETERMINING THE LIKELIHOOD AND
IMPACT FOR EACH RISK
COMPLEX PROCEDURE

15. 1.QUANTITAT
IVE RISK
ASSESSMENT
assigning values to information, systems,
business processes, recovery costs, etc.,
impact, and therefore risk, can be measured
in terms of direct and indirect costs.

16. 2 .
QUALITATI
VE RISK
ASSESSMEN
T
• Qualitative risk assessments assume that there
is already a great degree of uncertainty in the
likelihood and impact values and defines them
• thus risk, in somewhat subjective or
qualitative terms
• Qualitative risk assessments typically give
risk results of “High”, “Moderate” and “Low”

17. 2 .
QUALITATI
VE RISK
ASSESSMEN
T
1. Identifying Threats
• Both threat-sources and threats must
be identified
• Individuals who understand the
organization, industry or type of
system are key in identifying threats
• It is valuable to compile a list of
threats that are present across the
organization and use this list as the
basis for all risk management
activities

18. 2 .
QUALITATI
VE RISK
ASSESSMEN
T
2. Identifying Vulnerabilities
• Different risk management schemes offer
different methodologies for identifying
vulnerabilities
• In general, start with commonly available
vulnerability lists or control areas
• Specific vulnerabilities can be found by
reviewing vendor web sites and public
vulnerability archives
• (Common Vulnerabilities and
Exposures (CVE -
http://cve.mitre.org) or the National
Vulnerability Database (NVD -
http://nvd.nist.gov)
• Vulnerability Scanners
• Penetration Testing

19. 2 .
QUALITATI
VE RISK
ASSESSMEN
T
3. Relating Threats to Vulnerabilities (T-V
pairing)
• One of the most difficult activities in
the risk management process
• But it’s a mandatory activity
• Not every threat-action/threat can be
exercised against every vulnerability.
• a threat of “flood” applies to a
vulnerability of “lack of
contingency planning”, but not to
a vulnerability of “failure to
change default authenticators.
• Organizational standard list of T-V
pairs should be established and used
as a baseline

20. 2 . QUALITATIVE RISK
ASSESSMENT
4. Defining Likelihood
• It is the probability that a
threat caused by a threat-
source will occur against a
vulnerability

21. 2 . QUALITATIVE RISK ASSESSMENT
5. Defining Impact
• In order to ensure repeatability, impact is best defined in
terms of impact upon availability, impact upon integrity and
impact upon confidentiality

22. 2 . QUALITATIVE RISK
ASSESSMENT
6. Assessing Risk
process of determining the
likelihood of the threat
being exercised against the
vulnerability and the
resulting impact from a
successful compromise.

23. RISK
MANAGEME
NT
• Purpose of assessing risk is to assist
management in determining where to direct
resources
• 4 basic strategies for managing risk:
mitigation, transference, acceptance and
avoidance
• For each risk in the risk assessment report, a
risk management strategy must be devised that
reduces the risk to an acceptable level for an
acceptable cost

25. RISK MANAGEMENT STRATEGIES
1. Avoidance
• risk is reduced to 0 or eliminated
• almost impossible to achieve by taking security measures
• only way to do it is to remove the cause of the risk
• Practice of removing the vulnerable aspect of the system or even the
system itself

26. RISK MANAGEMENT STRATEGIES
2. Transference
• Process of allowing another party to accept the risk on your behalf.
• Ex: insurance or service provider
• Note that this does not decrease the likelihood or fix any flaws, but it
does reduce the overall impact (primarily financial) on the organization

27. RISK MANAGEMENT STRATEGIES
3. Mitigation
• use security controls to protect against a risk until the risk impact is
reduced to a tolerance level of the organization.
• Most commonly considered risk management strategy.
• Involves fixing the flaw or providing some type of compensatory control
to reduce the likelihood or impact associated with the flaw.
• Ex:A common mitigation for a technical security flaw is to install a patch
provided by the vendor.

28. RISK MANAGEMENT STRATEGIES
4. Acceptance
• the level of tolerance specified by an organization.
• When all security measures are taken to mitigate a risk, the remainder
of impact will be accepted and tolerated as there is not a way to
remove it 100 percent
• Simply allowing the system to operate with a known risk.
• Many low risks are simply accepted.
• Risks that have an extremely high cost to mitigate are also often accepted

29. Thank you…!
lasantha13@gmail.com