cybersecurity risk management - cybersecurity risk management.ppt

1
09/03/24 1
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 3-5 pm (CSEB 3043), or by
appointment.
Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J.
Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A.
Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE
Learning, 2010, 4th Edition.
CSE 4482: Computer Security Management:
Assessment and Forensics

2
Objectives
• Upon completion of this chapter you should
be able to:
– Define risk management and its role in the
organization
– Use risk management techniques to identify
and prioritize risk factors for information assets
– Assess risk based on the likelihood of adverse
events and the effects on information assets
when events occur
– Document the results of risk identification
Management of Information Security, 3rd ed.

3
A true story
A local company suffered a catastrophic loss one night when its
office burned to the ground.
As the employees gathered around the charred remains the next
morning, the president asked the secretary if she had been
performing the daily computer backups. To the president’s relief
she replied that yes, each day before she went home she
backed up all the financial information regarding customers,
invoices, order and payments.
The president then asked the secretary to retrieve the backup so
they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I put
those backups in the desk drawer next to the computer in the
office. ”
M. Ciampa, “Security+Guide to Network Security Fundamentals”, pp 303

4
Risk Management
• Risk management: identification,
assessment, and prioritization of risks
• Managing risk is one of the key
responsibilities of every manager within
the organization
• In any well-developed risk management
program, two formal processes are at
work
– Risk identification and assessment
– Risk control

5
Risk Management
“If you know the enemy and know yourself,
you need not fear the result of a hundred
battles
If you know yourself but not the enemy, for
every victory gained you will also suffer a
defeat
If you know neither the enemy nor yourself,
you will succumb in every battle”
-- Sun Tzu

6
Knowing Yourself
• Identifying, examining and understanding
the information and how it is processed,
stored, and transmitted
• Armed with this knowledge, one can initiate
an in-depth risk management program
• Risk management is a process
– Safeguards and controls that are devised and
implemented are not install-and-forget devices

7
Knowing the Enemy
• Identifying, examining, and understanding
the threats facing the organization’s
information assets
– Must fully identify those threats that pose risks
to the organization and the security of its
information assets
• Risk management
– The process of assessing the risks to an
organization’s information and determining
how those risks can be controlled or mitigated

8
Risk management cycle
From http://technet.microsoft.com/en-us/library/cc750827.aspx
• Risk identification
– Identify
– Measure
– Prioritize
• Control measures
– Cost benefit analysis

9
Accountability for Risk Management
Communities of interest must work together
• Information Security – leadership role in
addressing risk
• Information Technology – role involves
building and maintaining secure systems
• Management – role involves resource allocation
and prioritization of security concerns
• Users – crucial role in (early) detection, and
proper response to threats

10
Steps in Risk Management
• Evaluating the risk controls
• Determining which control options are cost-
effective
• Acquiring or installing the appropriate controls
• Overseeing processes to ensure that the controls
remain effective
• Identifying risks
• Assessing risks
• Summarizing the findings

11
Risk Identification
Figure 8-1 Risk identification process
Source: Course Technology/Cengage Learning

12
Asset inventory
• Managers identify the organization’s
information assets
– Classify them into useful groups
– Prioritize them by their overall importance

13
Information Asset Inventory
creation
• Identify information assets
– Includes people, procedures, data and
information, software, hardware, and
networking elements
– This step should be done without pre-judging
the value of each asset
• Values will be assigned later in the process
• Determine which attributes of each
information asset should be tracked

14
Table 8-1 Organizational assets used in systems
creation (contd.)

15
creation (contd.)
• Potential asset attributes
– Name
– Asset tag
– IP address
– MAC address
– asset type
– Serial number
– manufacturer name
– Manufacturer’s model or part number
– Software version, update revision, or FCO number
– Physical location, logical location
– Controlling entity

16
Example: Network Asset tracker
• http://www.misutilities.com/network-asset-tracker/howtouse.html

17
creation (contd.)
Identifying people, procedures and data assets.
Sample attributes for people, procedures, and
data assets
– People
• Position name/number/ID
• Supervisor name/number/ID
• Security clearance level
• Special skills

18
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Procedures
• Description
• Intended purpose Software/hardware/networking
elements to which it is tied
• Location where it is stored for reference
• Location where it is stored for update purposes
creation (contd.)

19
• Sample attributes for people, procedures, and
data assets (cont’d.)
– Data
• Classification
• Owner/creator/manager
• Size of data structure
• Data structure used
• Online or offline
• Location
• Backup procedures
creation (contd.)

20
Next: Asset ranking
• Determine the values of assets
• Prioritize according to value

21
Classifying and Categorizing Assets
• Determine/refine an asset classification scheme
• A classification scheme categorizes information
assets based on their sensitivity, security needs
• Each category designates the level of protection
needed for a particular information asset
• Some asset types, such as personnel, may
require an alternative classification scheme
• Classification categories must be comprehensive
and mutually exclusive

22
Assessing Values for
Information Assets
• Assign a relative value: Comparative
judgments made to ensure that the most
valuable information assets are given the
highest priority

23
Assessing Values for
Information Assets - Questions
1. Which asset is the most critical to the success of
the organization?
2. Which asset generates the most revenue?
3. Which asset generates the highest profitability?
4. Which asset is the most expensive to replace?
5. Which asset is the most expensive to protect?
6. Which asset’s loss or compromise would be the
most embarrassing or cause the greatest
liability?

24
Figure 8-2 Sample asset classification worksheet

25
Table 8-2 Example weighted factor analysis worksheet
Listing Assets in Order of
Importance
Final step: list the assets in order of importance
•achieved by using a weighted factor analysis worksheet

26
Next step: Threat Identification
• Typically: wide variety of threats; each threat
presents a unique challenge to information
security
Questions:
• Which threats present a danger to your
company’s information assets?
– reduce scope and cost of risk management
• Which threats present the gravest danger to
your company’s information assets?
– Rough assessment of severity of threat

27
Table 8-3 Threats to information security
Source: ©2003 ACM, inc., included here by permission
Threat Identification (cont’d.)

28
Source: Adapted from M. E. Whitman. Enemy at
the gates: Threats to information security.
Communications of the ACM, August
2003. Reprinted with permission
Prioritizing threats
Weighted ranks of threats to information security
1000 top computing executives rated threats on a 5 point scale, from
not significant to very significant

29
Prioritizing threats (contd.)
• Severity of threat: catastrophic, major,
moderate, minor, insignificant

30
Prioritizing threats (contd.)
• Probability of threat: negligible to
extreme
Next: Vulnerability analysis

31
Vulnerability Assessment
• Vulnerability: flaw or weakness in an asset that
can be exploited to breach security
– Begin to review every information asset for each threat
– leads to the creation of a list of vulnerabilities that
remain potential risks to the organization
– At the end of the risk identification process, a list of
assets and their vulnerabilities has been developed
– This list serves as the starting point for the next step in
the risk management process - risk assessment

32
Table 8-4 Vulnerability assessment of a DMZ router
Vulnerability Assessment (contd.)

33
Examples
1. Asset: email servers,
– vulnerability: antivirus software not updated,
– threat: virus attack
2. Asset: router,
– vulnerability: incorrect router configuration,
– threat: network susceptible to reduction or loss of
connectivity

34
Likelihood and Consequences
(contd.)
• Consequences and likelihoods are combined
• The resulting rankings can then be inserted into
the TVA tables for use in risk assessment

35
The TVA Worksheet
• At the end of the risk identification process,
a list of assets and their vulnerabilities has
been developed
• Another list prioritizes threats facing the
organization based on the weighted table
discussed earlier
• These lists can be combined into a single
worksheet

36
Table 8-5 Sample TVA spreadsheet
The TVA Worksheet (cont’d.)

37
Figure 8-3 Risk identification estimate factors
Introduction to Risk Assessment
• The goal is to create a method to evaluate
the relative risk of each listed vulnerability
• It is not the presence of a vulnerability that
matters but the associated risk
• Simple model – risk R, probability of risk
event P and value lost by risk event V
satisfy R = PV

38
More complex model
• Extended risk formula
R = Pa Ps V
• Where Pa = Probability of attack and
Ps = Probability that the attack
successfully exploits the vulnerability
V = value lost by successful
exploitation of vulnerability

39
Another formula
• Extended Whitman’s Risk Formula
R = P*V*(1 – CC + UK)
where P = probability that a vulnerability is
exploited,
V = value of asset,
CC = fraction of risk mitigated by current
control,
UK = fraction of risk not fully known
(uncertainty of knowledge)

40
Figure 8-3 Risk identification estimate factors
In words…
Uncertainty: Impossible to know everything about every vulnerability
•The degree to which a current control can reduce risk is also subject
to estimation error
•Uncertainty is estimated by the manager using judgment/experience

41
Risk Determination Example
– Asset A has a value of 50 and has one vulnerability, which has a
likelihood of 1.0 with no current controls. Your assumptions and
data are 90% accurate
– Asset B has a value of 100 and has two vulnerabilities:
vulnerability #2 has a likelihood of 0.5 with a current control that
addresses 50% of its risk; vulnerability # 3 has a likelihood of 0.1
with no current controls. Your assumptions and data are 80%
accurate
– The resulting ranked list of risk ratings for the three vulnerabilities
is as follows:
• Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
• Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% +
20%
• Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0 % + 20%

42
Documenting the Results
of Risk Assessment
• Goals of the risk management process
– To identify information assets and their vulnerabilities
– To rank them according to the need for protection
• In preparing this list, a wealth of factual
information about the assets and the threats they
face is collected
• Information about the controls that are already in
place is also collected
• The final summarized document is the ranked
vulnerability risk worksheet

43
Table 8-9 Ranked vulnerability risk worksheet

44
Documenting the Results of Risk
Assessment (cont’d.)
• What should the documentation package
look like?
• What are the deliverables from this stage of
the risk management project?
• The risk identification process should
designate what function the reports serve,
who is responsible for preparing them, and
who reviews them

45
Summary
• Introduction
• Risk management
• Risk identification
• Risk assessment
• Documenting the results of risk
assessment

46
Risk Control (Ch 9)
Identify Possible Controls
• For each threat and its associated
vulnerabilities that have residual risk,
create a preliminary list of control ideas
• Three general categories of controls exist:
– Policies
– Programs
– Technical controls

47
Objectives
• Upon completion of this chapter, you
should be able to:
– Recognize and select from the risk mitigation
strategy options to control risk
– Evaluate risk controls and formulate a cost-
benefit analysis using existing conceptual
frameworks
– Explain how to maintain and perpetuate risk
controls
– Describe the OCTAVE Method and other
approaches to managing risk

48
Introduction
• To keep up with the competition,
organizations must design and create a
safe environment in which business
processes and procedures can function
– This environment must maintain confidentiality
and privacy and assure the integrity and
availability of organizational data
– These objectives are met via the application of
the principles of risk management

49
Risk Control Strategies
• four basic strategies to control risks
– Avoidance
• Applying safeguards that eliminate or reduce the
remaining uncontrolled risks for the vulnerability
– Transference
• Shifting the risk to other areas or to outside entities
– Mitigation
• Reducing the impact if the vulnerability is exploited
– Acceptance
• Understanding the consequences and accepting the
risk without control or mitigation

50
Avoidance
• The risk control strategy that attempts to
prevent the exploitation of the vulnerability
• Avoidance is accomplished through:
– Application of policy
– Application of training and education
– Countering threats
– Implementation of technical security controls
and safeguards

51
Transference
• The control approach that attempts to shift
the risk to other assets, other processes, or
other organizations
• May be accomplished by rethinking how
services are offered
– Revising deployment models
– Outsourcing to other organizations
– Purchasing insurance
– Implementing service contracts with providers

52
Mitigation
• The control approach that attempts to
reduce the damage caused by the
exploitation of vulnerability
– Using planning and preparation
– Depends upon the ability to detect and respond
to an attack as quickly as possible
• Types of mitigation plans
– Disaster recovery plan (DRP)
– Incident response plan (IRP)
– Business continuity plan (BCP)

53
Mitigation (cont’d.)
Table 9-1 Summaries of mitigation plans

54
Acceptance
• do nothing to protect an information asset
– To accept the loss when it occurs
• assumes that it may be a prudent business
decision to examine the alternatives and
conclude that the cost of protecting an
asset does not justify the security
expenditure

55
Acceptance (contd.)
• the organization must:
– Determine the level of risk to the information asset
– Assess the probability of attack and the likelihood of a
successful exploitation of a vulnerability
– Approximate the ARO of the exploit
– Estimate the potential loss from attacks
– Perform a thorough cost benefit analysis
– Evaluate controls using each appropriate type of
feasibility
– Decide that the particular asset did not justify the cost
of protection

56
Managing Risk
• Risk appetite (also known as risk tolerance)
– The quantity and nature of risk that
organizations are willing to accept
• As they evaluate the trade-offs between perfect
security and unlimited accessibility
• The reasoned approach to risk is one that
balances the expense (in terms of finance
and the usability of information assets)
against the possible losses if exploited

57
Managing Risk (contd.)
• Residual risk
– When vulnerabilities have been controlled as much as
possible, there is often remaining risk that has not
been completely removed, shifted, or planned for
• Residual Risk is a combined function of:
– Threats, vulnerabilities and assets, less the effects of
the safeguards in place
• The goal of information security is not to bring
residual risk to zero, but to bring it in line with an
organization’s risk appetite

58
• If decision makers have been informed of
uncontrolled risks and the proper authority groups
within the communities of interest decide to leave
residual risk in place, then the information security
program has accomplished its primary goal
• Once a control strategy has been selected and
implemented:
– The effectiveness of controls should be monitored and
measured on an ongoing basis to determine its
effectiveness and the accuracy of the estimate of the
residual risk

59
Figure 9-1 Residual risk

60
• Risk control involves selecting one of the
four risk control strategies
– For the vulnerabilities present
• If the loss is within the range of losses the
organization can absorb, or if the attacker’s
gain is less than expected costs of the
attack, the organization may choose to
accept the risk
– Otherwise, one of the other control strategies
will have to be selected
Managing Risk (cont’d.)

61
Risk handling action points
Figure 9-2 Risk-handling action points

62
• When a vulnerability exists
– Implement security controls to reduce the likelihood of a
vulnerability being exercised
• When a vulnerability can be exploited
– Apply layered controls to minimize the risk or prevent occurrence
• When the attacker’s potential gain is greater than the
costs of attack
– Apply technical or managerial controls to increase the attacker’s
cost, or reduce his gain
• When potential loss is substantial
– Apply design controls to limit the extent of the attack, thereby
reducing the potential for loss
Guidelines for risk control
strategy selection

63
Risk control cycle
Figure 9-3 Risk control cycle

64
Feasibility and Cost-Benefit Analysis
• Before deciding on the strategy for a specific
vulnerability
– All readily accessible information about the
consequences of the vulnerability must be explored
– Ask “what are the advantages of implementing a
control as opposed to the disadvantages of
implementing the control?”
• There are a number of ways to determine the
advantage or disadvantage of a specific control
• The primary means are based on the value of the
information assets that it is designed to protect

65
Cost-Benefit Analysis
• Economic feasibility
– The criterion most commonly used when
evaluating a project that implements
information security controls and safeguards
• It is difficult to determine the value of
information
– It is also difficult to determine the cost of
safeguarding it

66
Cost-Benefit Analysis (cont’d.)
• Factors that affect the cost of a safeguard
– Cost of development or acquisition of
hardware, software, and services
– Training fees
– Cost of implementation
– Service and maintenance costs

67
• Benefit
– The value to the organization of using controls
to prevent losses associated with a specific
vulnerability
– Usually determined by valuing the information
assets exposed by the vulnerability and then
determining how much of that value is at risk
and how much risk there is for the asset
– This is expressed as the annualized loss
expectancy (ALE)

68
• Asset valuation
– The process of assigning financial value or
worth to each information asset
– The value of information differs within and
between organizations
• Based on the characteristics of information and the
perceived value of that information
– Involves estimation of real and perceived costs
associated with the design, development,
installation, maintenance, protection, recovery,
and defense against loss and litigation

69
• Asset valuation components
– Value retained from the cost of creating the
information asset
– Value retained from past maintenance of the
information asset
– Value implied by the cost of replacing the
information
– Value from providing the information
– Value acquired from the cost of protecting the
information

70
• Asset valuation components (cont’d.)
– Value to owners
– Value of intellectual property
– Value to adversaries
– Loss of productivity while the information
assets are unavailable
– Loss of revenue while information assets are
unavailable

71
• Potential loss is that which could occur
from the exploitation of vulnerability or a
threat occurrence
• Ask these questions:
– What loss could occur, and what financial
impact would it have?
– What would it cost to recover from the attack,
in addition to the financial impact of damage?
– What is the single loss expectancy for each
risk?

72
• A single loss expectancy (SLE)
– The calculation of the value associated with
the most likely loss from an attack
– SLE is based on the value of the asset and the
expected percentage of loss that would occur
from a particular attack
– SLE = asset value (AV) x exposure factor (EF)
• Where EF is the percentage loss that would occur
from a given vulnerability being exploited
– This information is usually estimated

73
• In most cases, the probability of a threat
occurring is the probability of loss from an
attack within a given time frame
• This value is commonly referred to as the
annualized rate of occurrence (ARO)
ALE = SLE * ARO

74
• CBA determines whether or not a control
alternative is worth its associated cost
• CBAs may be calculated before a control or
safeguard is implemented
– To determine if the control is worth
implementing
• Or calculated after controls have been
implemented and have been functioning for
a time

75
• Cost-benefit analysis formula
CBA = ALE(prior) – ALE(post) – ACS
– ALE (prior to control) is the annualized loss
expectancy of the risk before the
implementation of the control
– ALE (post-control) is the ALE examined after
the control has been in place for a period of
time
– ACS is the annual cost of the safeguard

cybersecurity risk management - cybersecurity risk management.ppt

More Related Content

Similar to cybersecurity risk management - cybersecurity risk management.ppt

Recently uploaded

cybersecurity risk management - cybersecurity risk management.ppt