Risk Management: A Failed Strategy with Unachievable Goals.

Richard Stiennon
Chief Research Analyst
IT-Harvest
International Cybersecurity Dialogue

Why Risk Management is Impossible

It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013

Published in: Business, Technology
Comments
  • Good Richard
    I replaced risk management with threat scenario analysis years ago.
    Could not have said it better myself. There is another fundamental disconnect you didn't touch on, and that is the disconnect between IT and security: IT is about running predictable processes while sucking up as much money as possible while failing half the time, and security is about dealing with unpredictable threats in a cost-effective way and living to tell the story.
    See http://www.software.co.il/2013/07/why-security-defenses-are-a-mistake/
    and http://www.software.co.il/2012/08/auditing-healthcare-it-security-and-privacy-with-multiple-threat-scenarios/
    Danny
  • Here is a column I wrote that goes into more detail on my thinking about Risk Management. http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html?page=1

Why Risk Management is Impossible

  1. Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon, Chief Research Analyst, IT-Harvest

  2. What is risk?
     Risk = Threat * Vulnerability * Asset Value
     -or-
     The probable frequency and probable magnitude of future loss (FAIR)

  3. Risk Management 101
     • 1. Identify all critical assets
     • 2. Score them by “value”
     • 3. Discover all vulnerabilities
     • All three are impossible.

  4. What is an IT asset?
     • Desktops
     • Laptops
     • Servers
     • Thumb drives
     • Switches
     • Applications
     • Databases
     • Records
     • Artifacts (VM images)
     • Usernames, passwords, email addresses
     • IP addresses, domains
     • Digital certificates (SSL, SSH, Kerberos, code signing, identity)
     • Email, email archives
     • Business intelligence data
     • Logs
     • Policies, settings, configurations
     • Processes, work flow, authorization
     • IP: designs, formulae, patent applications, litigation documents, spreadsheets, docs, PowerPoint
     • Real time data
     • Metadata
     • Software licenses and version data
     • Virtual data center (repeat most of above)
     • Phones
     • Smart phones
     • Video conferencing
     • Firewalls, IPS, content filtering, log management, patch management, trouble ticketing, AV, etc. etc. etc.
     • Active Directory
     • Ephemeral assets

  5. What is the value of an IT asset?
     • Replacement cost? Purchase+shipping+config+restore+staging+deployment
     • Cost to reproduce data?
     • Loss of productivity?
     • Loss of business competitiveness?
     • Lost sales?
     • Lost battle?

  6. Can you really reduce the surface area (exposed vulnerabilities)?
     • Some systems cannot be patched
       • Legacy
       • Operations
     • All systems have unknown vulnerabilities

  7. Risk Manage This:

  8. Or this: Athens 2004
     A series of software updates turns on lawful intercept function in Ericsson switch.
     104 diplomats and Olympic officials spied on.
     Engineer mysteriously commits suicide.

  9. Or this: Cyber sabotage: Stuxnet
     Diagram labels: Step 7 software; s7otbxdx.dll (DLL rootkit); s7otbxsx.dll (original DLL); new data blocks added.

  10. Or this: Trading losses
      2008, Jerome Kerviel covers up trading losses.
      Largest trading fraud in history to be carried out by a single person.
      $54 billion exposure, $7.14 billion loss.
      5 year sentence reduced to 3.

  11. Or this:
      • Saudi Aramco, August 2012
      • South Korea, March 2013

  12. Or this:
      • Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to Assistant Defense Secretary Lynn.
      • Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.

  13. Risk management is based on normal distribution of events
      • IT security is not subject to Gaussian distributions
      • The difference is: adversaries
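Slide 2 gives two definitions of risk (the point estimate Risk = Threat * Vulnerability * Asset Value, and FAIR's "probable frequency and probable magnitude of future loss"), and slide 13 argues that risk management assumes a normal distribution while adversary-driven events are not Gaussian. The script below is an added example, not part of Richard Stiennon's deck: it builds the FAIR-style decomposition (loss events per year times loss per event) and compares two loss-magnitude models that share exactly the same expected loss per event, one Gaussian and one Pareto (heavy-tailed). The point estimate is identical for both, so a single risk score cannot tell them apart; the tails differ by a wide margin. Every parameter (two loss events a year, a $100,000 mean loss, a $30,000 standard deviation, Pareto shape alpha = 2, the seed) is a constructed value chosen for illustration, and the simulation goes beyond the slide's formula by showing the whole loss distribution rather than one number.

```python
"""Added example, not from the deck: the same point estimate, two very different tails.

Annual loss = (number of loss events in the year) x (loss per event), the FAIR-style
'probable frequency x probable magnitude' decomposition from slide 2. Two magnitude
models with identical mean loss per event are compared: Gaussian (the assumption
slide 13 attributes to risk management) and Pareto (heavy-tailed). All parameters
below are constructed for illustration.
"""
import math
import random
from statistics import NormalDist, mean


def point_estimate_risk(threat, vulnerability, asset_value):
    """Slide 2's formula: one expected-loss number carrying no tail information."""
    return threat * vulnerability * asset_value


def pareto_scale_for_mean(target_mean, alpha):
    """Pareto(xm, alpha) with alpha > 1 has mean xm * alpha / (alpha - 1); solve for xm."""
    if alpha <= 1:
        raise ValueError("alpha must exceed 1 for the mean to be finite")
    return target_mean * (alpha - 1) / alpha


def pareto_quantile(p, xm, alpha):
    """Closed-form p-quantile of Pareto(xm, alpha)."""
    return xm * (1.0 - p) ** (-1.0 / alpha)


def normal_quantile(p, mu, sigma):
    """Closed-form p-quantile of Normal(mu, sigma)."""
    return NormalDist(mu, sigma).inv_cdf(p)


def poisson(lam, rng):
    """Knuth's Poisson sampler: number of loss events in one year."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def percentile(samples, p):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, max(0, math.ceil(p * len(ordered)) - 1))
    return ordered[idx]


def simulate_annual_losses(draw_magnitude, events_per_year, years, rng):
    """Annual loss = sum of per-event losses; the event count is Poisson(events_per_year)."""
    return [sum(draw_magnitude(rng) for _ in range(poisson(events_per_year, rng)))
            for _ in range(years)]


def compare(events_per_year=2.0, mean_loss=100_000.0, sigma=30_000.0,
            alpha=2.0, years=10_000, seed=7):
    """Same point estimate, two magnitude models; returns tail statistics of each."""
    rng = random.Random(seed)
    xm = pareto_scale_for_mean(mean_loss, alpha)   # constructed: mean matches the Gaussian

    def gaussian_loss(r):
        return max(0.0, r.gauss(mean_loss, sigma))  # a loss cannot be negative

    def pareto_loss(r):
        return xm * r.paretovariate(alpha)          # paretovariate() draws with xm = 1

    gauss = simulate_annual_losses(gaussian_loss, events_per_year, years, rng)
    pareto = simulate_annual_losses(pareto_loss, events_per_year, years, rng)
    return {
        "point_estimate": events_per_year * mean_loss,  # what both models report as 'risk'
        "gauss_mean": mean(gauss),
        "pareto_mean": mean(pareto),
        "gauss_p99": percentile(gauss, 0.99),
        "pareto_p99": percentile(pareto, 0.99),
        "gauss_p999": percentile(gauss, 0.999),
        "pareto_p999": percentile(pareto, 0.999),
        "gauss_max": max(gauss),
        "pareto_max": max(pareto),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>15}: {value:>14,.0f}")
```

Running it prints the same point estimate for both models while the Pareto 99.9th percentile and worst year sit far above the Gaussian ones; with alpha = 2 the Pareto variance is infinite, so no amount of extra sampling settles the tail. That gap is the slide's argument in numbers: a score built from expected values is blind to exactly the years a targeted attack produces.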
  14. Targeted Attacks are Not Random
      • Risk Management arose to address “random attacks”: viruses, worms, opportunistic hackers.
      • Targeted attacks are Black Swan events

  15. So, if Risk Management is a failure what should be done?
      • Welcome to the world of threat based security, the real world.

  16. Some scenarios
      • A mass killer is on the loose. Find him and stop him? Or protect every “asset”?
      • Chinese Comment Crew is in your network. Do a vulnerability scan?
      • Rogue employee is accessing customer database. Beef up security awareness training?

  17. Cyber kill chain

  18. Security Intelligence is the key to threat management
      • Malware analysis
      • Key indicators of attack
      • Key indicators of compromise
      • Threat actor intelligence

  19. The Cyber Defense Team
      • Operations
      • Analysts
      • Red Team
      • Cyber Commander

  20. Let’s be honest
      • Risk Management was developed so that IT security could “speak to management.”
      • Management understands threats not risks.
      • Show them the threats and they will respond.
