Performing Effective Risk Assessments Dos and Don ts

Transcription

1 Performing Effective Risk Assessments Dos and Don ts % Gary Braglia Security Specialist GreyCastle Security TCTC March 18, 2013

2 Introduction

3 Who am I?

4

5

6

7

8 Why Risk Management?

9 Because you have to

10 Because you can t be secure Copyright DC Comics All Rights Reserved

11 Because people are not awesome Copyright Universal Pictures All Rights Reserved

12 [not awesome] [not awesome]

13 Show Me This Thing You Call Risk Management

14 Risk Management 101 the total process of identifying, controlling and mitigating information system-related risks * * National Institute of Standards in Technology (NIST) SP800-30

15 Risk Management 101 Risk Assessment Risk Mitigation Evaluation and Assessment

16 Risk Management 101 Focuses on: Confidentiality Integrity Availability Qualitative or Quantitative Balances risk, effort and costs Don t build a $200 fence around a $20 horse

17 Take a Deep breath.

18 Risk Management 101 Impact Probability Low (10) Medium (50) High (100) High (1.0) Low 10 x 1 = 10 Medium 50 x 1 = 50 High 100 x 1 = 100 Medium (0.5) Low 10 x.5 = 5 Medium 50 x.5 = 25 Medium 100 x.5 = 50 Low (0.1) Low 10 x.1 = 1 Low 50 x.1 = 5 Low 100 x.1 = 10

19 Must. Resist. Temptation.

20 Risk Assessment

21 Risk Assessment 1 st process in Risk Management Used to determine potential threats and associated risk Output of this process is used to determine appropriate controls to reduce risk

22 Step 1 System Characterization Characterize system boundaries, criticality and sensitivity based on: Hardware Software Interfaces and integrations People Mission System and data criticality System and data sensitivity

23 Step 2 Threat Identification Identify threats to organizational systems based on: Security violations Incident Management External intelligence Media Classify threats as: Natural Environmental Human

24 You

25 [not awesome]

26 Step 3 Vulnerability Identification Identify vulnerabilities based on: Vulnerability scans Penetration tests Audits Vulnerability lists and advisories Standards Generate list of Vulnerability/Threat pairs Exploits

27 Step 3 Vulnerability Identification Threat Vulnerability Exploit Terminated Employees Fire or Negligent Employees User accounts for terminated employees that are left enabled Fire suppression controls for data center left in uncontrolled areas Terminated employees gain access confidential information Data center fire suppression controls are activated accidentally or maliciously Unauthorized Users Unprotected confidential documents Confidential information is exfiltrated

28 QUIZ Pairing up Threats with Vulnerabilities leads to identifying.what? 1. Exploits

29 Step 4 Control Analysis Analyze the controls that have been implemented, or are planned for implementation that will minimize or eliminate the likelihood of a threat s exercising a system vulnerability Identify: Technical controls Non-technical controls Identify: Preventative controls Detective controls Corrective controls

30 FAIL

31 FAIL

32 FAIL

33 FAIL

34 Step 5 Likelihood Determination Determine the overall likelihood that a vulnerability will be exercised, based on: Threat-source motivation and capability Existence and effectiveness of controls All other factors

35

36 Step 5 Likelihood Determination Level High Medium Definition The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability Low The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised

37 Determining Risk

38 Step 6 Impact Analysis Determine the adverse impact of the exercising of a vulnerability, based on: Loss of (C)onfidentiality Unauthorized, unintentional or unanticipated disclosure of confidential information could result in fines, degradation of reputation, loss of public confidence, embarrassment or legal action Loss of (I)ntegrity Unauthorized, unintentional or unanticipated changes to systems can result in errors, fraud or corruption Loss of (A)vailability Loss of system functionality can result in operational inefficiencies and loss of productive time Occurrences of all jeopardize the organization s mission

39 Step 6 Impact Analysis Level High Medium Low Definition Exercise of the vulnerability (1) may result in the highly costly loss of tangible assets or resources; (2) may significantly violate, harm or impede the organization s mission, reputation, or interest; or(3) may result in human death or serious injury Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede the organization s mission, reputation or interest; or (3) may result in human injury Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect the organization s mission, reputation or interest

40 QUIZ How do we completely eliminate risk? 1. We don t!

41 Step 7 Risk Determination Determine the risk for each threat/vulnerability pair, based on: The likelihood of a given threat-source s attempting to exercise a given vulnerability The magnitude of the impact should a threat-source exercise the vulnerability The adequacy of planned or existing security controls for reducing or eliminating risk

42 Step 7 Risk Determination R i = P i (I i ) R = P i (I i )

43 Step 7 Risk Determination Impact Probability Low (10) Medium (50) High (100) High (1.0) Low 10 x 1 = 10 Medium 50 x 1 = 50 High 100 x 1 = 100 Medium (0.5) Low 10 x.5 = 5 Medium 50 x.5 = 25 Medium 100 x.5 = 50 Low (0.1) Low 10 x.1 = 1 Low 50 x.1 = 5 Low 100 x.1 = 10

44 Step 7 Risk Determination Risk levels are defined as the following: High There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible Medium Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time Low The system s DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk

45 Step 8 Control Recommendations Recommend controls to reduce risk to an acceptable level, based on: Cost-benefit analysis Feasibility Legislation and regulation Organizational policy Operational impact Safety and reliability

46 RISK vs. REWARD

47 Step 9 Results Documentation Produce a management-level report that helps senior management make decisions on budget, process and control recommendations Control recommendations could include changes to: Policy Procedure Personnel Facilities

48 Risk Mitigation

49 Risk Mitigation prioritizing, evaluating and implementing the appropriate riskreducing controls recommended from the risk assessment process * * National Institute of Standards in Technology (NIST) SP800-30

50 Risk Mitigation

51 Risk Mitigation Controls categories include: People Process Technology Risk Mitigation options include: Limitation (fix, modification) Avoidance (remove, eliminate) Transference Assumption Planning (defer)

52 Risk Mitigation Step 1 Prioritize Actions Prioritize control implementation evaluations based on the risk levels presented in the Risk Assessment Resources and priority should be given to High-level risks Step 2 Evaluate Recommended Control Options Analyze the feasibility and effectiveness of the recommended controls Step 3 Conduct Cost-Benefit Analysis Step 4 Select Controls

53 Risk Mitigation Step 5 Assign Responsibility Assign implementation responsibility to resources with the appropriate expertise and experience Step 6 Develop Safeguard Implementation Plan Document the plan for implementing the selected controls, documenting all previously defined criteria, resources, actions, priorities, schedules and requirements Step 7 Implement Controls Implement selected controls and determine residual risk

54 Risk Management Demo

55 Evaluation and Assessment

56 Evaluation and Assessment emphasizes the good practice and need for ongoing risk evaluation and assessment and the factors that will lead to a successful Risk Management program * * National Institute of Standards in Technology (NIST) SP800-30

57 Evaluation and Assessment Risk Management is continuous process Risk Assessment should be considered whenever changes occur in: Hardware, software or technology infrastructure Executive leadership or other key personnel Organizational mission Competitors or market factors Physical facilities, locations Environmental factors Finances Risk appetite

58 QUIZ According to Capt. Kirk - what is our business? 1. RISK!!!

59 Final Thoughts

60 Focus on data

61 and all other assets

62 Leverage your metrics

63