Performing Effective Risk Assessments: Dos and Don'ts. Gary Braglia, Security Specialist, GreyCastle Security. TCTC, March 18, 2013
Introduction
Who am I?
Why Risk Management?
Because you have to
Because you can't be secure
Because people are not awesome
Show Me This Thing You Call Risk Management
Risk Management 101: "the total process of identifying, controlling and mitigating information system-related risks" (National Institute of Standards and Technology (NIST) SP 800-30)
Risk Management 101: the three phases are Risk Assessment, Risk Mitigation, and Evaluation and Assessment
Risk Management 101: Focuses on Confidentiality, Integrity and Availability. Can be qualitative or quantitative. Balances risk, effort and costs: don't build a $200 fence around a $20 horse.
Take a Deep breath.
Risk Management 101: the risk matrix (likelihood x impact; impact values Low = 10, Medium = 50, High = 100; likelihood values High = 1.0, Medium = 0.5, Low = 0.1)

Likelihood      Impact Low (10)        Impact Medium (50)     Impact High (100)
High (1.0)      Low    (10 x 1 = 10)   Medium (50 x 1 = 50)   High   (100 x 1 = 100)
Medium (0.5)    Low    (10 x .5 = 5)   Medium (50 x .5 = 25)  Medium (100 x .5 = 50)
Low (0.1)       Low    (10 x .1 = 1)   Low    (50 x .1 = 5)   Low    (100 x .1 = 10)
Must. Resist. Temptation.
Risk Assessment
Risk Assessment: the first process in Risk Management. Used to determine potential threats and the associated risk. The output of this process is used to determine appropriate controls to reduce risk.
Step 1, System Characterization: characterize system boundaries, criticality and sensitivity based on hardware, software, interfaces and integrations, people, mission, system and data criticality, and system and data sensitivity.
Step 2, Threat Identification: identify threats to organizational systems based on security violations, incident management, external intelligence and media. Classify threats as natural, environmental or human.
You
Step 3, Vulnerability Identification: identify vulnerabilities based on vulnerability scans, penetration tests, audits, vulnerability lists and advisories, and standards. Generate a list of vulnerability/threat pairs and the resulting exploits.

Step 3, Vulnerability Identification (example threat/vulnerability/exploit pairs)

Threat                          Vulnerability                                                        Exploit
Terminated Employees            User accounts for terminated employees that are left enabled         Terminated employees gain access to confidential information
Fire or Negligent Employees     Fire suppression controls for data center left in uncontrolled areas Data center fire suppression controls are activated accidentally or maliciously
Unauthorized Users              Unprotected confidential documents                                   Confidential information is exfiltrated
QUIZ: Pairing up threats with vulnerabilities leads to identifying... what? 1. Exploits
Step 4, Control Analysis: analyze the controls that have been implemented, or are planned for implementation, that will minimize or eliminate the likelihood of a threat exercising a system vulnerability. Identify technical and non-technical controls, and identify preventative, detective and corrective controls.
FAIL
FAIL
FAIL
FAIL
Step 5, Likelihood Determination: determine the overall likelihood that a vulnerability will be exercised, based on threat-source motivation and capability, existence and effectiveness of controls, and all other factors.

Step 5, Likelihood Determination (levels)

Level    Definition
High     The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
Medium   The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability
Low      The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised
Determining Risk
Step 6, Impact Analysis: determine the adverse impact of the exercising of a vulnerability, based on:
Loss of (C)onfidentiality: unauthorized, unintentional or unanticipated disclosure of confidential information could result in fines, degradation of reputation, loss of public confidence, embarrassment or legal action
Loss of (I)ntegrity: unauthorized, unintentional or unanticipated changes to systems can result in errors, fraud or corruption
Loss of (A)vailability: loss of system functionality can result in operational inefficiencies and loss of productive time
Occurrences of all three jeopardize the organization's mission

Step 6, Impact Analysis (levels)

Level    Definition
High     Exercise of the vulnerability (1) may result in the highly costly loss of tangible assets or resources; (2) may significantly violate, harm or impede the organization's mission, reputation, or interest; or (3) may result in human death or serious injury
Medium   Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede the organization's mission, reputation or interest; or (3) may result in human injury
Low      Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect the organization's mission, reputation or interest
QUIZ: How do we completely eliminate risk? 1. We don't!
Step 7, Risk Determination: determine the risk for each threat/vulnerability pair, based on the likelihood of a given threat-source attempting to exercise a given vulnerability, the magnitude of the impact should a threat-source exercise the vulnerability, and the adequacy of planned or existing security controls for reducing or eliminating risk.

Step 7, Risk Determination (formula): the risk of pair i is its probability times its impact, and the total risk is the sum over all pairs:

$R_i = P_i \cdot I_i$, and $R = \sum_i P_i \cdot I_i$

Step 7, Risk Determination (matrix; impact values Low = 10, Medium = 50, High = 100; likelihood values High = 1.0, Medium = 0.5, Low = 0.1)

Likelihood      Impact Low (10)        Impact Medium (50)     Impact High (100)
High (1.0)      Low    (10 x 1 = 10)   Medium (50 x 1 = 50)   High   (100 x 1 = 100)
Medium (0.5)    Low    (10 x .5 = 5)   Medium (50 x .5 = 25)  Medium (100 x .5 = 50)
Low (0.1)       Low    (10 x .1 = 1)   Low    (50 x .1 = 5)   Low    (100 x .1 = 10)
Step 7, Risk Determination: risk levels are defined as follows.
High: there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium: corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low: the system's DAA (Designated Approving Authority) must determine whether corrective actions are still required or decide to accept the risk.
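The matrix and formula of Step 7, worked in code as an added example (this is not part of the original slides or of NIST SP 800-30 itself). It scores each threat/vulnerability pair from the Step 3 table with the deck's likelihood and impact values, maps the score to the High/Medium/Low bands shown in the matrix (above 50 is High, above 10 up to 50 is Medium, 10 and below is Low), sums the pair scores into a total R, and orders the pairs by score, which is the input the Risk Mitigation prioritization step needs. The likelihood and impact ratings given to the sample pairs are constructed for illustration, not ratings from the talk.

```python
from dataclasses import dataclass

# Values from the risk matrix in the slides.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """R_i = P_i * I_i for one threat/vulnerability pair (rounded so 0.1 * 100 is exactly 10.0)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 1)


def risk_level(score: float) -> str:
    """Bands implied by the matrix: 100 is High, 50 and 25 are Medium, 10 and below are Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    exploit: str
    likelihood: str  # Step 5 rating: High / Medium / Low
    impact: str      # Step 6 rating: High / Medium / Low

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritize(pairs: list[ThreatVulnPair]) -> list[ThreatVulnPair]:
    """Highest-risk pairs first: the ordering Risk Mitigation step 1 acts on."""
    return sorted(pairs, key=lambda p: p.score, reverse=True)


def total_risk(pairs: list[ThreatVulnPair]) -> float:
    """R = sum over i of P_i * I_i."""
    return round(sum(p.score for p in pairs), 1)


def risk_matrix() -> dict[tuple[str, str], tuple[float, str]]:
    """Every (likelihood, impact) cell of the 3x3 matrix with its score and level."""
    return {(l, i): (risk_score(l, i), risk_level(risk_score(l, i)))
            for l in LIKELIHOOD for i in IMPACT}


# Constructed sample register: the three pairs from the Step 3 table, with
# illustrative likelihood/impact ratings (the ratings are an assumption).
SAMPLE_PAIRS = [
    ThreatVulnPair("Terminated Employees",
                   "User accounts for terminated employees that are left enabled",
                   "Terminated employees gain access to confidential information",
                   likelihood="Medium", impact="High"),
    ThreatVulnPair("Fire or Negligent Employees",
                   "Fire suppression controls for data center left in uncontrolled areas",
                   "Data center fire suppression controls are activated accidentally or maliciously",
                   likelihood="Low", impact="High"),
    ThreatVulnPair("Unauthorized Users",
                   "Unprotected confidential documents",
                   "Confidential information is exfiltrated",
                   likelihood="High", impact="Medium"),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_PAIRS):
        print(f"{p.level:6} {p.score:6.1f}  {p.threat}: {p.exploit}")
    print("Total R =", total_risk(SAMPLE_PAIRS))
```

Running it lists the pairs in priority order (Unauthorized Users at 50 and Terminated Employees at 50 are both Medium, the fire scenario at 10 is Low) and prints a total R of 110. Because the matrix is ordinal, the total is useful for tracking the trend across assessments rather than as an absolute quantity.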
Step 8, Control Recommendations: recommend controls to reduce risk to an acceptable level, based on cost-benefit analysis, feasibility, legislation and regulation, organizational policy, operational impact, and safety and reliability.
RISK vs. REWARD
Step 9, Results Documentation: produce a management-level report that helps senior management make decisions on budget, process and control recommendations. Control recommendations could include changes to policy, procedure, personnel and facilities.
Risk Mitigation
Risk Mitigation: "prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process" (National Institute of Standards and Technology (NIST) SP 800-30)
Risk Mitigation
Risk Mitigation: control categories include people, process and technology. Risk mitigation options include limitation (fix, modification), avoidance (remove, eliminate), transference, assumption, and planning (defer).
Risk Mitigation, Step 1, Prioritize Actions: prioritize control implementation evaluations based on the risk levels presented in the Risk Assessment. Resources and priority should be given to High-level risks.
Step 2, Evaluate Recommended Control Options: analyze the feasibility and effectiveness of the recommended controls.
Step 3, Conduct Cost-Benefit Analysis.
Step 4, Select Controls.

Risk Mitigation, Step 5, Assign Responsibility: assign implementation responsibility to resources with the appropriate expertise and experience.
Step 6, Develop Safeguard Implementation Plan: document the plan for implementing the selected controls, documenting all previously defined criteria, resources, actions, priorities, schedules and requirements.
Step 7, Implement Controls: implement the selected controls and determine residual risk.
Risk Management Demo
Evaluation and Assessment
Evaluation and Assessment: "emphasizes the good practice and need for ongoing risk evaluation and assessment and the factors that will lead to a successful Risk Management program" (National Institute of Standards and Technology (NIST) SP 800-30)
Evaluation and Assessment: Risk Management is a continuous process. A Risk Assessment should be considered whenever changes occur in hardware, software or technology infrastructure; executive leadership or other key personnel; organizational mission; competitors or market factors; physical facilities or locations; environmental factors; finances; or risk appetite.
QUIZ: According to Capt. Kirk, what is our business? 1. RISK!!!
Final Thoughts
Focus on data
and all other assets
Leverage your metrics