Title: Risk Analysis
1 Risk Analysis
2 Risk Management
- Risk Management consists of
  - Risk Assessment
  - Risk Mitigation
  - Risk Evaluation and Assessment
- Risk Management allows
  - Balancing operational and economic costs of protective measures
3 Risk Management and System Development Life Cycle
- Phase 1 Initiation
  - Need for IT system is expressed, scope is documented
  - Identified risks are used for
    - Developing system requirements
      - Including security requirements
    - Security strategy of operations
- Phase 2 Development or Acquisition
  - IT system is designed, purchased, programmed, developed
  - Risks identified during this phase are used to
    - Support security analyses of the system
    - Might lead to architecture and design trade-offs during development
4 Risk Management and System Development Life Cycle
- Phase 3 Implementation
  - System features are configured, enabled, tested, verified
  - Risk management supports assessment of the system implementation against requirements and the modeled operational environment
- Phase 4 Operation or Maintenance
  - System performs its functions
  - Typically modified on an ongoing basis
  - Risk Management activities
    - System reauthorization / reaccreditation
      - Periodic
      - Triggered by changes in the system
      - Triggered by changes in the operational production environment
5 Risk Management and System Development Life Cycle
- Phase 5 Disposal
  - Disposition of
    - Information
    - Hardware
    - Software
  - Activities
    - Moving
    - Archiving
    - Discarding
    - Destroying
    - Sanitizing
  - Risk management
    - Ensure proper disposal of software and hardware
    - Proper handling of residual data
    - System migration conducted securely and systematically
6 Risk Management and System Development Life Cycle
- Risk management is a management responsibility
- Senior management
  - Ensures effective application of the resources necessary to develop mission capabilities
  - Needs to assess and incorporate results of risk management into the decision-making process
- Chief Information Officer (CIO)
  - Responsible for planning, budgeting, and performance of IT
    - Includes information security components
- Systems and Information Owners
  - Responsible for ensuring existence of proper controls
  - Have to approve and sign off on changes to the IT system
  - Need to understand the role of risk management
7 Risk Management and System Development Life Cycle
- Business and Functional Managers
  - Have authority and responsibility to make trade-off decisions
  - Need to be involved in risk management
- Information System Security Officer (ISSO)
  - Responsible for the security program, including risk management
  - Plays the leading role in the risk management methodology
  - Acts as consultant to senior management
- IT Security Practitioners
  - Responsible for proper implementation
  - Must support the risk management process to identify new potential risks
  - Must implement new security controls
- Security Awareness Trainers
  - Proper use of systems is instrumental in risk mitigation and IT resource protection
  - Must understand risk management
  - Must incorporate risk assessment into training programs
8 Risk Assessment
- Risk depends on
  - Likelihood of a given threat-source exercising a particular potential vulnerability
  - Resulting impact of the adverse event
9 Hypothetical 2003 Example
- Polish hacker N_at_te upset at Polish control of Multinational Division Central South Iraq
- His hacker group wants to attack www.wp.mil.pl
- Finds out
  - www.wp.mil.pl runs Apache
  - Runs old version of OpenSSL vulnerable to a buffer overflow attack
Source: Bejtlich, The Tao of Network Security Monitoring
10 Hypothetical 2003 Example

Factor          Description                                            Assessment   Rationale
Threat          N_at_te and his buddies                                5/5          Has capability and intention
Vulnerability   Unpatched OpenSSL process                              5/5          Vuln. gives N_at_te root access; no countermeasures deployed
Asset Value     Military spends more than 10,000 annually              4/5          Damage to Polish prestige, costs of web server
Risk            Loss of integrity and control of web server and site   100/125      Threat x Vulnerability x Asset Value (5 x 5 x 4 out of 5 x 5 x 5)

Source: Bejtlich, The Tao of Network Security Monitoring
11 Hypothetical 2003 Example
- Polish military does not know N_at_te, but knows about its exposure
  - Needs to know about the vulnerability
- Risk assessment changes dramatically once the vulnerability is recognized
12 Vulnerability ≠ Threat
- February 2002 SNMP vulnerability
  - SNMP: widespread network management tool
  - Potentially affected most network devices
  - However, NO exploits were discovered
13 Vulnerability ≠ Threat
- Windows RPC vulnerability of 2003
  - Dozens of exploits
  - Blaster worm caused > 1,000,000,000 in damage
15 Risk Assessment
- Step 1 System Characterization
  - Collect system-related information
    - Hardware
    - Software
    - Connectivity
    - Data and information
    - Users and support
    - System mission
    - System and data criticality and sensitivity
16 Risk Assessment
- Step 2 Threat Identification
  - Threat Source Identification
    - Natural events
      - Floods, fires, earthquakes, ...
    - Human threats
      - Unintentional acts
      - Deliberate actions
      - Consider motivations and actions
    - Environmental threats
      - Long-term power failure, pollution, chemicals, liquid leakage
17 Risk Assessment
- Step 3 Vulnerability Identification
  - Varies with SDLC phase
  - Sources
    - Previous risk assessment documents
    - IT system audits and logs
    - Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com)
    - Security advisories
    - Vendor advisories
    - System software security analyses
18 Risk Assessment
- Step 3 Vulnerability Identification
  - Security Testing
    - Automated vulnerability scanning tools
    - Penetration testing
    - Security Test and Evaluation (ST&E)
      - Develop a test plan
      - Test effectiveness of security controls
      - See NIST SP 800-42
19 Risk Assessment
- Step 3 Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Management Security
      - Assignment of responsibilities
      - Continuity of support
      - Incident response capability
      - Periodic review of security controls
      - Personnel clearance and background investigations
      - Risk assessment
      - Separation of duties
      - System authorization and reauthorization
      - System or application security plan
20 Risk Assessment
- Step 3 Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Operational Security
      - Control of air-borne contaminants
      - Controls to ensure the quality of the electrical power supply
      - Data media access and disposal
      - External data distribution and labeling
      - Facility protection (e.g., computer room, data center, office)
      - Humidity control
      - Temperature control
      - Workstations, laptops, and stand-alone personal computers
21 Risk Assessment
- Step 3 Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Technical Security
      - Communications (e.g., dial-in, system interconnection, routers)
      - Cryptography
      - Discretionary access control
      - Identification and authentication
      - Intrusion detection
      - Object reuse
      - System audit
22 Risk Assessment
- Step 3 Vulnerability Identification
  - Outcome: a list of system vulnerabilities that could be exercised by a potential threat source
23 Risk Assessment
- Step 4 Control Analysis
  - Control Methods
    - Technical methods
      - Safeguards built into computer hardware, software, firmware
    - Nontechnical methods
      - Management and operational controls
        - Security policies
        - Operational procedures
        - Personnel security
        - Physical security
        - Environmental security
24 Risk Assessment
- Control Categories
  - Preventive controls
  - Detective controls
25 Risk Assessment
- Step 4 Control Analysis
  - Compare against the security requirements checklist to validate security compliance or non-compliance
  - Output
    - List of current or planned controls
26 Risk Assessment
- Step 5 Likelihood Determination
  - Governing factors
    - Threat source motivation and capability
    - Nature of the vulnerability
    - Existence and effectiveness of current controls
  - Assign likelihood levels
27 Risk Assessment
- Step 6 Impact Analysis
  - Requires
    - System mission
    - System and data criticality
    - System and data sensitivity
  - Can typically be described in terms of
    - Loss of integrity
    - Loss of availability
    - Loss of confidentiality
28 Risk Assessment
- Step 6 Impact Analysis
  - Can be done quantitatively or qualitatively
29 Risk Assessment
- Step 7 Risk Determination
  - Risk Level Matrix
    - Composed of threat likelihood and impact
    - Determines risk scale
  - Risk Scale
    - Used to determine and prioritize activities
30 Risk Assessment
- Step 8 Control Recommendations
  - Reduce risks to data and system to an acceptable level
  - Base evaluation on
    - Effectiveness
    - Legislation and regulation
    - Organizational policy
    - Operational impact
    - Safety and reliability
  - Perform cost-benefit analysis
31 Risk Assessment
- Step 9 Results Documentation
  - Risk assessment report
    - Describes threats and vulnerabilities
    - Measures risk
    - Provides recommendations for control implementation
32 Risk Mitigation
- Prioritizing
- Evaluating
- Implementing
- Appropriate risk-reducing controls
33 Risk Mitigation
- Options
  - Risk Assumption
    - To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
  - Risk Avoidance
    - To avoid the risk by eliminating the risk cause and/or consequence
  - Risk Limitation
    - To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
  - Risk Planning
    - To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
  - Research and Acknowledgment
    - To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
  - Risk Transference
    - To transfer the risk by using other options to compensate for the loss, such as purchasing insurance
35 Risk Mitigation
- Control Implementation
  - Prioritize Actions
  - Evaluate Recommended Control Options
  - Conduct Cost-Benefit Analysis
  - Select Control
  - Assign Responsibility
  - Develop a Safeguard Implementation Plan
  - Implement Selected Control(s)
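The following Python script is an added worked example, not code from the deck, showing how Step 7 (risk-level matrix and risk scale), Step 8 (control recommendations with cost-benefit analysis) and the control-implementation steps above fit together for a small risk register. The likelihood weights (High 1.0, Medium 0.5, Low 0.1), impact magnitudes (High 100, Medium 50, Low 10) and risk-scale bands are those of the NIST SP 800-30 (2002) risk-level matrix that this deck follows; every risk entry, candidate control, cost figure and "likelihood after the control" value is constructed for illustration and is an assumption, not data from the deck.

```python
"""Risk determination and control prioritization after the risk-level matrix.

Constructed example. LIKELIHOOD, IMPACT and risk_level() follow the NIST
SP 800-30 (2002) risk-level matrix; RISKS and CONTROLS (names, costs, and the
assumed effect of each control) are made up to illustrate the method.
"""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # threat likelihood weight
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # impact magnitude


def risk_score(likelihood: str, impact: str) -> float:
    """One cell of the risk-level matrix: likelihood weight x impact magnitude."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str   # "High" / "Medium" / "Low", the Step 5 result
    impact: str       # "High" / "Medium" / "Low", the Step 6 result

    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)


@dataclass(frozen=True)
class Control:
    name: str
    risk: str              # name of the Risk this control addresses
    new_likelihood: str    # assumed likelihood once the control is in place
    cost: float            # assumed annual cost, arbitrary units


# Constructed risk register: the first entry mirrors the deck's 2003 example,
# the second the 2002 SNMP case (vulnerability but no known threat), the third
# the disposal-phase residual-data concern.
RISKS = [
    Risk("Unpatched OpenSSL on public web server", "High", "High"),
    Risk("SNMP exposure with no known exploit", "Low", "Medium"),
    Risk("Residual data on retired disks", "Medium", "Medium"),
]

# Constructed candidate controls; effects and costs are assumptions.
CONTROLS = [
    Control("Patch OpenSSL on the web server", RISKS[0].name, "Low", cost=2),
    Control("Deploy a web application firewall", RISKS[0].name, "Medium", cost=20),
    Control("Disable SNMP on edge devices", RISKS[1].name, "Low", cost=1),
    Control("Adopt a media sanitization procedure", RISKS[2].name, "Low", cost=5),
]


def prioritize_risks(risks):
    """Step 7 output used to 'Prioritize Actions': highest risk score first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def residual_score(risk: Risk, control: Control) -> float:
    """Risk remaining if the control lowers the likelihood as assumed."""
    return risk_score(control.new_likelihood, risk.impact)


def cost_benefit(risks, controls):
    """Rank controls by risk reduction per unit cost; best first.

    Returns (reduction_per_cost, reduction, control) tuples.
    """
    by_name = {r.name: r for r in risks}
    ranked = []
    for c in controls:
        r = by_name[c.risk]
        reduction = r.score() - residual_score(r, c)
        ranked.append((reduction / c.cost, reduction, c))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def select_controls(risks, controls, budget: float):
    """'Select Control': greedy pick in cost-benefit order within a budget.

    A control that does not reduce any risk (the SNMP case here) is never
    selected, however cheap it is.
    """
    chosen, spent = [], 0.0
    for _ratio, reduction, c in cost_benefit(risks, controls):
        if reduction <= 0 or spent + c.cost > budget:
            continue
        chosen.append(c.name)
        spent += c.cost
    return chosen


if __name__ == "__main__":
    for r in prioritize_risks(RISKS):
        print(f"{r.score():6.1f}  {risk_level(r.score()):6}  {r.name}")
    for ratio, reduction, c in cost_benefit(RISKS, CONTROLS):
        print(f"{ratio:6.1f}  -{reduction:5.1f}  cost {c.cost:4}  {c.name}")
    print("selected within budget 8:", select_controls(RISKS, CONTROLS, 8))
```

Run it directly to see the register ordered by risk level, the controls ordered by reduction per unit cost, and the greedy selection under a budget of 8 units. The point the deck's slides 12 and 13 make shows up in the numbers: the SNMP exposure scores Low because no threat is exercising it, so the control addressing it buys no risk reduction and is skipped even though it is the cheapest, while patching the OpenSSL vulnerability removes most of the High risk for very little cost.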