Risk Analysis - PowerPoint PPT Presentation
Slides: 36
Provided by: thomassc4
Learn more at: https://www.cse.scu.edu
Transcript and Presenter's Notes

1
Risk Analysis
  • COEN 250

2
Risk Management
  • Risk Management consists of
  • Risk Assessment
  • Risk Mitigation
  • Risk Evaluation and Assessment
  • Risk Management allows
  • Balance operational and economic costs of
    protective measures

3
Risk Management and System Development Life Cycle
  • Phase 1 Initiation
  • Need for IT system is expressed, scope is
    documented
  • Identified risks are used for
  • Developing system requirements
  • Including security requirements
  • Security strategy of operations
  • Phase 2 Development or Acquisition
  • IT system is designed, purchased, programmed, or
    developed
  • Risks identified during this phase are used to
  • Support security analyses of system
  • Might lead to architecture and design trade-offs
    during development

4
Risk Management and System Development Life Cycle
  • Phase 3 Implementation
  • System features are configured, enabled, tested,
    verified
  • Risk management supports assessment of system
    implementation against requirements and modeled
    operational environment
  • Phase 4 Operation or Maintenance
  • System performs its functions
  • Typically modified on an ongoing basis
  • Risk Management activities
  • System reauthorization / reaccreditation
  • Periodic
  • Triggered by changes in system
  • Triggered by changes in operational production
    environment

5
Risk Management and System Development Life Cycle
  • Phase 5 Disposal
  • Disposition of
  • Information
  • Hardware
  • Software
  • Activities
  • Moving
  • Archiving
  • Discarding
  • Destroying
  • Sanitizing
  • Risk management
  • Ensure proper disposal of software and hardware
  • Proper handling of residual data
  • System migration conducted securely and
    systematically

6
Risk Management and System Development Life Cycle
  • Risk management is a management responsibility
  • Senior management
  • Ensures effective application of necessary
    resources to develop mission capabilities
  • Need to assess and incorporate results of risk
    management into the decision-making process
  • Chief Information Officer (CIO)
  • Responsible for planning, budgeting, and
    performance of IT
  • Includes Information Security components
  • Systems and Information Owners
  • Responsible for ensuring existence of proper
    controls
  • Have to approve and sign off on changes to the IT
    system
  • Need to understand role of risk management

7
Risk Management and System Development Life Cycle
  • Business and Functional Managers
  • Have authority and responsibility to make
    trade-off decisions
  • Need to be involved in risk management
  • Information System Security Officer (ISSO)
  • Responsible for security program, including risk
    management
  • Play a leading role in defining the risk
    management methodology
  • Act as consultant to senior management
  • IT Security Practitioners
  • Responsible for proper implementation
  • Must support risk management process to identify
    new potential risks
  • Must implement new security controls
  • Security Awareness Trainers
  • Proper use of systems is instrumental in risk
    mitigation and IT resource protection
  • Must understand risk management
  • Must incorporate risk assessment into training
    programs

8
Risk Assessment
  • Risk depends on
  • Likelihood of a given threat-source exercising a
    particular potential vulnerability
  • Resulting impact of the adverse event

9
Hypothetical 2003 Example
  • Polish hacker N_at_te upset at Polish control of
    Multinational Division Central South Iraq
  • His hacker group wants to attack www.wp.mil.pl
  • Finds out
  • www.wp.mil.pl runs Apache
  • Runs old version of OpenSSL vulnerable to a
    buffer overflow attack

Bejtlich, The Tao of Network Security Monitoring
10
Hypothetical 2003 Example
Factor         Description                                           Assessment  Rationale
Threat         N_at_te and his buddies                               5/5         Has capability and intention
Vulnerability  Unpatched OpenSSL process                             5/5         Vulnerability gives N_at_te root access; no countermeasures deployed
Asset Value    Military spends more than 10,000 annually             4/5         Damage to Polish prestige, cost of web server
Risk           Loss of integrity and control of web server and site  100/125     Product of the three factors (5 x 5 x 4) out of a maximum 5 x 5 x 5

Bejtlich, The Tao of Network Security Monitoring
11
Hypothetical 2003 Example
  • Polish military does not know N_at_te, but knows
    about its exposure
  • Needs to know about vulnerability
  • Risk assessment changes dramatically once
    vulnerability is recognized
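The scoring table on slide 10 and the re-assessment point on slide 11 can be turned into a small risk register. This is an added example, not code from the slides or from Bejtlich: each finding gets the three factors scored 1 to 5, risk is their product out of 125, findings are ranked for mitigation, and re-scoring after a countermeasure shows how much the picture changes. The SNMP and RPC rows and the post-patch vulnerability score are constructed for illustration.

```python
from dataclasses import dataclass, replace

MAX_SCORE = 5 * 5 * 5  # each factor is scored 1..5, so the product tops out at 125


@dataclass(frozen=True)
class Finding:
    """One row of the slide-10 assessment: three factors, each scored 1..5."""
    name: str
    threat: int         # capability and intention of the threat source
    vulnerability: int  # severity of the weakness and absence of countermeasures
    asset_value: int    # what is lost if the vulnerability is exercised

    def __post_init__(self):
        for score in (self.threat, self.vulnerability, self.asset_value):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: factor scores must be 1..5, got {score}")

    def risk(self) -> int:
        # Risk = Threat x Vulnerability x Asset Value (slide 10: 5 x 5 x 4 = 100/125)
        return self.threat * self.vulnerability * self.asset_value


def prioritize(findings):
    """Order findings for mitigation, highest risk first."""
    return sorted(findings, key=lambda f: f.risk(), reverse=True)


def rescore(finding: Finding, **changes) -> Finding:
    """Re-assess a finding after a control changes one or more factors (slide 11)."""
    return replace(finding, **changes)


# Constructed register. Row 1 is the slides' hypothetical 2003 example; rows 2 and 3
# mirror slides 12 and 13 (a vulnerability with no known exploits vs. one with dozens).
register = [
    Finding("Unpatched OpenSSL on www.wp.mil.pl", threat=5, vulnerability=5, asset_value=4),
    Finding("Unpatched SNMP agent, Feb 2002 advisory", threat=1, vulnerability=5, asset_value=3),
    Finding("Windows RPC vulnerability, 2003", threat=5, vulnerability=4, asset_value=3),
]

if __name__ == "__main__":
    for f in prioritize(register):
        print(f"{f.risk():3d}/{MAX_SCORE}  {f.name}")
    # Patching removes the exploitable flaw; threat source and asset value are unchanged.
    # A post-patch vulnerability score of 1 is an assumption for illustration.
    patched = rescore(register[0], vulnerability=1)
    print(f"after patch: {patched.risk()}/{MAX_SCORE}")
```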

12
Vulnerability ≠ Threat
  • February 2002 SNMP vulnerability
  • SNMP is a widely deployed network management
    protocol
  • Potentially affected most network devices
  • However, no exploits were discovered

13
Vulnerability ≠ Threat
  • Windows RPC vulnerability of 2003
  • Dozens of exploits
  • Blaster worm caused more than 1,000,000,000 in
    damage

14
(No Transcript)
15
Risk Assessment
  • Step 1 System Characterization
  • Collect system related information
  • Hardware
  • Software
  • Connectivity
  • Data and information
  • Users and support
  • System mission
  • System and data criticality and sensitivity

16
Risk Assessment
  • Step 2 Threat Identification
  • Threat Source Identification
  • Natural events
  • Floods, fires, earthquakes
  • Human threats
  • Unintentional acts
  • Deliberate actions
  • Consider motivations and actions
  • Environmental threats
  • Long-term power failure, pollution, chemicals,
    liquid leakage

17
Risk Assessment
  • Step 3 Vulnerability Identification
  • Varies with SDLC phase
  • Sources
  • Previous risk assessment documents
  • IT system audits and logs
  • Vulnerability lists (NIST I-CAT, CERT, SANS,
    SecurityFocus.com)
  • Security advisories
  • Vendor advisories
  • System software security analyses

18
Risk Assessment
  • Step 3 Vulnerability Identification
  • Security Testing
  • Automated vulnerability scanning tools
  • Penetration testing
  • Security Test and Evaluation (ST&E)
  • Develop a test plan
  • Test effectiveness of security controls
  • See NIST SP 800-42

19
Risk Assessment
  • Step 3 Vulnerability Identification
  • Develop a Security Requirements Checklist
  • Management Security
  • Assignment of responsibilities
  • Continuity of support
  • Incident response capability
  • Periodic review of security controls
  • Personnel clearance and background investigations
  • Risk assessment
  • Separation of duties
  • System authorization and reauthorization
  • System or application security plan

20
Risk Assessment
  • Step 3 Vulnerability Identification
  • Develop a Security Requirements Checklist
  • Operational Security
  • Control of air-borne contaminants
  • Controls to ensure the quality of the electrical
    power supply
  • Data media access and disposal
  • External data distribution and labeling
  • Facility protection (e.g., computer room, data
    center, office)
  • Humidity control
  • Temperature control
  • Workstations, laptops, and stand-alone personal
    computers

21
Risk Assessment
  • Step 3 Vulnerability Identification
  • Develop a Security Requirements Checklist
  • Technical Security
  • Communications (e.g., dial-in, system
    interconnection, routers)
  • Cryptography
  • Discretionary access control
  • Identification and authentication
  • Intrusion detection
  • Object reuse
  • System audit

22
Risk Assessment
  • Step 3 Vulnerability Identification
  • Outcome: a list of system vulnerabilities that
    could be exercised by a potential threat source

23
Risk Assessment
  • Step 4 Control Analysis
  • Control Methods
  • Technical methods
  • Safeguards built into computer hardware,
    software, firmware
  • Nontechnical methods
  • Management and operational controls
  • Security policies
  • Operational procedures
  • Personnel security
  • Physical security
  • Environmental security

24
Risk Assessment
  • Control Categories
  • Preventive controls
  • Detective controls

25
Risk Assessment
  • Step 4 Control Analysis
  • Compare against the security requirements
    checklist to validate security compliance or
    non-compliance
  • Output
  • List of current or planned controls

26
Risk Assessment
  • Step 5 Likelihood determination
  • Governing factors
  • Threat source motivation and capability
  • Nature of vulnerability
  • Existence and effectiveness of current controls
  • Assign likelihood levels

27
Risk Assessment
  • Step 6 Impact Analysis
  • Requires
  • System mission
  • System and data criticality
  • System and data sensitivity
  • Can typically be described in
  • Loss of integrity
  • Loss of availability
  • Loss of confidentiality

28
Risk Assessment
  • Step 6 Impact Analysis
  • Can be done quantitatively or qualitatively

29
Risk Assessment
  • Step 7 Risk determination
  • Risk Level Matrix
  • Composed of threat likelihood and impact
  • Determines risk scale
  • Risk Scale
  • Used to determine and prioritize activities

30
Risk Assessment
  • Step 8 Control Recommendations
  • Reduce risks to data and system to acceptable
    level
  • Base evaluation on
  • Effectiveness
  • Legislation and regulation
  • Organizational policy
  • Operational impact
  • Safety and reliability
  • Perform cost benefit analysis

31
Risk Assessment
  • Step 9 Result Documentation
  • Risk assessment report
  • Describes threats and vulnerabilities
  • Measures risk
  • Provides recommendations for control
    implementation

32
Risk Mitigation
  • Prioritizing
  • Evaluating
  • Implementing
  • Appropriate risk-reducing controls

33
Risk Mitigation
  • Options
  • Risk Assumption
  • To accept the potential risk and continue
    operating the IT system or to implement controls
    to lower the risk to an acceptable level
  • Risk Avoidance
  • To avoid the risk by eliminating the risk cause
    and/or consequence
  • Risk Limitation
  • To limit the risk by implementing controls that
    minimize the adverse impact of a threat's
    exercising a vulnerability
  • Risk Planning
  • To manage risk by developing a risk mitigation
    plan that prioritizes, implements, and maintains
    controls
  • Research and Acknowledgment
  • To lower the risk of loss by acknowledging the
    vulnerability or flaw and researching controls to
    correct the vulnerability
  • Risk Transference
  • To transfer the risk by using other options to
    compensate for the loss, such as purchasing
    insurance

34
Risk Mitigation
35
Risk Mitigation
  • Control Implementation
  • Prioritize Actions
  • Evaluate Recommended Control Options
  • Conduct Cost-Benefit Analysis
  • Select Control
  • Assign Responsibility
  • Develop a Safeguard Implementation Plan
  • Implement Selected Control(s)