IA: Week 2 Risk - PowerPoint PPT Presentation

Provided by: souEdu
Learn more at: http://webpages.sou.edu
Slides: 36

Transcript and Presenter's Notes

1
IA Week 2: Risk
  • Risk Management
  • Risk Assessment
  • Risk Mitigation
  • Risk evaluation and re-assessment

2
Risk Management and the SDLC
  • System Development Life Cycle (SDLC) phases:
  • Initial concept and need
  • Development/Acquisition
  • Implementation
  • Operation and Maintenance
  • Disposal

3
Key Personnel for Risk Management
  • Risk Management is a management responsibility.
  • Senior Management
  • CIO, ISSO
  • System owners
  • Information Owners
  • IT security folks

4
Risk Assessment
  1. System Characterization
  2. Vulnerability Identification
  3. Threat Identification
  4. Control Analysis
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation

5
Step 1: System Characterization
  • Gather information about the system and its role
    in the organization.
  • What information?
  • How to gather it?

6
System Characterization
  • Hardware, software, interfaces
  • Communication channels, network configuration
  • Data, information
  • IT personnel
  • System description and mission
  • System and data criticality
  • System and data sensitivity

7
System Characterization: Additional Information
  • Functional requirements of the IT system
  • Users
  • Security policies
  • Security architecture
  • Information storage controls
  • Technical controls
  • Management controls
  • Operational controls
  • Physical and environmental security

8
Information Gathering Techniques
  • Questionnaires
  • Interviews
  • Corporate documents
  • System documents
  • Security plans, policies and procedures

9
Step 2: Vulnerability Identification
A vulnerability is a flaw or weakness in system
security procedures, design, implementation, or
internal controls that could be exercised and
result in a security breach or a violation of the
system's security policy. Identifying the
vulnerabilities of a system is necessary for a
realistic threat analysis of that system.

10
Methods for Vulnerability ID
  • Security checklists and vulnerability sources
  • System testing

11
Sources of Vulnerability Info
  • Previous risk assessments
  • IT Audit reports
  • Vulnerability databases
  • Security advisories
  • Incident response reports
  • Vulnerability alerts
  • System software security analysis

12
System Security Testing
  • Automated vulnerability scanning tools
  • Nmap, Nessus
  • Security test and evaluation
  • Penetration testing

13
Vulnerability Identification
  • Output: a vulnerability assessment report and
    vulnerability list
  • This report and list are updated and amended
    throughout the system life cycle.

14
Step 3: Threat Identification
A threat is the potential for a threat source to
exercise a specific vulnerability. A threat
source is either (1) an intent and method targeted
at the intentional exploitation of a vulnerability,
or (2) a situation and method that may
accidentally trigger a vulnerability.

15
Common Threat Sources
  • Natural: floods, earthquakes, tornadoes,
    landslides, etc.
  • Environmental: long-term power failure,
    pollution, chemicals, liquid leakage, fire,
    smoke, etc.
  • Human: unintentional acts or deliberate acts
  • Machine: failure, malfunction, incorrect
    configuration

16
Threat Sources
  • Hackers
  • Criminals
  • Terrorists
  • Industrial Espionage
  • Insiders

17
Threat Profile
A threat profile is a list of threat-sources and
their associated vulnerabilities and potential
harm/damage to the IT system.
18
Step 4: Control Analysis
Analyze the controls that have been implemented
or are planned to minimize or eliminate the
likelihood of a threat's exercising a system
vulnerability.
  • Control Methods
  • Control Categories
  • Control Analysis Techniques

19
Control Methods
  • NIST:
  • Technical Controls
  • Operational Controls
  • Management Controls
  • HIPAA:
  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

20
Technical Controls
  • Identification and Authentication
  • Logical access control
  • Audit trails
  • System protection

21
Operational Controls
  • Personnel Security
  • Physical and Environmental Protection
  • Contingency Plan
  • Configuration Management
  • HW and SW Maintenance
  • Media Protection
  • Incident Response
  • Training

22
Management Controls
  • Risk Assessment
  • Security Plan
  • System and Services Acquisition
  • Security Control Review
  • Processing Authorization

23
Control Categories
  • Preventive Controls:
  • Policy enforcement
  • Access controls, encryption, authentication
  • Detective Controls:
  • Warn of policy violations
  • Intrusion detection
  • Audit trails
  • Checksums

24
Control Analysis Techniques
  • Checklists
  • Security requirements lists versus security
    controls design

25
Step 5: Likelihood Determination
Derive a likelihood rating (probability) that a
potential vulnerability may be exercised by the
associated threat environment.
  • Threat-source motivation and capability
  • Nature of the vulnerability
  • Effectiveness of current controls

26
Likelihood Definitions
  • High: The threat-source is highly motivated
    and capable, and existing controls are
    ineffective.
  • Medium: The threat-source is motivated and
    capable, but controls may impede successful
    exploit.
  • Low: The threat-source lacks motivation or
    capability, or controls are in place to prevent
    or significantly impede exploit.

27
Step 6: Impact Analysis
Determine the impact of a successful exploit of a
vulnerability by a threat source.
  • Input: System mission
  • System and data criticality
  • System and data sensitivity

28
Incident Impact
  • The adverse impact of a security incident is
    described in terms of:
  • Loss of Integrity
  • Loss of Availability
  • Loss of Confidentiality
  • Lost revenue
  • Cost of repair
  • Damage of intangibles

29
Impact Metrics
  • High: Severe or catastrophic adverse effect on
    organizational operations, assets or
    individuals.
  • Medium: Serious adverse effect on
    organizational operations, assets or
    individuals.
  • Low: Limited adverse effect on organizational
    operations, assets or individuals.

30
Step 7: Risk Determination
  • Determine the risk of a particular
    threat/vulnerability pair as a function of:
  • Likelihood of the threat source exploiting the
    vulnerability
  • Magnitude of the impact of the successful exploit
  • Adequacy of protective security controls for the
    pair

31
Risk-Level Matrix
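Steps 5 to 7 carried through in code, as an added example that is not part of the slides: a likelihood rating derived from the three factors on the Likelihood Determination slide, a risk score and level for each threat/vulnerability pair, the full likelihood-by-impact matrix, and a results table of the kind Step 9 asks for. The numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10, bands above 50 High and above 10 Medium) are those of the original NIST SP 800-30 (2002) and are an assumption here, since the Risk-Level Matrix slide carries no values; the three-way control-effectiveness grading, the `ThreatVulnPair` class and the sample pairs are constructed for illustration.

```python
"""Worked likelihood / impact / risk-level matrix (added example, not slide content).
Numeric scale assumed from NIST SP 800-30 (2002); sample pairs are constructed."""
from dataclasses import dataclass

# Likelihood levels from the "Likelihood Definitions" slide (weights assumed).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Impact levels from the "Impact Metrics" slide (weights assumed).
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ("High", "Medium", "Low")
CONTROL_GRADES = ("ineffective", "partial", "effective")  # constructed grading


def likelihood(motivated: bool, capable: bool, control_effectiveness: str) -> str:
    """Step 5: map threat-source motivation/capability and control effectiveness
    to a level, following the wording of the Likelihood Definitions slide."""
    if control_effectiveness not in CONTROL_GRADES:
        raise ValueError(f"unknown control effectiveness: {control_effectiveness!r}")
    # Low: threat-source lacks motivation or capability, or controls prevent exploit
    if not (motivated and capable) or control_effectiveness == "effective":
        return "Low"
    # Medium: motivated and capable, but controls may impede a successful exploit
    if control_effectiveness == "partial":
        return "Medium"
    # High: motivated and capable, existing controls ineffective
    return "High"


def risk_score(likelihood_level: str, impact_level: str) -> float:
    """Step 7: risk = likelihood x impact on the assumed SP 800-30 scale."""
    return round(LIKELIHOOD_WEIGHT[likelihood_level] * IMPACT_WEIGHT[impact_level], 6)


def risk_level(score: float) -> str:
    """Assumed SP 800-30 bands: above 50 High, above 10 Medium, otherwise Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The full likelihood x impact matrix as {(likelihood, impact): level}."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in LEVELS for im in LEVELS}


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pair with its Step 5 and Step 6 inputs."""
    threat_source: str
    vulnerability: str
    motivated: bool
    capable: bool
    control_effectiveness: str
    impact: str  # Step 6 rating: High / Medium / Low

    def assess(self) -> dict:
        lk = likelihood(self.motivated, self.capable, self.control_effectiveness)
        score = risk_score(lk, self.impact)
        return {"threat_source": self.threat_source, "vulnerability": self.vulnerability,
                "likelihood": lk, "impact": self.impact, "score": score,
                "risk": risk_level(score)}


# Constructed sample pairs (not from the slides).
SAMPLE_PAIRS = [
    ThreatVulnPair("Hacker", "Unpatched internet-facing web server",
                   motivated=True, capable=True, control_effectiveness="ineffective", impact="High"),
    ThreatVulnPair("Insider", "Over-broad permissions on the finance file share",
                   motivated=True, capable=True, control_effectiveness="partial", impact="Medium"),
    ThreatVulnPair("Industrial espionage", "Unencrypted laptop used for travel",
                   motivated=True, capable=True, control_effectiveness="partial", impact="High"),
    ThreatVulnPair("Criminal", "Unescorted visitor access to the server room",
                   motivated=True, capable=False, control_effectiveness="effective", impact="High"),
]


def assessment_report(pairs=SAMPLE_PAIRS) -> list:
    """Step 9 documentation: one row per pair, highest risk first."""
    rows = [p.assess() for p in pairs]
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def format_report(rows) -> str:
    """Render the rows as a plain-text table for the risk assessment report."""
    header = f"{'Threat source':<22}{'Vulnerability':<48}{'Lik.':<8}{'Imp.':<8}{'Score':>6}  Risk"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f"{r['threat_source']:<22}{r['vulnerability']:<48}"
                     f"{r['likelihood']:<8}{r['impact']:<8}{r['score']:>6.1f}  {r['risk']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for (lk, im), level in sorted(risk_matrix().items()):
        print(f"likelihood {lk:<7} x impact {im:<7} -> {level}")
    print()
    print(format_report(assessment_report()))
```

Note that on this scale a Low likelihood against a High impact scores 10 and lands in the Low band, while Medium likelihood against High impact scores 50 and lands in Medium; that is why the matrix, not intuition, should decide the level, and why the Step 7 slide lists control adequacy as a separate input: it enters through the likelihood rating, not the impact rating.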

32
Step 8: Control Recommendations
  • Recommend controls that reduce the level of risk
    to the system and/or data to an acceptable level.
  • Considerations:
  • Effectiveness of recommendations
  • Legislation and regulation
  • Organizational policy
  • Operational impact
  • Safety and reliability

33
Step 9: Results Documentation
A risk assessment report that describes each threat
and vulnerability, the measurement of the risk, and
the recommended controls for risk mitigation.

34
Risk Mitigation
  • Risk Assumption: accept the potential risk
  • Risk Avoidance: shut down until the vulnerability
    is fixed
  • Risk Limitation: implement controls to limit risk
  • Risk Transference: insurance
