
Risk Management: Controlling Risk




Presentation Transcript


  1. Risk Management: Controlling Risk
  “Weakness is a better teacher than strength. Weakness must learn to understand the obstacles that strength brushes aside.”
  Mason Cooley (1927 – 2002)
  Presented by: Molly Coplen, Dan Hein, and Dinesh Raveendran
  EECS 711 Chapter 8 Risk Management: Controlling Risk

  2. Chapter Overview
  • Risk Control Strategies
  • Managing Risk
  • Feasibility and Cost-Benefit Analysis
  • Recommended Control Practices
  • The OCTAVE Method
  • Microsoft Risk Management Approach

  3. Risk Management
  Risk management is the process used by managers, auditors, and other professionals to identify vulnerabilities in an organization’s information systems and to assure the confidentiality, integrity, and availability of all the components in the organization’s information system.

  4. Risk Control Strategies
  Four strategies:
  • Avoidance
  • Transference
  • Mitigation
  • Acceptance

  5. Avoidance
  Avoidance applies safeguards that eliminate or reduce the remaining uncontrolled risks; it attempts to prevent the exploitation of the vulnerability. Avoidance is the preferred approach because it seeks to avoid risk rather than deal with it after it has been realized.

  6. Avoidance is accomplished through:
  • Policy
  • Training and education
  • Countering threats
  • Implementation of technical security controls and safeguards

  7. Transference
  The control approach that attempts to shift the risks to other assets, other processes, or other organizations.

  8. Mitigation
  The control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.

  9. (figure slide; no text content)

  10. Acceptance
  Acceptance is the choice to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation. This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.

  11. Acceptance
  Acceptance is a valid practice if management has:
  • Determined the level of risk posed to the information asset
  • Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
  • Approximated the potential loss that could result from attacks

  12. Acceptance (continued)
  Acceptance is a valid practice if management has also:
  • Performed a thorough cost-benefit analysis
  • Evaluated controls using each appropriate type of feasibility analysis report
  • Determined that the particular function, service, information, or asset did not justify the cost of protection

  13. Managing Risk
  Risk appetite (or risk tolerance) describes the quantity and nature of the risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

  14. (figure slide; no text content)

  15. Managing Risk
  Residual risk is what is left after vulnerabilities have been controlled as much as possible: the risk that has not been completely removed, shifted, or incorporated into plans. The goal of information security is not to bring residual risk to zero, but rather to bring it in line with the organization’s risk appetite.

  16. Managing Risk – Strategy Selection
  • When a vulnerability (flaw or weakness) exists, implement security controls to reduce the likelihood of the vulnerability being exercised.
  • When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.

  17. Managing Risk – Strategy Selection (continued)
  • When the attacker’s potential gain is greater than the cost of attack, apply protections to increase the attacker’s costs, or reduce the attacker’s gain by using technical or managerial controls.
  • When the potential loss is substantial, build protections to limit the extent of the attack, thereby reducing the potential for loss.

  18. Managing Risk
  The control strategy articulates which of the four fundamental risk-reducing approaches will be used and how the various approaches might be combined, and justifies the findings by referencing the feasibility studies.

  19. Managing Risk
  Once a control strategy has been selected and implemented, controls should be monitored and measured on an ongoing basis to determine their effectiveness and to estimate the remaining risk.

  20. (figure slide; no text content)

  21. Managing Risk
  At a minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk that remains after the proposed strategy has been executed.

  22. Feasibility Studies and Cost-Benefit Analysis
  • Determine the level of risk posed to the information asset
  • Identify the advantages and disadvantages of implementing a control
  • Value of information assets
  • Dollar-denominated expenses and savings from economic cost avoidance
  • Non-economic feasibility criteria

  23. Cost-Benefit Analysis (CBA)
  • Economic feasibility: evaluating a project that implements information security controls and safeguards.
  • Start this analysis by valuing the information assets and determining the loss in value if they are compromised.
  • The decision-making process of not spending more to protect an asset than it is worth is called a CBA or an economic feasibility study.

  24. Cost
  • It is difficult to determine the cost of safeguarding an asset.
  • Items that could affect the cost:
    • Cost of development or acquisition of hardware, software, and services
    • Training fees
    • Cost of implementation
    • Service costs
    • Cost of maintenance

  25. Benefit
  • The value to the organization of using controls to prevent losses associated with a specific vulnerability
  • Determined by:
    • Valuing the information asset or assets exposed by the vulnerability
    • How much of that value is at risk
    • How much risk exists for the asset
  • The result is expressed as annualized loss expectancy (ALE)

  26. Asset Valuation
  • The process of assigning financial value to each information asset
  • Involves the estimation of actual or perceived costs
  • These costs can be selected from any or all of those associated with design, development, installation, maintenance, protection, recovery, and defense against loss or litigation

  27. Asset Valuation
  • Value retained from the cost of creating the information asset
  • Value retained from past maintenance of the information asset
  • Value implied by the cost of replacing the information
  • Value from providing the information
  • Value acquired from the cost of protecting the information
  • Value to owners
  • Value of intellectual property
  • Value to adversaries
  • Loss of productivity while the information assets are unavailable
  • Loss of revenue while the information assets are unavailable

  28. Asset Valuation
  • This process yields the estimate of potential loss per risk.
  • A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack.
  • SLE = asset value (AV) * exposure factor (EF), where EF is the percentage loss that would occur from a given vulnerability being exploited.

  29. Asset Valuation
  • Annualized rate of occurrence (ARO) indicates how often you expect a specific type of attack to occur.
  • Annualized loss expectancy (ALE) indicates the overall loss potential per risk.
  • ALE = SLE * ARO

  30. The CBA formula
  • CBA determines whether a control alternative is worth its associated cost.
  • CBA = ALE (pre-control) – ALE (post-control) – ACS, where:
    ALE (pre-control) = ALE of the risk before the implementation of the control
    ALE (post-control) = ALE examined after the control has been in place for a period of time
    ACS = annual cost of the safeguard

  31. Asset Valuation
  As Frederick Avolio states in his article “Best Practices in Network Security”: “Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business’s viability.”

  32. Other Feasibility Studies
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility

  33. Organizational Feasibility
  • Examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization.
  • An organization should not invest in technology that changes its fundamental ability to explore certain avenues and opportunities.

  34. Operational Feasibility
  • Also known as behavioral feasibility
  • Refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders
  • User involvement:
    • A method to obtain user acceptance and support
    • Can be achieved by three simple actions: communicate, educate, and involve
    • Can reduce resistance to change and build resilience for change

  35. Technical Feasibility
  • Examines whether the organization has, or can acquire, the technology necessary to implement and support the proposed controls
  • Also examines whether the organization has the technological expertise needed to manage the new technology

  36. Political Feasibility
  • Considers what can and cannot occur based on the consensus and relationships among the communities of interest.
  • The information security community is assigned a budget, which it then allocates to activities and projects, making decisions about how to spend the money using its own judgment.

  37. Alternatives to Feasibility Analysis
  • Benchmarking
  • Adopt a certain minimum level of security
  • Best business practices, balancing the need to access information with adequate protection
  • Gold standard
  • Government recommendations and best practices
  • A baseline is derived by comparing measured actual performance against established standards for the measured category

  38. Viewpoint – Risk Management, by Dr. Whitman
  • In the world of InfoSec, there are three types of people:
    • Those who understand the importance of InfoSec
    • Those who don’t
    • Those who think they do but really don’t
  • The top 5 threats to InfoSec are all people problems.
  • SETA is designed for the second type of people.
  • The third type represents the biggest threat, as they are misinformed or misguided.

  39. Recommended Risk Control Practices
  Cost-benefit and feasibility analysis focused on controlling individual asset-threat pairs can quickly become complex:
  • Each control affects more than one asset-threat pair.
  • As each control is applied, ALE must be recomputed, because threats to downstream assets (e.g., those behind a firewall) may also have been mitigated.
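The SLE, ALE and CBA formulas from slides 28 to 30, worked through in code together with the slide 39 point that a control must be re-costed against every asset-threat pair it touches. This is an added example, not material from the slides or their source textbook; the asset names, dollar values, exposure factors and rates are all constructed.

```python
# Added worked example (not code from the slides or the textbook): SLE = AV * EF,
# ALE = SLE * ARO and CBA = ALE(pre) - ALE(post) - ACS over a constructed risk register.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AssetThreatPair:
    asset: str
    threat: str
    asset_value: float      # AV, dollars (constructed sample values below)
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor  # single loss expectancy
    def ale(self) -> float:
        return self.sle() * self.aro  # annualized loss expectancy

@dataclass(frozen=True)
class Control:
    annual_cost: float  # ACS, annual cost of the safeguard
    effects: dict       # (asset, threat) -> (post-control EF, post-control ARO)

def apply_control(control: Control, pairs: list) -> list:
    """The register as it looks with the control in place; untouched pairs are unchanged."""
    out = []
    for p in pairs:
        ef, aro = control.effects.get((p.asset, p.threat), (p.exposure_factor, p.aro))
        out.append(replace(p, exposure_factor=ef, aro=aro))
    return out

def total_ale(pairs: list) -> float:
    return sum(p.ale() for p in pairs)

def cba(control: Control, pairs: list) -> float:
    """ALE(pre) - ALE(post) - ACS over the whole register. Positive: the control pays for
    itself; negative: accepting the risk (slide 10) may be the prudent business decision."""
    return total_ale(pairs) - total_ale(apply_control(control, pairs)) - control.annual_cost

def cba_single_pair(control: Control, pair: AssetThreatPair) -> float:
    """Per-pair CBA (what slide 39 warns about): charges the whole ACS to one pair and
    ignores the ALE the same control removes from the other pairs it touches."""
    return cba(control, [pair])

# Constructed register of three asset-threat pairs (pre-control ALE noted per line).
PAIRS = [
    AssetThreatPair("customer DB", "SQL injection", 500_000, 0.40, 0.5),  # ALE 100,000
    AssetThreatPair("web server", "defacement", 50_000, 0.20, 2.0),       # ALE 20,000
    AssetThreatPair("customer DB", "disk failure", 500_000, 0.10, 1.0),   # ALE 50,000
]
# A web application firewall lowers the ARO of both web-facing pairs at once.
WAF = Control(30_000, {("customer DB", "SQL injection"): (0.40, 0.1),
                       ("web server", "defacement"): (0.20, 0.5)})
# An offsite mirror only helps the disk-failure pair and costs more than it saves.
MIRROR = Control(60_000, {("customer DB", "disk failure"): (0.10, 0.05)})
```

Costing the WAF against the SQL-injection pair alone gives a CBA of 50,000, while the register-wide figure is 65,000 because the same control also cuts the defacement ALE; the mirror comes out negative either way.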

  40. Recommended Risk Control Practices (continued)
  The complexity of risk control, such as CBA, motivates alternatives:
  • Qualitative measures – scales (for example, 1–10) representing relative degrees of threat likelihood, asset exposure, and/or asset value.
  • Delphi technique – group consensus with respect to establishing the values/scales used in both quantitative and qualitative assessment.

  41. Risk Management Approaches
  Existing risk management approaches provide a tried and true pattern to follow:
  • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • Microsoft Risk Management Approach

  42. OCTAVE Overview
  OCTAVE uses a three-phase approach to provide comprehensive situational awareness:
  • Phase 1 – Build Asset-Based Threat Profiles: What are our assets, what threats exist, and what countermeasures already exist?
  • Phase 2 – Identify Infrastructure Vulnerabilities: What are the operational and technological vulnerabilities allowing unauthorized action?
  • Phase 3 – Develop Security Strategy and Plans: What are the impacts (from Phases 1 and 2) to the corporate mission? What are the needed mitigation options?

  43. OCTAVE: Important Aspects
  • Self-directed – the organization’s personnel are involved (via the analysis team) in process management and information analysis
  • Analysis team – an interdisciplinary team representing various communities of interest
  • Workshop-based – information gathering and decision making are done in workshops organized by the analysis team
  • Catalogs of information – catalogs of practices, threats, and vulnerabilities

  44. OCTAVE: Analysis Team
  Tasks of the analysis team:
  • Facilitate knowledge elicitation workshops
  • Gather necessary supporting data
  • Analyze threat and risk information
  • Develop a protection strategy
  • Develop mitigation plans

  45. Process and Activities Per Phase
  Preparing for OCTAVE
  Phase 1: Build Asset-Based Threat Profiles
  • Process 1: Identify Senior Management Knowledge
  • Process 2: Identify Operational Area Management Knowledge
  • Process 3: Identify Staff Knowledge
  • Process 4: Create Threat Profiles
  Phase 2: Identify Infrastructure Vulnerabilities
  • Process 5: Identify Key Components
  • Process 6: Evaluate Selected Components
  Phase 3: Develop Security Strategy and Plans
  • Process 7: Conduct Risk Analysis
  • Process 8: Develop Protection Strategy

  46. Preparing for OCTAVE
  Preparation is critical for a successful evaluation. Required activities follow:
  • Obtain senior management sponsorship of OCTAVE
  • Select analysis team members
  • Train the analysis team
  • Select operational areas to participate in OCTAVE
  • Select participants
  • Coordinate logistics
  • Brief all participants

  47. OCTAVE: Phase 1
  • The analysis team holds level-tailored workshops with staff members to identify important assets and the business impact if the assets are compromised.
  • The management-level workshops are separate from the staff-level workshops.
  • The purpose of the workshops is to elicit:
    • Important assets and their relative values
    • Perceived threats to the assets
    • Security requirements
    • Current protection strategy practices
    • Current organizational vulnerabilities

  48. Phase 1 Processes
  Processes 1–3, common activities:
  • Identify assets and relative priorities.
  • Identify areas of concern.
  • Identify security requirements for the most important assets.
  • Capture knowledge of protection strategy and organizational vulnerabilities.

  49. Phase 1 Processes (continued)
  Process 4: Create threat profiles from the earlier process steps.
  • Group assets, security requirements, and areas of concern by organizational level.
  • Select critical assets.
  • Refine security requirements for critical assets.
  • Identify threats to critical assets.

  50. OCTAVE: Phase 2
  Perform a technology evaluation, often using a catalog of vulnerabilities such as CVE, to identify vulnerabilities in key systems and components. Example tests:
  • Reviewing firewall configuration
  • Checking the security of public Web servers
  • Performing a comprehensive review of all operating systems
  • Identifying services running and/or available on hosts
  • Listing all system user accounts
  • Identifying known vulnerabilities in routers, switches, remote access servers, operating systems, and specific services and applications
  • Identifying known configuration errors
  • Looking for signs of intrusion (Trojans, system file alteration)
  • Checking file ownership and permissions
