Risk Analysis

Presentation Transcript

  1. Risk Analysis COEN 250

  2. Risk Management • Risk Management consists of • Risk Assessment • Risk Mitigation • Risk Evaluation and Assessment • Risk Management allows • Balance operational and economic costs of protective measures

  3. Risk Management and System Development Life Cycle • Phase 1 – Initiation • Need for IT system is expressed, scope is documented • Identified risks are for • Developing system requirements • Including security requirements • Security strategy of operations • Phase 2 – Development or Acquisition • IT system is designed, purchased, programmed, developed • Risks identified during this phase are used to • Support security analyses of system • Might lead to architecture and design trade-offs during development

  4. Risk Management and System Development Life Cycle • Phase 3 – Implementation • System features are configured, enabled, tested, verified • Risk management supports assessment of system implementation against requirements and modeled operational environment • Phase 4 – Operation or Maintenance • System performs its functions • Typically: modification on an ongoing basis • Risk Management activities: • System reauthorization / reaccreditation • Periodic • Triggered by changes in system • Triggered by changes in operational production environment

  5. Risk Management and System Development Life Cycle • Phase 5 – Disposal • Disposition of • Information • Hardware • Software • Activities • Moving • Archiving • Discarding • Destroying • Sanitizing • Risk management: • Ensure proper disposal of software and hardware • Proper handling of residual data • System migration conducted securely and systematically

  6. Risk Management and System Development Life Cycle • Risk management is a management responsibility • Senior management • Ensures effective application of necessary resources to develop mission capabilities • Need to assess and incorporate results of risk management into decision making process • Chief Information Officer (CIO) • Responsible for planning, budgeting, and performance of IT • Includes Information Security components • Systems and Information Owners • Responsible for ensuring existence of proper controls • Have to approve and sign off on changes in IT system • Need to understand role of risk management

  7. Risk Management and System Development Life Cycle • Business and Functional Managers • Have authority and responsibility to make trade-off decisions • Need to be involved in risk management • Information System Security Officer (ISSO) • Responsible for security program, including risk management • Play leading role for methodology of risk management • Act as consultant to senior management • IT Security Practitioners • Responsible for proper implementation • Must support risk management process to identify new potential risks • Must implement new security controls • Security Awareness Trainers • Proper use of systems is instrumental in risk mitigation and IT resource protection • Must understand risk management • Must incorporate risk assessment into training programs

  8. Risk Assessment • Risk depends on • Likelihood of a given threat-source exercising a particular potential vulnerability • Resulting impact of the adverse event

  9. Hypothetical 2003 Example • Polish hacker N@te upset at Polish control of Multinational Division Central South Iraq • His hacker group wants to attack www.wp.mil.pl • Finds out • www.wp.mil.pl runs Apache • Runs old version of OpenSSL vulnerable to a buffer overflow attack (Source: Bejtlich, The Tao of Network Security Monitoring)

  10. Hypothetical 2003 Example (Source: Bejtlich, The Tao of Network Security Monitoring)

  11. Hypothetical 2003 Example • Polish military does not know N@te, but knows about its exposure • Needs to know about vulnerability • Risk assessment changes dramatically once vulnerability is recognized

  12. Vulnerability  Threat • February 2002 SNMP vulnerability • SNMP widespread network management tool. • Potentially affected most network devices. • However, NO exploits were discovered.

  13. Vulnerability  Threat • Windows RPC vulnerability of 2003 • Dozens of exploits • Blaster worm caused > $1.000.000.000 damage

  14. Risk Assessment • Step 1: System Characterization • Collect system related information • Hardware • Software • Connectivity • Data and information • Users and support • System mission • System and data criticality and sensitivity • …

  15. Risk Assessment • Step 2: Threat Identification • Threat Source Identification • Natural events: • Floods, fires, earthquakes, … • Human threats: • Unintentional acts • Deliberate actions • Consider motivations and actions • Environmental threats • Long-term power failure, pollution, chemicals, liquid leakage

  16. Risk Assessment • Step 3: Vulnerability Identification • Varies with SDLC phase • Sources • Previous risk assessment documents • IT system audits and logs • Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com) • Security advisories • Vendor advisories • System software security analyses

  17. Risk Assessment • Step 3: Vulnerability Identification • Security Testing • Automated vulnerability scanning tools • Penetration testing • Security Test and Evaluation (ST&E) • Develop a test plan • Test Effectiveness of security controls • See NIST SP 800-42

  18. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Management Security • Assignment of responsibilities • Continuity of support • Incident response capability • Periodic review of security controls • Personnel clearance and background investigations • Risk assessment • Separation of duties • System authorization and reauthorization • System or application security plan

  19. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Operational Security • Control of air-borne contaminants • Controls to ensure the quality of the electrical power supply • Data media access and disposal • External data distribution and labeling • Facility protection (e.g., computer room, data center, office) • Humidity control • Temperature control • Workstations, laptops, and stand-alone personal computers

  20. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Technical Security • Communications (e.g., dial-in, system interconnection, routers) • Cryptography • Discretionary access control • Identification and authentication • Intrusion detection • Object reuse • System audit

  21. Risk Assessment • Step 3: Vulnerability Identification • Outcome: A list of system vulnerabilities that could be exercised by a potential threat source

  22. Risk Assessment • Control Analysis • Control Methods • Technical methods • Safeguards built into computer hardware, software, firmware • Nontechnical methods • Management and operational controls • Security policies • Operational procedures • Personnel security • Physical security • Environmental security

  23. Risk Assessment • Control Categories • Preventive controls • Detective controls

  24. Risk Assessment • Control Analysis • Compare security requirements checklist to validate security (non)-compliance • Output: • List of current or planned controls

  25. Risk Assessment • Step 5: Likelihood determination • Governing factors • Threat source motivation and capability • Nature of vulnerability • Existence and effectiveness of current controls • Assign likelihood levels

  26. Risk Assessment • Step 6: Impact Analysis • Requires • System mission • System and data criticality • System and data sensitivity • Can typically be described in • Loss of integrity • Loss of availability • Loss of confidentiality

  27. Risk Assessment • Step 6: Impact Analysis • Can be done quantitatively or qualitatively

  28. Risk Assessment • Step 7: Risk determination • Risk Level Matrix • Composed of threat likelihood and impact • Determines risk scale • Risk Scale • Used to determine and prioritize activities

  29. Risk Assessment • Control Recommendations • Reduce risks to data and system to acceptable level • Base evaluation on • Effectiveness • Legislation and regulation • Organizational policy • Operational impact • Safety and reliability • Perform cost benefit analysis

  30. Risk Assessment • Step 9: Result Documentation • Risk assessment report • Describes threats and vulnerabilities • Measures risk • Provides recommendations for control implementation

  31. Risk Mitigation • Prioritizing • Evaluating • Implementing Appropriate risk-reducing controls

  32. Risk Mitigation • Options • Risk Assumption • To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level • Risk Avoidance • To avoid the risk by eliminating the risk cause and/or consequence • Risk Limitation • To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability • Risk Planning • To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls • Research and Acknowledgment • To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability • Risk Transference • To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

  33. Risk Mitigation

  34. Risk Mitigation • Control Implementation • Prioritize Actions • Evaluate Recommended Control Options • Conduct Cost-Benefit Analysis • Select Control • Assign Responsibility • Develop a Safeguard Implementation Plan • Implement Selected Control(s)
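
An added worked example, not part of the original slides, that carries Steps 5 to 7 (likelihood determination, impact analysis, risk level matrix) through to the prioritization that risk mitigation starts from. The three-level weights and risk scale thresholds follow NIST SP 800-30 (2002), which the slides do not quote; the `Finding` fields, function names and the sample register are assumptions constructed for illustration.

```python
# Added example (not from the slides). Likelihood and impact weights and the
# risk scale thresholds follow NIST SP 800-30 (2002); findings are constructed.
from dataclasses import dataclass

LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}   # 1.0 / 0.5 / 0.1
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Finding:
    name: str
    motivated: bool   # Step 5: threat-source motivation
    capable: bool     # Step 5: threat-source capability (e.g. exploit exists)
    controls: str     # Step 5: "ineffective", "impeding" or "preventing"
    impact: str       # Step 6: "High", "Medium" or "Low"


def likelihood(f: Finding) -> str:
    """Step 5: assign a likelihood level from the governing factors."""
    if f.controls not in ("ineffective", "impeding", "preventing"):
        raise ValueError(f"unknown control state: {f.controls!r}")
    if not (f.motivated and f.capable) or f.controls == "preventing":
        return "Low"
    return "Medium" if f.controls == "impeding" else "High"


def risk(f: Finding) -> tuple[float, str]:
    """Step 7: risk level matrix cell = likelihood weight x impact weight."""
    score = LIKELIHOOD_TENTHS[likelihood(f)] * IMPACT_WEIGHT[f.impact] / 10
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings for mitigation, highest risk score first."""
    return sorted(findings, key=lambda f: risk(f)[0], reverse=True)


# Constructed sample register, loosely modelled on the slides' contrasts.
FINDINGS = [
    Finding("SNMP flaw, no exploit known", True, False, "ineffective", "High"),
    Finding("RPC flaw, perimeter filter in place", True, True, "impeding", "Medium"),
    Finding("Web server with exploitable OpenSSL", True, True, "ineffective", "High"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk(f)[1]:<6} {risk(f)[0]:>5.0f}  {likelihood(f):<6} {f.name}")
```

The first finding scores Low despite its High impact because no capable threat source exists yet; flipping `capable` to `True` moves it to the top of the list, which is the reassessment the slides describe once an exploit appears.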