Post on 23-Dec-2015
Risk Analysis
COEN 250
Risk Management
Risk Management consists ofRisk AssessmentRisk MitigationRisk Evaluation and Assessment
Risk Management allowsBalance operational and economic costs of
protective measures
Risk Management andSystem Development Life Cycle Phase 1 – Initiation
Need for IT system is expressed, scope is documented Identified risks are for
Developing system requirements Including security requirements Security strategy of operations
Phase 2 – Development or Acquisition IT system is Designed, Purchased, Programmed, Developed Risks identified during this phase are used to
Support security analyses of system Might lead to architecture and design trade-offs during development
Risk Management andSystem Development Life Cycle Phase 3 – Implementation
System features are configured, enabled, tested, verified Risk management supports assessment of system
implementation against requirements and modeled operational environment
Phase 4 – Operation or Maintenance System performs its functions
Typically: modification on an ongoing basis Risk Management activities:
System reauthorization / reaccreditation Periodic Triggered by changes in system Triggered by changes in operational production environment
Risk Management andSystem Development Life Cycle Phase 5 – Disposal
Disposition of Information Hardware Software
Activities Moving Archiving Discarding Destroying Sanitizing
Risk management: Ensure proper disposal of software and hardware Proper handling of residual data System migration conducted securely and systematically
Risk Management andSystem Development Life Cycle Risk management is management responsibility
Senior management Ensures effective application of necessary resources to develop
mission capabilities Need to asses and incorporate results of risk management into
decision making process Chief Information Officer (CIO)
Responsible for planning, budgeting, and performance of IT Includes Information Security components
Systems and Information Owners Responsible for ensuring existence of proper controls Have to approve and sign off to changes in IT system Need to understand role of risk management
Risk Management andSystem Development Life Cycle
Business and Functional Managers Have authority and responsibility to make trade-off decisions Need to be involved in risk management
Information System Security Officer (ISSO) Responsible for security program, including risk management Play leading role for methodology of risk management Act as consultant to senior management
IT Security Practitioners Responsible for proper implementation Must support risk management process to identify new potential risks Must implement new security controls
Security Awareness Trainers Proper use of systems is instrumental in risk mitigation and IT resource
protection Must understand risk management Must incorporate risk assessment into training programs
Risk Assessment
Risk depends on Likelihood of a given threat-source exercising
a particular potential vulnerability Resulting impact of the adverse event
Hypothetical 2003 Example
Polish hacker N@te upset at Polish control of Multinational Division Central South Iraq
His hacker group wants to attack www.wp.mil.plFinds out
www.wp.mil.pl runs Apache Runs old version of OpenSSL vulnerable to a
buffer overflow attack
Bejtlich: The Tao of Network Security Monitoring
Hypothetical 2003 Example
Bejtlich: The Tao of Network Security Monitoring
Factor Description Assessment Rationale
Threat N@te and his buddies
5/5 Has capability and intention
Vulnerability Unpatched OpenSLL process
5/5 Vuln. gives N@te root access. No countermeasures deployed
Asset Value Military spends more than $10,000 annually
4/5 Damage to Polish prestige, costs of web server
Risk Loss of integrity and control of web server and site
100/125
Hypothetical 2003 Example
Polish military does not know N@te, but knows about its exposure
Needs to know about vulnerability Risk assessment changes dramatically
once vulnerability is recognized
Vulnerability Threat
February 2002 SNMP vulnerabilitySNMP widespread network management tool.Potentially affected most network devices.However, NO exploits were discovered.
Vulnerability Threat
Windows RPC vulnerability of 2003Dozens of exploitsBlaster worm caused > $1.000.000.000
damage
Risk Assessment
Step 1: System Characterization Collect system related information
Hardware Software Connectivity Data and information Users and support System mission System and data criticality and sensitivity …
Risk Assessment
Step 2: Threat Identification Threat Source Identification
Natural events: Floods, fires, earthquakes, …
Human threats: Unintentional acts Deliberate actions
Consider motivations and actions Environmental threats
Long-term power failure, pollution, chemicals, liquid leakage
Risk Assessment
Step 3: Vulnerability Identification Varies on SDLC phase Sources
Previous risk assessment documents IT system audits and logs Vulnerability lists (NIST I-CAT, CERT, SANS,
SecurityFocus.com) Security advisories Vendor advisories System software security analyses
Risk Assessment
Step 3: Vulnerability IdentificationSecurity Testing
Automated vulnerability scanning tools Penetration testing Security Test and Evaluation (ST&E)
Develop a test plan Test Effectiveness of security controls
See NIST SP 800-42
Risk Assessment
Step 3: Vulnerability Identification Develop a Security Requirements Checklist
Management Security Assignment of responsibilities Continuity of support Incident response capability Periodic review of security controls Personnel clearance and background investigations Risk assessment Separation of duties System authorization and reauthorization System or application security plan
Risk Assessment
Step 3: Vulnerability Identification Develop a Security Requirements Checklist
Operational Security Control of air-borne contaminants Controls to ensure the quality of the electrical power supply Data media access and disposal External data distribution and labeling Facility protection (e.g., computer room, data center, office) Humidity control Temperature control Workstations, laptops, and stand-alone personal computers
Risk Assessment
Step 3: Vulnerability Identification Develop a Security Requirements Checklist
Technical Security Communications (e.g., dial-in, system interconnection, routers) Cryptography Discretionary access control Identification and authentication Intrusion detection Object reuse System audit
Risk Assessment
Step 3: Vulnerability IdentificationOutcome: A list of system vulnerabilities that
could be exercised by a potential threat source
Risk Assessment
Control Analysis Control Methods
Technical methods Safeguards built into computer hardware, software, firmware
Nontechnical methods Management and operational controls
Security policies Operational procedures Personnel security Physical security Environmental security
Risk Assessment
Control CategoriesPreventive controlsDetective controls
Risk Assessment
Control AnalysisCompare security requirements checklist to
validate security (non)-compliance
Output:List of current or planned controls
Risk Assessment
Step 5: Likelihood determinationGoverning factors
Threat source motivation and capability Nature of vulnerability Existence and effectiveness of current controls
Assign likelihood levels
Risk Assessment
Step 6: Impact AnalysisRequires
System mission System and data criticality System and data sensitivity
Can typically be described in Loss of integrity Loss of availability Loss of confidentiality
Risk Assessment
Step 6: Impact AnalysisCan be done quantitatively or qualitatively
Risk Assessment
Step 7: Risk determinationRisk Level Matrix
Composed of threat likelihood and impact
Determines risk scaleRisk Scale
Used to determine and prioritize activities
Risk Assessment
Control Recommendations Reduce risks to data and system to acceptable level Base evaluation on
Effectiveness Legislation and regulation Organizational policy Operational impact Safety and reliability
Perform cost benefit analysis
Risk Assessment
Step 9: Result DocumentationRisk assessment report
Describes threats and vulnerabilities Measures risk Provides recommendations for control
implementation
Risk Mitigation
Prioritizing Evaluating Implementing
Appropriate risk-reducing controls
Risk Mitigation Options
Risk Assumption To accept the potential risk and continue operating the IT system or to
implement controls to lower the risk to an acceptable level Risk Avoidance
To avoid the risk by eliminating the risk cause and/or consequence Risk Limitation
To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability
Risk Planning To manage risk by developing a risk mitigation plan that prioritizes,
implements, and maintains controls Research and Acknowledgment
To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference To transfer the risk by using other options to compensate for the loss, such
as purchasing insurance.
Risk Mitigation
Risk Mitigation
Control ImplementationPrioritize ActionsEvaluate Recommended Control OptionsConduct Cost-Benefit AnalysisSelect ControlAssign ResponsibilityDevelop a Safeguard Implementation Plan Implement Selected Control(s)