ISACA April 21 - Eric Sorenson - Risk Presentation

IDENTIFYING AND ANALYZING RISK IN INFORMATION SYSTEMS

ERIC SORENSON

Utah Chapter of ISACA
April 21, 2016

Identifying and Analyzing Risk In Information Systems

• Identify – establish who or what is

• Analyze – examine information in detail for a purpose

• Risk – the potential of gaining or losing something of value

• Harm from current or future event

• Threat – the potential to accidentally trigger or intentionally exploit a specific vulnerability

UNUSUAL PLOY IN ANTHEM BREACH CASE FAILS

• You may recall, ≈ 80 million records breached

• Database Administrator discovers his credentials are being used to execute a questionable query

• Someone had gained unauthorized access to their IT systems

• Health plan Anthem Inc. makes a bold motion, “to access plaintiffs’ computers, smartphones and tablets to image and copy them to determine whether the data breach or embedded malware was responsible for the potential harm that could include identity theft and tax problems”**

• Could the consumer be at fault?

**http://www.databreachtoday.com/blogs/unusual-ploy-in-anthem-breach-case-fails-p-2101

What Do You Think?

• Should consumers bear some of the risk?

https://www.youtube.com/watch?v=NZJrGuC92U8

Threat Landscape (diagram): Informational, Authentication, Execution, Denial of Service, Users, Acts of Nature

How is Risk Assessed?

• Identify the threats and vulnerabilities

• Analyze the impact to the organization or process, then determine the likelihood of an event

• Easy right?

What Do You Think?

• What are some guiding principles you use to analyze risk?

Internal and External Risks Affect Decision-Making

INTERNAL

• Employees

• Technology

• Security

• Compliance – legal and regulatory

• IP

EXTERNAL

• Former Employees

• Natural Disasters

• Hackers

• Vendors

• Regulators looking at compliance

https://www.youtube.com/watch?v=opRMrEfAIiI

How I Identify and Analyze Risk

• First

  • Identify threats

  • Identify vulnerabilities

• Second

  • Relate threats to vulnerabilities

  • Threat–Vulnerability Pair

How I Identify and Analyze Risk (Continued)

• Define the likelihood

  • You have a threat; how likely is it to occur against the vulnerability?

Likelihood – these percentages are relative to your organization

Low 0 – 40%

Medium 41 – 75%

High 76 – 100%

How I Identify and Analyze Risk (Continued)

• What’s the Impact?

• I use the CIA triad

  • Confidentiality – loss leads to limited, serious, or severe effect upon the organization

  • Integrity

  • Availability

• I categorize them by low, medium, and high

How I Identify and Analyze Risk (Continued)

• Organizational Effect?

  • Business Disruption – how is capability affected?

  • Financial loss – assigned dollar amount

  • Employees – incapacitated

• I categorize them by limited, serious, and severe

How I Identify and Analyze Risk (Continued)

• “Assessing risk is determining the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise.” SANS Institute

• The purpose of assessing risk is to assist management in decision making on where resources should be assigned

How I Identify and Analyze Risk (Continued)

• Four strategies for managing risk

  • Mitigation – most common; fixing the flaw or adding a control

  • Transference – primarily financial; another party assumes the risk

  • Acceptance – we know the risk is there, so we accept it

  • Avoidance – remove the vulnerability or even eliminate the system

How I Identify and Analyze Risk (Continued)

• In many ways, our greatest risk is the employees within our organizations

• Is he your employee?

How I Identify and Analyze Risk (Continued)

• COMMUNICATE

  • Management and employees need to know and understand the risks and how the organization will deal with them

• I’m going to say it again, COMMUNICATE!

• Train, Train, and Train

  • I cannot stress enough how important training is

  • Every month, test the employees

  • Send out examples of attacks and what the outcome was

“Apply” What I’ve Learned

• Risk will always be unique to an organization

• Know the threats and vulnerabilities

• Need to analyze all aspects of the business

• Create or enhance a Risk Management Program

• Communicate

• Train