Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Risk management
Giorgio Fumera
http://pralab.diee.unica.it
Risk Management in Computer Security
Introduction: risk factors
[Figure: risk factors. A threat exploits a vulnerability exposed by an asset, causing an impact.]
Asset: anything that has value for an organization (tangible or intangible):
• primary: business processes and activities, information
• support: hardware, software, network, personnel, facilities
Introduction: risk factors
Threat:
• Non-adversarial: accidental events caused by a non-deliberate source of hazard, e.g., component or structural failures, environmental disruptions, human errors
• Adversarial: deliberate actions originating from malicious attacks by human actors, accomplished physically or by cyber means
Introduction: risk factors
Vulnerability: a weakness that can be exploited by a threat to compromise or damage an asset
Introduction: information security risks
[Figure: a risk scenario, viewed in terms of loss of confidentiality, integrity, or availability]
Introduction: impact of information security risks
Information security risks can be caused by non-adversarial threats and can have an impact beyond confidentiality, integrity and availability of information, e.g., in critical infrastructures.
An example: industrial automation and control systems
[Figure: layers of an industrial automation and control system: Enterprise Resource Planning (ERP), Manufacturing Execution System (MES), Supervisory Control And Data Acquisition (SCADA), Programmable Logic Controller (PLC)]
Information security risk management frameworks
• ISO/IEC 27005:2018 – Information security risk management
  https://www.iso.org/standard/75281.html (not available through our Faculty Library)
• NIST framework for information security
NIST framework for information security
National Institute of Standards and Technology (NIST)
– https://www.nist.gov/
– founded in 1901
– part of the U.S. Department of Commerce
– development of industry-related standards, guidelines and best practices
– publicly available documents
NIST framework for information security
Context:
– Information Security Handbook: A Guide for Managers (2006), Special Publication 800 series
  https://www.nist.gov/publications/information-security-handbook-guide-managers
– Cybersecurity Framework v1.1 (2018)
  https://www.nist.gov/cyberframework
Risk management: Special Publication 800 series
– SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (2011)
  https://csrc.nist.gov/publications/detail/sp/800-39/final
– SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (2018)
  https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
– SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (2012)
  https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Concepts and principles consistent with ISO and IEC standards
NIST Information Security Handbook (2006)
SP 800-100
Guidelines providing a broad overview of information security program elements, to assist managers in understanding how to establish and implement an information security program
NIST Information Security Handbook (2006)
• Information Security Governance
• System Development Life Cycle
• Awareness and Training
• Capital Planning and Investment Control
• Interconnecting Systems
• Performance Measures
• Security Planning
• Information Technology Contingency Planning
• Risk Management
• Certification, Accreditation, and Security Assessments
• Security Services and Products Acquisition
• Incident Response
• Configuration Management
NIST Information Security Handbook (2006)
Risk management: an important component of a successful information security program
– Principal goal: to protect organizations and their ability to perform their mission, not just information assets
– Scope: an essential management function of the organization, tightly woven into system development life cycle (SDLC) – not only a technical function carried out by information security experts who operate and manage information security systems
– Benefits: allowing information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability; fostering informed decision making
– Risk assessments should be conducted and integrated into the SDLC for information systems, not because it is required by law or regulation, but because it is a good practice and supports the organization’s business objectives or mission
NIST Cybersecurity Framework (2018)
A risk-based approach to managing cybersecurity risk
[Figure: the framework core functions: Identify, Protect, Detect, Respond, Recover]
• Flexible approach to cybersecurity, applicable to any organization relying on technology
• Provides a common organizing structure for multiple approaches to cybersecurity by assembling currently effective standards, guidelines, and practices
NIST Cybersecurity Framework (2018)
Risk management: information and decisions flow within an organization
Excerpt from Cybersecurity Framework Version 1.1 (April 16, 2018; available free of charge from https://doi.org/10.6028/NIST.CSWP.04162018), Section 2.4, Coordination of Framework Implementation:
Figure 2 describes a common flow of information and decisions at the following levels within an organization:
• Executive
• Business/Process
• Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization's overall risk management process and to the implementation/operations level for awareness of business impact.
[Figure 2: Notional Information and Decision Flows within an Organization]
NIST SP 800-39 – Managing Information Security Risk
Purpose: to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems
NIST SP 800-39 – Managing Information Security Risk
[Figure: multitiered organization-wide risk management. Tier 1: organization; Tier 2: mission/business processes; Tier 3: information systems]
NIST SP 800-39 – Managing Information Security Risk
[Figure: the risk management process (frame, assess, respond, monitor). Risk framing describes the environment in which risk-based decisions are made, to produce a risk management strategy.]
NIST SP 800-30 – Guide for conducting risk assessments
Purpose: to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39
• how to carry out steps in the risk assessment process
• how risk assessments and other organizational risk management processes complement and inform each other
• identifying specific risk factors to monitor on an ongoing basis
Content:
• risk management process
• risk assessment process
• resources: glossary; information on threat sources, events and likelihood; vulnerabilities; impact; risk determination and response
NIST SP 800-30 – Guide for conducting risk assessments
• Concepts and principles similar to and consistent with ISO and IEC standards
• Flexible guidelines – no specific requirements on:
– formality, rigor, level of detail of the particular risk assessment
– methodologies, tools, and techniques
– format and content of assessment results and reporting mechanisms
• Cautionary note: risk assessments are often not precise instruments of measurement and reflect:
– the limitations of the specific assessment methodologies, tools, and techniques employed
– subjectivity, quality, and trustworthiness of the data used
– the interpretation of assessment results
– the skills and expertise of those conducting the assessments
Definition of risk
A multidimensional concept, whose definition varies with the purpose and discipline/sector.
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is a function of:
– the adverse impacts that would arise if the circumstance or event occurs
– the likelihood of occurrence
Definition of information security risk
Information security risks arise from the loss of confidentiality, integrity, or availability of information or information systems.
They reflect the potential adverse impacts to organizational operations:
– mission
– functions
– image
– reputation
and to organizational assets, individuals, and other organizations (where a threat intersects with a vulnerability, risk is present – NIST Information Security Handbook)
Definition of risk assessment
The process of identifying, estimating, and prioritizing information security risks.
This requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
The context of risk assessment
[Figure: the risk management process (frame, assess, respond, monitor); the assessment component is the focus of SP 800-30. Risk framing describes the environment in which risk-based decisions are made, to produce a risk management strategy.]
Risk framing components
• Risk model: defines risk factors and their relationships
• Assessment approach: specifies the range of values of risk factors and how to combine them to evaluate risk – can be quantitative, qualitative, or semi-quantitative
• Analysis approach: describes how combinations of risk factors are identified/analyzed – can be threat-oriented, asset/impact-oriented, or vulnerability-oriented
Risk model: an example
[Figure: an example risk model (the SP 800-30 generic risk model with its key risk factors)]
Assessment approaches
Quantitative
• Use of numbers
• Meanings and proportionality are maintained inside and outside the assessment context
• Issues: reliability, significance, effort required
Qualitative
• Based on non-numerical categories or levels
• Useful to support communicating risk results to decision makers
• Understanding categories or levels requires clear examples
Semi-quantitative
• Use of bins, scales, or representative numbers whose values and meanings are not maintained in other contexts
• Expert judgment is crucial in assigning values
[Figure: risk factors (threat exploits vulnerability, exposed by asset, causing impact), repeated as the starting point for the analysis approaches]
Analysis approach
Threat-oriented
• identification of threat sources and events
• development of threat scenarios
• identification of vulnerabilities
Asset/impact-oriented
• identification of impacts or consequences of concern and critical assets
• identification of threat events that could lead to, and/or threat sources that could seek, those impacts or consequences
Vulnerability-oriented
• identification of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or their environments
• identification of threat events that could exercise those vulnerabilities, together with possible consequences of vulnerabilities being exercised
Application of risk assessments
[Figure: application of risk assessments at the three tiers of organization-wide risk management]
• Tier 1 (organization): supporting organizational strategies, policies, guidance, and processes for managing risk
• Tier 2 (mission/business processes): supporting the determination of mission/business process protection and resiliency requirements, and the allocation of those requirements to the enterprise architecture as part of mission/business segments
• Tier 3 (information systems): traditional risk assessments focus at the Tier 3 level, and tend to overlook other significant risk factors that may be more appropriately assessed at higher levels
The NIST SP 800-30 risk assessment process
Excerpt from Special Publication 800-30, Guide for Conducting Risk Assessments, Chapter Three, "The Process: Conducting Risk Assessments within Organizations" (p. 23):
This chapter describes the process of assessing information security risk including: (i) a high-level overview of the risk assessment process; (ii) the activities necessary to prepare for risk assessments; (iii) the activities necessary to conduct effective risk assessments; (iv) the activities necessary to communicate the assessment results and share risk-related information; and (v) the activities necessary to maintain the results of risk assessments on an ongoing basis. The risk assessment process [43] is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results; and (iv) maintain the assessment. [44] Each step is divided into a set of tasks. For each task, supplemental guidance provides additional information for organizations conducting risk assessments. Risk tables and exemplary assessment scales are listed in appropriate tasks and cross-referenced to additional, more detailed information in the supporting appendices. Figure 5 illustrates the basic steps in the risk assessment process and highlights the specific tasks for conducting the assessment.
[43] The intent of the process description in Chapter Three is to provide a common expression of the essential elements of an effective risk assessment. It is not intended to limit organizational flexibility in conducting those assessments. Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description.
[44] The four-step risk assessment process described in this publication is consistent with the general risk assessment process described in NIST Special Publication 800-39. The additional steps and tasks result from the need to provide more detailed guidance to effectively carry out the specific activities associated with risk assessments.
[Figure 5: Risk Assessment Process. Step 1: Prepare for Assessment (derived from the organizational risk frame). Step 2: Conduct Assessment, expanded task view: Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk. Step 3: Communicate Results. Step 4: Maintain Assessment.]
Comparison with ISO 31000 process
[Figure: comparison of the SP 800-30 risk assessment process with the ISO 31000 risk management process]
Step 1: preparing for the risk assessment
Tasks:
1-1 Identify the purpose of the assessment
1-2 Identify the scope
1-3 Identify the assumptions and constraints associated with the assessment
1-4 Identify the sources of information to be used as inputs to the assessment
1-5 Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed
Step 1: preparing for the risk assessment
TASK 1-1: Identifying the purpose
• what information is it intended to produce?
• what decisions is it intended to support?
• how to capture and present the information produced?
TASK 1-2: Identifying the scope
• organizational applicability: organization tiers and parts affected
• time frame supported: how long will the results be relevant? what influences the need to update the assessment?
• architectural/technological considerations: specific technologies, mission/business segment architecture, organizational information systems and their environment
Step 1: preparing for the risk assessment
TASK 1-3: Identifying assumptions and constraints
• threat sources: types of sources to be considered, identification process
• threat events: types of threat events to be considered, required level of detail of their description
• vulnerabilities and predisposing conditions: types of vulnerabilities and predisposing conditions to be considered, required level of detail of their description
• likelihood determination process
• impacts to organizational operations (missions, functions, image, and reputation) and assets, individuals, other organizations
• risk tolerance and uncertainty: what levels and types of risk are acceptable? reasons for uncertainty about risk factors
• analytic approach: assessment approaches (quantitative, qualitative, semi-quantitative) and analysis approaches (threat-oriented, asset/impact-oriented, vulnerability-oriented)
Step 1: preparing for the risk assessment
TASK 1-4: Identifying the sources of threat, vulnerability, and impact information
• threats and vulnerabilities: internal sources (e.g., risk and vulnerability assessment reports, incident reports, security logs, trouble tickets, monitoring results) and external sources (e.g., cross-community organizations like CERTs, research and non-governmental organizations), etc.
• predisposing conditions: descriptions of information systems, environments of operation, shared services, common infrastructures, enterprise architecture, etc.
• impact information: mission/business impact analyses, information system component inventories, security categorizations, etc.
Step 1: preparing for the risk assessment
TASK 1-5: Identifying the risk model and analytic approach
• risk models include, or can be translated into, the risk factors: threat, vulnerability, impact, likelihood, and predisposing condition
• assessment approach: quantitative, qualitative, semi-quantitative
• analysis approach: threat-oriented, asset/impact-oriented, vulnerability-oriented
• definition or selection of existing assessment scales, annotated with organizationally-meaningful examples for specific values
• defining algorithms (e.g., formulas, tables, rules) for combining risk factors
Step 2: conducting the risk assessment
Objective: to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions
[Figure 5 of SP 800-30, repeated; Step 2 (Conduct Assessment), expanded task view: Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk]
• iteration among the tasks is necessary and expected
• task ordering can be modified
Step 2: conducting the risk assessment
TASK 2-1: Identify and characterize threat sources of concern
• adversarial threats: capability, intent and targeting characteristics
• non-adversarial threats: range of effects
Step 2: conducting the risk assessment
Threat source taxonomy (first two levels only):
• Adversarial: Individual, Group, Organization, Nation-State
• Accidental: User, Privileged User/Administrator
• Structural: IT Equipment, Environmental Controls, Software
• Environmental: Natural or man-made disaster, Unusual Natural Event, Infrastructure Failure/Outage
Step 2: conducting the risk assessment
[Table: exemplary assessment scale – characteristics of adversary capability]
Step 2: conducting the risk assessment
TASK 2-2: Identify threat events
• potential threat events
• relevance of threat events
• threat sources that could initiate the events
Step 2: conducting the risk assessment
Representative examples of adversarial threat events:
• Perform reconnaissance and gather information, e.g., sniffing of exposed networks
• Craft or create attack tools, e.g., phishing attacks
• Deliver/insert/install malicious capabilities, e.g., known malware to internal information systems (virus via email)
• Exploit and compromise, e.g., poorly configured or unauthorized information systems exposed to the Internet
• Conduct an attack, e.g., Distributed Denial of Service (DDoS)
• Achieve results, e.g., obtain sensitive information via exfiltration
• Maintain a presence or set of capabilities, e.g., obfuscate adversary actions
• Coordinate a campaign, e.g., cyber attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors
Step 2: conducting the risk assessment
TASK 2-3: Identify and select relevant vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts
(Exemplary tables: F-1 to F-6 in SP 800-30 Appendix F)
Step 2: conducting the risk assessment
[Table: exemplary assessment scale for vulnerability severity]
Step 2: conducting the risk assessment
TASK 2-4: Determining the likelihood that threat events of concern result in adverse impacts
• characteristics of the threat sources that could initiate the events (for adversarial threats, including capability, intent and targeting), or that make the event occur (non-adversarial threats)
• vulnerabilities/predisposing conditions identified
• organizational susceptibility reflecting the safeguards/countermeasures planned or implemented
Step 2: conducting the risk assessment
The overall likelihood of a threat event is a combination of:
• likelihood of event occurrence (e.g., due to human error or natural disaster) or initiation (by an adversary)
• likelihood of adverse impacts resulting from initiation or occurrence
Combining algorithms depend on:
• organizational attitudes toward risk (overall risk tolerance, uncertainty tolerance)
• specific tolerances toward uncertainty in different risk factors
• organizational weighting of risk factors
Step 2: conducting the risk assessment
Examples of likelihood combining rules:
• use the maximum of the two likelihood values
• use the minimum of the two likelihood values
• consider likelihood of initiation/occurrence only, assuming that adverse impacts are certain
• consider likelihood of impact only, assuming that if adverse impacts are possible, adversaries will initiate the events
• take a weighted average of the two likelihood values
Assessment scales: likelihood
[Table: exemplary assessment scale – likelihood of threat event initiation (adversarial)]
Assessment scales: likelihood
[Table: exemplary assessment scale – likelihood of threat event resulting in adverse impact]
Assessment scales: likelihood
[Table: exemplary assessment scale – overall likelihood]
Step 2: conducting the risk assessment
TASK 2-5: Determining the adverse impacts from threat events of concern
Factors to consider:
• characteristics of the threat sources that could initiate the events
• vulnerabilities/predisposing conditions identified
• susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events
Description of adverse impacts in terms of potential harm to:
• organizational operations
• assets
• individuals
• other organizations
May involve identification of assets or potential targets of threat sources:
• information resources (e.g., information, data repositories, information systems, applications, information technologies, communications links)
• people
• physical resources (e.g., buildings, power supplies)
Step 2: conducting the risk assessment
[Table: exemplary assessment scale – threat event impact]
Step 2: conducting the risk assessment
[Table: exemplary assessment scale – threat event impact (continued)]
Step 2: conducting the risk assessment
TASK 2-6: Determine the risk to the organization from threat events of concern
Risk level is a function of:
• impact resulting from the events
• likelihood of the events occurring
Risks at the same level or with similar scores can be further prioritized
Include information related to uncertainties arising from, e.g.:
• missing information
• subjective determinations
• assumptions made
Assessment scales: level of risk
[Table: exemplary assessment scale – level of risk]
Assessment scales: level of risk
[Table: exemplary assessment scale – level of risk as a combination of likelihood and impact (risk matrix)]
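Added example, not code from the slides, the lab, or NIST: a small Python implementation of the semi-quantitative risk determination sketched across the "Examples of likelihood combining rules" slide, the likelihood scales, and the risk matrix above. It maps the five qualitative levels to the representative values 0/2/5/8/10 of the SP 800-30 exemplary scales, combines likelihood of initiation/occurrence with likelihood of adverse impact using a selectable rule (maximum, minimum, initiation-only, impact-only, weighted average), re-bins the result, and looks up the risk level in a likelihood-by-impact matrix. The matrix, the bin edges, the scenario names and every assessed value below are assumptions constructed for illustration and stand in for an organization's own risk frame, which is what Task 1-5 asks you to define.

```python
"""Semi-quantitative risk determination in the style of NIST SP 800-30 Rev. 1.

Added example for these slides; it is not code from the slides or from NIST.
The risk matrix, bin edges and sample scenarios are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Qualitative levels, lowest to highest, and the representative semi-quantitative
# values (0-10 scale) that the SP 800-30 exemplary assessment scales attach to them.
LEVELS: List[str] = ["Very Low", "Low", "Moderate", "High", "Very High"]
VALUE: Dict[str, int] = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}


def to_level(value: float) -> str:
    """Bin a 0-10 value back into a qualitative level.

    Bin edges (assumed) are the SP 800-30 ranges on the 0-100 scale
    (0-4, 5-20, 21-79, 80-95, 96-100) divided by ten.
    """
    if value < 0.5:
        return "Very Low"
    if value < 2.1:
        return "Low"
    if value < 8.0:
        return "Moderate"
    if value < 9.6:
        return "High"
    return "Very High"


# A combining rule maps (likelihood of initiation/occurrence, likelihood of
# adverse impact) to one value; these are the rules listed on the slide.
Rule = Callable[[float, float], float]


def weighted(w_initiation: float) -> Rule:
    """Weighted average; w_initiation is the organizational weight on initiation."""
    if not 0.0 <= w_initiation <= 1.0:
        raise ValueError("weight must be in [0, 1]")
    return lambda init, impact: w_initiation * init + (1.0 - w_initiation) * impact


RULES: Dict[str, Rule] = {
    "max": max,                                    # pessimistic
    "min": min,                                    # optimistic
    "initiation_only": lambda init, impact: init,  # adverse impact assumed certain
    "impact_only": lambda init, impact: impact,    # adversary assumed to act if impact is possible
    "weighted": weighted(0.5),                     # equal weights; tune per risk frame
}


@dataclass(frozen=True)
class ThreatScenario:
    """One row of the assessment: a threat event with its assessed risk factors."""
    event: str
    likelihood_initiation: str   # level: initiation (adversarial) or occurrence (non-adversarial)
    likelihood_impact: str       # level: chance the event results in adverse impact
    impact: str                  # level of the adverse impact
    uncertainty: str = ""        # missing information, assumptions, subjective judgements


# Assumed risk matrix: rows = overall likelihood, columns = impact in LEVELS order.
RISK_MATRIX: Dict[str, List[str]] = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def overall_likelihood(s: ThreatScenario, rule: str = "max") -> str:
    """Task 2-4: combine the two likelihoods with the chosen rule and re-bin."""
    value = RULES[rule](VALUE[s.likelihood_initiation], VALUE[s.likelihood_impact])
    return to_level(value)


def risk_level(s: ThreatScenario, rule: str = "max") -> str:
    """Task 2-6: risk as a function of overall likelihood and impact."""
    return RISK_MATRIX[overall_likelihood(s, rule)][LEVELS.index(s.impact)]


def prioritize(scenarios: List[ThreatScenario], rule: str = "max") -> List[ThreatScenario]:
    """Order by risk level; break ties by impact, then by overall likelihood."""
    def key(s: ThreatScenario):
        return (LEVELS.index(risk_level(s, rule)),
                LEVELS.index(s.impact),
                LEVELS.index(overall_likelihood(s, rule)))
    return sorted(scenarios, key=key, reverse=True)


# Constructed sample scenarios (illustrative values, not assessments of any real system).
SCENARIOS: List[ThreatScenario] = [
    ThreatScenario("DDoS against the public web front end", "High", "Moderate", "Moderate"),
    ThreatScenario("Exfiltration via phished administrator credentials", "Moderate", "High", "Very High",
                   uncertainty="phishing click rate assumed from industry data"),
    ThreatScenario("Administrator accidentally deletes backups", "Low", "High", "High"),
    ThreatScenario("Data centre power outage", "Very Low", "Very High", "Moderate"),
]

if __name__ == "__main__":
    for rule in ("max", "min", "weighted"):
        print(f"rule={rule}")
        for s in prioritize(SCENARIOS, rule):
            print(f"  {risk_level(s, rule):9} likelihood={overall_likelihood(s, rule):9} {s.event}")
```

Running it with the three rules shows the point the slides make about combining algorithms: under "max" the backup-deletion scenario rates High and the power outage Moderate, under "min" they drop to Low and Very Low, so the choice of rule, which encodes the organization's risk and uncertainty tolerance, changes the ordering of the risk list, not just the numbers. The uncertainty field carries the Task 2-6 caveat (missing information, assumptions) alongside each row so it reaches the decision makers with the score.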