7/29/2019 Using Nontraditional Security Risk Assessments to Measure Risk, Request Budgets, and Illustrate Trends (166366402)
http://slidepdf.com/reader/full/using-nontraditional-security-risk-assessments-to-measure-risk-request-budgets 1/27
INFORMATION TECHNOLOGIES & SERVICES
Copyright
• Copyright Benjamin Nathan, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Using Nontraditional Security Risk Assessments to Measure Risk, Request Budgets, and Illustrate Trends

Ben Nathan
Associate Director, Security and Identity Management
Weill Cornell Medical College
5/6/2008
Agenda

• About Weill Cornell Medical College (WCMC)
• About Information Technologies and Services (ITS)
• Problems With A Traditional Risk Assessment
• Risk Management Portfolio
• Identifying and Addressing Risk
• Cataloging Solutions
• Risk Categories
• Scoring
• The Risk Scorecard
• Measuring the Process
• Funding Requests
• Observations
• Conclusion
About WCMC

[Slide graphic; labels: WCMC, CU]
Network Partners
Information Technologies and Services (ITS)
Network Diagram

[Diagram Removed. Labels on the slide: Internet/Extranet, Firewall, Network Core (x3), Servers (x2), NYPH Servers, Extranet]
Risk Management?
Risk Management Portfolio

[Diagram; labels: Risk Management, Add Value, Measure Performance]
3 Step Approach
Identify Threats by Cataloging Solutions

Identify security threats by cataloging security solutions.

  Security Solution: Malware Protection  ->  Threat: ?
Threats, Identified

Security Solutions        Threats
Intrusion Prevention      Network Intrusions
Network Access Control    Rogue Computers
Client Encryption         Unencrypted Clients
Data Classification       Inappropriate Security
Awareness Training        End User Errors

~75 Security Solutions in Total, Available in the Files Posted for this Presentation
3 Step Approach
Break Risk Into Categories
3 Step Approach
Scoring

Security Solution: Intrusion Prevention

Does it...                                            Score (1-10)
  Reduce Susceptibility to External Attack?   Yes!          10
  Improve Policy Enforcement?                                5
  Improve or Increase Network Visibility?                    3
  Total Score                                               18   (built up on the slide as 0, 10, 15, 18)

Scale: 1 is No Effect, 5 is Indirect Effect, 10 is Direct, Significant Effect.
Scoring with category multipliers (x5, x5, x3)

Security Solutions        Reduce Susceptibility    Improve Policy      Improve Visibility    Total
                          to Internal Attack       Enforcement         Into Network
                          raw    x5                raw    x5           raw    x3
Intrusion Prevention      10     50                 5     25            3      9            262
Network Access Control    10     50                10     50            5     15            259
Client Encryption          7     35                10     50            1      3            240
Data Classification        7     35                10     50            7     21            234
Awareness Training         7     35                10     50            1      3            214

The Total column is each solution's overall scorecard total across all risk categories; only three of the categories are shown on this slide, so the three weighted values do not sum to it.
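The weighting scheme on the slide above, as an added Python example (not part of the presentation or its posted files): raw 1-10 scores are multiplied by the category multipliers shown (x5, x5, x3) and summed, and the deck's five solutions are ranked by that total. The `trend` helper, and the dated scores fed to it, are an assumption illustrating the 10/1/2006 vs 10/1/2007 comparison the later scorecards draw.

```python
"""Weighted security-solution scoring as laid out on the Scoring slides.

Raw scores: 1 = no effect, 5 = indirect effect, 10 = direct, significant
effect. Each risk category carries a multiplier; a solution's total is the
sum of raw score times multiplier over the categories being assessed.
"""

# (category, multiplier) pairs from the three-column slide.
CATEGORIES = (
    ("Reduce Susceptibility to Internal Attack", 5),
    ("Improve Policy Enforcement", 5),
    ("Improve Visibility Into Network", 3),
)

# Raw 1-10 scores from the same slide, in CATEGORIES order.
PORTFOLIO = {
    "Intrusion Prevention":   (10, 5, 3),
    "Network Access Control": (10, 10, 5),
    "Client Encryption":      (7, 10, 1),
    "Data Classification":    (7, 10, 7),
    "Awareness Training":     (7, 10, 1),
}


def weighted(raw, categories=CATEGORIES):
    """Multiply each raw score by its category multiplier; reject out-of-range scores."""
    if len(raw) != len(categories):
        raise ValueError("one raw score per category is required")
    out = []
    for score, (name, multiplier) in zip(raw, categories):
        if not 1 <= score <= 10:
            raise ValueError(f"{name}: score {score} is outside 1-10")
        out.append(score * multiplier)
    return tuple(out)


def total(raw, categories=CATEGORIES):
    """Weighted total for one solution (unweighted if every multiplier is 1)."""
    return sum(weighted(raw, categories))


def rank(portfolio, categories=CATEGORIES):
    """(solution, total) pairs, highest first; ties keep the portfolio's order."""
    scored = [(name, total(raw, categories)) for name, raw in portfolio.items()]
    return sorted(scored, key=lambda item: -item[1])


def trend(before, after):
    """Change in total per solution between two dated scorecards (assumed helper)."""
    return {name: after[name] - before.get(name, 0) for name in after}


if __name__ == "__main__":
    for name, score in rank(PORTFOLIO):
        print(f"{name:24} {weighted(PORTFOLIO[name])} -> {score}")
```

Run stand-alone, the ranking puts Network Access Control first at 115 and Intrusion Prevention last at 84, which differs from the slide's 262-214 ordering precisely because only three of the categories are weighted here.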
Showcase Risk

Score 1-10, 10 highest. The first five risk categories carry a x5 multiplier.

Columns:
 1 Reduce Susceptibility to Internal Attack (x5)
 2 Reduce Susceptibility to External Attack (x5)
 3 Improve Visibility Into Network (x5)
 4 Meet/Exceed Audit/Regulatory Requirement (x5)
 5 Decrease Potential Damage to Reputation (x5)
 6 Improve Metrics Capabilities
 7 Improve Change Management
 8 Improve Monitoring & Response
 9 Improve Policy Enforcement
10 Decrease Risk of Theft or Loss
11 Improve Data Confidentiality
12 Improve Data Integrity
13 Improve Data Availability

Technology                             1   2   3   4   5   6   7   8   9  10  11  12  13  Total
Firewall Re-Architecture              50  50  25  15  50   5   1  10  10   7   1   1   5    230
NBAD                                  50  50  45  15  50   5   1  10   5   7   3   3   1    245
Layer 7 Packet Inspection             50  50  50  15  50   1   1   7   5   7   1   3   1    241
Strong Authentication                 25  50   5  35  25   1   1   1  10   1   5   5   1    165
Identity & Access Management          15  25   5  35  25   5   1   1  10   5   5   5   1    138
Network Access Control                50  50   5  35  35   3   5   5   7   5   5   5   1    211
SSL VPN                                5  35   5  35  15   1   5   3   5   3   7   5   1    125
Client Encryption                     15  15   5  25  50   1   1   1  10  10  10  10   1    154
Enterprise SSO                        25  25   5  25  25   5   1   5   7   5   5   5   3    141
Antivirus/Antispyware                  5   5   5   5   5   1   1   1   1   1   1   1   1     33
Firewall/Host IPS                     15  15   5  15  15   1   1   3   3   3   3   3   1     83
Email Encryption & Filtering          15  15   5  25  50   1   1   1  10  10  10  10   1    154
Web Filtering                         15  15  15  15  15   5   1   5   3   3   3   3   1     99
Information Leak Protection           25  25  15  35  35   3   3   5   5   7   7   7   3    175
Digital Investigation & Forensics      5   5  15  35  25   3   1   5   7   1   1   1   1    105
SIM/SIEM                              15  15  35  25  25   7   5   7   5   3   3   3   3    151
Database Encryption                   35  35   5  50  50   1   1   1   1   7   7   7   1    201
Database Monitoring                   25  25   5  35  25   5  10   7   1   5   5   5   5    158
IDS                                   50  50  35  35  35   3   1  10   3  10   5   3   7    247
Remote Access VPN                      5   5   5   5   5   1   1   1   1   1   1   1   1     33
Storage Security                      15  15  15  35  50   3   1   1   7  10  10  10   3    175
Endpoint Configuration Management     15  15  15  15  15   1   5   5   5   5   3   3   1    103
Vulnerability Management              50  50  15  35  35   3   1   7   7   7   5   5   5    225
The Risk Scorecard

[Bar chart of technology totals, in chart order: IDS, NBAD, Layer 7 Packet Inspection, Firewall Re-Architecture, Vulnerability Management, Network Access Control, Database Encryption, Information Leak Protection, Storage Security, Strong Authentication, Database Monitoring, Client Encryption, Email Encryption, SIM/SIEM, Identity & Access Management, Enterprise SSO, SSL VPN, Digital Investigation & Forensics, Endpoint Configuration Management, Web Filtering, Firewall/Host IPS, Remote Access VPN, Antivirus/Antispyware; axis -150 to 250]
The Risk Scorecard

[Same chart, annotated with the products chosen: SourceFire + RNA, Arbor Peakflow X, Nexpose Vulnerability Scanner]
The Risk Scorecard

[Bar chart comparing Technology Scores 10/1/2006 with Technology Scores 10/1/2007, in chart order: IDS, NBAD, Layer 7 Packet Inspection, Firewall Re-Architecture, Vulnerability Management, Network Access Control, Database Encryption, Information Leak Protection, Storage Security, Strong Authentication, Database Monitoring, Enterprise SSO, Identity & Access Management, SSL VPN, Digital Investigation & Forensics, Endpoint Configuration Management, Web Filtering, Firewall/Host IPS, Antivirus/Antispyware, Remote Access VPN, IPS; axis 0 to 400]
Measure Process

Project                          Cost        Time
SourceFire & Arbor Peakflow X    $150,000    1250 Hrs
Side Effects (of IDS & NBAD)     $0.00       100 Hrs
Nexpose Vulnerability Scanner    $25,000     1000 Hrs
Process Risk Scorecard

[Bar chart comparing Process Scores 10/1/2006 with Process Scores 10/1/2007, in chart order: Audit & Risk Management Framework, Policy Creation, Data Classification, Awareness Training, Incident Response Plan, Threat Research, Vulnerability Management, Risk Assessment, BC Planning, BC Testing, Information Risk Prioritization, Event Analysis, Security Testing, System Access Control, Application Access Control, Log Management, Architecture Review, Risk Impact Analysis, Physical & Environmental Security, Information Risk Handling, Information Risk Tracking, Security Procedure Creation/Implementation, Forensics, Facilities Access Control, Change Management, Compliance Research, BC Training, Policy Compliance; axis -50 to 350]
Funding Request

[Two bar charts, FY 2009 and FY 2010, each covering: Policy Compliance, Security Procedure Creation/Implementation, IPS, Network Access Control, Data Classification, Awareness Training, Client Encryption, Audit & Risk Management Framework, Layer 7 Packet Inspection, Strong Authentication, Risk Assessment, Identity & Access Management, BC Planning, BC Testing, Database Encryption, Information Risk Prioritization, with Average Score and Median Score shown; axes 0 to 400 and -50 to 350]
Observations
Conclusions
Technology                      Total
Intrusion Prevention             262
Network Access Control           259
Client Encryption                240
Layer 7 Packet Inspection        234
Strong Authentication            214
Identity & Access Management     206
Database Encryption              201
Web Filtering                    195
Information Leak Protection      175
[The slide also shows thumbnails of the earlier charts: The Risk Scorecard, Measure Process (Sourcefire, Arbor, Side Effect, Nexpose), the Process Risk Scorecard and Funding Request charts, and the Risk Management Portfolio diagram (Add Value, Measure Performance)]