1 / 35

Risk Analysis

Risk Analysis. COEN 250. Risk Management. Risk Management consists of Risk Assessment Risk Mitigation Risk Evaluation and Assessment Risk Management allows Balance operational and economic costs of protective measures. Risk Management and System Development Life Cycle.

samira
Download Presentation

Risk Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Risk Analysis COEN 250

  2. Risk Management • Risk Management consists of • Risk Assessment • Risk Mitigation • Risk Evaluation and Assessment • Risk Management allows • Balance operational and economic costs of protective measures

  3. Risk Management andSystem Development Life Cycle • Phase 1 – Initiation • Need for IT system is expressed, scope is documented • Identified risks are for • Developing system requirements • Including security requirements • Security strategy of operations • Phase 2 – Development or Acquisition • IT system is Designed, Purchased, Programmed, Developed • Risks identified during this phase are used to • Support security analyses of system • Might lead to architecture and design trade-offs during development

  4. Risk Management andSystem Development Life Cycle • Phase 3 – Implementation • System features are configured, enabled, tested, verified • Risk management supports assessment of system implementation against requirements and modeled operational environment • Phase 4 – Operation or Maintenance • System performs its functions • Typically: modification on an ongoing basis • Risk Management activities: • System reauthorization / reaccreditation • Periodic • Triggered by changes in system • Triggered by changes in operational production environment

  5. Risk Management andSystem Development Life Cycle • Phase 5 – Disposal • Disposition of • Information • Hardware • Software • Activities • Moving • Archiving • Discarding • Destroying • Sanitizing • Risk management: • Ensure proper disposal of software and hardware • Proper handling of residual data • System migration conducted securely and systematically

  6. Risk Management andSystem Development Life Cycle • Risk management is management responsibility • Senior management • Ensures effective application of necessary resources to develop mission capabilities • Need to asses and incorporate results of risk management into decision making process • Chief Information Officer (CIO) • Responsible for planning, budgeting, and performance of IT • Includes Information Security components • Systems and Information Owners • Responsible for ensuring existence of proper controls • Have to approve and sign off to changes in IT system • Need to understand role of risk management

  7. Risk Management andSystem Development Life Cycle • Business and Functional Managers • Have authority and responsibility to make trade-off decisions • Need to be involved in risk management • Information System Security Officer (ISSO) • Responsible for security program, including risk management • Play leading role for methodology of risk management • Act as consultant to senior management • IT Security Practitioners • Responsible for proper implementation • Must support risk management process to identify new potential risks • Must implement new security controls • Security Awareness Trainers • Proper use of systems is instrumental in risk mitigation and IT resource protection • Must understand risk management • Must incorporate risk assessment into training programs

  8. Risk Assessment • Risk depends on • Likelihood of a given threat-source exercising a particular potential vulnerability • Resulting impact of the adverse event

  9. Hypothetical 2003 Example • Polish hacker N@te upset at Polish control of Multinational Division Central South Iraq • His hacker group wants to attack www.wp.mil.pl • Finds out • www.wp.mil.pl runs Apache • Runs old version of OpenSSL vulnerable to a buffer overflow attack Bejtlich: The Tao of Network Security Monitoring

  10. Hypothetical 2003 Example Bejtlich: The Tao of Network Security Monitoring

  11. Hypothetical 2003 Example • Polish military does not know N@te, but knows about its exposure • Needs to know about vulnerability • Risk assessment changes dramatically once vulnerability is recognized

  12. Vulnerability  Threat • February 2002 SNMP vulnerability • SNMP widespread network management tool. • Potentially affected most network devices. • However, NO exploits were discovered.

  13. Vulnerability  Threat • Windows RPC vulnerability of 2003 • Dozens of exploits • Blaster worm caused > $1.000.000.000 damage

  14. Risk Assessment • Step 1: System Characterization • Collect system related information • Hardware • Software • Connectivity • Data and information • Users and support • System mission • System and data criticality and sensitivity • …

  15. Risk Assessment • Step 2: Threat Identification • Threat Source Identification • Natural events: • Floods, fires, earthquakes, … • Human threats: • Unintentional acts • Deliberate actions • Consider motivations and actions • Environmental threats • Long-term power failure, pollution, chemicals, liquid leakage

  16. Risk Assessment • Step 3: Vulnerability Identification • Varies on SDLC phase • Sources • Previous risk assessment documents • IT system audits and logs • Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com) • Security advisories • Vendor advisories • System software security analyses

  17. Risk Assessment • Step 3: Vulnerability Identification • Security Testing • Automated vulnerability scanning tools • Penetration testing • Security Test and Evaluation (ST&E) • Develop a test plan • Test Effectiveness of security controls • See NIST SP 800-42

  18. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Management Security • Assignment of responsibilities • Continuity of support • Incident response capability • Periodic review of security controls • Personnel clearance and background investigations • Risk assessment • Separation of duties • System authorization and reauthorization • System or application security plan

  19. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Operational Security • Control of air-borne contaminants • Controls to ensure the quality of the electrical power supply • Data media access and disposal • External data distribution and labeling • Facility protection (e.g., computer room, data center, office) • Humidity control • Temperature control • Workstations, laptops, and stand-alone personal computers

  20. Risk Assessment • Step 3: Vulnerability Identification • Develop a Security Requirements Checklist • Technical Security • Communications (e.g., dial-in, system interconnection, routers) • Cryptography • Discretionary access control • Identification and authentication • Intrusion detection • Object reuse • System audit

  21. Risk Assessment • Step 3: Vulnerability Identification • Outcome: A list of system vulnerabilities that could be exercised by a potential threat source

  22. Risk Assessment • Control Analysis • Control Methods • Technical methods • Safeguards built into computer hardware, software, firmware • Nontechnical methods • Management and operational controls • Security policies • Operational procedures • Personnel security • Physical security • Environmental security

  23. Risk Assessment • Control Categories • Preventive controls • Detective controls

  24. Risk Assessment • Control Analysis • Compare security requirements checklist to validate security (non)-compliance • Output: • List of current or planned controls

  25. Risk Assessment • Step 5: Likelihood determination • Governing factors • Threat source motivation and capability • Nature of vulnerability • Existence and effectiveness of current controls • Assign likelihood levels

  26. Risk Assessment • Step 6: Impact Analysis • Requires • System mission • System and data criticality • System and data sensitivity • Can typically be described in • Loss of integrity • Loss of availability • Loss of confidentiality

  27. Risk Assessment • Step 6: Impact Analysis • Can be done quantitatively or qualitatively

  28. Risk Assessment • Step 7: Risk determination • Risk Level Matrix • Composed of threat likelihood and impact • Determines risk scale • Risk Scale • Used to determine and prioritize activities

  29. Risk Assessment • Control Recommendations • Reduce risks to data and system to acceptable level • Base evaluation on • Effectiveness • Legislation and regulation • Organizational policy • Operational impact • Safety and reliability • Perform cost benefit analysis

  30. Risk Assessment • Step 9: Result Documentation • Risk assessment report • Describes threats and vulnerabilities • Measures risk • Provides recommendations for control implementation

  31. Risk Mitigation • Prioritizing • Evaluating • Implementing Appropriate risk-reducing controls

  32. Risk Mitigation • Options • Risk Assumption • To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level • Risk Avoidance • To avoid the risk by eliminating the risk cause and/or consequence • Risk Limitation • To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability • Risk Planning • To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls • Research and Acknowledgment • To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability • Risk Transference • To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

  33. Risk Mitigation

  34. Risk Mitigation • Control Implementation • Prioritize Actions • Evaluate Recommended Control Options • Conduct Cost-Benefit Analysis • Select Control • Assign Responsibility • Develop a Safeguard Implementation Plan • Implement Selected Control(s)

More Related