Security Risk Management. Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec email@example.com. Agenda. What is Risk Management? Security Strategy Mission and Vision Security Principles Risk Based Decision Model Tactical Prioritization
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec firstname.lastname@example.org
Agenda • What is Risk Management? • Security Strategy • Mission and Vision • Security Principles • Risk Based Decision Model • Tactical Prioritization • Representative Risks and Tactics
What is Risk Management? • The process of measuring assets and calculating risk! • Something we all do! (More or less)
Risk Based Security Strategy Corporate Security Mission and Vision Security Operating Principles Risk Based Decision Model Tactical Prioritization
Mission and Vision Operating Principles Risk Based Decision Model Assess Risk Tactical Prioritization Define Policy Audit Controls Information Security Mission Prevent malicious or unauthorized use that results in the loss of Company Intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets
Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Information Security Vision • Key Client Assurances • My Identity is not compromised • Resources are secure and available • Data and communications are private • Clearly defined roles and accountability • Timely response to risks and threats An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.
Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Security Operating Principles • Management Commitment • Manage risk according to business objectives • Define organizational roles and responsibilities • Users and Data • Manage to practice of Least Privilege • Privacy strictly enforced • Application and System Development • Security built into development lifecycle • Layered defense and reduced attack surface • Operations and Maintenance • Security integrated into Operations Framework • Monitor, audit, and response functions aligned to operational functions
Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Enterprise Risk Model High Unacceptable Risk Risk assessment drives to acceptable risk Impact to Business (Defined by Business Owner) Acceptable Risk Low Low Probability of Exploit (Defined by Corporate Security) High
Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Components of Risk Assessment Asset Threat Vulnerability Mitigation What are you trying toassess? What are you afraid of happening? How could the threat occur? What is currently reducing the risk? Impact Probability What is the impact to the business? How likely is the threat giventhe controls? + = Current Level of Risk What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
Mission and Vision OperatingPrinciples Risk Based Decision Model Tactical Prioritization Risk Management Process and Roles CorpSec PrioritizeRisks Security Policy Compliance 1 2 5 Engineering and Operations SecuritySolutions &Initiatives Sustained Operations 3 4 Tactical Prioritization
Mission and Vision OperatingPrinciples Risk Based Decision Model Tactical Prioritization Tactical Prioritization by Environment Data Center Client Prioritized Risks Policies and mitigation tactics appropriate for each environment Unmanaged Client RAS Extranet
Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Risk Analysis by Asset Class Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks Host Application Unauthenticated access to applications, unchecked memory allocations Assets Network Data sniffing on the wire, network fingerprinting Account Compromise of integrity or privacy of accounts Trust Unmanaged trusts enable movement among environments
Representative Risks and Tactics Enterprise Risks Tactical Solutions Unpatched Devices Secure Environment Remediation Embody Trustworthy Computing Unmanaged Devices Network Segmentation via IPSec Remote & Mobile Users Secure Remote User Single-Factor Authentication 2-Factor for RAS & Administrators Focus Controls Across Key Assets Managed Source Initiatives
Mitigate risk to the infrastructure through implementation of key strategies 1. Securethe Network Perimeter 2. Securethe NetworkInterior 3. SecureKey Assets 4.Enhance Monitoring and Auditing • Secure Wireless • Smart Cards for RAS • Secure Remote User • Next Generation AV • Messaging Firewall • Direct Connections • IDC Network Cleanup • Eliminate Weak Passwords • Acct Segregation • Patch Management (SMS/WUS/SUS) • NT4 Domain Migration • Network Segmentation • Smart Cards for Admin Access • Regional Security Assessment • Automate Vulnerability Scans • Secure Source Code Assets • Lab Security Audit • Network Intrusion Detection System • Host Intrusion Detection Systems • Automate Security Event Analysis • Use MOM for Server Integrity Checking • Use ACS for real-time security log monitoring Security Solutions and Initiatives
More information • www.microsoft.se/technet • www.microsoft.se/security • www.truesec.se/events • www.itproffs.se
Marcus Murray email@example.com