Introduction and implementation OWASP Risk Rating Management

Slides:



Advertisements
Similar presentations
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Advertisements

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Service Design – Section 4.5 Service Continuity Management.
…optimise your IT investments Spreadsheet Management Maturity Model Philip Howard Research Director – Bloor Research.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
By: Ashwin Vignesh Madhu
Principles of Information Security, 2nd Edition1 Risk Management.
Computer Security: Principles and Practice
The Information Systems Audit Process
Vulnerability Assessments
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
SEC835 Database and Web application security Information Security Architecture.
Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.
Practical Implementation of Automated Assessment Tools for the IT Auditor John A. Otte, CISSP, CISA, CFE, EnCE, MSIA Director, Strategic Services FishNet.
Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.
Slide 1 Using Models Introduced in ISA-d Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.
David N. Wozei Systems Administrator, IT Auditor.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
1 Introducing Enterprise Risk Management (ERM) - The KOC Experience November 2012 Khaled Al-Awadhi Risk Management Team Kuwait Oil Company.
1 Risk Management 2 n IEEE defines risk as: “the likelihood of an event, hazard, threat or situation occurring and its undesirable consequences” [Std.
Alaa Mubaied Risk Management Alaa Mubaied
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
Visual 1. 1 Lesson 1 Overview and and Risk Management Terminology.
What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling  OCTAVE Risk/Threat.
Risk Management for Small & Medium Sized Enterprises
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY By Collin Donaldson.
Chapter 8 : Management of Security Lecture #1-Week 13 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.
Risk Controls in IA Zachary Rensko COSC 481. Outline Definition Risk Control Strategies Risk Control Categories The Human Firewall Project OCTAVE.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
CAN I DO THAT IN THE CLOUD? Jason Testart, BMath, CISSP Director, Information Security Services May 2016.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Headquarters U.S. Air Force
Society for Maintenance and Reliability Professionals (SMRP)
Modern Systems Analysis and Design Third Edition
Deployment Planning Services
Information Security, Theory and Practice.
Risk management.
CompTIA Security+ Study Guide (SY0-401)
ISSeG Integrated Site Security for Grids WP2 - Methodology
Network Security Research Presentation
Design for Security Pepper.
Information Technology Controls
Compliance with hardening standards
TOPIC 3 RISK MANAGEMENT.
Errors, Fraud, Risk Management, and Internal Controls
CSCE 548 Secure Software Development Test 1 Review
Information Security based on International Standard ISO 27001
I have many checklists: how do I get started with cyber security?
Risk Assessment = Risky Business
Security Consulting and Strategic Research
Must cost less than possible Impact
Cyber security Policy development and implementation
Copyright Gupta Consulting, LLC.
Information security planning
Effective Risk Management in Decision Making Process
Albeado - Enabling Smart Energy
A New Concept for Laboratory Quality Management Systems
V1.1 1.
Presentation transcript:

Introduction and implementation OWASP Risk Rating Management Project Leaders Mohammad Febri Ramadlan Ade Yoseman Putra Nanang Eka Cahya P Present by Ade Yoseman Putra asdasdasdasd

About Me Ade Yoseman Putra OWASP Risk Rating Management Project https://www.owasp.org/index.php/OWASP_Risk_Rating_Management OWASP Jakarta Indonesia Chapter Lead https://www.owasp.org/index.php/Jakarta Founder of Security BSide Indonesia Speakers OWASP KL DAY 2016, University Kuala Lumpur Malaysia  Arsenal, Blackhat Asia Singapore 2017 Taiwan International Information Security Organization Summit 2017, OWASP DAY TAIWAN 2017

Risk Rating Methodology Introduction OWASP Risk Rating Methodology

Risk Risk is hazards, consequences that may occur as a result of an ongoing process or future event. Risk factor: Intervension bad habit life style bankrupt Non-Intervension gen age sex

Process!!!!

Future events

Risk Management Risk management is management process that encompasses the identification, evaluation and control of risk that may threaten the continuity of a business or a company's activities. General Objectives: reduce expenditure, prevent companies from failure, increase corporate profits, reduce production costs and many things.

Risk Assessment Risk Assessment is methods performed to determine whether an activity / risk has an acceptable or not. Good assessment should to be done by a trained team and experienced. Each company or organization have variety of acceptance level.

Risk Rating Method Many standard and guidance that will help you: DREAD (risk assessment model) CVSS OCTAVE OWASP Threat Risk Modeling OWASP Risk Rating Methodology

OWASP Threat Risk Modeling https://www. owasp. org/index

OWASP Risk Rating Methodology Let's start with the standard risk model: Risk = Likelihood * Impact How to use OWASP Risk Rating Methodology: #Step 1: Identifying a Risk #Step 2: Factors for Estimating Likelihood #Step 3: Factors for Estimating Impact #Step 4: Determining Severity of the Risk #Step 5: Deciding What to Fix #Step 6: Customizing Your Risk Rating Model

#Step 1: Identifying a Risk The first step is: to identify a security risk that needs to be rated.

#Step 2: Factors for Estimating Likelihood There are a number of factors that can help determine the likelihood. The first set of factors are related to the threat agent involved. Skill level - How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (5), some technical skills (3), no technical skills Motive - How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9) Opportunity - What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9) Size - How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

#Step 2: Factors for Estimating Likelihood (Continue) Vulnerability Factors Ease of discovery - How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9) Ease of exploit - How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9) Awareness -How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9) Intrusion detection -How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

#Step 3: Factors for Estimating Impact Again, each factor has a set of options: Loss of confidentiality Loss of integrity Loss of availability Loss of accountability Financial damage Reputation damage Non-compliance Privacy violation

#Step 4: Determining the Severity of the Risk (1) Informal Method Likelihood and Impact Levels 0 to < 3 low 3 to < 6 medium 6 to 9 high

#Step 4: Determining the Severity of the Risk (2) Repeatable Method Likelihood Skill level Motive Opportunity Size Ease of discovery Ease of exploit Awareness Intrusion detection Overall Likelihood 5 9 4 9 3 3 4 8 5.625 Medium

#Step 4: Determining the Severity of the Risk (2) Repeatable Method Likelihood Skill level Motive Opportunity Size Ease of discovery Ease of exploit Awareness Intrusion detection Overall Likelihood 5 9 4 9 3 3 4 8 5.625 Medium

#Step 4: Determining the Severity of the Risk (2) Repeatable Method (2) Impact Loss of confidenti-ality Loss of integrity Loss of availability Loss of account-ability Financial damage Reputation damage Non-compliance Privacy violation Overall Impact 5 7 7 7 7 9 7 7 7.0 High

#Step 4: Determining the Severity of the Risk (2) Repeatable Method (2) Impact Loss of confidenti-ality Loss of integrity Loss of availability Loss of account-ability Financial damage Reputation damage Non-compliance Privacy violation Overall Impact 5 7 7 7 7 9 7 7 7.0 High

#Step 4: Determining the Severity of the Risk (3) Determining Severity Overall Risk Severity IMPACT High MEDIUM HIGH CRITICAL Medium LOW Low NOTE LIKELIHOOD

#Step 4: Determining the Severity of the Risk (3) Determining Severity Overall Risk Severity IMPACT High MEDIUM HIGH CRITICAL Medium LOW Low NOTE LIKELIHOOD

#Step 5: Deciding What to Fix After the risks to the application have been classified there will be a prioritized list of what to fix. As a general rule, the most severe risks should be fixed first. It simply doesn't help the overall risk profile to fix less important risks, even if they're easy or cheap to fix. Remember that not all risks are worth fixing, and some loss is not only expected, but justifiable based upon the cost of fixing the issue.

#Step 6: Customizing the Risk Rating Model Having a risk ranking framework that is customizable for a business is critical for adoption. Adding factors Customizing options Weighting factors

Tools

1. OWASP Risk Rating Template (excel format) https://www. owasp

2. OWASP Risk Rating Calc (one website/domain) https://gist. github http://165.227.109.55/riskrating.html

3. OWASP Risk Rating Management (many website/domain) https://github.com/mohammadfebrir/owasp-riskrating

//category set by OWASP Top 10 - 2013

//you can assesst many website as you want (dynamic)

Thank you..