Identifying and Assessing Risk

Presentation transcript:

Identifying and Assessing Risk INFORMATION SECURITY MANAGEMENT Risk Management: Identifying and Assessing Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

True Story A company suffered a catastrophic loss one night when its office burned to the ground. As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ... The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status. “Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.” M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, p. 303

Risk is all around us… “Investing in stocks carries a risk …” “Car speeding carries a risk …” “Outdated anti-virus software carries a risk …”

Risk Management “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

Risk Terminology (diagram): Threats exploit Vulnerabilities, which results in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats. Two steps: Risk assessment, Risk treatment

Risk Terminology: Asset, Threat, Vulnerability & Risk in Info. Sec. (diagram: http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png) Two steps: Risk assessment, Risk treatment

Assets (risk terminology diagram recap: Threats exploit Vulnerabilities, which results in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats) Two steps: Risk assessment, Risk treatment

Asset Identification (figure: http://www.misutilities.com/) Source: Course Technology/Cengage Learning

Importance of Assets Classifying/Categorization

Asset Identification: Asset Ranking
Assets should be ranked so that the most valuable assets get the highest priority when managing risks.
Questions to consider when determining asset value / rank:
1) Which info. asset is most critical to the overall success of the org.?
Example: Amazon's ranking of assets. Amazon's network consists of regular desktops and web servers. Web servers that advertise the company's products and receive orders 24/7: critical. Desktops used by the customer service department: not so critical.
Source: Course Technology/Cengage Learning

Asset Identification: Asset Ranking
2) Which info. asset generates the most revenue?
3) Which info. asset generates the highest profitability?
Example: Amazon's ranking of assets. At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit).
Source: Course Technology/Cengage Learning

Importance of Assets Example: Weighted asset ranking (NIST SP 800-30) Not all asset ranking questions/categories may be equally important to the company. A weighting scheme could be used to account for this …

Risk Terminology (diagram recap: Threats exploit Vulnerabilities, which results in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats)

Threat Identification

Threat Identification (cont’d.)
Research was conducted to find the main threats facing organizations. Here are the top 12 (weighted score achieved when a CIO gave the top threat 5, the next one 4, and so on).
Weighted ranks of threats to information security (table)
Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission.

Risk Terminology (diagram recap: Threats exploit Vulnerabilities, which results in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats) Two steps: Risk assessment, Risk treatment

Vulnerability Assessment Table 8-4 Vulnerability assessment of a DMZ router Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Vulnerability Assessment Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Vulnerability Assessment Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

The TVA Worksheet Table 8-5 Sample TVA spreadsheet Source: Course Technology/Cengage Learning

Risk Terminology (diagram recap: Threats exploit Vulnerabilities, which results in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats)

Introduction to Risk Assessment The goal is to create a method to evaluate the relative risk of each listed vulnerability Figure 8-3 Risk identification estimate factors Source: Course Technology/Cengage Learning

Risk Determination – Example 1
Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate.

Risk Determination – Example 2
Asset B has a value of 100 and has two vulnerabilities:
- vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk
- vulnerability #3 has a likelihood of 0.1 with no current controls.
Your assumptions and data are 80% accurate.
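The two examples above follow the risk-rating formula of Figure 8-3 in the Whitman & Mattord text this lecture is based on (risk = likelihood x value, minus the share of that risk already controlled, plus an allowance for uncertainty equal to 1 minus the accuracy of the data). The following is an added example, not code from the slides or the textbook; it applies the formula to Assets A and B and ranks the resulting rows the way a ranked vulnerability risk worksheet would.

```python
# Added example (not from the lecture slides): the risk-rating formula behind
# Figure 8-3 in Whitman & Mattord, "Management of Information Security":
#   risk = (likelihood x value)
#          - (likelihood x value) x fraction_already_controlled
#          + (likelihood x value) x uncertainty
# where uncertainty = 1 - accuracy of the assumptions and data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float        # 0.0 .. 1.0; the text uses 0.1 .. 1.0
    controlled: float = 0.0  # fraction of this risk already handled by controls


def rate_risk(asset_value: float, vuln: Vulnerability, accuracy: float) -> float:
    """Risk rating for one vulnerability of one asset (Figure 8-3 formula)."""
    for frac in (vuln.likelihood, vuln.controlled, accuracy):
        if not 0.0 <= frac <= 1.0:
            raise ValueError("likelihood, controlled and accuracy are fractions 0..1")
    base = asset_value * vuln.likelihood
    uncertainty = 1.0 - accuracy
    return base - base * vuln.controlled + base * uncertainty


def rank_vulnerabilities(assets: dict, accuracy: float) -> list:
    """Rank (asset, vulnerability, risk) rows highest first.

    `assets` maps asset name -> (value, [Vulnerability, ...]); the order is the
    one a ranked vulnerability risk worksheet would list them in.
    """
    rows = [(asset, v.name, round(rate_risk(value, v, accuracy), 2))
            for asset, (value, vulns) in assets.items() for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Example 1: Asset A, value 50, likelihood 1.0, no controls, 90% accurate.
EXAMPLE_1 = rate_risk(50, Vulnerability("v1", 1.0), accuracy=0.90)

# Example 2: Asset B, value 100, two vulnerabilities, 80% accurate.
ASSET_B = [Vulnerability("v2", 0.5, controlled=0.5), Vulnerability("v3", 0.1)]
EXAMPLE_2 = rank_vulnerabilities({"B": (100, ASSET_B)}, accuracy=0.80)

if __name__ == "__main__":
    print(f"Asset A / v1: {EXAMPLE_1:.1f}")
    for asset, name, risk in EXAMPLE_2:
        print(f"Asset {asset} / {name}: {risk}")
```

Note that the uncertainty term is added, not subtracted: the less accurate the data, the higher the rating, so poorly understood vulnerabilities rise in the worksheet rather than disappearing from it.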

Qualitative Risk Analysis
Evaluate opinions, feelings, ideas:
- Scenarios
- Brainstorming
- Delphi technique
- Storyboarding
- Focus groups
- Surveys, questionnaires, checklists
- One-on-one meetings, interviews

Qualitative Risk Assessment
For a given scope of assets, identify:
- Vulnerabilities
- Threats
- Threat probability (Low / medium / high)
- Impact (Low / medium / high)
- Countermeasures

Example of Qualitative Risk Assessment (cells left blank here are not given in the transcript)

Threat             Impact   Initial Probability   Countermeasure                    Residual Probability
Flood damage       H        L                     Water alarms
Theft                                             Key cards, surveillance, guards
Logical intrusion  M                              Intrusion prevention system

Quantitative Risk Assessment
Extension of a qualitative risk assessment. Metrics for each risk are:
- Asset value: replacement cost and/or income derived through the use of an asset
- Exposure Factor (EF): portion of the asset's value lost through a threat (also called impact)
- Single Loss Expectancy (SLE) = Asset value ($) x EF (%)

Quantitative Risk Assessment: Metrics (cont.)
- Annualized Rate of Occurrence (ARO): probability of loss in a year, %
- Annual Loss Expectancy (ALE) = SLE x ARO

Example of Quantitative Risk Assessment
Theft of a laptop computer, with the data encrypted
- Asset value: $4,000
- Exposure factor ?
- SLE, ARO, ALE ?

Example of Quantitative Risk Assessment
Dropping a laptop computer and breaking the screen
- Asset value: $4,000
- Exposure factor ?
- SLE, ARO, ALE ?
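The two laptop exercises above, worked through with the SLE and ALE definitions from the preceding slides. This is an added example, not from the slides; the exposure factors and annualized rates of occurrence are constructed assumptions (the slides leave them as questions), and the point of the encrypted-data case is that encryption keeps the data from adding to the exposure factor, so only the hardware's replacement cost is lost.

```python
# Added example (not from the lecture slides): SLE = asset value x EF and
# ALE = SLE x ARO, as defined on the previous slides, applied to the two laptop
# scenarios.  The EF and ARO figures are constructed assumptions; the slides
# deliberately leave them as questions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset_value: float      # replacement cost and/or income derived from the asset
    exposure_factor: float  # fraction of the asset's value lost when the threat occurs
    aro: float              # Annualized Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: the loss from one occurrence of the threat."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: the expected loss per year."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


# Constructed assumptions for the slide scenarios (laptop valued at $4,000):
#  - Theft with the data encrypted: the hardware is gone (EF = 1.0 of its
#    replacement cost), but encryption keeps the data from adding to the loss;
#    assume one theft every five years (ARO = 0.2).
#  - Dropped laptop, broken screen: only a screen repair, assumed at 10% of the
#    asset value (EF = 0.1), roughly once every two years (ARO = 0.5).
SCENARIOS = [
    Scenario("Theft of laptop (data encrypted)", 4_000, 1.0, 0.2),
    Scenario("Dropped laptop, broken screen", 4_000, 0.1, 0.5),
]


def annual_loss_table(scenarios) -> list:
    """Return (threat, SLE, ALE) rows sorted by ALE, highest first."""
    rows = [(s.threat, s.sle(), s.ale()) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for threat, sle, ale in annual_loss_table(SCENARIOS):
        print(f"{threat:36s} SLE ${sle:9,.2f}  ALE ${ale:9,.2f}")
```

Under these assumptions the theft scenario has the larger SLE ($4,000) and ALE ($800 per year) despite its lower frequency; without encryption the data's value would have to be added to the asset value, and the EF for theft would rise accordingly.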

Qualitative vs. Quantitative

Table 8-9 Ranked vulnerability risk worksheet Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Documenting the Results of Risk Assessment
Goals of the risk management process:
- To identify information assets and their vulnerabilities
- To rank them according to the need for protection
In preparing this list, a wealth of factual information about the assets and the threats they face is collected.
The final summarized document is the ranked vulnerability risk worksheet.