Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment Richard Newman

Published byBaard Evensen Modified over 6 years ago

Similar presentations

Presentation on theme: "Risk Assessment Richard Newman"— Presentation transcript:

1 Risk Assessment Richard Newman

2 Six Phases of Security Process
1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement defenses 5. Monitor defenses 6. Recover from attacks Continuous Improvement Model – use 5 and 6 to update, revise, improve all phases

3 Systems Engineering Process
1. Planning – requirements, resources, expectations 2. Trade-off analysis - Solution development Solution analysis Solution comparisons Solution selection 3. Development and implementation Realize selected solution 4. Verification Formal verification, validation, testing 5. Iteration Use feedback from each stage and from deployment to improve

4 Deming Cycle (PDCA) 1. Plan – 2. Do - 3. Check - 4. Act -
Objectives, processes 2. Do - Implement process 3. Check - Measure results vs. expected results 4. Act - Analyze differences, find causes, revise processes ISO , used with ISO for IT A.k.a. Shewhart Cycle (father of statistical quality control) Motorola “Six Sigma” Boyd's OODA Cycle (Observe, Orient, Decide, Act) - Military

5 Threats Potential source of harm Threat classes Knowledge Resources
Motive Threat classes Script kiddies/ankle biters Cracker Phone phreak Hacker – Black hat/white hat Organized crime Corporate crime Government group

6 Risk Level Risk level changes over time
Asset visibility Asset owner visibility Resource availability Access to assets Motivation changes Knowledge of vulnerabilities Requires continuous re-evaluation Must also consider consequences of breach

7 Identifying Assets 1. Hardware 2. Purchased software
Off-the shelf replacement cost/customization 2. Purchased software Cost/installation/customization 4. Developed software 5. Statutorily protected data Health/Financial/Academic/... 6. Organizational data Work products (designs/analyses/reports/...) Planning (marketing/engineering/financial/...) Contacts (customers/vendors/associates/etc.) 7. Activities Production/communication/...

8 Implementing Protection
Controls - Hardware Software Processes Costs - Up front cost to buy/develop/train/install/configure On-going operational costs – inconvenience/monitoring/reconfiguration Performance costs – CPU slowdown/human delay Cost vs. Effectiveness

9 Risk Assessment Identify Risks - Prioritize Risks - Identify assets
Identify threat agents Identify attacks Prioritize Risks - Estimate likelihood of attacks Estimate impact of attacks Calculate relative significance of attacks

10 Threat agents revisited
Outsiders Property thieves Vandals Identity thieves Botnet operators Con artists Competitors Insiders Embezzlers Housemates/coworkers Malicious acquaintances Maintenance crews Administrators “Natural” threats Hurricane/tornado/earthquake/hail/rain/flooding/terrorism/war/...

11 Security Properties/Goals
Confidentiality All disclosures only reveal information to authorized recipients in accordance with policy Integrity All changes are are performed by authorized entities, and are consistent with integrity policy Availability Assets available to authorized users when needed with performance required

12 Security Services Confidentiality Integrity Availability
Restrict access to information to authorized recipients in accordance with policy Integrity Only allow changes that are are performed by authorized entities, and are consistent with integrity policy Availability Ensure assets are available to authorized users when needed with performance required Authentication Establish that entity that sent message/made access is correctly identified Non-repudiation Ensure that an entity that performs action/makes statement cannot deny it later

13 Information Attacks Physical theft Denial of Service
Computing resource physically removed Denial of Service Use of computing resource is lost Subversion/Modification Asset modified to act on behalf of attacker (trojan horse) Authentic artifact modified to suit attacker Masquerade/spoofing Attacker takes on identity of another when accessing resources Disclosure Information revealed contrary to policy (passive attack) Forgery/Replay Attacker produces artifact that appears authentic Attacker repeats authentic message

14 NIST Recommendations 1. System Characterization
2. Threat Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Documentation

15 SEI OCTAVE Process Phase 1 – Build Asset-based Threat Profiles
Identify assets, threats, organizational risks Phase 2 – Identify Infrastructure Vulnerabilities Analyze infrastructure resources for vulnerabilities Phase 3 – Develop Security Strategy and Plans Recommend and implement controls

16 OCTAVE Allegro 1. Establish risk measurement criteria
2. Develop information asset profile 3. Identify information asset containers 4. Identify areas of concern 5. Identify threat scenarios 6. Identify risks 7. Analyze risks 8. Select mitigation approach

Download ppt "Risk Assessment Richard Newman"

Similar presentations

OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Information Security EDU 5815 1. IT Security Terms EDU 5815 2.

Information Security EDU IT Security Terms EDU
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Introduction to Network Defense

Introduction to Network Defense
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google