Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security as Risk Management

Published byOlivia Sims Modified over 6 years ago

Similar presentations

Presentation on theme: "Security as Risk Management"— Presentation transcript:

1 Security as Risk Management
If perfect security is not possible, what should be done? Manage Risk How to assess risk? Assess the asset Probability of successful attack Estimate losses Coping with risk Risk avoidance, compliance, mitigation, acceptance, transfer All Rights Reserved. 12/27/2018

2 Shift Focus to Risk Management
Perfect security is impossible – focus on managing risk. Need a systematic way to assess risk NIST has publications that describe a process for risk assessment NIST : Guide for Applying the Risk Management Framework to Federal Information Systems NIST : Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations All Rights Reserved. 12/27/2018

3 Computer Security Triad: Traditional Hexad: Parker 2002
Confidentiality Access Control Integrity Correctness and consistency Availability Constancy and timely access Hexad: Parker 2002 Possession or Control Leave credit card at a restaurant by mistake Authenticity Claim / assignment of authorship: signature on paper Utility Lost decryption key would reduce the usefulness of the data All Rights Reserved. 12/27/2018

4 Cyber Defense Stages Prevention Detection Location Isolation
Information Sharing Breach Reporting Restoration Firewall Detect Prevention Detection Location Isolation Breach reporting and notification Forensics Remediation Recovery All Rights Reserved. 12/27/2018

5 NIST Publication All Rights Reserved. 12/27/2018

6 NIST Framework Core Structure
Framework for Improving Critical Infrastructure Cybersecurity, V1.0, NIST, Feb 2014 All Rights Reserved. 12/27/2018

7 NIST All Rights Reserved. 12/27/2018

8 NIST (462 pages) All Rights Reserved. 12/27/2018

9 NIST All Rights Reserved. 12/27/2018

10 ENISA Threat Landscape 2014
All Rights Reserved. 12/27/2018

11 ENISA Threat Landscape 2014
All Rights Reserved. 12/27/2018

12 Mapping Attacks to Cyber Kill Chain
Stage Web based Attack Denial of Service Malicious Code: Worms, Trojans Phishing Insider Threat Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objectives ENISA Threat Landscape 2014 All Rights Reserved. 12/27/2018

13 Attack Steps: Get In, Stay In, Act
IPS, IDS, Firewall, DLP, ACL All Rights Reserved. 12/27/2018

14 Four Generations of Security
4th Generation Resilience Restoration Recovery 3rd Generation Intrusion Tolerance Survivability Situational Awareness Hardening of OS 2nd Generation Firewall IDS VPN DLP Perimeter Defense 1st Generation Trusted Computing Access Control List Cryptography All Rights Reserved. 12/27/2018

15 Next Gen DevOps Includes Security
DevOps facilitates experimentation and rapid changes SCIT reduces the exposure time of the active sprint Dev Ops SCIT Security Layer Controls Exposure Time of Each Sprint All Rights Reserved. 12/27/2018

16 SCIT Secures DevOps SCIT Constantly Restores Servers To Uncontaminated
State All Rights Reserved. 12/27/2018

Download ppt "Security as Risk Management"

Similar presentations

© Ravi Sandhu www.list.gmu.edu Introduction to Information Security Ravi Sandhu.

© Ravi Sandhu Introduction to Information Security Ravi Sandhu.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
E-Commerce Security and Fraud Issues and Protections

E-Commerce Security and Fraud Issues and Protections
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Computer Crime and Information Technology Security

Computer Crime and Information Technology Security
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.

1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.
Computer Science and Engineering 1 Cloud ComputingSecurity.

Computer Science and Engineering 1 Cloud ComputingSecurity.
Chapter 12 by Lisa Reeves Bertin Securing Information in a Network.

Chapter 12 by Lisa Reeves Bertin Securing Information in a Network.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

Similar presentations

Ads by Google