CHAPTER 6: PERFORMING A RISK ASSESSMENT

CHAPTER 6:PERFORMING A RISK ASSESSMENT IS 413D - Risk Analysis Management by Dr Sapiah

CHAPTER 6 TOPICS This chapter covers the following topics: What to consider when selecting a risk assessment methodology How to identify the management structure How to identify assets and activities How to identify and evaluate relevant threats How to identify and evaluate relevant vulnerabilities How to identify and evaluate countermeasures How to select a methodology based on the assessment needs How to develop mitigating recommendations IS 413D - Risk Analysis Management by DrSapiah

LEARNING OUTCOMES When you complete this chapter, you will be able to: • Select an appropriate risk assessment methodology • Define the operational characteristics and mission of the system to be assessed • State the importance of reviewing previous findings and status • Describe the relevance of a management structure to a risk assessment • Identify the types of assets to include in a risk assessment • List steps to identify and evaluate threats • List actions to identify and evaluate vulnerabilities • List actions to identify and evaluate countermeasures • Describe the difference between in-place and planned countermeasures • Describe the process used to assess threats, vulnerabilities, and exploits • Describe the process used to develop mitigation recommendations • Describe the results of a risk assessment • List best practices for performing risk assessments IS 413D - Risk Analysis Management by Dr Sapiah

SELECTING A RISK ASSESSMENT METHODOLOGY In general, a risk assessment involves the following steps: Identify the management structure Identify assets and activities to address. Identify and evaluate relevant threats. Identify and evaluate relevant vulnerabilities. Identify and evaluate relevant countermeasures. Assess threats, vulnerabilities, and exploits. Evaluate risks. Develop recommendations to mitigate risks. Present recommendations to management. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING THE MANAGEMENT STRUCTURE An organization may have the following sections for IT management: Network infrastructure—This section is responsible for all the routers and switches in the network. It may include all the firewalls. User And Computer Management—This section performs the day-to-day management of the network and accounts. It may also include basic security measures. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING THE MANAGEMENT STRUCTURE E-mail servers—Some larger organizations have 10 or more e-mail servers to manage e-mail. Trained personnel are dedicated to primarily managing these servers and also manage spam filtering and malicious attachments. Web servers—An organization can have dozens of Web servers configured in one or more Web farms. A Web farm can generate a significant amount of revenue and have dedicated personnel to manage it. Database servers—Many organizations have a large amount of data stored in databases. Large databases are stored on dedicated servers. Configuration and change management—This section oversees configuration and changes to either all servers or all systems. The team may be responsible for building new servers and also coordinate and document all change requests. IS 413D - Risk Analysis Management by DrSapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Asset valuation is the process of determining the fair market value of an asset. This is one of the first priorities of risk management. You can determine the value from the replacement value of the asset. You can determine the value based on either what the asset provides to the organization, or the cost to recover the asset. It’s also possible to determine the value using a combination of both values. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES When considering the value of an asset, you can look at it from different perspectives: • Replacement value—This is the cost to purchase a new asset in its place. For example, if a laptop fails or is stolen, the price to purchase a new laptop with similar hardware and software may be $1,500. • Recovery value—This is the cost to get the asset operational after a failure. For example, if the hard drive on a server fails, you wouldn’t replace the entire server. Instead, you’d replace the hard drive and take steps to recover the system. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES There are several elements to consider when determining the value of different assets. These include: System access and system availability System functions Hardware assets Software assets Personnel assets Data and information assets Facilities and supplies IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES System Access and System Availability Access and availability refers to how and when the asset needs to be available. Some assets need to be available 24 hours a day, 7 days a week. Other assets only need to be available Monday through Friday during business hours. The more available the asset needs to be, the more risks you have related to outages. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES System Functions If a system provides a service, you should consider the functions of the system when determining the asset’s value. Of particular importance is how the functions are performed: manually or through automation. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Hardware Assets Hardware assets are any assets that you can physically touch. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls. IS 413D - Risk Analysis Management by DrSapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Software Assets Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate. This could be a Microsoft operating system such as Windows 7 or Windows Server 2008. Applications allow you to perform tasks. For example, Microsoft Word is an application that allows you to create and edit documents. IS 413D - Risk Analysis Management by DrSapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Personnel Assets Personnel assets are also very important to value. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate. There are specific things an organization can do to retain valued personnel. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Data and Information Assets Public data—This data is freely available to anyone. It may be available via public sources such as news releases or other publications. Private data—This is internal data. It includes data on employees and customers. Due to its delicate nature, personal data should be protected. Proprietary data—This is highly valuable data. It deserves a lot of protection. If this data is lost, it could seriously affect the company’s profitability. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING ASSETS & ACTIVITIES WITHIN RISK ASSESSMENT BOUNDARIES Facilities and Supplies The facilities and supplies are needed to run your business. You’ll need this information when calculating your insurance needs. Insurance is one of those items you always want to have but never want to use. It provides a layer of protection if you suffer a loss. However, the loss is rarely painless. Even if the insurance company covers the loss, the process is difficult. IS 413D - Risk Analysis Management by DrSapiah

IDENTIFYING & EVALUATING RELEVANT THREATS A threat is any potential danger. The danger can be to the data, the hardware, or the systems. A threat assessment is the process of identifying threats. Figure 6-4. This shows the relationship between threats, attacks, vulnerabilities, and loss. A threat creates an attack. The attack exploits a vulnerability. When the threat/vulnerability pair occurs, it results in a loss. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT THREATS You can use one of two primary methods to identify threats. They are: Review historical data Modeling IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT THREATS Reviewing Historical Data When reviewing historical data, you can look for the following events: Attacks—If your Web site was attacked before, it’s likely to be attacked again. Natural events—If hurricanes have hit your location before, they likely will do so in the future. Accidents—Accidents can be any accidental event that affects confidentiality, integrity, or availability. Equipment failures—Equipment failures result in outages. Some systems are more prone to failure than others. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT THREATS Modeling Threat modeling is a process used to identify possible threats on a system. This model provides information on: The system—This includes background information on the system. Threat profile—This is a list of threats. It identifies what the attacker may try to do to the system, including possible goals of the attack. Threat analysis—Threat analysis includes review existing controls to determine their effectiveness against the threatand prioritize them. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Two things relates to vulnerabilities: All systems have vulnerabilities—You can’t eliminate all vulnerabilities any more than you can eliminate all risks. Your goal is to identify the relevant vulnerabilities. Not all vulnerabilities result in a loss—It’s only when the threat and vulnerability come together as a threat/vulnerability pair that a loss occurs. The two primary assessments are: Vulnerability assessments Exploit assessments IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Vulnerability Assessments A vulnerability assessment is a process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant. Vulnerability assessments can be performed internally or externally. An internal assessment attempts to discover weaknesses from within the network. An external assessment attempts to discover what attackers outside the company may see. The assessment often starts by gathering information. Vulnerability scanners perform network reconnaissance. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Vulnerability Assessment may have multiple goals, such as: Identify IP addresses—Ping scanner tools identify which IP addresses are in use. If the system responds to a ping, you know it is operational with this IP address. Identify names—You can use “who is” tools to identify the name of a computer from the IP address. This works for computers on the Internet. Identify operating systems—A fingerprinting tool can tell you what operating system is running on an IP address. The tool sends traffic to and receives traffic from the system. It then analyzes the traffic to determine which operating system is running. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Identify open ports—A port scan identifies open ports. This tells you which protocols are running and what services are running. For example, if port 80 is open, the Hypertext Transfer Protocol (HTTP) protocol is running on the system. This indicates it is a Web server. Identify weak passwords—A password cracker determines the password for one or more accounts. The success of the password cracker largely depends on the strength of the password. In other words, a password cracker can discover weak passwords. Capture data—Data transferred over the network can be captured and analyzed. You can then read any data that has been transferred in clear text, or unencrypted. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Some of the commonly used vulnerability assessments tools are: Nmap—Nmapis a network mapping tool. It combines a ping scanner to discover IP addresses with a port scanner to determine open ports. Nessus—Nessus is a commercial product that provides a full suite of additional tools. It can detect common vulnerabilities in the configuration of a system. SATAN—SATAN is an acronym for Security Administrator Tool for Analyzing Networks. It was very popular in the 1990s SAINT—SAINT is an acronym for System Administrator’s Integrated Network Tool. It is a full suite of vulnerability tools. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING RELEVANT VULNERABILITIES Exploit Assessments An exploit assessment attempts to discover what vulnerabilities an attacker can exploit. Exploit assessments are also referred to as “penetration tests.” You usually start an exploit assessment with a vulnerability assessment. After you discover weaknesses, you attempt the exploit. There is a significant difference between the exploit assessment and the vulnerability assessment. Specifically, an exploit assessment is intrusive. The goal is to test the exploit. If the exploit assessment is successful, it can disrupt operations. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES A countermeasure is a security control or a safeguard. You implement a countermeasure to reduce a risk. You can reduce a risk by reducing vulnerabilities or by reducing the impact of the threat. When identifying and evaluating the countermeasures, you should consider: In-place controls—These are controls that are currently installed in the operational system. Planned controls—These are controls that have a specified implementation date. Control categories—Controls fall into three primary categories: administrative controls, technical controls, and physical controls. When reviewing all of the controls, you should consider the purpose. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES In-Place Countermeasures If the control is in place, you can measure its effectiveness. Ideally, countermeasures are as effective as you expect them to be. Planned Countermeasures You can evaluate the current systems to ensure the original threats and vulnerabilities still exist. Additional tools or techniques may also exist that will allow you to enhance the original recommendations. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES Control Categories There are several ways that controls are organized or classified. One of the popular methods is to define them based on these three categories: Administrative security controls Technical security controls Physical security controls IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES Administrative Security Controls Administrative security controls are the controls in place in response to the rules and guidelines directed by upper-level management. These include several specific controls. However, one important point about administrative controls is that they are implemented with a written document. Some examples of administrative controls are: Policies and procedures. Security plans. Insurance. Personnel checks. Awareness and training. Rules of behavior IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES Technical Security Control A technical security control uses computers or software to protect systems. The benefit is that the control is automated. You can set it once and it will consistently enforce the control. Some examples of technical controls are: Login identifier—Users are required to provide credentials before you grant access to the system. This is also referred to as authentication. Three primary factors of authentication exist: Something you know, such as a user name and password Something you have, such as a smart card Something you are, as captured by biometrics Session timeout—Many systems automatically time out after a period of inactivity. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES Technical Security Control System logs—System logs log activity performed by systems, users, or attackers. Audit trails—You can use many types of audit logs to create an audit trail. A security log can log all access to specific files. Input validation—Applications can use data range and reasonableness checks to validate data before using it. Firewalls—Network firewalls can control traffic coming in and out of a network. Host-based firewalls can restrict traffic for individual systems. Encryption—You can encrypt data when it is stored on a drive or when it is transmitted over a network. This provides confidentiality of the data. IS 413D - Risk Analysis Management by Dr Sapiah

IDENTIFYING & EVALUATING COUNTERMEASURES Physical Security Controls Locked Doors—You can lock server rooms to protect your servers. You can lock wiring closets that host routers and switches. Guards and Access Logs—You can have guards control access to sensitive areas. You can use an access log to list individuals who are authorized access. Video Cameras—Cameras can monitor areas on a continuous basis. Many closed circuit television (CCTV) systems can record data from multiple cameras. Fire Detection And Suppression—A fire can destroy a significant amount of data and hardware in a very short period. Water Detection—Some areas are prone to flooding. When water is detected, pumps can be turned on automatically to remove the water. IS 413D - Risk Analysis Management by Dr Sapiah

SELECTING METHODOLOGY BASED ON ASSESSMENT NEEDS Once you have identified and evaluated the elements individually, you need to calculate the associated risk. Chapter 5 explored the two primary methodologies that you can use. These are: Quantitative Qualitative IS 413D - Risk Analysis Management by Dr Sapiah

SELECTING METHODOLOGY BASED ON ASSESSMENT NEEDS Quantitative The quantitative method uses predefined formulas. You need to use the data you collected to identify the following values: Single loss expectancy (SLE)—This is the expected loss for any single incident. You express this in monetary terms, such as $1,000. Annual rate of occurrence (ARO)—This is the number of times you expect the loss to occur each year. For example, the risk may have occurred four times last year, so the ARO is four. Annual loss expectancy (ALE)—You can calculate ALE as SLE x ARO. For example, it could be $1,000 x 4 or $4,000. Safeguard or control value—This is the cost of the countermeasure or the control. You express this in monetary terms. IS 413D - Risk Analysis Management by Dr Sapiah

SELECTING METHODOLOGY BASED ON ASSESSMENT NEEDS Qualitative A qualitative methodology uses the opinions of experts to determine two primary data points: Probability—This is the likelihood that the risk will occur. You can express it in words, such as Low, Medium, or High. You can also express it in a percentage, such as 10 percent, 50 percent, or 100 percent. Impact—This identifies the magnitude of the loss if the risk occurs. You can express it in words, such as Low, Medium, or High. You can also express it as a number in a range, such as 1 to 10 or 1 to 100. The probability and impact allows you to rank the risks. IS 413D - Risk Analysis Management by Dr Sapiah

DEVELOPING MITIGATING RECOMMENDATIONS Develop Mitigating Recommendations After performing the analysis, you can provide specific recommendations. These recommendations should mitigate the risks. You can include the data you’ve collected to support the recommendations. Supporting data may include: Threat/vulnerability pairs Estimate of cost and time to implement Estimate of operational impact Cost-benefit analysis IS 413D - Risk Analysis Management by Dr Sapiah

DEVELOPING MITIGATING RECOMMENDATIONS Threat/Vulnerability Pairs The recommended controls should address specific risks. As a reminder, a risk occurs when a threat exploits a vulnerability. If a threat doesn’t exist to exploit a vulnerability, a risk doesn’t exist. Similarly, if a vulnerability doesn’t exist that a threat can exploit, a risk doesn’t exist. IS 413D - Risk Analysis Management by Dr Sapiah

DEVELOPING MITIGATING RECOMMENDATIONS Estimate of Cost and Time to Implement You should include the cost of the control in the recommendation. This will be included in the cost- benefit analysis. It’s important to accurately identify this cost by including both direct and indirect costs. The direct cost is the purchase of the control. The indirect costs could include the man hours needed to learn the control. They could also include the cost of training. A common mistake is underestimating the costs needed to implement a control. IS 413D - Risk Analysis Management by Dr Sapiah

DEVELOPING MITIGATING RECOMMENDATIONS Estimate of Operational Impact Countermeasures can sometimes consume so many system resources that the system is unable to perform its primary job. You can identify the operational impact of a control as negligible, low, medium, high, or overwhelming. Ideally, a control will have very little impact on normal operations. If the impact is too high, you may not be able to use the control. IS 413D - Risk Analysis Management by Dr Sapiah

PRESENT RISK ASSESSMENT RESULTS After you complete the RA, you create a report documenting the results. This report should include two phases. In the first phase, you present the recommendations to management. As a reminder, management decides which recommendations to implement. It’s possible that management won’t approve every recommendation. Management may determine that the Cost-Benefit-Analysis for a recommendation doesn’t justify the cost. IS 413D - Risk Analysis Management by Dr Sapiah

PRESENT RISK ASSESSMENT RESULTS For another recommendation, they may decide they want to accept the risk. Any risk that remains after controls are implemented is a residual risk. Because management decides which controls to implement, management is also responsible for the residual risks. In the second phase, you document the decisions made by management. You then create a plan of actions and milestones (POAM). You can use the POAM to track and monitor the controls. The POAM helps ensure the controls are implemented. It also helps track the actual costs. IS 413D - Risk Analysis Management by Dr Sapiah

CHAPTER 6: PERFORMING A RISK ASSESSMENT