Risk Management. October 1998. What is RISK MANAGEMENT? The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.
Risk Management October 1998
What is RISK MANAGEMENT? • The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug.1997)
Course Objective • The student will be able to DETERMINE a risk index.
Introduction to Risk Management
[Risk Management Cycle diagram] Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks; the two phases labelled in the cycle are Risk Assessment and Risk Mitigation.
Balance of Risk Management
[Balance diagram] Risk Management sits between the two extremes: • Risk Ignorance • Risk Avoidance
RISK - The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
THREAT - Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition of Likelihood • LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.
Considerations in Assessing the Likelihood of Threat • Presence of threats • Tenacity of threats • Strengths of threats • Effectiveness of safeguards
Two Schools of Thought on Likelihood Calculation: • Assume • Don’t Assume
ATTACK • An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
VULNERABILITY - Weakness in an information system, cryptographic system, or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
CONSEQUENCE • A consequence is that which logically or naturally follows an action or condition.
RM/RA: RISK MANAGEMENT consists of RISK ASSESSMENT and RISK MITIGATION.
RISK ASSESSMENT - A process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Benefits of Risk Assessment • Increased awareness • Assets, vulnerabilities, and controls • Improved basis for decisions • Justification of expenditures
Risk Assessment Process • Identify assets • Determine vulnerabilities • Estimate likelihood of exploitation • Compute expected loss
Identify Assets • People, documentation, supplies
Properties of Value Analysis • Confidentiality • Integrity • Availability • Non-repudiation
Definition • Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition • Integrity: Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition • Availability: Timely, reliable access to data and information services for authorized users. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Definition • Non-repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
Determine Vulnerabilities • Open Communications Lines • Open Network
Risk Measure • RISK MEASURE is a description of the kinds and degrees of risk to which the organization or system is exposed.
Communicating Risk • To be useful, the measurement should reflect what is truly important to the organization.
Primary Risk Calculation Methodologies Quantitative & Qualitative
Qualitative Example: • “The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system so the likelihood of this event occurring is high.”
Examples of documented risk assessment systems • Aggregated Countermeasures Effectiveness (ACE) Model • Risk Assessment Tool • Information Security Risk Assessment Model (ISRAM) • Dollar-based OPSEC Risk Analysis (DORA) • Analysis of Networked Systems Security Risks (ANSSR) • Profiles • NSA ISSO INFOSEC Risk Assessment Tool
Formula for Risk mkt/40 = 9j*X dv + zqm/ {2a} bc = wxyz lm +op * dz = tgm\bvd 2b or n2b
Threat and Vulnerability Revisited • Threat: the capability or intention to exploit, or any circumstance or event with the potential to cause harm, such as a hacker. • Vulnerability: a weakness in a system that can be exploited.
Risk arises from Threat + Vulnerability.
Likelihood • The Likelihood of a successful attack is the probability that an adversary would succeed in carrying out an attack.
Factors influencing an attack • Level of threat • Vulnerabilities • Countermeasures applied
Determine Level of Threat • Criteria for evaluating the level of threat: • History • Capability • Intention or motivation
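The risk assessment process above (identify assets, determine vulnerabilities, estimate likelihood, compute expected loss) and the threat criteria on this slide (history, capability, intention or motivation), worked through as an added example that is not part of the deck or of NSTISSI 4009. The 1..5 ordinal scales, the likelihood formula, the qualitative bands and the sample assets are constructed assumptions for illustration; the output gives both a quantitative expected loss and a qualitative rating, as the two methodologies the deck contrasts.

```python
# Added example: a risk index built from the factors the slides name.
# The scales, formula and sample data are constructed assumptions.
from dataclasses import dataclass
from typing import List

SCALE = range(1, 6)  # constructed ordinal scale: 1 = lowest, 5 = highest


def _check(name: str, value: int) -> int:
    """Reject scores outside the 1..5 scale instead of silently computing nonsense."""
    if value not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {value}")
    return value


@dataclass
class Asset:
    name: str
    value: float        # loss if the asset is compromised, in dollars (constructed)
    vulnerability: int  # weakness of the system in this area, 1..5
    safeguards: int     # effectiveness of countermeasures applied, 1..5


def threat_level(history: int, capability: int, motivation: int) -> int:
    """Level of threat from the deck's three criteria, as the rounded mean (assumption)."""
    scores = [_check(n, v) for n, v in
              (("history", history), ("capability", capability), ("motivation", motivation))]
    return round(sum(scores) / len(scores))


def likelihood(threat: int, vulnerability: int, safeguards: int) -> float:
    """Probability estimate in [0, 1]: threat and vulnerability raise it, safeguards lower it."""
    raw = _check("threat", threat) * _check("vulnerability", vulnerability) / 25.0
    reduction = (_check("safeguards", safeguards) - 1) / 5.0  # safeguards=5 removes 80%
    return round(raw * (1.0 - reduction), 3)


def qualitative(p: float) -> str:
    """Qualitative rating of a likelihood, using constructed bands."""
    return "high" if p >= 0.5 else "medium" if p >= 0.25 else "low"


def expected_loss(asset: Asset, threat: int) -> float:
    """Quantitative expected loss = likelihood x asset value."""
    return likelihood(threat, asset.vulnerability, asset.safeguards) * asset.value


def risk_index(assets: List[Asset], threat: int) -> List[dict]:
    """Rank assets by expected loss; the ranked table is the risk index."""
    rows = []
    for a in assets:
        p = likelihood(threat, a.vulnerability, a.safeguards)
        rows.append({"asset": a.name, "likelihood": p, "rating": qualitative(p),
                     "expected_loss": expected_loss(a, threat)})
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


# Constructed sample: an adversary with a track record, strong capability and clear motivation.
THREAT = threat_level(history=4, capability=5, motivation=5)
SAMPLE_ASSETS = [Asset("customer database", 500_000.0, vulnerability=4, safeguards=2),
                 Asset("public web page", 50_000.0, vulnerability=4, safeguards=5)]
```

Running `risk_index(SAMPLE_ASSETS, THREAT)` shows the same vulnerability score producing a high-rated risk where safeguards are weak and a low-rated one where they are strong, which is the point of listing countermeasures among the factors.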