
Risk Management and Auditing

FORESEC Academy Security Essentials (III). Risk Management and Auditing. Risk Management - Where do I Start? Write the security policy (with business input). Analyze risks, or identify industry practice for due care; analyze vulnerabilities.


Presentation Transcript


  1. FORESEC Academy Security Essentials (III) - Risk Management and Auditing

  2. Risk Management - Where do I Start? • Write the security policy (with business input) • Analyze risks, or identify industry practice for due care; analyze vulnerabilities

  3. Risk Management - Where do I Start? (cont'd) • Set up a security infrastructure • Design controls, write standards for each technology • Decide what resources are available, prioritize countermeasures, and implement the top-priority countermeasures you can afford • Conduct periodic reviews and possibly tests • Implement intrusion detection and incident response

  4. Define Risk • Risk = Vulnerability x Threat • Vulnerability is a weakness in a system that can be exploited • Threat is any event that can cause an undesirable outcome

  5. The Three Risk Choices • Accept the risk as is • Mitigate or reduce the risk • Transfer the risk (insurance model)

  6. Risk Management Questions • What could happen? (what is the threat) • If it happened, how bad could it be? (impact of threat) • How often could it happen? (frequency of threat - annualized) • How reliable are the answers to the above three questions? (recognition of uncertainty)

  7. Risk Requires Uncertainty If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn't risky; it is suicide. For such an action, there is a close to 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive. Probability ranges between 0.0 and 1.0 though people often express it as a percent.

  8. SLE vs ALE • SLE - Single Loss Expectancy The loss from a single event • ALE - Annualized Loss Expectancy Annual expected loss based on a threat

  9. Single Loss Expectancy (SLE - one shot) • Asset value x exposure factor = SLE • Exposure factor: 0 - 100% of the asset lost in one event • Example: nuclear bomb/small town ($90M x 100% = $90M)

  10. Annualized Loss Expectancy (ALE - multi-hits) • SLE x Annualized Rate of Occurrence (ARO) = Annual Loss Expectancy (ALE) • ARO is the frequency, per year, at which the threat is expected to occur • Example, web surfing on the job - SLE: 1000 employees, 25% waste an hour per week surfing, so 250 hours x $50/hr = $12,500 per week - ALE: they do it every week except when on vacation, so 50 weeks: $12,500 x 50 = $625,000

  11. Quantitative vs. Qualitative • Qualitative is easier to calculate but its results are more subjective • Qualitative is much easier to accomplish • Qualitative succeeds at identifying high risk areas • Quantitative is far more valuable as a business decision tool since it works in metrics, usually dollars

  12. Qualitative - Another Risk Assessment Approach • Banded values: High, medium, low • Asset value and safeguard cost can be tied to monetary value, but not the rest of the model • Very commonly used
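The SLE and ALE formulas of slides 8 to 10 and the High/Medium/Low banding of slide 12, worked through in code. This is an added example and not part of the FORESEC deck: the SLE/ALE arithmetic and the web-surfing and bomb figures come from the slides; the safeguard cost-benefit rule (ALE before minus ALE after minus the annual cost of the control), the three candidate controls with their invented costs and residual losses, and the dollar thresholds for the bands are assumptions, used only to show what "prioritize countermeasures you can afford" from slide 3 looks like once the numbers exist.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Slide 9: SLE = asset value x exposure factor (exposure factor as 0.0..1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Slide 10: ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the loss that remains once it is in place.

    Assumption for this example: each control is described by its yearly cost
    plus the SLE and ARO that remain after it is deployed.
    """
    name: str
    annual_cost: float
    residual_sle: float
    residual_aro: float


def safeguard_value(ale_before: float, safeguard: Safeguard) -> float:
    """Net annual value of a control: ALE before - ALE after - annual cost.

    Standard cost-benefit rule (assumed here); the slides only say to
    prioritize what you can afford.
    """
    ale_after = annualized_loss_expectancy(safeguard.residual_sle, safeguard.residual_aro)
    return ale_before - ale_after - safeguard.annual_cost


def prioritize(ale_before: float, safeguards: list, budget: float) -> list:
    """Rank controls by net value and pick, in that order, those that fit the budget.

    Controls whose net value is zero or negative are never chosen: they cost
    more per year than the loss they prevent, so accepting the risk is cheaper.
    """
    ranked = sorted(safeguards, key=lambda s: safeguard_value(ale_before, s), reverse=True)
    chosen, spent = [], 0.0
    for s in ranked:
        if safeguard_value(ale_before, s) <= 0:
            break                       # everything after this is worth even less
        if spent + s.annual_cost > budget:
            continue                    # cannot afford it; try the next best
        chosen.append(s.name)
        spent += s.annual_cost
    return chosen


def qualitative_band(ale: float, high: float = 100_000, medium: float = 10_000) -> str:
    """Slide 12: collapse a dollar ALE onto High/Medium/Low bands (thresholds assumed)."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


# Slide 9: a nuclear bomb on a small town destroys the whole $90M asset.
BOMB_SLE = single_loss_expectancy(90_000_000, 1.0)                   # 90,000,000

# Slide 10: 1000 employees, 25% waste one hour per week at $50/hr, 50 working weeks.
SURFING_SLE = single_loss_expectancy(1000 * 0.25 * 1 * 50.0, 1.0)    # 12,500 per week
SURFING_ALE = annualized_loss_expectancy(SURFING_SLE, 50)            # 625,000 per year

# Assumed candidate controls against the surfing loss (figures invented for the example).
SAFEGUARDS = [
    Safeguard("web filter", annual_cost=20_000, residual_sle=2_500, residual_aro=50),
    Safeguard("acceptable-use policy", annual_cost=5_000, residual_sle=10_000, residual_aro=50),
    Safeguard("full-time monitoring team", annual_cost=700_000, residual_sle=0, residual_aro=0),
]

if __name__ == "__main__":
    print(f"Bomb SLE: ${BOMB_SLE:,.0f}")
    print(f"Surfing SLE: ${SURFING_SLE:,.0f}/week, ALE: ${SURFING_ALE:,.0f}/year "
          f"({qualitative_band(SURFING_ALE)} risk)")
    for s in SAFEGUARDS:
        print(f"{s.name:28s} net annual value ${safeguard_value(SURFING_ALE, s):>12,.0f}")
    print("Buy with $22,000/yr:", prioritize(SURFING_ALE, SAFEGUARDS, budget=22_000))
    print("Buy with $30,000/yr:", prioritize(SURFING_ALE, SAFEGUARDS, budget=30_000))
```

The monitoring team drops the ALE to zero yet is never selected, because its net value is negative: that is the "accept the risk as is" choice of slide 5 falling out of the arithmetic rather than being argued qualitatively.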

  13. Best Practice Risk Assessment • System administration is a high-turnover job in large organizations, which affects continuity • System administrators tend to be focused on keeping the trains running on time • Security configuration may not be understood or implemented

  14. Best Practice • No single organization or person is likely to produce best practice • Consensus of many organizations and stringent review • Examples: - Center for Internet Security

  15. Foresec Securing 2000 SBS 3.1.2.3.1 Additional Restrictions for Anonymous Connections. The default choice for this setting is "None. Rely on default permissions." The other choices are "No Access Without Explicit Anonymous Permissions" and "Do Not Allow Enumeration of SAM Accounts and Shares." Select "No Access Without Explicit Anonymous Permissions."

  16. Windows 2000 Checklist • Checklist approach designed for two persons (check and double check) to configure a Windows 2000 system to at least minimal acceptable security.
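A checker for the slide 15 setting, in the spirit of the check-and-double-check checklist of slide 16. This is an added example, not code from the deck or from the Foresec Securing 2000 guide. It reads the [Registry Values] section of a secedit-style security template, maps the RestrictAnonymous value to the three choices the slide names (stored as REG_DWORD 0, 1 and 2 on Windows 2000, with 0 behaving as the "None" default when the value is absent), reports whether the checklist requirement is met, and emits a corrected template. The sample template text is constructed for the example and the function names are mine.

```python
# Slide 15 names the three choices; on Windows 2000 they are REG_DWORD values 0, 1 and 2
# of HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous, and an unset value
# behaves as 0 (the "None" default the slide mentions).
RESTRICT_ANONYMOUS_CHOICES = {
    0: "None. Rely on default permissions",
    1: "Do not allow enumeration of SAM accounts and shares",
    2: "No access without explicit anonymous permissions",
}
REQUIRED_VALUE = 2     # what the slide tells you to select
REG_DWORD = 4          # type code used for DWORDs in secedit .inf templates
KEY = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

# Constructed sample of a template's [Registry Values] section (not a real export).
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
"""


def parse_registry_values(template_text: str) -> dict:
    """Return {key (lowercased): (type_code, data)} from the [Registry Values] section."""
    values, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[registry values]"
            continue
        if in_section and "=" in line:
            key, _, data = line.partition("=")
            type_code, _, reg_data = data.partition(",")
            values[key.strip().lower()] = (int(type_code), reg_data.strip())
    return values


def check_restrict_anonymous(template_text: str) -> tuple:
    """Return (effective_value, compliant, description) for the slide 15 setting."""
    entry = parse_registry_values(template_text).get(KEY.lower())
    if entry is None:
        value = 0                                     # not set: Windows 2000 default applies
    else:
        type_code, data = entry
        if type_code != REG_DWORD or not data.isdigit():
            raise ValueError(f"RestrictAnonymous has unexpected type or data: {entry}")
        value = int(data)
    description = RESTRICT_ANONYMOUS_CHOICES.get(value, f"unknown value {value}")
    return value, value == REQUIRED_VALUE, description


def harden_template(template_text: str) -> str:
    """Return the template with RestrictAnonymous forced to the required value.

    An existing line is rewritten in place; a missing one is added directly under
    the [Registry Values] header (creating the section if the template lacks it).
    """
    wanted = f"{KEY}={REG_DWORD},{REQUIRED_VALUE}"
    out, replaced = [], False
    for raw in template_text.splitlines():
        key = raw.strip().partition("=")[0].strip().lower()
        if key == KEY.lower():
            out.append(wanted)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        header = next((i for i, l in enumerate(out)
                       if l.strip().lower() == "[registry values]"), None)
        if header is None:
            out.extend(["[Registry Values]", wanted])
        else:
            out.insert(header + 1, wanted)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    value, ok, desc = check_restrict_anonymous(SAMPLE_TEMPLATE)
    print(f"before: RestrictAnonymous={value} ({desc}) compliant={ok}")
    fixed = harden_template(SAMPLE_TEMPLATE)
    value, ok, desc = check_restrict_anonymous(fixed)
    print(f"after:  RestrictAnonymous={value} ({desc}) compliant={ok}")
    print(fixed)
```

The "not set" case is treated as a failure rather than an error on purpose: a template that is silent about RestrictAnonymous leaves the insecure default in force, which is exactly the omission a second reviewer is supposed to catch.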

  17. Business Case for Risk Management • In order to present the business case, we need to convey the "Big Picture" • We are now familiar with these core technologies and how they play together: - Host and Network-based Intrusion Detection - Vulnerability Scanners and Honeypots - Firewalls

  18. Business Case - Applications • Organization has no intrusion detection and you are presenting the case for standing up a capability • Organization has rudimentary capability and you want to upgrade • Organization has central monitoring and you are presenting the case for a departmental capability

  19. Business Case - Applications (2) • Many managers are uncomfortable when confronted with actual data about attacks and vulnerabilities. • You can often use any existing source of data (firewall logs, system logs) to win additional intrusion detection funding by showing them a "smoking gun".

  20. Threat Vectors • Outsider attack from network • Outsider attack from telephone • Insider attack from local network • Insider attack from local system • Attack from malicious code

  21. Outsider Attack - Internet • Newspaper and web articles on attacks at other places (if it happened to them, it can happen to you) • Hacking web sites: www.antionline.com • Firewall/Intrusion Detection logs are an excellent source for specific threats • System audit trail logs are as well • Demo an intrusion detection system
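Slide 19 suggests mining the firewall logs you already have for a "smoking gun", and slide 21 lists firewall and intrusion detection logs as the best source of specific outsider threats. The following is an added example, not from the deck: it parses a small constructed set of deny-log lines (a generic line format invented for this example using documentation IP ranges, not any vendor's syntax), sorts each source into the outsider/insider vectors of slide 20 using an assumed internal address range, and flags sources that sweep many ports or hammer one service. The thresholds and function names are mine.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Generic line format constructed for this example (not a vendor's syntax):
#   <date> <time> <DENY|ALLOW> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed internal address space, used to sort hits into slide 20's outsider/insider vectors.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample log: one external host sweeping ports, another repeatedly probing
# telnet, one allowed internal connection, one internal SNMP probe, one unparseable line.
SAMPLE_LOG = """\
2001-03-04 02:13:55 DENY TCP 198.51.100.7:3301 -> 192.0.2.10:21
2001-03-04 02:13:55 DENY TCP 198.51.100.7:3302 -> 192.0.2.10:23
2001-03-04 02:13:56 DENY TCP 198.51.100.7:3303 -> 192.0.2.10:25
2001-03-04 02:13:56 DENY TCP 198.51.100.7:3304 -> 192.0.2.10:80
2001-03-04 02:13:57 DENY TCP 198.51.100.7:3305 -> 192.0.2.10:110
2001-03-04 02:13:57 DENY TCP 198.51.100.7:3306 -> 192.0.2.10:139
2001-03-04 02:13:58 DENY TCP 198.51.100.7:3307 -> 192.0.2.10:1433
2001-03-04 03:40:01 DENY TCP 203.0.113.5:1025 -> 192.0.2.10:23
2001-03-04 03:41:12 DENY TCP 203.0.113.5:1026 -> 192.0.2.10:23
2001-03-04 03:42:30 DENY TCP 203.0.113.5:1027 -> 192.0.2.10:23
2001-03-04 04:00:00 ALLOW TCP 192.0.2.55:40001 -> 192.0.2.10:80
2001-03-04 04:05:13 DENY UDP 192.0.2.77:514 -> 192.0.2.10:161
this line was truncated by the log rotation and does not parse
"""


def parse_log(lines):
    """Yield one dict per line that matches the format; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def threat_vector(src: str) -> str:
    """Slide 20: outsider attack from the network vs. insider attack from the local network."""
    addr = ip_address(src)
    return "insider" if any(addr in net for net in INTERNAL_NETS) else "outsider"


def summarize(lines, sweep_ports: int = 5, repeat_hits: int = 3) -> dict:
    """Aggregate denied connections per source and flag sweeps and repeated probes.

    sweep_ports: distinct destination ports from one source that count as a port sweep.
    repeat_hits: hits on a single port from one source that count as repeated probing.
    (Both thresholds are assumptions for this example.)
    """
    denied = [e for e in parse_log(lines) if e["action"] == "DENY"]
    per_src = defaultdict(Counter)
    for e in denied:
        per_src[e["src"]][int(e["dport"])] += 1
    sources = {}
    for src, ports in per_src.items():
        findings = []
        if len(ports) >= sweep_ports:
            findings.append("port sweep")
        for port, n in sorted(ports.items()):
            if n >= repeat_hits:
                findings.append(f"repeated probes on port {port}")
        sources[src] = {"vector": threat_vector(src), "hits": sum(ports.values()),
                        "ports": sorted(ports), "findings": findings}
    return {"total_denied": len(denied), "sources": sources}


def top_sources(report: dict, n: int = 3) -> list:
    """Source addresses ordered by number of denied connections, most active first."""
    return sorted(report["sources"], key=lambda s: report["sources"][s]["hits"], reverse=True)[:n]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"{report['total_denied']} denied connections")
    for src in top_sources(report):
        info = report["sources"][src]
        print(f"{src:15s} {info['vector']:8s} hits={info['hits']:<3d} "
              f"ports={info['ports']} {', '.join(info['findings']) or '-'}")
```

Run against a real firewall's export, the only thing that should need changing is LOG_RE and INTERNAL_NETS; the per-source table is the "smoking gun" slide 19 has in mind, and the vector column is what turns it into the outsider versus insider argument of slide 20.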
