Risk Management. Chao-Hsien Chu, Ph.D., College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802, chu@ist.psu.edu. IST 515 (Theory, Practice, Learning by Doing).
Objectives This module will familiarize you with the following: • The basic terminology used in risk management • The role and importance of risk management practices. • The identification of asset, threat, and vulnerability. • Risk assessment methodologies. • Risk assessment process. • Risk management principles. • Controls to identify, rate, and reduce the risk to specific information assets.
Readings • Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required). • Stoneburner, G., Goguen, A. and Feringa, A., “Risk Management Guide for Information Technology Systems,” NIST SP 800-30, July 2002. (Required) • Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J., “Guide for Mapping Types of Information and Information Systems to Security Categories,” NIST SP 800-60, August 2008. • Wikipedia, “Failure Mode and Effects Analysis,” http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis • Marquis, H., “Ten Steps to Do It Yourself CRAMM,” 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm
Readings - Examples • Tan, D., “Quantitative Risk Analysis Step-By-Step,” SANS Institute, 2002. • R. Marchany, “Conducting a Risk Analysis,” in Mark Luker and Rodney Petersen (Eds), Computer and Network Security in Higher Education, Chapter 3, EDUCAUSE. (STAR Project). • H. P. In, Y.-G. Kim, T. Lee, C.-J. Moon, Y. J., and I. Kim, "A Security Risk Analysis Model for Information Systems," D.-K. Baik (Ed.): AsiaSim 2004, LNAI 3398, Springer, pp. 505-513, 2005. (Quantitative Method)
Essential Terminologies Vulnerability: • A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy. Threat: • The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Threat-Source: • Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability. (All three definitions follow NIST SP 800-30.)
Risk Assessment and Risk Management (diagram after NIST SP 800-12): assets (data, facilities, hardware, software) are exposed to threats that exercise vulnerabilities, producing risk; safeguards reduce that risk. Risk assessment identifies the asset, threat and vulnerability; risk management responds with one of: • Risk avoidance. • Risk transfer. • Risk mitigation. • Risk acceptance.
Essential Terminologies Risk: • The possibility of loss (American Heritage Dictionary). • The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (NIST SP 800-30). • A function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization. Risk Management: • The technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures (Random House Dictionary). • Reduces risks by defining and controlling threats and vulnerabilities ((ISC)2). • The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30).
Examples of Critical Assets • People and skills • Goodwill • Intellectual Property • Hardware/Software • Data • Documentation • Supplies • Physical plant • Money (Diagram: assets range from logical to physical, and each carries an asset value.)
Common Computer Threats • Errors and omissions. • Fraud and theft. • Employee sabotage. • Loss of physical and infrastructure support. • Malicious hackers. • Industrial espionage. • Malicious code. • Threats to personal privacy. • Insider threats.
Common Threat Sources • Natural Threats. Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events. • Human Threats. Malicious outsider or insider, terrorist, spy, political or other deliberate human intervention. • Environmental Threats. Long-term power failure, pollution, chemicals, liquid leakage. • Technical Threats. Hardware/software failure, malicious code, unauthorized use. • Physical Threats. Closed-circuit TV failure, perimeter defense failure. • Operational Threats. Failure of an automated or manual process.
Vulnerabilities • A flaw or weakness in a system that can be exploited to violate the system’s security policy, found in: • Security procedures • Design • Implementation • Threats trigger vulnerabilities either: • Accidentally • Maliciously
Vulnerability Sources • Previous risk assessment documents for the IT system being assessed. • Audit reports, system anomaly reports, security review reports, and system test and evaluation reports. • Vulnerability lists such as the NIST I-CAT vulnerability database (http://icat.nist.gov; since superseded by the National Vulnerability Database, https://nvd.nist.gov). • Security advisories. • Vendor advisories. • Commercial computer incident/emergency response teams and their mailing lists (e.g., SecurityFocus.com). • Information Assurance Vulnerability Alerts and bulletins for military systems. • System software security analyses.
Types of Risk Analysis • Quantitative: • Assigns real numbers to the costs of safeguards and of damage • Annualized Loss Expectancy (ALE) • Probability of an event occurring • Can be unreliable/inaccurate when the input estimates are poor • Qualitative: • Judges an organization’s exposure to threats • Based on judgment, intuition, and experience • Ranks the seriousness of the threats against the sensitivity of the assets • Subjective; lacks hard numbers to justify return on investment
Process of Quantitative Analysis • Seek initial management approval. • Establish a risk assessment team. • Review information currently available within the organization. • Estimate the loss – SLE (Single Loss Expectancy): SLE = asset value (in $) × exposure factor (the fraction of the asset’s value lost in one successful threat exploit, as %) • Estimate the Annualized Rate of Occurrence (ARO): how often a threat is expected to succeed in exploiting a vulnerability over one year (the likelihood of exploitation; may be a fraction such as 0.1 for once in ten years) • Calculate the Annualized Loss Expectancy (ALE): ALE = ARO × SLE
Example of Quantitative Analysis • Risk = Risk-impact × Risk-probability • Loss of a car: the risk-impact is the cost to replace the car, e.g. $10,000 • Probability of losing the car in a year: 0.10 • Risk = 10,000 × 0.10 = 1,000 per year • Generally measured per year, which makes this the Annualized Loss Expectancy (ALE)
Logic of Risk Analysis • RISK = Loss × Probability • Loss means the decline of asset value when an asset is exposed to some vulnerability. • Probability means the probability of threat occurrence through the corresponding vulnerability. • The risk of an asset is its value times the average of Loss × Probability over its vulnerabilities. Asset AM3 (value 100) has three vulnerabilities with loss factors 0.8, 0.9, 0.6 and probabilities 0.5, 0.7, 0.4: • Total Risk of AM3 = 100 × (0.8 × 0.5 + 0.9 × 0.7 + 0.6 × 0.4) / 3 = 100 × 1.27 / 3 = 42.3
Mitigation Effect • Applying a risk mitigation method to some vulnerabilities can reduce the rate of not only one vulnerability but of several related vulnerabilities simultaneously. • We can therefore estimate the risk reduction of a candidate mitigation by considering which vulnerabilities it affects. • A firewall lowers the loss factors of AM3’s three vulnerabilities from 0.8, 0.9, 0.6 to 0.1, 0.5, 0.1, so the residual risk after applying the firewall = 100 × (0.1 × 0.5 + 0.5 × 0.7 + 0.1 × 0.4) / 3 = 100 × 0.44 / 3 = 14.7, and the risk reduction (benefit) is 42.3 − 14.7 = 27.6.
Risk Analysis • What kinds of threats can be reduced? • What are the residual risks if the risk mitigations are applied? • What is the ROI of each risk mitigation? • ROI = Benefit / Cost • Benefit = (initial risk) − (residual risk after the risk mitigation method is applied) • Total Cost = Acquisition Cost + Operation Cost + Business Opportunity Cost
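The two quantitative calculations above (SLE/ARO/ALE with the safeguard cost question, and the per-vulnerability RISK = Loss × Probability model with its ROI) are carried through below in one runnable example. This is added code, not from the slides or from In et al.; the AM3 figures are the deck’s own, while the car’s exposure factor of 1.0 (total loss), the vulnerability names v1–v3 and the firewall cost figures are assumptions made for the example.

```python
"""Quantitative risk arithmetic from the slides: SLE/ARO/ALE and the
per-vulnerability RISK = Loss x Probability model of In et al. (AsiaSim 2004),
plus the safeguard cost/benefit question each one is used to answer.
Added example; AM3 numbers are the deck's, safeguard costs are constructed."""
from __future__ import annotations

from dataclasses import dataclass


# --- SLE / ARO / ALE ----------------------------------------------------------

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value ($) x exposure factor (fraction of the
    asset's value lost in one successful exploit)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ARO (expected successful exploits per year,
    may be above 1 or well below it) x SLE."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return aro * sle(asset_value, exposure_factor)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus its annualized cost.
    A negative result means the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_cost


# --- RISK = asset value x mean(loss_i x probability_i) ------------------------

@dataclass(frozen=True)
class Vulnerability:
    name: str
    loss: float         # fraction of asset value lost if this vulnerability is exercised
    probability: float  # probability that the corresponding threat occurs


def total_risk(asset_value: float, vulns: list[Vulnerability]) -> float:
    """The deck's formula: value x (sum of loss x probability) / number of vulnerabilities."""
    if not vulns:
        return 0.0
    return asset_value * sum(v.loss * v.probability for v in vulns) / len(vulns)


def apply_mitigation(vulns: list[Vulnerability], new_loss: dict[str, float]) -> list[Vulnerability]:
    """One control can change several related vulnerabilities at once: replace the
    loss factor of every vulnerability it touches and leave the others unchanged."""
    return [Vulnerability(v.name, new_loss.get(v.name, v.loss), v.probability) for v in vulns]


def roi(initial_risk: float, residual_risk: float,
        acquisition: float, operation: float, opportunity: float) -> float:
    """ROI = Benefit / Cost, with Benefit = initial - residual risk and
    Cost = acquisition + operation + business-opportunity cost."""
    cost = acquisition + operation + opportunity
    if cost <= 0.0:
        raise ValueError("total cost must be positive")
    return (initial_risk - residual_risk) / cost


# Asset AM3 from the slides: value 100, three vulnerabilities (names v1-v3 constructed).
AM3_VALUE = 100.0
AM3 = [
    Vulnerability("v1", loss=0.8, probability=0.5),
    Vulnerability("v2", loss=0.9, probability=0.7),
    Vulnerability("v3", loss=0.6, probability=0.4),
]
# Loss factors after the firewall, as given on the "Mitigation Effect" slide.
FIREWALL_LOSS = {"v1": 0.1, "v2": 0.5, "v3": 0.1}


if __name__ == "__main__":
    # Car example: $10,000 asset, assumed total loss (EF = 1.0), once in ten years.
    print("car ALE:", ale(10_000, 1.0, 0.10))                        # 1000.0
    # Constructed: a control cutting that ALE to 100 at 200/year is worth 700/year.
    print("net value of control:", safeguard_value(1000.0, 100.0, 200.0))  # 700.0

    initial = total_risk(AM3_VALUE, AM3)
    residual = total_risk(AM3_VALUE, apply_mitigation(AM3, FIREWALL_LOSS))
    print(f"AM3 risk {initial:.1f} -> {residual:.1f} after firewall")   # 42.3 -> 14.7
    # Constructed costs in the same units as risk: acquisition 5, operation 3, opportunity 2.
    print("firewall ROI:", round(roi(initial, residual, 5.0, 3.0, 2.0), 2))  # 2.77
```

The point of `apply_mitigation` taking a mapping rather than a single vulnerability is the "Mitigation Effect" slide: a control is credited with every vulnerability it touches, so two controls are compared on their whole footprint, not on the one vulnerability each was bought for.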
Process of Qualitative Assessment • Seek management approval to conduct analysis. • Form a risk assessment team. • Request related documents. • Setup interviews with organizational members to identify vulnerabilities, threats and countermeasures. • Analyze the data. Matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, determining the impact to the organization in the event an exploit is successful and matching current and planned countermeasures (that is, protection) to the threat–vulnerability pair. • Calculate risk. • Recommend countermeasures and calculate residual risk.
Comments Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples that we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.
Assets and Their Priority (STAR Project). Table legend: C = critical element; E = essential; N = normal.
Definition of Priority • Critical: If the loss of its function would result in the university ceasing to function as a business entity. • Essential: The loss of asset would cripple the university’s capacity to function, but it could survive for a week or so without the asset. All effort would be made to restore the function within a week. • Normal: If the loss of asset resulted in some inconvenience. STAR Project
Asset Weight Matrix to Prioritize IT Assets STAR Project
List of Controls for Critical Risks STAR Project
Summary of Compliance Matrix STAR Project
Risk Assessment Methodologies • NIST SP 800-30 and SP 800-66 (HIPAA). • OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), Carnegie Mellon University. • FRAP (Facilitated Risk Analysis Process), Tom Peltier. • CRAMM (CCTA Risk Analysis and Management Method). • Spanning Tree Analysis. • Failure Mode and Effects Analysis (FMEA).
Risk Assessment Process - NIST SP 800-30 (nine steps, in this order): • System characterization. • Threat identification. • Vulnerability identification. • Control (countermeasure) analysis. • Likelihood determination. • Impact analysis. • Risk determination. • Control recommendations. • Results documentation.
Risk Assessment Activities (NIST SP 800-30): Input → Activity → Output
1. System Characterization. Input: hardware/software, system interfaces, data and information, people, system mission. Output: system boundary, system functions, system and data criticality, system and data sensitivity.
2. Threat Identification. Input: history of attacks, data from intelligence agencies. Output: threat statement.
3. Vulnerability Identification. Input: reports from prior risk assessments, audit comments, security requirements, security test results. Output: list of potential vulnerabilities.
4. Control Analysis. Input: current controls, planned controls. Output: list of current and planned controls.
5. Likelihood Determination. Input: threat-source motivation, threat capacity, nature of the vulnerability, current controls. Output: likelihood rating.
6. Impact Analysis. Input: mission impact analysis, asset criticality assessment, data criticality, data sensitivity; considers loss of integrity, loss of availability, loss of confidentiality. Output: impact rating.
7. Risk Determination. Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls. Output: risks and associated risk levels.
8. Control Recommendation. Output: recommended controls.
9. Results Documentation. Output: risk assessment report.
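Steps 5 through 8 above are where the qualitative ratings are turned into a ranked list. As an added example (not code from the slides or from NIST), the block below implements the risk determination of SP 800-30 section 3.7: its Risk-Level Matrix assigns likelihood weights High = 1.0, Medium = 0.5, Low = 0.1 and impact scores High = 100, Medium = 50, Low = 10, and rates the product as High (above 50 to 100), Medium (above 10 to 50) or Low (1 to 10). The rule that turns threat-source motivation, capability and control adequacy into a likelihood rating is this example’s simplification of the guide’s likelihood definitions, and the threat–vulnerability pairs are constructed.

```python
"""Risk determination as in NIST SP 800-30 (2002), section 3.7: a likelihood
rating and an impact rating combined through the Risk-Level Matrix into a
High / Medium / Low risk for each threat-vulnerability pair.  Added example;
the sample pairs are constructed and likelihood_rating() is a simplification
of the guide's likelihood definitions."""
from __future__ import annotations

from dataclasses import dataclass

# Risk-Level Matrix weights and scores from SP 800-30.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}


def likelihood_rating(motivated: bool, capable: bool, controls: str) -> str:
    """Simplified likelihood definitions.  `controls` is one of "ineffective",
    "impede" (controls exist that may impede a successful exercise) or "prevent".
    High: motivated and capable source, controls ineffective.
    Medium: motivated and capable source, controls may impede.
    Low: source lacks motivation or capability, or controls prevent exercise."""
    if controls not in ("ineffective", "impede", "prevent"):
        raise ValueError("controls must be ineffective, impede or prevent")
    if not (motivated and capable) or controls == "prevent":
        return "Low"
    if controls == "ineffective":
        return "High"
    return "Medium"


def risk_level(likelihood: str, impact: str) -> tuple[str, float]:
    """Risk-Level Matrix: score = likelihood weight x impact score.
    High: above 50 up to 100; Medium: above 10 up to 50; Low: 1 to 10.
    Edge case: High likelihood x Medium impact scores exactly 50 and is Medium."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_SCORE[impact]
    if score > 50:
        return "High", score
    if score > 10:
        return "Medium", score
    return "Low", score


@dataclass(frozen=True)
class Pair:
    threat: str
    vulnerability: str
    motivated: bool
    capable: bool
    controls: str   # adequacy of current controls: ineffective / impede / prevent
    impact: str     # "High", "Medium" or "Low" from the impact analysis step


def assess(pairs: list[Pair]) -> list[tuple[str, float, str, str]]:
    """Rate every pair and return (level, score, threat, vulnerability),
    highest score first, so control recommendations start at the top."""
    rated = []
    for p in pairs:
        level, score = risk_level(likelihood_rating(p.motivated, p.capable, p.controls), p.impact)
        rated.append((level, score, p.threat, p.vulnerability))
    return sorted(rated, key=lambda r: r[1], reverse=True)


# Constructed threat-vulnerability pairs for a campus student-records system.
SAMPLE_PAIRS = [
    Pair("external attacker", "unpatched web server", True, True, "ineffective", "High"),
    Pair("disgruntled insider", "shared admin password", True, True, "impede", "High"),
    Pair("external attacker", "default SNMP community string", True, True, "ineffective", "Medium"),
    Pair("former student", "stale portal account", True, False, "prevent", "Low"),
]

if __name__ == "__main__":
    for level, score, threat, vuln in assess(SAMPLE_PAIRS):
        print(f"{level:6} {score:6.1f}  {threat} -> {vuln}")
```

Two pairs land on a score of exactly 50 (High × Medium and Medium × High); SP 800-30 places 50 in the Medium band, which is why the thresholds are strict "greater than" comparisons. Anyone adapting the matrix to a finer scale should re-check where the band boundaries fall before ranking.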
Risk Mitigation Action Points (decision flow, after NIST SP 800-30 Figure 4-1, starting from the system design): • Does a threat source exist? No → no risk. • Is the system vulnerable to attack (does a vulnerability exist)? No → no risk. • Is the vulnerability exploitable? No → no risk. Yes → risk exists. • Is the attacker’s cost less than the gain? No → accept the risk. • Is the anticipated loss greater than the threshold? No → accept the risk. Yes → unacceptable risk; mitigate.
How Does Risk Management Work? Risk Assessment: define boundaries, scope, and methodology → collect and synthesize data → interpret results. Risk Mitigation: select safeguard* → implement control → accept residual risk. Uncertainty enters at each of these steps. * There are many approaches to safeguard selection.
Risk Management Cycle From GAO/AIMD-99-139
Risk Management Principles • Risk Avoidance. The practice of choosing alternatives so that the risk in question is not realized. • Risk Transfer. The practice of passing the risk in question on to another entity, such as an insurance company. • Risk Mitigation. The practice of eliminating or significantly decreasing the level of risk presented; e.g., a company can put countermeasures such as a firewall or IDS in place to deter malicious actors from accessing highly sensitive information. • Risk Acceptance. The practice of simply accepting certain risk(s), typically based on a business decision that weighs the cost of dealing with the risk in another way against the benefit.