Risk 1
CST 481/598
Many thanks to Jeni Li
Risk
• Potential negative impact to an asset
• Probability of a loss
• A function of three variables
  • The probability of a threat
  • The probability of a vulnerability
  • The potential impact
• A measurable quantity
Types of Risk
• Technical
• Information Security
• Business
• Where measured
• How measured
• Who cares – stakeholders, regulatory requirements, corporate governance
• CIA – Confidentiality, Integrity, Availability
Asset
• "An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise."
• In other words, the stuff that has value to your company and to its ability to conduct its business operations
Asset (examples)
• Information
  • Customer records
  • Sales leads
  • Intellectual property
  • Business transaction records
• Systems
  • Workstations, servers, network infrastructure
• People
  • Staff, clientele
• Products (may be outside our scope)
Impact
• The magnitude of a potential loss
• The seriousness of an event
Vulnerability
• A weakness that provides the opportunity for a threat to occur
• Examples
  • Operating system vulnerabilities
  • Exploitable Web applications
  • Staff members susceptible to social engineering
  • Server room located directly below the bathrooms?
Threat
• A possible danger that might exploit a vulnerability
• Anything that could cause harm to your assets
• May be accidental or intentional
Types of threats
• Accidental
  • Natural disasters
    • Earthquake, fire, flood, lightning
  • True accidents
    • Unintentional misuse or damage by employees
  • Other unintended threats
    • Power grid outage
Types of threats
• Intentional (aka malicious)
  • Caused by a threat agent
  • Examples
    • Corporate espionage
    • Terrorist attack
    • Hacktivism
Threat agent
• An individual or group that will implement the threat. Needs the following factors:
  • Motivation
    • Why does the attacker want to attack?
  • Capability
    • Skills and resources
  • Opportunity
    • Physical or electronic access to the target
  • Catalyst
    • Something that causes the attacker to act
Types of threat agents
• Nation state sponsored
• Terrorist
• Pressure (activist) group
• Commercial organization
• Criminal group
• Hacker group
• Disgruntled insider
Threat vector
• The path or tool used by a threat agent
• Examples
  • Spam, instant messaging, a specific worm
  • Sniffer, keystroke logger, dumpster diving
  • Pipe bomb, truck bomb
Threat inhibitors
• Factors that influence the threat agent not to carry out the attack against the target
Threat amplifiers
• Factors that encourage the threat agent to carry out the attack against the target
Controls
• Measures taken to eliminate or mitigate risk
• Examples
  • Physical security (e.g., locks, barriers)
  • Personnel security (e.g., background checks, training)
  • Procedural security (e.g., policies and other documents)
  • Technical security (hardware, software)
• Must be cost-effective
  • Sometimes the best control is no control at all
The general process
• Identification
• Assessment
• Treatment plan
• Development
• Implementation
• Review/evaluation
Identification
• Assets
• Vulnerabilities
• Threats
• Threat vectors
• Threat agents
Assessment
• Estimate or measure the risk
• Can be qualitative or quantitative
  • Qualitative is good for comparing risks
  • Quantitative is good for determining ROI
Australian standard technical risk assessment
• EC: Adequacy of Existing Controls, 1 (excellent) to 7 (none)
• L: Likelihood of the Risk Occurring, 1 (may never occur) to 5 (is expected to occur)
• I: Impact/Consequence, 1 (minimal to no impact) to 5 (total destruction)

Risk = (7*EC + 3*L + 4*I) / 84
Cost Effectiveness Analysis
• Asset value (AV)
• Exposure factor (EF)
• Single loss expectancy (SLE)
• Annualized rate of occurrence (ARO)
• Annualized loss expectancy (ALE)
Estimate
• Asset value: What's it worth to you?
  • Tangible and intangible
  • If we lost this asset, we would lose $...
• Exposure factor: How bad would it be?
  • Percentage of asset loss caused by a threat
  • 0 to 100%
• Annualized rate of occurrence
  • How many times per year could it happen?
  • Once in 5 years = 1/5
Calculate
• Single loss expectancy
  • SLE = AV x EF
• Annualized loss expectancy
  • ALE = ARO x SLE
Compare
• ALE before safeguard/control
• ALE after safeguard/control
• Cost to deploy safeguard/control
• ALE_before – ALE_after – Cost = Value of safeguard
• Careful how you define those costs!
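The Estimate, Calculate and Compare steps carried through end to end, as an added example that is not part of the course slides. The customer-database scenario, the exposure factors and every dollar figure are constructed; the one addition beyond the slides is an `annualized_cost` helper that spreads a one-time purchase over its useful life, which is the kind of care with cost definitions the last bullet asks for, since ALE is a per-year figure and the control's cost must be in the same units.

```python
"""Quantitative cost-effectiveness analysis: SLE, ALE and safeguard value.

Added worked example, not part of the course slides; the customer-database
scenario and all dollar figures are constructed.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost per incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE. 'Once in 5 years' is an ARO of 1/5."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def annualized_cost(one_time: float, lifetime_years: float,
                    annual_recurring: float = 0.0) -> float:
    """Spread a one-time purchase over its useful life and add the yearly
    running cost, so the control's cost is per year, like ALE."""
    if lifetime_years <= 0:
        raise ValueError("lifetime must be positive")
    return one_time / lifetime_years + annual_recurring


def safeguard_value(ale_before: float, ale_after: float,
                    annual_control_cost: float) -> float:
    """Value = ALE_before - ALE_after - Cost. Positive means worth deploying."""
    return ale_before - ale_after - annual_control_cost


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, 0..1
    aro: float              # incidents per year

    @property
    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(self.aro, sle)


# Constructed scenario: loss of the customer records database
BEFORE = Scenario(asset_value=500_000, exposure_factor=0.40, aro=1 / 5)
# After the control (e.g. tested backups): less of the asset is lost per
# incident; the incident rate itself is unchanged in this scenario.
AFTER = Scenario(asset_value=500_000, exposure_factor=0.10, aro=1 / 5)
# $30k purchase amortized over 3 years plus $5k/yr upkeep
CONTROL_COST = annualized_cost(one_time=30_000, lifetime_years=3,
                               annual_recurring=5_000)


def evaluate(before: Scenario, after: Scenario, control_cost: float) -> float:
    """Net annual value of the control for this pair of scenarios."""
    return safeguard_value(before.ale, after.ale, control_cost)


if __name__ == "__main__":
    print(f"ALE before: ${BEFORE.ale:,.0f}/yr")
    print(f"ALE after:  ${AFTER.ale:,.0f}/yr")
    print(f"Control:    ${CONTROL_COST:,.0f}/yr")
    print(f"Value:      ${evaluate(BEFORE, AFTER, CONTROL_COST):,.0f}/yr")
```

In the constructed numbers the control cuts ALE from $40,000 to $10,000 a year and costs $15,000 a year, so its value is $15,000 a year. Had the $30,000 purchase been charged entirely in year one instead of amortized, the same control would have looked like a net loss, which is exactly the kind of definitional choice the slide warns about.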
Risk treatment plan
• How will you handle each risk?
  • Avoidance (get out of the business)
  • Mitigation (apply a safeguard/control)
  • Retention (live with it)
  • Transfer (buy insurance)
Other approaches exist
• Multi-Attribute Risk Assessment
• Security Attribute Evaluation Method
• Monte Carlo analysis
• CCTA Risk Analysis/Management Method (CRAMM)
• Enterprise risk management
• … and so on
What's important about each asset?
• Confidentiality
• Integrity
• Availability
• Non-repudiability
Infosec Assessment Method(ology)
• Uses the CIA model
• Identify information assets
• Build an information criticality matrix
• Identify systems
• Build a systems criticality matrix
• Determine most critical systems
• Identify safeguards/controls
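The matrix-building steps above, as an added example that is not code from the course or from any published version of the method. The slide does not say how a system's rating is derived from the information it handles; the rule used here, that a system inherits for each of C, I and A the highest rating among the information assets it stores or processes, and the tie-break used to order "most critical" systems, are my assumptions. The information assets, systems and H/M/L ratings are constructed.

```python
"""Information and systems criticality matrices for a CIA-based assessment.

Added worked example; not part of the course slides. Assumed rule (not
stated on the slide): a system inherits, per attribute, the highest C/I/A
rating among the information assets it handles. All data is constructed.
"""
LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {v: k for k, v in LEVELS.items()}
ATTRS = ("C", "I", "A")

# Information criticality matrix: information asset -> {C, I, A} rating
INFORMATION_MATRIX = {
    "customer records":             {"C": "H", "I": "H", "A": "M"},
    "sales leads":                  {"C": "M", "I": "M", "A": "L"},
    "intellectual property":        {"C": "H", "I": "M", "A": "L"},
    "business transaction records": {"C": "M", "I": "H", "A": "H"},
}

# Which information each identified system stores or processes
SYSTEMS = {
    "crm_server":            ["customer records", "sales leads"],
    "engineering_fileshare": ["intellectual property"],
    "erp_cluster":           ["business transaction records", "customer records"],
    "kiosk_workstation":     ["sales leads"],
}


def system_criticality_matrix(info_matrix, systems):
    """Systems criticality matrix: per attribute, the max rating over the
    information the system handles. Refuses to rate a system that
    references information missing from the information matrix."""
    result = {}
    for system, assets in systems.items():
        unknown = [a for a in assets if a not in info_matrix]
        if unknown:
            raise KeyError(f"{system}: unrated information asset(s) {unknown}")
        result[system] = {
            attr: NAMES[max(LEVELS[info_matrix[a][attr]] for a in assets)]
            for attr in ATTRS
        }
    return result


def overall_level(ratings):
    """Single level for a system: its highest C/I/A rating."""
    return NAMES[max(LEVELS[ratings[a]] for a in ATTRS)]


def most_critical(system_matrix):
    """Systems ordered by overall level, then by how many attributes are High
    (assumed tie-break). The top entries get safeguards first."""
    def key(item):
        _, ratings = item
        highs = sum(1 for a in ATTRS if ratings[a] == "H")
        return (LEVELS[overall_level(ratings)], highs)
    return [s for s, _ in sorted(system_matrix.items(), key=key, reverse=True)]


if __name__ == "__main__":
    matrix = system_criticality_matrix(INFORMATION_MATRIX, SYSTEMS)
    for system in most_critical(matrix):
        r = matrix[system]
        print(f"{system:22s} C={r['C']} I={r['I']} A={r['A']}  overall={overall_level(r)}")
```

With the constructed data the ERP cluster comes out H/H/H because it holds both transaction records (high integrity and availability) and customer records (high confidentiality), which is the point of the inheritance step: a system's criticality is set by the most sensitive information that touches it, not by how the system itself is described.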