IT Risk Management: Threats, Vulnerabilities, Controls and the Measurement of Risk Welcome Presented by Marc D’Aloisio and Frank Ward DOIT IT Security
Introduction • Today’s presentation will focus on the world of threats our information systems inhabit • We will determine whether all threats are of equal concern and cover the essential step of pairing threats with vulnerabilities • Finally we will discuss the objective evaluation of existing controls
Agenda • Introduction • Here a threat, there a threat • A threat is only real if… • Know yourself, know your enemies • All IT is “Risky Business” • Knowing what you need to know • The (legitimate) art of intrusion
Introduction • One way to differentiate threats is their potential impact on an organization • When is a threat not a “real” threat? • A threat is not a threat without a vulnerability • Know yourself, know your enemies • Risk Management Frameworks • Objectivity Through Ethical Hacking
Here a threat, there a threat If you asked me to name the three scariest threats facing the human race, I would give the same answer that most people would: nuclear war, global warming and Windows. Dave Barry, Miami Herald
Here a threat, there a threat • There are many threat listings: • SANS/FBI Top 25 • McAfee & Symantec • MITRE CVE • CERT • MS-ISAC • Special reports such as the CSIS Cybersecurity report for the 44th Presidency
A Threat is only real if… • The number of documented threats to IT systems is growing daily • Should we be afraid of everything? • Is every threat a threat to you? • How do you identify the real threats to your IT environment?
Know yourself, know your enemies Security is always going to be a cat and mouse game because there'll be people out there that are hunting for the zero day award, you have people that don't have configuration management, don't have vulnerability management, don't have patch management. Kevin Mitnick
Know yourself, know your enemies • We know the threats are out there; we need to know what vulnerabilities exist in our environment • Only when we pair real threats with real vulnerabilities can we begin to understand the real risks associated with the ownership and operation of information systems • A logical framework is needed for the identification and evaluation of threats and the real risks they represent
All IT is “Risky Business” • Organizations have been developing strategies and frameworks to assist in managing financial risk for decades • Over the past dozen years IT risk management frameworks have also been established • Current IT risk management frameworks include: • FISMA and NIST • ISO/IEC 17799:2005 (since renumbered ISO/IEC 27002) • OCTAVE • COBIT
All IT is “Risky Business” • In recognition of its interdependent relationships with the Federal Government, the State of Connecticut follows FISMA/NIST standards • FISMA – Federal Information Security Management Act • NIST – National Institute of Standards and Technology; its Special Publications define specific guidelines and best practices to assist in implementing FISMA requirements • The State has adapted NIST guidelines SP 800-30 (risk management), SP 800-18 (system security plans) and SP 800-53 (security controls) for the development of its own Risk Analysis Methodology
RISK ANALYSIS METHODOLOGY PROCESS FLOW (State of CT Risk Analysis Process)
• STEP ONE – System Security Profile(s) • Inputs: interviews, system requirements, hardware documentation, system design, software documentation, SDM documentation, system functionality, roles and responsibilities
• STEP TWO – Threat and Vulnerability Identification • Inputs: system event logs, MITRE CVE database, prior technical evaluations, prior risk analyses, prior system audits, incident response logs, regulatory environments, vulnerability scans • Output: Threat and Vulnerability Matrix
• STEP THREE – Control Analysis • Inputs: public-domain authoritative checklists mapped to the NIST 800-53 control catalog, custom checklists mapped to the NIST 800-53 control catalog, NIST 800-53 control catalog • Output: listing of current and planned controls, mapped to NIST 800-53
• STEP FOUR – Likelihood Determination • Inputs: threat source motivation, threat capacity, nature of the vulnerability, effectiveness of current and planned controls • Output: likelihood ratings for each threat and vulnerability pairing
• STEP FIVE – Impact Analysis • Inputs: BIA from prior BCP/DR, asset criticality, data criticality, data sensitivity, regulatory requirements • Output: impact ratings for each threat and vulnerability pairing
• STEP SIX – Risk Determination • Likelihood ratings × impact analysis ratings • Output: risk level ratings for each threat and vulnerability pairing
• STEP SEVEN – Control Recommendations • Input: output from Steps 2, 3, 4, 5 and 6 above • Output: detailed control recommendations grouped by risk level
• STEP EIGHT – Remediation Workplans • Output: remediation workplans providing resource requirements, priorities, roles and responsibilities
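The following is an added worked example, not code from the presentation or from DOIT, showing how Steps 2, 4, 5, 6 and 7 of the process flow above fit together in code. It uses the qualitative scales from NIST SP 800-30 (2002): likelihood weights High 1.0 / Medium 0.5 / Low 0.1, impact weights High 100 / Medium 50 / Low 10, and the risk scale where a product above 50 is High, above 10 is Medium and 1 to 10 is Low. The likelihood rule (threat capability and motivation, reduced when an existing control is effective), the sample pairings and the control recommendations with their NIST 800-53 control IDs are constructed for illustration and are not the State's actual data.

```python
"""Threat/vulnerability pairing and risk determination (added example).

Models Steps 2, 4, 5, 6 and 7 of the risk analysis process flow using the
NIST SP 800-30 (2002) likelihood, impact and risk scales. Sample data is
constructed for illustration.
"""
from dataclasses import dataclass

# NIST SP 800-30 likelihood weights (Table 3-6)
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# NIST SP 800-30 impact weights (Table 3-6)
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Pairing:
    """One threat/vulnerability pairing from the Step Two matrix."""
    threat: str
    vulnerability: str
    threat_capable_and_motivated: bool  # Step Four: source motivation and capacity
    control_effective: bool             # Step Four: effectiveness of current controls
    impact: str                         # Step Five rating: High / Medium / Low
    control_rec: str                    # Step Seven recommendation (constructed)


def likelihood_rating(p: Pairing) -> str:
    """Step Four. Assumed rule, paraphrasing SP 800-30 Table 3-4:
    High   - capable, motivated source; controls do not prevent exploitation
    Medium - capable, motivated source; controls may impede exploitation
    Low    - source lacks capability or motivation (controls irrelevant here)
    """
    if not p.threat_capable_and_motivated:
        return "Low"
    return "Medium" if p.control_effective else "High"


def risk_level(likelihood: str, impact: str) -> str:
    """Step Six: likelihood x impact on the SP 800-30 risk scale (Table 3-7).
    >50 -> High, >10 to 50 -> Medium, 1 to 10 -> Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairings):
    """Return (risk_level, likelihood, pairing) for every pairing."""
    rows = []
    for p in pairings:
        lk = likelihood_rating(p)
        rows.append((risk_level(lk, p.impact), lk, p))
    return rows


def recommendations_by_risk(pairings):
    """Step Seven: control recommendations grouped by risk level."""
    grouped = {"High": [], "Medium": [], "Low": []}
    for level, _lk, p in assess(pairings):
        grouped[level].append(f"{p.threat} / {p.vulnerability}: {p.control_rec}")
    return grouped


# Constructed sample: a public-facing web application with a database back end.
SAMPLE = [
    Pairing("Internet attacker (SQL injection)", "Unvalidated input in login form",
            True, False, "High", "Parameterise queries; validate input (SI-10)"),
    Pairing("Internet attacker (vulnerability scan)", "Unpatched IIS 6.0",
            True, True, "High", "Apply vendor patches within SLA (SI-2)"),
    Pairing("Disgruntled insider", "Shared DBA account, no audit trail",
            True, False, "Medium", "Individual accounts and DB auditing (AC-2, AU-2)"),
    Pairing("Natural disaster (flood)", "Single data centre, no offsite backup",
            False, False, "High", "Offsite backups and DR testing (CP-9)"),
]

if __name__ == "__main__":
    for level, lk, p in assess(SAMPLE):
        print(f"{level:6} (likelihood {lk:6}, impact {p.impact:6}) "
              f"{p.threat} / {p.vulnerability}")
    for level, recs in recommendations_by_risk(SAMPLE).items():
        print(f"\n{level} risk recommendations:")
        for r in recs:
            print("  -", r)
```

Note that the second pairing (unpatched IIS with an effective compensating control) drops from High to Medium only because Step Three's control analysis fed into Step Four; without the control listing, every capable, motivated threat against a High-impact asset would score High and the resulting workplan could not be prioritised.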
Knowing what you need to know • What regulatory environments are your systems operating within? • What systems are you responsible for? • What categories/classifications of data exist within your systems? • Where does your data originate? • Who owns the data? • Who uses your data and how is your data used? • Answers to the above and additional questions are used to develop a System Security Profile based on NIST 800-18
Knowing what you need to know • Interviews are not enough • Systems need to be evaluated against objective standards • DISA checklists, NSA guides, the National Checklist Program (NIST) • Automated vulnerability and control assessment tools are absolute necessities for enterprise evaluations
The (legitimate) art of intrusion • The good guys and the bad guys utilize similar tools, techniques and knowledge • Ethical hacking is defined as discovering and verifying system vulnerabilities to help secure enterprise data • It is important to pick the right tools and perform the right tests • Inside-out (authenticated audit from within the system) versus outside-in (unauthenticated testing from the attacker’s position) • The DOIT testing toolkit includes…
The (legitimate) art of intrusion • Nessus, DISA Gold Disk, AppScan and AppDetective • Screenshots of each follow
Nessus (Tenable Network Security) • Useful for: discovery, configuration auditing, vulnerability analysis
AppScan (IBM Rational) • Web application vulnerability scanner • Good for lots more: site crawl for data, error analysis
AppDetective (Application Security, Inc.) • Database vulnerability scanner • Outside-in vs. inside-out
DISA Gold Disk (Defense Information Systems Agency) • Automates DISA checklists • Inside-out audit • Covers: Windows 2000 (Professional, Member Server, Domain Controller); Windows XP; Windows 2003 (Member Server, Domain Controller); desktop applications (e.g., Microsoft Office, Netscape Navigator, Internet Explorer, antivirus products); Internet Information Services versions 5.0 and 6.0
Risk Management In closing, knowing your true risk has an added benefit: you know when it’s appropriate to lose sleep over your IT infrastructure and when it’s not…