Security Risk Management
Marcus Murray, CISSP, MVP (Security)
Senior Security Advisor, Truesec
marcus.murray@truesec.se

Agenda
• What is Risk Management?
• Security Strategy
• Mission and Vision
• Security Principles
• Risk Based Decision Model
• Tactical Prioritization
• Representative Risks and Tactics
What is Risk Management?
• The process of identifying and valuing assets and calculating the risk to them
• Something we all do, more or less, whether or not we call it that

Risk Based Security Strategy
• Corporate Security Mission and Vision
• Security Operating Principles
• Risk Based Decision Model
• Tactical Prioritization
Information Security Mission
(Figure: cycle of Assess Risk, Define Policy, Audit Controls)
Prevent malicious or unauthorized use that results in the loss of Company intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.

Information Security Vision
An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.
Key Client Assurances
• My identity is not compromised
• Resources are secure and available
• Data and communications are private
• Clearly defined roles and accountability
• Timely response to risks and threats

Security Operating Principles
• Management Commitment
  • Manage risk according to business objectives
  • Define organizational roles and responsibilities
• Users and Data
  • Manage to the practice of least privilege
  • Privacy strictly enforced
• Application and System Development
  • Security built into the development lifecycle
  • Layered defense and reduced attack surface
• Operations and Maintenance
  • Security integrated into the operations framework
  • Monitor, audit, and response functions aligned to operational functions
Enterprise Risk Model
(Figure: two-by-two chart. Vertical axis: Impact to Business, low to high, defined by the business owner. Horizontal axis: Probability of Exploit, low to high, defined by Corporate Security. High impact and high probability is Unacceptable Risk; low impact and low probability is Acceptable Risk.)
• Risk assessment drives to acceptable risk

Components of Risk Assessment
• Asset: what are you trying to assess?
• Threat: what are you afraid of happening?
• Vulnerability: how could the threat occur?
• Mitigation: what is currently reducing the risk?
• Impact: what is the impact to the business?
• Probability: how likely is the threat given the controls?
Impact + Probability = Current Level of Risk: what is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?

Risk Management Process and Roles
Corporate Security (CorpSec) owns steps 1, 2 and 5; Engineering and Operations own steps 3 and 4:
1. Prioritize Risks (CorpSec)
2. Security Policy (CorpSec)
3. Security Solutions & Initiatives (Engineering and Operations)
4. Sustained Operations (Engineering and Operations)
5. Compliance (CorpSec)

Tactical Prioritization by Environment
Prioritized risks are mapped to policies and mitigation tactics appropriate for each environment:
• Data Center
• Client
• Unmanaged Client
• RAS (remote access)
• Extranet
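To make the decision model of the preceding slides concrete (the risk model, the components of risk assessment, and tactical prioritization by environment), here is an added worked example. It is not code from the deck or from Truesec. It keeps a small risk register in Python, scores each entry as impact times residual probability (controls lower the probability of exploit, not the business impact), classifies the score against an acceptable-risk threshold, orders the register with unacceptable risks first, groups it per environment, and shows which candidate controls drive a risk back to acceptable. The 1-to-5 scales, the threshold of 9, the probability cut assigned to each control, and every register entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace

# Numeric scales are assumptions for this example; the deck defines no scale.
SCALE = range(1, 6)           # 1 = low ... 5 = high
ACCEPTABLE_MAX_SCORE = 9      # impact * probability <= 9 counts as acceptable risk


@dataclass(frozen=True)
class Mitigation:
    """A control that reduces the probability of exploit (not the impact)."""
    name: str
    probability_cut: int        # scale points removed from probability (assumed)


@dataclass
class Risk:
    asset: str                  # what are you trying to assess?
    threat: str                 # what are you afraid of happening?
    vulnerability: str          # how could the threat occur?
    environment: str            # Data Center, Client, Unmanaged Client, RAS, Extranet
    impact: int                 # impact to the business, set by the business owner
    probability: int            # probability of exploit before controls, set by CorpSec
    mitigations: list = field(default_factory=list)   # what currently reduces the risk?

    def __post_init__(self):
        for name in ("impact", "probability"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in {list(SCALE)}")

    def residual_probability(self) -> int:
        """How likely is the threat given the controls? Never below 1: a control
        lowers likelihood, it does not make the threat impossible."""
        cut = sum(m.probability_cut for m in self.mitigations)
        return max(1, self.probability - cut)

    def score(self) -> int:
        """Current level of risk = impact x residual probability."""
        return self.impact * self.residual_probability()

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTABLE_MAX_SCORE


def prioritize(risks):
    """Unacceptable risks first, then descending score, then asset name so
    that equal scores keep a stable order."""
    return sorted(risks, key=lambda r: (r.acceptable(), -r.score(), r.asset))


def by_environment(risks):
    """Group the prioritized list per environment so each gets its own tactics."""
    groups = {}
    for r in prioritize(risks):
        groups.setdefault(r.environment, []).append(r)
    return groups


def controls_to_reach_acceptable(risk, candidates):
    """Greedily add candidate controls, strongest first, until the risk is
    acceptable. Returns the names added, or None if the candidates cannot get
    there (then impact must be reduced or the risk formally accepted)."""
    trial = replace(risk, mitigations=list(risk.mitigations))
    added = []
    for c in sorted(candidates, key=lambda m: -m.probability_cut):
        if trial.acceptable():
            break
        trial.mitigations.append(c)
        added.append(c.name)
    return added if trial.acceptable() else None


# Constructed register for illustration, not data from the deck.
PATCHING = Mitigation("Patch Management (SMS/WUS/SUS)", 2)
IPSEC = Mitigation("Network Segmentation via IPsec", 2)
TWO_FACTOR = Mitigation("2-Factor for RAS & Administrators", 3)
STRONG_PW = Mitigation("Eliminate Weak Passwords", 1)

REGISTER = [
    Risk("file server", "data theft", "open share on unpatched host",
         "Data Center", impact=5, probability=4, mitigations=[PATCHING]),
    Risk("remote access account", "account compromise", "password-only RAS logon",
         "RAS", impact=4, probability=5),
    Risk("extranet link", "data disclosure", "sniffing on the wire",
         "Extranet", impact=3, probability=3, mitigations=[IPSEC]),
    Risk("domain trust", "lateral movement", "unmanaged trust to lab domain",
         "Unmanaged Client", impact=2, probability=4),
]

if __name__ == "__main__":
    for env, risks in by_environment(REGISTER).items():
        print(env)
        for r in risks:
            state = "acceptable" if r.acceptable() else "UNACCEPTABLE"
            print(f"  {r.score():2d} {state:12s} {r.asset}: {r.threat} via {r.vulnerability}")
    print(controls_to_reach_acceptable(REGISTER[1], [STRONG_PW, TWO_FACTOR]))
```

The point of `controls_to_reach_acceptable` is the "risk assessment drives to acceptable risk" arrow on the chart: the business owner's impact rating is fixed, so the only lever Engineering and Operations have is the probability column, and the function reports which controls are enough and when none are, which is the signal to escalate rather than to keep adding tactics.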
Risk Analysis by Asset Class
• Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
• Application: unauthenticated access to applications, unchecked memory allocations
• Network: data sniffing on the wire, network fingerprinting
• Account: compromise of integrity or privacy of accounts
• Trust: unmanaged trusts enable movement among environments

Representative Risks and Tactics
Enterprise risk → tactical solution:
• Unpatched Devices → Secure Environment Remediation; Embody Trustworthy Computing
• Unmanaged Devices → Network Segmentation via IPSec
• Remote & Mobile Users → Secure Remote User
• Single-Factor Authentication → 2-Factor for RAS & Administrators
• Focus Controls Across Key Assets → Managed Source Initiatives

Security Solutions and Initiatives
Mitigate risk to the infrastructure through implementation of four key strategies:
1. Secure the Network Perimeter: Secure Wireless; Smart Cards for RAS; Secure Remote User; Next Generation AV; Messaging Firewall; Direct Connections
2. Secure the Network Interior: IDC Network Cleanup; Eliminate Weak Passwords; Account Segregation; Patch Management (SMS/WUS/SUS); NT4 Domain Migration; Network Segmentation
3. Secure Key Assets: Smart Cards for Admin Access; Regional Security Assessment; Automate Vulnerability Scans; Secure Source Code Assets; Lab Security Audit
4. Enhance Monitoring and Auditing: Network Intrusion Detection System; Host Intrusion Detection Systems; Automate Security Event Analysis; Use MOM for Server Integrity Checking; Use ACS for real-time security log monitoring
More information
• www.microsoft.se/technet
• www.microsoft.se/security
• www.truesec.se/events
• www.itproffs.se

Marcus Murray
marcus.murray@truesec.se