Risk analysis O-ISM3

Posted on 26-Jan-2015


1

FIST Conference November/Madrid 2008 @

Risk Assessment ISM3-Style

Vicente Aceituno, 2008

2

About me

• Vice president of the FIST Conferences association. www.fistconference.org

• President of the ISSA Spain chapter. www.issa-spain.org

• Author of a number of articles. Google: vaceituno wikipedia

• Director of the ISM3 Consortium. The consortium promotes ISM3, an ISMS standard. ISM3 is the main source for this presentation. www.ism3.com

3

Standards

Magerit

Canadian Risk Management Guide

AS 4360

BS 7799-3:2005

SP800-30

Octave

Marion

ISO 13335-2

ISF method

Mehari

Ebios

Dutch A&K analysis

Cramm

ISO 27005

4

RA Method Design

[Diagram: the factors a risk assessment method has to relate: Assets (Value, Cost), Impact, Threats (Frequency, Likelihood), Weaknesses, Countermeasures, Exposure]

5

Complexity

Likelihood * Threats * Vulnerabilities * Countermeasures * Asset Value * Exposure = N^6 combinations

6

RA Method Design

• Threat Taxonomy

• Countermeasures Taxonomy

• Model

• Scope

• Depth

• Threat Likelihood

• Asset Value

• Correct? Useful?

7

Threat Taxonomy

• Pretty long lists

• Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberada (deliberate), etc.

• Against Confidentiality, against Integrity, against Availability, et al.

• ISM3-RA uses:

1. Destruction / Corruption / Loss of valid information or systems

2. Aging of information & Outdated systems

3. Underperformance OR Interruption of valid system services & Failure of authorized access

4. Failure to destroy expired information or systems & Failure to stop systems at will

5. Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems

6. Improper recording of access to information or systems (anonymous or otherwise)

8

Countermeasures Taxonomy

• ISO 27001 Controls

• PCI DSS Controls

• Cobit Controls

• Custom-made lists

• Etc.

• ISM3-RA uses ISM3 Processes

9

Model

• No model

• Assets (mostly technical)

• Servers, databases, networks, etc. (purely technical)

• ISM3-RA uses Environments and Business Functions

10

ISM3-RA Environments

[Diagram: Environments: Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks]

11

ISM3-RA Business Model

[Diagram: Business Functions: Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal]

12

Scope

• The more choice on the side of the certificate aspirant, the less value in the certification.

• The wider the scope, the higher the cost.

• ISM3-RA uses the scope of whole companies.

13

Depth

• The higher the level of detail, the more complex and costly.

• The depth should match the kind of decisions we want to support.

• ISM3-RA uses management-level depth.

14

Threat Likelihood

• Normally there is not enough data to know how likely a threat is.

• The multiplicity and evolution of threats make the likelihood of threats very difficult to model.

• ISM3-RA uses a qualitative scale of likelihood (from very high to very low).

15

Asset Value

• Euros

• High – Medium – Low

• Magerit: availability, integrity, confidentiality, authenticity, traceability.

• ISM3-RA uses “The more important Business Functions depend on Environments, the more valuable”

16

Correct? Useful?

• Anyone can create a “correct” RA method.

• But, is it useful?

17

Utility

[Chart: utility rated on a qualitative scale: HIGH, MEDIUM, LOW]

18

Utility

[Chart: utility rated on a numeric scale: 300, 200, 100]

19

Utility – Added Value

• What are we learning that we don’t know already? (Non-banal analysis)

• What are the important threats to the organization?

• What should I do?

• How safe am I? / How likely is it that an incident will happen?

• How much will I lose this year?

• How much should I invest this year?

20

Limits of validity

21

Quantitative RA

Risk = Impact * Probability

[Diagram: Risk as the product of Impact and Probability]

22

Quantitative RA

[Chart: Expected Loss [$] plotted against Probability [% / year]. The y-axis (expected loss in $ per year) is bounded above by the accounting value of the company, with last year’s losses marked as a reference point; the x-axis runs from 0 to 1000 and is bounded by the probability of discontinuation of the company per year]

23

ISO 27005

[Diagram: ISO 27005 risk management process. Establish Context; Risk Assessment, consisting of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision point “Acceptable results?” (loop back if not); Risk Treatment; decision point “Accept risk?” (loop back if not); Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside all steps]

24

Utility Challenges

• Lack of real data

• Are opinions valid data?

• Mixing opinions with arithmetic is a bit like mixing magic and physics.

• The higher the investment, the lower the risk.

• Return on investment is always positive.

• Risk Assessment can be difficult and expensive.

25

ISM3-RA

[Diagram: the Environments (Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks) set against the Business Functions (Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal), showing which functions depend on which environments]

26

ISM3-RA

[Diagram: same Environments and Business Functions as slide 25]

27

ISM3-RA Example

[Bar chart: Relative Weight of Business Functions, scale 0 to 120. Bars for Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales]

28

ISM3-RA Example

[Bar chart: Relative Protection per Environment, scale 0.0 to 1.2. Bars for Internet, SSCC, Oficinas (Offices), Host, SSAA, Terceros (Third parties), Usuarios Mobiles (Mobile users), Personal (Staff)]

29

ISM3-RA Example

[Bar chart: Relative Reliance on Environments, scale 0 to 25000. Bars for Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales]

30

ISM3-RA Example

[Bar chart: Relative Environment Criticality, scale 0 to 35000. Bars for Internet, SSCC, Oficinas (Offices), Host, SSAA, Terceros (Third parties), Usuarios Mobiles (Mobile users), Personal (Staff)]

31

ISM3-RA Example

[Stacked bar chart: Risk per Business Function, scale 0.000000 to 0.000450. Bars for Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales; each bar split by environment: Personal, Usuarios Mobiles, Terceros, SSAA, Host, Oficinas, SSCC]

32

ISM3-RA Example

[Stacked bar chart: Risk to Technical Environment per Threat, scale 0.000 to 0.006. Bars for SSCC, Oficinas, Host, SSAA, Terceros, Usuarios Mobiles; each bar split by ISM3-RA threat class: Improper recording of access to information or systems (anonymous or otherwise); Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems; Failure to destroy expired information or systems & Failure to stop systems at will; Underperformance OR Interruption of valid system services & Failure of authorized access; Aging of information & Outdated systems; Destruction / Corruption / Loss of valid information or systems]
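The example slides above chain four quantities: the relative weight of each business function, how much each function relies on each environment, the criticality that results for each environment (slide 15: the more important the business functions that depend on an environment, the more valuable it is), the relative protection of each environment, and a qualitative likelihood per ISM3-RA threat class. The script below is an added illustration of that chain, written for this page and not taken from the ISM3 Consortium; the weights, dependencies, protection levels, likelihood mapping and the multiplicative formulas are all assumptions constructed here, so the numbers show how the aggregation behaves, not what ISM3-RA prescribes.

```python
"""Illustrative ISM3-RA-style aggregation (constructed example; the
formulas are assumptions made for this page, not the consortium's).

Chain: business-function weights -> reliance on environments ->
environment criticality -> relative risk per business function and
per environment/threat, using environment protection and a qualitative
threat likelihood scale."""
from collections import defaultdict

# Qualitative likelihood scale (slide 14) mapped to ordinal scores.
# The numeric mapping is an assumption of this example.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Constructed sample: relative weight of business functions (slide 27 uses 0-120).
WEIGHTS = {"Sales": 100, "Production": 90, "Financing / Accounting": 60, "Governance": 20}

# Constructed sample: dependency of each business function on each environment
# (0 = none, 3 = fully dependent); environments named as on slide 28.
DEPENDENCY = {
    "Sales": {"Internet": 3, "Oficinas": 2, "Host": 3},
    "Production": {"Host": 3, "Oficinas": 1},
    "Financing / Accounting": {"Host": 2, "Oficinas": 2, "Terceros": 1},
    "Governance": {"Oficinas": 2, "Personal": 3},
}

# Constructed sample: relative protection per environment
# (0 = no countermeasures, 1 = all applicable ISM3 processes in place).
PROTECTION = {"Internet": 0.4, "Oficinas": 0.7, "Host": 0.9, "Terceros": 0.3, "Personal": 0.5}

# Constructed sample: qualitative likelihood per ISM3-RA threat class (slide 7).
THREAT_LIKELIHOOD = {
    "Destruction / Corruption / Loss": "medium",
    "Aging / Outdated systems": "high",
    "Underperformance / Interruption": "high",
    "Failure to destroy / stop": "low",
    "Unauthorized access / improper use": "very high",
    "Improper recording of access": "medium",
}


def reliance(weights, dependency):
    """Slide 29: reliance of each business function on environments,
    weight * dependency summed over the environments it uses."""
    return {bf: sum(weights[bf] * d for d in dependency.get(bf, {}).values())
            for bf in weights}


def criticality(weights, dependency):
    """Slide 30 / slide 15 rule: criticality of an environment is the sum
    over business functions of weight * dependency on that environment."""
    crit = defaultdict(float)
    for bf, envs in dependency.items():
        for env, d in envs.items():
            crit[env] += weights[bf] * d
    return dict(crit)


def exposure(protection, threat_likelihood):
    """Per environment and threat: likelihood score scaled by the
    unprotected fraction (1 - protection). Assumed formula."""
    return {env: {t: LIKELIHOOD[lvl] * (1 - p) for t, lvl in threat_likelihood.items()}
            for env, p in protection.items()}


def normalise(table):
    """Turn raw scores into relative shares summing to 1 (charts are relative)."""
    total = sum(table.values())
    return {k: v / total for k, v in table.items()} if total else dict(table)


def risk_per_environment_per_threat(weights, dependency, protection, threat_likelihood):
    """Slide 32: relative risk per (environment, threat) = criticality * exposure."""
    crit = criticality(weights, dependency)
    exp = exposure(protection, threat_likelihood)
    raw = {(env, t): crit.get(env, 0.0) * x
           for env, row in exp.items() for t, x in row.items()}
    return normalise(raw)


def risk_per_business_function(weights, dependency, protection, threat_likelihood):
    """Slide 31: relative risk per (business function, environment) =
    weight * dependency * total exposure of that environment."""
    exp = exposure(protection, threat_likelihood)
    env_exposure = {env: sum(row.values()) for env, row in exp.items()}
    raw = {(bf, env): weights[bf] * d * env_exposure[env]
           for bf, envs in dependency.items() for env, d in envs.items()}
    return normalise(raw)


if __name__ == "__main__":
    print("Reliance:", reliance(WEIGHTS, DEPENDENCY))
    print("Criticality:", criticality(WEIGHTS, DEPENDENCY))
    bf_risk = risk_per_business_function(WEIGHTS, DEPENDENCY, PROTECTION, THREAT_LIKELIHOOD)
    env_risk = risk_per_environment_per_threat(WEIGHTS, DEPENDENCY, PROTECTION, THREAT_LIKELIHOOD)
    for key, share in sorted(bf_risk.items(), key=lambda kv: -kv[1])[:3]:
        print(f"risk {key}: {share:.3f}")
    for key, share in sorted(env_risk.items(), key=lambda kv: -kv[1])[:3]:
        print(f"risk {key}: {share:.3f}")
```

With these constructed inputs the Host environment is the most critical (690 versus 450 for Oficinas), yet because it is also the best protected, the largest residual risk share lands on Sales over the Internet environment and on the "Unauthorized access / improper use" class against Internet. That is the management-level output the deck aims at: which environments matter, and where protection lags behind criticality.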

33

References

1. Viable System Model, http://en.wikipedia.org/wiki/Viable_System_Model

2. RA Method Inventory, http://www.enisa.europa.eu/rmra/rm_home.html

3. Nassim Nicholas Taleb, El cisne negro: el impacto de lo altamente improbable (The Black Swan), ISBN 9788449320774

4. Magerit, Canadian Risk Management Guide, SP800-30, AS 4360, Marion, Ebios, Cramm, ISO 13335-2, ISF method, Mehari, Octave, Dutch A&K analysis

5. Scales of Measurement, Wikipedia

34

Creative Commons Attribution-NoDerivs 2.0

Attribution. You must give the original author credit.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

You are free:

• to copy, distribute, display, and perform this work

• to make commercial use of this work

Under the following conditions:

No Derivative Works. You may not alter, transform, or build upon this work.

35

THANK YOU

Vicente Aceituno

Madrid, November 2008

@www.fistconference.org
