O-ISM3 Risk Analysis


Upload: conferencias-fist

Posted on 26-Jan-2015


TRANSCRIPT

Page 1: O-ISM3 Risk Analysis

FIST Conference, Madrid, November 2008

Risk Assessment ISM3-Style

Vicente Aceituno, 2008

Page 2

About me

• Vice president of the FIST Conferences association. www.fistconference.org

• President of the ISSA Spain chapter. www.issa-spain.org

• Author of a number of articles. Google: vaceituno wikipedia

• Director of the ISM3 Consortium. The consortium promotes ISM3, an ISMS standard. ISM3 is the main source for this presentation. www.ism3.com

Page 3

Standards

• Magerit

• Canadian Risk Management Guide

• AS 4360

• BS 7799-3:2005

• SP800-30

• Octave

• Marion

• ISO 13335-2

• ISF method

• Mehari

• Ebios

• Dutch A&K analysis

• Cramm

• ISO 27005

Page 4

RA Method Design (diagram) showing the factors a method has to relate: Assets, Value, Cost, Impact, Threats, Frequency, Likelihood, Weaknesses, Countermeasures, Exposure.

Page 5

Complexity

Likelihood * Threats * Vulnerabilities * Countermeasures * Asset Value * Exposure = N^6 combinations (for N levels of each factor)

Page 6

RA Method Design

• Threat Taxonomy

• Countermeasures Taxonomy

• Model

• Scope

• Depth

• Threat Likelihood

• Asset Value

• Correct? Useful?

Page 7

Threat Taxonomy

• Pretty long lists

• Magerit: Accidental Natural, Accidental Industrial, Accidental Error, Deliberate, etc.

• Against Confidentiality, against Integrity, against Availability, et al.

• ISM3-RA uses:

1. Destruction / Corruption / Loss of valid information or systems.

2. Aging of information & Outdated systems.

3. Underperformance OR Interruption of valid system services & Failure of authorized access.

4. Failure to destroy expired information or systems & Failure to stop systems at will.

5. Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems.

6. Improper recording of access to information or systems (anon or otherwise).

Page 8

Countermeasures Taxonomy

• ISO 27001 Controls

• PCI DSS Controls

• Cobit Controls

• Custom Made Lists

• Etc.

• ISM3-RA uses ISM3 Processes

Page 9

Model

• No Model

• Assets (Mostly Technical)

• Servers, Databases, Networks, etc. (Purely Technical)

• ISM3-RA uses Environments and Business Functions

Page 10

ISM3-RA Environments

Environments (diagram): Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks.

Page 11

ISM3-RA Business Model

Business Functions (diagram): Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal.

Page 12

Scope

• The more choice on the side of the certificate aspirant, the less value in the certification.

• The wider the scope, the higher the cost.

• ISM3-RA uses the scope of whole companies.

Page 13

Depth

• The higher the level of detail, the more complex and costly.

• The depth should match the kind of decisions we want to support.

• ISM3-RA uses management-level depth.

Environments (diagram)

Page 14

Threat Likelihood

• Normally there is not enough data to know how likely a threat is.

• The multiplicity and evolution of threats make the likelihood of threats very difficult to model.

• ISM3-RA uses a qualitative scale of likelihood (from very high to very low).

Page 15

Asset Value

• Euros

• High – Medium – Low

• Magerit: availability, integrity, confidentiality, authenticity, traceability.

• ISM3-RA uses: “The more important the Business Functions that depend on an Environment, the more valuable it is.”

Page 16

Correct? Useful?

• Anyone can create a “correct” RA method.

• But, is it useful?

Page 17

Utility (chart with a qualitative scale: HIGH, MEDIUM, LOW)

Page 18

Utility (chart with a numeric scale: 300, 200, 100)

Page 19

Utility – Added Value

• What are we learning that we don’t know already? (Non-Banal Analysis)

• What are the important threats to the organization?

• What should I do?

• How safe am I? / How likely is it that an incident will happen?

• How much will I lose this year?

• How much should I invest this year?

Page 20

Validity limitations

Page 21

Quantitative RA

Risk = Impact * Probability

(diagram with the three quantities: Risk, Impact, Probability)

Page 22

Quantitative RA (chart): Expected Loss [$] plotted against Probability [% / year]. The chart is anchored by two reference points: last year’s losses ($ per year) and the accounting value of the company at the probability of discontinuation of the company per year.

Page 23

ISO 27005 (process diagram): Establish Context; Risk Assessment, consisting of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision point “Acceptable results?”; Risk Treatment; decision point “Accept risk?”; Risk Acceptance. Risk Communication and Risk Monitoring and Review run alongside the whole process.

Page 24

Utility Challenges

• Lack of real data.

• Are opinions valid data?

• Mixing opinions with arithmetic is a bit like mixing magic and physics.

• The higher the investment, the lower the risk.

• Return on investment is always positive.

• Risk Assessment can be difficult and expensive.

Page 25

ISM3-RA

ISM3-RA (diagram): the Environments (Internal Network, DMZ, Mobile Users, Internal Users, WiFi Networks) set against the Business Functions (Governance, Infrastructure, Human Resources, Production, Logistics, Administration, IT, Advertising, Research, Procurement, Sales, Business Intelligence, Financing / Accounting, Maintenance, Relationships, Legal).

Page 26

ISM3-RA (diagram, same Environments and Business Functions as on page 25).

Page 27

ISM3-RA Example

Relative Weight of Business Functions (bar chart, scale 0 to 120) for: Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales.

Page 28

ISM3-RA Example

Relative Protection per Environment (bar chart, scale 0.0 to 1.2) for the environments: Internet, SSCC, Offices, Host, SSAA, Third Parties, Mobile Users, Staff.

Page 29

ISM3-RA Example

Relative Reliance on Environments (bar chart, scale 0 to 25000) per business function: Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales.

Page 30

ISM3-RA Example

Relative Environment Criticality (bar chart, scale 0 to 35000) for the environments: Internet, SSCC, Offices, Host, SSAA, Third Parties, Mobile Users, Staff.

Page 31

ISM3-RA Example

Risk per Business Function (stacked bar chart, scale 0.000000 to 0.000450) per business function (Governance, Research, Advertising, Business Intelligence, Human Resources, Information Technology, Legal, Relationships, Administration, Financing / Accounting, Infrastructure, Logistics, Maintenance, Procurement, Production, Sales), each bar stacked by environment: Staff, Mobile Users, Third Parties, SSAA, Host, Offices, SSCC.
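As an added illustration, not code from the deck or the ISM3 Consortium, the following Python makes the page-15 valuation rule and the charts on pages 27 to 31 concrete: business functions carry a relative weight, each environment inherits criticality from the functions that rely on it, and each environment's share of a function's risk is scaled by the qualitative likelihood of page 14 and the environment's relative protection. The weighting arithmetic, the likelihood-to-number mapping and every sample value are assumptions constructed for this example.

```python
# Added illustration of ISM3-RA style valuation; formulas are assumptions, not ISM3's own.
# Constructed sample: relative weight of each business function (0-100).
FUNCTION_WEIGHT = {"Governance": 100, "Sales": 80, "Production": 60, "Legal": 20}
# Constructed sample: reliance of each function on each environment (0.0-1.0).
RELIANCE = {
    "Governance": {"Internal Network": 0.9, "DMZ": 0.2, "Mobile Users": 0.5},
    "Sales":      {"Internal Network": 0.5, "DMZ": 0.8, "Mobile Users": 0.9},
    "Production": {"Internal Network": 1.0, "DMZ": 0.1, "Mobile Users": 0.0},
    "Legal":      {"Internal Network": 0.6, "DMZ": 0.0, "Mobile Users": 0.3},
}
# Constructed sample: relative protection per environment (0.0-1.0, cf. page 28).
PROTECTION = {"Internal Network": 0.8, "DMZ": 0.6, "Mobile Users": 0.3}
# Constructed sample: qualitative threat likelihood per environment (page 14 scale).
LIKELIHOOD = {"Internal Network": "low", "DMZ": "high", "Mobile Users": "medium"}
# Assumed mapping of the qualitative scale to a per-year number (not from the deck).
LIKELIHOOD_VALUE = {"very high": 0.5, "high": 0.2, "medium": 0.05, "low": 0.01, "very low": 0.001}


def environment_criticality(weights, reliance):
    """Page-15 rule made numeric: criticality = sum over functions of weight * reliance."""
    crit = {}
    for func, envs in reliance.items():
        for env, r in envs.items():
            crit[env] = crit.get(env, 0.0) + weights[func] * r
    return crit


def risk_per_function(weights, reliance, protection, likelihood):
    """Assumed formula: each environment's share of a function's risk is
    weight * reliance * likelihood * (1 - protection)."""
    risk = {}
    for func, envs in reliance.items():
        risk[func] = {env: weights[func] * r * LIKELIHOOD_VALUE[likelihood[env]]
                      * (1.0 - protection[env]) for env, r in envs.items()}
    return risk


def rank_environments(criticality):
    """Environments ordered from most to least critical (cf. page 30)."""
    return sorted(criticality, key=criticality.get, reverse=True)


if __name__ == "__main__":
    crit = environment_criticality(FUNCTION_WEIGHT, RELIANCE)
    for env in rank_environments(crit):
        print(f"{env:16s} criticality={crit[env]:6.1f}")
    risks = risk_per_function(FUNCTION_WEIGHT, RELIANCE, PROTECTION, LIKELIHOOD)
    for func, by_env in risks.items():
        print(f"{func:11s} total risk={sum(by_env.values()):.3f}")
```

With these sample values the Internal Network ranks first because the heaviest functions rely on it, while most of Sales' risk comes from the DMZ, where likelihood is high and protection is weakest relative to reliance.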

Page 32

ISM3-RA Example

Risk to Technical Environment per Threat (stacked bar chart, scale 0.000 to 0.006) for the environments SSCC, Offices, Host, SSAA, Third Parties, Mobile Users, each bar stacked by the six ISM3-RA threat categories:

1. Destruction / Corruption / Loss of valid information or systems.

2. Aging of information & Outdated systems.

3. Underperformance OR Interruption of valid system services & Failure of authorized access.

4. Failure to destroy expired information or systems & Failure to stop systems at will.

5. Unauthorized access, eavesdropping, theft and disclosure of information or systems AND Improper use of authorized access to information or systems.

6. Improper recording of access to information or systems (anon or otherwise).

Page 33

References

1. Viable System Model, http://en.wikipedia.org/wiki/Viable_System_Model

2. RA Method Inventory, http://www.enisa.europa.eu/rmra/rm_home.html

3. Nassim Nicholas Taleb, El cisne negro: el impacto de lo altamente improbable, ISBN 9788449320774

4. Magerit, Canadian Risk Management Guide, SP800-30, AS 4360, Marion, Ebios, Cramm, ISO 13335-2, ISF method, Mehari, Octave, Dutch A&K analysis

5. Scales of Measurement, Wikipedia

Page 34

Creative Commons Attribution-NoDerivs 2.0

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

You are free:

• to copy, distribute, display, and perform this work

• to make commercial use of this work

Under the following conditions:

Attribution. You must give the original author credit.

No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

Page 35

THANK YOU

Vicente Aceituno

Madrid, November 2008

@www.fistconference.org