Information Technology Security:Information Technology Security:Fitting Into the Big PictureBrandon Hoffman, KPMG LLP
Fitting Into the Big PictureBrandon Hoffman, KPMG LLP
Topics for DiscussionTopics for Discussion
IT Security in the BusinessRisk, Audit Support, Compliance
Policies, Standards, and ProceduresIT Security’s Role in Creation and
EnforcementTypical IT Security Technical Work
Intrusion Detection/PreventionEthical Hacking/Penetration Testing
IT Security in the BusinessRisk, Audit Support, Compliance
Policies, Standards, and ProceduresIT Security’s Role in Creation and
EnforcementTypical IT Security Technical Work
Intrusion Detection/PreventionEthical Hacking/Penetration Testing
The CISO AgendaThe CISO Agenda
Core FunctionsCore Functions
BusinessBusiness
Regulatory Regulatory ComplianceCompliance
TechnologyTechnologyEnablementEnablement
Alignment with Business Goals / ObjectivesAlignment with Business Goals / ObjectivesBrand Protection & EnhancementBrand Protection & Enhancement
Linkage to EnterpriseLinkage to Enterprise Risk MgmtRisk Mgmt
Metrics / BenchmarkingMetrics / Benchmarking
Business ContinuityBusiness Continuity
Compliance / Internal AuditCompliance / Internal Audit
Disaster RecoveryDisaster Recovery
StrategyStrategyPrivacy / Security BreachPrivacy / Security Breach
Vulnerability / Patch ManagementVulnerability / Patch ManagementStaffing SupportStaffing Support
High AvailabilityHigh Availability
Identity ManagementIdentity Management
M&AM&A Executive / Board ReportingExecutive / Board Reporting
Mobile ComputingMobile Computing
Evolving ThreatsEvolving Threats
Managing 3rd Party Risk (Outsourcers)Managing 3rd Party Risk (Outsourcers)Culture / AwarenessCulture / Awareness
CISOCISO
RiskRisk
IT Security performs a critical role in assessing risk in the organization.
Vulnerability ScanningPenetration Testing Industry Trends IT StrategyFamiliarity with Audit and
Compliance measures
IT Security performs a critical role in assessing risk in the organization.
Vulnerability ScanningPenetration Testing Industry Trends IT StrategyFamiliarity with Audit and
Compliance measures
Audit SupportAudit Support
In many cases, IT Security is heavily relied upon to perform in depth testing required by an audit organization. Security is enlisted by audit because:
Technical expertise Familiarity with current issues
from internal testingFamiliarity with Policies,
Standards, and Procedures
In many cases, IT Security is heavily relied upon to perform in depth testing required by an audit organization. Security is enlisted by audit because:
Technical expertise Familiarity with current issues
from internal testingFamiliarity with Policies,
Standards, and Procedures
ComplianceCompliance
Compliance may relate to internal compliance or external compliance.
Internal compliance:Policies and StandardsSecurity and Configuration baselinesFramework use – ISO, COBIT, ITIL,
GAISP, NISTBest Practices
Compliance may relate to internal compliance or external compliance.
Internal compliance:Policies and StandardsSecurity and Configuration baselinesFramework use – ISO, COBIT, ITIL,
GAISP, NISTBest Practices
Compliance cont’dCompliance cont’d
External compliance:SOX (Sarbanes Oxley)
COSO FrameworkHIPAAPCISafe Harbor
External compliance:SOX (Sarbanes Oxley)
COSO FrameworkHIPAAPCISafe Harbor
Internal PolicyInternal Policy
IT Security is regularly tasked with creation and enforcement of IT policies, standards, and procedures. Creation and enforcement of these documents require:
Understanding of audit roles and procedures Familiarity with all systems, networks, and
applications Compliance considerations
IT Security is regularly tasked with creation and enforcement of IT policies, standards, and procedures. Creation and enforcement of these documents require:
Understanding of audit roles and procedures Familiarity with all systems, networks, and
applications Compliance considerations
Internal Policy cont’dInternal Policy cont’d
Definitions: A Policy is a set of directional statements and
requirements aiming to protect corporate values, assets and intelligence. Policies serve as the foundation for related standards, procedures and guidelines.
A Standard is a set of practices and benchmarks employed to comply with the requirements set forth in policies. A standard should always be a derivation of a policy, as it is the second step in the process of a company’s policy propagation.
A Procedure is a set of step-by-step instructions for implementing policy requirements and executing standard practices.
Definitions: A Policy is a set of directional statements and
requirements aiming to protect corporate values, assets and intelligence. Policies serve as the foundation for related standards, procedures and guidelines.
A Standard is a set of practices and benchmarks employed to comply with the requirements set forth in policies. A standard should always be a derivation of a policy, as it is the second step in the process of a company’s policy propagation.
A Procedure is a set of step-by-step instructions for implementing policy requirements and executing standard practices.
Internal Policy cont’dInternal Policy cont’d
Policy creation and enforcement cycle
Policy creation and enforcement cycle
Policy Business CasePolicy Business Case
A top 5 global food retailer has a massive IT/IS infrastructure and good governance….but no real policies!
Policies are the foundation for enforcing IT compliance and governance.
What policies were written for the client…
A top 5 global food retailer has a massive IT/IS infrastructure and good governance….but no real policies!
Policies are the foundation for enforcing IT compliance and governance.
What policies were written for the client…
Policy Business Case cont’d
Policy Business Case cont’d
Policies written for IT Security: Acceptable Use Policy Information Classification & Ownership Policy Risk Assessment & Mitigation Policy Access Control Policy Network Configuration and Communication Policy Remote Access Policy Business Continuity Policy Incident Response Policy Third Party Data Sharing Policy System Implementation & Maintenance Secure Application Development Cryptography & Key Management Mobile Computing Physical & Environmental Security
Policies written for IT Security: Acceptable Use Policy Information Classification & Ownership Policy Risk Assessment & Mitigation Policy Access Control Policy Network Configuration and Communication Policy Remote Access Policy Business Continuity Policy Incident Response Policy Third Party Data Sharing Policy System Implementation & Maintenance Secure Application Development Cryptography & Key Management Mobile Computing Physical & Environmental Security
Intrusion DetectionIntrusion Detection
Intrusion Detection Systems are just what they seem to be.
Detect and Alert Host Based and Network Based
How they work? Statistical Modeling Heuristics Trending
End result? Similar to home security system
Intrusion Detection Systems are just what they seem to be.
Detect and Alert Host Based and Network Based
How they work? Statistical Modeling Heuristics Trending
End result? Similar to home security system
Intrusion Prevention Systems
Intrusion Prevention Systems
Actively participates in defense of security violations
Host based IPS:Resident to the host machine. Monitors
system calls and inbound traffic. Creates a baseline and can prevent internal “bad” behavior through system controls.
Typically works in conjunction with Anti-virus
Sandboxing – Creates isolated “scratch” disk space to run untrusted platforms or applications from untrusted third parties
Actively participates in defense of security violations
Host based IPS:Resident to the host machine. Monitors
system calls and inbound traffic. Creates a baseline and can prevent internal “bad” behavior through system controls.
Typically works in conjunction with Anti-virus
Sandboxing – Creates isolated “scratch” disk space to run untrusted platforms or applications from untrusted third parties
Intrusion Prevention cont’d
Intrusion Prevention cont’d
Network based IPS has several operating modes or implementations:Inline IPS is directly inline with the
data stream similar to a firewallGateway Interaction performs packet
analysis interactively with the router/firewall
Network based IPS has several operating modes or implementations:Inline IPS is directly inline with the
data stream similar to a firewallGateway Interaction performs packet
analysis interactively with the router/firewall
Intrusion Prevention cont’d
Intrusion Prevention cont’d
Network intrusion prevention action methods:Content based – Inspects packet
contents for unique sequences or “signatures” to prevent known attacks
Protocol analysis – Decodes known protocols to detect anomalous behavior
Rate based – Used to prevent Denial of Service attacks
Network intrusion prevention action methods:Content based – Inspects packet
contents for unique sequences or “signatures” to prevent known attacks
Protocol analysis – Decodes known protocols to detect anomalous behavior
Rate based – Used to prevent Denial of Service attacks
IPS Business Case 1IPS Business Case 1Company X requires a homogeneous solution due to
compliance and governance restrictions. The facts: Cisco is the network hardware provider for all
communications. All connections need to be monitored:
VOIP Hosts Gateways VPN Routers and Switches Ingress/Egress traffic (Firewall)
The aggregation point for analysis and statistics must be built on a windows server platform
The solution must be licensed The solution should not be built on open source code Support from the vendor must be highly available regardless
of cost
Company X requires a homogeneous solution due to compliance and governance restrictions. The facts:
Cisco is the network hardware provider for all communications.
All connections need to be monitored: VOIP Hosts Gateways VPN Routers and Switches Ingress/Egress traffic (Firewall)
The aggregation point for analysis and statistics must be built on a windows server platform
The solution must be licensed The solution should not be built on open source code Support from the vendor must be highly available regardless
of cost
IPS Business Case 1 cont’d
IPS Business Case 1 cont’d
How do you choose?How do you choose?
© 2008 Gartner, Inc. and/or its Affiliates. All Rights
Reserved.
IPS Business Case 1 cont’d
IPS Business Case 1 cont’d
Cisco SolutionsPoints to consider: Homogeneous
solution Proprietary Code Base Supreme Support Current Vendor Management easy but
not intuitive Fewer vulnerability
signatures Cost
Cisco SolutionsPoints to consider: Homogeneous
solution Proprietary Code Base Supreme Support Current Vendor Management easy but
not intuitive Fewer vulnerability
signatures Cost
Sourcefire SolutionsPoints to consider: Homogeneous solution Visionary Leader Controls SNORT signature
engine Cost Potentially lacking
support New vendor Technically complicated Open Source based
Sourcefire SolutionsPoints to consider: Homogeneous solution Visionary Leader Controls SNORT signature
engine Cost Potentially lacking
support New vendor Technically complicated Open Source based
IPS Business Case 1 cont’d
IPS Business Case 1 cont’d
Cisco wins based on the scorecard of requirements.Cisco wins based on the scorecard of requirements.
© 2007 Cisco Systems, Inc. All rights reserved.
IPS Business Case 1 cont’d
IPS Business Case 1 cont’d
Protection At All LayersProtection At All Layers
© 2007 Cisco Systems, Inc. All rights reserved.
Ethical HackingEthical Hacking
Ethical hacking is a very common profession within the IT security industry.
White hat, Grey hat, Black hatSometimes synonymous with
penetration testing – A method of assessing the security posture of a system or network by simulating an “attack”
Ethical hacking is a very common profession within the IT security industry.
White hat, Grey hat, Black hatSometimes synonymous with
penetration testing – A method of assessing the security posture of a system or network by simulating an “attack”
Ethical Hacking cont’dEthical Hacking cont’d
Most current computer protocols were designed in a time when security was not a consideration. Times have changed:
Most current computer protocols were designed in a time when security was not a consideration. Times have changed:
Source: CERT
Ethical Hacking cont’dEthical Hacking cont’d
Why perform an ethical hack?Determine flaws and vulnerabilitiesProvide a quantitative metric for
evaluating systems and networksMeasure against pre-established
baselinesDetermine risk to the organizationDesign mitigating controls
Why perform an ethical hack?Determine flaws and vulnerabilitiesProvide a quantitative metric for
evaluating systems and networksMeasure against pre-established
baselinesDetermine risk to the organizationDesign mitigating controls
Ethical Hacking cont’dEthical Hacking cont’d
We will now explore some free tools and simple techniques to break into a machine.
Disclaimer: Don’t Try This At Home
Statute 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm
Cyber Security Enhancement Act 2002 implicates life sentences for hackers who 'recklessly' endanger the lives of others, and several U.S. statutes address cyber crime.
http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm
We will now explore some free tools and simple techniques to break into a machine.
Disclaimer: Don’t Try This At Home
Statute 1030, Fraud and Related Activity in Connection with Computers, specifically states that whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or impairs medical treatment, can receive a fine or imprisonment of five to 20 years. http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm
Cyber Security Enhancement Act 2002 implicates life sentences for hackers who 'recklessly' endanger the lives of others, and several U.S. statutes address cyber crime.
http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm
Wanna Break In?Wanna Break In?
The first step in any ethical hack is to obtain information in the most stealth fashion.
The first step in any ethical hack is to obtain information in the most stealth fashion.
USE NMAP!!
NMAPNMAP
Powerful free linux tool – www.insecure.orgSyntax:
nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
Powerful free linux tool – www.insecure.orgSyntax:
nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
NMAP cont’dNMAP cont’d
HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU[portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver --traceroute: Trace hop path to each host
SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan
HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU[portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping -n/-R: Never do DNS resolution/Always resolve [default: sometimes] --dns-servers <serv1[,serv2],...>: Specify custom DNS servers --system-dns: Use OS's DNS resolver --traceroute: Trace hop path to each host
SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idle scan -sO: IP protocol scan -b <FTP relay host>: FTP bounce scan
NMAP cont’dNMAP cont’d
PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio>SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all
probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for
debugging)
PORT SPECIFICATION AND SCAN ORDER: -p <port ranges>: Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080 -F: Fast mode - Scan fewer ports than the default scan -r: Scan ports consecutively - don't randomize --top-ports <number>: Scan <number> most common ports --port-ratio <ratio>: Scan ports more common than <ratio>SERVICE/VERSION DETECTION: -sV: Probe open ports to determine service/version info --version-intensity <level>: Set from 0 (light) to 9 (try all
probes) --version-light: Limit to most likely probes (intensity 2) --version-all: Try every single probe (intensity 9) --version-trace: Show detailed version scan activity (for
debugging)
NMAP cont’dNMAP cont’d
OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressivelyTIMING AND PERFORMANCE: Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <time>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per
second --max-rate <number>: Send packets no faster than <number> per
second
OS DETECTION: -O: Enable OS detection --osscan-limit: Limit OS detection to promising targets --osscan-guess: Guess OS more aggressivelyTIMING AND PERFORMANCE: Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m). -T<0-5>: Set timing template (higher is faster) --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes --min-parallelism/max-parallelism <time>: Probe parallelization --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round trip time. --max-retries <tries>: Caps number of port scan probe retransmissions. --host-timeout <time>: Give up on target after this long --scan-delay/--max-scan-delay <time>: Adjust delay between probes --min-rate <number>: Send packets no slower than <number> per
second --max-rate <number>: Send packets no faster than <number> per
second
NMAP cont’dNMAP cont’d
FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum
FIREWALL/IDS EVASION AND SPOOFING: -f; --mtu <val>: fragment packets (optionally w/given MTU) -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys -S <IP_Address>: Spoof source address -e <iface>: Use specified interface -g/--source-port <portnum>: Use given port number --data-length <num>: Append random data to sent packets --ip-options <options>: Send packets with specified ip options --ttl <val>: Set IP time-to-live field --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address --badsum: Send packets with a bogus TCP/UDP checksum
NMAP cont’dNMAP cont’d
OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use twice or more for greater effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
OUTPUT: -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable format, respectively, to the given filename. -oA <basename>: Output in the three major formats at once -v: Increase verbosity level (use twice or more for greater effect) -d[level]: Set or increase debugging level (Up to 9 is meaningful) --reason: Display the reason a port is in a particular state --open: Only show open (or possibly open) ports --packet-trace: Show all packets sent and received --iflist: Print host interfaces and routes (for debugging) --log-errors: Log errors/warnings to the normal-format output file --append-output: Append to rather than clobber specified output files --resume <filename>: Resume an aborted scan --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML --webxml: Reference stylesheet from Nmap.Org for more portable XML --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
VulnerabilitiesVulnerabilities
Find any hosts worthwhile? Your nest step should be scanning for exploitable vulnerabilities.
Find any hosts worthwhile? Your nest step should be scanning for exploitable vulnerabilities.
USE NESSUS!!!© Copyright 2002 - 2009 Tenable Network Security(R). All Rights Reserved.
NessusNessus
Nessus scans based on an exhaustive list of vulnerabilities for all platforms of computing. Custom scripts are written by Nessus and their team to check for a vulnerable software component.
Nessus scans based on an exhaustive list of vulnerabilities for all platforms of computing. Custom scripts are written by Nessus and their team to check for a vulnerable software component.
Nessus Sample Report
How Do We Exploit?How Do We Exploit?
Now that you have found a useful exploit, what do we use?
Now that you have found a useful exploit, what do we use?
USE METASPLOIT!!!Copyright © 2003-2009 Metasploit LLC
Metasploit ™ is a registered trademark
Contact us at msfdev[at]metasploit.com
MetaSploitMetaSploit
Metasploit was created in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition it is a powerful tool for third party security researchers to investigate potential vulnerabilities.
Metasploit was created in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition it is a powerful tool for third party security researchers to investigate potential vulnerabilities.
MetaSploit cont’dMetaSploit cont’dRemember the machine with vulns?? Let’s use the metasploit
framework….Remember the machine with vulns?? Let’s use the metasploit
framework….
MetaSploit cont’dMetaSploit cont’d
What else can we do now that were in???What else can we do now that were in???
Ethical Hacking cont’dEthical Hacking cont’d
Administrative items:Authorization letter – “Get out of
jail free card”Risk report
Likelihood of riskMitigation plansTrends (performed with recurring
clients)
Administrative items:Authorization letter – “Get out of
jail free card”Risk report
Likelihood of riskMitigation plansTrends (performed with recurring
clients)
Ethical Hacking cont’dEthical Hacking cont’d
Low Moderate to Low
Moderate High
Magnitude of Impact
AlmostCertain
Likely
Moderate
Unlikely
Rare
Lik
eli
ho
od
of
Oc
cu
rre
nce
Moderate to High
A
F
B
C
DE
GH
I
J
K
L
MN
O
PQ
R
Quantitative Heat Map Guide
Horizontal Axis = Impact if risk were realized Vertical Axis = Likelihood of risk being realized
Size of Bubble = Relative total instances of that issue
= Low Risk = Moderate Risk = High Risk = Critical Risk
Q & AQ & A
Any Questions?
Contact InformationBrandon Hoffman
Any Questions?
Contact InformationBrandon Hoffman