Risk Analysis COEN 250

Upload: alberta-harmon

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Risk Analysis COEN 250. Risk Management Risk Management consists of  Risk Assessment  Risk Mitigation  Risk Evaluation and Assessment Risk Management

Risk Analysis

COEN 250

Page 2: Risk Management

Risk Management consists of
- Risk Assessment
- Risk Mitigation
- Risk Evaluation and Assessment

Risk Management allows
- Balancing the operational and economic costs of protective measures

Page 3: Risk Management and System Development Life Cycle

Phase 1 – Initiation
- Need for IT system is expressed, scope is documented
- Identified risks are used for
  - Developing system requirements, including security requirements
  - Security strategy of operations

Phase 2 – Development or Acquisition
- IT system is designed, purchased, programmed, developed
- Risks identified during this phase are used to support security analyses of the system
- They might lead to architecture and design trade-offs during development

Page 4: Risk Management and System Development Life Cycle

Phase 3 – Implementation
- System features are configured, enabled, tested, verified
- Risk management supports assessment of the system implementation against requirements and the modeled operational environment

Phase 4 – Operation or Maintenance
- System performs its functions
- Typically: modification on an ongoing basis
- Risk management activities: system reauthorization / reaccreditation
  - Periodic
  - Triggered by changes in the system
  - Triggered by changes in the operational production environment

Page 5: Risk Management and System Development Life Cycle

Phase 5 – Disposal
- Disposition of information, hardware, software
- Activities: moving, archiving, discarding, destroying, sanitizing
- Risk management:
  - Ensure proper disposal of software and hardware
  - Proper handling of residual data
  - System migration conducted securely and systematically

Page 6: Risk Management and System Development Life Cycle

Risk management is a management responsibility

Senior management
- Ensures effective application of the necessary resources to develop mission capabilities
- Needs to assess and incorporate the results of risk management into the decision making process

Chief Information Officer (CIO)
- Responsible for planning, budgeting, and performance of IT, including information security components

Systems and Information Owners
- Responsible for ensuring the existence of proper controls
- Have to approve and sign off on changes to the IT system
- Need to understand the role of risk management

Page 7: Risk Management and System Development Life Cycle

Business and Functional Managers
- Have the authority and responsibility to make trade-off decisions
- Need to be involved in risk management

Information System Security Officer (ISSO)
- Responsible for the security program, including risk management
- Plays the leading role for the risk management methodology
- Acts as consultant to senior management

IT Security Practitioners
- Responsible for proper implementation
- Must support the risk management process to identify new potential risks
- Must implement new security controls

Security Awareness Trainers
- Proper use of systems is instrumental in risk mitigation and IT resource protection
- Must understand risk management
- Must incorporate risk assessment into training programs

Page 8: Risk Assessment

Risk depends on
- Likelihood of a given threat-source exercising a particular potential vulnerability
- Resulting impact of the adverse event

Page 9: Hypothetical 2003 Example

- Polish hacker N@te is upset at Polish control of Multinational Division Central South, Iraq
- His hacker group wants to attack www.wp.mil.pl
- Finds out that www.wp.mil.pl runs Apache with an old version of OpenSSL vulnerable to a buffer overflow attack

Source: Bejtlich, The Tao of Network Security Monitoring

Page 10: Hypothetical 2003 Example

Source: Bejtlich, The Tao of Network Security Monitoring

Factor        | Description                                          | Assessment | Rationale
Threat        | N@te and his buddies                                 | 5/5        | Has capability and intention
Vulnerability | Unpatched OpenSSL process                            | 5/5        | Vuln. gives N@te root access. No countermeasures deployed
Asset Value   | Military spends more than $10,000 annually           | 4/5        | Damage to Polish prestige, costs of web server
Risk          | Loss of integrity and control of web server and site | 100/125    |

(The risk figure is the product of the three ratings: 5 x 5 x 4 = 100 out of a possible 5 x 5 x 5 = 125.)

Page 11: Hypothetical 2003 Example

- The Polish military does not know N@te, but knows about its exposure
- Needs to know about the vulnerability
- Risk assessment changes dramatically once the vulnerability is recognized

Page 12: Vulnerability vs. Threat

February 2002 SNMP vulnerability
- SNMP is a widespread network management tool
- Potentially affected most network devices
- However, NO exploits were discovered

Page 13: Vulnerability vs. Threat

Windows RPC vulnerability of 2003
- Dozens of exploits
- Blaster worm caused more than $1,000,000,000 in damage
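As an added worked example (not from the slides or from Bejtlich's book), the three-factor product behind the 100/125 figure on page 10, plus two constructed variants that show the point of pages 11 to 13: patching the OpenSSL process (vulnerability drops) or facing a vulnerability with no known exploit (threat drops) both collapse the score. The class, functions and variant ratings are assumptions for illustration.

```python
# Added example, not from the slides: Bejtlich-style risk product
# risk = threat x vulnerability x asset value, each rated 1..5 as on page 10.
from __future__ import annotations
from dataclasses import dataclass

SCALE_MAX = 5  # each factor is rated out of 5 on the slide


@dataclass(frozen=True)
class RiskFactors:
    threat: int         # capability and intention of the threat source
    vulnerability: int  # exposure, net of deployed countermeasures
    asset_value: int    # what is at stake (prestige, server, data)

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..5 scale before they silently skew the product.
        for name, value in vars(self).items():
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in 1..{SCALE_MAX}, got {value}")


def risk_score(f: RiskFactors) -> tuple[int, int]:
    """Return (score, maximum): the product of the three ratings out of 5*5*5."""
    return f.threat * f.vulnerability * f.asset_value, SCALE_MAX ** 3


def risk_fraction(f: RiskFactors) -> float:
    """Score normalised to 0..1 so scenarios can be compared directly."""
    score, maximum = risk_score(f)
    return score / maximum


# Ratings from the slide's table: 5/5, 5/5, 4/5 -> 100/125.
NATE_SCENARIO = RiskFactors(threat=5, vulnerability=5, asset_value=4)

# Constructed variants (assumed ratings, not on the slides):
# same site after the OpenSSL process is patched, and a widespread
# vulnerability for which no exploit exists (the SNMP case of page 12).
PATCHED = RiskFactors(threat=5, vulnerability=1, asset_value=4)
NO_EXPLOIT = RiskFactors(threat=1, vulnerability=5, asset_value=4)

if __name__ == "__main__":
    for label, f in [("N@te", NATE_SCENARIO), ("patched", PATCHED), ("no exploit", NO_EXPLOIT)]:
        score, maximum = risk_score(f)
        print(f"{label:>11}: {score}/{maximum} ({risk_fraction(f):.0%})")
```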

Page 15: Risk Assessment

Step 1: System Characterization
- Collect system related information
  - Hardware
  - Software
  - Connectivity
  - Data and information
  - Users and support
  - System mission
  - System and data criticality and sensitivity
  - …

Page 16: Risk Assessment

Step 2: Threat Identification
- Threat source identification
  - Natural events: floods, fires, earthquakes, …
  - Human threats: unintentional acts, deliberate actions (consider motivations and actions)
  - Environmental threats: long-term power failure, pollution, chemicals, liquid leakage

Page 17: Risk Assessment

Step 3: Vulnerability Identification
- Varies with SDLC phase
- Sources
  - Previous risk assessment documents
  - IT system audits and logs
  - Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com)
  - Security advisories
  - Vendor advisories
  - System software security analyses

Page 18: Risk Assessment

Step 3: Vulnerability Identification – Security Testing
- Automated vulnerability scanning tools
- Penetration testing
- Security Test and Evaluation (ST&E)
  - Develop a test plan
  - Test the effectiveness of security controls
- See NIST SP 800-42

Page 19: Risk Assessment

Step 3: Vulnerability Identification – Develop a Security Requirements Checklist

Management Security
- Assignment of responsibilities
- Continuity of support
- Incident response capability
- Periodic review of security controls
- Personnel clearance and background investigations
- Risk assessment
- Separation of duties
- System authorization and reauthorization
- System or application security plan

Page 20: Risk Assessment

Step 3: Vulnerability Identification – Develop a Security Requirements Checklist

Operational Security
- Control of air-borne contaminants
- Controls to ensure the quality of the electrical power supply
- Data media access and disposal
- External data distribution and labeling
- Facility protection (e.g., computer room, data center, office)
- Humidity control
- Temperature control
- Workstations, laptops, and stand-alone personal computers

Page 21: Risk Assessment

Step 3: Vulnerability Identification – Develop a Security Requirements Checklist

Technical Security
- Communications (e.g., dial-in, system interconnection, routers)
- Cryptography
- Discretionary access control
- Identification and authentication
- Intrusion detection
- Object reuse
- System audit

Page 22: Risk Assessment

Step 3: Vulnerability Identification – Outcome
- A list of system vulnerabilities that could be exercised by a potential threat source

Page 23: Risk Assessment

Control Analysis – Control Methods
- Technical methods: safeguards built into computer hardware, software, firmware
- Nontechnical methods: management and operational controls
  - Security policies
  - Operational procedures
  - Personnel security
  - Physical security
  - Environmental security

Page 24: Risk Assessment

Control Categories
- Preventive controls
- Detective controls

Page 25: Risk Assessment

Control Analysis
- Compare against the security requirements checklist to validate security compliance or non-compliance
- Output: list of current or planned controls

Page 26: Risk Assessment

Step 5: Likelihood Determination
- Governing factors
  - Threat source motivation and capability
  - Nature of the vulnerability
  - Existence and effectiveness of current controls
- Assign likelihood levels

Page 27: Risk Assessment

Step 6: Impact Analysis
- Requires
  - System mission
  - System and data criticality
  - System and data sensitivity
- Impact can typically be described as
  - Loss of integrity
  - Loss of availability
  - Loss of confidentiality

Page 28: Risk Assessment

Step 6: Impact Analysis
- Can be done quantitatively or qualitatively

Page 29: Risk Assessment

Step 7: Risk Determination
- Risk Level Matrix
  - Composed of threat likelihood and impact
  - Determines the risk scale
- Risk Scale
  - Used to determine and prioritize activities
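As an added example, not from the slides: the Step 7 risk-level matrix implemented with the likelihood weights (0.1/0.5/1.0), impact magnitudes (10/50/100) and Low/Medium/High bands tabulated in NIST SP 800-30, which the deck's step numbering follows (an assumption here, since the slides do not print the values), applied to constructed findings and sorted for prioritization.

```python
# Added example, not from the slides: NIST SP 800-30 style risk level matrix.
# Cell value = likelihood weight x impact magnitude; bands: Low 1-10,
# Medium >10-50, High >50-100 (values assumed from SP 800-30, 2002 edition).
from __future__ import annotations
from enum import Enum


class Likelihood(float, Enum):
    LOW = 0.1
    MEDIUM = 0.5
    HIGH = 1.0


class Impact(int, Enum):
    LOW = 10
    MEDIUM = 50
    HIGH = 100


def risk_value(likelihood: Likelihood, impact: Impact) -> float:
    """Matrix cell: likelihood weight times impact magnitude (1 .. 100)."""
    return likelihood.value * impact.value


def risk_level(likelihood: Likelihood, impact: Impact) -> str:
    """Map the cell value onto the risk scale: Low, Medium or High."""
    v = risk_value(likelihood, impact)
    if v > 50:
        return "High"
    if v > 10:
        return "Medium"
    return "Low"


def prioritize(findings: dict[str, tuple[Likelihood, Impact]]) -> list[tuple[str, str, float]]:
    """Order findings for mitigation, highest risk value first (the 'risk scale' use of Step 7)."""
    ranked = [(name, risk_level(l, i), risk_value(l, i)) for name, (l, i) in findings.items()]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed findings (not from the slides) echoing the deck's scenarios:
# an exploited OpenSSL flaw, the SNMP flaw with no exploit, and a minor test-box issue.
SAMPLE_FINDINGS = {
    "unpatched OpenSSL, exploit public": (Likelihood.HIGH, Impact.HIGH),
    "SNMP flaw, no known exploit": (Likelihood.LOW, Impact.HIGH),
    "weak password policy on test box": (Likelihood.MEDIUM, Impact.LOW),
}

if __name__ == "__main__":
    for name, level, value in prioritize(SAMPLE_FINDINGS):
        print(f"{level:>6} ({value:5.1f}): {name}")
```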

Page 30: Risk Assessment

Control Recommendations
- Reduce risks to data and system to an acceptable level
- Base evaluation on
  - Effectiveness
  - Legislation and regulation
  - Organizational policy
  - Operational impact
  - Safety and reliability
- Perform cost-benefit analysis

Page 31: Risk Assessment

Step 9: Result Documentation
- Risk assessment report
  - Describes threats and vulnerabilities
  - Measures risk
  - Provides recommendations for control implementation

Page 32: Risk Mitigation

- Prioritizing, evaluating, and implementing appropriate risk-reducing controls

Page 33: Risk Mitigation Options

- Risk Assumption: to accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
- Risk Avoidance: to avoid the risk by eliminating the risk cause and/or consequence
- Risk Limitation: to limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
- Risk Planning: to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
- Research and Acknowledgment: to lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
- Risk Transference: to transfer the risk by using other options to compensate for the loss, such as purchasing insurance

Page 34: Risk Mitigation

Page 35: Risk Mitigation

Control Implementation
1. Prioritize actions
2. Evaluate recommended control options
3. Conduct cost-benefit analysis
4. Select control
5. Assign responsibility
6. Develop a safeguard implementation plan
7. Implement selected control(s)