Voorwaartse risk management 2012
Source: http://www.crow.nl/Downloads/Congressen/Congres%20Risicomanagement%202012/Voorwaartse%20risk%20management%202012.ppt (transcript)
Business survival within the cyber chain: forward-looking risk control is needed
Ronald Paans, Vrije Universiteit Amsterdam
9 October 2012
File: PaansR Voorwaartse risk management, © 2012, version 1.0. Email: [email protected]
Slide 2 (footer: Research for Risk Management)
Agenda
RISK MANAGEMENT
• Methods for IT
• Specific threats
• Research at Vrije Universiteit Amsterdam
Parts of this research were a joint operation with European companies such as Capgemini, and some ideas have been stimulated by our colleague Marco van der Vet
Slide 3
Introduction: Pyramid of IT
[Figure: the Pyramid of IT. Layers from top to bottom: Web, Web software, Application, Middleware / Connectivity, DATA, Infrastructure (Cloud), Housing, with Office Automation alongside. Around the pyramid: Vulnerabilities, Weaknesses, External threats (OWASP, incidents, fraud, abuse) and Internal threats (obstruction, error, incidents, fraud, abuse).]
OWASP = Open Web Application Security Project
Pyramid of IT
• Web access, business logic and business rules, interactive and batch application
• Connections to own applications and external parties
• Database management systems, query systems
• !!! DATA !!! = information
• Infrastructure: servers and networks, virtualization
• Housing: computer room or data center
Slide 4
We are overwhelmed by new security concerns
Security has moved from an IT issue to an ongoing business concern
• STUXNET: causing damage to process controllers refining uranium
• WIKILEAKS: abuse of key sensitive information. Unauthorized release of military and diplomatic notes and reports; damage to worldwide foreign relations
• DIGINOTAR: compromising trusted SSL certificates. SSL certificates used for social media and websites of the Dutch government; the hacker caused chaos
• OV-CHIPKAART: payment card for public transportation hacked
• WIKILEAKS: denied hosting by providers. Amazon terminated the hosting contract; other providers rejected a request for hosting: no business anymore
• DUQU: stealing information. The development of Duqu took tens of millions of dollars; it is assumed that three countries participated. In contrast to Stuxnet, which attempts to damage nuclear equipment, Duqu focuses on stealing information
• COMODO: hackers issued fraudulent SSL certificates. Comodo's Registration Authority was compromised, allowing several bogus SSL certificates to be issued
• FLAME, DORIFEL, DORIFEL 2, etc. etc. etc.
Slide 5
Attacks from everywhere
[Figure: the Pyramid of IT (Web, Web software, Application, Middleware, Data (multi value), Cloud (Infrastructure), Housing, Office Automation) surrounded by People, with the incidents OV-CHIPKAART, DUQU, STUXNET, COMODO, HOSTING DENIED, DIGINOTAR, WIKILEAKS, etc. mapped onto the layers they attacked.]
Each threat uses multiple points of attack
Next attack?
Slide 6
Specific situation of your organization ???
[Figure: the Pyramid of IT (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation) with external threats (OWASP, incidents, fraud, abuse), vulnerabilities, weaknesses and internal threats (obstruction, error, fraud, abuse) drawn around it.]
OWASP = Open Web Application Security Project
Aspects (external threats)
• Changes in mission
• Changes in organisation
• Changes in market
• Changes in legislation
• Etc.
Aspects (weaknesses)
1. Governance is not effective
2. No central knowledge base on present and future threats
3. Business lacks consistency and focus on customer security
4. Designing new e-services in a threatening e-world
5. Value of information and service delivery increases rapidly
6. No vulnerability check on new projects
7. No secure software development: no training, no awareness campaigns
8. Testing is incomplete
9. No maturity model for software and data security
10. Insufficient monitoring of people and actual security threats
Aspects (internal threats)
• Possible demotivation
• Move activities offshore
• Too many projects
• Errors, sloppiness
• Fraud and intentional abuse
• Etc.
Slide 7
And now we move it into the cloud
[Figure: the Pyramid of IT of slide 6, with the same layers (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation) and the same external threats, vulnerabilities, weaknesses and internal threats, now drawn twice. The three "Aspects" lists (changes in mission, organisation, market and legislation; the ten weaknesses from ineffective governance to insufficient monitoring; the internal-threat aspects from demotivation to fraud and intentional abuse) are repeated unchanged from slide 6.]
OWASP = Open Web Application Security Project
Slide 8
Security
[Figure: the Pyramid of IT (Web, Web software, Application, Middleware, Data, Infrastructure, Housing, Office Automation) labelled "Security".]
Is the cloud itself secure?
NO !
Slide 9
Risk considerations
ENISA: the main (high) risks that have been identified are
• Lock-in
• Loss of governance
• Compliance challenges, lack of audit and assurance
• Isolation failure
• Cloud provider malicious insider: high-privilege access abuse
• Subpoena and e-discovery
• Changes of jurisdiction (location of data)
• Data protection
• Network management
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework
Slide 10
The Risk Carousel
[Figure: the Risk Carousel. Inputs: People in IT, People, Customers, Users; Governance, Work process, Technology; Threats from the e-world, Threats from IT, Vulnerabilities; Business. Output: RISKS: PAST, PRESENT, FUTURE. Improvement cycle: SOLL (target) versus IST (actual), GAP, Improve. Three processes feed the carousel: Risk Assessment (Identify, Judge, Assess, Mitigate); Continuous Risk Monitoring (structured incident handling); Intelligence (Collect, Combine, Analyze, Conclude; structured).]
Slide 11
Example: low probability, catastrophic impact
EXAMPLE: Threat for continuity
• 26 December 2004 Sumatra-Andaman tsunami in Indonesia, Thailand etc.
– Economic damage; data centers and IT organizations disappeared; still a lack of production capacity for IT hardware
• 11 March 2011 Tohoku-Oki earthquake and mega-tsunami in Japan, resulting in the Fukushima meltdown
– Severe damage to the Japanese economy with impact on many Western business processes (cars, chips, disks etc.)
• Frequency of a mega-tsunami on the Plain of Sendai is approximately 0.9×10^-3 per annum, i.e. once per 900 years
– 1000-500 BC, based upon analysing sediment layers in the ground (estimated 900 BC)
– 1 AD ditto
– 9 July 869 Jogan earthquake and tsunami are well documented and marked
– Fukushima: first nuclear production 26 March 1971; 2006/2007 tsunami risk studied
– 2011 Tohoku-Oki [1], almost identical to 900 BC, 1 AD and 896 AD; meltdown
[1] NASA, Wikipedia 2007: The probability of a Sendai earthquake with a magnitude of Mw 8.1–8.3 was estimated as 99% within the 30 years following 2007
General question about such risks with low probability and catastrophic impact
• When was the last volcanic outburst in the Netherlands?
• When was the last tsunami in the Netherlands?
• What was the damage?
• When can we expect the "next one"?
Slide 12
Zuidwal volcano
Volcano in the Netherlands
• Revealed during investigation for gas drilling
• (Very) active 160 to 148 million years ago (Jurassic)
• 1 km high, situated 2 km under the island of Griend
• Is still 30 °C hotter than its environment
• See: Wikipedia and the VPRO site
The walled town Stedeke Grint with a church and monastery disappeared due to the Sint-Lucia flood in 1287
Slide 13
Example: Doggerland Storegga tsunami
[Figure: map of Doggerland and the extent of the Storegga tsunami. Source: 'Tsunami sedimentary facies deposited by the Storegga tsunami in shallow marine basins and coastal lakes, western Norway', Stein Bondevik, in Sedimentology 1997]
Last tsunami in the Netherlands
• 2nd Storegga slide
• Waves up to 25 meters on the Shetland Islands
• Dated 6,000-6,200 BC
• Estimate: October 6,125 BC
• Center of (our) neolithic civilization was Doggerland
• This center was destroyed
• Thereafter no trace of our ancestors for centuries
• Division between cultures in England and the continent
The next one? Storegga is now stable. An exploding volcano in Iceland? A meteorite in the North Sea? Our location is dangerous
Slide 14
AutomatiseringsGids: The Netherlands
• Number 12 in the worldwide Risk Top 15
• Number 2 as risky Western country
• Major risk: flooding
• ((( In my personal opinion, the picture is biased )))
EMC-sponsored European Disaster Recovery Survey 2011, "Data Today Gone Tomorrow: How Well Companies Are Poised For IT Recovery"
EMC VansonBourne report, 23 November 2011
Paper in AutomatiseringsGids, 7 December 2011
Slide 15
EMC: Organizations NOT very confident to recover
[Figure: chart from the EMC survey, labelled "NOT very confident".]
Slide 16
ISO IT security
Overview of ISO standards related to information security
Slide 17
ISO 27001 process
[Figure: ISO 27001, SAS 70 and ISAE 3402, labelled as a static approach.]
Necessary. In fact, "good citizenship"
Slide 18
Method for risk analysis
Literature (Wikipedia)
METHOD FOR RISK MANAGEMENT
The conventional standard methods consist of the following elements, performed, more or less, in the following order
• Identify, characterize, and assess threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk, i.e. the expected consequences of specific types of attacks on specific assets
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a cost-effective strategy
Keywords
• Threat
• Weakness
• $\sum_{i=1}^{N} \text{Likelihood}_i \times \text{Impact}_i$
• Risk mitigation
• Priorities
Determining the probability and the impact is a real challenge
Slide 19
USA IT risk analysis: NIST 800-30
[Figure: flow of the nine NIST SP 800-30 steps with their inputs and outputs.]
Step 1. System Characterization (operating system, application, network; information, software; scope, highest value)
Step 2. Threat Identification (relevant threats)
Step 3. Vulnerability Identification (relevant vulnerabilities)
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis (loss of CIAA)
Step 7. Risk Determination ($\sum_{i=1}^{N} \text{Likelihood}_i \times \text{Impact}_i$; expected damage: net risk)
Step 8. Control Recommendations (additional controls)
Step 9. Results Documentation
Further figure label: residual risks
C = Confidentiality, I = Integrity, A = Availability, A = Auditability
Slide 20
Opinion: risk management
OPINION
All methods for risk analysis use almost the same approach: "View the past, and you may expect it to continue in the future"
However
• Today threats are developing fast, much faster than some years ago (more advanced hacking technologies: Stuxnet, Duqu, OV-chipcard etc.)
• Organized crime and some governments become more active, due to the gains (botnets, denial of service, cyber attacks etc.)
• Errors with risk analysis due to an incorrect scope, time frame etc. (Fukushima, using selected earthquakes and ignoring the Plain of Sendai)
• Calculating "likelihood" × "impact"
– Historical values are often not available ("likelihood" is unknown)
– Impact depends on the severity of the incident ("impact" is unknown)
• Benefits cannot be quantified, complicating the decision process on mitigating controls
"We must also view present risks and the risks of tomorrow"
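The following is an added worked example, written for this transcript in Python; it is not code from the presentation or from the Vrije Universiteit research. It carries out the arithmetic behind the "Keywords" on the risk-analysis slide and NIST 800-30 steps 5 to 8: the annual expected loss Σ Likelihood_i × Impact_i over a small risk register, the "likelihood is unknown" and "impact is unknown" caveats handled by carrying low/high intervals instead of point values, and candidate controls ranked by expected-loss reduction per euro, which is the cost-effective prioritization the conventional method ends with. All threat names, probabilities, amounts and controls below are constructed for illustration.

```python
"""Added worked example (not part of the slides): expected loss as the
sum over i of Likelihood_i x Impact_i, with likelihood and impact kept
as (low, high) intervals because point values are usually unknown, and
candidate controls ranked by risk reduction per unit of annual cost.
Every threat, number and control in this file is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: tuple[float, float]   # events per year, (low, high) estimate
    impact: tuple[float, float]       # loss per event in EUR, (low, high)


@dataclass
class Control:
    name: str
    cost: float                                        # EUR per year
    # threat name -> fraction by which the control lowers its likelihood
    reduction: dict[str, float] = field(default_factory=dict)


def expected_loss(threats):
    """Bounds of the annual expected loss, sum_i Likelihood_i x Impact_i,
    evaluated once at the low ends and once at the high ends."""
    low = sum(t.likelihood[0] * t.impact[0] for t in threats)
    high = sum(t.likelihood[1] * t.impact[1] for t in threats)
    return low, high


def apply_control(threats, control):
    """Copy of the register with likelihoods scaled down by the control."""
    scaled = []
    for t in threats:
        factor = 1.0 - control.reduction.get(t.name, 0.0)
        scaled.append(Threat(t.name,
                             (t.likelihood[0] * factor, t.likelihood[1] * factor),
                             t.impact))
    return scaled


def rank_controls(threats, controls):
    """Rank controls by expected-loss reduction (interval midpoint) per EUR
    of annual cost, highest ratio first.
    Returns (name, benefit_eur, benefit_per_eur) tuples."""
    lo, hi = expected_loss(threats)
    baseline = (lo + hi) / 2
    scored = []
    for c in controls:
        lo_c, hi_c = expected_loss(apply_control(threats, c))
        benefit = baseline - (lo_c + hi_c) / 2
        scored.append((c.name, round(benefit, 2), round(benefit / c.cost, 3)))
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are illustrative only.
THREATS = [
    Threat("phishing of administrator credentials", (0.2, 0.5), (50_000, 200_000)),
    Threat("data centre flooding", (0.001, 0.01), (2_000_000, 5_000_000)),
    Threat("fraudulent certificate for our domain", (0.01, 0.05), (100_000, 500_000)),
]
CONTROLS = [
    Control("hardware-token MFA for administrators", 20_000,
            {"phishing of administrator credentials": 0.8}),
    Control("off-site replication of the data centre", 60_000,
            {"data centre flooding": 0.7}),
    Control("certificate transparency log monitoring", 5_000,
            {"fraudulent certificate for our domain": 0.5}),
]

if __name__ == "__main__":
    lo, hi = expected_loss(THREATS)
    print(f"annual expected loss: EUR {lo:,.0f} to {hi:,.0f}")
    for name, benefit, ratio in rank_controls(THREATS, CONTROLS):
        print(f"{ratio:6.3f} EUR saved per EUR spent  {name}  (benefit EUR {benefit:,.0f})")
```

Ranking on the interval midpoint is one choice; ranking on the high end gives a conservative ordering, and the width of the interval itself shows how much of the decision rests on guessed likelihoods, which is exactly the weakness the opinion slide points at. The low-probability, catastrophic-impact case (the flooding row) is also visible: its midpoint benefit is modest, yet its high-end loss dominates the register.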
Slide 21
COSO mapping
[Figure: the three processes mapped onto the COSO model and onto the information security architecture (Governance, Work process, Technology): Risk assessment (risks in the past); Continuous Risk Monitoring (present risks); Intelligence (future risks). Annotations: "COSO model: no people in COSO? ??" and "COSO is not looking forward? ??".]
COSO looks at TODAY. Your security architecture should view TOMORROW
Slide 22
The Risk Carousel
[Figure: the Risk Carousel, repeated from slide 10: People in IT, People, Customers, Users; Governance, Work process, Technology; Threats from the e-world, Threats from IT, Vulnerabilities; Business; RISKS: PAST, PRESENT, FUTURE; SOLL (target) versus IST (actual), GAP, Improve; Risk Assessment (Identify, Judge, Assess, Mitigate), Continuous Risk Monitoring (structured incident handling), Intelligence (Collect, Combine, Analyze, Conclude; structured).]
Slide 23
Centrum voor Informatiebeveiliging en Privacybescherming (Centre for Information Security and Privacy Protection)
The Stuurgroep Compacte Rijksdienst (Compact Central Government steering group) is setting up expertise centres in which government institutions will join forces. One of these is the Centrum voor Informatiebeveiliging & Privacy (CIP)
CIP was founded at the beginning of 2012 with the following objective:
• To support Participants in getting and keeping their information provision secure in such a way that Participants can trust each other regarding the integrity and availability of their mutual data flows, and citizens can trust the integrity, availability and confidentiality of the data and services they obtain from the Participants through the channels offered
The Centre offers knowledge, makes knowledge accessible and delivers concrete services to the Participants
The Centre uses a number of Knowledge Partners inside and outside government
For future threats, work is under way on scenario thinking, drawing up playbooks and setting up a robust e-government