Security Management
If no major security incidents happened recently, why bother?
Compliance out of compulsion
Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:
Scope
Who is it for?
Data Collection
Vulnerability analysis (worked example given as a figure on the slides)
Threat analysis (worked example given as a figure on the slides)
Risk analysis
Process:
Sources: http://blog.securestate.com/acceptance-is-the-first-step/
http://executive-education.insead.edu/ressources_edp/library/ckfinder/userfiles/images/executive_education/ssss.png
Qualitative risk analysis
Different (relative) levels of the risks' probabilities and impacts are defined.
Definitions of probability levels and impact levels are tailored to the individual setting.
Risk urgency
Collaterals and interdependencies
Sources: http://m.engineering.queensu.ca/Outreach/EngineeringStudents/files/PMBOK3rdEnglish.pdf
What is it really worth?
Quantitative risk analysis
Sources: http://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
Quantitative risk analysis
Advantages (if done “correctly”)
Is it worth it?
Example
Cost to business
30 minutes downtime = $ 30*30*10*100 = $ 900,000
vs
Cost to business
5 minutes downtime = $ (5*30*10*100 + 800,000) = $ 950,000
Example
BuyAnyTime Inc. does a consumer survey and concludes that, in fact, if they have more than 10 minutes downtime per day, their reputation will suffer, leading to 2% customer attrition.
Cost to business
30 minutes downtime = $ (30*30*10*100) + $ (1410*30*10*2) = $ 1,746,000
vs
Cost to business
5 minutes downtime = $ (5*30*10*100 + 800,000) = $ 950,000
Quantitative risk analysis
Need to take into account
where
Recommend remedy
Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/
Vulnerability Assessment
Exploratory: identification and prioritization of vulnerabilities
In terms of severity
In terms of likelihood of occurrence
Fault tree analysis
Fault tree analysis (FTA) is a top-down, deductive failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events.
Example (fault tree figure): top event "unauthorized access to email"; lower-level events shown: key-logger, password cracked, password guessed, phishing, hardware stolen, two-factor authorization ineffective / not deployed.
Note: FTA is a general purpose technique used for system reliability and safety engineering, risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Fault_tree_analysis
Attack trees
Conceptual diagrams showing how an asset, or target, might be attacked, possibly qualifying an attack in multiple dimensions
Note: Attack trees are closely related to, but not the same as, fault trees; see http://en.wikipedia.org/wiki/Attack_tree for more discussion
Attack trees
Represent the attacks and countermeasures as a tree structure
Source: https://www.schneier.com/paper-attacktrees-ddj-ft.html
Attack trees
Two kinds of intermediate nodes: AND nodes and OR nodes
Example (figure): tree for "unauthorized access to email" with leaves phishing, pick pocket, hardware lost / stolen from office desk, and 2FA ineffective / not deployed; an AND node joins "hardware stolen" with "2FA ineffective".
Attack trees
Qualified with additional attributes, e.g., probability
Example (figure): the same tree with probabilities p1, p2, p3 attached to leaves (key logger, breaking into house, password cracked, password guessed, phishing, pick pocket, hardware lost / stolen from office desk, 2FA ineffective / not deployed); one probability is marked "??" (unknown).
Attack trees
Qualified with additional attributes, e.g., time
Example (figure): the same tree with time qualifiers on the leaves; the values shown include 3 months, 20 hours, 1 day, 2 months, "not possible" and "not applicable".
Attack trees
Can be made as detailed as possible, but also, templates of attack sub-trees can be reused
It's possible to combine multiple qualifiers (e.g., time, money, probability)
Can be used to identify the "preferred" attack vectors
Can be used to devise cost-effective layered defence
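As an added illustration (not from the slides or any cited source), the following Python evaluates an attack tree shaped like the "unauthorized access to email" example above: OR nodes pick the fastest child and combine success probabilities, AND nodes add times and multiply probabilities, and mitigate() shows how deploying a countermeasure shifts the preferred attack vector. Node names follow the slide; all times and probabilities are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

NOT_POSSIBLE = float("inf")  # the deck's "not possible" time qualifier

@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "OR" or "AND"
    time_h: float = 0.0       # attacker effort in hours (leaves only)
    prob: float = 0.0         # probability the step succeeds (leaves only)
    children: List["Node"] = field(default_factory=list)

def evaluate(n: Node) -> Tuple[float, float, List[str]]:
    """Return (time, probability, preferred path) for the subtree at n. OR: the attacker
    takes the fastest child, success is the noisy-OR of independent children. AND: all
    children are needed, so times add up and probabilities multiply."""
    if n.kind == "LEAF":
        return n.time_h, n.prob, [n.name]
    results = [evaluate(c) for c in n.children]
    if n.kind == "OR":
        t, _, path = min(results, key=lambda r: r[0])
        p_none = 1.0
        for _, p_child, _ in results:
            p_none *= 1.0 - p_child
        return t, 1.0 - p_none, [n.name] + path
    t, p, path = 0.0, 1.0, [n.name]
    for t_child, p_child, sub in results:
        t, p, path = t + t_child, p * p_child, path + sub
    return t, p, path

def mitigate(n: Node, blocked: Set[str]) -> Node:
    """Copy of the tree in which the named leaves are 'not possible' (countermeasure deployed)."""
    if n.kind == "LEAF" and n.name in blocked:
        return Node(n.name, "LEAF", NOT_POSSIBLE, 0.0)
    return Node(n.name, n.kind, n.time_h, n.prob, [mitigate(c, blocked) for c in n.children])

def email_tree() -> Node:
    # Constructed figures (the deck's "3 months" / "20 hours" are kept; the rest is invented).
    return Node("unauthorized access to email", "OR", children=[
        Node("key logger", "LEAF", 3 * 30 * 24, 0.3),
        Node("password cracked", "LEAF", 20, 0.4),
        Node("password guessed", "LEAF", 24, 0.05),
        Node("phishing", "LEAF", 24, 0.5),
        Node("stolen hardware without working 2FA", "AND", children=[
            Node("hardware stolen", "OR", children=[Node("pick pocket", "LEAF", 24, 0.2),
                                                     Node("stolen from office desk", "LEAF", NOT_POSSIBLE, 0.0)]),
            Node("2FA not deployed", "LEAF", 0, 1.0)]),
    ])
```

The last element of the returned path is the leaf the attacker would pick; re-evaluating after mitigate() shows which vector becomes preferred once a control such as 2FA is deployed.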
Event tree analysis
Event tree analysis (ETA) is a forward, bottom-up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis.
Example (figure): event tree whose branches record whether each step is successful, ending in "unauthorized access to email".
Note: ETA is also a general purpose technique, and allows probabilistic risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Event_tree_analysis
Probabilistic risk assessment
Event tree can be used for probabilistic risk assessment
Source: www.iso27001security.com/ISO27k_FMEA_spreadsheet.xlsx
FMEA in ISO27k
The only constant is change
Risk analysis needs to be “current”
ISCM
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
"Continuous" here means frequent.
Source: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
ISCM
Tier 1 risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.
ISCM
Tier 2 criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization, the types of information needed to successfully execute the stated mission/business processes, and the organization-wide information security program strategy.
ISCM
ISCM activities at Tier 3 address risk management from an information system perspective. These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.
Wrap-up: Risk Assessment
No perfect security
Limited resources