Risk Management: Controlling Risk

“Weakness is a better teacher than strength. Weakness must learn to understand the obstacles that strength brushes aside.” Mason Cooley (1927 – 2002)

Presented by: Molly Coplen, Dan Hein, and Dinesh Raveendran

1 EECS 711 Chapter 8 Risk Management: Controlling Risk

Chapter Overview
• Risk Control Strategies
• Managing Risk
• Feasibility and Cost-Benefit Analysis
• Recommended Control Practices
• The OCTAVE Method
• Microsoft Risk Management Approach

Risk Management
Risk management is the process used by managers, auditors, and other professionals to identify vulnerabilities in an organization’s information systems and to assure the confidentiality, integrity, and availability of all the components in the organization’s information system.

Risk Control Strategies
Four strategies:
• Avoidance
• Transference
• Mitigation
• Acceptance

Avoidance
– Applying safeguards that eliminate or reduce the remaining uncontrolled risks
– Attempts to prevent the exploitation of the vulnerability
Avoidance is the preferred approach, as it seeks to avoid risk rather than deal with it after it has been realized.

Avoidance is accomplished through:
1. Policy
2. Training and education
3. Countering threats
4. Implementation of technical security controls and safeguards

Transference
The control approach that attempts to shift the risks to other assets, other processes, or other organizations.

Mitigation
The control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.

Acceptance
Acceptance is the choice to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation. This strategy assumes that it can be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.

Acceptance
Valid practice if management has:
• Determined the level of risk posed to the information asset
• Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
• Approximated the potential loss that could result from attacks

Acceptance
Valid practice if management has:
• Performed a thorough cost-benefit analysis
• Evaluated controls using each appropriate type of feasibility analysis report
• Determined that the particular function, service, information, or asset did not justify the cost of protection

Managing Risk
Risk appetite (or risk tolerance) describes the quantity and nature of the risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Managing Risk
Residual risk is what is left after vulnerabilities have been controlled as much as possible: the risk that has not been completely removed, shifted, or incorporated into plans. The goal of information security is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization’s risk appetite.

Managing Risk – Strategy Selection
• When a vulnerability (flaw or weakness) exists, implement security controls to reduce the likelihood of the vulnerability being exercised.
• When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.

Managing Risk – Strategy Selection (continued)
• When the attacker’s potential gain is greater than the cost of attack, apply protections to increase the attacker’s costs, or reduce the attacker’s gain by using technical or managerial controls.
• When the potential loss is substantial, build protections to limit the extent of the attack, thereby reducing the potential for loss.

Managing Risk
The control strategy articulates which of the four fundamental risk-reducing approaches will be used and how the various approaches might be combined, and justifies the findings by referencing the feasibility studies.

Managing Risk
Once a control strategy has been selected and implemented, controls should be monitored and measured on an ongoing basis to determine their effectiveness and to estimate the remaining risk.

Managing Risk
At a minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk that remains after the proposed strategy has been executed.

Feasibility Studies and Cost-Benefit Analysis
• Determines the level of risk posed to the information asset
• Identifies the advantages and disadvantages of implementing a control
• Considers the value of information assets
• Considers dollar-denominated expenses and savings from economic cost avoidance
• Considers non-economic feasibility criteria

Cost-Benefit Analysis (CBA)
• Economic feasibility: evaluating a project that implements information security controls and safeguards.
• Start this analysis by valuing the information assets and determining the loss in value if they are compromised.
• Deciding whether spending more to protect an asset is justified is the CBA, also called an economic feasibility study.

Cost
• It is difficult to determine the cost of safeguarding an asset.
• Items that could affect the cost:
  – Cost of development or acquisition of hardware, software, and services
  – Training fees
  – Cost of implementation
  – Service costs
  – Cost of maintenance

Benefit
• The value to the organization of using controls to prevent losses associated with a specific vulnerability
• Determined by:
  – Valuing the information asset or assets exposed by the vulnerability
  – How much of that value is at risk
  – How much risk exists for the asset
• The result is expressed as annualized loss expectancy (ALE)

Asset Valuation
• The process of assigning financial value to each information asset
• Involves the estimation of actual or perceived costs
• These costs can be selected from any or all of those associated with design, development, installation, maintenance, protection, recovery, and defense against loss or litigation

Asset Valuation
• Value retained from the cost of creating the information asset
• Value retained from past maintenance of the information asset
• Value implied by the cost of replacing the information
• Value from providing the information
• Value acquired from the cost of protecting the information
• Value to owners
• Value of intellectual property
• Value to adversaries
• Loss of productivity while the information assets are unavailable
• Loss of revenue while the information assets are unavailable

Asset Valuation
• This process yields the estimate of potential loss per risk.
• A single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack:
  – SLE = asset value (AV) * exposure factor (EF)
    where EF = the percentage loss that would occur from a given vulnerability being exploited

Asset Valuation
• Annualized rate of occurrence (ARO) indicates how often you expect a specific type of attack to occur.
• Annualized loss expectancy (ALE) indicates the overall loss potential per risk:
  – ALE = SLE * ARO

The CBA Formula
• CBA determines whether a control alternative is worth its associated cost:
  – CBA = ALE (pre-control) – ALE (post-control) – ACS
    where
    ALE (pre-control) = ALE of the risk before the implementation of the control
    ALE (post-control) = ALE examined after the control has been in place for a period of time
    ACS = annual cost of the safeguard

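The SLE, ALE and CBA formulas from the preceding slides carried through for several candidate controls, as an added example that is not part of the original slides or the textbook. The asset value, exposure factors, rates of occurrence, safeguard names and costs are all constructed sample numbers; the ranking shows how a negative CBA points toward the acceptance strategy.

```python
"""Worked CBA for the SLE / ALE / CBA formulas on these slides (added
example; every number below is a constructed sample, not textbook data)."""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction (0.0 to 1.0) of the asset's value
    lost when the vulnerability is exploited once."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of occurrences per year
    and may be below 1.0 (0.1 means roughly once every ten years)."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A hypothetical control and the residual exposure it leaves behind."""
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    post_ef: float       # exposure factor remaining once the control is in place
    post_aro: float      # rate of occurrence remaining once the control is in place


def cost_benefit(asset_value: float, pre_ef: float, pre_aro: float,
                 control: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS.
    A positive result means the control avoids more annual loss than it costs."""
    ale_pre = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, pre_ef), pre_aro)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.post_ef), control.post_aro)
    return ale_pre - ale_post - control.annual_cost


def rank_controls(asset_value: float, pre_ef: float, pre_aro: float,
                  controls: List[Safeguard]) -> List[Tuple[str, float]]:
    """Return (name, CBA) pairs sorted best first; a negative CBA flags a control
    that costs more than the loss it avoids, the case the acceptance strategy covers."""
    scored = [(c.name, cost_benefit(asset_value, pre_ef, pre_aro, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer database valued at $500,000; one exploit loses
# 40% of that value (EF), and management expects two incidents per year (ARO).
ASSET_VALUE = 500_000.0
PRE_EF, PRE_ARO = 0.40, 2.0

# Hypothetical alternatives: cut frequency, cut loss per incident, shift loss, or gold-plate.
CANDIDATES = [
    Safeguard("web application firewall", annual_cost=60_000.0, post_ef=0.40, post_aro=0.5),
    Safeguard("encrypt database at rest", annual_cost=25_000.0, post_ef=0.05, post_aro=2.0),
    Safeguard("cyber-insurance (transference)", annual_cost=150_000.0, post_ef=0.10, post_aro=2.0),
    Safeguard("gold-standard overhaul", annual_cost=450_000.0, post_ef=0.01, post_aro=0.1),
]

if __name__ == "__main__":
    for name, cba in rank_controls(ASSET_VALUE, PRE_EF, PRE_ARO, CANDIDATES):
        print(f"{name:32s} CBA = ${cba:>10,.0f}  ({'worth it' if cba > 0 else 'accept the risk'})")
```

With no control the ALE is $400,000 a year; the overhaul comes out at a negative CBA, so despite leaving the least residual risk it is the alternative a CBA would reject.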
Asset Valuation
As Frederick Avolio states in his article “Best Practices in Network Security”:
“Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business’s viability.”

Other Feasibility Studies
• Organizational Feasibility
• Operational Feasibility
• Technical Feasibility
• Political Feasibility

Organizational Feasibility
• Examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization.
• An organization should not invest in technology that changes its fundamental ability to explore certain avenues and opportunities.

Operational Feasibility
• Also known as behavioral feasibility.
• Refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders.
• User involvement
  – A method to obtain user acceptance and support
  – Can be achieved by three simple actions: communicate, educate, and involve
  – Can reduce resistance to change and build resilience for change

Technical Feasibility
• Examines whether the organization has, or can acquire, the technology necessary to implement and support the proposed controls.
• Also examines whether the organization has the technological expertise needed to manage the new technology.

Political Feasibility
• Considers what can and cannot occur based on the consensus and relationships among the communities of interest.
• The information security community is assigned a budget, which it then allocates to activities and projects, making decisions about how to spend the money using its own judgment.

Alternatives to Feasibility Analysis
• Benchmarking
• Adopt a certain minimum level of security
• Best business practices: balancing the need to access information with adequate protection
• Gold standard
• Government recommendations and best practices
• A baseline is derived by comparing measured actual performance against established standards for the measured category.

Viewpoint – Risk Management, by Dr. Whitman
• In the world of Info. Sec, there are three types of people:
  – Those who understand the importance of Info. Sec
  – Those who don’t
  – Those who think they do but really don’t
• The top 5 threats to Info. Sec are all people problems.
• SETA is designed for the second type of people.
• The third type represents the biggest threat, as they are misinformed or misguided.

Recommended Risk Control Practices
Cost-benefit and feasibility analysis focused on controlling individual asset-threat pairs can quickly become complex:
• Each control affects more than one asset-threat pair.
• As each control is applied, ALE must be recomputed, as threats to downstream (e.g., behind a firewall) assets may also have been mitigated.

Recommended Risk Control Practices (continued)
The complexity of risk control, such as CBA, motivates alternatives:
• Qualitative measures – scales (for example, 1-10) representing relative degrees of threat likelihood, asset exposure, and/or asset value.
• Delphi Technique – group consensus with respect to establishing the values/scales used in both quantitative and qualitative assessment.

Risk Management Approaches
Existing risk management approaches provide a tried and true pattern to follow.
• OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
• Microsoft Risk Management Approach

OCTAVE Overview
OCTAVE uses a three-phase approach to provide comprehensive situational awareness:
Phase 1 – Build Asset-Based Threat Profiles: What are our assets, what threats exist, and what countermeasures already exist?
Phase 2 – Identify Infrastructure Vulnerabilities: What are the operational and technological vulnerabilities allowing unauthorized action?
Phase 3 – Develop Security Strategy and Plans: What are the impacts (from Phases 1 and 2) to the corporate mission? What are the needed mitigation options?

OCTAVE: Important Aspects
1. Self-directed – the organization’s personnel are involved (via the analysis team) in process management and information analysis
2. Analysis team – an interdisciplinary team representing various communities of interest
3. Workshop-based – information gathering and decision making are done using workshops organized by the analysis team
4. Catalogs of information – catalogs of practices, threats, and vulnerabilities

OCTAVE: Analysis Team
Tasks of the analysis team:
1. Facilitate knowledge elicitation workshops
2. Gather necessary supporting data
3. Analyze threat and risk information
4. Develop a protection strategy
5. Develop mitigation plans

Process and Activities Per Phase
Preparing for OCTAVE
Phase 1: Build Asset-Based Threat Profiles
– Process 1: Identify Senior Management Knowledge
– Process 2: Identify Operational Area Management Knowledge
– Process 3: Identify Staff Knowledge
– Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
– Process 5: Identify Key Components
– Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
– Process 7: Conduct Risk Analysis
– Process 8: Develop Protection Strategy

Preparing for OCTAVE
Preparation is critical for a successful evaluation. Required activities follow:
1. Obtain senior management sponsorship of OCTAVE
2. Select analysis team members
3. Train analysis team
4. Select operational areas to participate in OCTAVE
5. Select participants
6. Coordinate logistics
7. Brief all participants

OCTAVE: Phase 1
• The analysis team holds level-tailored workshops with staff members to identify important assets and the business impact if the assets are compromised.
• The management-level workshops are separate from the staff-level workshops.
• The purpose of the workshops is to elicit:
  – Important assets and their relative values
  – Perceived threats to the assets
  – Security requirements
  – Current protection strategy practices
  – Current organizational vulnerabilities

Phase 1 Processes
Processes 1-3, common activities:
• Identify assets and relative priorities.
• Identify areas of concern.
• Identify security requirements for the most important assets.
• Capture knowledge of protection strategy and organizational vulnerabilities.

Phase 1 Processes (continued)
Process 4: Create threat profiles from the earlier process steps.
• Group assets, security requirements, and areas of concern by organizational level.
• Select critical assets.
• Refine security requirements for critical assets.
• Identify threats to critical assets.

OCTAVE: Phase 2
Perform a technology evaluation, often using a catalog of vulnerabilities such as CVE, to identify vulnerabilities in key systems and components. Example tests:
• Reviewing firewall configuration
• Checking the security of public Web servers
• Performing a comprehensive review of all operating systems
• Identifying services running and/or available on hosts
• Listing all system user accounts
• Identifying known vulnerabilities in routers, switches, remote access servers, operating systems, and specific services and applications
• Identifying known configuration errors
• Looking for signs of intrusion (Trojans, system file alteration)
• Checking file ownership and permissions

OCTAVE: Phase 2 Processes
• Process 5: Identify Key Components
  – Identify the system of interest.
  – Identify key classes of components.
  – Identify infrastructure components to examine.
• Process 6: Evaluate Selected Components
  – Run vulnerability evaluation tools (e.g., Metasploit) on selected infrastructure components.
  – Review technology vulnerabilities and summarize results.

OCTAVE: Phase 3
Develop security strategy and plans by analyzing how specific threats affect specific assets with respect to confidentiality, availability, and/or integrity. The goal of this phase is to reduce risk by:
– Implementing new security practices within the organization
– Taking the actions necessary to maintain the existing security practices
– Fixing identified vulnerabilities

OCTAVE: Phase 3 Processes
• Process 7: Conduct Risk Analysis
  – Identify the impact of threats to critical assets.
  – Create risk evaluation criteria.
  – Evaluate the impact of threats to critical assets.
• Process 8: Develop Protection Strategy
  – Consolidate protection strategy information (WS 1).
  – Create protection strategy (WS 1).
  – Create mitigation plans (WS 1).
  – Create an action list (WS 1).
  – Review risk information (WS 2).
  – Review and refine protection strategy, mitigation plans, and action list (WS 2).
  – Create next steps (WS 2).

Microsoft Risk Management
Risk management should be integrated with the general governance program for better operational decision support. Microsoft’s approach consists of four phases:
1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness

Assessing Risk
The first step in most risk management frameworks is identification and prioritization of the risks facing the organization.
1. Plan data gathering. Discuss keys to success and preparation guidance.
2. Gather risk data. Outline the data collection process and analysis.
3. Prioritize risks. Outline prescriptive steps to qualify and quantify risks.

Conducting Decision Support
The second step in Microsoft’s risk management approach is the identification and evaluation of controls. Microsoft stresses cost-benefit analysis.
1. Define functional requirements. Create the necessary requirements to mitigate the risks.
2. Select possible control solutions. Outline the approach to identify mitigation solutions.

Conducting Decision Support (continued)
3. Review solution. Evaluate proposed controls against functional requirements.
4. Estimate risk reduction. Endeavor to understand the reduced exposure or probability of risks.
5. Estimate solution cost. Evaluate direct and indirect costs associated with mitigation solutions.
6. Select mitigation strategy. Complete the cost-benefit analysis to identify the most cost-effective mitigation solution.

Implementing Controls
Phase 3 of Microsoft’s approach involves the deployment and operation of the selected controls.
1. Seek a holistic approach. Incorporate people, process, and technology in the mitigation solution.
2. Organize by defense-in-depth. Arrange mitigation solutions across the business.

Measuring Program Effectiveness
As controls are used and the organization evolves, the process must be closely monitored to ensure the controls continue to protect.
1. Develop a risk scorecard. Understand risk posture and progress.
2. Measure program effectiveness. Evaluate the risk management program for opportunities to improve.

Preliminary Tasks
• Microsoft suggests the organization consider the effort involved and the organization’s own experience level.
• Microsoft suggests an organization first determine its “risk management maturity”.
• How is risk management maturity determined?

COBIT: Determining Risk Management Maturity
A series of questions (Table 8-3, page 329) results in a score between 0 and 85. COBIT defines the following maturity levels:
Level 0 – Lack of a recognizable process; no recognition that there is even an issue.
Level 1 “Ad Hoc” – The organization recognizes issues that must be addressed; however, no standardized process is in place.
Level 2 “Repeatable” – Awareness of issues. Performance indicators are being developed. Basic measurements have been identified, as well as assessment methods/techniques.

COBIT Levels (continued)
Level 3 “Defined” – The need to act is understood. Procedures have been standardized, documented, and implemented. Balanced scorecard ideas are being adopted.
Level 4 “Managed” – Full understanding of issues on all levels. IT is fully aligned with the business strategy. Continuous improvement is addressed.
Level 5 “Optimized” – Continuous improvement and a forward-looking understanding of issues and solutions. Processes have been refined to a level of external best practice.

Roles and Responsibilities
Another preliminary task before implementing the Microsoft process is the definition and assignment of the roles and responsibilities of the individuals who will participate in the risk analysis process. See Table 8-4 on pages 330 and 331.

Questions