DATA-DRIVEN SECURITY: Risk Management for Homeland Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

2
DATA-DRIVEN SECURITY: Risk Management for
Homeland Security
  • Caroline R. Hamilton,
  • President & Founder
  • RiskWatch, Inc.

3
WHY SECURITY PROGRAMS NEED A RISK MANAGEMENT
APPROACH
IF YOU CAN'T MEASURE IT, YOU CAN'T MANAGE
IT!
-- Peter Drucker
4
WORST THREAT ENVIRONMENT IN RECENT HISTORY
  • Highly Charged Threat Environment
  • September 11th
  • International Terrorists - Al Qaeda, Tigers
  • Uncertainty about how to proceed
  • Many Security Organizations Still Unfunded

5
SECURITY AS A BUSINESS FUNCTION
  • Problems with both Security and Privacy
  • Growth of E-Business (e-health, e-commerce)
    is FORCING GOOD SECURITY
  • Global standards are emerging, i.e. ISO-IEC 17799
  • Aim for a holistic security program integrating
    corporate (physical) security and information
    security.

6
PHYSICAL SECURITY AND COMPUTER SECURITY HAVE TO
WORK TOGETHER
7
OTHER INFLUENCES
  • Increase in Security Requirements
  • Increase in PENALTIES & FINES
  • More Government Involvement in Security standards
    at infrastructure companies

8
Changing Face of Terrorism
  • Identified terrorist groups - based on ideology
    and born in economic inequality
  • Protest groups today are terrorists of tomorrow
  • Underlying issues are unlikely to be solved
  • Preventing terrorism becomes a chess game.

9
COMBATING TERRORISM REPORT BY THE GENERAL
ACCOUNTING OFFICE September 15, 2001
The risk assessment concept has been validated as
a new way to manage risk and security by the U.S.
General Accounting Office, which reported: "We have
previously reported on the value of a new
approach of using sound threat and risk
assessments ... for focusing programs and
investments to combat terrorism."
(GAO/T-NSIAD-99-112)
10
U.S. General Accounting Office (GAO) REPORT
-- Serious Weaknesses Put U.S. State Department
and FAA Operations at Risk
Washington D.C., May 19, 1998
"We obtained access to the State Dept. networks by
breaching physical security and finding user account
information on active terminals. We found user
identification and passwords taped to one of the
computers, and were able to access the LAN
server and obtain supervisor-level access."
11
The reason our penetration tests were successful
is that the State Department didn't perform risk
assessments -- so they could not prioritize what
needed to be protected and to what extent.
12
WHAT MANAGEMENT WANTS TO KNOW ABOUT SECURITY...
  • What vulnerabilities/weaknesses are present in
    the organization today?
  • What's the current threat level?
  • How can we measure effectiveness of security?
  • How much should we spend on new security features?

13
RISKWATCH PRODUCTS
  • RiskWatch for Information Systems
  • RiskWatch for Physical Security
  • RiskWatch 17799 (ISO 17799)
  • HIPAA-Watch
  • DITSCAP Certification & Accreditation
  • NIACAP Certification & Accreditation

14
WHAT'S RISKWATCH?
  • Woman-owned company specializing in risk
    assessment software since 1988 in Annapolis,
    Maryland
  • Served on NSA Rating Model Workshop & NIST-CSE
    Model Builders Workshop
  • Working Group to Write DOD Directive on Risk
    Management under OSD
  • Member, Maritime Security Council

15
RiskWatch Clients
16
DOD/Commercial Users
  • DIA
  • DISA
  • LIWA
  • NSA - OIG
  • Joint Chiefs of Staff
  • Office of Naval Intelligence
  • U.S. Army
  • Joint Warfighters
  • NATO/NAMSA
  • TRICARE
  • Crowley Marine
  • Dynegy
  • Equistar/Lyondell
  • General Electric
  • KPMG
  • Lockheed Martin
  • ManTech
  • PeDeVeSa
  • PWC
  • Ryder Logistics
  • SAIC
  • Wells Fargo Bank

17
FEDERAL AGENCIES
  • U.S. Department of Commerce
  • Canadian Dept. of National Defence
  • U.S. Department of Defense
  • U.S. Department of Energy
  • Department of Health and Human Services
  • U.S. Department of Justice (FBI)
  • FDA
  • U.S. Department of the Treasury
  • Federal Aviation Administration
  • NASA
  • National Security Agency

18
BENEFITS FOR USERS
  • Thousands of Questions
  • Automated Question Utility
  • Free Upgrades for the first year
  • Free Training in Annapolis Every Month
  • Tech Support
  • User Group Conferences

19
ELEMENTS OF A METRICS-BASED RISK ASSESSMENT
APPROACH
  • ASSETS
  • THREATS
  • VULNERABILITIES
  • LOSSES
  • SAFEGUARDS
20
SAMPLE ASSET CATEGORIES
INFORMATION ASSETS: Accounting Systems, Cash,
Communication Systems, Data Centers, Databases,
Evidence, Facilities, Networks, Personnel, System
Software
PHYSICAL ASSETS: Airplanes, Cash, Customers, Evidence,
Facilities, Fire Systems, Monitoring Equipment,
Personnel, Production Resources, Real Property,
Security Systems
22
COLLECTING ASSET DATA
  • Ability to import asset data from other parts of
    the organization
  • What are proper methods for quantifying asset
    values? Criticality? Sensitivity?
  • How can you quickly determine Present Day
    Replacement Values?
  • How can you quantify the impact to your Company's
    reputation?

23
THREATS
  • Kidnapping
  • Natural Disasters
  • Storms, Hurricanes
  • Cold, Frost, Snow, Ice
  • Tornadoes, Tsunami, Lightning
  • Misuse of Corporate Resources
  • Modification of Data
  • Power Loss
  • Rioting, Civil Disorders
  • Sabotage
  • Terrorist Acts
  • Theft of Information
  • Vandalism
  • Accidents
  • Arson
  • Assault: Simple, Sexual, Aggravated
  • Blackmail
  • Bomb Threats
  • Chemical Contamination
  • Errors
  • Explosions, Major-Minor
  • Extortion
  • False Alarms
  • Fraud, Embezzlement

24
IDENTIFYING THREAT DATA
  • Quantified threat data is hard to find.
  • Categories of Threats
  • Natural Disasters, Criminal Activity
  • Hackers, Corporate Espionage
  • Collect data from Web Sources, government data,
    weather data, crime casts, global info services,
    access control systems, incident logs.
  • Use data from internally collected sources

26
Discovering Vulnerabilities
  • Vulnerabilities are specific to each organization
  • Goes down to the lowest common denominator
  • Covers the whole organization
  • Electronic surveys will increase accuracy and
    speed of survey collection

28
Quantifying Vulnerabilities
  • Respondent Questionnaires have to be measurable,
    using real numbers
  • Must be able to be easily aggregated
  • Must include full audit trails for tracking
    identified weaknesses.

29
LOSS CATEGORIES
  • Delays and Denials of Service
  • Disclosure
  • Direct Loss (Building Blows Up)
  • Life (Employees, Customers)
  • Modification of Data
  • Related Direct (Cleaning up After)
  • Reputation (Credibility)

30
SAFEGUARDS
  • Alarm Systems
  • Background Checks
  • Barriers
  • Biometric Controls
  • Bomb Threat Procedures
  • Bomb Detection & Identification
  • CCTV Cameras
  • Disaster Recovery Planning
  • Emergency Response Planning
  • Entry Controls
  • Fire Controls
  • Guard Services
  • Incident Reporting
  • Incident Response
  • Intrusion Detection
  • Lock & Key Controls
  • Monitoring Systems
  • Risk Assessment
  • Security Planning
  • Security Policies
  • Security Staff
  • Technical Surveillance
  • Training Programs
  • Visitor Controls

31
Additional Safeguard Cost Elements To Consider
in Calculating Return On Investment (R.O.I.)
  • The Initial Cost of Fully Implementing the
    Safeguard
  • The Annual Cost of Operating the Safeguard
  • The Annual Cost of Maintenance and Testing
  • The Safeguard Life Cycle
32
SAFEGUARDS
33
CUSTOMIZING QUESTIONS
  • Questions Follow Audit Format: Control Standard,
    Question Statement and Related Vulnerability
  • Users Set Threshold for Compliance
  • Each Question Validates Compliance with Standards
  • Users can Add, Delete or Modify Questions

36
RESULTS FROM THE RISK ASSESSMENTS
  • Measurable data which can be benchmarked
  • Prove validity of findings with full audit trails
  • Use of recognized statistical probability models
  • Complete reports, tailored for management

37
APPLYING THE RISK ASSESSMENT MODEL
  • Homeland Security
  • Aviation Security
  • Maritime Security
  • Compliance with Privacy Standards
  • Critical Infrastructure Protection
  • GISRA

38
AUTOMATING THE RISK MANAGEMENT SYSTEM HARDENS A
SECURITY PROGRAM
RISK ASSESSMENT DETERMINES WHAT CONTROLS ARE
NEEDED TO PROTECT AN ORGANIZATION'S ASSETS,
BOTH ADEQUATELY AND COST-EFFECTIVELY.
39
VULNERABILITY ASSESSMENT RESULTS
40
BREAKDOWN OF THE NON-COMPLIANT VULNERABILITIES
(share of non-compliant findings by category, in percent)
  • Data Integrity (12.0%)
  • 15 Others (26.0%)
  • Procedures (12.0%)
  • Access Control (10.0%)
  • Audit Trails (6.0%)
  • Disclosure (6.0%)
  • Policy (10.0%)
  • Reliability (8.0%)
  • Accountability (10.0%)
41
VULNERABILITY DISTRIBUTION CHART
42
How To Calculate Return on Investment
  • Finish Disaster Recovery Plan 20001
  • Random Password Generation 12001
  • Distribute Security Policy 9431
  • Mandatory Security Awareness Training 751
  • Penetration Testing 501

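As an added example (not code from the presentation or from RiskWatch), the four cost elements from slide 31 are combined into an annualized safeguard cost and a return-on-investment ratio, which is then used to rank controls the way the slide 42 report does. The annual loss reduction input is my assumption (in the presentation's model it would come from the threat and loss data), and all dollar figures below are constructed; only the safeguard names are taken from slide 42.

```python
from dataclasses import dataclass


@dataclass
class Safeguard:
    """One candidate control with the cost elements listed on slide 31."""
    name: str
    initial_cost: float           # one-time cost of fully implementing the safeguard
    annual_operating: float       # annual cost of operating the safeguard
    annual_maintenance: float     # annual cost of maintenance and testing
    life_cycle_years: int         # safeguard life cycle, used to spread the initial cost
    annual_loss_reduction: float  # assumed input: expected annual loss the control avoids

    def annualized_cost(self) -> float:
        """Initial cost spread over the life cycle plus the recurring annual costs."""
        if self.life_cycle_years < 1:
            raise ValueError(f"{self.name}: life cycle must be at least one year")
        return (self.initial_cost / self.life_cycle_years
                + self.annual_operating + self.annual_maintenance)

    def roi_ratio(self) -> float:
        """Annual loss avoided per dollar of annualized cost (50.0 means 50:1)."""
        cost = self.annualized_cost()
        if cost <= 0:
            raise ValueError(f"{self.name}: annualized cost must be positive")
        return self.annual_loss_reduction / cost


def rank_by_roi(safeguards: list[Safeguard]) -> list[Safeguard]:
    """Order candidate controls for a 'recommended controls by ROI' report."""
    return sorted(safeguards, key=lambda s: s.roi_ratio(), reverse=True)


# Constructed sample figures (not from the presentation); names follow slide 42.
SAMPLE_SAFEGUARDS = [
    Safeguard("Penetration Testing", 0, 40_000, 0, 1, 100_000),
    Safeguard("Finish Disaster Recovery Plan", 60_000, 10_000, 10_000, 3, 4_000_000),
    Safeguard("Distribute Security Policy", 10_000, 0, 2_000, 5, 200_000),
    Safeguard("Mandatory Security Awareness Training", 20_000, 15_000, 5_000, 4, 500_000),
]

if __name__ == "__main__":
    for s in rank_by_roi(SAMPLE_SAFEGUARDS):
        print(f"{s.name:40s} annualized cost ${s.annualized_cost():>10,.0f}"
              f"  ROI {s.roi_ratio():.1f}:1")
```

A control with a low one-time cost but a short life cycle (the yearly penetration test here) ranks below a costlier control whose initial outlay is spread over several years, which is the point of carrying the life cycle into the calculation.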
43
SAFEGUARD REPORT -- RECOMMENDED CONTROLS BY
RETURN ON INVESTMENT
44
RiskWatch Reports Writes the Complete Report
for You
  • Assets: the asset replacement costs by category and
    combined.
  • Vulnerabilities: percentage of compliance vs.
    non-compliance, and how vulnerabilities are
    distributed by category. For example, the risk
    analysis identified 35 vulnerabilities covering
    twenty-two vulnerability areas, including:
    lack of package control at store entrances;
    inadequate training of security guards; the level
    and extent of security training of store personnel.
  • Threats: threat profile for your organization.
  • Executive Summary automatically generated.

45
RISKWATCH PRICING
  • Single User Licenses
  • 5-pak,
  • 10-pak
  • Site Licenses
  • Agency-level Licenses

46
THE BOTTOM LINE
  • Security Problems will Continue to Increase as
    Terrorism Continues
  • Measuring and Managing Security by Return on
    Investment gives you the best bang for the buck
  • Risk Assessment is the best way to quantify areas
    of weakness and focus security controls.

47
FOR MORE INFORMATION
chamilton@riskwatch.com
RiskWatch, Inc.
2568 A Riva Rd., Suite 300
Annapolis, MD 21401