Risk Assessment

1
Risk Assessment A powerful weapon in modern
eSecurity warfare
2
DISCLAIMER
Craig Rosewarne

• Concilium
• - Security Analyst
• - ISO 90012000 company
• Whitehat InfoSec Group
• Chairman Founder of Section 21 Co.
• InfoSec user group of -800 volunteers
• Host monthly security forums / workshops
• Focus on security awareness
• Initiated project Mamba

DISCLAIMER THIS PRESENTATION IS BASED ON BOTH MY
PERSONAL PREFERENCES AND WORK EXPERIENCE AND
INCLUDES INPUT FROM A VARIETY OF SOURCES
ACCUMULATED OVER THE YEARS.
3
(No Transcript)
4
ASSETS
5
THREATS
6
VULNERABILITIES
7
SAFEGUARDS
8
The Core function of Information Security
-ISO/IEC 17799-
9
Security programs need a Risk Management approach

• IF YOU CANT MEASURE IT
• YOU CANT MANAGE IT!

10
Definition

• Risk assessment is the cornerstone of any
  information security program, and it is the
  fastest way to gain a complete understanding of
  an organisations security profile its
  strengths and weaknesses, its vulnerabilities and
  exposures.
• -Riskwatch-

11
Example how used
LEVEL 1 Risk assessment LEVEL 2
Vulnerability scan LEVEL 3 Penetration test
12
Why perform a RA?

• ID gaps in security framework
• ID risksthen YOU decide action plan
• Accurate IT asset valuation
• Better utilisation of InfoSec budget
• Assists with security budget justification
• Compliance with laws regulations
• Benchmark against industry best practices

13
How do modern kings undertake a Risk Assessment?
14
The battlefields of today
15
1. First steps
And
Vs
16
2. Manual versus Automated
Vs
17
Manual RAs

• The Operationally Critical Threat, Asset, and
  Vulnerability EvaluationSM (OCTAVE) approach
• Number of different workbooks presentations
• Variety of different RA spreadsheets available
  some free / some commercial / some proprietary IP

18
RA Software tools

• Variety of different tools on market to suite
  individual preferences / budgets

• COBRA

19
3. Scoping the project

• Company mission / values?
• Qualitative or Quantitative? (Gap vs ALE/ROI?)

Vs
20
3. Scoping the project

• Qualitative or Quantitative? (Gap analysis vs
  ALE/ROI?)
• Benchmark? (7799 / NIST / HIPAA / GLB?)

21
Select Benchmark
22
3. Scoping the project

• Qualitative or Quantitative? (Gap analysis vs
  ALE/ROI?)
• Benchmark (7799 / NIST / HIPAA / GLB?)
• Functional Areas (King to Stable boy?)

23
Select Functional Areas
24
3. Scoping the project

• Qualitative or Quantitative? (Gap analysis vs
  ALE/ROI?)
• Benchmark (7799 / NIST / HIPAA / GLB?)
• Functional Areas (King to Stable boy?)
• Asset Categories (Physical / Reputation?)
• Threats (Type / Occurrence / Damage?)
• Vulnerabilities (Weakness e.g. Physical security)

25
Linking ALTV
26
3. Scoping the project

• Qualitative or Quantitative? (Gap analysis vs
  ALE/ROI?)
• Benchmark (7799 / NIST / HIPAA / GLB?)
• Functional Areas (King to Stable boy?)
• Asset Categories (Financial / Reputation?)
• Threats (Type / Occurrence / Damage?)
• Vulnerabilities (Weakness e.g.. Physical
  security)
• Safeguards (Archers vs Ballista?)

27
Call to arms
28
4. Questionnaire time
29
5. Report generation
30
Important info a typical RA report can highlight?
31
Qualitative 1/2
32
Qualitative 2/2
33
Quantitative 1/4
34
Quantitative 2/4
35
Quantitative 3/4
36
Quantitative 4/4
37
Quantitative 5/6
38
Quantitative 6/6
39
Components of Risk
40
Summary

• A risk assessment is the cornerstone of any
  information security program
• Fastest way to gain insight into an
  organisations security profile
• A RA is recommended at least every 6 months or
  when re-evaluating security profile after major
  changes
• ----------------Craig Rosewarne ----------------
  craig_at_concilium.co.za
• craig_at_whitehat.org.za
• 27 83 231 4707
• -----------------------------------------------