Risk Mgmt - PowerPoint PPT Presentation

Slides: 80
Provided by: lind150
1
Risk Management
October 1998
2
  • What is RISK MANAGEMENT?
  • The process concerned with identification,
    measurement, control and minimization of security
    risks in information systems to a level
    commensurate with the value of the assets
    protected.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
3
  • Course Objective
  • The student will be able to DETERMINE a risk
    index.

4
  • Introduction to Risk Management

Identify the Risk Areas

Re-evaluate the Risks
Assess the Risks
Risk Management Cycle
Implement Risk Management Actions
Develop Risk Management Plan
Risk Assessment
Risk Mitigation
5
  • Balance of Risk Management

Risk Management
Risk Ignorance
Risk Avoidance
6
  • RISK
  • The likelihood that a particular threat, using
    a specific attack, will exploit a particular
    vulnerability of a system, resulting in an
    undesirable consequence.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
7
  • THREAT
  • Any circumstance or event with the potential
    to cause harm to an information system in the
    form of destruction, disclosure, adverse
    modification of data, and/or the denial of
    service.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
8
  • Threat Example - Hackers

9
  • Threat Example - Electrical Storms

10
  • Definition of Likelihood
  • LIKELIHOOD of the threat occurring is the
    estimation of the probability that a threat will
    succeed in achieving an undesirable event.

11
  • Considerations in Assessing the Likelihood of
    Threat
  • Presence of threats
  • Tenacity of threats
  • Strengths of threats
  • Effectiveness of safeguards

12
  • Statistical Threat Data

13
  • Two Schools of Thought on Likelihood Calculation

Assume vs. Don't Assume
14
  • ATTACK
  • An attempt to gain unauthorized access to an
    information system's services, resources, or
    information, or the attempt to compromise an
    information system's integrity, availability, or
    confidentiality, as applicable.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
15
  • VULNERABILITY
  • Weakness in an information system,
    cryptographic system, or other components
    (e.g., system security procedures, hardware
    design, internal controls) that could be
    exploited by a threat.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
16
  • Vulnerability Example

17
  • CONSEQUENCE
  • A consequence is that which logically or
    naturally follows an action or condition.

18
  • RM/RA

RISK MANAGEMENT
RISK ASSESSMENT
RISK MITIGATION
19
  • RISK ASSESSMENT
  • A process of analyzing THREATS to and
    VULNERABILITIES of an information system and
    the POTENTIAL IMPACT the loss of information
    or capabilities of a system would have. The
    resulting analysis is used as a basis for
    identifying appropriate and cost-effective
    countermeasures.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
20
  • Why Risk Assessment?

21
  • Benefits of Risk Assessment
  • Increased awareness
  • Assets, vulnerabilities, and controls
  • Improved basis for decisions
  • Justification of expenditures

22
  • Risk Assessment Process
  • Identify assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute expected loss
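
The four steps above, carried through in working code as an added example (this is not from the deck): assets are identified with a value, each vulnerability gets an exposure factor and an estimated rate of exploitation, and expected loss is computed with the usual single-loss / annualized-loss arithmetic (SLE = value x exposure factor; ALE = SLE x annual rate of occurrence). It also answers the "justification of expenditures" question from the benefits slide by comparing the loss a countermeasure avoids with what it costs per year. Every asset, exposure factor, rate and price is constructed for illustration.

```python
"""Quantitative expected loss (added example; not taken from the slides).

Walks the four steps on the slide -- identify assets, determine
vulnerabilities, estimate likelihood of exploitation, compute expected loss --
using the standard annualized-loss arithmetic:

    SLE = asset value * exposure factor        (cost of one incident)
    ALE = SLE * annual rate of occurrence      (expected cost per year)

and then checks whether a countermeasure pays for itself.  Every asset,
exposure factor, rate and price below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    asset: str
    value: float            # step 1: what the asset is worth, in dollars
    vulnerability: str      # step 2: the weakness a threat could exploit
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # step 3: expected incidents per year


def sle(e: Exposure) -> float:
    """Single loss expectancy: the cost of one successful exploitation."""
    return e.value * e.exposure_factor


def ale(e: Exposure) -> float:
    """Step 4: annualized loss expectancy, the expected loss per year."""
    return sle(e) * e.aro


def countermeasure_benefit(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure: loss avoided minus its cost.

    A positive result means the spend is justified on expected loss alone;
    a negative one means the organization would pay more than it saves.
    """
    return ale(before) - ale(after) - annual_cost


def rank_by_ale(exposures):
    """Largest expected annual loss first, so mitigation effort goes there."""
    return sorted(exposures, key=ale, reverse=True)


# Constructed exposures, echoing the deck's hacker and electrical-storm threats.
DATABASE = Exposure("customer database", 500_000.0,
                    "open network with no perimeter filtering", 0.4, 0.5)
SERVER_ROOM = Exposure("server room hardware", 120_000.0,
                       "no surge protection on the power feed", 0.25, 2.0)

# The same exposures after a countermeasure lowers the rate of occurrence.
DATABASE_FILTERED = replace(DATABASE, aro=0.05)
SERVER_ROOM_PROTECTED = replace(SERVER_ROOM, aro=0.2)

if __name__ == "__main__":
    for e in rank_by_ale([DATABASE, SERVER_ROOM]):
        print(f"{e.asset:22} SLE=${sle(e):>10,.0f}  ALE=${ale(e):>10,.0f}")
    print("perimeter filter, $25k/yr:", countermeasure_benefit(DATABASE, DATABASE_FILTERED, 25_000))
    print("surge protection, $2k/yr: ", countermeasure_benefit(SERVER_ROOM, SERVER_ROOM_PROTECTED, 2_000))
```

The exposure factor and the annual rate are the two estimates that carry all the uncertainty; the "Statistical Threat Data" and "Two Schools of Thought" slides later in the deck are about exactly where those numbers come from.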

23
  • Identify Assets
  • People, documentation, supplies

24
  • Properties of Value Analysis
  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation

25
  • Definition
  • Confidentiality: Assurance that information is
    not disclosed to unauthorized persons,
    processes, or devices.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
26
  • Definition
  • Integrity: Quality of an information system
    reflecting the logical correctness and
    reliability of the operating system; the
    logical completeness of the hardware and
    software implementing the protection
    mechanisms; and the consistency of the data
    structures and occurrence of the stored data.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
27
  • Definition
  • Availability: Timely, reliable access to data
    and information services for authorized users.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
28
  • Definition
  • Non-repudiation: Assurance the sender of data
    is provided with proof of delivery and the
    recipient is provided with proof of the
    sender's identity, so neither can later deny
    having processed the data.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
29
  • Determine Vulnerabilities

Open Communications Lines
Open Network
30
  • Likelihood

31
  • Expected Loss

32
  • Risk Measure
  • RISK MEASURE is a description of the kinds and
    degrees of risk to which the organization or
    system is exposed.

33
  • Communicating Risk
  • To be useful, the measurement should reflect what
    is truly important to the organization.

34
  • How do we calculate risk?

35
  • Primary Risk Calculation Methodologies

Quantitative vs. Qualitative
36
  • The Quantitative Method

37
  • The Qualitative Method

38
  • Qualitative Example
  • The system is weak in this area and we know that
    our adversary has the capability and motivation
    to get to the data in the system so the
    likelihood of this event occurring is high.

39
  • Quantitative and Qualitative Merged

40
  • Delphi Approach

41
  • Probability Density Function

42
  • Examples of documented risk assessment systems
  • Aggregated Countermeasures Effectiveness (ACE)
    Model
  • Risk Assessment Tool
  • Information Security Risk Assessment Model
    (ISRAM)
  • Dollar-based OPSEC Risk Analysis (DORA)
  • Analysis of Networked Systems Security Risks
    (ANSSR)
  • Profiles
  • NSA ISSO INFOSEC Risk Assessment Tool

43
  • Formula for Risk

mkt/40 9jX
dv zqm/ 2a bc wxyz
lm op dz tgm\bvd
2b or n2b
44
  • Threat and Vulnerability Revisited

Threat: The capability or intention to exploit, or
any circumstance or event with the potential to
cause harm, such as a hacker.
Vulnerability: A weakness in a system that can be
exploited.
45
  • Threat
  • Vulnerability

46
  • Likelihood Vs. Consequence

47
  • Likelihood
  • The Likelihood of a successful attack is the
    probability that an adversary would succeed in
    carrying out an attack.

48
  • Factors influencing an attack
  • Level of threat
  • Vulnerabilities
  • Countermeasures applied

49
  • Determine Level of Threat
  • Criteria for evaluating the level of threat
  • History
  • Capability
  • Intention or motivation

50
  • Determine Vulnerabilities

51
  • Criteria for Evaluating the Vulnerability
  • Number of vulnerabilities
  • Nature of vulnerability
  • Countermeasures

52
  • COUNTERMEASURE
  • A countermeasure is an action, device, procedure,
    or technique used to eliminate or reduce one or
    more vulnerabilities.

53
  • Examples of Countermeasures
  • Procedures
      • security policies and procedures
      • training
      • personnel transfer
  • Hardware
      • doors, window bars, fences
      • paper shredder
      • alarms, badges
  • Manpower
      • guard force

54
  • CONSEQUENCE
  • A consequence is that which logically or
    naturally follows an action or condition.

55
  • Determination of the Consequence of the Attack
  • The worse the consequence of a threat harming
    the system, the greater the risk.

Consequence
Attack
Success
56
  • Risk Calculation Process
  • Determine
      • the threat
      • the vulnerability
      • the likelihood of attack
      • the consequence of an attack
  • Apply this formula by
      • postulating attacks
      • estimating the likelihood of a successful attack
      • evaluating the consequences of those successful
        attacks

57
  • NSA ISSO Risk Assessment Methodology
  • Developed in the NSA Information Systems
    Security Organization
  • Used for INFOSEC Products and Systems
  • Can Be Used During the Entire Life Cycle
  • Not Widely Used Outside of DI

58
  • The NSA ISSO Risk Assessment Process
  • Understanding the system
  • Developing attack scenarios
  • Understanding the severity of the consequences
  • Creating a risk plane
  • Generating a report

59
  • The Risk Plane

Y-axis: The severity of the consequences of that
successful attack.
X-axis: The likelihood of a successful attack.
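
The Risk Calculation Process slide and the risk plane above, carried through in code as an added example (not from the deck or the NSA ISSO methodology itself): each postulated attack is recorded with its threat, vulnerability, estimated likelihood of success and consequence severity, placed on a plane whose X axis is likelihood and whose Y axis is severity, and ranked. The five-level ordinal scales, the scenarios, the likelihood-times-severity score and the acceptance bands are all constructed; the deck names the axes but gives no levels or thresholds.

```python
"""Risk plane for postulated attack scenarios (added example; not from the slides).

Follows the deck's process: determine threat, vulnerability, likelihood and
consequence for each postulated attack, then place each scenario on a plane
whose X axis is likelihood of a successful attack and whose Y axis is severity
of the consequences.  The five-level ordinal scales, the scenario names, their
ratings, the score and the bands are constructed for this example.
"""
from dataclasses import dataclass

# Constructed ordinal scales; the deck names the axes but not the levels.
LIKELIHOOD = {"negligible": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str          # who or what: capability or intention to exploit
    vulnerability: str   # the weakness the postulated attack relies on
    likelihood: str      # estimate that the attack *succeeds*, not just occurs
    consequence: str     # severity of the outcome if it does succeed


def plane_position(s: Scenario) -> tuple[int, int]:
    """The scenario's (x, y) coordinate on the risk plane."""
    return LIKELIHOOD[s.likelihood], SEVERITY[s.consequence]


def risk_score(s: Scenario) -> int:
    """Ordinal product of likelihood and severity (a constructed metric)."""
    x, y = plane_position(s)
    return x * y


def risk_band(score: int) -> str:
    """Coarse decision band for a score; the thresholds are constructed."""
    if score >= 15:
        return "unacceptable"
    if score >= 8:
        return "mitigate"
    return "accept"


def rank_scenarios(scenarios):
    """Highest risk first; ties go to the more severe consequence, then name."""
    return sorted(scenarios, key=lambda s: (-risk_score(s), -plane_position(s)[1], s.name))


def render_plane(scenarios, size=5):
    """Text grid of the plane: rows are severity (top = 5), columns likelihood."""
    grid = [["." for _ in range(size)] for _ in range(size)]
    for s in scenarios:
        x, y = plane_position(s)
        cell = grid[size - y][x - 1]
        grid[size - y][x - 1] = s.name[0] if cell == "." else "*"  # '*' marks a collision
    lines = ["severity"]
    for i, row in enumerate(grid):
        lines.append(f"  {size - i} | " + " ".join(row))
    lines.append("    +-" + "-" * (2 * size - 1))
    lines.append("      " + " ".join(str(i + 1) for i in range(size)) + "  likelihood")
    return "\n".join(lines)


# Constructed scenarios, echoing the deck's threat examples.
SCENARIOS = [
    Scenario("Lightning", "electrical storm", "no surge protection on the server room feed",
             "moderate", "major"),
    Scenario("Hacker", "external hacker", "open network with no perimeter filtering",
             "high", "catastrophic"),
    Scenario("Spill", "careless insider", "unshredded printouts in open bins",
             "very high", "minor"),
    Scenario("Outage", "utility failure", "single power source",
             "low", "moderate"),
]

if __name__ == "__main__":
    print(render_plane(SCENARIOS))
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:10} {plane_position(s)} score={risk_score(s):2} -> {risk_band(risk_score(s))}")
```

Keeping the plane as two separate ordinal axes rather than collapsing to the score alone preserves the information the deck cares about: a frequent but minor event and a rare but catastrophic one can score alike yet call for different mitigation.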
60
  • Risk Index

Risk Index, as defined by the Yellow Book, is
the disparity between the minimum clearance or
authorization of system users and the maximum
sensitivity of data processed by a system.
61
  • Risk Index
  • Minimum User Clearance = Rmin
  • Maximum Data Sensitivity = Rmax
  • Risk Index = Rmax - Rmin

62
  • Rating Scale for Minimum User Clearance (Rmin)

63
  • Rating Scale for Maximum Data Sensitivity (Rmax)
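
The Risk Index slides, worked in code as an added example (not from the deck): Rmin is taken from the least-cleared user, Rmax from the most sensitive data, and the index is their difference exactly as the slide states. The two rating tables are as I recall them from CSC-STD-003-85 (the "Yellow Book"), Tables 1 and 2, and should be checked against the standard; the user and data populations are constructed. The `clearance_needed` helper is my addition, showing the mitigation of raising the minimum clearance to drive the index down.

```python
"""Yellow Book risk index (added example; not from the slides).

Applies the slides' formula literally: Risk Index = Rmax - Rmin, where Rmin
is the rating of the least-cleared user and Rmax the rating of the most
sensitive data on the system.  The two rating tables are as I recall them
from CSC-STD-003-85 (the "Yellow Book"), Tables 1 and 2; verify them against
the standard before relying on them.  The populations below are constructed.
"""

# Table 1: minimum clearance or authorization of system users -> Rmin
RMIN = {
    "U": 0,       # uncleared
    "N": 1,       # not cleared, but authorized access to sensitive unclassified data
    "C": 2,       # Confidential
    "S": 3,       # Secret
    "TS/BI": 4,   # Top Secret with current background investigation
    "TS/SBI": 5,  # Top Secret with current special background investigation
    "1C": 6,      # access to one category
    "MC": 7,      # access to multiple categories
}

# Table 2: maximum sensitivity of data processed -> Rmax (no level rates 4)
RMAX = {
    "U": 0,   # Unclassified
    "N": 1,   # not classified but sensitive
    "C": 2,   # Confidential
    "S": 3,   # Secret
    "TS": 5,  # Top Secret
    "1C": 6,  # one category
    "MC": 7,  # multiple categories
}


def rmin(user_clearances):
    """The least-cleared user sets Rmin: one uncleared account drags it to 0."""
    return min(RMIN[c] for c in user_clearances)


def rmax(data_sensitivities):
    """The most sensitive data on the system sets Rmax."""
    return max(RMAX[d] for d in data_sensitivities)


def risk_index(user_clearances, data_sensitivities):
    """Risk Index = Rmax - Rmin, as the slides state.

    A result of 0 or less means every user is cleared for the most sensitive
    data present; the Yellow Book handles that case with a separate rule that
    this example does not reproduce.
    """
    return rmax(data_sensitivities) - rmin(user_clearances)


def clearance_needed(data_sensitivities, target_index):
    """Lowest clearance every user must hold to bring the index to target_index or below.

    Models the mitigation of raising the minimum user clearance while keeping
    the same data on the system.  Returns None if no level on the scale suffices.
    """
    needed = rmax(data_sensitivities) - target_index
    for level, rating in sorted(RMIN.items(), key=lambda kv: kv[1]):
        if rating >= needed:
            return level
    return None


if __name__ == "__main__":
    # Constructed system: Secret and Confidential data, one user holding only
    # an "N" authorization alongside fully cleared users.
    users = ["TS/BI", "S", "N"]
    data = ["S", "C"]
    print("Rmin", rmin(users), "Rmax", rmax(data), "Risk Index", risk_index(users, data))
    print("clearance needed for index 0:", clearance_needed(data, 0))
    # Adding Top Secret data widens the disparity without changing the users.
    print("with TS data:", risk_index(users, data + ["TS"]))
```

The index is driven by extremes, not averages: a single weakly cleared account or a single highly sensitive file moves it, which is why the two mitigations are to raise the floor on users or to take the most sensitive data off the system.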

64
  • Computer Security Requirements

* = Security Requirements Beyond State of the Art
65
  • Automated Risk Assessment Tools

66
  • NIST Special Publication 500-174

67
  • LAVA

Los Alamos Vulnerability and Risk Assessment Tool
68
  • Threats Considered by LAVA
  • natural and environmental hazards
  • accidental and intentional on-site human threats
    (including the authorized insider)
  • off-site human threats

69
  • RiskPAC
  • a knowledge-based system that uses a
    questionnaire metaphor to interact with the user
    and measure risk in government-related and other
    topics.

70
  • A.L.E.

Annualized Loss Exposure Calculator
71
  • RISKWATCH

72
  • Risk Management Research Laboratory

73
  • Risk Mitigation
  • Risk Mitigation is any step taken to reduce risk.

74
  • Residual Risk
  • Portion of risk remaining after security measures
    have been applied.

(Definition from National Information Systems
Security (INFOSEC) Glossary, NSTISSI No. 4009,
Aug. 1997)
75
  • Residual Risk and Safeguards

76
  • Summary
  • Risk Mitigation
  • Risk Calculation Methods
  • Risk Index

77
?
78
  • Sampling of General INFOSEC Resources on the Web
  • Defense Information Systems Agency (DISA)
    Awareness and Training Facility
    http://www.disa.mil/ciss/cissitf.html
  • Information Security News
    http://www.infosecnews.com/
  • Information Security Mall
    http://niim.bus.utexas.edu/
  • National INFOSEC Education Colloquium
    http://www.infosec.jmu.edu/ncisse
  • International Information Systems Security
    Certification Consortium http://www.isc2.org/
  • National Institute for Standards and Technology
    (NIST) Computer Security Clearinghouse
    http://csrc.nist.gov/welcome.html
  • National INFOSEC Telecommunications and
    Information Systems Security Committee (NSTISSC)
    http://www.nstissc.gov
  • President's Commission on Critical Infrastructure
    Protection http://www.pccip.gov/
  • Security Site Links
    http://www.sscs.net/resources/secsites_list.htm

79
  • Sampling of Web Addresses for Colleges and
    Universities with INFOSEC Courses, Programs,
    Centers
  • Dartmouth College
    http://www.dartmouth.edu/pub/security/
  • George Mason University Center for Secure Info
    Systems http://www.isse.gmu.educsis/index.html
  • Georgia Tech Information Security Center
    http://www.samnunnforum.gatech.edu/web.html
  • Harvard University http://www.harvard.edu
  • Idaho State University
    http://bibo.isu.edu/security/security.html
  • Indiana University http://www.cs.indiana.edu
  • Iowa State http://vulcan.ee.iastate.edu
  • James Madison University http://www.jmu.edu/
  • National Defense University
    http://www.ndu.edu/irmc/
  • North Carolina State University
    http://www.ncsu.edu
  • Purdue University
    http://www.cs.purdue.edu/coast.html
  • University of California at Davis
    http://www.ucdavis.edu
  • University of Texas, Austin
    http://wwwhost.ots.utexas.edu/mac/pub-mac-virus-html
  • Western Connecticut State University
    http://www.wcsu.ctstateu.edu/mis/homepage.html