Jason Zeigler - PowerPoint PPT Presentation

Slides: 30
Provided by: jas83

Transcript and Presenter's Notes

1
Group 1
  • Jason Zeigler
  • Cherelyn Green
  • Brian Eddy
  • Aaron Phillips

2
Introduction
  • Objectives
  • Use risk assessment methods to estimate security
    investments.
  • Categorize risks in the Risk Assessment Cube
  • Calculate an expected loss
  • Optimize return on investment for security
  • Create a complete organizational risk profile.

3
Importance of Risk Assessment
  • What is Risk Assessment?
  • - A step in the risk management process that
    identifies risk factors in order to avoid
    incidents.
  • Gets the attention of management
  • A basic requirement of ISO 17799
  • - ISO/IEC 17799 is an international standard of
    best practices for information security management
    (since renumbered ISO/IEC 27002).

4
Importance of Risk Assessment
  • Raises the Status of Information Security Budgets
  • - Difficult to get funding (competing business
    priorities)
  • - Applies risk management techniques to IT
    investments (expensive servers, software, etc.)

5
Importance of Risk Assessment
  • Assess the Expected Average Cost of a Loss
  • - The expected value concept supports decisions
    about the financial impact of an outcome (theft
    of trade secrets, network intrusion)
  • Expected Cost
  • - Model used to assess and justify
    investments in digital security.
  • Marginal Cost
  • - Compares the incremental cost of an additional
    safeguard with the incremental reduction in
    expected loss that it buys.

6
Risk Assessment Cube
  • Cube that provides structure for categorizing
    risks along three dimensions
  • 1) The Probability of an Incident
  • (0-100%, from rare to common)
  • 2) Severity of the Outcome or Loss
  • (direct and indirect financial impacts,
    ranging from low to high)
  • 3) Duration of Impact
  • (from an incident that is quickly contained to one
    whose effects extend over time)

7
EXPECTED LOSS VALUE ESTIMATIONS
8
Expected Loss Computation
  • The expected value of either a gain or a loss is
    used extensively to evaluate the consequences of
    business decisions over a particular time period,
    usually one year.
  • Expected loss = (Amount of loss) × (Probability
    of loss)
  • Two incidents on pg. 68
  • A benefit of the expected loss method is the
    ability to standardize the costs of incidents for
    comparison purposes.
  • Businesses commonly apply this expectation
    principle when they invest in door locks, alarm
    systems, and safety devices to protect against
    loss from break-ins, fire, casualty, and legal
    liability.

9
Marginal Cost-Benefit Analysis-An Application of
Expected Value
  • The issue of industry standards and defenses
    against negligence was addressed by Judge Learned
    Hand in 1947. He outlined his standard for
    negligence and liability based on the economic
    model of marginal cost-benefit analysis in his
    decision in United States v. Carroll Towing Co.,
    159 F.2d 169 (2d Cir. 1947).
  • Under marginal analysis, the firm is negligent if
    it fails to adopt a safeguard whose marginal cost
    is less than the marginal benefit of that
    safeguard (the expected loss it would prevent).
    Forgoing a safeguard that costs more than the
    loss it averts is not negligent.
  • The expected value method is used to calculate
    expected costs and benefits.
  • Expected cost or benefit = (Probability of a
    security breach) × (Average loss or benefit from
    the outcome)

10
Balancing Expected Loss with the Cost of Security
Defenses
  • Expected losses from an incident can be a
    benchmark for investments in defenses against
    them. There are several standard methods for
    managing business risk.
  • Three common approaches
  • Mitigate the loss by implementing preventative
    measures
  • Transfer the risk to another party by outsourcing
    the secure management of a network,
    mission-critical databases, or ecommerce
    application
  • Transfer the remaining (residual) risk using
    insurance
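
The expected-loss and marginal cost-benefit reasoning of slides 8 to 10, carried through in code: per-incident expected loss, the Learned Hand test for each candidate safeguard, and the residual expected loss that remains as the benchmark for what to transfer or insure. This is an added example, not part of the original presentation or of the book it summarizes. The incident probabilities, loss amounts, safeguard names and costs are constructed sample figures, not survey data.

```python
"""Expected loss, marginal cost-benefit (Hand rule) and residual risk.

Added example; not from the original slides. All figures are constructed
sample values for one planning period (one year), not measured data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Incident:
    name: str
    loss: float         # cost of a single occurrence, in dollars
    probability: float  # probability of occurrence within the year

    def expected_loss(self) -> float:
        # Expected loss = (amount of loss) x (probability of loss)
        return self.loss * self.probability


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # incident name -> probability that remains once this safeguard is in place
    residual_probability: Dict[str, float]


def expected_losses(incidents: List[Incident]) -> Dict[str, float]:
    """Standardised per-incident figures, so unlike incidents can be compared."""
    return {inc.name: inc.expected_loss() for inc in incidents}


def marginal_benefit(safeguard: Safeguard, incidents: List[Incident]) -> float:
    """Reduction in total expected loss bought by adding this one safeguard."""
    benefit = 0.0
    for inc in incidents:
        after = safeguard.residual_probability.get(inc.name)
        if after is None:
            continue
        if not 0.0 <= after <= inc.probability:
            raise ValueError(f"{safeguard.name}: bad residual for {inc.name}")
        benefit += inc.loss * (inc.probability - after)
    return benefit


def is_justified(safeguard: Safeguard, incidents: List[Incident]) -> bool:
    """Hand rule: take the precaution when its cost is below the expected
    loss it prevents (B < P x L); forgoing it would then be negligent."""
    return safeguard.annual_cost < marginal_benefit(safeguard, incidents)


def justified_safeguards(safeguards, incidents) -> List[Safeguard]:
    return [sg for sg in safeguards if is_justified(sg, incidents)]


def residual_expected_loss(incidents, adopted) -> float:
    """Expected loss left after the adopted safeguards: the benchmark for
    what remains to be transferred by outsourcing or covered by insurance."""
    probs = {inc.name: inc.probability for inc in incidents}
    for sg in adopted:
        for name, after in sg.residual_probability.items():
            if name in probs:
                # Two controls on the same incident do not add up; keep the
                # stronger reduction rather than double-counting the benefit.
                probs[name] = min(probs[name], after)
    return sum(inc.loss * probs[inc.name] for inc in incidents)


# Constructed sample data (hypothetical incidents and controls).
INCIDENTS = [
    Incident("web defacement", loss=50_000, probability=0.20),
    Incident("customer db theft", loss=2_000_000, probability=0.02),
    Incident("worm outage", loss=120_000, probability=0.50),
]
SAFEGUARDS = [
    Safeguard("web app firewall", 15_000, {"web defacement": 0.05}),
    Safeguard("db encryption + monitoring", 25_000, {"customer db theft": 0.005}),
    Safeguard("patch management", 20_000, {"worm outage": 0.10}),
]


def plan(incidents=INCIDENTS, safeguards=SAFEGUARDS):
    """Return the adopted safeguard names and the residual expected loss."""
    adopted = justified_safeguards(safeguards, incidents)
    return [sg.name for sg in adopted], residual_expected_loss(incidents, adopted)


if __name__ == "__main__":
    for name, el in expected_losses(INCIDENTS).items():
        print(f"{name:22s} expected loss ${el:>10,.0f}")
    for sg in SAFEGUARDS:
        print(f"{sg.name:28s} cost ${sg.annual_cost:>7,.0f} "
              f"benefit ${marginal_benefit(sg, INCIDENTS):>7,.0f} "
              f"justified={is_justified(sg, INCIDENTS)}")
    names, residual = plan()
    print("adopt:", names, f"residual expected loss ${residual:,.0f}")
```

With these sample figures the web application firewall fails the Hand test (it costs $15,000 to remove $7,500 of expected loss), the other two controls pass, and $32,000 of expected loss remains as the figure to weigh against an insurance premium or an outsourcing contract.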

11
CHALLENGES IN ESTIMATING LOSS OF DIGITAL ASSETS
12
Intangible Assets
  • Digital assets are intangible, so their value may
    only become fully understood in the actual event
    of loss.
  • Example: one of the most valuable business assets
    is the information maintained in the customer
    database.

13
Replication Increases Exposure and Probability of
a Loss
  • Physical assets tend to exist in only one place
    and therefore need to be protected in only one
    instance.
  • Ironically, one of the ways to protect digital
    assets is to retain multiple backup copies, each
    of which must itself be protected.
  • The adoption of client-server and distributed
    computing architectures has created an
    environment in which documents are stored on many
    networked devices.

14
Outsourcing Places Data and Documents Out of
Control
  • If business operations are outsourced or
    conducted in cooperation with a business partner,
    valuable information often must reside on
    networks that lie outside of organizational
    control.
  • This creates a situation in which one is reliant
    on the efforts of that partner to protect the
    shared asset. This practice is very widespread.

15
Knowledge Assets are Difficult to Replace
  • Digital assets may have direct monetary value,
    like a bank account balance, or indirect value,
    derived from their associated knowledge or
    goodwill.
  • The information most commonly resident on
    computers and networks is structured data, that
    is, values with defined attributes (Figure 5.4,
    pg. 71).
  • It is now common to capture and store
    unstructured information through the use of what
    is known as Knowledge Management (KM).
  • KM assets are much harder to identify, inventory,
    and replace if lost.

16
Mission-Critical Software Applications
  • Beyond data and knowledge, customized software
    can have significant value.
  • If a business has made a major investment in a
    proprietary customer contact application, that
    asset could be exposed in two ways:
  • The competitive advantage it provides could be
    lost, for example if it is copied or stolen
  • An employee or hacker could disable it
  • Therefore, such an asset has value not only from
    the point of view of development costs but also
    from the expected loss of revenue if it were
    sabotaged.

17
Denial of Service Risk
  • Often the most direct economic impact of a
    digital attack is the significant loss of
    productivity that can result from even the more
    benign forms of malware.
  • Worms like Code Red did not actually destroy
    data, rather they paralyzed networks and services
    through self-replication, creating enormous
    network traffic jams that made it impossible
    for legitimate traffic to get through.

18
Valuation of Digital Assets and Risks
19
Valuation of Digital Assets and Risks
  • There are two main ways to assign economic value
    to digital assets: impact on revenue and loss
    prevention.
  • Software Assets - The main risk is not the loss
    of the software but the loss of its use while it
    is restored. For a revenue-generating Web site,
    the potential loss is estimated by tracking the
    average revenue generated per hour and
    multiplying it by the hours of downtime. Other
    software exists to enhance productivity; its
    expected loss is the percentage productivity gain
    it provides, applied over the downtime.

20
Digital Assets, cont.
  • Knowledge Assets - It is the unique knowledge and
    data within an organization that creates value at
    risk. The danger lies in what the attackers do
    with the information, which may include trade
    secrets, customer lists, or sensitive partner
    data. The knowledge may be used by competitors or
    as the basis for litigation.
  • Goodwill - Goodwill is the accumulation of
    knowledge, experience, public image, and the body
    of customer relationships the firm has developed
    over its lifetime. The more reliant the firm is
    on technology to manage its knowledge and face
    its markets, the more vulnerable goodwill is to
    digital assault. Goodwill matters for customer
    peace of mind, so it should figure into the
    Digital Liability Model (DLM) investment model.

21
Sources of Information for Risk Estimations
  • Research and Consulting Firms - Firms such as
    CSI (the Computer Security Institute), the FBI,
    and CERT release information, reports, and
    surveys with detailed breakdowns of industries,
    types of attack, magnitude of loss, and other
    important information.
  • InfraGard - An alliance between the private
    sector and the FBI, formed to share knowledge and
    coordinate defenses against cyber terror.

22
Sources of Information for Risk Estimations
  • Technical Tools - Firewalls, intrusion detection
    technology, and network administration tools keep
    detailed logs of activity. Analysis of these logs
    can provide insight into the frequency and nature
    of attacks.
  • Business Partners and Industry Groups - Business
    partners may share their experience and
    expertise in an effort to coordinate security
    around common data and processes.
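
How the log analysis described above feeds the probability dimension of the Risk Assessment Cube: a parser over a handful of firewall and IDS records, counts by attack category and source, and a conversion of the observed attempt rate into an annual rate and a probability of at least one incident. This is an added example, not part of the original presentation. The log lines are constructed samples in an assumed "timestamp device action key=value ..." syntax (not a real product's format), and the 30-day window and 1% success fraction are illustrative assumptions; the success fraction in particular is an analyst's estimate, since logs record attempts, most of them blocked, not successful incidents.

```python
"""Estimating attack frequency from firewall and IDS logs.

Added example; not from the original slides. Log lines are constructed
samples in an assumed 'timestamp device action key=value ...' syntax.
"""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(.*)$")

# Constructed sample log covering an assumed 30-day observation window.
SAMPLE_LOG = """\
2004-03-01T02:14:07 fw DROP src=203.0.113.7 dst=192.0.2.10 dport=1433 proto=tcp
2004-03-01T02:14:09 fw DROP src=203.0.113.7 dst=192.0.2.11 dport=1433 proto=tcp
2004-03-03T11:05:51 ids ALERT src=198.51.100.23 sig=sql_injection dst=192.0.2.20
2004-03-08T23:41:12 ids ALERT src=203.0.113.7 sig=worm_propagation dst=192.0.2.10
2004-03-12T09:17:33 ids ALERT src=198.51.100.23 sig=sql_injection dst=192.0.2.20
2004-03-19T14:02:48 fw DROP src=192.0.2.99 dst=192.0.2.10 dport=445 proto=tcp
this line is corrupt and should be skipped, not crash the parser
2004-03-25T17:30:00 ids ALERT src=203.0.113.44 sig=sql_injection dst=192.0.2.21
2004-03-28T04:55:21 ids ALERT src=198.51.100.23 sig=port_scan dst=192.0.2.10
"""
WINDOW_DAYS = 30


@dataclass
class Event:
    when: datetime
    device: str
    action: str
    fields: Dict[str, str]

    @property
    def category(self) -> str:
        # IDS alerts are classified by signature; firewall records by action.
        return self.fields.get("sig", f"{self.device}_{self.action.lower()}")


def parse_log(text: str) -> List[Event]:
    """Parse records; malformed lines are skipped rather than aborting."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, device, action, rest = m.groups()
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # first token is not a timestamp: not a record
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(when, device, action, fields))
    return events


def counts_by_category(events: List[Event]) -> Counter:
    return Counter(ev.category for ev in events)


def sources_by_category(events: List[Event]) -> Dict[str, Counter]:
    out: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        out[ev.category][ev.fields.get("src", "?")] += 1
    return out


def annual_rate(count: int, window_days: float) -> float:
    """Observed events extrapolated to a yearly rate."""
    if window_days <= 0:
        raise ValueError("observation window must be positive")
    return count * 365.25 / window_days


def probability_of_incident(count: int, window_days: float,
                            success_fraction: float) -> float:
    """Probability of at least one successful incident in a year, treating
    attempts as a Poisson process of which a fixed fraction succeed. The
    success fraction is the analyst's assumption; logs only show attempts."""
    if not 0.0 <= success_fraction <= 1.0:
        raise ValueError("success_fraction must be in [0, 1]")
    incidents_per_year = annual_rate(count, window_days) * success_fraction
    return 1.0 - math.exp(-incidents_per_year)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    counts = counts_by_category(events)
    sources = sources_by_category(events)
    for cat, n in counts.most_common():
        top_src, top_n = sources[cat].most_common(1)[0]
        p = probability_of_incident(n, WINDOW_DAYS, success_fraction=0.01)
        print(f"{cat:18s} {n:2d} in {WINDOW_DAYS}d -> "
              f"{annual_rate(n, WINDOW_DAYS):6.1f}/yr, P(incident) {p:.0%}, "
              f"top source {top_src} ({top_n})")
```

Three SQL injection attempts in a 30-day window extrapolate to roughly 36 attempts a year; with the assumed 1% success fraction that is about a 31% chance of at least one successful incident in the year, which is the kind of figure that goes into the probability axis of the cube and into the expected-loss calculation. The repeat source addresses are the "nature of attacks" side of the analysis: a handful of persistent sources rather than background noise.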

23
Symantec's Internet Security Threat Report
  • According to Symantec's Internet Security Threat
    Report, banking and utilities are the most
    at-risk sectors for attack by malicious code.
    Both industries have the finances to protect
    their systems, and the most to lose if they
    don't.
  • Symantec recorded an average of 987 attacks per
    company in the power and energy sector. Nonprofit
    organizations had an average of 869 attacks per
    company, telecoms 845, high-tech 753, and banking
    and finance 689.
  • In terms of severity the top three were power and
    energy, banking and finance, and nonprofit.

24
Overall Risk Evaluation
25
Overall Risk Evaluation
  • Assess the Current Situation
  • Digital Liability Model
  • People, Process, Security Policies vs.
    Technology
  • Key to Success
  • Policy and Process Perspective
  • The effectiveness of the policy and auditing
    tools for managing and mitigating risk needs to
    be tested. All policy documents related to
    information security, such as the acceptable use
    policy (AUP), should be examined for
    completeness, clarity, and compliance as part of
    the audit. Audit results can make the policy far
    more defensible if it becomes evidence in a legal
    action. Other policies usually included pertain
    to privacy, outsourcing of processes that involve
    sensitive data, password maintenance, and remote
    access to company networks.
  • Testing awareness
  • Gauges the effectiveness of current training and
    documentation efforts
  • Strong policies combined with weak readership
    still result in virus infections

26
Overall Risk Evaluation
  • Organizational Perspective
  • Assigning responsibility for DLM-related issues
    is also part of the picture. This can be a
    problem in larger firms where the responsibility
    has become fragmented. It is not uncommon to have
    a network administrator and a network security
    administrator, with the latter reporting to the
    former. This aligns operations well but weakens
    accountability for DLM.
  • Regardless of whether or not responsibility for
    network security and physical security is
    combined in the organization, the two are
    interrelated and should be assessed together.
  • Example: Microsoft servers (pg. 77), a gray area.

27
Overall Risk Evaluation
  • Audits with Trading Partners/Customers
  • If business operations demand network connections
    to partners and customers, then their levels of
    information security are equally important. Some
    larger concerns may require and subsidize an
    audit and enhancements to the security
    infrastructure to meet their standards.
  • A proper assessment can only come with the help
    of a complete audit of the current security
    infrastructure by a reputable and qualified
    third party. So why the third party?
  • Some companies stage an unannounced attack using
    known hacker methods or white hat hackers hired
    for the purpose. White hat hackers are ethical
    hackers who search for weaknesses in computer
    systems or business applications. The test may
    include introducing malware, such as backdoors or
    benign viruses, to check whether the defensive
    technology detects it.

28
Summary
  • Security needs to be managed
  • Security programs are underfunded because most
    enterprises do not know what they have to lose
    and do not appreciate all the ways they can lose
    it
  • The key is to properly identify and quantify all
    value at risk by creating a risk exposure profile
  • A justifiable DLM budget can be set on the basis
    of an estimate of loss
  • Awareness on the part of IT staff can optimize
    the return on security investments
  • Overall security depends on balancing cost and
    risk through the appropriate use of both
    technology and policy

29
QUESTIONS??