Rapid Risk Assessment: A New Approach to Risk Management
DESCRIPTION
Presented by: Andrew Plato, Anitian
Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is a cumbersome and time-consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results. Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity of IT security risk assessment. Using the existing principles of risk management defined in the NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results, empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process. This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.
TRANSCRIPT
SECURITY:\\Services\Solutions\Support
RAPID RISK ASSESSMENT: A NEW APPROACH TO IT RISK MANAGEMENT
Biography
• Andrew Plato, CISSP, CISM, QSA
• President / CEO – Anitian Enterprise Security
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Championed movement toward practical, pragmatic information security solutions
Anitian Overview
• Compliance – PCI, NERC, HIPAA, FFIEC
• Services – Penetration testing, web application testing, code review, incident response, risk assessment
• Technologies – UTM/NGFW, IPS, SIEM, MDM
• Support – Managed security, staff augmentation
• Leadership – Industry analysis, CIO advisory services
Why Anitian?
• Anitian is the only security firm…
  • Focused on practical, pragmatic information security
  • Able to deliver compliance quickly & affordably
  • That does not push products
  • Who rejects using fear to sell
  • Dedicates research efforts to benefit our clients, not our press releases
  • Implements business-friendly security
  • Remains honest and independent
Presentation Outline
• The Risk Assessment Environment
• Failure of Current Risk Assessment Practices
• Preparing for a Rapid Risk Assessment
• The Rapid Risk Assessment Process
THE RISK ASSESSMENT ENVIRONMENT
Rapid Risk Assessment
What is Risk Assessment?
• Systematic and objective determination of the seriousness of threats.
• Good risk assessment aims to:
  • Identify the threats that affect an entity (company, network, systems, application, etc.)
  • Qualify and quantify those threats
  • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible investments in security controls and processes
Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces need for risk assessment
  • Assessment to define risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to re-perform assessments when there are changes
Increased Scrutiny
• From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?
THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES
Rapid Risk Assessment
Something Is Not Right Here
• Companies were consistently complaining about their IT risk assessments:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…
Practitioners are Questioning Risk Assessment
Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
With Mixed Results
For any risk management method … we must ask … “How do we know it works?” If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.
Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
The Problem
• Current practices are…
  • Slow
  • Complex
  • Incomprehensible to management
  • Fail to provide clear actionable steps to reduce risk
• Why?
Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities: “Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.”
The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish the true value of an IT asset
• Misleading; creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking
Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
• Spending a year on a risk assessment is too long
• A good enterprise risk assessment should be done in under 30 days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions; it’s an assessment from a single person or group that understands risk
Probability Can Be Flawed
• “On a long enough time line, the survival rate for everybody drops to zero.” – Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
Lack of Evidence
• Risk assessment methodologies focus heavily on process, and very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled, rational manner
• Without testing, the entire analysis is one-sided
• Testing can cut through conjecture and prove (or disprove) the severity of a threat
The Challenge
• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker
PREPARATION
Rapid Risk Assessment
Features of Rapid Risk Assessment
• Aims to speed up the risk assessment process & make it more useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in favor of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress
Rapid Risk Assessment Outline
• Prerequisites
  • Advanced writing skills
  • Hands-on IT skills
  • Authority
1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan
Prerequisite: Advanced WriFng Skills
• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few bullet points
Prerequisite: Hands-on IT Skills
• Must have in-depth understanding of IT operations
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses
Prerequisite: Authority
• Management must definitively endorse and support risk assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement
THE PROCESS
Rapid Risk Assessment
#1 – Establish Scope & Lens
• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
  • Data types – customer, internal, security, etc.
  • System – server, workstation, infrastructure
  • Application – user, customer, financial, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension
#2 – Interview Stakeholders
• Develop a set of questions specific to the business role:
  • IT custodians – technical questions
  • Business process owners – criticality & usage
• Define value in context of the entire business using simple terms: critical, high, medium, low, none
• Focus on current state
• Be careful with “forward looking” data – chasing a moving target
• Catalog results
#3 – Test the Environment
• Vulnerability scans of all in-scope systems, apps or locations of data
• Conduct penetration tests
• Web application testing
• Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must
#4 – Define Threats & Correlate Data
• Organize threats into simplified categories
  • Technical – threat to systems, hardware, applications, etc.
  • Operational – threats that affect practices, procedures, or business functions
  • Relational – threat to a relationship between groups, people or third parties
  • Physical – threats to facilities, offices, etc.
  • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple
Threat Samples
• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • Use of telnet among staff is threatening PCI compliance requirements.
  • Missing patches on systems
#5 – Define Probability & Impact Scale
Probability
• Certain – >95% likelihood of occurrence within the next 12 months.
• High – 50-95% likelihood of occurrence within the next 12 months.
• Medium – 20-49% likelihood of occurrence within the next 12 months.
• Low – 1-20% likelihood of occurrence within the next 12 months.
• Negligible – <1% likelihood of occurrence within the next 12 months.
Impact
• Critical – Catastrophic effect on the Data Asset.
• High – Serious impact on the Data Asset's functionality.
• Medium – Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
• Low – Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
• Negligible – Data Asset remains functional for the business with no noticeable slowness or downtime.
#6 – Document Risks
• Condense, simplify and focus on the problem
  • Threat – How the asset is at risk
  • Vulnerabilities – The vulnerabilities relevant to the risk
  • Recommendation – Tangible actions to remediate the risk
  • Impact – Simplified 5 point score (critical, high, medium, low, none)
  • Probability – Simplified 5 point score (certain, high, medium, low, negligible)
  • Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)
Documentation Sample
Threat: Malware infection
Vulnerabilities:
• Outdated anti-virus
• Lack of anti-virus on 36% of servers
• 32 high ranked vulnerabilities on in-scope systems
• Lack of virus scanning at the network layer
Recommendation:
• Endpoint antivirus must be installed on all hosts.
• All endpoint antivirus must be updated daily.
• All systems must have new patches applied within 30 days of release.
• Company must deploy a more robust patch management platform.
• Implement a core firewall that can perform virus scanning at the network layer.
Impact: H (High)
Probability: C (Certain)
Risk: H (High)
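The probability scale from step #5 and the Impact * Probability rule from step #6, worked as an added Python example (this is not the deck's or Anitian's code): the 1..5 ordinal values, the banding of the product back to five levels, and the handling of the touching band edges (20% and 95%) are assumptions marked in the comments; the sample entry is the deck's own malware row, shortened.

```python
from dataclasses import dataclass

# Five-level ordinal scales from the deck (slides #5 and #6).
IMPACT = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
PROBABILITY = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "certain": 5}

# ASSUMPTION: the deck calls risk a "simplified product" but does not publish
# the banding; these inclusive upper bounds on the 1..25 product are ours.
RISK_BANDS = [(2, "negligible"), (6, "low"), (12, "medium"),
              (20, "high"), (25, "critical")]

def probability_rating(pct_within_12_months: float) -> str:
    """Map a 12-month likelihood (percent) onto the deck's probability scale.
    ASSUMPTION: the deck's bands touch at 20% and 95%; here exactly 20 is
    medium and exactly 95 is high."""
    p = pct_within_12_months
    if p > 95:
        return "certain"
    if p >= 50:
        return "high"
    if p >= 20:
        return "medium"
    if p >= 1:
        return "low"
    return "negligible"

def risk_rating(impact: str, probability: str) -> str:
    """Impact * Probability on 1..5 ordinals, banded back to five levels."""
    product = IMPACT[impact.lower()] * PROBABILITY[probability.lower()]
    return next(level for upper, level in RISK_BANDS if product <= upper)

@dataclass
class RiskEntry:
    # One documented risk in the slide #6 format: threat, vulnerabilities,
    # recommendation, impact, probability; risk is derived, never hand-set.
    threat: str
    vulnerabilities: list
    recommendations: list
    impact: str
    probability: str

    @property
    def risk(self) -> str:
        return risk_rating(self.impact, self.probability)

# The deck's own sample row: malware infection, Impact High, Probability
# Certain, Risk High (vulnerability and recommendation lists shortened).
MALWARE = RiskEntry("Malware infection",
                    ["Outdated anti-virus", "Lack of anti-virus on 36% of servers"],
                    ["Endpoint antivirus must be installed on all hosts."],
                    "high", "certain")
```

Deriving the risk column from the two scores rather than typing it in keeps the documented risk list consistent when an impact or probability judgment is later revised.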
Online Version Using Allgress
#7 – Develop an Action Plan
• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
  • GOOD: Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.
  • BAD: IT management procedures need updating to align with best practices.
Don’t
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension
Do
• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely
Thank You
EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://slidesha.re/11UaeFN