Risk Management PDF
Indian Institute of Technology Madras
Saji K Mathew, PhD
Summary
This document discusses risk management in the context of cyber security and privacy, focusing on identifying, examining, and understanding information assets, threats, and vulnerabilities related to an organization's information assets. It provides a framework and outlines procedures for identifying assets, prioritizing them, classifying data, and assessing threats. The document gives examples showcasing risk calculation methods.
Cyber Security and Privacy MS6880
Risk Management
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INSTITUTE OF TECHNOLOGY MADRAS

Do you know?
- If you know the enemy and know yourself, you need not fear the result of a hundred battles
- If you know yourself but not the enemy, for every victory gained you will also suffer a defeat
- If you know neither the enemy nor yourself, you will succumb in every battle
-- Sun Tzu

Slide 3: Risk management
- Knowing yourself: identifying, examining, and understanding the information and how it is processed, stored, and transmitted
- Knowing the enemy: identifying, examining, and understanding the threats facing the organization's information assets
- Risk management: the process of identifying, assessing, and reducing risks facing an organization

Threats, attack, vulnerability, risk
Attack surface
Residual risk

Slide 8: Risk identification
- Risk identification begins with the process of self-examination
- Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance
- Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
- This step should be done without pre-judging the value of each asset; values will be assigned later in the process

Slide 9: Organizational assets used in systems

Slide 10: Identifying hardware, software, and network assets
- Whether automated or manual, the inventory process requires a certain amount of planning
- Determine which attributes of each of these information assets should be tracked
- That will depend on the needs of the organization and its risk management efforts

Slide 11: Attributes for assets
When deciding which attributes to track for each information asset, consider the following list of potential attributes:
- Name
- IP address
- MAC address
- Asset type
- Serial number
- Manufacturer name
- Manufacturer's model or part number
- Software version, update revision, or FCO number
- Physical location
- Logical location
- Controlling entity

Slide 12: Identifying people, procedures, and data assets
- Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment
- As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software

Slide 13: Suggested attributes for people, procedures, and data assets
People:
- Position name/number/ID
- Supervisor name/number/ID
- Security clearance level
- Special skills
Data:
- Owner/creator/manager
- Size of data structure
- Data structure used
- Online or offline
- Location
- Backup procedures
Procedures:
- Description
- Intended purpose
- Software/hardware/networking elements to which it is tied
- Location where it is stored for reference
- Location where it is stored for update purposes

Data classification model
- Example: Public; For official use only; Sensitive; Classified
- The U.S. military classification scheme (Executive Order 12958): Unclassified data; Sensitive but unclassified (SBU) data; Confidential data; Secret data; Top Secret data

Assessing values for information assets
- As each information asset is identified, categorized, and classified, assign a relative value
- Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
  - Which information asset is the most critical to the success of the organization?
  - Which information asset generates the most revenue?
  - Which information asset generates the highest profitability?
  - Which information asset is the most expensive to replace?
  - Which information asset is the most expensive to protect?
  - Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability?

Slide 15: Knowing the enemy: identify and prioritize threats and threat agents
- Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy
- Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset
- In general, this process is referred to as a threat assessment

Slide 16: Threats
- Back doors
- Brute force
- Dictionary
- Man-in-the-middle
- Password crack
- Social engineering
- Phishing
- Spear phishing
- Vishing

Threat categories

Slide 19: Weighted ranks of threats to information security

Vulnerability assessment
- Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat
- This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization
- Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
- At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
- This list serves as the starting point for the next step in the risk management process: risk assessment

Slide 21: Vulnerability assessment of a DMZ router

Slide 22: Threat-Vulnerability-Asset (TVA) worksheet
- At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
- Another list prioritizes threats facing the organization based on the weighted table discussed earlier
- These lists can be combined into a single worksheet

Slide 23: Sample TVA spreadsheet

Determining the loss frequency
- Loss frequency is an assessment of the likelihood of an attack combined with the expected probability of success
- Use external references for values that have been reviewed/adjusted for your circumstances
- Assign a numeric value to likelihood, typically an annual value
- E.g.: targeted by hackers once every five years: 1/5, 20 percent
- Determine an attack's success probability by estimating a quantitative value (e.g., 10 percent) for the likelihood of a successful attack; the value is subject to uncertainty

Evaluating loss magnitude
- The next step is to determine how much of an information asset could be lost in a successful attack
- Also known as loss magnitude or asset exposure
- Combines the value of the information asset with the percentage of the asset lost in the event of a successful attack
- Difficulties involve:
  - Valuing an information asset
  - Estimating the percentage of the information asset lost during best-case, worst-case, and most likely scenarios

Calculating residual risk
- For the purpose of relative risk assessment, risk equals:
  loss frequency TIMES loss magnitude MINUS the percentage of risk mitigated by current controls PLUS measurement uncertainty

Slide 27: Problem
Q: An ecommerce database has a 10% chance of an attack this year based on industry reports (one attack in ten years). The InfoSec department reports that if the infrastructure is attacked there is a 50% chance of success based on current asset vulnerabilities and protection. The asset is valued at 50 on a 0-100 scale, and InfoSec informs that 80% of the asset will be compromised by a successful attack. Measurements are 75% accurate. Estimate the risk.

Slide 28: Example
Q: The ecommerce database problem stated on the previous slide.
A:
Likelihood: 0.1; attack success probability: 0.5
Loss frequency: 0.1 * 0.5 = 0.05
Loss magnitude: 0.8 * 50 = 40
Risk = 0.05 * 40 + error = 2 + 2 * 0.25 = 2.5
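The residual-risk formula and the TVA worksheet above can be combined into a small calculator that scores every threat-vulnerability-asset row and ranks them, which is what the prioritization step is for. The following is an added example written for this page, not code from the slides or the course; the worked problem from Slide 28 is the first row of a constructed sample worksheet (the other rows are made-up values for illustration), and the handling of the mitigation term as a fraction of the loss frequency x loss magnitude product is an assumption, since the slides' worked problem involves no controls:

```python
"""Residual-risk calculation and TVA-style ranking (added example, not from the slides)."""
from dataclasses import dataclass


def loss_frequency(attack_likelihood: float, success_probability: float) -> float:
    """Annual likelihood of an attack times the probability that it succeeds."""
    return attack_likelihood * success_probability


def loss_magnitude(asset_value: float, fraction_lost: float) -> float:
    """Relative asset value (e.g. on a 0-100 scale) times the fraction lost on success."""
    return asset_value * fraction_lost


def residual_risk(attack_likelihood: float, success_probability: float,
                  asset_value: float, fraction_lost: float,
                  fraction_mitigated: float = 0.0,
                  measurement_accuracy: float = 1.0) -> float:
    """Risk = LF x LM - (share mitigated by current controls) + (measurement uncertainty).

    Uncertainty is applied as (1 - accuracy) of the base LF x LM product, exactly as the
    slide example does (2 + 2 * 0.25). Applying the mitigation share to the same base
    product is an assumption of this example; the slides' problem has no controls.
    """
    for name, value in (("attack_likelihood", attack_likelihood),
                        ("success_probability", success_probability),
                        ("fraction_lost", fraction_lost),
                        ("fraction_mitigated", fraction_mitigated),
                        ("measurement_accuracy", measurement_accuracy)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1, got {value}")
    base = loss_frequency(attack_likelihood, success_probability) * \
        loss_magnitude(asset_value, fraction_lost)
    mitigated = base * fraction_mitigated
    uncertainty = base * (1.0 - measurement_accuracy)
    return base - mitigated + uncertainty


@dataclass
class TvaEntry:
    """One row of a threat-vulnerability-asset worksheet."""
    asset: str
    threat: str
    vulnerability: str
    attack_likelihood: float
    success_probability: float
    asset_value: float
    fraction_lost: float
    fraction_mitigated: float = 0.0
    measurement_accuracy: float = 1.0

    def risk(self) -> float:
        return residual_risk(self.attack_likelihood, self.success_probability,
                             self.asset_value, self.fraction_lost,
                             self.fraction_mitigated, self.measurement_accuracy)


def rank_tva(entries):
    """Return (entry, risk) pairs, highest residual risk first."""
    scored = [(entry, entry.risk()) for entry in entries]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample worksheet. The first row is the slides' ecommerce database problem
# (10% attack likelihood, 50% success, value 50, 80% lost, 75% accurate); the other two
# rows are made-up values chosen only to illustrate ranking and the mitigation term.
SAMPLE_TVA = [
    TvaEntry("Ecommerce database", "Hacker", "Exposed database service",
             0.1, 0.5, 50, 0.8, 0.0, 0.75),
    TvaEntry("DMZ router", "Brute force", "Guessable admin password",
             0.2, 0.3, 30, 1.0, 0.5, 0.9),
    TvaEntry("Customer records", "Phishing", "Reused staff credentials",
             0.5, 0.2, 80, 0.4, 0.25, 0.8),
]

if __name__ == "__main__":
    for entry, risk in rank_tva(SAMPLE_TVA):
        print(f"{risk:5.2f}  {entry.asset:20s} {entry.threat:12s} {entry.vulnerability}")
```

Running the script prints the rows in priority order: the customer records row scores 3.04, the slide's ecommerce database 2.50, and the DMZ router 1.08 (its 50% mitigation by existing controls halves an otherwise larger base). Keeping likelihood, success probability and loss fraction as separate inputs, rather than a single pre-multiplied number, makes it visible which estimate drives a row's rank and which one the measurement-accuracy term is padding for.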