
Risk Analysis

COEN 250
Risk Management
- Risk Management consists of
  - Risk Assessment
  - Risk Mitigation
  - Risk Evaluation and Assessment (ongoing)
- Risk Management allows an organization to
  - Balance the operational and economic costs of protective measures
Risk Management and
System Development Life Cycle
- Phase 1 – Initiation
  - Need for an IT system is expressed, scope is documented
  - Identified risks are used to develop
    - System requirements, including security requirements
    - Security strategy (concept of operations)
- Phase 2 – Development or Acquisition
  - IT system is designed, purchased, programmed, developed
  - Risks identified during this phase are used to
    - Support security analyses of the system
    - Drive architecture and design trade-offs during development
Risk Management and
System Development Life Cycle
- Phase 3 – Implementation
  - System features are configured, enabled, tested, verified
  - Risk management supports assessment of the system implementation against its requirements and the modeled operational environment
- Phase 4 – Operation or Maintenance
  - System performs its functions
  - Typically modified on an ongoing basis
  - Risk management activities:
    - System reauthorization / reaccreditation
      - Periodic
      - Triggered by changes in the system
      - Triggered by changes in the operational production environment
Risk Management and
System Development Life Cycle
- Phase 5 – Disposal
  - Disposition of
    - Information
    - Hardware
    - Software
  - Activities
    - Moving
    - Archiving
    - Discarding
    - Destroying
    - Sanitizing
  - Risk management:
    - Ensure proper disposal of software and hardware
    - Proper handling of residual data
    - System migration conducted securely and systematically
Risk Management and
System Development Life Cycle
- Risk management is a management responsibility
  - Senior management
    - Ensures effective application of the resources necessary to develop mission capabilities
    - Needs to assess and incorporate the results of risk management into the decision-making process
  - Chief Information Officer (CIO)
    - Responsible for planning, budgeting, and performance of IT
    - Includes information security components
  - System and Information Owners
    - Responsible for ensuring that proper controls exist
    - Have to approve and sign off on changes to the IT system
    - Need to understand the role of risk management
Risk Management and
System Development Life Cycle
- Business and Functional Managers
  - Have the authority and responsibility to make trade-off decisions
  - Need to be involved in risk management
- Information System Security Officer (ISSO)
  - Responsible for the security program, including risk management
  - Plays the leading role in the risk management methodology
  - Acts as consultant to senior management
- IT Security Practitioners
  - Responsible for proper implementation of security requirements
  - Must support the risk management process to identify new potential risks
  - Must implement new security controls
- Security Awareness Trainers
  - Proper use of systems is instrumental in risk mitigation and IT resource protection
  - Must understand risk management
  - Must incorporate risk assessment into training programs
Risk Assessment
- Risk depends on
  - Likelihood of a given threat-source exercising a particular potential vulnerability
  - Resulting impact of the adverse event
Hypothetical 2003 Example
- Polish hacker N@te is upset at Polish control of Multinational Division Central South, Iraq
- His hacker group wants to attack www.wp.mil.pl
- Finds out
  - www.wp.mil.pl runs Apache
  - Runs an old version of OpenSSL vulnerable to a buffer overflow attack

Bejtlich: The Tao of Network Security Monitoring

Hypothetical 2003 Example

Factor         Description                          Assessment   Rationale
-------------  -----------------------------------  -----------  ------------------------------------------------
Threat         N@te and his buddies                 5/5          Has capability and intention
Vulnerability  Unpatched OpenSSL process            5/5          Vulnerability gives N@te root access;
                                                                 no countermeasures deployed
Asset Value    Military spends more than $10,000    4/5          Damage to Polish prestige, cost of web server
               annually
Risk           Loss of integrity and control of     100/125      Threat x Vulnerability x Asset Value
               web server and site                               = 5 x 5 x 4 = 100 of a possible 125

Bejtlich: The Tao of Network Security Monitoring

Hypothetical 2003 Example
- The Polish military does not know N@te, but knows about its exposure
- Needs to know about the vulnerability
- The risk assessment changes dramatically once the vulnerability is recognized
Vulnerability ≠ Threat
- February 2002 SNMP vulnerability
  - SNMP is a widespread network management protocol
  - Potentially affected most network devices
  - However, NO exploits were discovered
Vulnerability ≠ Threat
- Windows RPC vulnerability of 2003
  - Dozens of exploits
  - Blaster worm caused more than $1,000,000,000 in damage
Risk Assessment
- Step 1: System Characterization
  - Collect system-related information
    - Hardware
    - Software
    - Connectivity
    - Data and information
    - Users and support
    - System mission
    - System and data criticality and sensitivity
    - …
Risk Assessment
- Step 2: Threat Identification
  - Threat source identification
    - Natural events:
      - Floods, fires, earthquakes, …
    - Human threats:
      - Unintentional acts
      - Deliberate actions
      - Consider motivations and actions
    - Environmental threats
      - Long-term power failure, pollution, chemicals, liquid leakage
Risk Assessment
- Step 3: Vulnerability Identification
  - Varies with SDLC phase
  - Sources
    - Previous risk assessment documents
    - IT system audits and logs
    - Vulnerability lists (NIST ICAT, since replaced by the NVD; CERT; SANS; SecurityFocus.com)
    - Security advisories
    - Vendor advisories
    - System software security analyses
Risk Assessment
- Step 3: Vulnerability Identification
  - Security Testing
    - Automated vulnerability scanning tools
    - Penetration testing
    - Security Test and Evaluation (ST&E)
      - Develop a test plan
      - Test the effectiveness of security controls
    - See NIST SP 800-42 (Guideline on Network Security Testing, since superseded by SP 800-115)
Risk Assessment
- Step 3: Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Management Security
      - Assignment of responsibilities
      - Continuity of support
      - Incident response capability
      - Periodic review of security controls
      - Personnel clearance and background investigations
      - Risk assessment
      - Separation of duties
      - System authorization and reauthorization
      - System or application security plan
Risk Assessment
- Step 3: Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Operational Security
      - Control of air-borne contaminants
      - Controls to ensure the quality of the electrical power supply
      - Data media access and disposal
      - External data distribution and labeling
      - Facility protection (e.g., computer room, data center, office)
      - Humidity control
      - Temperature control
      - Workstations, laptops, and stand-alone personal computers
Risk Assessment
- Step 3: Vulnerability Identification
  - Develop a Security Requirements Checklist
    - Technical Security
      - Communications (e.g., dial-in, system interconnection, routers)
      - Cryptography
      - Discretionary access control
      - Identification and authentication
      - Intrusion detection
      - Object reuse
      - System audit
Risk Assessment
- Step 3: Vulnerability Identification
  - Outcome: a list of system vulnerabilities that could be exercised by a potential threat source
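The N@te example above starts from one reconnaissance fact (the web server advertises Apache with an old OpenSSL) matched against an advisory. The following is an added example for this step, not code from the course or from Bejtlich's book: it parses an HTTP Server banner into component versions and compares them with affected-version ranges of the kind the vulnerability lists and vendor advisories above provide. The AFFECTED table and the banners are constructed for the demonstration; the OpenSSL entry is modeled on the July 2002 OpenSSL advisory (SSLv2 overflows fixed in 0.9.6e and 0.9.7-beta3) and must be verified against the advisory before real use.

```python
"""Step 3 helper: component versions from an HTTP Server banner, checked
against constructed affected-version ranges. Added example, not course code."""
import re

# product -> list of (first affected, first fixed); lower bound inclusive,
# upper bound exclusive. Constructed for this example.
AFFECTED = {
    "OpenSSL": [("0", "0.9.6e"), ("0.9.7-beta1", "0.9.7-beta3")],
}

# 'Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6c' -> name/version tokens
_COMPONENT = re.compile(r"([A-Za-z_][\w-]*)/([0-9][\w.-]*)")


def parse_banner(banner: str) -> dict:
    """Map each product in the banner to its version string."""
    return {m.group(1): m.group(2) for m in _COMPONENT.finditer(banner)}


def version_key(version: str) -> list:
    """Sortable key so that 0.9.6c < 0.9.6e < 0.9.7-beta2 < 0.9.7 < 0.9.7a.
    Plain string comparison gets '0.9.6e' < '0.9.10' wrong, hence the split."""
    key = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)(?:-([A-Za-z0-9]+))?", piece)
        if not m:
            raise ValueError(f"cannot parse version component {piece!r} in {version!r}")
        number, letters, prerelease = m.groups()
        # A pre-release (7-beta2) sorts below the final release with the same number.
        key.append((int(number), 0 if prerelease else 1, letters, prerelease or ""))
    return key


def check_banner(banner: str, affected: dict = AFFECTED) -> list:
    """Return (product, version, first fixed version) for every component whose
    advertised version falls inside an affected range."""
    hits = []
    components = parse_banner(banner)
    for product, ranges in affected.items():
        if product not in components:
            continue
        key = version_key(components[product])
        for first_affected, first_fixed in ranges:
            if version_key(first_affected) <= key < version_key(first_fixed):
                hits.append((product, components[product], first_fixed))
    return hits


# Constructed banners, not captured from any real host.
OLD = "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6c"
PATCHED = "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g"
BETA = "Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.7-beta2"

if __name__ == "__main__":
    for banner in (OLD, PATCHED, BETA):
        print(banner, "->", check_banner(banner) or "no match")
```

A banner match is only a lead: servers can hide or spoof version strings (Apache's ServerTokens directive, for instance), and a backported fix may leave the version number unchanged, so the finding still has to be confirmed by the scanner or penetration test before it goes into the vulnerability list that Step 3 produces.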
Risk Assessment
- Step 4: Control Analysis
  - Control methods
    - Technical methods
      - Safeguards built into computer hardware, software, firmware
    - Nontechnical methods
      - Management and operational controls
      - Security policies
      - Operational procedures
      - Personnel security
      - Physical security
      - Environmental security
Risk Assessment
- Step 4: Control Analysis
  - Control categories
    - Preventive controls
    - Detective controls
Risk Assessment
- Step 4: Control Analysis
  - Compare against the security requirements checklist to validate security compliance or non-compliance
  - Output:
    - List of current or planned controls
Risk Assessment
- Step 5: Likelihood Determination
  - Governing factors
    - Threat-source motivation and capability
    - Nature of the vulnerability
    - Existence and effectiveness of current controls
  - Assign likelihood levels
Risk Assessment
- Step 6: Impact Analysis
  - Requires
    - System mission
    - System and data criticality
    - System and data sensitivity
  - Impact can typically be described as
    - Loss of integrity
    - Loss of availability
    - Loss of confidentiality
Risk Assessment
- Step 6: Impact Analysis
  - Can be done quantitatively or qualitatively
Risk Assessment
- Step 7: Risk Determination
  - Risk Level Matrix
    - Composed of threat likelihood and impact
    - Determines the risk scale
  - Risk Scale
    - Used to determine and prioritize activities
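Steps 5 through 7 carried through in code, as an added example that is not part of the course slides. The likelihood rule is a simplification of the NIST SP 800-30 (2002) definitions (highly motivated and capable source with ineffective controls is High; motivated and capable source but controls that impede is Medium; otherwise Low), and the numeric scale is the example risk-level matrix from the same document: likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk High above 50, Medium above 10, else Low. The weights are kept as integers scaled by ten so the products are exact. The multiplicative score from the N@te table (each factor 1 to 5, maximum 125) is included for comparison. The findings at the bottom are constructed.

```python
"""Steps 5-7: likelihood level, risk score and level on the NIST SP 800-30
example matrix, and a prioritized finding list. Added example, not course code."""
from dataclasses import dataclass

# Likelihood weights x10 (High 1.0, Medium 0.5, Low 0.1) and impact weights.
LIKELIHOOD = {"high": 10, "medium": 5, "low": 1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


def likelihood_level(motivated_and_capable: bool, controls: str) -> str:
    """Step 5: threat-source motivation/capability combined with the
    effectiveness of current controls: 'none', 'impede' or 'prevent'."""
    if controls not in ("none", "impede", "prevent"):
        raise ValueError(f"unknown control effectiveness {controls!r}")
    if not motivated_and_capable or controls == "prevent":
        return "low"
    return "medium" if controls == "impede" else "high"


def risk_score(likelihood: str, impact: str) -> int:
    """Step 7: likelihood x impact on the NIST example scale (1..100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact] // 10


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score onto the risk scale: >50 High, >10 Medium, else Low."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass
class Finding:
    name: str
    motivated_and_capable: bool  # threat source (Step 5)
    controls: str                # 'none' | 'impede' | 'prevent' (Steps 4-5)
    impact: str                  # loss of C/I/A rated high/medium/low (Step 6)


def prioritize(findings) -> list:
    """Rank findings by risk score, highest first, as input to risk mitigation.
    Each row is (name, likelihood, impact, score, level)."""
    rows = []
    for f in findings:
        lk = likelihood_level(f.motivated_and_capable, f.controls)
        rows.append((f.name, lk, f.impact, risk_score(lk, f.impact), risk_level(lk, f.impact)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def bejtlich_risk(threat: int, vulnerability: int, asset_value: int) -> tuple:
    """Scoring used in the N@te table: each factor rated 1..5,
    risk = threat x vulnerability x asset value out of a maximum of 125."""
    for factor in (threat, vulnerability, asset_value):
        if not 1 <= factor <= 5:
            raise ValueError("factors are rated 1..5")
    return threat * vulnerability * asset_value, 125


# Constructed findings for the demonstration, not real systems.
FINDINGS = [
    Finding("Unpatched OpenSSL on public web server", True, "none", "high"),
    Finding("Weak password policy on intranet wiki", True, "impede", "medium"),
    Finding("Backup tapes in unlocked cabinet", False, "none", "high"),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
    print("N@te example:", bejtlich_risk(5, 5, 4))
```

Note that on this scale a Low likelihood against a High impact scores 10 and lands in Low, and a Medium likelihood against a High impact scores exactly 50 and lands in Medium; the thresholds are strict, so the boundary cases are worth checking when a team writes its own matrix.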
Risk Assessment
- Step 8: Control Recommendations
  - Reduce risks to data and system to an acceptable level
  - Base the evaluation on
    - Effectiveness
    - Legislation and regulation
    - Organizational policy
    - Operational impact
    - Safety and reliability
  - Perform cost-benefit analysis
Risk Assessment
- Step 9: Results Documentation
  - Risk assessment report
    - Describes threats and vulnerabilities
    - Measures risk
    - Provides recommendations for control implementation
Risk Mitigation
- Prioritizing, evaluating, and implementing appropriate risk-reducing controls
Risk Mitigation
- Options
  - Risk Assumption
    - To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
  - Risk Avoidance
    - To avoid the risk by eliminating the risk cause and/or consequence
  - Risk Limitation
    - To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
  - Risk Planning
    - To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
  - Research and Acknowledgment
    - To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
  - Risk Transference
    - To transfer the risk by using other options to compensate for the loss, such as purchasing insurance
Risk Mitigation
- Control Implementation
  - Prioritize actions
  - Evaluate recommended control options
  - Conduct cost-benefit analysis
  - Select control
  - Assign responsibility
  - Develop a safeguard implementation plan
  - Implement selected control(s)
