Anitian's Rapid Risk Assessment is a revolutionary new way to approach risk. It is an accelerated version of the NIST 800-30 methodology designed to put Business Risk Intelligence into the hands of executive leadership to fuel informed, data-driven decision making.
ANITIAN: intelligent information security
RAPID RISK ASSESSMENT: A NEW APPROACH TO RISK
Overview
Intent
• Discuss the problems with current risk assessment techniques
• Introduce Rapid Risk Assessment, a new way to do risk assessments
Outline
1. The Risk Environment
2. Failure of Current Risk Assessment Practices
3. Preparing for Rapid Risk Assessment
4. The Rapid Risk Assessment Process
Speaker: Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions
We enlighten, protect and empower great security leaders. We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis
THE RISK ENVIRONMENT
What is Risk Assessment?
• Answers simple questions:
  • What could harm the organization?
  • How bad would it be?
  • How do we prevent it?
• Risk assessment aims to:
  • Identify threats
  • Determine the risk of those threats
  • Craft reasonable remedies to mitigate, transfer or accept risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible risk decisions
Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces the need for risk assessment
  • Assessment to define the risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires a risk analysis of any suspected breach to determine whether notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to re-perform assessments when there are changes
Increased Scrutiny
• From HIPAA Omnibus:
“…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?
THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES
Something Is Not Right Here
• For years, people have been complaining about risk assessment:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…
Practitioners are Questioning Risk Assessment
Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
With Mixed Results
“For any risk management method … we must ask … ‘How do we know it works?’ If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.”
Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
The Problem
• Current practices are…
  • Too slow
  • Incomprehensible to leadership
  • Failing to provide clear actionable steps to reduce risk
  • Failing to protect the business
How did this happen?
Fail 1: Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:
“Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.”
Fail 2: The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It's impossible to establish a true value for an IT asset
• Misleading; creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking
Fail 3: Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are too time consuming
• Risk assessments need to be done in 30 days or less
• Surveys and questionnaires do not work; people ignore them
• Risk assessment is not a consensus of opinions
Fail 4: Probability Can Be Flawed
“On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
• Breach statistics are flawed, since most do not report breaches
Fail 5: Lack of Evidence
• Current risk assessment methodologies focus heavily on process and documentation
• People omit negative information on surveys or questionnaires
• Without technical testing, how do you prove whether vulnerabilities are real?
• Leadership must be able to trust that assessment conclusions are valid
We Need a New Way to do Risk Assessment
• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker
Introducing Rapid Risk Assessment
• Accelerates the risk assessment process
• Integrated technical testing
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in favor of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” to categorize and contextualize threats
• Establishes authority to make risk judgments
• Fully vetted for PCI, HIPAA, FFIEC, NERC
PREPARING FOR RAPID RISK ASSESSMENTS
1. Get Everybody to Agree on the Core Six Words
• Risk is an over-used word that is often misunderstood.
• Get everybody using proper risk terminology:
Threat: Something bad that might happen
Vulnerability: A weakness a threat could exploit
Impact: How badly a threat could damage the business
Probability: How likely a threat is in a given timeframe
Control: Something that mitigates a threat
Risk: An assessment of a threat based upon its probability and impact in relation to the relevant controls
2. Simplify the Content
• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Express risk as it *is* without conjecture or indecisiveness
• Use active voice in all risk documentation
• Should be able to sum up the entire assessment effort in a few bullet points
3. Conduct Technical Testing
• Test in-scope assets for vulnerabilities
• Assign IT-savvy people to the risk team with skills in:
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses
4. Sell Risk Assessment to Leadership
• Management must support the risk assessment effort
• Must have access to business process owners and IT custodians
• Need ability to test, or access to testing data
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement
THE RAPID RISK ASSESSMENT PROCESS
1. Establish Scope & Lens
• Scope: what assets are in scope (can be anything)
• Lens: how will you look at the assets?
  • Data types: customer, internal, security, etc.
  • System: server, workstation, infrastructure
  • Application: user, customer, financial, etc.
  • Location: offices, divisions, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension
2. Interview Stakeholders
• No questionnaires or surveys; conduct face-to-face discussions
• Questions should be open-ended, and encourage venting:
  • Chase the rabbit (data)
  • Focus on current state
  • Document answers
Leadership
• “How would you kill this company?”
Business process owners
• “What is critical?”
• “How would you cause harm?”
• “How bad would it be?”
IT custodians
• “Walk me through how you manage this environment.”
3. Test the Environment
• Scan and test all in-scope assets
  • Vulnerability scanning
  • Penetration testing
  • Web application testing
  • Database testing
  • Configuration analysis (sample as needed)
• Review AV / IPS / Firewall logs (sample and spot check)
• Are people following security policies?
• Risk analysis must be grounded in REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must
4. Define Threats & Correlate Data
• Define threats: something bad that could happen
• Organize threats into simplified categories
  • Technical: threat to systems, hardware, applications, etc.
  • Operational: threats that affect practices, procedures, or business functions
  • Relational: threat to a relationship between groups, people or third parties
  • Physical: threats to facilities, offices, etc.
  • Reputational (optional): threats to the organization’s reputation, perception, or public opinion
• Keep threats simple (see examples next slide)
• Avoid compound or cascading threats
Threat Samples
• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • A hacker breaks into the election system and uses the data to threaten people and influence politicians
  • Missing patches on systems
5. Define Probability & Impact Scale
Probability (Metric: Description)
• Certain: >95% likelihood of occurrence within the next 12 months.
• High: 50-95% likelihood of occurrence within the next 12 months.
• Medium: 20-49% likelihood of occurrence within the next 12 months.
• Low: 1-20% likelihood of occurrence within the next 12 months.
• Negligible: <1% likelihood of occurrence within the next 12 months.
Impact (Metric: Description)
• Critical: Catastrophic effect on the Data Asset.
• High: Serious impact on the Data Asset's functionality.
• Medium: Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
• Low: Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
• Negligible: Data Asset remains functional for the business with no noticeable slowness or downtime.
6. Build a Threat Matrix
• A spreadsheet that defines each threat with the following attributes:
  • Threat name
  • Threat type
  • Affected assets
  • Vulnerabilities
  • Impact
  • Impact type
  • Mitigating controls
  • Probability
  • Risk
  • Risk Mitigation
  • Residual Risk
Risk Matrix Example
Columns: Threat | Threat Type | Affected Systems, Processes or Place | Affected Data Types | Vulnerabilities | Impact | Impact Type | Mitigating Controls | Probability | Risk | Risk Type | Risk Mitigation | Residual Risk

Row 1
• Threat: A data center disaster puts the systems off line for an indefinite period of time
• Threat Type: Physical
• Affected Systems, Processes or Place: SampleCorp; 123SampleApp
• Affected Data Types: ePHI; PII
• Vulnerabilities: The current SampleCorp and 123SampleApp production systems have no geographical diversity
• Impact: Critical
• Impact Type: Availability
• Mitigating Controls: The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
• Probability: Negligible
• Risk: Medium
• Risk Type: Reputational; Financial; Regulatory; Legal
• Risk Mitigation: Implement the following components of the Common Control Framework: Develop a secondary location with a recent backup copy of the data. Anitian
• Residual Risk: Low

Row 2
• Threat: A disaster interrupts business processes
• Threat Type: Operational
• Affected Systems, Processes or Place: SampleCorp; 123SampleApp
• Affected Data Types: ePHI; PII
• Vulnerabilities: A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications
• Impact: High
• Impact Type: Availability
• Mitigating Controls: 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business. Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed.
• Probability: Low
• Risk: Medium
• Risk Type: Reputational; Financial; Regulatory; Legal
• Risk Mitigation: Implement the following components of the Common Control Framework: Develop and test a formal BCP and DRP
• Residual Risk: Low

Row 3
• Threat: A disaster interrupts business processes
• Threat Type: Operational; Physical
• Affected Systems, Processes or Place: All corporate and production systems
• Affected Data Types: BSD
• Vulnerabilities: A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications; The current SampleCorp and 123SampleApp production systems have no geographical diversity
• Impact: High
• Impact Type: Availability
• Mitigating Controls: 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business. Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed. The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
• Probability: Low
• Risk: Medium
• Risk Type: Reputational; Financial; Regulatory; Legal
• Risk Mitigation: Implement the following components of the Common Control Framework: Develop and test a formal BCP and DRP; Develop a secondary location with a recent backup copy of the data. Anitian understands that this is already under consideration, and SampleCorp should move ahead with its plans.
• Residual Risk: Low
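As an added worked example (not code from the Anitian deck), the step 5 scales and the step 6 threat matrix above as a small Python model: a 12-month likelihood mapped onto the probability bands, a threat record with the matrix attributes, a risk rating, and the ranking that the step 7 report's top-10 list needs. The deck does not publish its impact x probability lookup, so RISK_TABLE is an assumption chosen to agree with the sample rows on this page (Critical x Negligible = Medium, High x Low = Medium, and the report sample's High x Certain = Critical); treating residual risk as a re-rating from an assessor-supplied post-mitigation estimate is likewise an assumption.

```python
from dataclasses import dataclass

# The deck's five-level scales, least to most severe (list index = severity).
PROBABILITY = ["Negligible", "Low", "Medium", "High", "Certain"]  # within the next 12 months
IMPACT = ["Negligible", "Low", "Medium", "High", "Critical"]
RISK = ["Negligible", "Low", "Medium", "High", "Critical"]

# ASSUMED lookup (rows: impact, columns: probability); the deck does not publish one. It is
# chosen so the deck's samples hold: Critical x Negligible = Medium, High x Low = Medium, High x Certain = Critical.
RISK_TABLE = [
    [0, 0, 1, 1, 2],  # Negligible impact
    [0, 1, 1, 2, 2],  # Low impact
    [1, 1, 2, 3, 3],  # Medium impact
    [1, 2, 3, 4, 4],  # High impact
    [2, 3, 4, 4, 4],  # Critical impact
]

def probability_band(p: float) -> str:
    """Map a 12-month likelihood p (in %) onto the probability scale, using the
    slide's ranges: >95 Certain, 50-95 High, 20-49 Medium, 1-20 Low, <1 Negligible."""
    if p > 95: return "Certain"
    if p >= 50: return "High"
    if p >= 20: return "Medium"
    if p >= 1: return "Low"
    return "Negligible"

def rate(impact: str, probability: str) -> str:
    """Risk level for an impact/probability pair, via the assumed table."""
    return RISK[RISK_TABLE[IMPACT.index(impact)][PROBABILITY.index(probability)]]

@dataclass
class Threat:
    """One threat-matrix row, carrying the attributes the deck lists in step 6."""
    name: str
    threat_type: str  # Technical / Operational / Relational / Physical / Reputational
    affected_assets: tuple
    vulnerabilities: tuple
    impact: str
    impact_type: str
    mitigating_controls: tuple
    probability: str
    risk_mitigation: tuple = ()
    residual_impact: str = ""       # assessor's post-mitigation estimate (assumption);
    residual_probability: str = ""  # blank means the mitigation leaves it unchanged
    @property
    def risk(self) -> str:
        return rate(self.impact, self.probability)
    @property
    def residual_risk(self) -> str:
        return rate(self.residual_impact or self.impact, self.residual_probability or self.probability)

def top_threats(threats, n=10):
    """Highest risk first, for the report's 'top 10 most serious threats' list."""
    return sorted(threats, key=lambda t: RISK.index(t.risk), reverse=True)[:n]
```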
7. Develop a Business Risk Intelligence Report
• Summarize risks to the business
• List the top 10 most serious threats
• Simplify the data into:
  • Threat
  • Vulnerabilities
  • Recommendation
  • Rankings for impact, probability and risk
• Develop an Action Plan that rolls up recommendations
• Make specific recommendations, no vague suggestions
• Keep report under 15 pages (preferably 5-10)
Business Risk Intelligence Report Sample
Columns: Threat | Vulnerabilities | Recommendation | Impact | Probability | Risk

Threat: Malware infection
Vulnerabilities:
• Outdated anti-virus
• Lack of anti-virus on 36% of servers
• 32 high ranked vulnerabilities on in-scope systems
• Lack of virus scanning at the network layer
Recommendation:
• Endpoint antivirus must be installed on all hosts.
• All endpoint antivirus must be updated daily
• All systems must have new patches applied within 30 days of release.
• Company must deploy a more robust patch management platform.
• Implement a core firewall that can perform virus scanning at the network layer.
Impact: H
Probability: C
Risk: C
Action Plan Example
Columns: # | Action | Description | Estimate | Effort

1. Action: Integrate all critical devices with SIEM
Description:
• Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices.
• Tune event correlation, incident thresholds and alerting.
• Integrate alerting with incident response plan.
• This work is critical because currently little or no automated review or alerting for unauthorized access to PHI occurs.
Estimate: 200-280 hours
Effort: High
Do Not…
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory; nobody cares
• Send out questionnaires, surveys or spreadsheets; nobody will do them correctly
• Use a lot of risk terminology; nobody understands it
• Document indecision; it shows weakness
• Create complexity to make things feel more important
• Create phony numbers to make it feel true
• Use inaccessible matrices, worksheets, or process flows
• Waste time with sensationalist threats
• Involve anybody who sells you equipment in the process
Do
• Use simple language
• Define simplistic threats
• List simple vulnerabilities
• Keep impact and probability simple
• Establish authority with experience, language, and presence
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely
Thank You
EMAIL: [email protected]
www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN