
Rapid Risk Assessment


Description

Anitian's Rapid Risk Assessment is a revolutionary new way to approach risk. It is an accelerated version of the NIST 800-30 methodology designed to put Business Risk Intelligence into the hands of executive leadership to fuel informed, data-driven decision making.


Page 1: Rapid Risk Assessment

ANITIAN: intelligent information security

RAPID RISK ASSESSMENT: A NEW APPROACH TO RISK

Page 2: Rapid Risk Assessment


Overview

Intent
• Discuss the problems with current risk assessment techniques
• Introduce Rapid Risk Assessment, a new way to do risk assessments

Outline
1. The Risk Environment
2. Failure of Current Risk Assessment Practices
3. Preparing for Rapid Risk Assessment
4. The Rapid Risk Assessment Process

Page 3: Rapid Risk Assessment


Speaker: Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions

Page 4: Rapid Risk Assessment


We enlighten, protect and empower great security leaders. We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis


Page 5: Rapid Risk Assessment


THE RISK ENVIRONMENT

Page 6: Rapid Risk Assessment


What is Risk Assessment?
• Answers simple questions:
  • What could harm the organization?
  • How bad would it be?
  • How do we prevent it?
• Risk assessment aims to:
  • Identify threats
  • Determine the risk of those threats
  • Craft reasonable remedies to mitigate, transfer or accept risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible risk decisions

Page 7: Rapid Risk Assessment


Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces need for risk assessment
  • Assessment to define risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to reperform assessments when there are changes

Page 8: Rapid Risk Assessment


Increased Scrutiny
• From HIPAA Omnibus:

“…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”

• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?

Page 9: Rapid Risk Assessment


THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES

Page 10: Rapid Risk Assessment


Something Is Not Right Here
• For years, people have been complaining about risk assessment:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…

Page 11: Rapid Risk Assessment


Practitioners are Questioning Risk Assessment

Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html

Page 12: Rapid Risk Assessment


With Mixed Results

For any risk management method … we must ask …“How do we know it works?” If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.

Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.

Page 13: Rapid Risk Assessment


The Problem
• Current practices are…
  • Too slow
  • Incomprehensible to leadership
  • Failing to provide clear actionable steps to reduce risk
  • Failing to protect the business
• How did this happen?

Page 14: Rapid Risk Assessment


Fail 1: Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:

  Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.

Page 15: Rapid Risk Assessment


Fail 2: The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish the true value of an IT asset
• Misleading, creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking

Page 16: Rapid Risk Assessment


Fail 3: Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are too time consuming
• Risk assessments need to be done in 30 days or less
• Surveys and questionnaires do not work, people ignore them
• Risk assessment is not a consensus of opinions

Page 17: Rapid Risk Assessment


Fail 4: Probability Can Be Flawed

“On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999

• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
• Breach statistics are flawed, since most do not report breaches

Page 18: Rapid Risk Assessment


Fail 5: Lack of Evidence
• Current risk assessment methodologies focus heavily on process and documentation
• People omit negative information on surveys or questionnaires
• Without technical testing, how do you prove if vulnerabilities are real or not?
• Leadership must be able to trust that assessment conclusions are valid

Page 19: Rapid Risk Assessment


We Need a New Way to do Risk Assessment
• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker

Page 20: Rapid Risk Assessment


Introducing Rapid Risk Assessment
• Accelerates the risk assessment process
• Integrated technical testing
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in favor of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” to categorize and contextualize threats
• Establishes authority to make risk judgments
• Fully vetted for PCI, HIPAA, FFIEC, NERC

Page 21: Rapid Risk Assessment


PREPARING FOR RAPID RISK ASSESSMENTS

Page 22: Rapid Risk Assessment


1. Get Everybody to Agree on the Core Six Words
• Risk is an over-used word that is often misunderstood.
• Get everybody using proper risk terminology

Threat: Something bad that might happen
Vulnerability: A weakness a threat could exploit
Impact: How badly a threat can damage the business
Probability: How likely a threat is in a given timeframe
Control: Something that mitigates a threat
Risk: An assessment of a threat based upon its probability and impact in relation to the relevant controls

Page 23: Rapid Risk Assessment


2. Simplify the Content
• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Express risk as it *is* without conjecture or indecisiveness
• Use active voice in all risk documentation
• Should be able to sum up the entire assessment effort in a few bullet points

Page 24: Rapid Risk Assessment


3. Conduct Technical Testing
• Test in-scope assets for vulnerabilities
• Assign IT savvy people to the risk team with skills in:
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses

Page 25: Rapid Risk Assessment


4. Sell Risk Assessment to Leadership
• Management must support the risk assessment effort
• Must have access to business process owners and IT custodians
• Need ability to test, or access to testing data
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement

Page 26: Rapid Risk Assessment


THE RAPID RISK ASSESSMENT PROCESS

Page 27: Rapid Risk Assessment


1. Establish Scope & Lens
• Scope: what assets are in scope (can be anything)
• Lens: how will you look at the assets?
  • Data types: customer, internal, security, etc.
  • System: server, workstation, infrastructure
  • Application: user, customer, financial, etc.
  • Location: offices, divisions, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension

Page 28: Rapid Risk Assessment


2. Interview Stakeholders
• No questionnaires or surveys, conduct face to face discussions
• Questions should be open-ended, and encourage venting:
  • Chase the rabbit (data)
  • Focus on current state
  • Document answers

Leadership
• “How would you kill this company?”

Business process owners
• “What is critical?”
• “How would you cause harm?”
• “How bad would it be?”

IT custodians
• “Walk me through how you manage this environment.”

Page 29: Rapid Risk Assessment


3. Test the Environment
• Scan and test all in-scope assets
  • Vulnerability scanning
  • Penetration testing
  • Web application testing
  • Database testing
  • Configuration analysis (sample as needed)
• Review AV / IPS / Firewall logs (sample and spot check)
• Are people following security policies?
• Risk analysis must be grounded in REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must

Page 30: Rapid Risk Assessment


4. Define Threats & Correlate Data
• Define threats: something bad that could happen
• Organize threats into simplified categories
  • Technical: threats to systems, hardware, applications, etc.
  • Operational: threats that affect practices, procedures, or business functions
  • Relational: threats to a relationship between groups, people or third parties
  • Physical: threats to facilities, offices, etc.
  • Reputational (optional): threats to the organization’s reputation, perception, or public opinion
• Keep threats simple (see examples next slide)
• Avoid compound or cascading threats

Page 31: Rapid Risk Assessment


Threat Samples
• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • A hacker breaks into the election system and uses the data to threaten people and influence politicians
  • Missing patches on systems

Page 32: Rapid Risk Assessment


5. Define Probability & Impact Scale

Probability (likelihood of occurrence within the next 12 months):
  Certain     >95%
  High        50-95%
  Medium      20-49%
  Low         1-20%
  Negligible  <1%

Impact:
  Critical    Catastrophic effect on the Data Asset.
  High        Serious impact on the Data Asset's functionality.
  Medium      Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
  Low         Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
  Negligible  Data Asset remains functional for the business with no noticeable slowness or downtime.

Page 33: Rapid Risk Assessment


6. Build a Threat Matrix
• A spreadsheet that defines each threat with the following attributes:
  • Threat name
  • Threat type
  • Affected assets
  • Vulnerabilities
  • Impact
  • Impact type
  • Mitigating controls
  • Probability
  • Risk
  • Risk Mitigation
  • Residual Risk

Page 34: Rapid Risk Assessment


Risk Matrix Example

Columns: Threat | Threat Type | Affected Systems, Processes or Place | Affected Data Types | Vulnerabilities | Impact | Impact Type | Mitigating Controls | Probability | Risk | Risk Type | Risk Mitigation | Residual Risk

Row 1
  Threat: A data center disaster puts the systems off line for an indefinite period of time
  Threat Type: Physical
  Affected Systems, Processes or Place: SampleCorp; 123SampleApp
  Affected Data Types: ePHI; PII
  Vulnerabilities: The current SampleCorp and 123SampleApp production systems have no geographical diversity
  Impact: Critical
  Impact Type: Availability
  Mitigating Controls: The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
  Probability: Negligible
  Risk: Medium
  Risk Type: Reputational; Financial; Regulatory; Legal
  Risk Mitigation: Implement the following components of the Common Control Framework: Develop a secondary location with a recent backup copy of the data. Anitian
  Residual Risk: Low

Row 2
  Threat: A disaster interrupts business processes
  Threat Type: Operational
  Affected Systems, Processes or Place: SampleCorp; 123SampleApp
  Affected Data Types: ePHI; PII
  Vulnerabilities: A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications
  Impact: High
  Impact Type: Availability
  Mitigating Controls: 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business. Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed.
  Probability: Low
  Risk: Medium
  Risk Type: Reputational; Financial; Regulatory; Legal
  Risk Mitigation: Implement the following components of the Common Control Framework: Develop and test a formal BCP and DRP
  Residual Risk: Low

Row 3
  Threat: A disaster interrupts business processes
  Threat Type: Operational; Physical
  Affected Systems, Processes or Place: All corporate and production systems
  Affected Data Types: BSD
  Vulnerabilities: A formal Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) does not exist for critical systems and applications; The current SampleCorp and 123SampleApp production systems have no geographical diversity
  Impact: High
  Impact Type: Availability
  Mitigating Controls: 123SampleApp and SampleCorp are not highly time sensitive applications, and a short-duration downtime would not critically impact business. Business operations could theoretically be resumed by reconstructing databases from original sources in a moderate amount of time, but no formal business resumption test has been performed. The IO Data center appears to be a very well designed and well run facility, with multiply redundant power and network connectivity.
  Probability: Low
  Risk: Medium
  Risk Type: Reputational; Financial; Regulatory; Legal
  Risk Mitigation: Implement the following components of the Common Control Framework: Develop and test a formal BCP and DRP; Develop a secondary location with a recent backup copy of the data. Anitian understands that this is already under consideration, and SampleCorp should move ahead with its plans.
  Residual Risk: Low

Page 35: Rapid Risk Assessment


7. Develop a Business Risk Intelligence Report
• Summarize risks to the business
• List the top 10 most serious threats
• Simplify the data into:
  • Threat
  • Vulnerabilities
  • Recommendation
  • Rankings for impact, probability and risk
• Develop an Action Plan that rolls up recommendations
• Make specific recommendations, no vague suggestions
• Keep report under 15 pages (preferably 5-10)
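The following Python script is an added worked example, not code from the Anitian deck: it builds the threat matrix of steps 5 and 6 (the probability and impact scales, the row attributes, the threat categories of step 4) and produces the top-10 ranking and simplified columns that the Business Risk Intelligence Report in step 7 calls for. Two things in it are my assumptions, because the slides never state them: the rule that turns a probability and an impact into a risk rating (chosen so it reproduces the ratings visible in the deck's own samples: Critical impact with Negligible probability and High impact with Low probability both rated Medium, High impact with Certain probability rated Critical), and the 12-word limit that stands in for the "keep threats simple, avoid compound threats" guidance. The sample rows are constructed; the first two paraphrase the risk matrix example.

```python
from dataclasses import dataclass, field

# Five-step scales as defined on the "Define Probability & Impact Scale" slide
# (probability is judged over a fixed 12-month window).
PROBABILITY = ["Negligible", "Low", "Medium", "High", "Certain"]
IMPACT = ["Negligible", "Low", "Medium", "High", "Critical"]
RISK = ["Negligible", "Low", "Medium", "High", "Critical"]
# Threat categories from "Define Threats & Correlate Data".
THREAT_TYPES = {"Technical", "Operational", "Relational", "Physical", "Reputational"}
MAX_THREAT_WORDS = 12  # ASSUMPTION: proxy for "keep threats simple"


def risk_rating(probability: str, impact: str) -> str:
    """ASSUMPTION: the deck does not say how the two scales combine.
    Rounding the mean scale position upward matches the deck's samples:
    Negligible x Critical -> Medium, Low x High -> Medium, Certain x High -> Critical."""
    p, i = PROBABILITY.index(probability), IMPACT.index(impact)
    return RISK[(p + i + 1) // 2]


@dataclass
class Threat:
    """One row of the threat matrix, attributes per "Build a Threat Matrix"."""
    name: str
    threat_type: str
    affected_assets: list
    vulnerabilities: list
    impact: str
    impact_type: str
    probability: str
    mitigating_controls: list = field(default_factory=list)
    risk_mitigation: list = field(default_factory=list)
    residual_risk: str = ""  # the assessor's judgment after mitigation is applied

    @property
    def risk(self) -> str:
        return risk_rating(self.probability, self.impact)


def validate(t: Threat) -> list:
    """Problems that would make a row unusable: values off the scales,
    an unknown category, or a compound threat statement."""
    problems = []
    if t.threat_type not in THREAT_TYPES:
        problems.append(f"unknown threat type {t.threat_type!r}")
    if t.probability not in PROBABILITY:
        problems.append(f"probability {t.probability!r} not on the scale")
    if t.impact not in IMPACT:
        problems.append(f"impact {t.impact!r} not on the scale")
    if t.residual_risk and t.residual_risk not in RISK:
        problems.append(f"residual risk {t.residual_risk!r} not on the scale")
    if len(t.name.split()) > MAX_THREAT_WORDS:
        problems.append("threat statement is too long; split compound threats")
    return problems


def top_threats(threats, n=10):
    """Highest risk first; ties broken by impact, then probability."""
    def key(t):
        return (RISK.index(t.risk), IMPACT.index(t.impact), PROBABILITY.index(t.probability))
    return sorted(threats, key=key, reverse=True)[:n]


def report_rows(threats, n=10):
    """The simplified Threat / Vulnerabilities / Recommendation / Impact /
    Probability / Risk view used in the report."""
    return [{"Threat": t.name, "Vulnerabilities": t.vulnerabilities,
             "Recommendation": t.risk_mitigation, "Impact": t.impact,
             "Probability": t.probability, "Risk": t.risk}
            for t in top_threats(threats, n)]


# Constructed sample rows (not real assessment data).
SAMPLE = [
    Threat("A data center disaster puts the systems offline", "Physical",
           ["SampleCorp", "123SampleApp"], ["No geographical diversity for production systems"],
           impact="Critical", impact_type="Availability", probability="Negligible",
           mitigating_controls=["Redundant power and network connectivity at the data center"],
           risk_mitigation=["Develop a secondary location with a recent backup copy of the data"],
           residual_risk="Low"),
    Threat("A disaster interrupts business processes", "Operational",
           ["SampleCorp", "123SampleApp"], ["No formal DRP or BCP for critical systems"],
           impact="High", impact_type="Availability", probability="Low",
           risk_mitigation=["Develop and test a formal BCP and DRP"], residual_risk="Low"),
    Threat("Malware infection", "Technical", ["All servers"],
           ["Outdated anti-virus", "Lack of anti-virus on 36% of servers"],
           impact="High", impact_type="Availability", probability="Certain",
           risk_mitigation=["Endpoint antivirus on all hosts, updated daily"]),
    Threat("A hacker breaks into the election system and uses the data to threaten "
           "people and influence politicians", "Technical", ["Election system"], [],
           impact="High", impact_type="Confidentiality", probability="Low"),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.risk:10} {t.name[:45]:45} {validate(t)}")
    for row in report_rows(SAMPLE, 3):
        print(row["Risk"], "-", row["Threat"])
```

The validation step is where the "bad threat definition" from the Threat Samples slide is rejected: it is a cascading story, not a threat, and the word-count check flags it before it reaches the ranking. Everything else is plain bookkeeping, which is the point: the matrix carries no weights or formulas that an executive would have to trust blindly.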

Page 36: Rapid Risk Assessment


Business Risk Intelligence Report Sample

Threat: Malware infection
Vulnerabilities:
  • Outdated anti-virus
  • Lack of anti-virus on 36% of servers
  • 32 high ranked vulnerabilities on in-scope systems
  • Lack of virus scanning at the network layer
Recommendation:
  • Endpoint antivirus must be installed on all hosts.
  • All endpoint antivirus must be updated daily.
  • All systems must have new patches applied within 30 days of release.
  • Company must deploy a more robust patch management platform.
  • Implement a core firewall that can perform virus scanning at the network layer.
Impact: H
Probability: C
Risk: C
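The "Test the Environment" step says risk analysis must be grounded in real data, and the report sample above states that data as short evidence lines ("Lack of anti-virus on 36% of servers", "32 high ranked vulnerabilities on in-scope systems"). The following added Python script, which is not from the deck, shows one way to derive such lines from scan and inventory output: the host names, finding ids and dates are constructed sample data (the ids are placeholders, not real advisories), and the 30-day patch window and daily signature update are the thresholds the report's own recommendations set.

```python
from datetime import date

AS_OF = date(2013, 6, 1)  # constructed assessment date

# Constructed inventory + scan output for 11 in-scope servers (not real data).
# findings: (placeholder finding id, scanner severity, date the fix was released)
HOSTS = [
    {"host": "srv01", "av_installed": True,  "av_sig_age_days": 1,    "findings": [("VULN-01", "high", date(2013, 4, 1))]},
    {"host": "srv02", "av_installed": True,  "av_sig_age_days": 1,    "findings": []},
    {"host": "srv03", "av_installed": False, "av_sig_age_days": None, "findings": [("VULN-02", "high", date(2013, 5, 20)), ("VULN-03", "medium", date(2013, 3, 1))]},
    {"host": "srv04", "av_installed": True,  "av_sig_age_days": 14,   "findings": [("VULN-04", "high", date(2013, 2, 15))]},
    {"host": "srv05", "av_installed": False, "av_sig_age_days": None, "findings": [("VULN-05", "low", date(2013, 5, 25))]},
    {"host": "srv06", "av_installed": True,  "av_sig_age_days": 0,    "findings": []},
    {"host": "srv07", "av_installed": True,  "av_sig_age_days": 3,    "findings": [("VULN-06", "high", date(2013, 5, 28))]},
    {"host": "srv08", "av_installed": False, "av_sig_age_days": None, "findings": []},
    {"host": "srv09", "av_installed": True,  "av_sig_age_days": 1,    "findings": [("VULN-07", "medium", date(2013, 4, 10))]},
    {"host": "srv10", "av_installed": False, "av_sig_age_days": None, "findings": [("VULN-08", "high", date(2013, 1, 10))]},
    {"host": "srv11", "av_installed": True,  "av_sig_age_days": 1,    "findings": []},
]


def servers_without_av(hosts):
    return [h["host"] for h in hosts if not h["av_installed"]]


def av_gap_percent(hosts) -> int:
    """Share of in-scope servers with no endpoint antivirus, rounded to a whole percent."""
    return round(100 * len(servers_without_av(hosts)) / len(hosts))


def av_not_updated_daily(hosts):
    """Hosts whose signatures are older than one day (the 'updated daily' requirement)."""
    return [h["host"] for h in hosts if h["av_installed"] and h["av_sig_age_days"] > 1]


def high_findings(hosts) -> int:
    return sum(1 for h in hosts for _, sev, _ in h["findings"] if sev == "high")


def stale_patches(hosts, as_of=AS_OF, max_age_days=30):
    """Findings whose fix has been available longer than the 30-day window."""
    stale = []
    for h in hosts:
        for fid, _, released in h["findings"]:
            age = (as_of - released).days
            if age > max_age_days:
                stale.append((h["host"], fid, age))
    return stale


def evidence(hosts, as_of=AS_OF):
    """Vulnerability statements in the plain style of the report sample."""
    lines = [
        f"Lack of anti-virus on {av_gap_percent(hosts)}% of servers",
        f"{high_findings(hosts)} high ranked vulnerabilities on in-scope systems",
    ]
    outdated = av_not_updated_daily(hosts)
    if outdated:
        lines.append(f"Outdated anti-virus on {len(outdated)} servers")
    stale = stale_patches(hosts, as_of)
    if stale:
        systems = {host for host, _, _ in stale}
        lines.append(f"{len(stale)} patches older than 30 days on {len(systems)} systems")
    return lines


if __name__ == "__main__":
    for line in evidence(HOSTS):
        print("-", line)
    for host, fid, age in stale_patches(HOSTS):
        print(f"  {host}: {fid} fix available for {age} days")
```

Each statement the script emits can be traced back to a host and a finding, which is what lets the assessor stand behind the numbers in front of leadership; the percentages are counts over an inventory, not subjective scores, so they do not fall under the "fallacy of numbers" criticism made earlier in the deck.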

Page 37: Rapid Risk Assessment


Action Plan Example

#: 1
Action: Integrate all critical devices with SIEM
Description:
  Complete the SIEM deployment, aggregating system- and application-level logs for all critical application and security monitoring devices.
  Tune event correlation, incident thresholds and alerting.
  Integrate alerting with incident response plan.
  This work is critical because currently little or no automated review or alerting for unauthorized access to PHI occurs.
Estimate: 200-280 hours
Effort: High

Page 38: Rapid Risk Assessment


Do Not…
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory, nobody cares
• Send out questionnaires, surveys or spreadsheets, nobody will do them correctly
• Use a lot of risk terminology, nobody understands it
• Document indecision, it shows weakness
• Create complexity to make things feel more important
• Create phony numbers to make it feel true
• Use inaccessible matrices, worksheets, or process flows
• Waste time with sensationalist threats
• Involve anybody who sells you equipment in the process

Page 39: Rapid Risk Assessment


Do
• Use simple language
• Define simplistic threats
• List simple vulnerabilities
• Keep impact and probability simple
• Establish authority with experience, language, and presence
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely

Page 40: Rapid Risk Assessment


Thank You
EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://bit.ly/anitian
CALL: 888-ANITIAN