Rapid Risk Assessment: A New Approach to Risk Management

SECURITY:\\Services\Solutions\Support RAPID RISK ASSESSMENT A NEW APPROACH TO IT RISK MANAGEMENT

Description

Presented by: Andrew Plato, Anitian

Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is a cumbersome and time-consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results. Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity of IT security risk assessment. Using the existing principles of risk management defined in the NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results, empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process. This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.

Transcript of Rapid Risk Assessment: A New Approach to Risk Management

Page 1: Rapid Risk Assessment: A New Approach to Risk Management

RAPID RISK ASSESSMENT: A NEW APPROACH TO IT RISK MANAGEMENT

Page 2: Rapid Risk Assessment: A New Approach to Risk Management

Biography

• Andrew Plato, CISSP, CISM, QSA
• President / CEO – Anitian Enterprise Security
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Championed movement toward practical, pragmatic information security solutions

Page 3: Rapid Risk Assessment: A New Approach to Risk Management

Anitian Overview

• Compliance: PCI, NERC, HIPAA, FFIEC
• Services: Penetration testing, web application testing, code review, incident response, risk assessment
• Technologies: UTM/NGFW, IPS, SIEM, MDM
• Support: Managed security, staff augmentation
• Leadership: Industry analysis, CIO advisory services

Page 4: Rapid Risk Assessment: A New Approach to Risk Management

Why Anitian?

• Anitian is the only security firm…
  • Focused on practical, pragmatic information security
  • Able to deliver compliance quickly & affordably
  • That does not push products
  • Who rejects using fear to sell
  • Dedicates research efforts to benefit our clients, not our press-releases
  • Implements business-friendly security
  • Remains honest and independent

Page 5: Rapid Risk Assessment: A New Approach to Risk Management

Presentation Outline

• The Risk Assessment Environment
• Failure of Current Risk Assessment Practices
• Preparing for a Rapid Risk Assessment
• The Rapid Risk Assessment Process

Page 6: Rapid Risk Assessment: A New Approach to Risk Management

THE RISK ASSESSMENT ENVIRONMENT

Rapid Risk Assessment

Page 7: Rapid Risk Assessment: A New Approach to Risk Management

What is Risk Assessment?

• Systematic and objective determination of the seriousness of threats.
• Good risk assessment aims to:
  • Identify the threats that affect an entity (company, network, systems, application, etc.)
  • Qualify and quantify those threats
  • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible investments in security controls and processes

Page 8: Rapid Risk Assessment: A New Approach to Risk Management

Increasing Emphasis on Risk Assessment

• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces need for risk assessment
  • Assessment to define risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to reperform assessments when there are changes

Page 9: Rapid Risk Assessment: A New Approach to Risk Management

Increased Scrutiny

• From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?

Page 10: Rapid Risk Assessment: A New Approach to Risk Management

THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES

Rapid Risk Assessment

Page 11: Rapid Risk Assessment: A New Approach to Risk Management

Something Is Not Right Here

• Companies were consistently complaining about their IT risk assessments:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…

Page 12: Rapid Risk Assessment: A New Approach to Risk Management

Practitioners are Questioning Risk Assessment

Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html

Page 13: Rapid Risk Assessment: A New Approach to Risk Management

With Mixed Results

For any risk management method … we must ask … “How do we know it works?” If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.

Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.

Page 14: Rapid Risk Assessment: A New Approach to Risk Management

The Problem

• Current practices are…
  • Slow
  • Complex
  • Incomprehensible to management
  • Fail to provide clear actionable steps to reduce risk
• Why?

Page 15: Rapid Risk Assessment: A New Approach to Risk Management

Arcane Language

• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:

Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.

Page 16: Rapid Risk Assessment: A New Approach to Risk Management

The Fallacy of Numbers

• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It's impossible to establish a true value for an IT asset
• Misleading, creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking

Page 17: Rapid Risk Assessment: A New Approach to Risk Management

Time Consuming

• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
• Spending a year on a risk assessment is too long
• A good enterprise risk assessment should be done in under 30 days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions, it’s an assessment from a single person or group that understands risk

Page 18: Rapid Risk Assessment: A New Approach to Risk Management

Probability Can Be Flawed

• “On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting

Page 19: Rapid Risk Assessment: A New Approach to Risk Management

Lack of Evidence

• Risk assessment methodologies focus heavily on process, and very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled, rational manner
• Without testing, the entire analysis is one-sided
• Testing can cut through conjecture and prove (or disprove) the severity of a threat

Page 20: Rapid Risk Assessment: A New Approach to Risk Management

The Challenge

• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker

Page 21: Rapid Risk Assessment: A New Approach to Risk Management

PREPARATION

Rapid Risk Assessment

Page 22: Rapid Risk Assessment: A New Approach to Risk Management

Features of Rapid Risk Assessment

• Aims to speed up the risk assessment process & make it more useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in place of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress

Page 23: Rapid Risk Assessment: A New Approach to Risk Management

Rapid Risk Assessment Outline

• Prerequisites
  • Advanced writing skills
  • Hands on IT skills
  • Authority

1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan

Page 24: Rapid Risk Assessment: A New Approach to Risk Management

Prerequisite: Advanced Writing Skills

• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few bullet points

Page 25: Rapid Risk Assessment: A New Approach to Risk Management

Prerequisite: Hands-on IT Skills

• Must have in-depth understanding of IT operations
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses

Page 26: Rapid Risk Assessment: A New Approach to Risk Management

Prerequisite: Authority

• Management must definitively endorse and support risk assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement

Page 27: Rapid Risk Assessment: A New Approach to Risk Management

THE PROCESS

Rapid Risk Assessment

Page 28: Rapid Risk Assessment: A New Approach to Risk Management

#1 - Establish Scope & Lens

• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
  • Data types – customer, internal, security, etc.
  • System – server, workstation, infrastructure
  • Application – user, customer, financial, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension

Page 29: Rapid Risk Assessment: A New Approach to Risk Management

#2 - Interview Stakeholders

• Develop a set of questions specific to the business role:
  • IT custodians – technical questions
  • Business process owners – criticality & usage
• Define value in context of the entire business using simple terms: critical, high, medium, low, none
• Focus on current state
• Be careful with “forward looking” data – chasing a moving target
• Catalog results

Page 30: Rapid Risk Assessment: A New Approach to Risk Management

#3 – Test the Environment

• Vulnerability scans of all in-scope systems, apps or locations of data
• Conduct penetration tests
• Web application testing
• Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must

Page 31: Rapid Risk Assessment: A New Approach to Risk Management

#4 – Define Threats & Correlate Data

• Organize threats into simplified categories
  • Technical – threat to systems, hardware, applications, etc.
  • Operational – threats that affect practices, procedures, or business functions
  • Relational – threat to a relationship between groups, people or third parties
  • Physical – threats to facilities, offices, etc.
  • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple

Page 32: Rapid Risk Assessment: A New Approach to Risk Management

Threat Samples

• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • Use of telnet among staff is threatening PCI compliance requirements.
  • Missing patches on systems

Page 33: Rapid Risk Assessment: A New Approach to Risk Management

#5 - Define Probability & Impact Scale

Probability

Metric       Description
Certain      >95% likelihood of occurrence within the next 12 months.
High         50-95% likelihood of occurrence within the next 12 months.
Medium       20-49% likelihood of occurrence within the next 12 months.
Low          1-20% likelihood of occurrence within the next 12 months.
Negligible   <1% likelihood of occurrence within the next 12 months.

Impact

Metric       Description
Critical     Catastrophic effect on the Data Asset.
High         Serious impact on the Data Asset's functionality.
Medium       Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
Low          Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
Negligible   Data Asset remains functional for the business with no noticeable slowness or downtime.

Page 34: Rapid Risk Assessment: A New Approach to Risk Management

#6 - Document Risks

• Condense, simplify and focus on the problem
• Threat – How the asset is at risk
• Vulnerabilities – The vulnerabilities relevant to the risk
• Recommendation – Tangible actions to remediate the risk
• Impact – Simplified 5 point score (critical, high, medium, low, none)
• Probability – Simplified 5 point score (certain, high, medium, low, negligible)
• Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)

Page 35: Rapid Risk Assessment: A New Approach to Risk Management

Documentation Sample

Threat: Malware infection

Vulnerabilities:
• Outdated anti-virus
• Lack of anti-virus on 36% of servers
• 32 high ranked vulnerabilities on in-scope systems
• Lack of virus scanning at the network layer

Recommendation:
• Endpoint antivirus must be installed on all hosts.
• All endpoint antivirus must be updated daily
• All systems must have new patches applied within 30 days of release.
• Company must deploy a more robust patch management platform.
• Implement a core firewall that can perform virus scanning at the network layer.

Impact: H   Probability: C   Risk: H
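The probability scale from step 5 and the "simplified product" of step 6 can be made mechanical. The following is an added example (mine, not the speaker's or Anitian's): the numeric weights for the five rungs, the product thresholds, and the handling of the ambiguous 20% and 95% boundaries are assumptions the slides do not specify; the sample entry above (High impact, Certain probability, Risk High) is transcribed as constructed input and is the case the thresholds must reproduce.

```python
from dataclasses import dataclass

# Ordinal 5-point scales from slide 33; using the tuple index as weight 0-4 is this example's assumption.
IMPACT = ("negligible", "low", "medium", "high", "critical")
PROBABILITY = ("negligible", "low", "medium", "high", "certain")

def probability_metric(pct: float) -> str:
    """Map an estimated likelihood (% within the next 12 months) to the slide-33 metric.
    Exactly 20 or 95, which the slide leaves ambiguous, goes to the higher bucket (assumption)."""
    if not 0 <= pct <= 100:
        raise ValueError("likelihood must be a percentage between 0 and 100")
    if pct > 95:
        return "certain"
    if pct >= 50:
        return "high"
    if pct >= 20:
        return "medium"
    if pct >= 1:
        return "low"
    return "negligible"

def _weight(name: str, scale: tuple) -> int:
    key = name.strip().lower()
    key = "negligible" if key == "none" else key  # slide 34 calls the lowest impact rung "none"
    if key not in scale:
        raise ValueError(f"unknown level {name!r}; expected one of {scale}")
    return scale.index(key)

def risk_rating(impact: str, probability: str) -> str:
    """Simplified product of Impact * Probability (weights 0-4, product 0-16) bucketed back onto the 5-point
    scale; the buckets are an assumption chosen so the slide-35 sample (High x Certain = 12) rates High."""
    product = _weight(impact, IMPACT) * _weight(probability, PROBABILITY)
    if product == 0:          # a negligible factor on either side makes the risk negligible
        return "negligible"
    if product <= 3:
        return "low"
    if product <= 8:
        return "medium"
    if product <= 15:
        return "high"
    return "critical"         # only Critical impact with Certain probability (16) lands here

@dataclass
class RiskEntry:
    threat: str
    vulnerabilities: list
    recommendations: list
    impact: str
    probability: str

    @property
    def risk(self) -> str:
        return risk_rating(self.impact, self.probability)

# The slide-35 sample entry, transcribed here as constructed input.
MALWARE = RiskEntry(
    threat="Malware infection",
    vulnerabilities=["Outdated anti-virus", "Lack of anti-virus on 36% of servers",
                     "32 high ranked vulnerabilities on in-scope systems", "Lack of virus scanning at the network layer"],
    recommendations=["Endpoint antivirus must be installed on all hosts.", "All endpoint antivirus must be updated daily",
                     "All systems must have new patches applied within 30 days of release.",
                     "Company must deploy a more robust patch management platform.",
                     "Implement a core firewall that can perform virus scanning at the network layer."],
    impact="high", probability="certain")
```

`MALWARE.risk` returns "high", matching the H / C / H row above; any entry whose impact is "none" or whose probability is "negligible" rates negligible regardless of the other factor.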

Page 36: Rapid Risk Assessment: A New Approach to Risk Management


Online  Version  Using  Allgress  

Page 37: Rapid Risk Assessment: A New Approach to Risk Management

#7 – Develop an Action Plan

• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
  • GOOD: Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.
  • BAD: IT management procedures need updating to align with best practices.

Page 38: Rapid Risk Assessment: A New Approach to Risk Management

Don’t

• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension

Page 39: Rapid Risk Assessment: A New Approach to Risk Management

Do

• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely

Page 40: Rapid Risk Assessment: A New Approach to Risk Management

Thank You

EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://slidesha.re/11UaeFN