Risk Management and Auditing
Transcript of Risk Management and Auditing
FORESEC Academy
RISK MANAGEMENT AND AUDITING
FORESEC Academy Security Essentials (III)
Risk Management - Where do I Start?
- Write the security policy (with business input)
- Analyze risks, or identify industry practice for due care; analyze vulnerabilities
Risk Management - Where do I Start? (cont'd)
- Set up a security infrastructure
- Design controls; write standards for each technology
- Decide what resources are available, prioritize countermeasures, and implement the top-priority countermeasures you can afford
- Conduct periodic reviews and possibly tests
- Implement intrusion detection and incident response
Define Risk
- Risk = Vulnerability x Threat
- A vulnerability is a weakness in a system that can be exploited
- A threat is any event that can cause an undesirable outcome
- The product form is a reminder that both factors must be present: a threat with no matching vulnerability, or a vulnerability that no threat exploits, contributes no risk
The Three Risk Choices
- Accept the risk as is
- Mitigate or reduce the risk
- Transfer the risk (insurance model)
Risk Management Questions
- What could happen? (what is the threat)
- If it happened, how bad could it be? (impact of the threat)
- How often could it happen? (frequency of the threat, annualized)
- How reliable are the answers to the above three questions? (recognition of uncertainty)
Risk Requires Uncertainty
If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn't risky; it is suicide. For such an action, there is a probability close to 1.0 that you will go splat when you hit the ground and a probability of almost 0.0 that you will survive.
Probability ranges between 0.0 and 1.0, though people often express it as a percent.
SLE vs. ALE
- SLE - Single Loss Expectancy: the loss from a single event
- ALE - Annualized Loss Expectancy: the expected loss per year from a threat
Single Loss Expectancy (SLE - one shot)
- Asset value x exposure factor = SLE
- Exposure factor: the percentage (0-100%) of the asset's value lost in one event
- Example: nuclear bomb on a small town ($90M x 100% = $90M)
Annualized Loss Expectancy (ALE - multi-hits)
- SLE x annualized rate of occurrence (ARO) = Annualized Loss Expectancy (ALE)
- The ARO is the number of times per year the threat is expected to occur; the ALE is the resulting expected loss per year
- Example, web surfing on the job:
  - SLE: 1000 employees, 25% waste an hour per week surfing, so 250 employees x 1 hour x $50/hr = $12,500 per occurrence (one week)
  - ALE: they do it every week except when on vacation, so $12,500 x 50 = $625,000 per year
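The SLE and ALE arithmetic above, carried through in code and extended to the earlier slide's step of prioritizing the countermeasures you can afford. This is an added example and not code from the FORESEC course; the SLE/ALE formulas and the web-surfing figures are the slides' own, while the countermeasure names, their annual costs and effectiveness fractions, and the ranking rule "net benefit = ALE reduction minus annual cost of the control" are assumptions made here for illustration.

```python
"""Quantitative risk worked example: SLE, ALE and countermeasure ranking.

Added example, not from the FORESEC slides. The SLE and ALE formulas and the
web-surfing figures are the slides' own; the countermeasure list, its costs
and effectiveness figures, and the 'net benefit = ALE reduction - annual cost'
ranking rule are assumptions added here for illustration.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value x exposure factor (0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # Fraction of the current ALE the control removes (assumed figures).
    effectiveness: float

    def net_benefit(self, current_ale: float) -> float:
        """Annual loss avoided minus the control's annual cost (assumed rule)."""
        return current_ale * self.effectiveness - self.annual_cost


def prioritize(current_ale: float, options, budget: float):
    """Greedy: best net benefit first, taking only what the budget allows.

    Controls with a non-positive net benefit are skipped: spending more than
    the loss they prevent is worse than simply accepting the risk.
    """
    ranked = sorted(options, key=lambda c: c.net_benefit(current_ale), reverse=True)
    chosen, remaining = [], budget
    for c in ranked:
        if c.net_benefit(current_ale) <= 0 or c.annual_cost > remaining:
            continue
        chosen.append(c.name)
        remaining -= c.annual_cost
    return chosen


# Slide figures: 1000 employees, 25% waste 1 h/week at $50/h, 50 weeks/year.
employees, wasting, rate, weeks = 1000, 0.25, 50.0, 50
WEEKLY_LOSS = sle(asset_value=employees * wasting * rate, exposure_factor=1.0)
ANNUAL_LOSS = ale(WEEKLY_LOSS, aro=weeks)

# Constructed options: costs and effectiveness are invented for the example.
OPTIONS = [
    Countermeasure("web filtering proxy", annual_cost=40_000, effectiveness=0.60),
    Countermeasure("acceptable-use policy + awareness", annual_cost=5_000, effectiveness=0.20),
    Countermeasure("full-time monitoring analyst", annual_cost=120_000, effectiveness=0.35),
    Countermeasure("gold-plated DLP suite", annual_cost=700_000, effectiveness=0.90),
]

if __name__ == "__main__":
    print(f"SLE per week: ${WEEKLY_LOSS:,.0f}")
    print(f"ALE: ${ANNUAL_LOSS:,.0f}")
    for c in OPTIONS:
        print(f"{c.name:40s} net benefit ${c.net_benefit(ANNUAL_LOSS):>12,.0f}")
    print("chosen within $100k:", prioritize(ANNUAL_LOSS, OPTIONS, budget=100_000))
```

The ranking is deliberately simple: effectiveness fractions are not combined across controls, so a second control's real benefit after the first is in place is smaller than shown. The point it makes is the one the slides make: a control that costs more per year than the ALE it removes (the DLP suite here) should be rejected in favour of accepting the risk, whatever its technical merit.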
Quantitative vs. Qualitative
- Qualitative is easier to calculate, but its results are more subjective
- Qualitative is much easier to accomplish
- Qualitative succeeds at identifying high-risk areas
- Quantitative is far more valuable as a business decision tool, since it works in metrics, usually dollars
Qualitative - Another Risk Assessment Approach
- Banded values: high, medium, low
- Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
- Very commonly used
Best Practice Risk Assessment
- System administration is a high-turnover job in large organizations, which affects continuity
- System administrators tend to be focused on having the "trains run on time"
- Security configuration may not be understood or implemented
Best Practice
- No single organization or person is likely to produce best practice
- Consensus of many organizations and stringent review
- Examples:
  - Center for Internet Security
Foresec Securing 2000 SBS
3.1.2.3.1 Additional Restrictions for Anonymous Connections. The default choice for this setting is "None. Rely on default permissions." The other choices are "No Access Without Explicit Anonymous Permissions" and "Do Not Allow Enumeration of SAM Accounts and Shares."
Select "No Access Without Explicit Anonymous Permissions." This is the most restrictive of the three choices; test it before rolling it out, because older systems and services that depend on anonymous (null session) access may stop working.
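A checklist item like this is only worth having if it can be verified on every system, ideally by the second person in the check-and-double-check pair. The following is an added example, not code from the FORESEC course or the Securing 2000 guide: it reads a registry export of the Lsa key and reports whether the setting matches the choice above. It relies on the fact that this policy setting is stored as the RestrictAnonymous DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, with 0, 1 and 2 corresponding to the three choices in the order "None", "Do Not Allow Enumeration", "No Access Without Explicit Anonymous Permissions"; the two .reg exports in the block are constructed for the example.

```python
"""Checklist audit of the Windows 2000 'Additional Restrictions for Anonymous
Connections' setting from a registry export.

Added example, not from the FORESEC slides or the Securing 2000 guide. The
policy setting is stored as the RestrictAnonymous DWORD under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa (0 = rely on default
permissions, 1 = do not allow enumeration of SAM accounts and shares,
2 = no access without explicit anonymous permissions). The .reg text below
is constructed for the example, as if produced by `reg export` of that key.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Numeric value -> the choice name shown in the Local Security Policy UI.
CHOICES = {
    0: "None. Rely on default permissions",
    1: "Do Not Allow Enumeration of SAM Accounts and Shares",
    2: "No Access Without Explicit Anonymous Permissions",
}
REQUIRED = 2  # the checklist's required choice


def restrict_anonymous_from_reg(reg_text: str) -> int:
    """Return RestrictAnonymous from .reg export text; a missing value means 0.

    Windows behaves as if the value were 0 when it is absent, so a missing
    value is a finding, not a parse error.
    """
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is not None and section.lower() == LSA_KEY.lower():
            m = re.match(r'"RestrictAnonymous"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                return int(m.group(1), 16)
    return 0


def audit(reg_text: str) -> dict:
    """Compare the exported setting against the checklist requirement."""
    value = restrict_anonymous_from_reg(reg_text)
    return {
        "value": value,
        "choice": CHOICES.get(value, f"unknown value {value}"),
        "compliant": value == REQUIRED,
        "required": CHOICES[REQUIRED],
    }


# Constructed exports: a host still at the default, and a hardened one.
DEFAULT_HOST = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"RestrictAnonymous"=dword:00000000
"""

HARDENED_HOST = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000002
"""

if __name__ == "__main__":
    for name, export in (("default", DEFAULT_HOST), ("hardened", HARDENED_HOST)):
        r = audit(export)
        status = "PASS" if r["compliant"] else "FAIL"
        print(f"{name}: {status} - RestrictAnonymous={r['value']} ({r['choice']})")
```

Treating an absent value as 0 rather than as an error matters in practice: a freshly built system has no RestrictAnonymous value at all, and a checker that only flags explicit zeros would pass it.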
Windows 2000 Checklist
A checklist approach designed for two persons (check and double check) to configure a Windows 2000 system to at least minimal acceptable security.
Business Case for Risk Management
In order to present the business case, we need to convey the "Big Picture."
We are now familiar with these core technologies and how they play together:
- Host and network-based intrusion detection
- Vulnerability scanners and honeypots
- Firewalls
Business Case - Applications
- The organization has no intrusion detection and you are presenting the case for standing up a capability
- The organization has a rudimentary capability and you want to upgrade
- The organization has central monitoring and you are presenting the case for a departmental capability
Business Case - Applications (2)
- Many managers are uncomfortable when confronted with actual data about attacks and vulnerabilities.
- You can often use any existing source of data (firewall logs, system logs) to leverage additional intrusion detection financing by showing them a "smoking gun."
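The "smoking gun" is rarely a single log line; it is the summary that turns a few thousand deny entries into "one host probed six services on our database server in two seconds." The following is an added example and not code from the FORESEC course: it parses firewall deny logs in a simple syslog-like layout constructed for the example (timestamp, action, protocol, source:port -> destination:port), counts denies by source and destination port, and flags sources that touched many distinct ports. The log lines, the layout, and the five-port scanner threshold are all assumptions; a real firewall's format differs, and the regex is the part to adapt.

```python
"""Turn raw firewall deny logs into the 'smoking gun' summary a manager can read.

Added example, not from the FORESEC slides. The log lines are constructed for
the example in a simple syslog-like layout (timestamp, action, proto,
src:port -> dst:port); a real firewall's format will differ and the parser's
regex is the part to adapt.
"""
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: one external host sweeping a server, plus background noise
# and one corrupt line, which a report generator must survive.
SAMPLE_LOG = """\
2003-04-12 02:14:01 DENY TCP 203.0.113.7:40211 -> 192.0.2.10:21
2003-04-12 02:14:01 DENY TCP 203.0.113.7:40212 -> 192.0.2.10:23
2003-04-12 02:14:02 DENY TCP 203.0.113.7:40213 -> 192.0.2.10:139
2003-04-12 02:14:02 DENY TCP 203.0.113.7:40214 -> 192.0.2.10:445
2003-04-12 02:14:02 DENY TCP 203.0.113.7:40215 -> 192.0.2.10:1433
2003-04-12 02:14:03 DENY TCP 203.0.113.7:40216 -> 192.0.2.10:3389
2003-04-12 02:14:03 DENY TCP 203.0.113.7:40217 -> 192.0.2.11:139
2003-04-12 02:15:40 DENY UDP 198.51.100.9:1026 -> 192.0.2.10:137
2003-04-12 02:16:12 ALLOW TCP 198.51.100.22:51000 -> 192.0.2.10:80
2003-04-12 02:17:55 DENY TCP 198.51.100.31:2045 -> 192.0.2.12:1433
this line is garbage and must not crash the report
2003-04-12 02:18:03 DENY TCP 203.0.113.7:40218 -> 192.0.2.12:1433
"""


def parse(log_text):
    """Return (records, unparsed_count); non-matching lines are counted, not fatal."""
    records, unparsed = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            records.append(d)
        else:
            unparsed += 1
    return records, unparsed


def summarize(log_text, scan_threshold=5):
    """Count denies by source and destination port, and flag sweeping sources.

    A source is reported as a probable scanner when it was denied against at
    least scan_threshold distinct destination ports (assumed threshold).
    """
    records, unparsed = parse(log_text)
    denies_by_src = Counter()
    denies_by_port = Counter()
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] != "DENY":
            continue  # only blocked traffic counts as evidence here
        denies_by_src[rec["src"]] += 1
        denies_by_port[rec["dport"]] += 1
        ports_by_src[rec["src"]].add(rec["dport"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {
        "parsed": len(records),
        "unparsed": unparsed,
        "top_sources": denies_by_src.most_common(3),
        "top_ports": denies_by_port.most_common(3),
        "probable_scanners": scanners,
    }


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"{r['parsed']} records parsed, {r['unparsed']} unparsed")
    print("most denied sources:", r["top_sources"])
    print("most probed ports:", r["top_ports"])
    print("probable scanners:", r["probable_scanners"])
```

Two details carry over to real logs: the unparsed count goes into the report rather than being hidden, so nobody can later claim the figures were cherry-picked; and only DENY records are counted, because an ALLOW to port 80 is the web server doing its job, not evidence of an attack.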
Threat Vectors
- Outsider attack from the network
- Outsider attack from the telephone
- Insider attack from the local network
- Insider attack from the local system
- Attack from malicious code
Outsider Attack - Internet
- Newspaper and web articles on attacks at other places (if it happened to them, it can happen here)
- Hacking web sites: www.antionline.com
- Firewall/intrusion detection logs are an excellent source for specific threats
- System audit trail logs are as well
- Demo an intrusion detection system