Risk Reduction Overview
rro.sourceforge.net/downloads/ares4.pdf
Transcript of the slide deck (18 pages)

Page 1: Risk Reduction Overview for Risk Management

Dr. ir. Olivier D.T. Sessink
Head of section Innovation & Research, Joint IT command, Ministry of Defense

Ir. Hellen N.J. Havinga
Enterprise security architect, Central Information Services, Rijkswaterstaat

Page 2: Contents

• Introduction to Risk Management
• IT Risk management challenges
• Objectives
• The Risk Reduction Overview method
• Risk Reduction Overview benefits
• Evaluation

Page 3: ISO27005 Risk Management

Page 4: Risk acceptance

[Figure: Chance * Impact; Measures]

Page 5: Why is risk management hard?

• Threats and the chance that they might cause damage are unknown external factors

Page 6: Why is risk management hard?

• (Known) vulnerabilities change at a high rate: Vulnerable? Exploit? Patch?
• IT changes continuously, affecting both chance and damage

Page 7: Why is risk management hard?

• Cost of damage is hard to estimate: Sensitive information leaked? Business process interrupted? Loss of trust? Reputation damage?

Page 8: Why is risk management hard?

In large organisations the situation is even worse:
• Large number of roles & people involved in risk management
• Large numbers of interconnected systems
• Different requirements from different business units

Page 9: Risk acceptance in large organizations

[Figure: statements from different stakeholders]
• "Our supplier has the right to remotely administrate our copiers."
• "We need easy file sharing with this marketing firm."
• "Protect our intellectual property!!"
• "We cannot risk losing our customer records!"
• "I want to use my private phone on the company network!"
• "If we cannot keep secrets secure our partners will stop cooperating with us!"
• "If this system goes down, all our production goes down!"
• "If I'm not allowed to run this software I'll do this at home."
• "But we need Dropbox to send our designs to the factory!?"

Page 10: Existing methods

Existing methods (such as CRAMM and IRAM) include generic baseline measures.

However: the relation between these baseline measures and the residual risk is not clear.

Page 11: How can we improve the situation?

Objectives: present an overview such that:
• Residual risks can be evaluated
• The relation between risk, measures and residual risk is clear
• It is useful for people in different roles and with different backgrounds
• It is applicable to a design or to an implemented system

Page 12: Risk Reduction Overview

Legend: I# = Initial risk, M# = Measure, R# = Residual risk, F# = Final residual risk; the arrows in the drawing show the risk reduction flow from an initial risk, through the measures, to the final residual risk.

Example overview (email handling on a confidential network):

Initial risks
• I1: Malware enters the network via email attachments
• I2: Email attachments contain confidential data and leak out
• I3: Computers on the network are attacked from the internet

Measures
• M1: Users are instructed how to handle untrusted attachments from outside and never to send confidential data outside the organization
• M2: A firewall only allows SMTP communication with the email server
• M3: Anti-malware product W blocks malware on the email server
• M4: Anti-malware product X blocks malware on the desktop computers
• M5: Data-leakage detection product Y is installed to detect confidential data leaks
• M6: Intrusion detection monitors SMTP traffic to the email server for attacks

Residual risks
• R1: Malware that does not need user interaction, or phishing email, is activated on the network
• R2: Users forget or ignore the instruction and still send confidential data by email
• R3: The email server is attacked over SMTP from the internet

Final residual risks
• F1: New malware or targeted-attack malware that doesn't need activation, or is somehow activated by the user, still enters the network via email attachments
• F2: Confidential data that is illegally sent by an employee and not detected by product Y may still leak
• F3: An attack from the internet over SMTP which is not detected by the IDS may compromise the confidential network
• F4: A misconfigured firewall allows computers on the network to be attacked from the internet

Page 13: [figure only]

Page 14: RRO application and benefits

• Drawing the overview forces you to rethink design decisions
• Unneeded measures, and the effect of each measure, are easily identified
• Missing risks are easily identified
• Realism of the risk reduction is easily evaluated
• Final residual risks are directly visible
• Impact of changes is easily derived
• Future designs can re-use risk reduction patterns
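Three of these benefits (unneeded measures, missing risks, impact of changes) become mechanical checks once the overview is held as data rather than only as a drawing. The Python script below is an added example written for this transcript; it is not code from the RRO project or from the authors. It encodes the example overview of page 12 as nodes and risk-reduction flows. The node texts are abridged from the slide; the wiring of the flows (which measures sit on which arrow, and that M2 leaves both R3 and F4 as residuals) is this example's assumed reading of the drawing, and the rule that dropping a measure also drops the residual-risk arrows that existed only because of it is likewise an assumption of the example.

```python
"""Model a Risk Reduction Overview (RRO) as risk-reduction flows.

Node types follow the slide legend: I# initial risk, M# measure,
R# residual risk, F# final residual risk. A flow is one arrow in the
drawing: (risk, measures on the arrow, residual risk that remains).
"""
from collections import defaultdict

# Node texts abridged from the example RRO on page 12 of the slides.
NODES = {
    "I1": "Malware enters the network via email attachments",
    "I2": "Email attachments contain confidential data and leak out",
    "I3": "Computers on the network are attacked from the internet",
    "M1": "Users instructed on untrusted attachments and confidential data",
    "M2": "Firewall only allows SMTP to the email server",
    "M3": "Anti-malware product W on the email server",
    "M4": "Anti-malware product X on the desktops",
    "M5": "Data-leakage detection product Y",
    "M6": "IDS monitors SMTP traffic to the email server",
    "R1": "Malware needing no user interaction, or phishing, is activated",
    "R2": "Users ignore the instruction and still email confidential data",
    "R3": "Email server attacked over SMTP from the internet",
    "F1": "New or targeted malware still enters via email attachments",
    "F2": "Confidential data not detected by product Y still leaks",
    "F3": "SMTP attack not detected by the IDS compromises the network",
    "F4": "Misconfigured firewall lets computers be attacked from the internet",
}

# ASSUMED wiring: the slide shows arrows as a drawing; this is one reading
# of it, written for this example, not data taken from the page.
FLOWS = [
    ("I1", ["M1", "M3", "M4"], "R1"),
    ("R1", [], "F1"),        # no further measure: R1 is carried to the final column
    ("I2", ["M1"], "R2"),
    ("R2", ["M5"], "F2"),
    ("I3", ["M2"], "R3"),
    ("I3", ["M2"], "F4"),    # the firewall measure itself leaves a residual risk
    ("R3", ["M6"], "F3"),
]


def kind(node):
    """Node type letter from the slide legend: I, M, R or F."""
    return node[0]


def reachable(start, flows):
    """Risk nodes reachable from start by following flows (cycle-safe DFS)."""
    succ = defaultdict(set)
    for src, _, dst in flows:
        succ[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in succ[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def check_overview(nodes, flows):
    """Structural checks a reviewer applies before judging residual risk."""
    used = {m for _, measures, _ in flows for m in measures}
    sources = {src for src, _, _ in flows}
    initial = [n for n in nodes if kind(n) == "I"]
    reached = set().union(*(reachable(i, flows) for i in initial))
    return {
        # measure drawn but on no arrow: it reduces no risk in this overview
        "unneeded_measures": sorted(n for n in nodes if kind(n) == "M" and n not in used),
        # initial/residual risk with no outgoing arrow: neither reduced nor carried to F
        "unreduced_risks": sorted(n for n in nodes if kind(n) in "IR" and n not in sources),
        # final residual risk not derived from any initial risk: a risk is missing upstream
        "unexplained_final_risks": sorted(n for n in nodes if kind(n) == "F" and n not in reached),
    }


def final_risks_per_initial(nodes, flows):
    """Which final residual risks each initial risk ends up as."""
    return {i: sorted(f for f in reachable(i, flows) if kind(f) == "F")
            for i in nodes if kind(i) == "I"}


def without_measure(nodes, flows, measure):
    """Overview after dropping one measure, to derive the impact of a change.

    Assumed rule: an arrow that relied only on the dropped measure is removed,
    because its residual risk described what that measure does not catch.
    check_overview then reports which risk is left unreduced.
    """
    new_nodes = {n: t for n, t in nodes.items() if n != measure}
    new_flows = []
    for src, measures, dst in flows:
        remaining = [m for m in measures if m != measure]
        if measures and not remaining:
            continue
        new_flows.append((src, remaining, dst))
    return new_nodes, new_flows


if __name__ == "__main__":
    print("baseline findings:", check_overview(NODES, FLOWS))
    print("final risks:", final_risks_per_initial(NODES, FLOWS))
    print("without M6:", check_overview(*without_measure(NODES, FLOWS, "M6")))
```

On the baseline all three finding lists are empty. Dropping M6 (the IDS) reports R3 as an unreduced risk and F3 as a final risk that is no longer explained, which is exactly the part of the drawing that has to be redone; adding a measure that appears in no flow is reported as unneeded.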

Page 15: RRO Evaluation

Several years of use:

• Dutch Ministry of Defence, Joint IT command

– Information security of military and national sensitive information

• Rijkswaterstaat (national civil infrastructure and waterway agency)

– Cyber security of vital infrastructure

Page 16: Evaluation results 1/2

• The RRO has been found to be beneficial in all seven mentioned application areas.

• First-time reviewers with different backgrounds find the RRO intuitive and easy to understand

• Reviewers indicate they need less time to review measures and residual risk

• Reviewers indicate the RRO gives far more overview than traditional design documents

Page 17: Evaluation results 2/2

• Business owners point out that the RRO enables them to discuss measures with IT specialists, something they found very difficult in the past

Which is exactly what ISO 27005 risk management requires

Page 18: Risk Reduction Overview

Makes communication about risks, measures and residual risk possible

between people with various different roles and backgrounds.

http://rro.sourceforge.net/

Questions ?