Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
Transcript of Visual 3. 1 Lesson 3 Risk Assessment and Risk Mitigation.
Visual 3.1
Lesson 3
Risk Assessment and Risk Mitigation

Visual 3.2
Objective 4
At the end of Lesson 3, you will be able to describe:
– several approaches to risk assessment,
– considerations in developing and selecting countermeasures,
– the importance of the management decision, and
– reasons why risk management is really an art instead of a science

Visual 3.3
The Variable Nature of the Elements of Risk

Visual 3.4
Risk is Commonplace

Visual 3.5
Qualitative Data
Description of
– qualities,
– elements, or
– ingredients of a variable
"This is not a nice day"

Visual 3.6
Quantitative Data
Allows the variable to be measured
Numerical values may be assigned based on measured observations
Temp 75°F, Humid 45%, Bar 29.35"

Visual 3.7
Purpose of Risk Assessment (Bottom Line)
Permit managers to make reasoned decisions regarding risk to the organization's mission

Visual 3.8
Using Risk Management Terms - The Catcher at Risk

Visual 3.9
Risk Assessment - Questions to Be Answered
What is the relationship of the system to the customer's mission?
What are all of the undesirable events that could happen and affect the mission?
How could they happen?
Realistically, what are the chances of them happening?
Suppose such an event happens, how much damage could be done?
Visual 3.10
Performing a Risk Assessment
Define the purpose of the assessment
Identify the product or system
Select assessment approach
Gather information
Develop attack scenarios
Estimate risk parameters
Produce assessment report

Visual 3.11
Define the Purpose of the Assessment
What is the general situation?
What decisions are to be made as a result of the risk assessment?
Who will make the decisions?

Visual 3.12
Identify and Bound the Product or System -
Decide on Scope or Depth of Assessment

Visual 3.13
Organize for the Assessment
Individual
Individuals
Group or team of individuals
Groups

Visual 3.14
Define Relationships
How will individuals, groups, etc., work together performing the tasks of:
– data collection
– analysis
– synthesis
– conclusions
– recommendations

Visual 3.15
What do Analysts do?
Identify threats and their characteristics
Gather and exchange information
Develop attack scenarios
– Confidentiality
– Integrity
– Availability
Postulate potential consequences
– Impact on organization's mission
Estimate risk parameters

Visual 3.16
Information Sources
Knowledge of Individual Members
Computer Emergency Response Team Coordination Center, etc.
Outside Experts
Systems Administrators, Manager, etc.
Users
Threat Assessments and other Reports
Visual 3.17
Threat Characteristics
Conditional Likelihood An Adversary Can Succeed
[Diagram: Capability, Motivation, Willingness → Likelihood of Attack (Given Capable) → Likelihood of Success (Threat Value) (Given Attempted and Capable)]

Visual 3.18
Threat Sources
Nature - Historical
Unintentional human error - Historical
Technological failure - Historical
Adversarial - Threat Assessment

Visual 3.19
Adversarial Threat Characteristics
Objectives - As opposed to ours
Intentions
Motivation to act
Willingness to accept risk
Willingness to accept cost
Technical capability
Resources

Visual 3.20
Gather and Exchange Information
Define What the System Does
Define the Environment
Determine Data Sensitivity
Identify System Users
Identify vulnerabilities

Visual 3.21
Gather Information
How does the system support the mission?

Visual 3.22
Gather Information
Define the Environment

Visual 3.23
Gather Information
Determine Data Sensitivity
– including its value to an adversary and
– value to the mission

Visual 3.24
Gather Information
Identify System Users
– and their need for the system and its information

Visual 3.25
Gather Information
Identify Potential Vulnerabilities
Visual 3.26
Develop Attack Scenarios
THREAT AGENTS
- Adversarial
- Nature
- Human error
- Technological failure
TARGETS
- Confidentiality
- Integrity
- Availability
- Others

Visual 3.27
Avenues of Attack
Confidentiality: Network Connect, Application SW, Firewall, Remote Access, Physical Access, Insiders, Crypto, TEMPEST
Integrity: Public Switch, Communications
Availability: Public Power, Local Power, UPS

Visual 3.28
Determine Potential Consequences
Impact on information system, resulting in impact on organization's mission

Visual 3.29
Estimate Risk Parameters
Likelihood of Success
– that a credible threat exists,
– with capability to attack, and
– the willingness and intention to do so
Consequences
– the degree of damage resulting from an attack
Visual 3.30
Assessing Risk
[Grid: CONSEQUENCE (Y axis) against LIKELIHOOD OF SUCCESS (X axis)]

Visual 3.31
Attack Scenario No. 1
[Diagram: Coalition Force IS connected to U.S. Forces IS]
Coalition Force ISs heavily dependent upon Internet, few security features, lack procedural discipline.

Visual 3.32
Estimate of Risk - Attack Scenario #1
[Grid: CONSEQUENCE (Y axis: Lo, Med, Hi) against LIKELIHOOD OF SUCCESS (X axis: Lo, Med, Hi); scenario A-1 plotted as a point]

Visual 3.33
Estimate of Risk - Attacks #1 thru 8
[Grid: CONSEQUENCE (Y axis: Lo, Med, Hi) against LIKELIHOOD OF SUCCESS (X axis: Lo, Med, Hi); scenarios A-1/3/4, A-5, A-2/7, A-6 and A-8 plotted as points]

Visual 3.34
Rating Overlay
[3 x 3 grid, Lo/Med/Hi on each axis, each cell rated H, M or L; three cells rated H, five rated M and one rated L]

Visual 3.35
Likelihood of Success - Attack Scenario #1
[Grid of Visual 3.33 with the rating overlay of Visual 3.34 applied: scenarios A-1/3/4, A-5, A-2/7, A-6 and A-8 plotted on the CONSEQUENCE against LIKELIHOOD OF SUCCESS grid, each cell rated H, M or L]
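The two steps the slides leave to the picture, turning the threat characteristics of Visual 3.17 into a Likelihood of Success and reading each scenario's rating off the overlay of Visual 3.34, as an added worked example that is not part of the lesson. Assumed, because the transcript does not state them: the threat value is a product of conditional probabilities, the Lo/Med/Hi bins are thirds of [0, 1], and the overlay cell positions (the slide shows three H, five M and one L cells but not where each sits); the scenario values are constructed.

```python
# Added worked example (not from the lesson slides). Assumptions: the Visual 3.17
# threat value is taken as a chain of conditional probabilities, and the Visual
# 3.34 overlay is an assumed layout with three H, five M and one L cells.
from typing import Dict, List, Tuple

# Assumed overlay: key is (Consequence, Likelihood of Success), value is the rating.
OVERLAY: Dict[Tuple[str, str], str] = {
    ("Lo", "Lo"): "L",  ("Lo", "Med"): "M",  ("Lo", "Hi"): "M",
    ("Med", "Lo"): "M", ("Med", "Med"): "M", ("Med", "Hi"): "H",
    ("Hi", "Lo"): "M",  ("Hi", "Med"): "H",  ("Hi", "Hi"): "H",
}

def threat_value(p_capable: float, p_attack_given_capable: float,
                 p_success_given_attempted: float) -> float:
    """Likelihood an adversary can succeed: P(capable) * P(attack|capable)
    * P(success|attempted, capable). The product form is an assumption."""
    for p in (p_capable, p_attack_given_capable, p_success_given_attempted):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p_capable * p_attack_given_capable * p_success_given_attempted

def bin_level(value: float) -> str:
    """Map a value in [0, 1] onto the slide's Lo/Med/Hi scale (assumed thirds)."""
    if value < 1 / 3:
        return "Lo"
    return "Med" if value < 2 / 3 else "Hi"

def rate_scenarios(scenarios: List[dict]) -> List[Tuple[str, str]]:
    """Return (scenario, rating) pairs, most serious problems first."""
    order = {"H": 0, "M": 1, "L": 2}
    rated = []
    for s in scenarios:
        likelihood = bin_level(threat_value(s["p_capable"], s["p_attack"], s["p_success"]))
        rated.append((s["name"], OVERLAY[(s["consequence"], likelihood)]))
    return sorted(rated, key=lambda r: order[r[1]])

# Constructed sample scenarios, named after the A-1..A-8 labels on the slides.
SAMPLE = [
    {"name": "A-1", "consequence": "Hi", "p_capable": 0.9, "p_attack": 0.9, "p_success": 0.9},
    {"name": "A-5", "consequence": "Lo", "p_capable": 0.5, "p_attack": 0.2, "p_success": 0.5},
    {"name": "A-8", "consequence": "Med", "p_capable": 0.8, "p_attack": 0.7, "p_success": 0.8},
]

if __name__ == "__main__":
    for name, rating in rate_scenarios(SAMPLE):
        print(name, rating)
```

Changing a scenario's consequence or any one of its three probabilities and re-running shows how far a single estimate has to move before the rating changes, which is the point Visual 3.46 makes about the limits of the estimates.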
Visual 3.36
Risk Assessment Methodology
Aids Decision Makers
Promotes Discussion
Focus on Most Serious Problems
Early Identification of Risk
Highlights Recurring Problems
Aids Concurrent Engineering

Visual 3.37
Risk Mitigation
[Diagram: COUNTERMEASURE, MGR, RISK]

Visual 3.38
Countermeasure Considerations
What is the cost vs. benefit?
Are we creating another vulnerability?
Are people involved? If so, will they participate?
How long is the countermeasure needed?
How long will the countermeasure be effective?

Visual 3.39
Cost vs. Benefit
Cost in
– dollars
– time to implement
– impact on operations
Results

Visual 3.40
The Catcher at Risk

Visual 3.41
Risk Mitigation - At What Cost?

Visual 3.42
Creating New Vulnerabilities
Law of unanticipated consequences
[Diagram: Analyst, Risk, New Vulnerability]

Visual 3.43
People Considerations
Are people involved? Will they participate in the solution?
[Diagram: COUNTERMEASURE, USER]

Visual 3.44
Time Consideration
How long is the countermeasure needed?

Visual 3.45
Time Consideration
How long will the countermeasure be effective?

Visual 3.46
Risk Assessment Reality
Are we sure of the threat?
Have we identified all vulnerabilities?
Have we considered all possible attacks?
Is our estimate of consequence correct?
Is all of this art or science?

Visual 3.47
Never Ending Cycle
[Diagram: RISK - ASSESSING - MITIGATING]