
Upload: marilyn-randall

Post on 25-Dec-2015


Copyright 1998, Countermeasures, Inc.

The BUDDY SYSTEM® Security Risk Analysis

A World-class Product!

The Concerns

Loss of confidentiality
Loss of trust
Loss of availability
Total loss of asset
Compliance

Security Program Profile

Phase 1: Risk Analysis

The process of determining current loss potential

Phase 2: Risk Management

The process of improving and monitoring loss potential

Risk Analysis

First Diagnose... then prescribe (You must know your risks before you can manage them)

Disciplined approach to a management problem
Proactive
A procedure for assessing the risk to important assets

Why do a Risk Analysis?

Provide Management with critical Information
Prerequisite for Risk Management
Satisfy Requirements
Reduce Losses due to threat activity
Policy or Regulatory Compliance
YOU do several every day!

A Risk Analysis will:

Discover which assets are critical
Discover in-place countermeasures
Identify applicable threats
Calculate vulnerabilities
Calculate anticipated losses
Recommend corrective actions

Risk Analysis & Management

DEFINITION PHASE
Scope: Define what the task will encompass
Participants: Identify what/who will be surveyed and who will be otherwise involved
Procedure: Define the procedure for data collection and risk analysis.

ANALYSIS PHASE
Collect Data: Collect data on items included in scope. Set time frame for completion
Analysis: Analyze completed surveys; “what-if” modeling; compliance measurements
Reporting: Create and edit reports; submit same to management; revise as necessary

DECISION PHASE
Management Decision: Obtain concurrence with analyst recommendations and trade-offs
Submit Risk Analysis Report: Advise management of analysis results and recommendations

RISK MANAGEMENT PHASE
Assign/Track Actions: Cause the approved actions to be implemented
Report when actions are complete: A final report to management shows the updated security posture
Continuously Monitor: Once a desirable security posture is attained, it must be monitored

Risk Analysis Task Definition

What will be included?
How will the data be collected?
Who will participate?
What reports will be required?
Who will receive the report?
Schedule for data collection
Schedule for analysis and reporting

Step 1: Identify Assets

Assets are anything with value and worth protecting or preserving.

Identify Assets

Asset Details

Determine value
If shared with other resources
If critical to the organization or function
Ownership
Physical location
Part of inventory?

Step 2: Identify Threats

Identify Applicable Threats and their frequency of occurrence

Threats are events or actions with the potential to cause an impact upon assets.

Threat Examples

Natural hazards
Human error
Fire
Theft
Unstable power
Hardware failure
Software failure
Masquerading as authorized employee

Threat Details

Justification
  Why applicable
  Why the frequency
Frequency of occurrence
  historical records
  empirical knowledge

Step 3: In-place Countermeasures

Identify In-Place Countermeasures

Countermeasures are devices, processes, actions and/or procedures which have the propensity to reduce vulnerability

They only count if they’re in-place!

Countermeasure Examples

Procedures
Management support
Contingency plan
Metal Detector
Virus software
Perimeter Fences
Training
Power conditioning
Backup procedures
Access controls
CCTV
Guards

Step 4: Vulnerabilities

Determine Vulnerabilities

Vulnerabilities are a condition of weakness. A weakness might allow threats to have an impact on assets.

Vulnerability Examples

Susceptibility to:

Unauthorized access
Natural hazards
Unstable power
Terrorist Activity
Key person dependency
User or operator errors
Fire
Theft of Resources

Quantify Vulnerabilities

A risk analysis process must identify areas of vulnerabilities and their levels.

Vulnerability levels are calculated based on in-place countermeasures

Step 5: Calculate Loss

Calculate Estimated Loss:
VL * Asset Cost * TV = SLE
And, SLE * Threat Multiplier = ALE

Where:
VL = Vulnerability level
TV = Threat Value
SLE = Single Loss Expectancy
ALE = Annual Loss Expectancy

Loss is a measure of the impact upon assets by one or more manifested threats.

Impact is a calculated value.

Impact?

Manifested Threats + Vulnerability = IMPACT

This is called risk.

Impact Categories

Disclosure (Confidentiality lost)
Destruction (Complete loss)
Distrust (Available but questionable)
Denial of Service (Not available)

Which category(ies) should be avoided?

How Does it all Fit Together?

[Diagram labels: THREAT (repeated), COUNTERMEASURES, VULNERABILITY, ASSET, IMPACT, MODIFICATION, DISTRUST, DENIAL OF SERVICE, DESTRUCTION]

Step 6: Recommendations

Recommend Corrective Action

There are many ways to reduce expected loss from threat activity.

Each corrective action is a countermeasure.

Types of Action

Operational trade-off
Some countermeasures required by regulation
  contingency plan
  security training
Discretionary countermeasures

Reports Should...

Show procedures used
Be management oriented
Be concise
Contain no jargon
Show conclusions
Include recommendations
Show appropriate references
Provide trade-off justification

The Risk Management Process

Understand current risk posture
Determine actions needed to adjust
Assign and track actions
Monitor
Maintain

Risk management is the process of establishing and maintaining an appropriate security posture

Common Processes

Whether manual or automated, the same steps must be accomplished in risk analysis and risk management...

Resources must be applied
Time must be spent
And, with either process, management must decide...

The Automated Paradigm

Lets you accomplish all of the steps with:

Less in-house resources
A more consistent procedure
Repeatable results
More acceptable results
Less resources and time
Less cost

Introducing...

About the BUDDY SYSTEM®

A fully automated risk analysis and management tool for:

Data collection
Vulnerability analysis
“What-if” modeling
Risk analysis and reporting
Risk management
Special functions

The Methodology

Based on years of actual risk analysis experience
Proven through 10 years of use
Tested and accepted world-wide
Fully documented in our Technical Manual
Based on 5 published axioms

Axiom 1

The same population of threats exist for all.

Postulation: The population of threats is infinite in number and variety. Any given threat in the population will manifest itself at an undetermined and uncontrolled frequency. The same threat population exists for all systems and all locations. Only the likelihood of threat occurrence varies.

Axiom 2

The frequency of occurrence of a threat cannot be altered.

Postulation: Apparent alterations to the frequency of occurrence of threats are, in reality, countermeasures. These countermeasures reduce the level of vulnerability to the manifested threat, not how often the threat occurs.

Axiom 3 (Primary)

As the level of in-place countermeasures increases, vulnerability decreases.

Postulation: The level of vulnerability to threats is reduced by the implementation of countermeasures. Some countermeasures have a greater propensity to offset vulnerability than others. The level of vulnerability and the relative value of each countermeasure said to reduce it can be expressed numerically.

As Countermeasures increase (vertical axis), vulnerability level decreases (horizontal axis)

Axiom 4

All countermeasures have vulnerabilities.

Postulation: A vulnerability level of ZERO can never be obtained since all countermeasures have vulnerabilities themselves. One or more vulnerabilities can be identified for any given countermeasure.

Axiom 5

An acceptable level of vulnerability can be obtained by the implementation of countermeasures.

Postulation: There exists a mix of countermeasures that can achieve any arbitrary level of vulnerability. By adding countermeasures, the vulnerability level can be adjusted to a level commensurate with the importance, sensitivity or classification level of the information being processed.
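The Step 5 loss formulas and the what-if reasoning of Axioms 2 to 5, carried through a small risk register as an added example (not part of the original presentation or of the BUDDY SYSTEM product). The 0-to-1 scaling of VL and TV, reading Threat Multiplier as expected occurrences per year, the 0.01 floor standing in for Axiom 4, and all sample figures are assumptions.

```python
from dataclasses import dataclass, replace

MIN_VL = 0.01  # assumed floor: Axiom 4 says a vulnerability level of zero is unobtainable

@dataclass(frozen=True)
class Exposure:
    """One asset/threat pairing from a survey (all values constructed)."""
    asset: str
    asset_cost: float          # value of the asset, in currency units
    threat: str
    vl: float                  # vulnerability level, assumed scaled 0..1
    tv: float                  # threat value, assumed scaled 0..1
    threat_multiplier: float   # assumed: expected occurrences per year

    def __post_init__(self):
        if not (MIN_VL <= self.vl <= 1.0) or not (0.0 <= self.tv <= 1.0):
            raise ValueError(f"{self.asset}/{self.threat}: VL or TV out of range")
        if self.asset_cost < 0 or self.threat_multiplier < 0:
            raise ValueError(f"{self.asset}/{self.threat}: negative cost or frequency")

def sle(e: Exposure) -> float:
    """Single Loss Expectancy: VL * Asset Cost * TV."""
    return e.vl * e.asset_cost * e.tv

def ale(e: Exposure) -> float:
    """Annual Loss Expectancy: SLE * Threat Multiplier."""
    return sle(e) * e.threat_multiplier

def what_if(e: Exposure, vl_reduction: float) -> Exposure:
    """Model a proposed countermeasure that removes a fraction of VL.

    Per Axiom 2 the threat frequency is left untouched; only VL moves,
    and per Axiom 4 it never drops below MIN_VL.
    """
    if not 0.0 <= vl_reduction <= 1.0:
        raise ValueError("vl_reduction must be between 0 and 1")
    return replace(e, vl=max(MIN_VL, e.vl * (1.0 - vl_reduction)))

def net_benefit(e: Exposure, vl_reduction: float, annual_cost: float) -> float:
    """ALE avoided by the countermeasure minus what it costs per year."""
    return ale(e) - ale(what_if(e, vl_reduction)) - annual_cost

def rank_by_ale(register):
    """Highest anticipated annual loss first, for the management report."""
    return sorted(register, key=ale, reverse=True)

REGISTER = [  # constructed sample data
    Exposure("Server room", 1_000_000, "Fire", 0.125, 1.0, 0.0625),
    Exposure("File server", 200_000, "Hardware failure", 0.5, 0.5, 2.0),
    Exposure("Customer database", 800_000, "Unauthorized access", 0.25, 0.5, 0.5),
]

if __name__ == "__main__":
    for e in rank_by_ale(REGISTER):
        print(f"{e.asset:18} {e.threat:20} SLE={sle(e):>10,.0f} ALE={ale(e):>10,.0f}")
    print("Net benefit of a 50% VL reduction costing 15,000/yr:",
          net_benefit(REGISTER[1], 0.5, 15_000))
```

A negative `net_benefit` means the countermeasure costs more per year than the loss it is expected to avoid, which is the trade-off justification the report is asked to provide.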

Three Main Modules

Survey
  Used for data collection
  Fully automatic
Analysis
  Vulnerability analysis
  Risk analysis and management
Maintenance
  Dataset engine

Installation

Registered Version
Trial Version
Stand Alone (Survey Only)
Install on a network or standalone computer
Windows 95, 98, or NT

Implementation Process

Configure dataset(s)
Distribute datasets/surveys
Interface with users
Collect completed surveys
Analyze completed surveys
Prepare and submit reports
Manage approved actions

Data Collection Methods

Over the network (best)
Distribution on floppy disks or CD
Install on a notebook
Interviews by an expert

Survey Execution

On a network workstation:
  Multi-user
  No distribution/recovery
From CD or Disks
On a notebook

The Automated Survey

The survey does the first 4 steps in the analysis process:

Assets
Environment definition
In-place countermeasures (effectiveness can also be measured)
Applicable threats and their frequency

Data Collection

Interface with users
Collect and document details
The best way

Example survey screen

User follows the tree - top to bottom

The Survey is Unique

Pre-loading of common information
User selections are immediately analyzed
Re-configures to fit the environment
30 minutes to complete
No data volume limitations
Automatic help screens
Drop-down selection lists

Analysis and Reporting

The next 3 steps in the risk analysis process:

Determine vulnerabilities
Calculate estimated loss
Recommend corrective actions

Analyst Actions

Analyst recommends corrective actions
What level of impact is acceptable? (residual risk)
Management decides

Automatic Analysis

Vulnerability summary
“What-if” vulnerability modeling

Special Functions

Instant compliance measurement
“Closed-loop” risk management
Access control, with audit logs
Automatic countermeasure effectiveness measurement
Built-in awareness training for end users

Adaptability

Custom datasets:

Information security
Physical security
Manufacturing
Medical
User can customize for ANY use environment or application

Database Engine (Maintenance)

Add, edit, delete without limitation
Establish data item relations

Just Some of the Reports...

Survey information
Data set configuration
Compliance information
Security test & evaluation
Risk analysis report - output to MSWord
Risk management

Standard Features

Windows platforms: NT and 95, and 98
Network or stand alone
Unlimited data sets and surveys
Access control, user control, audit logs
User’s group annual meetings
Newsletter

Coming Soon

WEB-based execution of the survey
Internet access to upgrades and new data sets
Multi-language capability
Cascading effect analysis
Additional report templates

Our Offerings...

Countermeasures, Inc. and its distributors offer...

One year of free support
One year of free upgrades
2 days of training
Multiple copy discounts
Dataset customization services
Specialized consulting services

END OF PRESENTATION

Thank you for your interest in The BUDDY SYSTEM Security Risk Analysis Software