Risk Assessment
By: Ashwin Vignesh Madhu
Overview
● Objective
● Introduction
● Risk
● Risk Management Cycle
● RA Methodologies: CRAMM, COBRA, RuSecure, British Standard, Hierarchical Criteria Model
● Common Failures in RA
● Elements of Good RA
● OCTAVE
● Characteristics
● Process
● Criteria
● Examples
● OCTAVE Methodology
● Choosing Methodology
● Our Methodology
Objective
● Risk Assessment Process: not unique to the IT environment
● Provide the desired level of mission support depending on the budget
● Well-structured risk management methodology
Introduction
● The process of enumerating risks
● Determining their classifications
● Assigning probability and impact scores
● Associating controls with each risk
Risk
● Risk Assessment measures:
  Magnitude of the potential loss, L
  Probability p that the loss will occur
● Risk R can be expressed as R = L * p, or Risk = Impact * Likelihood
Risk (Cont..)
● Risk = PA * (1 - PE) * C
  PA – the likelihood of adversary attack
  PE – the security system effectiveness
  (1 - PE) – the probability of adversary success
  C – consequence of loss of the asset
● High L with low p versus low L with high p: treated differently in practice, but given nearly equal priority when dealing with them
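An added example (not from the slides) that scores a constructed risk register with the two formulas above, R = L * p and R = PA * (1 - PE) * C, and ranks the entries; the names, loss figures, likelihoods and controls in the register are hypothetical values chosen to show the high-L/low-p and low-L/high-p cases landing at nearly equal priority.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float        # L: magnitude of the potential loss (constructed, currency units)
    likelihood: float  # p: probability the loss occurs in the assessment period
    control: str       # control associated with this risk


def expected_loss(loss: float, likelihood: float) -> float:
    """R = L * p, i.e. Risk = Impact * Likelihood."""
    if loss < 0 or not 0.0 <= likelihood <= 1.0:
        raise ValueError("loss must be >= 0 and likelihood within [0, 1]")
    return loss * likelihood


def adversarial_risk(p_attack: float, effectiveness: float, consequence: float) -> float:
    """R = PA * (1 - PE) * C: attack likelihood, times the chance the security
    system fails to stop the attack, times the consequence of losing the asset."""
    if not (0.0 <= p_attack <= 1.0 and 0.0 <= effectiveness <= 1.0):
        raise ValueError("PA and PE must be probabilities within [0, 1]")
    if consequence < 0:
        raise ValueError("consequence must be >= 0")
    return p_attack * (1.0 - effectiveness) * consequence


def rank_register(register: list[Risk]) -> list[tuple[str, float]]:
    """Score every entry with R = L * p and return (name, R) sorted high to low."""
    scored = [(r.name, expected_loss(r.loss, r.likelihood)) for r in register]
    return sorted(scored, key=lambda entry: entry[1], reverse=True)


# Constructed sample register (hypothetical values, not from the slides): the
# high-L/low-p and low-L/high-p entries come out at nearly equal priority.
REGISTER = [
    Risk("data-centre fire", 2_000_000, 0.01, "fire suppression, off-site backups"),
    Risk("laptop theft", 20_000, 0.90, "full-disk encryption, asset tags"),
    Risk("unpatched web server compromise", 500_000, 0.20, "patch SLA, WAF"),
]

if __name__ == "__main__":
    for name, r in rank_register(REGISTER):
        print(f"{name:32s} R = {r:>10,.0f}")
    # Sandia-style: PA = 0.5, PE = 0.8, C = 1,000,000 -> R = 100,000
    print(f"adversarial R = {adversarial_risk(0.5, 0.8, 1_000_000):,.0f}")
```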
Risk Management Cycle
RA Methodologies
● CCTA Risk Analysis and Management Method (CRAMM)
● Consultative, Objective and Bi-functional Risk Analysis (COBRA)
● RuSecure
● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Failure Mode and Effects Analysis (FMEA)
● British Standard (BS)
RA Methodologies (Cont..)
● Methods support in:
  Detecting critical places and parts in the organization
  Detecting risk factors
  Collecting data about risk factors
  Evaluation and estimation of risk
  Generating a report of the risk management process
CRAMM
COBRA
● Two modules:
  COBRA Risk Consultant
  ISO Compliance Analyst
● Supports the process of evaluating security risk
● Evaluation steps:
  Building queries
  Risk evaluation
  Constructing reports
● Contains a library of countermeasures
RuSecure
British Standard
Hierarchical Criteria Model
Common Failures in RA
● Poor executive support
● High cost of implementation
● Untimely response
● Insufficient accountability
● Inability to qualitatively measure the control environment
● Infrequent assessment
● Inaccurate data
Elements of Good RA
● Provides clear instructions
● Simplifies user response
● Identifies support contacts
● Focuses on leaders as well as executors
● Provides feedback to users and risk leaders
● Has a broad scope
● Identifies users for follow-up if necessary and applicable
OCTAVE
● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Effective security risk evaluation
● Considers both organizational and technological issues
● Self-directed
Characteristics
● Identify information-related assets
● Focus risk analysis activities on critical assets
● Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
● Evaluate risks in an operational context - how they are used to conduct an organization’s business
● Create a protection strategy for risk mitigation
OCTAVE Process
Criteria
● Principle: fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process
● Attribute: distinctive qualities, or characteristics, of the evaluation
● Output: defines the outcomes that an analysis team must achieve during each phase
Examples
OCTAVE Method Process
● Phase 1: Build Asset-Based Threat Profiles
  Process 1: Identify Senior Management Knowledge
  Process 2: Identify Operational Area Knowledge
  Process 3: Identify Staff Knowledge
  Process 4: Create Threat Profiles
● Phase 2: Identify Infrastructure Vulnerabilities
  Process 5: Identify Key Components
  Process 6: Evaluate Selected Components
● Phase 3: Develop Security Strategy and Plans
  Process 7: Conduct Risk Analysis – an organizational set of impact evaluation criteria is defined to establish the impact value
  Process 8: Develop Protection Strategy – the team develops an organization-wide protection strategy to improve the organization’s security practices
Choosing Methods
● Depending on organization size
● Depending on organization hierarchical structure
● Structured or open-ended method
● Analysis team composition
● IT resources
Our Methodology
● Policies and procedures
● Requirement analysis
● Network topology
● Categorizing the network
● Scanning based on categorization
● Analysis of vulnerabilities
  Use different scanning tools
  Penetration testing
● Risk strategy
● Mitigation of risk
References
● NIST – Risk Management Guide for Information Technology Systems
● http://www.gao.gov/special.pubs/ai00033.pdf
● http://en.wikipedia.org/wiki/Risk_management
● http://en.wikipedia.org/wiki/Risk_assessment
● http://www.sandia.gov/ram
● http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
● http://www.octave.org
Thank You