risk management

Risk ManagementRisk Management

October 1998

• What is RISK MANAGEMENT?

– The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.

(Definition from National Information Systems Security

(INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

Course Objective

– The student will be able to DETERMINE a risk index.

• Introduction to Risk Management

Implement RiskManagement

Actions

Identifythe

Risk Areas

Re-evaluatethe Risks

Develop RiskManagement

Plan

Risk Management

Cycle

Assess the Risks

Risk Assessment

Risk Mitigation

• Balance of Risk Management

Risk Ignorance

Risk Management

Risk Avoidance

• RISK

- The likelihood that a particular threat using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence.

(Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)

• THREAT

-Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service.


• Threat Example - Hackers

• Threat Example - Electrical Storms

• Definition of Likelihood

– LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.

• Considerations in Assessing the Likelihood of Threat

– Presence of threats– Tenacity of threats– Strengths of threats– Effectiveness of safeguards

• Statistical Threat Data

• Two Schools of Thought on Likelihood Calculation

AssumeAssume

Don’t Don’t AssumeAssume

• ATTACK

– An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable.


• VULNERABILITY

-Weakness in an information system, cryptographic system, or other components (e.g... , system security procedures, hardware design, internal controls) that could be exploited by a threat.


• Vulnerability Example

• CONSEQUENCE

– A consequence is that which logically or naturally follows an action or condition.

• RM/RA

RISKRISKMANAGEMENTMANAGEMENT

RISKRISKMITIGATIONMITIGATION

RISKASSESSMENT

• RISK ASSESSMENT

-A process of analyzing THREATS to

and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures.


• Why Risk Assessment?

• Benefits of Risk Assessment

– Increased awareness– Assets, vulnerabilities, and controls– Improved basis for decisions– Justification of expenditures

• Risk Assessment Process

– Identify assets– Determine vulnerabilities– Estimate likelihood of exploitation– Compute expected loss

• Identify Assets– People, documentation, supplies

•Properties of Value Analysis

-Confidentiality -Integrity -Availability -Non-repudiation

•Definition -Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices.


•Definition

- Integrity: Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.


•Definition -Availability: Timely, reliable access to data and information services for authorized users.


•Definition

-Non-repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data.


• Determine Vulnerabilities

Open Network

Open CommunicationsLines

• Likelihood

• Expected Loss

• Risk Measure

– RISK MEASURE is a description of the kinds and degrees of risk to which the organization or system is exposed.

• Communicating Risk

– To be useful, the measurement should reflect what is truly important to the organization.

• How do we calculate risk?

• Primary Risk Calculation Methodologies

QQuantitativeuantitative

&&QQualitativeualitative

• The Quantitative Method

• The Qualitative Method

• Qualitative Example:

– “The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system so the likelihood of this event occurring is high.”

• Quantitative and Qualitative Merged

• Delphi Approach

• Probability Density Function

• Examples of documented risk assessment systems– Aggregated Countermeasures Effectiveness

(ACE) Model– Risk Assessment Tool – Information Security Risk Assessment

Model (ISRAM)– Dollar-based OPSEC Risk Analysis

(DORA)– Analysis of Networked Systems Security

Risks (ANSSR)– Profiles– NSA ISSO INFOSEC Risk Assessment

Tool

• Formula for Risk

dv + zqm/ {2a} bc = wxyz

dv + zqm/ {2a} bc = wxyz

lm +op * dz = tgm\bvd

lm +op * dz = tgm\bvd

2b 2b oror n2b n2b

mkt/40 = 9j*Xmkt/40 = 9j*X

• Threat and Vulnerability Revisited

The capability or intention to exploit, or any circumstance or event with the potential to cause harm such as a hacker.

A weakness in a system that can be exploited.

Threat

++

Vulnerability

• Likelihood Vs. Consequence

• Likelihood

– The Likelihood of a successful attack is the probability that an adversary would succeed in carrying out an attack.

• Factors influencing an attack

– Level of threat– Vulnerabilities– Countermeasures applied

• Determine Level of Threat

– Criteria for evaluating the level of threat:• History

• Capability

• Intention or motivation

• Determine Vulnerabilities

• Criteria for Evaluating the Vulnerability

– Number of vulnerabilities– Nature of vulnerability– Countermeasures

• COUNTERMEASURE

– A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.

• Examples of Countermeasures– Procedures:

• security policies and procedures

• training

• personnel transfer

– Hardware:• doors, window bars, fences

• paper shredder

• alarms, badges

– Manpower:• guard force

• CONSEQUENCE

– A consequence is that which logically or naturally follows an action or condition.

• Determination of the Consequence of the Attack

– “The worse the consequence of a threat harming the system, the greater the risk”

AttackAttack ConsequenceConsequence SuccessSuccess

• Risk Calculation Process– determine:

• the threat

• the vulnerability

• the likelihood of attack

• the consequence of an attack

– apply this formula by: • postulating attacks

• estimating the likelihood of a successful attack

• evaluating the consequences of those successful attacks

• NSA ISSO Risk Assessment Methodology

– Developed in the NSA Information Systems Security Organization

– Used for INFOSEC Products and Systems– Can Use During Entire life Cycle– Not Widely Used Outside of DI

• The NSA ISSO Risk Assessment Process

– Understanding the system– Developing attack scenarios– Understanding the severity of the consequences– Creating a risk plane– Generating a report

• The Risk Plane

X -axisX -axis

The likelihood of a successful attackThe likelihood of a successful attack

Y -axisY -axis

The severity of theConsequences ofthat successful attack.

• Risk Index

Risk Index, as defined by the “Yellow Book”, is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system.

• Risk Index– Minimum User Clearance=Rmin– Maximum Data Sensitivity=Rmax– Risk Index=Rmax - Rmin

• Rating Scale for Minimum User Clearance (Rmin)

MINIMUM USER CLEARANCE RATING(Rmin)

Uncleared (U) 0Not Cleared but Authorized Access to Sensitive UnclassifiedInformation (N)

1

Confidential (C) 2Secret (S) 3Top Secret (TS)/Current Background Investigation (BI) 4Top Secret (TS)/Current Special Background Investigation(SBI)

5

One Category (1C) 6Multiple Categories (MC) 7

• Rating Scale for Maximum Data Sensitivity (Rmax)

Maximum DataSensitivity RatingsWithout Categories

Rating(Rmax)

Maximum Data Sensitivity With Categories Rating(Rmax)

Unclassified (U) 0 N/ANot Classified But

Sensitive1 Unclassified but Sensitive With One or More

Categories2

Confidential (C) 2 Confidential With One or More Categories 3Secret (S) 3 Secret With No More Than One Category

Containing Secret Data

Secret With Two or More CategoriesContaining Secret Data

4

5Top Secret (TS) 5 Top Secret With One or More Categories

With No More Than one CategoryContaining Secret or Top Secret Data

Top Secret With Two or More CategoriesContaining Secret or Top Secret Data

6

7

• Computer Security Requirements

RISKINDEX

MODE MINIMUM CRITERIA FOROPEN ENVIRONMENTS

MINIMUM CRITERIA FORCLOSED ENVIRONMENTS

0 Dedicated None None0 System High C2 C21 Compartmented

MultilevelB1 B1

2 CompartmentedMultilevel

B2 B2

3 Multilevel B3 B24 Multilevel A1 B35 Multilevel * A16 Multilevel * *7 Multilevel * *

* = Security Requirements Beyond State of the Art

• Automated Risk Assessment Tools

• NIST Special Publication 500-174

• LAVA

LLosAAlamosVVulnerability and Risk AAssessment Tool

• Threats Considered by LAVA

– natural and environmental hazards– accidental and intentional on-site human threats

(including the authorized insider)– off-site human threats

• RiskPAC

– a knowledge-based system that uses a questionnaire metaphor to interact with the user and measure risk in government-related and other topics.

• A.L.E.

AAnnualized

LLoss

EExposure Calculator

• RISKWATCH

1

2

3

45

6

7

• Risk Management Research Laboratory

• Risk Mitigation

– Risk Mitigation is any step taken to reduce risk.

• Residual Risk

– Portion of risk remaining after security measures have been applied.


• Residual Risk and Safeguards

• Summary

– Risk Mitigation– Risk Calculation Methods– Risk Index

Sampling of General INFOSEC Resources on the Web

•Defense Information Systems Agency (DISA) Awareness and Training Facility: http://www.disa.mil/ciss/cissitf.html•Information Security News: http://www.infosecnews.com/•Information Security Mall: http://niim.bus.utexas.edu/•National INFOSEC Education Colloquium: http://www.infosec.jmu.edu/ncisse•International Information Systems Security Certification Consortium: http://www.isc2.org/•National Institute for Standards and Technology (NIST) Computer Security Clearinghouse:http://csrc.nist.gov/welcome.html•National INFOSEC Telecommunications and Information Systems Security Committee(NSTISSC):http://www.nstissc.gov•President’s Commission on Critical Infrastructure Protection: http://www.pccip.gov/•Security Site Links: http://www.sscs.net/resources/secsites_list.htm

Sampling of Web Addresses for Colleges and Universities with INFOSEC Courses, Programs, Centers

•Dartmouth College: http://www.dartmouth.edu/pub/security/•George Mason University Center for Secure Info Systems: http://www.isse.gmu.edu~csis/index.html•Georgia Tech Information Security Center: http://www.samnunnforum.gatech.edu/web.html•Harvard University: http://www.harvard.edu•Idaho State University: http://bibo.isu.edu/security/security.html•Indiana University: http://www.cs.indiana.edu•Iowa State: http://vulcan.ee.iastate.edu•James Madison University: http://www.jmu.edu/•National Defense University: http://www.ndu.edu/irmc/•North Carolina State University: http://www.ncsu.edu•Purdue University: http://www.cs.purdue.edu/coast.html•University of California at Davis: http://www.ucdavis.edu•University of Texas, Austin: http://wwwhost.ots.utexas.edu/mac/pub-mac-virus-html•Western Connecticut State University: http://www.wcsu.ctstateu.edu/mis/homepage.html

risk management

Documents

information systems

information systems

loss of information

system security procedures

risk index

risk managementoctober

particular threat

cryptographic system