ANALYZING RISK - PowerPoint PPT Presentation

Slides: 35
Provided by: york5

1
ANALYZING RISK
  • Chapter 2

2
ANALYZING RISK
  • Security Risk Management Process
    • Assessment
    • Implementation
    • Operations

3
SECURITY RISK MANAGEMENT
  • Helps security designers identify the most
    effective way to spend security budget
  • Reduces the risk of overlooking significant
    vulnerabilities
  • Has three phases:
    • Assessment
    • Implementation
    • Operations

4
SECURITY RISK MANAGEMENT PHASES

5
ASSEMBLING A SECURITY-RISK MANAGEMENT TEAM
  • Project manager
  • Security subject-matter expert (you!)
  • IT managers
  • Other managers as needed

6
PHASE 1: ASSESSMENT
  • Step 1: Inventory Security Policies
  • Step 2: Assess Assets
  • Step 3: Assess Threats
  • Step 4: Assess Risks
  • Step 5: Create a Security Action Plan

7
ASSESSMENT STEP 1: INVENTORY SECURITY POLICIES
  • First, identify policies that are currently in
    place
  • Missing policies will be created during the
    implementation phase

8
ASSESSMENT STEP 2: ASSESS ASSETS
  • Inventory every asset in your organization that
    is worthy of protection
  • Two approaches: quantitative and qualitative
    • Qualitative approach relies on estimations of
      value for each asset, such as "very important" or
      "not important"
    • Quantitative approach uses dollar amounts to
      value assets, such as $10,000,000

9
ASSESSMENT STEP 3: ASSESS THREATS
  • Use threat modeling to identify security threats
    and each asset's vulnerability to the threat
  • Use the same qualitative or quantitative approach
    used in Step 2:
    • Qualitative approach estimates the vulnerability
      of an asset to a threat
    • Quantitative approach calculates the exposure
      factor (EF) as the percent damage a threat could
      do to an asset

10
THREAT AGENT
  • The attacker
  • Malicious attackers
  • Nonmalicious attackers
  • Mechanical failures
  • Catastrophic events

11
ASSESSMENT STEP 4: ASSESS RISKS
  • Consider both the value of the asset and the
    vulnerability to a particular risk to assess each
    threat-and-asset pair's risk
  • Use this step to prioritize your vulnerabilities
  • Qualitative: Combine values created in steps 3
    and 4 (next slide)
  • Quantitative: Use a formula to calculate risk

12
QUALITATIVELY ASSESS RISKS

13
QUANTITATIVELY ASSESS RISKS
  • SLE = AV × EF
  • Estimate ARO
  • ALE = SLE × ARO

14
ASSESSMENT STEP 5: CREATE A SECURITY ACTION PLAN
  • For each risk you identify, choose one or more
    responses:
    • Mitigate
    • React To
    • Transfer
    • Research
    • Accept
  • Choose countermeasures qualitatively or
    quantitatively

15
QUALITATIVELY PLAN COUNTERMEASURES
  • For each risk, brainstorm with managers and
    engineers familiar with the asset
  • Consult with security experts familiar with
    protecting against the threat
  • Keep countermeasure costs in line with the level
    of risk
  • Consider using defense-in-depth by using multiple
    countermeasures of different types
  • Do not spend more on a countermeasure than an
    asset is worth

16
QUANTITATIVELY PLAN COUNTERMEASURES
  • For each risk, brainstorm to identify multiple
    countermeasures
  • Determine the value of each countermeasure using
    the formula
  • V = ALE1 − ALE2 − C
  • Add those countermeasures that add the most value
    to the security action plan
  • If a countermeasure has a negative value, the
    countermeasure is not worth the expense
  • Consider adding multiple countermeasures
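
The quantitative steps on slides 13 and 16, carried through as an added example (not part of the original deck), taking the slide formulas as SLE = AV × EF, ALE = SLE × ARO and V = ALE1 − ALE2 − C. The risk, the countermeasure names and every dollar figure are constructed for illustration, and each countermeasure is valued on its own rather than in combination.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # ARO, expected incidents per year

    @property
    def sle(self) -> float:  # single loss expectancy
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # annualized loss expectancy
        return self.sle * self.aro

@dataclass
class Countermeasure:
    name: str
    annual_cost: float                 # C
    ef_after: Optional[float] = None   # EF once deployed, if it limits damage
    aro_after: Optional[float] = None  # ARO once deployed, if it limits frequency

def countermeasure_value(risk: Risk, cm: Countermeasure) -> float:
    """V = ALE1 - ALE2 - C, rounded to cents."""
    ef = risk.exposure_factor if cm.ef_after is None else cm.ef_after
    aro = risk.aro if cm.aro_after is None else cm.aro_after
    ale_after = Risk(risk.asset_value, ef, aro).ale
    return round(risk.ale - ale_after - cm.annual_cost, 2)

def rank_countermeasures(risk, candidates):
    """Drop countermeasures with negative V; return the rest, best first."""
    scored = [(cm.name, countermeasure_value(risk, cm)) for cm in candidates]
    return sorted((s for s in scored if s[1] >= 0), key=lambda s: s[1], reverse=True)

# Constructed sample figures, not taken from the slides.
DB_OUTAGE = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.5)
CANDIDATES = [
    Countermeasure("Patch management", annual_cost=6_000, aro_after=0.1),
    Countermeasure("Offsite backups", annual_cost=4_000, ef_after=0.05),
    Countermeasure("Redundant hot site", annual_cost=30_000, ef_after=0.01),
]

if __name__ == "__main__":
    print(f"SLE={DB_OUTAGE.sle:,.0f}  ALE={DB_OUTAGE.ale:,.0f}")
    for name, value in rank_countermeasures(DB_OUTAGE, CANDIDATES):
        print(f"{name}: V={value:,.0f}")
```

The hot site cuts the loss the most yet costs more per year than the loss it prevents, so it is the one candidate left out of the action plan.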

17
PHASE 2: IMPLEMENTATION
  • Step 1: Develop Countermeasures
  • Step 2: Test Countermeasures
  • Step 3: Implement Countermeasures

18
IMPLEMENTATION STEP 1: DEVELOP COUNTERMEASURES
  • Specify configurations for countermeasures in the
    Security Action Plan
  • Design a management solution for security fixes
  • Develop a monitoring solution
  • Specify auditing requirements
  • Create an incident response team
  • Develop operational policies and procedures

19
SPECIFY CONFIGURATIONS FOR COUNTERMEASURES
  • Mitigate risks:
    • Develop Group Policy objects and specify
      configuration settings
    • Design backup and restore solutions
  • Transfer risks: Identify insurance plan for risks
    that you transfer
  • React to risks: Develop contingency plan

20
DESIGN A MANAGEMENT SOLUTION FOR SECURITY FIXES
  • Everything with software needs security fixes:
    • Servers
    • Clients
    • Routers
    • Firewalls
  • Work with software vendors to identify
    vendor-specific notification and update processes

21
DEVELOP A MONITORING SOLUTION
  • Reduce downtime by detecting failures before
    users can complain
  • You must detect failures of all critical assets
  • For best results, write scripts to test
    application transactions for success
  • Develop reactive intrusion detection system
    countermeasures where specified in the Security
    Action Plan

22
SPECIFY AUDITING REQUIREMENTS
  • Configuration management
  • User management
  • Manual intrusion detection
  • Create automated auditing tools as needed

23
CREATE AN INCIDENT RESPONSE TEAM
  • Responsibilities include:
    • Responding to security incidents
    • Developing incident handling guidelines
    • Preparing paths and procedures of escalation to
      law enforcement
    • Conducting training and awareness activities
    • Performing research on viruses
    • Conducting system attack studies

24
DEVELOP OPERATIONAL POLICIES AND PROCEDURES
  • Policies and procedures are countermeasures for
    human vulnerabilities
  • Work with legal and human resources to develop
    them

25
IMPLEMENTATION STEP 2: TEST COUNTERMEASURES
  • Test countermeasures to verify that they:
    • Can be deployed successfully
    • Protect assets as expected
    • Are compatible with applications
    • Do not interfere with user productivity

26
IMPLEMENTATION STEP 3: IMPLEMENT COUNTERMEASURES
  • Deploy your new countermeasures and policies
  • Use a staged deployment. Start with IT.
  • Gather feedback from users about the effects of
    the changes, and modify plans and configurations
    as needed
  • Be prepared to roll back changes if unsolvable
    problems arise

27
PHASE 3: OPERATIONS
  • Step 1: Maintain Security
  • Step 2: Respond to Incidents
  • Step 3: Assess New Risks
  • Step 4: Deploy New Countermeasures

28
OPERATIONS STEP 1: MAINTAIN SECURITY
  • Security degrades over time in large environments
    because administrators change hardened software
    configurations
  • Tools you can use to identify changed
    configurations:
    • Security Configuration and Analysis
    • Resultant Set of Policy
    • GPResult
    • Microsoft Baseline Security Analyzer (MBSA)
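
The kind of comparison these tools perform, sketched as an added example that is not part of the original deck: a hardened baseline is compared setting by setting against what a machine currently has. It assumes both sides are available as INF-style security template text (the format `secedit /export` writes), which the slides do not specify; both templates below are constructed samples.

```python
import configparser

# Constructed hardened baseline (security template style).
BASELINE_INF = """\
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
"""

# Constructed export from a machine whose settings have been changed.
CURRENT_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
"""

def parse_template(text):
    """Return {(section, setting): value} for an INF-style template."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    return {(section, key): value.strip()
            for section in parser.sections()
            for key, value in parser[section].items()}

def find_drift(baseline_text, current_text):
    """List (section, setting, expected, actual) for every baseline setting
    that is missing or different on the machine."""
    baseline = parse_template(baseline_text)
    current = parse_template(current_text)
    drift = []
    for (section, key), expected in sorted(baseline.items()):
        actual = current.get((section, key), "<not configured>")
        if actual != expected:
            drift.append((section, key, expected, actual))
    return drift

if __name__ == "__main__":
    for section, key, expected, actual in find_drift(BASELINE_INF, CURRENT_INF):
        print(f"[{section}] {key}: baseline={expected} current={actual}")
```

A baseline setting that is absent from the current export is reported as drift too, since a hardened value that was removed is as much a change as one that was edited.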

29
SECURITY CONFIGURATION AND ANALYSIS

30
RESULTANT SET OF POLICY

31
OPERATIONS STEP 2: RESPOND TO INCIDENTS
  • When you detect an active threat or a compromise,
    call the incident response team into action
  • Execute your contingency plan
  • Perform a postmortem review to learn from the
    incident
  • Identify the cost of the compromise
  • Examine the effectiveness of the incident
    response team
  • Adjust policies and countermeasures to protect
    from the threat in the future

32
OPERATIONS STEP 3: ASSESS NEW RISKS
  • Your security landscape changes over time:
    • Your organization adds new assets that need
      protection
    • New vulnerabilities are discovered in existing
      assets
    • New types of threats appear
  • Someone must be responsible for ongoing security;
    it is an interesting job.

33
OPERATIONS STEP 4: DEPLOY NEW COUNTERMEASURES
  • When you identify new assets, vulnerabilities,
    and threats, you may need to deploy new
    countermeasures
  • Use an abbreviated version of Phase 2 to identify,
    test, and deploy the countermeasure
  • New countermeasures might be:
    • Adjusted firewall rules
    • Modified computer configuration
    • New or changed security policies and procedures

34
SUMMARY
  • Use the Security Risk Management process to
    logically identify the most efficient way to
    improve your organization's security. It has
    three phases:
    • Phase 1: Assessment
    • Phase 2: Implementation
    • Phase 3: Operations
  • At the end of the process, you will understand
    your organization's security risks, and will have
    reduced them to a manageable level