Formal Risk Assessment Workshop

Posted on 16-Apr-2017

Page 1: Formal Risk Assessment Workshop

Created by Praveen Joseph Vackayil

Information Security Risk Assessment Workshop

Praveen Joseph Vackayil, Deepak Umapathy

Page 2: DISCLAIMER

Page 3: Workshop Objectives

• Explore perspectives and incite thoughts on the risk assessment process
• Re-visit the basic concepts of risk
• Perform a risk assessment based on a formal methodology

Page 4: Ground Rules

• Questions are welcome
• Share your knowledge
• Mobile phones – you know what to do

Page 5: Agenda

• I. An Introduction to Risk Assessment
• II. Basic Concepts
• III. Lunch
• IV. Case Study: Implementing a NIST SP 800-30 Risk Assessment

Page 6: So Let’s Go

Page 7: I. An Introduction to Risk Assessment

Page 8: What is Risk?

Page 9: The Concept of Risk

Risk exists in daily life.
Risk may be a part of a profession or sport.

Page 10: The Concept of Risk

• We can’t always predict the future. At least not accurately.
• Risk is a consideration of how something we value (asset) can be affected by a negative entity (threat) and lead to a less than ideal outcome (impact), since it is not protected enough (vulnerability).

Page 11: Players in a Risk Assessment

Diagram labels: Threat Source, Threat, Outcome, Asset, Vulnerability

Page 12: RISK ECOSYSTEM

Diagram labels: Asset, Threat, Vulnerability, Undesired Impact

Textbook Definition

Interpreted Definition: Risk is the probability that a threat, exploiting a vulnerability that exists in an asset of certain value, will cause an undesired impact.

Page 13: What is Risk Assessment?

Page 14: What is Risk Assessment?

• Risk Assessment is nothing but people being people
• It is an extension of human nature and a satiation of a basic human need: TO BE IN CONTROL

Page 15: Some Perspectives on RA in the Outside World

The jaguar hides its prey atop trees

Page 16: Some Perspectives on RA in the Outside World

Name some things you see in this picture which remind you of risk assessment

Page 17: Formalizing Risk Assessment

• Formalizing a Risk Assessment is a way of providing it with a systematic mechanism of
  – Measurement (defining metrics)
  – Repetition (process-specific and not person-specific)
  – Comparison (between different business verticals, for instance)

Note: We will be visiting formal methodologies in the later slides.

Page 18: Why do we need Risk Assessment?

Or do we need it at all?

Page 19: Murphy’s Law

If anything can go wrong, it will

Page 20: Do We Really Need Risk Assessment?

Case i: I am trying to check all the boxes in my compliance checklist. I don’t need a separate risk assessment as such.
  – A compliance standard is a universal set of instructions
  – Risk Assessment is the tool through which the standard is tailored to the unique circumstances of your environment

Note: Risk assessment is mandated by most compliance standards today – eg. PCI, ISO 27001, HIPAA, etc.

Page 21: Do We Really Need Risk Assessment?

Case ii: We have annual third party audits. We don’t need risk assessment.
  – Risk Assessment ≠ Audit
  – An audit is a discovery of what HAS already gone wrong
  – Risk Assessment is the discovery of what CAN go wrong in the near or distant future

Page 22: Do We Really Need Risk Assessment?

Case iii: I don’t see the point. We did a risk assessment last year and no one followed through with remediation.
  – Risk Assessment: ‘If you can’t measure it, you can’t manage it.’
  – Risk Management: ‘Knowing is not enough, we must apply.’

Page 23: Do We Really Need Risk Assessment?

Case iv: Everything eventually boils down to the numbers. There is a cost involved in an RA. How do I justify this investment?

RA Cost:
• Time and effort
• Productivity is hit when business team is facing risk assessors
• RA Training Costs
• RA Consultant
• RA Tool

RA Benefit: ?
• Not having a security incident is the ROI of any security investment.
• A key objective of RA is to ensure the security budget is not exceeded.

Page 24: II. Basic Concepts

Page 25: A Sample Risk Assessment Workflow

Workflow (diagram): Risk Frame → Threat Source and Threat Event → Vulnerability → Likelihood of Occurrence → Impact → Risk Score → Risk Response

Page 26: Risk Frame

• Identification of the
  – Organizational priorities. Eg. Purpose of the RA
  – Scope – Assets (e.g., organizational entities covered, business functions affected by the RA)
  – Team structure within the organization
  – Assumptions and constraints
  – Information sources
  – Risk management guidance on the Risk Model, Analysis Approach, Assessment Approach, Qualitative Scale to be used for Risk Score, etc.
  – Risk response guidance including, for example, risk tolerance
  – Risk monitoring guidance

Page 27: Role of Organizational Structure on Risk Perception

Nature of risks varies with the level of hierarchy being assessed.

Tiers (diagram): Organization Tier → Business Process Tier → Information System Tier

Page 28: Analysis Approach

Threat-oriented: Threat Source → Threat Event caused by the Threat Source → Vulnerability → Impact

Asset/Impact-oriented: Critical Asset → Impact that can compromise the Asset → Threat Event that can cause the impact → Threat Source that leads to this Threat Event

Vulnerability-oriented: Vulnerabilities and Pre-disposing Conditions → Threat Event that exploits the Vulnerability → Threat Source → Impact

Page 29: Assessment Approach: Qualitative vs Quantitative Measurement

Page 30: Assessment Approach: Qualitative vs Quantitative Measurement

Qualitative | Quantitative
High, Medium, Low; Red, Green, Yellow | Numeric
Easy to calculate | May include complex formulae
Less accurate, but gets the job done | Precise. Useful in $ estimations
Difficult to convince stakeholders, since it is based on subjective judgement | Easier to convince stakeholders

Risk = f (Asset Value, Threat probability, Level of Vulnerability)

Basic concepts to be noted:
SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
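A worked quantitative pass over the two formulas on this slide, added here as an example and not part of the workshop material. It carries SLE and ALE one step further into the standard safeguard cost/benefit comparison (ALE before a control, minus ALE after it, minus the control's yearly cost), which the slide does not cover; every figure in the sample register is constructed, with the DB server borrowed from the asset slide only as a name.

```python
"""Quantitative risk figures from the slide:
    SLE = Asset Value x Exposure Factor
    ALE = SLE x ARO
Added example. The cost/benefit step (ALE before control - ALE after control
- annual control cost) is the standard extension of ALE and is not on the
slide. All figures below are constructed, not taken from the deck."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence. Exposure factor is the fraction of
    asset value lost in that one event (0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss. ARO is how many times per year the threat
    event is expected to occur (0.2 means once in five years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class QuantRisk:
    """One threat event against one asset, with annual-rate estimates before
    and after a proposed control, plus what that control costs per year."""
    name: str
    asset_value: float
    exposure_factor: float
    aro_before: float           # expected rate with current controls only
    aro_after: float            # expected rate once the proposed control is in place
    annual_control_cost: float

    def ale_before(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro_before)

    def ale_after(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro_after)

    def control_net_benefit(self) -> float:
        """ALE reduction minus the control's yearly cost. Positive: the control
        pays for itself. Negative: accept the risk or find a cheaper control."""
        return self.ale_before() - self.ale_after() - self.annual_control_cost


def rank_by_net_benefit(risks):
    """Order the register so the controls with the best return are funded first."""
    return sorted(risks, key=lambda r: r.control_net_benefit(), reverse=True)


# Constructed sample register (values invented for illustration).
SAMPLE_REGISTER = [
    QuantRisk("DB server: ransomware on unpatched host", 200_000, 0.25, 0.5, 0.2, 8_000),
    QuantRisk("DB server: disk failure, backup never restored", 200_000, 0.10, 1.0, 0.25, 3_000),
    QuantRisk("DB server: DBA laptop stolen with credentials", 200_000, 0.05, 0.2, 0.2, 2_500),
]

if __name__ == "__main__":
    for r in rank_by_net_benefit(SAMPLE_REGISTER):
        print(f"{r.name:48s} ALE {r.ale_before():>9,.0f} -> {r.ale_after():>9,.0f}"
              f"  net benefit {r.control_net_benefit():>9,.0f}")
```

The third entry shows the failure mode the slide hints at with "precise": a control that does not change the ARO produces a negative net benefit however exact the arithmetic is.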

Page 31: A Word on Assets

• Anything of value to the organization
• Perception of value is tied to the purpose of the risk assessment
  – Eg. If in a compliance RA, the value of the asset depends on the compliance requirement. In PCI, card data is the most important asset, and hence gets highest Asset Value.
  – If the RA aims at capturing process inefficiencies and optimizing cost, money is the most important asset.
  – For the purpose of ISRA, information is usually the most important asset.

Page 32: Characterizing Assets

Asset Name: DB Server
Asset Category: Supporting Asset
Asset Type: Hardware
Asset Owner: Head of IT Dept
Asset Custodian: Database Administrator
Asset Value:
  • Impact if C is compromised: VH
  • Impact if I is compromised: VH
  • Impact if A is compromised: M
Total Asset Value: VH

Page 33: Threat Source and Threat Event

Adversarial Threat Source – Malicious outsider defaces the corporate website
  Intent: To take control of the web server and deface the website
  Targeting: Web server
  Capability: Proficiency in hacking tools like Metasploit; knowledge of the systems architecture
  Threat Event: Website is defaced by a malicious outsider

Non-adversarial Threat Source – Employee loses company confidential data in a laptop
  Range of Effects: Loss of confidential data if the laptop falls into the wrong and capable hands
  Threat Event: Company data is misused by an unknown third party

Page 34: Threat Shifting

• Change in attack approach based on controls perception.

Domains (diagram): Time domain, Target domain, Resource domain, Attack method

Influencers:
• Path of least resistance
• Path with quicker and more benefit

Page 35: Vulnerabilities

• A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source

Page 36: Vulnerabilities

• Controls are absent
• Controls are not efficient
• Controls are no longer relevant: the ever-changing threat landscape can render the current control eco-system obsolete. Eg. Shellshock bash vulnerability.

Page 37: Pre-disposing Conditions

An existing condition within an environment that can increase or decrease the likelihood of a threat.

Eg.
• Indonesia is prone to earthquakes.
• We use Windows XP on all our desktops. (Risk increases)
• We operate out of a city with low crime rate.

Page 38: Likelihood of Occurrence

Questions to Ask:
• Will the threat event occur/be initiated by a threat source successfully?
• Will the threat event cause an adverse impact successfully?

Likelihood of Occurrence = f (Likelihood of Threat Event Initiation/Occurrence, Likelihood of Threat Event causing Adverse Impact)

Page 39: Impact

• Magnitude of harm caused due to the disclosure, modification, destruction/loss of sensitive data.
• Impact may cascade to entities even external to the scoped environment.

Eg. Financial loss, reputational loss, productivity loss, loss of existing clients.

Page 40: Risk Model

Risk Factors (diagram): Threat, Likelihood, Vulnerability, Pre-disposing Condition, Impact → Risk

Risk models define the risk factors to be assessed and the relationships among those factors.

Page 41: Sample Risk Model

Recall the earlier slide

Page 42: NIST SP 800-30 Risk Model

• Risk is the Likelihood
• that a Threat Source will exploit
• a Vulnerability with Severity
  and/or
• a Pre-disposing Condition with Pervasiveness
• and initiate a Threat Event
• leading to an adverse Impact

Page 43: Timing your Risk Assessment

• Just before acquiring a new company
• Just before an audit
• Just after deploying new laptops
• Before starting operations in a new facility
• Every month for all assets
• Never.

You be the Judge

Page 44: Continuous Risk Assessment

• Annual Risk Assessment
• Real-time updates to the Risk Assessment via a Feedback Loop

Cycle (diagram): Scope → Identify → Assess → Manage → Document

Page 45: Continuous Risk Assessment

Page 46: Continuous Risk Assessment

Thoughts
• Does it really work?
  – No tracker/reminder on the RA
  – Job rotations/staff leave the team
  – Disconnect between the risk assessor and the asset custodians
• Is everyone that committed to security?
  – Top management commitment to security may not drill down to the grass-root levels

Page 47: Formal Risk Assessment

A Formal Risk Assessment is one that is:
• Measurable
• Comparable
• Repeatable

A Formal approach:
• Is tried and tested
• Reduces re-work in devising new methodologies every year
• Leads to consistency which in turn allows integration of RA with audit and other activities
• Establishes a process and reduces people-dependency

Page 48: Formal Risk Assessment

Do we really need to use a formal risk assessment methodology?
• Yes
• No

Page 49: Formal Risk Assessment

Develop a new RA methodology vs Adopt an existing formal RA methodology

RA METHODOLOGY:
  – Develop: A new methodology must be developed, tried and revised. This is in some ways re-invention of the wheel.
  – Adopt: A tried and tested methodology already exists. It needs to be shortlisted and adopted. Corresponding RA template may be available.

RISK ASSESSORS:
  – Develop: Develop an in-house talent pool that is well versed with the methodology. Training costs extra.
  – Adopt: Hire RA personnel with relevant experience/certification. Resource costs extra.

COMPATIBILITY:
  – Develop: It will be created as per the organization’s unique environment.
  – Adopt: The existing methodology may need to be tweaked to suit the organization’s environment, structure and culture. Eg. Primary and supporting assets may be selected according to the org-structure.

ASSET OWNERS/CUSTODIANS:
  – Develop: Factors that encourage user adoption may be built in while developing the methodology. Eg. Qualitative risk calculation is used, since it is easier for all to understand.
  – Adopt: Ways to enable user adoption of the methodology must be developed. Eg. The survey-based approach of OCTAVE may not work in an organization where people don’t respond to emails.

PREVIOUS REFERENCES:
  – Develop: Not sure if it will succeed/fail since there is no prior user experience/reviews to refer to.
  – Adopt: Tried and tested. Known to have succeeded. Common pitfalls will be readily available based on other users’ experiences. These can be addressed accordingly.

Page 50: Formal RA Methodologies

3 popular RA methodologies:
• ISO 27005
• OCTAVE
• NIST SP 800-30

Page 51: ISO 27005

• Developed by International Organization for Standardization (ISO)
• Suitable for technology as well as process RA
• Concept of primary and supporting asset can be adapted to most organizational scenarios
• ISRA = Risk Identification -> Risk Estimation -> Risk Evaluation
• Its USP: Asset Characterization

Page 52: ISO 27005 Workflow

Description of ISRA
• Scope and Boundaries
• Org structure
• Risk Acceptance Criteria
• RA Team

Risk Analysis: Risk Identification
• Scope
• Assets
• Threats
• Existing Controls
• Vulnerabilities
• Impact

Risk Analysis: Risk Estimation
• Qualitative
• Quantitative

Risk Evaluation
• Risk Value vs Risk Acceptance Criteria
• Accept
• Mitigate
• Transfer
• Avoid

Page 53: OCTAVE

• Developed by SEI-CMU
• Most suited for assessing risks within organizational processes
• Emphasizes a workshop-based approach over a tool approach
• Built for large organizations, so interviews are broken across hierarchies and disciplines
• Pareto’s Principle: 80% of the effects come from 20% of the causes
• Its USP: Threat Profiling
• OMIG is available for free from CERT.org

Page 54: OCTAVE Risk Assessment Flow

PHASE I – Organizational View
• P1: Senior Management Knowledge
• P2: Operational Management Knowledge
• P3: Staff Knowledge
• P4: Threat Profiling
Key Outputs: Assets, Security Requirements, Areas of Concern, Vulnerabilities, Threats

PHASE II – Technological View
• P5: Identify Key Technology Components within a System of Interest
• P6: Evaluate Selected Components (Run a VA, Nipper Scan, run a DB review tool, etc.)
Key Outputs: Key Technological Assets and their vulnerabilities

PHASE III – Risk Analysis
• Conduct Risk Analysis
• Develop Protection Strategy
Key Outputs: Risks and Protection strategy

Page 55: III. Case Study: Implementing a NIST SP 800-30 RA

Page 56: NIST SP 800-30: A Little Background

• The Federal Information Security Management Act (FISMA) is an information security act for all federal bodies in the US
• FISMA requires NIST to develop and issue mandatory standards for all US federal agencies called FIPS – Federal Information Processing Standards
  – Eg. FIPS 140 talks about Cryptography requirements, FIPS 199 talks about classification of information
• Special Publications (SPs) are guidance documents developed by NIST to support FIPS.

Page 57: NIST SP 800-30: Concept of Risk

Diagram: Risk, determined by Likelihood of Occurrence and Level of Impact

Page 58: NIST SP 800-30: RA Milestones

I. Risk Framing
  I. Identify:
  • Purpose of RA
  • Scope and Assets
  • Assumptions and Constraints
  • Information Sources
  • Risk Model
  • Analysis Approach

II. Conduct the RA
  I. Identify:
  • Threat Source
  • Threat Event
  • Vulnerability & Pre-disposing Condition
  II. Calculate:
  • Likelihood
  • Impact
  • Risk Level
  III. Communicate

III. Maintain the RA
  I. Monitor Risk Factors
  II. Update the RA

Page 59: Case Study

• Read aloud the case study in the hand-outs issued to you.

Page 60: A Look at RPRT’s Key Personnel

• CEO – Jeff Antony
• COO and CTO – Anup Kumar
• Sonia Arora – Head, Project Delivery
• Rohit Kumar – Manager, IT Operations
• Manoj Krishna – Head, Physical Security Administration
• Priya Thomas – AVP, HR
• CISO – Philip Williams

Page 61: A Look at RPRT’s Key Technology Infra

• Servers: AD, AV, SCCM, DHCP
• Network Devices: Firewall, L3 Switch
• Desktops and Laptops

Page 62: A Look at RPRT’s Key Process Environments

Support Processes
• Server and desktop administration
• Network device administration
• Physical Security Management processes
• Personnel security processes

Client-facing Processes
• SDLC: Dev, Testing
• Production Support process

Page 63: Revisit the RA Milestones

I. Risk Framing
  I. Identify: Purpose of RA; Scope and Assets; Assumptions and Constraints; Information Sources; Risk Model; Analysis Approach

II. Conduct the RA
  II. Identify: Threat Source; Threat Event; Vulnerability & Pre-disposing Condition
  III. Calculate: Likelihood; Impact; Risk Level
  IV. Communicate

III. Maintain the RA
  V. Monitor Risk Factors
  VI. Update the RA

Page 64: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify: Purpose of RA, Scope, Assumptions and Constraints, Information Sources, Risk Model, Analysis Approach (this slide: Purpose of RA)

Factors to Consider:

i. Initial RA:
  • Purpose can be to identify current security posture
  • Purpose can be to capture the starting point (baseline) of risks in the current setup/new setup.

ii. Re-assessment:
  • Purpose can be to monitor risks as part of continuous RA
  • Purpose can be to evaluate risk
  • Purpose can be to perform controls testing
  • Purpose can be to capture new risks as the environment has undergone a significant change and update an existing RA report.

Page 65: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify (this slide: Scope and Assets)

Factors to Consider:

i. Organizational Applicability:
  • Business processes within the organization that are affected

ii. Effectiveness Time-frame:
  • Time-duration for which the RA findings are going to be relevant and can assist in risk based decisions

iii. Technological Considerations:
  • With segmentation (VLANs, firewalls, etc.), the in-scope network can be reduced.
  • In a flat network, the entire network is in scope.

Page 66: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify (this slide: Assumptions and Constraints)

Factors to Consider:

i. Consider all the stages of the risk assessment

ii. Clarify on the following:
  • The uncertainty surrounding the risk assessment findings
  • The constraints faced with regard to resources – time, team, etc.
  • Assumptions made with the sampling approach deployed (if any)
  • Assumptions made and limitations of a qualitative computation of risk

Page 67: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify (this slide: Information Sources)

Factors to Consider:

Consider the methods to be used in risk identification

i. People Risks
  • Interviews with relevant personnel
  • Review of records (eg. BGV records)
  • External Source: Previous employers

ii. Process Risks
  • Walkthrough of the process
  • Interviews with relevant personnel

iii. Technology Risks
  • Review of desktop hardening
  • Review of server config
  • Nipper scan of firewall configs
  • Vulnerability Assessments
  • External Source: Security advisories from CERT, SANS, etc.

Page 68: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify (this slide: Risk Model)

Factors to Consider:

Recall the earlier slides. Documentation of a risk model includes:
i. Identification of risk factors – ie threats, vulnerabilities and pre-disposing conditions, likelihood and impact
ii. Identification of the relationships between the above risk factors

Page 69: Milestone # I – Risk Framing

Diagram: I. Risk Framing – I. Identify (this slide: Analysis Approach)

Factors to Consider:

Recall the earlier slide:

Page 70: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – I. Identify: Threat Source, Threat Event, Vulnerability & Pre-disposing Condition; II. Calculate: Likelihood, Impact, Risk Level; III. Communicate (this slide: Threat Source)

Capture the following aspects:

i. Type of Threat Source
  • Adversarial
  • Non-adversarial

ii. Characteristics of Threat Source
  • Adversarial -> Capability, Intent, Targeting
  • Non-Adversarial -> Range of Effects (Sweeping, Extensive, Limited, Minimal, etc.)

iii. Overall Criticality Rating of Threat Source
  • Very High, High, Moderate, Low, Very Low

Page 71: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – I. Identify (this slide: Threat Event)

Factors to Consider:

i. Envision various ways through which the Threat Source can compromise the Asset and cause a Threat Event
ii. Study the entire lifecycle of the Asset to do so
iii. Think of internal and external links / physical and logical links from threat source to the asset

Page 72: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – I. Identify (this slide: Vulnerability & Pre-disposing Condition)

Factors to Consider:

i. Take existing controls into account when determining level of vulnerability.
ii. Think of internal and external entities that are a direct or indirect characteristic of the asset.

Eg. Glass is breakable, AC ducts can serve as escape tunnels, strong lights can glare out images on CCTV cameras, etc.

Page 73: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – II. Calculate (this slide: Likelihood)

Factors to Consider:

i. Be clear on the concept. A Threat Event occurring is not the same as a Threat Event causing an adverse impact.
ii. Likelihood of Occurrence implies the Likelihood that a Threat Event occurs/is initiated AND causes an adverse Impact
iii. Likelihood that a Threat Event occurs/is initiated depends on the Threat Source which causes the Threat Event
iv. Likelihood that a Threat Event causes an adverse Impact depends on the Level of Vulnerability that affects the exposure to the Threat Event

Page 74: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – II. Calculate (this slide: Impact)

Factors to Consider:

i. Consider the most valuable asset (in this case customer information) that will get compromised if the threat source exploits the vulnerability
ii. Impact = f(Asset Value, Level of Vulnerability)

Page 75: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – II. Calculate (this slide: Risk Level)

Factors to Consider:

i. Risk = f (Likelihood of Occurrence, Level of Impact)
ii. Recall the Risk Response definitions to decide whether to accept, mitigate, transfer or avoid a risk.
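A worked qualitative scoring pass, added here as an example and not part of the workshop material, that chains the deck's three relations: total asset value as the worst of the C/I/A impacts (the DB server slide, VH/VH/M → VH), Likelihood of Occurrence = f(likelihood of initiation, likelihood of adverse impact) (slides 38 and 73), and Risk = f(Likelihood of Occurrence, Level of Impact) (this slide). The two lookup tables are reproduced from memory of NIST SP 800-30 Rev. 1 Tables G-5 and I-2 and are an assumption to verify against the publication; the scenarios and the risk tolerance are constructed.

```python
"""Qualitative, NIST SP 800-30 style risk scoring as sketched across the deck:
    Asset Value = highest of the C, I, A impact ratings (VH, VH, M -> VH)
    Likelihood  = f(likelihood of threat event initiation, likelihood of adverse impact)
    Risk Level  = f(Likelihood of Occurrence, Level of Impact)
Added example, not from the workshop. ASSUMPTION: the two lookup tables below
are reproduced from memory of NIST SP 800-30 Rev. 1 Tables G-5 and I-2; check
them against the publication before using this for a real assessment."""
from dataclasses import dataclass

SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]
ABBREV = {"VL": "Very Low", "L": "Low", "M": "Moderate", "H": "High", "VH": "Very High"}

# Rows: likelihood the threat event is initiated (driven by the threat source).
# Columns: likelihood it causes adverse impact (driven by level of vulnerability).
OVERALL_LIKELIHOOD = [
    ["Very Low", "Very Low", "Low", "Low", "Low"],          # initiation Very Low
    ["Very Low", "Low", "Low", "Moderate", "Moderate"],     # initiation Low
    ["Low", "Low", "Moderate", "Moderate", "High"],         # initiation Moderate
    ["Low", "Moderate", "Moderate", "High", "Very High"],   # initiation High
    ["Low", "Moderate", "High", "Very High", "Very High"],  # initiation Very High
]

# Rows: overall likelihood of occurrence. Columns: level of impact.
RISK_LEVEL = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],     # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],          # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],    # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],   # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],   # likelihood Very High
]


def _idx(level: str) -> int:
    """Map a rating (full name or VL/L/M/H/VH) to its position on SCALE."""
    level = ABBREV.get(level, level)
    if level not in SCALE:
        raise ValueError(f"unknown rating {level!r}; expected one of {SCALE}")
    return SCALE.index(level)


def asset_value(c_impact: str, i_impact: str, a_impact: str) -> str:
    """Total asset value is the worst case of the three CIA impacts, which is
    how the asset slide reaches VH from VH / VH / M."""
    return SCALE[max(_idx(c_impact), _idx(i_impact), _idx(a_impact))]


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    return OVERALL_LIKELIHOOD[_idx(initiation)][_idx(adverse_impact)]


def risk_level(likelihood: str, impact: str) -> str:
    return RISK_LEVEL[_idx(likelihood)][_idx(impact)]


@dataclass(frozen=True)
class RiskScenario:
    threat_event: str
    likelihood_initiation: str      # from threat source capability, intent, targeting
    likelihood_adverse_impact: str  # from level of vulnerability after existing controls
    impact: str                     # from the value of the asset that gets compromised

    def score(self) -> str:
        lik = overall_likelihood(self.likelihood_initiation, self.likelihood_adverse_impact)
        return risk_level(lik, self.impact)


def response_for(level: str, tolerance: str) -> str:
    """Risk at or below the tolerance set during risk framing is accepted;
    anything above it needs a mitigate / transfer / avoid decision."""
    return "Accept" if _idx(level) <= _idx(tolerance) else "Mitigate / Transfer / Avoid"


if __name__ == "__main__":
    # Constructed scenarios modelled on the deck's threat-event examples.
    scenarios = [
        RiskScenario("Website defaced by a malicious outsider", "High", "Moderate", "High"),
        RiskScenario("Company data misused after laptop loss", "Moderate", "High",
                     asset_value("VH", "VH", "M")),
        RiskScenario("Earthquake damages the data centre", "Very Low", "Very High", "Very High"),
    ]
    for s in scenarios:
        lvl = s.score()
        print(f"{s.threat_event:42s} risk {lvl:9s} -> {response_for(lvl, 'Low')}")
```

The third scenario shows why slide 73 insists on the distinction: a Very High likelihood of adverse impact does not by itself make the risk high when the threat event is very unlikely to occur at all.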

Page 76: Milestone # II – Conduct the RA

Diagram: II. Conduct the RA – III. Communicate (this slide)

Factors to Consider:

i. Discuss with senior management
ii. Ensure the message percolates down to the grass-root level

Page 77: Milestone # III – Maintain the RA

Diagram: III. Maintain the RA – V. Monitor Risk Factors; VI. Update the RA

Factors to Consider:

i. Concept of continuous risk assessment
ii. Link RA with multiple sources – eg. Threat advisories from SANS, NIST, CERT, Microsoft patch updates, Quarterly VA scans, data discovery scans, end-point compliance reports, external audit findings
iii. Update the RA Report

Page 78: Stay in Touch

Email: [email protected]@gmail.com

Thank You