Group 1: Jason Zeigler, Cherelyn Green, Brian Eddy, Aaron Phillips

Posted 15-Dec-2015

TRANSCRIPT

Page 1: Group 1 - Jason Zeigler, Cherelyn Green, Brian Eddy, Aaron Phillips

Page 2: Introduction

Objectives:
• Use risk assessment methods to estimate security investments.
• Categorize risks in the Risk Assessment Cube.
• Calculate an expected loss.
• Optimize return on investment for security.
• Create a complete organizational profile.

Page 3: Importance of Risk Assessment

• What is Risk Assessment?
  - A step in the risk management process that identifies risk factors in order to avoid incidents.
• Gets the attention of management officials.
• A basic requirement of ISO 17799.
  - ISO 17799 is an international standard for best practices in information security.

Page 4: Importance of Risk Assessment

• Raises the status of information security budgets.
  - Funding is difficult to get (competing business priorities).
  - Applies risk management techniques to IT investments (expensive servers, software, etc.).

Page 5: Importance of Risk Assessment

• Assess the expected average cost of a loss.
  - The expected value concept helps make decisions about the financial impact of an outcome (theft of trade secrets, network intrusion).
• Expected Cost - A model used to assess and justify investments in digital security.
• Marginal Cost - Estimates how much to invest in each additional safeguard.

Page 6: Risk Assessment Cube

• A cube that provides structure for categorizing risks along three dimensions:
  1) Probability of an incident (0%-100%, rare to common)
  2) Severity of the outcome or loss (direct and indirect financial impacts, ranging from low to high)
  3) Duration of impact (from incidents that are contained to those that extend over time)
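The cube is easier to use once each axis is split into bands and every risk is mapped to a cell. The following Python is an added example, not part of the original slides: it bands the three dimensions, places a list of risks in the cube, and orders them. The band thresholds, the priority heuristic (sum of band indices) and the four sample risks are assumptions made for illustration; an organization sets its own.

```python
# Added example (not from the original slides): placing a list of risks in
# the three-dimensional Risk Assessment Cube described on this slide.
# The band thresholds, the priority heuristic and the sample risks are
# assumptions made for illustration; an organization sets its own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float     # probability of the incident in the period (0.0 - 1.0)
    severity: float        # direct + indirect financial impact of one incident, dollars
    duration_days: float   # how long the impact persists


# Each axis is split into three bands: (upper bound, label), ascending.
PROB_BANDS = ((0.10, "rare"), (0.50, "occasional"), (1.01, "common"))
SEV_BANDS = ((50_000, "low"), (500_000, "medium"), (float("inf"), "high"))
DUR_BANDS = ((1, "contained"), (30, "extended"), (float("inf"), "prolonged"))


def band(value, bands):
    """Return (index, label) of the first band whose upper bound exceeds value."""
    for index, (upper, label) in enumerate(bands):
        if value < upper:
            return index, label
    return len(bands) - 1, bands[-1][1]


def cube_cell(risk):
    """Map a risk to its (probability, severity, duration) cell of the cube."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    return (band(risk.probability, PROB_BANDS)[1],
            band(risk.severity, SEV_BANDS)[1],
            band(risk.duration_days, DUR_BANDS)[1])


def priority_score(risk):
    """Assumed heuristic: sum of the band indices, so common/high/prolonged scores 6."""
    return (band(risk.probability, PROB_BANDS)[0]
            + band(risk.severity, SEV_BANDS)[0]
            + band(risk.duration_days, DUR_BANDS)[0])


def categorize(risks):
    """Group risk names by cube cell so the crowded, high-scoring cells stand out."""
    cells = {}
    for r in risks:
        cells.setdefault(cube_cell(r), []).append(r.name)
    return cells


def prioritize(risks):
    """Risk names ordered from the cell needing most attention to the least."""
    return [r.name for r in sorted(risks, key=priority_score, reverse=True)]


# Constructed sample risks for one fictional company.
SAMPLE_RISKS = [
    Risk("phishing credential theft", 0.80, 20_000, 2),
    Risk("ransomware on file servers", 0.15, 900_000, 45),
    Risk("customer database exfiltration", 0.05, 2_000_000, 365),
    Risk("web storefront denial of service", 0.60, 120_000, 0.5),
]

if __name__ == "__main__":
    for cell, names in categorize(SAMPLE_RISKS).items():
        print(cell, "->", ", ".join(names))
    print("priority:", prioritize(SAMPLE_RISKS))
```

The probability check matters in practice: survey figures are often quoted as percentages, and a value such as 80 instead of 0.80 would silently land every risk in the "common" band.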

Page 7: EXPECTED LOSS VALUE ESTIMATIONS

Page 8: Expected Loss Computation

• The expected value of either a gain or a loss is used extensively to evaluate the consequences of business decisions during a particular time segment, usually one year.
• Expected loss = (Amount of loss) * (Probability of loss)
• Two incidents on pg. 68
• A benefit of the expected loss method is the ability to standardize the costs of incidents for comparison purposes.
• Businesses commonly apply this expectation principle when they invest in door locks, alarm systems, and safety devices to protect against loss from break-in, fire, casualty, and legal liability.

Page 9: Marginal Cost-Benefit Analysis - An Application of Expected Value

• The issue of industry standards and defenses against negligence was addressed by Judge Learned Hand in 1947. In United States v. Carroll Towing Co. (2d Cir. 1947) he outlined a standard for negligence and liability based on the economic model of marginal cost-benefit analysis.
• Under this marginal analysis, the firm is negligent if and only if it failed to adopt a safeguard whose marginal cost was less than its marginal benefit (the expected loss it would have prevented). Safeguards that cost more than the expected loss they avert are not required.
• The expected value method is used to calculate the expected costs and benefits:
  - Expected cost or benefit = (Probability of a security breach) * (Avg. expected loss or benefit)
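The expected-loss formula from the previous slide and the marginal test from this one fit together in a few lines. The following Python is an added example, not part of the original slides or of the textbook: it computes expected loss per incident, applies the Hand comparison (cost of a safeguard against the expected loss it prevents) to each candidate safeguard, and then chooses safeguards marginally, re-computing the remaining probability after each one is adopted. The incidents, safeguards and dollar figures are constructed for illustration, and modelling a safeguard as a fixed reduction in incident probability is an assumption.

```python
# Added example (not from the original slides): the expected-loss formula from
# the previous slide and Learned Hand's marginal test from this one, applied
# to candidate safeguards. The incidents, safeguards and dollar figures are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    name: str
    loss: float          # average loss per occurrence (L), dollars
    probability: float   # probability of occurrence in the period (P), one year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float            # burden of the precaution (B), dollars per year
    incident: str                 # name of the incident it addresses
    probability_reduction: float  # assumed absolute reduction in that incident's probability


def expected_loss(loss, probability):
    """Expected loss = (amount of loss) * (probability of loss)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return loss * probability


def total_expected_loss(incidents):
    """Sum over incidents: the standardized annual cost of doing nothing."""
    return sum(expected_loss(i.loss, i.probability) for i in incidents)


def marginal_benefit(safeguard, incidents):
    """Expected loss avoided by adding this safeguard to the current situation."""
    target = next(i for i in incidents if i.name == safeguard.incident)
    reduced = max(0.0, target.probability - safeguard.probability_reduction)
    return expected_loss(target.loss, target.probability) - expected_loss(target.loss, reduced)


def hand_rule_requires(safeguard, incidents):
    """Hand formula: the precaution is required when B < P * L, i.e. when its
    cost is less than the expected loss it would prevent."""
    return safeguard.annual_cost < marginal_benefit(safeguard, incidents)


def choose_safeguards(safeguards, incidents):
    """Greedy marginal analysis: repeatedly add the safeguard with the largest
    positive net benefit, re-computing probabilities after each addition so
    each decision is marginal to what has already been adopted."""
    current = {i.name: i for i in incidents}
    remaining = list(safeguards)
    chosen = []
    while remaining:
        best, best_net = None, 0.0
        for s in remaining:
            net = marginal_benefit(s, current.values()) - s.annual_cost
            if net > best_net:
                best, best_net = s, net
        if best is None:        # nothing left pays for itself at the margin
            break
        chosen.append(best.name)
        remaining.remove(best)
        t = current[best.incident]
        current[best.incident] = Incident(
            t.name, t.loss, max(0.0, t.probability - best.probability_reduction))
    return chosen


# Constructed figures for a fictional firm.
INCIDENTS = [
    Incident("theft of trade secrets", 1_500_000, 0.02),
    Incident("network intrusion", 200_000, 0.25),
]
SAFEGUARDS = [
    Safeguard("DLP on engineering file shares", 40_000, "theft of trade secrets", 0.01),
    Safeguard("network segmentation plus IDS", 25_000, "network intrusion", 0.15),
    Safeguard("24x7 managed SOC", 120_000, "network intrusion", 0.22),
]

if __name__ == "__main__":
    print("expected loss, no safeguards:", total_expected_loss(INCIDENTS))
    for s in SAFEGUARDS:
        print(f"{s.name}: B={s.annual_cost} benefit={marginal_benefit(s, INCIDENTS):.0f} "
              f"required={hand_rule_requires(s, INCIDENTS)}")
    print("adopt:", choose_safeguards(SAFEGUARDS, INCIDENTS))
```

Note the order of operations in choose_safeguards: the managed SOC looks attractive against the original 25% intrusion probability, but once segmentation has cut that probability it no longer avoids enough expected loss to cover its cost, which is exactly the point of evaluating each safeguard at the margin rather than against the untreated baseline.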

Page 10: Balancing Expected Loss with the Cost of Security Defenses

• Expected losses from an incident can be a benchmark for investments in defenses against them. There are several standard methods for managing business risk.
• Three common approaches:
  - Mitigate the loss by implementing preventative measures.
  - Transfer the risk to another party by outsourcing the secure management of a network, mission-critical databases, or an e-commerce application.
  - Transfer the remaining risk using insurance.

Page 11: CHALLENGES IN ESTIMATING LOSS OF DIGITAL ASSETS

Page 12: Intangible Assets

• Digital assets are intangible, so their value may only become fully understood in the actual event of loss.
• Example: one of the most valuable business assets is the information maintained in the customer database.

Page 13: Replication Increases Exposure and Probability of a Loss

• Physical assets tend to exist in only one place and therefore need to be protected in only one instance.
• Ironically, one of the ways to protect digital assets is to retain multiple backup copies, and every copy is another instance that must be protected.
• The adoption of client-server and distributed computing architectures has created an environment in which documents are stored on many networked devices.

Page 14: Outsourcing Places Data and Documents Out of Control

• If business operations are outsourced or conducted in cooperation with a business partner, valuable information often must reside on networks that lie outside of organizational control.
• This creates a situation in which one is reliant on the efforts of that partner to protect the shared asset. This practice is very widespread.

Page 15: Knowledge Assets are Difficult to Replace

• Digital assets may have direct monetary value, like a bank account balance, or indirect value derived from their associated knowledge or goodwill.
• The information most commonly resident on computers and networks is structured data, expressed as numbers with defined attributes (Figure 5.4, pg. 71).
• It is now common to capture and store unstructured information through what is known as Knowledge Management (KM).
• KM assets are much harder to identify, inventory, and replace if lost.

Page 16: Mission-Critical Software Applications

• Beyond data and knowledge, customized software can have significant value.
• If a business has made a major investment in a proprietary customer contact application, that asset is exposed in two ways:
  - It provides a competitive advantage.
  - An employee or hacker could disable it.
• Therefore, such an asset has value not only from the point of view of development costs but also from the expected loss of revenue if it were sabotaged.

Page 17: Denial of Service Risk

• Often the most direct economic impact of a digital attack is the significant loss of productivity that can result from even the more "benign" forms of malware.
• Worms like Code Red did not actually destroy data; rather, they paralyzed networks and services through self-replication, creating enormous network "traffic jams" that made it impossible for legitimate traffic to get through.

Page 18: Valuation of Digital Assets and Risks

Page 19: Valuation of Digital Assets and Risks

• There are two main ways to assign economic value to digital assets: impact on revenue and loss prevention.
• Software Assets - The main risk is not the loss of the software but the loss of its use while it is restored. For a revenue-generating website, the potential loss is estimated by tracking the average revenue generated per hour and multiplying that average by the downtime. Other software products are designed to enhance productivity; their expected loss is calculated from the percentage of productivity increase they provide, applied over the downtime.
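The two valuation methods on this slide, worked through in Python as an added example that is not part of the original slides. It implements the average-revenue-per-hour times downtime estimate and the productivity-increase estimate, and goes one step beyond the slide by also summing the revenue of the specific hours an outage covers, since an outage at peak hours costs far more than the flat average suggests. The hourly revenue profile, labor figures, outage windows and the choice to value a productivity gain by the labor cost it saves are all constructed assumptions.

```python
# Added example (not from the original slides): estimating the loss of usage
# described on this slide for a revenue-generating website and for a
# productivity tool. The hourly revenue profile, labor figures and outage
# windows are constructed; the profiled estimate goes beyond the slide by
# comparing the flat average-per-hour figure with the revenue of the hours
# an outage actually covers.

# Constructed revenue per hour of day (index 0 = midnight), dollars.
HOURLY_REVENUE = [200, 150, 120, 100, 100, 150, 300, 600, 900, 1200, 1400, 1500,
                  1400, 1300, 1300, 1200, 1000, 800, 700, 600, 500, 400, 300, 250]


def average_hourly_revenue(profile):
    return sum(profile) / len(profile)


def flat_downtime_loss(profile, downtime_hours):
    """The slide's method: average revenue per hour times downtime."""
    return average_hourly_revenue(profile) * downtime_hours


def profiled_downtime_loss(profile, start_hour, downtime_hours):
    """Revenue of the hours the outage actually covers, wrapping past midnight
    and pro-rating a partial final hour."""
    if downtime_hours < 0:
        raise ValueError("downtime cannot be negative")
    loss, remaining, hour = 0.0, downtime_hours, start_hour
    while remaining > 0:
        fraction = min(1.0, remaining)
        loss += profile[hour % len(profile)] * fraction
        remaining -= fraction
        hour += 1
    return loss


def productivity_tool_loss(users, hourly_labor_cost, productivity_gain, downtime_hours):
    """The slide's method for productivity software: the productivity increase
    the tool provides, applied over the downtime. The gain is valued here
    (assumption) by the labor cost it saves."""
    return users * hourly_labor_cost * productivity_gain * downtime_hours


def annual_expected_downtime_loss(loss_per_outage, outages_per_year):
    """Feed the per-outage loss into the expected-loss formula."""
    return loss_per_outage * outages_per_year


if __name__ == "__main__":
    print("flat estimate, 4h:", flat_downtime_loss(HOURLY_REVENUE, 4))
    print("4h outage starting 10:00:", profiled_downtime_loss(HOURLY_REVENUE, 10, 4))
    print("4h outage starting 01:00:", profiled_downtime_loss(HOURLY_REVENUE, 1, 4))
    print("CRM down 4h for 200 users:", productivity_tool_loss(200, 60, 0.15, 4))
```

With this constructed profile, a four-hour outage costs 2745 by the flat method but 5600 if it starts at 10:00 and only 470 if it starts at 01:00, so the flat average is a reasonable budgeting figure only when outages are equally likely at any hour.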

Page 20: Digital Assets, cont.

• Knowledge Assets - It is the unique knowledge and data within an organization that creates value at risk. The danger lies in what the attackers do with the information, which may include trade secrets, customer lists, or sensitive partner data. The knowledge may be used by competitors or as the basis for litigation.
• Goodwill - Goodwill is the accumulation of knowledge, experience, public image, and the body of customer relationships the firm has developed over its lifetime. The more reliant the firm is on technology to manage its knowledge and face its markets, the more vulnerable goodwill is to digital assault. Goodwill is important for customer peace of mind, so it should figure into the DLM investment model.

Page 21: Sources of Information for Risk Estimations

• Research and consulting organizations - Bodies such as CSI, the FBI, and CERT release reports and surveys with detailed breakdowns of industries, types of attack, magnitude of loss, and other important information.
• InfraGard - An alliance of the public and private sectors formed by the FBI to share knowledge and coordinate defenses against cyber terror.

Page 22: Sources of Information for Risk Estimations

• Technical tools - Firewalls, intrusion detection technology, and network administration tools keep detailed logs of activity. Analysis of these logs can provide insight into the frequency and nature of attacks.
• Business partners and industry groups - Business partners may provide their experience and expertise in an attempt to coordinate security around common data and processes.
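The log analysis the first bullet describes is the one source of the probability term that an organization fully controls. The following Python is an added example, not part of the original slides: it parses a handful of alert lines, counts them by signature, scales the counts to an annual attempt rate over the observation window, and converts a rate into the probability of at least one successful incident in a year. The log format, the log lines themselves, the Poisson treatment and the assumed success fraction are constructed assumptions; real firewalls and IDS sensors use their own formats.

```python
# Added example (not from the original slides): turning firewall/IDS log lines
# into an attack-frequency estimate for the probability term of the
# expected-loss formula. The log format, the log lines and the success
# fraction are constructed assumptions; real sensors use their own formats.
import math
import re
from collections import Counter
from datetime import datetime

# Constructed alert lines in an assumed "<timestamp> <sensor> alert k=v ..." format.
SAMPLE_LOG = """\
2015-11-01T03:14:07Z ids alert sig=ssh-bruteforce src=203.0.113.45 dst=10.0.0.5
2015-11-01T09:22:51Z waf alert sig=sqli-attempt src=198.51.100.7 dst=10.0.0.20
2015-11-03T23:40:12Z ids alert sig=ssh-bruteforce src=203.0.113.45 dst=10.0.0.5
2015-11-05T11:05:33Z waf alert sig=sqli-attempt src=192.0.2.88 dst=10.0.0.20
2015-11-07T01:58:44Z ids alert sig=port-scan src=203.0.113.200 dst=10.0.0.1
2015-11-10T14:17:09Z ids alert sig=ssh-bruteforce src=198.51.100.33 dst=10.0.0.5
2015-11-10 this line is malformed and must be skipped, not crash the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<sensor>\S+) alert "
    r"sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse_alerts(log_text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def counts_by_signature(events):
    return Counter(e["sig"] for e in events)


def observation_days(events):
    """Calendar days from first to last event, inclusive (0 if no events)."""
    if not events:
        return 0
    days = [e["ts"].date() for e in events]
    return (max(days) - min(days)).days + 1


def annualized_rate(count, days):
    """Scale an observed count over `days` to an expected count per year."""
    if days <= 0:
        raise ValueError("need at least one observation day")
    return count * 365 / days


def annual_probability(attempts_per_year, success_fraction=1.0):
    """P(at least one successful incident in a year), treating successes as a
    Poisson process with rate attempts * success_fraction (assumption)."""
    return 1.0 - math.exp(-attempts_per_year * success_fraction)


def frequency_report(log_text):
    """Signature -> annualized attempt rate over the window the log covers."""
    events = parse_alerts(log_text)
    days = observation_days(events)
    return {sig: annualized_rate(n, days) for sig, n in counts_by_signature(events).items()}


if __name__ == "__main__":
    rates = frequency_report(SAMPLE_LOG)
    for sig, rate in rates.items():
        print(f"{sig}: {rate:.1f} attempts/year")
    # Assumed 1-in-1000 success fraction for brute force: the P for the expected-loss formula.
    print("P(ssh compromise this year):", round(annual_probability(rates["ssh-bruteforce"], 0.001), 4))
```

Two cautions when using this for real: an attempt rate straight from the logs is not a breach probability (annual_probability of 109.5 attempts per year with no success fraction is effectively 1.0), so the success fraction has to come from the organization's own history or from the survey sources on the previous slide; and ten days of logs is a short window, so the annualized figure should be refreshed as the window grows.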

Page 23: Symantec's Internet Security Threat Report

• According to Symantec's Internet Security Threat Report, banking and utilities are the most at-risk sectors for attack by malicious code. Both industries have the finances to protect their systems, and the most to lose if they don't.
• Symantec recorded an average of 987 attacks per company in the power and energy sector; nonprofit organizations had an average of 869 attacks per company; telecoms had 845; high-tech had 753; banking and finance had 689.
• In terms of severity, the top three were power and energy, banking and finance, and nonprofit.

Page 24: Overall Risk Evaluation

Page 25: Overall Risk Evaluation

• Assess the current situation
  - Digital Liability Model
    • People, process, and security policies vs. technology
    • Key to success
• Policy and process perspective
  - The effectiveness of the policy and auditing tools for managing and mitigating risk needs to be tested. All policy documents related to information security, such as the AUP, should be examined for completeness, clarity, and compliance as part of the audit. Audit results can make the policy far more defensible if it becomes evidence in a legal action. Other policies usually included pertain to privacy, outsourcing of processes that involve sensitive data, password maintenance, and remote access to company networks.
  - Testing awareness
    • Gauges the effectiveness of current training and documentation efforts
    • Strong policies combined with weak readers = viruses

Page 26: Overall Risk Evaluation

• Organizational perspective
  - Assigning responsibility for DLM-related issues is also part of the picture. This can be a problem in larger firms where the responsibility has become fragmented. It is not uncommon to have a network administrator and a network security administrator, with the latter reporting to the former. This aligns well operationally, but weakens DLM responsibilities.
  - Regardless of whether responsibility for network security and physical security is combined in the organization, the two are interrelated and should be assessed together.
  - Example: Microsoft servers, pg. 77 (gray area).

Page 27: Overall Risk Evaluation

• Audits with trading partners and customers
  - If business operations demand network connections to partners and customers, then their levels of information security are equally important. Some larger concerns may require and subsidize an audit and enhancements to the security infrastructure to meet their standards.
  - A proper assessment can only come with a complete audit of the current security infrastructure by a reputable and qualified third party. So why the third party?
  - Some companies stage an unannounced attack using known hacker methods or white hat hackers hired for the purpose. White hat hackers are ethical hackers who search for weaknesses in computer systems or business applications. The test may include the introduction of malware, such as backdoors or benign viruses, to check whether the defensive technology detects it.

Page 28: Summary

• Security needs to be managed.
• Security programs are underfunded because most enterprises do not know what they have to lose and do not appreciate all the ways they can lose it.
• The key is to properly identify and quantify all value at risk by creating a risk exposure profile.
• A justifiable DLM budget can be built on the basis of an estimate of loss.
• Awareness on the part of IT people can optimize the return on security investments.
• Overall security depends on balancing cost and risk through the appropriate use of both technology and policy.

Page 29: QUESTIONS??