Performing a Cyber Security Risk Assessment

Cyber Security Workshop. Performing a Cyber Security Risk Assessment: Why? When? and How? National Webcast Initiative, August 26, 2004, 3:00pm – 4:00pm Eastern


DESCRIPTION

National Webcast Initiative. Performing a Cyber Security Risk Assessment: Why? When? and How? Cyber Security Workshop, August 26, 2004, 3:00pm – 4:00pm Eastern. Joint Partnership between MS-ISAC and DHS US-CERT. PowerPoint presentation.

TRANSCRIPT

Page 1: Performing a Cyber Security  Risk Assessment

Cyber Security Workshop

Performing a Cyber Security Risk Assessment

Why? When? and How?

National Webcast Initiative

August 26, 2004

3:00pm – 4:00pm Eastern

Page 2: Performing a Cyber Security  Risk Assessment

Joint Partnership between MS-ISAC and DHS US-CERT

Coordinated through the New York State Office of Cyber Security and Critical Infrastructure Coordination and the New York State Forum

William F. Pelgrin

National Webcast Initiative

Page 3: Performing a Cyber Security  Risk Assessment

Webcast Attendees

• 94 Federal Government
• 491 State Government
• 117 Local Government
• 145 Academia, non-profit

Page 4: Performing a Cyber Security  Risk Assessment

Current Listing of Vendors Interested In Participation

Accenture, AT&T, Aon, Computer Associates, CDW-G, CGI, CMA, D&D Consulting, Ernst & Young, Gartner, HP, IIC, Jay Dee Systems, Keane, Microsoft, Nortel Networks, Novell, NYSTEC, Oracle, SAIC, SAS, Sybase, Symantec, Veritas

This listing will continue to evolve over time

Page 5: Performing a Cyber Security  Risk Assessment

Today’s Speakers

Introduction and Opening Remarks (3:00pm-3:15pm)
• William Pelgrin, Chair of the Multi-State ISAC; Director, New York State Office of Cyber Security and Critical Infrastructure Coordination
• Lawrence C. Hale, Deputy Director, National Cyber Security Division, US CERT, Department of Homeland Security

Performing a Cyber Security Risk Assessment (3:15pm-4:00pm)
• Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young
• Rick Trapp, Vice President, Product Management, Computer Associates

Page 6: Performing a Cyber Security  Risk Assessment

US-CERT

US-CERT was established in September 2003 and is the operational arm of the National Cyber Security Division at the Department of Homeland Security.

US-CERT is the nation’s focal point for preventing, protecting against, and responding to cyber security threats and vulnerabilities. US-CERT interacts with all federal agencies, private industry, the research community, state and local governments, and others on a 24x7 basis to disseminate timely and actionable cyber security information.

Page 7: Performing a Cyber Security  Risk Assessment

US-CERT and the Multi-State ISAC are working together on a number of programs, including this webcast series, to help enhance our Nation’s cyber security readiness and response.

The Multi-State ISAC has recently become a member of the HSIN/US-CERT portal, which provides a secure mechanism for sharing information between and among partners, improving cyber preparedness, readiness and response capabilities.

US-CERT also hosts a public website, at www.us-cert.gov, which provides a wealth of information regarding cyber security – helpful tips for protecting against cyber security threats; cyber security alerts and bulletins, as well as the ability to sign up to receive free cyber security alerts via email.

US-CERT

Page 8: Performing a Cyber Security  Risk Assessment

Graeme Payne, CA, CISSP, CISM, CISA; Partner, Security & Technology Solutions, Ernst & Young

Rick Trapp, Vice President, Product Management, Computer Associates

Page 9: Performing a Cyber Security  Risk Assessment

Today’s Objectives

• Identify reasons for performing a CyberSecurity Risk Assessment
• Identify key components of a CyberSecurity Risk Assessment
• Understand considerations in performing a CyberSecurity Risk Assessment

Page 10: Performing a Cyber Security  Risk Assessment

Today’s Agenda

• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to perform a CyberSecurity Risk Assessment?
• How to perform a CyberSecurity Risk Assessment
• Q&A

Page 11: Performing a Cyber Security  Risk Assessment

Developing a Common Language

Page 12: Performing a Cyber Security  Risk Assessment

What is a Risk Assessment?

Source: GAO/AIMD-00-33

Page 13: Performing a Cyber Security  Risk Assessment

Definitions

Refer: Glossary of Terms

Page 14: Performing a Cyber Security  Risk Assessment

Slide diagram labels: Partners, Customers, Contractors, Hackers, Malware, Spam

Page 15: Performing a Cyber Security  Risk Assessment

Why Perform CyberSecurity Risk Assessments?

Page 16: Performing a Cyber Security  Risk Assessment

The Need for CyberSecurity Risk Assessments

• Reported vulnerabilities rose from 417 in 1999 to 3,784 in 2003 (CERT Coordination Center)
• 2004 CSI/FBI Computer Crime and Security Survey respondents reported nearly $142 million in total losses as a result of computer security incidents

Helpful Hint

Page 17: Performing a Cyber Security  Risk Assessment

Objectives of a CyberSecurity Risk Assessment

• Baseline
  • Where am I today?
  • What controls do I have in place?
• Evaluate effectiveness of security controls
  • Where do I want to be?
  • Identify gaps or opportunities for improvement
• Establish awareness of threats and vulnerabilities
• Lay foundation for development of security improvement plan

Page 18: Performing a Cyber Security  Risk Assessment

When to Perform a CyberSecurity Risk Assessment

Page 19: Performing a Cyber Security  Risk Assessment

When to Perform

• Periodic
  • Often event driven
  • Typically year-over-year comparison
  • Generally labor-intensive
  • Most organizations start with periodic assessments
• Continuous
  • Part of the normal workflow
  • Provides “real-time” risk view
  • Often supported by technology and analysis tools
  • Integrated with other IT/business processes

Helpful Hint

Page 20: Performing a Cyber Security  Risk Assessment

How to Perform a CyberSecurity Risk Assessment

Page 21: Performing a Cyber Security  Risk Assessment

Key Steps

1. Define the objectives
2. Define deliverables
3. Establish workplan
4. Perform assessment
5. Review results and develop risk mitigation plans
6. Plan next assessment (steps 1-5)

Page 22: Performing a Cyber Security  Risk Assessment

1. Define the Objectives

Consideration / Examples

Scope of assessment
• High level: identify gaps in policies and practices
• Detailed: identify risks for specific assets

Standards to be applied
• ISO17799
• HIPAA, GLBA
• NIST

Coverage
• Comprehensive
• Representative sample

Helpful Hint

Page 23: Performing a Cyber Security  Risk Assessment

2. Determine the Deliverables

Consideration / Examples

Intended audience
• Executive: business impact
• Operational: technical focus

Format
• Technical Report
• Summary Presentation
• Risk Database

Distribution
• Internal
• External: consider sensitivity

Page 24: Performing a Cyber Security  Risk Assessment

3. Establish the Workplan

Consideration / Examples

Documents to be reviewed
• Policies, standards, procedures
• System configuration
• Application design standards

Interviews
• Executive management
• Operations
• Business units
• 3rd Parties

Technical procedures
• Asset discovery and valuation
• Threat analysis
• Vulnerability analysis

Helpful Hint

Page 25: Performing a Cyber Security  Risk Assessment

3. Establish the Workplan (cont’d)

Consideration / Examples

Assessment tools
• Asset inventory
• Configuration validation
• Vulnerability assessment
• Penetration testing
• Password auditing
• Process modeling
• Documentation tools

Resources
• Internal
• External

Helpful Hint

Page 26: Performing a Cyber Security  Risk Assessment

4. Perform the Risk Assessment

Activities / Example Worksteps

Characterize System/Area
• Interview system owner
• Review system documents

Identify Threats
• Use threat checklist
• Review external sources

Identify Vulnerabilities
• Review vulnerability sources
• Perform security testing

Identify Controls
• Review security requirements checklist
• Review system documents

Assess Risk
• Prepare likelihood/impact matrix

Page 27: Performing a Cyber Security  Risk Assessment

5. Review Results and Develop Mitigation Plans

Page 28: Performing a Cyber Security  Risk Assessment

5. Review Results and Develop Mitigation Plans (cont’d)

Risk Treatments / Examples

Accept the risk
• Trust employees to “do right thing”
• X% downtime

Reduce impact of the risk
• Implement controls
• Add resilience

Avoid the risk
• Shut down system or unit
• Cancel contract

Transfer the risk
• Purchase insurance
• Outsource
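The "Assess Risk" workstep on the page 26 slide (prepare a likelihood/impact matrix) and the four risk treatments on this slide are the two places where the deck's process turns into something mechanical. The following is an added example, not code from the webcast or its presenters: a small risk register where each row carries the system, threat, vulnerability and existing controls gathered in the earlier worksteps, a qualitative likelihood/impact matrix that rates each row, a sort that surfaces the high-risk areas for the detailed assessments in the "Next Steps" slide, and a decision rule that maps a rated risk to Accept, Reduce, Avoid or Transfer. The matrix cell values, the decision rule and the sample systems are all assumptions constructed for the example; an organization sets its own.

```python
"""Likelihood/impact risk matrix and treatment selection (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# (likelihood, impact) -> risk rating. The cell values are an assumption for
# this example; each organization defines its own matrix.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): "Low",
    (Level.LOW, Level.MEDIUM): "Low",
    (Level.LOW, Level.HIGH): "Medium",
    (Level.MEDIUM, Level.LOW): "Low",
    (Level.MEDIUM, Level.MEDIUM): "Medium",
    (Level.MEDIUM, Level.HIGH): "High",
    (Level.HIGH, Level.LOW): "Medium",
    (Level.HIGH, Level.MEDIUM): "High",
    (Level.HIGH, Level.HIGH): "High",
}
RATING_ORDER = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Risk:
    """One row of the register: system, threat, vulnerability, controls."""
    system: str
    threat: str
    vulnerability: str
    existing_controls: list[str] = field(default_factory=list)
    likelihood: Level = Level.MEDIUM
    impact: Level = Level.MEDIUM
    candidate_controls: list[str] = field(default_factory=list)
    transferable: bool = False  # insurable, or a candidate for outsourcing

    def rating(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]


def build_register(risks):
    """Highest-rated risks first, so the review starts with high-risk areas."""
    return sorted(
        risks,
        key=lambda r: (RATING_ORDER[r.rating()], int(r.likelihood), int(r.impact)),
        reverse=True,
    )


def high_risk_areas(risks):
    """Systems carrying at least one High risk: input to detailed assessments."""
    return sorted({r.system for r in risks if r.rating() == "High"})


def suggest_treatment(risk):
    """Map a rated risk to one of the four treatments on the slide.
    The rule (assumed for the example): Low risks are accepted; if a control
    is available the risk is reduced; otherwise transfer if possible, else avoid."""
    if risk.rating() == "Low":
        return "Accept"
    if risk.candidate_controls:
        return "Reduce"
    if risk.transferable:
        return "Transfer"
    return "Avoid"


def matrix_counts(risks):
    """Number of risks in each (likelihood, impact) cell."""
    return Counter((r.likelihood, r.impact) for r in risks)


def render_matrix(risks):
    """Text grid of the matrix for a summary presentation; rows are likelihood."""
    counts = matrix_counts(risks)
    lines = ["likelihood \\ impact | " + " | ".join(f"{lvl.name:>6}" for lvl in Level)]
    for lik in reversed(Level):
        row = " | ".join(f"{counts.get((lik, imp), 0):>6}" for imp in Level)
        lines.append(f"{lik.name:>19} | {row}")
    return "\n".join(lines)


# Constructed sample register; the systems and findings are illustrative only.
SAMPLE_RISKS = [
    Risk("Payroll server", "External attacker", "Unpatched web front end",
         existing_controls=["Firewall"], likelihood=Level.HIGH, impact=Level.HIGH,
         candidate_controls=["Patch management", "Web application firewall"]),
    Risk("Public website", "Malware", "No content integrity monitoring",
         likelihood=Level.MEDIUM, impact=Level.LOW,
         candidate_controls=["File integrity monitoring"]),
    Risk("Mail gateway", "Spam", "Open relay misconfiguration",
         likelihood=Level.HIGH, impact=Level.MEDIUM, candidate_controls=["Disable relay"]),
    Risk("Legacy modem pool", "Hackers", "Unmonitored dial-in access",
         likelihood=Level.MEDIUM, impact=Level.HIGH),  # no control, not transferable
    Risk("Data center", "Power outage", "Single utility feed",
         likelihood=Level.LOW, impact=Level.HIGH, transferable=True),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        print(f"{r.rating():6} {r.system:18} {r.threat:18} -> {suggest_treatment(r)}")
    print(render_matrix(SAMPLE_RISKS))
    print("High risk areas:", high_risk_areas(SAMPLE_RISKS))
```

The register keeps both existing and candidate controls on the row, which is what makes the "Reduce" decision checkable later: a mitigation plan is a candidate control moving into the existing list, and the next periodic assessment (step 6 on the Key Steps slide) re-rates the row against it.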

Page 29: Performing a Cyber Security  Risk Assessment

Next Steps

1. Perform High-Level Risk Assessment
2. Identify High Risk Areas
3. Perform Detailed Risk Assessments
4. Integrate Risk Assessment into Other Processes
5. Design and Implement Mitigation Plans

Helpful Hint

Page 30: Performing a Cyber Security  Risk Assessment

Questions?

Page 31: Performing a Cyber Security  Risk Assessment

Summary

• Developing a Common Language
• Why Perform Cyber Security Assessments?
• When to perform a CyberSecurity Risk Assessment?
• How to perform a CyberSecurity Risk Assessment

Page 32: Performing a Cyber Security  Risk Assessment

• Thank you for participating
• Future webcast sessions will offer a variety of topics
• Please remain online to participate in an interactive series of survey questions
• Written Q and A to the presenters is available for the next 15 minutes

Page 33: Performing a Cyber Security  Risk Assessment

Thank You!

Thank you for attending this virtual learning session