Risk Management

Acknowledgments
Material is sourced from:
• CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
• All-in-One CISSP Exam Guide, 4th Ed. / Shon Harris, McGraw Hill, 2008
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives
Students should be able to:
• Define the risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accept residual risk
• Define the risk treatment terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference
• Describe threat types: natural, unintentional, intentional, intentional (nonphysical)
• Define threat agent types: hackers/crackers, criminals, terrorists, industry spies, insiders
• Perform risk analysis using qualitative and quantitative techniques
• Define vulnerability, SLE, ARO, ALE, due diligence, due care

How Much to Invest in Security?
How much is too much?
• Firewall
• Intrusion Detection/Prevention
• Guard
• Biometrics
• Virtual Private Network
• Encrypted Data & Transmission
• Card Readers
• Policies & Procedures
• Audit & Control Testing
• Antivirus / Spyware
• Wireless Security
How much is too little?
• Hacker attack
• Internal Fraud
• Loss of Confidentiality
• Stolen data
• Loss of Reputation
• Loss of Business
• Penalties
• Legal liability
• Theft & Misappropriation
Security is a balancing act between security costs and losses.

Risk Management Structure
Risk management strategies are determined by both internal and external factors.
Risk Tolerance or Appetite: the level of risk that management is comfortable with.

Risk Management Process
Establish Scope & Boundaries.
Risk Assessment (what to investigate? what to consider?):
• Identification: What assets & risks exist?
• Analysis: What does this risk cost? What priorities shall we set?
• Evaluation: What controls can we use?
Risk Treatment: Avoid, Reduce, Transfer, or Accept; the residual risk is retained.
Risk Communication & Monitoring run throughout the process.

Risk Appetite
• Do you operate your computer with or without antivirus software?
• Do you have antispyware?
• Do you open emails with forwarded attachments from friends or follow questionable web links?
• Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.

Continuous Risk Mgmt Process
Risk appetite drives a cycle: Identify & Assess Risks, Develop Risk Mgmt Plan, Implement Risk Mgmt Plan, Proactive Monitoring, then repeat, because:
• Risks change with time as business & environment change
• Controls degrade over time and are subject to failure
• Countermeasures may open new risks

Security Evaluation: Risk Assessment
Five steps include:
1. Assign Values to Assets (Where are the Crown Jewels?)
2. Determine Loss due to Threats & Vulnerabilities (Confidentiality, Integrity, Availability)
3. Estimate Likelihood of Exploitation (Weekly, monthly, 1 year, 10 years?)
4. Compute Expected Loss
5. Treat Risk
Formulas:
• Loss = Downtime + Recovery + Liability + Replacement
• Risk Exposure = Probability of Vulnerability × $Loss
• Risk Leverage = ((Risk exposure before reduction) − (Risk exposure after reduction)) / (Cost of risk reduction)
Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept Risk.

Step 1: Determine Value of Assets
Identify & determine the value of assets (the Crown Jewels). Assets include:
• IT-related: Information/data, hardware, software, services, documents, personnel
• Other: Buildings, inventory, cash, reputation, sales opportunities
Questions to ask:
• What is the value of this asset to the company?
• How much of our income can we attribute to this asset?
• How much would it cost to recover this?
• How much liability would we be subject to if the asset were compromised?
Helpful website: www.attrition.org

Determine Cost of Assets (template)
| Costs | Product A | Product B | Product C |
|---|---|---|---|
| Tangible $ (Sales Risk) | | | |
| Intangible (High/Med/Low) | | | |
For each product, fill in: Replacement Cost =, Cost of loss of integrity =, Cost of loss of availability =, Cost of loss of confidentiality =.

Matrix of Loss Scenario (taken from CISM Exhibit 2.16)
| Scenario | Size of Loss | Reputation Loss | Lawsuit | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss |
|---|---|---|---|---|---|---|
| Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M |
| Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M |
| Backup tapes and cust. data found in garbage; makes front-page news | 10M records | $20M | $20M | $10M | $5M | $200K |
| Contractor steals employee data; sells data to hackers | 10K records | $5M | $10M | Min. | Min. | $200K |

Step 1: Determine Value of Assets (Work book)
| Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes |
|---|---|---|---|
| Laptop | $1,000 | Mailings = $130 × #Cust; Reputation = $9,000 | Conf., Avail.; Breach Notification Law |
| Equipment | $10,000 | $2K per day in income | Availability (e.g., due to fire or theft) |

Step 2: Determine Loss Due to Threats
• Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
• Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
• Intentional: Fire, water, theft, vandalism
• Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Threat Agent Types
| Threat Agent | Motivation | Typical Actions |
|---|---|---|
| Hackers/Crackers | Challenge, rebellion | Unauthorized access |
| Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes |
| Terrorists | Destruction/revenge/extortion | DOS, info warfare |
| Industry Spies | Competitive advantage | Info theft, econ. exploitation |
| Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse |

Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities:
• Misinterpretation: Poorly-defined procedures, employee error, uncontrolled processes, poor network design, improperly configured equipment
• Behavioral: Disgruntled employee, insufficient staff, inadequate mgmt, inadequate compliance enforcement
• Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Step 3: Estimate Likelihood of Exploitation
Best sources:
• Past experience
• National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
• Specialists and expert advice
• Economic, engineering, or other models
• Market research & analysis
• Experiments & prototypes
If no good numbers emerge, estimates can be used, provided management is notified that they are guesswork.

Likelihood of Exploitation: Sources of Losses
| Source of Loss | Share of Breaches |
|---|---|
| Lost laptop/device | 35% |
| Third party or outsourcer | 21% |
| Electronic backup | 19% |
| Paper records | 9% |
| Malicious insider or code | 9% |
| Hacked system | 7% |
Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu; evaluation of 31 organizations.

Step 4: Compute Expected Loss: Risk Analysis Strategies
• Qualitative: Prioritizes risks so that the highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, nontangibles
• Quantitative: Measures the approximate cost of impact in financial terms
• Semiquantitative: Combination of qualitative & quantitative techniques

Step 4: Compute Loss Using Qualitative Analysis
Qualitative analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share, share value
• When there is insufficient information to perform a more quantified analysis

Vulnerability Assessment Quadrant Map (Work book): a figure plotting each threat by Threat (Probability) against Vulnerability (Severity). Items plotted: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy,
Fire, Terrorist.

Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact:
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood:
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact × Likelihood

SemiQuantitative Impact Matrix
A grid with Impact on one axis (Insignificant (1), Minor (2), Major (3), Material (4), Catastrophic (5)) and Likelihood on the other (Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)); each cell holds Impact × Likelihood.

Step 4: Compute Loss Using Quantitative Analysis
• Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once. E.g., stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability). SLE = Asset Value (AV) × Exposure Factor (EF); with a stolen laptop, EF > 1.0.
• Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25.
• Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE × ARO.

Risk Assessment Using Quantitative Analysis
Quantitative: cost of a HIPAA accident with insufficient protections
• SLE = $50K + (1 year in jail:) $100K = $150K, plus loss of reputation…
• Estimate of time = 10 years or less, so ARO = 0.1
• Annualized Loss Expectancy (ALE) = $150K × 0.1 = $15K

Annualized Loss Expectancy
| Asset Value | 1 Yr | 5 Yrs | 10 Yrs | 20 Yrs |
|---|---|---|---|---|
| $1K | 1K | 200 | 100 | 50 |
| $10K | 10K | 2K | 1K | 1K |
| $100K | 100K | 20K | 10K | 5K |
| $1M | 1000K | 200K | 100K | 50K |
Example: asset costs $10K; risk of loss is 20% per year. Over 5 years, average loss = $10K, so spend up to $2K each year to prevent the loss.

Quantitative Risk Work book
| Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE) |
|---|---|---|---|---|
| Building | Fire | $1M | .05 (20 years) | $50K |
| Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K |

Step 5: Treat Risk
• Risk Acceptance: Handle the attack when necessary. E.g., comet hits. Ignore the risk if risk exposure is negligible.
• Risk Avoidance: Stop doing the risky behavior. E.g., do not use Social Security Numbers.
• Risk Mitigation: Implement a control to minimize the vulnerability. E.g., purchase & configure a firewall.
• Risk Transference: Pay someone to assume the risk for you. E.g., buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot.
• Risk Planning: Implement a set of controls.

NIST Risk Assessment Methodology
| Input | Activity | Output |
|---|---|---|
| Hardware, software | System Characterization | System boundary; System functions; System/data criticality; System/data sensitivity |
| Company history; Intelligence agency data: NIPC, OIG | Identify Threats | List of threats & vulnerabilities |
| Audit & test results | Identify Vulnerabilities | List of threats & vulnerabilities |
| Current and Planned Controls | Analyze Controls | List of current & planned controls |
| Threat motivation/capacity | Determine Likelihood | Likelihood Rating |
| Business Impact Analysis; Data Criticality & Sensitivity analysis | Analyze Impact | Impact Rating |
| Likelihood of threat exploitation; Magnitude of impact | Determine Risk | Documented Risks |
| Plan for risk | Recommend Controls | Recommended Controls |
| | Document Results | Risk Assessment Report |

Control Types
Figure: a Threat creates an Attack, the Attack exploits a Vulnerability, and the Vulnerability results in an Impact. Deterrent and Preventive controls each reduce the likelihood (of the attack and of the vulnerability being exploited, respectively), Detective controls detect the attack, Corrective controls decrease the impact, and Compensating controls are also shown. A second view maps Threat to Deterrent control; Risk probability to Mitigating, Detective and Preventive controls; Vulnerability to Corrective control; and Impact to Residual risk.

Controls & Countermeasures
• The cost of a control should never exceed the expected loss assuming no control.
• Countermeasure = Targeted Control, aimed at a specific threat or vulnerability.
Problem: Firewall cannot process packets fast enough due to IP packet attacks.
Solution: Add
border router to eliminate invalid accesses.

Analysis of Risk vs. Controls Workbook
| Risk | ALE or Score | Control | Cost of Control |
|---|---|---|---|
| Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60 |
| Disk Failure | $3K per day | RAID | $750 |
| Hacker | $9K Breach Notif. Law | Firewall | $1K |
The cost of some controls is shown in the Case Study Appendix.

Extra Step: Step 6: Risk Monitoring
| Risk | Status | Cost / Exposure |
|---|---|---|
| Stolen Laptop | In investigation | $2K, legal issues |
| HIPAA Incident Response | Procedure being defined – incident response | $200K |
| Cost overruns | Internal audit investigation | $400K |
| HIPAA: Physical security | Training occurred | $200K |

Security Dashboard, Heat Chart or Stoplight Chart
Report the status of security to management:
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled, and when resolution is expected

Training
• Importance of following policies & procedures
• Clean desk policy
• Incident or emergency response
• Authentication & access control
• Privacy and confidentiality
• Recognizing and reporting security incidents
• Recognizing and dealing with social engineering

Security Control Baselines & Metrics
• Baseline: A measurement of performance
• Metrics are regularly and consistently measured, quantifiable, and inexpensively collected
• Leads to subsequent performance evaluation
E.g., how many viruses is the help desk reporting?
Figure: bar chart of Stolen Laptop, Virus/Worm and % Misuse (scale 0-90) for Year 1 through Year 4 (company data, not real).

Risk Management
• Risk management is aligned with business strategy & direction
• Risk mgmt must be a joint effort between all key business units & IS
• Business-driven (not technology-driven)
Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy

Risk Management Roles
• Governance & Sr Mgmt: Allocate resources; assess & use risk assessment results
• Info. Security Mgr: Develops, collaborates on, and manages the IS risk mgmt process
• Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
• System / Info Owners: Responsible to ensure controls are in place to address CIA; sign off on changes
• Chief Info Officer: IT planning, budget, performance incl. risk
• IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
• Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.

Due Diligence
• Due Diligence = Did a careful risk assessment (RA)
• Due Care = Implemented the recommended controls from the RA
• Liability is minimized if reasonable precautions are taken
• Senior Mgmt Support

Question: Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question: Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question: The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Question: Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time over which a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Question: The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Question: Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding

Question: The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Question: The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine the budget for residual risk

Question: Due Diligence ensures that:
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets

Question:
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE × ARO

HEALTH FIRST CASE STUDY: Analyzing Risk
Cast: Jamie Ramon, MD (Doctor); Chris Ramon, RD (Dietician); Terry (Licensed Practicing Nurse); Pat (Software Consultant)

Step 1: Define Assets
Consider consequential financial loss. The work book asks, for each asset, C? I? A?
| Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes |
|---|---|---|---|
| Medical DB | | DO + M + H + NL | C, I, A |
| Daily Operation (DO) | | $ | |
| Medical Malpractice (M) | | $ | |
| HIPAA Liability (H) | | $ | |
| Notification Law Liability (NL) | | $ | |

HIPAA Criminal Penalties
| Offense | Penalty | Imprisonment |
|---|---|---|
| Wrongful disclosure of individually identifiable health information | Up to $50K | Up to one year |
| … committed under false pretenses | Up to $100K | Up to 5 years |
| … with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years |
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation
• Normal threats: Threats common to all organizations
• Inherent threats: Threats particular to your specific industry
• Known vulnerabilities: Previous audit reports indicate deficiencies.

Step 2 / Step 3 Work book: Vulnerability Assessment Quadrant Map
Figure: threats plotted by Threat (Probability), on a scale of 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05) and 50 years (.02), against Vulnerability (Severity), on a scale of Slow Down Business, Temp. Shut Down Business and Threaten Business. Items plotted (numbered 1-5 on the slide): Hacker/Criminal, Loss of Electricity, Snow Emergency, Malware, Pandemic, Failed Disk, Tornado/Wind Storm, Stolen Laptop, Stolen Backup Tape(s), Flood, Earthquake, Social Engineering, Intruder, Fire.

Step 4: Compute Expected Loss / Step 5: Treat Risk
Step 4: Compute E(Loss): ALE = SLE × ARO
| Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE) |
|---|---|---|---|---|
| | | | | |
Step 5: Treat Risk
• Risk Acceptance: Handle the attack when necessary
• Risk Avoidance: Stop doing the risky behavior
• Risk Mitigation: Implement a control to minimize the vulnerability
• Risk Transference: Pay someone to assume the risk for you
• Risk Planning: Implement a set of controls

Reference
| Slide # | Slide Title | Source of Information |
|---|---|---|
| 6 | Risk Management Process | CISM: page 97, Exhibit 2.2 |
| 8 | Continuous Risk Mgmt Process | CISM: page 97, Exhibit 2.3 |
| 9 | Security Evaluation: Risk Assessment | CISM: page 100 |
| 12 | Matrix of Loss Scenario | CISM: page 114, Exhibit 2.15 |
| 14 | Step 2: Determine Loss Due to Threats | CISM: page 105 |
| 16 | Step 2: Determine Threats Due to Vulnerabilities | CISM: page 105 |
| 17 | Step 3: Estimate Likelihood of Exploitation | CISM: pages 107-110 |
| 18 | Likelihood of Exploitation: Sources of Losses | CISM: page 118, Exhibit 2.11 |
| 19 | Step 4: Compute Expected Loss: Risk Analysis Strategies | CISM: pages 108-110 |
| 20 | Step 4: Compute Loss Using Qualitative Analysis | CISM: page 108 |
| 22 | Step 4: Compute Loss Using Semi-Quantitative Analysis | CISM: pages 108, 109 |
| 23 | SemiQuantitative Impact Matrix | CISM: page 109, Exhibit 2.12 |
| 24 | Step 4: Compute Loss Using Quantitative Analysis | CISM: pages 109, 110 |
| 26 | Annualized Loss Expectancy | CISM: page 110 |
| 28 | Step 5: Treat Risk | CISM: pages 110, 111 |
| 29 | NIST Risk Assessment Methodology | CISM: page 102, Exhibit 2.7 |
| 30 | Control Types | CISM: page 186, Exhibit 3.18 |
| 32 | Controls & Countermeasures | CISM: pages 184, 185 |
| 36 | Security Control Baselines & Metrics | CISM: pages 191-193 |
| 37 | Risk Management | CISM: pages 91, 92 |
| 38 | Risk Management Roles | CISM: page 94 |
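The arithmetic the deck defines in "Step 4: Compute Loss Using Quantitative Analysis" (SLE, ARO, ALE), the Risk Leverage formula, the "cost of a control should never exceed the expected loss" rule and the semi-quantitative Impact × Likelihood score, carried through on the deck's own workbook figures as one added Python example. This is not code from the slides or the case study: the function names and the `Risk` record are this example's own, and the modelling of the encryption control as removing the $9K breach-notification cost from a stolen laptop is an assumption, not something the slides state.

```python
# Added example (not from the slides): quantitative and semi-quantitative risk
# arithmetic applied to the deck's workbook figures. Function names and the Risk
# record are this example's own; the "encryption removes the breach-notification
# cost" modelling below is an assumption, not a statement from the slides.
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF may exceed 1.0, e.g. a stolen laptop)."""
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO = 1 / mean years between events (a fire every 25 years -> 0.04)."""
    if years_between_events <= 0:
        raise ValueError("years between events must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def risk_leverage(exposure_before: float, exposure_after: float, control_cost: float) -> float:
    """Risk Leverage = (exposure before - exposure after) / cost of the reduction."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (exposure_before - exposure_after) / control_cost


def semi_quantitative_score(impact: int, likelihood: int) -> int:
    """Risk = Impact x Likelihood on the deck's 1..5 scales; rejects off-scale input."""
    for name, level in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= level <= 5:
            raise ValueError(f"{name} must be between 1 and 5")
    return impact * likelihood


@dataclass
class Risk:
    asset: str
    threat: str
    sle: float
    years_between: float                        # mean years between occurrences
    control: Optional[str] = None
    control_cost: float = 0.0                   # annual cost of the control
    sle_after_control: Optional[float] = None   # assumed residual SLE with the control in place

    def aro(self) -> float:
        return annualized_rate_of_occurrence(self.years_between)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro())

    def ale_after_control(self) -> float:
        residual = self.sle if self.sle_after_control is None else self.sle_after_control
        return annual_loss_expectancy(residual, self.aro())

    def control_is_justified(self) -> bool:
        """Deck rule: the cost of a control should never exceed the expected loss without it."""
        return self.control is not None and self.control_cost <= self.ale()

    def leverage(self) -> float:
        return risk_leverage(self.ale(), self.ale_after_control(), self.control_cost)


# Constructed workbook using the deck's figures: building fire ($1M every 20
# years), HIPAA accident ($150K, 10 years or less), stolen laptop ($1K
# replacement + $9K breach notification, every 5 years, $60 encryption control).
WORKBOOK = [
    Risk("Building", "Fire", sle=1_000_000, years_between=20),
    Risk("Medical DB", "HIPAA accident", sle=150_000, years_between=10),
    Risk("Laptop", "Stolen", sle=1_000 + 9_000, years_between=5,
         control="Encryption", control_cost=60,
         sle_after_control=1_000),  # assumption: encryption removes the $9K notification cost
]


def rank_by_ale(risks):
    """Highest expected annual loss first: the order in which to treat risk."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def ale_table(asset_values, horizons_years):
    """The deck's ALE lookup: expected annual loss for an asset lost once per horizon."""
    return {v: {h: annual_loss_expectancy(v, annualized_rate_of_occurrence(h))
                for h in horizons_years} for v in asset_values}


if __name__ == "__main__":
    for r in rank_by_ale(WORKBOOK):
        line = f"{r.asset:<11}{r.threat:<16}SLE ${r.sle:>10,.0f}  ARO {r.aro():.3f}  ALE ${r.ale():>9,.0f}"
        if r.control:
            line += (f"  {r.control} @ ${r.control_cost:,.0f}/yr -> leverage "
                     f"{r.leverage():.1f}, justified={r.control_is_justified()}")
        print(line)
    print("Semi-quantitative: Material (4) x Unlikely (2) =", semi_quantitative_score(4, 2))
```

Running the block lists the workbook ranked by ALE (building fire $50K, HIPAA accident $15K, stolen laptop $2K) and, for the laptop, shows that a $60 encryption control is well under the $2K expected loss and, under the stated assumption, returns a leverage of 30. The `ale_table` helper reproduces the deck's Annualized Loss Expectancy lookup from the two formulas alone, so any asset value or horizon can be checked against the slide.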