FORESEC Academy
FORESEC Academy Security Essentials (III)
RISK MANAGEMENT AND
AUDITING
FORESEC Academy
Risk Management - Where do I
Start?
 Write the security policy (with
business input)
 Analyze risks, or identify industry
practice for due care; analyze
vulnerabilities
FORESEC Academy
Risk Management - Where do I
Start (cont’d)?
 Set up a security infrastructure
 Design controls, write standards for each
technology
 Decide what resources are available, prioritize
countermeasures, and implement top priority
countermeasures you can afford
 Conduct periodic reviews and possibly tests
 Implement intrusion detection and incident
response
FORESEC Academy
Define Risk
 Risk = Vulnerability x Threat
 Vulnerability is a weakness in a system that
can be exploited
 Threat is any event that can cause an
undesirable outcome
FORESEC Academy
The Three Risk Choices
 Accept the risk as is
 Mitigate or reduce the risk
 Transfer the risk (insurance model)
FORESEC Academy
Risk Management Questions
 What could happen? (what is the threat)
 If it happened, how bad could it be? (impact
of threat)
 How often could it happen? (frequency of
threat - annualized)
 How reliable are the answers to the above
three questions? (recognition of
uncertainty)
FORESEC Academy
Risk Requires Uncertainty
If you have reason to believe there is no uncertainty,
there is no risk. For example, jumping out of an airplane
two miles up without a parachute isn't risky; it is suicide.
For such an action, there is a close to 1.0 probability you
will go splat when you hit the ground and almost 0.0
probability you will survive.
Probability ranges between 0.0 and 1.0 though people
often express it as a percent.
FORESEC Academy
SLE vs ALE
 SLE - Single Loss Expectancy
The loss from a single event
 ALE - Annualized Loss Expectancy
Annual expected loss based on a
threat
FORESEC Academy
Single Loss Expectancy
(SLE - one shot)
 Asset value x exposure factor = SLE
 Exposure factor: 0 - 100% of loss
to asset
 Example Nuclear bomb/small town
($90M x 100% = $90M)
FORESEC Academy
Annualized Loss Expectancy
(ALE - multi-hits)
 SLE x Annualized rate occurrence = Annual
Loss Expectancy (ALE)
 Annual loss is the frequency the threat is
expected to occur
 Example, web surfing on the job
- SLE: 1000 employees, 25% waste an hour per
week surfing, $50/hr x 250 = $12,500
- ALE: They do it every week except when on
vacation: $12,500 x 50 = $625,000
FORESEC Academy
Quantitative vs. Qualitative
 Qualitative is easier to calculate but its
results are more subjective
 Qualitative is much easier to accomplish
 Qualitative succeeds at identifying high
risk areas
 Quantitative is far more valuable as a
business decision tool since it works in
metrics, usually dollars
FORESEC Academy
Qualitative - Another Risk
Assessment Approach
 Banded values: High, medium, low
 Asset value and safeguard cost can
be tied to monetary value, but not
the rest of the model
 Very commonly used
FORESEC Academy
Best Practice Risk Assessment
 System administration is a high turnover
job for large organizations,
which affects continuity
 System administrators tend to be
focused on having the .trains run on
time.
 Security configuration may not be
understood or implemented
FORESEC Academy
Best Practice
 No single organization or person is
likely to produce best practice
 Consensus of many organizations
and stringent review
 Examples:
- Center for Internet Security
FORESEC Academy
Foresec Securing 2000 SBS
3.1.2.3.1 Additional Restrictions for Anonymous
Connections.
The default choice for this setting is “None” Rely on
default permissions..” The other choices are “No Access
Without Explicit Anonymous Permissions," and “Do Not
Allow Enumeration of SAM Accounts and Shares.”
Select “No Access Without Explicit Permissions.”
FORESEC Academy
Windows 2000 Checklist
 Checklist approach designed for two persons
(check and double check) to configure a
Windows 2000 system to at least minimal
acceptable security.
FORESEC Academy
Business Case for Risk
Management
 In order to present the business case,
we need to convey the “Big Picture”
 We are now familiar with these core
technologies and how they play
together:
- Host and Network-based Intrusion
Detection
- Vulnerability Scanners and Honeypots
- Firewalls
FORESEC Academy
Business Case - Applications
 Organization has no intrusion detection
and you are presenting the case for
standing up a capability
 Organization has rudimentary capability
and you want to upgrade
 Organization has central monitoring and
you are presenting the case for a
departmental capability
FORESEC Academy
Business Case - Applications(2)
 Many managers are uncomfortable
when confronted with actual data about
attacks and vulnerabilities.
 You can often use any existing source
of data (firewall logs, system logs) to
leverage additional intrusion detection
financing by showing them a .smoking
gun..
FORESEC Academy
Threat Vectors
 Outsider attack from network
 Outsider attack from telephone
 Insider attack from local network
 Insider attack from local system
 Attack from malicious code
FORESEC Academy
Outsider Attack - Internet
 Newspaper, web articles on attacks at




other places, if it happens to them.
Hacking web sites: www.antionline.com
Firewall/Intrusion Detection logs are an
excellent source for specific threats
System audit trail logs are as well
Demo an intrusion detection system