Risk Analysis

COEN 250
Risk Management

Risk Management consists of
- Risk Assessment
- Risk Mitigation
- Risk Evaluation and Assessment

Risk Management allows
- Balancing the operational and economic costs of protective measures

Risk Management and System Development Life Cycle

Phase 1 – Initiation
- Need for IT system is expressed, scope is documented
- Identified risks are used for developing system requirements
  - Including security requirements
  - Security strategy of operations

Phase 2 – Development or Acquisition
- IT system is designed, purchased, programmed, developed
- Risks identified during this phase are used to support security analyses of the system
  - Might lead to architecture and design trade-offs during development

Phase 3 – Implementation
- System features are configured, enabled, tested, verified
- Risk management supports assessment of the system implementation against its requirements and the modeled operational environment

Phase 4 – Operation or Maintenance
- System performs its functions
- Typically: modification on an ongoing basis
- Risk management activities: system reauthorization / reaccreditation
  - Periodic
  - Triggered by changes in the system
  - Triggered by changes in the operational production environment

Phase 5 – Disposal
- Disposition of information, hardware, software
- Activities: moving, archiving, discarding, destroying, sanitizing
- Risk management:
  - Ensure proper disposal of software and hardware
  - Proper handling of residual data
  - System migration conducted securely and systematically
Risk Management and System Development Life Cycle

Risk management is a management responsibility

Senior management
- Ensures effective application of necessary resources to develop mission capabilities
- Needs to assess and incorporate results of risk management into the decision-making process

Chief Information Officer (CIO)
- Responsible for planning, budgeting, and performance of IT
- Includes information security components

Systems and Information Owners
- Responsible for ensuring existence of proper controls
- Have to approve and sign off on changes to the IT system
- Need to understand the role of risk management

Business and Functional Managers
- Have authority and responsibility to make trade-off decisions
- Need to be involved in risk management

Information System Security Officer (ISSO)
- Responsible for the security program, including risk management
- Plays a leading role in the risk management methodology
- Acts as consultant to senior management

IT Security Practitioners
- Responsible for proper implementation
- Must support the risk management process to identify new potential risks
- Must implement new security controls

Security Awareness Trainers
- Proper use of systems is instrumental in risk mitigation and IT resource protection
- Must understand risk management
- Must incorporate risk assessment into training programs
Risk Assessment

Risk depends on
- Likelihood of a given threat-source exercising a particular potential vulnerability
- Resulting impact of the adverse event
Hypothetical 2003 Example
- Polish hacker N@te upset at Polish control of Multinational Division Central South Iraq
- His hacker group wants to attack www.wp.mil.pl
- Finds out www.wp.mil.pl runs Apache
- Runs old version of OpenSSL vulnerable to a buffer overflow attack

Bejtlich: The Tao of Network Security Monitoring
Hypothetical 2003 Example

Factor        | Description                                          | Assessment | Rationale
--------------|------------------------------------------------------|------------|------------------------------------------------------------
Threat        | N@te and his buddies                                 | 5/5        | Has capability and intention
Vulnerability | Unpatched OpenSSL process                            | 5/5        | Vuln. gives N@te root access. No countermeasures deployed
Asset Value   | Military spends more than $10,000 annually           | 4/5        | Damage to Polish prestige, costs of web server
Risk          | Loss of integrity and control of web server and site | 100/125    |

Bejtlich: The Tao of Network Security Monitoring
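The scoring in the table above can be reproduced in a few lines. The following is an added example written for this page, not code from the slides or from Bejtlich's book: the Risk = Threat × Vulnerability × Asset Value formula and the 1..5 scale per factor come from the table, while the two extra scenarios (the same server with no motivated threat source, and the same server after patching) are constructed here to show which factor moves the score.

```python
# Added example for this page (not code from the slides or from Bejtlich's
# book). It reproduces the Threat x Vulnerability x Asset Value scoring of
# the table above; the extra scenarios at the bottom are constructed here.
from __future__ import annotations

from dataclasses import dataclass

SCALE_MAX = 5              # each factor is rated 1..5, as in the table
MAX_RISK = SCALE_MAX ** 3  # 5 * 5 * 5 = 125, the denominator of "100/125"


@dataclass(frozen=True)
class RiskFactors:
    threat: int          # capability and intention of the threat source
    vulnerability: int   # severity of the weakness, lack of countermeasures
    asset_value: int     # what the asset is worth to the organization

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..5 scale so a typo cannot silently
        # inflate or zero out a score.
        for name in ("threat", "vulnerability", "asset_value"):
            value = getattr(self, name)
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in 1..{SCALE_MAX}, got {value}")


def risk_score(f: RiskFactors) -> int:
    """Risk = Threat x Vulnerability x Asset Value (maximum MAX_RISK)."""
    return f.threat * f.vulnerability * f.asset_value


def risk_fraction(f: RiskFactors) -> float:
    """Score normalised to 0..1, e.g. 100/125 = 0.8 for the table's case."""
    return risk_score(f) / MAX_RISK


def rank_scenarios(scenarios: dict[str, RiskFactors]) -> list[tuple[str, int]]:
    """Order named scenarios from highest to lowest score, for prioritisation."""
    scored = [(name, risk_score(f)) for name, f in scenarios.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenarios: the first is the table's case, the others vary one
# factor at a time to show what drives the score.
SCENARIOS = {
    "unpatched OpenSSL, motivated attacker": RiskFactors(threat=5, vulnerability=5, asset_value=4),
    "unpatched OpenSSL, no known threat source": RiskFactors(threat=1, vulnerability=5, asset_value=4),
    "patched OpenSSL, motivated attacker": RiskFactors(threat=5, vulnerability=1, asset_value=4),
}


if __name__ == "__main__":
    for name, score in rank_scenarios(SCENARIOS):
        print(f"{score:3d}/{MAX_RISK}  {name}")
```

Running it ranks the table's case first at 100/125; dropping either the threat rating or the vulnerability rating to 1 brings the score down to 20/125, which is the point the next slides make: a vulnerability with no threat source, or a threat source with no vulnerability to exercise, yields little risk.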
Hypothetical 2003 Example
- Polish military does not know N@te, but knows about its exposure
- Needs to know about the vulnerability
- Risk assessment changes dramatically once the vulnerability is recognized

Vulnerability ≠ Threat
- February 2002 SNMP vulnerability
  - SNMP is a widespread network management tool
  - Potentially affected most network devices
  - However, NO exploits were discovered
- Windows RPC vulnerability of 2003
  - Dozens of exploits
  - Blaster worm caused > $1,000,000,000 in damage
Risk Assessment

Step 1: System Characterization
- Collect system-related information
  - Hardware
  - Software
  - Connectivity
  - Data and information
  - Users and support
  - System mission
  - System and data criticality and sensitivity
  - …
Step 2: Threat Identification
- Threat source identification
  - Natural threats: floods, fires, earthquakes, …
  - Human threats: unintentional acts, deliberate actions
    - Consider motivations and actions
  - Environmental threats: long-term power failure, pollution, chemicals, liquid leakage
Step 3: Vulnerability Identification
- Varies with SDLC phase
- Sources
  - Previous risk assessment documents
  - IT system audits and logs
  - Vulnerability lists (NIST I-CAT, CERT, SANS, SecurityFocus.com)
  - Security advisories
  - Vendor advisories
  - System software security analyses
- Security testing
  - Automated vulnerability scanning tools
  - Penetration testing
  - Security Test and Evaluation (ST&E)
    - Develop a test plan
    - Test effectiveness of security controls
    - See NIST SP 800-42
Step 3: Vulnerability Identification
- Develop a security requirements checklist
- Management security
  - Assignment of responsibilities
  - Continuity of support
  - Incident response capability
  - Periodic review of security controls
  - Personnel clearance and background investigations
  - Risk assessment
  - Separation of duties
  - System authorization and reauthorization
  - System or application security plan
- Operational security
  - Control of air-borne contaminants
  - Controls to ensure the quality of the electrical power supply
  - Data media access and disposal
  - External data distribution and labeling
  - Facility protection (e.g., computer room, data center, office)
  - Humidity control
  - Temperature control
  - Workstations, laptops, and stand-alone personal computers
- Technical security
  - Communications (e.g., dial-in, system interconnection, routers)
  - Cryptography
  - Discretionary access control
  - Identification and authentication
  - Intrusion detection
  - Object reuse
  - System audit
- Outcome: a list of system vulnerabilities that could be exercised by a potential threat source
Control Analysis
- Control methods
  - Technical methods: safeguards built into computer hardware, software, firmware
  - Nontechnical methods: management and operational controls
    - Security policies
    - Operational procedures
    - Personnel security
    - Physical security
    - Environmental security

Control Categories
- Preventive controls
- Detective controls

Control Analysis
- Compare against the security requirements checklist to validate security (non-)compliance
- Output: list of current or planned controls
Step 5: Likelihood Determination
- Governing factors
  - Threat source motivation and capability
  - Nature of the vulnerability
  - Existence and effectiveness of current controls
- Assign likelihood levels

Step 6: Impact Analysis
 Requires
System mission
 System and data criticality
 System and data sensitivity

 Can
typically be described in
Loss of integrity
 Loss of availability
 Loss of confidentiality

Risk Assessment

Step 6: Impact Analysis
 Can
be done quantitatively or qualitatively
Step 7: Risk Determination
- Risk level matrix
  - Composed of threat likelihood and impact
  - Determines risk scale
- Risk scale
  - Used to determine and prioritize activities
Control Recommendations
- Reduce risks to data and system to an acceptable level
- Base evaluation on
  - Effectiveness
  - Legislation and regulation
  - Organizational policy
  - Operational impact
  - Safety and reliability
- Perform cost-benefit analysis
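Steps 5 to 7 combine a likelihood level and an impact level into a risk level, and the control recommendation step then weighs candidate controls by what they cost against the risk they remove. The example below is added here and is not code from the slides: the likelihood weights (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and the High / Medium / Low cut-offs follow the risk-level matrix in NIST SP 800-30, which these steps track, while the risk scenario, its annual loss estimate, and the candidate controls with their costs and residual likelihoods are constructed for illustration.

```python
# Added example for this page (not code from the slides). Likelihood weights,
# impact values and the High/Medium/Low cut-offs follow the risk-level matrix
# in NIST SP 800-30; the scenario, loss estimate and candidate controls are
# constructed here for illustration.
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # step 5 levels
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # step 6 levels


def risk_value(likelihood: str, impact: str) -> float:
    """Cell of the risk-level matrix: likelihood weight x impact value."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the matrix cell onto the risk scale (step 7)."""
    value = risk_value(likelihood, impact)
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict[tuple[str, str], str]:
    """Full 3x3 matrix, useful for reviewing the scale before applying it."""
    return {(l, i): risk_level(l, i) for l in LIKELIHOOD for i in IMPACT}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    loss_estimate: float   # assumed annual loss if the threat is exercised


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: str   # likelihood level left once the control is in place


def cost_benefit(risk: Risk, control: Control) -> dict:
    """Expected loss before and after the control, net of the control's cost."""
    before = risk.loss_estimate * LIKELIHOOD[risk.likelihood]
    after = risk.loss_estimate * LIKELIHOOD[control.residual_likelihood]
    benefit = before - after
    return {
        "control": control.name,
        "level_before": risk_level(risk.likelihood, risk.impact),
        "level_after": risk_level(control.residual_likelihood, risk.impact),
        "annual_benefit": benefit,
        "net_benefit": benefit - control.annual_cost,
    }


def recommend(risk: Risk, controls: list[Control]) -> list[dict]:
    """Keep controls whose benefit exceeds their cost, best net benefit first."""
    evaluated = [cost_benefit(risk, c) for c in controls]
    worthwhile = [e for e in evaluated if e["net_benefit"] > 0]
    return sorted(worthwhile, key=lambda e: e["net_benefit"], reverse=True)


# Constructed scenario and candidate controls (costs and effects are assumptions).
WEB_SERVER_RISK = Risk("unpatched OpenSSL on public web server", "High", "High", 200_000)
CANDIDATES = [
    Control("patch OpenSSL and enforce an update cadence", 5_000, "Low"),
    Control("deploy network intrusion detection", 40_000, "Medium"),
    Control("re-platform the whole site", 300_000, "Low"),
]

if __name__ == "__main__":
    for (l, i), level in risk_matrix().items():
        print(f"likelihood={l:6s} impact={i:6s} -> {level}")
    for rec in recommend(WEB_SERVER_RISK, CANDIDATES):
        print(rec)
```

Note that effectiveness and cost are only two of the evaluation criteria the slide lists; a control that scores poorly here may still be required by legislation or organizational policy, and one that scores well may be rejected for its operational impact, so the ranking feeds the decision rather than making it.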
Step 9: Result Documentation
- Risk assessment report
  - Describes threats and vulnerabilities
  - Measures risk
  - Provides recommendations for control implementation

Risk Mitigation
- Prioritizing, evaluating, and implementing appropriate risk-reducing controls
Risk Mitigation

Options
- Risk Assumption: to accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level
- Risk Avoidance: to avoid the risk by eliminating the risk cause and/or consequence
- Risk Limitation: to limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
- Risk Planning: to manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
- Research and Acknowledgment: to lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
- Risk Transference: to transfer the risk by using other options to compensate for the loss, such as purchasing insurance
Risk Mitigation

Control Implementation
- Prioritize actions
- Evaluate recommended control options
- Conduct cost-benefit analysis
- Select control
- Assign responsibility
- Develop a safeguard implementation plan
- Implement selected control(s)