Risky Business
Craig A. Schiller, CISSP-ISSMP, ISSAP
© 2005 Hawkeye Security Training LLC

Information Security Mission

The mission of [your security organization] is to establish and maintain the confidentiality, integrity, and availability of information assets through the application of people, process, and technology in a manner that:
1. Facilitates compliance with applicable law
2. Demonstrates due care and due diligence
3. Satisfies documented technical, functional, and business requirements
4. Conforms to recognized standards, guidelines, methods or practices
5. Establishes and maintains an acceptable level of risk using recognized risk management practices and appropriate administrative, physical, and technical safeguards

From "Due Care or Do Not Care", David R. Furnas, CISM, CISSP, May 13, 2004

Information Security Mission

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

From "The Art of War", Sun Tzu, ~453–221 B.C.

Risk Management Issues

Until roughly the 1970s, the field of risk was largely dominated by engineers, economists and epidemiologists, who calculated risk based on historical data and knowledge of existing systems and vectors. But over the past 30 years, exponential increases in both the volume of advancements in science and technology and the velocity at which they have been introduced into practical use have fueled an ongoing debate about the risks these advancements engender — how the risks are assessed, and how they are managed (and by whom) — in an increasingly interdependent world.
From "RISK: THE ART AND THE SCIENCE OF CHOICE", Denise Caruso, Oct 2002

Risk Management Issues (cont.)

The central issue, as seen by a wide range of concerned scientists, public policy makers, citizens and other stakeholders, is the difficulty of accurately assessing risks, given the sparseness and uncertainty of scientific knowledge about most new discoveries and technologies. These uncertainties have highlighted the shortcomings of purely quantitative assessment measures and, over the past two decades, prompted a growing acknowledgment by risk experts (in theory, if not yet in widespread practice) of the co-equal importance of subjective factors, including values, for understanding risk.

From "RISK: THE ART AND THE SCIENCE OF CHOICE", Denise Caruso, Oct 2002

Risk Management

Risk Management: the process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected.

Risk Assessment: a process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective countermeasures.

National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug.
1997

NIST Risk Management Model (as referenced in GAISP)

Preparation
• Boundaries: system boundaries; analysis and assessment boundaries

Analysis
• Asset identification
• Threat identification
• Vulnerability identification
• Impact assessment
• Likelihood assessment
• Safeguard identification and selection
• Risk mitigation analysis
• Cost/benefit analysis
• Uncertainty analysis

Deliverables
• Risk measures

Decisions
• Acceptance test
• Actions: change requirements, change system, change environment

Risk Management

(Figure from: Information Security Management, Learning from Leading Organizations. Securing Information Technology (IT) Systems, GAO Report, October 1996.)

Deming (Shewhart) PDCA Cycle

PLAN → DO → CHECK → ACT

Workers PLAN preventive measures by finding the causes of variations; managers and workers cooperatively DO the plans; CHECK by observing the results; and ACT by analyzing the results, noting the lessons learned and the predictions made.

Risk Management: Terms

Asset: information or information systems.
Asset Value: see the slide on information valuation.
Vulnerability: a weakness or absence of a risk-reducing safeguard, associated with the asset or with the controls protecting the asset.
Threat: a potential event which may have an undesirable impact.
Exposure = Asset + Vulnerability + Absence of safeguard
Incident = Asset + Realized threat + Unmitigated vulnerability
Exposure Factor (EF): a measure of the potential magnitude of loss or impact on the value of an asset.
It can be expressed as a percentage (0–100%) of the asset value lost as a result of a threat event.
Risk: the likelihood of a given threat exploiting a particular potential vulnerability, which would result in adverse impact to the organization.
Risk Measures: the degree of risk associated with one or more risk scenarios.
Residual Risk: the portion of risk remaining after security measures have been applied.

Quantitative Method

Single Loss Expectancy: SLE = Asset Value × Exposure Factor
Annual Rate of Occurrence: ARO = ALR (Annualized Loss Rate)*
Annual Loss Expectancy: ALE = SLE × ARO

ALE represents the amount of money the company stands to lose if nothing is done. A total ALE and a list of assets prioritized by ALE are reported. The act of discovery is more valuable than the number itself. Three sortings of the list are useful: ordered by loss (SLE), by frequency (ARO), and by the product of loss and frequency (asset-based ALE).

* The term "annualized" is used to account for events that happen less often than once a year (an event expected once in ten years has an ARO of 0.1).

Quantitative Method Issues

• Asset value and loss estimates
• Effects of incomplete data and uncertainty
• Scientific notation and accuracy
• Exposure factor
• Historical data: where does threat data come from?
• Strategy is enterprise focused, not asset focused
• Defense in depth (layered defense)
• Prospect theory

Asset Value & Loss Estimates

What is the value of an entity of information?
• Cost paid for it
• Cost to develop it
• Cost to recover it
• Loss of market share
• Regulatory penalties for loss
• Loss of income while unavailable
Whose value do you use?
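A worked example of the Quantitative Method slide's arithmetic (SLE = AV × EF, ALE = SLE × ARO, the three sortings of the list), added here by the editor and not part of the original deck. The scenario register and every value, exposure factor and rate in it are constructed; the safeguard cost/benefit check and the significant-figure rounding go beyond the slide's formulas and are additions, not something the deck states.

```python
"""Quantitative risk arithmetic: SLE = AV * EF, ALE = SLE * ARO, the three
sortings of the scenario list, a safeguard cost/benefit check and a crude
propagation of estimate uncertainty. All figures are constructed."""
import math


class Scenario:
    def __init__(self, asset, asset_value, exposure_factor, aro):
        if not 0.0 <= exposure_factor <= 1.0:
            raise ValueError("EF is the fraction of asset value lost, 0..1")
        if aro < 0:
            raise ValueError("ARO cannot be negative")
        self.asset = asset
        self.asset_value = asset_value        # best estimate, currency units
        self.exposure_factor = exposure_factor
        self.aro = aro                        # annualised: once in 5 years -> 0.2


def sle(s):
    """Single Loss Expectancy: what one occurrence of the threat costs."""
    return s.asset_value * s.exposure_factor


def ale(s):
    """Annual Loss Expectancy: expected loss per year if nothing is done."""
    return sle(s) * s.aro


def total_ale(scenarios):
    return sum(ale(s) for s in scenarios)


def sortings(scenarios):
    """The three orderings the slide recommends: by loss, by frequency, by ALE."""
    return {
        "by_loss": [s.asset for s in sorted(scenarios, key=sle, reverse=True)],
        "by_frequency": [s.asset for s in sorted(scenarios, key=lambda s: s.aro, reverse=True)],
        "by_ale": [s.asset for s in sorted(scenarios, key=ale, reverse=True)],
    }


def safeguard_value(ale_before, ale_after, annual_cost):
    """Standard cost/benefit test for one safeguard (editor's addition, not a
    slide formula): a positive result means the safeguard pays for itself."""
    return (ale_before - ale_after) - annual_cost


def ale_band(av, ef, aro):
    """Propagate (low, high) estimate ranges for AV, EF and ARO into an ALE band.
    The width of the band, not the point estimate, is what the analysis is worth."""
    return av[0] * ef[0] * aro[0], av[1] * ef[1] * aro[1]


def round_sig(x, n):
    """Round to n significant figures: a result is only as precise as its least
    precise input, so an ARO guessed to one figure justifies one figure here."""
    if x == 0:
        return 0.0
    return round(x, n - int(math.floor(math.log10(abs(x)))) - 1)


# Constructed sample register (assumed values, not data from the deck).
SCENARIOS = [
    Scenario("customer DB breach", 500_000, 0.60, 0.2),       # once in 5 years
    Scenario("web server defacement", 50_000, 0.40, 4.0),
    Scenario("laptop theft", 120_000, 0.05, 12.0),
    Scenario("backup tapes lost in transit", 200_000, 1.00, 0.05),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:30s} SLE={sle(s):>10,.0f} ARO={s.aro:<5} ALE={ale(s):>10,.0f}")
    print("total ALE (1 sig. fig.):", round_sig(total_ale(SCENARIOS), 1))
    print(sortings(SCENARIOS))
    # Assumed: a WAF costing 15,000/yr cuts the web server ARO from 4 to 1.
    print("WAF worth per year:", safeguard_value(ale(SCENARIOS[1]), 20_000, 15_000))
    # Assumed estimate ranges for the customer DB scenario.
    print("customer DB ALE band:", ale_band((300_000, 1_000_000), (0.3, 0.9), (0.1, 0.5)))
```

The three sortings disagree on the same four rows, which is the slide's point about discovery mattering more than the number: the customer database tops the loss list, laptops top the frequency list, and the web server tops the ALE list. The band function shows why a single ALE should be reported with one significant figure: plausible ranges for the three inputs turn a 60,000 point estimate into a 9,000 to 450,000 band.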
Loss Estimates

In practice three types of answers are given:
• "We're the most valuable group in the company" (wild exaggeration)
• "We don't want you to interfere" (gross underestimation)
• A to-the-best-of-our-knowledge estimate (may or may not be right)

Effect on Quantitative Calculations

Single Loss Expectancy: ??SLE?? = ?Asset Value? × ?Exposure Factor?
Annual Rate of Occurrence: ARO = ALR (Annualized Loss Rate)*
Annual Loss Expectancy: ALE = ??SLE?? × ?ARO?
(A single ? marks an uncertain input; ?? marks a result computed from uncertain inputs.)
How can you rely on these results with this much variability and missing information?

Scientific Notation & Accuracy

The primary driver of quantitative RM is to base answers on a great deal of detailed information. The rules of significant figures dictate that a result can only be as precise as the least precise data that went into it: combine 1.2345 × 10^5 with a figure known to two digits and the result is 1.2 × 10^5. This drives risk management recommendations to be broad answers with very low granularity. One risk management expert claims he can give an 80% accurate prediction of the results of risk management without ever visiting the company.

Exposure Factor

Exposure Factor (EF): a measure of the potential magnitude of loss or impact on the value of an asset. It can be expressed as a percentage (0–100%) of the asset value lost as a result of a threat event. What happens when loss of a particular asset means loss of the enterprise?

Threat Data

• Where does threat data come from?
• Where does your RM product get its threat data?
• Do you update the threat data?
• What about local threat information?
• After-incident loss data is usually not gathered or validated
• Historical data is inaccurate or incomplete
• Where is your incident data kept?
• Does it include losses from internally developed software?
• Does it include privacy-related losses?
• Some threats are not discussed. Executive treatment: powerful individuals with access to the most sensitive information are excluded from security measures.

Qualitative Method

Instead of using dollars and arriving at an Annual Loss Expectancy, the qualitative method determines a prioritized risk estimate, usually using a Delphi method to tap corporate knowledge of past incidents. Asset value and probability* of occurrence are replaced with a High, Medium or Low designator. Under the covers, H, M and L are replaced with a scalar (3, 2, 1) so that calculations and sorting can be done. This permits the inclusion of non-monetary forms of asset value without an arbitrary conversion to currency. H value with H (frequent) occurrence, and L value with L occurrence, are easy to disposition. Is M value, M occurrence a higher or lower priority than L value, H occurrence?

* Probability can be interpreted as a measurable objective quantity or as a degree of confidence in the occurrence of an event.

Risk Management Process Overview

(Figure only; not reproduced.)

Tactical Issues

• Easier than quantitative: none of that pesky detail
• Wide variability in interpretation of High, Medium, Low
  • No way to check, since you keep none of that pesky detail which would be necessary to validate each interpretation
• Decisions are only as good as the data visible to the Delphi participants
  • NASA comparison of Delphi results to the actual incident database
• The mantra of "avoid detail" is the qualitative method's undoing, although, because the detail is not gathered, you have no way of knowing how wrong you are.
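An added example for the Qualitative Method and Tactical Issues slides, written by the editor and not taken from the deck. It shows what the "hidden scalar" does to the M value/M occurrence versus L value/H occurrence question, and how a Delphi panel's disagreement vanishes when only the consensus letter is kept. The scenario names, the panel votes and the second scale (1, 2, 5) are constructed assumptions.

```python
"""Qualitative (H/M/L) risk ranking with the scalar the letters hide.
Scenarios, votes and the alternative scale are constructed for illustration."""
import math
from statistics import median

ORDINAL = {"L": 1, "M": 2, "H": 3}      # the slide's 3/2/1 mapping
LETTER = {v: k for k, v in ORDINAL.items()}
SKEWED = {"L": 1, "M": 2, "H": 5}       # assumed alternative mapping another team might use


def score(value, likelihood, scale=ORDINAL):
    """Product of the two scalars; this is all the 'calculation' there is."""
    return scale[value] * scale[likelihood]


def rank(scenarios, scale=ORDINAL):
    """Scenario names in descending priority. sorted() is stable, so equal
    scores keep the order they were supplied in: the method itself does not
    break ties, the order of the spreadsheet does."""
    return [name for name, v, l in
            sorted(scenarios, key=lambda s: -score(s[1], s[2], scale))]


def rank_shift(scenarios, scale_a, scale_b):
    """Which scenarios move, and by how many places, when only the hidden
    scale changes and none of the H/M/L judgements do."""
    a, b = rank(scenarios, scale_a), rank(scenarios, scale_b)
    return {n: b.index(n) - a.index(n) for n in a if a.index(n) != b.index(n)}


def delphi_consensus(votes):
    """Collapse a panel's H/M/L votes into one designator (median position,
    rounding up on an even split) but keep the raw votes and a split flag,
    i.e. the detail the slide says is normally thrown away."""
    positions = sorted(ORDINAL[v] for v in votes)
    letter = LETTER[math.ceil(median(positions))]
    return {"consensus": letter, "split": len(set(votes)) > 1, "votes": list(votes)}


# Constructed register: (scenario, asset value, likelihood).
SCENARIOS = [
    ("payroll DB exposure", "H", "L"),
    ("shared admin password", "M", "M"),
    ("lost USB key", "L", "H"),
    ("phishing campaign", "H", "H"),
    ("legacy printer compromise", "L", "L"),
]

if __name__ == "__main__":
    print("3/2/1 scale :", rank(SCENARIOS))
    print("5/2/1 scale :", rank(SCENARIOS, SKEWED))
    print("moved       :", rank_shift(SCENARIOS, ORDINAL, SKEWED))
    print("M/M vs L/H  :", score("M", "M"), score("L", "H"),
          "| skewed:", score("M", "M", SKEWED), score("L", "H", SKEWED))
    # Two constructed panels: both collapse to "M", only one actually agreed.
    print(delphi_consensus(["M", "M", "M", "M"]))
    print(delphi_consensus(["H", "H", "L", "L"]))
```

With 3/2/1 the M/M scenario (4) outranks L/H (3); with 1/2/5 it is the other way round (4 versus 5), so the ranking answers the slide's question with whichever scale was chosen, not with anything the panel knew. The two Delphi panels at the end both report "M"; only the retained votes show that one of them was evenly split between High and Low.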
Strategic Issues

• Strategy is enterprise focused, not asset focused; risk management is tactical (asset focused).
• Defense in depth (layered defense) is a safeguard that can't come out of asset-focused analysis.
• There are never enough budget dollars; following a strictly risk-driven prioritization scheme would leave many systems with no protection.

Kahneman & Tversky 1979: Prospect Theory

Choice 1: an 80% chance of winning $4,000 (20% chance of winning nothing), or a 100% chance of receiving $3,000.
80% choose the $3,000 certainty (risk averse).

Choice 2: an 80% chance of losing $4,000 (20% chance of breaking even), or a 100% chance of losing $3,000.
Now 92% choose the gamble!

When the choice involves gains we are risk averse; when the choice involves losses we are risk seekers.

Failure of Invariance

Subjects were asked to imagine that a rare disease is breaking out in some community and is expected to kill 600 people. Two different programs are available to deal with the threat.
Program A: 200 people will be saved.
Program B: a 33% chance that everyone will be saved, a 67% chance that no one will be saved.
72% choose Program A, the risk-averse answer.

Failure of Invariance

The same outbreak, with the programs framed as deaths rather than lives saved:
Program C: 400 of the 600 will die.
Program D: a 67% chance that everyone will die, a 33% chance that no one will die.
78% choose Program D, the risk-seeking answer.
According to Tversky, the major driving force is "loss aversion": people hate losing.
Failure of Invariance

The dilemma for risk management is that "preferences can be manipulated by changes in the reference points."

Final Issue

Should the manager who benefits from the project make the risk decision?

A Framework for Information Security

Origins of Security Requirements

Regulations: international and federal laws, court cases
Legal constructs: due care and due diligence
Standards (industry and professional constructs): ISO 17799, GASSP, auditing standards (CobIT), internal control standards
Global company policy
Customer expectations
Threats and risk assessments
  → Information Security Policy
    → Local implementation practices
      → Procedures

GAISP (Generally Accepted Information Security Principles)

Generally Accepted Information Security Principles incorporate the consensus, at a particular time, as to the principles, standards, conventions, and mechanisms that information security practitioners should employ, that information processing products should provide, and that information owners should acknowledge to ensure the security of information and information systems.

Pervasive Principles: few in number, fundamental in nature, and rarely changing, they provide general guidance to establish and maintain the security of information. These principles form the basis of the Broad Functional Principles and Detailed Principles. Security of information is achieved through the preservation of appropriate confidentiality, integrity, and availability.
Broad Functional Principles: subordinate to one or more Pervasive Principles, more numerous and specific, they provide guidance for the operational accomplishment of the Pervasive Principles and guide the development of the more Detailed Principles, changing only when reflecting major developments in technology or other affecting issues.

Detailed Principles: subordinate to one or more of the Broad Functional Principles, numerous, specific, emergent, and changing frequently as technology and other affecting issues evolve.

Integrity: preservation of accuracy and completeness.

GASSP - 2

Pervasive Principles are founded on the Guidelines for Security of Information Systems, developed by the Information, Computer and Communications Policy (ICCP) Committee and endorsed and published by the Organization for Economic Cooperation and Development (OECD).

Pervasive Principles:
• Accountability
• Awareness
• Ethics
• Multidisciplinary
• Proportionality
• Integration
• Timeliness
• Assessment
• Equity

Broad Functional Principles:
• Information Security Policy
• Education and Awareness
• Accountability
• Information Management
• Environmental Management
• Personnel Qualifications
• System Integrity
• Information Systems Life Cycle
• Access Control
• Operational Continuity and Contingency Planning
• Information Risk Management
• Network and Infrastructure Security
• Legal, Regulatory, and Contractual Requirements
• Ethical Practices

ISO 17799

Comprehensive guidance on a range of controls for implementing information security, divided into 10 sections:
• Security Policy
• Security Organization
• Asset Classification and Control
• Personnel Security
• Physical Security
• Communications and Operations Management
• Access Control
• System Development & Maintenance
• Business Continuity
• Compliance

CobIT (Control Objectives for Information and related Technologies)

Phased control objectives for IT
governance, developed by ISACA (the Information Systems Audit and Control Association), in four domains:
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring

COSO (Committee of Sponsoring Organizations of the Treadway Commission): five components of internal control
• Control Environment
• Risk Assessment
• Control Activities
• Information & Communication
• Monitoring

Baseline Method

• Determine critical applications and information
• Use a set of control objectives such as CobIT or an accepted security standard such as ISO 17799
• Perform a gap analysis
• Determine a minimum baseline from the above set that all applications and information must meet
• Analyze specific risks, using the above set, related to the critical applications and information
• Select appropriate safeguards to address the risks
• Evaluate the effectiveness of the design
• Adjust the design
• Implement the safeguards
• Evaluate the effectiveness of the implementation
• Adjust the implementation

Leverages security and audit standards. Uses risk analysis for safeguards above the baseline. Uses Deming-Shewhart (PDCA) to continuously improve.
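An added example, written by the editor rather than taken from the deck, for the Strategic Issues slide's warning that a strictly risk-driven budget leaves systems unprotected and for the Baseline Method's answer to it (baseline for every asset, risk analysis only above the baseline). It runs the gap analysis and both funding orders over one constructed register under one fixed budget. The control identifiers, asset names, costs, ALE figures and the assumption that a baseline control removes 25% of an asset's ALE are all invented for the example; they are not ISO 17799 or CobIT control numbers.

```python
"""Safeguard selection under a fixed budget: strictly risk-driven versus
baseline-first. Every identifier, cost and ALE figure below is constructed."""

# Minimum baseline every asset must meet (constructed control IDs).
BASELINE = ("AC-password-policy", "OPS-patching", "OPS-backup", "OPS-antivirus")
BASELINE_COST = 2_000     # assumed annual cost of one baseline control on one asset
BASELINE_EFFECT = 0.25    # assumed: each baseline control removes 25% of the asset's ALE

# asset -> (critical?, controls already in place, ALE if nothing more is done)
ASSETS = {
    "payroll":       (True,  {"OPS-backup"},                                          90_000),
    "web-shop":      (True,  {"AC-password-policy", "OPS-patching", "OPS-antivirus"}, 150_000),
    "intranet-wiki": (False, {"OPS-antivirus"},                                       4_000),
    "print-server":  (False, set(),                                                   1_000),
}

# Above-baseline safeguards the risk analysis proposed for the critical assets:
# asset -> [(control, annual cost, ALE reduction)]
RISK_SAFEGUARDS = {
    "payroll":  [("CRYPTO-db-encryption", 20_000, 60_000)],
    "web-shop": [("APP-waf", 15_000, 80_000), ("APP-pentest", 10_000, 30_000)],
}


def gap(asset):
    """Baseline controls the asset is missing, in baseline order."""
    _, implemented, _ = ASSETS[asset]
    return [c for c in BASELINE if c not in implemented]


def candidates():
    """Every fundable (asset, control, annual cost, ALE reduction)."""
    out = []
    for asset, (_, _, ale) in ASSETS.items():
        for c in gap(asset):
            out.append((asset, c, BASELINE_COST, BASELINE_EFFECT * ale))
        for c, cost, reduction in RISK_SAFEGUARDS.get(asset, []):
            out.append((asset, c, cost, reduction))
    return out


def fund(ordered, budget):
    """Greedy purchase in the order given: buy each candidate that still fits."""
    plan = {a: [] for a in ASSETS}
    spent = 0
    for asset, c, cost, _ in ordered:
        if spent + cost <= budget:
            plan[asset].append(c)
            spent += cost
    return plan, spent


def risk_driven_plan(budget):
    """Strictly risk driven: largest ALE reduction first, baseline or not."""
    ordered = sorted(candidates(), key=lambda x: (-x[3], x[2]))
    return fund(ordered, budget)


def baseline_first_plan(budget):
    """Close every asset's baseline gap first; spend what is left on the
    risk-selected safeguards, largest ALE reduction first."""
    base = [x for x in candidates() if x[1] in BASELINE]
    extra = sorted((x for x in candidates() if x[1] not in BASELINE),
                   key=lambda x: (-x[3], x[2]))
    return fund(base + extra, budget)


def unprotected(plan):
    """Assets that end the year with no funded control at all."""
    return sorted(a for a, cs in plan.items() if not cs)


def ale_reduction(plan):
    reduction = {(a, c): r for a, c, _, r in candidates()}
    return sum(reduction[(a, c)] for a, cs in plan.items() for c in cs)


if __name__ == "__main__":
    for label, choose in (("risk-driven", risk_driven_plan), ("baseline-first", baseline_first_plan)):
        plan, spent = choose(30_000)
        print(f"{label:15s} spent={spent:>6} ALE reduction={ale_reduction(plan):>8,.0f} "
              f"unprotected={unprotected(plan)} plan={plan}")
```

With a 30,000 budget the risk-driven order buys more ALE reduction (170,000 against 109,000) but leaves the wiki and the print server with nothing, which is exactly the exposure the Strategic Issues slide describes; the baseline-first order funds the eleven missing baseline controls on all four assets and has no money left for the above-baseline safeguards, so the next step in practice is to take the unfunded risk-selected items back to the budget holder rather than to quietly drop the baseline.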