Risk Management

information security

Uploaded by sumrun sahab

IT Security Management - Risk Assessment

Overview

 security requirements means asking
 what assets do we need to protect?
 how are those assets threatened?
 what can we do to counter those threats?
 IT security management answers these
 determining security objectives and risk profile
 perform security risk assessment of assets
 select, implement, monitor controls
IT Security Management

 IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include:
 organizational IT security objectives, strategies and policies
 determining organizational IT security requirements
 identifying and analyzing security threats to IT assets
 identifying and analyzing risks
 specifying appropriate safeguards
 monitoring the implementation and operation of safeguards
 developing and implementing a security awareness program
 detecting and reacting to incidents
ISO 27000 Security Standards

ISO27000: a proposed standard which will define the vocabulary and definitions used in the 27000 family of standards.

ISO27001: defines the information security management system specification and requirements against which organizations are formally certified. It replaces the older Australian and British national standards AS7799.2 and BS7799.2.

ISO27002 (ISO17799): currently published and better known as ISO17799, this standard specifies a code of practice detailing a comprehensive set of information security control objectives and a menu of best-practice security controls. It replaces the older Australian and British national standards AS7799.1 and BS7799.1.

ISO27003: a proposed standard containing implementation guidance on the use of the 27000 series of standards following the “Plan-Do-Check-Act” process quality cycle. Publication is proposed for late 2008.

ISO27004: a draft standard on information security management measurement to help organizations measure and report the effectiveness of their information security management systems. It will address both the security management processes and controls. Publication is proposed for 2007.

ISO27005: a proposed standard on information security risk management. It will replace the recently released British national standard BS7799.3. Publication is proposed for 2008/9.

ISO13335: provides guidance on the management of IT security. This standard comprises a number of parts. Part 1 defines concepts and models for information and communications technology security management. Part 2, currently in draft, will provide operational guidance on ICT security. These replace the older series of 5 technical reports ISO/IEC TR 13335 parts 1-5.
IT Security Management Process
Security Risk Assessment

 critical component of process
 else may have vulnerabilities or waste money
 ideally examine every asset vs risk
 not feasible in practice
 choose one of possible alternatives based on organization’s resources and risk profile
 baseline
 informal
 formal
 combined
Baseline Approach
 use “industry best practice”
 easy, cheap, can be replicated
 but gives no special consideration to org
 may give too much or too little security
 implement safeguards against most common threats
 baseline recommendations and checklist documents available from various
bodies
 alone only suitable for small organizations
Informal Approach
 conduct informal, pragmatic risk analysis on organization’s IT systems
 exploits knowledge and expertise of analyst
 fairly quick and cheap
 does address some org specific issues
 some risks may be incorrectly assessed
 skewed by analysts’ views, varies over time
 suitable for small to medium sized orgs
Detailed Risk Analysis

 most comprehensive alternative
 assess using formal structured process
 with a number of stages
 identify likelihood of risk and consequences
 hence have confidence controls appropriate
 costly and slow, requires expert analysts
 may be a legal requirement to use
 suitable for large organizations with IT systems critical to their business objectives
Combined Approach
 combines elements of other approaches
 initial baseline on all systems
 informal analysis to identify critical risks
 formal assessment on these systems
 iterated and extended over time
 better use of time and money resources
 better security earlier that evolves
 may miss some risks early
 recommended alternative for most orgs
Detailed Risk Analysis Process

Terminology

asset: anything that has value to the organization

threat: a potential cause of an unwanted incident which may result in harm to a system or organization

vulnerability: a weakness in an asset or group of assets which can be exploited by a threat

risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets.
Asset Identification
 identify assets
 “anything which needs to be protected”
 of value to organization to meet its objectives
 tangible or intangible
 in practice try to identify significant assets
 draw on expertise of people in relevant areas of organization to identify
key assets
 identify and interview such personnel
 see checklists in various standards
Threat Identification
 to identify threats or risks to assets ask
 who or what could cause it harm?
 how could this occur?
 threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:
 confidentiality, integrity, availability, accountability, authenticity and reliability
 assets may have multiple threats
Threat Sources

 threats may be
 natural “acts of god”
 man-made and either accidental or deliberate
 should consider human attackers
 motivation
 capability
 resources
 probability of attack
 deterrence
 any previous history of attack on org
Threat Identification
 depends on risk assessor’s experience
 uses variety of sources
 natural threat chance from insurance stats
 lists of potential threats in standards, IT security surveys, info from governments
 tailored to organization’s environment
 and any vulnerabilities in its IT systems
Vulnerability Identification

 identify exploitable flaws or weaknesses in organization’s IT systems or processes
 hence determine applicability and significance of threat to organization
 need combination of threat and vulnerability to create a risk to an asset
 again can use lists of potential vulnerabilities in standards etc
Introduction to Risk Assessment

 The goal is to create a method to evaluate the relative risk of each listed vulnerability
 It is not the presence of a vulnerability that matters but the associated risk
 Simple model – risk R, probability of risk event P and value lost by risk event V satisfy R = PV

Figure 8-3 Risk identification estimate factors

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning
Analyze Risks

 specify likelihood of occurrence of each identified threat to asset given existing controls
 management, operational, technical processes and procedures to reduce exposure of org to some risks
 specify consequence should threat occur
 hence derive overall risk rating for each threat
Risk = probability threat occurs x cost to organization
 in practice very hard to determine exactly, so use qualitative rather than quantitative ratings for each; the aim is to order the resulting risks so they can be treated in priority order
More complex model

 Extended risk formula
R = Pa Ps V
 where Pa = probability of attack,
Ps = probability that the attack successfully exploits the vulnerability,
V = value lost by successful exploitation of the vulnerability

Another formula

 Extended Whitman’s Risk Formula
R = P*V*(1 – CC + UK)
where P = probability that a vulnerability is exploited,
V = value of asset,
CC = fraction of risk mitigated by current control,
UK = fraction of risk not fully known (uncertainty of knowledge)
In words…

Uncertainty: impossible to know everything about every vulnerability
The degree to which a current control can reduce risk is also subject to estimation error
Uncertainty is estimated by the manager using judgment/experience

Figure 8-3 Risk identification estimate factors
Risk Determination Example
 Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate
 Asset B has a value of 100 and has two vulnerabilities: vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk; vulnerability #3 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate
 The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
 Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
 Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%
 Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0% + 20%
Documenting the Results of Risk Assessment
 Goals of the risk management process
 To identify information assets and their vulnerabilities
 To rank them according to the need for protection
 In preparing this list, a wealth of factual information about the assets and the threats they face is collected
 Information about the controls that are already in place is also collected
 The final summarized document is the ranked vulnerability risk worksheet
Determine Likelihood

Rating / Likelihood Description / Expanded Definition
1 Rare: May occur only in exceptional circumstances and may be deemed as “unlucky” or very unlikely.
2 Unlikely: Could occur at some time but not expected given current controls, circumstances, and recent events.
3 Possible: Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences.
4 Likely: Will probably occur in some circumstance and one should not be surprised if it occurred.
5 Almost Certain: Is expected to occur in most circumstances and certainly sooner or later.
Determine Consequence

Rating / Consequence / Expanded Definition
1 Insignificant: Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2 Minor: Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3 Moderate: Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4 Major: Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a one-off.
5 Catastrophic: Major systemic security breach. Impact will last for 3 months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6 Doomsday: Multiple instances of major systemic security breaches. Impact duration cannot be determined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management are expected, and substantial loss of business and failure to meet organizational objectives is unavoidable.
Determine Resultant Risk

Likelihood      |                    Consequences
                | Doomsday  Catastrophic  Major  Moderate  Minor  Insignificant
Almost Certain  |    E          E           E       E        H         H
Likely          |    E          E           E       H        H         M
Possible        |    E          E           E       H        M         L
Unlikely        |    E          E           H       M        L         L
Rare            |    E          H           H       M        L         L

Risk Level / Description

Extreme (E): Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk is expected, with costs possibly exceeding original forecasts.
High (H): Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls is likely to be met from within existing resources.
Medium (M): Can be managed by existing specific monitoring and response procedures. Management by employees is suitable with appropriate monitoring and reviews.
Low (L): Can be managed through routine procedures.
Document in Risk Register and Evaluate Risks

Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Risk Priority
Internet Router | Outside hacker attack | Admin password only | Possible | Moderate | High | 1
Destruction of Data Center | Accidental fire or flood | None (no disaster recovery plan) | Unlikely | Major | High | 2
Risk Treatment Alternatives

 risk acceptance: accept risk (perhaps because of excessive cost of risk treatment)
 risk avoidance: do not proceed with the activity that causes the risk (loss of convenience)
 risk transfer: buy insurance; outsource
 reduce consequence: modify the uses of an asset to reduce risk impact (e.g., offsite backup)
 reduce likelihood: implement suitable controls
Case Study: Silver Star Mines

 fictional operation of a global mining company with a large IT infrastructure
 both common and specific software
 some directly relates to health & safety
 formerly isolated systems now networked
 decided on combined approach
 mining industry at less risky end of spectrum
 management accepts moderate or low risk
Assets

 reliability and integrity of SCADA nodes and net
 integrity of stored file and database information
 availability, integrity of financial system
 availability, integrity of procurement system
 availability, integrity of maintenance/production system
 availability, integrity and confidentiality of mail services
Threats & Vulnerabilities

 unauthorized modification of control system
 corruption, theft, loss of info
 attacks/errors affecting procurement system
 attacks/errors affecting financial system
 attacks/errors affecting mail system
 attacks/errors affecting maintenance/production system
Risk Register

Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Priority
Reliability and integrity of the SCADA nodes and network | Unauthorized modification of control system | layered firewalls & servers | Rare | Major | High | 1
Integrity of stored file and database information | Corruption, theft, loss of info | firewall, policies | Possible | Major | Extreme | 2
Availability and integrity of Financial System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 3
Availability and integrity of Procurement System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 4
Availability and integrity of Maintenance/Production System | Attacks/errors affecting system | firewall, policies | Possible | Minor | Medium | 5
Availability, integrity and confidentiality of mail services | Attacks/errors affecting system | firewall, ext mail gateway | Almost Certain | Minor | High | 6
Summary
 detailed the need to perform risk assessment as part of IT security management process
 relevant security standards
 presented risk assessment alternatives
 detailed risk assessment process involves
 context including asset identification
 identify threats, vulnerabilities, risks
 analyse and evaluate risks
 Silver Star Mines case study
