Rapid Risk Assessment

1
www.anitian.com | info@anitian.com
SECURITY:ServicesSolutionsSupport
RAPID RISK ASSESSMENT
A NEW APPROACH TO IT RISK MANAGEMENT
Biography
• Andrew Plato, CISSP, CISM, QSA
• President / CEO – Anitian Enterprise Security
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in‐line IPS engine (BlackICE)
• Championed movement toward practical, pragmatic
information security solutions

2
Anitian Overview
• Compliance PCI, NERC, HIPAA, FFIEC
• Services Penetration testing, web application testing,
code review, incident response, risk
assessment
• Technologies UTM/NGFW, IPS, SIEM, MDM
• Support Managed security, staff augmentation
• Leadership Industry analysis, CIO advisory services
Why Anitian?
• Anitian is the only security firm…
• Focused on practical, pragmatic information security
• Able to deliver compliance quickly & affordably
• That does not push products
• Who rejects using fear to sell
• Dedicates research efforts to benefit our clients, not our
press‐releases
• Implements business‐friendly security
• Remains honest and independent

3
Presentation Outline
• The Risk Assessment Environment
• Failure of Current Risk Assessment Practices
• Preparing for a Rapid Risk Assessment
• The Rapid Risk Assessment Process
THE RISK ASSESSMENT
ENVIRONMENT
Rapid Risk Assessment

4
What is Risk Assessment?
• Systematic and objective determination of the seriousness of
threats.
• Good risk assessment aims to:
• Identify the threats that affect an entity (company, network,
systems, application, etc.)
• Qualify and quantify those threats
• Craft reasonable remedies to reduce, eliminate, accept or
transfer the risk
• Help protect the business/organization and its assets
• Empower leadership to make sensible investments in
security controls and processes
Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces need for risk assessment
• Assessment to define risk management program (which in
turn defines the controls that meet the standard)
• Breach notification now require risk analysis of any
suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
• Defines specific issues to analyze concerning authentication
• Reinforced the need for annual assessments
• Mandated assessments on banking applications
• Outlined requirements to reperform assessments when
there are changes

5
Increased Scrutiny
• From HIPAA Omnibus:
“…we expect these risk assessments to be thorough, completed
in good faith, and for the conclusions reached to be
reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?
THE FAILURE OF CURRENT RISK
ASSESSMENT PRACTICES

6
Something Is Not Right Here
• Companies were consistently complaining about their IT risk
assessments:
• “Why does this take so long?”
• “This is just a paperwork exercise”
• “What am I supposed to do with this?”
• “Where are the problems?
• “How do I fix the problems?”
• “Are we in danger?”
• “What do all these numbers, charts and worksheets mean?”
• “This is just a meaningless regulatory requirement!”
• We were not the only ones…
Practitioners are Questioning Risk Assessment
Source: http://www.networkworld.com/news/tech/2012/101512‐risk‐management‐
263379.html

7
With Mixed Results
For any risk management method
… we must ask …“How do we know
it works?” If we can’t answer that
question, then our most important
risk management strategy should
be to find a way to answer it and
adopt a risk assessment and risk
mitigation method that does work.
Hubbard, Douglas W. (2009‐04‐06). The Failure
of Risk Management: Why It's Broken and How
to Fix It. John Wiley and Sons. Kindle Edition.
The Problem
• Current practices are…
• Slow
• Complex
• Incomprehensible to management
• Fail to provide clear actionable steps to reduce risk
• Why?

8
Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork
exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation
Activities:
Implementing defined evaluation activities helps to
institutionalize the evaluation process in the organization,
ensuring some level of consistency in the application of the
process. It also provides a basis upon which the activities can be
tailored to fit the needs of a particular business line or group.
The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its
use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• Its impossible to establish true value for IT asset
• Misleading, creates a false sense of accuracy
• Creates a false scale that does not translate into real‐world
thinking

9
Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90‐180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
• Spending a year on a risk assessment is too long
• A good enterprise risk assessment should be done in under 30
days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions, it’s an
assessment from a single person or group that understands risk
Probability Can Be Flawed
• On a long enough time line, the survival rate for everybody
drops to zero. Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability
fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting

10
Lack of Evidence
• Risk assessment methodologies focus heavily on process, and
very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled,
rational manner
• Without testing, the entire analysis is one‐sided
• Testing can cut through conjecture and prove (or disprove) the
severity of a threat
The Challenge
• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a
fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is
paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
• More accurate
• More responsive to business needs
• More actionable
• Quicker

11
PREPARATION
Features of Rapid Risk Assessment
• Aims to speed up the risk assessment process & make it more
useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in place of decisive action
• Explains risk in simple, business‐friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress

12
Rapid Risk Assessment Outline
• Prerequisites
• Advanced writing skills
• Hands on IT skills
• Authority
1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan
Prerequisite: Advanced Writing Skills
• No theories, no complex worksheets, no “risk management”
terms
• Simple, business language that states risk in plain, matter‐of‐
fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few
bullet points

13
Prerequisite: Hands‐on IT Skills
• Must have in‐depth understanding of IT operations
• Systems administration
• Network design, architecture, management
• Security analysis
• Application lifecycle management
• Database administration
• IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to
identify its weaknesses
Prerequisite: Authority
• Management must definitively endorse and support risk
assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to built credibility and authority through experience,
language, and engagement

14
THE PROCESS
#1 ‐ Establish Scope & Lens
• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
• Data types – customer, internal, security, etc.
• System – server, workstation, infrastructure
• Application – user, customer, financial, etc.
• Lens creates the context for analysis.
• It helps focus the effort

15
#2 ‐ Interview Stakeholders
• Develop a set of questions specific to the business role:
• IT custodians – technical questions
• Business process owners – criticality & usage
• Define value in context of the entire business using simple
terms: critical, high, medium, low, none
• Focus on current state
• Be careful with “forward looking” data – chasing a moving
target
• Catalog results
#3 – Test the Environment
• Vulnerability scans of all in‐scope systems, apps or locations of
data
• Conduct penetration tests
• Web application testing
• Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings,
ideas, theories, or personal interpretations
• This is where hands‐on IT experience is a must

16
#4 – Define Threats & Correlate Data
• Organize threats into simplified categories
• Technical – threat to systems, hardware, applications, etc.
• Operational – threats that affect practices, procedures, or
business functions
• Relational – threat to a relationship between groups, people
or third parties
• Physical – threats to facilities, offices, etc.
• Reputational (optional) – threats to the organization’s
reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple
Threat Samples
• Good Threat Definitions
• Theft of confidential data
• Malware infection
• Denial of service attack
• Theft of sensitive authentication data
• Bad Threat Definitions
• Lack of alignment to organizational policies with guidelines
set forth by the security committee means staff is not
properly implementing security controls.
• Use of telnet among staff is threatening PCI compliance
requirements.
• Missing patches on systems

17
#5 ‐ Define Probability & Impact Scale
Probability
Impact
Metric Description
Certain <95% likelihood of occurrence within the next 12 months.
High 50‐95% likelihood of occurrence within the next 12 months.
Medium 20‐49% likelihood of occurrence within the next 12 months.
Low 1‐20% likelihood of occurrence within the next 12 months.
Negligible >1% likelihood of occurrence within the next 12 months.
Metric Description
Critical Catastrophic effect on the Data Asset.
High Serious impact on the Data Asset's functionality.
Medium Threat may cause some intermittent impact on the Data Asset, but would
not lead to extended problems.
Low Impact on the Data Asset is small and limited. Would not cause any
disruption in core functions.
Negligible Data Asset remains functional for the business with no noticeable slowness
or downtime.
#6 ‐ Document Risks
• Condense, simplify and focus on the problem
• Threat – How the asset is at risk
• Vulnerabilities – The vulnerabilities relevant to the risk
• Recommendation – Tangible actions to remediate the risk
• Impact – Simplified 5 point score (critical, high, medium, low,
none)
• Probability – Simplified 5 point score (certain, high, medium,
low, negligible)
• Risk – Simplified product of Impact * Probability (critical, high,
medium, low, negligible)

18
Documentation Sample
Threat Vulnerabilities Recommendation
Impact
Probability
Risk
Malware
infection
 Outdated anti‐
virus
 Lack of anti‐
virus on 36% of
servers
 32 high ranked
vulnerabilities
on in‐scope
systems
 Lack of virus
scanning at the
network layer
 Endpoint antivirus must be installed on all hosts.
 All endpoint antivirus must be updated daily
 All systems must have new patches applied within
30 days of release.
 Company must deploy a more robust patch
management platform.
 Implement a core firewall that can perform virus
scanning at the network layer.
H C H
Online Version Using Allgress

19
#7 – Develop an Action Plan
• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
• GOOD: Implement third party patch management. IBM BigFix,
Dell Kace, and GFI Languard are all viable products to consider.
Require solution to patch all systems within 30 days of a new
patch.
• BAD: IT management procedures need updating to align with
best practices.
Don’t
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension

20
Do
• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely
Thank You
EMAIL: info@anitian.com for a
copy of the presentation
WEB: www.anitian.com
BLOG: blog.anitian.com
CONTACT: Andrew Plato, CISSP, CISM, QSA
President / CEO
andrew.plato@anitian.com
888‐ANITIAN

Rapid Risk Assessment

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (6)

Similar to Rapid Risk Assessment

Similar to Rapid Risk Assessment (20)

More from InnoTech

More from InnoTech (20)

Recently uploaded

Recently uploaded (20)

Rapid Risk Assessment