SECURITY:ServicesSolutionsSupport

RAPID RISK ASSESSMENT
A NEW APPROACH TO IT RISK MANAGEMENT

Biography

• Andrew Plato, CISSP, CISM, QSA
• President / CEO – Anitian Enterprise Security
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection attack tactic in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Championed movement toward practical, pragmatic information security solutions

Anitian Overview

• Compliance – PCI, NERC, HIPAA, FFIEC
• Services – Penetration testing, web application testing, code review, incident response, risk assessment
• Technologies – UTM/NGFW, IPS, SIEM, MDM
• Support – Managed security, staff augmentation
• Leadership – Industry analysis, CIO advisory services

Why Anitian?

• Anitian is the only security firm…
  • Focused on practical, pragmatic information security
  • Able to deliver compliance quickly & affordably
  • That does not push products
  • Who rejects using fear to sell
  • Dedicates research efforts to benefit our clients, not our press-releases
  • Implements business-friendly security
  • Remains honest and independent

Presentation Outline

• The Risk Assessment Environment
• Failure of Current Risk Assessment Practices
• Preparing for a Rapid Risk Assessment
• The Rapid Risk Assessment Process

THE RISK ASSESSMENT ENVIRONMENT
Rapid Risk Assessment

What is Risk Assessment?

• Systematic and objective determination of the seriousness of threats.
• Good risk assessment aims to:
  • Identify the threats that affect an entity (company, network, systems, application, etc.)
  • Qualify and quantify those threats
  • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible investments in security controls and processes

Increasing Emphasis on Risk Assessment

• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces need for risk assessment
  • Assessment to define risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to reperform assessments when there are changes

Increased Scrutiny

• From HIPAA Omnibus:
  “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis

• So what’s the problem?

THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES
Rapid Risk Assessment

Something Is Not Right Here

• Companies were consistently complaining about their IT risk assessments:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…

Practitioners are Questioning Risk Assessment

Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html

With Mixed Results

For any risk management method … we must ask … “How do we know it works?” If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.

Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.

The Problem

• Current practices are…
  • Slow
  • Complex
  • Incomprehensible to management
  • Fail to provide clear actionable steps to reduce risk
• Why?

Arcane Language

• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:

Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.

The Fallacy of Numbers

• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish true value for an IT asset
  • Misleading, creates a false sense of accuracy
  • Creates a false scale that does not translate into real-world thinking

Time Consuming

• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
  • Spending a year on a risk assessment is too long
  • A good enterprise risk assessment should be done in under 30 days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions, it’s an assessment from a single person or group that understands risk

Probability Can Be Flawed

• On a long enough time line, the survival rate for everybody drops to zero. – Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting

Lack of Evidence

• Risk assessment methodologies focus heavily on process, and very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled, rational manner
• Without testing, the entire analysis is one-sided
• Testing can cut through conjecture and prove (or disprove) the severity of a threat

The Challenge

• Risk assessment needs to be more useful.
• How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
• Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker

PREPARATION
Rapid Risk Assessment

Features of Rapid Risk Assessment

• Aims to speed up the risk assessment process & make it more useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in place of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress

Rapid Risk Assessment Outline

• Prerequisites
  • Advanced writing skills
  • Hands-on IT skills
  • Authority

1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan

Prerequisite: Advanced Writing Skills

• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few bullet points

Prerequisite: Hands-on IT Skills

• Must have in-depth understanding of IT operations
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses

Prerequisite: Authority

• Management must definitively endorse and support risk assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement

THE PROCESS
Rapid Risk Assessment

#1 - Establish Scope & Lens

• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
  • Data types – customer, internal, security, etc.
  • System – server, workstation, infrastructure
  • Application – user, customer, financial, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension

#2 - Interview Stakeholders

• Develop a set of questions specific to the business role:
  • IT custodians – technical questions
  • Business process owners – criticality & usage
• Define value in context of the entire business using simple terms: critical, high, medium, low, none
• Focus on current state
  • Be careful with “forward looking” data – chasing a moving target
• Catalog results

#3 – Test the Environment

• Vulnerability scans of all in-scope systems, apps or locations of data
• Conduct penetration tests
  • Web application testing
  • Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must

#4 – Define Threats & Correlate Data

• Organize threats into simplified categories
  • Technical – threat to systems, hardware, applications, etc.
  • Operational – threats that affect practices, procedures, or business functions
  • Relational – threat to a relationship between groups, people or third parties
  • Physical – threats to facilities, offices, etc.
  • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple

Threat Samples

• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • Use of telnet among staff is threatening PCI compliance requirements.
  • Missing patches on systems

#5 - Define Probability & Impact Scale

Probability

Metric – Description
Certain – >95% likelihood of occurrence within the next 12 months.
High – 50-95% likelihood of occurrence within the next 12 months.
Medium – 20-49% likelihood of occurrence within the next 12 months.
Low – 1-20% likelihood of occurrence within the next 12 months.
Negligible – <1% likelihood of occurrence within the next 12 months.

Impact

Metric – Description
Critical – Catastrophic effect on the Data Asset.
High – Serious impact on the Data Asset's functionality.
Medium – Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
Low – Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
Negligible – Data Asset remains functional for the business with no noticeable slowness or downtime.

#6 - Document Risks

• Condense, simplify and focus on the problem
  • Threat – How the asset is at risk
  • Vulnerabilities – The vulnerabilities relevant to the risk
  • Recommendation – Tangible actions to remediate the risk
  • Impact – Simplified 5 point score (critical, high, medium, low, none)
  • Probability – Simplified 5 point score (certain, high, medium, low, negligible)
  • Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)

Documentation Sample

Threat: Malware infection

Vulnerabilities:
• Outdated anti-virus
• Lack of anti-virus on 36% of servers
• 32 high ranked vulnerabilities on in-scope systems
• Lack of virus scanning at the network layer

Recommendation:
• Endpoint antivirus must be installed on all hosts.
• All endpoint antivirus must be updated daily.
• All systems must have new patches applied within 30 days of release.
• Company must deploy a more robust patch management platform.
• Implement a core firewall that can perform virus scanning at the network layer.

Impact: H
Probability: C
Risk: H

Online Version Using Allgress

#7 – Develop an Action Plan

• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
  • GOOD: Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.
  • BAD: IT management procedures need updating to align with best practices.

Don’t

• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension

Do

• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely

Thank You

EMAIL: andrew.plato@anitian.com
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: http://slidesha.re/11UaeFN

 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
CNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program ManagementCNIT 160 Ch 4b: Security Program Management
CNIT 160 Ch 4b: Security Program Management
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
 
The Keys to Unlocking Safety Culture
The Keys to Unlocking Safety CultureThe Keys to Unlocking Safety Culture
The Keys to Unlocking Safety Culture
 
2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory2015 ISACA NACACS - Audit as Controls Factory
2015 ISACA NACACS - Audit as Controls Factory
 
SDLC & DevSecOps
SDLC & DevSecOpsSDLC & DevSecOps
SDLC & DevSecOps
 
Gain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls MonitoringGain business insight with Continuous Controls Monitoring
Gain business insight with Continuous Controls Monitoring
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 

Más de EnergySec

Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
EnergySec
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
EnergySec
 

Más de EnergySec (20)

Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber DefenseGary Leatherman - A Holistic Approach for Reimagining Cyber Defense
Gary Leatherman - A Holistic Approach for Reimagining Cyber Defense
 
Slide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and MitigationsSlide Griffin - Practical Attacks and Mitigations
Slide Griffin - Practical Attacks and Mitigations
 
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
Patrick Miller - Tackling Tomorrow's Biggest Cybersecurity Problems with Real...
 
Jack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, AnecdotallyJack Whitsitt - Yours, Anecdotally
Jack Whitsitt - Yours, Anecdotally
 
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
Steve Parker - The Internet of Everything: Cyber-defense in an Age of Ubiquit...
 
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber SecurityDaniel Lance - What "You've Got Mail" Taught Me About Cyber Security
Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security
 
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change ManagementLessons Learned For NERC CIPv5 Compliance & Configuration Change Management
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management
 
Explore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWsExplore the Implicit Requirements of the NERC CIP RSAWs
Explore the Implicit Requirements of the NERC CIP RSAWs
 
Wireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of ReachWireless Sensor Networks: Nothing is Out of Reach
Wireless Sensor Networks: Nothing is Out of Reach
 
Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!Please, Come and Hack my SCADA System!
Please, Come and Hack my SCADA System!
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s RoleNERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role
 
Industrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With ScissorsIndustrial Technology Trajectory: Running With Scissors
Industrial Technology Trajectory: Running With Scissors
 
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A...
 
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
 
Where Cyber Security Meets Operational Value
Where Cyber Security Meets Operational ValueWhere Cyber Security Meets Operational Value
Where Cyber Security Meets Operational Value
 
Where Are All The ICS Attacks?
Where Are All The ICS Attacks?Where Are All The ICS Attacks?
Where Are All The ICS Attacks?
 
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
SAP’s Utilities Roadmap Overview, The Evolution of Regulatory Compliance and ...
 
Industry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working TogetherIndustry Reliability and Security Standards Working Together
Industry Reliability and Security Standards Working Together
 
What the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each OtherWhat the Department of Defense and Energy Sector Can Learn from Each Other
What the Department of Defense and Energy Sector Can Learn from Each Other
 

Último

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Último (20)

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Rapid Risk Assessment: A New Approach to Risk Management

  • 1. SECURITY:ServicesSolutionsSupport. RAPID RISK ASSESSMENT: A NEW APPROACH TO IT RISK MANAGEMENT
  • 2. Biography
    • Andrew Plato, CISSP, CISM, QSA
    • President / CEO – Anitian Enterprise Security
    • 20 years of experience in IT & security
    • Completed thousands of security assessments & projects
    • Discovered SQL injection attack tactic in 1995
    • Helped develop first in-line IPS engine (BlackICE)
    • Championed movement toward practical, pragmatic information security solutions
  • 3. Anitian Overview
    • Compliance: PCI, NERC, HIPAA, FFIEC
    • Services: Penetration testing, web application testing, code review, incident response, risk assessment
    • Technologies: UTM/NGFW, IPS, SIEM, MDM
    • Support: Managed security, staff augmentation
    • Leadership: Industry analysis, CIO advisory services
  • 4. Why Anitian?
    • Anitian is the only security firm…
      • Focused on practical, pragmatic information security
      • Able to deliver compliance quickly & affordably
      • That does not push products
      • Who rejects using fear to sell
      • Dedicates research efforts to benefit our clients, not our press-releases
      • Implements business-friendly security
      • Remains honest and independent
  • 5. Presentation Outline
    • The Risk Assessment Environment
    • Failure of Current Risk Assessment Practices
    • Preparing for a Rapid Risk Assessment
    • The Rapid Risk Assessment Process
  • 6. THE RISK ASSESSMENT ENVIRONMENT (Rapid Risk Assessment)
  • 7. What is Risk Assessment?
    • Systematic and objective determination of the seriousness of threats.
    • Good risk assessment aims to:
      • Identify the threats that affect an entity (company, network, systems, application, etc.)
      • Qualify and quantify those threats
      • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
      • Help protect the business/organization and its assets
      • Empower leadership to make sensible investments in security controls and processes
  • 8. Increasing Emphasis on Risk Assessment
    • Always been a PCI requirement (12.1.2)
    • HIPAA Omnibus reinforces need for risk assessment
      • Assessment to define risk management program (which in turn defines the controls that meet the standard)
      • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
    • FFIEC 2011 Supplement mandated new things to assess
      • Defines specific issues to analyze concerning authentication
      • Reinforced the need for annual assessments
      • Mandated assessments on banking applications
      • Outlined requirements to reperform assessments when there are changes
  • 9. Increased Scrutiny
    • From HIPAA Omnibus: "…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable."
    • Regulations are demanding more risk assessments
    • Regulators are shifting focus to look at risk assessments
    • Business leaders are demanding better risk analysis
    • So what's the problem?
  • 10. THE FAILURE OF CURRENT RISK ASSESSMENT PRACTICES (Rapid Risk Assessment)
  • 11. Something Is Not Right Here
    • Companies were consistently complaining about their IT risk assessments:
      • "Why does this take so long?"
      • "This is just a paperwork exercise"
      • "What am I supposed to do with this?"
      • "Where are the problems?"
      • "How do I fix the problems?"
      • "Are we in danger?"
      • "What do all these numbers, charts and worksheets mean?"
      • "This is just a meaningless regulatory requirement!"
    • We were not the only ones…
  • 12. Practitioners are Questioning Risk Assessment
    Source: http://www.networkworld.com/news/tech/2012/101512-risk-management-263379.html
  • 13. With Mixed Results
    "For any risk management method … we must ask … 'How do we know it works?' If we can't answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work."
    Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
  • 14. The Problem
    • Current practices are…
      • Slow
      • Complex
      • Incomprehensible to management
      • Fail to provide clear actionable steps to reduce risk
    • Why?
  • 15. Arcane Language
    • Language affects not only comprehension, but also acceptance
    • Overly complex, arcane language is inefficient and inaccessible
    • Risk management theories devolve into nitpicking paperwork exercises that nobody reads
    • Consider this definition from OCTAVE for Defined Evaluation Activities:
      "Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group."
  • 16. The Fallacy of Numbers
    • Using numbers does not make analysis more "true"
    • If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
    • Charts full of numbers may "feel" empirical, but they're not
    • It's impossible to establish true value for an IT asset
    • Misleading, creates a false sense of accuracy
    • Creates a false scale that does not translate into real-world thinking
  • 17. Time Consuming
    • IT risk is volatile, dynamic and has a short shelf life
    • Any risk assessment over 90-180 days old is stale
    • NIST, OCTAVE, FAIR are nice ideas, but too time consuming
      • Spending a year on a risk assessment is too long
      • A good enterprise risk assessment should be done in under 30 days
    • Documentation is time consuming
    • Risk assessment is not a consensus of opinions, it's an assessment from a single person or group that understands risk
  • 18. Probability Can Be Flawed
    • "On a long enough time line, the survival rate for everybody drops to zero." Jack, Fight Club, 1999
    • Lack of time context makes any assessment of probability fundamentally flawed.
    • Humans are naturally bad at assessing the probability of risks.
    • Fallacy of backtesting
  • 19. Lack of Evidence
    • Risk assessment methodologies focus heavily on process, and very little on evidence
    • Custodians and business process owners withhold information
    • The security of an environment can be tested in a controlled, rational manner
    • Without testing, the entire analysis is one-sided
    • Testing can cut through conjecture and prove (or disprove) the severity of a threat
  • 20. The Challenge
    • Risk assessment needs to be more useful.
    • How can this process produce tangible ways to reduce risk?
    • The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
    • Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
    • How do we improve risk assessment to make it:
      • More accurate
      • More responsive to business needs
      • More actionable
      • Quicker
  • 22. Features of Rapid Risk Assessment
    • Aims to speed up the risk assessment process & make it more useful to the business
    • Trades precision and some accuracy for efficiency and usability
    • Focuses on simplicity and clarity
    • Dismisses theory and conjecture in place of decisive action
    • Explains risk in simple, business-friendly terminology
    • Uses a set time frame for probability
    • Simplifies the assignment of value
    • Uses a "lens" that focuses and frames assessment effort
    • Establishes authority to make risk judgments
    • Leverages new technologies such as Allgress
  • 23. Rapid Risk Assessment Outline
    • Prerequisites
      • Advanced writing skills
      • Hands on IT skills
      • Authority
    1. Establish Scope & Lens
    2. Interview Stakeholders
    3. Test the Environment
    4. Define Threats & Correlate Data
    5. Define Probability & Impact Scale
    6. Document Risks
    7. Develop Action Plan
  • 24. Prerequisite: Advanced Writing Skills
    • No theories, no complex worksheets, no "risk management" terms
    • Simple, business language that states risk in a plain, matter-of-fact way
    • Establishes authority
    • States risk as it *is* without conjecture or indecisiveness
    • Active voice
    • Should be able to sum up the entire assessment effort in a few bullet points
  • 25. Prerequisite: Hands-on IT Skills
    • Must have in-depth understanding of IT operations
      • Systems administration
      • Network design, architecture, management
      • Security analysis
      • Application lifecycle management
      • Database administration
      • IT practices, procedures, policies development
    • Must know how an IT department runs, if you ever hope to identify its weaknesses
  • 26. Prerequisite: Authority
    • Management must definitively endorse and support risk assessment
    • Must have access to stakeholders
    • Ability to scan, test and evaluate technology
    • Authority to decisively analyze technologies
    • Ability to build credibility and authority through experience, language, and engagement
  • 28. #1 - Establish Scope & Lens
    • Scope – what assets are in scope (hopefully all of them)
    • Lens – how will you look at the assets?
      • Data types – customer, internal, security, etc.
      • System – server, workstation, infrastructure
      • Application – user, customer, financial, etc.
    • The Lens is what makes Rapid Risk Assessment work:
      • Provides a contextual framework for analyzing data
      • It helps focus the effort
      • It aids greatly in comprehension
  • 29. #2 - Interview Stakeholders
    • Develop a set of questions specific to the business role:
      • IT custodians – technical questions
      • Business process owners – criticality & usage
    • Define value in context of the entire business using simple terms: critical, high, medium, low, none
    • Focus on current state
      • Be careful with "forward looking" data – chasing a moving target
    • Catalog results
  • 30. #3 – Test the Environment
    • Vulnerability scans of all in-scope systems, apps or locations of data
    • Conduct penetration tests
      • Web application testing
      • Database testing
    • Configuration analysis (sample as needed)
    • AV / IPS / Firewall logs (sample and spot check)
    • Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
    • This is where hands-on IT experience is a must
  • 31. #4 – Define Threats & Correlate Data
    • Organize threats into simplified categories
      • Technical – threat to systems, hardware, applications, etc.
      • Operational – threats that affect practices, procedures, or business functions
      • Relational – threat to a relationship between groups, people or third parties
      • Physical – threats to facilities, offices, etc.
      • Reputational (optional) – threats to the organization's reputation, perception, or public opinion
    • Correlate threats to assessment data
    • Keep threats simple
  • 32. Threat Samples
    • Good Threat Definitions
      • Theft of confidential data
      • Malware infection
      • Denial of service attack
      • Theft of sensitive authentication data
    • Bad Threat Definitions
      • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
      • Use of telnet among staff is threatening PCI compliance requirements.
      • Missing patches on systems
  • 33. #5 - Define Probability & Impact Scale
    Probability (Metric: Description)
      • Certain: >95% likelihood of occurrence within the next 12 months.
      • High: 50-95% likelihood of occurrence within the next 12 months.
      • Medium: 20-49% likelihood of occurrence within the next 12 months.
      • Low: 1-20% likelihood of occurrence within the next 12 months.
      • Negligible: <1% likelihood of occurrence within the next 12 months.
    Impact (Metric: Description)
      • Critical: Catastrophic effect on the Data Asset.
      • High: Serious impact on the Data Asset's functionality.
      • Medium: Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
      • Low: Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
      • Negligible: Data Asset remains functional for the business with no noticeable slowness or downtime.
  • 34. #6 - Document Risks
    • Condense, simplify and focus on the problem
      • Threat – How the asset is at risk
      • Vulnerabilities – The vulnerabilities relevant to the risk
      • Recommendation – Tangible actions to remediate the risk
      • Impact – Simplified 5 point score (critical, high, medium, low, none)
      • Probability – Simplified 5 point score (certain, high, medium, low, negligible)
      • Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)
  • 35. Documentation Sample
    Threat: Malware infection
    Vulnerabilities:
      • Outdated anti-virus
      • Lack of anti-virus on 36% of servers
      • 32 high ranked vulnerabilities on in-scope systems
      • Lack of virus scanning at the network layer
    Recommendation:
      • Endpoint antivirus must be installed on all hosts.
      • All endpoint antivirus must be updated daily
      • All systems must have new patches applied within 30 days of release.
      • Company must deploy a more robust patch management platform.
      • Implement a core firewall that can perform virus scanning at the network layer.
    Impact: H. Probability: C. Risk: H
  • 37. #7 – Develop an Action Plan
    • Summarize all the recommendations into a single, prioritized list
    • Simplify into tangible tasks
      • GOOD: "Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch."
      • BAD: "IT management procedures need updating to align with best practices."
  • 38. Don't
    • Try to change the culture of the business
    • Let perfection become the enemy of good
    • Cite any kind of risk management theory – nobody cares
    • Use a lot of risk terminology
    • Say more than you need to
    • Document indecision
    • Add complexity when it offers no improvement in clarity
    • Use inaccessible matrices, worksheets, or process flows
    • Insert charts or graphs when they don't aid in comprehension
  • 39. Do
    • Use simple language. Plain English descriptions
    • Establish authority with experience, language, and presence
    • Simplify, condense, clarify
    • Identify tangible, actionable recommendations
    • Help management make decisions about risk
    • Focus on the likely
  • 40. Thank You
    EMAIL: andrew.plato@anitian.com
    WEB: www.anitian.com
    BLOG: blog.anitian.com
    SLIDES: http://slidesha.re/11UaeFN
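As an added worked example (this is editor-written Python, not code from the deck or from Anitian), the following block turns steps #5, #6 and #7 into something a practitioner can run: it maps a 12-month likelihood onto the slide 33 probability scale, computes Risk as the "simplified product" of Impact and Probability from slide 34, stores a documented risk with the slide 34 fields, and produces the single prioritized recommendation list that slide 37 asks for. The deck gives only the labels and one scored row (Impact High, Probability Certain, Risk High); the numeric band edges that turn the product back into a label, the handling of the overlapping range boundaries (20% and 95%), and the treatment of "none" and "negligible" as the same bottom impact score are all assumptions made here and are marked as such in the code. The malware row is the deck's own documentation sample; the other two risks are constructed for the example.

```python
"""Rapid Risk Assessment scoring: added example, not from the deck or from Anitian."""
from dataclasses import dataclass
from typing import List

# Ordinal value for each label on the deck's five-point scales (#5 and #6).
# Assumption: "none" (slide 34) and "Negligible" (slide 33) name the same
# bottom impact score, so both map to 0.
IMPACT = {"none": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
PROBABILITY = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "certain": 4}
RISK_LABELS = ["negligible", "low", "medium", "high", "critical"]


def probability_label(likelihood_pct: float) -> str:
    """Map a 12-month likelihood (percent) onto the #5 probability scale.
    Assumption: an exact boundary value belongs to the higher band
    (20% -> medium, 95% -> certain); the deck's ranges overlap there."""
    if likelihood_pct >= 95:
        return "certain"
    if likelihood_pct >= 50:
        return "high"
    if likelihood_pct >= 20:
        return "medium"
    if likelihood_pct >= 1:
        return "low"
    return "negligible"


def risk_level(impact: str, probability: str) -> str:
    """Risk = Impact * Probability (#6), banded back onto five labels.
    Assumption: the band edges below. They are chosen so the deck's sample row
    (High impact, Certain probability: 3 * 4 = 12) scores High, only a Critical
    impact that is Certain (16) scores Critical, and a product of 0 (no impact
    or negligible probability) is always negligible risk."""
    product = IMPACT[impact.lower()] * PROBABILITY[probability.lower()]
    if product == 0:
        return "negligible"
    if product <= 2:
        return "low"
    if product <= 6:
        return "medium"
    if product <= 12:
        return "high"
    return "critical"


@dataclass
class Risk:
    """One documented risk, with the fields listed on slide 34."""
    threat: str
    vulnerabilities: List[str]
    recommendations: List[str]
    impact: str
    probability: str

    @property
    def risk(self) -> str:
        return risk_level(self.impact, self.probability)


# First entry is the deck's own documentation sample (slide 35). The other two
# use "good" threat names from the Threat Samples slide, but their
# vulnerabilities, recommendations and scores are constructed for this example.
SAMPLE_RISKS = [
    Risk("Malware infection",
         ["Outdated anti-virus", "Lack of anti-virus on 36% of servers",
          "32 high ranked vulnerabilities on in-scope systems",
          "Lack of virus scanning at the network layer"],
         ["Endpoint antivirus must be installed on all hosts.",
          "All endpoint antivirus must be updated daily.",
          "All systems must have new patches applied within 30 days of release.",
          "Company must deploy a more robust patch management platform.",
          "Implement a core firewall that can perform virus scanning at the network layer."],
         impact="high", probability="certain"),
    Risk("Theft of confidential data",  # constructed
         ["Customer database reachable from the user VLAN without authentication"],
         ["Segment the customer database and require authentication for all access."],
         impact="critical", probability=probability_label(35)),  # constructed ~35% -> medium
    Risk("Denial of service attack",  # constructed
         ["Public web server has no rate limiting"],
         ["Enable rate limiting on the public web server."],
         impact="low", probability="medium"),
]


def action_plan(risks: List[Risk]) -> List[str]:
    """#7: all recommendations as one prioritized list, highest risk first."""
    ordered = sorted(risks, key=lambda r: RISK_LABELS.index(r.risk), reverse=True)
    plan, seen = [], set()
    for r in ordered:
        for rec in r.recommendations:
            if rec not in seen:          # the same fix may remediate several risks
                seen.add(rec)
                plan.append(f"[{r.risk.upper()}] {r.threat}: {rec}")
    return plan


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.threat}: impact={r.impact} probability={r.probability} risk={r.risk}")
    print("\n".join(action_plan(SAMPLE_RISKS)))
```

Running the block scores the deck's malware row as High, the constructed data-theft risk as High (Critical impact at Medium probability) and the constructed denial-of-service risk as Low, and the resulting action plan lists the malware and data-theft recommendations before the rate-limiting one. Swapping in a different band table or a lookup matrix changes nothing else, which is the point: the labels and the documented fields are what management reads, and the arithmetic behind them should stay this small.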