Presented by: Andrew Plato, Anitian

Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is a cumbersome and time-consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results.

Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity of IT security risk assessment. Using the existing principles of risk management defined in the NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results, empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process.

This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.
SECURITY: Services Solutions Support

4. Why Anitian?
• Anitian is the only security firm…
• Focused on practical, pragmatic information security
• Able to deliver compliance quickly & affordably
• That does not push products
• Who rejects using fear to sell
• Dedicates research efforts to benefit our clients, not our press releases
• Implements business-friendly security
• Remains honest and independent
7. What is Risk Assessment?
• Systematic and objective determination of the seriousness of threats.
• Good risk assessment aims to:
  • Identify the threats that affect an entity (company, network, systems, application, etc.)
  • Qualify and quantify those threats
  • Craft reasonable remedies to reduce, eliminate, accept or transfer the risk
  • Help protect the business/organization and its assets
  • Empower leadership to make sensible investments in security controls and processes
8. Increasing Emphasis on Risk Assessment
• Always been a PCI requirement (12.1.2)
• HIPAA Omnibus reinforces the need for risk assessment
  • Assessment to define the risk management program (which in turn defines the controls that meet the standard)
  • Breach notification now requires risk analysis of any suspected breach to determine if notification is necessary
• FFIEC 2011 Supplement mandated new things to assess
  • Defines specific issues to analyze concerning authentication
  • Reinforced the need for annual assessments
  • Mandated assessments on banking applications
  • Outlined requirements to reperform assessments when there are changes
9. Increased Scrutiny
• From HIPAA Omnibus: “…we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable.”
• Regulations are demanding more risk assessments
• Regulators are shifting focus to look at risk assessments
• Business leaders are demanding better risk analysis
• So what’s the problem?
11. Something Is Not Right Here
• Companies were consistently complaining about their IT risk assessments:
  • “Why does this take so long?”
  • “This is just a paperwork exercise”
  • “What am I supposed to do with this?”
  • “Where are the problems?”
  • “How do I fix the problems?”
  • “Are we in danger?”
  • “What do all these numbers, charts and worksheets mean?”
  • “This is just a meaningless regulatory requirement!”
• We were not the only ones…
13. With Mixed Results
For any risk management method … we must ask … “How do we know it works?” If we can’t answer that question, then our most important risk management strategy should be to find a way to answer it and adopt a risk assessment and risk mitigation method that does work.

Hubbard, Douglas W. (2009-04-06). The Failure of Risk Management: Why It's Broken and How to Fix It. John Wiley and Sons. Kindle Edition.
15. Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation Activities:

Implementing defined evaluation activities helps to institutionalize the evaluation process in the organization, ensuring some level of consistency in the application of the process. It also provides a basis upon which the activities can be tailored to fit the needs of a particular business line or group.
16. The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish a true value for an IT asset
• Misleading, creates a false sense of accuracy
• Creates a false scale that does not translate into real-world thinking
17. Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
  • Any risk assessment over 90-180 days old is stale
• NIST, OCTAVE, FAIR are nice ideas, but too time consuming
  • Spending a year on a risk assessment is too long
  • A good enterprise risk assessment should be done in under 30 days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions, it’s an assessment from a single person or group that understands risk
18. Probability Can Be Flawed
• “On a long enough time line, the survival rate for everybody drops to zero.” Jack, Fight Club, 1999
• Lack of time context makes any assessment of probability fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
19. Lack of Evidence
• Risk assessment methodologies focus heavily on process, and very little on evidence
• Custodians and business process owners withhold information
• The security of an environment can be tested in a controlled, rational manner
• Without testing, the entire analysis is one-sided
• Testing can cut through conjecture and prove (or disprove) the severity of a threat
20. The Challenge
• Risk assessment needs to be more useful.
  • How can this process produce tangible ways to reduce risk?
• The volatility of modern IT makes IT risk assessment a fundamentally qualitative effort
  • Since the effort is qualitative, the skill of the assessor is paramount to obtaining accurate assessments
• How do we improve risk assessment to make it:
  • More accurate
  • More responsive to business needs
  • More actionable
  • Quicker
22. Features of Rapid Risk Assessment
• Aims to speed up the risk assessment process & make it more useful to the business
• Trades precision and some accuracy for efficiency and usability
• Focuses on simplicity and clarity
• Dismisses theory and conjecture in place of decisive action
• Explains risk in simple, business-friendly terminology
• Uses a set time frame for probability
• Simplifies the assignment of value
• Uses a “lens” that focuses and frames assessment effort
• Establishes authority to make risk judgments
• Leverages new technologies such as Allgress
23. Rapid Risk Assessment Outline
• Prerequisites
  • Advanced writing skills
  • Hands-on IT skills
  • Authority
1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan
24. Prerequisite: Advanced Writing Skills
• No theories, no complex worksheets, no “risk management” terms
• Simple, business language that states risk in a plain, matter-of-fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few bullet points
25. Prerequisite: Hands-on IT Skills
• Must have in-depth understanding of IT operations
  • Systems administration
  • Network design, architecture, management
  • Security analysis
  • Application lifecycle management
  • Database administration
  • IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to identify its weaknesses
26. Prerequisite: Authority
• Management must definitively endorse and support risk assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience, language, and engagement
28. #1 - Establish Scope & Lens
• Scope – what assets are in scope (hopefully all of them)
• Lens – how will you look at the assets?
  • Data types – customer, internal, security, etc.
  • System – server, workstation, infrastructure
  • Application – user, customer, financial, etc.
• The Lens is what makes Rapid Risk Assessment work:
  • Provides a contextual framework for analyzing data
  • It helps focus the effort
  • It aids greatly in comprehension
29. #2 - Interview Stakeholders
• Develop a set of questions specific to the business role:
  • IT custodians – technical questions
  • Business process owners – criticality & usage
• Define value in context of the entire business using simple terms: critical, high, medium, low, none
• Focus on current state
  • Be careful with “forward looking” data – chasing a moving target
• Catalog results
30. #3 – Test the Environment
• Vulnerability scans of all in-scope systems, apps or locations of data
• Conduct penetration tests
  • Web application testing
  • Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings, ideas, theories, or personal interpretations
• This is where hands-on IT experience is a must
31. #4 – Define Threats & Correlate Data
• Organize threats into simplified categories
  • Technical – threat to systems, hardware, applications, etc.
  • Operational – threats that affect practices, procedures, or business functions
  • Relational – threat to a relationship between groups, people or third parties
  • Physical – threats to facilities, offices, etc.
  • Reputational (optional) – threats to the organization’s reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple
32. Threat Samples
• Good Threat Definitions
  • Theft of confidential data
  • Malware infection
  • Denial of service attack
  • Theft of sensitive authentication data
• Bad Threat Definitions
  • Lack of alignment to organizational policies with guidelines set forth by the security committee means staff is not properly implementing security controls.
  • Use of telnet among staff is threatening PCI compliance requirements.
  • Missing patches on systems
33. #5 - Define Probability & Impact Scale

Probability
Metric      Description
Certain     >95% likelihood of occurrence within the next 12 months.
High        50-95% likelihood of occurrence within the next 12 months.
Medium      20-49% likelihood of occurrence within the next 12 months.
Low         1-20% likelihood of occurrence within the next 12 months.
Negligible  <1% likelihood of occurrence within the next 12 months.

Impact
Metric      Description
Critical    Catastrophic effect on the Data Asset.
High        Serious impact on the Data Asset's functionality.
Medium      Threat may cause some intermittent impact on the Data Asset, but would not lead to extended problems.
Low         Impact on the Data Asset is small and limited. Would not cause any disruption in core functions.
Negligible  Data Asset remains functional for the business with no noticeable slowness or downtime.
34. #6 - Document Risks
• Condense, simplify and focus on the problem
• Threat – How the asset is at risk
• Vulnerabilities – The vulnerabilities relevant to the risk
• Recommendation – Tangible actions to remediate the risk
• Impact – Simplified 5 point score (critical, high, medium, low, none)
• Probability – Simplified 5 point score (certain, high, medium, low, negligible)
• Risk – Simplified product of Impact * Probability (critical, high, medium, low, negligible)
35. Documentation Sample
Threat: Malware infection
Vulnerabilities:
  • Outdated anti-virus
  • Lack of anti-virus on 36% of servers
  • 32 high ranked vulnerabilities on in-scope systems
  • Lack of virus scanning at the network layer
Recommendation:
  • Endpoint antivirus must be installed on all hosts.
  • All endpoint antivirus must be updated daily
  • All systems must have new patches applied within 30 days of release.
  • Company must deploy a more robust patch management platform.
  • Implement a core firewall that can perform virus scanning at the network layer.
Impact: H
Probability: C
Risk: H
37. #7 – Develop an Action Plan
• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
  • GOOD: Implement third party patch management. IBM BigFix, Dell Kace, and GFI Languard are all viable products to consider. Require solution to patch all systems within 30 days of a new patch.
  • BAD: IT management procedures need updating to align with best practices.
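The scoring behind slides 33 to 35 and 37 (the two 5-point scales, Risk as the simplified product of Impact * Probability, and the single prioritized action plan) in working code. This is an added example, not code from the presentation or from Anitian. It assumes an ordinal position 0-4 for each level, assumed bands (RISK_BANDS) that collapse the 0-16 product back to five risk levels, chosen so the deck's own documentation sample (Impact H, Probability C -> Risk H) is reproduced, and an assumed resolution of the probability scale's 20% edge and 49-50% gap; the second register entry is constructed for illustration.

```python
"""Rapid Risk Assessment scoring helper (added example, not from the deck)."""
from dataclasses import dataclass

# Ordinal position 0..4 for each 5-point scale used in the deck.
IMPACT_LEVELS = ["none", "low", "medium", "high", "critical"]
PROBABILITY_LEVELS = ["negligible", "low", "medium", "high", "certain"]
RISK_LEVELS = ["negligible", "low", "medium", "high", "critical"]

# ASSUMPTION: upper bound of the ordinal product (0..16) for each risk level.
# Chosen so that high (3) * certain (4) = 12 lands on "high", as in the sample.
RISK_BANDS = [(0, "negligible"), (2, "low"), (6, "medium"), (12, "high"), (16, "critical")]


def probability_from_likelihood(likelihood):
    """Map a 12-month likelihood (0.0-1.0) onto the deck's probability metric.

    Bands follow the slide: <1% negligible, 1-20% low, 20-49% medium,
    50-95% high, >95% certain. The 20% edge and the 49-50% gap are
    resolved here by assumption (20% -> low, 49.5% -> medium).
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a fraction between 0 and 1")
    if likelihood < 0.01:
        return "negligible"
    if likelihood <= 0.20:
        return "low"
    if likelihood < 0.50:
        return "medium"
    if likelihood <= 0.95:
        return "high"
    return "certain"


def risk_level(impact, probability):
    """Simplified product of Impact * Probability, collapsed to five levels."""
    score = IMPACT_LEVELS.index(impact) * PROBABILITY_LEVELS.index(probability)
    for upper, level in RISK_BANDS:
        if score <= upper:
            return level
    return "critical"


@dataclass
class RiskEntry:
    """One row of the deck's documentation table."""
    threat: str
    vulnerabilities: list
    recommendations: list
    impact: str
    probability: str

    @property
    def risk(self):
        return risk_level(self.impact, self.probability)


def action_plan(entries):
    """Summarize every recommendation into one list, highest risk first.

    sorted() is stable, so entries at the same risk level keep register
    order; a recommendation shared by several threats appears once.
    """
    ordered = sorted(entries, key=lambda e: RISK_LEVELS.index(e.risk), reverse=True)
    plan = []
    for entry in ordered:
        for rec in entry.recommendations:
            if rec not in plan:
                plan.append(rec)
    return plan


# Constructed register: the first entry is the deck's documentation sample,
# the second is made up here to show prioritization across risk levels.
SAMPLE_REGISTER = [
    RiskEntry(
        threat="Malware infection",
        vulnerabilities=[
            "Outdated anti-virus",
            "Lack of anti-virus on 36% of servers",
            "32 high ranked vulnerabilities on in-scope systems",
            "Lack of virus scanning at the network layer",
        ],
        recommendations=[
            "Endpoint antivirus must be installed on all hosts.",
            "All endpoint antivirus must be updated daily.",
            "All systems must have new patches applied within 30 days of release.",
            "Company must deploy a more robust patch management platform.",
            "Implement a core firewall that can perform virus scanning at the network layer.",
        ],
        impact="high",
        probability="certain",
    ),
    RiskEntry(  # constructed entry, not from the deck
        threat="Denial of service attack",
        vulnerabilities=["No rate limiting on the public web tier (constructed)"],
        recommendations=["Deploy rate limiting in front of the public web tier (constructed)."],
        impact="medium",
        probability=probability_from_likelihood(0.10),  # 10% in 12 months -> low
    ),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(f"{entry.threat}: impact={entry.impact} probability={entry.probability} risk={entry.risk}")
    for number, task in enumerate(action_plan(SAMPLE_REGISTER), 1):
        print(f"{number}. {task}")
```

Run as a script it prints each register row with its derived risk and then the ordered task list. The band thresholds are the one place judgment enters: critical impact at low probability scores 4 and lands on medium, which is the kind of outcome an assessor should review against the deck's advice to focus on the likely, rather than accept blindly.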
38. Don’t
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension
39. Do
• Use simple language. Plain English descriptions
• Establish authority with experience, language, and presence
• Simplify, condense, clarify
• Identify tangible, actionable recommendations
• Help management make decisions about risk
• Focus on the likely