Risk Assessment By: Ashwin Vignesh Madhu

Posted: 21-Dec-2015
Category: Documents

Risk Assessment

By: Ashwin Vignesh Madhu

Overview

● Objective
● Introduction
● Risk
  Risk Management Cycle
● RA Methodologies
  CRAMM, COBRA, RuSecure, British Standard, Hierarchical Criteria Model
● Common Failures in RA
● Elements of Good RA
● OCTAVE
● Characteristics
● Process
● Criteria
● Examples
● OCTAVE Methodology
● Choosing Methodology
● Our Methodology

Objective

● Risk assessment process: not unique to the IT environment

● Provide the desired level of mission support depending on the budget

● Well-structured risk management methodology

Introduction

● The process of enumerating risks
● Determining their classifications
● Assigning probability and impact scores
● Associating controls with each risk

Risk

● Risk assessment measures
  Magnitude of the potential loss L
  Probability p that the loss will occur

● Risk R can be expressed as R = L * p (or) Risk = Impact * Likelihood

Risk (Cont..)

● Risk = PA * (1-PE) * C
  PA – the likelihood of adversary attack
  PE – the security system effectiveness
  (1-PE) – the adversary success
  C – consequence of loss of the asset

● High L and low p vs. low L and high p
  Treated differently in practice
  Given nearly equal priority in dealing
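The two formulas on these slides, R = L * p and R = PA * (1-PE) * C, worked through on a small risk register. This is an added Python example, not code from the presentation; the register entries, the sample PA/PE/C values and the `effectiveness_needed` sizing step are constructed assumptions for illustration, and only L, p, PA, PE and C come from the slides.

```python
"""Worked example of the risk formulas on the "Risk" slides.

Added illustration, not code from the presentation. The register values and
the sample PA/PE/C figures below are constructed for demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float         # L: magnitude of the potential loss (constructed currency units)
    probability: float  # p: probability that the loss occurs in the period, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: p must be in [0, 1]")
        if self.loss < 0:
            raise ValueError(f"{self.name}: L must be non-negative")

    def expected_loss(self) -> float:
        """R = L * p  (Risk = Impact * Likelihood)."""
        return self.loss * self.probability


def rank_register(register: list[Risk]) -> list[tuple[str, float]]:
    """Order risks by R, highest first, so treatment effort goes to the top entries."""
    return sorted(((r.name, r.expected_loss()) for r in register),
                  key=lambda item: item[1], reverse=True)


def adversary_risk(pa: float, pe: float, c: float) -> float:
    """R = PA * (1 - PE) * C: attack likelihood, system effectiveness, consequence."""
    for label, value in (("PA", pa), ("PE", pe)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be in [0, 1], got {value}")
    if c < 0:
        raise ValueError("C must be non-negative")
    return pa * (1.0 - pe) * c


def effectiveness_needed(pa: float, c: float, target: float) -> float:
    """Smallest PE for which PA * (1 - PE) * C <= target (hypothetical sizing step)."""
    if pa * c <= 0:
        return 0.0  # nothing at stake, so no control effectiveness is required
    return max(0.0, min(1.0, 1.0 - target / (pa * c)))


# Constructed register: a high-L/low-p risk next to a low-L/high-p risk.
REGISTER = [
    Risk("data-centre fire", loss=2_000_000, probability=0.01),       # R = 20,000
    Risk("phishing credential theft", loss=20_000, probability=0.9),  # R = 18,000
    Risk("unencrypted laptop theft", loss=5_000, probability=0.2),    # R = 1,000
]


if __name__ == "__main__":
    for name, r in rank_register(REGISTER):
        print(f"{name:30s} R = {r:>10,.0f}")
    # Constructed values: PA = 0.5, PE = 0.8, C = 1,000,000 gives R = 100,000
    print("adversary risk:", adversary_risk(0.5, 0.8, 1_000_000))
    print("PE needed to bring R down to 50,000:",
          effectiveness_needed(0.5, 1_000_000, 50_000))
```

Ranking the constructed register puts the rare catastrophic fire and the frequent small phishing loss within ten percent of each other, which is the slide's point that the two shapes of risk receive nearly equal priority under R = L * p even though practice treats them differently (expected loss says nothing about tolerance for a single catastrophic event). The second formula is useful in the other direction: given PA and C, `effectiveness_needed` shows how much the security system's effectiveness PE must improve to reach a target risk level, which is the quantity a mitigation plan has to argue for.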

Risk Management Cycle

RA Methodologies

● CCTA Risk Analysis and Management Method (CRAMM)
● Consultative, Objective and Bi-functional Risk Analysis (COBRA)
● RuSecure
● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Failure Mode and Effects Analysis (FMEA)
● British Standard (BS)

RA Methodologies (Cont..)

● Methods support in
  Detecting critical places and parts in organization
  Detecting risk factors
  Collecting data about risk factors
  Evaluation and estimation of risk
  Generating a report of the risk management process

CRAMM

COBRA

● COBRA
  Two modules
  ● COBRA Risk Consultant
  ● ISO Compliance Analyst
  Supports the process of evaluating security risk
  Evaluation steps
  ● Building queries
  ● Risk evaluation
  ● Constructing reports
  Contains a library of countermeasures

RuSecure

British Standard

Hierarchical Criteria Model

Common Failures in RA

● Poor executive support
● High cost of implementation
● Untimely response
● Insufficient accountability
● Inability to qualitatively measure the control environment
● Infrequent assessment
● Inaccurate data

Elements of good RA

● Provides clear instructions
● Simplifies user response
● Identifies support contacts
● Focuses on leaders as well as executors
● Provides feedback to users and risk leaders
● Has a broad scope
● Identifies user for follow up if necessary and applicable

OCTAVE

● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Effective security risk evaluation
● Considers both organizational and technological issues
● Self-directed

Characteristics

● Identify information-related assets
● Focus risk analysis activities on critical assets
● Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
● Evaluate risks in an operational context - how they are used to conduct an organization’s business
● Create a protection strategy for risk mitigation

OCTAVE Process

Criteria

● Principle
  Fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process
● Attribute
  Distinctive qualities, or characteristics, of the evaluation
● Output
  Defines the outcomes that an analysis team must achieve during each phase

Examples

OCTAVE Method Process

● Phase 1: Build Asset-Based Threat Profiles
  Process 1: Identify Senior Management Knowledge
  Process 2: Identify Operational Area Knowledge
  Process 3: Identify Staff Knowledge
  Process 4: Create Threat Profiles

● Phase 2: Identify Infrastructure Vulnerabilities
  Process 5: Identify Key Components
  Process 6: Evaluate Selected Components

● Phase 3: Develop Security Strategy and Plans
  Process 7: Conduct Risk Analysis – An organizational set of impact evaluation criteria is defined to establish the impact value
  Process 8: Develop Protection Strategy – The team develops an organization-wide protection strategy to improve the organization’s security practices

Choosing Methods

● Depending on organization size
● Depending on organization hierarchical structure
● Structured or open-ended method
● Analysis team composition
● IT resources

Our Methodology

● Policies and procedures
● Requirement analysis
● Network topology
● Categorizing the network
● Scanning based on categorization
● Analysis of vulnerabilities
  Use different scanning tools
  Penetration testing
● Risk strategy
● Mitigation of risk

References

● NIST – Risk Management Guide for Information Technology Systems
● http://www.gao.gov/special.pubs/ai00033.pdf
● http://en.wikipedia.org/wiki/Risk_management
● http://en.wikipedia.org/wiki/Risk_assessment
● http://www.sandia.gov/ram
● http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
● http://www.octave.org

Thank You