Risk Management and Auditing

Description: FORESEC Academy Security Essentials (III). Risk Management and Auditing. PowerPoint PPT presentation.

Transcript of Risk Management and Auditing

Page 1: Risk Management and Auditing

FORESEC Academy

RISK MANAGEMENT AND AUDITING

FORESEC Academy Security Essentials (III)

Page 2: Risk Management - Where do I Start?

- Write the security policy (with business input)
- Analyze risks, or identify industry practice for due care; analyze vulnerabilities

Page 3: Risk Management - Where do I Start? (cont'd)

- Set up a security infrastructure
- Design controls, write standards for each technology
- Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford
- Conduct periodic reviews and possibly tests
- Implement intrusion detection and incident response

Page 4: Define Risk

- Risk = Vulnerability x Threat
- Vulnerability is a weakness in a system that can be exploited
- Threat is any event that can cause an undesirable outcome

Page 5: The Three Risk Choices

- Accept the risk as is
- Mitigate or reduce the risk
- Transfer the risk (insurance model)

Page 6: Risk Management Questions

- What could happen? (what is the threat)
- If it happened, how bad could it be? (impact of threat)
- How often could it happen? (frequency of threat - annualized)
- How reliable are the answers to the above three questions? (recognition of uncertainty)

Page 7: Risk Requires Uncertainty

If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn't risky; it is suicide. For such an action, there is a close to 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive.

Probability ranges between 0.0 and 1.0, though people often express it as a percent.

Page 8: SLE vs ALE

- SLE - Single Loss Expectancy: the loss from a single event
- ALE - Annualized Loss Expectancy: annual expected loss based on a threat

Page 9: Single Loss Expectancy (SLE - one shot)

- Asset value x exposure factor = SLE
- Exposure factor: 0 - 100% of loss to asset
- Example: nuclear bomb/small town ($90M x 100% = $90M)

Page 10: Annualized Loss Expectancy (ALE - multi-hits)

- SLE x annualized rate of occurrence = Annualized Loss Expectancy (ALE)
- The annualized rate of occurrence is the frequency the threat is expected to occur in a year
- Example, web surfing on the job:
  - SLE: 1000 employees, 25% waste an hour per week surfing: $50/hr x 250 = $12,500
  - ALE: they do it every week except when on vacation: $12,500 x 50 = $625,000
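The SLE and ALE arithmetic from slides 9 and 10, written out as an added Python example (not code from the FORESEC slides). It reproduces the two worked figures on the page and then goes one step further than the slides: it compares candidate countermeasures by net annual value (ALE before, minus ALE after, minus the safeguard's annual cost) and keeps only the ones a budget can cover, which is the "prioritize countermeasures and implement the top priority ones you can afford" step of slide 3 in numbers. The `Safeguard` class, its cost and residual figures, and the budget are constructed assumptions, not values from the page.

```python
# Added example: quantitative risk arithmetic (SLE, ALE) and countermeasure
# ranking. Safeguard names, costs and residual-risk figures are constructed.
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    exposure_factor is the fraction of the asset lost in one event,
    expressed as 0.0-1.0 (the slide's 0-100%).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1 (0-100%)")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, annualized_rate: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if annualized_rate < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * annualized_rate


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual risk left once it is in place (hypothetical)."""
    name: str
    annual_cost: float        # yearly cost to own and run the safeguard
    residual_exposure: float  # fraction of the asset still lost per event
    residual_rate: float      # events per year still expected


def net_safeguard_value(asset_value: float, exposure_factor: float,
                        annualized_rate: float, safeguard: Safeguard) -> float:
    """Annual value of a safeguard: ALE before - ALE after - annual cost.

    Positive means mitigating pays for itself; negative means accepting or
    transferring the risk is cheaper than this particular mitigation.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), annualized_rate)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_exposure),
        safeguard.residual_rate)
    return ale_before - ale_after - safeguard.annual_cost


def rank_affordable(asset_value: float, exposure_factor: float, annualized_rate: float,
                    candidates: List[Safeguard], budget: float) -> List[Safeguard]:
    """Drop safeguards the budget cannot cover, then order the rest by net value, best first."""
    affordable = [s for s in candidates if s.annual_cost <= budget]
    return sorted(
        affordable,
        key=lambda s: net_safeguard_value(asset_value, exposure_factor, annualized_rate, s),
        reverse=True,
    )


if __name__ == "__main__":
    # Slide 9: nuclear bomb on a small town, $90M asset, 100% exposure -> $90M SLE.
    print("Town SLE:", single_loss_expectancy(90_000_000, 1.0))

    # Slide 10: 1000 employees x $50/hr is one hour of everyone's time ($50,000);
    # 25% of them waste that hour, so the exposure factor is 0.25 -> SLE $12,500;
    # it happens 50 weeks a year -> ALE $625,000.
    hour_of_staff_time = 1000 * 50
    sle = single_loss_expectancy(hour_of_staff_time, 0.25)
    ale = annualized_loss_expectancy(sle, 50)
    print(f"Web surfing SLE: ${sle:,.0f}  ALE: ${ale:,.0f}")

    # Constructed candidate safeguards with hypothetical costs and residual figures.
    candidates = [
        Safeguard("web content filter", annual_cost=40_000, residual_exposure=0.05, residual_rate=50),
        Safeguard("awareness campaign", annual_cost=5_000, residual_exposure=0.20, residual_rate=50),
        Safeguard("full proxy + DLP suite", annual_cost=300_000, residual_exposure=0.01, residual_rate=50),
    ]
    for s in rank_affordable(hour_of_staff_time, 0.25, 50, candidates, budget=100_000):
        value = net_safeguard_value(hour_of_staff_time, 0.25, 50, s)
        print(f"{s.name}: net value ${value:,.0f}/yr")
```

With the constructed figures the proxy/DLP suite has the lowest residual risk but is over budget, so the ranking returns the content filter first (about $460,000 net per year) and the awareness campaign second; the point is that the same three-way choice of slide 5 (accept, mitigate, transfer) can be argued in dollars once SLE and ALE are on the table.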

Page 11: Quantitative vs. Qualitative

- Qualitative is easier to calculate, but its results are more subjective
- Qualitative is much easier to accomplish
- Qualitative succeeds at identifying high risk areas
- Quantitative is far more valuable as a business decision tool since it works in metrics, usually dollars

Page 12: Qualitative - Another Risk Assessment Approach

- Banded values: high, medium, low
- Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
- Very commonly used

Page 13: Best Practice Risk Assessment

- System administration is a high turnover job for large organizations, which affects continuity
- System administrators tend to be focused on having the "trains run on time"
- Security configuration may not be understood or implemented

Page 14: Best Practice

- No single organization or person is likely to produce best practice
- Consensus of many organizations and stringent review
- Examples:
  - Center for Internet Security

Page 15: Foresec Securing 2000 SBS 3.1.2.3.1 Additional Restrictions for Anonymous Connections

The default choice for this setting is "None. Rely on default permissions." The other choices are "No Access Without Explicit Anonymous Permissions" and "Do Not Allow Enumeration of SAM Accounts and Shares."

Select "No Access Without Explicit Anonymous Permissions."

Page 16: Windows 2000 Checklist

Checklist approach designed for two persons (check and double check) to configure a Windows 2000 system to at least minimal acceptable security.

Page 17: Business Case for Risk Management

In order to present the business case, we need to convey the "Big Picture".

We are now familiar with these core technologies and how they play together:
- Host and network-based intrusion detection
- Vulnerability scanners and honeypots
- Firewalls

Page 18: Business Case - Applications

- Organization has no intrusion detection and you are presenting the case for standing up a capability
- Organization has rudimentary capability and you want to upgrade
- Organization has central monitoring and you are presenting the case for a departmental capability

Page 19: Business Case - Applications (2)

Many managers are uncomfortable when confronted with actual data about attacks and vulnerabilities.

You can often use any existing source of data (firewall logs, system logs) to leverage additional intrusion detection financing by showing them a "smoking gun".
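One way to turn the firewall logs slide 19 mentions into "smoking gun" figures for a manager, as an added Python example that is not part of the FORESEC material. It parses dropped-connection records, counts them by source address and targeted port, scales the observed count to a per-year rate (the annualized view slide 6 asks for), and produces a few plain sentences. The log lines, the netfilter-style field layout (`SRC=`, `DST=`, `DPT=`), and the addresses (documentation ranges) are all constructed; `parse_line()` is the part to adapt to whatever format your own firewall writes.

```python
# Added example: summarizing constructed firewall drop records into figures a
# manager can read. The sample lines and field layout are assumptions, not
# output of any specific product.
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: five days of perimeter firewall records (DROP and ACCEPT),
# plus one line that is not a firewall record at all.
SAMPLE_LOG = """\
Mar  1 02:14:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=22
Mar  1 02:14:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=23
Mar  1 09:30:11 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50112 DPT=443
Mar  2 11:45:52 fw kernel: DROP IN=eth0 SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP SPT=3301 DPT=1433
Mar  3 04:05:00 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=41100 DPT=22
Mar  4 17:22:13 fw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Mar  5 23:59:58 fw kernel: DROP IN=eth0 SRC=198.51.100.44 DST=192.0.2.12 PROTO=TCP SPT=3302 DPT=1433
this line is not a firewall record
"""

# Field layout assumed for the example: syslog timestamp, host, "kernel:",
# action, then key=value pairs with SRC/DST/PROTO/DPT among them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one firewall record, or None for lines that are not records."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_drops(log_text: str) -> Dict[str, object]:
    """Count dropped inbound connections by source address and by destination port."""
    by_source: Counter = Counter()
    by_port: Counter = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue  # skip accepted traffic and non-record lines
        total += 1
        by_source[rec["src"]] += 1
        by_port[rec["dpt"]] += 1
    return {"total_drops": total, "by_source": by_source, "by_port": by_port}


def annualize(count: int, days_observed: int) -> float:
    """Scale an observed count to a per-year rate, the slide's 'annualized' frequency."""
    if days_observed <= 0:
        raise ValueError("days_observed must be positive")
    return count * 365 / days_observed


def management_summary(log_text: str, days_observed: int) -> str:
    """A few plain sentences derived from the raw log, for the business case."""
    s = summarize_drops(log_text)
    top_src, top_src_n = s["by_source"].most_common(1)[0]
    top_port, top_port_n = s["by_port"].most_common(1)[0]
    return (
        f"In {days_observed} days the firewall blocked {s['total_drops']} inbound connection attempts "
        f"(about {annualize(s['total_drops'], days_observed):,.0f} per year at this rate). "
        f"The most active source, {top_src}, accounted for {top_src_n} of them; "
        f"the most targeted service was port {top_port} ({top_port_n} attempts)."
    )


if __name__ == "__main__":
    print(management_summary(SAMPLE_LOG, days_observed=5))
```

The summary deliberately reports counts and rates rather than raw log lines: that is the form in which "how often could it happen?" from slide 6 becomes a figure a manager will act on. The same counts also feed the annualized rate of occurrence in an ALE calculation.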

Page 20: Threat Vectors

- Outsider attack from network
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malicious code

Page 21: Outsider Attack - Internet

- Newspaper, web articles on attacks at other places, if it happens to them
- Hacking web sites: www.antionline.com
- Firewall/intrusion detection logs are an excellent source for specific threats
- System audit trail logs are as well
- Demo an intrusion detection system