Overview
● Objective
● Introduction
● Risk
  – Risk Management Cycle
● RA Methodologies
  – CRAMM
  – COBRA
  – RuSecure
  – British Standard
  – Hierarchical Criteria Model
● Common Failures in RA
● Elements of Good RA
● OCTAVE
● Characteristics
● Process
● Criteria
● Examples
● OCTAVE Methodology
● Choosing Methodology
● Our Methodology
Objective
● Risk Assessment Process
  – Not unique to the IT environment
● Provide the desired level of mission support depending on the budget
● Well-structured risk management methodology
Introduction
● The process of enumerating risks
● Determining their classifications
● Assigning probability and impact scores
● Associating controls with each risk
Risk
● Risk Assessment measures
  – Magnitude of the potential loss L
  – Probability p that the loss will occur
● Risk R can be expressed as R = L * p (or) Risk = Impact * Likelihood

Risk (Cont..)
● Risk = PA * (1 - PE) * C
  – PA – the likelihood of adversary attack
  – PE – the security system effectiveness; (1 - PE) – the probability that the adversary succeeds against it
  – C – consequence of loss of the asset
● High L and low p versus low L and high p
  – Treated differently in practice
  – Given nearly equal priority in dealing with them
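The two expressions above, worked through on constructed scenarios as an added example (this is not code from the original slides): risk_lp implements R = L * p, adversary_success gives p = PA * (1 - PE) so that risk_pa_pe_c is R = PA * (1 - PE) * C, and profile/rank show why two items with nearly equal R can still be of opposite shape (high L with low p, or low L with high p) and therefore get handled differently in practice. The scenario names, the numbers, and the cut-offs high_loss and low_prob are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for a single asset (values below are constructed)."""
    name: str
    pa: float   # PA: likelihood that an adversary attacks, in [0, 1]
    pe: float   # PE: effectiveness of the security system against that attack, in [0, 1]
    c: float    # C: consequence (loss) if the asset is compromised, in money units


def risk_lp(loss: float, probability: float) -> float:
    """R = L * p: magnitude of the potential loss times the probability it occurs."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return loss * probability


def adversary_success(pa: float, pe: float) -> float:
    """p = PA * (1 - PE): attack likelihood times the chance the controls fail."""
    for v in (pa, pe):
        if not 0.0 <= v <= 1.0:
            raise ValueError("PA and PE must be in [0, 1]")
    return pa * (1.0 - pe)


def risk_pa_pe_c(s: Scenario) -> float:
    """R = PA * (1 - PE) * C, i.e. risk_lp with L = C and p = PA * (1 - PE)."""
    return risk_lp(s.c, adversary_success(s.pa, s.pe))


def profile(s: Scenario, high_loss: float, low_prob: float) -> str:
    """Label the shape of a scenario so a high-L/low-p item is not lumped together
    with a low-L/high-p item that happens to score the same R.
    high_loss and low_prob are organisation-chosen cut-offs (assumed here)."""
    p = adversary_success(s.pa, s.pe)
    if s.c >= high_loss and p <= low_prob:
        return "high-impact/low-likelihood"
    if s.c < high_loss and p > low_prob:
        return "low-impact/high-likelihood"
    return "other"


def rank(scenarios, high_loss: float = 100_000.0, low_prob: float = 0.1):
    """Return (name, R, profile) tuples sorted by descending R."""
    rows = [(s.name, risk_pa_pe_c(s), profile(s, high_loss, low_prob)) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios: the figures are illustrative, not from any real assessment.
SCENARIOS = [
    Scenario("wire-transfer fraud against treasury account", pa=0.20, pe=0.90, c=1_000_000.0),
    Scenario("phishing of helpdesk staff", pa=0.90, pe=0.50, c=40_000.0),
    Scenario("defacement of marketing website", pa=0.60, pe=0.60, c=5_000.0),
]

if __name__ == "__main__":
    for name, r, kind in rank(SCENARIOS):
        print(f"{r:>12,.0f}  {kind:<28}  {name}")
```

The first two rows come out with almost the same R (20,000 versus 18,000) even though one is a rare, very costly event behind strong controls and the other a frequent, cheap one behind weak controls; the profile column is what lets the treatment differ while the priority stays nearly equal.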
RA Methodologies
● CCTA Risk Analysis and Management Method (CRAMM)
● Consultative, Objective and Bi-functional Risk Analysis (COBRA)
● RuSecure
● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Failure Mode and Effects Analysis (FMEA)
● British Standard (BS)

RA Methodologies (Cont..)
● Methods support in
  – Detecting critical places and parts in the organization
  – Detecting risk factors
  – Collecting data about risk factors
  – Evaluation and estimation of risk
  – Generating a report of the risk management process
COBRA
● COBRA
  – Two modules
    ● COBRA Risk Consultant
    ● ISO Compliance Analyst
  – Supports the process of evaluating security risk
  – Evaluation steps
    ● Building queries
    ● Risk evaluation
    ● Constructing reports
  – Contains a library of countermeasures
Common Failures in RA
● Poor executive support
● High cost of implementation
● Untimely response
● Insufficient accountability
● Inability to qualitatively measure the control environment
● Infrequent assessment
● Inaccurate data
Elements of good RA
● Provides clear instructions
● Simplifies user response
● Identifies support contacts
● Focuses on leaders as well as executors
● Provides feedback to users and risk leaders
● Has a broad scope
● Identifies the user for follow-up if necessary and applicable
OCTAVE
● Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
● Effective security risk evaluation
● Considers both organizational and technological issues
● Self-directed
Characteristics
● Identify information-related assets
● Focus risk analysis activities on critical assets
● Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
● Evaluate risks in an operational context – how the assets are used to conduct an organization’s business
● Create a protection strategy for risk mitigation
Criteria
● Principle
  – Fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process
● Attribute
  – Distinctive qualities, or characteristics, of the evaluation
● Output
  – Defines the outcomes that an analysis team must achieve during each phase
OCTAVE Method Process
● Phase 1: Build Asset-Based Threat Profiles
  – Process 1: Identify Senior Management Knowledge
  – Process 2: Identify Operational Area Knowledge
  – Process 3: Identify Staff Knowledge
  – Process 4: Create Threat Profiles

OCTAVE Method Process (Cont..)
● Phase 2: Identify Infrastructure Vulnerabilities
  – Process 5: Identify Key Components
  – Process 6: Evaluate Selected Components
● Phase 3: Develop Security Strategy and Plans
  – Process 7: Conduct Risk Analysis – an organizational set of impact evaluation criteria is defined to establish the impact value
  – Process 8: Develop Protection Strategy – the team develops an organization-wide protection strategy to improve the organization’s security practices
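The phases above, walked through in Python as an added example (this is not code from the OCTAVE method, from octave.org, or from the slides). It models Phase 1 (consolidating the knowledge gathered in Processes 1–3 into a critical-asset list, then the threat-profile branches of Process 4) and Phase 3 (Process 7: applying organization-defined impact evaluation criteria to each branch to obtain a qualitative impact value; Process 8: grouping the Medium and High findings into an organization-wide protection strategy by security practice area). The assets, the impact areas and their thresholds, the "named by at least two of the three groups" rule for critical assets, and the outcome-to-practice mapping are all constructed assumptions, not OCTAVE prescriptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Medium", "High")


@dataclass
class Threat:
    """One branch of an asset-based threat profile (Phase 1, Process 4)."""
    asset: str
    actor: str                      # who, e.g. "external attacker" or "insider"
    outcome: str                    # disclosure | modification | loss | interruption
    consequences: Dict[str, float]  # estimated effect per impact area, in that area's own unit


@dataclass
class ImpactCriteria:
    """Organization-wide impact evaluation criteria (Phase 3, Process 7).
    thresholds[area] = (medium_at, high_at): below medium_at is Low, at or above
    medium_at is Medium, at or above high_at is High. Bands are assumed here."""
    thresholds: Dict[str, Tuple[float, float]]


def critical_assets(nominations: Dict[str, List[str]], min_sources: int = 2) -> List[str]:
    """Consolidate Processes 1-3 (senior management, operational area and staff
    knowledge). Assumed rule for this example: an asset named by at least
    min_sources of the groups is treated as critical."""
    counts: Dict[str, int] = {}
    for names in nominations.values():
        for asset in set(names):
            counts[asset] = counts.get(asset, 0) + 1
    return sorted(a for a, n in counts.items() if n >= min_sources)


def impact_value(threat: Threat, criteria: ImpactCriteria) -> str:
    """Score every impact area against the criteria and keep the worst band."""
    worst = 0
    for area, amount in threat.consequences.items():
        medium_at, high_at = criteria.thresholds[area]
        band = 2 if amount >= high_at else 1 if amount >= medium_at else 0
        worst = max(worst, band)
    return LEVELS[worst]


def risk_analysis(threats: List[Threat], criteria: ImpactCriteria, critical: List[str]):
    """Process 7: impact value for each threat branch of a critical asset.
    Branches for non-critical assets are skipped, since OCTAVE focuses the
    analysis on critical assets."""
    return [(t.asset, t.actor, t.outcome, impact_value(t, criteria))
            for t in threats if t.asset in critical]


def protection_strategy(analysis, practice_for_outcome: Dict[str, str]) -> Dict[str, List[str]]:
    """Process 8: group Medium/High branches by the organization-wide security
    practice area that addresses their outcome (the mapping is supplied by the caller)."""
    plan: Dict[str, List[str]] = {}
    for asset, actor, outcome, band in analysis:
        if band == "Low":
            continue
        plan.setdefault(practice_for_outcome[outcome], []).append(
            f"{asset}: {actor} -> {outcome} ({band})")
    return plan


# Constructed inputs for the walk-through (not from any real organization).
NOMINATIONS = {
    "senior management": ["customer database", "billing system"],
    "operational area": ["customer database", "billing system", "build server"],
    "staff": ["customer database", "build server", "wiki"],
}
CRITERIA = ImpactCriteria(thresholds={
    "financial": (50_000.0, 500_000.0),      # money units
    "downtime_hours": (8.0, 72.0),           # hours of interrupted service
    "customers_affected": (1_000.0, 100_000.0),
})
THREATS = [
    Threat("customer database", "external attacker", "disclosure",
           {"financial": 300_000.0, "customers_affected": 250_000.0}),
    Threat("billing system", "insider", "modification",
           {"financial": 60_000.0, "downtime_hours": 2.0}),
    Threat("build server", "external attacker", "interruption",
           {"downtime_hours": 4.0, "financial": 10_000.0}),
    Threat("wiki", "insider", "disclosure", {"financial": 1_000.0}),
]
PRACTICES = {
    "disclosure": "access control and data protection",
    "modification": "integrity monitoring and change control",
    "interruption": "continuity and incident management",
    "loss": "backup and recovery",
}

if __name__ == "__main__":
    critical = critical_assets(NOMINATIONS)
    analysis = risk_analysis(THREATS, CRITERIA, critical)
    for practice, items in protection_strategy(analysis, PRACTICES).items():
        print(practice)
        for item in items:
            print("  -", item)
```

The impact value is qualitative on purpose: Process 7 asks the organization to agree on what counts as Low, Medium or High in each impact area before any branch is scored, which is what keeps the result comparable across assets assessed by different people.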
Choosing Methods
● Depending on organization size
● Depending on organization hierarchical structure
● Structured or open-ended method
● Analysis team composition
● IT resources
Our Methodology
● Policies and procedures
● Requirement analysis
● Network topology
● Categorizing the network
● Scanning based on categorization
● Analysis of vulnerabilities
  – Use different scanning tools
  – Penetration testing
● Risk strategy
● Mitigation of risk
References
● NIST – Risk Management Guide for Information Technology Systems
● http://www.gao.gov/special.pubs/ai00033.pdf
● http://en.wikipedia.org/wiki/Risk_management
● http://en.wikipedia.org/wiki/Risk_assessment
● http://www.sandia.gov/ram
● http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
● http://www.octave.org