Threat Modeling\Risk Analysis Santhosh Kumar Edukulla santhoshedukulla@apache.org

Risk Assessment and Threat Modeling


Page 1: Risk Assessment and Threat Modeling

Threat Modeling\Risk Analysis

Santhosh Kumar Edukulla [email protected]

Page 2: Risk Assessment and Threat Modeling

Agenda

• Terminologies
• Understand Risk
• Risk Assessment Process
• Q && A

Page 3: Risk Assessment and Threat Modeling

Information Security Principle

• CIA Triad : Confidentiality, Integrity and Availability

Page 4: Risk Assessment and Threat Modeling

Which is more “Risky”?

• In a lone forest area, waking up in front of a Tiger (Or) in a lone forest area, sleeping in front of a Lion?

• Going on a lone holiday trip to Kandhahar in Afghanistan, or Aleppo in Syria?

• Giving your wife a debit card, or a credit card for shopping?

Page 5: Risk Assessment and Threat Modeling

Few Key Terms

• Asset and its criticality (CPE: cpe:/a:microsoft:sql_server:8.0.6001:beta)
• Vulnerability (CVE: CVE-2014-100009)
• Threat (CWE)
• Exposure
• Likelihood
• Countermeasure/Security Controls
• Risk (Risk Acceptance, Risk Rating, Risk Value\Risk Score, Residual Risk, Risk Register, Risk Management etc.) (CVSS: Base Score: 5.5)

• CVE, CPE, CWE, CVSS, XCCDF, OVAL

Page 6: Risk Assessment and Threat Modeling

Risk Function

• Risk = f(A, V, T, C, P, P..)

• In simple terms, Risk = Likelihood * Severity

• Vulnerability <-> Threat (1 to m mapping)

• Risk can be measured quantitatively and qualitatively. EX: Assign weights and numeric values to risk.

• Note: Risk is not “certain”. It is purely “probabilistic” and “objective”.

Page 7: Risk Assessment and Threat Modeling

Questions?

• Latitude : -33.8718406 Longitude : 151.2082923

• RFC : rfc2616

• What does “Allium Cepa” mean?

Page 8: Risk Assessment and Threat Modeling

EX: Client Server App Risk Assessment

• Decompose the solution.
• Identify client side threats.
• Identify server side threats.
• Identify interactions (data and control flows) and their threats.
• Identify storage mechanisms involved and threats.
• Identify different actors\users involved and threats.

(Diagram: Client <-> Server <-> DB)

Page 9: Risk Assessment and Threat Modeling

Risk Classifications

• Application\Software security (Client, Server, Interactions, Data, Transport, Authentication etc.)
• Infrastructure security (Deployment Security Controls)
• Process, Business, Documentation, Legal security (Licenses, Data theft etc.)

Page 10: Risk Assessment and Threat Modeling

Risk Assessment Process

• Iterative process, document oriented, audit and analysis.

1. Identify Risk Goals and Objectives.
2. Identify team members, stakeholders.
3. Tag the application based upon criticality: RED\Orange\Blue
4. Decompose the application: break it down into its components and their interactions (internal and external).
5. Identify the data and control flows.
6. Identify Vulnerabilities and Threats.
7. Follow a template of your choice for noting down vulnerability, threat and countermeasure items.
8. Risk rate individual items and calculate the final Risk or Risk Score.
9. Prepare and update Risk Deliverables: Risk Report, Risk Acceptance, Risk Mitigation documents.

Page 11: Risk Assessment and Threat Modeling

Risk Matrix\Risk Management

• Known risk analysis and rating processes. No one “T-Shirt” fits all.

DREAD : Damage, Reproducibility, Exploitability, Affected Users, Discoverability

STRIDE : Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service.

• Risk Artifacts: Design Docs (HLD\LLD), Functional Spec, Requirement Docs, Operational Docs, Process Docs.

• At what stage do we do Threat Modeling? Requirements <-> Design <-> Implementation <-> Transition

• Risk Deliverables: Risk Summary Report, Risk Registers.

• Note: Code reviews are not part of Risk Assessment; they complement it but are not a must.
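An added worked example (mine, not from the slides) that ties the Risk = Likelihood * Severity function of slide 6 to the DREAD rating and RED\Orange\Blue tagging of slides 10 and 11, using constructed items for the client/server/DB decomposition of slide 8. The 0..10 scale, the split of DREAD factors into likelihood and severity factors, and the tag thresholds are assumptions; the page only names the factors.

```python
from dataclasses import dataclass

# DREAD factors, each rated 0..10 (the scale and the likelihood/severity split are assumptions)
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
LIKELIHOOD_FACTORS = ("reproducibility", "exploitability", "discoverability")
SEVERITY_FACTORS = ("damage", "affected_users")

@dataclass
class RiskItem:
    asset: str
    threat: str            # STRIDE category, e.g. "Tampering"
    ratings: dict          # DREAD factor -> integer 0..10
    countermeasure: str = ""

    def __post_init__(self):
        # Reject incomplete or out-of-range ratings rather than silently scoring them low
        missing = set(DREAD) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.asset}: missing DREAD ratings {sorted(missing)}")
        for k, v in self.ratings.items():
            if k not in DREAD or not 0 <= v <= 10:
                raise ValueError(f"{self.asset}: bad rating {k}={v}")

    def likelihood(self) -> float:
        return sum(self.ratings[k] for k in LIKELIHOOD_FACTORS) / len(LIKELIHOOD_FACTORS)

    def severity(self) -> float:
        return sum(self.ratings[k] for k in SEVERITY_FACTORS) / len(SEVERITY_FACTORS)

    def score(self) -> float:
        # Risk = Likelihood * Severity, both on 0..10, so the score lands on 0..100
        return self.likelihood() * self.severity()

    def tag(self) -> str:
        s = self.score()  # RED/Orange/Blue thresholds are assumed, not from the slides
        return "RED" if s >= 60 else "Orange" if s >= 30 else "Blue"

def risk_register(items):
    """Rows for the Risk Register deliverable (step 9), highest score first."""
    rows = [{"asset": i.asset, "threat": i.threat, "likelihood": round(i.likelihood(), 1),
             "severity": round(i.severity(), 1), "score": round(i.score(), 1),
             "tag": i.tag(), "countermeasure": i.countermeasure} for i in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample items for the client/server/DB decomposition of slide 8
SAMPLE = [
    RiskItem("Server API", "Tampering", dict(damage=8, reproducibility=9, exploitability=7,
             affected_users=9, discoverability=8), "Input validation, parameterised queries"),
    RiskItem("Transport", "Spoofing", dict(damage=9, reproducibility=5, exploitability=4,
             affected_users=9, discoverability=3), "TLS with server certificate validation"),
    RiskItem("Client", "Information Disclosure", dict(damage=4, reproducibility=5,
             exploitability=3, affected_users=2, discoverability=4), "Clear local cache on logout"),
]
```

Calling `risk_register(SAMPLE)` yields the Server API item as RED (score 68.0), Transport as Orange (36.0) and Client as Blue (12.0); an item with a missing or out-of-range DREAD rating is rejected at construction instead of being scored.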

Page 12: Risk Assessment and Threat Modeling

Sample 1: Risk Matrix

Page 13: Risk Assessment and Threat Modeling

Sample 2 : Risk Matrix

Page 14: Risk Assessment and Threat Modeling

Defenses : Defense in Depth (Countermeasures)

Page 15: Risk Assessment and Threat Modeling

Questions and Answers?

• Latitude : -33.8718406 Longitude : 151.2082923

Ans : 220 Pitt Street, Sydney New South Wales

• RFC : rfc2616

Ans : HTTP

• What does “Allium Cepa” mean?

Ans : Onion

*** Keep It Simple, Stupid (KISS). Don’t over-complicate Risk Assessment; depending on your maturity model, you can keep it anywhere from simple to complex.

Page 16: Risk Assessment and Threat Modeling

References

• https://www.owasp.org/index.php/Threat_Risk_Modeling
• https://cve.mitre.org/
• https://nvd.nist.gov/
• https://Google.com

Page 17: Risk Assessment and Threat Modeling

Thank You Q && A

if (I know) { return "will answer"; } else { return "will find out and let you know"; }

Santhosh Kumar [email protected]