Document: Risk Management The Big Picture – Part VI (ppt)


Risk Management: The Big Picture - SANS ©2001
Information Risk Management - SANS ©2001

6 - 1  Risk Management The Big Picture – Part VI: Risk Assessment and Auditing

Now that we know the tools and the primary concepts, this part of the course is designed to help you pull everything together. This section is especially important if you need to present security proposals to management. The next slide, titled "Risk Management: Where do I Start?", presents the roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer idea of how to analyze risks and establish a security infrastructure at this point. Let's go take a look at the roadmap!

6 - 2  Risk Management: Where do I Start?

• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls; write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement the top-priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response

This slide is the result of a long international flight. Several top experts in information security were on the plane, and this is the roadmap they developed. So far in the entire course we haven't read a slide to you, so please relax and listen while we read through the seven steps above. Students who complete the Security Essentials certification are well on their way to accomplishing each of these tasks: you will learn how to write policy and about the tools you can use for controls and tests. As we enter this last section, we are going to change our approach. So far in the courseware you have seen a lot of tools; now let's work to bring these tools into a framework for risk management.

6 - 3  The Three Risk Choices

• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)

It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets. To manage risk, one must be able to assess it. In this section of the course we will cover the basic theory of risk assessment. We will also talk about three methods of risk assessment: qualitative, quantitative, and knowledge-based (also known as best practices). Whether or not we explicitly choose, we have exactly three options, and we do choose between them: acceptance, mitigation, and transference. When we accept the risk, this means we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or a system patch are obvious examples of risk mitigation. Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real-world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail.

6 - 4  Risk Management Questions

• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat, annualized)
• How reliable are the answers to the above three questions? (recognition of uncertainty)

In order to decide between the choices we want to make (accept, mitigate, or transfer the risk), we analyze the risk to better understand it. What exactly are we afraid of? What is it: can we name it specifically, or is it just a vague, uneasy feeling? If the threat is successful, how badly will it hurt? What is the probable extent of the damage? How often is this likely to occur? Is this more like a hundred-year flood, or a hot day in Biloxi, Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often. But if something can damage us on a daily basis, this is a significant problem. Finally, how do we know? In the cyber world, how accurate are our risk calculations when new program or operating system vulnerabilities are discovered weekly?
6 - 5  Risk Requires Uncertainty

If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn't risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive. Probability ranges between 0.0 and 1.0, though people often express it as a percentage. Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of jumping out of an airplane without a chute, you are committing suicide, but you aren't doing anything risky. Risk involves uncertainty.

Let's tie this back to the information assurance world. If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will happen over the course of a year. In the same way that gravity is the compelling reason jumping from a plane without a chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised. So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate the addresses associated with the names of the network entities (such as computers) at your site. These names and addresses are often used to identify which computers are allowed to access other computers: your organization's trust model. If you have valuable assets, that may be what happens. Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name.

6 - 6  What is an Unacceptable Risk?

• You can define the threat.
• If it happened, it would be bad. (high impact)
• If one shot didn't kill you, then it hit you again and again. (frequent threat)
• There is high certainty the threat exists, it is high impact, and it could potentially occur multiple times.

So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To have an unacceptable risk, there has to be a defined threat. They will compromise the DNS server, most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model and had several days to work without being detected, such as over the Christmas holidays, they could make considerable headway at owning the entire organization's information assets. You might never get them dislodged. What if they chose simply to use your box to attack others? People are usually forgiving if it only happens once, but there are domains that have been compromised a number of times. These are not usually respected and may even be blocked. One of the classics is the Brazilian Research Network. This loose group of addresses has been the source of hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke, legitimate users continue to find their access blocked.

6 - 7  Single Loss Expectancy (SLE - one shot)

• Asset value x exposure factor = SLE
• Exposure factor: 0 - 100% of loss to asset
• Example: Nuclear bomb/small town ($90M x 100% = $90M)

How much financial loss am I willing to accept in a single event? It all comes down to money in the end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the information resource asset. Example: a company's top salesman accounts for 25% of their $40 million in revenue, or $10 million. His client contact list and fee schedule are stored on his laptop and are not encrypted. If it fell into the wrong hands it would be worth at least 10% of its value to the competition ($1 million), and possibly more if they can finesse the information. So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value. Another example: an author takes a royalty of $100,000 to write a book. He receives partial payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? $25,000 x 80%, or $20,000, unless he has been sending chapters in as they are done.

6 - 8  Annualized Loss Expectancy (ALE - multi-hits)

• SLE x annualized rate of occurrence = Annual Loss Expectancy (ALE)
• The annualized rate of occurrence is the frequency with which the threat is expected to occur in a year
• Example: web surfing on the job. SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 = $12,500. ALE: they do it every week except when on vacation: $12,500 x 50 = $625,000

If you are screaming, "But what if??", relax; we understand. Again, a main point of the chapter is uncertainty; this is what drives the "what ifs". The key question, however, is how much continuing risk am I willing to accept? Even if you can survive a given event (possibly sadder but wiser), can you survive it six times? This is the notion of annualized risk. It applies well to shoplifting: we expect to lose 9% of revenue over N occurrences. The information about expected losses due to cyber attacks is much harder to come up with, as organizations do not tend to share this type of information, so it is only available in the micro-view of a given organization.
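As an added example (not part of the SANS course material), here is the SLE and ALE arithmetic from the two slides above, carried through with the slides' own figures. The sle_range and safeguard_value helpers are my own extensions: the first expresses the "minimum SLE, uncertain maximum" point of the salesman example, and the second is the standard cost-benefit step (ALE reduction minus annual safeguard cost) that the course names only as "safeguard cost".

```python
"""Quantitative risk arithmetic (SLE, ALE) applied to the slide examples.

Added example, not part of the SANS course material. Dollar figures and
percentages are those quoted on the SLE and ALE slides; the safeguard
example at the bottom uses a constructed cost.
"""


def sle(asset_value: float, exposure_pct: float) -> float:
    """Single Loss Expectancy = asset value x exposure factor (0-100%)."""
    if not 0 <= exposure_pct <= 100:
        raise ValueError("exposure factor must be between 0 and 100 percent")
    return asset_value * exposure_pct / 100


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x annualized rate of occurrence."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss * aro


def sle_range(asset_value: float, low_pct: float, high_pct: float):
    """(min, max) SLE when only a lower bound on the exposure factor is known."""
    return sle(asset_value, low_pct), sle(asset_value, high_pct)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


# ALE slide: 1000 employees, 25% of them lose an hour a week at $50/hr.
WEB_SURFING_SLE = sle(asset_value=1000 * 0.25 * 50, exposure_pct=100)  # $12,500
WEB_SURFING_ALE = ale(WEB_SURFING_SLE, aro=50)                          # $625,000

# SLE slide: author paid $25,000 per quarter of the book, drive dies at 70%.
AUTHOR_SLE = sle(25_000, 80)                                            # $20,000

# SLE slide: laptop data is 25% of $40M revenue, worth at least 10% to a rival.
SALESMAN_SLE_MIN, SALESMAN_SLE_MAX = sle_range(0.25 * 40_000_000, 10, 100)

if __name__ == "__main__":
    print(f"web surfing: SLE ${WEB_SURFING_SLE:,.0f}, ALE ${WEB_SURFING_ALE:,.0f}")
    print(f"author's drive: SLE ${AUTHOR_SLE:,.0f}")
    print(f"salesman's laptop: SLE ${SALESMAN_SLE_MIN:,.0f} to ${SALESMAN_SLE_MAX:,.0f}")
    # Constructed figure: a web filter that halves the surfing loss for $100k/yr.
    net = safeguard_value(WEB_SURFING_ALE, WEB_SURFING_ALE / 2, 100_000)
    print(f"web filter net annual value: ${net:,.0f}")
```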
6 - 9  Qualitative - Another Risk Assessment Approach

• Banded values: high, medium, low
• Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
• Very commonly used

For most applications the best approach is the financial one, with the exceptions of critical systems (such as nuclear plant control) and weapon systems. However, it does take a lot more effort to quantify what the value of things is, and so the qualitative approach is far more popular. The single biggest problem with the qualitative approach is in the implementation: people tend to mark "low risk" even if it is other than that, or they mark "medium" or "high" for their pet peeves as opposed to actually calculating the risk.

6 - 10  Quantitative vs. Qualitative

• Qualitative is easier to calculate, but its results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high-risk areas
• Quantitative is far more valuable as a business decision tool since it works in metrics, usually dollars

The main point between the two approaches is that qualitative is much easier and, when done well, can certainly identify the areas that need attention. This is because as soon as an area is marked high risk, you know you need to look into it. There is still another approach to risk assessment. This is the knowledge-based or best practices approach. There is much more up-front work required to implement this, but the results are more accurate and consistent. [...]
The remaining slides survive only as truncated preview fragments; cut-offs are marked with [...].

[...] One of the powerful ideas that is developing is the use of consensus tools to test and score the security of a system. In this case we will look at a level 1 test. A level 1 test is one that everyone ought to be able to pass if they are running their system at an acceptable risk.

[...] Even after downloading all the security patches that Microsoft has on the update site, the scoring tool tells us we need to pick up two more. If we select the 'Hotfixes Needed' button we can get the names of the missing patches. Also, you will notice that we have a zero score for restrict anonymous. This is a big [...]

[...] attack. Therefore we will disable this. On the next slide you see the Local Security Policy after rebooting.

Now, as you can see, we have disabled trivial enumeration of our system.

After we went in and changed the [...]

[...] exist on the machine. It is trivial for a determined hacker to get that information. Therefore, many administrators do not bother hiding the last logged-on user name.

A similar project, also a community development effort, is the SANS Securing Windows NT Step-by-Step booklet. This is on its third revision and the current [...]

[...] checklist. At the end of each section, the security officer makes the determination as to the overall risk posture of the system.

6 - 21  Windows 2000 Form Summary

• Benefits: reasonably good tool for minimal OS security; good form "layout"
• Limits: needs a list of applicable patches, where to get them, and a tool to determine patch status

[...] You have spent the day learning about the big picture. The real question is, can you explain it to your management? Can you show them how the technologies we have talked about play together?

6 - 23  Business Case For Risk Management (2)

• We have been introduced to a basic risk assessment process; can we apply this process to the business case for intrusion detection? If there is a big picture, can [...]
• [...] familiar with these core technologies and how they play together: host- and network-based intrusion detection; vulnerability scanners and honeypots; firewalls

In a sense, this is the section that everything points to. Intrusion detection is expensive; it has a cost. It is wise to consider the cost and the benefits [...]

[...] and you are presenting the case for a departmental capability. These are the primary situations that this section of the course has been tailored to meet. Often, to satisfy these conditions you will need a business case for the expenses and investment.

6 - 25  Business Case Applications (2)

• Many managers are uncomfortable [...]

[...] by showing them a "smoking gun". Since management is responsible for risk, if you can show them the organization was in a measurable degree of risk they will be uncomfortable with that information. The more specific and clear that information is, the more they squirm. The idea is to take an inventory of the data sources [...]

[...] that these threats are actually in use. If everything is threat-driven, how do we find the threats? Successful information security professionals need to spend some of their time thinking about how to attack. Then it becomes a lot easier to enumerate the threats they might have to deal with. I once reviewed the information [...]

Posted: 10/12/2013, 14:16
