Risk Management The Big Picture – Part VI

Chia sẻ: Huy Hoang | Ngày: | Loại File: PDF | Số trang:61

0
64
lượt xem
11

Risk Management The Big Picture – Part VI

Mô tả tài liệu

Now that we know the tools and the primary concepts, this part of the course is designed to help you pull everything together. This section is especially important if you need to present security proposals to management. Your next slide, titled Risk Management – Where do I Start presents the roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer idea of how to analyze risks and establish a security infrastructure at this point. Let’s go take a look at the roadmap!...

Chủ đề:

Bình luận(0)

Lưu

Nội dung Text: Risk Management The Big Picture – Part VI

1. Risk Management The Big Picture – Part VI Risk Assessment and Auditing Information Risk Management - SANS ©2001 1 Now that we know the tools and the primary concepts, this part of the course is designed to help you pull everything together. This section is especially important if you need to present security proposals to management. Your next slide, titled Risk Management – Where do I Start presents the roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer idea of how to analyze risks and establish a security infrastructure at this point. Let’s go take a look at the roadmap! 6-1
2. Risk Management – Where do I Start? • Write the security policy (with business input) • Analyze risks, or identify industry practice for due care; analyze vulnerabilities • Set up a security infrastructure • Design controls, write standards for each technology • Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford • Conduct periodic reviews and possibly tests • Implement intrusion detection and incident response Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 2 This slide is the result of a long international flight. Several top experts in information security were on the plane and this is the roadmap they developed. So far in the entire course, we haven’t read a slide to you so please relax and listen: • Write the security policy (with business input) • Analyze risks, or identify industry practice for due care; analyze vulnerabilities • Set up a security infrastructure • Design controls, write standards for each technology • Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford • Conduct periodic reviews and possibly tests • Implement intrusion detection and incident response Students that complete Security Essentials certification are well on their way to accomplishing each of these tasks, you will learn how to do policy and about the tools you can use for controls and tests. As we enter this last section, we are going to change our approach. So far in the courseware you have seen a lot of tools, now let’s work to bring these tools into a framework for risk management. 6-2
3. The Three Risk Choices • Accept the risk as is • Mitigate or reduce the risk • Transfer the risk (insurance model) Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 3 It is critical to have an understanding of risk management to properly choose and deploy intrusion detection and response assets. To manage risk, one must be able to assess it. In this section of the course we will cover the basic theory of risk assessment. We will also talk about three methods of risk assessment: Qualitative, quantitative, and knowledge-based (also known as best practices). Whether or not we explicitly choose, we have exactly three options and we do choose between: Acceptance, mitigation, and transference. When we accept the risk, this means we make no changes in policy or process. This decision means that we judge the risk of a given threat to be inconsequential in the greater scheme of things. If we feel the threat is significant and could cause harm to our business or enterprise, then we have the option of taking action to protect operations by reducing the risk. A firewall or system patch are obvious examples of risk mitigation. Transferring the risk is sometimes a workable technique. The classic example is to buy insurance. This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real world example of this is hacker insurance. The insurance company still expects you to have a firewall and patches, but insures you should these fail. 6-3
4. Risk Management Questions • What could happen? (what is the threat) • If it happened, how bad could it be? (impact of threat) • How often could it happen? (frequency of threat - annualized) • How reliable are the answers to the above three questions? (recognition of uncertainty) Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 4 In order to decide between the choices (accept, mitigate, or transfer risk) we want to make, we analyze the risk to better understand it. What exactly are we afraid of? What is it - can we name it specifically or is it just a vague, uneasy feeling? If the threat is successful, how bad will it hurt? What is the probable extent of the damage? How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi, Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often. But, if something can damage us on a daily basis, this is a significant problem. Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new program or operating system vulnerabilities are discovered weekly? 6-4
5. Risk Requires Uncertainty If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive. Probability ranges between 0.0 and 1.0 though people often express it as a percent. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 5 Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of jumping out of an airplane without a chute, you are committing suicide, but you aren’t doing anything risky. Risk involves uncertainty. Let’s tie this back to the information assurance world. If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will happen over the course of a year. In the same way that gravity is the compelling reason jumping from a plane without a chute is near-certain death, the continuous probing and poking of exposed systems on the Internet is the compelling reason the box will be compromised. So what? How bad can a compromise be? Well, once they compromise the box they have the ability to manipulate the addresses associated with the names of the network entities (such as computers) at your site. These names and addresses are often used to identify which computers are allowed to access other computers - your organization’s trust model. If you have valuable assets, that may be what happens. Or they may just create weird system domains and hit systems all over the Internet, giving your organization a bad name. 6-5
6. What is an Unacceptable Risk? • You can define the threat. • If it happened, it would be bad. (high impact) • If one shot didn’t kill you, and then it hit you again and again. (frequent threat) • There is high certainty the threat exists, it is high impact, and potentially could occur multiple times. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 6 So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To have an unacceptable risk, there has to be a defined threat. They will compromise the DNS server, most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model and had several days to work without being detected - such as over the Christmas holidays - they could make considerable headway at owning the entire organization’s information assets. You might never get them dislodged. What if they chose simply to use your box to attack others? People are usually forgiving if it only happens once, but there are domains that have been compromised a number of times. These are not usually respected and may even be blocked. One of the classics is the Brazilian Research Network. This loose group of addresses has been the source of hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke, legitimate users continue to find their access blocked. 6-6
7. Single Loss Expectancy (SLE - one shot) • Asset value x exposure factor = SLE • Exposure factor: 0 - 100% of loss to asset • Example Nuclear bomb/small town ($90M x 100% =$90M) Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 7 How much financial loss am I willing to accept in a single event? It all comes down to money in the end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the information resource asset. Example: A company’s top salesman accounts for 25% of their $40 million in revenue, or$10 million. His client contact list and fee schedule is stored on his laptop and is not encrypted. If it fell into the wrong hands it would be worth at least 10% of its value to the competition ($1 million) and possibly more if they can finesse the information. So we find we can calculate a minimum approximate SLE, but there is uncertainty as to a maximum value. Another example: An author takes a royalty of$100,000 to write a book. He receives partial payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and the data is not recoverable? $25,000 x 80% or$20,000, unless he has been sending chapters in as they are done. 6-7
8. Annualized Loss Expectancy (ALE - multi-hits) • SLE x Annualized rate occurrence = Annual Loss Expectancy (ALE) • Annual loss is the frequency the threat is expected to occur • Example, web surfing on the job – SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 =$12,500 – ALE: They do it every week except when on vacation: $12,500 x 50 =$625,000 Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 8 If you are screaming, “But what if??”, relax - we understand. Again, a main point of the chapter is uncertainty, this is what drives the “what ifs”. The key question, however, is how much continuing risk am I willing to accept? Even if you can survive a given event (possibly sadder but wiser) can you survive it six times? This is the notion of annualized risk. It applies well to shoplifting. We expect to lose 9% of revenue over N occurrences. The information about expected losses due to cyber attacks is much harder to come up with, as organizations do not tend to share this type of information so it is only available in the micro-view of a given organization. 6-8
9. Qualitative - Another Risk Assessment Approach • Banded values: High, medium, low • Asset value and safeguard cost can be tied to monetary value, but not the rest of the model • Very commonly used Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 9 For most applications the best approach is the financial one, with the exceptions of critical systems (such as nuclear plant control) and weapon systems. However, it does take a lot more effort to quantify what the value of things are, and so the qualitative approach is far more popular. The single biggest problem with the qualitative approach is in the implementation - people tend to mark “low risk” even if it is other than that. Or they mark “medium” or “high” for their pet peeves as opposed to actually calculating the risk. 6-9
10. Quantitative vs. Qualitative • Qualitative is easier to calculate, but its results are more subjective • Qualitative is much easier to accomplish • Qualitative succeeds at identifying high risk areas • Quantitative is far more valuable as a business decision tool since it works in metrics, usually dollars Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 10 The main point between the two approaches is that qualitative is much easier and when done well, can certainly identify the areas that need attention. This is because as soon as an area is marked high risk, you know you need to look into it. There is still another approach to risk assessment. This is the knowledge-based or best practices approach. There is much more up-front work required to implement this, but the results are more accurate and consistent. 6 - 10
11. Best Practice Risk Assessment • System administration is a high- turnover job for large organizations, which affects continuity • System administrators tend to be focused on having the “trains run on time” • Security configuration may not be understood or implemented Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 11 In many organizations, there is a large amount of staff rotation and employee turnover, particularly in the fields of system administration and network security. This fact, combined with the need to simply keep the systems up and running with a minimum support staff, leads to dangerous situations where security and safety are often neglected. A best practice risk assessment can help an organization that does not have the in-house ability to perform a more formal risk assessment. This type of risk assessment is based on checklists built by the consensus of many security professionals. New automated tools make these risk assessments simple and easy to perform by most system administrators. 6 - 11
12. Best Practice • No single organization or person is likely to produce best practice • Consensus of many organizations and stringent review will • Examples: – SANS Research Consensus Projects – Center for Internet Security Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 12 One of the powerful ideas that is developing is the use of consensus tools to test and score the security of a system. In this case we will look at a level 1 test. A level 1 test is one that everyone ought to be able to pass if they are running their system at an acceptable risk. 6 - 12
13. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 13 We have downloaded the Windows 2000 tool from the Center for Internet Security, www.cisecurity.org and run the test. As you can see, we have a bit of work that we need to do. Your next slide is from Microsoft Update. Let’s download the critical fixes, reboot a few times, and see how we are doing. 6 - 13
14. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 14 This shot is Microsoft’s web site. We expect that everyone knows about update, but as you will see, getting a perfect score just isn’t that simple. 6 - 14
15. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 15 Even after downloading all the Security patches that Microsoft has on the update site, the scoring tool tells us we need to pick up two more. If we select the 'Hotfixes Needed' button we can get the names of the missing patches. Also, you will notice that we have a zero score for restrict anonymous. This is a big problem for Windows computers, so we will fix this next. 6 - 15
16. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 16 To get to this screen, we have gone to Start Programs Administrative Tools Local Security Policy Security Options. The current setting on the system is to allow anyone to enumerate all the information about our system. This would allow even more detailed reconnaissance than the example that we looked at with the Mitnick attack. Therefore we will disable this. On the next slide you see the Local Security Policy after rebooting. 6 - 16
17. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 17 Now as you can see, we have disabled trivial enumeration of our system. 6 - 17
18. Risk Management: The Big Picture SANS ©2001 Information Risk Management - - SANS ©2001 18 After we went in and changed the restrict anonymous setting to 2, which increased the security, our score increased to a 3.3. There’s more to be fixed, like the two additional hotfixes, but we’ll move along to our next best practice, the SANS Securing Windows NT Step-by-step booklet. 6 - 18