Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session - PowerPoint PPT Presentation

Risk Assessment – the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY

Session Overview • Warm-up Quiz • Introduction to our security challenge • What is Risk-based Security? • The language of risk – some definitions • What role does a risk assessment play? • Risk Mitigation Triangle • The process of risk assessment • Lessons Learned R I S K B A S E D S E C U R I T Y . C O M

Ready for a Quiz? R I S K B A S E D S E C U R I T Y . C O M

True or False? 1. Conducting a risk assessment is optional for most organizations. False 2. As long as we “check -the- box” and are compliant with legal, regulatory and contractual requirements, we should be good. False 3. Risk assessments can often focus on business processes, or groups of assets rather than individual assets. True 4. A risk-based approach to information security works best if it involves stakeholders from throughout an organization. True 5. Risk assessments are plagued by subjectivity which means they simply cannot be relied upon. False 6. A risk-based security program should be closely aligned with the goals of the organization. True R I S K B A S E D S E C U R I T Y . C O M

True or False? 7. The only acceptable risk assessment is performed by risk assessment experts. False False 8. Risk assessments only need to be done once. False 9. Security professionals are ultimately responsible for accepting residual risks. 10. If you don’t have all the data, risk assessments are a waste of time. False 11.A proper risk assessment can help you prioritize security spending. True 12.Risk is the effect of uncertainty on objectives both positive and negative. True 13.A risk-based strategy applies more security resources to your most sensitive assets. True R I S K B A S E D S E C U R I T Y . C O M

How did you do? R I S K B A S E D S E C U R I T Y . C O M

Introduction to our Challenge R I S K B A S E D S E C U R I T Y . C O M

Everyone has information security risk. R I S K B A S E D S E C U R I T Y . C O M

But the risk is even bigger than we think. R I S K B A S E D S E C U R I T Y . C O M

Bad Guys R I S K B A S E D S E C U R I T Y . C O M

Data Breaches 40,419 9,000,000,000 8000 Beaches All Time 8,000,000,000 7000 7,000,000,000 6000 6,000,000,000 5000 5,000,000,000 Records 4000 4,000,000,000 Incidents 3000 3,000,000,000 2000 2019 YTD: 2,000,000,000 3,004 Breaches and 2..7 Billion 1000 1,000,000,000 Records - 0 2014 2015 2016 2017 2018 R I S K B A S E D S E C U R I T Y . C O M

Software Vulnerabilities Annual Vulnerabilities 25,000 20,000 15,000 10,000 5,000 0 2011 2012 2013 2014 2015 2016 2017 2018 2019 YTD 8,319 R I S K B A S E D S E C U R I T Y . C O M

Software Vulnerabilities 200,000 175,000 150,000 Annual Vulns 125,000 Cumulative 100,000 75,000 50,000 2019 YTD 25,000 203,846 0 2011 2012 2013 2014 2015 2016 2017 2018 R I S K B A S E D S E C U R I T Y . C O M

The problem: more risk than money … R I S K B A S E D S E C U R I T Y . C O M

But it ’s even wor se… R I S K B A S E D S E C U R I T Y . C O M

Most organizations lack a formal risk assessment process and are forced to be reactive or arbitrary when applying security controls. …leading to ineffective security programs. R I S K B A S E D S E C U R I T Y . C O M

We need to evolve beyond Information Security “Whack a Mole” R I S K B A S E D S E C U R I T Y . C O M

We need to make sure we focus on the “assets” that matter, and; The greatest threats to our organizations. R I S K B A S E D S E C U R I T Y . C O M

Information security teams need to implement risk-based security. R I S K B A S E D S E C U R I T Y . C O M

What do we mean by risk-based security? R I S K B A S E D S E C U R I T Y . C O M

Risk - based security identifies the true risks to an organization's most valuable assets and directs spending where it's needed most. A risk-based approach performs an assessment of the threats facing an organization and the vulnerabilities in its current operating environment. R I S K B A S E D S E C U R I T Y . C O M

How do we move this concept forward, and make some real progress? R I S K B A S E D S E C U R I T Y . C O M

Risk Criteria Assets Assessment Probability Analysis Residual Risk Risk-based Risk Score Risk Security Treatment Threats Vulnerabilities Likelihood Consequence Exposure R I S K B A S E D S E C U R I T Y . C O M

A risk-based security approach, speaks the language of risk assessment. (And Information Security) R I S K B A S E D S E C U R I T Y . C O M

Unless we identify our assets, their locations and value, how can we assess the risk and decide the amount of time, money and effort that we should spend on protecting them? ISO/IEC 27002:2013 Services Physical assets • Outsourced computing services • Computer equipment/infrastructure • Communication services • Communication equipment • Environmental conditioning services • Non IT equipment Supporting Documentation • Furniture / fixtures/storage media • Compliance Documentation Information assets • Corporate Policies and Procedures • Databases • BC/DR Plans • Data files (Hard & Soft Copies) • Archived information Intangible assets Software assets • Key employees – Intellectual Property • Application/System software • Company knowledge -Innovation • Custom Management software • Brand/Corporate culture R I S K B A S E D S E C U R I T Y . C O M

ISO/IEC 27002:2013 defines Information Security as the preservation of: Confidentiality Information Security Availability Integrity R I S K B A S E D S E C U R I T Y . C O M

Chinese Definition of Risk Danger + Opportunity R I S K B A S E D S E C U R I T Y . C O M

My Personal Definition of Risk Risk – a combination of the consequence of an event and the probability of the event happening. R I S K B A S E D S E C U R I T Y . C O M

Calculating Risk Risk – a combination of consequence and probability Consequence – The impact to the organization’s assetsof a potential breach to an asset’s Confidentiality, Integrity or Availability. [ Asset Value (AV) ] X Probability – Likelihood of a threatoccurring. (TL) X The probability of a Vulnerability Exposing an asset to the threat . (VE) R I S K B A S E D S E C U R I T Y . C O M

Consequence X Probability Risk = AV x (TL x VE) R I S K B A S E D S E C U R I T Y . C O M

Risk Assessment Triangle Security Control Security Control Security Control Threat Vulnerability Likelihood Exposure (VE) Risk (TL) Acceptable Level of Risk Residual Risk? Asset Value (AV)

The Risk Assessment Process R I S K B A S E D S E C U R I T Y . C O M

R I S K B A S E D S E C U R I T Y . C O M

Purpose, Scope & Risk Assessment Context Process Risk Assessment • ID and Prioritize Assets • ID Threats (TL) • ID Vulnerabilities (VE) • Calculate Risk Scores Communication Monitor & Renew • Compare to Risk Criteria Risk Treatment Accept Residual Risk Record & Report R I S K B A S E D S E C U R I T Y . C O M

• Identify the purpose of the assessment Purpose, Scope & Context • Identify the Assessment Scope & Context (Identify Critical ➢ Business Process/ Department Mission Description Business Processes ) ➢ Information Flow ➢ Security Requirements ➢ People & Users ➢ Physical & Logical Perimeters ➢ Network Diagram ➢ Critical Information Asset Inventory ➢ Assumptions and constraints ➢ Sources of information R I S K B A S E D S E C U R I T Y . C O M

Identify Assets & Prioritize by Impact to the Impact to the Impact to the ‘ Value’ (AV) Asset from a Asset from a Asset from a Breach in Breach in Breach in Confidentiality Integrity Availability Asset Value Asset Data 5.0 Very High; 5.0 Very High; 5.0 Very High; SCORE Name Classification 4.0 High; 4.0 High; 4.0 High; (AV) Yes – It’s time to 3.0 Medium; 3.0 Medium; 3.0 Medium; identify all your 2.0 Low; 2.0 Low; 2.0 Low; assets. 1.0 Very Low 1.0 Very Low 1.0 Very Low Web Server Sensitive 3.0 4.0 5.0 4.0 Cloud Service Confidential 5.0 5.0 5.0 5.0 Provider #1 Marketing Public 1.0 2.0 3.0 2.0 Material R I S K B A S E D S E C U R I T Y . C O M

Value (AV) Severity Description Catastrophic Severe impact to operations, extended outage, permanent loss of resource, triggers (5.0) business continuity and/or public relations procedures, complete compromise of information, damage to reputation and/or significant cost to repair with continuity of business in jeopardy Major Serious impact to operations, considerable system outage, compromise of a large amount (4.0) of information, loss of connected customers, lost client confidence with significant expenditure of resources required to repair Moderate Some impact to operations, tarnished image and loss of member confidence with significant (3.0) effort to repair Minor Small but tangible harm, may be noticeable by a limited audience, some embarrassment, (2.0) with repair efforts absorbed into normal operations Insignificant Insignificant impact to operations with minimal effort required to repair, restore or (1.0) reconfigure R I S K B A S E D S E C U R I T Y . C O M