Information Systems Risk Management

Information Systems Risk Management
CMGT 442
Philip Robbins – November 21, 2012 (Week 2)
University of Phoenix Mililani Campus

Objectives: Week 2 Risk Assessment (Part 1)
- Review Week 1: Concepts
- LT Activity: Week 1 & Week 2 Article Readings
- Stuxnet
- Week 2: Components of Risk
- Quiz #2
- Review Week 2: Questions
- Assignments: IDV & LT Papers
- Review Information Sharing Articles

Review: Information Security Services

Review: Information Assurance Services (IAS)
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Review: NIST SP 800-30

Learning Team Activity
Activity: Review Week 1 & 2 ‘Article’ Readings
- 15 minutes: Read articles
- 10 minutes: Answer article questions
- 10 minutes: Present your article to the class
Submit for credit.

LT Activity: Week 1 Article Readings
Barr (2011)
- What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems?
- What are the risks associated with disruption of these systems?
Ledford (2012)
- What special issues must be considered for corporate data which are not fully digitized?
- What are the risks associated with the loss of this data?
- What recovery procedures do you recommend for these situations?

LT Activity: Week 2 Article Readings
Keston (2008)
- How important is enterprise identity management for reducing risk throughout the enterprise?
- Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process.
Vosevich (2011)
- What software must be considered to provide adequate security management across the enterprise?

Future Risks
Weapons in Cyberspace: Are we at war?
Cyber Crime vs. Cyber Warfare vs. Cyber Conflict

Break? This is probably time for a break…

Review: Risk Definition
What is Risk?
Units for measurement: Confidentiality, Integrity, Availability
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk
Risk is conditional, NOT independent.
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Defining Risk: “Risk Loss Confidence”
- Expected Value of Risk = Product of Risks
- Risk is never zero: “We can never be 100% confident for protection”
- Risk Dimension (units): confidence in the loss of ISS, C-I-A (“Risk Loss Confidence”)
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Risk Behavior
Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
Figure: Network Enclave #1, Network Enclave #2 and Network Enclave #3, interconnected.

Risk Behavior
Network Enclave #1: R1 = LOW
Network Enclave #2: R2 = MED
Network Enclave #3: R3 = HIGH
RiskEV = R1 x R2 x R3
RiskEV = LOW x MED x HIGH
RiskEV = HIGH

Risk Behavior: REV & RLC
Expected Value and Risk Loss Confidence vs. Cumulative Risk Product
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

Total Risk
How do we quantify total risk?
- Average the risk to each Information Security Service.
Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

MAC Levels

Classification tiers: e.g. SECRET & higher; e.g. PII, FOUO; e.g. UNCLASS

Risk Component: Threats
Rapid growth of Advanced Persistent Threats (APTs): half a million cyber-related incidents in 2012.
- Is this a problem?
- What about vulnerabilities associated with interconnections?
- How does risk management help deal with APTs?
Source: US-CERT

Risk Component: Threats
Threat – Exploitation Matrix (rows: exploit type; columns: vulnerability vector)
Exploit Type | Human / User | Technical / System | Environmental
Unintended | Negligence, Ignorance, Lack of Training | System Faults; Logical, Physical | Natural Calamities
Exposure | OPSEC Violations, Weak Disclosure Policy, Weak Classification Guidance | Poor Design, Design Flaws, Poor Quality | (none listed)
Intrusion | Social Engineering, Manipulation, Lack of Training, Drills | Malicious Software (Malware), Mis-Configurations | (none listed)
Slide annotations: “Easiest Exploits”, “Most Attended To”.
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Risk Component: Vulnerabilities
What are vulnerabilities? Any flaw or weakness that can be exploited.
- Poorly communicated or implemented policy
- Improperly configured systems or controls
- Inadequately trained personnel

Risk Component: Controls / Safeguards
- Controls are put in place to prevent exploitation of vulnerabilities.
- Cost of control should never exceed the cost of the impact (loss) with no control.
- How do I figure out what controls I need? Is there a comprehensive checklist I can use?
- Yes there is… it’s called “DoDI 8500.2” Information Assurance Implementation.

Risk Component: Controls / Safeguards
Control checklists exist depending on your MAC and the classification of your network enclave: “DoDI 8500.2” Information Assurance Implementation checklists.

Residual Risk
Risks that remain after all of the response strategies have been implemented.
Figure labels: Threat, Vulnerability, Control, Mitigation, Residual Risk.
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

Risk Component: Impact
Loss (negative consequence) for the organization:
- $ (USD)
- Reputation
- Degraded Information Security Services
- …

Quantitative Risk Thresholds
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly.
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (CISM 2009 exhibit 2.12)

Semi-Quantitative Risk Matrix
Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Each cell is rated SEVERE, HIGH, MEDIUM or LOW.
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (CISM 2009 exhibit 2.12)

Risk Concept: Exploitation & Risk
By increasing severity:
Exploit | Risk Severity
Discovery | Low (Bad)
Denial | Low-Medium
Exposure | Medium
Exfiltration | Medium-High
Deception | High
Takeover | Severe (Worse)
Discussion: Map each exploit to an Information Security Service.

Risk Responses
Matrix of Severity (rows) vs. Frequency (columns):
- High severity: Accept / Transfer at low frequency; Avoid at high frequency
- Low severity: Accept at low frequency
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (CISM 2009 exhibit 2.12)

Risk Responses
- Risk Avoidance: halt or stop the activity causing the risk
- Risk Transference: transfer the risk (e.g. buy insurance)
- Risk Mitigation: reduce impact with controls/safeguards
- Risk Acceptance: understand the consequences and accept the risk
Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. (CISM 2009 exhibit 2.12)
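As an added example (not part of the lecture slides), the scorer below applies the semi-quantitative matrix, the severity/frequency response quadrants and the control-cost rule from the Controls slide to a few constructed findings. The numeric band floors, the rating-of-4-or-more cut-off for "high" on each axis, and "Mitigate" for the low-severity/high-frequency cell are assumptions, since the slides give the labels but not the cell values.

```python
# Added example: semi-quantitative risk scoring (likelihood x impact -> band -> response).
# Band floors, quadrant cut-offs and the "Mitigate" cell are assumptions, not from the slides.
from dataclasses import dataclass

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}
# Assumed floors on the 1..25 product; the slide names the bands but not the cell values.
BANDS = [(20, "SEVERE"), (12, "HIGH"), (6, "MEDIUM"), (0, "LOW")]

@dataclass
class Finding:
    name: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    loss_usd: float          # cost of the impact (loss) with no control in place
    control_cost_usd: float  # cost of the proposed control / safeguard

def score(f: Finding) -> int:
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]

def band(f: Finding) -> str:
    s = score(f)
    return next(label for floor, label in BANDS if s >= floor)

def response(f: Finding) -> str:
    # Severity/frequency quadrants from the CISM exhibit; "high" means a rating
    # of 4 or 5 on the relevant axis (assumed cut-off).
    severe = IMPACT[f.impact] >= 4
    frequent = LIKELIHOOD[f.likelihood] >= 4
    if severe and frequent:
        return "Avoid"
    if severe:
        return "Accept / Transfer"
    if frequent:
        return "Mitigate"  # assumed value for the low-severity/high-frequency cell
    return "Accept"

def control_justified(f: Finding) -> bool:
    # Slide rule: cost of control must not exceed the cost of the impact with no control.
    return f.control_cost_usd <= f.loss_usd

FINDINGS = [  # constructed sample findings
    Finding("Unpatched internet-facing web server", "Likely", "Material", 250_000, 40_000),
    Finding("Stale guest account on lab network", "Frequent", "Minor", 5_000, 8_000),
    Finding("Data centre flood", "Rare", "Catastrophic", 2_000_000, 150_000),
]

def assess(findings=FINDINGS):
    # One row per finding: (name, score, band, response, control justified?)
    return [(f.name, score(f), band(f), response(f), control_justified(f)) for f in findings]
```

Note that the flood lands in the LOW band by score yet still gets Accept / Transfer, because the response quadrant is driven by severity, not by the product.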

Plan of Actions & Milestones (POA&M) Non-compliant (NC) controls / findings are listed on a POA&M.

Information Systems Risk Components
Let’s recap: What are the components of Information Systems Risk?
- Threats & Threat Agents
- Vulnerabilities (Weakness)
- Controls (Safeguards)
- Impact
How is each component important to understanding and managing risk?

Risk Component Relationship
Source: Harris, S. (2010). CISSP all in one exam guide, fifth edition. McGraw-Hill, New York, NY.

Break? This is probably time for a break…

Quiz: Week 1 10-15 minutes

Week 2 Review Questions

Question #1
What is the likelihood of a threat taking advantage of a vulnerability called?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure

Question #2
Which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Threat coupled with a breach of security.
D. Vulnerability coupled with an attack.

Question #3
What can be defined as an event that could cause harm to information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness

Question #4
What is the definition of a security exposure?
A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. Any potential danger to information or systems
D. Loss potential due to a threat

Question #5
The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a:
A. Threat
B. Exposure
C. Vulnerability
D. Risk