Risk Based Security and Self Protection
Miguel Sanchez, Sr. Sales Engineer
February 16, 2015
Presenter for today: Miguel Sanchez, Sr. Sales Engineer, First Communications
First Communications: At A Glance
Technology Provider since 1998, serving thousands of Businesses throughout the Midwest
24x7x365 Network Management Center (NMC)
Data Center and Colocation Facilities in Cleveland and Downtown Chicago
Serving Diverse Businesses ranging from SMB to Enterprise
Headquartered in Akron, Ohio
Our Mission
To Empower our customers through leading-edge technology solutions delivered with a first-class experience.
Today’s Topic Agenda
• Current State of Information Security
• Overview of Risk Based Security models
• Risk Management Process
• Multi-tiered Risk Management Model
• Three levels of Risk Management
• Runtime Application Self Protection
Current State of Information Security
• The threat landscape has changed considerably over the past few years due to the disappearance of the perimeter defense, for the following reasons:
– Change
– Mobility and consumerization
– Ecosystem
– Cloud
– Infrastructure
Current State of Information Security
• The attacking power of cyber criminals has grown significantly; they are no longer just hackers operating out of someone’s basement.
• We need to take the following threat actors into consideration:
– Criminal syndicates
– State-sponsored attackers
– Hacktivists
– Lone wolf hackers
Perimeter Security
• One of the first and most basic lines of network perimeter defense is a firewall.
– A device that inspects inbound and outbound traffic on a network.
• In addition to firewalls, the traditional response to new threats has been to add stand-alone security technologies to the network.
Next Generation Firewalls
• There have been tremendous advancements in Next Generation Firewalls, which should be a part of any Information Security Plan and include the following Unified Threat Management (UTM) capabilities:
• Stateful Packet Inspection
• Application Control
• Intrusion Detection/Prevention
• Data Loss Prevention
• Content Filtering
• Anti-malware/Anti-spam
• IPv6 support
• Virtualized environments
• Endpoint security
• VPN
Information Security: Reactive to Proactive
For most small to medium organizations, Information Security is a reactive rather than a proactive process.
• How many breaches do you hear about in the news where the compromised systems were discovered weeks or months after the actual event?
• How do we get to a model that is more proactive and workable for organizations regardless of size?
Information Security Constraints
What are some of the constraints for implementing effective Information Security?
• Shrinking budgets
• Lack of security focus
• Lack of resources
• Lack of a common approach to information security
Risk Based Security
• There has been a slow and steady change in the way organizations approach Information Security, using a Risk Based model.
• Today’s CSOs/CISOs are being asked to prioritize risks—by identifying which ones need to be addressed and which ones should be accepted as the cost of doing business.
Risk Based Security
What are some of the factors that drive a Risk Based Security model?
• Compliance
• Recent security event
• Threat landscape
• Proactive approach
What are the top drivers for your Information Security / Risk Management program?
Figure: survey results from Wisegate Community Viewpoints (slide image).
Risk Management Model
Risk management is the ongoing process of identifying, assessing, and responding to risk.
• Managing Risk
– Businesses and organizations need to understand the likelihood (probability) that an event will occur and its resulting consequence or impact.
• Risk Tolerance
– Using the Risk Management Model, organizations can determine the acceptable level of risk for the delivery of services; this can be expressed as their risk tolerance.
Risk Management Process
• There are several Risk Management frameworks that organizations use, including NIST SP 800-39, ITIL, the ISO 27000 series, PCI, HIPAA, internally developed systems, or a combination of these.
• For this discussion we will be using the NIST SP 800-39 framework.
Risk Management Process
• Managing risk is a complex and multifaceted process. It requires the involvement of the entire organization, using a Multitiered Risk Management Process.
• Risk management is a comprehensive process that requires organizations to:
Frame Risk
Establishing a realistic and credible risk frame requires organizations to identify the following:
• Risk assumptions
• Risk constraints
• Risk tolerance
• Priorities and trade-offs
Assess Risk
• The Risk Assessment component identifies:
– Threats
– Vulnerabilities
– Consequences/impact
– The likelihood that harm will occur.
• The end result is a determination of risk
Respond to Risk
• The purpose is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
– Developing
– Evaluating
– Determining
– Implementing
Monitor Risk
• The purpose of the risk monitoring component is to:
– Verify
– Determine ongoing effectiveness
– Identify risk-impacting changes
Risk Management Process (NIST SP 800-39)
Figure: the four components Frame, Assess, Respond and Monitor, connected by information and communication flows (slide image).
Making Risk Management Work
• Risk management can be broken down into three distinct areas:
– Tier 1 Organization level (Strategic)
– Tier 2 Mission/business process level (Tactical)
– Tier 3 Information system level (Operational)
Multitiered Risk Management (NIST SP 800-39)
Figure: the three tiers, from strategic risk at the top to tactical risk at the bottom (slide image), with:
• Traceability and Transparency of Risk-Based Decisions
• Organization-Wide Risk Awareness
• Inter-Tier and Intra-Tier Communications
• Feedback Loop for Continuous Improvement
Tier 1 Organization
• Organizational perspective that establishes and
implements structures for:
– Governance
– Risk Executive
– Risk Tolerance
– Investment strategies
Tier 2 Mission/Business Processes
• Tier 2 addresses risk from a business process perspective by designing, developing, and implementing business processes that support the business functions defined at Tier 1.
– Risk-Aware Mission/Business Processes
– Enterprise Architecture
– Information Security Architecture
Figure: Information Security Architecture (NIST SP 800-39 slide image).
Tier 3 Information Systems View
• The risk management activities at Tier 3 reflect the organization’s risk management strategy and any risk related to the cost, schedule, and performance requirements for individual information systems that support the mission/business functions of organizations.
• Risk management activities are also integrated into the system development life cycle of information systems at Tier 3.
• There are typically five phases in system development life cycles: (i) initiation; (ii) development/acquisition; (iii) implementation; (iv) operation/maintenance; and (v) disposal.
Three Levels of Risk Management
When we look at the Multitiered Risk Management model, it is similar to the three levels of Risk Management in other models, with the following correlations:
• Tier 1 Organization
– Risk Management strategy
• Tier 2 Business Processes
– Tactical/Architecture
• Tier 3 Information Systems
– Processes/Operational
Risk Management Process Applied Across All The Tiers (NIST SP 800-39)
Figure: Frame, Assess, Respond and Monitor applied at Tier 1 - Organization, Tier 2 – Mission/Business Processes and Tier 3 – Information Systems (slide image).
Figure: NIST Cybersecurity Framework (slide image).
Risk Based Security
We will look at a sample outline that can be used for implementing a Risk Based Security Plan:
1. Identify what is of value
2. Collect data on that value
3. Perform a risk assessment
4. Present to the organization
5. Identify control objectives
6. Identify and select controls
7. Implement controls
8. Operate controls
9. Monitor and measure
10. Operate a feedback loop
Frame and Assess
• Identify what is of value
– Tangible versus intangible assets
– Collaborative effort
• Collect data on that asset
– Asset valuation
– Impact
– Threat landscapes
– Frequency and likelihood
– Vulnerabilities
Assess and Frame
• Perform Risk Assessment
– Objectives
– Methodology
• Present to the organization
– Key risks to the achievement of organizational goals
– Open discussion
– Not a precise prediction of the future
Respond
• Identify Control Objectives
– A control objective is the aim or purpose of controls put in place
and intended to mitigate risk
– Best solution
• Identify and select controls
– TCO
– Flexibility
– Amount spent
– Does the control reduce the risk by an expected amount?
• Implement controls
– Ensure that implementation follows the objectives and
requirements previously set
• Operate controls
Monitor
• Monitor and measure
– Measure on an ongoing basis
– Focus on clearly identifiable changes in risk
• Operate a feedback loop
– Risk Based Security Management is cyclical and ongoing
– Data collected should create a feedback loop
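The Frame, Assess, Respond and Monitor components above, and the ten-step plan they map onto, can be run end to end on a small risk register. The following is an added worked example, not part of the presentation or of NIST SP 800-39 itself: the scale (likelihood 1..5 times impact 1..5), the tolerance of 9, the three risks, and the controls with their costs and reductions are all constructed for illustration. It frames a tolerance, assesses inherent scores, responds by accepting risks within tolerance or choosing the cheapest control set that brings the residual score within tolerance (the "does the control reduce the risk by an expected amount?" check), and then monitors a change in the threat landscape to see which risks cross tolerance again.

```python
"""Frame / Assess / Respond / Monitor on a constructed risk register (added example)."""
from dataclasses import dataclass, field
from itertools import combinations

# Frame: the highest likelihood x impact score accepted without treatment (constructed).
RISK_TOLERANCE = 9


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: int              # TCO proxy used by the selection step
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after the selected controls; neither factor drops below 1."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            likelihood = max(1, likelihood - c.likelihood_reduction)
            impact = max(1, impact - c.impact_reduction)
        return likelihood * impact


# Constructed candidate controls and which risks they apply to.
OFFLINE_BACKUPS = Control("offline backups", 12000, impact_reduction=3)
ANTI_MALWARE = Control("endpoint anti-malware", 8000, likelihood_reduction=2)
MFA = Control("multi-factor authentication", 5000, likelihood_reduction=3)
TRAINING = Control("security awareness training", 3000, likelihood_reduction=1)
CANDIDATES = {
    ("customer database", "ransomware"): [OFFLINE_BACKUPS, ANTI_MALWARE, TRAINING],
    ("remote access VPN", "credential theft"): [MFA, TRAINING],
    ("marketing website", "defacement"): [TRAINING],
}


def build_register() -> list:
    """Assess inputs: assets of value with threat, likelihood and impact (constructed)."""
    return [
        Risk("customer database", "ransomware", likelihood=4, impact=5),
        Risk("remote access VPN", "credential theft", likelihood=4, impact=4),
        Risk("marketing website", "defacement", likelihood=3, impact=2),
    ]


def assess(register: list) -> list:
    """Rank by inherent score so the key risks are presented first."""
    return sorted(register, key=Risk.inherent_score, reverse=True)


def respond(risk: Risk, candidates: list, tolerance: int = RISK_TOLERANCE):
    """Accept within tolerance; otherwise pick the cheapest control set that brings
    the residual score within tolerance. 'escalate' means no combination suffices."""
    if risk.inherent_score() <= tolerance:
        return "accept", []
    best = None
    for n in range(1, len(candidates) + 1):
        for subset in combinations(candidates, n):
            trial = Risk(risk.asset, risk.threat, risk.likelihood, risk.impact, list(subset))
            if trial.residual_score() > tolerance:
                continue  # does not reduce the risk by the expected amount
            cost = sum(c.annual_cost for c in subset)
            if best is None or cost < best[0]:
                best = (cost, list(subset))
    if best is None:
        return "escalate", []
    risk.controls = best[1]
    return "mitigate", best[1]


def monitor(register: list, likelihood_changes: dict, tolerance: int = RISK_TOLERANCE) -> list:
    """Feed observed threat-landscape changes back in; return risks now above tolerance."""
    breached = []
    for risk in register:
        delta = likelihood_changes.get((risk.asset, risk.threat), 0)
        risk.likelihood = min(5, max(1, risk.likelihood + delta))
        if risk.residual_score() > tolerance:
            breached.append(risk)
    return breached


def run_cycle():
    """One pass through the cycle; returns the decisions and the re-breached risks."""
    register = build_register()
    decisions = {}
    for risk in assess(register):
        decision, chosen = respond(risk, CANDIDATES[(risk.asset, risk.threat)])
        decisions[risk.threat] = (decision, [c.name for c in chosen], risk.residual_score())
    # Monitor: a new ransomware campaign raises that likelihood by one step (constructed).
    breached = monitor(register, {("customer database", "ransomware"): +1})
    return decisions, [r.threat for r in breached]
```

Calling run_cycle() shows the point of the feedback loop: the ransomware risk is mitigated to a residual score of 5 by the cheapest sufficient pair of controls, but a one-step rise in likelihood during monitoring pushes it back above tolerance, which is exactly the "clearly identifiable change in risk" that should send the cycle around again.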
Figure: NIST Cybersecurity Framework (slide image).
Figure: Risk Management Evolution (slide image).
Up and Coming Technology for Information Security
Runtime Application Self Protection
• Realistic detection rates for today’s advanced threats are typically around 5-10 percent.
• Compounding the security threat to applications is the heavy reliance on mobile devices for access and the use of these mobile devices within the enterprise network.
• Applications need self-defense, or as Gartner calls it, runtime application self-protection (RASP).
Runtime Application Self Protection
• Runtime Application Self Protection (RASP)
– The next layer of Information Security?
– A security technology that is built or linked into an application or application runtime environment
– RASP runs on the application server and monitors the execution of the application from the stack.
– Gartner predicts “25% of Web and cloud applications will become self-protecting, up from less than 1% today.”
Runtime Application Self Protection
• Applications should not be delegating — as is done today — most of their runtime protection to external devices.
• Applications should be capable of self-protection — that is, have protection features built into the application runtime environment.
• RASP, as with any new technology, does have its drawbacks:
– Performance
• 5-10% overhead
– Implementation
• Web
• Virtualized environments
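To make the RASP idea concrete (protection linked into the application runtime that watches execution from the stack, rather than an external device inspecting traffic), here is an added example that is not from the presentation or from any RASP product. The Tainted marker, the ProtectedCursor wrapper and the users table are constructed for this illustration. Request data is marked untrusted on entry; a wrapper around the database sink, running inside the process, refuses any statement whose text carries that marker, records the application function and line that built it (a real agent would report this to the SOC), and lets untrusted data through only as a bound parameter. Commercial RASP agents hook the runtime far more deeply; this shows only the shape of the check.

```python
"""Minimal in-process self-protection hook around a database sink (added example)."""
import inspect
import logging
import sqlite3

log = logging.getLogger("rasp")


class Tainted(str):
    """A string that entered the process from an untrusted source. Taint survives
    '+' and '%' formatting here; f-strings and str methods drop it (a real RASP
    hooks the runtime to follow data through those as well)."""

    def __add__(self, other):
        return Tainted(str(self) + str(other))

    def __radd__(self, other):
        return Tainted(str(other) + str(self))

    def __rmod__(self, fmt):
        return Tainted(str(fmt) % str(self))


def from_request(value: str) -> Tainted:
    """Entry point where request data is marked untrusted (constructed)."""
    return Tainted(value)


class BlockedByRasp(Exception):
    pass


class ProtectedCursor:
    """Wraps a DB-API cursor; application code calls execute() exactly as before.
    Policy: untrusted data may reach the database only as a bound parameter,
    never spliced into the statement text."""

    def __init__(self, cursor):
        self._cursor = cursor
        self.events = []  # what a RASP agent would report for detection

    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            caller = inspect.stack()[1]  # the application frame that built the statement
            event = {"where": f"{caller.function}:{caller.lineno}", "sql": str(sql)}
            self.events.append(event)
            log.warning("blocked tainted SQL at %s", event["where"])
            raise BlockedByRasp(event["where"])
        # Bound parameters are the safe path; drop the marker only when binding.
        clean = tuple(str(p) if isinstance(p, Tainted) else p for p in params)
        return self._cursor.execute(sql, clean)


# Two application functions: the vulnerable pattern and the correct one.
def find_user_unsafe(db, username):
    return db.execute("SELECT id, name FROM users WHERE name = '" + username + "'").fetchall()


def find_user_safe(db, username):
    return db.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()


def make_db() -> ProtectedCursor:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return ProtectedCursor(conn.cursor())


def demo() -> dict:
    db = make_db()
    hostile = from_request("x' OR '1'='1")   # constructed request input
    safe_rows = find_user_safe(db, hostile)  # bound as a literal, matches nothing
    try:
        find_user_unsafe(db, hostile)
        blocked = False
    except BlockedByRasp:
        blocked = True
    return {"safe_rows": safe_rows, "unsafe_blocked": blocked,
            "events": [e["where"] for e in db.events]}
```

demo() returns no rows from the parameterized query, a blocked call for the concatenated one, and one recorded event naming find_user_unsafe as the origin. The performance drawback on the slide is visible in miniature: every sink call now pays for the type check, and the blocked path additionally walks the stack.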
Conclusion
• A Risk Based Security model helps to provide a flexible, fluid and ongoing Information Security framework that needs collaboration
• A different perspective on Information Security
• Various models to accomplish an organization’s overall strategic objectives
Conclusion
• Runtime Application Self Protection (RASP) is an emerging technology that can address the quickly disappearing perimeter for Information Security
Thank you!
Miguel Sanchez
Sr Sales Engineer
(312) 673-4014
msanchez@firstcomm.com

Editor's Notes

  • #6: 1) Change, such as new product launches or the introduction of new technology, is on the rise and complicates the strength of cybersecurity. 2) Mobility and consumerization. The adoption of mobile computing has blurred organizational boundaries. IT is getting closer to the user and further from the organization. The use of the Internet, smartphones and tablets (in combination with BYOD) has made organizations' data accessible everywhere. 3) We live and operate in an ecosystem of digitally connected entities, people and data, all increasing the likelihood of exposure to cybercrime in both the work and home environment. 4) Cloud-based services, third-party data management and storage open up new channels of risk that previously did not exist. It is very common to hear about security concerns around shadow IT. 5) Traditionally closed operational technology systems are now being given IP addresses. Cyber threats are now making their way out of back-office systems and into critical infrastructure such as power generation and transportation systems, which of course is a high concern for Homeland Security.
  • #7: Dell SecureWorks has reported over 830,000 victims of the CryptoWall ransomware, with ransom demands starting at $500 each. We keep hearing about state-sponsored Distributed Denial of Service attacks by Russia or China. Hacktivists such as Anonymous make political statements. And lastly, the lone wolf hacker or Black Hat who is just having some malicious fun. The attacking power of cyber criminals is increasing at an astonishing speed. Attackers have access to significant funding; they are more patient and sophisticated than ever before; and they are looking for vulnerabilities in the whole operating environment, including people and processes.
  • #8: So what are the defenses currently in place? 1) Firewalls were the first widely deployed network security technology, back when the Internet was a baby. Its basic job is to inspect traffic and decide what is allowed to go from outside to inside, and from inside to outside. However, network traffic has changed quite a bit in the past couple of decades. 2) Unfortunately, each stand-alone technology adds complexity and cost: every new technology means a new device to deploy, a new set of policies to configure, and a new management console to monitor.
  • #9: In response to the limitations of the traditional method of network security, Next Generation Firewalls have evolved to fill the need. NGFWs or Web Application Firewalls are an important part of an Information Security plan, but not the be-all and end-all. They become one important part of an Information Security Architecture.
  • #10: How do we avoid the recent data breaches of Sony Entertainment or the health care provider Anthem? For example, in Anthem's case, they are considered HIPAA compliant, but their data was not encrypted because it didn't need to be. Being compliant does not mean you avoid or mitigate risk and the impact or consequences that will be experienced.
  • #11: In addition to less money, IT is given more responsibilities. Not every organization has a dedicated security team; there is a shortage of staff or a lack of training; and teams are reactive rather than proactive. This is where having a framework is necessary to help identify your cybersecurity risks.
  • #13: Compliance is a big factor for heavily regulated industries such as healthcare and financial institutions; the driver could be internal or external. Other drivers are recently issued threats or the assessment of a risk, and companies that are leading edge or simply want to do the right thing.
  • #14: As you can see from the survey, compliance has the greatest response as the driver for a risk management program, but it becomes just one factor in the risk profile. Even in a risk-based program, compliance doesn't go away entirely, since the regulations are still there. Department heads and managers have to start thinking in terms of acceptable risk levels rather than compliance requirements from a checklist. It's a change in the mindset of an organization. It is an "aha!" moment for the entire organization when everyone understands the difference.
  • #15: Let's take a look at what you get with a Risk Management model. Tolerance for risk changes over time; it is dynamic and fluid.
  • #17: It needs the involvement of senior leaders/executives providing the strategic vision; mid-level leaders planning projects; and individuals on the front lines operating the information systems. The four components are: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk; and (iv) monitor risk on an ongoing basis. The Risk Management Process model shows a continuous feedback loop across all levels, where the risk frame is defined at the strategic level down to the front lines where Information Security systems are monitored.
  • #18: The first component of risk management addresses how organizations frame risk, or the risk context. The risk context is the environment in which risk-based decisions are made. The purpose of this step is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk. The risk frame establishes a foundation for managing risk and the boundaries for risk-based decisions.
  • #19: The second component of risk management addresses how organizations assess risk within the context of the risk frame. It considers: threats to organizations, or threats directed through organizations against other organizations (for example, an attack on your information systems to gain access to one of your outside vendors through a company portal); vulnerabilities, internal and external, where internal could be people or systems; the consequences or impact that may occur given the potential for threats exploiting vulnerabilities; and the likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and the likelihood of harm occurring).
  • #20: The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action. To support the risk response component, organizations describe the types of risk responses that can be implemented: accepting, avoiding, mitigating, sharing, or transferring risk. As you can see, everything revolves around identifying the Risk Frame, which drives all other decisions.
  • #21: The fourth component of risk management addresses how organizations monitor risk over time: verify that planned risk response measures are implemented and information security requirements are satisfied; determine the ongoing effectiveness of risk response measures following implementation; and identify risk-impacting changes to organizational information systems and the environments in which the systems operate.
  • #22: Here we come back to the Risk Management Process model where the Frame Risk is at the center of the whole process. Basically, we start with identifying what is of value for an organization and the risk associated with that valuable asset.
  • #23: How do we make Risk Management Work? The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities with effective communication across all tiers and among all stakeholders having a shared interest in the success of the organization.
  • #24: The Multitiered Risk Management approach has distinct boundaries and accountabilities with continuing communication across all tiers. From the Organization level that frames risk, to the Mission/Business processes that assess and respond to risk, down to the operational level where risk is monitored.
  • #25: Governance is the set of responsibilities and practices exercised by those responsible for an organization, such as the board of directors and/or executive management. The risk executive (function) serves as the common risk management resource. It is similar to the recommended executive position in Disaster Recovery/Business Continuity Planning: the single point of contact between the various departments in this collaborative process. Risk tolerance is the level of risk or degree of uncertainty that is acceptable to organizations and is a key element of the risk frame. Investment strategies generally reflect the long-term strategic goals and objectives of organizations.
  • #26: A risk-aware mission/business process is one that explicitly takes into account the likely risk such a process would cause if implemented. Implementing risk-aware mission/business processes requires a thorough understanding of the organizational missions and business functions and the relationships among those functions and supporting processes. Enterprise architecture establishes a clear and direct connection from investments to measurable performance improvements. It promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations manage risk more effectively.
  • #27: The information security architecture is an integral part of the organization's enterprise architecture. It represents that portion of the enterprise architecture specifically addressing information system resilience and providing architectural information for the implementation of security capabilities. The primary purpose of the information security architecture is to ensure that mission/business process-driven information security requirements are consistently and cost-effectively achieved in information systems, and that the environments in which those systems operate are consistent with the organizational risk management strategy. Information security requirements defined in the segment architecture are implemented in the form of management, operational, and technical security controls. It provides a detailed roadmap that allows traceability from the highest Tier 1 strategic level down to the Tier 3 operational level. Here you see how the Information Security Architecture flows from the organization's strategic level into the environments of operation in the Multitiered Risk Management model.
  • #28: All information systems, including operational systems, systems under development, and systems undergoing modification, are in some phase of the system development life cycle.
  • #30: The slide shows the integration of the Risk Management model with the Multitiered Risk Management process. As you can see, everything revolves around the Frame Risk component. The bidirectional arrows in the figure indicate that information and communication flow among the risk management components. The execution order of the components may be flexible and respond to the dynamic nature of the risk management process as it is applied across all three tiers.
  • #31: When we look at the NIST Cybersecurity Framework, it has direct correlations with the Risk Based Management model and the Multitiered Management approach. It has distinct boundaries, but is collaborative and flexible.
  • #32: So how do we get started?
  • #33: What is of value, or what matters. If you have a Disaster Recovery/Business Continuity Plan, then you have already started to identify critical information systems that need to be prioritized. This can help in the identification of risk to that value. 1a) Many of the most valuable assets are intangible and are typically not considered in technical approaches to information security. A company's reputation is considered an intangible asset, so how do you place a value on that asset? Maybe we need to ask Target for the value of this intangible asset? 1b) This requires us to step out of our techie role and step into that of sociologist. We need to survey the organization and engage those who are responsible for each line of business. We need to gather information about the organization's revenue stream, its revenue per line of business, and how each business unit is interrelated and can impact the revenue stream. We need to learn what the manager focuses on to keep their area running. Nearly all risk analysis methodologies require key pieces of information in order to complete the analysis. Collecting this information is a process best based on observable data and can include feedback from the organization's environment or be based on broader industry studies. The information collected does not need to be absolute and precise, and in some cases the data collected will be closer to estimations. It is important to start with a baseline that will evolve over time.
  • #34: A risk assessment is the critical junction of any risk management program. It is where the various elements that affect risk are brought together and the data that has been collected is exercised. The first step is to set the objectives of the assessment. The objectives should specify the environment and assets being assessed. Some of the things we need to look at for the methodology to assess risk are: the need to represent risk as a balanced combination of threats, vulnerabilities, and likelihood; consider a broad range of viable threats, likelihoods and vulnerabilities; measure risk using as much tangible data as possible; not attempt to be absolute or force precision, but rather attempt to define the probability of events and outcomes; create meaningful analysis of probabilities (what is the likelihood of something happening) rather than possibilities (simply what can and what cannot happen); create meaningful information on the magnitude of an event and its impact; and rank risk based on a normalized scale that is explicitly defined, relevant and re-usable across risk analyses of all sizes and types. This is similar to the DR/BC prioritization of information systems. Ultimately all decisions about the treatment of risk are up to the owners of that asset. Therefore the material needs to be presented in a manner that makes the stakeholders better able and enabled to make informed decisions. The risk analysis should be presented in the context of the asset owner's own goals and objectives and in a language they understand.
  • #35: A control objective will identify the risk being addressed, and will identify ways that minimize an element of that risk— whether it is reducing threats, frequency or likelihood, or mitigating the vulnerability that makes the threat viable. What is the total cost of ownership of the control? Besides simple capital costs, what are the long-term costs of maintaining the control? What are the labor and maintenance costs? What are the costs of upgrades, changes and development? How flexible is the control to changes in the organization or the elements that make up the risk? Is the amount spent on the control going to be appropriate for the probable magnitude and impact of an event? If inserted back into the risk analysis, does the control reduce the risk by an expected amount? As with any project, it is important to ensure that the implementation follows the objectives and requirements that were previously set forth. This step is one that we are also very well acquainted with, and it does not operate controls differently than a non-risk-based methodology. RBSM does, however, take an additional step that measures the effectiveness of the control itself and its operation.
  • #36: In order to validate that the control is satisfying the intended objectives, it is critical to measure on an ongoing basis the effectiveness of the control in relation to the original risks it is designed to mitigate. The measures must focus on clearly identifying changes in risks.
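The four components described in notes #18 to #21, and the getting-started steps in notes #33 to #36, as one added walk-through in code. This is an illustration written for this page, not material from the presentation or a NIST artifact; the ordinal scales, the 0.25 tolerance and the three sample risks are constructed assumptions. It shows a risk frame setting tolerance (Tier 1), an assessment that scores and ranks a register on an explicitly defined normalised scale, a response chosen against tolerance, and a monitor step that re-scores after a control is implemented and returns what still sits above tolerance.

```python
"""Risk register walk-through of frame / assess / respond / monitor.

Added example, not from the presentation. Scales and thresholds are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Explicitly defined ordinal scales so scores are re-usable across analyses.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
MAX_SCORE = max(LIKELIHOOD.values()) * max(IMPACT.values())  # 25


@dataclass
class RiskFrame:
    """Tier 1 output: the boundary inside which Tier 2 and Tier 3 decide."""
    tolerance: float  # highest normalised score the organisation will accept


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    response: str = "undecided"
    controls: List[str] = field(default_factory=list)

    def score(self) -> float:
        """Degree of harm times likelihood of harm, normalised to [0, 1]."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact] / MAX_SCORE


def assess(register: List[Risk]) -> List[Risk]:
    """Rank the register on the normalised scale, highest risk first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def respond(risk: Risk, frame: RiskFrame) -> str:
    """Choose a response consistent with tolerance: accept within it, else mitigate.
    Avoid / share / transfer decisions are escalated by monitor()."""
    risk.response = "accept" if risk.score() <= frame.tolerance else "mitigate"
    return risk.response


def implement_control(risk: Risk, name: str, likelihood: Optional[str] = None,
                      impact: Optional[str] = None) -> float:
    """Record a control, re-assess the element it changes, return the residual score."""
    risk.controls.append(name)
    if likelihood:
        risk.likelihood = likelihood
    if impact:
        risk.impact = impact
    return risk.score()


def monitor(register: List[Risk], frame: RiskFrame) -> List[str]:
    """Assets whose residual risk is still above tolerance after the response.
    These go back to Tier 1 for an accept / avoid / share / transfer decision."""
    return [r.asset for r in register
            if r.response != "undecided" and r.score() > frame.tolerance]


def demo():
    """Constructed register: three sample risks against a 0.25 tolerance."""
    frame = RiskFrame(tolerance=0.25)
    register = [
        Risk("customer portal", "credential stuffing", "no rate limiting", "likely", "major"),
        Risk("intranet wiki", "defacement", "outdated plugin", "possible", "minor"),
        Risk("backup archive", "theft of media", "unencrypted tapes", "rare", "severe"),
    ]
    ranked = assess(register)
    for r in ranked:
        respond(r, frame)
    # Mitigation on the top risk lowers likelihood, not impact; re-score it.
    implement_control(ranked[0], "rate limiting + MFA", likelihood="unlikely")
    return frame, ranked, monitor(ranked, frame)


if __name__ == "__main__":
    frame, ranked, escalated = demo()
    for r in ranked:
        print(f"{r.asset:16} score={r.score():.2f} response={r.response} controls={r.controls}")
    print("still above tolerance:", escalated)
```

The point the walk-through makes is the one in note #35: after a control is implemented the risk is put back into the analysis, and a residual score that is still above the frame's tolerance is a fact for the risk executive to act on, not a closed item.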
  • #37: The idea is that this is a flexible model that addresses currently identified risks and any future risks that might be identified through this model.
  • #40: One of the more recent options for helping implement a Risk Based Security model is RASP. 1) We need to accept that, just like us, our computers cannot distinguish good from bad. Anti-virus and other security products that claim to be able to detect malware quite simply cannot keep up. 2) The BYOD growth has helped fuel some of the increase in perimeter security spending, but perimeter protection simply won't cut it in today's intrusion landscape.
  • #41: 1) ...and it is capable of controlling application execution and detecting and preventing real-time attacks. It is like learning karate for self-defense and not waiting for the local police to arrive before it's too late. Imagine what happens to malware that just bypassed the IPS on the new NGFW, but the application defends itself against it. 2) It protects from within the application, utilizing contextual insight so that you can be confident in identifying and stopping attacks that network security cannot see.
  • #42: These features should see all data coming in and out of the application, all events affecting the application, all executed instructions, and all database access. Once RASP is deployed into production, the application runtime environment should be able to detect attacks and protect applications with a high level of assurance.
  • #43: Not sure about legacy applications, but that was an issue too when server virtualization started taking off.
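Notes #41 and #42 describe the RASP idea in the abstract: protection hooks inside the runtime that see database access and use application context to stop what a network device cannot see. The following is an added, constructed illustration of that mechanism in miniature; it is not a RASP product and not code from the presentation. A guard inside the application registers user-supplied ("tainted") values and inspects every SQL statement before it reaches the database. The contextual check is structural: a tainted value is allowed to fill exactly one SQL token (a literal); if replacing it with a neutral stand-in changes the statement's token count, the input has altered the query's structure and the statement is blocked and logged. The tokenizer, the `RaspGuard` class and the sample in-memory database are all assumptions of this example.

```python
"""Minimal RASP-style guard for database access (constructed example).

Added illustration only. It sits in the application runtime, records every
database access, and blocks statements whose structure was changed by
user-controlled input.
"""
import re
import sqlite3
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Tokenizer for the SQL subset we need: quoted string literals ('' escapes a
# quote), numbers, identifiers/keywords, and single-character punctuation.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def sql_tokens(sql: str) -> List[str]:
    """Split a statement into lexical tokens."""
    return _TOKEN.findall(sql)


class RaspBlocked(Exception):
    """Raised when the guard refuses to pass a statement to the database."""


@dataclass
class RaspGuard:
    conn: sqlite3.Connection
    tainted: Set[str] = field(default_factory=set)
    # Audit trail of every database access: (verdict, sql, offending value).
    events: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def taint(self, value: str) -> str:
        """Mark a value as user-controlled (e.g. a request parameter)."""
        if value:
            self.tainted.add(value)
        return value

    def structure_changed(self, sql: str) -> Optional[str]:
        """Return the tainted value that alters the token structure, if any.

        A well-behaved input swapped for a neutral stand-in leaves the token
        count unchanged; input carrying operators, keywords or extra literals
        does not.
        """
        baseline = len(sql_tokens(sql))
        for value in self.tainted:
            if value in sql and len(sql_tokens(sql.replace(value, "X"))) != baseline:
                return value
        return None

    def execute(self, sql: str, params: Tuple = ()) -> list:
        """Guard first, then run. Values bound through params never enter the
        statement text, so the parameterised path is structurally safe."""
        offending = self.structure_changed(sql)
        if offending is not None:
            self.events.append(("blocked", sql, offending))
            raise RaspBlocked(f"tainted input altered query structure: {offending!r}")
        self.events.append(("allowed", sql, None))
        return self.conn.execute(sql, params).fetchall()


def is_blocked(guard: RaspGuard, sql: str) -> bool:
    """True when the guard stops the statement (used for checks and demos)."""
    try:
        guard.execute(sql)
    except RaspBlocked:
        return True
    return False


def make_demo_guard() -> RaspGuard:
    """Constructed in-memory database with one row, wrapped by the guard."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob')")
    return RaspGuard(conn)


if __name__ == "__main__":
    guard = make_demo_guard()
    name = guard.taint("bob")                 # ordinary input, one literal
    print(guard.execute(f"SELECT name FROM users WHERE name = '{name}'"))
    payload = guard.taint("bob' OR '1'='1")   # input that adds tokens
    print("blocked:", is_blocked(guard, f"SELECT name FROM users WHERE name = '{payload}'"))
    # The same value through a bound parameter cannot change structure.
    print(guard.execute("SELECT name FROM users WHERE name = ?", (payload,)))
    print(guard.events)
```

Two design points carry over to the real thing. The guard has context a firewall lacks: it knows which values came from the user and what the statement looked like before they were added, which is why the same string is blocked when concatenated and allowed when bound as a parameter. And the substring-based tainting here is the toy part; production RASP tracks taint through string operations and instruments far more than database calls, which is also where the performance cost in slide 42 comes from.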