www.anitian.com | info@anitian.com
SECURITY:ServicesSolutionsSupport
Anitian Overview
• Compliance PCI, NERC, HIPAA, FFIEC
• Services Penetration testing, web application testing,
code review, incident response, risk
assessment
• Technologies UTM/NGFW, IPS, SIEM, MDM
• Support Managed security, staff augmentation
• Leadership Industry analysis, CIO advisory services
Why Anitian?
• Anitian is the only security firm…
• Focused on practical, pragmatic information security
• Able to deliver compliance quickly & affordably
• That does not push products
• Who rejects using fear to sell
• Dedicates research efforts to benefit our clients, not our
press releases
• Implements business‐friendly security
• Remains honest and independent
What is Risk Assessment?
• Systematic and objective determination of the seriousness of
threats.
• Good risk assessment aims to:
• Identify the threats that affect an entity (company, network,
systems, application, etc.)
• Qualify and quantify those threats
• Craft reasonable remedies to reduce, eliminate, accept or
transfer the risk
• Help protect the business/organization and its assets
• Empower leadership to make sensible investments in
security controls and processes
Increasing Emphasis on Risk Assessment
• Always been a PCI DSS requirement (12.1.2)
• HIPAA Omnibus reinforces the need for risk assessment
• The assessment defines the risk management program (which in
turn defines the controls that meet the standard)
• Breach notification now requires a risk analysis of any
suspected breach to determine whether notification is necessary
• FFIEC 2011 Supplement (to the 2005 Authentication in an Internet
Banking Environment guidance) mandated new things to assess
• Defines specific issues to analyze concerning authentication
• Reinforced the need for annual assessments
• Mandated assessments of banking applications
• Outlined requirements to re‐perform assessments when
there are changes
Arcane Language
• Language affects not only comprehension, but also acceptance
• Overly complex, arcane language is inefficient and inaccessible
• Risk management theories devolve into nitpicking paperwork
exercises that nobody reads
• Consider this definition from OCTAVE for Defined Evaluation
Activities:
Implementing defined evaluation activities helps to
institutionalize the evaluation process in the organization,
ensuring some level of consistency in the application of the
process. It also provides a basis upon which the activities can be
tailored to fit the needs of a particular business line or group.
The Fallacy of Numbers
• Using numbers does not make analysis more “true”
• If a number is arrived at from a subjective assessment, then its
use in any calculations is equally subjective
• Charts full of numbers may “feel” empirical, but they’re not
• It’s impossible to establish the true value of an IT asset
• Misleading, creates a false sense of accuracy
• Creates a false scale that does not translate into real‐world
thinking
Time Consuming
• IT risk is volatile, dynamic and has a short shelf life
• Any risk assessment over 90‐180 days old is stale
• NIST (SP 800‐30), OCTAVE and FAIR are nice ideas, but too time consuming
• Spending a year on a risk assessment is too long
• A good enterprise risk assessment should be done in under 30
days
• Documentation is time consuming
• Risk assessment is not a consensus of opinions, it’s an
assessment from a single person or group that understands risk
Probability Can Be Flawed
• “On a long enough time line, the survival rate for everybody
drops to zero.” – Jack, Fight Club (1999)
• Lack of time context makes any assessment of probability
fundamentally flawed.
• Humans are naturally bad at assessing the probability of risks.
• Fallacy of backtesting
Rapid Risk Assessment Outline
• Prerequisites
• Advanced writing skills
• Hands on IT skills
• Authority
1. Establish Scope & Lens
2. Interview Stakeholders
3. Test the Environment
4. Define Threats & Correlate Data
5. Define Probability & Impact Scale
6. Document Risks
7. Develop Action Plan
Prerequisite: Advanced Writing Skills
• No theories, no complex worksheets, no “risk management”
terms
• Simple, business language that states risk in plain, matter‐of‐
fact way
• Establishes authority
• States risk as it *is* without conjecture or indecisiveness
• Active voice
• Should be able to sum up the entire assessment effort in a few
bullet points
Prerequisite: Hands‐on IT Skills
• Must have in‐depth understanding of IT operations
• Systems administration
• Network design, architecture, management
• Security analysis
• Application lifecycle management
• Database administration
• IT practices, procedures, policies development
• Must know how an IT department runs, if you ever hope to
identify its weaknesses
Prerequisite: Authority
• Management must definitively endorse and support risk
assessment
• Must have access to stakeholders
• Ability to scan, test and evaluate technology
• Authority to decisively analyze technologies
• Ability to build credibility and authority through experience,
language, and engagement
#2 ‐ Interview Stakeholders
• Develop a set of questions specific to the business role:
• IT custodians – technical questions
• Business process owners – criticality & usage
• Define value in context of the entire business using simple
terms: critical, high, medium, low, none
• Focus on current state
• Be careful with “forward looking” data – chasing a moving
target
• Catalog results
#3 – Test the Environment
• Vulnerability scans of all in‐scope systems, apps or locations of
data
• Conduct penetration tests
• Web application testing
• Database testing
• Configuration analysis (sample as needed)
• AV / IPS / Firewall logs (sample and spot check)
• Risk determination must be based on REAL data, not feelings,
ideas, theories, or personal interpretations
• This is where hands‐on IT experience is a must
#4 – Define Threats & Correlate Data
• Organize threats into simplified categories
• Technical – threat to systems, hardware, applications, etc.
• Operational – threats that affect practices, procedures, or
business functions
• Relational – threat to a relationship between groups, people
or third parties
• Physical – threats to facilities, offices, etc.
• Reputational (optional) – threats to the organization’s
reputation, perception, or public opinion
• Correlate threats to assessment data
• Keep threats simple
Threat Samples
• Good Threat Definitions
• Theft of confidential data
• Malware infection
• Denial of service attack
• Theft of sensitive authentication data
• Bad Threat Definitions
• Lack of alignment to organizational policies with guidelines
set forth by the security committee means staff is not
properly implementing security controls. (A policy
observation written as a paragraph, not a threat.)
• Use of telnet among staff is threatening PCI compliance
requirements. (Names a compliance consequence, not what
could happen to the asset.)
• Missing patches on systems (A vulnerability, not a threat; it
belongs in the Vulnerabilities column.)
#5 ‐ Define Probability & Impact Scale
Probability
  Metric      Description
  Certain     >95% likelihood of occurrence within the next 12 months.
  High        50‐95% likelihood of occurrence within the next 12 months.
  Medium      20‐49% likelihood of occurrence within the next 12 months.
  Low         1‐19% likelihood of occurrence within the next 12 months.
  Negligible  <1% likelihood of occurrence within the next 12 months.
Impact
  Metric      Description
  Critical    Catastrophic effect on the Data Asset.
  High        Serious impact on the Data Asset's functionality.
  Medium      Threat may cause some intermittent impact on the Data Asset, but would
              not lead to extended problems.
  Low         Impact on the Data Asset is small and limited. Would not cause any
              disruption in core functions.
  Negligible  Data Asset remains functional for the business with no noticeable
              slowness or downtime.
#6 ‐ Document Risks
• Condense, simplify and focus on the problem
• Threat – How the asset is at risk
• Vulnerabilities – The vulnerabilities relevant to the risk
• Recommendation – Tangible actions to remediate the risk
• Impact – Simplified 5 point score (critical, high, medium, low,
negligible), from the impact scale in #5
• Probability – Simplified 5 point score (certain, high, medium,
low, negligible), from the probability scale in #5
• Risk – Simplified product of Impact * Probability, expressed on
the same 5 point scale (critical, high, medium, low, negligible)
Documentation Sample
Threat: Malware infection
Vulnerabilities:
  • Outdated anti‐virus
  • Lack of anti‐virus on 36% of servers
  • 32 high ranked vulnerabilities on in‐scope systems
  • Lack of virus scanning at the network layer
Recommendation:
  • Endpoint antivirus must be installed on all hosts.
  • All endpoint antivirus must be updated daily.
  • All systems must have new patches applied within 30 days of release.
  • Company must deploy a more robust patch management platform.
  • Implement a core firewall that can perform virus scanning at the network layer.
Impact: High (H)
Probability: Certain (C)
Risk: High (H)
Online Version Using Allgress
#7 – Develop an Action Plan
• Summarize all the recommendations into a single, prioritized list
• Simplify into tangible tasks
• GOOD: Implement third party patch management. IBM BigFix,
Dell KACE, and GFI LanGuard are all viable products to consider.
Require the solution to patch all systems within 30 days of a new
patch.
• BAD: IT management procedures need updating to align with
best practices.
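Steps #5 through #7 reduce to a small amount of bookkeeping once the scales are fixed. The following is an added example, not Anitian's tooling or anything shown in the deck: it scores each documented risk as the simplified product of Impact * Probability and then rolls every recommendation into the single prioritized list that step #7 asks for. The five‐point labels are the deck's; the mapping of those labels onto 1‐5, the thresholds that bin the 1‐25 product back onto the five risk labels, and the two findings other than the deck's own malware row are assumptions made for this example. The bins were chosen so the deck's sample row (impact High, probability Certain) comes out High, as the slide shows; the action‐plan rollup also de‐duplicates a recommendation shared by several risks, which goes slightly beyond what the slide states.

```python
"""Risk scoring and action-plan rollup for a rapid risk assessment.

Added example, not Anitian's tooling.  The five-point labels are the deck's;
the 1..5 numeric mapping, the product thresholds and every finding except
the deck's malware row are assumptions made for this example.
"""
from dataclasses import dataclass

# Deck labels mapped onto 1..5 so they can be multiplied (assumed mapping).
PROBABILITY = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "certain": 5}
IMPACT = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Assumed bins for the 1..25 product, chosen so that the deck's sample row
# (impact High x probability Certain = 20) lands on High as the slide shows.
RISK_BINS = [(25, "critical"), (15, "high"), (8, "medium"), (3, "low"), (1, "negligible")]
RISK_ORDER = [label for _, label in RISK_BINS]  # critical first


def risk_rating(impact: str, probability: str) -> str:
    """Simplified product of Impact * Probability, expressed as a deck label."""
    score = IMPACT[impact.lower()] * PROBABILITY[probability.lower()]
    # Score is always >= 1, so the final (1, "negligible") bin always matches.
    return next(label for floor, label in RISK_BINS if score >= floor)


@dataclass
class Risk:
    """One row of the step #6 documentation table."""
    threat: str
    vulnerabilities: list
    recommendations: list
    impact: str
    probability: str

    @property
    def rating(self) -> str:
        return risk_rating(self.impact, self.probability)


def action_plan(risks: list) -> list:
    """Step #7: one prioritised list of (rating, recommendation) tuples.

    Highest-rated risks first (sorted() is stable, so ties keep register
    order); a recommendation shared by several risks is listed once, under
    the highest rating it carries.
    """
    plan, seen = [], set()
    for r in sorted(risks, key=lambda r: RISK_ORDER.index(r.rating)):
        for rec in r.recommendations:
            if rec not in seen:
                seen.add(rec)
                plan.append((r.rating, rec))
    return plan


# Sample register: the malware row is the deck's own documentation sample,
# the other two rows are constructed for this example.
SAMPLE_RISKS = [
    Risk("Malware infection",
         ["Outdated anti-virus",
          "Lack of anti-virus on 36% of servers",
          "32 high ranked vulnerabilities on in-scope systems",
          "Lack of virus scanning at the network layer"],
         ["Endpoint antivirus must be installed on all hosts.",
          "All endpoint antivirus must be updated daily.",
          "All systems must have new patches applied within 30 days of release.",
          "Company must deploy a more robust patch management platform.",
          "Implement a core firewall that can perform virus scanning at the network layer."],
         impact="High", probability="Certain"),
    Risk("Theft of confidential data",  # constructed finding
         ["Customer database reachable from the user VLAN without authentication"],
         ["Restrict database access to the application servers only.",
          "All systems must have new patches applied within 30 days of release."],
         impact="Critical", probability="Medium"),
    Risk("Denial of service attack",  # constructed finding
         ["Single internet uplink with no rate limiting"],
         ["Add a second uplink and upstream DDoS scrubbing."],
         impact="Medium", probability="Medium"),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.rating.upper():10} {r.threat}")
    for rating, rec in action_plan(SAMPLE_RISKS):
        print(f"[{rating}] {rec}")
```

Whatever thresholds you settle on, write them down once in the report's scale section and never hand‐adjust an individual row's risk rating; if a row looks wrong, the fix is to revisit its impact or probability against the REAL data from step #3, not to override the product.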
Don’t
• Try to change the culture of the business
• Let perfection become the enemy of good
• Cite any kind of risk management theory – nobody cares
• Use a lot of risk terminology
• Say more than you need to
• Document indecision
• Add complexity when it offers no improvement in clarity
• Use inaccessible matrices, worksheets, or process flows
• Insert charts or graphs when they don’t aid in comprehension