Formal Risk Assessment Workshop

Created by Praveen Joseph Vackayil
Praveen Joseph Vackayil
Deepak Umapathy

• Explore perspectives and incite thoughts
on the risk assessment process
• Re-visit the basic concepts of risk
• Perform a risk assessment based on a
formal methodology

• Questions are welcome
• Share your knowledge
• Mobile phones – you know
what to do

• I. An Introduction to Risk Assessment
• II. Basic Concepts
• III. Lunch 
• IV. Case Study: Implementing an NIST SP
800-30 Risk Assessment

Created by Praveen Joseph VackayilRisk exists in daily life
Risk may be a part of a profession or sport

• We can’t always predict the future. At least
not accurately.
• Risk is a consideration of how something we
value (asset) can be affected
• by a negative entity (threat)
• and lead to a less than ideal outcome
(impact)
• since it is not protected enough
(vulnerability)

Threat Source
Threat Outcome
Asset Vulnerability

Asset
Interpreted Definition:
Risk is the probability that a threat, exploiting a vulnerability that exists in an
asset of certain value, will cause an undesired impact.
Threat
Undesired Impact
Vulner
ability
RISK ECOSYSTEM

• Risk Assessment is nothing but people
being people
• It is an extension of human nature and a
satiation of a basic human need:

The jaguar hides its prey atop trees

Name some things you see in this picture which remind you of risk assessment

• Formalizing a Risk Assessment is a
way of providing it with a
systematic mechanism of
– Measurement (defining metrics)
–Repetition (process-specific and not person-
specific)
–Comparison (between different business
verticals, for instance)
Note: We will be visiting formal methodologies in the later slides

If anything can go wrong, it will

Case i: I am trying to check all the boxes
in my compliance checklist. I don’t need a
separate risk assessment as such.
–A compliance standard is a universal
set of instructions
–Risk Assessment is the tool through
which the standard is tailored to the
unique circumstances of your
environment Note: Risk assessment is mandated by most
compliance standards today – eg. PCI, ISO
27001, HIPAA, etc.

Case ii: We have annual third party
audits. We don’t need risk
assessment.
–Risk assessment ≠ Audit
–An audit is a discovery of what HAS
already gone wrong
–Risk Assessment is the discovery of
what CAN go wrong in the near or
distant future

Case iii: I don’t see the point. We did
a risk assessment last year and no
one followed through with
remediation.
–Risk Assessment:
• ‘If you can’t measure it, you can’t manage
it.’
–Risk Management:
• ‘Knowing is not enough, we must apply.’

Case iv: Everything eventually boils down
to the numbers. There is a cost involved in
an RA. How do I justify this investment?
RA Cost RA Benefit
• Time and effort
• Productivity is hit when
business team is facing risk
assessors
• RA Training Costs
• RA Consultant
• RA Tool
?
• Not having a security incident is the ROI of any
security investment.
• A key objective of RA is to ensure the security
budget is not exceeded.

Risk Frame
Threat Source and
Threat Event
Impact
Likelihood of
Occurrence
Vulnerability
Risk Score Risk Response

• Identification of the
– Organizational priorities. Eg. Purpose of the RA
– Scope
– Assets (e.g., organizational entities covered, business functions
affected by the RA)
– Team Structure within the organization
– Assumptions and Constraints
– Information sources
– Risk management guidance on the Risk Model, Analysis
Approach, Assessment Approach, Qualitative Scale to be used
for Risk Score, etc.
– Risk response guidance including, for example, risk tolerance
– Risk monitoring guidance

Nature of risks varies with the level of hierarchy being assessed.
Organization
Tier
Business Process
Tier
Information System Tier

Asset/Impact-oriented
Threat-oriented
Threat Source
Threat Event
caused by the
Threat Source
Vulnerability Impact
Vulnerability-oriented
Critical Asset
Impact that can
compromise the
Asset
Threat Event
that can cause
the impact
Threat Source
that leads to this
Threat Event
Vulnerabilities and Pre-
disposing Conditions
Threat Event
that exploits the
Vulnerability
Threat Source Impact

Qualitative Quantitative
• High Medium Low
• Red, Green, Yellow
Numeric
Easy to calculate May include complex formulae
Less accurate, but gets the job done Precise. Useful in $ estimations
Difficult to convince stakeholders, since it is
based on subjective judgement
Easier to convince stakeholders
Risk = f (Asset Value, Threat probability, Level
of Vulnerability)
Basic concepts to be noted:
SLE=Asset Value x Exposure Factor
ALE= SLE x ARO

• Anything of value to the organization
• Perception of value is tied to the purpose of
the risk assessment
– Eg. If in a compliance RA, the value of the asset depends on
the compliance requirement. In PCI, card data is the most
important asset, and hence gets highest Asset Value.
– If the RA aims at capturing process inefficiencies and
optimizing cost, money is the most important asset.
– For the purpose of ISRA, information is usually the most
important asset.

Asset Name: DB Server
Asset Category: Supporting
Asset
Asset Type: Hardware
Asset Owner: Head of IT Dept
Asset Custodian: Database
Administrator
Asset Value:
• Impact if C is compromised:
VH
• Impact if I is compromised: VH
• Impact if A is compromised: M
Total Asset Value: VH

Malicious outsider defaces the
corporate website
Employee loses company
confidential data in a laptop
Non-adversarial
Threat Source
Adversarial Threat
Source
Intent: To take control of
the web server and deface
the website
Targeting: Web server
Capability: Proficiency in
hacking tools like Metasploit
Knowledge of the systems
architecture
Range of Effects: Loss of
confidential data if the laptop
falls into the wrong and
capable hands
Threat Event
Threat Event
Website is
defaced by a
malicious
outsider
Company data is
misused by an
unknown third
party

• Change in attack approach based on
controls perception.
Time
domain
Target
domain
Resource
Domain
Attack
method
Influencers:
• Path of least resistance
• Path with quicker and
more benefit

• A vulnerability is a weakness in an information
system, system security procedures, internal
controls, or implementation that could be exploited
by a threat source

• Controls are absent
• Controls are not efficient
• Controls are no longer relevant
The ever-changing threat landscape can render
the current control eco-system obsolete. Eg.
Shellshock bash vulnerability.

An existing condition within an environment that can
increase or decrease the likelihood of a threat.
Eg.
• Indonesia is prone to earthquakes.
• We use Windows XP on all our desktops. Risk increases
• We operate out of a city with low crime rate

Questions to Ask:
• Will the threat event occur/be initiated by a threat
source successfully?
• Will the threat event cause an adverse impact
successfully?
Likelihood of Occurrence=f (Likelihood of Threat Event
Initiation/Occurrence, Likelihood of Threat Event
causing Adverse Impact)

• Magnitude of harm caused due to the
disclosure, modification, destruction/loss of
sensitive data.
• Impact may cascade to entities even external to
the scoped environment.
Eg. Financial loss,
reputational loss,
productivity loss,
loss of existing clients.

Risk Model
• Threat
• Likelihood
• Vulnerability
• Pre-disposing Condition
• Impact
Risk Factors Risk
Risk models define the risk factors to be
assessed and the relationships among
those factors.

Recall the earlier slide

• Risk is the
Likelihood
• that a Threat
Source
will exploit
• a
Vulnerability
with Severity
And/or
• A Pre-disposing
Condition with
Pervasiveness
And initiate a
• Threat Event
Leading to
An adverse
Impact

• Just before acquiring a new company
• Just before an audit
• Just after deploying new laptops
• Before starting operations in a new facility
• Every month for all assets
• Never. 
You be the Judge

• Annual Risk Assessment
• Real-time updates to the Risk
Assessment via a Feedback Loop
Scope
Identify
AssessManage
Document

Thoughts
• Does it really work?
– No tracker/reminder on the RA
– Job rotations/staff leave the team
– Disconnect between the risk assessor and the asset
custodians
• Is everyone that committed to security?
– Top management commitment to security may not
drill down to the grass-root levels

A Formal Risk Assessment is one that is:
• Measurable
• Comparable
• Repeatable
A Formal approach:
• Is tried and tested
• Reduces re-work in devising new methodologies every
year
• Leads to consistency which in turn allows integration of
RA with audit and other activities
• Establishes a process and reduces people-dependency

Do we really need to use a formal risk
assessment methodology?
• Yes
• No

Develop a new RA methodology Adopt an existing formal RA methodology
RA METHODOLOGY:
• A new methodology must be developed, tried and
revised. This is in some ways re-invention of the
wheel
• A tried and tested methodology already exists. It needs
to be shortlisted and adopted.
• Corresponding RA template may be available
RISK ASSESSORS:
• Develop an in-house talent pool that is well versed with
the methodology. Training costs extra.
• Hire RA personnel with relevant
experience/certification. Resource costs extra.
COMPATIBILITY :
• It will be created as per the organization’s unique
environment.
• The existing methodology may need to be tweaked to
suit the organization’s environment, structure and
culture.
Eg. Primary and supporting assets may be selected
according to the org-structure.
ASSET OWNERS/CUSTODIANS:
• Factors that encourage user adoption may be built-in
while developing the methodology.
Eg. Qualitative risk calculation is used, since it is easier for all
to understand.
• Ways to enable user adoption of the methodology must
be developed.
Eg. The survey-based approach of OCTAVE may not work in
an organization where people don’t respond to emails.
PREVIOUS REFERENCES:
• Not sure if it will succeed/fail since there is no prior user
experience/reviews to refer to
• Tried and tested. Known to have succeeded.
• Common pitfalls will be readily available based on other
users’ experiences. These can be addressed
accordingly.

3 popular RA methodologies:
• ISO 27005
• OCTAVE
• NIST SP 800-30

• Developed by International Organization for
Standardization (ISO)
• Suitable for technology as well as process RA
• Concept of primary and supporting asset can
be adapted to most organizational scenarios
• ISRA=Risk Identification->Risk Estimation-
>Risk Evaluation
• It’s USP: Asset Characterization

Description
of ISRA
•Scope and
Boundaries
•Org structure
•Risk
Acceptance
Criteria
•RA Team
Risk
Analysis:
Risk
Identificatio
n
•Scope
•Assets
•Threats
•Existing
Controls
•Vulnerabilities
•Impact
Risk
Analysis:
Risk
Estimation
•Qualitative
•Quantitative
Risk
Evaluation
•Risk Value vs
Risk
Acceptance
Criteria
•Accept
•Mitigate
•Transfer
•Avoid

• Developed by SEI-CMU
• Most suited for assessing risks within organizational
processes
• Emphasizes a workshop-based approach over a tool
approach
• Built for large organizations, so interviews are broken
across hierarchies and disciplines
• Pareto’s Principle: 80% of the effects come from 20%
of the causes
• It’s USP: Threat Profiling
• OMIG is available for free from CERT.org

Organizational
View
• P1: Senior
Management
Knowledge
• P2: Operational
Management
Knowledge
• P3: Staff
Knowledge
• P4: Threat
Profiling
Technological View
• P5: Identify Key
Technoology
Components
within a System
of Interest
• P6: Evaluate
Selected
Components
(Run a VA,
Nipper Scan, run
a DB review tool,
etc.)
Risk Analysis
• Conduct Risk
Analysis
• Develop
Protection
Strategy
Key Outputs:
Assets, Security
Requirements, Areas of
Concern, Vulnerabilities,
Threats
Key Outputs:
Key Technological Assets
and their vulnerabilities
Key Outputs:
Risks and Protection
strategy

• The Federal Information Security Management Act (FISMA) is an
information security act for all federal bodies in the US
• FISMA requires NIST to develop and issue mandatory standards
for all US federal agencies called FIPS – Federal Information
Processing Standards
– Eg. FIPS 140 talks about Cryptography requirements, FIPS 199
talks about classification of information
• Special Publications (SPs) are guidance documents developed by
NIST to support FIPS.

Risk
Likelihood
of
Occurrence
Level of
Impact

I. Risk
Framing
II.
Conduct
the RA
III.
Maintain
the RA
I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and
Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk Level
III.
Communicate
I. Monitor Risk
Factors
II. Update the
RA

• Read aloud the case study in the hand-
outs issued to you.

CEO
Jeff Antony
COO and CTO
Anup Kumar
Sonia Arora–
Head, Project
Delivery
Rohit Kumar–
Manager, IT
Operations
Manoj Krishna–
Head, Physical
Security
Administration
Priya Thomas–
AVP, HR
CISO
Philip
Williams

Servers
AD, AV, SCCM, DHCP
Network
Devices
Firewall, L3 Switch
Desktops
and
Laptops

Support
Processes
Server and
desktop
administration
Network device
administration
Physical Security
Management
processes
Personnel
security
processes
Client-facing
Processes
SDLC:
Dev, Testing
Production
Support process

I. Risk
Framing
II.
Conduct
the RA
III.
Maintain
the RA
I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and
Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
II. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
III. Calculate
• Likelihood
• Impact
• Risk Level
IV.
Communicate
V. Monitor Risk
Factors
VI. Update the
RA

I. Identify:
• Purpose of RA
• Scope
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
V. Monitor Risk
Factors
VI. Update the
RA
Factors to Consider:
i. Initial RA:
• Purpose can be to identify current
security posture
• Purpose can be to capture the
starting point (baseline) of risks in the
current setup/new setup.
ii. Re-assessment
• Purpose can be to monitor risks as
part of continuous RA
• Purpose can be to evaluate risk
• Purpose can be to perform controls
testing
• Purpose can be to capture new risks
as the environment has undergone a
significant change and update an
existing RA report.

I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
V. Monitor Risk
Factors
VI. Update the
RA
i. Organizational Applicability:
• Business processes within the
organization that are affected
ii. Effectiveness Time-frame
• Time-duration for which the RA
findings are going to be relevant
and can assist in risk based
decisions
iii. Technological Considerations
• With segmentation (VLANs,
firewalls, etc.), the in-scope
network can be reduced.
• In a flat network, the entire
network is in scope.

I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
V. Monitor Risk
Factors
VI. Update the
RA
i. Consider all the stages of the risk
assessment
ii. Clarify on the following:
• The uncertainty surrounding the
risk assessment findings
• The constraints faced with
regard to resources – time,
team, etc.
• Assumptions made with the
sampling approach deployed (if
any)
• Assumptions made and
limitations of a qualitative
computation of risk

I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
Consider the methods to be used in risk identification
i. People Risks
• Interviews with relevant personnel
• Review of records ( eg. BGV records)
• External Source: Previous employers
ii. Process Risks
• Walkthrough of the process
• Interviews with relevant personnel
iii. Technology Risks
• Review of desktop hardening
• Review of server config
• Nipper scan of firewall configs
• Vulnerability Assessments
• External Source: Security advisories
from CERT, SANS, etc.

I. Identify:
• Purpose of RA
• Scope
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
Recall the earlier slides:
Documentation of a risk model includes:
i. Identification of risk factors – ie threats,
vulnerabilities and pre-disposing conditions,
likelihood and impact
ii. Identification of the relationships between
the above risk factors

I. Identify:
• Purpose of RA
• Scope and
Assets
• Assumptions
and Constraints
• Information
Sources
• Risk Model
• Analysis
Approach
Recall the earlier slide:

V. Monitor Risk
Factors
VI. Update the
RA
Capture the following aspects:
i. Type of Threat Source
• Adversarial
• Non-adversarial
ii. Characteristics of Threat Source
• Adversarial -> Capability, Intent,
Targeting
• Non-Adversarial -> Range of
Effects (Sweeping, Extensive,
Limited, Minimal, etc.)
iii. Overall Criticality Rating of Threat
Source
• Very High, High, Moderate, Low,
Very Low
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk Level
III.
Communicate

V. Monitor Risk
Factors
VI. Update the
RA
i. Envision various ways through
which the Threat Source can
compromise the Asset and
cause a Threat Event
ii. Study the entire lifecycle of the
Asset to do so
iii. Think of internal and external
links /physical and logical links
from threat source to the asset
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk Level
III.
Communicate

V. Monitor Risk
Factors
VI. Update the
RA
i. Take existing controls into
account when determining level
of vulnerability.
ii. Think of internal and external
entities that are a direct or
indirect characteristic of the
asset.
Eg. Glass is breakable, AC ducts can
serve as escape tunnels, strong
lights can glare out images on CCTV
cameras, etc.
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk Level
III.
Communicate

V. Monitor Risk
Factors
VI. Update the
RA
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk level
III.
Communicate
i. Be clear on the concept. A Threat Event
occurring is not the same as a Threat
Event causing an adverse impact.
ii. Likelihood of Occurrence implies the
Likelihood that Threat Event occurs/is
initiated AND causes an adverse Impact
iii. Likelihood that a Threat Event occurs/is
initiated depends on the Threat Source
which causes the Threat Event
iv. Likelihood that a Threat Event causes an
adverse Impact depends on the Level of
Vulnerability that affects the exposure to
the Threat Event

V. Monitor Risk
Factors
VI. Update the
RA
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk level
III.
Communicate
i. Consider the most valuable
asset (in this case customer
information) that will get
compromised if the threat
source will exploit the
vulnerability
ii. Impact = f(Asset Value, Level of
Vulnerability)

V. Monitor Risk
Factors
VI. Update the
RA
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk level
III.
Communicate
i. Risk = f (Likelihood of
Occurrence, Level of Impact)
ii. Recall the Risk Response
definitions to decide whether to
accept, mitigate, transfer, avoid a
risk.

V. Monitor Risk
Factors
VI. Update the
RA
II.
Conduct
the RA
I. Identify:
• Threat Source
• Threat Event
• Vulnerability &
Pre-disposing
Condition
II. Calculate
• Likelihood
• Impact
• Risk level
III.
Communicate
i. Discuss with senior
management
ii. Ensure the message percolates
down to the grass-root level

V. Monitor Risk
Factors
VI. Update the
RA
III.
Maintain
the RA
V. Monitor Risk
Factors
VI. Update the RA
i. Concept of continuous risk
assessment
ii. Link RA with multiple sources–
eg. Threat advisories from
SANS, NIST, CERT, Microsoft
patch updates, Quarterly VA
scans, data discovery scans,
end-point compliance reports,
external audit findings
iii. Update the RA Report

Email:
praveen.jvc@gmail.com
deepakumapathy@gmail.com

Formal Risk Assessment Workshop

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Formal Risk Assessment Workshop

Ähnlich wie Formal Risk Assessment Workshop (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Formal Risk Assessment Workshop