Security Process
Coleman Kane
Coleman.Kane@ge.com
January 14, 2015
Security Process 1 / 12
is the practice of discovering the vulnerabilities posed by an environment, determining their negative risk impact, and documenting these observations for future planning. In some cases, this may drive modifications to a network or business practice to eliminate the vulnerability or reduce its exposure. In other cases, one might implement monitoring to notify in the event that an identified vulnerability is being exploited in the environment.
Actively developing field
As many methodologies as commercial providers
OWASP approach describes six steps to develop a risk analysis
Generalized equation: Risk = *
Identify what exposures you would like to assess the risk of
Use the process to calculate the / of those exposures
Determine what exposure you are concerned about. Some considerations for this:
What might a breach objective be?
Who might attempt it, vs. who would not?
What aspects of your business should be in scope / out of scope?
What type of attack is in/out of scope?
What would your loss cost be?
Coming up with realistic and well-defined scenarios/scopes to develop against will ensure the assessment is meaningful for your business cases.
Two primary contributors to this:
Threat Agent factors
factors
Come up with rating criteria and a scoring system (for example, 0-9)
Better adversaries are expected to have greater success in exposing you. You may grade your adversaries based upon arbitrarily-selected, applicable criteria.
Skill level: Red teaming skills (9), Network programming skills (7), Scripting skills (4), No skills (1)
Motive: Funding level, priority level - Nation-state (9), Criminal activity (6), Opportunist (3)
Opportunity: Situational characteristics that increase (9) or decrease (0) the likelihood of attacking
Size: Size of threat agent group, resourcing which can be applied to the attack: Lone actor (1), Small team (3), Army unit (7), Internet-scale (9)
Ease of discovery / Security-through-obscurity
Ease of exploit
Awareness
Intrusion detection / instrumentation
Many of these items are under direct control of the entity being assessed, and therefore provide the starting measurements for improvement projects
Technical impact, losses of: Confidentiality, integrity, availability, accountability
Business impact: Financial damage, Reputational damage, Non-compliance, Privacy violation
Use the & computations earlier to calculate an average value for the purpose of reporting the risk rating.
Reporting options:
May choose Low/Medium/High/Critical level descriptors
May want to apply weightings to certain criteria
May want to report where recipient is in relation to peers
Frequency of activity/breaches at current risk rating level
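The scoring described on the preceding slides, worked through as an added example (not code from the deck or from OWASP): threat-agent and vulnerability factors are scored 0-9 and averaged, impact factors are averaged separately, optional per-criterion weightings are applied, and the two averages are mapped to Low/Medium/High bands and combined into an overall descriptor. The band boundaries, the combination matrix and the name "likelihood" for the combined threat-agent/vulnerability score are this example's own assumptions, patterned on the OWASP Risk Rating Methodology.

```python
from typing import Dict, Optional, Tuple

# Assumed band boundaries for an averaged 0-9 score: score < bound -> label.
BANDS = ((3.0, "Low"), (6.0, "Medium"), (9.01, "High"))

# Assumed combination matrix (likelihood level, impact level) -> overall rating.
MATRIX = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}


def band(score: float) -> str:
    """Map an averaged 0-9 score to a Low/Medium/High descriptor."""
    for bound, label in BANDS:
        if score < bound:
            return label
    raise ValueError(f"score {score} outside the 0-9 scale")


def weighted_average(factors: Dict[str, float], weights: Optional[Dict[str, float]] = None) -> float:
    """Average 0-9 factor scores; a weight of N counts that criterion N times
    (the deck's 'weightings to certain criteria'). Unlisted factors weigh 1."""
    weights = weights or {}
    for name, score in factors.items():
        if not 0 <= score <= 9:
            raise ValueError(f"{name}: score {score} outside 0-9")
    total = sum(weights.get(name, 1) for name in factors)
    return sum(score * weights.get(name, 1) for name, score in factors.items()) / total


def rate(threat_agent: Dict[str, float], vulnerability: Dict[str, float],
         impact: Dict[str, float], weights: Optional[Dict[str, float]] = None) -> Tuple[float, float, str]:
    """Return (likelihood average, impact average, overall descriptor)."""
    likelihood = weighted_average({**threat_agent, **vulnerability}, weights)
    impact_score = weighted_average(impact, weights)
    return likelihood, impact_score, MATRIX[(band(likelihood), band(impact_score))]


if __name__ == "__main__":
    # Constructed scenario: a small criminal group with scripting skills, an
    # obscure but easily exploited service, and weak intrusion detection.
    threat = {"skill": 4, "motive": 6, "opportunity": 7, "size": 3}
    vuln = {"discovery": 3, "exploit": 7, "awareness": 4, "detection": 8}
    imp = {"confidentiality": 7, "integrity": 5, "availability": 3, "accountability": 6,
           "financial": 5, "reputation": 4, "non_compliance": 2, "privacy": 7}
    print(rate(threat, vuln, imp))
    # Weighting the vulnerability factors under your own control more heavily
    # shows how a reporting choice moves the rating without changing the facts.
    print(rate(threat, vuln, imp, weights={"exploit": 3, "detection": 3}))
```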
Determine what to fix. Using the vulnerability ratings, you can scope improvement projects based upon lower-scoring vulnerability factors. Options can be reported alongside implementation costs to assist in project selection and planning.
Competing principles:
Threat landscape is not a constant, but an ever-changing dynamic system
is most meaningful when it can be kept constant across multiple measurement cycles
As time goes on, you'll want to use knowledge of reported activity to inform changes.
Possibly overlay "old" and "new" rating systems in reports, to illustrate ongoing improvement while ensuring that reporting is kept up to date