Lesson 23 - Risk Management Notes

Risk Management

  • A detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

  • The primary goal of risk management is to reduce risk to an acceptable level, which depends on factors like the organization, asset value, and budget.

Risk Management Best Practices

  • Every decision starts with looking at risk.

  • Determine the value of your assets.

  • Evaluate and identify cost-effective solutions.

  • Safeguards are proactive, while countermeasures are reactive.

Risk Management Lifecycle Phases

  • Risk Assessment: Categorize, classify, and evaluate assets, and identify threats and vulnerabilities.

  • Risk Analysis: Qualitative and quantitative analysis.

  • Risk Mitigation/Response: Reducing or avoiding risk, transferring risk, and accepting or rejecting risk.

Risk Assessment

  • Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically; managing risks is an ongoing process.

  • NIST 800-30 officially outlines the following steps for risk assessment:

    • System characterization

    • Threat identification

    • Vulnerability identification

    • Control analysis

    • Likelihood determination

    • Impact analysis

    • Risk determination

    • Control recommendation

    • Results documentation

Risk Analysis

  • Allows risks to be prioritized and a dollar value to be assigned to each risk event.

  • Risk can be analyzed through a qualitative and quantitative lens.

  • Qualitative analysis is subjective and uses terms like "high," "medium," and "low" to describe likelihood and severity.

DREAD Model

  • DREAD is an example of a qualitative risk assessment model with five categories:

    • Damage – how bad would an attack be?

    • Reproducibility – how easy is it to reproduce the attack?

    • Exploitability – how much work is it to launch the attack?

    • Affected users – how many people will be impacted?

    • Discoverability – how easy is it to discover the threat?

  • Assigning Scores: A score can be applied to each DREAD component (e.g., High is 3, Medium is 2, Low is 1).

  • Overall Score: An overall score can be calculated by adding the five component scores (e.g., High 12-15, Medium 8-11, Low 5-7).
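A DREAD scorer that applies the 3/2/1 component scale and the 12-15 / 8-11 / 5-7 overall bands from these notes, then ranks threats so the highest-scoring one is handled first. This is an added example, not code from the lesson; the sample threat names are constructed for illustration.

```python
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
RATING = {"high": 3, "medium": 2, "low": 1}

def dread_band(total: int) -> str:
    """Overall bands from the notes (five categories at 1-3 each give 5..15)."""
    if 12 <= total <= 15:
        return "High"
    if 8 <= total <= 11:
        return "Medium"
    if 5 <= total <= 7:
        return "Low"
    raise ValueError(f"DREAD total out of range: {total}")

def score_dread(ratings: dict) -> tuple:
    """ratings maps each DREAD category to 'high'/'medium'/'low'.
    Returns (total, band, per-category breakdown)."""
    missing = set(CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    breakdown = {}
    for cat in CATEGORIES:
        value = str(ratings[cat]).lower()
        if value not in RATING:
            raise ValueError(f"{cat}: bad rating {ratings[cat]!r}")
        breakdown[cat] = RATING[value]
    total = sum(breakdown.values())
    return total, dread_band(total), breakdown

def rank_threats(threats: dict) -> list:
    """Highest DREAD total first, so the worst-rated threat is handled first."""
    scored = [(name, *score_dread(r)[:2]) for name, r in threats.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Constructed sample threats for illustration only.
    sample = {
        "exposed admin interface": dict(damage="high", reproducibility="high",
            exploitability="high", affected_users="high", discoverability="medium"),
        "verbose error page": dict(damage="low", reproducibility="high",
            exploitability="medium", affected_users="low", discoverability="high"),
    }
    for name, total, band in rank_threats(sample):
        print(f"{total:2d} {band:6s} {name}")
```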

Common Vulnerability Scoring System (CVSS)

  • Components of CVSS:

    • Base metric: Used to describe exploitability and impact.

    • Temporal metric: Used to describe characteristics that evolve over the lifetime of a vulnerability.

    • Environmental metric: Used to describe vulnerabilities that depend on implementation or environment.

Mitigating Risk

  • Three acceptable responses when mitigating risk:

    • Reduce

    • Transfer

    • Accept

Additional Definitions (OSG Perspective)

  • Risk assessment or risk analysis: The examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk. This results in a sorted criticality prioritization of risks.

Risk Response Options (OSG)

  • Mitigation or reduction

  • Assignment or transfer

  • Deterrence

  • Avoidance

  • Acceptance

  • Reject or Ignore (Generally considered unacceptable)

NIST Risk Management Framework (RMF)

  • A comprehensive, flexible, repeatable, and measurable 7-step process for managing information security and privacy risk.

  • Links to NIST standards and guidelines to support implementation of risk management programs.

RMF Steps:

  • Prepare: Essential activities to prepare the organization to manage security and privacy risks.

  • Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis.

  • Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).

  • Implement: Implement the controls and document how controls are deployed.

  • Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results.

  • Authorize: Senior official makes a risk-based decision to authorize the system (to operate).

  • Monitor: Continuously monitor control implementation and risks to the system.

Key Documents:

  • NIST SP 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

  • NIST Cybersecurity Framework [NIST CSF] can be aligned with the RMF and implemented using established NIST risk management processes.

Multi-Level Approach to Risk Management (SP 800-39):

  • Addresses security and privacy risk at the organization level, the mission/business process level, and the information system level.

  • Communication and reporting are bi-directional information flows across the three levels to ensure that risk is addressed throughout the organization.

Risk Management Tiers (SP 800-39):

  • Tier 1: Addresses risk from an organizational perspective.

    • Implements risk framing, providing context for all risk management activities.

  • Tier 2: Addresses risk from a mission/business process perspective.

    • Informed by the risk context, risk decisions, and risk activities at Tier 1.

    • Includes:

      • Defining mission/business processes.

      • Prioritizing mission/business processes.

      • Defining information requirements, criticality/sensitivity, and information flows.

      • Incorporating information security requirements.

      • Establishing an enterprise architecture with embedded information security architecture.

  • Tier 3: Addresses risk from an information system perspective.

    • Guided by the risk context, risk decisions, and risk activities at Tiers 1 and 2.

    • Includes:

      • Categorizing organizational information systems.

      • Allocating security controls.

      • Managing the selection, implementation, assessment, authorization, and ongoing monitoring of allocated security controls.

NIST SP 800-53 and SP 800-53B

  • NIST Special Publication 800-53 covers the steps in the Risk Management Framework that address security control selection for federal information systems.

  • Includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.

  • SP 800-53 is 492 pages and lists over 1,000 controls.

Risk Register

  • A document used as a risk management tool and to fulfill regulatory compliance, acting as a repository for all risks identified.

Typical Risk Register Contents:

  • A risk category to group similar risks.

  • The risk breakdown structure identification number.

  • A brief description or name of the risk to make the risk easy to discuss.

  • The impact (or consequence) if the event actually occurs, rated on an integer scale.

  • The probability or likelihood of its occurrence rated on an integer scale.

  • The Risk Score (or Risk Rating) is the multiplication of Probability and Impact and is often used to rank the risks.

  • Common mitigation steps (e.g. within IT projects) are Identify, Analyze, Plan Response, and Monitor and Control.

Visualization

  • A risk register plots the impact of a given risk against its probability.

  • The example shown in the lesson deals with some issues that can arise at a typical Saturday-night party.

  • This “dot plot” is an easy way to visualize the critical risks.

  • In this case, “Fire” is both high probability and high impact, so it should be addressed first.
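A minimal risk register, added here as an example rather than taken from the lesson, that scores each entry as Probability × Impact, ranks the entries, and renders the impact-vs-probability dot plot as a text grid. The party entries, their ids and their 1..5 ratings are constructed to mirror the notes' example.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # integer scale 1 (lowest) .. 5 (highest) for both axes

@dataclass(frozen=True)
class RiskEntry:
    rbs_id: str      # risk breakdown structure identification number
    category: str
    name: str
    probability: int
    impact: int

    def __post_init__(self):
        for label, v in (("probability", self.probability), ("impact", self.impact)):
            if v not in SCALE:
                raise ValueError(f"{self.rbs_id}: {label} {v} not in 1..5")

    @property
    def score(self) -> int:
        return self.probability * self.impact  # Risk Score = P * I

def rank_register(register: list) -> list:
    """Highest risk score first; ties broken by impact, then by id."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.rbs_id))

def dot_plot(register: list) -> str:
    """Text version of the impact-vs-probability dot plot: rows are
    impact (5 at top), columns probability (1..5), cells hold risk ids."""
    cells = {}
    for r in register:
        cells.setdefault((r.probability, r.impact), []).append(r.rbs_id)
    lines = []
    for imp in reversed(SCALE):
        row = [",".join(cells.get((p, imp), [])).ljust(6) for p in SCALE]
        lines.append(f"I={imp} |" + "|".join(row) + "|")
    lines.append("     " + "".join(f" P={p}   " for p in SCALE))
    return "\n".join(lines)

PARTY = [  # constructed sample register, following the notes' party example
    RiskEntry("R1", "safety", "Fire", probability=4, impact=5),
    RiskEntry("R2", "neighbours", "Noise complaint", probability=5, impact=2),
    RiskEntry("R3", "property", "Spilled drinks on carpet", probability=4, impact=2),
    RiskEntry("R4", "logistics", "Run out of ice", probability=3, impact=1),
]

if __name__ == "__main__":
    for r in rank_register(PARTY):
        print(f"{r.rbs_id} score={r.score:2d} {r.name}")
    print(dot_plot(PARTY))
```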

Annualized Loss Expectancy (ALE)

  • ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)

  • ALE = SLE * ARO

  • ALE = Asset Value (AV) * Exposure Factor (EF) * ARO

  • ALE = AV * EF * ARO

  • Example: A flood will do $2 million in damage to a building, and that is expected every 50 years:

    • ALE = $2,000,000 * 0.02 = $40,000

  • Example: A lightning strike will burn out half of the 50 workstations in a facility ($100k in workstations) because there are 2 separate circuits, and a lightning strike is expected once every 20 years:

    • ALE = $100,000 (AV) * 50% (EF) * 0.05 (ARO) = $2,500

Total Risk/Inherent Risk

  • The amount of risk an organization would face if no safeguards were implemented.

  • Total Risk = Threats * Vulnerabilities * Asset Value

Controls Gap

  • The amount of risk that is reduced by implementing safeguards.

Residual Risk

  • The risk that remains once safeguards, security controls, and countermeasures are implemented.

  • Residual Risk = Total Risk – Controls Gap

  • Residual risk = (inherent risk) – (impact of risk controls)

  • To make a safeguard cost-effective, we need:

    • Residual Risk + Cost of Safeguard < Inherent Risk

  • If the above isn’t true, then we do not implement the safeguard since it “Isn’t worth it.”
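The ALE formulas and the two worked examples from the ALE section above, together with the safeguard test stated here (Residual Risk + Cost of Safeguard < Inherent Risk), as an added Python example that is not part of the lesson. The surge-protection cost and the reduced exposure factor used in the decision at the end are assumed figures.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, with EF given as a fraction (0.5 means 50%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_rate(years_between_events: float) -> float:
    """ARO = 1 / expected years between occurrences (every 50 years -> 0.02)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events

def ale(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro

def annualized_loss_expectancy(asset_value, exposure_factor, aro) -> float:
    """ALE = AV * EF * ARO (SLE written out)."""
    return ale(single_loss_expectancy(asset_value, exposure_factor), aro)

def safeguard_is_cost_effective(inherent_risk, residual_risk, safeguard_cost) -> bool:
    """The notes' test: residual risk + cost of safeguard < inherent risk.
    All three are annual dollar figures (ALEs and an annualized cost)."""
    return residual_risk + safeguard_cost < inherent_risk

def flood_example() -> float:
    # The notes give the $2M flood damage as the loss per event (the SLE),
    # expected every 50 years.
    return ale(2_000_000, annualized_rate(50))

def lightning_example() -> float:
    # $100k of workstations, half lost per strike (EF 50%), once in 20 years.
    return annualized_loss_expectancy(100_000, 0.5, annualized_rate(20))

if __name__ == "__main__":
    print(f"flood ALE:     ${flood_example():,.0f}")      # $40,000
    print(f"lightning ALE: ${lightning_example():,.0f}")  # $2,500
    # Constructed decision (assumed figures): surge protection costing $600/yr
    # that cuts the lightning EF from 50% to 10% leaves a residual ALE of $500.
    residual = annualized_loss_expectancy(100_000, 0.1, annualized_rate(20))
    print("surge protection worth it:",
          safeguard_is_cost_effective(lightning_example(), residual, 600))
```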


War in the Clausewitzian sense is an all-or-nothing endeavor; victory in its totality is the objective.

The seven steps in the NIST Risk Management Framework (RMF) are:

  1. Prepare: Activities to prepare the organization to manage risks.

  2. Categorize: Categorize the system and information based on impact analysis.

  3. Select: Select NIST SP 800-53 controls to protect the system based on risk assessments.

  4. Implement: Implement the controls and document their deployment.

  5. Assess: Assess if controls are in place, operating as intended, and producing desired results.

  6. Authorize: A senior official makes a risk-based decision to authorize the system to operate.

  7. Monitor: Continuously monitor control implementation and risks to the system.

Cyber Operations In Warfare

Cyber operations do not directly enhance the speed at which ground forces maneuver.

Ways in which cyber operations can be used to enhance a conflict:

  • hinder information sharing

  • psychological operations against foreign armies

  • immobilize targets with digital components

  • serve as a recruitment and training tool for fighters around the world.