1 of 24
2 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:07
3 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:09
Intr
oduc
tion
Abstract
4 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:10
Intr
oduc
tion
Abstract
5 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:12
Intr
oduc
tion
Objective
To ensure that IT related risks are identified, analyzed and presented in order to ensure information security for the organization.
To identify measures or controls to be taken to mitigate the risk to an acceptable level.
1
2
3
4
6 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:14
7 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:15
Risk
Man
agem
ent
Generic Approach
8 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:17
Risk
Man
agem
ent
Generic Process
Risk Decision Point 2Treatment satisfactory
Risk Decision Point 1Assessment satisfactory
Context Establishment
Reduction Retention Avoidance Transfer
Risk
Mon
itori
ng a
nd R
evie
w
Risk
Ass
essm
ent
Risk Treatment
Reference: ISO/IEC 27005
Risk Acceptance
Risk
Com
mun
icat
ion
Risk Evaluation
Risk Estimation
Risk Identification
Risk
Ana
lysi
s
Yes
No
Yes
No
9 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:20
10 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:21
Risk
Ass
essm
ent
Methodology
11 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:24
Likelihood
The goal is to identify the potential threat-sources and develop a list of system vulnerabilities that could be exploited by the potential threat-sources.
Risk
Ass
essm
ent
Likelihood Description Score
Rare Rarely happen or very unlikely to happen 1
Unlikely Not seen within last 5 years or unlikely to happen 2
Moderate Seen within last 5 years but not within last year or likely to happen 3
Likely Seen within last year or very likely to happen 4
Most likely Happens on a regular basis or most likely to happen 5
12 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:26
Impact Level and Scoring – Mission Critical Scenario
The goal is to measure level of risk and determine the adverse impact resulting from a successful threat exercise of a vulnerability.
Risk
Ass
essm
ent
Impact Level Description Score
InsignificantImpact that would not cause any exposure of information, any effects to national security, any injury, any unauthorized entry, any asset loss, or no system or operation disruption.
1
MinorImpact that would cause exposure of Restricted information, “undesirable effects” to national security, less than minor injury, undetected or delay in the detection of unauthorized entry with no asset loss or access to sensitive materials, or no system or operation disruption.
2
Major
Impact that would cause exposure of Confidential information, “damage” or be “prejudicial” to national security, or harmful to national interest, national reputation, Government activities or to individual, or cause embarrassment or difficulty to administration, or give benefits to foreign powers, bringing limited financial losses to the Organization, minor injury not requiring hospitalization, undetected or delay in the detection of unauthorized entry resulting in limited access to assets or sensitive materials, or no mission impairment, or minor system and operation disruption.
3
Material
Impact that would cause exposure of Secret information, “serious damage” to national security, interest and reputation, give great benefits to foreign powers, bringing significant financial losses to the Organization, severe injury to human resources, loss of valuable asset resulting from undetected or unauthorized access, unacceptable mission delays, or unacceptable system and operation disruption.
4
Catastrophic
Impact that would cause exposure of Top Secret information, “exceptionally grave damage” to national security, bringing physical or financial losses to the Organization, loss of life, loss of critical assets, significant impairment of mission over extended period of time, or catastrophic or widespread loss of systems services.
5
13 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:27
Risk Matrix and Impact LevelR
isk
Ass
essm
ent
Low riskNo mitigation requiredAction must be taken to maintain the risk
level and implemented in long-term plan
Critical risk, immediate action required Risk mitigation is required to lower the risk to an
acceptable level Action must be taken ASAP
High risk, management attention needed. Risk mitigation is required to lower the risk to an
acceptable level Implementation plan must be developed and
included in short-term plan
Medium risk Risk mitigation may required to maintain or
reduce the risk level Implementation plan must be developed and
included in mid-term plan
14 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:31
Risk
Ass
essm
ent
Risk Treatment Process
Risk Decision Point 2
Risk Decision Point 1
Risk Assessment Results
Reduction Retention Avoidance Transfer
Risk Treatment Options
SatisfactoryAssessment
Residual Risk
SatisfactoryTreatment
Risk
Tre
atm
ent
15 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:32
Risk
Ass
essm
ent
Risk Treatment Process – continue
Risk reduction involves approaches that reduce the probability of the vulnerability being triggered or reduce the impact when the vulnerability is triggered. Reducing a risk most often involves putting in place controls.
Reduce
Risk retention means accepting the loss when it occurs. Risk retention is a viable strategy for small-impact risks where the cost of insuring against the risk would be greater over time than the total losses sustained. Plans should be put in place to manage the consequences of these risks if they should occur, including identifying a means of financing the risk. Risks can also be retained by default, i.e. when there is a failure to identify and/or appropriately transfer or otherwise treat risks.
Retain
Risk avoidance means simply not performing the activity that carries the risk. Risk avoidance can occur inappropriately if individuals or organizations are unnecessarily risk-averse. Inappropriate risk avoidance may increase the significance of other risks or may lead to the loss of opportunities for gain.
Avoidance
Risk transfer means passing the risk on to another party that is willing to accept the risk, typically by contract, partnership and/or joint ventures. Insurance is an example of risk transfer using contracts. The transfer of a risk to other parties, or physical transfer to other places, will reduce the risk for the original organization, but may not diminish the overall level of risk to society. Where risks are transferred in whole or in part, the organization transferring the risk has acquired a new risk, in that the organization to which the risk has been transferred, may not manage the risk effectively.
Transfer
16 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:34
Risk
Ass
essm
ent
Risk Acceptance
Risk acceptance can be defined as the decision and approval by high authority party to accept the remaining risk after the treatment process is concluded. Once accepted, residual risks are considered as risks that the high authority party knowingly takes. The level and extent of accepted risks comprise one of the major parameters of the Risk Management process. In other words, the higher the accepted residual risks, the less the work involved in managing risks (and inversely).
Assess Treatment Options Develop Treatment Plan Implementation Plan
A number of options may be considered and applied either individually or in combination. Selection of the most appropriate option involves balancing the cost of implementing each option against the benefits derived from it. In general, the cost of managing risks needs to be commensurate with the benefits obtained.
Plans should document how the chosen options shall be implemented. The treatment plan should identify responsibilities, schedules, expected outcome of treatments, budgeting, performance measures and the review process to be set in place.
Implementation treatment plan should document how the chosen options shall be implemented and approve by the management and/or project sponsors.
17 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:35
Risk
Ass
essm
ent
Risk Communication
Perceptions of risk can vary due to differences in assumptions, concepts and the needs, issues and concerns of stakeholders as they relate to risk or the issues under discussion.
Risk communication should be carried out in order to achieve the following: To provide assurance of the outcome of the organization's risk management. To collect risk information. To share the results from the risk assessment and present the risk treatment plan. To avoid or reduce both occurrence and consequence of information security breaches due to the
lack of mutual understanding among decision makers and stakeholders. To support decision-making. To obtain new information security knowledge. To co-ordinate with other parties and plan responses to reduce consequences of any incident. To give decision makers and stakeholders a sense of responsibility about risks. To improve awareness.
18 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:39
Risk
Ass
essm
ent
Risk Communication
Risks are not static. Threats, vulnerabilities, likelihood or consequences may change abruptly without any indication. Therefore constant monitoring is necessary to detect these changes
This monitoring and review activities should continuously monitored and addressed (but not limited to): New assets that have been included in the risk management scope. Necessary modification of asset values, e.g. due to changed business requirements. New threats that could be active both outside and inside the organization and that have not been assessed. Possibility that new or increased vulnerabilities could allow threats to exploit these new or changed
vulnerabilities. Identified vulnerabilities to determine those becoming exposed to new or re-emerging threats. Increased impact or consequences of assessed threats, vulnerabilities and risks In aggregation resulting in
an unacceptable level of risk Information security incidents. Legal and environmental. Impact criteria. Risk acceptance criteria. Necessary resources.
19 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:43
20 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:44
Risk Identification ExampleR
isk
Ass
essm
ent N
o/I
D
Ass
et
Ow
ner
Thr
eat
Vul
nera
bilit
ies
Cur
rent
C
ont
rol
Plan
ned
Cont
rol
Prim
ary
Secu
rity
C
onc
ern
Like
lihood
Impac
t
Score
A1 Central DB Ahmed –business
function A
Abuse of rights
There are 8 administrator account which may allow user to log on using these account and knowingly or unknowingly perform damaging actions.
None Limit administrator account to at least 1 or 2 account only.
N(None-
repudiation)
3 5 15
A2 Web Portal A
Ahmed –business
function A
Sabotage Ineffective user registration, deregistration and logging functionalities
Syslog None I(Integrity)
1 4 4
A3 Router John –business
function B
Passwdcracking
Network device may configured with common, default and/or weak passwords configuration.
Policy and procedure
None C(Confidentiality)
2 4 8
21 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:45
Risk Treatment Options ExampleR
isk
Ass
essm
ent
No/ID Risk Treatment Justification Risk Owner
A1 15 Reduce a) There are 8 administrator account which may allow user to log on using these account and knowingly or unknowingly perform damaging actions.
b) Logging management system is not sufficient to detect changes in the central DB.
c) There are no database firewall implemented to monitor administrator access and activities.
Ahmed – business function A
A2 4 Avoid a) Implement NAC or similar security control.
b) Logging management system is not sufficient to detect changes in the central DB.
c) There are no database firewall implemented to monitor administrator access and activities.
Ahmed – business function A
A3 8 Retain a) Current default password is not an ‘easy to guess’ password.
b) Last incident was 8 years back.
John – business function B
22 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:47
Risk Treatment Plan ExampleR
isk
Ass
essm
ent
No/ID Risk Treatment Plan Risk Owner Resolve By
A1 15 Reduce Limit administrator account to at least 1 or 2 account only:
a) Setup a test server to simulate the requirement and observe the impact to the systems.
b) Develop a proper access control matrix.
Ahmed – business function A
ASAP30/09/2013
A2 4 Avoid a) Replace logging management system with sufficient security control to detect changes in the central DB.
b) Implement database firewall.
c) Implement data integrity solution such as tripwire.
Ahmed – business function A
Long-term
A3 8 Retain Conduct security audit, vulnerability assessment and hardening exercise.
John – business function B
Mid-term01/01/2014
23 of 24
Half seaman, half geek, sometimes musician, partial comedian, probably not a politician, virtually busy, generally muslim, mostly harmless, definitely not a cyber terrorist.
[email protected]://shaolininteger.blogspot.com | http://my.linkedin.com/in/shaolinint 16 August 201322:26:48
Risk Implementation Treatment Plan ExampleR
isk
Ass
essm
ent
No/ID Plan Risk OwnerResourceRequired
ResolveBy
Expected Outcome Cost
A1 Limit administrator account to at least 1 or 2 account only:
a) Setup a test server to simulate the requirement and observe the impact to the systems.
b) Develop a proper access control matrix.
Ahmed –business function
A
1 x Server administrator
1 x DB administrator
1 x Technical Security Engineer
ASAP30/09/2013
Administrator is limit to 1 or 2 account onlyand other users are only allow based on their roles.
MYR 5k
A2 a) Replace logging management system with sufficient security control to detect changes in the central DB.
b) Implement database firewall.
c) Implement data integrity solution such as tripwire.
Ahmed –business function
A
1 x Technical Security Consultant
Long-term The system is effectively monitor user registration, deregistration and logging functionalities
MYR 150k
A3 Conduct security audit,vulnerability assessment and hardening exercise.
John – business function B
1 x Technical Security Consultant
1 x Technical Security Engineer
Mid-term01/01/2014
Hardened network device, al passwords are set and comply to security policy, and password cracking attempt should be logged and monitored.
MYR 200k
24 of 24