Sem 004
- 3. Risk Analysis Versus Risk Assessment Thomas R. Peltier, SecureWorld Expo
- 4. “threats into risk”? What was I thinking?!? Risk Analysis Versus Risk Assessment Thomas R. Peltier, SecureWorld Expo
- 5. Risk Analysis Versus Risk Assessment Thomas R. Peltier, SecureWorld Expo
- 7. Calculates risk based upon actuarial tables What do you actually need?
- 9. averse tolerant What posture is required? Is mine different?
- 10. ► ► ► ►
- 11. • A more precise semantic – articulate the components of risk • Capture mental risk “arithmetic” • Substitute probability • JGERR: Rigorous, lightweight risk calculation for security practitioners
- 15. Bald Tire Risk Rating?
- 16. Risk Term Definition Threat Entity that can harm Vulnerability Weakness that has impact Exploit Method to exercise a vulnerability Exposure Availability of vulnerability for exploitation Impact Damage or loss from exploitation of vulnerability by a threat
- 17. Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 17 1. The vulnerability is exposed to a credible, active threat capable of exploitation1 2. The exercise of the vulnerability will have a significant impact 1.“attack vector”
- 18. A credible threat exercising an exploit on an exposed vulnerability
- 19. ► ► ► ► ►
- 21. ► ► ► ► 1. An “attack vector”, as defined 2. Garnered from a presentation at RSA
- 22. 1. Information security risk assessment
- 23. ► • • • ► • • • ► Let risk owner decide
- 25. Credits • Rakesh Bharania & Catherine Blackadder Nelson • Vinay Bansal & the Cisco “Web Arch” team • Jack Jones & FAIR • John and Ann-Marie Borrelli & the KnowledgeConnect forum participants • That unnamed trust researcher at RSA • The Information Security Risk Methodology working group at Cisco Systems, Inc: Doug Dexter, Marc Passey, Richard Puckett, Jim Borne, Brook Schoenfield
- 26. Formal Definitions Vulnerability Any weakness, administrative process, or act or physical exposure that makes an asset susceptible to exploit by a threat Threat A potential cause of an unwanted impact to a system or organization. (ISO 13335-1) Exposure The potential damage to or loss of an asset from a given threat and/or vulnerability after consideration of existing controls Impact The overall (worst case scenario) loss expected when a threat exploits a vulnerability against an asset Exploit A means of using a vulnerability in order to cause a compromise of business activities or information security
- 27.
- 29. ► ► ► ► ► ► ►
- 33. ► ► ► ►
- 39. ► ► ► ► ► ►
- 40. ► ► ► ►
- 42. ► ► ► The Risk Management Framework (NIST Special Publication 800-37).
- 43. Risk can be seen as relating to the probability of uncertain future The product of the probability of a hazard resulting in an adverse event, times the severity of the event
- 45. ► ► ► ► ISO31000: 2009 Risk Management Standard ► National Initiative for Cybersecurity Education (Cybersecurity Workforce Framework)
- 48. ► ► ►
- 51. :