Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
- 1. Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure Jim Basney <jbasney@ncsa.illinois.edu> URISC@SC17 This material is based upon work supported by the National Science Foundation under grant number 1547272. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- 2. Risk Assessment: Motivation Implement cybersecurity “best practices” Create an inventory of your project's assets Think critically about potential risks Develop risk mitigations Understand accepted risks
- 3. Risk Assessment Tools Risk Self-Evaluation Spreadsheet https://goo.gl/9x1NdQ Risk Assessment Table http://trustedci.org/guide/docs/RAtable Copies also in https://go.ncsa.illinois.edu/URISC
- 4. Risk Self-Evaluation: Sections Policy and Procedure Host Protection Network Security Physical Security Monitoring and Logging
- 7. Risk Self-Evaluation: Potential Strategies View project as a whole Divide project into parts Conceptual components Location-based Existing vs Planned Have personnel fill out what they know
- 9. I Did the Risk Self-Evaluation! Now What? Address any issues Mitigated = “Partial”, “No”, or “Unknown” Schedule a re-check in 3 months Give report to management Start a more complete Risk Assessment http://trustedci.org/guide/docs/RAtable
- 10. Risk Assessment Process Risk Assessment Table http://trustedci.org/guide/docs/RAtable CTSC Guide to Developing Cybersecurity Programs https://trustedci.org/guide NIST 800-30: Risk Management Guide for Information Technology Systems http://doi.org/10.6028/NIST.SP.800-30
- 11. 1. System Characterization Describe the system resources used by the project Break down the system by location, function, information flow, etc. Use an Information Asset Inventory https://trustedci.org/guide/docs/IAI
- 12. 2. Threat Identification Threat is the potential for a particular source to exploit a particular vulnerability toward a malicious end. Threats consist of sources (e.g., humans, natural disasters, power outages), motivations (e.g., monetary gain, espionage), and actions (e.g., hacking, social engineering). Identifying threats often involves looking at old attack data and noting which threats are applicable today.
- 13. 3. Vulnerability Identification A vulnerability is a flaw or weakness in a system’s security procedures, design, implementation, or internal controls that could potentially be exercised by a threat agent to result in a breach or violation of the system's security policy. The Risk Assessment Table reflects the vulnerabilities as a combination of the columns “Asset”, “Attack Surface”, and “Threat Description”.
- 14. 4. Control Analysis Security controls are mechanisms put in place to mitigate the risk of threats being being realized by exploiting vulnerabilities. Controls can be administrative (e.g., policies, standards, guidelines, training and other processes), technical/logical (e.g., authentication and authorization systems, file permissions, firewalls, intrusion detection systems, etc.), or physical (e.g., locked file cabinets, secured data centers, cameras, fences, etc.). The “Current Controls” column of the Risk Assessment Table lists any controls in place for the associated risk. The “Control Effectiveness” column is an estimation of how effective the current control is, using a scale from 1 (ineffective) to 5 (extremely effective). Control Effectiveness 5 Extremely effective 4 Very effective 3 Moderately effective 2 Minimally effective 1 Ineffective
- 15. 5. Likelihood Determination When ranking likelihood, consider not only the specifics of the vulnerability, but also motivation and capability of a potential threat source. Likelihood Estimation 5 Constant or extremely frequent, > 85% 4 Very frequent, 60% - 85% 3 Somewhat frequent, 30% - 60% 2 Infrequent, 10% - 30% 1 Rarely, if ever, < 10%
- 16. 6. Impact Analysis The impact of any exploit depends upon (1) the mission of the project, (2) the criticality of the vulnerable system or data, and (3) the sensitivity of the affected system or data. Impact from a security incident could affect the integrity, availability, or confidentiality of a system or data. Depending on the subsystem affected, we could be concerned more with one kind of impact than another. However, the impact on each of these three properties should be considered for any potential exploit. On method to make the impact of an exploited vulnerability more concrete is to estimate a dollar amount for the impact of an incident. Impact Estimation 5 Catastrophic, > $1M 4 Major, $250K - $1M 3 Moderate, $50K - $250K 2 Minor, up to $50K 1 Insignificant, ~$100s
- 17. Sort the Risk Assessment Table by “Residual Risk” to find the vulnerabilities which have a high risk, taking into account the current controls in place. These are the risks that should be addressed first. 7. Risk Determination & Recommendations Inherent Risk = Likelihood * Impact Risk 20 – 25 Very High 14 – 19 High 9 – 13 Medium 4 – 8 Low 0 – 3 Negligible Residual Risk = Inherent Risk * (6-Control Effectiveness)/5
- 18. Risk Assessment Table: Discussion
- 19. 19 Cybersecurity Guides and Tools ● Addressing concerns unique to science ● Policy templates: Acceptable Use, Access Control, Asset Management, Disaster Recovery, Incident Response, Inventory, Awareness, Physical Security, ... ● Risk assessment table ● Securing commodity IT ● Self-assessment Tool ● Identity Management Best Practices https://trustedci.org/guide