
Risk Assessment

By:
Ashwin
Vignesh
Madhu
Overview
Objective
Introduction
Risk
Risk Management Cycle
RA Methodologies
CRAMM
COBRA
RuSecure
British Standard
Hierarchical Criteria Model
Common Failures in RA
Elements of Good RA
OCTAVE
Characteristics
Process
Criteria
Examples
OCTAVE Methodology
Choosing Methodology
Our Methodology

Objective
Risk Assessment Process
Not unique to the IT environment
Provide the desired level of mission support depending on the budget
Well-structured risk management methodology
Introduction
The process of enumerating risks
Determining their classifications
Assigning probability and impact scores
Associating controls with each risk
Risk
Risk Assessment measures
Magnitude of the potential loss L
Probability p that the loss will occur
Risk R can be expressed as
R = L * p (or)
Risk = Impact * Likelihood
Risk (Cont..)
Risk = PA * (1 - PE) * C
PA - the likelihood of adversary attack
PE - the security system effectiveness
(1 - PE) - the adversary's probability of success
C - the consequence of loss of the asset
High L with low p versus low L with high p
Treated differently in practice
Given nearly equal priority in dealing with them
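Added example, not from the slides: a constructed risk register scored with the two formulas above, R = L * p and Risk = PA * (1 - PE) * C, then ranked. The Scenario fields, the register entries and the dollar figures are assumptions made for the illustration.

```python
# Added example, not from the slides: score a constructed risk register with the
# two formulas above, R = L * p and Risk = PA * (1 - PE) * C, and rank it.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Scenario:
    asset: str
    consequence: float    # C (or L): loss if the asset is compromised, constructed USD
    p_attack: float       # PA: likelihood of adversary attack in the period, 0..1
    effectiveness: float  # PE: security system effectiveness, 0..1

def expected_loss(loss: float, probability: float) -> float:
    """R = L * p: magnitude of the potential loss times the probability it occurs."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return loss * probability

def adversary_risk(p_attack: float, effectiveness: float, consequence: float) -> float:
    """Risk = PA * (1 - PE) * C: attack likelihood, adversary success, consequence."""
    for value in (p_attack, effectiveness):
        if not 0.0 <= value <= 1.0:
            raise ValueError("PA and PE must be in [0, 1]")
    return p_attack * (1.0 - effectiveness) * consequence

def rank(scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """(asset, risk) pairs, highest risk first; ties keep register order."""
    scored = [(s.asset, adversary_risk(s.p_attack, s.effectiveness, s.consequence))
              for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed register. The first two entries illustrate the slide's point: a
# high-L, low-p scenario and a low-L, high-p scenario score identically, yet are
# treated differently in practice (risk transfer versus routine controls).
REGISTER = [
    Scenario("customer database", consequence=400_000, p_attack=0.5, effectiveness=0.75),
    Scenario("public web server", consequence=100_000, p_attack=0.5, effectiveness=0.0),
    Scenario("office printer", consequence=2_000, p_attack=0.25, effectiveness=0.5),
]

if __name__ == "__main__":
    for asset, risk in rank(REGISTER):
        print(f"{asset:18s} risk = {risk:,.0f}")
```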
Risk Management Cycle
RA Methodologies
CCTA Risk Analysis and Management Method (CRAMM)
Consultative, Objective and Bi-functional Risk Analysis (COBRA)
RuSecure
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Failure Mode and Effects Analysis (FMEA)
British Standard (BS)
RA Methodologies (Cont..)
These methods support:
Detecting critical places and parts in the organization
Detecting risk factors
Collecting data about risk factors
Evaluation and estimation of risk
Generating a report of the risk management process
CRAMM
COBRA
Two modules
COBRA Risk Consultant
ISO Compliance Analyst
Supports the process of evaluating security risk
Evaluation steps
Building queries
Risk evaluation
Constructing reports
Contains a library of countermeasures
RuSecure
British Standard
Hierarchical Criteria Model
Common Failures in RA
Poor executive support
High cost of implementation
Untimely response
Insufficient accountability
Inability to qualitatively measure the control environment
Infrequent assessment
Inaccurate data
Elements of good RA
Provides clear instructions
Simplifies user response
Identifies support contacts
Focuses on leaders as well as executors
Provides feedback to users and risk leaders
Has a broad scope
Identifies users for follow-up where necessary and applicable
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Effective security risk evaluation
Considers both organizational and technological issues
Self-directed
Characteristics
Identify information-related assets
Focus risk analysis activities on critical assets
Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
Evaluate risks in an operational context - how the assets are used to conduct the organization's business
Create a protection strategy for risk mitigation
OCTAVE Process
Criteria
Principle
Fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process
Attribute
Distinctive qualities, or characteristics, of the evaluation
Output
Define the outcomes that an analysis team must achieve during each phase
Examples
OCTAVE Method Process
Phase 1: Build Asset-Based Threat Profiles
Process 1: Identify Senior Management Knowledge
Process 2: Identify Operational Area Knowledge
Process 3: Identify Staff Knowledge
Process 4: Create Threat Profiles
OCTAVE Method Process (Cont..)
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify Key Components
Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
Process 7: Conduct Risk Analysis - An organizational set of impact evaluation criteria is defined to establish the impact value
Process 8: Develop Protection Strategy - The team develops an organization-wide protection strategy to improve the organization's security practices
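Added example, not from the slides or from the OCTAVE materials: Process 7 carried out as a calculation. The organization defines impact evaluation criteria per impact area, each entry of the Phase 1 threat profile is scored against them, and the resulting impact value ranks the risks. The thresholds, the low/medium/high = 1/2/3 levels and the area priorities are constructed assumptions in the style of OCTAVE Allegro's relative risk score; the threat profile entries are constructed too.

```python
# Added example, not from the slides: OCTAVE Process 7 as a calculation. The
# thresholds, 1/2/3 impact levels and area priorities below are constructed
# assumptions in the style of OCTAVE Allegro's relative risk score.
from typing import Callable, Dict, List, Tuple

IMPACT_LEVEL = {"low": 1, "medium": 2, "high": 3}

# Impact evaluation criteria: a measured consequence -> qualitative level.
def financial_criteria(loss_usd: float) -> str:
    return "high" if loss_usd >= 500_000 else "medium" if loss_usd >= 50_000 else "low"

def productivity_criteria(downtime_hours: float) -> str:
    return "high" if downtime_hours >= 24 else "medium" if downtime_hours >= 4 else "low"

def reputation_criteria(customers_affected: float) -> str:
    return "high" if customers_affected >= 10_000 else "medium" if customers_affected >= 500 else "low"

CRITERIA: Dict[str, Callable[[float], str]] = {
    "financial": financial_criteria,
    "productivity": productivity_criteria,
    "reputation": reputation_criteria,
}
# Assumed organizational priority of each impact area (higher = matters more).
PRIORITY = {"financial": 3, "reputation": 2, "productivity": 1}

ThreatEntry = Tuple[str, str, Dict[str, float]]  # (asset, threat, measured consequences)

def impact_value(consequences: Dict[str, float]) -> int:
    """Sum over impact areas of priority * impact level for one threat."""
    return sum(PRIORITY[area] * IMPACT_LEVEL[CRITERIA[area](measured)]
               for area, measured in consequences.items())

def rank_threats(profile: List[ThreatEntry]) -> List[Tuple[str, str, int]]:
    """Return (asset, threat, impact value) with the highest impact first."""
    scored = [(asset, threat, impact_value(c)) for asset, threat, c in profile]
    return sorted(scored, key=lambda entry: entry[2], reverse=True)

# Constructed threat profile for two critical assets (a Phase 1 output).
THREAT_PROFILE: List[ThreatEntry] = [
    ("customer records", "disclosure via network access by an outsider",
     {"financial": 750_000, "productivity": 2, "reputation": 20_000}),
    ("order system", "outage caused by an accidental misconfiguration",
     {"financial": 60_000, "productivity": 30, "reputation": 300}),
]

if __name__ == "__main__":
    for asset, threat, score in rank_threats(THREAT_PROFILE):
        print(f"{score:3d}  {asset}: {threat}")
```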
Choosing Methods
Depending on organization size
Depending on the organization's hierarchical structure
Structured or open-ended method
Analysis team composition
IT resources
Our Methodology
Policies and procedures
Requirement analysis
Network Topology
Categorizing the network
Scanning based on categorization
Analysis of vulnerabilities
Use different scanning tools
Penetration testing
Risk strategy
Mitigation of risk
References
NIST Risk Management Guide for Information Technology Systems
http://www.gao.gov/special.pubs/ai00033.pdf
http://en.wikipedia.org/wiki/Risk_management
http://en.wikipedia.org/wiki/Risk_assessment
http://www.sandia.gov/ram
http://www.carnet.hr/CUC/cuc2004/program/radovi/a5_baca/a5_full.pdf
http://www.octave.org
Thank You