
BSIDESOK 2017 Greg Guhin - Security Risk Management: Risk Assessment and Beyond

BSides Oklahoma · 40:06 · 133 views · Published 2017-04
About this talk
My presentation will concentrate on using the results of Information Security Risk management activities to drive strategic and tactical outcomes. The material will include the use of components of the Octave Allegro Information Risk Assessment methodology to perform threat scenario modeling, with the results driving investments in information security tools and capabilities. There will be general discussions on how risk assessments are used in different organizational gates that introduce risk, including Vendor Management, Project and Data Protection.
Transcript [en]

Good afternoon and welcome to the three o'clock session here. I'm going to go ahead and get this kicked off. I'm going to be reviewing probably the most sexy information security discipline, that's risk management. To introduce myself, I've been in the Tulsa area for about four years now, working at the Bank of Oklahoma. I have experience in both banking and healthcare, and before that I spent a considerable amount of time doing small business network consulting up in Alaska after I got out of the Army. So I'm going to go into the first slide here and just do a little bit of discussion on risk-based decisions: how you make decisions and whether they are going to be strategic or tactical decisions that you make based on risk outcomes.

Just a few questions for the audience: how many people out here are in management positions? Raise your hand. What's the general size of the organizations you're working for, is it less than a thousand employees? Anybody in larger organizations with more than 5,000 employees? So do the majority of your organizations have a well-thought-out information security strategy? Anybody willing to offer up any feedback on that? Starting to develop it. So I'm going to try to go through how you can make both strategic decisions and also tactical decisions based on risk. Some of the strategic ones are going to be around your budget: how do I create a budget to look for opportunities to introduce new technologies? Do I need visibility into cloud applications, and what drives me into purchasing a tool? Do I go to a conference and all the vendors tell me they've got the greatest, do I make my purchasing decisions based on that, on user groups, on recommendations from peers, or do I make a risk-based decision based on threats, existing controls and where there might be gaps? The more tactical decisions come into place when you give an asset a risk score. Based on that asset risk, do I need a pen test? Is this an internet-facing application, does it have critical data, do I need to have either internal or external penetration tests done? Do I need to implement multi-factor authentication? Do we need to have access reviews for this application based on some risk interval? Or if this is an engagement with a vendor, do I need to do due diligence on that vendor? So those are some of the tactical questions that you can answer based on the risk.

Some of the gates that risk enters your organization through, that I've found, are new products and services that are introduced. I'm lucky to work in an organization that has some pretty good pipelines through vendor management and project management, so we can interject security within these existing processes. Within the vendor management process we can look to vet new vendors; in project management, any new projects or major changes in systems will be coming through that project management pipeline. Other places are more operational or change controls, and smaller projects that might come through a request system. And then the places that we don't have visibility are some of the shadow IT. How do we assess the risk in shadow IT, use of cloud services that might not be coming through our procurement, just put on a corporate card, so some things that don't even come through general accounting, where you would have some accountability for a budget? We're looking at tools, cloud access security broker visibility and web and proxy logs, to try to identify those shadow IT processes.

So risk management 101 is, first you need to assign an inherent risk value to whatever you are evaluating. The examples that are going to come later are going to be an asset value inherent risk. Do you have a system right now, do you have an information security classification system where you can categorize your assets? If you don't have one you can look at FIPS 199. If you are in the government sector you probably already are using FIPS 199, which is going to give you a confidentiality, integrity and availability impact level at a high, medium or low, and then it will use a high watermark: if you have high in any of those categories you would apply controls based on that high watermark. We've used a custom risk profile that combines the data elements, the volume of data and the position. The industry that I represent is very heavily into protecting customer information; the places that you've come from, it might be employee data, intellectual property, or it might be availability, where you're in manufacturing and you need to have the systems up and available 99.999, so your information security is really driven around productivity and availability.

The second part of the risk equation is what controls do I have in place to help mitigate that risk, to lower that risk level. Some places, if you are just starting out, you can look at control frameworks to give your organization a better head start on developing a risk and control matrix. So the NIST 800-53 and the Cybersecurity Framework, different sets of ISO 27001 to 3, and then the SANS Critical Security Controls, those are good frameworks to borrow from when you create your own control framework. Once you've identified the controls that you are going to document and apply as mitigations, you have to figure out how you're going to assign effectiveness. In risk management we really want to take away a lot of subjectivity and introduce math, so there's going to be some math later in this; I hope everybody is willing to count by multiples of fives with me. So we look at the design of our control, using the CMMI, you know, how mature is that control: is it really non-existent, from a zero, is it ad hoc, or is it at that really high five where you have a control that you're gathering metrics on and you're basing your process improvements on those metrics? The second part is the metrics and KRIs that you use to see whether that control is effective or not. So once you've established your inherent risk and you've used your controls to help mitigate that risk, you can come up with a residual risk based on the different layered controls that you've applied to help lower that risk.

One of the first steps that I mentioned is evaluating the risk: what is that inherent risk? Like I said, in our process we are very data-centric, we are looking at what type of data we are trying to protect. Is it customer protected PII? NPFI is non-public financial information, account numbers. PHI, protected health information: are you in a HIPAA or HITECH regulated industry? PCI data, employee data, or is it something more just along the lines of company confidential or proprietary intellectual property? And what's the volume of data, you know, if there was a breach what is going to be the impact due to the volume of records? Ponemon comes out with the value of a breached record yearly, and we've kind of settled in around that hundred and fifty dollar hard cost for a single record; it's going to cost that in making the customer whole, coming up with any direct cost related to the breach of that data. So we use that to extrapolate out: if we have a system with customer data that has X number of records, times 150 dollars, that's going to be the direct cost of a breach for that. We use that in the math later on. And how does the position of the data affect your risk score on that inherent? Is it directly exposed to the internet, is it internal and unstructured, is it internal in a database, internal in a web app? All those things factor into the probability that that data is going to be a victim of a compromise. Other things you need to do to evaluate the risk: are we outsourcing specific critical business processes, or are we bringing in professional staff to help augment our existing workforce?

So on to that control development. There's kind of a three lines of defense model that's being circulated amongst a lot of COSO-bound companies. The first line of defense is that control or process performer. Within this lifecycle you need to develop a control catalog; earlier I had a couple of references, if you do not have an existing control catalog you can look to NIST, ISO to come up with a list of controls, and these can range from, you know, I have firewalls, I have antivirus software, I have data loss prevention, I use encryption, to more personnel security controls, you know, I do background and hiring checks, I have NDAs and I have confidentiality agreements. So once I have identified those controls and people are performing those controls, we want to test them to see if they're effective. The second line of defense is an independent risk management view of this, and these might be self-assessments based on questionnaires, it might be observation of configurations, and it could be the threat modeling, which is what I'm going to go through in the second part of this presentation. And then the third line of defense is independent audit or independent security assessments, and there are many different flavors of audits. The American Association of CPAs has SOC 1s, SOC 2s, SOC 3s; if you are familiar with these audit reports you will know that you want as much as possible to get a Type II, where you have the listing of the controls that have been tested and the results of those, not just the opinion of the auditor. Other independent audits and certifications are the PCI DSS, the ISO 27000 series of certifications, and then individual pen test results, so it could be an application pen test, a network pen test, anything that you can use to help validate the effectiveness of the controls that you have designed.

So that human element that I brought in a little bit on that last slide, the personnel security controls: some of the things that you need to make sure are in place, both at your organization or if you are outsourcing or bringing in staff augmentation, go through that onboarding process. Is your company, or the company that you're relying on for staffing, doing proper background checks, credit checks, drug tests? Is it just a one-time occurrence before hire, or are they done throughout the term of employment? Are they done at different levels for people that have access to different levels of information? What are the termination procedures, how fast can we remove access when somebody has left the company? Is there a privacy policy that you distribute and have people adhere to and attest to, either through a physical signature or an electronic attestation? And then what's the security awareness and training policy and curriculum: are you properly training your people to identify risks, and are they able to act as that human firewall, that human shield? We all know that the primary vector of attack is coming through social engineering; how well can we educate our employees to be that boundary control? Because the boundary control is not a firewall anymore, the boundary control is somebody in a browser or somebody in their email application.

So once we've gone through and we've found risk, we've mitigated it to the best of our ability, these are the different risk treatment options. When you look at doing something that has business value, you look at what is the value of that service or product in relation to the risk. So I've identified risk; what can I do with it? Can I mitigate it, do I have direct mitigating controls or compensating controls that can help reduce that risk to a level that is acceptable? Is the risk owner just willing to accept certain risk? You know, if that business value is going to result in an income stream of millions of dollars per month, I might be willing to accept a higher level of risk than I would if that was a very small portion of the total company revenue stream. And then I can transfer the risk, I can buy insurance, and the insurance usually comes in two different flavors. There's an errors and omissions policy that covers you from your people doing dumb things, so if you have somebody working in, say, a wire room and they are not following the procedures that they should be, that's a human error, and your errors and omissions policy should help you cover that loss exposure. A cyber liability policy would be for that breach. As with any insurance, you need to go through a pre-screening process to get cyber liability insurance; you need to prove that you do have certain controls in place, and they will reimburse you for any losses due to a breach.

Just a quick slide here: if you have a lot of third-party contracts, here are some of the clauses that you need to make sure are in your third-party and vendor contracts. The indemnification and limitation of liability: what is a material breach due to an information security control failure? So if I am hosting data with X company, within that contract how can I get out of that contract if they fail to meet the obligations that we are setting here within these clauses? Privacy and confidentiality, [inaudible] regulatory guidance that you might have as a company; the examples I've used are GLBA, HIPAA, PCI DSS, if you are in other industries you may have some that I am not aware of. A clause for incident response and data breach notification: so if there is a breach, when are they going to notify, who are they going to notify? Get that in the contract. Business continuity: you want to make sure that you are guaranteed an RTO and an RPO within the contract. A right to audit: you say you're going to do all these good things, I've gone through the due diligence, do I have the right to audit, are you going to give me that independent audit report, the penetration test results, or can I come do an on-site audit? And then the contract term and auto-renewal: make sure that you look at how far in advance do I need to terminate this contract, is it 90 days, does it auto-renew at 180 days, make sure that you have that on some type of tickler. And then contract exit: how do I get my data back, what are you going to do with that data in your systems? If you're replicating it to five different data centers, make sure you get a contract clause that says they will destroy that data after the contract is exited.

So the second part of the talk is going to use a methodology that's roughly based on the Carnegie Mellon OCTAVE Allegro information security risk assessment methodology. This is an asset-focused risk assessment and it's best conducted in a workshop style, so rather than having your security and risk management people sit in a room and try to figure out what the biggest threats are for the business, invite the lines of business, invite the relationship managers to sit in a workshop style to talk it out, to vet their ideas on what risk is. The actual OCTAVE Allegro is in four phases; I added the fifth phase in the presentation just to talk about how you use the results to drive your strategy discussions.

The first phase is you need to develop a risk measurement criteria. You might have an existing enterprise risk management program that is going to make that easy for you. Anybody in the audience have enterprise risk management, or an organization that already has a risk methodology, assessment scales developed? A little bit. So if you don't have one, some of the things to take into consideration is what are you going to use as that risk scale: traditionally low, moderate, high, a three-point scale. We chose to use a five-point scale going from very low to very high; you can name them however you want. So if you have a high likelihood and a high impact, that highest inherent risk score is going to be a 25. And then the control score: to come up with your residual risk ratings you're going to have to have some way to reduce the risk through these controls in your math. Within this specific risk assessment we chose to use two factors, the design and effectiveness, to come up with a 25-point scale that we then brought back to a five-point scale. I'll walk through that a little bit, it gets a little bit confusing, but information security is all about layers, so you're not going to have a single control that really mitigates all the risk. During your scenario analysis you need to look at the different layers of controls; you might have one control that's very effective, one that is not effective at all, but the aggregate layered controls should give you a better feeling in the end that I really know what my risk is, the residual risk to a specific scenario. So the high watermark here is a very well designed and highly effective control, being that 25.

So this is very small type; I kind of wanted to obfuscate some of the details here, trade secrets, I'd probably get fired. This is the impact and likelihood scales here, so come up with some numeric equivalents. In the examples of high here we have examples that are in different enterprise risk categories: so you might have a reputational impact, you might have a financial impact, you might have productivity or availability impact, and different descriptions of those in the different categories. And then your likelihood, from almost certain to rare, based on this is your scale, you know, a rare could be happens every ten years. There's really no actuarial tables that are going to tell you how to build an information security risk model, so a lot of this is subjective and needs to be tailored to your organization.

Once you have your risk measurement, you need to classify and categorize your assets. I've used the example here of a form that we have that goes through and lists the possible data elements within an application, database, data set, and then it applies some probability and then volumetric multipliers on here. So if I have a hundred and thirty thousand records, I've already said that's a hundred and fifty dollars per record, that's going to give me a high risk. What type of data is it, is it employee data, is it your employee data, is it a subset of the data that is your very high net worth customers? Those are all going to be multipliers to this formula. And then what's the access vector: is it internal, external, web-facing, does it move money? In our particular scenarios that really is weighted heavier than other systems. And then based on the answers to these you can assign attributes to that asset: is it GLBA, PCI, HIPAA, is it part of our SOX audit, is it in scope for any SOC 1s that we're doing? So that is how we manually, through an Excel process and an interview process, assign asset values.

The next phase in the OCTAVE model is to identify your threats, and we've taken this a little bit more granular than some people have and break it down into the threat actor, threat vector, motivation, and some discussions on the tools and tactics that might be used in these scenarios. The threat actors range from your cyber criminal to a malicious or a negligent insider, and we took the opportunity to expand on the accidental insider, somebody that's not doing things on purpose but they might have a pattern of behavior that leads from being an accidental to a negligent, and you're going to treat that negligent insider a little bit differently; there might be some type of penalty at a certain point that you have consequences, that could be up into, you know, termination from employment. Malicious insider, somebody that has one of these motivations on the right-hand side there: either I want financial gain, or I'm just disgruntled, I want revenge, I want to destroy things before I leave. State-sponsored hackers: some industries and verticals are much more targeted by state-sponsored actors, I know a lot of people here are from the energy sector and are well aware of those threats. Activists, somebody that just wants to make a statement. Recreational hackers, somebody that's looking for ego and notoriety, or plays out of curiosity or fun. And then what's that threat vector? We're trying to come up with a threat scenario so then we can go through in the next step and assign layered controls to each piece of this threat. So the threat vector: is it going to be delivered through email, a compromised website, a watering hole, is it going to be a direct attack on our company-facing websites, is this going to be an attack on a business partner in a hosted application, is it going to be a mobile device, is it going to come through removable media, somebody able to come through and put a USB device in a public area in your organization and somebody just out of curiosity is going to pick it up and plug it in, a vendor network, an unauthorized device, can somebody walk into one of your locations and plug in a device, you know, could be a little tiny Raspberry Pi or wireless Wi-Fi Pineapple, something that could be used then to pivot into a more elaborate attack just by putting an unauthorized device on your network?

So once you've identified, okay, these are my assets, this is my asset profile, these are the threats, let's go through and run through some scenarios on the most likely threats for each asset. You choose a threat scenario and then you identify what vulnerability is that threat taking advantage of: is it a people or a process vulnerability, is it a technical vulnerability, a configuration, a patching issue? And then we apply the controls: what controls do we have that are going to mitigate that specific threat? And if you really want to expand upon this, look at the controls from the kill chain or the security onion level: are my controls very close to the data, are they access controls right next to the data, are they boundary controls that would prevent the initial stages of an attack, are they virus filtering at the email level that's even going to prevent some weaponization through that kill chain? Once you've applied all these controls you can calculate a residual risk score, you can write your report, address any gaps and findings, and then you need to create a risk remediation or action plan to address the gaps. So the OCTAVE Allegro, that CERT methodology, if you register they will send you all the information on it. We've built some worksheets out of some of their examples, so these are Excel screenshots of the worksheets that we've used in our scenario analysis.

The first thing you want to do is, what is the information asset I'm trying to protect? In this example I used just an e-commerce website, so this is something publicly available; the threat actor is most likely going to come from outside the organization. We're going to run that scenario here. The area of concern that we're looking at is unauthorized internet intrusion due to application vulnerabilities. Cyber criminals are going to be the actor, the vector is going to be that company website, their motive is going to be financial gain, and the potential outcome to this is going to be many things: it can range from an interruption of service, denial of service, the modification of data, stealing data, destruction of data. And what's the probability that this is going to happen? Something you need to keep in mind when you are looking at inherent risk: the probability is without any controls, so you're creating an inherent risk number based on "I have no controls," and then you're going to eat away at that based on your controls. So the probability that somebody is going to try to hack and compromise a public website is almost certain. We know that once you put a node up on the internet it's going to be scanned within seconds, and it's going to be scanned continually by multiple threat actors and internal threat gathering sources. So this goes through the first part of the scenario. We've come up with our threat scenario here and what the potential impact could be, or the outcome. Here's where you sit down with the line of business and you say, what are the actual impacts going to be if this happens? What's the reputational risk going to be if our e-commerce site is hacked, we lose a lot of credit card numbers, it's unavailable for hours or days? Is this going to be in the news for a week, is it going to be in the national news, what's the reputational impact to our company? The financial risk: are we going to lose income because this asset is unavailable? Privacy risk: how many records could be breached through this activity? And legal and regulatory risk: are we going to get legal class-action lawsuits, is that a likely outcome to this? We've used a high watermark here, so if we have a five in any of the risk categories that is going to be our impact score. We saw in the section above that we have an almost certain probability of five and an impact of five, so we are at that very high portion of our inherent risk, out of twenty-five.

Then we go through and look at what are the different controls that we can have in place to protect that system data, in a separate worksheet. We've gone through a process to say, okay, the controls are effective to what level; again that was that design times effectiveness on a twenty-five point scale, and here we have subjectively chosen in our methodology that a good baseline is four layered controls, so a hundred is a very good score. If you have four layered controls at 25 each you're going to come up with a hundred. You're never going to have a net zero residual risk, there's always risk, but in the representation that's the best you can do. So if you would look at it in that security onion or kill chain: we've got boundary protections, we've got firewalls, we've got IDS, IPS; as you get closer to the data, or at the application level, we've got passwords that protect that application; we've got monitoring controls in place to identify any anomalies, the security information system, we're actually acting on those, we're not just logging, we have correlative events and we are creating incidents out of that; if we do find an incident how can we minimize the impact, okay, we've got network controls that would allow us to segment that system off so it cannot become a pivot point. And you can see in the scoring here, some of these are highly mature and effective and some of them are not highly effective, so we came up with a 92 here. So then here the risk score was the 25, the control effectiveness was a 5: we took that 92 out of a hundred and put it on a five-point scale, that was a 5, very effective. So in this scenario we have highly effective controls, high inherent risk, and in our process we divide that inherent risk by the control effectiveness, so we took the 25 divided by 5 and we have a residual risk score of 5. And if you look in the heat map here, this is not a linear distribution; we've altered the distribution of these across low, moderate, moderately high, moderately low and high to come up with what we feel is the best representation of risk for our organization. So we're at a 5, that comes in, you know, in that moderate range, moderately low. So even though we said we have a 25 and a 25, we've used the nonlinearity of this to say that it's going to be very difficult to eliminate all risk.

So really the last phase of this is, what do you do when you do find gaps, when you do find that you have certain scenarios where the same vulnerability is being used in each one of those vulnerabilities, whether it's social engineering where the employee is the weak factor? How do you address those gaps? Is it something that can be addressed through technology, how do you change your strategy, are you going to buy a new tool, are you going to educate your employees better, what is the most appropriate control to apply based on your risk assessment? You read in all the books about creating an information security program that it should be based on your risk assessment, and I think a lot of people skip over the risk assessment, not only in information security; in their business continuity they might not do a proper business impact analysis, and everybody thinks that their business process is more important, and you end up with a ton of high risk and a ton of highly available systems and you're spending a lot of money. So hopefully this approach will help you develop a better rationalization of how you're going to spend your money, how you're going to allocate your people, and how you can evolve your strategy ongoing. A risk assessment is not a single thing done at a single point in time; you should at least do them annually or when there are significant changes that occur. And then also, if you have a roadmap and a strategy, if you find that there are gaps, are they covered in your near term, is it on your one-year roadmap, your two-year roadmap, or is it something that I need to fit into a budget cycle? Where am I at in my budget cycle? Make sure that you try to time that risk assessment so you can get the results in time to get something into that next budget cycle. So if you need to have all your budget planning done by the end of, or the middle of, third quarter, don't do your risk assessment in the fourth quarter, because then you're going to go a whole budget cycle before you can pay for anything new.

I think I'm about out of time here and at the end of my presentation. First time going through this specific presentation, so I'm pretty happy on the timing. Opening up for questions, comments; if not, enjoy the rest of the afternoon. Thank you. [Applause]
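The scoring arithmetic the speaker walks through for the e-commerce scenario (five-point likelihood and impact with a high watermark, design times effectiveness per control layer on a 25-point scale, four layers as the 100-point baseline, the 0-100 control total brought back to a five-point rating, inherent risk divided by that rating, then a non-linear heat-map band), as an added Python example. This is editor-written code, not the speaker's worksheet and not the OCTAVE Allegro materials. Four things are assumptions the talk does not state and are chosen so the example lands on the talk's own numbers (92 out of 100 maps to a 5, 25 divided by 5 gives a residual of 5 in the "moderately low" band): the 20-point buckets for the control rating, the heat-map band boundaries, the rule that the control total is normalised against the layers assessed but never fewer than four, and the sample scores for each control layer.

```python
"""Residual-risk arithmetic from the talk's e-commerce scenario (added example).

Assumed, not stated on the page: the 20-point buckets that turn the 0-100
control total into a 1..5 rating, the heat-map band boundaries, the rule that
the control total is normalised against the layers assessed (never fewer than
four), and the sample scores for each control layer.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil

SCALE = 5                   # five-point scales: likelihood, impact, design, effectiveness
LAYER_MAX = SCALE * SCALE   # design x effectiveness tops out at 25 per control layer
MIN_LAYERS = 4              # talk: four layers at 25 each is the 100-point baseline


@dataclass(frozen=True)
class Control:
    name: str
    design: int         # CMMI-style maturity: 0 non-existent, 1 ad hoc ... 5 metrics-driven
    effectiveness: int  # 0..5, judged from the control's metrics / KRIs

    def score(self) -> int:
        """Design x effectiveness on the talk's 25-point control scale."""
        for value in (self.design, self.effectiveness):
            if not 0 <= value <= SCALE:
                raise ValueError(f"{self.name}: design/effectiveness must be 0..{SCALE}")
        return self.design * self.effectiveness


def inherent_risk(likelihood: int, impacts: dict[str, int]) -> int:
    """Likelihood x impact with no controls assumed; impact is the high watermark
    across the enterprise risk categories (reputational, financial, privacy, legal)."""
    if not 1 <= likelihood <= SCALE:
        raise ValueError("likelihood must be 1..5 (rare .. almost certain)")
    if not impacts or any(not 1 <= v <= SCALE for v in impacts.values()):
        raise ValueError("need at least one impact category rated 1..5")
    return likelihood * max(impacts.values())          # 1..25


def control_total(controls: list[Control]) -> int:
    """Aggregate the layers on a 0-100 scale.

    ASSUMPTION: denominator is 25 x (layers assessed) but never fewer than four
    layers, so a single strong control still scores only 25/100.
    """
    denominator = LAYER_MAX * max(MIN_LAYERS, len(controls))
    return round(100 * sum(c.score() for c in controls) / denominator)


def control_rating(total: int) -> int:
    """Bring the 0-100 total back to the five-point scale.

    ASSUMPTION: 20-point buckets (81-100 -> 5). The floor of 1 encodes the
    talk's point that residual risk never reaches zero: a rating of 1 leaves
    the inherent score untouched.
    """
    return max(1, min(SCALE, ceil(total / 20)))


def residual_risk(inherent: int, rating: int) -> int:
    """Talk's rule: inherent risk divided by the control effectiveness rating."""
    return ceil(inherent / rating)


# ASSUMPTION: non-linear heat-map bands over the 1..25 residual range; the talk
# names the bands but not their boundaries (a residual of 5 lands in "moderately low").
BANDS = [(2, "low"), (6, "moderately low"), (12, "moderate"),
         (18, "moderately high"), (25, "high")]


def band(residual: int) -> str:
    for upper, label in BANDS:
        if residual <= upper:
            return label
    raise ValueError(f"residual {residual} is outside the 1..25 range")


def assess(likelihood: int, impacts: dict[str, int], controls: list[Control]) -> dict:
    inherent = inherent_risk(likelihood, impacts)
    total = control_total(controls)
    rating = control_rating(total)
    residual = residual_risk(inherent, rating)
    return {"inherent": inherent, "control_total": total, "control_rating": rating,
            "residual": residual, "band": band(residual)}


# Constructed inputs for the talk's scenario: cyber criminal vs. public e-commerce
# site, almost certain (5) likelihood, a 5 in at least one impact category.
ECOMMERCE_IMPACTS = {"reputational": 5, "financial": 4, "privacy": 5, "legal": 4}
ECOMMERCE_CONTROLS = [          # layers from the boundary inward; scores are assumed
    Control("boundary firewall", 5, 5),
    Control("IDS/IPS", 5, 5),
    Control("application authentication", 4, 5),
    Control("SIEM correlation and incident creation", 5, 5),
    Control("network segmentation (no pivot)", 4, 5),
]   # 115 of 125 possible -> 92/100, the figure on the talk's worksheet


def ecommerce_scenario() -> dict:
    return assess(5, ECOMMERCE_IMPACTS, ECOMMERCE_CONTROLS)


if __name__ == "__main__":
    for key, value in ecommerce_scenario().items():
        print(f"{key:15} {value}")
```

The division step is what makes the model non-linear in the way the speaker describes: dropping the control rating from 5 to 4 raises the residual of a 25-point scenario from 5 to 7, while a single ad hoc control leaves the full 25 in place. Changing any of the assumed boundaries changes where a scenario lands, which is why the bucket and band tables sit at module level where a risk team can swap in its own.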