Risk Analysis for Dummies (The Next H.O.P.E.)
Uploaded by foghorn. Added: July 19, 2010. Views: 673. License: Some Rights Reserved.

Presentation Transcript

Risk Analysis for Dummies
Presented by Nick Leghorn

Credentials
- B.S., Security and Risk Analysis, The Pennsylvania State University
- Risk Analyst for a government contractor
- NSA Certified INFOSEC Professional
- Speaker at The Last HOPE: “The NYC Taxi System: Privacy Vs. Utility”

This talk is for…
- IT professionals
- Penetration testers
- Network security folk
- Anyone who needs to explain “risk”

WARNING
The risk analysis process depends on the imagination, creativity and integrity of the individuals doing the analysis. The mere application of these techniques without appropriately talented staff does not ensure a proper and thorough risk analysis product.

NOTICE
The data, charts and information contained within this presentation are completely notional and do not represent any real data. No sensitive or otherwise classified information is contained within this presentation. FBI, please don’t arrest me.

The Story of Nate and Cliff

What is “Risk”?
Seriously. There are microphones, use them!
What is “Risk”?
- Any uncertainty about the future
- Technically can be both positive and negative
- Security questions focus only on negative outcomes

The Six Questions of Risk Management
Risk assessment:
- What can happen?
- How likely is it to happen?
- What are the consequences if it happens?
Risk management:
- What can be done?
- What are the benefits, costs and risks of each option?
- What are the impacts of each option on future options?

The Risk Equation
Risk is the combination of:
- the probability of an event
- the probability of an outcome given that event
- the value of that event and outcome pair
for every event and outcome.

Scope
Scope is the set of {protector, threat, asset}.

Scope
- Asset: something which provides a benefit to the possessor; something which the protector is charged with safekeeping
- Protector: the entity charged with safekeeping of the asset; an entity where the loss of the asset would be harmful
- Threat: an entity with the desire to deny the asset to the protector; a force which could destroy, disrupt, or otherwise harm the asset

For Nate and Cliff…
- Protector: Nate and the NOC
- Threat: “Hackers”
- Asset: Company information

Back to the equation…
Probability?

Calculating probability
“Of all the things that can happen, how likely is each one?”
- Universe as a box…
- The size of each “box” is the probability
- Strive for MECE (mutually exclusive, collectively exhaustive)
- Coin flip: Heads; Tails; Coin rolls away and is lost

Slide 18: “You must not say ‘never.’ That is a lazy slurring-over of the facts. Actually, [risk analysis] predicts only probabilities. A particular event may be infinitesimally probable, but the probability is always greater than zero.” Second Foundation (Isaac Asimov)

Calculating probability
- Past data: events of concern / total events, e.g. 3 successful attacks / 30,000 attempts = 0.0001 probability
- “Binning your gut”: Low, Medium, High

Remember:
Probability must be calculated for BOTH:
- the probability of an event
- the probability of an outcome GIVEN that the event has taken place

Why does “valuation” matter?
- Some events are more concerning than others (death in a car accident vs. death in a plane crash)
- The value of the (e, o) pair can be monetary, time based, goodwill based, whatever is of most concern

The process
(diagram)

Method 1: The Simple Chart
THIS IS NOT A “RISK MATRIX”!

Method 2: The Probabilistic Chart
(Probability of event) * (Probability of outcome given event)

Method 3: Annualized Loss Expectancy
(Probability from last page) * (Loss from event)

Shortcuts and Methodologies

How to use a “Factor Based Model”
“Factor Based Models” provide a formula for quick and easy assessment of a range of items and rank ordering of them.
WARNING: This system only provides a RELATIVE ranking of the items listed.
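The risk equation and Methods 2 and 3 above, worked through in code. This is an added example, not from the slides: the 3 / 30,000 figure and the Andrews Co. and TNH Inc. loss figures are the slides' own notional values, while the event name, the outcome probabilities and the "caught and contained" loss are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

def probability_from_past_data(events_of_concern: int, total_events: int) -> float:
    """Slide estimate: events of concern / total events (3 / 30,000 = 0.0001)."""
    if total_events <= 0 or not 0 <= events_of_concern <= total_events:
        raise ValueError("events of concern must lie within a positive total")
    return events_of_concern / total_events

@dataclass(frozen=True)
class Outcome:
    name: str
    p_given_event: float  # P(outcome | event)
    loss: float           # value of the (event, outcome) pair, in dollars here

@dataclass(frozen=True)
class Event:
    name: str
    p_event: float  # P(event) over the period the loss expectancy covers
    outcomes: tuple[Outcome, ...]

    def check_mece(self, tol: float = 1e-9) -> None:
        """The outcomes of one event must be MECE: their probabilities sum to 1."""
        total = sum(o.p_given_event for o in self.outcomes)
        if abs(total - 1.0) > tol:
            raise ValueError(f"{self.name}: outcome probabilities sum to {total}")

def pair_risk(event: Event, outcome: Outcome) -> float:
    """Method 2's probability, P(e) * P(o | e), times the loss for the pair (Method 3)."""
    return event.p_event * outcome.p_given_event * outcome.loss

def pair_risks(event: Event) -> dict[str, float]:
    """One row per (event, outcome) pair: the data behind the probabilistic chart."""
    event.check_mece()
    return {o.name: pair_risk(event, o) for o in event.outcomes}

def annualized_loss_expectancy(events: list[Event]) -> float:
    """The risk equation: sum the pair risks over every event and outcome."""
    return sum(sum(pair_risks(e).values()) for e in events)

# Constructed scenario in Nate's scope (protector: the NOC, threat: "hackers",
# asset: company information). Losses reuse the notional Andrews Co. and TNH Inc.
# figures from the slides; the outcome probabilities are made up for illustration.
SUCCESSFUL_ATTACK = Event(
    name="successful attack on the corporate network",
    p_event=probability_from_past_data(3, 30_000),  # the slide's 0.0001
    outcomes=(
        Outcome("customer data leaked", 0.7, 2_400_000 + 10_000_000),        # Andrews Co.
        Outcome("lengthy denial of service", 0.2, 30_000_000 + 12_000_000),  # TNH Inc.
        Outcome("caught and contained", 0.1, 50_000),                        # constructed
    ),
)

if __name__ == "__main__":
    for name, risk in pair_risks(SUCCESSFUL_ATTACK).items():
        print(f"{name:44s} ${risk:12,.2f}")
    print(f"loss expectancy: ${annualized_loss_expectancy([SUCCESSFUL_ATTACK]):,.2f}")
```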
How to use a “Factor Based Model”
- Assign a range of numbers to each factor
  - Try to use even ranges of numbers (1-4)
  - Ensure that the higher the number, the more it points towards whatever the issue at hand is
- Evaluate each factor using that range
- Add up the combined score

CARVER: Target Selection
Criticality, Accessibility, Recoverability, Vulnerability, Effect, Recognizability

CARVER Analysis: The Next HOPE
- Scale: 1-6 (6 = contributes highly to attack success probability; 1 = does not contribute to attack success probability)
- P: HOPE staff | A: Enjoyment of attendees | T: Rogue attendee

EVIL DONE: Target Selection
Exposed, Vital, Iconic, Legitimate, Destructible, Occupied, Near, Easy

DSHARPP: Target Selection
Demography, Symbology, History, Accessibility, Recuperability, Population, Proximity

CRAVED: Attractiveness of Assets
Concealable, Removable, Available, Valuable, Enjoyable, Disposable

MURDEROUS: Weapon Selection
Multipurpose, Undetectable, Removable, Destructive, Enjoyable, Reliable, Obtainable, Uncomplicated, Safe

ESEER: Facilitation of crime
Easy, Safe, Excusable, Enticing, Rewarding

HOPE: Ease of social engineering
Hour of the day, Oversight by manager, Pressure, Encouragement

Scales

Scales are IMPORTANT
Let’s assume an FBM of A+B+C+D:
- A: 1-4 Vulnerability
- B: $ of damages
- C: Time to return to operation (seconds)
- D: Lives lost
For: Ships? Buildings? Troops?
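The factor-based model recipe and the “Scales are IMPORTANT” warning above, as an added example that is not part of the slides. It scores two constructed conference assets with the 1-6 CARVER scale, then applies the A+B+C+D model to a ship and a building twice: summed raw, where the dollar and second counts swamp the other factors, and after binning B, C and D onto A's 1-4 ordinal scale. Every asset name, score and bin cut point is constructed.

```python
from __future__ import annotations
from bisect import bisect_right

def fbm_score(factors: dict[str, int], lo: int = 1, hi: int = 4) -> int:
    """Add up the factor scores, refusing any score outside the shared lo..hi range."""
    for name, score in factors.items():
        if not lo <= score <= hi:
            raise ValueError(f"{name}={score} is outside the {lo}-{hi} range")
    return sum(factors.values())

def fbm_rank(items: dict[str, dict[str, int]], lo: int = 1, hi: int = 4) -> list[tuple[str, int]]:
    """Rank-order items by FBM score, highest first. Only the ORDER is meaningful."""
    scored = [(name, fbm_score(factors, lo, hi)) for name, factors in items.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

CARVER = ("Criticality", "Accessibility", "Recoverability",
          "Vulnerability", "Effect", "Recognizability")

# Constructed CARVER scores on the slide's 1-6 scale (6 = contributes highly to attack
# success) for two conference assets the HOPE staff are protecting.
conference_assets = {
    "registration desk": dict(zip(CARVER, (5, 6, 2, 4, 5, 6))),
    "speaker A/V rig": dict(zip(CARVER, (4, 3, 3, 5, 4, 2))),
}

def bin_to_scale(value: float, breakpoints: list[float]) -> int:
    """Bin a natural-scale value (dollars, seconds, lives) onto 1..len(breakpoints)+1."""
    return bisect_right(breakpoints, value) + 1

# Constructed cut points: three per factor turn each natural scale into a 1-4 ordinal one.
BINS = {
    "B: $ of damages": [100_000, 1_000_000, 10_000_000],
    "C: seconds to return to operation": [3_600, 86_400, 604_800],
    "D: lives lost": [1, 5, 20],
}

# Constructed raw factors for the slide's A+B+C+D model applied to a ship and a building.
raw_items = {
    "ship": {"A: vulnerability": 2, "B: $ of damages": 5_000_000,
             "C: seconds to return to operation": 2_592_000, "D: lives lost": 0},
    "building": {"A: vulnerability": 4, "B: $ of damages": 200_000,
                 "C: seconds to return to operation": 3_600, "D: lives lost": 10},
}

def naive_rank(items: dict[str, dict[str, float]]) -> list[tuple[str, float]]:
    """The slide's A+B+C+D summed as-is: dollars and seconds swamp vulnerability and lives."""
    return sorted(((n, sum(f.values())) for n, f in items.items()),
                  key=lambda pair: pair[1], reverse=True)

def binned_rank(items: dict[str, dict[str, float]]) -> list[tuple[str, int]]:
    """Same model after binning B, C and D onto A's 1-4 scale, so every factor weighs alike."""
    binned = {n: {k: bin_to_scale(v, BINS[k]) if k in BINS else v for k, v in f.items()}
              for n, f in items.items()}
    return fbm_rank(binned)

if __name__ == "__main__":
    print("CARVER (1-6):", fbm_rank(conference_assets, 1, 6))
    print("raw A+B+C+D: ", naive_rank(raw_items))
    print("binned 1-4:  ", binned_rank(raw_items))
```

The raw sum puts the ship far ahead purely on seconds of downtime and dollars, while the binned model ranks the building first because its lives-lost and vulnerability scores now count as much as the other two factors.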
Types of scales
- Nominal: binning, no order (apples, pears, oranges)
- Ordinal: hierarchical, no calculations (high, medium, low)
- Interval: hierarchy and calculations (1, 2, 4, 8, 16)
- Natural: interval with countable items (deaths, $, time)

Let’s bring this all together
Nate’s presentation

Risk Analysis of Corporate Systems
Presented by Nate

Problem at Issue
- Attackers are attempting to penetrate our network to steal, destroy or alter corporate data
- NOC has been tasked with securing against these attacks

Attacks over the last 3 years
(chart)

Effects of attacks on other companies
- Andrews Co.: victim of a penetration, customer data leaked
  - Loss of revenue from loss of goodwill: $2.4M
  - Revenue dedicated to fixing systems: $10M
- TNH Inc.: victim of a lengthy Denial of Service attack
  - Loss of revenue from inability to do business: $30M
  - Revenue dedicated to upgrading systems: $12M

Recommendations
- Implement an IDS: detects attacks; $10,000 to install, $1,000/year in upkeep
- Tighten firewall: stops intruders; $5,000 to install, $500/year in upkeep
- Install WEP at POS facilities: tightens security; $10 in equipment & $5 in labor per facility, ($10+$5)*50,000 = $750,000, no upkeep costs

Cost benefit analysis
As we can see by the above numbers, by spending 766,500 this year we can mitigate the possible effects of an attack which (on average) will cost $15M. Thus, the loss will be approx. $14,233,500 less than without the recommended upgrades.

Annualized Loss Expectancy
(chart)

The End
(Of the presentation within a presentation)

Remember these?
Risk assessment:
- What can happen?
- How likely is it to happen?
- What are the consequences if it happens?
Risk management:
- What can be done?
- What are the benefits, costs and risks of each option?
- What are the impacts of each option on future options?

Things to remember…
- Use common sense! If something looks wrong, it usually is
- Scope the question: don’t bite off more than you can chew
- Use proper scales
- Remember the 6 questions of risk
- FBMs are quick and easy, but be careful!
- Check your work! Academic integrity BEFORE making managers happy

Questions?
Full presentation (including slides, resources, audio & video): Blog.NickLeghorn.com

Slide 61: “You must not say ‘never.’ That is a lazy slurring-over of the facts. Actually, [risk analysis] predicts only probabilities. A particular event may be infinitesimally probable, but the probability is always greater than zero.” Second Foundation (Isaac Asimov)