5/24/2018 Risk Presentation
1/49
Risk Assessment
By: Ashwin Vignesh
Madhu
Overview
Objective
Introduction
Risk
Risk Management Cycle
RA Methodologies
CRAMM
COBRA
RuSecure
British Standard
Hierarchical Criteria Model
Common Failures in RA
Elements of Good RA
OCTAVE
Characteristics
Process
Criteria
Examples
OCTAVE Methodology
Choosing Methodology
Our Methodology
Objective
Risk assessment process
Not unique to the IT environment
Provides the desired level of mission support within the available budget
Requires a well-structured risk management methodology
Introduction
The process of enumerating risks
Determining their classifications
Assigning probability and impact scores
Associating controls with each risk
Risk
Risk assessment measures
Magnitude of the potential loss, L
Probability p that the loss will occur
Risk R can be expressed as
R = L * p, or
Risk = Impact * Likelihood
Risk (Cont..)
R = PA * (1 - PE) * C
PA - the likelihood of adversary attack
PE - the security system effectiveness
(1 - PE) - the likelihood of adversary success
C - consequence of loss of the asset
High L with low p, and low L with high p
Given nearly equal priority by R = L * p, since the products are similar
Treated differently in practice
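The two formulas above as a worked example. This is added here and is not code from the slides; every figure, band boundary and countermeasure option in it is a constructed assumption. It shows why the two cases on the slide, a large L with a small p and a small L with a large p, come out equal under R = L * p yet are treated differently in practice: a qualitative 3x3 matrix scores them apart, and a single-loss tolerance check flags the catastrophic one regardless of p. The second half applies R = PA * (1 - PE) * C to rank candidate countermeasures by risk reduction per unit cost.

```python
"""Worked risk scoring for R = L * p and R = PA * (1 - PE) * C.

All figures are constructed for illustration; none come from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float         # L: magnitude of the potential loss (constructed units)
    probability: float  # p: probability the loss occurs in the assessment period


def expected_loss(risk: Risk) -> float:
    """R = L * p, i.e. Risk = Impact * Likelihood."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if risk.loss < 0.0:
        raise ValueError("loss must be non-negative")
    return risk.loss * risk.probability


# Assumed band boundaries for the example: (exclusive upper bound, band index 1..3).
IMPACT_BANDS = ((10_000.0, 1), (100_000.0, 2), (float("inf"), 3))
LIKELIHOOD_BANDS = ((0.1, 1), (0.5, 2), (float("inf"), 3))


def band(value: float, bands) -> int:
    """Map a value to the first band whose upper bound it lies below."""
    for upper, index in bands:
        if value < upper:
            return index
    raise ValueError(f"no band for {value}")


def qualitative_score(risk: Risk) -> int:
    """3x3 risk-matrix score: impact band times likelihood band (1..9).
    Ordinal, so two risks with identical expected loss can land in different cells."""
    return band(risk.loss, IMPACT_BANDS) * band(risk.probability, LIKELIHOOD_BANDS)


def exceeds_single_loss_tolerance(risk: Risk, max_tolerable_loss: float) -> bool:
    """Risk-appetite check that ignores p: a loss the organization could not
    absorb must be treated however unlikely it is."""
    return risk.loss > max_tolerable_loss


def rank(risks, key) -> list:
    """Names ordered from highest to lowest score; ties keep input order."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def adversary_risk(p_attack: float, p_effective: float, consequence: float) -> float:
    """R = PA * (1 - PE) * C, with (1 - PE) the adversary's chance of success."""
    for value in (p_attack, p_effective):
        if not 0.0 <= value <= 1.0:
            raise ValueError("PA and PE must lie in [0, 1]")
    return p_attack * (1.0 - p_effective) * consequence


@dataclass(frozen=True)
class Countermeasure:
    name: str
    new_effectiveness: float  # PE once the countermeasure is in place
    cost: float


def best_countermeasure(p_attack, p_effective, consequence, options):
    """Return (name, risk reduction per unit cost) of the most cost-effective option."""
    baseline = adversary_risk(p_attack, p_effective, consequence)
    best_name, best_ratio = None, float("-inf")
    for option in options:
        if option.new_effectiveness < p_effective:
            continue  # an option that lowers PE never reduces risk
        reduced = adversary_risk(p_attack, option.new_effectiveness, consequence)
        ratio = (baseline - reduced) / option.cost
        if ratio > best_ratio:
            best_name, best_ratio = option.name, ratio
    return best_name, best_ratio


# Constructed register: the first two risks have equal expected loss but opposite shape.
REGISTER = [
    Risk("data-centre fire", loss=500_000.0, probability=0.02),
    Risk("phishing credential theft", loss=20_000.0, probability=0.5),
    Risk("lost unencrypted laptop", loss=5_000.0, probability=0.3),
]

# Constructed options for the PA * (1 - PE) * C comparison (baseline PE = 0.6 below).
OPTIONS = [
    Countermeasure("guard patrol", new_effectiveness=0.70, cost=50_000.0),
    Countermeasure("intrusion detection", new_effectiveness=0.85, cost=100_000.0),
    Countermeasure("hardened perimeter", new_effectiveness=0.90, cost=400_000.0),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:26s} R={expected_loss(r):>8.0f} matrix={qualitative_score(r)} "
              f"intolerable={exceeds_single_loss_tolerance(r, 250_000.0)}")
    print("by expected loss:", rank(REGISTER, expected_loss))
    print("by matrix score: ", rank(REGISTER, qualitative_score))
    print("best countermeasure:", best_countermeasure(0.3, 0.6, 1_000_000.0, OPTIONS))
```

The expected-loss ranking leaves the fire and the phishing risk tied, which is the "nearly equal priority" the slide refers to; the matrix scores the phishing risk higher, and the tolerance check alone is what forces the fire onto the treatment list. Which of the three views an organization acts on is a policy choice, so a register should record all of them rather than only R.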
Risk Management Cycle
RA Methodologies
CCTA Risk Analysis and Management Method (CRAMM)
Consultative, Objective and Bi-functional Risk Analysis (COBRA)
RuSecure
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Failure Mode and Effects Analysis (FMEA)
British Standard (BS)
RA Methodologies (Cont..)
These methods support
Detecting critical places and parts in the organization
Detecting risk factors
Collecting data about risk factors
Evaluating and estimating risk
Generating a report of the risk management process
CRAMM
COBRA
Two modules
COBRA Risk Consultant
ISO Compliance Analyst
Supports the process of evaluating security risk
Evaluation steps
Building queries
Risk evaluation
Constructing reports
Contains a library of countermeasures
RuSecure
22/49
Overview
Objective
Introduction
Risk
Risk Management Cycle
RA Methodologies CRAMM
COBRA
RuSecure
British Standard
Hierarchical Criteria
Model
Common Failures in RA
Elements of Good RA
OCTAVE
Characteristics
Process
Criteria
Examples
OCTAVE Methodology Choosing Methodology
Our Methodology
5/24/2018 Risk Presentation
23/49
Bri tish Standard
Hierarchical Criteria Model
Common Failures in RA
Poor executive support
High cost of implementation
Untimely response
Insufficient accountability
Inability to qualitatively measure the control environment
Infrequent assessment
Inaccurate data
Elements of Good RA
Provides clear instructions
Simplifies user response
Identifies support contacts
Focuses on leaders as well as executors
Provides feedback to users and risk leaders
Has a broad scope
Identifies users for follow-up where necessary and applicable
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE)
Effective security risk evaluation
Considers both organizational and technological issues
Self-directed
Characteristics
Identify information-related assets
Focus risk analysis activities on critical assets
Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
Evaluate risks in an operational context - how the assets are used to conduct the organization's business
Create a protection strategy for risk mitigation
OCTAVE Process
Criteria
Principle - fundamental concepts driving the nature of the evaluation and defining the philosophy behind the evaluation process
Attribute - distinctive qualities, or characteristics, of the evaluation
Output - defines the outcomes that an analysis team must achieve during each phase
Examples
OCTAVE Method Process
Phase 1: Build Asset-Based Threat Profiles
Process 1: Identify Senior Management
Knowledge
Process 2: Identify Operational Area Knowledge
Process 3: Identify Staff Knowledge
Process 4: Create Threat Profiles
OCTAVE Method Process (Cont..)
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify Key Components
Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
Process 7: Conduct Risk Analysis - an organizational set of impact evaluation criteria is defined to establish the impact value of each risk
Process 8: Develop Protection Strategy - the team develops an organization-wide protection strategy to improve the organization's security practices
Choosing Methods
Depending on organization size
Depending on organization hierarchical structure
Structured or Open-Ended Method
Analysis team composition
IT resources
Our Methodology
Policies and procedures
Requirement analysis
Network Topology
Categorizing the network
Scanning based on categorization
Analysis of vulnerabilities
Use different scanning tools
Penetration testing
Risk strategy
Mitigation of risk
Thank You