
Business survival within the cyber chain: forward-looking risk management needed

File: PaansR Voorwaartse risk management © 2012, version 1.0. Mail: ronald.paans@noordbeek.com

Ronald Paans, Vrije Universiteit Amsterdam, 9 October 2012


Agenda

RISK MANAGEMENT
• Methods for IT
• Specific threats
• Research at Vrije Universiteit Amsterdam

Parts of this research were a joint operation with European companies such as CapGemini, and some ideas have been stimulated by our colleague Marco van der Vet.

Research for Risk Management


Introduction: Pyramid of IT

[Figure: Pyramid of IT. Layers from top to bottom: Web, Application software, Middleware / Connectivity, DATA, Infrastructure (Cloud), Housing, with Office Automation alongside. External Threats (web incidents, fraud, abuse; OWASP) act on one side, Internal Threats (obstruction, error, fraud, abuse, incidents) on the other; Vulnerabilities and Weaknesses sit at the base. OWASP = Open Web Application Security Project]

Pyramid of IT
• Web access, business logic and business rules, interactive and batch applications
• Connections to own applications and external parties
• Database management systems, query systems
• !!! DATA !!! = information
• Infrastructure: servers and networks, virtualization
• Housing: computer room or data center


We are overwhelmed by new security concerns

Security has moved from an IT issue to an ongoing business concern.

DIGINOTAR: Compromising trusted SSL certificates. SSL certificates used for social media and websites of the Dutch government. The hacker caused chaos.

WIKILEAKS: Abuse of key sensitive information. Unauthorized release of military and diplomatic notes and reports. Damage to worldwide foreign relations.

WIKILEAKS: Denied hosting by providers. Amazon terminated the hosting contract. Other providers rejected a request for hosting → no business anymore.

STUXNET: Causing damage to process controllers refining uranium.

DUQU: Stealing information. The development of Duqu took tens of millions of dollars. It is assumed that three countries participated. In contrast to Stuxnet, which attempts to damage nuclear equipment, Duqu focuses on stealing information.

FLAME

DORIFEL

OV-CHIPKAART: Payment card for public transportation hacked.

COMODO: Hackers issued fraudulent SSL certificates. Comodo's Registration Authority was compromised, allowing several bogus SSL certificates to be issued.

Etc.


Attacks from everywhere: each threat uses multiple points of attack

[Figure: the IT pyramid (Web, Application software, Middleware, Data (multi-value), Cloud (Infrastructure), Housing, Office Automation) surrounded by People, with the incidents mapped onto the layers they attacked: DigiNotar, Stuxnet, WikiLeaks, Comodo, Duqu, OV-chipkaart, hosting denied, etc. Next attack?]


Specific situation of your organization ???

[Figure: the IT pyramid (Web, Application software, Middleware, Data, Infrastructure, Housing, Office Automation) between External Threats (web incidents, fraud, abuse; OWASP) and Internal Threats (obstruction, error, fraud, abuse), with Vulnerabilities and Weaknesses at the base. OWASP = Open Web Application Security Project]

Aspects (external threats)
• Changes in mission
• Changes in organisation
• Changes in market
• Changes in legislation
• Etc.

Aspects (internal threats)
• Possible demotivation
• Moving activities offshore
• Too many projects
• Errors, sloppiness
• Fraud and intentional abuse
• Etc.

Aspects
1. Governance is not effective
2. No central knowledge base on present and future threats
3. Business lacks consistency and focus on customer security
4. Designing new e-services in a threatening e-world
5. Value of information and service delivery increases rapidly
6. No vulnerability check on new projects
7. No secure software development: no training, no awareness campaigns
8. Testing is incomplete
9. No maturity model for software and data security
10. Insufficient monitoring of people and actual security threats


And now we move it into the cloud

[Figure: the same pyramid as on the previous slide, with each layer (Web, Application software, Middleware, Data, Infrastructure, Housing) now shown twice: once in-house and once at the cloud provider. The External Threats, Internal Threats and the three Aspects lists are unchanged from the previous slide.]


Security

[Figure: the pyramid (Web, Application software, Middleware, Data, Infrastructure, Housing, Office Automation) placed in the cloud]

Is the cloud itself secure? NO !


Risk considerations

ENISA: the main (high) risks that have been identified are
• Lock-in
• Loss of governance
• Compliance challenges, lack of audit and assurance
• Isolation failure
• Cloud provider malicious insider: high-privilege access abuse
• Subpoena and e-discovery
• Changes of jurisdiction (location of data)
• Data protection
• Network management

http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework


The Risk Carousel

[Figure: the Risk Carousel. Around the ring: Identify, Collect, Combine, Analyze, Assess, Judge, Conclude, Mitigate, Improve. Input: threats from the e-world, threats to IT, vulnerabilities, people in IT, customers, users. Centre: BUSINESS, with Governance, Work process, Technology and People. Time axis: PAST (risk assessment, structured incidents), PRESENT (continuous risk monitoring), FUTURE (intelligence). Output: RISKS, compared as SOLL (target) versus IST (actual) with the GAP in between.]


Example: low probability, catastrophic impact

EXAMPLE: Threat to continuity
• 26 December 2004: Sumatra-Andaman tsunami in Indonesia, Thailand, etc. Economic damage; data centers and IT organizations disappeared; still a lack of production capacity for IT hardware.
• 11 March 2011: Tohoku-Oki earthquake and mega-tsunami in Japan, resulting in the Fukushima meltdown. Severe damage to the Japanese economy, with impact on many Western business processes (cars, chips, disks, etc.).
• Frequency of a mega-tsunami on the Plain of Sendai is approximately 1×10^-3 per year, i.e. roughly once per 900 to 1,100 years (the four known events are spaced 870 to 1,140 years apart):
  - 1000-500 BC, based on analysing sediment layers in the ground (estimated 900 BC)
  - 1 AD, ditto
  - 9 July 869: the Jogan earthquake and tsunami are well documented and marked
  - Fukushima: first nuclear production 26 March 1971; tsunami risk studied in 2006/2007
  - 2011 Tohoku-Oki (1), almost identical to 900 BC, 1 AD and 869 AD → meltdown

General question about such risks with low probability and catastrophic impact
• When was the last volcanic outburst in the Netherlands?
• When was the last tsunami in the Netherlands?
• What was the damage?
• When can we expect the "next one"?

(1) NASA, Wikipedia 2007: the probability of a Sendai earthquake with a magnitude of Mw 8.1–8.3 was estimated as 99% within the 30 years following 2007.


Zuidwal volcano

Volcano in the Netherlands
• Revealed during investigation for gas drilling
• (Very) active 160 to 148 million years ago (Jurassic)
• 1 km high, situated 2 km under the island of Griend
• Is still 30 °C hotter than its surroundings
• See: Wikipedia and the VPRO site

The walled town Stedeke Grint, with a church and monastery, disappeared in the Saint Lucia's flood of 1287.


TSUNAMI

Example: Doggerland, Storegga tsunami

Last tsunami in the Netherlands
• Second Storegga slide
• Waves up to 25 meters on the Shetland Islands
• Dated 6,000-6,200 BC
• Estimate: October 6,125 BC
• The centre of (our) neolithic civilization was Doggerland
• This centre was destroyed
• Thereafter no trace of our ancestors for centuries
• Division between the cultures of England and the continent

[Figure: map of Doggerland]

Source: 'Tsunami sedimentary facies deposited by the Storegga tsunami in shallow marine basins and coastal lakes, western Norway', Stein Bondevik, in Sedimentology 1997

The next one? Storegga is now stable. An exploding volcano in Iceland? A meteorite in the North Sea? Our location is dangerous.


EMC-sponsored European Disaster Recovery Survey 2011, "Data Today Gone Tomorrow: How Well Companies Are Poised For IT Recovery"

AutomatiseringsGids: The Netherlands
• Number 12 in the worldwide Risk Top 15
• Number 2 as risky Western country
• Major risk: flooding
• ((( In my personal opinion, the picture is biased )))

EMC VansonBourne report, 23 November 2011. Paper in AutomatiseringsGids, 7 December 2011.


NOT very confident

EMC: organizations are NOT very confident that they can recover

[Figure: survey chart from the EMC report]


ISO IT security

[Figure: overview of ISO standards related to information security]


ISO 27001 process

[Figure: the ISO 27001 process, with ISO 27002, SAS 70 and ISAE 3402 shown as related standards; caption fragments: "a practical approach", "In fact, necessary", "good citizenship"]


Method for risk analysis

Literature (Wikipedia)

METHOD FOR RISK MANAGEMENT
The conventional standard methods consist of the following elements, performed, more or less, in the following order:
• Identify, characterize, and assess threats
• Assess the vulnerability of critical assets to specific threats
• Determine the risk, i.e. the expected consequences of specific types of attacks on specific assets
• Identify ways to reduce those risks
• Prioritize risk reduction measures based on a cost-effective strategy

Keywords
• Threat
• Weakness
• Risk = Σ (i = 1..N) Likelihood_i × Impact_i
• Risk mitigation
• Priorities

Determining the probability and the impact is a real challenge.


USA IT risk analysis: NIST 800-30

Step 1. System Characterization: scope, highest value (network, application, operating system, information, software)
Step 2. Threat Identification → relevant threats
Step 3. Vulnerability Identification → relevant vulnerabilities
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis (loss of CIAA)
Step 7. Risk Determination: Risk = Σ (i = 1..N) Likelihood_i × Impact_i → expected damage: net risk
Step 8. Control Recommendations → additional controls
Step 9. Results Documentation → residual risks

C = Confidentiality, I = Integrity, A = Availability, A = Auditability


Opinion: risk management

OPINION
All methods for risk analysis use almost the same approach: "View the past, and you may expect it to continue in the future."

However:
• Today threats develop fast, much faster than a few years ago (more advanced hacking technologies: Stuxnet, Duqu, OV-chipcard, etc.)
• Organized crime and some governments are becoming more active because of the gains (botnets, denial of service, cyber attacks, etc.)
• Errors in risk analysis due to an incorrect scope, time frame, etc. (Fukushima: using selected earthquakes and ignoring the Plain of Sendai)
• Calculating "likelihood" × "impact":
  - Historical values are often not available ("likelihood" is unknown)
  - Impact depends on the severity of the incident ("impact" is unknown)
• Benefits cannot be quantified, complicating the decision process on mitigating controls

"We must also view present risks and the risks of tomorrow."
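The Σ Likelihood_i × Impact_i of the NIST 800-30 slide, with the two objections of the opinion slide carried into the arithmetic, as an added Python example that is not part of the original deck: a likelihood without a history is carried as an interval rather than a point value, and a rare catastrophic event (the slides' roughly 10^-3 per year Sendai mega-tsunami frequency) is also expressed as the probability of at least one occurrence within a planning horizon and checked against what the business can survive. The risk register, the euro figures, the 30-year horizon and the survivable-loss threshold are constructed assumptions.

```python
"""
Risk determination in the style of NIST SP 800-30 step 7
(Risk = sum over i of Likelihood_i x Impact_i), extended with the two
gaps the slides point at: likelihoods without a history are carried as an
interval instead of a point value, and a rare catastrophic event is also
expressed as the probability of occurring at least once in a planning
horizon, which the annualised product alone hides.

The register below is constructed for illustration (assumption); the only
figure taken from the slides is the ~1e-3 per year mega-tsunami frequency.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import exp, isclose


@dataclass(frozen=True)
class Risk:
    name: str
    impact_eur: float   # loss in euro if the event occurs once (Impact_i)
    rate_low: float     # lower bound on events per year (Likelihood_i)
    rate_high: float    # upper bound; equal to rate_low when history exists

    @property
    def likelihood_known(self) -> bool:
        return isclose(self.rate_low, self.rate_high)


def annual_loss_expectancy(r: Risk) -> tuple[float, float]:
    """Likelihood_i x Impact_i as an interval [low, high] in euro per year."""
    return r.rate_low * r.impact_eur, r.rate_high * r.impact_eur


def total_risk(register: list[Risk]) -> tuple[float, float]:
    """Sum over i of Likelihood_i x Impact_i, again as an interval."""
    lows, highs = zip(*(annual_loss_expectancy(r) for r in register))
    return sum(lows), sum(highs)


def prob_at_least_one(rate_per_year: float, horizon_years: float) -> float:
    """P(one or more events within the horizon) = 1 - exp(-rate * horizon).

    Assumes events arrive as a Poisson process with the given mean rate; a
    sediment record gives such a long-run rate, not a likelihood for next year.
    """
    return 1.0 - exp(-rate_per_year * horizon_years)


def rank_by_worst_case_ale(register: list[Risk]) -> list[str]:
    """Conventional ordering: highest upper-bound ALE first."""
    return [r.name for r in sorted(register,
                                   key=lambda r: annual_loss_expectancy(r)[1],
                                   reverse=True)]


def survival_threats(register: list[Risk], survivable_loss_eur: float) -> list[str]:
    """Risks whose single-event impact exceeds what the business can absorb.

    These must be handled regardless of their (small) ALE: an expected annual
    loss of 50 000 euro says nothing about surviving a 50 million euro loss
    in the one year it actually happens.
    """
    return [r.name for r in register if r.impact_eur > survivable_loss_eur]


# Constructed register (assumption, illustration only).
REGISTER = [
    Risk("Web application compromise", impact_eur=500_000,
         rate_low=0.5, rate_high=0.5),           # known from incident history
    Risk("Cloud provider malicious insider", impact_eur=2_000_000,
         rate_low=0.01, rate_high=0.1),          # no history: interval only
    Risk("Mega-tsunami destroys data center", impact_eur=50_000_000,
         rate_low=1e-3, rate_high=1e-3),         # ~1e-3/yr from sediment record
]


def report(register: list[Risk], horizon_years: float, survivable_loss_eur: float) -> str:
    """Human-readable register: ALE interval, horizon probability, survival flag."""
    lines = []
    for r in register:
        lo, hi = annual_loss_expectancy(r)
        p = prob_at_least_one(r.rate_high, horizon_years)
        flag = "" if r.likelihood_known else " (likelihood unknown: interval)"
        lines.append(f"{r.name:38s} ALE {lo:>12,.0f} .. {hi:>12,.0f} EUR/yr"
                     f"  P(>=1 in {horizon_years:.0f} y) = {p:5.1%}{flag}")
    lo, hi = total_risk(register)
    lines.append(f"{'Total':38s} ALE {lo:>12,.0f} .. {hi:>12,.0f} EUR/yr")
    lines.append("Ranked by worst-case ALE: " + ", ".join(rank_by_worst_case_ale(register)))
    lines.append("Exceeds survivable loss:  " + ", ".join(survival_threats(register, survivable_loss_eur)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER, horizon_years=30, survivable_loss_eur=10_000_000))
```

Run stand-alone it prints the register. The point to notice is that the conventional ranking by worst-case ALE puts the data-center loss last, at 50 000 euro per year, while over a 30-year horizon it has roughly a 3% chance of occurring and a single occurrence exceeds the survivable loss; the interval on the insider risk makes visible that its rank depends entirely on a likelihood nobody has measured.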


COSO mapping

[Figure: the COSO model (risk assessment: risks in the past) mapped against the information security architecture (Governance, Work process, Technology) and its two forward-looking elements, Continuous Risk Monitoring (present risks) and Intelligence (future risks). Open questions on the slide: "No people in COSO?" and "COSO is not looking forward?"]

COSO looks at TODAY. Your security architecture should view TOMORROW.


The Risk Carousel

[Figure: the Risk Carousel, repeated from earlier in the deck: Identify, Collect, Combine, Analyze, Assess, Judge, Conclude, Mitigate, Improve around BUSINESS (Governance, Work process, Technology, People); PAST (risk assessment, structured incidents), PRESENT (continuous risk monitoring), FUTURE (intelligence); SOLL versus IST with the GAP.]


Centre for Information Security and Privacy Protection

The Steering Group Compact Central Government (Stuurgroep Compacte Rijksdienst) is setting up centres of expertise in which government institutions join forces. One of these is the Centre for Information Security & Privacy (CIP).

CIP was founded at the beginning of 2012 with the objective:
• To support Participants in getting and keeping their information provision secure, such that Participants can trust each other regarding the integrity and availability of the data flows between them, and citizens can trust the integrity, availability and confidentiality of the data and services they obtain from the Participants through the channels offered.

The Centre offers knowledge, makes knowledge accessible and delivers concrete services to the Participants. The Centre uses a number of Knowledge Partners inside and outside government.

For future threats, work is under way on scenario thinking, drawing up playbooks and building a robust e-government.


http://www.crow.nl/Downloads/Congressen/Congres%20Risicomanagement%202012/Voorwaartse%20risk%20management%202012.ppt
