6 - 1
Information Risk Management - SANS
©2001
1
Risk Management
The Big Picture – Part VI
Risk Assessment and Auditing
Now that we know the tools and the primary concepts, this part of the course is designed to help you
pull everything together. This section is especially important if you need to present security
proposals to management. Your next slide, titled Risk Management – Where do I Start presents the
roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer
idea of how to analyze risks and establish a security infrastructure at this point. Let’s go take a look
at the roadmap!
6 - 2
Risk Management: The Big Picture - SANS
©2001
Risk Management – Where do I Start?
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
This slide is the result of a long international flight. Several top experts in information security were
on the plane and this is the roadmap they developed. So far in the entire course, we haven’t read a
slide to you so please relax and listen:
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority
countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
Students that complete Security Essentials certification are well on their way to accomplishing each
of these tasks: you will learn how to write policy and about the tools you can use for controls and tests.
As we enter this last section, we are going to change our approach. So far in the courseware you
have seen a lot of tools; now let’s work to bring these tools into a framework for risk management.
6 - 3
The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)
It is critical to have an understanding of risk management to properly choose and deploy intrusion
detection and response assets. To manage risk, one must be able to assess it. In this section of the
course we will cover the basic theory of risk assessment. We will also talk about three methods of
risk assessment: Qualitative, quantitative, and knowledge-based (also known as best practices).
Whether or not we choose explicitly, we have exactly three options, and we always do choose one of
them: acceptance, mitigation, or transference.
When we accept the risk, this means we make no changes in policy or process. This decision means
that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have
the option of taking action to protect operations by reducing the risk. A firewall or a system patch is
an obvious example of risk mitigation.
Transferring the risk is sometimes a workable technique. The classic example is to buy insurance.
This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a
fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real
world example of this is hacker insurance. The insurance company still expects you to have a
firewall and patches, but insures you should these fail.
6 - 4
Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact of threat)
• How often could it happen? (frequency of threat - annualized)
• How reliable are the answers to the above three questions? (recognition of uncertainty)
In order to decide which of the choices (accept, mitigate, or transfer the risk) we want to make, we
analyze the risk to understand it better.
What exactly are we afraid of? What is it - can we name it specifically or is it just a vague, uneasy
feeling?
If the threat is successful, how bad will it hurt? What is the probable extent of the damage?
How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi,
Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often.
But, if something can damage us on a daily basis, this is a significant problem.
Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new
program or operating system vulnerabilities are discovered weekly?
6 - 5
Risk Requires Uncertainty
If you have reason to believe there is no uncertainty, there is no risk. For example, jumping out of an airplane two miles up without a parachute isn’t risky; it is suicide. For such an action there is a 1.0 probability you will go splat when you hit the ground and almost 0.0 probability you will survive.
Probability ranges between 0.0 and 1.0, though people often express it as a percent.
Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of
jumping out of an airplane without a chute, you are committing suicide, but you aren’t doing
anything risky. Risk involves uncertainty. Let’s tie this back to the information assurance world.
If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the
perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will
happen over the course of a year. In the same way that gravity is the compelling reason jumping
from a plane without a chute is near-certain death, the continuous probing and poking of exposed
systems on the Internet is the compelling reason the box will be compromised. So what? How bad
can a compromise be? Well, once they compromise the box they have the ability to manipulate the
addresses associated with the names of the network entities (such as computers) at your site. These
names and addresses are often used to identify which computers are allowed to access other
computers - your organization’s trust model. If you have valuable assets, that trust model may be what
they go after. Or they may just create weird system domains and hit systems all over the Internet,
giving your organization a bad name.
6 - 6
What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high impact)
• If one shot didn’t kill you, and then it hit you again and again. (frequent threat)
• There is high certainty the threat exists, it is high impact, and potentially could occur multiple times.
So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To
have an unacceptable risk, there has to be a defined threat. They will compromise the DNS server,
most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model
and had several days to work without being detected - such as over the Christmas holidays - they
could make considerable headway at owning the entire organization’s information assets. You might
never get them dislodged. What if they chose simply to use your box to attack others?
People are usually forgiving if it only happens once, but there are domains that have been
compromised a number of times. These are not usually respected and may even be blocked. One of
the classics is the Brazilian Research Network. This loose group of addresses has been the source of
hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke,
legitimate users continue to find their access blocked.
6 - 7
Single Loss Expectancy (SLE - one shot)
• Asset value x exposure factor = SLE
• Exposure factor: 0 - 100% of loss to asset
• Example: Nuclear bomb/small town ($90M x 100% = $90M)
How much financial loss am I willing to accept in a single event? It all comes down to money in the
end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the
information resource asset. Example: A company’s top salesman accounts for 25% of their $40
million in revenue, or $10 million. His client contact list and fee schedule are stored on his laptop and
are not encrypted. If they fell into the wrong hands they would be worth at least 10% of their value to
the competition ($1 million) and possibly more if they can finesse the information. So we find we can
calculate a minimum approximate SLE, but there is uncertainty as to the maximum value.
Another example: An author takes a royalty of $100,000 to write a book. He receives partial
payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and
the data is not recoverable? $25,000 x 80% or $20,000, unless he has been sending chapters in as
they are done.
6 - 8
Annualized Loss Expectancy (ALE - multi-hits)
• SLE x Annualized rate of occurrence = Annual Loss Expectancy (ALE)
• The annualized rate of occurrence is how often the threat is expected to occur in a year
• Example: web surfing on the job
– SLE: 1000 employees, 25% waste an hour per week surfing, $50/hr x 250 = $12,500
– ALE: They do it every week except when on vacation: $12,500 x 50 = $625,000
If you are screaming, “But what if??”, relax - we understand. Again, a main point of the chapter is
uncertainty; this is what drives the “what ifs”. The key question, however, is how much continuing
risk am I willing to accept?
Even if you can survive a given event (possibly sadder but wiser), can you survive it six times? This
is the notion of annualized risk. It applies well to shoplifting. We expect to lose 9% of revenue over
N occurrences.
The information about expected losses due to cyber attacks is much harder to come up with, as
organizations do not tend to share this type of information, so it is only available in the micro-view of
a given organization.
6 - 9
Qualitative - Another Risk Assessment Approach
• Banded values: High, medium, low
• Asset value and safeguard cost can be tied to monetary value, but not the rest of the model
• Very commonly used
For most applications the best approach is the financial one, with the exceptions of critical systems
(such as nuclear plant control) and weapon systems. However, it does take a lot more effort to
quantify the value of things, and so the qualitative approach is far more popular.
The single biggest problem with the qualitative approach is in the implementation - people tend to
mark “low risk” even when it is not. Or they mark “medium” or “high” for their pet peeves
as opposed to actually calculating the risk.
6 - 10
Quantitative vs. Qualitative
• Qualitative is easier to calculate, but its results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high risk areas
• Quantitative is far more valuable as a business decision tool since it works in metrics, usually dollars
The main difference between the two approaches is that qualitative is much easier and, when done well,
can certainly identify the areas that need attention. This is because as soon as an area is marked high
risk, you know you need to look into it.
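The SLE and ALE arithmetic from the two previous slides, together with the High/Medium/Low banding this slide discusses, as an added worked example (my code, not part of the SANS courseware). The formulas and the dollar figures (the salesman’s laptop, the author’s hard drive, the web surfing ALE) are the slides’ own; the band thresholds, the $40,000 filter and the 80% reduction in `surfing_decision` are constructed assumptions used to show how a mitigate-or-accept decision falls out of the numbers:

```python
"""Quantitative risk arithmetic (SLE, ALE) plus a threshold-based qualitative band.

Added example for this part of the course; not SANS course code. The formulas are the
slides' own; the band thresholds and the safeguard figures are constructed assumptions.
"""
from typing import Dict


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (exposure factor is 0.0 - 1.0 of the asset)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset lost, 0.0 - 1.0")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def qualitative_band(ale: float, medium_from: float, high_from: float) -> str:
    """Map an ALE onto the course's High/Medium/Low bands.

    The thresholds are agreed before anyone fills in a form, so the band follows from
    the dollars rather than from the assessor's pet peeve (the failure mode the slides
    describe for qualitative assessments).
    """
    if medium_from > high_from:
        raise ValueError("medium threshold must not exceed high threshold")
    if ale >= high_from:
        return "high"
    if ale >= medium_from:
        return "medium"
    return "low"


def safeguard_net_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Annual risk reduction a countermeasure buys, minus what it costs to run.

    Positive means mitigation beats accepting the risk; negative means the
    safeguard costs more than the loss it prevents.
    """
    return (ale_before - ale_after) - annual_cost


def course_examples() -> Dict[str, float]:
    """The worked numbers from the slides, reproduced with the functions above."""
    # Top salesman's laptop: 25% of $40M revenue = $10M; 10% of that to a competitor.
    laptop_sle = single_loss_expectancy(10_000_000, 0.10)          # $1,000,000 (minimum)
    # Author at the 70% mark: the current $25,000 quarter is 80% complete.
    author_sle = single_loss_expectancy(25_000, 0.80)              # $20,000
    # Web surfing: 25% of 1000 employees lose an hour at $50/hr, every week but vacation.
    surfing_sle = single_loss_expectancy(250 * 50, 1.0)            # $12,500 per week
    surfing_ale = annualized_loss_expectancy(surfing_sle, 50)      # $625,000 per year
    return {
        "laptop SLE": laptop_sle,
        "author SLE": author_sle,
        "web surfing SLE": surfing_sle,
        "web surfing ALE": surfing_ale,
    }


def surfing_decision(annual_cost: float = 40_000, reduction: float = 0.80) -> Dict[str, object]:
    """Mitigate-or-accept for the web surfing example.

    Constructed assumptions, not figures from the course: a filter costing
    $40,000/yr cuts the lost hours by 80%; bands start at $50,000 and $250,000 a year.
    """
    before = course_examples()["web surfing ALE"]
    after = before * (1.0 - reduction)
    return {
        "band_before": qualitative_band(before, 50_000, 250_000),
        "band_after": qualitative_band(after, 50_000, 250_000),
        "net_value": safeguard_net_value(before, after, annual_cost),
    }


if __name__ == "__main__":
    for label, dollars in course_examples().items():
        print(f"{label:>16}: ${dollars:,.0f}")
    print(surfing_decision())
```

Fixing the thresholds in code before the forms are filled in addresses the problem the slide raises with qualitative assessments: the band is read off the ALE instead of being chosen by whoever holds the pen, and the same ALE lets you compare a safeguard’s running cost against the loss it prevents before deciding to mitigate rather than accept.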
There is still another approach to risk assessment. This is the knowledge-based or best practices
approach. There is much more up-front work required to implement this, but the results are more
accurate and consistent.
6 - 11
Best Practice Risk Assessment
• System administration is a high-turnover job for large organizations, which affects continuity
• System administrators tend to be focused on having the “trains run on time”
• Security configuration may not be understood or implemented
In many organizations, there is a large amount of staff rotation and employee turnover, particularly
in the fields of system administration and network security. This fact, combined with the need to
simply keep the systems up and running with a minimum support staff, leads to dangerous situations
where security and safety are often neglected.
A best practice risk assessment can help an organization that does not have the in-house ability to
perform a more formal risk assessment. This type of risk assessment is based on checklists built by
the consensus of many security professionals. New automated tools make these risk assessments
simple for most system administrators to perform.
6 - 12
Best Practice
• No single organization or person is likely to produce best practice
• Consensus of many organizations and stringent review will
• Examples:
– SANS Research Consensus Projects
– Center for Internet Security
One of the powerful ideas that is developing is the use of consensus tools to test and score the
security of a system. In this case we will look at a level 1 test. A level 1 test is one that everyone
ought to be able to pass if they are running their system at an acceptable risk.
6 - 13
We have downloaded the Windows 2000 tool from the Center for Internet Security,
www.cisecurity.org and run the test. As you can see, we have a bit of work that we need to do.
Your next slide is from Microsoft Update. Let’s download the critical fixes, reboot a few times, and
see how we are doing.
6 - 14
This screenshot is Microsoft’s web site. We expect that everyone knows about Microsoft Update, but as
you will see, getting a perfect score just isn’t that simple.
6 - 15
Even after downloading all the Security patches that Microsoft has on the update site, the scoring
tool tells us we need to pick up two more. If we select the 'Hotfixes Needed' button we can get the
names of the missing patches. Also, you will notice that we have a zero score for restrict
anonymous. This is a big problem for Windows computers, so we will fix this next.
6 - 16
To get to this screen, we have gone to Start → Programs → Administrative Tools → Local Security
Policy → Security Options. The current setting on the system is to allow anyone to enumerate all the
information about our system. This would allow even more detailed reconnaissance than the
example that we looked at with the Mitnick attack. Therefore we will disable this. On the next slide
you see the Local Security Policy after rebooting.
6 - 17
Now as you can see, we have disabled trivial enumeration of our system.
6 - 18
After we went in and changed the restrict anonymous setting to 2, which increased the security, our
score increased to a 3.3. There’s more to be fixed, like the two additional hotfixes, but we’ll move
along to our next best practice, the SANS Securing Windows NT Step-by-step booklet.
6 - 19
SANS’ Securing NT SBS
* Action 3.1.1 Disable the display of the last logged on username by setting the
following registry value. If the value does not already exist, it must be created. With REGEDT32 this
is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername" exactly as
shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration
Manager from the NT Resource Kit instead of using REGEDT32.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1
Note: In some situations it might be preferable to allow the display of the last logged
on user. Certain users may not be able to remember their user name, and this would keep the
administrator from having to tell them each time they logged on. Another reason to display the last
logged on username is because it will quickly let you know if someone else logged onto the
machine. Not displaying the last logged on user name will only keep novice hackers from finding
out which users exist on the machine. It is trivial for a determined hacker to get that information.
Therefore, many administrators do not bother hiding the last logged on user name.
A similar project - also a community development effort - is the SANS Securing Windows NT
Step-by-step booklet. This is on its third revision and the current editors are Jason Fossen and Stephen
Northcutt.
6 - 20
Windows 2000 Checklist
• Checklist approach designed for two persons (check and double check) to configure a Windows 2000 system to at least minimal acceptable security
• Draws on SANS’ Securing Windows 2000 Step-by-step
• 80/20 rule applies
Every pilot understands the effectiveness of checklists. A checklist is used to make sure the
helicopter or plane is ready to take off and also used before landing. One crew member reads the
item, the other verifies it, and states that it is correct. This is a powerful technique and prevents you
from doing something stupid like trying to take off without your wings attached to your airplane, and
yes, it really has happened!
This check and double check technique is crucial for knowledge-based risk assessment. One person
who knows security and risk in general and another that knows the specific technology make the
ideal team to work with the system owner to evaluate the system.
Let’s look at a specific example of a checklist from the Naval Surface Warfare Center. These have
been developed for a number of operating systems, but we will examine part of one developed for
Windows 2000. This and the previous project are related to one another. The main difference is that
in the SBS booklet the detailed information is shown up front, whereas in the NSWC checklist it is
in the help files.
6 - 21
NAVAL SURFACE WARFARE CENTER, DAHLGREN DIVISION
WINDOWS 2000 COMPUTER RISK ASSESSMENT
Risk Assessment/Countermeasure Analysis/Security Test and Evaluation (ST&E) for Microsoft Windows 2000 Computer Systems.
Threat and Countermeasure Check List. Mark each as True, False, or NA - not applicable.
a. Threat/Vulnerability: Unauthorized System Access
Operating Countermeasures:
Auditing.
(__) Auditing is configured to minimally audit -
    Account Logon Events (Success and Failure)
    Account Management (Success and Failure)
    Logon Events (Success and Failure)
    Object Access (Failure)
    Policy Change (Success and Failure)
    Privilege Use (Failure)
    System Events (Success and Failure)
The person that knows security and risk in general (often an auditor or security officer) reads the
items to the person more familiar with the specific technology. This person checks each item and
fills in the checklist.
At the end of each section, the security officer makes the determination as to the overall risk posture
of the system.
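One way to mechanize the “check and double check” pass, as an added example that is neither NSWC’s nor SANS’ tooling: the script below reads a security policy export in the layout that `secedit /export /cfg` writes (the `[Event Audit]` and `[Registry Values]` sections; that layout, the audit bit values 1 = success and 2 = failure, and the `...\Control\Lsa\RestrictAnonymous` path are my assumptions about the format, not details the course shows) and marks the auditing items from the NSWC checklist above, plus the DontDisplayLastUsername and RestrictAnonymous settings from the earlier slides, as True, False or NA exactly as the form asks. The sample export is constructed for the example, not captured from a real host.

```python
"""Checklist evaluator: mark security settings True / False / NA from an exported policy.

Added example; not the NSWC checklist's or SANS' own tooling. Reads text in the layout
of a `secedit /export /cfg` template (an assumption about the format, not something the
course shows) and checks the auditing items from the NSWC checklist plus the two
registry settings from the SBS slides.
"""
from typing import Dict, List

AUDIT_SUCCESS, AUDIT_FAILURE = 1, 2   # bit values secedit uses for audit settings (assumed)

# NSWC "Auditing" countermeasure, item by item: (checklist wording, export key, required bits).
AUDIT_ITEMS = [
    ("Account Logon Events (Success and Failure)", "auditaccountlogon", AUDIT_SUCCESS | AUDIT_FAILURE),
    ("Account Management (Success and Failure)", "auditaccountmanage", AUDIT_SUCCESS | AUDIT_FAILURE),
    ("Logon Events (Success and Failure)", "auditlogonevents", AUDIT_SUCCESS | AUDIT_FAILURE),
    ("Object Access (Failure)", "auditobjectaccess", AUDIT_FAILURE),
    ("Policy Change (Success and Failure)", "auditpolicychange", AUDIT_SUCCESS | AUDIT_FAILURE),
    ("Privilege Use (Failure)", "auditprivilegeuse", AUDIT_FAILURE),
    ("System Events (Success and Failure)", "auditsystemevents", AUDIT_SUCCESS | AUDIT_FAILURE),
]

# Registry-backed items: (wording, value path as secedit writes it, lower-cased, expected data).
# The Winlogon path is the one on the SBS slide; the Lsa path for RestrictAnonymous is
# supplied here and is not given on the page.
REGISTRY_ITEMS = [
    ("SBS 3.1.1: DontDisplayLastUsername = 1",
     r"machine\software\microsoft\windows nt\currentversion\winlogon\dontdisplaylastusername", "1"),
    ("RestrictAnonymous = 2",
     r"machine\system\currentcontrolset\control\lsa\restrictanonymous", "2"),
]

# Constructed sample export (hand-written for this example, not captured from a real host).
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1,"1"
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-style export into {section: {key: value}}; keys are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def registry_data(raw: str) -> str:
    """secedit writes registry values as '<type>,<data>'; return the data without quotes."""
    _type, _, data = raw.partition(",")
    return data.strip().strip('"')


def evaluate(export_text: str) -> Dict[str, str]:
    """Mark every checklist item True (met), False (not met) or NA (not in the export)."""
    sections = parse_inf(export_text)
    audit = sections.get("Event Audit", {})
    registry = sections.get("Registry Values", {})
    results: Dict[str, str] = {}
    for text, key, required in AUDIT_ITEMS:
        raw = audit.get(key)
        if raw is None:
            results[text] = "NA"
        else:  # "minimally audit": every required bit must be set; extra auditing is fine
            results[text] = "True" if (int(raw) & required) == required else "False"
    for text, path, expected in REGISTRY_ITEMS:
        raw = registry.get(path)
        if raw is None:
            results[text] = "NA"
        else:
            results[text] = "True" if registry_data(raw) == expected else "False"
    return results


def failing_items(results: Dict[str, str]) -> List[str]:
    """The items the security officer needs to weigh when judging the section's risk posture."""
    return sorted(text for text, mark in results.items() if mark == "False")


if __name__ == "__main__":
    marks = evaluate(SAMPLE_EXPORT)
    for text, mark in marks.items():
        print(f"({mark:>5}) {text}")
    print("Open items:", failing_items(marks))
```

The script only fills in the form; as the notes say, the determination of overall risk posture for the section stays with the security officer, who reads `failing_items` against the threat the section names. Items the export does not mention come back NA rather than True, so a missing setting is never silently counted as a pass.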
6 - 22
Windows 2000 Form Summary
• Benefits
– Reasonably good tool for minimal OS security
– Good form “layout”
• Limits
– Needs a list of applicable patches
– Where to get them
– Tool to determine patch status
Neither the NSWC checklist nor the SANS Securing Windows 2000 Step-by-step checklist is the final
answer. Teams are continually re-evaluating these, fixing problems, and reacting to new threats.
However, they can help an organization or individual get up to speed fast.
6 - 23
Business Case for Risk Management
• In order to present the business case we need to convey the “Big Picture”
• We are now familiar with these core technologies and how they play together:
– Host- and Network-Based Intrusion Detection
– Vulnerability Scanners and Honeypots
– Firewalls
In a sense, this is the section that everything points to. Intrusion detection is expensive; it has a cost.
It is wise to consider the cost and the benefits before embarking on this journey. You have spent the
day learning about the big picture. The real question is, can you explain it to your management?
Can you show them how the technologies we have talked about play together?
6 - 24
Business Case For Risk Management (2)
• We have been introduced to a basic risk assessment process; can we apply this process to the business case for intrusion detection?
– If there is a ‘big picture’ can we apply what we have learned to our real world environment?
The real test of this course’s value is whether you can apply what you have learned here in your
organization. Every situation is different; a financial institution has different priorities than a
military organization, for example. As we work through this next section, think about your
organization and whether these concepts apply. If you have ideas that would help me balance or
improve this, please send me e-mail at
6 - 25
Business Case - Applications
• Organization has no intrusion detection and you are presenting the case for standing up a capability
• Organization has rudimentary capability and you want to upgrade
• Organization has central monitoring and you are presenting the case for a departmental capability
These are the primary situations that this section of the course has been tailored to meet. Often, to
satisfy these conditions you will need a business case for the expenses and investment.