RISK ASSESSMENT AND MANAGEMENT

Presented by
Jeff Kimmelman
Vigilinx Digital Security Solutions




Introduction

!   Who Am I?
!   Purpose of Talk
!   High Level Agenda




                  Copyright (c) 2002 by Vigilinx   2




Who Am I?

!   Jeff Kimmelman
    !   Principal Security Architect
    !   Vigilinx Digital Security Solutions
    !   jeff.kimmelman@vigilinx.com
!   Areas of Expertise:
    !   Assessment
    !   Policy
    !   Design
    !   Software

Experience

!   IT related since 1982
!   Worked in DoD secure environments
!   Developed cryptographic software
!   Designed and maintained secure global
    WANs
!   Directed BBN/GTE/Baltimore Security
    Consulting Group

Purpose of Talk

!   Define risk
!   Propose an assessment methodology
!   Discuss risk mitigation strategies
!   Avoid overly technical digression




High Level Agenda
!   Security Terminology
!   Risk Assessment
    !   The “Risk Equation”
    !   Likelihood
    !   Impact
!   Addressing Risk
    !   Establish Policy
    !   Implement Countermeasures
    !   Maintain Vigilance
!   Concluding Remarks

Security Terminology




Security – A Definition

se•cu•ri•ty (si kyoor’ i tē), n., pl. –ties, adj. –n. 1. freedom from danger, risk, etc.; safety. 2. Freedom from care, anxiety, or doubt; well-founded confidence. 3. Something that secures or makes safe; protection; defense. … [1400-50; late ME securytye, securite(e) < L sēcūritās. … ] (Webster’s New Universal Unabridged Dictionary)


!   Security is a GOAL, not a STATE OF BEING.
!   Security is everyone’s responsibility.



Important Terms

!   Flaw
!   Weakness
!   Vulnerability
!   Exploit
!   Attack
!   Adversary
!   Threat

Flaw

!   Imperfection of a system
!   Found in design, implementation or
    execution
!   Concealed or exposed
!   Known or unknown
!   Source of weakness or vulnerability
!   Not always exploitable

Weakness

!   Attribute of a system or defense
!   Insufficient to resist expected attack – lack
    of strength
!   Not necessarily due to a flaw
!   Source of vulnerability
!   Not always exploitable


Vulnerability

!   Feature of system or defense
!   Sometimes (often) undiscovered
!   Caused by flaws and weaknesses
!   Always exploitable
!   Target of adversaries



Exploit

!   Methodology for attack
!   Takes advantage of one or more
    vulnerabilities
!   Repeatable
!   Always “succeeds”
!   Used in an attack


Attack

!   Prosecution of an exploit (an instance)
!   Defined objective
!   Can be undetected or detected
!   Sometimes (often) unsuccessful
!   Performed by a motivated adversary



Adversary
!   Agent (person or corporate)
!   Motivated
!   Often unscrupulous
!   Goals:
    !   Competition
    !   Defamation
    !   Financial gain
    !   Notoriety
    !   Information
!   May or may not have means & knowledge




Threat

!   Adversary
!   Possesses means and knowledge
!   Actively targeting
!   Known or unknown




Countermeasures

!   Methodology for defense
!   Technological or procedural
!   Types:
    !   Detection
    !   Resistance
    !   Avoidance
    !   Counter-attack
!   Usually specific to an exploit

Countermeasures: Defense in Depth

[Diagram: TECHNOLOGY layers labelled Information, Application, System, Network, Physical; PROCEDURE: Management, Monitoring, Auditing, Response]


Security Countermeasures Include a Lot

[Diagram: ENABLERS across the top: Technology, Processes, People; RISK REGIONS down the side: Operational Infrastructure, Protective Boundary, Exogenous Factors]



Security is an Arms Race

[Chart: Frequency of Attack (vertical axis) against Time (horizontal axis); curves labelled Easy Attack and Complex Attack, and a point labelled Chosen Security Countermeasure]

Risk Assessment




Risk

!   Measures importance
!   Determines relevance of vulnerabilities
!   Useful for setting programmatic priority
!   Varies over time




The Risk Equation

Impact x Likelihood = Risk

!   Universal: Applies to all types of risk
!   Uniform: Enables comparison
!   Objective: Track over time



Risk is Two Dimensional

Impact x Likelihood = Risk

[Chart: Impact (vertical axis) against Likelihood (horizontal axis); Attack 1 through Attack 4 plotted as points, with "Low Risk" at the low-impact, low-likelihood corner and "High Risk" at the high-impact, high-likelihood corner]
Impact

Impact x Likelihood = Risk

!   Measures the level of “pain” to the organization
!   Examples:
    !   Financial: Loss or cost to repair
    !   Operational: Lost time, production or delivery
    !   Reputation: Loss of customer or consumer confidence
    !   Competitive: Reduction of market advantage
    !   Regulatory: Legal liability
    !   Fiduciary: Fiduciary liability



Likelihood

Impact x Likelihood = Risk


!   Measures the probability of feeling the
    impact
!   Contributors:
    !   Known exploits
    !   Motivated adversaries
    !   Adequacy of countermeasures



Performing the Assessment

!    Requires experience
!    Two approaches:
     !   Vulnerability driven
     !   Asset driven
!    Combine for greatest effect




Vulnerability Driven Analysis

1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report
Searching for Known Vulnerabilities

[Diagram: Flaws and Weaknesses feeding into Vulnerability]
!   Research known threat databases
!   Use scanning tools
!   Review technology and procedures
!   Test users (social engineering)

→ Grade ease of exploitation

Network and System Vulnerabilities

!   Network:
    !   Unnecessary pathways
    !   Unsecured data-streams
!   System:
    !   Unhardened systems
    !   Unprotected administrator logon
    !   Exposed management interfaces


Application and Operations Vulnerabilities

!   Application:
    !   Unneeded services
    !   Buffer overflows
    !   Lack of or weak authentication
!   Operations:
    !   Lack of change control program
    !   No monitoring or intrusion detection
    !   Easy access to backup media




Determine Affected Assets

Vulnerability          Likelihood   Asset        Impact   Risk
No Password Required                Web 1        Med
                                    Anon FTP     Low
                                    Modem Pool   Med

•   Most vulnerabilities affect multiple assets
•   Can’t determine likelihood yet

Gauge the Impact

Impact x Likelihood = Risk

!   Is there money at stake?
!   Can private information be revealed?
!   Would an attack embarrass the organization?
!   Could a targeted system be used as a “stepping stone?”
!   Would an attack advance the cause of information warfare or terrorism?
!   Will competitive advantage be lost?

Identify Your Adversaries

Adversary + Motivation + Capability = Threat



!   Internet Hacker
!   Insider
!   Thief
!   Terrorist
!   Industrial Spy



Gauge the Likelihood

Adversary + Motivation + Capability = Threat

!   Depends on:
    !   Threat
    !   Complexity
!   Examples:
    !   DoS or DDoS on an Online Banking Application
         !   Threat: Medium, Complexity: Low
    !   Modify Stock Price Quote:
         !   Threat: High, Complexity: Medium
    !   Execute Unauthorized Transactions
         !   Threat: High, Complexity: Very High

Tabulate and Report

Vulnerability          Likelihood   Asset        Impact   Risk
No Password Required   Med          Web 1        Med      Med
                       Low          Anon FTP     Low      Very Low
                       High         Modem Pool   Med      High

→ Many assessments stop at vulnerability and don’t consider impact




Asset Driven Analysis

1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report




Asset Table

Asset   Impact   Vulnerability    Likelihood   Risk
Web 1   Med      Unpatched IIS    High         High
                 No Password      Med          Med
                 Open NBT ports   High         High

→ This is just the vulnerability driven table “turned inside out”
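The vulnerability-driven "Tabulate and Report" table, the asset table above, and the ordering by risk that the "Risk Leads to Priority" slide describes, as an added Python example (not code from the deck or from Vigilinx). The Low/Med/High ordinal scale, the product-to-band cut-offs in risk_level, and the FINDINGS rows are assumptions: the cut-offs were chosen so that the function reproduces the values in the deck's own tables, and the rows are constructed from those tables.

```python
# Added example, not from the Vigilinx deck: the deck's Impact x Likelihood
# tables computed from a list of findings. The ordinal scale (Low=1, Med=2,
# High=3) and the product-to-band cut-offs are assumptions, chosen so the
# function reproduces the deck's own table values.
from collections import defaultdict

LEVEL = {"Low": 1, "Med": 2, "High": 3}          # assumed ordinal scale
RISK_ORDER = ["Very Low", "Low", "Med", "High", "Very High"]


def risk_level(impact: str, likelihood: str) -> str:
    """Impact x Likelihood = Risk, banded into five levels (assumed cut-offs)."""
    product = LEVEL[impact] * LEVEL[likelihood]
    if product >= 9:
        return "Very High"   # High x High
    if product >= 6:
        return "High"        # Med x High, High x Med
    if product >= 3:
        return "Med"         # Med x Med, Low x High, High x Low
    if product == 2:
        return "Low"         # Low x Med, Med x Low
    return "Very Low"        # Low x Low


# Constructed findings: (vulnerability, asset, impact, likelihood). The values
# mirror the two example tables in the deck.
FINDINGS = [
    ("No Password Required", "Web 1",      "Med", "Med"),
    ("No Password Required", "Anon FTP",   "Low", "Low"),
    ("No Password Required", "Modem Pool", "Med", "High"),
    ("Unpatched IIS",        "Web 1",      "Med", "High"),
    ("Open NBT ports",       "Web 1",      "Med", "High"),
]


def vulnerability_driven_table(findings):
    """Rows keyed by vulnerability: the assets it affects, each with impact,
    likelihood and the resulting risk."""
    table = defaultdict(list)
    for vuln, asset, impact, likelihood in findings:
        table[vuln].append((asset, impact, likelihood, risk_level(impact, likelihood)))
    return dict(table)


def asset_driven_table(findings):
    """The same data "turned inside out": rows keyed by asset, listing the
    vulnerabilities that affect it."""
    table = defaultdict(list)
    for vuln, asset, impact, likelihood in findings:
        table[asset].append((vuln, impact, likelihood, risk_level(impact, likelihood)))
    return dict(table)


def prioritize(findings):
    """Risk leads to priority: every (vulnerability, asset) pair ordered from
    highest to lowest risk, so the top rows are addressed first."""
    rows = [(v, a, risk_level(i, l)) for v, a, i, l in findings]
    return sorted(rows, key=lambda r: RISK_ORDER.index(r[2]), reverse=True)


def render(table, row_label):
    """Plain-text report in the deck's table layout."""
    lines = [f"{row_label:<22} {'Item':<16} {'Impact':<7} {'Likelihood':<11} Risk"]
    for key, rows in table.items():
        for n, (item, impact, likelihood, risk) in enumerate(rows):
            label = key if n == 0 else ""
            lines.append(f"{label:<22} {item:<16} {impact:<7} {likelihood:<11} {risk}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(vulnerability_driven_table(FINDINGS), "Vulnerability"))
    print()
    print(render(asset_driven_table(FINDINGS), "Asset"))
    print()
    for vuln, asset, risk in prioritize(FINDINGS):
        print(f"{risk:<9} {vuln} on {asset}")
```

Both tables are views over the same findings list, which is the point of the "turned inside out" remark: collect impact per asset and likelihood per vulnerability once, and either grouping falls out.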




Risk Leads to Priority

Risk = Impact x Likelihood

[Chart: Potential Impact (vertical axis) against Likelihood of Attack (horizontal axis); regions labelled Very Low Risk, Medium Risk and Very High Risk]
Addressing Risk




Risk Management Program

!   Establish Policy
!   Implement Countermeasures
!   Maintain Vigilance




Security Policy – What Is It?

!   Who?
!   What’s prohibited?
!   What’s required?
!   What’s permitted?




Policy Statements

!   Most corporate policies must be translated
    to concrete statements.
!   Major elements:
    !   Information Classification
    !   System Criticality
    !   Operational Context



Information Classification

!   Information classification streamlines policy
    statement and enforcement.

!   CAVEAT: Over-classification leads to
    excessive cost and added overhead.
!   CAVEAT: Some collections of unclassified
    data become sensitive when aggregated.

An Example of Information Classification

INFORMATION CLASSIFICATION GUIDELINES

Classification                         Level          Examples
Personally Identifiable Information    Restricted     Personnel Records
(PII)                                                 Consumer Account Information
Company                                Restricted     Plans for Reduction in Force
                                                      Financial Results
                                       Confidential   Product Development Plans
                                                      Business Expansion Strategies
Customers                              Restricted     Customer Plant Designs
                                                      Billing and Payables
                                                      Customer Non-Disclosure Information
                                       Confidential   Customer Names
                                                      Sales and Delivery Records
Vendor                                 Restricted     Vendor Non-Disclosure Information
                                                      Contracts
                                       Confidential   Business Unit Specific Price Lists



Criticality

!   Criticality is a quality of operational
    systems.
!   It depends upon the importance of a
    network, system or application.
!   Criticality motivates reliability measures.




Example of Criticality

    Criticality   Definition
    Low           This application, system, or network asset is non-essential to
                  Corporate, business unit or departmental operations. Outages can be
                  tolerated for a period of two weeks or more.
    Medium        This asset is important for normal corporate, business unit or
                  departmental operations, but is not essential. An outage of up to 48
                  hours can be tolerated.
    High          This asset is essential and critical to corporate, business unit or
                  department operations. Ideally, it is designed with full reliability.
                  Outages should be kept to a minimum, generally less than 30 minutes.




Operational Context

!   Facilities (systems and networks) are
    certified to the maximum classification level
    permitted.
!   “Guards” ensure that information does not
    pass to an unauthorized environment.




Example of Operational Context

[Diagram: graphic only, no text]




Create a Policy Hierarchy

Policies → Requirements → Standards → Configurations




Example: Requirements Specify Security Services




!   Authentication
!   Access Control
!   Data Confidentiality
!   Data Integrity
!   Non-repudiation

(X.800, Security Architecture for Open Systems Interconnection for
   CCITT Applications – also ISO/IEC 7498-2)

Communications Policies (Examples)

!   Personally Identifiable Information (PII)
    may not be transmitted in the clear on the
    Internet.
!   Transmission of corporate restricted
    information on any network requires data
    confidentiality, peer-entity authentication,
    and non-repudiation with proof of delivery.


Storage Policies (Examples)

!   Permanent storage of information classified as
    confidential or above on web servers is
    prohibited.
!   Caching of information classified as confidential
    or above on web servers is permitted during the
    validity period of an associated session.
!   Database systems must restrict access to
    authenticated, authorized users of confidential
    information.
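The communications and storage policy statements above, written as executable checks in an added Python example (not code from the deck or from Vigilinx). The ordering of classification levels in RANK, the "Internal" default for data the guidelines do not list, the service-name strings, and the scenario inputs are assumptions; the rules themselves follow the example policy statements and the information classification guideline examples on the earlier slide.

```python
# Added example, not from the Vigilinx deck: the deck's example communications
# and storage policy statements as checks. The level ranking, the "Internal"
# default for unlisted items and the record formats are assumptions; the rules
# are the deck's.

# Assumed ordering of classification levels, lowest to highest.
RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# Excerpt from the deck's information classification guidelines.
GUIDELINES = {
    "Personnel Records": "Restricted",
    "Consumer Account Information": "Restricted",
    "Financial Results": "Restricted",
    "Product Development Plans": "Confidential",
    "Customer Names": "Confidential",
    "Business Unit Specific Price Lists": "Confidential",
}
PII = {"Personnel Records", "Consumer Account Information"}

# X.800 security services named on the deck's requirements slide (assumed names).
CONFIDENTIALITY = "data_confidentiality"
PEER_AUTH = "peer_entity_authentication"
NON_REPUDIATION = "non_repudiation"


def classify(item: str) -> str:
    """Look the item up in the guidelines; unlisted data is assumed Internal."""
    return GUIDELINES.get(item, "Internal")


def at_least(level: str, floor: str) -> bool:
    return RANK[level] >= RANK[floor]


def check_transmission(item: str, network: str, services: set) -> list:
    """Communications policy: the statements violated by sending `item` over
    `network` with the given set of X.800 services applied."""
    violations = []
    if item in PII and network == "Internet" and CONFIDENTIALITY not in services:
        violations.append("PII may not be transmitted in the clear on the Internet")
    if classify(item) == "Restricted":
        missing = {CONFIDENTIALITY, PEER_AUTH, NON_REPUDIATION} - services
        if missing:
            violations.append("restricted information requires " + ", ".join(sorted(missing)))
    return violations


def check_web_storage(item: str, mode: str, session_valid: bool = True) -> list:
    """Storage policy for web servers: confidential-or-above information may be
    cached only during the validity period of its session, never stored permanently."""
    violations = []
    if at_least(classify(item), "Confidential"):
        if mode == "permanent":
            violations.append("permanent storage of confidential-or-above information on web servers is prohibited")
        elif mode == "cache" and not session_valid:
            violations.append("cached confidential information may not outlive its session")
    return violations


def check_database_access(item: str, authenticated: bool, authorized: bool) -> list:
    """Storage policy for databases: confidential information is served only to
    authenticated, authorized users."""
    if at_least(classify(item), "Confidential") and not (authenticated and authorized):
        return ["database access to confidential information requires an authenticated, authorized user"]
    return []


if __name__ == "__main__":
    # Constructed scenarios
    print(check_transmission("Personnel Records", "Internet", set()))
    print(check_transmission("Personnel Records", "Internet", {CONFIDENTIALITY, PEER_AUTH, NON_REPUDIATION}))
    print(check_web_storage("Customer Names", "permanent"))
    print(check_database_access("Customer Names", authenticated=True, authorized=False))
```

Encoding the statements this way makes the deck's caveat visible: a data item that is not in the guidelines falls to the assumed default and passes every check, so the classification table, not the rule engine, is what decides whether "Customer Names" sent in the clear is a violation.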

Example: Standards Specify Service Mechanisms




!   Includes algorithms and parameters:
    !   Encipherment: DES, 3DES, RSA, key-length, etc.
    !   Digital signature: RSA, DSS, key-length, etc.
    !   Access control: authorization type, time, duration, etc.
    !   Integrity: MD5, SHA, HMAC, etc.
    !   Many more choices exist.


Tabulate Policy to Ensure Consistent Practice

Columns (two entries per server): Static Content Server | Web Front-end Server | Application Front-end Server | Application Logic Server | Database Server | Notes Server | Internet Access Router

User passwords                      C  NA | C  NA | U  NA | R  NA | R  NA | C  NA | U  NA
User password quality checking      C  NA | C  NA | C  NA | NA NA | NA NA | NA NA | NA NA
Token based authentication          R  NA | R  NA | R  NA | NA NA | NA NA | NA NA | NA NA
Digital certificates                NA NA | NA NA | NA NA | NA NA | NA NA | R  NA | NA NA
Session Encryption (SSL, TLS, SSH)  R  NA | R  NA | NA NA | NA NA | NA NA | NA NA | U  NA
IPSEC (ESP)                         NA NA | NA NA | R  NA | R  NA | R  NA | NA NA | NA NA
IPSEC (AH)                          NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
S/MIME                              NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
PGP                                 NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
Software design review              U  NA | U  NA | U  NA | U  NA | U  NA | U  NA | NA NA
Software code review                U  NA | U  NA | U  NA | U  NA | U  NA | U  NA | U  NA
Application vulnerability testing   U  NA | U  NA | U  NA | R  NA | R  NA | R  NA | NA NA
Network vulnerability testing       U  H  | U  H  | U  H  | R  NA | R  NA | R  NA | U  NA
Backup and recovery process         NA L  | NA L  | NA L  | NA L  | NA L  | NA L  | NA L
Automatic fail-over                 NA H  | NA H  | NA H  | NA H  | NA H  | NA H  | NA M
Manual fail-over                    NA M  | NA M  | NA M  | NA M  | NA M  | NA M  | NA L




Recap of Policy

!   Policy defines classification and rules for
    access/exchange.
!   Policy defines criticality.
!   Policy hierarchy defines security services
    and quality of mechanisms.




Implement Countermeasures

TECHNOLOGY: Firewalls, Authentication, VPN, System IDS, Network IDS, PKI / Cryptography, Intelligence, Network Manager
PROCESS: Monitoring, Response, Administration, Change Control, Auditing, Continuity
PEOPLE: Assignment, Training, Awareness, Background

Countermeasures: Defense in Depth

[Diagram: the Technology / Process / People countermeasure lists from the previous slide laid over the defense-in-depth layers: Information, Application, System, Network, Physical (TECHNOLOGY), with Management, Monitoring, Auditing, Response (PROCEDURE)]

The 10 Guiding Principles*

1. Secure the Weakest Link
2. Practice Defense in Depth
3. Fail Securely
4. Follow the Principle of Least Privilege
5. Compartmentalize
6. Keep It Simple
7. Promote Privacy
8. Remember That Hiding Secrets Is Hard
9. Be Reluctant to Trust
10. Use Your Community Resources

* From Building Secure Software, John Viega and Gary McGraw
Cost vs. Risk

[Chart: Cost to Implement (vertical axis) against Effectiveness of Solution / Impact of Threat (horizontal axis, Less to More). Solutions above the line are not cost effective. Points plotted for Vuln #1 through Vuln #4, the Chosen Solution and the Residual Risk.]
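The selection rule behind the Cost vs. Risk chart, as an added Python example (not code from the deck or from Vigilinx). It assumes risk and cost are measured in the same units, so that a solution is "below the line" when the risk it removes is worth at least its cost; the Vulnerability and Solution records, their names and every number are constructed for illustration.

```python
# Added example, not from the Vigilinx deck: the deck's Cost vs. Risk chart as
# a selection rule. Risk is expressed in the same (constructed) units as cost;
# a solution sits "below the line" when the risk it removes is worth at least
# its cost. All vulnerabilities, solutions, costs and effectiveness figures
# below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    impact: float        # loss if the vulnerability is exploited (constructed units)
    likelihood: float    # probability of that happening in the planning period

    @property
    def risk(self) -> float:
        return self.impact * self.likelihood      # Impact x Likelihood = Risk


@dataclass(frozen=True)
class Solution:
    vuln: str
    name: str
    cost: float          # cost to implement
    effectiveness: float # fraction of the vulnerability's risk it removes (0..1)


VULNS = [
    Vulnerability("Vuln #1",  10_000, 0.9),
    Vulnerability("Vuln #2",  50_000, 0.3),
    Vulnerability("Vuln #3",  80_000, 0.2),
    Vulnerability("Vuln #4", 200_000, 0.1),
]

SOLUTIONS = [
    Solution("Vuln #1", "apply vendor patch",     1_000, 0.90),
    Solution("Vuln #1", "rebuild the system",    12_000, 1.00),
    Solution("Vuln #2", "firewall rule",          3_000, 0.60),
    Solution("Vuln #3", "network IDS",           20_000, 0.70),
    Solution("Vuln #4", "VPN for remote access",  5_000, 0.80),
    Solution("Vuln #4", "PKI rollout",           30_000, 0.95),
]


def risk_removed(sol: Solution, vulns=VULNS) -> float:
    """Risk eliminated by applying `sol` to its vulnerability."""
    vuln = next(v for v in vulns if v.name == sol.vuln)
    return vuln.risk * sol.effectiveness


def is_cost_effective(sol: Solution, vulns=VULNS) -> bool:
    """Below the line: the risk removed is worth at least the cost to implement."""
    return risk_removed(sol, vulns) >= sol.cost


def choose_solutions(vulns=VULNS, solutions=SOLUTIONS) -> dict:
    """For each vulnerability pick the cost-effective solution with the largest
    net benefit (risk removed minus cost), or None if nothing is below the line."""
    chosen = {}
    for v in vulns:
        candidates = [s for s in solutions if s.vuln == v.name and is_cost_effective(s, vulns)]
        chosen[v.name] = max(candidates, key=lambda s: risk_removed(s, vulns) - s.cost, default=None)
    return chosen


def residual_risk(chosen: dict, vulns=VULNS) -> float:
    """Risk that remains after the chosen solutions are applied; vulnerabilities
    with no cost-effective solution keep their full risk."""
    total = 0.0
    for v in vulns:
        sol = chosen.get(v.name)
        total += v.risk - (risk_removed(sol, vulns) if sol else 0.0)
    return total


def total_cost(chosen: dict) -> float:
    return sum(s.cost for s in chosen.values() if s)


if __name__ == "__main__":
    chosen = choose_solutions()
    for name, sol in chosen.items():
        print(f"{name}: {sol.name if sol else 'accept risk (no cost-effective solution)'}")
    print(f"total cost {total_cost(chosen):.0f}, residual risk {residual_risk(chosen):.0f}")
```

With the constructed figures, Vuln #3 ends up with no solution below the line and is carried as residual risk, which is the situation the chart's "Residual Risk" label marks: reducing risk costs money, and some of it is cheaper to accept than to remove.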
Maintain Vigilance

[Chart: Frequency of Attack (vertical axis) against Time (horizontal axis); "Level of Vigilance" marked at four successive points in time]

Balance Security Activities

[Diagram: cycle of Plan, Execute, Appraise]

Plan

!   Consider:
    !   Future business needs
    !   Changing threatscape
    !   Tolerance to residual risk
!   Establish policy
!   Design security infrastructure
!   Develop security procedures



                         Copyright (c) 2002 by Vigilinx                          63




Execute

[Diagram: Plan / Execute / Appraise cycle]

!   Implement according to design
!   Operate according to procedures
!   Continually improve

Appraise

[Diagram: Plan / Execute / Appraise cycle]

!   Appraise the plan:
    !   Does it meet the expected threats?
    !   Will it protect business interests?
    !   Are there flaws in the design?
    !   Is policy adequate or overly burdensome?
!   Appraise the execution:
    !   Is the design implemented correctly?
    !   Has the configuration changed?
    !   Do procedures cover all events?
    !   Are operators alert?

Conclusions

!   Understanding vulnerability alone is not enough!
!   Risk depends upon likelihood of successful attack and its impact on the organization.
!   Countermeasures include technology, procedures and people.
!   Reducing risk generally requires additional cost.
!   The war is never won—constant vigilance is the only way.
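The risk equation the conclusions restate (risk from likelihood and impact) and the Plan / Execute / Appraise cycle above, worked through as an added example that is not part of the original deck: a plan step that adopts countermeasures by risk removed per unit of cost until residual risk meets a stated tolerance, and an appraise step that recomputes residual risk from as-built effectiveness and flags measures that slipped from their design. Threat names, likelihoods, impacts, costs, reduction fractions and the multiplicative combination of reductions are all constructed assumptions of this example.

```python
"""Worked example of the deck's risk equation and Plan/Execute/Appraise
cycle. Added illustration, not code from the Vigilinx presentation; every
figure below is a constructed sample value, not data from the talk."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # chance of a successful attack per year, 0..1
    impact: float      # loss to the organization if it succeeds (money units)

    def risk(self) -> float:
        # The deck's risk equation: risk follows from likelihood and impact.
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                     # "technology", "procedure" or "people"
    cost: float                   # annual cost to implement and operate
    reductions: Dict[str, float]  # threat name -> fraction of likelihood removed

def residual_risk(threats: List[Threat], chosen: List[Countermeasure]) -> float:
    """Annualized risk left after the chosen measures. Independent measures
    compound (an assumption here): two that each remove 50% leave 25%."""
    total = 0.0
    for t in threats:
        factor = 1.0
        for cm in chosen:
            factor *= 1.0 - cm.reductions.get(t.name, 0.0)
        total += t.likelihood * factor * t.impact
    return total

def plan(threats: List[Threat], candidates: List[Countermeasure],
         tolerance: float) -> Tuple[List[Countermeasure], float, float]:
    """Plan step: greedily add the measure that removes the most risk per unit
    of cost until residual risk is within the tolerance the business accepts.
    Returns (chosen measures in adoption order, residual risk, annual cost)."""
    chosen: List[Countermeasure] = []
    remaining = list(candidates)
    current = residual_risk(threats, chosen)
    while current > tolerance and remaining:
        best, best_ratio = None, 0.0
        for cm in remaining:
            removed = current - residual_risk(threats, chosen + [cm])
            ratio = removed / cm.cost if cm.cost > 0 else float("inf")
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:  # nothing left that reduces risk at all
            break
        chosen.append(best)
        remaining.remove(best)
        current = residual_risk(threats, chosen)
    return chosen, current, sum(cm.cost for cm in chosen)

def appraise(threats: List[Threat], chosen: List[Countermeasure], tolerance: float,
             as_built: Dict[str, Dict[str, float]]) -> dict:
    """Appraise step: recompute risk from measured, as-built effectiveness and
    report every measure that slipped below its design (configuration drift,
    incomplete implementation) plus whether the tolerance still holds."""
    actual = [Countermeasure(cm.name, cm.kind, cm.cost, as_built.get(cm.name, cm.reductions))
              for cm in chosen]
    drifts = []
    for planned, built in zip(chosen, actual):
        for threat_name, planned_cut in planned.reductions.items():
            built_cut = built.reductions.get(threat_name, 0.0)
            if built_cut < planned_cut:
                drifts.append((planned.name, threat_name, planned_cut, built_cut))
    residual = residual_risk(threats, actual)
    return {"residual": residual, "within_tolerance": residual <= tolerance,
            "drifts": drifts}

# Constructed sample data, not figures from the talk.
THREATS = [
    Threat("web defacement", 0.6, 50_000),
    Threat("customer data theft", 0.2, 400_000),
    Threat("insider fraud", 0.1, 200_000),
]
CANDIDATES = [
    Countermeasure("patch management", "procedure", 20_000,
                   {"web defacement": 0.7, "customer data theft": 0.4}),
    Countermeasure("network IDS", "technology", 30_000,
                   {"web defacement": 0.3, "customer data theft": 0.3}),
    Countermeasure("awareness training", "people", 10_000,
                   {"insider fraud": 0.5, "customer data theft": 0.2}),
    Countermeasure("log review", "procedure", 15_000,
                   {"insider fraud": 0.6, "customer data theft": 0.1}),
    Countermeasure("web application firewall", "technology", 60_000,
                   {"web defacement": 0.5, "customer data theft": 0.2}),
]
TOLERANCE = 40_000  # residual risk the business has said it will live with

if __name__ == "__main__":
    picked, left, spend = plan(THREATS, CANDIDATES, TOLERANCE)
    print([cm.name for cm in picked], round(left), spend)
    # Appraisal where a patch backlog left only 40% of defacement likelihood removed
    print(appraise(THREATS, picked, TOLERANCE,
                   {"patch management": {"web defacement": 0.4, "customer data theft": 0.4}}))
```

With these sample figures the plan stops before the expensive firewall because residual risk is already inside tolerance, while the appraisal shows a single under-performing measure pushing it back out.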


Thank You





Contenu connexe

Tendances

Alternative Weapons Summit
Alternative Weapons SummitAlternative Weapons Summit
Alternative Weapons Summitcassie111
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeKrisValerio
 
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145Glenn Mallo
 
Maritime Homeland Security 2009pdf
Maritime Homeland Security 2009pdfMaritime Homeland Security 2009pdf
Maritime Homeland Security 2009pdfjmanthey
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsLumension
 
Threat Modeling / iPad
Threat Modeling / iPadThreat Modeling / iPad
Threat Modeling / iPadSylvain Maret
 
Airport Entry Management Systems and Security
Airport Entry Management Systems and SecurityAirport Entry Management Systems and Security
Airport Entry Management Systems and SecurityMestizo Enterprises
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber securitynsheel
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksIBM
 
Risk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportRisk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportGlobal Risk Forum GRFDavos
 
New Technologies for Airport Security
New Technologies for Airport SecurityNew Technologies for Airport Security
New Technologies for Airport SecurityBala2212
 
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...TEO LT, AB
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human errorAnup Narayanan
 
Port &amp; Maritime Security 2011
Port &amp; Maritime Security 2011Port &amp; Maritime Security 2011
Port &amp; Maritime Security 2011Tina_Karas
 

Tendances (15)

Alternative Weapons Summit
Alternative Weapons SummitAlternative Weapons Summit
Alternative Weapons Summit
 
CRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff CrumeCRTC Cloud Security- Jeff Crume
CRTC Cloud Security- Jeff Crume
 
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145
CHAPTER 6 (listed on E7 Bibs) Safety & Survival NAVEDTRA 14145
 
Maritime Homeland Security 2009pdf
Maritime Homeland Security 2009pdfMaritime Homeland Security 2009pdf
Maritime Homeland Security 2009pdf
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
 
Greiman
GreimanGreiman
Greiman
 
Threat Modeling / iPad
Threat Modeling / iPadThreat Modeling / iPad
Threat Modeling / iPad
 
Airport Entry Management Systems and Security
Airport Entry Management Systems and SecurityAirport Entry Management Systems and Security
Airport Entry Management Systems and Security
 
Enterprise cyber security
Enterprise cyber securityEnterprise cyber security
Enterprise cyber security
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
Risk engineering decision tools for risk management support
Risk engineering decision tools for risk management supportRisk engineering decision tools for risk management support
Risk engineering decision tools for risk management support
 
New Technologies for Airport Security
New Technologies for Airport SecurityNew Technologies for Airport Security
New Technologies for Airport Security
 
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
Dr. Uwe Jendricke. Kibernetinis saugumas Vokietijos Federacinėje Respublikoje...
 
A model for reducing information security risks due to human error
A model for reducing information security risks due to human errorA model for reducing information security risks due to human error
A model for reducing information security risks due to human error
 
Port &amp; Maritime Security 2011
Port &amp; Maritime Security 2011Port &amp; Maritime Security 2011
Port &amp; Maritime Security 2011
 

En vedette

Sample managemen tby kananika
Sample managemen tby kananikaSample managemen tby kananika
Sample managemen tby kananikaBruno Mmassy
 
1 3.3 - dna structure
1   3.3 - dna structure1   3.3 - dna structure
1 3.3 - dna structurecafergy
 
Research methodology lectures new prof.. mbassa
Research methodology lectures new prof.. mbassaResearch methodology lectures new prof.. mbassa
Research methodology lectures new prof.. mbassaBruno Mmassy
 
Nucleotide structure
Nucleotide structureNucleotide structure
Nucleotide structureBruno Mmassy
 
Methodology for-assessment-biodiversity
Methodology for-assessment-biodiversityMethodology for-assessment-biodiversity
Methodology for-assessment-biodiversityBruno Mmassy
 
Family rhabdoviridae
Family rhabdoviridaeFamily rhabdoviridae
Family rhabdoviridaeBruno Mmassy
 

En vedette (8)

Sample managemen tby kananika
Sample managemen tby kananikaSample managemen tby kananika
Sample managemen tby kananika
 
Biodiversity 2009
Biodiversity 2009Biodiversity 2009
Biodiversity 2009
 
1 3.3 - dna structure
1   3.3 - dna structure1   3.3 - dna structure
1 3.3 - dna structure
 
Research methodology lectures new prof.. mbassa
Research methodology lectures new prof.. mbassaResearch methodology lectures new prof.. mbassa
Research methodology lectures new prof.. mbassa
 
Nucleotide structure
Nucleotide structureNucleotide structure
Nucleotide structure
 
Methodology for-assessment-biodiversity
Methodology for-assessment-biodiversityMethodology for-assessment-biodiversity
Methodology for-assessment-biodiversity
 
Unit 2 Notes
Unit 2 NotesUnit 2 Notes
Unit 2 Notes
 
Family rhabdoviridae
Family rhabdoviridaeFamily rhabdoviridae
Family rhabdoviridae
 

Similaire à It risk assessment_methodology

Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...Andris Soroka
 
Security Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynoteSecurity Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynoteMarkDowd13
 
Dod IA Pen Testing Brief
Dod IA Pen Testing BriefDod IA Pen Testing Brief
Dod IA Pen Testing BriefDavid McGuire
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityAndrew Wong
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceAndris Soroka
 
Countering Violent Extremism In Urban Environments Through Design Issue
Countering Violent Extremism In Urban Environments Through Design IssueCountering Violent Extremism In Urban Environments Through Design Issue
Countering Violent Extremism In Urban Environments Through Design Issuezadok001
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5DaveEdwards12
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academyananthakrishnansblit
 
Cyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochiCyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochiamallblitz0
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programsSecurity BSides London
 
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...Fabio Ghioni
 
Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions   Overview Q1 2012Waterfall Security Solutions   Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012henkpieper
 
Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Global Business Events
 

Similaire à It risk assessment_methodology (20)

Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...DSS   ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
DSS ITSEC CONFERENCE - Q1 Labs - Intelligent network security - next genera...
 
Day1
Day1Day1
Day1
 
Security Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynoteSecurity Technology Arms Race - Hack in the Box 2021 keynote
Security Technology Arms Race - Hack in the Box 2021 keynote
 
Dod IA Pen Testing Brief
Dod IA Pen Testing BriefDod IA Pen Testing Brief
Dod IA Pen Testing Brief
 
Untitled (1).pptx
Untitled (1).pptxUntitled (1).pptx
Untitled (1).pptx
 
Untitled (1).pptx
Untitled (1).pptxUntitled (1).pptx
Untitled (1).pptx
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep Security
 
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems IntelligenceDSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
 
Countering Violent Extremism In Urban Environments Through Design Issue
Countering Violent Extremism In Urban Environments Through Design IssueCountering Violent Extremism In Urban Environments Through Design Issue
Countering Violent Extremism In Urban Environments Through Design Issue
 
Insecurity in security products v1.5
Insecurity in security products v1.5Insecurity in security products v1.5
Insecurity in security products v1.5
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Cyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochiCyber security courses in Kerala , kochi
Cyber security courses in Kerala , kochi
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...
Ghioni Fabio The Importance of System Availability in Corporate Critical Infr...
 
Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions   Overview Q1 2012Waterfall Security Solutions   Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?Trend Micro - Targeted attacks: Have you found yours?
Trend Micro - Targeted attacks: Have you found yours?
 

Plus de Bruno Mmassy

Processing the crime scene
Processing the crime sceneProcessing the crime scene
Processing the crime sceneBruno Mmassy
 
Molecular forensics 2
Molecular forensics 2Molecular forensics 2
Molecular forensics 2Bruno Mmassy
 
Medical aspects of human identification
Medical aspects of human identificationMedical aspects of human identification
Medical aspects of human identificationBruno Mmassy
 
Forensic chemistry introduction
Forensic chemistry introductionForensic chemistry introduction
Forensic chemistry introductionBruno Mmassy
 
Sero and phage typing bls 206
Sero and phage typing bls 206Sero and phage typing bls 206
Sero and phage typing bls 206Bruno Mmassy
 
Selected gram positives bls 206
Selected gram positives bls 206Selected gram positives bls 206
Selected gram positives bls 206Bruno Mmassy
 
Rickettsia & chlamydia bls 206
Rickettsia & chlamydia bls 206Rickettsia & chlamydia bls 206
Rickettsia & chlamydia bls 206Bruno Mmassy
 
Pathogenic anaerobe gram positive bls 206
Pathogenic anaerobe gram positive bls 206Pathogenic anaerobe gram positive bls 206
Pathogenic anaerobe gram positive bls 206Bruno Mmassy
 
Lecture 2 diagnostic molecular microbiology bls
Lecture 2 diagnostic molecular microbiology blsLecture 2 diagnostic molecular microbiology bls
Lecture 2 diagnostic molecular microbiology blsBruno Mmassy
 
Antimicrobial susceptibility test and assay bls 206
Antimicrobial susceptibility test and assay bls 206Antimicrobial susceptibility test and assay bls 206
Antimicrobial susceptibility test and assay bls 206Bruno Mmassy
 
Antimicrobial agents and mechanisms of action 2
Antimicrobial agents and mechanisms of action 2Antimicrobial agents and mechanisms of action 2
Antimicrobial agents and mechanisms of action 2Bruno Mmassy
 
Antibiotics lecture may 2010
Antibiotics lecture may 2010Antibiotics lecture may 2010
Antibiotics lecture may 2010Bruno Mmassy
 
Streptococci and enterococci bls 206
Streptococci and enterococci bls 206Streptococci and enterococci bls 206
Streptococci and enterococci bls 206Bruno Mmassy
 
Bls 107 general microbiology
Bls 107 general microbiologyBls 107 general microbiology
Bls 107 general microbiologyBruno Mmassy
 

Plus de Bruno Mmassy (20)

Antiviral 1
Antiviral 1Antiviral 1
Antiviral 1
 
Processing the crime scene
Processing the crime sceneProcessing the crime scene
Processing the crime scene
 
Molecular forensics 2
Molecular forensics 2Molecular forensics 2
Molecular forensics 2
 
Medical aspects of human identification
Medical aspects of human identificationMedical aspects of human identification
Medical aspects of human identification
 
Forensic
ForensicForensic
Forensic
 
Forensic chemistry introduction
Forensic chemistry introductionForensic chemistry introduction
Forensic chemistry introduction
 
Dna forensic
Dna forensicDna forensic
Dna forensic
 
Sero and phage typing bls 206
Sero and phage typing bls 206Sero and phage typing bls 206
Sero and phage typing bls 206
 
Selected gram positives bls 206
Selected gram positives bls 206Selected gram positives bls 206
Selected gram positives bls 206
 
Rickettsia & chlamydia bls 206
Rickettsia & chlamydia bls 206Rickettsia & chlamydia bls 206
Rickettsia & chlamydia bls 206
 
Pathogenic anaerobe gram positive bls 206
Pathogenic anaerobe gram positive bls 206Pathogenic anaerobe gram positive bls 206
Pathogenic anaerobe gram positive bls 206
 
Lecture 2 diagnostic molecular microbiology bls
Lecture 2 diagnostic molecular microbiology blsLecture 2 diagnostic molecular microbiology bls
Lecture 2 diagnostic molecular microbiology bls
 
Antimicrobial susceptibility test and assay bls 206
Antimicrobial susceptibility test and assay bls 206Antimicrobial susceptibility test and assay bls 206
Antimicrobial susceptibility test and assay bls 206
 
Antimicrobial agents and mechanisms of action 2
Antimicrobial agents and mechanisms of action 2Antimicrobial agents and mechanisms of action 2
Antimicrobial agents and mechanisms of action 2
 
Antibiotics lecture may 2010
Antibiotics lecture may 2010Antibiotics lecture may 2010
Antibiotics lecture may 2010
 
Streptococci and enterococci bls 206
Streptococci and enterococci bls 206Streptococci and enterococci bls 206
Streptococci and enterococci bls 206
 
Bls 107 general microbiology
Bls 107 general microbiologyBls 107 general microbiology
Bls 107 general microbiology
 
Bacteriophage 1
Bacteriophage 1Bacteriophage 1
Bacteriophage 1
 
Bacterial toxins
Bacterial toxinsBacterial toxins
Bacterial toxins
 
Bacterial phage 3
Bacterial phage 3Bacterial phage 3
Bacterial phage 3
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

It risk assessment_methodology

RISK ASSESSMENT AND MANAGEMENT
Presented by Jeff Kimmelman, Vigilinx Digital Security Solutions
Copyright (c) 2002 by Vigilinx

Introduction
  • Who Am I?
  • Purpose of Talk
  • High Level Agenda

Who Am I?
  • Jeff Kimmelman
    - Principal Security Architect
    - Vigilinx Digital Security Solutions
    - jeff.kimmelman@vigilinx.com
  • Areas of Expertise:
    - Assessment
    - Policy
    - Design
    - Software

Experience
  • IT related since 1982
  • Worked in DoD secure environments
  • Developed cryptographic software
  • Designed and maintained secure global WANs
  • Directed BBN/GTE/Baltimore Security Consulting Group

Purpose of Talk
  • Define risk
  • Propose an assessment methodology
  • Discuss risk mitigation strategies
  • Avoid overly technical digression

High Level Agenda
  • Security Terminology
  • Risk Assessment
    - The “Risk Equation”
    - Likelihood
    - Impact
  • Addressing Risk
    - Establish Policy
    - Implement Countermeasures
    - Maintain Vigilance
  • Concluding Remarks

Security Terminology

Security – A Definition
se•cu•ri•ty (si kyoor’ i tē), n., pl. –ties, adj. –n. 1. freedom from danger, risk, etc.; safety. 2. Freedom from care, anxiety, or doubt; well-founded confidence. 3. Something that secures or makes safe; protection; defense. … [1400-50; late ME securytye, securite(e) < L sēcūritās. … ] (Webster’s New Universal Unabridged Dictionary)
  • Security is a GOAL, not a STATE OF BEING.
  • Security is everyone’s responsibility.

Important Terms
  • Flaw
  • Weakness
  • Vulnerability
  • Exploit
  • Attack
  • Adversary
  • Threat

Flaw
  • Imperfection of a system
  • Found in design, implementation or execution
  • Concealed or exposed
  • Known or unknown
  • Source of weakness or vulnerability
  • Not always exploitable

Weakness
  • Attribute of a system or defense
  • Insufficient to resist expected attack – lack of strength
  • Not necessarily due to a flaw
  • Source of vulnerability
  • Not always exploitable

Vulnerability
  • Feature of system or defense
  • Sometimes (often) undiscovered
  • Caused by flaws and weaknesses
  • Always exploitable
  • Target of adversaries

Exploit
  • Methodology for attack
  • Takes advantage of one or more vulnerabilities
  • Repeatable
  • Always “succeeds”
  • Used in an attack

Attack
  • Prosecution of an exploit (an instance)
  • Defined objective
  • Can be undetected or detected
  • Sometimes (often) unsuccessful
  • Performed by a motivated adversary

Adversary
  • Agent (person or corporate)
  • Motivated
  • Often unscrupulous
  • Goals:
    - Competition
    - Defamation
    - Financial gain
    - Notoriety
    - Information
  • May or may not have means & knowledge

Threat
  • Adversary
  • Possesses means and knowledge
  • Actively targeting
  • Known or unknown

Countermeasures
  • Methodology for defense
  • Technological or procedural
  • Types:
    - Detection
    - Resistance
    - Avoidance
    - Counter-attack
  • Usually specific to an exploit

Countermeasures: Defense in Depth
(Figure: nested layers Physical, Network, System, Application and Information, with TECHNOLOGY on one side and PROCEDURE, that is Management, Monitoring, Auditing and Response, on the other.)

Security Countermeasures Include a Lot
(Figure: ENABLERS, namely Technology, Processes and People, around the Operational Infrastructure; a Protective Boundary separates the internal RISK REGIONS from Exogenous Factors.)

Security is an Arms Race
(Figure: Frequency of Attack plotted against Time, with curves labelled Easy Attack and Complex Attack and a marker for the Chosen Security Countermeasure.)
Risk Assessment

Risk
  • Measures importance
  • Determines relevance of vulnerabilities
  • Useful for setting programmatic priority
  • Varies over time

The Risk Equation
Impact x Likelihood = Risk
  • Universal: Applies to all types of risk
  • Uniform: Enables comparison
  • Objective: Track over time

Risk is Two Dimensional
Impact x Likelihood = Risk
(Figure: Impact on the vertical axis, Likelihood on the horizontal; Attack 1 to Attack 4 plotted as points between the Low Risk and High Risk corners.)

Impact
Impact x Likelihood = Risk
  • Measures the level of “pain” to the organization
  • Examples:
    - Financial: Loss or cost to repair
    - Operational: Lost time, production or delivery
    - Reputation: Loss of customer or consumer confidence
    - Competitive: Reduction of market advantage
    - Regulatory: Legal liability
    - Fiduciary: Fiduciary liability

Likelihood
Impact x Likelihood = Risk
  • Measures the probability of feeling the impact
  • Contributors:
    - Known exploits
    - Motivated adversaries
    - Adequacy of countermeasures

Performing the Assessment
  • Requires experience
  • Two approaches:
    - Vulnerability driven
    - Asset driven
  • Combine for greatest effect

Vulnerability Driven Analysis
  1. Search for known vulnerabilities
  2. Tabulate and estimate severity
  3. Determine what assets are affected
  4. Assign impact value
  5. Consider adversaries and their motivations
  6. Assign likelihood
  7. Tabulate and report

Searching for Known Vulnerabilities
(Figure: Flaws and Weaknesses feed into Vulnerability.)
  • Research known threat databases
  • Use scanning tools
  • Review technology and procedures
  • Test users (social engineering)
  → Grade ease of exploitation

Network and System Vulnerabilities
  • Network:
    - Unnecessary pathways
    - Unsecured data-streams
  • System:
    - Unhardened systems
    - Unprotected administrator logon
    - Exposed management interfaces

Application and Operations Vulnerabilities
  • Application:
    - Unneeded services
    - Buffer overflows
    - Lack of or weak authentication
  • Operations:
    - Lack of change control program
    - No monitoring or intrusion detection
    - Easy access to backup media

Determine Affected Assets
  Vulnerability        | Likelihood | Asset      | Impact | Risk
  No Password Required |            | Web 1      | Med    |
                       |            | Anon FTP   | Low    |
                       |            | Modem Pool | Med    |
  • Most vulnerabilities affect multiple assets
  • Can’t determine likelihood yet

Gauge the Impact
Impact x Likelihood = Risk
  • Is there money at stake?
  • Can private information be revealed?
  • Would an attack embarrass the organization?
  • Could a targeted system be used as a “stepping stone?”
  • Would an attack advance the cause of information warfare or terrorism?
  • Will competitive advantage be lost?

Identify Your Adversaries
Adversary + Motivation + Capability = Threat
  • Internet Hacker
  • Insider
  • Thief
  • Terrorist
  • Industrial Spy

Gauge the Likelihood
Adversary + Motivation + Capability = Threat
  • Depends on:
    - Threat
    - Complexity
  • Examples:
    - DoS or DDoS on an Online Banking Application: Threat: Medium, Complexity: Low
    - Modify Stock Price Quote: Threat: High, Complexity: Medium
    - Execute Unauthorized Transactions: Threat: High, Complexity: Very High

Tabulate and Report
  Vulnerability        | Likelihood | Asset      | Impact | Risk
  No Password Required | Med        | Web 1      | Med    | Med
                       | Low        | Anon FTP   | Low    | Very Low
                       | High       | Modem Pool | Med    | High
  → Many assessments stop at vulnerability and don’t consider impact

Asset Driven Analysis
  1. Inventory information assets
  2. Estimate impact
  3. Trace information back to technology
  4. Analyze for vulnerabilities
  5. Consider adversaries and their motivations
  6. Assign likelihoods
  7. Tabulate and report

Asset Table
  Asset | Impact | Vulnerability  | Likelihood | Risk
  Web 1 | Med    | Unpatched IIS  | High       | High
        |        | No Password    | Med        | Med
        |        | Open NBT ports | High       | High
  → This is just the vulnerability driven table “turned inside out”
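As an added worked example (my code, not part of the deck), the register below applies the slides' Risk = Impact x Likelihood equation to the rows of the vulnerability-driven and asset-driven tables above and produces both views from one set of findings. The five-point scale with its 1..5 scores, the cut-offs that fold the product back onto that scale, and the rule that derives likelihood from threat and attack complexity are my assumptions; the deck states none of them.

```python
"""Risk register for the deck's equation Risk = Impact x Likelihood.

Added example, not part of Jeff Kimmelman's slides.  Assumed here because the
deck does not state them: the five-point scale with scores 1..5, the cut-offs
that fold the product back onto that scale, and the heuristic that turns
threat and attack complexity into a likelihood level."""
from collections import defaultdict

LEVELS = ["Very Low", "Low", "Med", "High", "Very High"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}  # Very Low=1 .. Very High=5


def risk_level(impact, likelihood):
    """Fold the 1..25 product back onto the five-point scale.  The cut-offs
    are an assumption chosen to reproduce the values in the slide tables."""
    product = SCORE[impact] * SCORE[likelihood]
    for cutoff, name in ((4, "Very Low"), (6, "Low"), (10, "Med"), (16, "High")):
        if product <= cutoff:
            return name
    return "Very High"


def likelihood_from_threat(threat, complexity):
    """'Gauge the Likelihood': likelihood rises with threat and falls with
    attack complexity.  The one-level-per-level rule is an assumed heuristic."""
    score = SCORE[threat] - SCORE[complexity] + 3
    return LEVELS[min(max(score, 1), 5) - 1]


# Constructed register: (vulnerability, asset, impact, likelihood) rows taken
# from the 'Tabulate and Report' and 'Asset Table' slides.
FINDINGS = [
    ("No Password Required", "Web 1", "Med", "Med"),
    ("No Password Required", "Anon FTP", "Low", "Low"),
    ("No Password Required", "Modem Pool", "Med", "High"),
    ("Unpatched IIS", "Web 1", "Med", "High"),
    ("Open NBT ports", "Web 1", "Med", "High"),
]


def tabulate(findings, by="vulnerability"):
    """Group the register by vulnerability or by asset (the asset view is the
    vulnerability view 'turned inside out').  Each row keeps the other field,
    impact, likelihood and computed risk; rows are ordered highest risk first,
    which is the priority order the deck derives from risk."""
    key, other = (0, 1) if by == "vulnerability" else (1, 0)
    table = defaultdict(list)
    for row in findings:
        impact, likelihood = row[2], row[3]
        table[row[key]].append((row[other], impact, likelihood,
                                risk_level(impact, likelihood)))
    for rows in table.values():
        rows.sort(key=lambda r: SCORE[r[3]], reverse=True)
    return dict(table)
```

Calling `tabulate(FINDINGS, "asset")["Web 1"]` lists that host's three findings with Unpatched IIS and Open NBT ports at High ahead of No Password Required at Med, matching the Asset Table slide.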
Risk Leads to Priority
Risk = Impact x Likelihood
(Figure: Potential Impact plotted against Likelihood of Attack, shaded into Very High Risk, Medium Risk and Very Low Risk regions.)

Addressing Risk

Risk Management Program
  • Establish Policy
  • Implement Countermeasures
  • Maintain Vigilance

Security Policy – What Is It?
  • Who?
  • What’s prohibited?
  • What’s required?
  • What’s permitted?

Policy Statements
  • Most corporate policies must be translated to concrete statements.
  • Major elements:
    - Information Classification
    - System Criticality
    - Operational Context

Information Classification
  • Information classification streamlines policy statement and enforcement.
  • CAVEAT: Over-classification leads to excessive cost and added overhead.
  • CAVEAT: Some collections of unclassified data become sensitive when aggregated.

An Example of Information Classification
INFORMATION CLASSIFICATION GUIDELINES
  Classification                            | Level        | Examples
  Personally Identifiable Information (PII) | Restricted   | Personnel Records; Consumer Account Information
  Company                                   | Restricted   | Plans for Reduction in Force; Financial Results
                                            | Confidential | Product Development Plans; Business Expansion Strategies
  Customers                                 | Restricted   | Customer Plant Designs; Billing and Payables; Customer Non-Disclosure Information
                                            | Confidential | Customer Names; Sales and Delivery Records
  Vendor                                    | Restricted   | Vendor Non-Disclosure Information; Contracts
                                            | Confidential | Business Unit Specific Price Lists

Criticality
  • Criticality is a quality of operational systems.
  • It depends upon the importance of a network, system or application.
  • Criticality motivates reliability measures.

Example of Criticality
  Criticality | Definition
  Low         | This application, system, or network asset is non-essential to corporate, business unit or departmental operations. Outages can be tolerated for a period of two weeks or more.
  Medium      | This asset is important for normal corporate, business unit or departmental operations, but is not essential. An outage of up to 48 hours can be tolerated.
  High        | This asset is essential and critical to corporate, business unit or department operations. Ideally, it is designed with full reliability. Outages should be kept to a minimum, generally less than 30 minutes.

Operational Context
  • Facilities (systems and networks) are certified to the maximum classification level permitted.
  • “Guards” ensure that information does not pass to an unauthorized environment.

Example of Operational Context
(Figure only; the slide carries no text.)

Create a Policy Hierarchy
  Policies → Requirements → Standards → Configurations

Example: Requirements Specify Security Services
(Policy hierarchy: Policies → Requirements → Standards → Configurations)
  • Authentication
  • Access Control
  • Data Confidentiality
  • Data Integrity
  • Non-repudiation
  (X.800, Security Architecture for Open Systems Interconnection for CCITT Applications – also ISO/IEC 7498-2)

Communications Policies (Examples)
  • Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
  • Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.

Storage Policies (Examples)
  • Permanent storage of information classified as confidential or above on web servers is prohibited.
  • Caching of information classified as confidential or above on web servers is permitted during the validity period of an associated session.
  • Database systems must restrict access to authenticated, authorized users of confidential information.

Example: Standards Specify Service Mechanisms
(Policy hierarchy: Policies → Requirements → Standards → Configurations)
  • Includes algorithms and parameters:
    - Encipherment: DES, 3DES, RSA, key-length, etc.
    - Digital signature: RSA, DSS, key-length, etc.
    - Access control: authorization type, time, duration, etc.
    - Integrity: MD5, SHA, HMAC, etc.
  • Many more choices exist.

Tabulate Policy to Ensure Consistent Practice
(Each cell holds the two codes exactly as they appear on the slide; the slide gives no legend for them.)
  Control                             | Static Content Server | Web Front-end Server | Application Front-end Server | Application Logic Server | Database Server | Notes Server | Internet Access Router
  User passwords                      | C NA  | C NA  | U NA  | R NA  | R NA  | C NA  | U NA
  User password quality checking      | C NA  | C NA  | C NA  | NA NA | NA NA | NA NA | NA NA
  Token based authentication          | R NA  | R NA  | R NA  | NA NA | NA NA | NA NA | NA NA
  Digital certificates                | NA NA | NA NA | NA NA | NA NA | NA NA | R NA  | NA NA
  Session Encryption (SSL, TLS, SSH)  | R NA  | R NA  | NA NA | NA NA | NA NA | NA NA | U NA
  IPSEC (ESP)                         | NA NA | NA NA | R NA  | R NA  | R NA  | NA NA | NA NA
  IPSEC (AH)                          | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
  S/MIME                              | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
  PGP                                 | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA | NA NA
  Software design review              | U NA  | U NA  | U NA  | U NA  | U NA  | U NA  | NA NA
  Software code review                | U NA  | U NA  | U NA  | U NA  | U NA  | U NA  | U NA
  Application vulnerability testing   | U NA  | U NA  | U NA  | R NA  | R NA  | R NA  | NA NA
  Network vulnerability testing       | U H   | U H   | U H   | R NA  | R NA  | R NA  | U NA
  Backup and recovery process         | NA L  | NA L  | NA L  | NA L  | NA L  | NA L  | NA L
  Automatic fail-over                 | NA H  | NA H  | NA H  | NA H  | NA H  | NA H  | NA M
  Manual fail-over                    | NA M  | NA M  | NA M  | NA M  | NA M  | NA M  | NA L

Recap of Policy
  • Policy defines classification and rules for access/exchange.
  • Policy defines criticality.
  • Policy hierarchy defines security services and quality of mechanisms.

Implement Countermeasures
  TECHNOLOGY: Firewalls, Authentication, VPN, System IDS, Network IDS, PKI / Cryptography, Network Manager
  PROCESS: Monitoring, Response, Administration, Change Control, Auditing, Continuity, Intelligence
  PEOPLE: Assignment, Training, Awareness, Background

Countermeasures: Defense in Depth
(Figure: the Technology, Process and People lists above laid over the nested layers Physical, Network, System, Application and Information, with TECHNOLOGY on one side and PROCEDURE, that is Management, Monitoring, Auditing and Response, on the other.)

The 10 Guiding Principles*
  1. Secure the Weakest Link
  2. Practice Defense in Depth
  3. Fail Securely
  4. Follow the Principle of Least Privilege
  5. Compartmentalize
  6. Keep It Simple
  7. Promote Privacy
  8. Remember That Hiding Secrets Is Hard
  9. Be Reluctant to Trust
  10. Use Your Community Resources
  * From Building Secure Software, John Viega and Gary McGraw

Cost vs. Risk
Solutions above the line are not cost effective.
(Figure: Cost to Implement plotted against Effectiveness of Solution / Impact of Threat, from Less to More, with the Chosen Solution, the Residual Risk line and Vuln #1 to Vuln #4 marked.)

Maintain Vigilance
(Figure: Frequency of Attack over Time, with successive Level of Vigilance steps.)

Balance Security Activities
  Plan → Execute → Appraise

Plan
  • Consider:
    - Future business needs
    - Changing threatscape
    - Tolerance to residual risk
  • Establish policy
  • Design security infrastructure
  • Develop security procedures

Execute
  • Implement according to design
  • Operate according to procedures
  • Continually improve

Appraise
  • Appraise the plan:
    - Does it meet the expected threats?
    - Will it protect business interests?
    - Are there flaws in the design?
    - Is policy adequate or overly burdensome?
  • Appraise the execution:
    - Is the design implemented correctly?
    - Has the configuration changed?
    - Do procedures cover all events?
    - Are operators alert?

Conclusions
  • Understanding vulnerability alone is not enough!
  • Risk depends upon likelihood of successful attack and its impact on the organization.
  • Countermeasures include technology, procedures and people.
  • Reducing risk generally requires additional cost.
  • The war is never won—constant vigilance is the only way.

Thank You