Lightweight Cybersecurity Risk
Assessment Tools for
Cyberinfrastructure
Jim Basney <jbasney@ncsa.illinois.edu>
URISC@SC17
This material is based upon work supported by the National Science Foundation under grant number 1547272. Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Risk Assessment: Motivation
Implement cybersecurity “best practices”
Create an inventory of your project's assets
Think critically about potential risks
Develop risk mitigations
Understand accepted risks
Risk Assessment Tools
Risk Self-Evaluation Spreadsheet
https://goo.gl/9x1NdQ
Risk Assessment Table
http://trustedci.org/guide/docs/RAtable
Copies also in https://go.ncsa.illinois.edu/URISC
Risk Self-Evaluation: Sections
Policy and Procedure
Host Protection
Network Security
Physical Security
Monitoring and Logging
Risk Self-Evaluation: Layout
Risk Self-Evaluation: Example
Risk Self-Evaluation: Potential Strategies
View project as a whole
Divide project into parts
Conceptual components
Location-based
Existing vs Planned
Have personnel fill out what they know
Risk Self-Evaluation: Discussion
I Did the Risk Self-Evaluation! Now What?
Address any issues
Mitigated = “Partial”, “No”, or “Unknown”
Schedule a re-check in 3 months
Give report to management
Start a more complete Risk Assessment
http://trustedci.org/guide/docs/RAtable
Risk Assessment Process
Risk Assessment Table
http://trustedci.org/guide/docs/RAtable
CTSC Guide to Developing Cybersecurity Programs
https://trustedci.org/guide
NIST 800-30: Risk Management Guide for
Information Technology Systems
http://doi.org/10.6028/NIST.SP.800-30
1. System Characterization
Describe the system resources used by the project
Break down the system by location, function, information flow, etc.
Use an Information Asset Inventory
https://trustedci.org/guide/docs/IAI
2. Threat Identification
Threat is the potential for a particular source to exploit a particular vulnerability
toward a malicious end.
Threats consist of sources (e.g., humans, natural disasters, power outages),
motivations (e.g., monetary gain, espionage), and actions (e.g., hacking, social
engineering).
Identifying threats often involves looking at old attack data and noting which
threats are applicable today.
3. Vulnerability Identification
A vulnerability is a flaw or weakness in a system’s security procedures, design,
implementation, or internal controls that could potentially be exercised by a
threat agent to result in a breach or violation of the system's security policy.
The Risk Assessment Table reflects the vulnerabilities as a combination of the
columns “Asset”, “Attack Surface”, and “Threat Description”.
4. Control Analysis
Security controls are mechanisms put in place to mitigate the risk of threats being
realized by exploiting vulnerabilities.
Controls can be administrative (e.g., policies, standards, guidelines, training and
other processes), technical/logical (e.g., authentication and authorization
systems, file permissions, firewalls, intrusion detection systems, etc.), or physical
(e.g., locked file cabinets, secured data centers, cameras, fences, etc.).
The “Current Controls” column of the Risk Assessment Table lists any controls in
place for the associated risk. The “Control Effectiveness” column is an estimation
of how effective the current control is, using a scale from 1 (ineffective) to 5
(extremely effective).
Control Effectiveness
5 Extremely effective
4 Very effective
3 Moderately effective
2 Minimally effective
1 Ineffective
5. Likelihood Determination
When ranking likelihood, consider not only the specifics of the vulnerability, but
also motivation and capability of a potential threat source.
Likelihood Estimation
5 Constant or extremely frequent, > 85%
4 Very frequent, 60% - 85%
3 Somewhat frequent, 30% - 60%
2 Infrequent, 10% - 30%
1 Rarely, if ever, < 10%
6. Impact Analysis
The impact of any exploit depends upon (1) the mission of the project, (2) the
criticality of the vulnerable system or data, and (3) the sensitivity of the affected
system or data.
Impact from a security incident could affect the integrity, availability, or
confidentiality of a system or data. Depending on the subsystem affected, we
could be concerned more with one kind of impact than another. However, the
impact on each of these three properties should be considered for any potential
exploit.
One method to make the impact of an exploited vulnerability more concrete is to
estimate a dollar amount for the impact of an incident.
Impact Estimation
5 Catastrophic, > $1M
4 Major, $250K - $1M
3 Moderate, $50K - $250K
2 Minor, up to $50K
1 Insignificant, ~$100s
Sort the Risk Assessment Table by “Residual Risk” to find the vulnerabilities which
have a high risk, taking into account the current controls in place. These are the
risks that should be addressed first.
7. Risk Determination & Recommendations
Inherent Risk = Likelihood * Impact
Risk
20 – 25 Very High
14 – 19 High
9 – 13 Medium
4 – 8 Low
0 – 3 Negligible
Residual Risk = Inherent Risk * (6-Control Effectiveness)/5
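A worked scoring pass over a small Risk Assessment Table, added here as an example (it is not the slides' own spreadsheet or the trustedci.org table template): it applies the Inherent Risk and Residual Risk formulas above, maps each score to the risk bands, and sorts the rows by Residual Risk as the earlier slide recommends, so the risks to address first come out on top. The rows are constructed for a hypothetical project; the rule for placing fractional residual scores into the integer bands (a score falls into the band whose lower bound it meets or exceeds) is an assumption, not something the slides state.

```python
"""Worked risk scoring over a small Risk Assessment Table.

Added example, not from the slides or trustedci.org. The formulas and the
rating bands are the ones stated on the slides; the rows are constructed.
"""
from dataclasses import dataclass

# Risk bands from the slides (lower bound inclusive). Residual Risk can be
# fractional; we assume (our choice, not stated on the slides) that a score
# falls into the band whose lower bound it meets or exceeds.
RISK_BANDS = [
    (20, "Very High"),
    (14, "High"),
    (9, "Medium"),
    (4, "Low"),
    (0, "Negligible"),
]


@dataclass
class RiskRow:
    """One row of the table: the vulnerability is Asset + Attack Surface + Threat."""
    asset: str
    attack_surface: str
    threat: str
    current_controls: str
    control_effectiveness: int  # 1 (ineffective) .. 5 (extremely effective)
    likelihood: int             # 1 (rarely, < 10%) .. 5 (constant, > 85%)
    impact: int                 # 1 (insignificant) .. 5 (catastrophic, > $1M)

    def __post_init__(self) -> None:
        # Reject scores outside the 1..5 scales before they reach the formulas.
        for name in ("control_effectiveness", "likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer 1..5, got {value!r}")


def inherent_risk(row: RiskRow) -> int:
    """Inherent Risk = Likelihood * Impact (range 1..25)."""
    return row.likelihood * row.impact


def residual_risk(row: RiskRow) -> float:
    """Residual Risk = Inherent Risk * (6 - Control Effectiveness) / 5.

    An ineffective control (1) leaves the inherent risk unchanged; an
    extremely effective one (5) scales it down to one fifth.
    """
    return inherent_risk(row) * (6 - row.control_effectiveness) / 5


def risk_level(score: float) -> str:
    """Map a score to the slides' risk bands (assumption: lower bound inclusive)."""
    for lower_bound, label in RISK_BANDS:
        if score >= lower_bound:
            return label
    return "Negligible"


def prioritize(rows: list[RiskRow]) -> list[tuple[RiskRow, int, float, str]]:
    """Sort by Residual Risk, highest first: these are the risks to address first."""
    scored = []
    for row in rows:
        res = residual_risk(row)
        scored.append((row, inherent_risk(row), res, risk_level(res)))
    return sorted(scored, key=lambda entry: entry[2], reverse=True)


# Constructed sample rows for a hypothetical project (not from the slides).
SAMPLE_TABLE = [
    RiskRow("Login node", "SSH from Internet", "Credential theft via phishing",
            "Password authentication only",
            control_effectiveness=1, likelihood=4, impact=5),
    RiskRow("Data archive", "NFS export", "Unauthorized read of unpublished data",
            "Export restricted to cluster subnet",
            control_effectiveness=3, likelihood=3, impact=4),
    RiskRow("Web portal", "HTTPS application", "Defacement",
            "Regular patching, web application firewall",
            control_effectiveness=4, likelihood=2, impact=2),
    RiskRow("Sensor network", "Field devices", "Power outage",
            "UPS at each site",
            control_effectiveness=5, likelihood=5, impact=3),
]


if __name__ == "__main__":
    print(f"{'Asset':<15}{'Inherent':>10}{'Residual':>10}  Level")
    for row, inh, res, level in prioritize(SAMPLE_TABLE):
        print(f"{row.asset:<15}{inh:>10}{res:>10.1f}  {level}")
```

Running it lists the login node first (inherent 20, residual 20.0, Very High: an ineffective control leaves the full inherent risk) and the sensor network near the bottom even though its inherent risk is 15, because the extremely effective control scales it to 3.0. That contrast is the reason the slides sort by Residual Risk rather than by Inherent Risk.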
Risk Assessment Table: Discussion
Cybersecurity Guides and Tools
● Addressing concerns unique to science
● Policy templates:
Acceptable Use, Access Control,
Asset Management, Disaster Recovery,
Incident Response, Inventory, Awareness,
Physical Security, ...
● Risk assessment table
● Securing commodity IT
● Self-assessment Tool
● Identity Management Best Practices
https://trustedci.org/guide
Thanks!
https://go.ncsa.illinois.edu/URISC
https://trustedci.org/webinars
https://trustedci.org/guide
jbasney@ncsa.illinois.edu
Anypoint Exchange: It’s Not Just a Repo!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure

  • 1. Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
    Jim Basney <jbasney@ncsa.illinois.edu>
    URISC@SC17
    This material is based upon work supported by the National Science Foundation under grant number 1547272. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
  • 2. Risk Assessment: Motivation
    Implement cybersecurity “best practices”
    Create an inventory of your project's assets
    Think critically about potential risks
    Develop risk mitigations
    Understand accepted risks
  • 3. Risk Assessment Tools
    Risk Self-Evaluation Spreadsheet: https://goo.gl/9x1NdQ
    Risk Assessment Table: http://trustedci.org/guide/docs/RAtable
    Copies also in https://go.ncsa.illinois.edu/URISC
  • 4. Risk Self-Evaluation: Sections
    Policy and Procedure
    Host Protection
    Network Security
    Physical Security
    Monitoring and Logging
  • 7. Risk Self-Evaluation: Potential Strategies
    View project as a whole
    Divide project into parts: conceptual components; location-based; existing vs planned
    Have personnel fill out what they know
  • 9. I Did the Risk Self-Evaluation! Now What?
    Address any issues (rows where Mitigated = “Partial”, “No”, or “Unknown”)
    Schedule a re-check in 3 months
    Give report to management
    Start a more complete Risk Assessment: http://trustedci.org/guide/docs/RAtable
  • 10. Risk Assessment Process
    Risk Assessment Table: http://trustedci.org/guide/docs/RAtable
    CTSC Guide to Developing Cybersecurity Programs: https://trustedci.org/guide
    NIST 800-30: Risk Management Guide for Information Technology Systems: http://doi.org/10.6028/NIST.SP.800-30
  • 11. 1. System Characterization
    Describe the system resources used by the project
    Break down the system by location, function, information flow, etc.
    Use an Information Asset Inventory: https://trustedci.org/guide/docs/IAI
  • 12. 2. Threat Identification
    A threat is the potential for a particular source to exploit a particular vulnerability toward a malicious end. Threats consist of sources (e.g., humans, natural disasters, power outages), motivations (e.g., monetary gain, espionage), and actions (e.g., hacking, social engineering). Identifying threats often involves looking at old attack data and noting which threats are applicable today.
  • 13. 3. Vulnerability Identification
    A vulnerability is a flaw or weakness in a system’s security procedures, design, implementation, or internal controls that could potentially be exercised by a threat agent to result in a breach or violation of the system's security policy. The Risk Assessment Table reflects the vulnerabilities as a combination of the columns “Asset”, “Attack Surface”, and “Threat Description”.
  • 14. 4. Control Analysis
    Security controls are mechanisms put in place to mitigate the risk of threats being realized by exploiting vulnerabilities. Controls can be administrative (e.g., policies, standards, guidelines, training and other processes), technical/logical (e.g., authentication and authorization systems, file permissions, firewalls, intrusion detection systems, etc.), or physical (e.g., locked file cabinets, secured data centers, cameras, fences, etc.). The “Current Controls” column of the Risk Assessment Table lists any controls in place for the associated risk. The “Control Effectiveness” column is an estimation of how effective the current control is, using a scale from 1 (ineffective) to 5 (extremely effective).
    Control Effectiveness:
      5 Extremely effective
      4 Very effective
      3 Moderately effective
      2 Minimally effective
      1 Ineffective
  • 15. 5. Likelihood Determination
    When ranking likelihood, consider not only the specifics of the vulnerability, but also the motivation and capability of a potential threat source.
    Likelihood Estimation:
      5 Constant or extremely frequent, > 85%
      4 Very frequent, 60% - 85%
      3 Somewhat frequent, 30% - 60%
      2 Infrequent, 10% - 30%
      1 Rarely, if ever, < 10%
  • 16. 6. Impact Analysis
    The impact of any exploit depends upon (1) the mission of the project, (2) the criticality of the vulnerable system or data, and (3) the sensitivity of the affected system or data. Impact from a security incident could affect the integrity, availability, or confidentiality of a system or data. Depending on the subsystem affected, we could be concerned more with one kind of impact than another. However, the impact on each of these three properties should be considered for any potential exploit. One method to make the impact of an exploited vulnerability more concrete is to estimate a dollar amount for the impact of an incident.
    Impact Estimation:
      5 Catastrophic, > $1M
      4 Major, $250K - $1M
      3 Moderate, $50K - $250K
      2 Minor, up to $50K
      1 Insignificant, ~$100s
  • 17. 7. Risk Determination & Recommendations
    Inherent Risk = Likelihood * Impact
    Residual Risk = Inherent Risk * (6 - Control Effectiveness) / 5
    (A control rated 1 leaves the inherent risk unchanged; a control rated 5 reduces it to one fifth.)
    Risk:
      20 – 25 Very High
      14 – 19 High
      9 – 13 Medium
      4 – 8 Low
      0 – 3 Negligible
    Sort the Risk Assessment Table by “Residual Risk” to find the vulnerabilities which have a high risk, taking into account the current controls in place. These are the risks that should be addressed first.
  • 19. Cybersecurity Guides and Tools
    ● Addressing concerns unique to science
    ● Policy templates: Acceptable Use, Access Control, Asset Management, Disaster Recovery, Incident Response, Inventory, Awareness, Physical Security, ...
    ● Risk assessment table
    ● Securing commodity IT
    ● Self-assessment Tool
    ● Identity Management Best Practices
    https://trustedci.org/guide
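The scoring in steps 3 through 7 (slides 13 to 17) is easy to get subtly wrong in a spreadsheet, so here is a worked instance of it. This is an added example, not the CTSC Risk Assessment Table or any code from the talk: it builds a small table whose rows carry the slide's "Asset", "Attack Surface", "Threat Description" and "Current Controls" columns, applies the two formulas from slide 17, and sorts by residual risk. The four rows and their scores are constructed for illustration. One assumption is needed beyond the slides: their rating bands are integer ranges (20-25, 14-19, ...), while residual risk can be fractional, so the example rounds the residual half-up to the nearest integer before banding.

```python
"""Worked risk scoring for a CTSC-style Risk Assessment Table (added example).

Applies the slide-17 formulas
    Inherent Risk = Likelihood * Impact
    Residual Risk = Inherent Risk * (6 - Control Effectiveness) / 5
to a constructed table and ranks rows by residual risk.
Assumption: residual values are rounded half-up to an integer before they
are mapped onto the slide's integer rating bands.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # every score on the slides runs 1..5

# Rating bands from the "Risk" table on slide 17: (lower bound, label).
RISK_BANDS = [(20, "Very High"), (14, "High"), (9, "Medium"), (4, "Low"), (0, "Negligible")]


@dataclass
class RiskRow:
    asset: str
    attack_surface: str
    threat_description: str
    current_controls: str
    control_effectiveness: int  # 1 (ineffective) .. 5 (extremely effective)
    likelihood: int             # 1 (< 10%) .. 5 (> 85%)
    impact: int                 # 1 (~$100s) .. 5 (> $1M)

    def __post_init__(self):
        # Reject out-of-scale scores early; a stray 0 or 6 silently skews the ranking.
        for name in ("control_effectiveness", "likelihood", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_risk(self) -> float:
        # A control rated 1 leaves the inherent risk untouched;
        # a control rated 5 leaves one fifth of it.
        return self.inherent_risk * (6 - self.control_effectiveness) / 5


def rating(score: float) -> str:
    """Map a score onto the slide's bands (fractional residuals rounded first)."""
    rounded = int(score + 0.5)  # assumption: half-up rounding, see module docstring
    for lower, label in RISK_BANDS:
        if rounded >= lower:
            return label
    return "Negligible"


def prioritize(rows):
    """Rows sorted by residual risk, highest first (the slide-17 sort)."""
    return sorted(rows, key=lambda r: (r.residual_risk, r.inherent_risk), reverse=True)


# Constructed sample table; assets, controls and scores are illustrative only.
SAMPLE_TABLE = [
    RiskRow("Login node", "SSH (Internet-facing)", "Credential stuffing against user accounts",
            "Password-only auth, fail2ban", control_effectiveness=2, likelihood=5, impact=4),
    RiskRow("Data archive", "NFS export to cluster", "Researcher deletes project data by accident",
            "Nightly backups, 30-day retention", control_effectiveness=4, likelihood=3, impact=4),
    RiskRow("Web portal", "HTTPS application", "SQL injection exposes user records",
            "None", control_effectiveness=1, likelihood=3, impact=3),
    RiskRow("Server room", "Physical access", "Theft of a storage server",
            "Badge access, cameras", control_effectiveness=5, likelihood=1, impact=5),
]


def report(rows=SAMPLE_TABLE):
    """Return (asset, inherent, residual, rating) tuples, highest residual first."""
    return [(r.asset, r.inherent_risk, r.residual_risk, rating(r.residual_risk))
            for r in prioritize(rows)]


if __name__ == "__main__":
    print(f"{'Asset':<14}{'Inherent':>9}{'Residual':>9}  Rating")
    for asset, inherent, residual, label in report():
        print(f"{asset:<14}{inherent:>9}{residual:>9.1f}  {label}")
```

Running it ranks the login node first (inherent 20, residual 16.0, High) and the web portal second (9, 9.0, Medium) ahead of the data archive (12, 4.8, Low), even though the archive's inherent risk is higher: the portal has no control at all, so nothing reduces its score. That inversion is exactly why slide 17 says to sort on residual rather than inherent risk.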