It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013
Why Risk Management is Impossible
1. Risk Management: A Failed Strategy with Unachievable Goals.
Richard Stiennon
Chief Research Analyst
IT-Harvest
2. International Cybersecurity Dialogue
What is risk?
Risk = Threat * Vulnerability * Asset Value
-or-
The probable frequency and probable magnitude of future loss - FAIR
3. International Cybersecurity Dialogue
Risk Management 101
• 1. Identify all critical assets
• 2. Score them by “value”
• 3. Discover all vulnerabilities
• All three are impossible.
4. International Cybersecurity Dialogue
What is an IT asset?
• Desktops
• Laptops
• Servers
• Thumb drives
• Switches
• Applications
• Databases
• Records
• Artifacts (VM images)
• Usernames, passwords, email addresses
• IP addresses, domains
• Digital certificates (SSL, SSH, Kerberos, code signing, identity)
• Email, email archives
• Business intelligence data
• Logs
• Policies, settings, configurations
• Processes, work flow, authorization
• IP: designs, formulae, patent applications, litigation documents, spreadsheets, docs, PowerPoint
• Real time data
• Metadata
• Software licenses and version data
• Virtual data center (repeat most of the above)
• Phones
• Smart phones
• Video conferencing
• Firewalls, IPS, content filtering, log management, patch management, trouble ticketing, AV, etc. etc. etc.
• Active Directory
• Ephemeral assets
5. International Cybersecurity Dialogue
What is the value of an IT asset?
• Replacement cost? Purchase + shipping + config + restore + staging + deployment
• Cost to reproduce data?
• Loss of productivity?
• Loss of business competitiveness?
• Lost sales?
• Lost battle?
6. International Cybersecurity Dialogue
Can you really reduce the surface area (exposed vulnerabilities)?
• Some systems cannot be patched
• Legacy
• Operations
• All systems have unknown vulnerabilities
8. International Cybersecurity Dialogue
Or this:
Athens 2004:
A series of software updates turns on the lawful intercept function in an Ericsson switch
104 diplomats and Olympic officials spied on
Engineer mysteriously commits suicide
9. International Cybersecurity Dialogue
Or this:
Cyber sabotage: Stuxnet
[Diagram: Step 7 software; s7otbxdx.dll (DLL, rootkit); s7otbxsx.dll (original DLL); new data blocks added]
10. International Cybersecurity Dialogue
Or this:
Trading losses
2008: Jerome Kerviel covers up trading losses, the largest trading fraud in history carried out by a single person.
$54 billion exposure, $7.14 billion loss
5 year sentence reduced to 3
12. International Cybersecurity Dialogue
Or this:
• Malware transmitted to SIPRNET across an air gap by “foreign agents” in an “overseas theater” according to assistant defense secretary Lynn.
• Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.
13. International Cybersecurity Dialogue
Risk management is based on a normal distribution of events
• IT security is not subject to Gaussian distributions
• The difference is: adversaries
14. International Cybersecurity Dialogue
Targeted Attacks are Not Random
• Risk Management arose to address “random attacks”: viruses, worms, opportunistic hackers.
• Targeted attacks are Black Swan events
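To make the point of slides 2, 13 and 14 concrete, here is an added worked example (not from the deck): two loss models that score identically under the deck's "probable frequency × probable magnitude" formula, one Gaussian and one heavy-tailed (a Pareto with alpha = 2.5, a constructed assumption), compared on the probability of a loss ten times the average. Loss units are arbitrary.

```python
import math

def fair_expected_loss(frequency, magnitude):
    """Risk score as the deck states it: probable frequency x probable magnitude."""
    return frequency * magnitude

def pareto_moments(alpha, xm):
    """Mean and standard deviation of a Pareto(alpha, xm) loss; alpha > 2 keeps the sd finite."""
    mean = alpha * xm / (alpha - 1)
    var = xm ** 2 * alpha / ((alpha - 1) ** 2 * (alpha - 2))
    return mean, math.sqrt(var)

def pareto_tail(x, alpha, xm):
    """P(loss > x) under a heavy-tailed (power-law) loss model."""
    return 1.0 if x <= xm else (xm / x) ** alpha

def normal_tail(x, mean, sd):
    """P(loss > x) under a Gaussian loss model with the same mean and sd."""
    z = (x - mean) / sd
    return 0.5 * math.erfc(z / math.sqrt(2))

def tail_comparison(alpha=2.5, xm=1.0, frequency=1.0, multiple=10.0):
    """Both models share mean and sd, so the frequency x magnitude risk score
    cannot tell them apart; the tail (a 'Black Swan' loss) is where they differ."""
    mean, sd = pareto_moments(alpha, xm)
    threshold = multiple * mean
    return {
        "risk_score_gaussian": fair_expected_loss(frequency, mean),
        "risk_score_heavy_tail": fair_expected_loss(frequency, mean),
        "threshold": threshold,
        "p_gaussian": normal_tail(threshold, mean, sd),
        "p_heavy_tail": pareto_tail(threshold, alpha, xm),
    }

if __name__ == "__main__":
    r = tail_comparison()
    print(f"same risk score: {r['risk_score_gaussian']:.3f} vs {r['risk_score_heavy_tail']:.3f}")
    print(f"P(loss > {r['threshold']:.1f}): gaussian {r['p_gaussian']:.2e}, "
          f"heavy tail {r['p_heavy_tail']:.2e}")
```

With the constructed parameters the heavy-tailed model puts roughly one chance in a thousand on a ten-times-average loss, while the Gaussian model with the same mean and variance puts it below one in 10^15.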
16. International Cybersecurity Dialogue
Some scenarios
• A mass killer is on the loose. Find him and stop him? Or protect every “asset”?
• Chinese Comment Crew is in your network. Do a vulnerability scan?
• Rogue employee is accessing customer database. Beef up security awareness training?
18. International Cybersecurity Dialogue
Security Intelligence is the key to threat management
• Malware analysis
• Key indicators of attack
• Key indicators of compromise
• Threat actor intelligence
20. International Cybersecurity Dialogue
Let’s be honest
• Risk Management was developed so that IT security could “speak to management.”
• Management understands threats, not risks.
• Show them the threats and they will respond.