Risk Analysis for Dummies

DESCRIPTION

Presentation delivered by Nick Leghorn at The Next HOPE. See: http://blog.nickleghorn.com/?p=601

TRANSCRIPT
![Page 1: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/1.jpg)
RISK ANALYSIS FOR DUMMIES
Presented by Nick Leghorn
![Page 2: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/2.jpg)
Credentials
B.S., Security and Risk Analysis
The Pennsylvania State University
Risk Analyst for a government contractor
NSA Certified INFOSEC Professional
Speaker at The Last HOPE: “The NYC Taxi System: Privacy Vs. Utility”
![Page 3: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/3.jpg)
This talk is for…
IT Professionals
Penetration testers
Network security folk
Anyone who needs to explain “risk”
![Page 4: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/4.jpg)
WARNING
The risk analysis process depends on the imagination, creativity and integrity of the individuals doing the analysis. The mere application of these techniques without appropriately talented staff does not ensure a proper and thorough risk analysis product.
![Page 5: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/5.jpg)
NOTICE
The data, charts and information contained within this presentation are completely notional and do not represent any real data. No sensitive or otherwise classified information is contained within this presentation.
FBI, please don’t arrest me.
![Page 6: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/6.jpg)
THE STORY OF NATE AND CLIFF
![Page 7: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/7.jpg)
What is “Risk”?
Seriously. There are microphones, use them!
![Page 8: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/8.jpg)
What is “Risk”?
Any uncertainty about the future
◦ Technically can be both positive and negative
◦ Security questions focus only on negative outcomes
![Page 9: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/9.jpg)
The Six Questions of Risk Management

Risk Assessment
◦ What can happen?
◦ How likely is it to happen?
◦ What are the consequences if it happens?

Risk Management
◦ What can be done?
◦ What are the benefits, costs and risks of each option?
◦ What are the impacts of each option on future options?
![Page 10: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/10.jpg)
The Risk Equation

$$R = \sum_{e,o} \Pr(e)\,\Pr(o \mid e)\,V(e,o)$$

Risk is the combination, for every event $e$ and outcome $o$, of:
◦ the probability of an event, $\Pr(e)$
◦ the probability of an outcome given that event, $\Pr(o \mid e)$
◦ the value of that event and outcome pair, $V(e,o)$
![Page 11: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/11.jpg)
Scope

$$S = (p, t, a)$$

Scope is the set of protector $p$, threat $t$ and asset $a$.
![Page 12: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/12.jpg)
Scope
Asset
◦ Something which provides a benefit to the possessor
◦ Something which the protector is charged with safekeeping
Protector
◦ The entity charged with safekeeping of the asset
◦ An entity where the loss of the asset would be harmful
Threat
◦ An entity with the desire to deny the asset to the protector
◦ A force which could destroy, disrupt, or otherwise harm the asset
![Page 13: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/13.jpg)
For Nate and Cliff…
Protector: Nate and the NOC
Threat: “Hackers”
Asset: Company information
![Page 14: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/14.jpg)
BACK TO THE EQUATION…

$$R = \sum_{e,o} \Pr(e)\,\Pr(o \mid e)\,V(e,o)$$

Probability?
![Page 15: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/15.jpg)
Calculating probability
“Of all the things that can happen, how likely is each one?”
Universe as a box…
Coin Flip
![Page 16: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/16.jpg)
Calculating probability
“Of all the things that can happen, how likely is each one?”
Universe as a box…
Coin Flip: Heads | Tails
![Page 17: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/17.jpg)
Calculating probability
“Of all the things that can happen, how likely is each one?”
Universe as a box…
The size of each “box” is the probability
Strive for MECE (mutually exclusive, collectively exhaustive)
Coin Flip: Heads | Tails
Coin Flip: Heads | Tails | Coin rolls away and is lost
![Page 18: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/18.jpg)
“You must not say ‘never.’ That is a lazy slurring-over of the facts. Actually, [risk analysis] predicts only probabilities. A particular event may be infinitesimally probable, but the probability is always greater than zero.”
Second Foundation (Isaac Asimov)
![Page 19: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/19.jpg)
Calculating probability
Past data
◦ Events of concern / total events: 3 successful attacks / 30,000 attempts = 0.0001 probability
“Binning your gut”
◦ Low, Medium, High
![Page 20: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/20.jpg)
Remember: Probability must be calculated for BOTH
◦ Probability of an event
◦ Probability of an outcome GIVEN that the event has taken place
![Page 21: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/21.jpg)
Why does “valuation” matter?
Some events are more concerning than others
◦ Death in a car accident
◦ Death in a plane crash
Value of the (e,o) pair can be monetary, time based, goodwill based, whatever is of most concern
![Page 22: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/22.jpg)
The process
![Page 23: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/23.jpg)
The process

| Outcome | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss | (Low)*(Low)*(Low) = Low | (High)*(Med)*(Low) = Med | (Low)*(Med)*(High) = Med | (High)*(High)*(High) = High |
| Data Exfiltration | (Low)*(Low)*(Low) = Low | (High)*(Low)*(Low) = Low | (Low)*(Med)*(High) = Med | (High)*(High)*(High) = High |
| Data Corruption | (Low)*(Low)*(Low) = Low | (High)*(Low)*(Low) = Low | (Low)*(Med)*(High) = Med | (High)*(Low)*(High) = Med |

Each cell combines the three terms of the risk equation for that event and outcome pair into a single Low/Med/High level.
![Page 30: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/30.jpg)
The process

| Outcome | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss | Low | Medium | Medium | High |
| Data Exfiltration | Low | Low | Medium | High |
| Data Corruption | Low | Low | Medium | Medium |
![Page 31: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/31.jpg)
Method 1: The Simple Chart

| Outcome | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss | Low | Medium | Medium | High |
| Data Exfiltration | Low | Low | Medium | High |
| Data Corruption | Low | Low | Medium | Medium |

THIS IS NOT A “RISK MATRIX”!
![Page 32: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/32.jpg)
Method 2: The Probabilistic Chart

| Outcome (loss) | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss ($5,000) | Low (25%) | Medium (45%) | Medium (45%) | High (65%) |
| Data Exfiltration ($10,000) | Low (25%) | Low (25%) | Medium (45%) | High (65%) |
| Data Corruption ($100,000) | Low (25%) | Low (25%) | Medium (45%) | Medium (45%) |

Each percentage is (Probability of event)*(Probability of outcome given event).
![Page 33: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/33.jpg)
Method 3: Annualized Loss Expectancy

| Outcome (loss) | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss ($5,000) | $1,250 | $2,250 | $2,250 | $3,250 |
| Data Exfiltration ($10,000) | $2,500 | $2,500 | $4,500 | $6,500 |
| Data Corruption ($100,000) | $25,000 | $25,000 | $45,000 | $45,000 |

Each cell is (Probability from the previous chart)*(Loss from the event).
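The three charts (Methods 1 to 3) worked through in code, as an added example that is not code from the talk. The Low/Med/High triples per cell, the Low = 25% / Medium = 45% / High = 65% mapping and the dollar losses are the notional figures from the slides, and the 3 / 30,000 past-data probability comes from the earlier slide. The slides never say how three ordinal ratings collapse into one level; the geometric-mean rule in `combine_levels()` is an assumption that happens to reproduce every cell shown, and the order of the three factors in each triple is also assumed.

```python
"""Risk chart and annualized loss expectancy (ALE), following the talk's three methods.

Added example, not code from the talk. Figures are the slides' notional numbers.
ASSUMPTION: combine_levels() (geometric mean of 1/2/3 scores) is a guessed rule
for collapsing three ordinal ratings into one level; it matches every cell shown.
"""
from statistics import geometric_mean

LEVELS = ["Low", "Med", "High"]
LEVEL_SCORE = {"Low": 1, "Med": 2, "High": 3}          # ordinal -> interval (assumed)
LEVEL_PROB = {"Low": 0.25, "Med": 0.45, "High": 0.65}  # Method 2 slide

EVENTS = ["No Attack", "Unsuccessful Attack",
          "Successful External Penetration", "Successful Insider Attack"]
# Loss per outcome, in dollars, from the Method 2 / Method 3 slides.
LOSS = {"Data Loss": 5_000, "Data Exfiltration": 10_000, "Data Corruption": 100_000}

# One (Pr(event), Pr(outcome | event), Value(event, outcome)) triple per cell,
# in EVENTS order, copied from the build slides. ASSUMPTION: the factor order.
FACTORS = {
    "Data Loss":         [("Low", "Low", "Low"), ("High", "Med", "Low"),
                          ("Low", "Med", "High"), ("High", "High", "High")],
    "Data Exfiltration": [("Low", "Low", "Low"), ("High", "Low", "Low"),
                          ("Low", "Med", "High"), ("High", "High", "High")],
    "Data Corruption":   [("Low", "Low", "Low"), ("High", "Low", "Low"),
                          ("Low", "Med", "High"), ("High", "Low", "High")],
}


def past_data_probability(events_of_concern, total_events):
    """'Events of concern / total events', e.g. 3 successful attacks / 30,000 attempts."""
    if total_events <= 0 or not 0 <= events_of_concern <= total_events:
        raise ValueError("need 0 <= events_of_concern <= total_events and total_events > 0")
    return events_of_concern / total_events


def combine_levels(p_event, p_outcome, value):
    """Collapse three ordinal ratings into one ordinal level (ASSUMED rule).

    Map Low/Med/High to 1/2/3, take the geometric mean (the multiplicative
    analogue of the product the slides write out), round back to a level.
    """
    scores = [LEVEL_SCORE[level] for level in (p_event, p_outcome, value)]
    return LEVELS[round(geometric_mean(scores)) - 1]


def simple_chart():
    """Method 1: one Low/Med/High level per (outcome, event) cell."""
    return {outcome: [combine_levels(*cell) for cell in cells]
            for outcome, cells in FACTORS.items()}


def probabilistic_chart():
    """Method 2: replace each level with its notional probability."""
    return {outcome: [LEVEL_PROB[level] for level in levels]
            for outcome, levels in simple_chart().items()}


def annualized_loss_expectancy():
    """Method 3: probability * loss, rounded to whole dollars."""
    return {outcome: [round(p * LOSS[outcome]) for p in probs]
            for outcome, probs in probabilistic_chart().items()}


def total_expected_loss():
    """The risk equation's sum over every (event, outcome) pair, in dollars."""
    return sum(sum(row) for row in annualized_loss_expectancy().values())


if __name__ == "__main__":
    print(f"3 / 30,000 attempts -> {past_data_probability(3, 30_000):.4f}")
    for outcome, dollars in annualized_loss_expectancy().items():
        print(f"{outcome:18s}", "  ".join(f"${d:>7,}" for d in dollars))
    print(f"Total ALE across the chart: ${total_expected_loss():,}")
```

The total returned by `total_expected_loss()` is exactly the risk equation evaluated over the chart: the Method 2 percentage is $\Pr(e)\Pr(o \mid e)$ and the row's dollar figure is $V(e,o)$. Swapping `LEVEL_PROB` for percentages derived from your own past data (the `past_data_probability` route) is the point where the chart stops being "binned gut" and starts being evidence.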
![Page 34: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/34.jpg)
SHORTCUTS AND METHODOLOGIES
![Page 35: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/35.jpg)
How to use a “Factor Based Model”
“Factor Based Models” provide a formula for quick and easy assessment of a range of items and rank ordering of them.
WARNING: This system only provides a RELATIVE ranking of the items listed.
![Page 36: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/36.jpg)
How to use a “Factor Based Model”
1. Assign a range of numbers to each factor
◦ Try to use even ranges of numbers (1-4)
◦ Ensure that the higher the number, the more it points towards whatever the issue at hand is
2. Evaluate each factor using that range
3. Add up the combined score
![Page 37: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/37.jpg)
CARVER: Target Selection
◦ Criticality
◦ Accessibility
◦ Recoverability
◦ Vulnerability
◦ Effect
◦ Recognizability
![Page 38: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/38.jpg)
CARVER Analysis: The Next HOPE

| Target | C | A | R | V | E | R | Total |
|---|---|---|---|---|---|---|---|
| NOC | 6 | 3 | 2 | 2 | 6 | 4 | 23 |
| Elevator | 6 | 6 | 5 | 5 | 6 | 1 | 29 |
| Projector | 2 | 5 | 1 | 5 | 2 | 1 | 16 |
| Segways | 1 | 6 | 6 | 5 | 1 | 1 | 20 |
| Emmanuel | 6 | 1 | 6 | 3 | 6 | 6 | 28 |

Scale: 1-6. 6 = Contributes highly to attack success probability; 1 = Does not contribute to attack success probability.
P (protector): HOPE Staff | A (asset): Enjoyment of attendees | T (threat): Rogue attendee
![Page 40: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/40.jpg)
EVIL DONE: Target Selection
◦ Exposed
◦ Vital
◦ Iconic
◦ Legitimate
◦ Destructible
◦ Occupied
◦ Near
◦ Easy
![Page 41: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/41.jpg)
DSHARPP: Target Selection
◦ Demography
◦ Symbology
◦ History
◦ Accessibility
◦ Recuperability
◦ Population
◦ Proximity
![Page 42: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/42.jpg)
CRAVED: Attractiveness of Assets
◦ Concealable
◦ Removable
◦ Available
◦ Valuable
◦ Enjoyable
◦ Disposable
![Page 43: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/43.jpg)
MURDEROUS: Weapon Selection
◦ Multipurpose
◦ Undetectable
◦ Removable
◦ Destructive
◦ Enjoyable
◦ Reliable
◦ Obtainable
◦ Uncomplicated
◦ Safe
![Page 44: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/44.jpg)
ESEER: Facilitation of crime
◦ Easy
◦ Safe
◦ Excusable
◦ Enticing
◦ Rewarding
![Page 45: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/45.jpg)
HOPE: Ease of social engineering
◦ Hour of the day
◦ Oversight by manager
◦ Pressure
◦ Encouragement
![Page 46: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/46.jpg)
SCALES
![Page 47: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/47.jpg)
Scales are IMPORTANT
Let’s assume a FBM of: A+B+C+D
◦ A: 1-4 Vulnerability
◦ B: $ of damages
◦ C: Time to return to operation (seconds)
◦ D: Lives lost
For:
◦ Ships?
◦ Buildings?
◦ Troops?
![Page 48: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/48.jpg)
Types of scales
Nominal
◦ Binning, no order (apples, pears, oranges)
Ordinal
◦ Hierarchical, no calculations (High, medium, low)
Interval
◦ Hierarchy and calculations (1, 2, 4, 8, 16)
Natural
◦ Interval with countable items (deaths, $, time)
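A factor-based model scorer that enforces the three FBM steps (assign a range, evaluate each factor on it, add up) and the "Scales are IMPORTANT" warning, as an added example that is not code from the talk. The CARVER scores are the notional numbers from the "CARVER Analysis: The Next HOPE" slide and reproduce its totals and rank order; the A+B+C+D model is the one from the scales slide. The bin cut-points for dollars, seconds and lives, and the ship/building figures, are constructed for illustration, and the rule that every summed factor must sit on one bounded integer range is my reading of the slide, not something it states in those words.

```python
"""Factor-based model (FBM) scoring with scale checks.

Added example, not code from the talk. CARVER scores are the slide's notional
numbers. ASSUMPTIONS: the "same bounded integer range for every factor" rule,
and the bin cut-points for dollars, seconds and lives, are constructed here.
"""
from bisect import bisect_left
from dataclasses import dataclass


@dataclass(frozen=True)
class Scale:
    low: int
    high: int

    def check(self, factor, value):
        """Reject anything that is not an integer on this range."""
        if (not isinstance(value, int) or isinstance(value, bool)
                or not self.low <= value <= self.high):
            raise ValueError(f"{factor}={value!r} is not on the {self.low}-{self.high} scale")
        return value


def bin_value(value, cutpoints, scale):
    """Bin a natural-scale value (dollars, seconds, lives) onto `scale`.

    `cutpoints` are ascending inclusive upper bounds; anything above the last
    one lands in the top bin. One cut-point is needed per step of the scale.
    """
    if len(cutpoints) != scale.high - scale.low:
        raise ValueError("need one cut-point per step of the scale")
    return scale.low + bisect_left(cutpoints, value)


def fbm_total(factors, scores, scale):
    """Step 3 of the FBM: add up the scores, after checking each one (steps 1-2)."""
    if len(scores) != len(factors):
        raise ValueError("one score per factor required")
    return sum(scale.check(f, s) for f, s in zip(factors, scores))


def on_scale(factors, scores, scale):
    """True if every score passes the scale check."""
    try:
        fbm_total(factors, scores, scale)
        return True
    except ValueError:
        return False


def rank(factors, items, scale):
    """Highest total first. As the slide warns, this is a RELATIVE ranking only."""
    totals = {name: fbm_total(factors, scores, scale) for name, scores in items.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


CARVER = ("Criticality", "Accessibility", "Recoverability",
          "Vulnerability", "Effect", "Recognizability")
CARVER_SCALE = Scale(1, 6)
# Notional scores from the slide (protector: HOPE staff, asset: attendee enjoyment).
CARVER_SCORES = {
    "NOC":       (6, 3, 2, 2, 6, 4),
    "Elevator":  (6, 6, 5, 5, 6, 1),
    "Projector": (2, 5, 1, 5, 2, 1),
    "Segways":   (1, 6, 6, 5, 1, 1),
    "Emmanuel":  (6, 1, 6, 3, 6, 6),
}

# The scales slide's A+B+C+D model. Cut-points below are CONSTRUCTED, not from the talk.
ABCD = ("Vulnerability", "Damages", "TimeToRestore", "LivesLost")
ABCD_SCALE = Scale(1, 4)
DAMAGE_CUTS = [10_000, 100_000, 1_000_000]  # dollars
TIME_CUTS = [3_600, 86_400, 604_800]        # seconds: an hour, a day, a week
LIVES_CUTS = [0, 1, 10]


def naive_abcd_total(vulnerability, damages_usd, seconds_down, lives_lost):
    """What the slide warns against: raw units added straight into A+B+C+D."""
    return vulnerability + damages_usd + seconds_down + lives_lost


def abcd_total(vulnerability, damages_usd, seconds_down, lives_lost):
    """Bin each natural-scale input onto 1-4 first, so no single unit swamps the sum."""
    scores = (vulnerability,
              bin_value(damages_usd, DAMAGE_CUTS, ABCD_SCALE),
              bin_value(seconds_down, TIME_CUTS, ABCD_SCALE),
              bin_value(lives_lost, LIVES_CUTS, ABCD_SCALE))
    return fbm_total(ABCD, scores, ABCD_SCALE)


if __name__ == "__main__":
    for name, total in rank(CARVER, CARVER_SCORES, CARVER_SCALE):
        print(f"{name:10s} {total}")
    # Constructed ship vs building inputs: (A, $ damages, seconds down, lives lost)
    ship, building = (2, 5_000_000, 86_400, 10), (4, 500_000, 3_600, 0)
    print("naive:", naive_abcd_total(*ship), naive_abcd_total(*building))
    print("binned:", abcd_total(*ship), abcd_total(*building))
```

With the constructed inputs the naive sum ranks the ship roughly ten times the building purely because dollars dwarf every other unit; once each factor is binned onto the same 1-4 range the two come out at 11 and 9, and the scale check refuses to add a raw dollar figure to a 1-4 vulnerability score at all.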
![Page 49: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/49.jpg)
LET’S BRING THIS ALL TOGETHER
Nate’s presentation
![Page 50: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/50.jpg)
Risk Analysis of Corporate Systems
Presented by Nate
![Page 51: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/51.jpg)
Problem at Issue
◦ Attackers are attempting to penetrate our network to steal, destroy or alter corporate data
◦ NOC has been tasked with securing against these attacks
![Page 52: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/52.jpg)
[Chart: Attacks over the last 3 years (2007, 2008, 2009). Series: Simple attacks, Complex attacks, Phishing, User error. Y-axis: 0 to 500.]
![Page 53: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/53.jpg)
Effects of attacks on other companies
Andrews Co.
◦ Victim of a penetration, customer data leaked
◦ Loss of revenue from loss of goodwill: $2.4M
◦ Revenue dedicated to fixing systems: $10M
TNH Inc.
◦ Victim of a lengthy Denial of Service attack
◦ Loss of revenue from inability to do business: $30M
◦ Revenue dedicated to upgrading systems: $12M
![Page 54: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/54.jpg)
Annualized Loss Expectancy

| Outcome (loss) | No Attack | Unsuccessful Attack | Successful External Penetration | Successful Insider Attack |
|---|---|---|---|---|
| Data Loss ($5,000) | $1,250 | $2,250 | $2,250 | $3,250 |
| Data Exfiltration ($10,000) | $2,500 | $2,500 | $4,500 | $6,500 |
| Data Corruption ($100,000) | $25,000 | $25,000 | $45,000 | $45,000 |
![Page 55: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/55.jpg)
The End (Of the presentation within a presentation)
![Page 56: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/56.jpg)
Remember these?

Risk Assessment
◦ What can happen?
◦ How likely is it to happen?
◦ What are the consequences if it happens?

Risk Management
◦ What can be done?
◦ What are the benefits, costs and risks of each option?
◦ What are the impacts of each option on future options?
![Page 57: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/57.jpg)
Things to remember…
Use common sense!
◦ If something looks wrong, it usually is
Scope the question
◦ Don’t bite off more than you can chew
Use proper scales
Remember the 6 questions of risk
FBMs are quick and easy, but be careful!
Check your work!
◦ Academic integrity BEFORE making managers happy
![Page 58: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/58.jpg)
QUESTIONS?
Full presentation (including slides, resources, audio & video):
Blog.NickLeghorn.com
![Page 59: Risk Analysis for Dummies](https://reader034.vdocuments.mx/reader034/viewer/2022042623/548f33a3b47959e4548b4586/html5/thumbnails/59.jpg)
“You must not say ‘never.’ That is a lazy slurring-over of the facts. Actually, [risk analysis] predicts only probabilities. A particular event may be infinitesimally probable, but the probability is always greater than zero.”
Second Foundation (Isaac Asimov)