Upload File

why risk management is impossible

20
Risk Management: A Failed Strategy with Unachievable Goals. Richard Stiennon Chief Research Analyst IT-Harvest

Upload: richard-stiennon

Post on 22-Jan-2015

1.826 views

Category:

Business


1 download

Report

Tags:

DESCRIPTION

It is impossible to identify all critical assets. It is impossible to determine value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013 Boston, November 19, 2013

TRANSCRIPT

  • 1. Risk Management: A Failed Strategy with Unachievable Goals.Richard Stiennon Chief Research Analyst IT-Harvest

2. International Cybersecurity DialogueWhat is risk? Risk = Threat * Vulnerability * Asset Value -or-The probable frequency and probable magnitude of future loss - FAIR 3. International Cybersecurity DialogueRisk Management 101 1. Identify all critical assets 2. Score them by value 3. Discover all vulnerabilities All three are impossible. 4. International Cybersecurity Dialogue What is an IT asset? DesktopsLaptops Servers Thumb drivesSwitches Applications Data bases Records Artifacts (VM images) Usernames, passwords, e mail addresses IP addresses, domains Digital certificates (SSL, SSH, Kerboros, code signing, identity) Email, email archives Business intelligence data Logs Policies, settings, configurationsProcesses, work flow, authorization IP. Designs, formulae, patent applications, litigation documents, spreadsheets, docs, Powe r Point. Real time dataMeta data Software licenses and version data Virtual data center (repeat most of above) Phones Smart phones Video conferencingFirewalls, IPS, Content filtering, Log management, patch management, trouble ticketing, AV, etc. etc. etc. Active Directory, Ephemeral assets 5. International Cybersecurity DialogueWhat is the value of an IT asset? Replacement cost? Purchase+shipping+config+restore+staging+d eployment Cost to reproduce data?Loss of productivity? Loss of business competitiveness?Lost sales? Lost battle? 6. International Cybersecurity DialogueCan you really reduce the surface area (exposed vulnerabilities) ? Some systems cannot be patched Legacy Operations All systems have unknown vulnerabilities 7. International Cybersecurity DialogueRisk Manage This: 8. International Cybersecurity DialogueOr this: Athens 2004: A series of software updates turns on Lawful intercept function in Ericsson switch 104 diplomats and Olympic officials spied on Engineer mysteriously commits suicide 9. International Cybersecurity DialogueOr this: Cyber sabotage: Stuxnet s7otbxdx.dllStep 7 softwareDLL Rootkits7otbxsx.dllDLL originalNew data blocks added 10. International Cybersecurity Dialogue Trading lossesOr this:2008, Jerome Kerviel covers up trading losses, Largest trading fraud in history to be carried out by a single person. $54 billion exposure, $7.14 Billion loss 5 year sentence reduced to 3 11. International Cybersecurity DialogueOr this: Saudi Aramco, August 2012 South Korea, March 2013 12. International Cybersecurity DialogueOr this: Malware transmitted to SIPRNETacross an air gap by foreign agents in an overseas theater according to assistant defense secretary Lynn. Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD. 13. International Cybersecurity DialogueRisk management is based on normal distribution of events IT security is not subject to Gaussian distributions The difference is: adversaries 14. International Cybersecurity DialogueTargeted Attacks are Not Random Risk Management arose toaddress random attacks. Viruses, worms, opportunistic hackers. Targeted attacks are Black Swan events 15. International Cybersecurity DialogueSo, if Risk Management is a failure what should be done? Welcome to the world of threat based security, the real world. 16. International Cybersecurity DialogueSome scenarios A mass killer is on the loose. Find himand stop him? Or protect every asset? Chinese Comment Crew is in your network. Do a vulnerability scan? Rogue employee is accessing customer database. Beef up security awareness training? 17. International Cybersecurity DialogueCyber kill chain 18. International Cybersecurity DialogueSecurity Intelligence is the key to threat management Malware analysis Key indicators of attack Key indicators of compromise Threat actor intelligence 19. International Cybersecurity DialogueThe Cyber Defense Team Operations AnalystsRed TeamCyber Commander 20. International Cybersecurity DialogueLets be honest Risk Management was developed so that IT security could speak to management. Management understands threats not risks. Show them the threats and they will respond.


The Impossible Trinity, or, Why Latin America Hates QE2

Pete and Mihir. Why they’re important Which risk factors? Risk assessment

Risk Management Why and How

Mission Impossible: Why Crisis Management Missions Do Not Increase the Visibility of the European Union

WHY RISK-BASED AUDIT PLANNING?

Emissions Impossible: why divest to invest?...Emissions Impossible: why divest to invest? An editable paper template to support student campaigners articulating the arguments for fossil

Why Do We Have Risk - Milliman

“Why, sometimes I've believed as many as six impossible ... learning... · six impossible things before breakfast. ... happy things, and your heart will fly on wings, forever.

25+ Reasons why predicting CTR from Rankings is Impossible

Lesson Title: Why did the Mormons find it impossible to live in the East?

How and Why to use Software Risk Master (SRM) for Risk

STRENGTH DEXTERITY ANIMA EFFECTS STAMINAbazzalisk.org.s3-website-eu-west-1.amazonaws.com/... · Impossible to hide Impossible to hide Normal + 2 Impossible Impossible Impossible LOCKED

Why Lead with Risk?

Why risk management is needed

Managing Risk Certainty Equivalents Why Manage Diversifiable Risk? Types of Risk Traditional Approach to Risk Management Enterprise Risk Management

Why Low Risk Innovation Costly

Why manage risk?

Why Community-LedFlood Risk Mapping: Why Community-Led

Elm : Making impossible states impossible

The Theories of Time Travel Why it is theoretically possible? Who is responsible for these conclusions? Why it is believed to be impossible?

Mission Impossible? Using global flood risk assessments for ......Mission Impossible? Using global flood risk assessments for local decision-making Tuesday 14.00-15.30 ICC Capital

The Only B.S. Reason Why Your Dreams Seem Impossible

Mission Impossible: Why Crisis Management Missions Do Not

David Wilsford - Path Dependency, Or Why History Makes It Difficult but Not Impossible to Reform Health

09114 Risk Management - Why Contractors Fail

Lesson Title: Why did the Mormons find it impossible to live in the East? Know why Joseph Smith is important Understand what factors made it impossible

Why Is Credit Risk Management Important

Why It Might Be Impossible to See a Doctor in Person Sometimes

Why Your Thyroid is Making Fat Loss IMPOSSIBLE

“ “Impossible is not a fact. It's an opinion. Impossible is not a declaration. It's a dare. Impossible is potential. Impossible is temporary. Impossible

What Is the Risk of the Impossible? - People | MIT CSAILpeople.csail.mit.edu/ilya_shl/alex/riskOfTheImpossible.pdf · 2005-12-03 · Risk of the impossible review. Maddox notes that:

WHY IS EVOLUTION OF BIG BANG TO MOLECULES TO LIFE TO MAN IMPOSSIBLE? Dr. Jobe Martin

Risk-Limiting Post-Election Audits: Why and Howdickatlee.com/issues/elections/evote/maine_rcv/pdfs/risk... · 2016-10-28 · Risk-Limiting Post-Election Audits: Why and How Risk-Limiting

Risk in a collaborative culture. why risk matters risk and Conscious Competence mitigating risk

Why corporate culture affects Operational Risk