why risk management is impossible
Post on 22-Jan-2015
Description: It is impossible to identify all critical assets. It is impossible to determine the value of IT assets. It is impossible to manage vulnerabilities. Impossible^3 = Impossible. Presented at ITAC 2013, Boston, November 19, 2013.
1. Risk Management: A Failed Strategy with Unachievable Goals.
Richard Stiennon, Chief Research Analyst, IT-Harvest

(Header on every slide that follows: International Cybersecurity Dialogue)
2. What is risk?
Risk = Threat * Vulnerability * Asset Value
-or-
The probable frequency and probable magnitude of future loss (FAIR)

3. Risk Management 101
1. Identify all critical assets
2. Score them by value
3. Discover all vulnerabilities
All three are impossible.

4. What is an IT asset?
Desktops, laptops, servers, thumb drives, switches
Applications, databases, records
Artifacts (VM images)
Usernames, passwords, e-mail addresses
IP addresses, domains
Digital certificates (SSL, SSH, Kerberos, code signing, identity)
Email, email archives
Business intelligence data
Logs
Policies, settings, configurations
Processes, work flow, authorization
IP: designs, formulae, patent applications, litigation documents, spreadsheets, docs, PowerPoint
Real-time data, metadata
Software licenses and version data
Virtual data center (repeat most of the above)
Phones, smart phones, video conferencing
Firewalls, IPS, content filtering, log management, patch management, trouble ticketing, AV, etc. etc. etc.
Active Directory
Ephemeral assets

5. What is the value of an IT asset?
Replacement cost? Purchase + shipping + config + restore + staging + deployment
Cost to reproduce data?
Loss of productivity?
Loss of business competitiveness?
Lost sales?
Lost battle?

6. Can you really reduce the surface area (exposed vulnerabilities)?
Some systems cannot be patched
Legacy
Operations
All systems have unknown vulnerabilities

7. Risk Manage This:

8. Or this:
Athens 2004: A series of software updates turns on the Lawful Intercept function in an Ericsson switch
104 diplomats and Olympic officials spied on
Engineer mysteriously commits suicide

9.
Or this: Cyber sabotage: Stuxnet
[Diagram: Step 7 software -> s7otbxdx.dll (DLL rootkit) -> s7otbxsx.dll (original DLL); new data blocks added]

10. Or this: Trading losses
2008, Jerome Kerviel covers up trading losses. Largest trading fraud in history to be carried out by a single person.
$54 billion exposure, $7.14 billion loss
5-year sentence reduced to 3

11. Or this:
Saudi Aramco, August 2012
South Korea, March 2013

12. Or this:
Malware transmitted to SIPRNET across an air gap by foreign agents in an overseas theater, according to assistant defense secretary Lynn.
Buckshot Yankee costs reputed to be over $1 billion to re-image all machines within DoD.

13. Risk management is based on a normal distribution of events
IT security is not subject to Gaussian distributions
The difference is: adversaries

14. Targeted Attacks are Not Random
Risk Management arose to address random attacks: viruses, worms, opportunistic hackers.
Targeted attacks are Black Swan events

15. So, if Risk Management is a failure, what should be done?
Welcome to the world of threat-based security, the real world.

16. Some scenarios
A mass killer is on the loose. Find him and stop him? Or protect every asset?
Chinese Comment Crew is in your network. Do a vulnerability scan?
Rogue employee is accessing the customer database. Beef up security awareness training?

17. Cyber kill chain

18. Security Intelligence is the key to threat management
Malware analysis
Key indicators of attack
Key indicators of compromise
Threat actor intelligence

19. The Cyber Defense Team
Operations
Analysts
Red Team
Cyber Commander

20.
Let's be honest
Risk Management was developed so that IT security could speak to management.
Management understands threats, not risks. Show them the threats and they will respond.