CRISC
IT Risk Assessment Practices
Identifying Risk Events
o Seek to identify loss-event scenarios affecting your business goals and objectives
o Risk practitioners should work closely with business process owners
o Risk practitioners should consult with IT and cybersecurity experts to understand technological risk
Risk Events
o Risk events are specific occurrences that create an impact on a business
o These are not threats
o Risk events = threats with an attached probability and impact on a company's asset(s)
o Risk practitioners should first understand their current and future environment
Risk Events
o Loss of talented workers
o Natural disasters
o DDoS attack
o Abuse of authority
o New legal or regulatory requirements
o Terrorism
Risk Identification Terms
o Asset
o Impact
o Likelihood
o Threat
o Threat actor
o Threat vector
o Vulnerability
Handy Dandy Exam Simulation Question
What is the FIRST step in Risk identification?
A. Identify threats and vulnerabilities
B. Gather information on current and future environment
C. Check incident reports for trends
D. Confirm the Risk capacity of the business
Identifying Risk Factors
o Risk is made up of a combination of factors
o Risk factors are typically classified in two ways:
  o Contextual factors (internal/external)
  o Capability factors (ability to perform IT-related activities)
Risk Factors
(Diagram: Threat Actors, Threats, Vulnerabilities, Risk, Assets)
Risk Analysis and Evaluation
o The threat and vulnerability landscape is in constant flux
o Use a Risk register to manage risk generated during the identification process
o Risk analysis is the modeling of various threats against assets
o Risk evaluation considers these risk events in the context of risk appetite, tolerance and capacity
Methods of Risk Identification
o Historical
o Systematic
o Inductive
o Risk libraries
Risk Identification Process
(Flow: Identify Assets -> Identify Threats -> Identify Existing Controls -> Identify Vulnerabilities -> Identify Impacts -> Risk Estimation Process)
Changes In The Risk Environment
o Organizations and technologies change all the time
o This changes the risk environment
o Risk practitioners should constantly monitor the business and external reports (CERT)
o Emerging threats should be identified, analyzed, evaluated, assessed and reported
Maintaining Operational Integrity
o Requires procedures such as incident management, change management, etc.
o Consistent and sustainable operations LESSEN risk
o Well-defined procedures help businesses achieve their goals
Industry Trends
o IT departments need to be aware of changes in the industry
o Risk practitioners should assess the maturity of the IT department
o Flexibility is key
Forecasting Risk
o Risks can occur as the result of preexisting conditions
o Risk events can also cascade from one another
o The greatest threat to an organization is failure to learn from past events and forecast accurately based on those events
Threat Modeling And Threat Landscape
o Threats can be external or internal
o Threats can be intentional or unintentional
o Not all conceivable threats need to be considered
o It is best to categorize threats to help organize appropriate responses
Threat Modeling
o Risk practitioners should document all threats that apply to systems and business processes
o Threats are the result of accidental actions, intentional actions or natural events
Information Sources On The Threat Landscape
o Service Providers
o Threat Monitoring Agencies
o Audits
o Business Continuity
o Product Vendors
o Insurance Companies
o Etc.
Types of Threats
o Internal Threats
o External Threats
o Emerging Threats
Threat Modeling
o Threats depend a lot on the mindset and approach of an attacker (Threat Actor)
o Threat modeling is all about mapping methods, approaches, steps and techniques
o Threat actors use different tools and different techniques
o Threat modeling (abuse-case modeling) is different from standard use-case modeling
Threat Modeling
o Threat modeling is also important as part of the risk analysis process
o It's important to understand which controls successfully defend against attacks
o We put these answers in a Threat Profile
Some Threat Modeling Methods
o STRIDE
o PASTA
o LINDDUN
o Attack Trees
o PnG
o Trike
o VAST
Sources of Vulnerabilities
o Vulnerabilities are weaknesses or gaps in an organization's processes, technology and people
o Threat actors use these to exploit or harm a business
o Quite a few of these are pre-existing conditions in systems
o Risk identification needs to locate and identify them so that they can be solved or mitigated
Sources Of Vulnerabilities - Networks
o Typically due to misconfiguration or poor architecture
o Open services are a potential attack vector
o Non-hardened devices such as routers and switches can be compromised
o Traffic interception is primarily the goal of an attacker
Sources of Vulnerabilities – Physical Access
o Physical access allows for:
  o Theft
  o Network access
  o Server room access
  o Installing "skimmers"
o Testing access control systems, locks, security guards, etc. is vital
Sources Of Vulnerabilities: Applications/Web Services
o Web applications are one of the top attack vectors in IT
o Most applications are written to support job roles rather than to be secure
o Application vulnerabilities include:
  o Logic flaws
  o Incorrect user access
  o Buffer overflows
o Applications that contain sensitive information are placed in insecure areas
Other Sources Of Vulnerabilities
o Utilities
o Equipment
o Supply Chain
o Cloud Computing
o Big Data
Using Gap Analysis
o First you document the current state of vulnerabilities
o Next you document the desired state that management requires
o This allows risk practitioners to identify the gap and the scope of the risk management process
Vulnerability Assessments
o Assessments examine a target environment to discover areas of weakness
o May be manual or automated
o Can contain "false positives"
o Qualified staff need to be involved in interpreting results
Penetration Testing
o Uses the same tools as attackers
o Can be conducted by internal or external individuals
o Full-knowledge or zero-knowledge tests
o Must be carefully planned
o Scope, targets, exclusions and authority must be spelled out before the test
False Positives and Zero-Day Exploits
o Some assessments might point to a weakness that is not usable by attackers (False Positives)
o Some assessments might return no vulnerabilities even though they exist (False Negatives)
o Systems can still be open to unknown or not-yet-disclosed vulnerabilities, so-called "Zero-Day" exploits
Risk Scenario Development
o Risk Scenarios are descriptions of possible threat events that have an uncertain impact
o Used to conceptualize risk
o Each scenario should be related to a business objective
o Can be based on past events, but should also look to future events
Approaches to Risk Scenario Development
o Top-Down
o Bottom-Up
o Components used:
  o Actors
  o Threat Types/Events
  o Asset/Resource
  o Estimated Frequency/Impact
Analyzing Risk Scenarios
o Risk Scenarios are useful to communicate the potential probability and impact
o These things are difficult to predict with great precision
o Using F.A.I.R. or H.A.R.M. can help with creating multiple simulations and mapping qualitative statements to quantitative values
Risk Assessment Standards And Frameworks
o Once risk is identified, risk assessment and analysis should take place
o IT risk is a subset of enterprise risk
o In today's modern enterprise, IT risk heavily influences all areas of overall risk
o Assessment should look at critical functions, controls in place, and prioritization of risk
Risk Assessment Concepts
o Bow Tie Analysis
o Cause and Effect
o Delphi Method
o Event Tree Analysis
o Fault Tree Analysis
o Markov Analysis
o Monte Carlo Analysis
o SWIFT
Tools of Risk Assessment
o Risk practitioners should use tools wisely and choose them appropriately
o A consistent assessment technique should be used when the goal is to produce results that can be compared over time
o Practitioners should neither use as many techniques as possible nor only one
Risk Register
o Consolidates risk data into one place and enables tracking
o Shows impact/probability
o Should document the organization's entire risk
o The Risk register drives the management of risk
Risk Ranking
o Results of risk assessment need to be prioritized
o Weighted score derived from all the components of risk
o Senior management should be involved in the definition of weights
o This information is in the Risk Register
Risk Maps
o Used after qualitative and quantitative analysis is complete
o Scenarios are considered in the context of risk appetite and risk tolerance
o Sometimes called a Probability and Impact Matrix
o Risk maps help the practitioner assess what the appropriate level of response should be
Risk Assessment Considerations
o Risk Ownership
o Risk Documentation
o Risk Exclusions
Risk Analysis Methodologies - Quantitative Risk Analysis
o Uses mathematical models to simulate potential outcomes
o Often referenced by financial or time values
o Relies on quality data to make accurate predictions
o Suitable for cost-benefit analysis
o Uses EMV (Expected Monetary Value) and ALE (Annual Loss Expectancy)
Qualitative Risk Analysis
o Considers the "quality" of the risk
o Uses a P/I matrix based on subjective H-M-L values for probability and impact
o Relies heavily on the experience of experts
o Typically based on scenarios or descriptions of possible risk events
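Added worked example (not from the slides) putting the two methodologies side by side: the quantitative ALE and EMV formulas from the previous slide, and a qualitative H-M-L probability/impact matrix used to rate and rank risk-register entries as on a risk map. The rating thresholds and the sample scenarios are constructed assumptions; an organisation derives its own from its appetite and tolerance.

```python
# Quantitative: Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence
def ale(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    return single_loss_expectancy * annual_rate_of_occurrence


# Quantitative: Expected Monetary Value across all possible outcomes of a decision.
def emv(outcomes):
    """outcomes: list of (probability, monetary_impact); probabilities must sum to 1."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(p * impact for p, impact in outcomes)


# Qualitative: subjective High/Medium/Low scores for probability and impact.
LEVEL = {"L": 1, "M": 2, "H": 3}


def pi_rating(probability: str, impact: str) -> str:
    """Probability/Impact matrix: the product of the two scores selects a rating band.
    Band thresholds are a constructed assumption, not a standard."""
    score = LEVEL[probability] * LEVEL[impact]
    if score >= 6:   # H*M, M*H, H*H
        return "High"
    if score >= 3:   # H*L, L*H, M*M
        return "Medium"
    return "Low"


def rank_register(register):
    """Order (scenario, probability, impact) entries with the highest P/I score first."""
    return sorted(register, key=lambda e: LEVEL[e[1]] * LEVEL[e[2]], reverse=True)


# Constructed sample risk-register entries
SAMPLE = [
    ("Ransomware on file server", "M", "H"),
    ("Laptop theft", "H", "L"),
    ("Office flood", "L", "M"),
]

if __name__ == "__main__":
    print("ALE:", ale(50_000, 0.2))
    print("EMV:", emv([(0.7, 0), (0.3, 100_000)]))
    for name, p, i in rank_register(SAMPLE):
        print(f"{name}: {pi_rating(p, i)}")
```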
Root Cause Analysis
o Causes of risk are not always obvious
o Root Cause Analysis asks a series of questions to get to the root of the issue
o Uses a "Fishbone"/Ishikawa diagram
o Helps with risk assessment to understand cause and effect
Business Impact Analysis
o A process to help establish disaster recovery and continuity requirements
o A comprehensive BIA works to establish the escalation of loss over time
o BIA helps the risk practitioner in proposing appropriate risk responses
o BIA helps senior management select appropriate recovery strategies
Business Continuity – Fault Tolerance
o BIA concentrates on the activities and resources needed for the most critical services
o Recovery Time Objectives (RTO) are established
o Key processes and resources can be prioritized and put into the business continuity plan (BCP)
BIA and Risk Assessment
o BIA and Risk management are typically performed in close coordination
o There are distinctions:
  o BIA is about business continuity
  o Risk assessment is about understanding the threats facing the business
Inherent, Residual and Current Risk
o Risk is inevitable. It is inherent in anything an organization undertakes
o Risk practitioners should understand risk, and assess and respond to risk outside of risk appetite
o Practitioners should also understand the difference between inherent, residual and current risk
Inherent Risk
o The risk level or exposure without considering the actions a company has taken or might take
o This risk is present in any chosen course of action that is not specifically avoided
Residual Risk
o The remaining risk after management has implemented a risk response
o Calculated by subtracting the effectiveness of the risk response from inherent risk
o Residual risk is what risk appetite is based upon
Current Risk
o Residual risk is more in line with a predictive perspective
o Current risk can confuse those that aren't following a risk management framework
o Current risk = the current "point in time" risk associated with an asset, where both actions taken and actions pending are considered
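Added worked example (not from the slides) showing the distinction the last three slides draw: inherent risk before any response, residual risk once every planned response is in place (the predictive view), and current risk counting only responses already implemented (the point-in-time view), each compared with a risk appetite. Expressing risk as ALE, applying control effectiveness multiplicatively, and the sample scenario are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    effectiveness: float   # fraction of the remaining risk the response removes, 0..1
    implemented: bool      # True = action already taken, False = action still pending


def inherent_risk(sle: float, aro: float) -> float:
    """Exposure before any action is considered: plain ALE with no controls applied."""
    return sle * aro


def _apply(risk: float, controls) -> float:
    # Constructed modelling choice: each control removes a fraction of what is left.
    for c in controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness outside 0..1")
        risk *= 1.0 - c.effectiveness
    return risk


def residual_risk(inherent: float, controls) -> float:
    """Predictive view: what remains once every planned response is in place."""
    return _apply(inherent, controls)


def current_risk(inherent: float, controls) -> float:
    """Point-in-time view: only actions already taken reduce the risk; pending ones do not."""
    return _apply(inherent, [c for c in controls if c.implemented])


def within_appetite(risk: float, appetite: float) -> bool:
    return risk <= appetite


# Constructed scenario: lost backup tapes, SLE 200,000, expected once every four years
CONTROLS = [
    Control("Tape encryption", 0.9, implemented=True),
    Control("Offsite courier contract", 0.5, implemented=False),
]
INHERENT = inherent_risk(200_000, 0.25)   # 50,000

if __name__ == "__main__":
    appetite = 3_000
    print("inherent:", INHERENT)
    print("residual:", residual_risk(INHERENT, CONTROLS), within_appetite(residual_risk(INHERENT, CONTROLS), appetite))
    print("current :", current_risk(INHERENT, CONTROLS), within_appetite(current_risk(INHERENT, CONTROLS), appetite))
```

With the pending control still outstanding, the residual figure sits inside the appetite while the current figure does not, which is exactly the gap a register should flag until the action closes.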