Course Overview
IMT552
Course Topics
Key Questions
What is a risk?
Why do we need to worry about risk?
What are the key components of managing risks?
Can it be measured?
How much risk is acceptable?
What is the language of risk management?
Risk Management
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative).
Risks can come from uncertainty in financial markets, project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
Review
IMT551
Context Evolution

Attribute               Agricultural Age   Industrial Age      Information Age
Wealth                  Land               Capital             Knowledge
Advancement             Conquest           Invention           Paradigm Shifts
Time                    Sun/Seasons        Factory Whistle     Time Zones
Workplace               Farm               Capital equipment   Networks
Organization Structure  Family             Corporation         Collaborations
Tools                   Plow               Machines            Computers
Problem-solving         Self               Delegation          Integration
Knowledge               Generalized        Specialized         Interdisciplinary
Learning                Self-taught        Classroom           Online
Docs
Embracing Internet
[Image: Species 8472 / Borg parody. Caption text: "RESISTANCE IS FUTILE. PREPARE TO BE ASSIMULATED?"]
Smashing Industrial Age Infrastructure!
Troubling Realities
[Image: slide graphic attributed to Dan Geer, Chief Scientist, Verdasys; the image text is not recoverable here]
[Figure, courtesy FBI / LE: attack sophistication versus intruder knowledge, 1980 to 2000+. The y-axis is intruder knowledge (high to low), the x-axis is time (1980, 1985, 1990, 2000+). The knowledge an intruder needs falls while the tools grow more capable: password guessing, self-replicating code, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, network mgmt. diagnostics, automated probes/scans, www attacks, denial of service, stealth / advanced scanning techniques, distributed attack tools, staged attack.]
Mini-survey
How many have received credit notifications? Credit card? Banks?
Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost €51 million to develop (about $66 million) in favor of good ol' paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million in taxpayer money.
http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/
http://bwcentral.org/voting-fraud/
http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/
http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/
The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.

Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.

"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."

In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.

"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.

"For some reason this case caught the media's attention," Regan said.

The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.

The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.

Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.
http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
Interdependence of Critical Infrastructure
A Metaphor...
Information Assurance
How do we stay safe online?
The CIA of IA (context, needs, customs, laws): Confidentiality, Integrity, Availability
Security Design: Threats + Vulnerabilities → Controls
Vulnerabilities: weaknesses an attacker can use
Threats: who or what could exploit them
Controls: what you put in place to protect your data
McCumber Cube: the CIA goals applied through the information states (storage, transmission, processing)
Trusting Controls
Assumes:
Design implements your goals
Sum total of controls implement all goals
Implementation is correct
Installation/administration are correct
Risks:
Likelihood
Potential impacts
We Need To Manage Risk
General Approach:
identify, characterize, and assess threats
assess the vulnerability of critical assets
Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.
Winter 2011
COSO
Enterprise Risk Management
Guiding Principles
Ideal assessment method should be: flexible, agile, standard, extendable, better understood
ERM: top-down / bottom-up assessments
ExRA Scoping document
Expectations, Communication, Accountabilities
External context: regulatory changes and outreach activities; business plans, strategies, etc; customer/partner SAT; domain objectives
Internal context: domain objectives; org changes; compliance tools changes; vendors and dependencies changes
Output: new risk scenarios
Risks
Drivers: Financial, Operational, Strategic, Ethical, Reputation, Technological, Legal/Regulatory, Human Capital
Likelihood? Objective failure? New circumstances? Compound effect? Worst case?
Historical data? Happened to us or competitors? Predictive techniques possible? Expert judgment
Controls? New/changed/planned controls? Evidence of effectiveness and efficiency?
Focus risk
[Figure: risk heat map used to pick the focus risks; only the cell numbers survive]
Options, always options
Cost/benefit? New tactics? Strategy changes? Feasibility of change? Dependencies? Accountabilities?
Specific mitigations
Assessment of mitigations / controls effectiveness, with events / changes in environment factored in
Course correction, or JOB DONE!
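The likelihood / potential impact scoring from the Trusting Controls and Risks slides, the focus-risk selection, and the assessment of mitigation effectiveness above, carried through as one worked register. This is an added example, not course material or any organisation's ERM tooling: the 1..5 scales, the rating bands, the risk appetite of 8, the (1 - effectiveness) crediting rule for controls, and the three register entries are all constructed assumptions.

```python
"""Worked risk register: likelihood x impact scoring, prioritisation against a
risk appetite, and residual risk after controls.  Added example; the scales,
thresholds and register entries are constructed assumptions, not course material."""
from dataclasses import dataclass, field
from typing import List

# Assumed 1..5 qualitative scales (ISO 31000 itself prescribes none).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    reduces: str          # which factor the control acts on: "likelihood" or "impact"
    effectiveness: float  # evidence-based estimate, 0.0 (useless) .. 1.0 (removes the factor)


@dataclass
class Risk:
    id: str
    scenario: str
    driver: str           # Financial, Operational, Technological, Legal/Regulatory, ...
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> float:
        """Score before any control is credited."""
        return float(LIKELIHOOD[self.likelihood] * IMPACT[self.impact])

    def residual_score(self) -> float:
        """Score after crediting controls (assumed rule): each control scales the
        factor it acts on by (1 - effectiveness).  A factor never drops below 1,
        because a control cannot make the threat or its consequence vanish."""
        lik = float(LIKELIHOOD[self.likelihood])
        imp = float(IMPACT[self.impact])
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must be in [0, 1]")
            if c.reduces == "likelihood":
                lik *= 1.0 - c.effectiveness
            elif c.reduces == "impact":
                imp *= 1.0 - c.effectiveness
            else:
                raise ValueError(f"{c.name}: reduces must be 'likelihood' or 'impact'")
        return max(lik, 1.0) * max(imp, 1.0)


def rating(score: float) -> str:
    """Assumed banding for a 1..25 score: the heat-map colour."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent risk, so a risk with
    no controls outranks one that merely has weak ones."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def needs_treatment(register: List[Risk], appetite: float) -> List[Risk]:
    """Risks whose residual score still exceeds the appetite need options
    (new tactics, strategy change, more controls) rather than acceptance."""
    return [r for r in prioritize(register) if r.residual_score() > appetite]


def uncontrolled(register: List[Risk]) -> List[str]:
    """Risks with no control at all: a gap in 'sum total of controls implement all goals'."""
    return [r.id for r in register if not r.controls]


def build_register() -> List[Risk]:
    """Constructed sample register (assumed values, not course data)."""
    return [
        Risk("R1", "Malware on a classroom PC serves pop-ups to students", "Technological",
             "likely", "major",
             [Control("Web filter with current signatures", "likelihood", 0.5)]),
        Risk("R2", "Outsourced network admin abuses privileged access", "Operational",
             "possible", "severe"),
        Risk("R3", "Customer card database copied by an intruder", "Legal/Regulatory",
             "unlikely", "severe",
             [Control("Card data encrypted at rest, keys held separately", "impact", 0.6)]),
    ]


if __name__ == "__main__":
    reg = build_register()
    for r in prioritize(reg):
        print(f"{r.id} {rating(r.residual_score()):6} inherent={r.inherent_score():4.1f} "
              f"residual={r.residual_score():4.1f} {r.scenario}")
    print("uncontrolled:", uncontrolled(reg))
    print("needs treatment at appetite 8:", [r.id for r in needs_treatment(reg, 8)])
```

Run it and R2 comes out on top (residual 15, no controls, above the appetite), R1 drops from 16 to 8 once the web filter is credited, and R3 falls to 4. The point of keeping inherent and residual side by side is the "Trusting Controls" caveat: the residual number is only as good as the evidence behind each control's effectiveness, so the quarterly reassessment step should re-check those estimates, not just the scenario list.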
Communication & Consultation
Inputs: PAGO SME input; BG stakeholder input; strategy planning docs
Assessments: Enterprise Risk Assessment; annual ERM assessment
Outputs and cadence: basic risk payload (quarterly); QBR risk scorecards; TwC Risk Report (bi-annual); ERM Board reports (annual)
BG-specific reporting: inform BGs; policy updates
Questions?