
Lecture 1

Building a Risk Management Toolkit

Dr. Barbara Endicott-Popovsky, Dir. CIAC, Dir. MIPM, Assoc. Prof.
Seth Shapiro, Sr. VP Kibble and Prentice
Ilanko Subramaniam, Maclear LLC

Dr. Barbara Endicott-Popovsky
Department Fellow, Aberystwyth University
Director, Center for Information Assurance and Cybersecurity, University of Washington
Academic Director, Master of Infrastructure Planning and Management
Research Associate Professor, University of Washington Information School
email: endicott@uw.edu
Office: Suite 400 RCB
Phone: 206-284-6123
Website: http://faculty.washington.edu/endicott
Barbara Endicott-Popovsky, Ph.D., is Director for the Center of Information Assurance and Cybersecurity at the University of Washington, designated by the NSA as a Center for Academic Excellence in Information Assurance Education and Research, Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments, and holds an appointment as Research Associate Professor with the Information School. Her academic career follows a 20-year career in industry marked by executive and consulting positions in IT architecture and project management.

Her research interests include enterprise-wide information systems security and compliance management, forensic-ready networks, the science of digital forensics and secure coding practices. For her work on the relevance of archival sciences to digital forensics, she is a member of the American Academy of Forensic Scientists. Barbara earned her Ph.D. in Computer Science/Computer Security from the University of Idaho (2007), and holds a Master of Science in Information Systems Engineering from Seattle Pacific University (1987), a Master of Business Administration from the University of Washington (1985) and a Bachelor of Arts from the University of Pittsburgh.

Course Overview (IMT552)

Course Topics
- Introduction, Review of IA, Overview
- Risk Management Theory
- GRC Approaches: COSO, NIST and ISO
- Learning the Language of Risk Management: Alternate Models
- Qualitative and Quantitative Risk Assessment: Root Cause Analysis, Threats, Vulnerabilities
- End-to-end Risk Assessment Approach: Risk ID, Drivers, Contributing Factors, Measuring Risk
- Risk Reporting: Communicating with Management; Communicating Risks, Findings, Compliance
- Risk Intelligence

Key Questions
- What is a risk?
- Why do we need to worry about risk?
- What are the key components of managing risks?
- Can it be measured?
- How much risk is acceptable?
- What is the language of risk management?

Risk Management
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative).

Risks can come from uncertainty in financial markets, project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root cause.

Review (IMT551)

Context Evolution

Attribute               Agricultural Age   Industrial Age      Information Age
Wealth                  Land               Capital             Knowledge
Advancement             Conquest           Invention           Paradigm Shifts
Time                    Sun/Seasons        Factory Whistle     Time Zones
Workplace               Farm               Capital equipment   Networks
Organization Structure  Family             Corporation         Collaborations
Tools                   Plow               Machines            Computers
Problem-solving         Self               Delegation          Integration
Knowledge               Generalized        Specialized         Interdisciplinary
Learning                Self-taught        Classroom           Online

Our Love Affair with the Internet

[Slide images: "Docs Embracing Internet"; "US Internet Users Embrace Digital Imaging"; "Baby Boomers Embracing Mobile Technology"]

[Slide image: Species 8472. RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?]
Courtesy: K. Bailey/E. Hayden, CISOs

Smashing Industrial Age Infrastructure!

Unintended Consequences of Embracing the Internet..

Troubling Realities

[Slide image: 41,000,000 of 'em out there!]

"In the world of networked computers every sociopath is your neighbor."
Dan Geer, Chief Scientist, Verdasys

Growing Threat Spectrum

[Chart: "Cyber Attack Sophistication Continues To Evolve" (Source: CERT 2004). Horizontal axis: 1980, 1985, 1990, 1995, 2000+. Vertical axis: Attack Sophistication (Low to High), plotted against Intruder Knowledge (Attackers' Technical Skills) and Tools. Techniques shown include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, network mgmt. diagnostics, www attacks, denial of service, staged attack, distributed attack tools, stealth / advanced scanning techniques, cross site scripting, bots.]

Cybercrime and Money

McAfee CEO: Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide.

Symantec Internet Security Threat Report

Threat landscape is more dynamic than ever: attackers rapidly adapting new techniques and strategies to circumvent new security measures.

Today's Threat Landscape..
- Increased professionalism and commercialization of malicious activities
- Threats tailored for specific regions
- Increasing numbers of multi-staged attacks
- Attackers targeting victims by first exploiting trusted entities
- Convergence of attack methods

"If the Internet were a street, I wouldn't walk it in daytime." K. Bailey, CISO UW

- 75% of traffic is malicious
- Unprotected computer infected in < 1 minute
- Organized crime makes more money on the Internet than through drugs
- The take from the Internet doubles e-commerce

Courtesy: FBI, LE

What does all this mean to you?

Mini-survey
- How many have received credit notifications? Credit card? Banks?
- How many have been victims of identity theft?
- How many have received phishing emails? Nigerian scam? Phony bank notices? e-Bay/PayPal?
- How many have known of someone solicited online?

Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now
by Tim Stevens, posted Apr 28th 2009 at 7:23AM

Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal, and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting network that has cost 51 million to develop (about $66 million) in favor of good ol' paper ballots. With that crisis averted Irish politicians can get back to what they do best: blaming each other for wasting 51 million in taxpayer money.
http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/

http://bwcentral.org/voting-fraud/

Student Fined $675,000 in Downloading Case
By Dave Itzkoff, July 31, 2009, 12:34 pm

[Photo: Bizuayehu Tesfaye/Associated Press. Joel Tenenbaum was found liable for copyright violations in a trial in Boston.]

Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay $675,000 to four record labels for illegally downloading and sharing music, The Associated Press reported.

A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from the Internet between 1999 and 2007, did so in violation of copyright laws and is liable for damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or siblings may have downloaded the songs to his computer. The record labels involved in the case have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much as $150,000 per track if it found the infringements were willful. In arguments on Friday, The A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to send a message to the music industry by awarding only minimal damages.

http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/

Majority think outsourcing threatens network security
Angela Moscaritolo, September 29, 2009

A majority of IT security professionals believe that outsourcing technology jobs to offshore locations has a negative impact on network security, according to a survey released Tuesday.

In the survey of 350 IT managers and network administrators concerned with computer and network security at their organizations, 69 percent of respondents said they believe outsourcing negatively impacts network security, nine percent said it had a positive impact and 22 percent said it had no impact.

The survey, conducted this month by Amplitude Research and commissioned by VanDyke Software, a provider of secure file transfer solutions, found that 29 percent of respondents' employers outsource technology jobs to India, China and other locations.

Of those respondents whose companies outsource technology jobs, half said that they believe doing so has had a negative impact on network security.

Sixty-one percent of respondents whose companies outsource technology jobs also said their organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose company does not outsource did. However, the survey noted that organizations that do outsource were significantly more likely than those that do not to report intrusions.

"We're not going to say we have any proven cause and effect," Steve Birnkrant, CEO of Amplitude Research, told SCMagazineUS.com on Tuesday. "Correlation doesn't prove causation, but it's definitely intriguing that the companies that outsource jobs offshore are more likely to report unauthorized intrusions."

In a separate survey released last December from Lumension Security and the Ponemon Institute, IT security professionals said that outsourcing would be the biggest cybersecurity threat of 2009.

In light of the recession, companies are outsourcing to reduce costs, but the practice opens organizations up to the threat of sensitive or confidential information not being properly protected, and unauthorized parties gaining access to private files, the survey concluded.

In contrast to their overall views about the impact that outsourcing has on network security, Amplitude/VanDyke Software survey respondents were largely positive about the impact of outside security audits. Seventy-two percent of respondents whose companies paid for outside audits said they were worthwhile investments and 54 percent said they resulted in the discovery of significant security problems.

http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/

Connecticut drops felony charges against Julie Amero, four years after her arrest
By Rick Green on November 21, 2008 5:16 PM

The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.

Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.

"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."

In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."

But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."

New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.

"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.

"For some reason this case caught the media's attention," Regan said.

The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.

The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.

Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.

http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html

Interdependence of Critical Infrastructure

A Metaphor..

Information Assurance
How do we stay safe online?

The CIA of IA (context, needs, customs, laws): Confidentiality, Integrity, Availability

Security Design (Threats + Vulnerabilities -> Controls): Vulnerabilities, Threats, Controls

The Castle Approach: Defense in Depth
- Perimeter defense: firewalls
- Layered defense: AV, IDS, IPS

However, these aren't working!

Protect your data

McCumber Cube: through info states

Organizational Information Assurance
- No BOK for IA/IS
- CISO : ISRM as CEO : MBA
- Curriculum Framework

Trusting Controls
Assumes:
- Design implements your goals
- Sum total of controls implement all goals
- Implementation is correct
- Installation/administration are correct

Bottom line assumption:
You Will Never Own a Perfectly Secure System!!!

Balance Risk vs. Cost

Costs: solution, value, potential losses
Risks: likelihood, potential impacts

We Need To Manage Risk

Everyone has an opinion.

"Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." Theodore Roosevelt

"The purpose of risk management is to change the future, not to explain the past." The Book of Risk, Dan Borge

General Approach
- identify, characterize, and assess threats
- assess the vulnerability of critical assets
- determine the risk (i.e. expected consequences of specific types of attacks on specific assets)
- identify ways to reduce those risks
- prioritize risk reduction measures

Definitions and Terms

Risk (n): Undesirable effect of uncertainty on achieving business objectives.

Risk (v): To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.

Risk Management System or Framework: A system that addresses risk and reward.

Risk Management Process: A process that establishes context and communicates with stakeholders about risk management, and that identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.

Winter 2011 | Certificate for Information Assurance and Cybersecurity | 52

Many models; this is just one.

ISO 31000 Risk Assessment Process

1) Risk Identification (RI)
Identify events and factors that may affect the achievement of business objectives, including those that arise from noncompliance with requirements established by law, standards, internal policies or other mandatory or voluntary boundaries.

Common practices and failures
Common approach:
- Keep an eye on the ball
- Listen and look through the organization
- Categorize risks into logical buckets
- Look from all angles
Common sources of failures:
- Failing to consider all risk factors
- Missing key aspects in analysis

2) Risk Analysis (RA)
Define the current risk profile by analyzing the inherent risk and the residual risk after considering current risk management activities.

Common practices and failures
Approach:
- Analyze risks from bottom-up and top-down
- Establish clear criteria for acceptability of risk
- Document and share securely
- Remember consistent measurement of inherent and residual risks
Sources of failures:
- Being consistent
- Considering only one view
- Using limited methods
- Assessing risks after controls

3) Risk Management (RM)
Evaluate and implement selected risk management action options.

Common practices and failures
Common approach:
- Evaluate risk optimization tactics and activities
- Determine planned residual risks
- Determine optimizing activities
- Develop key risk indicators
- Develop risk optimization plan
Common sources of failures:
- Lack of adequate prioritization
- Not enough monitoring
- Scope of solution is inadequate
- No accountability
- Lack of funding
- Failing to consider human factors

Established Governance and Risk Management methodologies provide a foundation for building RM Programs:
- McCumber cube: evaluating information assurance programs
- Control Objectives for Information and related Technology (COBIT)
- COSO Enterprise Risk Management

Companies often adopt a hybrid.

Guiding Principles
- create value: the gain should exceed the pain
- be an integral part of organizational processes
- be part of decision making
- explicitly address uncertainty and assumptions
- be systematic and structured
- be based on the best available information
- be tailorable
- take into account human factors
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
- be continually or periodically re-assessed

Ideal assessment method should be better understood: ERM, top-down / bottom-up assessments

Example: ISO 31010-based risk assessment methodology and process
- flexible
- agile
- standard
- extendable
- optimal for quarterly updates
- efficient

Phase 1: Scoping and Planning
Sets expectations and the domain's environmental, external and internal context:
- Assessment goals
- Scope
- Expectations
- Communication
- Accountabilities
Deliverable: ExRA Scoping document
Participants: Risk Advisory Council; Business and TwC domain SMEs

Quarterly assessment: What's changed?
External context: external incidents; competitive moves; regulatory changes and outreach activities; customer/partner SAT
Internal context: business plans, strategies, etc.; domain objectives; org changes; compliance tools changes; vendors and dependencies changes

Phase 2: Risk Identification
Risk identification through evidence and collaboration: BG and TwC SME brainstorm -> new risk scenarios -> risks.

Privacy risk scenario example 1: Organized hackers (actor) exploiting weaknesses in external infrastructure (asset), stealing customer private information (asset), publicly exposing it and repeating (timing) the process, humiliating the Company. (Sony PSP April 2011 hack scenario)

Accessibility risk scenario example 2: US Congress expands ADA to cover all online interactions, thus forcing Microsoft to retrofit all of its products and services within 36 months to meet the bar.

Phase 3: Risk Analysis
Measure risk likelihood and consequence to the Company.

Impact? Drivers: Financial, Operational, Strategic, Ethical, Reputation, Technological, Legal/Regulatory, Human Capital

Likelihood? Objective failure? New circumstances? Compound effect? Worst case? Historical data? Happened to us or competitors? Predictive techniques possible? Expert judgment

Controls? New/changed/planned controls? Evidence of effectiveness and efficiency?

Focus: Risk

Phase 4: Risk Evaluation
Recommend mitigations

[Diagram: "Your risk today" (scores 3, 5, 6, 2, 5) vs. "Your risk target"; "Focus"; "Options, always options"; "This much you have to do"]

Cost/benefit? New tactics? Strategy changes? Feasibility of change? Dependencies? Low hanging fruit? Alignment with other groups? Accountabilities?
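An added worked example (not from the lecture) that applies the Phase 3 and Phase 4 steps above in code: score inherent risk from likelihood and the worst-case driver impact, reduce it only by controls that have evidence of effectiveness to get residual risk, and rank the scenarios whose residual risk still exceeds a risk target. The 1-5 scales, the control effectiveness figures and the register entries (which mirror the two Phase 2 scenario examples) are constructed assumptions; ISO 31000 prescribes no scoring formula.

```python
from dataclasses import dataclass, field

# Impact drivers listed under Phase 3
DRIVERS = ("Financial", "Operational", "Strategic", "Ethical", "Reputation",
           "Technological", "Legal/Regulatory", "Human Capital")

@dataclass
class Control:
    name: str
    likelihood_cut: float   # fraction of likelihood removed (0..1), assumed figure
    impact_cut: float       # fraction of impact removed (0..1), assumed figure
    evidence: bool          # is there evidence of effectiveness and efficiency?

@dataclass
class Scenario:
    name: str
    likelihood: int                        # 1 (rare) .. 5 (almost certain), assumed scale
    impact: dict                           # driver -> 1..5, assumed scale
    controls: list = field(default_factory=list)

    def __post_init__(self):
        unknown = set(self.impact) - set(DRIVERS)
        if unknown:
            raise ValueError(f"unknown impact drivers: {unknown}")

def inherent_risk(s: Scenario) -> int:
    """Likelihood x worst-case consequence across drivers, before any control."""
    return s.likelihood * max(s.impact.values())

def residual_risk(s: Scenario) -> float:
    """Inherent risk after current controls. A control without evidence of
    effectiveness gets no credit, per the Phase 3 'Controls?' question."""
    lik, imp = float(s.likelihood), float(max(s.impact.values()))
    for c in s.controls:
        if c.evidence:
            lik *= 1 - c.likelihood_cut
            imp *= 1 - c.impact_cut
    return round(lik * imp, 1)

def evaluate(register: list, target: float) -> list:
    """Phase 4: scenarios still above the risk target, ranked by the gap
    ('this much you have to do'). Rows are (name, inherent, residual, gap)."""
    rows = []
    for s in register:
        r = residual_risk(s)
        if r > target:
            rows.append((s.name, inherent_risk(s), r, round(r - target, 1)))
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed register mirroring the two Phase 2 scenario examples
REGISTER = [
    Scenario("Privacy: organized hackers exploit external infrastructure", 4,
             {"Reputation": 5, "Legal/Regulatory": 4, "Financial": 4},
             [Control("External perimeter patching", 0.5, 0.0, True),
              Control("Customer data encryption at rest", 0.0, 0.6, False)]),
    Scenario("Accessibility: ADA expanded to all online interactions", 2,
             {"Legal/Regulatory": 4, "Financial": 3, "Operational": 3},
             [Control("Accessibility requirements in product design", 0.25, 0.25, True)]),
]
RISK_TARGET = 6.0   # assumed acceptable residual score

if __name__ == "__main__":
    for name, inh, res, gap in evaluate(REGISTER, RISK_TARGET):
        print(f"{name}: inherent {inh}, residual {res}, gap to target {gap}")
```

The unevidenced encryption control leaves the privacy scenario at residual 10.0 against a target of 6.0, which is exactly the "evidence of effectiveness" gap Phase 4 would ask the control owner to close.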

Phase 5: Risk Treatment
- Specific mitigations
- Select AND implement recommendations
- Mitigations tracked by how they affect the risks

Monitoring and Review
Events, data and capabilities drive periodic assessments: assessment of mitigations / controls effectiveness, with events / changes in the environment factored in. Outcome: course correction or JOB DONE!

Communication & Consultation
Persistent process throughout the risk management lifecycle; BG-specific reporting.

Example of E2E Process

Inputs:
- Micro-level risk assessments (FRA, CRA, Trust-X, SRA..)
- Controls: training stats, compliance, incident data
- Data from the BGs (assessment, strategy, incidents)
- External and environmental data
- PAGO SME input
- BG stakeholder input

Basic Risk Payload, delivered on a Quarterly, Bi-Annual and Annual cadence:
- TwC Risk Report
- Enterprise Risk Assessment
- ERM Annual Assessment
- Strategy Planning Docs
- QBR Risk Scorecards; Inform BGs
- ERM Board Reports
- Policy Updates

Questions?
