Security Risk Management
Marcus Murray, CISSP, MVP (Security)
Senior Security Advisor, Truesec
marcus.murray@truesec.se
Agenda
- What is Risk Management?
- Security Strategy
  - Mission and Vision
  - Security Principles
  - Risk Based Decision Model
  - Tactical Prioritization
- Representative Risks and Tactics
Marcus Murray, MVP marcus.murray@truesec.se
What is Risk Management?
The process of measuring assets and calculating risk!
Something we all do! (More or less)
Risk Based Security Strategy
- Corporate Security Mission and Vision
- Security Operating Principles
- Risk Based Decision Model
- Tactical Prioritization
Information Security Mission
Prevent malicious or unauthorized use that results in the loss of Company intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.

(Diagram: a cycle of Assess Risk -> Define Policy -> Audit Controls)
Information Security Vision
An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.

Key Client Assurances
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Clearly defined roles and accountability
- Timely response to risks and threats
Security Operating Principles

Management Commitment
- Manage risk according to business objectives
- Define organizational roles and responsibilities

Users and Data
- Manage to the practice of Least Privilege
- Privacy strictly enforced

Application and System Development
- Security built into the development lifecycle
- Layered defense and reduced attack surface

Operations and Maintenance
- Security integrated into the Operations Framework
- Monitor, audit, and response functions aligned to operational functions
Enterprise Risk Model

(Chart: vertical axis "Impact to Business", Low to High, defined by the Business Owner; horizontal axis "Probability of Exploit", Low to High, defined by Corporate Security.)
- Upper right (high impact, high probability): Unacceptable Risk
- Lower left (low impact, low probability): Acceptable Risk
- Risk assessment drives risks out of the unacceptable zone to acceptable risk
Components of Risk Assessment

- Asset: What are you trying to assess?
- Threat: What are you afraid of happening?
- Vulnerability: How could the threat occur?
- Mitigation: What is currently reducing the risk?

  Impact (What is the impact to the business?)
+ Probability (How likely is the threat given the controls?)
= Current Level of Risk

What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
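The two slides above (the Enterprise Risk Model and the Components of Risk Assessment) describe a scoring model but do not show it applied. The following Python risk register is an added example, not part of the presentation: it records each risk by the four assessment questions, derives probability from the uncontrolled likelihood minus the effect of current mitigations, multiplies by business impact to get the current level of risk, places the result in the Acceptable or Unacceptable zone, and orders the register for tactical prioritization. The three-step scale, the mitigation step weights, the zone threshold of 4 and the register entries are all constructed assumptions for illustration.

```python
"""Added example: a minimal risk register applying the Impact x Probability model.
Names, weights, threshold and sample entries are constructed for illustration,
not taken from the presentation."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Three-step scale assumed for both axes of the risk model."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    """One row of the register; fields follow the four assessment questions."""
    asset: str                    # What are you trying to assess?
    threat: str                   # What are you afraid of happening?
    vulnerability: str            # How could the threat occur?
    impact: Level                 # Impact to business (rated by the business owner)
    exposure: Level               # Likelihood of exploit with no controls in place
    mitigations: list[tuple[str, int]] = field(default_factory=list)
    # Each mitigation: (control name, steps by which it lowers the likelihood).
    # The step weights are an assumption of this example.

    def probability(self) -> Level:
        """Probability of exploit given current controls (Corporate Security's axis)."""
        steps = sum(reduction for _, reduction in self.mitigations)
        return Level(max(Level.LOW, min(Level.HIGH, self.exposure - steps)))

    def score(self) -> int:
        """Current level of risk = Impact x Probability (1..9 on this scale)."""
        return int(self.impact) * int(self.probability())


def classify(risk: Risk, threshold: int = 4) -> str:
    """Place a risk in the Unacceptable or Acceptable zone of the model.
    The threshold is an assumed policy value: MEDIUM on both axes (2 x 2)
    or worse is unacceptable until mitigation brings the probability down."""
    return "Unacceptable" if risk.score() >= threshold else "Acceptable"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Tactical prioritization: highest current risk first, ties broken by impact."""
    return sorted(risks, key=lambda r: (r.score(), int(r.impact)), reverse=True)


def build_register() -> list[Risk]:
    """Constructed sample entries modelled on the deck's representative risks."""
    return [
        Risk("Domain controllers", "Remote code execution on a server",
             "Unpatched devices", Level.HIGH, Level.HIGH,
             [("Patch management (SMS/WUS/SUS)", 1)]),
        Risk("RAS accounts", "Account compromise via a stolen password",
             "Single-factor authentication", Level.MEDIUM, Level.HIGH),
        Risk("Lab network", "Attacker moves into the corporate environment",
             "Unmanaged trusts", Level.LOW, Level.HIGH,
             [("Network segmentation via IPSec", 2)]),
    ]


def report(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Prioritized (asset, current risk score, zone) rows for the register."""
    return [(r.asset, r.score(), classify(r)) for r in prioritize(risks)]


if __name__ == "__main__":
    for asset, score, zone in report(build_register()):
        print(f"{score}  {zone:<12} {asset}")
```

Running it lists the domain controller risk first (high impact, probability only reduced to medium by patching), the RAS risk second, and the segmented lab network as acceptable; replacing the single-factor entry's mitigations with a two-factor control of weight 2 is the kind of change the model expects to move a row into the acceptable zone.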
Risk Management Process and Roles

CorpSec
1. Prioritize Risks
2. Security Policy
5. Compliance

Engineering and Operations
3. Security Solutions & Initiatives
4. Sustained Operations

Tactical Prioritization (between the CorpSec and Engineering and Operations roles)
Tactical Prioritization by Environment
Prioritized Risks are mapped to each environment:
- Data Center
- Client
- Unmanaged Client
- RAS
- Extranet
resulting in policies and mitigation tactics appropriate for each environment.
Risk Analysis by Asset Class

Network Assets
- Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: unauthenticated access to applications, unchecked memory allocations
- Network: data sniffing on the wire, network fingerprinting
- Account: compromise of integrity or privacy of accounts
- Trust: unmanaged trusts enable movement among environments
Representative Risks and Tactics

Enterprise Risks -> Tactical Solutions
- Unpatched Devices -> Secure Environment Remediation
- Unmanaged Devices -> Network Segmentation via IPSec
- Remote & Mobile Users -> Secure Remote User
- Single-Factor Authentication -> 2-Factor for RAS & Administrators
- Managed Source Initiatives -> Focus Controls Across Key Assets

(Embody Trustworthy Computing)
Security Solutions and Initiatives
Mitigate risk to the infrastructure through implementation of key strategies

1. Secure the Network Perimeter
- Secure Wireless
- Smart Cards for RAS
- Secure Remote User
- Next Generation AV
- Messaging Firewall
- Direct Connections
- Network Segmentation
- IDC Network Cleanup
- Regional Security Assessment

2. Secure the Network Interior
- Eliminate Weak Passwords
- Acct Segregation
- Patch Management (SMS/WUS/SUS)
- NT4 Domain Migration
- Smart Cards for Admin Access

3. Secure Key Assets
- Automate Vulnerability Scans
- Secure Source Code Assets
- Lab Security Audit

4. Enhance Monitoring and Auditing
- Network Intrusion Detection System
- Host Intrusion Detection Systems
- Automate Security Event Analysis
- Use MOM for Server Integrity Checking
- Use ACS for real-time security log monitoring
More information
- www.microsoft.se/technet
- www.microsoft.se/security
- www.truesec.se/events
- www.itproffs.se

Marcus Murray
marcus.murray@truesec.se