Risk Management Lifecycle: Risk Identification

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
00:01
>> The first step of the Risk Management Lifecycle
00:01
>> is risk identification.
00:01
>> This is our first step.
00:01
>> What we're doing here is just that.
00:01
>> All we are trying to do is to identify risk.
00:01
We're not talking about value,
00:01
we're not talking about responding.
00:01
What we want to do is take a step-by-step process
00:01
>> where we can figure out what risks exist.
00:01
>> Usually, we do this based on our assets.
00:01
We often start with our assets,
00:01
then we look at the things that would threaten
00:01
the assets and what vulnerabilities exist.
00:01
But in this first piece,
00:01
those are the three elements we're exploring.
00:01
We're just looking at assets,
00:01
things that would harm the assets
00:01
>> are threats and weaknesses
00:01
>> or vulnerabilities that allow that threat to exist
00:01
>> or to damage an asset.
00:01
>> We're going to document this information
00:01
through something called a risk register.
00:01
A risk register can be provided to us
00:01
>> through risk-related software.
00:01
>> We can design our own risk register,
00:01
we can bring one in through Excel or create it.
00:01
But ultimately that risk register is going to be
00:01
a central repository for information on risk.
00:01
Again, the first phase of
00:01
>> the risk management lifecycle.
00:01
>> When we talk about identifying risks,
00:01
>> again, it's only a risk as it's a risk
00:01
>> to the organization, to the business.
00:01
We're not getting into the weeds on
00:01
>> technology risks or system risks
00:01
>> unless they have a direct impact
00:01
>> on the organizational goals.
00:01
>> The very first step
00:01
>> that we will always take is to understand
00:01
>> the business and to make sure that we have
00:01
an understanding of the organizational goals,
00:01
of the vision, of the strategy.
00:01
We never jump into security,
00:01
we always, always,
00:01
always look at the business,
00:01
and we think of risks in terms of the business.
00:01
Remember, information technology
00:01
and information security,
00:01
our primary job is to deliver value to the company.
00:01
We generally deliver value through reduction of loss,
00:01
so we tie those risks in to financial loss,
00:01
availability loss, reputational loss,
00:01
and we figure out how to respond to those risk
00:01
>> as they relate to the organization as a whole.
00:01
>> Now, I mentioned earlier,
00:01
risk is really best addressed
00:01
>> if it's integrated into the enterprise as a whole.
00:01
>> Meaning, we're not just risk aware
00:01
>> in information security department,
00:01
>> but our inducers are risk aware, our managers,
00:01
our lines of business,
00:01
and that's the job of senior management.
00:01
That's the job of those entities
00:01
>> that govern the organization.
00:01
>> Once again, I cannot
00:01
overestimate the importance of senior management buy-in
00:01
senior management leadership
00:01
>> because what we really want to do
00:01
>> is to create a culture in our environment,
00:01
>> that's aware and focused on risk.
00:01
That way, when we don't just have a set of rules of
00:01
>> what to do and what to not do,
00:01
>> we have an environment
00:01
>> where end-users are capable of making
00:01
>> good risk aware business decisions.
00:01
>> That's where we want to be,
00:01
and that can only come from buy-in at the top.
00:01
All right, now, here's an example of a risk register,
00:01
and like I have here, asset value,
00:01
times threat, times vulnerability is your risk.
00:01
Now, this isn't something
00:01
>> that you're going to plug values into.
00:01
>> This is just a conceptual formula that tells you,
00:01
you only have a risk where you have a valuable asset.
00:01
There's a threat that could cause harm to the asset
00:01
>> and there's a weakness
00:01
>> that allows the threat to materialize.
00:01
>> We are just listing here.
00:01
As a matter of fact,
00:01
>> and I'll tell you this risk registers fine,
00:01
>> but you'll see other risk registers maybe
00:01
>> that you like better or one that you customize,
00:01
>> but usually on the risk register,
00:01
you can see the first category to identify risks.
00:01
Each phase of the risk management lifecycle usually
00:01
has associated entries on the risk register.
00:01
For instance, in risk identification, really,
00:01
all we're figuring out is the first
00:01
>> and maybe the category where we're just filling in
00:01
>> that first column of the risk register.
00:01
Now, for me,
00:01
I might also include a column on the owner of the risk
00:01
>> because that's really how you get accountability.
00:01
>> That's how you get additional assurance that
00:01
the risk is going to be managed properly,
00:01
is that you assign it to an individual.
00:01
Somebody has a little skill in the game
00:01
>> in order to properly ensure the risk is mitigated.
00:01
>> If I find out that this is a technology risk,
00:01
>> for instance, then I may assign it
00:01
>> to the Chief Technology Officer
00:01
>> and they may be the owner of that risk.
00:01
The risk owner does need to be
00:01
somebody high enough within the organization,
00:01
so that they can authorize changes,
00:01
>> authorize risk response,
00:01
>> so that they can monitor to ensure
00:01
the control appropriately manages risk.
00:01
But again, all we're doing here at
00:01
the risk identification piece is
00:01
focusing on the assets, threats, and vulnerabilities.
00:01
Now, one of the ways that we can go through
00:01
>> and brainstorm what threats exist,
00:01
>> what vulnerabilities exist,
00:01
is we can do some modeling.
00:01
One of the models that I have is over on
00:01
the left-hand side of this little grid
00:01
and it's called the STRIDE model.
00:01
We'll get more in depth into
00:01
STRIDE when we get into software development security,
00:01
but I wanted to point out here,
00:01
when you're developing software,
00:01
>> and by the way,
00:01
>> there are numerous other models
00:01
for process development, system development.
00:01
This is one that's relevant.
00:01
This could threat model for software development.
00:01
When I'm developing software,
00:01
there are some threats that are most common,
00:01
most likely to impact my resources.
00:01
With an application,
00:01
>> spoofing is really common impersonation, tampering.
00:01
>> We'll talk about repudiation,
00:01
information disclosure, denial of service,
00:01
and escalation of privilege.
00:01
That comes later.
00:01
We'll get into the details here.
00:01
But the bottom line is,
00:01
this is just an example of
00:01
a threat model that says, "Listen,
00:01
if you're developing software
00:01
>> and you're not aware of what threats to look at,
00:01
>> start here, because these are the most common ones."
00:01
Alright, figure out our assets,
00:01
look at our threats,
00:01
and then we've got to look at our vulnerabilities.
00:01
What vulnerabilities exist.
00:01
We should know not all vulnerabilities
00:01
>> are created equal.
00:01
>> That's where the DREAD vulnerability model comes in,
00:01
and this helps us assess our vulnerabilities.
00:01
You know, it's estimated that
00:01
>> for every 10, 15 lines of code,
00:01
>> there's some form of error.
00:01
That doesn't mean that the code isn't well written
00:01
>> or the code isn't going to work,
00:01
>> but with coding,
00:01
it's very easy to have coding mistakes or areas
00:01
>> where formal coding policy's not followed.
00:01
>> The idea is, is that a big deal?
00:01
Many applications have millions of lines of code.
00:01
I can't make sure the code is perfect.
00:01
When there are vulnerabilities that are found,
00:01
we have to think about,
00:01
>> well, what's the damage potential?
00:01
>> How much harm would this allow?
00:01
Is it even something that could be
00:01
reproducible by a hacker?
00:01
Because if a hacker can't exploit the vulnerability,
00:01
then it doesn't really matter.
00:01
I won't say it doesn't matter,
00:01
but if the vulnerability isn't going to occur,
00:01
then that's certainly lower priority.
00:01
Is it exploitable?
00:01
How large would the user base be
00:01
>> that would be effective?
00:01
>> Is it easy to discover?
00:01
These are ways
00:01
>> that we can prioritize our vulnerabilities.
00:01
>> With our risk register,
00:01
we're not really going to list out our assets.
00:01
Those should be done earlier on
00:01
separate document based on asset management.
00:01
But we're going to list out
00:01
our risks which are made up of,
00:01
where threat meets a vulnerability.
00:01
Then we're going to assign a risk owner to that risk,
00:01
and all of this information is going to be captured
00:01
>> and documented on the risk register.
00:01
>> Remember, risk identification stops here.
00:01
In the next section is where we're going to figure out
00:01
the probability and impact of the risk
00:01
>> and get our risk value.
Up Next