A risk assessment is the results/process to determine the likelihood that a threat will exploit a weakness. Risk assessment is a part of the risk management.

What is risk management?

Risk Management is the on-going process of determining assessing, identifying and prioritizing of risks.

STEP of a RISK ASSESSMENT

This is a synopsis of NIST Special Publication 800-30. These are steps that should be a part of an IT risk management plan

Step 1 System Characterization

An organization must know all the parts of a new information system before the threats, vulnerabilities can be identified and impact (or harm) to the organization can be analyzed. System characterization includes the a list of the hardware, software, firmware and network diagram. System characterization also includes the operational environment that the system is in, any management, operational, technical controls implemented.

Additional features and methods of system characterization are described in 3.1 of NIST SP 800-30. The output looks a lot like a System Security Plan. NIST 800-18, Guide for Developing Security Plans for Federal Information Systems characterizes system in section 2.-System Boundary Analysis & Security Controls and section 3.- Plan Development.

Output from Step 1-Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of system boundary

Step 2 Threat Identification

A threat is “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” A threat-source is “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.” an adverse action or event that could exploit or trigger vulnerability. NIST identifies three “common threat-sources” Natural, Environmental, Human.

Common Threat-Sources
- Natural Threats—Floods, earthquakes, tornadoes,
landslides, avalanches, electrical storms, and other such
events.
- Human Threats—Events that are either enabled by or
caused by human beings, such as unintentional acts
(inadvertent data entry) or deliberate actions (network
based attacks, malicious software upload, unauthorized
access to confidential information).
- Environmental Threats—Long-term power failure,
pollution, chemicals, liquid leakage.

Sources of information include, but are not limited to, the following:
• Intelligence agencies (for example, the Federal Bureau of Investigation’s National Infrastructure Protection Center)
• Federal Computer Incident Response Center (FedCIRC)
• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org. – NIST 800-30

By addressing the motivation behind a potential attack, the capability of the event to occur, and the available resource of a potential attacker, an organization can have a better idea of the likelihood of real threat-sources.

Output from Step 2 – A threat statement containing a list of threat-sources that could exploit
system vulnerabilities

Step 3 Vulnerability Identification

A vulnerability is a weakness in a systems design, architecture, configuration etc that could be exploited. There are many ways to find vulnerabilities on a system. Federal systems have the Vulnerability Management System (VMS) and National Vulnerability Database which are databases with a breakdown of operating system, network, application vulnerabilities that can allow an organization to track vulnerabilities. Network vulnerability scans, security test & evaluations, interviews, questionnaires, POA&Ms, penetration tests and previous assessments are other methods of identifying vulnerabilities.

Step 4 Control Analysis

Control analysis consist of listing all controls that are planned and implemented. Actions to identify planned and implemented controls could include examining previous POA&Ms & system security plans on existing systems. On new systems the organization could examine nontechnical and technical controls to be implemented by using network scanners, scripts. For nontechnical controls, the organization could observe documentation addressing business/mission procedures and organization policies.

http://nvd.nist.gov/scap/docs/2008-conf-presentations/day2/mgt-80037-transformation-ross-092408.pdf

Step 5 Likelihood Determination
Likelihood determination is based on threat-source motivations, capability, and resources available combined with the nature of system vulnerabilities.

The organization creates likelihood levels and definitions for the development of qualitative determination.

Step 6 Impact Analysis
Impact analysis takes determination of the system mission, the system and data criticality/sensitivity. The organization should determine the adverse impacts of the loss of integrity, confidentiality, or availability.

The organization can give examples of quantitative assessments by introducing real profit loss as a result of impacts. The magnitude of impact/impact definition is represents a qualitative matrix above.

Output from Step 6-Magnitude of impact (High, Medium, or Low)

Step 7 Risk Determination
The risk determination consists of the likelihood of a given threat and the magnitude of the impact should a vulnerability be exploited/engaged by a threat-source. The output of this step is a Risk-Level Matrix. Threat likelihood and potential impacts are given a rating system.

Step 8 Control Recommendations
The goal of the control recommendation is to determine how the mitigate identified vulnerabilities to reduce risk to the system.
• Effectiveness of recommended options (e.g., system compatibility)
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability

Step 9 Document findings
All the results of the risk assessment methodology must be documented. A Security Assessment Report (SAR) or risk assessment report captures data that will allow decision makers to make an inform decision on cost benefit for implementing controls.

Stuff I learned from people in the class:

-AFCA is changing its name (to what?)

DOD is going to put the new IA controls in NCSSI 12-53 (currently in draft)

-a lot of what I need in there is in NIST 800-53

Marines use something called Exacta

Site called securitycritics.org

33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)

800-30

Feds call Certification &Accreditation (C&A) “Security authorization”

NIST SP 800-37

Day 4:

Validator Activities & Issue Accreditation Decision

Prepare POA&M

Validate Results/Scorecard

Scorecard

Make certification determination

CA/DAA Package review

Day 5:

Validation procedures were discussed. On day five, we looked at how the validators look at a system.

I thought is was interesting. It should help me get through the EITDR/DIACAP process easier.

Maintain Situational Awareness

Maintain IA Posture

Conduct Review

R-Accreditation

Retire system

Day 3:

DIACAP Structure

Terminology Review

Assemble DIACAP Team

Registered System/System Information Profile

Assign IA Controls

Initiate DIACAP Implementation Plan

In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.

Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though and quite frankly, I need the CPE’s for my CISSP .

There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. its dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off topic stuff like history of eMass.

I must admit I’m looking forward to day two.
pros of day 1: Good solid start on basics GREAT for beginners. SecureInfo gets mad props for have a great instructor John M.(don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).

cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they goto this class without knowing the EITDR they will know why but now how, and if they go to the EITDR class without knowing the DIACAP they will know how but not Why.

Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.

DIACAP Essentials
The Department of Defense Information Assurance Certification and
Accreditation Process (DIACAP) Essentials course blends lecture and hands-on
exercises to introduce students to DIACAP policy (to include FISMA
requirements of a comprehensive, repeatable, and auditable Information
Security process).

IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students DIACAP
education and turns the view from an implementor to a Validator perspective
and involves the students in the validation process for the IA Controls
(DoDI 8500.2).

What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

I’m not saying we should not be more cautious or more aware. I’m not saying that more security is not necessary. What I am saying is that Taking away liberties is not necessary. And even if you feel it is necessary to spy on all citizens indefinitely to “catch terrorist” shouldn’t there be checks and balances on the watchers. Who will watch the watchers? How will we ensure that their powers are not abused.

New Technologies:
Smart CCTV – There are now smart security cameras with pattern recognition that allow them to alarm when some one does something suspicious such as climb a fence, or put down a bag and walk away. That technology has been developed by companies like ObjectVideo Inc. Defense Advanced Research Products Agency (DARPA) hopes to take it a step further by creating systems that can learn everyday patterns and send alarm when things are outside of their known pattern, also known as anomaly detection.

http://govtsecurity.com/mag/fighting_terror_technology/

read more | digg story