It is not often that I highlight a single post from somebody else here on Infosec Ramblings, but every once in a while I come across something that deserves to have a bit brighter light shined on it.

Russel has written a post on The New School of Information Security blog entitled Would a CISO benefit from an MBA education? That's a good question and he brings some good thoughts to the table about the issue.

However, there is some additional information in that post and the comments that follow, along with links to other resources,  that anybody who is interested in becoming a CISO should give a read. Truly awesome stuff.

Just to be clear, I do not mean to belittle the original purpose of the article or its content that addresses that question. The question is a good one, Russel's words are great, and he and Eric have a great conversation about that topic in the comments.

Just make sure to read the rest of the reference material too.

As always, comments are encouraged below or you can email me at kriggins@infosecramblings.com if you prefer.

If you are interested in getting our content regularly, go ahead and subscribe to the RSS feed. You can also subscribe to have posts emailed to you if you prefer.

-Kevin

-Kevin

My good friend, Alex Hutton, has written an excellent post where he talks about the science of Risk Management.

I am not going to try and summarize what he says because he says it so well.

Do yourself a favor and go read it. Then go and look at some of the stuff he points to in the post. Then figure out how to apply it to your organization. Goodness will follow.

Risk Appetite: Counting Risk Calories is All You Can Do by Alex Hutton

-Kevin

Image courtesy of divaangelic2

I wish I could take credit for the idea below, but I cannot. This was sent to me by someone who works in a marketer compliance department.

With his permission, I modified it a little to be information security centric and now present it to you. Enjoy.

BTW - I won't be surprised if I get a take down notice so tell your friends quickly if you find it worth sharing.

I am very pleased to announce that my Peer2Peer session submission for RSA 2010 was accepted.

Here is the definition of a Peer2Peer session from RSA in case you are not familiar with them:

Have a security issue you would like to discuss with your peers? Want to share your experiences with a new technology? Care to explore best practices with colleagues? Then submit a P2P session!

Peer2Peer sessions are limited to 25 people who share a common interest and want to discuss or learn more about a particular security issue. The sessions are interactive and moderated by someone who knows the subject at hand and also can keep the conversation flowing. No PowerPoint allowed!

The first Yay! is that you won't be subjected to a PowerPoint; the second is that you will get to help shape the conversation and learn from your peers.

The title of my session is Risk Management: Getting Engaged.

Before we can effectively practice risk management in our organizations, a number of things have to happen. One of the key things that must occur is getting our business partners to engage with us. In this Peer2Peer session we will explore different ways to capture our business partners attention so that we can effectively and efficiently provide the risk management activities that help our organizations make appropriate risk based decisions.

Here are the details:

Session Track: Peer2Peer
Session Code: P2P-203B
Scheduled Date: 3/3/2010
Scheduled Time: 10:40 AM - 11:30 AM
P2P Session Title: Risk Management: Getting Engaged

I hope to see you there!

-Kevin

Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.

Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.

We start with the first component of Loss Frequency which is threat event frequency (TEF.) From the introduction, threat event frequency is:

The probable frequency, within a given timeframe, that a threat agent will act against an asset.

In other words, how many times within some amount of time will the bad guy try to do something evil to our treasured asset. This is important to know in determining how often we might actually suffer a loss.

So, to figure out the how many in how much part of the equation, we need to look at a couple things, contact and action. However, we are not talking about binary definitions here such as 'was there contact or not'.

First let's talk contact. From the introduction, contact is:

The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

There are three things we want to consider. We are interested in whether the bad guy has regular or random contact with our treasure. Is contact the result of just random chance or is there some regularity to the contact? We are also really interested in whether the contact is intentional or not. Is the bad guy looking specifically for the types of treasure you have or are we target of opportunity.

Now action. From the introduction, action is:

The probability that a threat agent will act against an asset once contact occurs.

Again, we want to look at three things, asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough. How vulnerable does the bad guy perceive the treasure to be. Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy. How likely is he to get caught if he tries to make contact.

All these factors must be taken into consideration when we we are thinking about threat event frequency.

Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy.

As usual, drop me a note or leave me a comment with your thoughts.

-Kevin

First, I apologize for the long absence of any further posts in this series. I am sure everybody thought I had decided not to continue. Not the case. With the presentation at Secure360, a bathroom remodel and life in general getting in the way, I didn't take the time to keep on top of this series.

Anyway, let's dive back in. All the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.

In the last post I said we were going to talk a little more about assets, but we are not. We are going to start in on the taxonomy and pick up those words about assets a little later. First, what in the world is a taxonomy? I asked myself this question late last year.

From wikipedia:

...In addition, the word is also used as a count noun: a taxonomy, or taxonomic scheme, is a particular classification ("the taxonomy of ..."), arranged in a hierarchical structure. Typically this is organised by subtype-supertype relationships, also called parent-child relationships...

At the top of a taxonomy is the item being represented. I guess that means we should define exactly what we are building this taxonomy for. One would think I'd have gotten to this a bit earlier. Apparently not Okay. Here we go. Let's define RISK.

From the introduction:

Risk - The probable frequency and probable magnitude of future loss

If risk is defined as above, then the very top of our taxonomy looks like this:

Starting with the next post, we will begin to build out the rest of the taxonomy. However, we are going to start from the bottom.

As always, I am interested in what you have say. Please leave comments or email me if you like. My email address is on the about page.

-Kevin

This is the presentation I gave at Secure360 2009 titled "Measuring and Communicating Risk using Factor Analysis of Information Risk (FAIR)."

As always, I am interested in your feedback.

-Kevin

I go through quite a few blogs everyday to keep abreast of what is being said in the information security world. My daily bits posts are things that strike me as interesting and that I think you might find interesting too.

I don't usually single out a blog post all on its own, but every once in awhile I come across something that I feel deserves special attention.

Alex Hutton posted the following on the Verizon Business Security Blog today. There are some profound statements in this missive. I won't steal his thunder. Go read it. You will not be disappointed.

On Clouds and The Evolving Role of the CISO

In the last post in our series on FAIR we took a look at the data flow diagram for the system that Oblivia wants us to assess. We also reviewed the definition of threat and quickly figured out we need a way to narrow down which threats we should be most concerned about.

FAIR uses the concepts of threat communities and threat characteristics to help us group together like threat agents and help us determine the probability of that threat affecting us. A threat agent being an individual person or instance in a threat population or set of threats.

Let's take a look at these two concepts and see how they can help us.

First, the definition of threat community. From the Introduction to FAIR: Risk Landscape Components:

Subsets of the overall threat agent population that share key characteristics

Basically, we are talking about those characteristics that would define a group of threat agents. The Introduction uses at set of characteristics that could be used to place a threat agent in a community call 'terrorist.' How about the following characteristics?

Motive: Money
Primary intent: Financial gain
Sponsorship: Unofficial
Preferred general target characteristics: Systems where small changes are difficult to find
Preferred specific target characteristics: High traffic/significant impact systems
Preferred targets: Systems and applications
Capability: Significant technology skills
Personal risk tolerance: Medium
Concern for collateral damage: High (need for changes to remain unnoticed)

What could we call the threat community whose agents have these characteristics? I'm going to hate myself for using the term, but cyber criminals seems to work. Individuals who make money by subverting computer systems. This gives us some information about what makes up the community. Now we need some information that can help us determine which communities are worthy of more inspection. That is where threat characteristics come in.

From the Introduction, paraphrased a bit:

There are four primary characteristics we are concerned with in our risk taxonomy:

• The frequency with which threat agents come into contact with our organizations or assets
• The probability that threat agents will act against our organizations or assets
• The probability of threat agent actions being successful in overcoming protective controls
• The probable nature (type and severity) of impact to our assets

What we are really concerned about from an agent characteristic perspective is, frequency of contact, the likelihood that the agent will act against us, the likelihood that the agent will succeed and the likely type and severity the result of that action to our assets.

A situation where the agent is rarely in contact, is unlikely to actually attack us and even more unlikely to succeed if they do and, finally, the impact if they are successful will be insignificant is much different that one where the agent is in constant contact, is very likely to act against us, is skillful enough to succeed and probably going to result in severe impacts to our assets.

Understanding the different communities and the significant characteristics mentioned above can help us a great deal in managing risk. They help us have a much more concrete estimate of the probability of something untoward happening to us as the result of a threat agent acting against us.

In our next installment we will take one more quick look at a few characteristics related to assets. We will then dive into risk factoring in the next few posts.

As always, I am really interested in your thoughts. I read and take to heart every comment that is left and email received, so please join the conversation!

-Kevin

I am really excited. I will be speaking at Secure360. The conference takes place on May 12th and 13th in St. Paul, Minnesota. I will be speaking in the afternoon on the 13th.

From the Secure360 website:

The Upper Midwest Security Alliance (UMSA) serves business, government, and education professionals in the Twin Cities and surrounding areas. The Secure360 conference is the primary mission of UMSA. The annual event is a unique opportunity to explore the latest threats and opportunities in enterprise risk management.

The title of my talk is "Measuring and Communicating Risk with Factor Analysis of Information Risk (FAIR)."

-Kevin