6 - 1
Information Risk Management - SANS
©2001
1
Risk Management
The Big Picture – Part VI
Risk Assessment and Auditing
Now that we know the tools and the primary concepts, this part of the course is designed to help you
pull everything together. This section is especially important if you need to present security
proposals to management. Your next slide, titled Risk Management – Where do I Start presents the
roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer
idea of how to analyze risks and establish a security infrastructure at this point. Let’s go take a look
at the roadmap!
6 - 2
Risk Management: The Big Picture - SANS
©2001
2
Information Risk Management - SANS
©2001
2
Risk Management – Where do I
Start?
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due
care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize
countermeasures, and implement top priority
countermeasures you can afford
• Conduct periodic reviews and possibly tests

risk assessment: Qualitative, quantitative, and knowledge-based (also known as best practices).
Whether or not we explicitly choose, we have exactly three options and we do choose between:
Acceptance, mitigation, and transference.
When we accept the risk, this means we make no changes in policy or process. This decision means
that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have
the option of taking action to protect operations by reducing the risk. A firewall or system patch are
obvious examples of risk mitigation.
Transferring the risk is sometimes a workable technique. The classic example is to buy insurance.
This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a
fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real
world example of this is hacker insurance. The insurance company still expects you to have a
firewall and patches, but insures you should these fail.
6 - 4
Risk Management: The Big Picture - SANS
©2001
4
Information Risk Management - SANS
©2001
4
Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact
of threat)
• How often could it happen? (frequency of
threat - annualized)
• How reliable are the answers to the above
three questions? (recognition of
uncertainty)
In order to decide between the choices (accept, mitigate, or transfer risk) we want to make, we

happen over the course of a year. In the same way that gravity is the compelling reason jumping
from a plane without a chute is near-certain death, the continuous probing and poking of exposed
systems on the Internet is the compelling reason the box will be compromised. So what? How bad
can a compromise be? Well, once they compromise the box they have the ability to manipulate the
addresses associated with the names of the network entities (such as computers) at your site. These
names and addresses are often used to identify which computers are allowed to access other
computers - your organization’s trust model. If you have valuable assets, that may be what
happens. Or they may just create weird system domains and hit systems all over the Internet, giving
your organization a bad name.
6 - 6
Risk Management: The Big Picture - SANS
©2001
6
Information Risk Management - SANS
©2001
6
What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high
impact)
• If one shot didn’t kill you, and then it
hit you again and again. (frequent
threat)
• There is high certainty the threat exists,
it is high impact, and potentially could
occur multiple times.
So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To
have an unacceptable risk, there has to be a defined threat. They will compromise the DNS server,
most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model
and had several days to work without being detected - such as over the Christmas holidays - they

the data is not recoverable? $25,000 x 80% or $20,000, unless he has been sending chapters in as
they are done.
6 - 8
Risk Management: The Big Picture - SANS
©2001
8
Information Risk Management - SANS
©2001
8
Annualized Loss Expectancy
(ALE - multi-hits)
• SLE x Annualized rate occurrence = Annual
Loss Expectancy (ALE)
• Annual loss is the frequency the threat is
expected to occur
• Example, web surfing on the job
– SLE: 1000 employees, 25% waste an hour per
week surfing, $50/hr x 250 = $12,500
– ALE: They do it every week except when on
vacation: $12,500 x 50 = $625,000
If you are screaming, “But what if??”, relax - we understand. Again, a main point of the chapter is
uncertainty, this is what drives the “what ifs”. The key question, however, is how much continuing
risk am I willing to accept?
Even if you can survive a given event (possibly sadder but wiser) can you survive it six times? This
is the notion of annualized risk. It applies well to shoplifting. We expect to lose 9% of revenue over
N occurrences.
The information about expected losses due to cyber attacks is much harder to come up with, as
organizations do not tend to share this type of information so it is only available in the micro-view of
a given organization.
6 - 9

• Qualitative succeeds at identifying high
risk areas
• Quantitative is far more valuable as a
business decision tool since it works in
metrics, usually dollars
The main point between the two approaches is that qualitative is much easier and when done well,
can certainly identify the areas that need attention. This is because as soon as an area is marked high
risk, you know you need to look into it.
There is still another approach to risk assessment. This is the knowledge-based or best practices
approach. There is much more up-front work required to implement this, but the results are more
accurate and consistent.
6 - 11
Risk Management: The Big Picture - SANS
©2001
11
Information Risk Management - SANS
©2001
11
Best Practice Risk Assessment
• System administration is a high-
turnover job for large organizations,
which affects continuity
• System administrators tend to be
focused on having the “trains run on
time”
• Security configuration may not be
understood or implemented
In many organizations, there is a large amount of staff rotation and employee turnover, particularly
in the fields of system administration and network security. This fact, combined with the need to
simply keep the systems up and running with a minimum support staff, leads to dangerous situations

We have downloaded the Windows 2000 tool from the Center for Internet Security,
www.cisecurity.org and run the test. As you can see, we have a bit of work that we need to do.
Your next slide is from Microsoft Update. Let’s download the critical fixes, reboot a few times, and
see how we are doing.
6 - 14
Risk Management: The Big Picture - SANS
©2001
14
Information Risk Management - SANS
©2001
14
This shot is Microsoft’s web site. We expect that everyone knows about update, but as you will see,
getting a perfect score just isn’t that simple.
6 - 15
Risk Management: The Big Picture - SANS
©2001
15
Information Risk Management - SANS
©2001
15
Even after downloading all the Security patches that Microsoft has on the update site, the scoring
tool tells us we need to pick up two more. If we select the 'Hotfixes Needed' button we can get the
names of the missing patches. Also, you will notice that we have a zero score for restrict
anonymous. This is a big problem for Windows computers, so we will fix this next.
6 - 16
Risk Management: The Big Picture - SANS
©2001
16
Information Risk Management - SANS
©2001

©2001
19
SANS’ Securing NT SBS
* Action 3.1.1 Disable the display of the last logged on username by setting the
following registry value. If the value does not already exist, it must be created. With REGEDT32 this
is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername” exactly as
shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration
Manager from the NT Resource kit instead of using REGEDT32.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1
Note: In some situations it might be preferable to allow the display of the last logged
on user. Certain users may not be able to remember their user name, and this would keep the
administrator from having to tell them each time they logged on. Another reason to display the last
logged on username is because it will quickly let you know if someone else logged onto the
machine. Not displaying the last logged on user name will only keep novice hackers from finding
out which users exist on the machine. It is trivial for a determined hacker to get that information.
Therefore, many administrators do not bother hiding the last logged on user name.
A similar project - also a community development effort - is the SANS Securing Windows NT Step-
by-step booklet. This is on its third revision and the current editors are Jason Fossen and Stephen
Northcutt.
6 - 20
Risk Management: The Big Picture - SANS
©2001
20
Information Risk Management - SANS
©2001
20

(__) Auditing is configured to minimally audit -
Account Logon Events (Success and Failure)
Account Management (Success and Failure)
Logon Events (Success and Failure)
Object Access (Failure)
Policy Change (Success and Failure)
Privilege Use (Failure)
System Events (Success and Failure)
The person that knows security and risk in general (often an auditor or security officer) reads the
items to the person more familiar with the specific technology. This person checks each item and
fills in the checklist.
At the end of each section, the security officer makes the determination as to the overall risk posture
of the system.
6 - 22
Risk Management: The Big Picture - SANS
©2001
22
Information Risk Management - SANS
©2001
22
Windows 2000 Form Summary
• Benefits
– Reasonably good tool for minimal OS
security
– Good form “layout”
•Limits
– Needs a list of applicable patches
– Where to get them
– Tool to determine patch status
The NSWC checklist or the SANS Securing Windows 2000 Step-by-step checklist are not the final

24
Business Case For Risk
Management (2)
• We have been introduced to a
basic risk assessment process; can
we apply this process to the
business case for intrusion
detection?
– If there is a ‘big picture’ can we apply
what we have learned to our real
world environment?
The real test of this course’s value is whether you can apply what you have learned here in your
organization. Every situation is different; a financial institution has different priorities than a
military organization, for example. As we work through this next section, think about your
organization and whether these concepts apply. If you have ideas that would help me balance or
improve this, please send me e-mail at
6 - 25
Risk Management: The Big Picture - SANS
©2001
25
Information Risk Management - SANS
©2001
25
Business Case - Applications
• Organization has no intrusion detection
and you are presenting the case for
standing up a capability
• Organization has rudimentary capability
and you want to upgrade
• Organization has central monitoring and