Deliverable D4.4.2 – CYSPA Risk Tool – final release (Work package WP4)
Contents
1. Some forms of identity fraud are also known as masquerade.

References shown for this threat:
- ENISA Threat Landscape 2013: overview of current and emerging cyber threats, https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats
- Identity theft and fraud, http://en.wikipedia.org/wiki/Identity_theft

[Screenshot residue: threat tree with the nodes Information Leakage, Malware Diffusion, Drive-by Downloads and Exploit Kits visible; on the right, the Solutions list with the columns Name, Description, Author, Created at.]

Solutions listed:
- Oracle Access Management Suite Plus: a solution for securing applications, data, web services and cloud-based services. Its features are authentication, single sign-on, mobile and social sign-on, entitlement management, fine-grained authorisation, fraud detection, risk-aware authentication, security token services and identity federation. It provides an integrated, modular architecture that enables customers to deploy a complete access solution. Author: Test Test. Created at: 03/25/2015.
- Oracle API Gateway: acts as a control point for managing how internal users and applications are exposed to outside cloud offerings, and extends authentication and authorisation. In cloud environments Oracle API Gateway allows the organisation to proxy and manage interactions with cloud services; restrict, throttle and manage web services and REST APIs; provide SSO for web services and Internet APIs; and perform API key authentication. Author: Test Test. Created at: 03/25/2015.
- Cisco Secure Access Control System: serves as a policy ad
2. • Allow members of the CYSPA community to exchange information about common threats, thus enriching the knowledge base of each participant and refining the behaviour of the CRISK tool. This is called Community Interaction in the context of CRISK. To start this process we can rely on the support of four sector leaders, for the eGovernment, Energy, Finance and Transport sectors, that have provided initial knowledge and content, so users can obtain a first evaluation without having to know or input the existing threats that could affect organisations' operations in those sectors.

3 CRISK Design

3.1 Tool Behaviour

CRISK is built upon three main sections, as we can see in the functional navigation map represented below:
1. Tree of Threats
2. Questionnaires and Risk Assessment
3. Community Interaction
   a. Propose question
   b. Report threat

Each of these sections is necessary to help CRISK achieve its primary goal: allow members of the Alliance to self-evaluate their organisations and increase the level of awareness about existing threats that may be affecting them.

Threats: all the existing and identified threats that can be displayed in the analysis are gathered in this section, so users can have an overview of the actual cyber threat situation. Furthermore, they are able to navigate through the tree in order to learn more about these threats, even if those have not been identified as potentially impacting the user's organisation during
3. …or vendors, it is not ideal for the tool users that need to customise or set up the tool for a specific sector or use case. Furthermore, the analysis of existing tools reveals that in many of them it is necessary to already know the threats affecting an organisation and to input that information in order to get an analysis and further evaluate the level of exposure. This is a common limitation in the usage of such tools: the tool itself should identify the threats the organisation could be exposed to. This is also connected to the fact that the settings needed to get the tool working properly, and the findings with regard to improving tool accuracy, usually remain within the boundaries of each organisation as internal knowledge. This furthers the duplication of efforts related to the discovery of threats and the calculation of exposure.

Starting from the above-mentioned considerations, the CYSPA consortium decided to elaborate a different risk self-assessment tool aiming at addressing the issues identified in the analysis. Essentially, the CRISK tool should provide organisations, especially SMEs that typically do not have a Security Manager or a Risk Expert on board, with a tool to conduct a first cybersecurity self-assessment and get a rough estimation of the exposure of the organisation to the most common threats. The CRISK tool should:
• Suggest the threats an organisation could be exposed to, based on high-level information about its processes and sector.
4. (continuation of the Transport sector questions table; columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answers, text and value)
… private client records are lost? | … | ENISA 12 Data Breaches | 32 | Company | Client | Not sure
Is this stipulated in a written agreement? | Impact | ENISA 12 Data Breaches | 33 | YES | NO
… your wireless network? | Likelihood | ENISA 13 a Information leakage | 11 | YES 2 | NO 4
How often is your data backed up? | Impact | ENISA 13 a Information leakage | 13 | Daily 1 | Every two weeks 2 | Monthly 3 | Annually 5 | Other / Not sure –
How long would it take for you to recover your data? | Impact | ENISA 13 a Information leakage | 12 | 1 day 1 | 7 days 2 | 2 weeks 3 | 1 month 4 | Other / Not sure –

4.2 Finance sector questions

Columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answer 1 (text, value) | Answer 2 (text, value) | Answer 3 (text, value) | Answer 4 (text, value)
Are access control mechanisms in place to control internal access to customer financial and personal data? | Likelihood | ENISA 12 Data Breaches | 90 | Yes 2 | No 5
Are security mechanisms (access control, integrity monitoring, identity services, etc.) duly tested and their proper functioning audited? | Likelihood | ENISA 13 b Information leakage | 80 | Yes 1 | Partially 3 | No 5
Are there security mechanisms in place in customer mobile channels? | Likelihood | ENISA 2 Worms/trojans | 70 | Yes 2 | No 4
Is data integrity ensured in insurance cus… | … | ENISA 7 Identity theft/fraud | …
5. [Figure 2: CRISK home. Widgets visible on the home page: Resources, Hot Topics, IT Settings, Online Friends.]

Threats: the following screenshot represents the tree that gathers and structures all the identified threats reported in D2.4. This layout displays all the threats in a hierarchy, and also allows newly reported threats to be incorporated as sub-threats, which could then be the topic of a more specific analysis with dedicated questionnaires. On the right of the threat tree a detailed description is shown contextually for each selected threat, as well as the related solutions that have been previously validated by the community of experts. The bottom part of the screenshot also shows the OPENNESS [13] social bar, which enables users to keep track of a threat by following it; it also allows the addition of personal comments and notifies other members of the community about the threat.

[Screenshot: CYSPA – CYSEC Risk Self-Assessment Tool, threat tree with "Identity Theft and Fraud" selected; other nodes visible: Denial of Service, Disclosure of Information, Data Breach.] Description shown for the selected threat: in the case of identity theft an attacker assumes a false identity; he takes advantage of information about another person to act on his or her behalf. Theft of identity often leads, directly or indirectly, to damage of reputation, but also elucidating the causes and preventing the negative consequences for those affected is time-expensive.
6. …home. In the following screenshots we can see how the process of reporting new threats and proposing new questions works. In order to propose a new question it is necessary to select whether the question refers to impact or likelihood, write the actual question, add the relevant answers and select the threats that this question is related to.

[Screenshot: "Propose a Question – Please follow the next steps to propose the question."]
Figure 13: Propose questions

Reporting new threats is also easy; it is only necessary to perform the following five steps:
1. Write the actual threat name.
2. Include a short description of the threat.
3. Add some working references.
4. Select possible existing solutions by choosing the most suitable ones from a pre-filled list.
5. Select whether it is a sub-threat of another threat.

The mask to report a new threat is displayed in the following screenshot.

[Screenshot: CYSPA – CYSEC Risk Self-Assessment Tool, "Report Threat – Please fill the following fields and select where you wish to add the threat within the tree." Fields: Threat Name (required; "This field is required" validation message shown), Threat Description (required), Threat References (required). Below, the Solutions list (columns Name, Description, Author, Created at), first entry "Advanced Threat …: monitors a network for sophisticated …", author Test Test, created 03/26; "Showing 1 to 10 of 93" entries.]
7. [Screenshot residue of the solutions list: "… Organisati…", "… Data Terminals, PDAs, laptop PCs …".]
Figure 15: Solutions search & create

3.3 Tool Internal Logic

The PMBOK [12] defines qualitative risk analysis as the process of prioritising risks for further analysis or action by assessing and combining their probability of occurrence and impact. CRISK helps in carrying out this process using the answers provided by users through the questionnaires. In order to convert these answers into final values of impact and likelihood for each of the identified threats, the tool must follow a specific process with several stages. The seven main stages of each risk analysis are:
1. Answer the questionnaire and save the answers.
2. Classify questions per threat.
3. Classify questions by impact or likelihood.
4. Assign values to answers.
5. Assign weights to answers.
6. Apply the expressions (indicators).
7. Represent the obtained values on the graph.

Answer the questionnaire and save the answers. As mentioned before, users may select the most suitable questionnaire according to their sector or area of interest among those provided in the tool. Users must answer all the multiple-choice questions in order to submit the questionnaire, selecting only one of the answers for each question. These answers are saved and stored temporarily, with the aim of using them in the following stages.

Classify questions per threat. One important characteristic of the tool is that it provides question
8. … would be the impact of a confidential business information leakage on your organisation? | Moderate | 2
Likelihood: Do you know which computer systems in your company are used to process or store critical or private data? | Yes | 1
Likelihood: Are there systems or procedures in place to protect confidential information flow within your organisation? | No | 4
Table 1: Example – Information leakage questions

Replies and values (0–5):
Q1 | Critical 5 | High 4 | Moderate 2 | Residual 0
Q2 | Critical 5 | High 4 | Moderate 2 | Residual 0
Q3 | Yes 1 | No 4
Q4 | Yes 1 | No 4
Table 2: Example – Values assigned to answers for evaluation

Impact weights (0–5), columns Transport | Energy | eGov | Finance:
4 | 4 | 3 | 3
4 | 2 | 3 | 5
4 | 4 | 3 | 3
Table 3: Example – Weights assigned to sectors for evaluation

[Chart: Risk Analysis, horizontal axis Likelihood (0–4), vertical axis Impact (0.5–4.5); one point per series: IL Transport, IL Energy, IL eGov, IL Finance.]
Figure 16: Example – Graphical analysis

4 Questionnaires

4.1 Transport sector questions

Columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answer 1 (text, value) | Answer 2 (text, value) | Answer 3 (text, value) | Answer 4 (text, value) | Answer 5 (text, value)
Do you have a centralised or decentralised wireless network? | Likelihood | ENISA 13 a Information leakage | 34 | Centralised 4 | Decentralised 2
9. EC: European Commission
ENISA: European Network and Information Security Agency
EOS: European Organisation for Security
EU: European Union
ISP: Internet Service Provider
TLP: Traffic Light Protocol (refer to the Annex for more information)
WP: Work Package

Table of contents
Executive summary
1 Introduction
2 CRISK Positioning
2.1 Existing Risk Tools
2.2 Motivations for the CRISK Tool
3 CRISK Design
3.1 Tool Behaviour
3.2 Tool Interface
3.3 Tool Internal Logic
4 Questionnaires
4.1 Transport sector questions
4.2 Finance sector questions
4.3 eGovernment sector questions
10. CYSPA – European Cyber Security Protection Alliance
Deliverable D4.4.2 – CYSPA Risk Tool – final release
Work package: WP4
Due date: 30/03/2015
Submission date: 03/04/2015
Revision: V2.00
Status of revision: Final
Responsible partner: Engineering Ingegneria Informatica S.p.A. (ENG)
Contributors: Visionware, ATOS, Fraunhofer, Corte, EOS
Project Number: FP7-ICT-2011-8 318355
Project Acronym: CYSPA
Project Title: European Cyber Security Protection Alliance
Start Date of Project: 01/10/2012
Dissemination Level: PU – Public (selected). Other levels: PP – Restricted to other programme participants (including the Commission); RE – Restricted to a group specified by the consortium (including the Commission); CO – Confidential, only for members of the consortium (including the Commission).

Version history (Rev | Date | Author | Notes)
V1.00 | 16/03/2015 | Engineering | Table of content
V1.01 | 31/03/2015 | Engineering | First draft
V1.02 | 01/04/2015 | Engineering | Overall content review
V1.03 | 02/04/2015 | Engineering | Final review
V2.00 | 03/04/2015 | EOS | Final review and submission

Glossary (Acronym: Description)
CERTs: Computer Emergency Response Teams
CIWIN: Critical Infrastructure Warning Information Network
CRISK: Community Interaction Risk Self-assessment Tool
CYSPA: European Cyber Security Protection Alliance
DG: Directorate-General of the European Commission
11. (continuation of the eGovernment sector questions table; columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answers, text and value)
What would be, in your opinion, the probability of such an attack in the next year? | Likelihood | ENISA 8 Denial of service | 20 | Not likely 0 | Low 1 | Medium – | High 4 | Very high 5
What is the history of DoS, defacements or other types of successful hacktivism attacks on your organisation in the last three years? | Likelihood | ENISA 8 Denial of service | 50 | No perceived attacks 0 | At least one attack – | Between 2 and 5 attacks 3 | More than 5 attacks 5
Does the organisation … security audits and penetration tests? | Likelihood | ENISA 8 Denial of service | 30 | No 5 | At least every two years 3 | Every year – | Every 6 months 1 | More than twice a year 0
… in the event of a defacement attack … | Impact | ENISA 14 Targeted attacks | 40 | answers with values 5, 3 and 1, whose text is only partially legible: "… processes to restore the affected systems", "… as soon as possible using internal resources", "… disaster recovery services of a specialised partner to recover the systems and gather any evidence needed"
The organisation's publicly exposed systems are located | Impact | ENISA 14 Targeted attacks | 30 | In an external hosting provider – | In a segregated network (DMZ) behind a firewall – | In the internal network, published through the perimeter firewall 3 | Outside the internal network, with no firewall –
12. (continuation of the Energy sector questions table; columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answers, text and value)
… to prevent data leakage of safety-relevant information? | Likelihood | ENISA 13 a Information leakage | 65 | YES 1 | NO 5 | NOT SURE 3
How critical for your organisation would the loss of a single power station be? | Impact | ENISA 6 a Physical damage | 80 | Very critical 5 | Somewhat critical 3 | Not critical 1
What service disruption period is your organisation able to tolerate? | Impact | ENISA 8 Denial of service | 78 | > 5 days 0 | 1–5 days 1 | 8–24 hours 2 | < 8 hours 5
Does your organisation operate critical facilities like nuclear power plants? | Impact | ENISA 6 a Physical damage | 90 | YES 5 | NO 0
How often is your organisation the target of cyber attacks? | Likelihood | ENISA 8 Denial of service | 55 | Infrequently 1 | Frequently 3 | Daily 4 | Constant 5
Do you run background checks on your employees? | Likelihood | ENISA 13 a Information leakage | 42 | YES 1 | NO 4 | SOMETIMES 3
Does your organisation operate spare transformers? | Likelihood | ENISA 6 a Physical damage | 72 | YES 1 | NO 4
Does your organisation use a private communication network, like a powerline carrier (PLC) system? | Impact | ENISA 13 a Information leakage | 62 | YES 1 | NO 3
Is your organisation's private communication network adequately protected against cyber attacks? | Likelihood | ENISA 14 Targeted attacks | 52 | YES 1 | NO 5 | NOT SURE 3
Has your organisation adopted special security measures for smart grid controls? | Impact | ENISA 14 Targeted attacks | 67 | YES 0 | NO 5 | NOT SURE 3
Has your organisation ins…
13. [Screenshot: CYSPA – Finance Sector questionnaire.] Before answering the questionnaire: please answer as many questions as you are able to. It is not mandatory to answer all the questions, but be aware that the more questions you answer, the more accurate the results of the analysis will be.
1. What would be the consequences of stolen credit card customer data? Penal / Loss of business / Bad reputation / None
2. What would be the consequences of social engineering attacks on call-centre agents? Unauthorised access to customer data / Stealing of customer funds / High insurance costs / None
3. What would be the consequences of manipulated financial indicators or investment data? Loss of business / Increased costs / None
4. What would be the consequences of loss of customer data? Penal / Loss of business / Bad reputation / None
5. What would be the consequences of fraudulent identity in new bank accounts? Penal / Bad reputation / None / Loss of business
Figure 6: Finance sector questionnaire

[Screenshot: CYSPA – eGovernment Sector questionnaire, with the same introductory note on answering as many questions as possible.]
1. Are major assets behind an SSLv3-supported infrastructure? None / Few
14. [Screenshot: Risk Self-Assessment Tool – Questionnaires. "Please select the questionnaire that is most suitable for the self-evaluation of your organisation." Listed (Name | Actions): Transport Sector, Finance Sector, eGovernment Sector, Energy Sector.]
Figure 4: Set of questionnaires

After choosing one, all the multiple-choice questions are displayed, as shown in the next screenshots for each sector respectively.

[Screenshot: CYSPA – Transport Sector questionnaire, with the introductory note that it is not mandatory to answer all the questions but that the more questions are answered, the more accurate the results of the analysis will be.]
1. How are your records stored? Electronically / Paper / External hard drives / Other / Not sure
2. How effectively would your company be able to deal with a computer virus in your network? Very effectively / Somewhat effectively / Somewhat ineffectively / Not effectively
3. How long would it take for you to recover your data? 1 day / 7 days / 2 weeks / 1 month / Other / Not sure
4. How often is your data backed up? Daily / Every two weeks / Monthly / Annually / Other / Not sure
5. How prepared would your company be to deal with the situation if there were a loss of confidential records? Entirely prepared / Somewhat prepared / Not very prepared / Not prepared
Figure 5: Transport sector questionnaire
15. (remaining answers of eGovernment question 1: Some / Most of them / All)
2. Are your users local administrators of their laptops or workstations? No / Few / Some / Most of them / All
3. Do you have a policy in place to warn users not to click on links received in e-mail messages? No / Informal policy / Formal policy / Formal policy and awareness training
4. Does the organisation conduct internal security audits with a focus on the security of personal data? Yes / No
5. Does the organisation have qualified staff and a process in place to react to DoS attacks? No / Skilled staff capable of handling DoS attacks / Skilled staff with specific training on DoS mitigation
Figure 7: eGovernment sector questionnaire

[Screenshot: CYSPA – Energy Sector questionnaire, with the same introductory note on answering as many questions as possible.]
1. Do your systems comply with international security guidelines? Yes / No / Not sure
2. Does your company intend to have its IT security system certified? Yes / No / It is already certified
3. Does your hardware have automated system protection measures, such as data erasure? Yes / No / Not sure
4. Does your organisation operate critical facilities, such as nuclear power plants? Yes / No
5. Does your organisation operate energy transmission systems?
16. (answers: Yes / No)
Figure 8: Energy sector questionnaire

At the end of each questionnaire, as shown in the next screenshot, participants can submit their answers; thereafter the risk analysis processing begins.

[Screenshot: last questions of the Energy sector questionnaire, with the Submit button.]
22. How often is your organisation the target of cyber attacks? Infrequently / Frequently / Daily / Constantly
23. Is your organisation's private communication network adequately protected against cyber attacks? Yes / No / Not sure
24. Does your organisation see itself as a possible target for hacktivists? Yes / No
Figure 9: Submit a questionnaire

Once all the answers have been processed and evaluated according to the internal logic of the tool (see section 3.3), the analysis is presented to the user as follows.

[Screenshot: CYSPA Risk Tool – Risk Analysis and Solutions. "Thank you for completing the questionnaire." Graphical analysis showing the threat Targeted Attacks at Likelihood 3.44, Impact 1.7; Results accuracy 100.0.]
Figure 10: Graphical analysis

The vertical axis corresponds to impact and the horizontal axis to likelihood. As we can see, the maximum value is five and the minimum is zero for both dimensions. Just below the chart, the information and references for each of the threats identified in the analysis are displayed.

[Screenshot: Threats identified (3). First entry: Code Injection – Likelihood 5.0 (Critical), Impact 4.0 (Critical); Descripti…]
17. …a self-sustained Alliance of organisations interested in reducing the impact that cybercrime has on industry sectors. As an online community, CYSPA launched a campaign called "Understanding Risk". The campaign deals with the importance of cyber risks and the possible solutions that may be used to reduce those risks for organisations running IT assets. CRISK, the Community Interaction Risk Self-assessment Tool created in the context of the CYSPA initiative, is a tool born to support the Understanding Risk campaign. In this regard, the tool allows members of the CYSPA community to self-evaluate their risk exposure to the most common cyber threats, as identified in the CYSPA impact reports [2], [3], [4], [5]. By filling in a questionnaire specifically tailored to the industry sector the organisation operates in, users obtain an assessment of the exposure to cyber risks that their organisation is currently facing. This may improve the organisation's awareness of cyber security, while giving the user a holistic overview of the threats that may have a major impact on their organisation. Moreover, in a context where cyber threats and the solutions to address them are constantly changing, no single organisation has the ability to build and maintain its knowledge across the entire landscape. Therefore, the only possibility for facing issues that constantly arise is to leverage, by sharing, the collective knowledge of the community participants. CRISK has also been c…
18. …about this tool please refer to: http://www.itgovernance.co.uk/shop/p-1228-vsrisk-standalone-basic.aspx

• CoAble, developed by CoBlue, is a benchmark tool and related platform for assessing the compliance of your organisation with a number of ISO security-related standards. "Cybersecurity is a challenge in all sorts of industries. A collective effort can truly improve cybersecurity on an organisational, national and international level. Coblue has developed Coable to facilitate this collaboration. Coable is a benchmark and collaboration platform which helps organisations to assess and improve their cybersecurity by facilitating inter-organisational benchmarks and knowledge exchange. Information is kept confidential throughout this process." [9]
Main features of the CoAble tool include:
o Assess your whole organisation in detail
o See your progress over time
o Benchmark with peers anonymously
o Learn from the knowledge base
o Create flexible reporting
o Collaborate with or delegate to colleagues
o Increase user awareness
For further information about this tool please refer to: http://www.coable.eu

2.2 Motivations for the CRISK Tool

The analysis of the tools listed in the previous section shows that most of them do not target a specific sector and are in fact general enough to apply to any kind of organisation. While this is good from a marketing point of view, because it benefits tool creators
19. (continuation of the Transport sector questions table; columns: Question text | Impact/Likelihood | Associated threat | Question weight | Answers)
Has any malfunction or defect of a … component, or damage to equipment, been noted? | Likelihood | ENISA 6 a Physical damage | 24 | YES | NO
… software on your devices? | Likelihood | ENISA 2 Worms/trojans | 2 | YES | NO
Could software be … the expiration or withdrawal of technical support? | Likelihood | ENISA 2 Worms/trojans | 31 | YES | NO
Do you have a data management plan in place? | Likelihood | ENISA 12 Data Breaches | 6 | YES | NO
… identity theft risk assessment reports? | Likelihood | ENISA 7 Identity theft/fraud | 7 | YES | NO
Is a data privacy policy in place in your company? | Likelihood | ENISA 12 Data Breaches | 8 | YES | NO
… breaches and/or cyber attacks? | Likelihood | ENISA 12 Data Breaches | 9 | YES | NO
… regularly updated and tested? | Likelihood | ENISA 13 a Information leakage | 5 | YES | NO
Is your IT infrastructure and data insured against theft? | Likelihood | ENISA 6 b Theft | 10 | YES | NO
How are your records stored? | Impact | ENISA 12 Data Breaches | 25 | Electronically | Paper | External hard drives | Other / Not sure
Who in the company has access to private client records? | Impact | ENISA 12 Data Breaches | 26 | Data owner only | Employees | Clients | Other / Not sure
Who is able to add or modify the data on the hard drive? | Impact | ENISA 12 Data Breaches | 27 | Data owner only | Employees | Clients | Other / Not sure
Who is in charge of the notification process, if any, … | Impact | ENISA 12 Data Breaches | …
20. • Risk assessment
• Risk treatment
• Gap analysis
• Business continuity management
For further information about this tool please refer to: http://www.riskmanagementstudio.com/features

• BSI Entropy Software: "BSI Entropy Software provides a management solution that significantly reduces the cost and effort needed to proactively manage risk, performance and sustainability activities. Entropy Software provides a number of powerful features that drive continual business improvement throughout an organisation." Entropy Software is composed of five key modules, which function independently or as a whole, to help organisations effectively manage business challenges in the areas of:
o Audit & Compliance Management
o Incident Management
o Performance Management
o Risk Management
o Knowledge Management
For further information about this tool please refer to: http://www.bsi-entropy.com and http://www.bsi-entropy.com/explore-entropy/modules/risk-management

• AlienVault Unified Security Management, developed by AlienVault, is an all-in-one platform that provides:
o Unified, coordinated security monitoring
o Simple security event management and reporting
o Continuous threat intelligence
o Fast deployment
o Multiple security functions without multiple consoles
This tool also provides a threat reporting system similar to the Community Interaction, but the reports do not improve the tool itself in any way. With Al…
21. …among different views. Back paths (paths that allow the user to go back from one section to the previous one) are enabled in the tool, but they have not been drawn in the diagram as arrows, in order to make it more readable. The main elements of the map are described with relevant screenshots in the following sections.

[Diagram: functional navigation map (UML state machine). States and transitions recoverable from the diagram:
- Community interaction: interact with the community; threat selection; propose question; report new threat; join thread; create thread; list discussion threads; leave your comment; link to the Forum section.
- Questionnaires: list questionnaires; add draft (empty) questionnaire; publish questionnaire; edit/view questionnaire; fill questionnaire (cancel or save one answer; cancel or save the questionnaire; submit questionnaire); edit questionnaire (add question; remove question; assign weight to question); edit question (list of questions; assign values to answers; edit question; delete question).
- Risk Analysis: qualitative risk analysis; impact/likelihood map; filtering by threat; accuracy information and threat details; report new threat.
- Threats: tree of threats; select threat; remove threat; edit threat; edit threat detail; provide references to threat; prov…]
22. …the fixed values assigned to the answers, and W the weights:
A = {a1, a2, a3, a4}, W = {w1, …, wn}

Represent the obtained values on the graph. After obtaining the values of impact and likelihood for each of the threats, the only step left is to represent them in a graph; as mentioned before, this graph shows the impact and likelihood of each threat on a common scale. The graph respects the range of the values, from 0 to 5 for both dimensions, and all the identified threats are represented within this area.

Questions are focused on identifying the most common threats that may affect the organisations operating in each of the sectors, taking into account the technologies used, the available IT infrastructure, the different activities and processes deployed, etc.

Below is a working example of the entire process of answering questions and obtaining the analysis; this example has been developed concretely to identify the threat of information leakage in each of the sectors, evaluating impact and likelihood. It is important to clarify that in CRISK threats are evaluated separately for each of the sectors. The graph below (Figure 16) represents the values for one threat in each of the four sectors; it is just an example to explain the process of evaluation and does not represent the risk analysis shown before (Figure 10).

Questions | Answers | Answer value
Impact: What would be the impact of an information leakage incident? | Critical | 5
Impact: What …
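The seven stages of section 3.3, with the answer values A and the weights W above, carried through as an added worked example in Python. This code is not part of the CRISK tool or of this deliverable; it is added here to make the stages concrete. It assumes that the indicator applied in stage 6 is the weighted arithmetic mean of the answer values, sum(a_i · w_i) / sum(w_i) (the page names A and W, but its expression is not legible here); that unanswered questions are simply left out, following the note on the questionnaire screens that answering every question is not mandatory; and that the "results accuracy" of Figure 10 is the share of a threat's questions that were answered. The question ids Q1 to Q4, the per-sector weights, the function names and the replies are constructed for the example; the question texts and the answer values are those of Tables 1 and 2.

```python
"""Added example of the CRISK scoring stages (not the tool's own code).

Stage 2 and 3: classify answered questions per threat, then per dimension.
Stage 4 and 5: take the fixed answer value and the sector-specific weight.
Stage 6: apply the indicator (assumed here: weighted arithmetic mean).
Stage 7: place (likelihood, impact) on the 0..5 chart.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 0.0, 5.0  # answer values and both chart axes run from 0 to 5


@dataclass(frozen=True)
class Question:
    qid: str                 # constructed id (the tool numbers questions itself)
    text: str
    dimension: str           # "impact" or "likelihood"
    threat: str              # threat the question is classified under
    answers: Dict[str, int]  # answer text -> fixed value on the 0..5 scale (Table 2)
    weights: Dict[str, int]  # sector -> question weight; any non-negative scale works


@dataclass(frozen=True)
class ThreatScore:
    threat: str
    impact: Optional[float]      # None when no impact question was answered
    likelihood: Optional[float]  # None when no likelihood question was answered
    accuracy: float              # share of this threat's questions answered (assumption)


# Constructed questionnaire fragment: the four information-leakage questions of Table 1
# with the answer values of Table 2. The per-sector weights are constructed for the
# example; they are not the values of Table 3.
IL_ANSWERS = {"Critical": 5, "High": 4, "Moderate": 2, "Residual": 0}
YES_NO = {"Yes": 1, "No": 4}
QUESTIONS: List[Question] = [
    Question("Q1", "What would be the impact of an information leakage incident?",
             "impact", "Information leakage", IL_ANSWERS,
             {"Transport": 4, "Energy": 4, "eGov": 3, "Finance": 3}),
    Question("Q2", "What would be the impact of a confidential business information "
             "leakage on your organisation?",
             "impact", "Information leakage", IL_ANSWERS,
             {"Transport": 4, "Energy": 2, "eGov": 3, "Finance": 5}),
    Question("Q3", "Do you know which computer systems in your company are used to "
             "process or store critical or private data?",
             "likelihood", "Information leakage", YES_NO,
             {"Transport": 4, "Energy": 4, "eGov": 3, "Finance": 3}),
    Question("Q4", "Are there systems or procedures in place to protect confidential "
             "information flow within your organisation?",
             "likelihood", "Information leakage", YES_NO,
             {"Transport": 4, "Energy": 3, "eGov": 5, "Finance": 3}),
]


def indicator(pairs: List[Tuple[int, int]]) -> Optional[float]:
    """Stage 6, assumed indicator: sum(a_i * w_i) / sum(w_i) over the answered
    questions, clamped to the chart range and rounded to two decimals (Figure 10
    shows values such as 3.44). None when nothing was answered or all weights are 0."""
    total_weight = sum(w for _, w in pairs)
    if total_weight == 0:
        return None
    value = sum(a * w for a, w in pairs) / total_weight
    return round(min(SCALE_MAX, max(SCALE_MIN, value)), 2)


def score(questions: List[Question], sector: str,
          responses: Dict[str, str]) -> Dict[str, ThreatScore]:
    """Stages 2 to 6 for one submitted questionnaire. `responses` maps a question id
    to the chosen answer text; questions left unanswered are skipped."""
    groups: Dict[str, Dict[str, List[Tuple[int, int]]]] = defaultdict(
        lambda: {"impact": [], "likelihood": []})
    total: Dict[str, int] = defaultdict(int)
    answered: Dict[str, int] = defaultdict(int)
    for q in questions:
        total[q.threat] += 1                       # stage 2: one bucket per threat
        reply = responses.get(q.qid)
        if reply is None:
            continue
        if reply not in q.answers:                 # reject a reply that is not an option
            raise ValueError(f"{q.qid}: '{reply}' is not one of {sorted(q.answers)}")
        if sector not in q.weights:
            raise ValueError(f"{q.qid}: no weight defined for sector '{sector}'")
        answered[q.threat] += 1
        # stage 3 picks the dimension; stages 4 and 5 supply the value and the weight
        groups[q.threat][q.dimension].append((q.answers[reply], q.weights[sector]))
    return {
        threat: ThreatScore(threat,
                            indicator(groups[threat]["impact"]),
                            indicator(groups[threat]["likelihood"]),
                            round(answered[threat] / total[threat], 2))
        for threat in total
    }


def chart_points(scores: Dict[str, ThreatScore]) -> List[Tuple[str, float, float]]:
    """Stage 7: (threat, x = likelihood, y = impact) for every threat that has both values."""
    return [(s.threat, s.likelihood, s.impact)
            for s in scores.values() if s.impact is not None and s.likelihood is not None]


if __name__ == "__main__":
    full = {"Q1": "Critical", "Q2": "Moderate", "Q3": "Yes", "Q4": "No"}  # Table 1 replies
    for sector in ("Transport", "Energy", "eGov", "Finance"):
        for threat, x, y in chart_points(score(QUESTIONS, sector, full)):
            print(f"{sector:9} {threat}: likelihood {x}, impact {y}")
    partial = score(QUESTIONS, "Transport", {"Q1": "Critical", "Q3": "Yes"})
    print("accuracy with two of four questions answered:",
          partial["Information leakage"].accuracy)
```

Because the mean is divided by the total weight, weights can be given on the 0 to 5 scale of Table 3 or on the 0 to 100 scale of the sector tables in section 4 without changing the result, and a sector that weights a question at 0 effectively removes it from the indicator. The same replies give different points per sector only through the weights, which is the sense in which threats are evaluated separately for each sector. Skipping a question shifts the indicator towards the questions that were answered (with only Q1 answered, the impact is 5.0 instead of 3.5), which is why an accuracy figure next to the chart matters.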
23. Figure 11: Information and references of the risk analysis
Figure 12: Community Interaction home
Figure 13: Propose questions
Figure 14: Report new threats
Figure 15: Solutions search & create
Figure 16: Example – Graphical analysis

Table of tables
Table 1: Example – Information leakage questions
Table 2: Example – Values assigned to answers for evaluation
Table 3: Example – Weights assigned to sectors for evaluation

Executive summary

CYSPA is an initiative created by 17 partners aiming to create a European Alliance to protect cyberspace for industry [1]. The initiative is currently evolving to become
24. …knowledge about cyber security. This document is divided into four main sections:
1. Introduction: a short description that briefly explains the main functionalities and provides an overview of the entire process of the tool.
2. CRISK positioning: this section explains the stronger points of CRISK and the reasons why it was decided to proceed with the development of CRISK rather than adopt another tool available on the market.
3. CRISK design: a detailed description of the tool's design and of all the functionalities available. This section provides a better understanding of all the processes carried out within the tool: behaviour, interface and internal logic. Screenshots have been incorporated in order to help describe these processes and sections of the tool.
4. Conclusions: a description of the benefits of having CRISK as a service in an Alliance such as CYSPA, and the next steps to follow.

2 CRISK Positioning

This section contains an overview of the risk tools already available on the market and their main features. It also introduces the motivations for the creation of the CRISK tool.

2.1 Existing Risk Tools

Risk management is a process that goes back to the beginning of the computer era (1970s). Modern risk assessment methodologies define risk assessment as the process of identifying vulnerabilities and threats to the information resources used by an organisation in achieving its business objectives, and deciding what countermeasures, if any, to take in order to reduce ri…
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers
[...]ely and processed in your company? (continued) | [...] | [...] | Data Breaches | [...] | Very securely / Somewhat securely / Somewhat insecurely / Insecurely
Is your network linked to other wireless networks that are not under your control? | ENISA 13 a | Likelihood | Information leakage | 21 | YES / NO
If you are connected to other networks, how susceptible to cyber attacks do you think they could be? | ENISA 13 a | Impact | Information leakage | 22 | Very susceptible / Somewhat susceptible / Not very susceptible / Not susceptible
Are you confident that your company always sends data only through secure networks? | ENISA 10 | Likelihood | [...] | 20 | YES / NO
Are you in [...] employees, customers, clients? | ENISA 12 | Likelihood | Data Breaches | 28 | YES / NO
Do you or your [...] corporate information or trade secrets, either for your company or for those of your clients? | ENISA 13 a | Likelihood | Information leakage | 29 | YES / NO
How prepared would your [...] with the situation if there were a loss of confidential records? | [...] | Impact | Information leakage | 1 | Entirely prepared / Somewhat prepared / Not very prepared / Not prepared
Have you ever had problems with your mobile and/or Internet service provider (failure, service interruption, outage of Internet access)? | ENISA 8 | Likelihood | Denial of service | 30 | YES / NO
Is there a messaging protocol in place for e-mail communi[...] | ENISA 10 | Likelihood | Spam | 23 | YES / NO
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers (value)
[...] wireless network (continued) | [...] | [...] | Information leakage | [...] | Centralised (2) / Decentralised
Are all your portable devices encrypted (laptops, mobile devices, wireless connections)? | ENISA 6 c | Likelihood | Equipment Loss | 14 | YES (2) / NO (4)
Is the data on portable devices encrypted? | ENISA 13 a | Likelihood | Information leakage | 15 | YES (2) / NO (4)
[...] encryption service you use | [...] | Impact | Data Breaches | 16 | High (1) / Mediocre (3) / Low / Not sure (2)
Are portable devices equipped with tracking software? | ENISA 6 c | Likelihood | Equipment Loss | 17 | YES (2) / NO (4)
How would you rate the safety of the tracking software? | ENISA 6 c | Impact | Equipment Loss | 18 | High (1) / Mediocre (3) / Low / Not sure (2)
Is data storage on USB drives allowed? | [...] | Likelihood | Worms/trojans | 36 | YES (4) / NO (2)
What technology do you use to keep track of the location of trailers, trucks, shipments? | ENISA 13 a | Likelihood | Information leakage | 35 | Radio Frequency Tag (RF) (4) / GNSS applications (3) / Other sensors, please specify (3) / None (5)
Is an anti-phishing mechanism or software in place? | ENISA 9 | Likelihood | Phishing | 19 | YES / NO (4)
How effectively would your company be able to deal with a computer virus in your network? | ENISA 2 | Impact | Worms/trojans | 3 | Very effectively / Somewhat effectively / Somewhat ineffectively / Not effectively
How securely is private data stored [...] | ENISA 12 | Impact | Data Breaches | 4 | Very securely / Somewhat securely / Somewhat insecur[...]
[Figure 14 screenshot residue: list pagination "entries ... Previous 1 2 3 4 5 ... 10 Next"; form hint "If the reported threat is a parent of the tree do not select anything; if not, please select the parent threat"; parent threat list: Botnets, Code Injection, Drive-by Downloads, Exploit Kits]

Figure 14: Report new threats

As previously introduced, solutions to specific threats can be proposed and submitted by any member of the community and then approved by the experts of the same community, through the approval process implemented in the portal itself. Once a request for the inclusion of a new solution is received (or a request for modification of an existing one), the experts in the portal are notified by email. Experts can then review the request and approve, reject or apply modifications to information about existing solutions.

The following screenshot, taken from the solutions section, shows how solutions can be searched for by using filtering criteria or text search (yellow circles). In the same screenshot the create button (red circle) is also shown, with which users can propose new solutions and associate them to any specific threats. Further details about the Solutions submission process and behaviour are available in deliverable D3.6.2.

[Figure 15 screenshot residue: CYSPA Solutions page with "Toggle filter" and "Vote" filters and a table with columns Name, Description, Vote, Provider, Actions; first row "DeviceProtect", "[...]staff with access to local and global [...]", vote 0, provider "Test Test", "Link"]
ferences about the threats, solutions that can prevent or mitigate them, and reporting new threats by using the community interaction feature.

In order to identify the threats affecting their organisations, users have to answer a series of questions related to the value of their assets to the business and their exposure to known threats. The initial questions are fairly general and the answers are not considered as revealing sensitive information; as the questions become more precise in terms of the details of the assets critical to the organisation and which countermeasures are in place, answers can become more sensitive. The decision to answer or to skip a question in the more detailed questionnaires is always optional for the user. However, the actual precision of the results provided by CRISK will be linked to the extensiveness with which the user has answered the questions.

Once the user has completed and submitted the answers, a qualitative analysis is displayed revealing the relative risk for each threat related to the business, in terms of impact and probability of occurrence. This analysis allows the user to identify the threats he should be more concerned about (those with a higher impact or probability) as opposed to those which are not likely to occur or have no serious consequences (low probability or low impact). This analysis is complemented with information and references about each threat, to raise awareness of its impact and explain how impor
for business, legal and contractual requirements.
- Produces a set of exportable, reusable and audit-ready ISO 27001 compliant documents.
- Links and tracks controls back to specific documents to record implementation details.
- Customisable assessment scales and risk assessment criteria.
- Features a backup and restore functionality.
- Includes a detailed user manual to take you step by step through the process.

The vsRisk version 2.3 has new additions:
- Fully compatible with ISO/IEC 27001:2013.
- Offers the choice of applying either a scenario-based or an asset-based assessment methodology.
- Includes an integrated, searchable ISO 27005 compliant threat and vulnerability database, as well as a database of common risk scenarios.
- Supports the option to add additional customised risks and controls.
  o Create views and categories based on risks, owners, assets or customised company groups, in addition to sub-groups.
  o Includes the option to conduct assessments on multiple different information security management systems (ISMSs), i.e. across different companies and geographic locations. Additional ISMSs are available to purchase.
- Easily switch between multiple ISMSs from a single tool.
- Offers suggestions intuitively about relevant controls for specific threats and vulnerabilities.
- Includes a conversion tool for current vsRisk users which helps to quickly map existing controls based on ISO 27001:2005 to ISO 27001:2013 controls.

For further information a
g the analysis. For each threat a list of available solutions is displayed, based on the suggestions of the community of experts. Furthermore, users can easily interact (as explained in more detail in the next section) through the OPENNESS [13] social bar. This toolbar is located at the bottom of each threat description, allowing users to comment on and rate the threat, as well as subscribe to the specific threat in order to be promptly updated whenever important changes are applied to it.

Questionnaires

CYSPA operates mainly in four different sectors: transport, energy, e-Government and finance. The CYSPA alliance has the opportunity to count on members from organisations that play an important role in each of these sectors and that can support the rest of the community by providing knowledge while reporting new threats appearing in their sectors. Based on their expertise and knowledge, CRISK has been populated with different types of questionnaires targeting each of the sectors above, so all expert and non-expert members of the alliance can self-evaluate their organisations. Each of the questionnaires is composed of a certain number of multiple-choice questions to address existing threats among those included in the Tree of Threats (see below) and to evaluate the likelihood and impact of these threats on organisations of a given sector. Questionnaires have been developed by using the impact reports D2.1.1 - D2.1.4 [2][3][4][5] delivered in the context of wo
he effort that this integration represents, which has been evaluated as too high in the context of the CYSPA project.

The tool will now be used by the CYSPA Alliance and its community. It represents a first real service to CYSPA members, and we hope that they will find it useful not only as a tool for assessing their own organisation's risk but also as a mechanism for community building. As the number of users of the tool increases, so too will the content and reliability of its outputs. As such, we see a real value in continuously bringing in other communities to be part of CYSPA and to take part in and benefit from its activities and services.

6 REFERENCES

[1] CYSPA Description of Work, 2011.
[2] D2.1.1 Impact report: Transport, 2013.
[3] D2.1.2 Impact report: Energy, 2013.
[4] D2.1.3 Impact report: e-Government, 2013.
[5] D2.1.5 Impact report: Finance, 2013.
[6] CYSPA Community Portal, https://cyspa.eng.it
[7] CoBlue, www.coblue.eu
[8] CoAble, http://www.coable.eu
[9] CoAble Overview, https://www.coblue.eu/products
[10] D3.6.2 Solutions & Threats dataset, final release.
[11] ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association, p. 85. ISBN 1-933284-15-3.
[12] PMBOK, [...] edition, http://www.pmi.org/PMBOK-Guide-and-Standards/pmbok-guide.aspx
[13] OPENNESS, http://openness.eng.it
he self-assessment questionnaire is complete, CSET provides a prioritized list of recommendations for increasing cybersecurity posture, including solutions, common practices, compensating actions and component enhancements or additions. The tool also identifies what is needed to achieve a desired level of cybersecurity within a system's specific configurations.

Key benefits: CSET contributes to an organisation's risk management and decision-making process.
- Raises awareness and facilitates discussion on cybersecurity within the organisation.
- Highlights vulnerabilities in the organisation's systems and provides recommendations on ways to address the vulnerability.
- Identifies areas of strength and best practices being followed in the organisation.
- Provides a method to systematically compare and monitor improvement in the cyber systems.
- Provides a common industry-wide tool for assessing cyber systems.

For further information about this tool please refer to:
  o https://ics-cert.us-cert.gov/Assessments

- vsRisk, developed by Standalone Basic. The vsRisk version 2:
  o Automates and delivers an ISO/IEC 27001 compliant information security risk assessment.
  o Simplifies and accelerates the risk assessment with an intuitive risk assessment process.
  o Provides a set of 3 different pre-populated controls: ISO/IEC 27001:2005, ISO/IEC 27001:2013 and ISO/IEC 27032:2012.
  o Assesses confidentiality, integrity and availability (CIA)
[Figure 1 residue: boxes "[...]ide references", "link threat to solution", "Solutions are provided in the Solutions section of the community portal", "Link to solutions"]

Figure 1: Functional Navigation Map

3.2 Tool Interface

In this section some screenshots are presented, showing each of the sections of the tool.

Home

As mentioned in section 3.1, the tool is built upon three main sections, and those are exactly the three options that a user has in the welcome page:
- Tree of Threats
- Questionnaires and Risk Assessment
- Community interaction

Furthermore, since CRISK is integrated with the CYSPA community portal, it can benefit from and add value to its functionalities, with links to and from portal sections such as the Cyber Reference section and the Solutions section. In particular, Cyber Reference can help to raise knowledge, and thus awareness, about cyber threats, as shown in the screenshots below. On the other hand, in the Solutions section specific solutions to cyber threats (also related to a defined sector, a particular threat or a specific purpose) can be consulted and/or proposed. Thereby CRISK can suggest to users, for each completed risk analysis, appropriate solutions to mitigate the identified threats, as these are linked to solutions, taking advantage of the solutions collected, categorised and approved through the community portal.

[Figure 2 screenshot residue: CYSPA portal header and user menu]
ienVault USM for threat management you can:
- Identify, isolate and investigate indicators of exposure (IOEs) and indicators of compromise (IOCs).
- Correlate asset information with built-in vulnerability scan data and AlienVault Labs Threat Intelligence to better prioritise response efforts.
- Respond to emerging threats with detailed, customized how-to guidance for each alert.
- Validate that existing security controls are functioning as expected.
- Demonstrate to auditors and management that your incident response program is robust and reliable.

For further information about this tool please refer to:
  o https://www.alienvault.com/products
  o https://www.alienvault.com/open-threat-exchange

- The Cyber Security Evaluation Tool (CSET), developed by the Department of Homeland Security, is a desktop software tool that provides users with a systematic and repeatable approach for assessing the cyber security posture of their industrial control system networks. CSET guides users through a step-by-step process to assess their control system and information technology network security practices against recognised industry standards. CSET helps asset owners to assess their information and operational systems' cybersecurity practices by asking a series of detailed questions about system components and architecture, as well as operational policies and procedures. These questions are derived from accepted industry cybersecurity standards. Once t
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers (1 to 4)
[...]illed staff [...] a dedicated incident response staff and [...] policies and procedures for incident response [...] | ENISA 14 | Impact | Targeted attacks | 30 | No / Skilled staff capable of conducting incident response and analysis / Skilled staff with specific training in incident response and analysis / Skilled staff with policies and procedures for incident response and analysis / An intrusion analyst staff to monitor and secure major assets exposed on the internet
Regarding the security maintenance of publicly available systems there is: | ENISA 14 | Likelihood | Targeted attacks | 30 | No specific policy or procedures / Specific policy and procedures that include patch management / Specific policy and procedures that include patch management and vulnerability management / Specific policy and procedures that include patch management, vulnerability management and regular security assessments
Do the publicly available systems include business-critical information? | ENISA 14 | Likelihood | Targeted attacks | 40 | No / [...] / Critical information that is replicated in other systems / Critical information that doesn't exist in other systems
What would be the possible benefit of a successful attack on your public sites? | ENISA 14 | Likelihood | Targeted attacks | 30 | None / Cause minor damage to the organisation's image / Cause public embarrassment or serious damage to the organisation / Steal valuable information such as personal [...] / Conduct fraudulent [...]
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers (1 to 4)
Is all personal data stored using encryption? | [...] | Impact | Data Breaches | 25 | Organization does not store personal data / All personal data stored using encryption / Most personal data stored using encryption / [...] not use [...] in the storage of personal data
Is all personal data transmitted through the network using encryption? | ENISA 12 | Impact | Data Breaches | 25 | Organization's systems do not transmit personal data / All personal data transmitted using encryption / Most personal data transmitted using encryption / Encryption is [...] personal data
Are data breaches detected and investigated? | ENISA 12 | Likelihood | Data Breaches | 10 | Yes / Most data breaches are investigated / Some data breaches are investigated / No
Does the organization manage [...] of clients, associates or employees? | ENISA [...] | Likelihood | Data Breaches | 45 | No / Only employees / Only employees and associates / Yes
Does the organisation have specific legal requirements regarding the processing of personal data? | ENISA 12 | Likelihood | Data Breaches | 45 | No / Yes

4.4 Energy sector questions

Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answer 1 (text, value) / Answer 2 / Answer 3 / Answer 4
Does your organisation have controls in place to detect attacks on your systems? | ENISA 14 | Likelihood | Targeted attacks | 85 | YES (2) / NO (4) / NOT SURE (3)
Does your organisation have provisions in place [...]
[Figure 3 screenshot residue, continued: solutions listed under a threat, each with name, description, author "Test Test" and creation date 03/25/2015:
- Cisco Secure Access Control System: [...]ministration point and policy decision point for policy-based network device access control. Main features are: access policies (rules-based and attribute-driven); authentication protocols (PAP, MS-CHAP, EAP-MD5, TLS etc.); integration with external identity and policy databases (Windows Active Directory, LDAP server and RSA token servers).
- Cisco Identity Services Engine: a security policy management and control platform; it automates and simplifies access control and security compliance for wired and VPN connectivity. Cisco Identity Services Engine is primarily used to provide secure access, provide guest access, support BYOD initiatives and enforce usage policies.]

Figure 3: Tree of threats

Questionnaires and Risk Assessment

In this section a list of questionnaires is presented to the users, so they can choose the most suitable one depending on the sector or type of self-evaluation process they would like to conduct. Since this second release of CRISK, all the sector-related questionnaires have been completed with the support of each specific expert partner of the project. In the following screenshots there are excerpts from four different questionnaires that represent each of the mentioned sectors that CYSPA has been involved with.

[Figure 4 screenshot residue: CYSPA (European Cyber Security Protection Alliance) / CYSEC Risk Self-Assessment Tool header]
naires for all the different sectors that CYSPA is involved with; these questionnaires gather the most relevant threats affecting each of them. Questions have been carefully developed by taking into consideration a majority of threats within the same questionnaire. They also allow the tool to understand if it is important to prevent or mitigate the related threat. Being clear that questionnaires contain and explore many different threats, it thus becomes essential that all questions referring to the same threat are classified together, in order to reach a final quantitative analysis for that threat.

Classify questions by impact or likelihood. A similar process is necessary at this stage: once questions have been classified per threat, they now have to be separated into two different groups, impact and likelihood. This separation is necessary because in the analysis each threat has two different values that represent the axes of the graph: one value for impact (vertical axis) and the other one for likelihood (horizontal axis).

Assign fixed values to answers. A prior mapping determines the value assigned to a specific answer, depending on the question and the number of available answers. This value is always within the same range, 0 as minimum and 5 as maximum; values are arranged and distributed taking into account the number of available answers.

Assign weights to answers. Some questions are more important than others within the same questionnaire:
4.4 Energy sector questions ... 42
5 Conclusions ... 44
6 References ... 45

Table of figures
Figure 1: Functional Navigation Map ... 18
Figure 2: CRISK home ... 19
Figure 3: Tree of threats ... 20
Figure 4: Set of questionnaires ... 21
Figure 5: Transport sector questionnaire ... 22
Figure 6: Finance sector questionnaire ... 22
Figure 7: e-Government sector questionnaire ... 23
Figure 8: Energy sector questionnaire ... 23
Figure 9: Submit a questionnaire ... 24
Figure 10: Graphical analysis
[Figure 11 screenshot residue, continued: threat description "Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or inject) code into a computer program to change the course of execution." References: http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape. Solutions table (Name, Description, Author, Created at) listing Oracle API Gateway and Cisco Secure Access Control System ("serves as a policy administration point and policy decision point for policy-based network device access control"), author "Test Test", created 03/24/2015 and 03/25/2015]

Figure 11: Information and references of the risk analysis

Community interaction

This section allows, as in the previous version of the tool, to propose new questions or report new threats.

[Figure 12 screenshot residue: CYSPA (European Cyber Security Protection Alliance) / CYSEC Risk Self-Assessment Tool header, followed by the welcome text: "Welcome to the community interaction. In this section you can interact with the rest of the alliance and exchange ideas and experiences, even ask for help from other members or support them using the forum feature. You can also collaborate and help us improve the tool by proposing questions, reporting new threats, providing information and references regarding those threats and providing solutions. Your support today can benefit you tomorrow."]

Figure 12: Community Interaction
onceived to give the CYSPA community participants the possibility to introduce new cyber threats in order to include them in the self-assessment process, and to provide new input with the aim of improving the questionnaires; they can also report available solutions. The community interaction is one of the main added values of CRISK. In addition to other considerations introduced in section 2, it is one of the reasons that led to the decision to create a new tool instead of reusing what is already available in the market.

The risk tool implementation has been scheduled in two phases: the first one ended in November 2014 with a first release that was open to CYSPA partners only, while the second one was completed at the end of March and will be made available to the whole CYSPA Alliance via the Community Portal. This document, as part of the second release of the tool, integrates the content of the first release from D4.4.1, which presents the CRISK tool logical design and behaviour, including the description of the extensions and improvements applied in the second release of the tool.

1 Introduction

CRISK is an online self-assessment tool that allows users to:
- Identify threats that may be affecting their organisations.
- Obtain a risk analysis to self-evaluate their level of exposure.
- Navigate through a tree of threats collected in D2.4.
- Interact with the rest of the community and enrich the tool by providing questions, information and re
rk package 2 of the CYSPA project. A mapping that links each question with the corresponding threats, and each answer with a value that is used in the risk analysis, has also been developed (for more detailed information please refer to section 4).

Logic of the tool

Once the user has answered and submitted the questionnaire, the risk analysis is displayed, containing all the identified threats represented in a two-dimensional graph. Impact and likelihood are represented on the graph axes, both within the same range, zero to five, zero being the minimal impact and likelihood and five the maximum. For each of the identified threats a threat detail is also presented. The detail contains relevant information and references to increase the awareness and knowledge of the user about the related threat.

Community interaction

This section allows members of the Alliance that are using the tool to share information about new and existing threats, as well as related solutions, considering an initial solutions and threats collection performed in D3.6.2 Solutions and Threats dataset [10]. Also, suggestions on new questions can be included in the tool, thus increasing the awareness and knowledge that community participants have with respect to cybersecurity topics.

The following figure introduces the functional navigation map of the CRISK tool. Boxes in the different sections represent the different views of the tool's interface, while the arrows represent the user actions (navigat
rols the organisation has put in place in order to manage or mitigate those risks. The purpose of this tool is not to ensure all risks are rated as "Adequately Controlled", but rather to help departments assess their control structure for sufficiency given their environment, resources and bandwidth. This tool will help organise an organisation's thinking while considering the organisation's risk profile and related enterprise risk management implications.

For further information about this tool please refer to:
  o http://www.ucop.edu/enterprise-risk-management/tools-templates/risk-assessment-toolbox/content/risk-ranking-tool.html

- The company MITRE developed three tools:
  o RiskNav is a tool to facilitate the risk process and help program managers handle their risk information in a collaborative manner. This tool provides three dimensions of information graphically: risk priority, probability and mitigation management status. RiskNav, originally produced for the U.S. government, is designed to capture, analyse and display risks at a project or enterprise level. For further information about this tool please refer to: http://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-management-tools
  o RiskMatrix is a software application that can help identify, prioritize and manage key risks on a program. MITRE created this application a few years ago with the aim of supporting risk asse
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers
(continued from the previous row) [...] personal data / [...] fraudulent transactions / [...] image
Do you have a policy in place to warn users not to click on links received in e-mail messages? | ENISA 1 | Impact | Drive-by downloads | 80 | No / Informal policy / Formal policy / Formal policy and awareness training
Is the end user laptop or workstation maintained with security policies and patching policies? | ENISA 1 | Impact | Drive-by downloads | 10 | No / Applicable to some users / Applicable to most users / Applicable to all users
Are your users local administrators of their laptops or workstations? | ENISA 1 | Impact | Drive-by downloads | 10 | No / Few / Some / Most of them / All
Is there a software suite selection that reduces the number of software to be managed by the organisation's patching policy? | ENISA 1 | Likelihood | Drive-by downloads | 30 | No policy on the software to be used / Restrictive suite of software with no exceptions / Restrictive suite of software with some exceptions / Recommended suite of software with few restrictions / Recommended suite of software with no restrictions
Do you have an effective anti-spam and e-mail virus screening system? | ENISA 1 | Likelihood | Drive-by downloads | 60 | Yes, with hourly updates / Yes, with daily updates / Yes, with frequent updates / No
Is there a centralized log system (SIEM) that can [...] and Anti-Virus logs in a wa[...] | ENISA 1 | Likelihood | Drive-by downloads | 10 | Yes / No
since all answers are evaluated within the same range, equally and independently from the question and the related threat, it is absolutely necessary to have a differentiating factor that determines the importance of that specific question, related to a specific threat, within a specific questionnaire. That factor is the weight, and it is assigned to every question. This approach was adopted because of the following advantages:
- Values assigned to answers are always within the range 0-5; this simplifies the administrators' tasks.
- If the importance of a question changes with time (because certain technologies have evolved and gained higher relevance within a specific sector, and so related threats have become more dangerous), the questionnaires would be updated by just modifying the weight and not every value of every answer.
- Having the same values assigned to answers allows the tool to compare them whenever necessary and elaborate evolutional reports if requested.
- The user perceives that questions and answers are homogeneous, making the task of answering a questionnaire much easier, especially for non-experts on security, and also improving the UX (User eXperience).
- The model captures the sectorial analysis done in D2.4.2.

Apply the expressions (indicators). The adopted process is the weighting process and works as follows:

i Tie TQU TW Tag Tau r Din Wi Wy W 103 Wy Where X ar
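The scoring described above, as an added example that is not code from the deliverable or the CRISK tool: a few rows of the transport questionnaire excerpt, with the 0-5 answer values and per-question weights as printed there, aggregated into one impact and one likelihood score per threat, with skipped questions left out. The weighted-mean aggregation, the impact x likelihood ranking and the question ids are assumptions made for this example, since the deliverable's own expression is not legible here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VALUE_MIN, VALUE_MAX = 0, 5   # range stated for answer values and for both graph axes


@dataclass(frozen=True)
class Question:
    """One questionnaire row: a question tied to one threat and one axis."""
    qid: str
    text: str
    threat: str
    axis: str                  # "impact" (vertical axis) or "likelihood" (horizontal axis)
    weight: int                # importance of the question within its questionnaire
    answers: Dict[str, int]    # answer text -> fixed value in VALUE_MIN..VALUE_MAX

    def __post_init__(self) -> None:
        if self.axis not in ("impact", "likelihood"):
            raise ValueError(f"{self.qid}: axis must be impact or likelihood")
        if self.weight <= 0:
            raise ValueError(f"{self.qid}: weight must be positive")
        bad = [a for a, v in self.answers.items() if not VALUE_MIN <= v <= VALUE_MAX]
        if bad:
            raise ValueError(f"{self.qid}: answer value out of range for {bad}")


# Rows of the transport questionnaire excerpt (weights and answer values as printed
# there); the ids Q14..Q36 are labels made up for this example.
TRANSPORT = [
    Question("Q14", "Are all your portable devices encrypted?", "Equipment loss",
             "likelihood", 14, {"YES": 2, "NO": 4}),
    Question("Q15", "Is the data on portable devices encrypted?", "Information leakage",
             "likelihood", 15, {"YES": 2, "NO": 4}),
    Question("Q17", "Are portable devices equipped with tracking software?", "Equipment loss",
             "likelihood", 17, {"YES": 2, "NO": 4}),
    Question("Q18", "How would you rate the safety of the tracking software?", "Equipment loss",
             "impact", 18, {"High": 1, "Mediocre": 3, "Not sure": 2}),
    Question("Q36", "Is data storage on USB drives allowed?", "Worms/trojans",
             "likelihood", 36, {"YES": 4, "NO": 2}),
]

Scores = Dict[str, Dict[str, Optional[float]]]


def score_threats(questions: List[Question], given: Dict[str, str]) -> Scores:
    """Turn the user's answers into one impact and one likelihood value per threat.

    Assumed aggregation: weighted mean of the fixed answer values, using the question
    weights. A skipped question (qid absent from `given`) is ignored, and a threat/axis
    pair with no answered question stays None instead of silently becoming 0.
    """
    acc: Dict[Tuple[str, str], Tuple[float, int]] = {}
    scores: Scores = {q.threat: {"impact": None, "likelihood": None} for q in questions}
    for q in questions:
        answer = given.get(q.qid)
        if answer is None:
            continue                        # answering is optional
        if answer not in q.answers:
            raise KeyError(f"{q.qid}: '{answer}' is not one of {sorted(q.answers)}")
        total, wsum = acc.get((q.threat, q.axis), (0.0, 0))
        acc[(q.threat, q.axis)] = (total + q.weight * q.answers[answer], wsum + q.weight)
    for (threat, axis), (total, wsum) in acc.items():
        scores[threat][axis] = total / wsum  # a weighted mean of 0..5 values stays in 0..5
    return scores


def rank_threats(scores: Scores) -> List[Tuple[str, float]]:
    """Order threats scored on both axes by impact x likelihood, highest first
    (assumed ranking criterion; the deliverable only shows the two-axis graph)."""
    ranked = [(t, s["impact"] * s["likelihood"]) for t, s in scores.items()
              if s["impact"] is not None and s["likelihood"] is not None]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def reweight(questions: List[Question], qid: str, weight: int) -> List[Question]:
    """Copy of the questionnaire with one question's weight changed: the update path
    the text describes, where no answer value has to be touched."""
    return [Question(q.qid, q.text, q.threat, q.axis, weight, q.answers) if q.qid == qid else q
            for q in questions]


# Constructed sample answers for this example; Q36 is deliberately skipped.
SAMPLE_ANSWERS = {"Q14": "YES", "Q15": "NO", "Q17": "NO", "Q18": "Mediocre"}

if __name__ == "__main__":
    scores = score_threats(TRANSPORT, SAMPLE_ANSWERS)
    for threat, s in scores.items():
        print(f"{threat:20s} impact={s['impact']} likelihood={s['likelihood']}")
    print("ranking:", rank_threats(scores))
    heavier = score_threats(reweight(TRANSPORT, "Q17", 34), SAMPLE_ANSWERS)
    print("Equipment loss likelihood with Q17 weight 34:", heavier["Equipment loss"]["likelihood"])
```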
sk to an acceptable level, based on the value of the information resource to the organisation [11]. To this effect, a process of risk assessment identifies the assets (information resources) that are critical to the organisation and, for each asset, what vulnerabilities exist and which threats may use these vulnerabilities to affect the integrity, confidentiality and availability of the asset.

There are many tools available in the market to assist in the risk assessment process, some more sophisticated than others, more efficient or even more able to carry out the risk analysis processes. The number of tools available is rapidly increasing nowadays, mainly because organisations are now working in a hyper-connected world that makes the exposure to risks more difficult to understand and mitigate. The CYSPA project carried out extensive research in identifying and analysing a number of existing tools for risk analysis. The most interesting ones in relation to CYSPA purposes and activities are briefly introduced in the list below.

- Enterprise Risk Management, developed by the University of California. This tool will help to consider the factors affecting the risks faced by an organisation. The factors considered are:
  o Event likelihood
  o Time to impact
  o Financial severity
  o Injury severity
  o Reputational impact severity
  The tool will prompt organisations to list potential risk events which may impact them and describe the cont
ssment processes developed by a MITRE DoD client. MITRE and the client have expanded and improved the original process, creating the Baseline Risk Assessment Process. Although the process and application were developed for use by a specific client, these principles can be applied to most government acquisition projects. For further information about this tool please refer to: [...]/systems-engineering/risk-management/risk-management-tools
  o RiskRadar is a risk management database to help project managers identify, prioritise and communicate project risks in a flexible and easy-to-use form. Risk Radar provides standard database functions to add and delete risks, as well as specialised functions for prioritizing and retiring project risks. Each risk can have a user-defined risk management plan and a log of historical events. A set of standard short and long form reports can be easily generated to share project risk information with all members of the development team. The number of risks in each probability/impact category by time frame can be displayed, which allows the user to drill down through the data to uncover increasing levels of detail. Risk Radar allows the user the flexibility of automatic sorting, in addition to manually moving risks up and down, in setting priority rank. For further information about this tool please refer to:
    http://www2.mitre.org/work/sepo/toolkits/risk/ToolsTechniques/RiskRadar.html

- OpenPages soft
Question | ENISA ref. | Impact/Likelihood | Associated threat | Weight | Answers
[...] system [...] protection measures like data erasure (continued) | [...] | Impact | Equipment Loss | 44 | YES / NO / NOT SURE
Does your organisation separate energy delivery and energy management networks? | ENISA 14 | Impact | Targeted attacks | 74 | YES / NO / NOT SURE
Does your organization employ distinct personnel supervising IT security, i.e. an IT security officer? | ENISA 12 | Likelihood | Data Breaches | 75 | YES / NO / NOT SURE
Does your organisation operate energy transmission systems? | ENISA 8 | Impact | Denial of service | 77 | YES / NO

5 Conclusions

We have realised that developing a tool such as CRISK is not an easy task, especially when it is oriented to different sectors. Most of the tools identified have a more defined scope, but with the support of the CYSPA Alliance and the self-maintained design that we have implemented, we believe it brings an added value and that it has a great potential to become a very useful service for members of the Alliance. Although the tool is oriented towards risk assessment, due to its flexible design it may be adapted to different evaluations, such as regulatory compliance with the ISO standards. On this side, the CYSPA consortium has evaluated the possibility of joining forces with the CoBlue [7] company developing the CoAble [8] product. After some phone calls held between the CRISK and CoAble teams, the Consortium decided not to integrate CRISK and the CoAble tool because of the different goals of both solutions and t
(continued from previous page) ...talled security measures like encryption or authentication technologies | Likelihood | ENISA 12 Data Breaches | 50 | YES (1) | NO (5) | NOT SURE (3)
How does your organisation rank the risk of industrial espionage? | Likelihood | ENISA 13a Information leakage | 48 | Very likely (5) | Somewhat likely (3) | Unlikely (1)
Has your organisation adopted measures to prevent industrial espionage? | Likelihood | ENISA 13a Information leakage | 45 | YES | NO | NOT SURE
Does your organisation see itself as a possible target for hacktivists? | Likelihood | ENISA 8 Denial of service | 30 | YES | NO
Can your organisation ensure system functionality in case of reduced availability of operational control systems? | Likelihood | ENISA 8 Denial of service | 80 | YES | NO | NOT SURE
How long can your organisation ensure system functionality with reduced availability of operational control systems? | Impact | ENISA 8 Denial of service | 71 | 5 days | 1-5 days | 8-24 hours | 8 hours
Do your systems comply with international security guidelines? | Impact | ENISA 14 Targeted attacks | 68 | YES | NO | NOT SURE
Does your company intend to have its IT security system certified? | Impact | ENISA 14 Targeted attacks | 50 | YES | NO | Already certified
How tamper-proof is your hardware against physical attacks? | Impact | ENISA 3 Code injection | 70 | Very tamper-proof | Somewhat tamper-proof | Not tamper-proof
Does your hardware have automated ... | | ENISA 6c | (continues on next page)
...tant is to prevent or monitor them. One or more solutions or relevant technologies may also be proposed for each of the identified threats. Regarding the solutions proposed, the tool will not delve into the details of the proposed solutions but will point to experts in the field and/or tools on the market that can be used to mitigate these threats. Solutions are linked to the solutions section in the CYSPA community portal since the 2nd release of this tool.

The community interaction will allow users to share information, including threats, solutions and recommendations, that will make the process of mitigating and preventing threats much easier. It will also be an important channel of information exchange, where users can share questions and experts within the Alliance can provide solutions and suggestions in order to make the tool more complete and accurate. Users will also be able to send feedback to improve the functionality of the tool. The community interaction of the CRISK tool will also allow users to comment on and better understand the results obtained in the analysis, and even to skip the risk identification process and find a solution to a specific threat.

This second release of the tool widened its usage to all members of the CYSPA Alliance through its community portal. This way a larger group of experts, rather than only a restricted project partner group, can work together against cyber attacks and share relevant information and knowl
(continued from previous page) ... | Impact | ENISA 4 Exploit kits | 80 | Access to core systems | [illegible] security controls | Non-mission-related systems (air conditioning etc.) | [illegible] costs | None
Consequences of BYOD induced failures | Impact | ENISA 4 Exploit kits | 40 | Loss of business | Access to core systems | None
Consequences of online POS fraud | Impact | ENISA 6b Theft | 70 | Loss of business | High insurance costs | None

4.3 eGovernment sector questions

Question Text (EN) | Impact / Likelihood | Associated threat | p | Answer 1 (Text, Value) | Answer 2 (Text, Value) | Answer 3 (Text, Value) | Answer 4 (Text, Value) | Answer 5 (Text, Value)
Does the organisation [illegible] systems with high availability requirements? | Impact | ENISA [illegible] Denial of service | 50 | None (0) | Few (1) | Some | Most of them (4) | All (5)
Does the organisation use DoS mitigation services? | Impact | ENISA 8 Denial of Service | 10 | No (5) | Redundant large throughput Internet links (3) | Redundant sites hosted in external infrastructures | Contracted different mitigation providers and services (1) |
Does the organisation have qualified staff and a process in place to react to DoS attacks? | Impact | ENISA 8 Denial of service | 40 | No (5) | Skilled staff (3) | Skilled staff with specific training on DoS mitigation | Skilled staff with policies and procedures to handle DoS attacks (1) | [illegible] capable of handling DoS attacks
Do you see the organisation as a desirable target for cyber hacktivism? What would ... | Likelihood | ENISA 8 | (continues on next page)
(continued from previous page) ...tomer databases | Likelihood | Identity theft/fraud | 90 | Yes (2) | No (4)
Are there multiple security layers in place? | Likelihood | Exploit kits | 50 | Yes (2) | No (4)
Consequences of fraudulent identity in new bank accounts | Impact | ENISA 7 Identity theft/fraud | 70 | Penal (5) | Bad reputation (4) | None (0) | Loss of business
Consequences of loss of customer data | Impact | ENISA 5 Botnets | 60 | Loss of business (4) | Bad reputation (4) | Penal (5) | None
Consequences of manipulated financial indicators or investment data | Impact | ENISA 12 Data Breaches | 70 | [illegible] (5) | Increased costs (4) | None (0)
Consequences of stolen credit card customer data | Impact | ENISA 4 Exploit kits | 90 | Loss of business (5) | Bad reputation (4) | Penal (5) | None
Consequences of social engineering attacks on call center agents | Impact | ENISA 14 Targeted attacks | 90 | Unauthorized access to customer data (5) | Stealing of customer funds (5) | High insurance costs (4) | None
Consequences of faulty or compromised 3rd party software in mission critical systems | Impact | ENISA 4 Exploit kits | 90 | Access to org and customer data (5) | Stealing of customer funds (5) | None (0)
Consequences of faulty or compromised teller machines | Impact | ENISA 4 Exploit kits | 80 | Stealing of [illegible] | High insurance costs | None
Consequences of phishing on bank customers | Impact | ENISA 14 Targeted attacks | 60 | Stealing of funds | Loss of reputation | None
Consequences of security failures in 3rd party systems in ... | Impact | ENISA 4 Exploit kits | | Access ... (continues on next page)
...ware developed by IBM enables customers to manage risk and compliance initiatives across the enterprise, helping businesses to reduce loss, improve decision making in regard to resource allocation and optimise business performance. The IBM OpenPages GRC Platform allows organisations to:
- Integrate risk management processes across the enterprise
- Manage risk and compliance across multiple regulations, including Basel II, Solvency II, SOX and SOX-like requirements, financial reporting, data privacy, industry regulations and more
- Leverage GRC information to make better business decisions
- Empower decision makers with fully scalable and interactive reporting and trending tools
For further information about this tool, please refer to:
- http://www-01.ibm.com/software/analytics/openpages/

RM Studio

RM Studio software is a solution combining risk management and business continuity management into one easy to use software application. You can use RM Studio to simplify operational risk management or to implement a strategic ISMS governed through a framework for implementing risk management procedures and outlining business continuity recovery planning. RM Studio is a turnkey application with time saving technology features built in and many customisation options that will meet the unique needs of an organisation. RM Studio is used by organisations of all types on a global scale to implement effective ERM strategies. Features
(continued from previous page) ...y downloads, that a possible drive-by attack would be blocked?
Are major assets behind a SSLv3 supported infrastructure? | Impact | ENISA 13 Information leakage | 30 | None | Few | Some | Most of them | All
Is sensitive or critical information using SSLv3/SSL as a method of transport from the network to the outside and from the outside to the inside of the organisation? | Impact | ENISA 13 Information leakage | 60 | None | Few | Some | Most of them | All
Is there any security guideline or best practice implemented referring to the best cipher suite to use in case of a SSLv3 dependence? | Impact | ENISA 13 Information leakage | 10 | None | Few | Some | Most of them | All
Is there any internal service or server using SSLv3? | Likelihood | ENISA 13 Information leakage | 10 | None | Few | Some | Most of them | All
In case of SSLv3 usage, is this restricted to the internal network or to internal and external? | Likelihood | ENISA 13 Information leakage | 10 | None | Few | Some | Most of them | All
Do you have a process in place to replace systems using weak cryptography such as SSLv3? | Likelihood | ENISA 13 Information leakage | 80 | Yes, already in place | Yes, in planning phase | Yes, ongoing | No
[illegible] audits with a focus on the security of personal data? | Impact | ENISA 12 Data Breaches | 50 | Yes | No
The encryption is ... | | ENISA 12d | | All personal data | Most persona... (continues on next page)