INFOSEC Technologies, LLC
Risk Management for Security Professionals


Executive Summary

Risk management is important to each of us simply because it is the best method available to determine the protection required for valuable assets at the most reasonable cost. This intense seminar will focus on two critical risk assessment areas: 1) information security and cyber security, and 2) critical assets and domestic intelligence / law enforcement. “Risk Management / Homeland Security” is presented in either a four-day continuous teaching block or two independent two-day blocks of instruction. Block 1 explores the theoretical, practical and best-practice aspects of risk assessment and management. Block 2 is a group-oriented independent practicum on defense of the Homeland, applying practical countermeasures to a serious simulated terrorist scenario.

Attendees will explore both technology and management issues related to managing the elements of holistic information security and risk assessment. Specific technologies and techniques used by terrorists, hackers, crackers, spies, and thieves to obtain access to sensitive, private information and domestic intelligence are discussed and explored. Expect several hands-on team exercises, lots of reading and little sleep during our four days of intense activity. Attendees will complete a theoretical and practical risk assessment / management scenario that applies risk assessment to a credible terrorist threat.

Modeling Risk Management

As organizations increase security measures and attempt to identify vulnerabilities in critical assets, many managers are looking for a mechanism to ensure an efficient investment of resources to counter physical, terrorist and cyber threats. One method is a risk management model that not only assesses assets, threats, vulnerabilities and countermeasures but also incorporates a continuous assessment feature. This allows organizations to tailor their management of risk to the current situation as well as assess future risks. The management of risk impacts the bottom line of every organization, either in monetary terms or in terms of operational readiness and capability. Security managers and decision-makers who operate in any sector of the national infrastructure must have a sound methodology to manage physical, terrorist and cyber risks to their organization.

INFOSEC

The proliferation of corporate databases and the development of telecommunication network technology as gateways or invitations to intrusion are examined. Ways of investigating the management of the risk and security of data and data systems are presented as a function of design through recovery and protection. Issues of risk and security, as they relate to specific industries and government, are major topics in the course. Examples are presented of how major technological advances in computer and operating systems have placed data, as tangible corporate assets, at risk. Quantitative sampling techniques for risk assessment and qualitative decision making under uncertainty are explored.

Seminar Outline

This seminar will span four days with two modules being taught each day. The seminar may be broken up into two blocks of instruction. The first block will concentrate on theoretical and practical risk assessment / management. The second block will focus on practical countermeasures for Homeland security. On day four, teams will engage in risk assessment and presentation of appropriate countermeasures to respond to an alert for a hypothetical level 3 terrorist scenario called “the Day After Thanksgiving.”

Module 1

Introduction to Risk Assessment and Management – What is it and how can we use it to make our lives, critical assets and information systems safer?

Risk management is both an art and a science. We first look at its purview.

  1. Introduction, administrative messages, and “daily bullets”
  2. The language of risk assessment: management, assessment, mitigation,
    threat levels, vulnerabilities, impact, countermeasures, probabilities, events,
    cost-effective responses and risk avoidance
  3. INFOSEC: confidentiality, integrity, availability, protect, detect, correct,
    access, authentication, cryptography, non-repudiation, extended terms
  4. Basic premises, the conventional risk management cycle (five phases), key
    personnel roles, system characterization
  5. The conventional risk management model and risk assessment equation

Module 2

Improving Conventional Wisdom: Security Needs Definition Matrix, Countermeasures, Systems Approach – 30 Elements and Life Cycle

Conventional strategies to reduce / manage risk de-emphasize INFOSEC and
its relationship to countermeasures. Module 2 incorporates threats and
vulnerabilities of computer systems into the risk model and emphasizes the effects
/ costs of the countermeasures chosen.

  1. A better risk management equation (Ryan model)
  2. The risk management process and dynamic model of risk
  3. Exploration of Information Security aspects and systems engineering
  4. Holistic view of the risk management / mitigation process in terms of
    policy, training and awareness, research and development, vulnerability analysis, security response teams, acquisition, systems operations, PDC, CIA and impact
  5. The 12-block framework for IT organization and security management

Module 3

Mitigating Risk / Threat of Terrorism and other Risks

The development of strategies to reduce the risk / threat of terrorism, or other
threats, involves a process in which the cost to mitigate is measured against
savings in risk reduction.

  1. Thinking sensibly about security in an uncertain world – Schneier model
  2. How systems fail
  3. Knowing the attacker
  4. Technology creates security imbalances
  5. Security and risk assessment is a weakest link problem
  6. Brittleness makes bad security and increases risk
  7. People!
  8. Detection works where prevention fails, but is useless without response
  9. Identification, authentication and authorization
  10. All countermeasures have value, but no one countermeasure is perfect

Module 4

Down in the mud: A walk-through of the risk management process and workflow

Theory and practice meet on the same road in this module. The Parker analysis
for enhanced CIA / PDC and the Roper model for risk management information
flow are presented.

The Parker Analysis: preserving confidentiality, utility, integrity, authenticity,
availability and possession to meet a standard of due care; avoid loss, reduce loss, eliminate loss

  1. The Roper Risk model +1 (Nichols): 5 steps
  2. Asset identification and loss impacts
  3. Threat identification and characterization (site specific)
  4. Vulnerability identification and assessment
  5. Assess risk and determine priorities for asset protection
  6. Perform cost-benefit analysis based on understanding the technology and countermeasures available

Module 5

Cryptography – the prime countermeasure?

Cryptography is a maturing science that has global-ranging applications in
business and government. Every commercial or government establishment
that either markets its products internationally or uses computer networks for
global communications and customer services must be concerned with
protecting its information assets from a variety of attacks.

  1. How cryptography works and lessons from classical cryptography
  2. Key management, key size, entropy and crypto-strength
  3. Modern cryptography: confidentiality, data integrity, authentication, non-repudiation, digital signatures and certificate authorities
  4. Cryptanalysis, traffic analysis, pattern analysis and brute force
  5. Biometric encryption and steganography – terrorist cryptograms
  6. Wireless security – encryption features and increased risk
  7. INFOSEC / INFOWAR = due diligence / terror measures; the risk is exponentially different
  8. “Trust me, it's encrypted” – fallacies of cryptography as a countermeasure

Module 6

Defending The Homeland: Domestic Intelligence, Law Enforcement and
Security

Risk assessment takes on special meanings and problems when reviewed in
the context of Homeland Security. Many critical issues are at stake,
such as civil liberties, domestic intelligence gathering, privacy rights, police
organization and structure, and the relationship between federal and local law
enforcement.

Module 6 will encompass more questions than answers for risk related issues:

  1. Terrorism, patriotism and dilemmas of law enforcement
  2. Intelligence gathering and civil liberties
  3. Bureaucracy and interpretations of risk
  4. Clausewitz, Sun Tzu and asymmetry
  5. Building intelligence systems based on risk identification
  6. Defensive infrastructure and risk management
  7. Terrorism and the future – CONPLAN (PDD 39 & PDD 62)
  8. How Al Qaeda sees risk
  9. Asymmetric warfare is more than crime, less than all-out war, and very different in the commitment / fervor and planning of the terrorist participants

Module 7/8

Practicum: “2005: The Day After Thanksgiving Scenario”

Teams will be assigned a serious simulated terrorist attack (cyber, physical, psychological, diversions, and other) against a soft target of significant symbolic interest. Teams will identify critical assets that can be protected, evaluate the technologies in place and the security needs definition matrix, and prepare / present the Risk Management / Assessment Policy for this scenario. The focus must include the full range of personnel, cryptographic and INFOSEC countermeasures, their implementation and their effectiveness for defense. A short after-action report will be prepared and evaluated by the class.


Instructor Biography

Randall K. Nichols is Chief Technical Officer of INFOSEC Technologies, LLC, a consulting firm specializing in Counter-Terrorism, Counter-Espionage and Information Security Countermeasures to support its 1500 commercial, educational and U.S. government clients. He is certified as a Federal Expert Witness in Cryptography and Computer Forensics.

Previously, Nichols served as CEO of COMSEC Solutions, a cryptographic / biometrics countermeasures company that was acquired by a public company in 2000. As part of the acquisition agreement, he served as Vice President of Cryptography and Director of Research. Nichols has also served as Technology Director of Cryptography and Biometrics for the International Computer Security Association (ICSA) and as President and Vice President of the American Cryptogram Association (ACA). Nichols is internationally respected, with 38 years of experience in a variety of leadership roles in cryptography and INFOSEC computer applications in the engineering, consulting, construction, communications, and chemicals industries. He is a previous Director of Invisimail, Ltd.

Professor Nichols teaches graduate-level courses in Cryptology, Data Protection, Intrusion Detection, Computer Forensics and Risk Assessment at the UMUC Graduate School, Information and Telecommunications Department, College Park, MD, and INFOSEC, Cryptography and Systems Applications Management and Policy, Counter-Terrorism, Risk Assessment, and Wireless Security for the School of Engineering Management and Applied Science (SEAS) at George Washington University in Washington, D.C.

Professor Nichols is currently writing his sixth title on information security for Springer: Counter-Terrorism in Practice: Soft Targets of Opportunity. His previous books include Wireless Security: Models, Threats and Solutions (with co-author Panos Lekkas), McGraw Hill, 2002, a definitive textbook on the security of wireless systems, and Defending Your Digital Assets: Against Hackers, Crackers, Spies and Thieves (with co-authors Daniel J. Ryan and Julie J.C.H. Ryan), McGraw Hill, 2000, a best-selling title on the subjects of cryptography and information security (INFOSEC) countermeasures. Nichols' earlier books, The ICSA Guide to Cryptography, McGraw Hill, 1998, and Classical Cryptography Course, Volumes I & II, Aegean Park Press, 1995 and 1996, have gained recognition and industry respect for Nichols.

Nichols holds BSChE and MSChE degrees from Tulane University and Texas A&M University, respectively, and an MBA from the University of Houston. He is currently completing a Doctorate of Science degree in Information Security (INFOSEC) at George Washington University, School of Engineering Management and Applied Science (SEAS), in Washington, D.C.

Professor Nichols holds a TS / SCI security clearance (USDOJ) with a current BI (3/02/2002) done by the FBI.

Required Textbooks

Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Thomson Course Technology, 2004. (ISBN: 0-619-21515-1)

Jonathan R. White, Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, Thomson-Wadsworth, 2004. (ISBN: 0-534-62169-4)

Optional Reading

Carl A. Roper, Risk Management for Security Professionals, Butterworth-Heinemann, 1999. [ISBN: 0-7506-7113-0] A foundation book on the subject.

Randall K. Nichols and Panos C. Lekkas, Wireless Security, McGraw-Hill Professional Books, January 2002. [ISBN: 0-07-138038-8] One of the most comprehensive references on the subject of wireless security design, by far, and includes sections on advanced risk management for wireless systems.

Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Copernicus Books, 2003. [ISBN: 0-387-02620-7] One of his best works!

Randall K. Nichols, Daniel J. Ryan, Julie J.C.H. Ryan, Defending Your Digital Assets Against Hackers, Crackers, Spies and Thieves, McGraw Hill, 2000. [ISBN: 0-07-212285-4] A terrific text with informative sections on Risk Assessment.

Handouts: Among the several handouts available in this seminar are CONPLAN, the Guide to Protecting Critical Assets, the Asset, Threat, Vulnerability, Contingency and Impact worksheets, and the Al Qaeda Handbook. PowerPoint slides will be available to the class; attendees should bring their portable computers, as they will be needed for presentation of group findings in the practicum module.


INFOSEC Technologies, LLC
Contact us at: Sales@INFOSEC-Technologies.com
(c) 2008 Infosec Technologies All Rights Reserved