Drupal Hosting Risk Management Avalanches
Daniel Kanchev, SiteGround.com
@dvkanchev
Risk Management Getting Started
Basic Terminology
Risk?
Risk = Threat + Vulnerability
Storytime
What Is The Single Most Important Thing Related to Risk Management?
COMPANY MANAGEMENT VISION
S3 Losses
• S&P 500 - $150 Million
• U.S. financial companies - $160 million
Risk Categorisation
• Internal Risks
• External Risks
Internal Company Conversations
• C-Level
• Team Leaders
• People from every department
Risk Management Getting Started
Recap
• Basic Terminology and Tools
• Management Vision Statement
• Internal Conversations
• Risk Categorisation
Risk Evaluation
[Chart: Percentage of Fatalities, 1993-present, across the avalanche danger levels Basic, Experts Only, Don’t Go and Too Scary to Go Out; the level with Most Fatalities is highlighted]
Obvious Risks
Low Impact Risks
Underestimated Risks
Avalanche Factors
IT Risk Management Factors
• Importance of assets
• Impact
• Risk mitigation costs
• Human factor
• History of attacks
Risk Assessment Procedure
STEP 1: Assets Valuation
1. Quantitative Analysis
2. Qualitative Analysis
STEP 2: Impact Analysis

Timing/Duration          Operations Impact                                           Financial Impact
Christmas, < 15 minutes  Checkout Down (Lost Sales)                                  $10000 per hour
> 2 hours                CRM Down (Increased Expenses - Overtime Labor)              $2000 per hour
< 15 minutes             Website Hacked (Customer Data Exposed - Regulatory Fines)   $500000 fine
STEP 3: Likelihood Determination
Avalanches
• Weather Forecast
• Skills of The Group
• Past Events
IT Risk
• Threat-Source Motivation
• Threat Capacity
• Nature of Vulnerability
• Current Controls
Example Time
• Latest Drupal 8 website
• Custom Module + third-party library
• Library got vulnerable
• Module still uses an old library version
System Design (decision flow)
1. Vulnerable? No → stop. Yes → 2.
2. Exploitable? No → stop. Yes → 3.
3. Threat Source: Attacker’s Cost < Gain? No → stop. Yes → Risk Exists → 4.
4. Loss Anticipated > Threshold? No → stop. Yes → Unacceptable Risk
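The STEP 2 impact table, the STEP 3 likelihood factors and the System Design decision flow can be walked as one small procedure. The following is an added example written for this page, not code from the slides or from SiteGround: the dollar figures are the ones in the STEP 2 table, while the 1..3 factor ratings, the LOSS_THRESHOLD, the scenario names and the attacker cost/gain numbers are constructed assumptions.

```python
"""Risk evaluation walk-through of the STEP 2 / STEP 3 / System Design slides.

Added example, not part of the original deck. Impact figures come from the
STEP 2 table; the 1..3 factor ratings, the loss threshold and the scenario
attacker cost/gain numbers are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed per-incident loss the business is willing to tolerate (constructed).
LOSS_THRESHOLD = 5_000.0


@dataclass
class ImpactRow:
    """One row of the STEP 2 impact table."""
    operation: str
    hourly_loss: float = 0.0   # Financial Impact per hour of outage
    one_off_loss: float = 0.0  # Financial Impact paid once (e.g. a fine)


# STEP 2: Impact Analysis, figures as given on the slide.
IMPACT_TABLE = {
    "checkout": ImpactRow("Checkout Down (Lost Sales)", hourly_loss=10_000),
    "crm": ImpactRow("CRM Down (Increased Expenses - Overtime Labor)", hourly_loss=2_000),
    "hacked": ImpactRow("Website Hacked (Customer Data Exposed - Regulatory Fines)",
                        one_off_loss=500_000),
}


@dataclass
class Scenario:
    name: str
    impact: str            # key into IMPACT_TABLE
    duration_hours: float  # Timing/Duration column
    vulnerable: bool       # System Design: Vulnerable?
    exploitable: bool      # System Design: Exploitable?
    attacker_cost: float   # Threat Source: Attacker's Cost (constructed)
    attacker_gain: float   # Threat Source: Gain (constructed)
    factors: dict          # STEP 3 factors rated 1 (low) .. 3 (high)


def anticipated_loss(impact_key: str, hours: float) -> float:
    """Loss Anticipated = hourly loss x duration + any one-off cost."""
    row = IMPACT_TABLE[impact_key]
    return row.hourly_loss * hours + row.one_off_loss


def likelihood(factors: dict) -> float:
    """STEP 3: motivation, capacity and nature of vulnerability raise the
    likelihood; current controls lower it. Scaled to 0.0 .. 1.0."""
    raw = (factors["motivation"] + factors["capacity"]
           + factors["vulnerability"] - factors["controls"])
    return raw / 8  # raw spans 0 (1+1+1-3) .. 8 (3+3+3-1)


def evaluate(s: Scenario) -> dict:
    """Walk the System Design decision flow from the slide."""
    loss = anticipated_loss(s.impact, s.duration_hours)
    result = {"name": s.name, "loss": loss, "likelihood": likelihood(s.factors)}
    if not s.vulnerable:
        result["verdict"] = "no risk: not vulnerable"
    elif not s.exploitable:
        result["verdict"] = "no risk: not exploitable"
    elif not s.attacker_cost < s.attacker_gain:
        result["verdict"] = "no risk: attacker's cost >= gain, no threat source"
    elif loss > LOSS_THRESHOLD:
        result["verdict"] = "unacceptable risk"   # risk exists, loss above threshold
    else:
        result["verdict"] = "acceptable risk"     # risk exists, loss within threshold
    return result


# Constructed scenarios. "old-library" models the Example Time slide: a custom
# module still pinned to a third-party library version that became vulnerable;
# "patched-library" is the same site after the library was updated.
SCENARIOS = [
    Scenario("christmas-checkout", "checkout", 2.0, True, True, 1_000, 20_000,
             {"motivation": 3, "capacity": 2, "vulnerability": 2, "controls": 2}),
    Scenario("crm-outage", "crm", 2.0, True, True, 1_000, 4_000,
             {"motivation": 1, "capacity": 2, "vulnerability": 2, "controls": 2}),
    Scenario("old-library", "hacked", 0.25, True, True, 500, 50_000,
             {"motivation": 3, "capacity": 3, "vulnerability": 3, "controls": 1}),
    Scenario("patched-library", "hacked", 0.25, True, False, 500, 50_000,
             {"motivation": 3, "capacity": 3, "vulnerability": 1, "controls": 3}),
]


def run_assessment(scenarios=SCENARIOS) -> dict:
    """Return {scenario name: verdict} for a whole list of scenarios."""
    return {r["name"]: r["verdict"] for r in map(evaluate, scenarios)}


if __name__ == "__main__":
    for r in map(evaluate, SCENARIOS):
        print(f'{r["name"]:20} loss=${r["loss"]:>10,.0f} '
              f'likelihood={r["likelihood"]:.2f} -> {r["verdict"]}')
```

The likelihood score is reported alongside the verdict rather than folded into it, because the slide's flow gates on the anticipated loss only; with the figures from the table, a two-hour CRM outage stays under the assumed threshold while a two-hour Christmas checkout outage and the regulatory fine from a hacked site do not.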
Risk Evaluation Recap
• Know the Risk Levels
• Don’t Underestimate Risks
• Consider All Factors
• Determine Likelihood and Impact
Risk Avoidance / Incidents Handling
Storytime
Risk Avoidance
• Get the Basics
• Get the Gear
• Get the Training
• Record Training Sessions
• Use Recordings When Hiring People
Incidents Handling
• Organise Workshops
• Simulate Risks
• Write Incident Postmortems
• Analyse Your Actions
War Room Tests
• Form Two Teams - Offense vs Defense
• Set up and use a QA/Test Environment
• Offense Team Tries to Break Things
• Defense Team Tries to Keep Things Up
Risk Avoidance / Incidents Handling Recap
• Keep Everyone Informed
• Perform Regular Training
• Simulate Incidents
• Write Incident Reports
• Design For Failure
QUESTIONS?