Chapter 3: Evaluating Risk
Terms
Risk
How likely an event is to happen and how badly it will hurt when it does (likelihood and impact)
Disaster
An event that disrupts a critical business function
Business Interruption
Something that disrupts the normal flow of business operations.
Attributes of Risk
Risk
Predictability
Location
Impact
Advanced Warning
Time of Day
Scope
Day of Week
Likelihood
Risk Analysis
Process that identifies the probable threats to your business
Analysis used as basis for assessment later in the process
Assessment compares the risk analysis to the controls you already have in place
Begins with determining which functions are essential to the business
Scope
Determined by the potential damage and/or cost
Cost of downtime
Cost of lost opportunity
Five Layers of Risk
External Risk
Risk to local facility
Data systems
Individual department
Own workstation
External Risk
Natural Disaster
Fire
Hurricanes
Storms
Earthquake
Tornado
Civil Risk
Riots
Labor Disputes
Manufactured Risk
Industrial Sites
Transportation
Facility-wide Risk
Electricity
Telephones
Water
Climate Control
Data Network
Data Systems
Data Communication Network
Telecomm System
Data Systems
Shared computers and LANs
Viruses
Departmental Risk
Key Operating Equipment
Lack of Data Systems
Vital Records
Desk (workstation) risk
Determine Tools Used
Locked Down?
Severity of Risk
Time of Day
Day of Week
Location
Making the Assessment
Scoring
Sorting
Analyze the data
Summary
Determine cost of downtime
Identify risks at five layers
Determine impact of risk
Identify outside sources
Prioritize risks
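A worked example of the scoring and sorting steps above, added here as an illustration and not part of the course notes. The five layers follow the chapter; the individual risks, their 1-5 likelihood and impact ratings, outage hours and hourly costs, and the High/Medium/Low thresholds are all assumed figures.

```python
# Added example, not from the course notes: a small risk register that
# applies the chapter's "scoring, sorting, analyse" steps. Layers follow
# the chapter; the risks, ratings, cost figures and band thresholds are
# constructed for illustration.
from dataclasses import dataclass

LAYERS = ("External", "Facility", "Data systems", "Department", "Workstation")


@dataclass
class Risk:
    layer: str
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (critical)
    outage_hours: float    # expected downtime if the event happens
    hourly_cost: float     # cost of downtime, including lost opportunity

    def score(self) -> int:
        """Likelihood x impact: the 'how likely' and 'how badly' of the definition."""
        return self.likelihood * self.impact

    def exposure(self) -> float:
        """Expected downtime cost of one occurrence."""
        return self.outage_hours * self.hourly_cost


def rating(score: int) -> str:
    """Map a 1..25 score onto a three-band matrix (thresholds are an assumption)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Sort highest score first; ties are broken by exposure so cost is not ignored."""
    for r in risks:
        if r.layer not in LAYERS:
            raise ValueError(f"unknown layer {r.layer!r}")
    return sorted(risks, key=lambda r: (r.score(), r.exposure()), reverse=True)


def top_per_layer(risks):
    """The single worst risk at each layer, for the 'identify risks at five layers' step."""
    best = {}
    for r in prioritize(risks):
        best.setdefault(r.layer, r)
    return best


# Constructed register: one risk per layer.
REGISTER = [
    Risk("External", "Hurricane", 2, 5, 72, 5000),
    Risk("Facility", "Power failure", 4, 3, 6, 5000),
    Risk("Data systems", "Virus outbreak on LAN", 4, 4, 12, 4000),
    Risk("Department", "Loss of vital records", 2, 4, 48, 800),
    Risk("Workstation", "Unlocked desk / stolen laptop", 5, 1, 4, 100),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{rating(r.score()):6} {r.score():2} ${r.exposure():>9,.0f}  {r.layer}: {r.name}")
```

Sorting on likelihood x impact alone puts the hurricane third even though its expected downtime cost is by far the largest; the "analyze the data" step is where those two columns are read together, which is why the register carries the cost of downtime alongside the score.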
Q. Perform a search on the Web for articles and stories about social engineering attacks or reverse social engineering attacks. Find an attack that was successful and describe how it could have been prevented.
Social engineering, in the context of cyber-attacks and security systems, refers to the psychological manipulation of people into performing actions or disclosing confidential information. It relies on human interaction: people are manipulated into breaking security procedures and company rules so that the attacker can breach networks and computer systems or obtain financial records they are not entitled to.
The social engineering attack I found, discussed here in detail, targeted the large United States retailer Target Corporation, described as the 8th largest retailer in North America. The incident involved Target's point-of-sale systems in 2013, and it allowed the attackers to obtain data for roughly 40 million customer credit and debit cards, so it was very large.
The incident happened because Target had given its air conditioning vendor, Fazio Mechanical Services, remote access to its network, and that network was not isolated from the payment systems (which should have been kept separate from every other network). The attackers sent phishing email to the vendor that installed the Citadel Trojan on a vendor machine and, through it, harvested credentials for Target's network. They then installed malware on Target's point-of-sale systems, which extracted customer payment information from the infected machines.
So Target Corporation was compromised by cyber attackers using one of the most common attack methods: phishing. Phishing is a technique for fraudulently obtaining private information from a user by sending a fraudulent email or text that appears to be a genuine message from a bank, a credit card company or another service provider. The message carries a link to an attacker-controlled site that collects whatever the user enters, and the attacker then uses that information to gain access to the victim's accounts and cause financial or security harm.
The phishing attack on Target Corporation might have been prevented if:
1. Target had kept its payment network isolated and protected remote access with an additional authentication factor such as hardware tokens.
2. Target had maintained its own cyber-security team to monitor for and respond to breaches. Extracting such a large volume of data takes time, so the attackers had a long window in which to retrieve it, which is only possible when the systems are not being watched for unusual activity.
3. The vendor had secured all of its employees' access to its customers' systems.
4. Target had applied more scrutiny before awarding contracts to third-party vendors.
5. Access had been granted only for what was needed: a vendor supporting the air conditioning has absolutely no need to reach payment systems.
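Points 1, 2 and 5 above are, in practice, a network policy and a check that the policy holds. The following is an added example, not part of the original answer: a least-privilege allow list between network zones and an audit of a connection log against it. The zone address ranges, the allow list, the log lines and the account names are all constructed; they do not describe Target's real network.

```python
# Added example, not from the original answer: auditing third-party access
# against a least-privilege network policy. Zones, addresses, the allow
# list and the connection log are constructed to mirror the case: an HVAC
# vendor's remote access should reach the HVAC controllers and nothing else.
import ipaddress

# Constructed zones (hypothetical address plan).
ZONES = {
    "vendor_vpn": ipaddress.ip_network("10.50.0.0/24"),
    "hvac": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "cardholder": ipaddress.ip_network("10.100.0.0/16"),  # POS / payment systems
}

# Allow list of (source zone, destination zone, TCP port). Anything not listed is denied.
ALLOWED = {
    ("vendor_vpn", "hvac", 443),
    ("corp", "hvac", 443),
    ("corp", "corp", 445),
}

# Constructed connection log: "timestamp src dst port user".
CONN_LOG = """\
2013-11-15T09:01:00Z 10.50.0.12 10.20.0.5 443 hvac_vendor
2013-11-15T09:03:00Z 10.50.0.12 10.100.3.20 445 hvac_vendor
2013-11-15T09:04:00Z 10.10.4.7 10.10.9.9 445 jdoe
2013-11-15T09:06:00Z 10.50.0.12 10.100.3.21 3389 hvac_vendor
2013-11-15T09:08:00Z 10.10.4.7 10.20.0.5 443 jdoe
"""


def zone_of(ip: str) -> str:
    """Name of the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if its zone pair and port are listed."""
    return (zone_of(src), zone_of(dst), port) in ALLOWED


def audit(log: str) -> list:
    """Return (timestamp, user, src zone, dst zone, port) for every flow the policy forbids."""
    violations = []
    for line in log.splitlines():
        ts, src, dst, port, user = line.split()
        if not is_allowed(src, dst, int(port)):
            violations.append((ts, user, zone_of(src), zone_of(dst), int(port)))
    return violations


def accounts_touching(log: str, zone: str) -> set:
    """Accounts that reached a zone at all; a vendor account here is the alarm signal."""
    return {line.split()[4] for line in log.splitlines() if zone_of(line.split()[2]) == zone}


if __name__ == "__main__":
    for v in audit(CONN_LOG):
        print("VIOLATION", *v)
    print("accounts seen in cardholder zone:", accounts_touching(CONN_LOG, "cardholder"))
```

The allow list names the only thing the vendor needs (HTTPS to the HVAC controllers), so any connection from the vendor range into the cardholder zone is a violation regardless of whether the credentials used were valid; the same check run continuously over real connection logs is the watching for unusual activity that the second point asks for.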
References:
I. Ghafir, V. Prenosil, A. Alhejailan and M. Hammoudeh, "Social Engineering Attack Strategies and Defence Approaches," 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), Vienna, 2016, pp. 145-149. doi: 10.1109/FiCloud.2016.28
I. Mann, Hacking the Human: Social Engineering Techniques and Security Countermeasures. Gower Publishing Ltd, 2008. ISBN 0-566-08773-1
Introduction
Access Control Problem Statement
Purpose Statement
Scope Statement
Impact Assessment
Budget / Financial Assessment
High-Level Functional Requirements
Business Benefits (Tangible and Intangible)
Special Issues or Constraints
Summary
Conclusion
References
Chapter 4: Selecting a Strategy
Recovery strategy
Main purpose is to restore vital business functions
Restore to minimum acceptable level of service
Selecting a strategy
Trade off between time and money
Maximum acceptable recovery time = recovery time objective (RTO)
Craft a strategy for each significant area
Recovery Point Objective (RPO)
Amount of data that may be lost, measured as the time between the last usable backup and the disaster
Time
Distance
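A worked check of RTO and RPO, added as an illustration rather than taken from the notes. The backup log, the incident time, the runbook step durations and the 8-hour RPO and 12-hour RTO targets are all constructed.

```python
# Added example, not from the course notes: checking a recovery strategy
# against an RTO and an RPO. The backup log, incident time, runbook step
# durations and targets are constructed for illustration.
from datetime import datetime, timedelta

# Constructed backup job log: ISO timestamp, job type, result.
BACKUP_LOG = """\
2024-03-10T00:00:00Z full OK
2024-03-10T06:00:00Z incr OK
2024-03-10T12:00:00Z incr FAILED
2024-03-10T18:00:00Z incr OK
"""

# Constructed recovery runbook: step -> estimated duration in hours.
RECOVERY_STEPS = {
    "declare disaster, notify team": 0.5,
    "provision servers at second site": 4.0,
    "restore data from offsite backup": 3.0,
    "validate application, redirect users": 1.0,
}


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def last_good_backup(log: str, incident: datetime) -> datetime:
    """Most recent backup that completed OK before the incident.

    A FAILED job is skipped: an unnoticed failed backup is the usual way an
    RPO that looks fine on the schedule is missed in practice.
    """
    candidates = []
    for line in log.splitlines():
        ts, _kind, result = line.split()
        when = parse_ts(ts)
        if result == "OK" and when <= incident:
            candidates.append(when)
    if not candidates:
        raise ValueError("no usable backup before the incident")
    return max(candidates)


def data_loss_window(log: str, incident: datetime) -> timedelta:
    """Actual recovery point: work done since the last restorable copy is lost."""
    return incident - last_good_backup(log, incident)


def recovery_time(steps: dict) -> timedelta:
    """Actual recovery time if every runbook step runs in sequence."""
    return timedelta(hours=sum(steps.values()))


def evaluate(log: str, steps: dict, incident_ts: str, rpo_hours: float, rto_hours: float) -> dict:
    """Compare the achieved recovery point and recovery time with the targets."""
    incident = parse_ts(incident_ts)
    loss = data_loss_window(log, incident)
    rec = recovery_time(steps)
    return {
        "data_loss_hours": loss.total_seconds() / 3600,
        "rpo_met": loss <= timedelta(hours=rpo_hours),
        "recovery_hours": rec.total_seconds() / 3600,
        "rto_met": rec <= timedelta(hours=rto_hours),
    }


if __name__ == "__main__":
    print(evaluate(BACKUP_LOG, RECOVERY_STEPS, "2024-03-10T14:30:00Z", rpo_hours=8, rto_hours=12))
```

The failed noon backup is the point of the example: with six-hourly backups the RPO looks like six hours on paper, but the last copy that can actually be restored is the 06:00 one, so 8.5 hours of data would be lost and the 8-hour RPO is missed even though the 12-hour RTO is comfortably met. Backup job monitoring is therefore part of the RPO, not an afterthought.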
Recovery options
Recover in a different company site
Subscribe to a recovery site
Wait until the disaster occurs, then locate empty space
IT recovery strategy
Environmental conditions
Infrastructure
Applications
Data
Recommended IT recovery strategy
Second company site
Second site facility set-up
Offsite data backup
Work area recovery strategy
New location far enough away that the same event does not affect it
Alternate communications for legacy systems
Pre-printed forms for legal or business reasons
Pandemic strategy
Plan to continue operation at a level that permits the company to remain in business
Plan will be in operation for 18-24 months
Business continuity strategy
Customers never notice interruption in service
List critical processes identified in BIA
Draft a process map
Identification of steps to eliminate
Draft a risk assessment
Draft end-to-end recovery plan
Summary
Selecting a strategy is an important step
Look at how quick one can recover
Determine amount of data a company can afford to lose
How much security the company can afford