Submit Search
Upload
Chapter 15 Risk Mitigation
•
Download as PPTX, PDF
•
4 likes
•
1,476 views
Dr. Ahmed Al Zaidy
Follow
CompTIA Security+ Guide to Network Security Fundamentals, Sixth Edition
Read less
Read more
Education
Slideshow view
Report
Share
Slideshow view
Report
Share
1 of 49
Download now
Recommended
Chapter 3 Basic Cryptography
Chapter 3 Basic Cryptography
Dr. Ahmed Al Zaidy
Chapter 14 Business Continuity
Chapter 14 Business Continuity
Dr. Ahmed Al Zaidy
Chapter 1 Introduction to Security
Chapter 1 Introduction to Security
Dr. Ahmed Al Zaidy
Chapter 9 Client and application Security
Chapter 9 Client and application Security
Dr. Ahmed Al Zaidy
Chapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and Technology
Dr. Ahmed Al Zaidy
Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account Management
Dr. Ahmed Al Zaidy
Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security
Dr. Ahmed Al Zaidy
Chapter 5 Networking and Server Attacks
Chapter 5 Networking and Server Attacks
Dr. Ahmed Al Zaidy
Recommended
Chapter 3 Basic Cryptography
Chapter 3 Basic Cryptography
Dr. Ahmed Al Zaidy
Chapter 14 Business Continuity
Chapter 14 Business Continuity
Dr. Ahmed Al Zaidy
Chapter 1 Introduction to Security
Chapter 1 Introduction to Security
Dr. Ahmed Al Zaidy
Chapter 9 Client and application Security
Chapter 9 Client and application Security
Dr. Ahmed Al Zaidy
Chapter 6Network Security Devices, Design, and Technology
Chapter 6Network Security Devices, Design, and Technology
Dr. Ahmed Al Zaidy
Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account Management
Dr. Ahmed Al Zaidy
Chapter 10 Mobile and Embedded Device Security
Chapter 10 Mobile and Embedded Device Security
Dr. Ahmed Al Zaidy
Chapter 5 Networking and Server Attacks
Chapter 5 Networking and Server Attacks
Dr. Ahmed Al Zaidy
Whitman_Ch04.pptx
Whitman_Ch04.pptx
Siphamandla9
Chapter 7 Presentation
Chapter 7 Presentation
Amy McMullin
Chapter 1 Presentation
Chapter 1 Presentation
Amy McMullin
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering Attacks
Dr. Ahmed Al Zaidy
Whitman_Ch02.pptx
Whitman_Ch02.pptx
Siphamandla9
Chapter 2 Presentation
Chapter 2 Presentation
Amy McMullin
Chapter 4
Chapter 4
Amy McMullin
Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network
Dr. Ahmed Al Zaidy
Cyber Resilience
Cyber Resilience
Ian-Edward Stafrace
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
Chapter 12 Access Management
Chapter 12 Access Management
Dr. Ahmed Al Zaidy
Security policy
Security policy
Dhani Ahmad
Chapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K I
Dr. Ahmed Al Zaidy
Attack modeling vs threat modelling
Attack modeling vs threat modelling
Invisibits
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
What is cyber resilience?
What is cyber resilience?
Aaron Clark-Ginsberg
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
Cyber Security 101
Cyber Security 101
Cloudflare
Best Practices for Password Creation
Best Practices for Password Creation
nFront Security
Chapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data Security
Dr. Ahmed Al Zaidy
Whitman_Ch12.pptx
Whitman_Ch12.pptx
Siphamandla9
More Related Content
What's hot
Whitman_Ch04.pptx
Whitman_Ch04.pptx
Siphamandla9
Chapter 7 Presentation
Chapter 7 Presentation
Amy McMullin
Chapter 1 Presentation
Chapter 1 Presentation
Amy McMullin
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering Attacks
Dr. Ahmed Al Zaidy
Whitman_Ch02.pptx
Whitman_Ch02.pptx
Siphamandla9
Chapter 2 Presentation
Chapter 2 Presentation
Amy McMullin
Chapter 4
Chapter 4
Amy McMullin
Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network
Dr. Ahmed Al Zaidy
Cyber Resilience
Cyber Resilience
Ian-Edward Stafrace
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
Chapter 12 Access Management
Chapter 12 Access Management
Dr. Ahmed Al Zaidy
Security policy
Security policy
Dhani Ahmad
Chapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K I
Dr. Ahmed Al Zaidy
Attack modeling vs threat modelling
Attack modeling vs threat modelling
Invisibits
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
What is cyber resilience?
What is cyber resilience?
Aaron Clark-Ginsberg
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
Cyber Security 101
Cyber Security 101
Cloudflare
Best Practices for Password Creation
Best Practices for Password Creation
nFront Security
What's hot
(20)
Whitman_Ch04.pptx
Whitman_Ch04.pptx
Chapter 7 Presentation
Chapter 7 Presentation
Chapter 1 Presentation
Chapter 1 Presentation
Chapter 2 Malware and Social Engineering Attacks
Chapter 2 Malware and Social Engineering Attacks
Whitman_Ch02.pptx
Whitman_Ch02.pptx
Chapter 2 Presentation
Chapter 2 Presentation
Chapter 4
Chapter 4
Chapter 7 Administering a Secure Network
Chapter 7 Administering a Secure Network
Cyber Resilience
Cyber Resilience
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Chapter 12 Access Management
Chapter 12 Access Management
Security policy
Security policy
Chapter 4 Advanced Cryptography and P K I
Chapter 4 Advanced Cryptography and P K I
Attack modeling vs threat modelling
Attack modeling vs threat modelling
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
What is cyber resilience?
What is cyber resilience?
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Cyber Security 101
Cyber Security 101
Best Practices for Password Creation
Best Practices for Password Creation
Similar to Chapter 15 Risk Mitigation
Chapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data Security
Dr. Ahmed Al Zaidy
Whitman_Ch12.pptx
Whitman_Ch12.pptx
Siphamandla9
Whitman_Ch05.pptx
Whitman_Ch05.pptx
Siphamandla9
Whitman_Ch06.pptx
Whitman_Ch06.pptx
Siphamandla9
Whitman_Ch11.pptx
Whitman_Ch11.pptx
Siphamandla9
Whitman_Ch10.pptx
Whitman_Ch10.pptx
Siphamandla9
Risk Management
Risk Management
vivekaathuri
ITT450 Chapter 1.pptx
ITT450 Chapter 1.pptx
AliffDarfriz
Module 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptx
tahreerbassam2014
Python Fundamentals
Python Fundamentals
pullaravikumar
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
tmbainjr131
The External Environment Opportunities, Threats, Industry Competition and Com...
The External Environment Opportunities, Threats, Industry Competition and Com...
AndyCNiu
chapter-02.pptx
chapter-02.pptx
YantiAndriyani3
Lecture 5.pptx
Lecture 5.pptx
DuncanWachira3
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
Software Testing Fundamentals_withlogo.pdf
Software Testing Fundamentals_withlogo.pdf
usmanriaz84
Digital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptx
khalifaAlMarzooqi3
Lecture 8- information technology slides
Lecture 8- information technology slides
Aiman Niazi
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement
William McBorrough
What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
Similar to Chapter 15 Risk Mitigation
(20)
Chapter 13 Vulnerability Assessment and Data Security
Chapter 13 Vulnerability Assessment and Data Security
Whitman_Ch12.pptx
Whitman_Ch12.pptx
Whitman_Ch05.pptx
Whitman_Ch05.pptx
Whitman_Ch06.pptx
Whitman_Ch06.pptx
Whitman_Ch11.pptx
Whitman_Ch11.pptx
Whitman_Ch10.pptx
Whitman_Ch10.pptx
Risk Management
Risk Management
ITT450 Chapter 1.pptx
ITT450 Chapter 1.pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptx
Module 2 Threat Management and Cybersecurity Resources (1).pptx
Python Fundamentals
Python Fundamentals
Implementing AppSec Policies with TeamMentor
Implementing AppSec Policies with TeamMentor
The External Environment Opportunities, Threats, Industry Competition and Com...
The External Environment Opportunities, Threats, Industry Competition and Com...
chapter-02.pptx
chapter-02.pptx
Lecture 5.pptx
Lecture 5.pptx
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
Software Testing Fundamentals_withlogo.pdf
Software Testing Fundamentals_withlogo.pdf
Digital Forensics_Lecture.pptx
Digital Forensics_Lecture.pptx
Lecture 8- information technology slides
Lecture 8- information technology slides
MCGlobalTech Cyber Capability Statement
MCGlobalTech Cyber Capability Statement
What is security testing and why it is so important?
What is security testing and why it is so important?
More from Dr. Ahmed Al Zaidy
Chapter 14 Exploring Object-based Programming
Chapter 14 Exploring Object-based Programming
Dr. Ahmed Al Zaidy
Chapter 13 Programming for web forms
Chapter 13 Programming for web forms
Dr. Ahmed Al Zaidy
Chapter 12 Working with Document nodes and style sheets
Chapter 12 Working with Document nodes and style sheets
Dr. Ahmed Al Zaidy
Chapter 11 Working with Events and Styles
Chapter 11 Working with Events and Styles
Dr. Ahmed Al Zaidy
Chapter 10 Exploring arrays, loops, and conditional statements
Chapter 10 Exploring arrays, loops, and conditional statements
Dr. Ahmed Al Zaidy
Chapter 9 Getting Started with JavaScript
Chapter 9 Getting Started with JavaScript
Dr. Ahmed Al Zaidy
Chapter 8 Enhancing a website with multimedia
Chapter 8 Enhancing a website with multimedia
Dr. Ahmed Al Zaidy
Chapter 7 Designing a web form
Chapter 7 Designing a web form
Dr. Ahmed Al Zaidy
Chapter 6 Working with Tables and Columns
Chapter 6 Working with Tables and Columns
Dr. Ahmed Al Zaidy
Chapter 5 Designing for the mobile web
Chapter 5 Designing for the mobile web
Dr. Ahmed Al Zaidy
Chapter 4 Graphic Design with CSS
Chapter 4 Graphic Design with CSS
Dr. Ahmed Al Zaidy
Chapter 3 Designing a Page Layout
Chapter 3 Designing a Page Layout
Dr. Ahmed Al Zaidy
Chapter 2 Getting Started with CSS
Chapter 2 Getting Started with CSS
Dr. Ahmed Al Zaidy
Chapter 1 Getting Started with HTML5
Chapter 1 Getting Started with HTML5
Dr. Ahmed Al Zaidy
Integer overflows
Integer overflows
Dr. Ahmed Al Zaidy
testing throughout-the-software-life-cycle-section-2
testing throughout-the-software-life-cycle-section-2
Dr. Ahmed Al Zaidy
Fundamental of testing
Fundamental of testing
Dr. Ahmed Al Zaidy
Chapter 8 Wireless Network Security
Chapter 8 Wireless Network Security
Dr. Ahmed Al Zaidy
More from Dr. Ahmed Al Zaidy
(18)
Chapter 14 Exploring Object-based Programming
Chapter 14 Exploring Object-based Programming
Chapter 13 Programming for web forms
Chapter 13 Programming for web forms
Chapter 12 Working with Document nodes and style sheets
Chapter 12 Working with Document nodes and style sheets
Chapter 11 Working with Events and Styles
Chapter 11 Working with Events and Styles
Chapter 10 Exploring arrays, loops, and conditional statements
Chapter 10 Exploring arrays, loops, and conditional statements
Chapter 9 Getting Started with JavaScript
Chapter 9 Getting Started with JavaScript
Chapter 8 Enhancing a website with multimedia
Chapter 8 Enhancing a website with multimedia
Chapter 7 Designing a web form
Chapter 7 Designing a web form
Chapter 6 Working with Tables and Columns
Chapter 6 Working with Tables and Columns
Chapter 5 Designing for the mobile web
Chapter 5 Designing for the mobile web
Chapter 4 Graphic Design with CSS
Chapter 4 Graphic Design with CSS
Chapter 3 Designing a Page Layout
Chapter 3 Designing a Page Layout
Chapter 2 Getting Started with CSS
Chapter 2 Getting Started with CSS
Chapter 1 Getting Started with HTML5
Chapter 1 Getting Started with HTML5
Integer overflows
Integer overflows
testing throughout-the-software-life-cycle-section-2
testing throughout-the-software-life-cycle-section-2
Fundamental of testing
Fundamental of testing
Chapter 8 Wireless Network Security
Chapter 8 Wireless Network Security
Recently uploaded
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
ssuser54595a
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
mkooblal
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
CapitolTechU
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
JhezDiaz1
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
Celine George
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
Sabitha Banu
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
JonathanParaisoCruz
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
jaredbarbolino94
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
AvyJaneVismanos
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
OH TEIK BIN
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
NirmalaLoungPoorunde1
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
Marc Dusseiller Dusjagr
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
pboyjonauth
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
UnboundStockton
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
arsicmarija21
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
UjwalaBharambe
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
Sayali Powar
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
Dr.Ibrahim Hassaan
Recently uploaded
(20)
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
AmericanHighSchoolsprezentacijaoskolama.
AmericanHighSchoolsprezentacijaoskolama.
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
Chapter 15 Risk Mitigation
1.
1 CompTIA Security+ Guide
to Network Security Fundamentals, Sixth Edition Chapter 15 Risk Mitigation © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
2.
Objectives 15.1 Explain how
to manage risk 15.2 Describe strategies for reducing risk 15.3 List practices for mitigating risk 15.4 Describe common security issues © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password- protected website for classroom use.
3.
3 Managing Risk • Risk •
A situation that involves exposure to some type of danger • Managing risk • To create a level of protection that mitigates the vulnerabilities to the threats and reduces the potential consequences • Involves: -Knowing what threats are being faced -Assessing those risks © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
4.
4 Threat Assessment (1
of 3) • Threat assessment • A formal process of examining the seriousness of a potential threat as well as the likelihood that it will be carried out • Three categories of threats: • Environmental • Manmade • Internal vs. external © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
5.
5 Threat Assessment (2
of 3) Threat category Description Example Strategic Action that affects the long-term goals of the organization Theft of intellectual property, not pursuing a new opportunity, loss of a major account, competitor entering the market Compliance Following (or not following) a regulation or standard Breach of contract, not responding to the introduction of new laws Financial Impact of financial decisions or market factors Increase in interest rates, global financial crisis Operational Events that impact the daily business of the organization Fire, hazardous chemical spill, power blackout Technical Events that affect information technology systems Denial of service attack, SQL injection attack, virus Managerial Actions related to the management of the organization Long-term illness of company president, key employee resigning © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
6.
6 Threat Assessment (3
of 3) • A threat assessment should be used to determine the asset value • Relative worth of an asset that is at risk • Supply chain assessment • Supply chain – a network that moves a product from the supplier to the customer • Should be viewed as assets to the enterprise and their threats should be cataloged • Assessing threats is not always a straightforward exercise © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
7.
7 Risk Assessment • Risk
assessment involves: • Testing • Change management • Privilege management • Incident management • Risk calculations • Representing risk information © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
8.
8 Testing (1 of
2) • Technology assets should be tested to identify any vulnerabilities • Involves an automated software vulnerability scan through a system • Intrusive vulnerability scan • Attempts to actually penetrate the system to perform a simulated attack • Non-intrusive vulnerability scan • Uses only available information to hypothesize the status of the vulnerability • Penetration test (pentest) • Designed to exploit any weaknesses in systems that are vulnerable • Penetration testing authorization should be obtained © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
9.
9 Testing (2 of
2) • Reasons authorization should be obtained: • Legal authorization • Indemnification • Limit retaliation © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
10.
10 Change Management (1
of 2) • Change management • Methodology for making modifications and keeping track of changes • Ensures proper documentation of changes so future changes have less chance of creating a vulnerability • Involves all types of changes to information systems • Two major types of changes that need proper documentation • Changes to system architecture • Changes to file or document classification © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
11.
11 Change Management (2
of 2) • Change management team (CMT) • Body responsible for overseeing the changes • Composed of representatives from all areas of IT, network security, and upper management • Proposed changes must first be approved by CMT • CMT duties • Review proposed changes • Ensure risk and impact of planned change are understood • Recommend approval, disapproval, deferral, or withdrawal of a requested change • Communicate proposed and approved changes to coworkers © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
12.
12 Privilege Management (1
of 2) • Privilege • Subject’s access level over an object, such as a file • Privilege management • Process of assigning and revoking privileges to objects • Privilege auditing • Periodically reviewing a subject’s privileges over an object • Objective: determine if subject has the correct privileges © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
13.
13 Privilege Management (2
of 2) © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
14.
14 Incident Management • Incident
response • Components required to identify, analyze, and contain an incident • Incident handling • Planning, coordination, communications, and planning functions needed to resolve incident • Incident management • The “framework” and functions required to enable incident response and incident handling within an organization • Objective: To restore normal operations as quickly as possible with least impact to business or users © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
15.
15 Risk Calculation (1
of 6) • Two approaches to risk calculation: • Qualitative risk calculation - uses an “educated guess” based on observation • Typically assigns a numeric value (1-10) or label (High, Medium, or Low) that represents the risk • Quantitative risk calculation - attempts to create “hard” numbers associated with the risk of an element in a system by using historical data • Can be divided into the likelihood of a risk and the impact of a risk being successful © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
16.
16 Risk Calculation (2
of 6) • Risk Likelihood • Several quantitative tools can be used to predict the likelihood of the risk • Mean Time Between Failure (MTBF) • Mean Time To Recovery (MTTR) • Mean Time To Failure (MTTF) • Failure In Time (FIT) • Historical data can be used to determine the likelihood of a risk occurring within a year • Known as Annualized Rate of Occurrence (ARO) © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
17.
17 Risk Calculation (3
of 6) Source Explanation Police departments Crime statistics on the area of facilities to determine the probability of vandalism, break-ins, or dangers potentially encountered by personnel Insurance companies Risks faced by other companies and the amounts paid out when these risks became reality Computer incident monitoring organization Data regarding a variety of technology-related risks, failures, and attacks © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
18.
18 Risk Calculation (4
of 6) • Risk Impact • Comparing the monetary loss associated with an asset in order to determine the amount of money that would be list if the risk occurred • Two risk calculation formulas are used to calculate expected losses: • Single Loss Expectancy (SLE) - expected monetary loss every time a risk occurs • Annualized Loss Expectancy (ALE) - expected monetary loss that can be expected for an asset due to risk over a one-year period • Representing Risks • Risk register – a list of potential threats and associated risks • Risk matrix – a visual color-coded tool that lists the impact and likelihood of risks © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
19.
19 Risk Calculation (5
of 6) © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
20.
20 Risk Calculation (6
of 6) © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
21.
21 Strategies for Reducing
Risk • Approaches for reducing risk: • Using control types • Distributing allocation • Implementing automation © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
22.
22 Using Control Types
(1 of 2) • Security control • Any device or process that is used to reduce risk • Two levels of security controls: • Administrative controls – processes for developing and ensuring that policies and procedures are carried out • Technical controls – security controls carried out or managed by devices © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
23.
23 Using Control Types
(2 of 2) • Subtypes of controls that can be either technical or administrative: • Deterrent controls • Preventative controls • Physical controls • Detective controls • Compensating controls • Corrective controls © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
24.
24 Distributing Allocation • Distributive
allocation refers to “spreading” the risk • Ways to distribute risk include: • Transference - makes a third party responsible for the risk • Risk avoidance - involves identifying the risk and making the decision to not engage in the activity • Mitigation - the attempt to address the risk by making it less serious © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
25.
25 Implementing Technology • Risk
is often introduced through human error • Using technology as a strategy for reducing risk can minimize these errors • Implementing technology involves using: • Automation • Images and templates • Non-persistence tools © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
26.
26 Automation (1 of
2) • Automation • Can be defined as that which replaces human physical activity • Automated courses of action • Using technology to automate IT processes • It automation can provide: • Scalability - the ability to continue to function as the size or volume of the enterprise data center expands to meet the growing demands • Elasticity – the ability to revert to its former size after expanding • Continuous monitoring – sustained and continual surveillance © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
27.
27 Automation (2 of
2) • Secure configuration guides – available to help IT security personnel configure hardware devices and software to repel attacks • Vendor-specific guides – useful for configuring web servers, OSs, application servers, and network infrastructure devices • Configuration validation • Reviewing the configuration of systems to determine if security settings are correct © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
28.
28 Images and Templates •
Master image • A copy of a properly configured and secured computer software system that can be replicated to other computers • Eliminates the need for configuring individualized security settings • Template • A type of document in which the standardized content has already been created • The user needs only to enter specialized and variable components • Reduces the amount of data to be entered and helps minimize errors that could introduce a risk © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
29.
29 Non-Persistence Tools • Non-persistence
tools – used to ensure that unwanted data is not carried forward (clean image is used) Tool name Description How used Live boot media A “lightweight” bootable image on a USB flash drive or optical media Temporarily creates a secure, non- persistent client for use on a public computer for accessing a secure remote network Revert to a known state Restore device to a previous secure condition Used to reset a device to a stable and secure setting Rollback to known configuration Undo recent changes that cause errors or weaken security Can restore a device to a previous configuration Snapshot An instance (image) of a virtual machine Used to replace a corrupted or infected virtual machine © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
30.
30 Practicing for Reducing
Risk • Practices for reducing risk: • Security policies • Awareness and training • Agreements • Personnel management © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
31.
31 Security Policies • Definition
of a Policy • Communicates a consensus of judgment • Defines appropriate behavior for users • Identifies what tools and procedures are needed • Provides directives for Human Resources action in response to inappropriate behavior • May be helpful if it is necessary to prosecute violators © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
32.
32 What is a
Security Policy? (1 of 3) • Security Policy • A written document that states how an organization plans to protect the company‘s information technology assets • Outlines the protections that should be enacted to ensure the organization’s assets face minimal risk • Having a written security policy empowers an organization to take appropriate action to safeguard its data © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
33.
33 What is a
Security Policy? (2 of 3) • Security policy functions • An overall intention and direction, formally expressed by the organization’s management • Details specific risks and how to address them • Provides controls to direct employee behavior • Helps create a security-aware organizational culture • Helps ensure employee behavior is directed and monitored in compliance with security requirements © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
34.
34 What is a
Security Policy? (3 of 3) • An effective security policy must balance: trust and control • Three approaches to trust • Trust everyone all of the time • Trust no one at any time • Trust some people some of the time • Security policy attempts to provide right amount of trust • Trust some people some of the time • Builds trust over time • Level of control must also be balanced • Influenced by security needs and organization’s culture © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
35.
35 Types of Security
Policies (1 of 4) • A security policy is comprehensive and often detailed • Many organizations break the security policy down into smaller “subpolicies” • Examples: • Acceptable encryption policy • Antivirus policy • Database credentials coding policy • Email policy • Extranet policy • Router security policy • Server security policy • VPN security policy • Wireless communication policy © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
36.
36 Types of Security
Policies (2 of 4) • Acceptable Use Policy (AUP) • Policy that defines actions users may perform while accessing systems • Users include employees, vendors, contractors, and visitors • Typically covers all computer use, including mobile devices • Unacceptable use may also be outlined by the AUP • Generally considered most important information security policy © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
37.
37 Types of Security
Policies (3 of 4) • Personal Email Policy • Generally covers three important elements: - Using company email to send personal email messages - Accessing personal email at a place of employment - Forwarding company emails to a personal account • Social Media Policy • Social media network – grouping individuals and organizations into clusters or groups based on some sort of affiliation • Risks of social media: - Personal data can be used maliciously - Users may be too trusting - Accepting friends may have unforeseen consequences - Social media security is lax or confusing © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
38.
38 Types of Security
Policies (4 of 4) • Social Media Policy (continued) • Social media policy – outlines acceptable employee use of social media be enforced • Reasons for a social media policy: -Setting standards for employee use -Defining limitations -Protecting the enterprise’s reputation -Creating consistency across channels © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
39.
39 Awareness and Training
(1 of 4) • A key defense in information security: • Providing security awareness and training to users (sometimes called continuing education) • All users need continuous training in the new security defenses and be reminded of company security policies and procedures • Opportunities for security training: • When a new employee is hired • After a computer attack has occurred • When an employee promoted • During an annual department retreat • When new user software is installed • When user hardware is upgraded © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
40.
40 Awareness and Training
(2 of 4) Year born Traits Number in U.S. population Prior to 1946 Patriotic, loyal, faith in institutions 75 million 1946-1964 Idealistic, competitive, question authority 80 million 1965-1981 Self-reliant, distrustful of institutions, adaptive to technology 46 million 1982-2000 Pragmatic, globally concerned, computer literate, media savvy 76 million © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
41.
41 Awareness and Training
(3 of 4) Subject Pedagogical approach Andragogical approach Desire Motivated by external pressures to get good grades or pass on to the next grade Motivated by higher self-esteem, more recognition, desire for better quality of life Student Dependent on teacher for all learning Self-directed and responsible for own learning Subject matter Defined by what the teacher wants to give Learning is organized around situations in life or at work Willingness to learn Students are informed about what they must learn A change triggers a readiness to learn or students perceive a gap between where they are and where they want to be © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
42.
42 Awareness and Training
(4 of 4) • In addition to training styles, there are different learning styles • Visual • Auditory • Kinesthetic • Training styles impact how people learn • Role-based training -Involves specialized training that is customized to the specific role that an employee holds in the organization © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
43.
43 Agreements (1 of
2) • Risks of third-party integration: • On-boarding and off-boarding • Application and social media network sharing • Privacy and risk awareness • Data considerations • Interoperability agreements • Formal contractual relationships as they related to security policy and procedures • Part of the standard operating procedures, or those actions and conduct that are considered normal © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
44.
44 Agreements (2 of
2) • Agreements that should be regularly reviewed to verify compliance and performance standards include: • Service Level Agreement (SLA) – specifies what services will be provided and the responsibilities of each party • Blanket Purchase Agreement (BPA) – a prearranged purchase or sale agreement between a government agency and a business • Memorandum of Understanding (MOU) – describes an agreement between two or more parties • Interconnection Security Agreement (ISA) – an agreement that is intended to minimize security risks for data transmitted across a network • Non-disclosure agreement (NDA) – a legal contract that specifies how confidential material will be shared between parties but restricted to others © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
45.
45 Personnel Management • When
hiring, a background check should be conducted • The process of authenticating the information supplied to a potential employer by a job applicant in the applicant’s resume, application, and interviews • When an employee leaves, an exit interview is usually conducted • A “wrap-up” meeting between management representatives and the person leaving an organization either voluntarily or through termination © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
46.
46 Troubleshooting Common Security
Issues (1 of 2) • Security professionals should have the knowledge and skill to troubleshoot common security issues, including: • Access violations • Asset management • Authentication issues • Baseline deviation • Certificate issues • Data exfiltration • License compliance violation • Logs and events anomalies • Misconfigured devices © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
47.
47 Troubleshooting Common Security
Issues (2 of 2) • Security professionals should have the knowledge and skill to troubleshoot common security issues, including (continued): • Permission issues • Personnel issues • Unauthorized software • Unencrypted credentials • Weak security configurations © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
48.
48 Chapter Summary (1
of 2) • A risk is a situation that involves exposure to some type of danger • Privilege management and change management are risk management approaches • Two approaches to risk calculation: qualitative risk calculation and quantitative risk calculation • Several approaches are used to reduce risk • A security control and modifying the response to the risk instead of accepting the risk • A policy is a document that outlines specific requirements or rules that must be met © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
49.
49 Chapter Summary (2
of 2) • An acceptable use policy (AUP) defines the actions users may perform while accessing systems and networking equipment • Other policies: • Personal email policy • Social media policy • Different parties can reach an understanding of their relationships and responsibilities through interoperability agreements © 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Download now