'Determining The Ideal Security Measure' is Nugget 3 in the series 'Cyber Security Awareness Month 2017'. You must ensure that the best and most cost-effective measure applies...
2. Previous Nuggets Recap
• We identified and classified the Information Assets based on the Value and
Criticality of the Assets.
• We learnt that the Identification and Classification of the Assets could be
achieved using the Risk Assessment and Impact Analysis Techniques.
• We discussed the CIA Triad(Confidentiality, Integrity and Availability), the
three Control Types, Security Services and Measures centred around each
control and the Assets therein.
• We discussed that in protecting your Information Assets, you must have a
good understanding of the Control Types (Administrative, Technical and
Physical) as well as the Security Services and Measures (Preventive,
Detective, Deterrent, Corrective, Recovery, Compensating and Directive).
• We also discussed that it is important you understand the ideal security
measure to apply on each classified asset using Vulnerability and Risk
Assessment Techniques.
• We finally looked at some important facts on ‘protecting your Information
Assets’.
3. In This Nugget:
Determining The Ideal Security Measure
• Having gained a good understanding of the Controls and Security Measures,
we now look at how the Assets can be protected by applying the ideal
Security Measures.
• We look at how these measures of protection can be ascertained using
Vulnerability and Risk Assessment methodologies.
• We discuss Vulnerabilities, Threats and Risks in detail.
• We look at how to tie the cost of each Security Measure to the actual
value of the Asset it protects.
• A little Math applies here, but it will not be much of a bother.
• Finally, we outline some important facts on Risk Management.
4. Determining The Ideal Security Measure:
Vulnerability
• A Vulnerability is a weakness or gap that could be taken advantage of.
• An Asset (or any object) is vulnerable if there is an element of weakness
around it.
• The weakness could take the form of an opening, an exposure, or something
important that is lacking on the Asset.
• Every newly installed or procured Asset carries both visible and hidden
vulnerabilities.
• It is good practice to proactively outline the vulnerabilities around an
Asset immediately after identifying it as Critical to your Business.
• In Cyber Security, it is important to start your Risk Management process
with a Vulnerability checklist for the Asset.
• For example, a Critical Server Operating System (Asset) with no anti-virus,
missing security patches, a weak log-in password, access open to
unauthorised parties, no Uninterruptible Power Supply (UPS) and other such
weaknesses around it is seen as highly vulnerable.
5. Determining The Ideal Security Measure:
Threat
• A Threat is a potential event or action through which a vulnerability
could be exploited to cause harm. The bad guys (hackers, criminals,
attackers and others) who would carry it out are known as Threat Agents.
• For example, the Critical Operating System vulnerabilities outlined on the
previous slide could do a great deal of harm to both the Asset and the
business if exploited by the Threat Agents.
• The Threat Agents could take advantage of the fact that there is no
anti-virus program on the system and infect it with a virus or other
malware (the Threat).
• Malware infection on a Critical System could be disastrous and negatively
affect all three principles of Security: Confidentiality, Integrity and
Availability.
• An Asset can be vulnerable yet face a high or only a minimal Threat; it all
depends on the scenario around the vulnerability and on the likelihood and
impact of its exploitation.
6. Determining The Ideal Security Measure:
Risk
• Risk is the likelihood that a Threat Agent will exploit a Vulnerability
with a Threat, considered together with the harm that would result.
• Following our Critical Operating System example, one of the
vulnerabilities is a weak log-in Password which could easily be guessed
(the Threat) by the Threat Agents.
• The likelihood that the weak log-in Password (Vulnerability) is actually
exploited by guessing attacks (Threat) carried out by a Threat Agent is
the Risk.
• It is this level of likelihood that determines whether the Risk is high,
low or insignificant.
• If the Risk is high, a Security Measure, which at this point is referred
to as a Counter Measure or Safeguard, is proffered.
• As discussed in the previous Nugget, the weak log-in Password is a
Vulnerability in a Technical Control, and exploiting it could breach all
three principles of the CIA Triad.
• The Counter Measure would be a Preventive Technical Control, in this case
a stricter Password Management approach, such as enforcing strong
passwords and locking the account after repeated failed guesses.
• We will look at Risk from various perspectives on the subsequent slides.
7. Determining The Ideal Security Measure:
Risk Equation
• We now derive the Risk value from the Vulnerability and Threat discussed
on the previous slides.
• Risk = Vulnerability * Threat * Impact
• Impact is the consequence of the Threat exploiting the Vulnerability.
• The Risk Equation helps us understand the Risk level of a Threat
exploiting a Vulnerability on an Asset: each factor is rated (for example
low, medium or high) and their combination gives the Risk level.
• For example, the Critical Operating System's missing patch (Vulnerability)
could lead to unauthorised access to the system and the other Applications
on it (Threat), and the consequence could amount to theft of data and many
other losses (Impact).
• The Risk Equation helps us determine the Risk Response, that is whether
the Risk should be Mitigated, Accepted, Avoided or Transferred to
Insurance.
8. Determining The Ideal Security Measure:
Risk Responses
Risk Response is the process of determining a suitable Counter
Measure to be applied on the Asset. The four basic Risk
Responses are:
• Mitigate: reduce the Risk to an acceptable level and put the
right protection mechanism in place to maintain it at that level.
• Accept: take the Risk as it is, typically because the likelihood
or impact is minimal or insignificant, or because a Counter
Measure would cost more than the loss it prevents.
• Avoid: stop, or do not start, the activity that is causing the Risk.
• Transfer: shift the financial consequence to a third party,
typically through insurance on the Assets, especially when the
cost of the Counter Measure is unbearable to the Business.
9. Determining The Ideal Security Measure:
Risk Analysis Types
We have two types of Risk Analysis generally:
• Quantitative Risk Analysis: a process of calculating Risk
using numerical and monetary values. Quantitative Risk
Analysis takes into consideration:
– The Asset Value (AV): the cost of the Asset, including the man-hours
and cost of labour to replace it.
– The Exposure Factor (EF): the percentage of the Asset Value that is
lost when a given Threat is realised (from 0% to 100%).
– The Single Loss Expectancy (SLE): the value of the loss expected from a
single disruptive event. SLE = AV * EF.
– The Annual Rate of Occurrence (ARO): the frequency at which the
disruption is expected to occur in one year (0.5 means once every two
years).
– The Annual Loss Expectancy (ALE): the value of the loss expected in one
year. ALE = SLE * ARO.
• Qualitative Risk Analysis: a process of rating Risk using determined
scenarios and ratings such as high, medium and low, which can be
subjective in nature.
10. Determining The Ideal Security Measure:
Cost of Counter Measure vs Value of Asset
• Recall that the cost of a Counter Measure should not be
more than the value of the Asset it protects, nor more than
the loss it prevents. Where the ideal Counter Measure is too
expensive, use a compensating control instead.
• After you arrive at a Counter Measure using the
Risk Equation and Risk Analysis, it is good
practice to evaluate the cost of the Counter Measure
and ascertain that it does not exceed the Value of
the Asset.
• To achieve this, work out the value (net benefit) of the Counter Measure:
Value of Counter Measure = Annual Loss Expectancy (ALE)
before Counter Measure - Annual Loss Expectancy (ALE)
after Counter Measure - Annual Cost of Counter
Measure.
• A positive value means the Counter Measure prevents more loss
each year than it costs; a negative value means it costs more than
it saves, and a cheaper compensating control or another Risk
Response should be considered.
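The Risk Equation on slide 7, the quantitative figures (AV, EF, SLE, ARO, ALE) on slide 9 and the cost-versus-value check on this slide can all be run through in a few lines. The following is an added worked example for this Nugget; it is not code from the original slides. The asset value, exposure factors, rates of occurrence and safeguard costs are constructed for illustration, and the 1-to-3 rating bands used for Risk = Vulnerability * Threat * Impact are an assumed convention, not one the slides prescribe.

```python
"""Risk Equation, SLE/ALE and Counter Measure value, worked through in code.

Added example for this Nugget, not code from the original slides. All
figures are constructed for illustration; the 1-3 rating bands for
Risk = Vulnerability * Threat * Impact are an assumed convention.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One Threat exploiting one Vulnerability on an Asset."""
    name: str
    asset_value: float      # AV: asset cost plus man-hours and labour
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    aro: float              # ARO: expected number of events per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate Counter Measure and the EF/ARO that remain once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: loss expected from a single disruptive event."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return av * ef


def annual_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO: loss expected over one year."""
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """Value of a Counter Measure = ALE before - ALE after - annual cost.

    Positive: it prevents more loss per year than it costs.
    Negative: it costs more than the loss it prevents, so look for a
    cheaper compensating control or choose another Risk Response.
    """
    ale_before = annual_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
    ale_after = annual_loss_expectancy(s.asset_value, g.residual_ef, g.residual_aro)
    return ale_before - ale_after - g.annual_cost


def best_safeguard(s: Scenario, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Return the candidate with the highest positive value, or None if none pays off."""
    if not candidates:
        return None
    value, choice = max(((safeguard_value(s, g), g) for g in candidates),
                        key=lambda vg: vg[0])
    return choice if value > 0 else None


def risk_level(vulnerability: int, threat: int, impact: int) -> str:
    """Qualitative Risk = Vulnerability * Threat * Impact, each rated 1 (low) to 3 (high).

    Assumed bands on the 1..27 product: High >= 12, Medium >= 6, otherwise Low.
    """
    for rating in (vulnerability, threat, impact):
        if rating not in (1, 2, 3):
            raise ValueError("each factor must be rated 1, 2 or 3")
    score = vulnerability * threat * impact
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def risk_response(level: str, chosen: Optional[Safeguard]) -> str:
    """Map the Risk level and the cost/benefit outcome onto the four Risk Responses."""
    if level == "Low":
        return "Accept"
    if chosen is not None:
        return "Mitigate with " + chosen.name
    return "Transfer (insure) or Avoid: no Counter Measure is worth its cost"


# Constructed figures for the Critical Server Operating System used in the Nugget.
MALWARE_ON_CRITICAL_SERVER = Scenario(
    name="malware infection via missing anti-virus and patches",
    asset_value=50_000.0, exposure_factor=0.4, aro=0.5,
)
CANDIDATES = [
    Safeguard("anti-virus plus monthly patching", annual_cost=2_000.0,
              residual_ef=0.1, residual_aro=0.2),
    Safeguard("outsourced 24x7 monitoring service", annual_cost=15_000.0,
              residual_ef=0.05, residual_aro=0.1),
]


def worked_example() -> Tuple[str, Optional[Safeguard], str]:
    """Rate the scenario, pick the Counter Measure, return (level, choice, response)."""
    level = risk_level(vulnerability=3, threat=3, impact=2)
    choice = best_safeguard(MALWARE_ON_CRITICAL_SERVER, CANDIDATES)
    return level, choice, risk_response(level, choice)


if __name__ == "__main__":
    for g in CANDIDATES:
        print("%s: value = %.0f" % (g.name, safeguard_value(MALWARE_ON_CRITICAL_SERVER, g)))
    print(worked_example())
```

With the constructed figures the SLE is 20,000 and the ALE 10,000 per year. Anti-virus plus patching brings the ALE down to about 1,000 for 2,000 a year, a value of roughly 7,000, so it is chosen; the outsourced monitoring service would cut the ALE further but at 15,000 a year its value is negative, which is exactly the case where the slide tells you to look for a cheaper compensating control or another Risk Response.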
11. Determining The Ideal Security Measure:
Risk Management Frameworks
It is good practice to run your Risk Management and Analysis
using one of the established methodologies, for example:
• NIST SP 800-30 (Guide for Conducting Risk Assessments)
• FRAP (Facilitated Risk Analysis Process)
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• FMEA (Failure Modes and Effects Analysis)
• Others.
Kindly do a search on each of the frameworks and
apply accordingly.
12. Determining The Ideal Security Measure:
Important Facts on Risk Management
• Information Risk Management is the responsibility of the Business Unit or
Group Managers, but it must have the support and backing of Top Level
Management.
• Risk Management focuses on reducing Risk to a level acceptable to the
Business, with the right mechanisms in place to maintain that level.
• Risk Management helps to ascertain the most cost-effective, relevant,
up-to-date, ideal and resilient Counter Measure for a given Asset.
• The right Counter Measure removes or reduces the Vulnerability, but it
cannot eliminate the Threat, the Threat Agent or the Risk entirely. The
Asset is protected by reducing (mitigating) the Risk and preventing the
Threat Agent from exploiting the Vulnerabilities around the Asset.
• There will always be some element of Risk left after applying the Counter
Measure. This remaining Risk is referred to as Residual Risk.
13. Determining The Ideal Security Measure:
In Summary
This Nugget may sound a bit technical to most of us, but you need not worry much; grab this:
• We looked at the various ways to ascertain the ideal Counter Measure to be applied on a given Asset.
• We first looked at the various Vulnerabilities and Threats around the Asset and explained Risk as
the likelihood that Threat Agents exploit the vulnerabilities through those Threats.
• We worked through the Risk areas: the Risk Equation, Quantitative and Qualitative Risk Analysis and
the Risk Responses.
• Each of the Risk areas drew us closer to ascertaining the ideal and best Counter Measure to be
applied on a given Asset.
• The Risk Equation (Vulnerability * Threat * Impact) ascertains the level of Risk, whether High, Medium
or Low.
• Based on the Risk level ascertained from the Risk Equation, the Risk Response is determined.
The response could be to Mitigate, Accept, Avoid or Transfer (to third-party insurance).
• We further looked at how to generate the Annual Loss Expectancy (ALE = SLE * ARO) from
the Value of the Asset (AV), the Exposure Factor (EF), the Single Loss Expectancy (SLE = AV * EF) and
the Annual Rate of Occurrence (ARO).
• We finally used the Annual Loss Expectancy to work out the value of a Counter Measure, which
must be positive: the Counter Measure must cost less than the loss it prevents.
Value of Counter Measure = ALE before - ALE after - Annual cost of Counter Measure.
• We hope the concept of Cyber Security is now well understood so far in this Awareness series:
Identify, Classify, Protect (Vulnerabilities, Threats, Risk and Counter Measures).
• Going forward we will bring home the various Threats and the ideal Counter Measures for
combating them.
• We hope this helps...
14. See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE