Uploaded byMouradAKenk
14 views

"information risk management in cybersecurity" Lecture 2

"information risk management in cybersecurity"

Technologyâ—¦

Embed presentation

Download to read offline
Risk Assessment Threat assessment 2) Threat assessment: â–Ş identify the possible causes or sources of threats. â–Ş A threat is the potential for some damage or trouble to the IT environment. â–Ş Sources: â–Ş malicious attacks (automated malicious software) â–Ş (Viruses, worms, Daniel of services, logic bomb) â–Ş human threats are typically the most worrisome â–Ş Internal â–Ş External attacker â–Ş also natural, ex: â–Ş bad weather, floods, â–Ş earthquakes, tornadoes, etc. â–Ş factors in the environment, such as power failures. 18
Risk Assessment Threat assessment ▪ Malicious human attackers are hard to categorize because their motivations and actions could vary widely. 20 • is a dissatisfied employee seeking revenge against the organization or • a dissatisfied employee snooping for proprietary information or personal information belonging to other employees. internal attacker • must penetrate an organization’s defenses (such as firewalls) to gain access, and then would likely have difficulty gaining access with root or admin privileges. external attackers
Risk Assessment Threat assessment â–Ş Not all human threats have a malicious intention; for example, a threat might arise from negligence (such as forgetting to change a default computer account) or accident (perhaps misconfiguring a firewall to allow unwanted traffic, or unknowingly downloading malicious software). 21
Risk Assessment Threat assessment ▪ In a way, internal attackers are the most worrisome because they presumably have direct access to an organization’s valuable assets and perhaps have computer accounts with high user privileges (e.g., Unix root or Windows admin). 22
Risk Assessment Threat assessment ▪ External attackers might include: ▪ amateur “hackers” motivated by curiosity or ego, ▪ professional criminals looking for profit or theft, ▪ terrorists seeking destruction or extortion, ▪ military agents motivated by national interests, or ▪ industrial spies attempting to steal proprietary information for profit. 23
Risk Assessment Threat assessment â–Ş External threats might even include automated malicious software, namely viruses and worms, that spread by themselves through the internet. â–Ş It might be feasible to identify major external threats, but a possibility always exists for a new unknown external threat. 24
Risk Assessment Vulnerability analysis â–Ş 3) Vulnerability analysis: â–Ş A vulnerability is a weakness in a system, person, or organization that could be taken advantage of by someone with malicious intent. 25 vulnerabilities Technical system operations security management
Risk Assessment Vulnerability analysis â–Ş 3) Vulnerability analysis: â–Ş Technical vulnerabilities are perhaps the easiest to identify by: 1. Vendors of computing and networking equipment 2. Web sites such as Bugtraq 3. automated vulnerability scanning tools 4. penetration testing 26
Risk Assessment Vulnerability analysis â–Ş Vendors of computing and networking equipment usually publish bulletins of bugs and vulnerabilities, along with patches, for their products. â–Ş several Web sites maintain lists of security advisories about known vulnerabilities. such as â–Ş Bugtraq (http://www.securityfocus.com/archive/1) â–Ş CERT (http://www.cert.org/advisories) â–Ş automated vulnerability scanning tools to assess an operational system. These scanners essentially contain a database of known vulnerabilities and test a system for these vulnerabilities by probing. such as â–Ş Satan, SARA, SAINT, and Nessus. â–Ş penetration testing which simulates the actions of an attacker (NIST, 2003). (That active attacks will help to reveal weaknesses in system defenses.) 27
Risk Assessment Vulnerability analysis â–Ş Vulnerabilities might arise from security management. â–Ş For example, â–Ş human resources might be insufficient to cover all important security responsibilities, or â–Ş personnel might be insufficiently trained. â–Ş Security policies may be incomplete, exposing the system to possible compromise. â–Ş Other vulnerabilities might be related to system operations. â–Ş For example, â–Ş suppose old data CDs are disposed in trash that is publicly accessible. â–Ş It would be easy for anyone to retrieve discarded data. 29
Risk Assessment Impact analysis 30 4) Impact analysis: â–Ş Estimates the impact of each threat on the organization, that depends on some uncertain factors: â–Ş the likelihood of the threat occurring; â–Ş the loss from a successful threat; and â–Ş the frequency of recurrence of the threat. â–Ş In practice, these factors may be difficult to estimate, and there are various ways to estimate and combine them in an impact analysis.
Risk Assessment Impact analysis 31 The impact analysis can range from: Qualitative (descriptive) anything between. Quantitative (mathematical)
End of Lecture 2 32

More Related Content

PPTX
ISAA PPt
byRishabhAgrawal695188
 
PDF
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
byjbasney
 
PDF
Outsourcing
bykarlhennessy
 
PPTX
Identifying Your Agency's Vulnerabilities
byEmily2014
 
PDF
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
byCam Fulton
 
PDF
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
PDF
Threat Based Risk Assessment
byMichael Lines
 
PPTX
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 
ISAA PPt
byRishabhAgrawal695188
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
byjbasney
 
Outsourcing
bykarlhennessy
 
Identifying Your Agency's Vulnerabilities
byEmily2014
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
byCam Fulton
 
Week-3_Lecture-1.pdfaaaaaaaaaaaaaaaaaaaaaa
byAmirMohamedNabilSale
 
Threat Based Risk Assessment
byMichael Lines
 
Week-3_Lecture-1.pptxccccccccccccccccccccc
byAmirMohamedNabilSale
 

Similar to "information risk management in cybersecurity" Lecture 2

DOCX
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
bytodd521
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
PDF
Risks threats and vulnerabilities
byManish Chaurasia
 
PPTX
501 ch 8 risk management tools
bygocybersec
 
PPT
NH Bankers 10 08 07 Kamens
bykamensm02
 
PPTX
Vulenerability Management.pptx
byThavaselviMunusamy1
 
PPTX
Understanding the security_organization
byDan Morrill
 
PDF
Microsoft InfoSec for cloud and mobile
byVijayananda Mohire
 
PPTX
Module 6.pptx
byssuser66c4d5
 
PDF
It risk assessment
byHappiest Minds Technologies
 
PPTX
How to assess and manage cyber risk
byStephen Cobb
 
PDF
BCS ITNow 201406 - The Risk Business
byGareth Niblett
 
PPTX
Cyber Security # Lec 3
byKabul Education University
 
PPTX
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
byJakeariesMacarayo
 
PPTX
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
byJakeariesMacarayo
 
DOCX
((Anatomy of a Security IncidentAttack)) will survey current threat.docx
byajoy21
 
PDF
New Age Red Teaming - Enterprise Infilteration
byShritam Bhowmick
 
PDF
Ch07 Managing Risk
byphanleson
 
PDF
Sem 004
bySelectedPresentations
 
PPT
1 (20 files merged).ppt
byseshas1
 
Running head THREATS, ATTACKS AND VULNERABILITY ASSESSMENT .docx
bytodd521
 
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
Risks threats and vulnerabilities
byManish Chaurasia
 
501 ch 8 risk management tools
bygocybersec
 
NH Bankers 10 08 07 Kamens
bykamensm02
 
Vulenerability Management.pptx
byThavaselviMunusamy1
 
Understanding the security_organization
byDan Morrill
 
Microsoft InfoSec for cloud and mobile
byVijayananda Mohire
 
Module 6.pptx
byssuser66c4d5
 
It risk assessment
byHappiest Minds Technologies
 
How to assess and manage cyber risk
byStephen Cobb
 
BCS ITNow 201406 - The Risk Business
byGareth Niblett
 
Cyber Security # Lec 3
byKabul Education University
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
byJakeariesMacarayo
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
byJakeariesMacarayo
 
((Anatomy of a Security IncidentAttack)) will survey current threat.docx
byajoy21
 
New Age Red Teaming - Enterprise Infilteration
byShritam Bhowmick
 
Ch07 Managing Risk
byphanleson
 
Sem 004
bySelectedPresentations
 
1 (20 files merged).ppt
byseshas1
 

Recently uploaded

PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
final.pdf
byomarbishtawi04
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
AI TOOLS FOR PRODUCTIVITY IN MODERN TIMES.pdf
bySantunu
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
final.pdf
byomarbishtawi04
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 

"information risk management in cybersecurity" Lecture 2

  • 1.
    Risk Assessment Threat assessment 2)Threat assessment: â–Ş identify the possible causes or sources of threats. â–Ş A threat is the potential for some damage or trouble to the IT environment. â–Ş Sources: â–Ş malicious attacks (automated malicious software) â–Ş (Viruses, worms, Daniel of services, logic bomb) â–Ş human threats are typically the most worrisome â–Ş Internal â–Ş External attacker â–Ş also natural, ex: â–Ş bad weather, floods, â–Ş earthquakes, tornadoes, etc. â–Ş factors in the environment, such as power failures. 18
  • 2.
    Risk Assessment Threat assessment ▪Malicious human attackers are hard to categorize because their motivations and actions could vary widely. 20 • is a dissatisfied employee seeking revenge against the organization or • a dissatisfied employee snooping for proprietary information or personal information belonging to other employees. internal attacker • must penetrate an organization’s defenses (such as firewalls) to gain access, and then would likely have difficulty gaining access with root or admin privileges. external attackers
  • 3.
    Risk Assessment Threat assessment â–ŞNot all human threats have a malicious intention; for example, a threat might arise from negligence (such as forgetting to change a default computer account) or accident (perhaps misconfiguring a firewall to allow unwanted traffic, or unknowingly downloading malicious software). 21
  • 4.
    Risk Assessment Threat assessment ▪In a way, internal attackers are the most worrisome because they presumably have direct access to an organization’s valuable assets and perhaps have computer accounts with high user privileges (e.g., Unix root or Windows admin). 22
  • 5.
    Risk Assessment Threat assessment ▪External attackers might include: ▪ amateur “hackers” motivated by curiosity or ego, ▪ professional criminals looking for profit or theft, ▪ terrorists seeking destruction or extortion, ▪ military agents motivated by national interests, or ▪ industrial spies attempting to steal proprietary information for profit. 23
  • 6.
    Risk Assessment Threat assessment â–ŞExternal threats might even include automated malicious software, namely viruses and worms, that spread by themselves through the internet. â–Ş It might be feasible to identify major external threats, but a possibility always exists for a new unknown external threat. 24
  • 7.
    Risk Assessment Vulnerability analysis â–Ş3) Vulnerability analysis: â–Ş A vulnerability is a weakness in a system, person, or organization that could be taken advantage of by someone with malicious intent. 25 vulnerabilities Technical system operations security management
  • 8.
    Risk Assessment Vulnerability analysis â–Ş3) Vulnerability analysis: â–Ş Technical vulnerabilities are perhaps the easiest to identify by: 1. Vendors of computing and networking equipment 2. Web sites such as Bugtraq 3. automated vulnerability scanning tools 4. penetration testing 26
  • 9.
    Risk Assessment Vulnerability analysis â–ŞVendors of computing and networking equipment usually publish bulletins of bugs and vulnerabilities, along with patches, for their products. â–Ş several Web sites maintain lists of security advisories about known vulnerabilities. such as â–Ş Bugtraq (http://www.securityfocus.com/archive/1) â–Ş CERT (http://www.cert.org/advisories) â–Ş automated vulnerability scanning tools to assess an operational system. These scanners essentially contain a database of known vulnerabilities and test a system for these vulnerabilities by probing. such as â–Ş Satan, SARA, SAINT, and Nessus. â–Ş penetration testing which simulates the actions of an attacker (NIST, 2003). (That active attacks will help to reveal weaknesses in system defenses.) 27
  • 10.
    Risk Assessment Vulnerability analysis â–ŞVulnerabilities might arise from security management. â–Ş For example, â–Ş human resources might be insufficient to cover all important security responsibilities, or â–Ş personnel might be insufficiently trained. â–Ş Security policies may be incomplete, exposing the system to possible compromise. â–Ş Other vulnerabilities might be related to system operations. â–Ş For example, â–Ş suppose old data CDs are disposed in trash that is publicly accessible. â–Ş It would be easy for anyone to retrieve discarded data. 29
  • 11.
    Risk Assessment Impact analysis 30 4)Impact analysis: â–Ş Estimates the impact of each threat on the organization, that depends on some uncertain factors: â–Ş the likelihood of the threat occurring; â–Ş the loss from a successful threat; and â–Ş the frequency of recurrence of the threat. â–Ş In practice, these factors may be difficult to estimate, and there are various ways to estimate and combine them in an impact analysis.
  • 12.
    Risk Assessment Impact analysis 31 Theimpact analysis can range from: Qualitative (descriptive) anything between. Quantitative (mathematical)
  • 13.