Security Management: Risks, controls and incidents
PETER CRUICKSHANK
SCHOOL OF COMPUTING
EDINBURGH NAPIER UNIVERSITY
What is security?
Mordac the preventer of information
© Dilbert.com
http://dilbert.com/search_results?terms=Mordac+The+Preventer
Security management: risks, controls and incidents 2
Background
Over a generation, internetworked systems, particularly the Internet, have gone from the specialized realm of government and academia to being a substantial part (the basis?) of our business and personal lives.
• Enterprises maintain web sites, email, e-commerce and collaboration tools that are all connected to the Internet.
• Online banking, bill paying and shopping have made online financial transactions common.
• Individuals have smartphones, tablets and a myriad of other devices that are always “online.”
The context
Nested environments, from the inside out:
• Computer systems
• Computer environment
• Business and application environment
• Socio-economic-legal environment
In a graph
(Figure not reproduced: © 2014, ISACA; 2016?)
Information Security: Attributes
• Confidentiality: authorised access only; protecting privacy
• Integrity: data and system; protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; DDoS attacks – prevention & recovery
• Authentication: who are you – supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation
Aim of the lecture
SERIES OF 6 LECTURES AND TUTORIALS
COURSEWORK ASSIGNMENT
EXAM QUESTIONS
This lecture:
• Discusses issues around threats and their risk management
• Covers incident handling (a particular form of risk mitigation)
• Explains the relationship of risks to controls
Risk management
HOW DO YOU PRIORITISE YOUR WORK?
HOW DO YOU KNOW WHAT’S IMPORTANT?
The security balance
Security:
• Complex passwords are secure
• Encryption protects assets
Access:
• Complex passwords prevent access
• Encryption slows things down
• Technology is not enough
• Controls often conflict with usability and business objectives
Risk
Risk is ...let’s start with Wikipedia:
• The potential that a chosen (in)action will lead to a loss [or a gain]
• Implies that a choice having an influence on the outcome exists (or existed)
• Potential losses themselves may also be called “risks”
• Almost any human endeavour carries some risk, but some are much more risky than others.
Sources of risk
• Processes: events related to business operations
• People: employee errors or misdeeds; non-employees
• Systems: technology failure
• External events: outside factors threatening operations
Or in combination. Example: a fire destroying the IT system and causing disruption to the business:
External event (fire) → Systems (unavailable) → Processes (disrupted)
Risk management
• Risk identification & assessment
• Risk control
• Risk response
Risk Control Strategies
• Avoidance
• Transference
• Mitigation
• Acceptance
Risk: LET’S LOOK AT THE BASICS (x, -, +, %)
Risk is
• The likelihood of the occurrence of a vulnerability
• × Multiplied by the value of the information asset (or, the impact of the loss)
Risk assessment: Likelihood
• Expressed as fraction or %age
• May be known (eg actuarial tables)
• May need judgement (document the process)
• Often reduced to High, Medium or Low
Risk assessment: Value (impact of loss)
• Normally focuses on potential loss
• It’s most straightforward to gather
• Can be combined up the hierarchy
  • eg loss of HR for a week may have high value to them, but the organisation will be able to carry on for a while… (So long as payroll is OK)
Identify vulnerabilities
All threats, considered against all assets, give the vulnerabilities.
Recorded in a TVA (threats, vulnerabilities & assets) worksheet
Risk assessment: TVA worksheet extract
Asset                              | Impact | Vulnerability                             | Likelihood | Risk Rating
Customer service request via email | 55     | Disruption due to hardware failure        | 0.04       | 2.2
                                   |        | Disruption due to software failure        | 0.3        | 16.5
Customer order received by SSL     | 100    | Lost order due to server hardware failure | 0.05       | 5
                                   |        | Lost order due to ISP failure             | 0.1        | 10
Risk according to OWASP [1]
Risk = Likelihood × Impact
• Likelihood
  • Threat agent: skill, motive, opportunity, capacity (resources, size)
  • Vulnerability: ease of discovery, ease of exploit, awareness, detection if exploited
• Impact
  • Technical: loss of C, I, A
  • OR Business: financial, reputational, compliance, privacy
[1] https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
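The OWASP rating described above, as an added example (not code from the lecture or from OWASP): each factor is scored 0 to 9, likelihood is the average of the threat-agent and vulnerability factors, impact is the average of either the technical or the business factors (the “OR” on the slide), and the two levels are combined with OWASP’s severity matrix. The factor names follow the OWASP methodology page; the scores are constructed for an assumed web-application weakness.

```python
"""OWASP Risk Rating Methodology, added example (not the lecture's own code).

Each factor is scored 0-9. Likelihood is the average of the eight threat-agent
and vulnerability factors; impact is the average of either the technical or the
business factors (the "OR" on the slide). Each average maps to LOW / MEDIUM /
HIGH and the pair maps to an overall severity via the OWASP matrix.
"""
from statistics import mean

THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage",
                   "non_compliance", "privacy_violation")

# OWASP overall-severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_score(scores: dict, factors: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range (0-9) scores."""
    values = []
    for f in factors:
        if f not in scores:
            raise ValueError(f"missing factor: {f}")
        v = scores[f]
        if not 0 <= v <= 9:
            raise ValueError(f"{f} must be scored 0-9, got {v}")
        values.append(v)
    return mean(values)


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(likelihood_scores: dict, impact_scores: dict, business: bool = False) -> dict:
    """Return likelihood, impact and overall severity for one vulnerability.

    business=True rates on the business-impact factors, which OWASP prefers
    when they are known; otherwise the technical-impact factors are used.
    """
    likelihood = average_score(likelihood_scores, THREAT_AGENT + VULNERABILITY)
    impact = average_score(impact_scores, BUSINESS_IMPACT if business else TECHNICAL_IMPACT)
    lvl = (level(likelihood), level(impact))
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_level": lvl[0], "impact_level": lvl[1],
            "severity": SEVERITY[lvl]}


# Constructed scores for an assumed weakness in a customer-facing web application.
LIKELIHOOD = {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 6,
              "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4,
              "intrusion_detection": 8}
TECHNICAL = {"loss_of_confidentiality": 7, "loss_of_integrity": 5,
             "loss_of_availability": 5, "loss_of_accountability": 7}
BUSINESS = {"financial_damage": 3, "reputation_damage": 4,
            "non_compliance": 2, "privacy_violation": 3}

if __name__ == "__main__":
    print(rate(LIKELIHOOD, TECHNICAL))                 # rated on technical impact
    print(rate(LIKELIHOOD, BUSINESS, business=True))   # rated on business impact
```

With the constructed scores the same weakness rates High on technical impact but only Medium on business impact, which is why the methodology asks for the business view where it is available.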
Risk management
Steps that enterprises should perform when implementing (information security) steps and measures:
• Choose a risk posture
• Analyse impact of threats
  • business impacts and other, non-financial impacts
• Identify and analyse risks
• Determine risk treatment
• Determine security strategy options based on risk profile
(Image: bolted and barricaded door behind empty K-Mart)
http://thegreatgildersleeve.tumblr.com/post/708013469/bolted-and-barricaded-door-behind-empty-k-mart
Risk Control: Risk appetite
• The goal is not risk elimination
• It is risk minimisation
  • What costs can you bear
  • What impact has risk control on your business
  • At what point are you prevented from doing anything
• Leaving the organisation with residual risk
Aim: reduce residual risk to match risk appetite
Choose a risk posture (this is also known as ‘Risk Appetite’)
Minimalist
• Reduce actions and investment to a minimum
• Comparatively high level of residual risk.
Balanced
• Comprehensive security investment
• Moderate level of residual risk
Conservative
• Aim for a precautionary, comparatively high, investment
• Little or no tolerance for residual risk.
Threats
(Image: http://www.justsaypictures.com/verbal-threat.html)
Threat actors: categorisation
• Location
  • Internal: staff, contractors (should they be internal?)
  • External: business partner, regulator, competitor & their governments
• Motivation: friendly, hostile
• Capability & expertise: script kiddies … GCHQ, the NSA, the PLA
Building a risk scenario
Scenario-based approaches are sometimes preferred over ‘pure’ risk catalogues.
A risk scenario combines:
• Actor: internal; external
• Threat type: malicious; accidental / error; failure / nature; external requirement
• Event: disclosure; interruption; modification; theft; destruction; ineffective design/execution; new rules; inappropriate use
• Asset / resource: people & skills; organisation structures; process; facilities; IT infrastructure; information; application
• Time: duration; criticality; to detection; time lag to respond
Analyse Business Impact
• What could go wrong?
• How would it affect the business?
  • Discard if impact is negligible
• Judge likelihoods
  • Discard if unlikely
• Plan for what’s left
Risk is (therefore)
• The likelihood of the occurrence of a vulnerability
• × Multiplied by the value of the information asset
• - Minus the percentage of the risk mitigated by current controls
• + Plus the uncertainty of current knowledge of the vulnerability
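The basic formula (likelihood × value), the TVA worksheet extract and the extended formula above, worked as an added example (not the lecture’s or Whitman & Mattord’s code). It assumes that the mitigation percentage and the uncertainty percentage are both applied to the likelihood × value product, and the High/Medium/Low thresholds and the mitigation and uncertainty figures are constructed.

```python
"""Risk rating for a TVA worksheet, added example (not the lecture's own code).

Implements the two formulae from the slides:
  basic:    risk = likelihood x value
  extended: risk = likelihood x value
                   - percentage of the risk mitigated by current controls
                   + uncertainty of current knowledge of the vulnerability
Assumption (not stated on the slide): both percentages are applied to the
likelihood x value product.
"""
from dataclasses import dataclass


@dataclass
class TvaEntry:
    asset: str
    value: float              # asset value / impact of loss (slide column "Impact")
    vulnerability: str
    likelihood: float         # fraction in [0, 1]; a %age is entered as its fraction
    mitigated: float = 0.0    # fraction of the risk removed by current controls
    uncertainty: float = 0.0  # fraction expressing how unsure the estimate is

    def __post_init__(self) -> None:
        # A likelihood of 150% or a negative asset value is a data-entry error,
        # not a high risk: refuse it rather than rate it.
        for name in ("likelihood", "mitigated", "uncertainty"):
            frac = getattr(self, name)
            if not 0.0 <= frac <= 1.0:
                raise ValueError(f"{name} must be a fraction in [0, 1], got {frac}")
        if self.value < 0:
            raise ValueError("asset value cannot be negative")


def basic_rating(entry: TvaEntry) -> float:
    """Likelihood multiplied by the value of the information asset."""
    return round(entry.likelihood * entry.value, 2)


def extended_rating(entry: TvaEntry) -> float:
    """Basic rating, minus the share mitigated by current controls,
    plus an uplift for uncertainty about the vulnerability."""
    base = entry.likelihood * entry.value
    return round(base - base * entry.mitigated + base * entry.uncertainty, 2)


def band(rating: float, high: float = 10.0, medium: float = 5.0) -> str:
    """Reduce a numeric rating to High / Medium / Low (thresholds are constructed)."""
    if rating >= high:
        return "High"
    if rating >= medium:
        return "Medium"
    return "Low"


def prioritise(entries, rating=extended_rating):
    """Order the worksheet so the highest-rated vulnerabilities come first."""
    return sorted(entries, key=rating, reverse=True)


# Constructed worksheet: the rows from the lecture's TVA extract.
WORKSHEET = [
    TvaEntry("Customer service request via email", 55,
             "Disruption due to hardware failure", 0.04),
    TvaEntry("Customer service request via email", 55,
             "Disruption due to software failure", 0.3),
    TvaEntry("Customer order received by SSL", 100,
             "Lost order due to server hardware failure", 0.05),
    TvaEntry("Customer order received by SSL", 100,
             "Lost order due to ISP failure", 0.1),
]


def print_worksheet(entries) -> None:
    for e in prioritise(entries):
        r = extended_rating(e)
        print(f"{r:6.2f} {band(r):6} {e.asset} / {e.vulnerability}")


if __name__ == "__main__":
    print_worksheet(WORKSHEET)
    # Re-rate the software-failure row once a control halves the exposure but
    # we are only 90% sure of the likelihood estimate (constructed figures).
    controlled = TvaEntry("Customer service request via email", 55,
                          "Disruption due to software failure", 0.3,
                          mitigated=0.5, uncertainty=0.1)
    print(extended_rating(controlled))   # 16.5 - 8.25 + 1.65 = 9.9
```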
Risk analysis cycle
Stages, as laid out on the slide:
• Asset identification & valuation
• Threat assessment
• Countermeasures
• Vulnerability assessment
• Risk assessment
• Control evaluation
• Residual risk
• Action plan
• Review
Source: ITGI IT Governance Implementation Guide, 2nd ed, 2007
Risk management concepts
• Risk identification & assessment
  • Inventory
  • Classification
  • Threat identification
• Risk control
  • Risk avoidance
  • Reduce and mitigate: risk reduction, risk transfer, risk sharing
  • Risk retention
• Risk response
  • Incident handling
  • Disaster recovery
Back to controls
Controls
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
Controls
Prevent controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorisation, adequate documentation, and physical control over assets.
Detect controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
These examples are from general business: can you think of the equivalent in information systems?
Controls
• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective/corrective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
Controls and audit: Key facts
• Controls are an expense
• Controls that aren’t consistently used are no good
• An audit is basically a check that the controls are
  • Well designed (and cost effective)
  • Have been operated consistently & correctly
Controls: Take 10
Think of one IT-related control to go in each box.
           | Prevent | Detect | Recover / mitigate
People     |         |        |
Process    |         |        |
Technology |         |        |
Physical   |         |        |
Risk assessment: Effect of controls
• Current controls mitigate the threat
• Possible controls can be identified
• Different types of control
  • eg Access control: role-based, task-based
This is one way of reviewing how you are controlling a risk in depth:
                 | People | Process | Tech
Prevent          | ✓
Detect           | ✓
Recover/mitigate | ✓
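The “Take 10” grid and the review-in-depth grid above, as an added example (not the lecture’s own code): controls for one risk are classified by domain (People, Process, Technology, Physical) and by type (Prevent, Detect, Recover/mitigate), and the empty cells are reported as gaps. The risk and the control list are constructed.

```python
"""Coverage check for the lecture's controls grid, added example (not the
lecture's own code).

Controls for one risk are classified by what they act on (People, Process,
Technology, Physical) and by what they do (Prevent, Detect, Recover/mitigate).
Empty cells show where the risk is not yet controlled in depth.
"""
from collections import defaultdict

DOMAINS = ("People", "Process", "Technology", "Physical")
TYPES = ("Prevent", "Detect", "Recover/mitigate")


def build_grid(controls):
    """Map each (domain, type) cell to the names of the controls that fill it."""
    grid = defaultdict(list)
    for name, domain, ctype in controls:
        # A control that cannot be placed in the grid is a classification
        # error, not an extra control: refuse it.
        if domain not in DOMAINS or ctype not in TYPES:
            raise ValueError(f"unknown classification for {name!r}: {domain}/{ctype}")
        grid[(domain, ctype)].append(name)
    return grid


def gaps(controls):
    """Cells with no control at all: candidates for the 'Take 10' exercise."""
    grid = build_grid(controls)
    return [(d, t) for d in DOMAINS for t in TYPES if not grid[(d, t)]]


def uncovered_types(controls):
    """Control types with no control in any domain (no prevention, or no
    detection, or no recovery at all): the risk is not controlled in depth."""
    grid = build_grid(controls)
    return [t for t in TYPES if not any(grid[(d, t)] for d in DOMAINS)]


def render(controls) -> str:
    """Plain-text version of the slide's grid, '-' marking an empty cell."""
    grid = build_grid(controls)
    width = max(len(d) for d in DOMAINS)
    lines = [" " * width + " | " + " | ".join(f"{t:18}" for t in TYPES)]
    for d in DOMAINS:
        cells = [f"{', '.join(grid[(d, t)]) or '-':18}" for t in TYPES]
        lines.append(f"{d:{width}} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed set of controls for one assumed risk, unauthorised access to a
# customer database: (control name, domain, type).
CONTROLS = [
    ("Security awareness training", "People", "Prevent"),
    ("Access request approval", "Process", "Prevent"),
    ("Quarterly access recertification", "Process", "Detect"),
    ("Role-based access control", "Technology", "Prevent"),
    ("Login audit log review", "Technology", "Detect"),
    ("Nightly backups", "Technology", "Recover/mitigate"),
    ("Incident response plan", "Process", "Recover/mitigate"),
    ("Locked server room", "Physical", "Prevent"),
]

if __name__ == "__main__":
    print(render(CONTROLS))
    print("gaps:", gaps(CONTROLS))
    print("types with no control at all:", uncovered_types(CONTROLS))
```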
Incident response
Context: Resilience
• In the traditional sense, ‘resilience’ means the ability of a material to revert to its original shape after it has been deformed.
• In information security (and in business continuity), resilience describes the ability of an enterprise to recover and absorb external shocks or events and their internal impacts.
• Incident handling is a type of risk mitigation
Business impact analysis
• Results of business impact analysis (BIA) and risk assessment
  • specific risks and scenarios, threats and vulnerabilities analysis, etc.
  • clustered (aggregated) risk
  • potential impacts and strategic options (with residual risk)
• Key technologies
  • Cloud, network interconnections, supervisory control and data acquisition (SCADA) and other industrial control systems.
  • Focus is: what if they fail?
Incident strategy: two aspects
• Knowing what to do
  • Incident reporting
  • Policies, reporting lines, authorities, etc.
• Testing it
  • Participation in & integration with exercises (EU/national/industry wide)
Not all events are incidents
• Distinguish between events and incidents.
• NIST defines an event as “any observable occurrence in a network or system.”
  • This includes normal network operations, such as connections to servers, email transactions and database updates.
• A computer security incident is “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
Incident response
• Despite an organisation’s best efforts, attackers are sometimes successful.
• When this happens, an incident occurs.
• When incidents occur, it is essential to have a plan in place to handle them
  • The purpose of incident response.
• Terminology:
  • The people trained to deal with incidents are called incident handlers
  • They are part of an incident response team.
Incident response phases
Preparation → Detection & analysis → Containment, eradication, recovery → Post incident activity
• Preparation to establish roles, responsibilities and plans for how an incident will be handled
• Detection and Analysis capabilities to identify incidents as early as possible and effectively assess the nature of the incident
• Investigation capability if identifying an adversary is required
• Mitigation and Recovery procedures to contain the incident, reduce losses and return operations to normal
• Post-incident Analysis to determine corrective actions to prevent similar incidents in the future
Conclusion
Today, we have covered:
• The principles of risk management
• How risks and controls relate
• An outline of an incident handling plan
Final thought: What is security?
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
• The first is to make people actually more secure, and hope they notice.
• The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
The feeling and the reality of security, Schneier 2008
…Watch for Security theatre, that is…
Thank you
PETER CRUICKSHANK
Lecturer in Information Systems, School of Computing, Edinburgh Napier University
@spartakan | p.cruickshank@napier.ac.uk
Sources and references
A good general source on this material is Whitman & Mattord’s Management of Information Security (many editions).
Some of the material in this lecture is sourced from the following ISACA documents:
• Cybersecurity Student Book (2014)
• European Cybersecurity Implementation: Overview (2014)
