Uploaded byTechnocracy2
85 views

Security & Risk Mgmt_WK1.pptx

This document discusses key concepts in security and risk management, including the CIA triad of confidentiality, integrity, and availability. It explains various security principles such as least privilege and need to know. Organizational roles in security governance and compliance are defined. Common techniques for threat modeling like STRIDE and frameworks for risk analysis are also introduced.

Embed presentation

SECURITY AND RISK MANAGEMENT • The Security and Risk Management deals with many of the foundational elements of security solutions and focuses on risk analysis and mitigation. • These include elements essential to the design, implementation, and administration of security mechanisms. • This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every section throughout of this course. • In addition to CIA, principle of least privilege and need to know are presented. • Lastly concepts related to information security governance such as privacy, due care, due diligence, certification, and accreditation are also a focus of this chapter. • Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. • How much security is enough?...Just enough.
Confidentiality, Integrity, and Availability • Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a security infrastructure. • Commonly referenced by the term CIA Triad. • The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but that is not important; what is critical is understanding each concept. • These three principles are considered the most important within the realm of security. • However important each specific principle is to a specific organization depends on the organization’s security goals and requirements and on the extent to which the organization’s security might be threatened. • An object is the passive element in a security relationship, such as files, computers, network connections, and applications. • A subject is the active element in a security relationship, such as users, programs, and computers.
Confidentiality • Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. In other words, unauthorized disclosure of information; • The goal of confidentiality protection is to prevent or minimize unauthorized access to data. • Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. • For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. • Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.  Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
Integrity • Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. • It ensures that data remains correct, unaltered, and preserved. • Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). • data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system. from unauthorized modification. • Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. • countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
Availability • Availability ensures that information is available when needed. • Aauthorized subjects are granted timely and uninterrupted access to objects. • Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. • Attacks - DoS attacks, object destruction, and communication interruptions. • Countermeasures - designing intermediary delivery systems, properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Disclosure, alteration, and destruction • Disclosure is the unauthorized release of information. • Alteration is the unauthorized modification of data. • Destruction is making systems or data unavailable.
CIA Priority • Every organization has unique security requirements and Knowing which tenet or asset is more important than another guides the creation of a security stance and ultimately the deployment of a security solution. • Example - in many cases military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity. • Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed. Other Security Concepts • Identification: Claiming to be an identity when attempting to access a secured area or system • Authentication: Proving that you are that identity. eg passwords. • Authorization: describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs. • Auditing: Recording a log of the events and activities related to the system and subjects • Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically done by logging and analysing audit data. • Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity.
Protection Mechanisms • Protection mechanisms are common characteristics of security controls. • Layering: also known as defence in depth, is simply the use of multiple controls in a series. • Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. • Security through obscurity: attempt to hope something important is not discovered by keeping knowledge of it a secret hence offers no security and should not be used. • Encryption: art and science of hiding the meaning or intent of communication from unintended recipients. • Least Privilege and Need to Know: Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs. • Need to know is more granular than least privilege; the user must need to know that specific piece of information before accessing it.
Organizational Processes Change Control/Management • The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. • Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Data Classification • Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. • Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. • Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified • Commercial Business: Confidential, Private, Sensitive, Public
Organizational Roles and Responsibilities • Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. • Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. • Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. • Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. • Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. • User: The user (end user or operator) role is assigned to any person who has access to the secured system.
Security Governance Principles • Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. • Security governance bridges your business priorities with technical implementation like architecture, standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security posture over time. These teams also report compliance as required by regulating bodies. • Some aspects of governance are imposed on organizations due to legislative and regulatory compliance needs, whereas others are imposed by industry guidelines or license requirements. • All forms of governance, including security governance, must be assessed and verified from time to time. • Security governance directly oversees and gets involved in all levels of security and is commonly managed by a governance committee or at least a board of directors (Top Down approach). • Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. • Frameworks: NIST 800-53 or 800-100.
Security Governance Principles • The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who must report directly to senior management. In some organisations chief security officer (CSO) or information security officer (ISO) is sometimes used as an alternative to CISO. • Note: The best security plan is useless without one key factor: approval by senior management. Without senior management’s approval of and commitment to the security policy, the policy will not succeed. • Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management. • If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses. • Strategic Plan vs Tactical Plan vs Operational Plan: • strategic plan is a long-term plan and defines the organization’s security purpose. • tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. • An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. • Security is a continuous process. Thus, the activity of security management planning may have a definitive initiation point, but its tasks and work are never fully accomplished or complete.
Policy, Procedures, Standards and Baselines • A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. • Policies are high-level management directives and is mandatory. • It is a strategic plan for implementing security. • The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels and used as the proof that senior management has exercised due care in protecting itself against intrusion, attack, and disaster. • Examples: organizational security policy, issue-specific security policy, system-specific security policy, regulatory, advisory, and informative policy. • A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory. • Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory • Baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory. • Guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Compliance Requirement • Complying with laws and regulations is a priority for top information security management. • The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity professionals. Things become even more complicated for multinational companies, which must navigate the variations between international law as well. Categories of Laws • Criminal Law: Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences. • Civil Law: designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Examples of the types of matters that may be judged under civil law include contract disputes, real estate transactions, employment matters, and estate/probate procedures. • Administrative Law: Administrative law or regulatory law is law enacted by government agencies.The executive branch of government charges numerous agencies with wide-ranging responsibilities to ensure that government functions effectively. Due Care and Due Diligence • Due care is doing what a reasonable person would do in a given situation. Due diligence is the management of due care. • Gross negligence is the opposite of due care.
Laws • Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act (CFAA) was the first major piece of cybercrime-specific legislation in the United States. • National Information Infrastructure Protection Act of 1996 • Federal Information Security Management Act (FISMA) • Federal Cybersecurity Laws of 2014 • Copyright and the Digital Millennium Copyright Act • U.S. Privacy Law • Health Insurance Portability and Accountability Act of 1996 • Health Information Technology for Economic and Clinical Health Act of 2009 • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark. • NIST SP 800-171: Protecting Controlled Unclassified Information in Non federal Information Systems and Organizations. Compliance with this standard’s security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with NIST SP 800-171. • The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary risk- based framework for securing information and systems.
Compliance • Organizations find themselves subject to a wide variety of laws and regulations imposed by regulatory agencies or contractual obligations and may be subject to compliance audits, either by their standard internal and external auditors or by regulators or their agents. • For example, an organization’s financial auditors may conduct an IT controls audit designed to ensure that the information security controls for an organization’s financial systems are sufficient to ensure compliance with the Sarbanes-Oxley Act (SOX). Some regulations, such as PCI DSS, may require the organization to retain approved independent auditors to verify controls and provide a report directly to regulators. • The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions. • In addition to formal audits, organizations often must report regulatory compliance to a number of internal and external stakeholders. For example, an organization’s Board of Directors (or, more commonly, that board’s Audit Committee) may require periodic reporting on compliance obligations and status. Similarly, PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete and submit a self-assessment report outlining their compliance status.
Understand and Apply Threat Modeling Concepts and Methodologies • Threat modeling is the security process where potential threats are identified, categorized, and analyzed. • Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. • A proactive approach to threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach. • This method is based on predicting threats and designing in specific defences during the coding and crafting process, rather than relying on post-deployment updates and patches. • A reactive approach to threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach. • This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing. • Microsoft developed a threat categorization scheme known as the STRIDE threat model.
STRIDE • Spoofing: An attack with the goal of gaining access to a target system through the use of a falsified identity. • Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. • Repudiation: The ability of a user or attacker to deny having performed an action or activity. • Information disclosure: The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. • Denial of service (DoS): An attack that attempts to prevent authorized use of a resource. • Elevation of privilege: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. Process for Attack Simulation and Threat Analysis (PASTA) Visual, Agile, and Simple Threat (VAST) • Generally, the purpose of STRIDE and other threat modeling methodologies is to consider the range of compromise concerns and tofocus on the goal or end results of an attack.
Understand and Apply Risk Management Concepts • The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk. • Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing risk. • Risk management concepts are essential to the establishment of a sufficient security stance, proper security governance, and legal proof of due care and due diligence. • The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization. • It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is possible, often with little effort. • The primary goal of risk management is to reduce risk to an acceptable level through finding cost effective solution depending on the value of its assets, the size of its budget, and many other factors. • The process by which the goals of risk management are achieved is known as risk analysis. • It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
Risk Terminology • Asset: Anything of Value to the company • Asset Valuation: dollar value assigned to an asset • Vulnerability: A weakness; the absence of a safeguard • Threat: Something that could pose loss to all or part of an asset • Threat Agent: What carries out the attack • Exposure Exposure is being susceptible to asset loss because of a threat • Exploit: An instance of compromise • Risk: Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. • Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. • Attack An attack is the exploitation of a vulnerability by a threat agent. • Breach A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result. • Controls: Physical, Administrative, and Technical Protections Safeguards Countermeasure
Risk Management Risk Management Risk Assessment Identify and Valuate Assets Identify Threats and Vulnerabilities Risk Analysis Qualitative: assigns subjective and intangible values to the loss of an asset Quantitative: assigns real dollar figures to the loss of an asset Risk Mitigation/Response Reduce /Avoid Transfer Accept /Reject Ongoing Risk Monitoring • Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavour. • The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.
Identification and Valuation of Assets is the first step in risk assessment. What are we protecting and what is it worth? Is it valuable to me? To my competitors? What damage will be caused if it is compromised How much time was spent in development Are there compliance/legal issues? RISK ANALYSIS Determining a value for a risk Qualitative vs. Quantitative Qualitative Analysis (subjective, judgment-based) Probability and Impact Matrix: Uses words like “high” “medium” “low” to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability. Risk Value is Probability * Impact Probability: How likely is the threat to materialize? Impact: How much damage will there be if it does? Could also be referred to as likelihood and severity. Delphi technique is often used to solicit objective opinions - an anonymous feedback-and-response process Quantitative Analysis (objective, numbers driven) Risk Management
Risk Management Quantitative Risk Analysis • The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. • The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you estimate the potential and frequency of each risk. This information is then used to calculate various cost functions that are used to evaluate safeguards. • AV (Asset Value) • EF (Exposure Factor): percentage of loss that an organization would experience if a specific asset were violated by a realized risk. • ARO (Annual Rate of Occurrence): expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. • SLE (Single Loss Expectancy)=AV * EF: cost associated with a single realized risk against a specific asset. • ALE (Annual Loss Expectancy) SLE*ARO: possible yearly cost of all instances of a specific realized threat against a specific asset. • Cost of control should be the same or less than the potential for loss • Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user account) is 15, then the ALE would be $1,350,000.
• In addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented. • EF to an asset remains the same even with an applied safeguard but safeguard changes the ARO. In act, the whole point of a safeguard is to reduce the ARO. • With the new ARO, a new ALE with the application of a safeguard is computed. • If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then you should accept the risk. • With the pre-safeguard ALE and the post-safeguard ALE calculated, there is yet one more value needed to perform a cost/benefit analysis. This additional value is the annual cost of the safeguard. • Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that safeguard if applied to an infrastructure. As mentioned earlier, the annual costs of safeguards should not exceed the expected annual cost of asset loss. • ALE before safeguard – ALE after implementing the safeguard –annual cost of safeguard (ACS) = value of the safeguard to the company • If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then that value is the annual savings your organization may reap by deploying the safeguard because the rate of occurrence is not a guarantee of occurrence. Risk Management
Risk Mitigation/Responses • Reduce or mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. • Assign or transfer: placement of the cost of loss a risk represents onto another entity or organization. Example: insurance and outsourcing. • Accept: management has agreed to accept the consequences and the loss if the risk is realized. • Deter: implementing deterrents to would-be violators of security and policy. Examples: implementation of auditing, security cameras, security guards etc. • Avoid: selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. • Reject or ignore: an unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk. • Once countermeasures are implemented, the risk that remains is known as residual risk. It is the risk that management has chosen to accept rather than mitigate. threats * vulnerabilities * asset value = total risk total risk – controls gap = residual risk
Countermeasure Selection and Implementation • The cost of the countermeasure should be less than the value of the asset. • The cost of the countermeasure should be less than the benefit of the countermeasure. • The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound cool.) • The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on. • The countermeasure should have few or no dependencies to reduce cascade failures. • The countermeasure should require minimal human intervention after initial deployment and configuration. • The countermeasure should provide fail-safe and/or fail-secure options. Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business task.
Business Continuity Business continuity planning (BCP) • Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long Term focused. Disaster Recovery Planning • Goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster and is often IT focused. Short Term focused. The perspective difference is that business continuity activities are typically strategically focused at a high level and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical in nature and describe technical activities such as recovery sites, backups, and fault tolerance. The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company’s ability to recover from a disruptive event promptly. The BCP process has four main steps. • Project scope and planning • Business impact assessment • Continuity planning • Approval and implementation The top priority of BCP and DRP is always people.
BCP relationship with Risk Management
Business Continuity Process Project Scope and Planning • Structured analysis of the business’s organization from a crisis planning point of view - to identify all departments and individuals who have a stake in the BCP process. • The creation of a BCP team with the approval of senior management - strike a balance between representing different points of view and creating a team with explosive personality differences. Your goal should be to create a group that is as diverse as possible and still operates in harmony. • An assessment of the resources available to participate in business continuity activities • An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event
Business Impact Assessment • Identifies and prioritizes all business processes based on criticality • Addresses the impact on the organization in the event of loss of a specific services or process Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.. Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.. • Establishes key metrics for use in determining appropriate counter-measures and recovery strategy (RPO, RTO etc). • IMPORTANCE (relevance) vs. CRITICALITY (downtime) • The Auditing Department is certainly important, though not usually critical. THE BIA FOCUSES ON CRITICALITY Business Continuity Process
Key Metrics to Establish • Service Level Objectives: reliability targets for technology products and services. • RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an organization can withstand. • MTD (Maximum Tolerable Downtime) - total time a system can be inoperable before an organization is severely impacted. Comprised of: RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems. WRT (Work Recovery Time): time required to configure a recovered system. • MTBF (Mean Time Between Failures): how long a new or repaired system will run before failing. • MTTR (Mean Time To Repair): how long it will take to recover a specific failed system. • MOR (Minimum Operating Requirements): minimum environmental and connectivity requirements in order to operate computer equipment. Business Continuity Process
Results of Business Impact Analysis contain • Identified ALL business processes and assets, not just those considered critical. • Impact company can handle dealing with each risk • Outage time that would be critical vs those which would not be critical • Preventive Controls • Document and present to management for approval • Results are used to create the recovery plans Recovery Strategies: When preventive controls don’t work, recovery strategies are necessary Facility Recovery Hardware and Software Recovery Personnel recovery Data Recovery Business Continuity Process
Recovery Strategies Facility Recovery • Subscription Services Hot, warm, cold sites • Reciprocal Agreements • Others Redundant/Mirrored site (partial or full) Outsourcing Rolling hot site Prefabricated building Offsite Facilities should be no less than 15 miles away for low to medium environments. Critical operations should have an offsite facility 50-200 miles away. • Data Recovery: Electronic Vaulting: Copy of modified file is sent to a remote location where an original backup is stored. Remote Journaling: Moves the journal or transaction log to a remote location, not the actual files
BCP Plan Three Phases Following a Disruption Notification/Activation • Notifying recovery personnel • Performing a damage assessment • Recovery Phase--Failover Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities—performed by recovery team • Reconstitution--Failback Outlines actions taken to return the system to normal operating conditions—performed by Salvage team
Types of Tests • Checklist Test: Copies of plan distributed to different departments. Functional managers review • Structured Walk-Through (Table Top) Test: Representatives from each department go over the plan • Simulation Test: Going through a disaster scenario. Continues up to the actual relocation to an offsite facility • Parallel Test: Systems moved to alternate site, and processing takes place there • Full-Interruption Test: Original site shut down. All of processing moved to offsite facility • BCP/DRP Frameworks • NIST SP 800-34, ISO/IEC-27031, and BCI.
Security Awareness Education • The successful implementation of a security solution requires changes in user behavior. • To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified and programs of presentation, exposure, synergy, and implementation crafted. • The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users. • Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers,T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos as well as the traditional instructor-led training courses. • The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures. • Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. • An assessment of the appropriate levels of awareness, training, and education required within the organization should be revised on a regular basis using periodic content reviews.

More Related Content

PPTX
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
PPTX
ISM-CS5750-01.pptx
byRashidSahito1
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
PDF
Course Information Security Lecture 1.pdf
bySamahAdel16
 
PPT
Testing
bylorenceman
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
crisc_wk_5.pptx
bydotco
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
ISM-CS5750-01.pptx
byRashidSahito1
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
bySam Bowne
 
Course Information Security Lecture 1.pdf
bySamahAdel16
 
Testing
bylorenceman
 
1. Security and Risk Management
bySam Bowne
 
crisc_wk_5.pptx
bydotco
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 

Similar to Security & Risk Mgmt_WK1.pptx

PPT
Information Security
byDhilsath Fathima
 
PDF
1. Security and Risk Management
bySam Bowne
 
PPTX
Information Security
byAlok Katiyar
 
PPTX
Security and Risk Management Practices.pptx
byharshadrai2
 
PPTX
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
PPTX
Foundation of the information securiety
byALIZAIB KHAN
 
PPTX
Information security ist lecture
byZara Nawaz
 
PPTX
information security (network security methods)
byZara Nawaz
 
PDF
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
PDF
Short Handbook for CISSP Learners with all domains
byarpitmags1
 
PDF
Chapter 1
byTien Nguyen Duc
 
PPTX
Security Ch-1.pptx
byKeenboonAsaffaa
 
DOCX
11What is Security 1.1 Introduction The central role of co.docx
bymoggdede
 
PPTX
Information Security Lecture One for Basic
byhassankhan978073
 
PPTX
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
PPTX
Introduction to Network Security
byJohn Ely Masculino
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PDF
Domain1_Security_Principles --(My_Notes)
byefs14135
 
PPT
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
PPT
Information security background
byNicholas Davis
 
Information Security
byDhilsath Fathima
 
1. Security and Risk Management
bySam Bowne
 
Information Security
byAlok Katiyar
 
Security and Risk Management Practices.pptx
byharshadrai2
 
Security Foundation and Incident Mgmt and BCMS.pptx
byMohsenMojabi1
 
Foundation of the information securiety
byALIZAIB KHAN
 
Information security ist lecture
byZara Nawaz
 
information security (network security methods)
byZara Nawaz
 
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
Short Handbook for CISSP Learners with all domains
byarpitmags1
 
Chapter 1
byTien Nguyen Duc
 
Security Ch-1.pptx
byKeenboonAsaffaa
 
11What is Security 1.1 Introduction The central role of co.docx
bymoggdede
 
Information Security Lecture One for Basic
byhassankhan978073
 
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
Introduction to Network Security
byJohn Ely Masculino
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
Domain1_Security_Principles --(My_Notes)
byefs14135
 
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
Information security background
byNicholas Davis
 

Recently uploaded

PPTX
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
PDF
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
PPTX
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
PPTX
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
PDF
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
PPTX
Time Series Analysis - Method of Simple Moving Average 3 Year and 4 Year Movi...
bySundar B N
 
PDF
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
PDF
AI and ICT for Teaching and Learning, Induction-cum-Training Programme, 5th 8...
byProf. Vinod Kumar Kanvaria
 
PDF
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
PPTX
Anatomy of the eyeball An overviews.pptx
byMushahidRaza8
 
PPTX
Time Series Analysis - Meaning, Definition, Components and Application
bySundar B N
 
PPTX
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
PDF
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
PDF
Cattolica University - Lab Generative and Agentic AI - Mario Bencivinni
byMario Bencivinni
 
PPTX
The hidden treasures Grade 5 Story with Motive Questions.pptx
byGildaPetillaDelaCruz
 
PPTX
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
PPTX
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
PPTX
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
PDF
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
PDF
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 
Finals - History and Geography Quiz - Around the World in 80 Questions - IITK
byAditya Padhi
 
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
Chapter 3. Pharmaceutical Aids (pharmaceutics)
bySharibJamal
 
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
Time Series Analysis - Method of Simple Moving Average 3 Year and 4 Year Movi...
bySundar B N
 
Agentic AI and AI Agents 20251121.pdf - by Ms. Oceana Wong
byagenticroom
 
AI and ICT for Teaching and Learning, Induction-cum-Training Programme, 5th 8...
byProf. Vinod Kumar Kanvaria
 
Deep Research and Analysis - by Ms. Oceana Wong
byagenticroom
 
Anatomy of the eyeball An overviews.pptx
byMushahidRaza8
 
Time Series Analysis - Meaning, Definition, Components and Application
bySundar B N
 
ATTENTION - PART 1.pptx cognitive processes -For B.Sc I Sem By Mrs.Shilpa Hot...
bySHILPA HOTAKAR
 
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
Cattolica University - Lab Generative and Agentic AI - Mario Bencivinni
byMario Bencivinni
 
The hidden treasures Grade 5 Story with Motive Questions.pptx
byGildaPetillaDelaCruz
 
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
Plant Breeding: Its History and Contribution
bySatyam Sharma
 
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
AI Workflows and Workflow Rhetoric - by Ms. Oceana Wong
byagenticroom
 

Security & Risk Mgmt_WK1.pptx

  • 1.
    SECURITY AND RISKMANAGEMENT • The Security and Risk Management deals with many of the foundational elements of security solutions and focuses on risk analysis and mitigation. • These include elements essential to the design, implementation, and administration of security mechanisms. • This chapter introduces the CIA triad of confidentiality, integrity, and availability, which are touched upon in virtually every section throughout of this course. • In addition to CIA, principle of least privilege and need to know are presented. • Lastly concepts related to information security governance such as privacy, due care, due diligence, certification, and accreditation are also a focus of this chapter. • Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. • How much security is enough?...Just enough.
  • 2.
    Confidentiality, Integrity, andAvailability • Confidentiality, integrity, and availability (CIA) are typically viewed as the primary goals and objectives of a security infrastructure. • Commonly referenced by the term CIA Triad. • The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but that is not important; what is critical is understanding each concept. • These three principles are considered the most important within the realm of security. • However important each specific principle is to a specific organization depends on the organization’s security goals and requirements and on the extent to which the organization’s security might be threatened. • An object is the passive element in a security relationship, such as files, computers, network connections, and applications. • A subject is the active element in a security relationship, such as users, programs, and computers.
  • 3.
    Confidentiality • Confidentiality isthe concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. In other words, unauthorized disclosure of information; • The goal of confidentiality protection is to prevent or minimize unauthorized access to data. • Confidentiality protection provides a means for authorized users to access and interact with resources, but it actively prevents unauthorized users from doing so. • For confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit. • Attacks - capturing network traffic and stealing password files as well as social engineering, port scanning, shoulder surfing, eavesdropping, sniffing, escalation of privileges, and so on.  Countermeasures - encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training
  • 4.
    Integrity • Integrity seeksto prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. • It ensures that data remains correct, unaltered, and preserved. • Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as mistakes or oversights). • data integrity and system integrity. Data integrity seeks to protect information from unauthorized modification, while system integrity seeks to protect a system. from unauthorized modification. • Attacks - viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system back doors. • countermeasures - strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash total verifications, interface restrictions, input/function checks, and extensive personnel training.
  • 5.
    Availability • Availability ensuresthat information is available when needed. • Aauthorized subjects are granted timely and uninterrupted access to objects. • Availability also implies that the supporting infrastructure—including network services, communications, and access control mechanisms—is functional and allows authorized users to gain authorized access. • Attacks - DoS attacks, object destruction, and communication interruptions. • Countermeasures - designing intermediary delivery systems, properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Disclosure, alteration, and destruction • Disclosure is the unauthorized release of information. • Alteration is the unauthorized modification of data. • Destruction is making systems or data unavailable.
  • 6.
    CIA Priority • Everyorganization has unique security requirements and Knowing which tenet or asset is more important than another guides the creation of a security stance and ultimately the deployment of a security solution. • Example - in many cases military and government organizations tend to prioritize confidentiality above integrity and availability, whereas private companies tend to prioritize availability above confidentiality and integrity. • Although such prioritization focuses efforts on one aspect of security over another, it does not imply that the second or third prioritized items are ignored or improperly addressed. Other Security Concepts • Identification: Claiming to be an identity when attempting to access a secured area or system • Authentication: Proving that you are that identity. eg passwords. • Authorization: describes the actions you can perform on a system once you have been identified and authenticated. Actions may include reading, writing, or executing files or programs. • Auditing: Recording a log of the events and activities related to the system and subjects • Accounting (aka accountability): Accountability holds users accountable for their actions. This is typically done by logging and analysing audit data. • Nonrepudiation: Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity.
  • 7.
    Protection Mechanisms • Protectionmechanisms are common characteristics of security controls. • Layering: also known as defence in depth, is simply the use of multiple controls in a series. • Data Hiding: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject. • Security through obscurity: attempt to hope something important is not discovered by keeping knowledge of it a secret hence offers no security and should not be used. • Encryption: art and science of hiding the meaning or intent of communication from unintended recipients. • Least Privilege and Need to Know: Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs. • Need to know is more granular than least privilege; the user must need to know that specific piece of information before accessing it.
  • 8.
    Organizational Processes Change Control/Management •The goal of change management is to ensure that any change does not lead to reduced or compromised security. Change management is also responsible for making it possible to roll back any change to a previous secured state. • Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities. The only way to maintain security in the face of change is to systematically manage change. Data Classification • Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. • Declassification is required once an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level. • Government: Top Secret, Secret, Confidential, Sensitive But Unclassified, Unclassified • Commercial Business: Confidential, Private, Sensitive, Public
  • 9.
    Organizational Roles andResponsibilities • Senior Manager: The organizational owner (senior manager) role is assigned to the person who is ultimately responsible for the security maintained by an organization and who should be most concerned about the protection of its assets. • Security Professional: The security professional, information security (InfoSec) officer, or computer incident response team (CIRT) role is assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management. • Data Owner: The data owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution. • Data Custodian: The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management. • Auditor: An auditor is responsible for reviewing and verifying that the security policy is properly implemented and the derived security solutions are adequate. • User: The user (end user or operator) role is assigned to any person who has access to the secured system.
  • 10.
    Security Governance Principles •Security governance is the set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. • Security governance bridges your business priorities with technical implementation like architecture, standards, and policy. Governance teams provide oversight and monitoring to sustain and improve security posture over time. These teams also report compliance as required by regulating bodies. • Some aspects of governance are imposed on organizations due to legislative and regulatory compliance needs, whereas others are imposed by industry guidelines or license requirements. • All forms of governance, including security governance, must be assessed and verified from time to time. • Security governance directly oversees and gets involved in all levels of security and is commonly managed by a governance committee or at least a board of directors (Top Down approach). • Security is not and should not be treated as an IT issue only (Bottom up approach). Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. • Frameworks: NIST 800-53 or 800-100.
  • 11.
    Security Governance Principles •The information security (InfoSec) team should be led by a designated chief information security officer (CISO) who must report directly to senior management. In some organisations chief security officer (CSO) or information security officer (ISO) is sometimes used as an alternative to CISO. • Note: The best security plan is useless without one key factor: approval by senior management. Without senior management’s approval of and commitment to the security policy, the policy will not succeed. • Developing and implementing a security policy is evidence of due care and due diligence on the part of senior management. • If a company does not practice due care and due diligence, managers can be held liable for negligence and held accountable for both asset and financial losses. • Strategic Plan vs Tactical Plan vs Operational Plan: • strategic plan is a long-term plan and defines the organization’s security purpose. • tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. • An operational plan is a short-term, highly detailed plan based on the strategic and tactical plans. • Security is a continuous process. Thus, the activity of security management planning may have a definitive initiation point, but its tasks and work are never fully accomplished or complete.
  • 12.
    Policy, Procedures, Standardsand Baselines • A security policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. • Policies are high-level management directives and is mandatory. • It is a strategic plan for implementing security. • The security policy is used to assign responsibilities, define roles, specify audit requirements, outline enforcement processes, indicate compliance requirements, and define acceptable risk levels and used as the proof that senior management has exercised due care in protecting itself against intrusion, attack, and disaster. • Examples: organizational security policy, issue-specific security policy, system-specific security policy, regulatory, advisory, and informative policy. • A procedure is a step-by-step guide for accomplishing a task. Procedures are low level and specific. Like policies, procedures are mandatory. • Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies. Mandatory • Baseline defines a minimum level of security that every system throughout the organization must meet. Mandatory. • Guideline offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
  • 13.
    Compliance Requirement • Complyingwith laws and regulations is a priority for top information security management. • The world of compliance is a legal and regulatory jungle for information technology (IT) and cybersecurity professionals. Things become even more complicated for multinational companies, which must navigate the variations between international law as well. Categories of Laws • Criminal Law: Criminal law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating criminal statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences. • Civil Law: designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle between individuals and organizations. Examples of the types of matters that may be judged under civil law include contract disputes, real estate transactions, employment matters, and estate/probate procedures. • Administrative Law: Administrative law or regulatory law is law enacted by government agencies.The executive branch of government charges numerous agencies with wide-ranging responsibilities to ensure that government functions effectively. Due Care and Due Diligence • Due care is doing what a reasonable person would do in a given situation. Due diligence is the management of due care. • Gross negligence is the opposite of due care.
  • 14.
    Laws • Computer Fraudand Abuse Act: The Computer Fraud and Abuse Act (CFAA) was the first major piece of cybercrime-specific legislation in the United States. • National Information Infrastructure Protection Act of 1996 • Federal Information Security Management Act (FISMA) • Federal Cybersecurity Laws of 2014 • Copyright and the Digital Millennium Copyright Act • U.S. Privacy Law • Health Insurance Portability and Accountability Act of 1996 • Health Information Technology for Economic and Clinical Health Act of 2009 • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations. This standard is required for use in federal computing systems and is also commonly used as an industry cybersecurity benchmark. • NIST SP 800-171: Protecting Controlled Unclassified Information in Non federal Information Systems and Organizations. Compliance with this standard’s security controls (which are quite similar to those found in NIST 800-53) is often included as a contractual requirement by government agencies. Federal contractors must often comply with NIST SP 800-171. • The NIST Cybersecurity Framework (CSF) is a set of standards designed to serve as a voluntary risk- based framework for securing information and systems.
  • 15.
    Compliance • Organizations findthemselves subject to a wide variety of laws and regulations imposed by regulatory agencies or contractual obligations and may be subject to compliance audits, either by their standard internal and external auditors or by regulators or their agents. • For example, an organization’s financial auditors may conduct an IT controls audit designed to ensure that the information security controls for an organization’s financial systems are sufficient to ensure compliance with the Sarbanes-Oxley Act (SOX). Some regulations, such as PCI DSS, may require the organization to retain approved independent auditors to verify controls and provide a report directly to regulators. • The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions. • In addition to formal audits, organizations often must report regulatory compliance to a number of internal and external stakeholders. For example, an organization’s Board of Directors (or, more commonly, that board’s Audit Committee) may require periodic reporting on compliance obligations and status. Similarly, PCI DSS requires organizations that are not compelled to conduct a formal third-party audit to complete and submit a self-assessment report outlining their compliance status.
  • 16.
    Understand and ApplyThreat Modeling Concepts and Methodologies • Threat modeling is the security process where potential threats are identified, categorized, and analyzed. • Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. • A proactive approach to threat modeling takes place during the early stages of systems development, specifically during initial design and specifications establishment. This type of threat modeling is also known as a defensive approach. • This method is based on predicting threats and designing in specific defences during the coding and crafting process, rather than relying on post-deployment updates and patches. • A reactive approach to threat modeling takes place after a product has been created and deployed. This deployment could be in a test or laboratory environment or to the general marketplace. This type of threat modeling is also known as the adversarial approach. • This technique of threat modeling is the core concept behind ethical hacking, penetration testing, source code review, and fuzz testing. • Microsoft developed a threat categorization scheme known as the STRIDE threat model.
  • 17.
    STRIDE • Spoofing: Anattack with the goal of gaining access to a target system through the use of a falsified identity. • Tampering: Any action resulting in unauthorized changes or manipulation of data, whether in transit or in storage. • Repudiation: The ability of a user or attacker to deny having performed an action or activity. • Information disclosure: The revelation or distribution of private, confidential, or controlled information to external or unauthorized entities. • Denial of service (DoS): An attack that attempts to prevent authorized use of a resource. • Elevation of privilege: An attack where a limited user account is transformed into an account with greater privileges, powers, and access. Process for Attack Simulation and Threat Analysis (PASTA) Visual, Agile, and Simple Threat (VAST) • Generally, the purpose of STRIDE and other threat modeling methodologies is to consider the range of compromise concerns and tofocus on the goal or end results of an attack.
  • 18.
    Understand and ApplyRisk Management Concepts • The possibility that something could happen to damage, destroy, or disclose data or other resources is known as risk. • Risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing risk. • Risk management concepts are essential to the establishment of a sufficient security stance, proper security governance, and legal proof of due care and due diligence. • The overall process of risk management is used to develop and implement information security strategies. The goal of these strategies is to reduce risk and to support the mission of the organization. • It is impossible to design and deploy a totally risk-free environment; however, significant risk reduction is possible, often with little effort. • The primary goal of risk management is to reduce risk to an acceptable level through finding cost effective solution depending on the value of its assets, the size of its budget, and many other factors. • The process by which the goals of risk management are achieved is known as risk analysis. • It includes examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage it would cause if it did occur, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.
  • 19.
    Risk Terminology • Asset:Anything of Value to the company • Asset Valuation: dollar value assigned to an asset • Vulnerability: A weakness; the absence of a safeguard • Threat: Something that could pose loss to all or part of an asset • Threat Agent: What carries out the attack • Exposure Exposure is being susceptible to asset loss because of a threat • Exploit: An instance of compromise • Risk: Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. • Safeguards: A safeguard, security control, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. • Attack An attack is the exploitation of a vulnerability by a threat agent. • Breach A breach is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result. • Controls: Physical, Administrative, and Technical Protections Safeguards Countermeasure
  • 20.
    Risk Management Risk Management RiskAssessment Identify and Valuate Assets Identify Threats and Vulnerabilities Risk Analysis Qualitative: assigns subjective and intangible values to the loss of an asset Quantitative: assigns real dollar figures to the loss of an asset Risk Mitigation/Response Reduce /Avoid Transfer Accept /Reject Ongoing Risk Monitoring • Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavour. • The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.
  • 21.
    Identification and Valuationof Assets is the first step in risk assessment. What are we protecting and what is it worth? Is it valuable to me? To my competitors? What damage will be caused if it is compromised How much time was spent in development Are there compliance/legal issues? RISK ANALYSIS Determining a value for a risk Qualitative vs. Quantitative Qualitative Analysis (subjective, judgment-based) Probability and Impact Matrix: Uses words like “high” “medium” “low” to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability. Risk Value is Probability * Impact Probability: How likely is the threat to materialize? Impact: How much damage will there be if it does? Could also be referred to as likelihood and severity. Delphi technique is often used to solicit objective opinions - an anonymous feedback-and-response process Quantitative Analysis (objective, numbers driven) Risk Management
  • 22.
    Risk Management Quantitative RiskAnalysis • The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. • The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you estimate the potential and frequency of each risk. This information is then used to calculate various cost functions that are used to evaluate safeguards. • AV (Asset Value) • EF (Exposure Factor): percentage of loss that an organization would experience if a specific asset were violated by a realized risk. • ARO (Annual Rate of Occurrence): expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. • SLE (Single Loss Expectancy)=AV * EF: cost associated with a single realized risk against a specific asset. • ALE (Annual Loss Expectancy) SLE*ARO: possible yearly cost of all instances of a specific realized threat against a specific asset. • Cost of control should be the same or less than the potential for loss • Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user account) is 15, then the ALE would be $1,350,000.
  • 23.
    • In additionto determining the annual cost of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented. • EF to an asset remains the same even with an applied safeguard but safeguard changes the ARO. In act, the whole point of a safeguard is to reduce the ARO. • With the new ARO, a new ALE with the application of a safeguard is computed. • If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then you should accept the risk. • With the pre-safeguard ALE and the post-safeguard ALE calculated, there is yet one more value needed to perform a cost/benefit analysis. This additional value is the annual cost of the safeguard. • Once you know the potential cost of a safeguard, it is then possible to evaluate the benefit of that safeguard if applied to an infrastructure. As mentioned earlier, the annual costs of safeguards should not exceed the expected annual cost of asset loss. • ALE before safeguard – ALE after implementing the safeguard –annual cost of safeguard (ACS) = value of the safeguard to the company • If the result is negative, the safeguard is not a financially responsible choice. If the result is positive, then that value is the annual savings your organization may reap by deploying the safeguard because the rate of occurrence is not a guarantee of occurrence. Risk Management
  • 24.
    Risk Mitigation/Responses • Reduceor mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. • Assign or transfer: placement of the cost of loss a risk represents onto another entity or organization. Example: insurance and outsourcing. • Accept: management has agreed to accept the consequences and the loss if the risk is realized. • Deter: implementing deterrents to would-be violators of security and policy. Examples: implementation of auditing, security cameras, security guards etc. • Avoid: selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. • Reject or ignore: an unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk. • Once countermeasures are implemented, the risk that remains is known as residual risk. It is the risk that management has chosen to accept rather than mitigate. threats * vulnerabilities * asset value = total risk total risk – controls gap = residual risk
  • 25.
    Countermeasure Selection andImplementation • The cost of the countermeasure should be less than the value of the asset. • The cost of the countermeasure should be less than the benefit of the countermeasure. • The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound cool.) • The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on. • The countermeasure should have few or no dependencies to reduce cascade failures. • The countermeasure should require minimal human intervention after initial deployment and configuration. • The countermeasure should provide fail-safe and/or fail-secure options. Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business task.
  • 26.
    Business Continuity Business continuityplanning (BCP) • Focuses on sustaining operations and protecting the viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plans including the DRP. Long Term focused. Disaster Recovery Planning • Goal is to minimize the effects of a disaster and to take the necessary steps to ensure that the resources, personnel and business processes are able to resume operations in a timely manner. Deals with the immediate aftermath of the disaster and is often IT focused. Short Term focused. The perspective difference is that business continuity activities are typically strategically focused at a high level and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical in nature and describe technical activities such as recovery sites, backups, and fault tolerance. The overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company’s ability to recover from a disruptive event promptly. The BCP process has four main steps. • Project scope and planning • Business impact assessment • Continuity planning • Approval and implementation The top priority of BCP and DRP is always people.
  • 27.
    BCP relationship withRisk Management
  • 28.
    Business Continuity Process ProjectScope and Planning • Structured analysis of the business’s organization from a crisis planning point of view - to identify all departments and individuals who have a stake in the BCP process. • The creation of a BCP team with the approval of senior management - strike a balance between representing different points of view and creating a team with explosive personality differences. Your goal should be to create a group that is as diverse as possible and still operates in harmony. • An assessment of the resources available to participate in business continuity activities • An analysis of the legal and regulatory landscape that governs an organization’s response to a catastrophic event
  • 29.
    Business Impact Assessment •Identifies and prioritizes all business processes based on criticality • Addresses the impact on the organization in the event of loss of a specific services or process Quantitative: Loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.. Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.. • Establishes key metrics for use in determining appropriate counter-measures and recovery strategy (RPO, RTO etc). • IMPORTANCE (relevance) vs. CRITICALITY (downtime) • The Auditing Department is certainly important, though not usually critical. THE BIA FOCUSES ON CRITICALITY Business Continuity Process
  • 30.
    Key Metrics toEstablish • Service Level Objectives: reliability targets for technology products and services. • RPO (Recovery Point Objective): amount of data loss or system inaccessibility (measured in time) that an organization can withstand. • MTD (Maximum Tolerable Downtime) - total time a system can be inoperable before an organization is severely impacted. Comprised of: RTO (Recovery Time Objective): maximum time allowed to recover business or IT systems. WRT (Work Recovery Time): time required to configure a recovered system. • MTBF (Mean Time Between Failures): how long a new or repaired system will run before failing. • MTTR (Mean Time To Repair): how long it will take to recover a specific failed system. • MOR (Minimum Operating Requirements): minimum environmental and connectivity requirements in order to operate computer equipment. Business Continuity Process
  • 31.
    Results of BusinessImpact Analysis contain • Identified ALL business processes and assets, not just those considered critical. • Impact company can handle dealing with each risk • Outage time that would be critical vs those which would not be critical • Preventive Controls • Document and present to management for approval • Results are used to create the recovery plans Recovery Strategies: When preventive controls don’t work, recovery strategies are necessary Facility Recovery Hardware and Software Recovery Personnel recovery Data Recovery Business Continuity Process
  • 32.
    Recovery Strategies Facility Recovery •Subscription Services Hot, warm, cold sites • Reciprocal Agreements • Others Redundant/Mirrored site (partial or full) Outsourcing Rolling hot site Prefabricated building Offsite Facilities should be no less than 15 miles away for low to medium environments. Critical operations should have an offsite facility 50-200 miles away. • Data Recovery: Electronic Vaulting: Copy of modified file is sent to a remote location where an original backup is stored. Remote Journaling: Moves the journal or transaction log to a remote location, not the actual files
  • 33.
    BCP Plan Three PhasesFollowing a Disruption Notification/Activation • Notifying recovery personnel • Performing a damage assessment • Recovery Phase--Failover Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities—performed by recovery team • Reconstitution--Failback Outlines actions taken to return the system to normal operating conditions—performed by Salvage team
  • 34.
    Types of Tests •Checklist Test: Copies of plan distributed to different departments. Functional managers review • Structured Walk-Through (Table Top) Test: Representatives from each department go over the plan • Simulation Test: Going through a disaster scenario. Continues up to the actual relocation to an offsite facility • Parallel Test: Systems moved to alternate site, and processing takes place there • Full-Interruption Test: Original site shut down. All of processing moved to offsite facility • BCP/DRP Frameworks • NIST SP 800-34, ISO/IEC-27031, and BCI.
  • 35.
    Security Awareness Education •The successful implementation of a security solution requires changes in user behavior. • To develop and manage security education, training, and awareness, all relevant items of knowledge transference must be clearly identified and programs of presentation, exposure, synergy, and implementation crafted. • The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users. • Many tools can be used to create awareness, such as posters, notices, newsletter articles, screen savers,T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies, and memos as well as the traditional instructor-led training courses. • The awareness program in an organization should be tied in with its security policy, incident-handling plan, business continuity, and disaster recovery procedures. • Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. • An assessment of the appropriate levels of awareness, training, and education required within the organization should be revised on a regular basis using periodic content reviews.