
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Managing Risk in Information Systems

Chapter 2: Managing Risk: Threats, Vulnerabilities, and Exploits

Learning Objectives

• Explain methods of mitigating risk by managing threats, vulnerabilities, and exploits.
• Describe the components of an effective organizational risk management program.

Key Concepts

• Risk, threats, vulnerabilities, and exploits
• Public resources for risk management
• Use of threat/vulnerability pairs in managing risk
• Fundamental components of a risk management plan
• Objectives of a risk management plan
• Objectives and scope of a risk management plan
• Importance of assigning responsibilities
• Significance of planning, scheduling, and documentation

Chapter 2 Slides

Chapter 2: “Managing Risk: Threats, Vulnerabilities, and Exploits”

The Uncontrollable Nature of Threats

• Threats can’t be eliminated.
• Threats are always present.
• You can take action to reduce the potential for a threat to occur.
• You can take action to reduce the impact of a threat.
• You cannot affect the threat itself.

Unintentional Threats

• Environmental
• Human
• Accidents
• Failures

Intentional Threats

• Greed
• Anger
• Desire to Damage

Unintentional Threats

Environmental:
• Fire, wind
• Lightning, flooding
• Accident
• Equipment failures

H:
• Keystroke errors
• Procedural errors
• Programming bugs

Intentional Threats

Individuals or Organizations:
• Hackers
• Criminals
• Disgruntled employees

Common Attackers

• Criminals
• Advanced persistent threats (APTs)
• Vandals
• Saboteurs
• Disgruntled employees
• Activists
• Other nations
• Hackers

Best Practices for Managing Threats

Create a security policy.

Purchase insurance.

Use access controls.

Use automation.

Best Practices for Managing Threats (Cont.)

Include input validation.

Provide training.

Use antivirus software.

Protect the boundary.

Understanding and Managing Vulnerabilities

Countermeasures reduce risk and loss:
• Reduce vulnerabilities
• Reduce impact of loss

Threat/Vulnerability Pair

• Occurs when a threat exploits a vulnerability
• A vulnerability provides a path for the threat that results in a harmful event or a loss
• Both the threat and the vulnerability must come together to result in a loss

Threat/Vulnerability Pair and Threat Action

Threat: Ex-employee
Vulnerability: Ex-employee who still has access to the system
Threat Action: Accessing proprietary data

Threat/Vulnerability Pair Example 1

Threat Source:
• Fire or negligent person

Vulnerability:
• Sprinklers used to suppress fire damage
• Protective tarpaulins not in place

Threat Action:
• Sprinkler system turned on

Threat/Vulnerability Pair Example 2

Threat Source:
• Unauthorized users (e.g., hackers)

Vulnerability:
• Identified flaws in system design
• New patches not applied

Threat Action:
• Unauthorized access to files

Vulnerability Mitigation Techniques

Policies and procedures

Documentation

Training

Separation of duties

Vulnerability Mitigation Techniques (Cont.)

Configuration management

Version control

Patch management

Intrusion detection

Vulnerability Mitigation Techniques (Cont.)

Incident response

Continuous monitoring

Technical controls

Physical controls

Best Practices for Managing Vulnerabilities

Identify vulnerabilities.

Match the threat/vulnerability pairs.

Use as many of the mitigation techniques as feasible.

Perform vulnerability assessments.

Understanding and Managing Exploits

• An exploit is the act of taking advantage of a vulnerability
• Executes a command or program against an IT system to take advantage of a weakness
• Results in a compromise to the system, an application, or data

Understanding and Managing Exploits (Cont.)

• Attacks executed by code primarily affect public-facing servers:
  • Web servers
  • Simple Mail Transfer Protocol (SMTP) e-mail servers
  • File Transfer Protocol (FTP) servers

Exploits

Attacks on public-facing servers:
• Buffer overflow
• SQL injection
• DoS attack
• DDoS attack

Risk Mitigation Techniques for Protecting Public-Facing Servers

Remove or change defaults.

Reduce the attack surface.

Keep systems up to date.

Enable firewalls.

Risk Mitigation Techniques for Protecting Public-Facing Servers (Cont.)

Enable intrusion detection systems (IDSs).

Enable intrusion prevention systems (IPSs).

Install antivirus software.
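As an added example (not part of the Jones and Bartlett slides), the Python below applies the threat/vulnerability pairing from the earlier slides to a constructed inventory of servers and records a risk only where a threat source and a matching vulnerability are both present on the same asset, which is the deck's point that the two must come together to produce a loss. Each recorded pair carries the threat action and the mitigation the slides name (patch management, removing defaults, access controls). The following are the example's own assumptions, not the deck's: the 30-day patch window, the rule that the hacker threat source applies only to public-facing systems (a simplification of the slide stating that code-based attacks primarily affect public-facing servers), and every asset and account value, all of which are constructed.

```python
"""Threat/vulnerability pairing over a constructed asset inventory.

Added example; not code from the Jones and Bartlett text. Patch window,
the public-facing rule, and all inventory data are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patch SLA (not from the slides): anything older is "new patches not applied".
PATCH_WINDOW = timedelta(days=30)


@dataclass
class Asset:
    name: str
    public_facing: bool        # reachable from the Internet
    defaults_changed: bool     # vendor default accounts/settings replaced
    last_patched: date
    accounts: dict             # username -> True if the person is a current employee


# One rule per threat/vulnerability pair taken from the slides:
# (threat source, vulnerability, predicate(asset, today), threat action, mitigation)
RULES = [
    ("Unauthorized users (e.g., hackers)",
     "New patches not applied",
     lambda a, today: a.public_facing and (today - a.last_patched) > PATCH_WINDOW,
     "Unauthorized access to files",
     "Keep systems up to date (patch management)"),
    ("Unauthorized users (e.g., hackers)",
     "Default settings or accounts still in place",
     lambda a, today: a.public_facing and not a.defaults_changed,
     "Unauthorized access to files",
     "Remove or change defaults"),
    ("Ex-employee",
     "Ex-employee who still has access to the system",
     lambda a, today: any(not current for current in a.accounts.values()),
     "Accessing proprietary data",
     "Use access controls (disable accounts at separation)"),
]


def find_pairs(assets, today):
    """Return one record per asset where a threat source AND its vulnerability are both present."""
    pairs = []
    for asset in assets:
        for threat, vuln, present, action, mitigation in RULES:
            if present(asset, today):
                pairs.append({"asset": asset.name, "threat": threat,
                              "vulnerability": vuln, "threat_action": action,
                              "mitigation": mitigation})
    return pairs


def orphaned_accounts(asset):
    """Accounts belonging to people who are no longer employees (the deck's ex-employee case)."""
    return sorted(user for user, current in asset.accounts.items() if not current)


def mitigation_plan(pairs):
    """Group mitigations by asset so each can be assigned an owner and a schedule."""
    plan = {}
    for p in pairs:
        plan.setdefault(p["asset"], set()).add(p["mitigation"])
    return {asset: sorted(actions) for asset, actions in plan.items()}


# Constructed sample inventory (hypothetical hosts, dates and users).
TODAY = date(2015, 6, 1)
SAMPLE_ASSETS = [
    Asset("web-01", True, True, date(2015, 3, 1), {"svc_web": True}),
    Asset("ftp-01", True, False, date(2015, 5, 25), {"admin": True}),
    Asset("fileshare-01", False, True, date(2015, 1, 15), {"alice": True, "bob": False}),
    Asset("mail-01", True, True, date(2015, 5, 28), {"postmaster": True}),
]

if __name__ == "__main__":
    found = find_pairs(SAMPLE_ASSETS, TODAY)
    for p in found:
        print(f"{p['asset']}: {p['threat']} -> {p['vulnerability']} "
              f"-> {p['threat_action']} | mitigate: {p['mitigation']}")
    print(mitigation_plan(found))
```

Running it reports three pairs: web-01 (stale patches), ftp-01 (defaults unchanged) and fileshare-01 (an orphaned account). fileshare-01 is also well past the patch window, but under this simplified model no listed threat source reaches an internal host, so no pair is recorded; a fuller threat list that includes internal sources, as the deck's intentional-threat slides do, would make that pair active as well, which is why matching pairs and assessing vulnerabilities are listed as separate practices.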

Best Practices for Managing Exploits

Harden servers.

Use configuration management.

Perform risk assessments.

Perform vulnerability assessments.

U.S. Government Risk Management Initiatives

• The National Institute of Standards and Technology (NIST)
• The Department of Homeland Security
• The National Cybersecurity and Communications Integration Center (NCCIC)
• U.S. Computer Emergency Readiness Team (US-CERT)
• The MITRE Corporation – Common Vulnerabilities and Exposures (CVE) List

Relationships Among Organizations