MIS risk and security project

profileAbdulellah1997
9-Riskmgmt1.pptx

Risk Management

What is Risk?

Risk is a business concept: is the likelihood of financial loss for the organization high, medium, low or zero?

Three factors play into risk determination:

What the threat is?

How vulnerable the system is?

The importance of the asset that could be damaged or made unavailable.

Risk can be defined as follows:

Risk = Threat x Vulnerability x Asset

The Purpose Of Risk Management

Ensure overall business and business assets are safe

Protect against competitive disadvantage

Compliance with laws and best business practices

Maintain a good public reputation

Steps of a risk management plan

Identify and Prioritize Assets

Identify Threats

Identify Vulnerabilities

Analyze Controls

Determine the Likelihood of an Incident

Assess the Impact a Threat Could Have

Prioritize the Information Security Risks

Recommend Controls

Document the Results

Step #1: Identify and Prioritize Assets

Assets include servers, client contact information, sensitive partner documents, trade secrets...

what a technician think is valuable might not be what is most valuable for the business.

Therefore, you need to work with business users and management to create a list of all valuable assets.

For each asset, gather the following information, as applicable:

Software, Hardware, Data, Interfaces, Users, Support personnel…

Define a standard for determining the importance of each asset.

Common criteria include the asset’s monetary value, legal standing and importance to the organization

Step #2: Identify Threats

types of threats:

Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy much more than a hacker. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don’t put your server room on the first floor if your area has a high risk of floods.

System failure. The likelihood of system failure depends on the quality of your computer.

Example: new, high-quality equipment, the chance of system failure is low. old or from a “no-name” vendor, the chance of failure is much higher.

Accidental human interference. This threat is always high: accidentally deleting important files, clicking on malware links, accidentally physical damaging a piece of equipment.

Therefore, regularly back up data, including system settings, ACLs and other configuration information, and track all changes to critical systems.

Malicious humans:

Interference: when somebody causes damage to business by deleting data, engineering a distributed denial of service (DDOS), physically stealing a computer or server…

Interception: hacking- stealing data.

Impersonation: misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.

Step #3: Identify Vulnerabilities

Vulnerabilities can be identified through vulnerability analysis, audit reports, system software security analysis…

Testing the IT system is an important tool in identifying vulnerabilities.

Testing can include the following:

Information Security test and evaluation (ST&E) procedures

Penetration testing techniques

Automated vulnerability scanning tools

Step #4: Analyze Controls

Technical Controls such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems.

Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.

Preventive controls attempt to anticipate and stop attacks.

Examples of preventive technical controls are encryption and authentication devices.

Detective controls are used to discover attacks or events through audit trails and intrusion detection systems.

Step #5: Determine the Likelihood of an Incident

Assess the probability that a vulnerability might actually be exploited

Taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of the controls.

Many organizations use the categories high, medium and low to assess the likelihood of an attack

Step #6: Assess the Impact a Threat Could Have

Uses quantitative or qualitative methods to determine the impact caused by compromise or harm to the organization’s information assets

An attack can result in compromise or loss of information system confidentiality, integrity and availability.

After likelihood is determined, the impact on the system can be qualitatively assessed as high, medium or low

Quantitative assessment deals with numbers and dollar amounts.

It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis.

all elements of the process (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are quantified.

difficult, impossible, to assign dollar values to all elements;

some qualitative measures must be applied to quantitative elements.

12

Quantitative Risk Analysis Calculations

The key variables and equations used for conducting a quantitative risk analysis are

Exposure Factor (EF) = Percentage of asset loss caused by identified threat; ranges from 0 to 100%.

Single Loss Expectancy (SLE) = Asset Value x Exposure factor;

1,000,000 @ 20% likelihood = $200,000

13

Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur with in a year and is characterized on an annual basis.

A threat occurring once in 10 years has an ARO of 0.1

a threat occurring 10 times in a year has an ARO of 10

14

Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of

Occurrence.

ALE can sometimes be extrapolated from existing comparable data.

15

Suppose than an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%.

The single loss expectancy (SLE) is 25% * $100,000, = $25,000.

The annualized loss expectancy is the product of the annual rate of occurrence (ARO) and the single loss expectancy

ALE = ARO * SLE

For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000= $25,000.

For an ARO of three, the equation is:

ALE = 3 * $25,000= $75,000

16

Asset Risk Asset Value Exposure Factor SLE Annualized Frequency ALE
Customer database Hacked $432,000 .74 $320,000 .25 $80,000
Word document and data files Virus $9,450 .17 $ 1,650 .9 $1,485
Domain controller Server failure $82,500 .88 $ 72,500 .25 $18,125
E-commerce website DDoS $250,000 .44 $110,000 .45 $49,500

17

How SLE, ARO, and ALE Are Used

The organization you are working for has identified a new risk on its network server. The cost of this server is 75,000 SAR and the exposure factor is 0.47.

Even though your network is well protected, you have found out that this risk could be exploited once every 7 years.

Calculate the Single Loss Expectancy (SLE), the Annual Rate of Occurrence (ARO) and the Annual Loss Expectancy (ALE)

Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after

implementing safeguard) – (annual cost of safeguard)

== value of safeguard to the company

19

ASSIGNING VALUES TO TANGIBLE ASSETS

Ask IT manager for cost information regarding equipment, software, and hardware.

Conduct research on the Internet for exact or comparable systems. Determine the age of the current tangible assets, and calculate value by including depreciation.

20

When determining the overall replacement cost due to total failure, the costs related to the following should be included:

installation cost

troubleshooting cost

add 10% contingency

loss of business services to outside customers

loss of business services to internal employees

21

Qualitative Assessment

scenario driven and does not attempt to assign dollar values to components of the risk analysis

The ranking is subjective:

Low—Minor inconvenience that could be tolerated for a short period of time.

Medium—Could result in damage to the organization or cost a moderate amount of money to repair.

High—Would result in loss of goodwill between the company and clients or employees. Could result in a legal action or fine, or cause the company to lose revenue or earnings.

22

ASSIGNING VALUES TO INTANGLBLE ASSETS

The typical intangible assets that are prone to information system attacks are as follows

financial data

R & D research data

sales information

marketing research

engineering blueprints and specifications

trade secrets and know-how

computer software

23

24

Step #7: Prioritize the Information Security Risks

For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:

The likelihood that the threat will exploit the vulnerability

The impact of the threat successfully exploiting the vulnerability

The adequacy of the existing or planned information system security controls for eliminating or reducing the risk

Step #8: Recommend Controls

Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk.

General guidelines for each level of risk:

High— A plan for corrective measures should be developed as soon as possible.

Medium — A plan for corrective measures should be developed within a reasonable period of time.

Low — The team must decide whether to accept the risk or implement corrective actions.

Treatment Once a risk has been assessed and analyzed, an organization need to select treatment options:

Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.

Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.

Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.

Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.

Transference: Transferring the risk to another entity so your organization can recover from incurred costs of the risk being realized.

Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited.

Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.

Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.

Risk avoidance: Removing all exposure to an identified risk

Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers.

Security Controls

The objective of security controls is to enforce the security mechanisms the organization has developed.

Security controls can be

administrative,

Technical: can be hardware or software (restrict unauthorized access, firewalls, IDS systems, biometrics..)

Physical: gates, guards, fences, locks, CCTV systems…

30

Administrative

Administrative controls are composed of the policies, procedures, guidelines, and baselines an organization develops, such as the following:

Applicant screening—A control that should be used during the hiring process.

Background checks, reference checks, verification of educational records

31

Employee controls—a mechanism that adds defense in depth to the organization’s administrative controls.

Some common employee controls include detailed job descriptions with defined roles and responsibilities.

These are procedures that assign the rotation of duties, the addition of dual controls, and mandatory vacations.

Termination procedures—to address the termination of employees.

Termination procedures should include exit interviews, suspension of network access, and checklists verifying that employees have returned all equipment they had in their care, such as remote-access tokens, keys, ID cards, cellphones, pagers, credit cards, laptops, and software.

32

Step #9: Document the Results

The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on.

For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.

Business Continuity Planning

35

A business continuity plan documents how a business will continue to function during or after a computer security incident

Addresses situations having two characteristics:

Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable

Long duration, in which the outage is expected to last for so long that business will suffer

The next slide addresses the specific tasks involved in business continuity planning.

35

36

Examples:

fire destroys a company’s entire network.

A seemingly permanent failure of a critical software component renders the computing system unusable.

The unexpected failure of a supplier of electricity, telecommunications, network access, or other critical service limits or stops activity.

A flood prevents the essential network support staff from getting to the operations center.

Incident Response Plans

37

A security incident response plan tells the staff how to deal with a security incident

In contrast to a business continuity plan, the goal of incident response is handling the current security incident without direct regard for the business issues

An incident response plan should

Define what constitutes an incident

Identify who is responsible for taking charge of the situation

Describe the plan of action

1- Policy

A security policy is a high-level statement of purpose and intent

It documents an organization’s security needs and priorities.

policy statement must answer three essential questions:

• Who should be allowed access?

• To what system and organizational resources should access be allowed?

• What types of access should each user be allowed for each resource?

Policy structure

39

Policy

Standard

Baseline

Guideline

Procedure

6/29/2020

Policies

Policies are statements of management intentions and goals

General statement about the organization’s assets and what level of protection they should have

Senior Management support and approval is vital to success

General, high-level objectives

should spell out who’s responsible for security, what needs to be protected, and what is an acceptable level of risk.

Acceptable use, internet access, logging, information security, etc

Advisory Policy

The job of an advisory policy is to ensure that all employees know the consequences of certain behavior and actions.

Ex:

Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disk unless they have written permission from the network administrator.

Be prepared to be held accountable for your actions, including the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated

41

Informative Policy

it is developed for education.

inform and enlighten employees.

Ex: In partnership with Human Resources, the employee supervisory body job is to serve as an advocate for all employees, providing mediation between employees and management.

This job is to help investigate complaints and mediate fair settlements when a third party is requested.

42

Regulatory Policy

These policies are used to make certain that the organization complies with local, state, and federal laws.

Ex: Because of recent changes to Texas State law, The Company will now retain records of employee inventions and patents for 10 years; all email messages and any backup of such email associated with patents and inventions will be stored for one year.

43

Standards

Standards specify the use of specific technologies in a uniform manner

Requires uniformity throughout the organization

Operating systems, applications, server tools, router configurations, etc

Example: a standard might set a mandatory requirement that all email communication be encrypted.

it does specify a certain standard, it doesn’t clarify how it is to be done

44

Baselines

Is a minimum level of security that a system, network, or device must adhere to.

Baselines are usually mapped to industry standards.

Example: an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard.

45

6/29/2020

Guidelines

Guidelines are recommended methods for performing a task

Recommended, but not required

Malware cleanup, spyware removal, data conversion, sanitization, etc

6/29/2020

Procedures

Procedures are detailed steps to perform a specific task

In-depth, step-by-step document that details exactly what is to be done

Usually required by policy

Tied to specific technologies and devices

Procedures change as equipment changes.

Example, a company replacing CheckPoint firewall with a Cisco PIX.

Although the policies and standards dictating the firewalls role in your organization probably will not change, the procedure for configuration of the firewall will.

Continuity Planning Activities

48

Assess the business impact of a crisis

What are the essential assets?

What could disrupt use of these assets?

Develop a strategy to control impact

Investigate how the key assets can be safeguarded

Develop and implement a plan for the strategy

Define:

Who is in charge when an incident occurs

What to do when an incident occurs

Who does what tasks when an incident occurs

Incident Response Teams

49

The response team is charged with responding to the incident. It may include

Director : The person in charge of the incident, who decides what actions to take

Technicians: People who perform the technical part of the response

Advisors: Legal, human resources, or public relations staff members as appropriate

Matters to consider when identifying a response team:

Legal issues

Preserving evidence

Records

Public relations

CSIRTs

50

Computer Security Incident Response Teams (CSIRT) are teams trained and authorized to handle security incidents

Responsibilities of a CSIRT include

Reporting: Receiving reports of suspected incidents and reporting as appropriate to senior management

Detection: Investigation to determine if an incident occurred

Triage: Immediate action to address urgent needs

Response: Coordination of effort to address all aspects in a manner appropriate to severity and time demands

Postmortem: Declaring the incident over and arranging to review the case to improve future response

Education: Preventing harm by advising on good security practices and disseminating lessons learned from past incidents

CSIRTs are closely related to, and often heavily overlap, Security Operations Centers (SOC), which perform day-to-day monitoring of a network and may be the first to detect an incident.

50

CSIRT Skills

51

Collect, analyze, and preserve digital forensic evidence

Analyze data to infer trends

Analyze the source, impact, and structure of malicious code

Help manage installations and networks by developing defenses such as signatures

Perform penetration testing and vulnerability analysis

Understand current technologies used in attacks

Roles and Responsibility

Data owner—Usually a member of senior management.

Senior management is responsible for the asset and, if it is compromised, can be held responsible.

The data owner can delegate some day-to-day duties but cannot delegate total responsibility;

senior management is ultimately responsible

52

Security Controls

The objective of security controls is to enforce the security mechanisms the organization has developed.

Security controls can be

administrative,

technical,

physical.

53