MIS risk and security project
Risk Management
What is Risk?
Risk is a business concept: is the likelihood of financial loss for the organization high, medium, low or zero?
Three factors play into risk determination:
What the threat is?
How vulnerable the system is?
The importance of the asset that could be damaged or made unavailable.
Risk can be defined as follows:
Risk = Threat x Vulnerability x Asset
The Purpose Of Risk Management
Ensure overall business and business assets are safe
Protect against competitive disadvantage
Compliance with laws and best business practices
Maintain a good public reputation
Steps of a risk management plan
Identify and Prioritize Assets
Identify Threats
Identify Vulnerabilities
Analyze Controls
Determine the Likelihood of an Incident
Assess the Impact a Threat Could Have
Prioritize the Information Security Risks
Recommend Controls
Document the Results
Step #1: Identify and Prioritize Assets
Assets include servers, client contact information, sensitive partner documents, trade secrets...
what a technician think is valuable might not be what is most valuable for the business.
Therefore, you need to work with business users and management to create a list of all valuable assets.
For each asset, gather the following information, as applicable:
Software, Hardware, Data, Interfaces, Users, Support personnel…
Define a standard for determining the importance of each asset.
Common criteria include the asset’s monetary value, legal standing and importance to the organization
Step #2: Identify Threats
types of threats:
Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy much more than a hacker. When deciding where to house your servers, think about the chances of a natural disaster. For instance, don’t put your server room on the first floor if your area has a high risk of floods.
System failure. The likelihood of system failure depends on the quality of your computer.
Example: new, high-quality equipment, the chance of system failure is low. old or from a “no-name” vendor, the chance of failure is much higher.
Accidental human interference. This threat is always high: accidentally deleting important files, clicking on malware links, accidentally physical damaging a piece of equipment.
Therefore, regularly back up data, including system settings, ACLs and other configuration information, and track all changes to critical systems.
Malicious humans:
Interference: when somebody causes damage to business by deleting data, engineering a distributed denial of service (DDOS), physically stealing a computer or server…
Interception: hacking- stealing data.
Impersonation: misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.
Step #3: Identify Vulnerabilities
Vulnerabilities can be identified through vulnerability analysis, audit reports, system software security analysis…
Testing the IT system is an important tool in identifying vulnerabilities.
Testing can include the following:
Information Security test and evaluation (ST&E) procedures
Penetration testing techniques
Automated vulnerability scanning tools
Step #4: Analyze Controls
Technical Controls such as computer hardware or software, encryption, intrusion detection mechanisms, and identification and authentication subsystems.
Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.
Preventive controls attempt to anticipate and stop attacks.
Examples of preventive technical controls are encryption and authentication devices.
Detective controls are used to discover attacks or events through audit trails and intrusion detection systems.
Step #5: Determine the Likelihood of an Incident
Assess the probability that a vulnerability might actually be exploited
Taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of the controls.
Many organizations use the categories high, medium and low to assess the likelihood of an attack
Step #6: Assess the Impact a Threat Could Have
Uses quantitative or qualitative methods to determine the impact caused by compromise or harm to the organization’s information assets
An attack can result in compromise or loss of information system confidentiality, integrity and availability.
After likelihood is determined, the impact on the system can be qualitatively assessed as high, medium or low
Quantitative assessment deals with numbers and dollar amounts.
It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis.
all elements of the process (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are quantified.
difficult, impossible, to assign dollar values to all elements;
some qualitative measures must be applied to quantitative elements.
12
Quantitative Risk Analysis Calculations
The key variables and equations used for conducting a quantitative risk analysis are
Exposure Factor (EF) = Percentage of asset loss caused by identified threat; ranges from 0 to 100%.
Single Loss Expectancy (SLE) = Asset Value x Exposure factor;
1,000,000 @ 20% likelihood = $200,000
13
Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur with in a year and is characterized on an annual basis.
A threat occurring once in 10 years has an ARO of 0.1
a threat occurring 10 times in a year has an ARO of 10
14
Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of
Occurrence.
ALE can sometimes be extrapolated from existing comparable data.
15
Suppose than an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%.
The single loss expectancy (SLE) is 25% * $100,000, = $25,000.
The annualized loss expectancy is the product of the annual rate of occurrence (ARO) and the single loss expectancy
ALE = ARO * SLE
For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000= $25,000.
For an ARO of three, the equation is:
ALE = 3 * $25,000= $75,000
16
| Asset | Risk | Asset Value | Exposure Factor | SLE | Annualized Frequency | ALE |
| Customer database | Hacked | $432,000 | .74 | $320,000 | .25 | $80,000 |
| Word document and data files | Virus | $9,450 | .17 | $ 1,650 | .9 | $1,485 |
| Domain controller | Server failure | $82,500 | .88 | $ 72,500 | .25 | $18,125 |
| E-commerce website | DDoS | $250,000 | .44 | $110,000 | .45 | $49,500 |
17
How SLE, ARO, and ALE Are Used
The organization you are working for has identified a new risk on its network server. The cost of this server is 75,000 SAR and the exposure factor is 0.47.
Even though your network is well protected, you have found out that this risk could be exploited once every 7 years.
Calculate the Single Loss Expectancy (SLE), the Annual Rate of Occurrence (ARO) and the Annual Loss Expectancy (ALE)
Safeguard cost/benefit analysis = (ALE before implementing safeguard) – (ALE after
implementing safeguard) – (annual cost of safeguard)
== value of safeguard to the company
19
ASSIGNING VALUES TO TANGIBLE ASSETS
Ask IT manager for cost information regarding equipment, software, and hardware.
Conduct research on the Internet for exact or comparable systems. Determine the age of the current tangible assets, and calculate value by including depreciation.
20
When determining the overall replacement cost due to total failure, the costs related to the following should be included:
installation cost
troubleshooting cost
add 10% contingency
loss of business services to outside customers
loss of business services to internal employees
21
Qualitative Assessment
scenario driven and does not attempt to assign dollar values to components of the risk analysis
The ranking is subjective:
Low—Minor inconvenience that could be tolerated for a short period of time.
Medium—Could result in damage to the organization or cost a moderate amount of money to repair.
High—Would result in loss of goodwill between the company and clients or employees. Could result in a legal action or fine, or cause the company to lose revenue or earnings.
22
ASSIGNING VALUES TO INTANGLBLE ASSETS
The typical intangible assets that are prone to information system attacks are as follows
financial data
R & D research data
sales information
marketing research
engineering blueprints and specifications
trade secrets and know-how
computer software
23
24
Step #7: Prioritize the Information Security Risks
For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:
The likelihood that the threat will exploit the vulnerability
The impact of the threat successfully exploiting the vulnerability
The adequacy of the existing or planned information system security controls for eliminating or reducing the risk
Step #8: Recommend Controls
Using the risk level as a basis, determine the actions that senior management and other responsible individuals must take to mitigate the risk.
General guidelines for each level of risk:
High— A plan for corrective measures should be developed as soon as possible.
Medium — A plan for corrective measures should be developed within a reasonable period of time.
Low — The team must decide whether to accept the risk or implement corrective actions.
Treatment Once a risk has been assessed and analyzed, an organization need to select treatment options:
Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.
Example: You have identified a vulnerability on a server where critical assets are stored, and you apply a patch for that vulnerability.
Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.
Example: You have identified a vulnerability on a server where critical assets are stored, but instead of patching the vulnerability, you implement a firewall rule that only allows specific systems to communicate with the vulnerable service on the server.
Transference: Transferring the risk to another entity so your organization can recover from incurred costs of the risk being realized.
Example: You purchase insurance that will cover any losses that would be incurred if vulnerable systems are exploited.
Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.
Example: You have identified a vulnerability on a server but concluded that there is nothing sensitive on that server; it cannot be used as an entry point to access other critical assets, and a successful exploit of the vulnerability is very complex. As a result, you decide you do not need to spend time and resources to fix the vulnerability.
Risk avoidance: Removing all exposure to an identified risk
Example: You have identified servers with operating systems (OS) that are about to reach end-of-life and will no longer receive security patches from the OS creator. These servers process and store both sensitive and non-sensitive data. To avoid the risk of sensitive data being compromised, you quickly migrate that sensitive data to newer, patchable servers. The servers continue to run and process non-sensitive data while a plan is developed to decommission them and migrate non-sensitive data to other servers.
Security Controls
The objective of security controls is to enforce the security mechanisms the organization has developed.
Security controls can be
administrative,
Technical: can be hardware or software (restrict unauthorized access, firewalls, IDS systems, biometrics..)
Physical: gates, guards, fences, locks, CCTV systems…
30
Administrative
Administrative controls are composed of the policies, procedures, guidelines, and baselines an organization develops, such as the following:
Applicant screening—A control that should be used during the hiring process.
Background checks, reference checks, verification of educational records
31
Employee controls—a mechanism that adds defense in depth to the organization’s administrative controls.
Some common employee controls include detailed job descriptions with defined roles and responsibilities.
These are procedures that assign the rotation of duties, the addition of dual controls, and mandatory vacations.
Termination procedures—to address the termination of employees.
Termination procedures should include exit interviews, suspension of network access, and checklists verifying that employees have returned all equipment they had in their care, such as remote-access tokens, keys, ID cards, cellphones, pagers, credit cards, laptops, and software.
32
Step #9: Document the Results
The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on.
For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.
Business Continuity Planning
35
A business continuity plan documents how a business will continue to function during or after a computer security incident
Addresses situations having two characteristics:
Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable
Long duration, in which the outage is expected to last for so long that business will suffer
The next slide addresses the specific tasks involved in business continuity planning.
35
36
Examples:
fire destroys a company’s entire network.
A seemingly permanent failure of a critical software component renders the computing system unusable.
The unexpected failure of a supplier of electricity, telecommunications, network access, or other critical service limits or stops activity.
A flood prevents the essential network support staff from getting to the operations center.
Incident Response Plans
37
A security incident response plan tells the staff how to deal with a security incident
In contrast to a business continuity plan, the goal of incident response is handling the current security incident without direct regard for the business issues
An incident response plan should
Define what constitutes an incident
Identify who is responsible for taking charge of the situation
Describe the plan of action
1- Policy
A security policy is a high-level statement of purpose and intent
It documents an organization’s security needs and priorities.
policy statement must answer three essential questions:
• Who should be allowed access?
• To what system and organizational resources should access be allowed?
• What types of access should each user be allowed for each resource?
Policy structure
39
Policy
Standard
Baseline
Guideline
Procedure
6/29/2020
Policies
Policies are statements of management intentions and goals
General statement about the organization’s assets and what level of protection they should have
Senior Management support and approval is vital to success
General, high-level objectives
should spell out who’s responsible for security, what needs to be protected, and what is an acceptable level of risk.
Acceptable use, internet access, logging, information security, etc
Advisory Policy
The job of an advisory policy is to ensure that all employees know the consequences of certain behavior and actions.
Ex:
Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disk unless they have written permission from the network administrator.
Be prepared to be held accountable for your actions, including the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated
41
Informative Policy
it is developed for education.
inform and enlighten employees.
Ex: In partnership with Human Resources, the employee supervisory body job is to serve as an advocate for all employees, providing mediation between employees and management.
This job is to help investigate complaints and mediate fair settlements when a third party is requested.
42
Regulatory Policy
These policies are used to make certain that the organization complies with local, state, and federal laws.
Ex: Because of recent changes to Texas State law, The Company will now retain records of employee inventions and patents for 10 years; all email messages and any backup of such email associated with patents and inventions will be stored for one year.
43
Standards
Standards specify the use of specific technologies in a uniform manner
Requires uniformity throughout the organization
Operating systems, applications, server tools, router configurations, etc
Example: a standard might set a mandatory requirement that all email communication be encrypted.
it does specify a certain standard, it doesn’t clarify how it is to be done
44
Baselines
Is a minimum level of security that a system, network, or device must adhere to.
Baselines are usually mapped to industry standards.
Example: an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard.
45
6/29/2020
Guidelines
Guidelines are recommended methods for performing a task
Recommended, but not required
Malware cleanup, spyware removal, data conversion, sanitization, etc
6/29/2020
Procedures
Procedures are detailed steps to perform a specific task
In-depth, step-by-step document that details exactly what is to be done
Usually required by policy
Tied to specific technologies and devices
Procedures change as equipment changes.
Example, a company replacing CheckPoint firewall with a Cisco PIX.
Although the policies and standards dictating the firewalls role in your organization probably will not change, the procedure for configuration of the firewall will.
Continuity Planning Activities
48
Assess the business impact of a crisis
What are the essential assets?
What could disrupt use of these assets?
Develop a strategy to control impact
Investigate how the key assets can be safeguarded
Develop and implement a plan for the strategy
Define:
Who is in charge when an incident occurs
What to do when an incident occurs
Who does what tasks when an incident occurs
Incident Response Teams
49
The response team is charged with responding to the incident. It may include
Director : The person in charge of the incident, who decides what actions to take
Technicians: People who perform the technical part of the response
Advisors: Legal, human resources, or public relations staff members as appropriate
Matters to consider when identifying a response team:
Legal issues
Preserving evidence
Records
Public relations
CSIRTs
50
Computer Security Incident Response Teams (CSIRT) are teams trained and authorized to handle security incidents
Responsibilities of a CSIRT include
Reporting: Receiving reports of suspected incidents and reporting as appropriate to senior management
Detection: Investigation to determine if an incident occurred
Triage: Immediate action to address urgent needs
Response: Coordination of effort to address all aspects in a manner appropriate to severity and time demands
Postmortem: Declaring the incident over and arranging to review the case to improve future response
Education: Preventing harm by advising on good security practices and disseminating lessons learned from past incidents
CSIRTs are closely related to, and often heavily overlap, Security Operations Centers (SOC), which perform day-to-day monitoring of a network and may be the first to detect an incident.
50
CSIRT Skills
51
Collect, analyze, and preserve digital forensic evidence
Analyze data to infer trends
Analyze the source, impact, and structure of malicious code
Help manage installations and networks by developing defenses such as signatures
Perform penetration testing and vulnerability analysis
Understand current technologies used in attacks
Roles and Responsibility
Data owner—Usually a member of senior management.
Senior management is responsible for the asset and, if it is compromised, can be held responsible.
The data owner can delegate some day-to-day duties but cannot delegate total responsibility;
senior management is ultimately responsible
52
Security Controls
The objective of security controls is to enforce the security mechanisms the organization has developed.
Security controls can be
administrative,
technical,
physical.
53