Module 02 Performance Risk-based Analytics
Every security control has a cost, and with encryption in particular some methods are markedly faster or slower than others. In most cases a cybersecurity professional must weigh cost, performance, and security against one another. Risk is the tool professionals use to make these decisions and to influence the appropriate stakeholders by giving them accurate information about all three elements.
Risk analysis, or risk-based analytics, determines the level of risk to an organization. The first step is to determine the sensitivity of the data being processed. The scheme below is a common data classification used by many organizations; the categories and their boundaries vary from one organization to another depending on how the data are used.
· Public: Data available to the general public and approved for distribution outside the organization.
· Examples: press releases, directory information (not subject to government regulation or a privacy block), product catalogs, application and request forms, and other general information that is openly shared. The information an organization chooses to post on its public website is a good example of Public data.
· Internal: Data necessary for the operation of the business and generally available to all internal users, to the users of the customer concerned, and to interested third parties when appropriate and authorized.
· Examples: some memos, correspondence, and meeting minutes; contact lists that contain information that is not publicly available; and procedural documentation that should remain internal.
· Confidential: Data generally not made available outside the organization and the unauthorized access, use, disclosure, duplication, modification, or destruction of which could adversely impact the organization and/or customers. All confidential information is sensitive in nature and must be restricted to those with a legitimate business need to know.
· Examples:
· Information covered by the Family Educational Rights and Privacy Act (FERPA), which requires protection of records for current and former students. This includes pictures of students kept for official purposes.
· Personally identifiable information entrusted to the organization’s care that is not Restricted data, such as information about applicants, donors, potential donors, or competitive marketing research data.
· Information covered by the Gramm-Leach-Bliley Act (GLB), which requires protection of certain financial records.
· Individual employment information, including salary, benefits and performance appraisals for current, former, and prospective employees.
· Legally privileged information.
· Information that is the subject of a confidentiality agreement.
· Restricted: Data that MUST be specifically protected via various access, confidentiality, integrity and/or non-repudiation controls in order to comply with legislative, regulatory, contractual or business obligations.
· Examples:
· Protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), which sets standards for protection of medical records and patient data.
· Certain types of personal information, including an individual’s name plus the individual’s Social Security Number, driver’s license number, or financial account number.
· Financial information including bank or credit card information.
· Data controlled by U.S. Export Control Law such as the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
· U.S. Government classified data.
· Data used to authenticate or authorize individuals to use electronic resources, such as passwords, keys, and other electronic tokens.
· “Criminal Background Data” that might be collected as part of an application form or a background check.
Risk is typically scored on two one-to-five scales: the likelihood that an incident will occur, and the impact a breach would have on the organization. Impact is comparatively easy to determine from the data classifications above: the more Confidential or Restricted data at risk, the higher the impact to the organization.
Likelihood is something a business can control through security controls and access management. Consider an existing business system in which every user has been given administrative access instead of granular access scoped to their job role: the likelihood of a breach there is higher than in a system with strict, granular access controls.
Traffic Analysis Impact
The second element of likelihood is the data's exposure to the Internet or to outside networks. Firewalls and other security appliances placed in front of the data reduce that exposure and so reduce likelihood. When assessing this area, look at where the data are stored, not only where they are accessed. For example, the data may be reached through a web-based form while the data themselves sit in a database in a more fortified segment of the network. That structure reduces the likelihood of unauthorized access, and therefore the risk, even though the impact of a breach of the same data is unchanged.
The last step in risk analytics is heat mapping: likelihood and impact are placed on a heat matrix to determine the level of risk (High, Medium, or Low). The heat map example below shows the level of risk when the impact level is multiplied by the likelihood. Note that a pure product treats an impact of 5 with a likelihood of 1 the same as an impact of 1 with a likelihood of 5; many organizations therefore assign a band to each cell of the matrix rather than to the product alone. Once the level of risk is known, effort turns to implementing controls that reduce the likelihood of a breach.
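The steps above (classification to impact, access model and exposure to likelihood, product to a band, then ranking so controls go where the risk is) put together as a small risk register. This is an added example, not material from the module: the impact mapping, the likelihood weights, the band cut points, and the sample assets are all assumptions chosen for illustration, and a real organization substitutes its own.

```go
package main

import (
	"fmt"
	"sort"
)

// Classification follows the module's four-level scheme.
type Classification int

const (
	Public Classification = iota + 1
	Internal
	Confidential
	Restricted
)

// Asset is one row of a risk register. The boolean fields are the
// likelihood factors the module names: how access is granted, and how
// exposed the data store itself is.
type Asset struct {
	Name           string
	Data           Classification
	AdminForAll    bool // every user holds administrative rights
	InternetFacing bool // the data store is reachable from outside networks
	BehindFirewall bool // a firewall or similar appliance fronts it
}

// Impact maps classification to the 1-5 impact scale. The mapping is an
// assumption for this example; Restricted is always the top of the scale.
func Impact(c Classification) int {
	switch c {
	case Public:
		return 1
	case Internal:
		return 2
	case Confidential:
		return 4
	default:
		return 5
	}
}

// Likelihood derives a 1-5 score from the access model and the exposure.
// The weights are assumptions chosen so the result stays within 1-5.
func Likelihood(a Asset) int {
	score := 1
	if a.AdminForAll {
		score += 2 // everyone is an administrator
	}
	if a.InternetFacing {
		score += 2 // reachable from outside
		if a.BehindFirewall {
			score-- // a control in front of the data lowers exposure
		}
	}
	return score
}

// Score is the heat-map cell value: impact multiplied by likelihood (1-25).
func Score(a Asset) int { return Impact(a.Data) * Likelihood(a) }

// Band turns a score into High/Medium/Low. The cut points are assumptions;
// each organization sets its own.
func Band(score int) string {
	switch {
	case score >= 15:
		return "High"
	case score >= 8:
		return "Medium"
	default:
		return "Low"
	}
}

// Rank orders a register so the highest-risk assets come first, which is
// the order in which controls should be applied.
func Rank(register []Asset) []Asset {
	out := append([]Asset(nil), register...)
	sort.SliceStable(out, func(i, j int) bool { return Score(out[i]) > Score(out[j]) })
	return out
}

func main() {
	// Constructed sample register, not real systems.
	register := []Asset{
		{Name: "public website", Data: Public, InternetFacing: true},
		{Name: "HR records", Data: Restricted, AdminForAll: true},
		{Name: "patient portal DB", Data: Restricted, InternetFacing: true, BehindFirewall: true},
		{Name: "wiki", Data: Internal},
	}
	for _, a := range Rank(register) {
		fmt.Printf("%-18s impact=%d likelihood=%d score=%2d %s\n",
			a.Name, Impact(a.Data), Likelihood(a), Score(a), Band(Score(a)))
	}
	// The control the module describes: replace blanket admin rights with
	// granular access and the band moves from High to Low.
	hr := register[1]
	hr.AdminForAll = false
	fmt.Printf("HR records after granular access: score=%d %s\n", Score(hr), Band(Score(hr)))
}
```

The HR system scores 15 (High) while everyone is an administrator and 5 (Low) once access is granular, with the impact unchanged: the control moved likelihood, not impact, exactly as the text describes.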
Data-at-Rest vs. Data-in-Transit
For this discussion, data exist in one of two states. This section explains how the two states work and how to secure one, the other, or both. As stated earlier, higher levels of security can affect delivery performance by slowing processing or transmission of the data.
Data-at-Rest
Data at rest are not being processed; they sit in their storage location. They may live inside an application's data store or simply be a file on a drive. Most applications can encrypt the data they hold or rely on another layer to do so. One example is BitLocker, which encrypts an entire volume on a Windows computer so that, without the proper key or authentication, the data cannot be recovered. Backups are another example, as most backup tools can encrypt the backup files they create.
Data at rest are at risk wherever unauthorized access to the storage location is possible. That access may be logical, physical, or both.
With data at rest it is important to understand that before data can be processed they must be decrypted; after processing, any changed information is encrypted again and written back to its resting place. Each of those steps costs time, so think about how performance is affected.
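The decrypt, process, re-encrypt cycle for a stored record, written out with AES-256-GCM from Go's standard library. This is an added example, not code from the module or from any product it names: the record contents and the key handling are constructed for illustration (a real system fetches the key from a key store or hardware module rather than generating it beside the data). It also shows the integrity property the text implies but does not spell out: a record altered on disk, or opened with the wrong key, is rejected outright instead of decrypting to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record for storage. The stored blob is
// nonce || ciphertext || tag, so it carries everything needed to open it
// except the key, which must live elsewhere, never beside the data.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce in one slice.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored blob. The GCM tag is checked before any plaintext
// is returned, so a blob modified on disk, or opened with the wrong key, is
// rejected as a whole rather than yielding corrupted data.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored record too short to be valid")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Update is the decrypt, process, re-encrypt cycle: open the record, apply
// fn, and seal the result again. Seal draws a fresh nonce each time; reusing
// a nonce under the same GCM key would break both confidentiality and
// integrity, so the old nonce is never written back.
func Update(key, blob []byte, fn func([]byte) []byte) ([]byte, error) {
	pt, err := Open(key, blob)
	if err != nil {
		return nil, err
	}
	return Seal(key, fn(pt))
}

// Tamper returns a copy of blob with its last byte flipped, standing in for
// an attacker or a disk fault altering the stored record.
func Tamper(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0xff
	return out
}

func main() {
	key := make([]byte, 32) // AES-256 key; constructed here, from a key store in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record.
	blob, err := Seal(key, []byte("salary=90000;grade=7"))
	if err != nil {
		panic(err)
	}
	blob, err = Update(key, blob, func(pt []byte) []byte {
		return bytes.Replace(pt, []byte("grade=7"), []byte("grade=8"), 1)
	})
	if err != nil {
		panic(err)
	}
	pt, _ := Open(key, blob)
	fmt.Printf("after update: %s\n", pt)
	_, err = Open(key, Tamper(blob))
	fmt.Println("tampered record:", err)
}
```

Every call to Update pays for a full decrypt and a full encrypt of the record, which is the performance cost the text asks you to think about; the size of the record, not the size of the change, sets that cost.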
Data-in-Transit
In this second state, data move from location A to location B. Data in transit face the most risk when traveling outside the business's secured environment, but they can also be vulnerable inside it if the business does not follow appropriate physical security. Proper office access procedures prevent systems from being left unattended while logged in. Lapses in these practices expose the internal network to man-in-the-middle attacks, a primary risk point for data in transit.
Again, when data in transit are encrypted, both the source and the destination must be able to encrypt and decrypt them, which adds to the time it takes to move the data. Once more, consider how performance is affected by the time these tasks require.
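Encrypting the channel only defeats a man-in-the-middle if the client can tell the real destination from an impostor, which is the job of certificate verification. The following added example (not code from the module) builds that check with Go's standard library and runs it against three constructed cases: a certificate issued by the organization's own CA for the intended host, a self-signed impostor certificate for the same host name, and the legitimate certificate presented for a different host. The CA name and the host names "db.internal" and "files.internal" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a certificate template: a CA able to sign, or a server
// leaf valid only for TLS server authentication on the named host.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with signer's key under parent; a nil parent self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyServer is the check a TLS client performs on the certificate a
// server presents: it must chain to a trusted root, be valid now, be usable
// for server authentication, and name the host the client meant to reach.
func VerifyServer(presented *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenario builds constructed trust material and returns the verification
// outcome for the legitimate server, for an impostor presenting its own
// self-signed certificate for the same name, and for the legitimate
// certificate presented under the wrong host name.
func Scenario() (legit, impostor, wrongHost error) {
	caKey := newKey()
	ca := issue(template(1, "Example Internal CA", true), nil, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	srvKey := newKey()
	server := issue(template(2, "db.internal", false), ca, &srvKey.PublicKey, caKey)

	mitmKey := newKey() // the attacker has no access to caKey
	mitm := issue(template(3, "db.internal", false), nil, &mitmKey.PublicKey, mitmKey)

	return VerifyServer(server, roots, "db.internal"),
		VerifyServer(mitm, roots, "db.internal"),
		VerifyServer(server, roots, "files.internal")
}

func main() {
	legit, impostor, wrongHost := Scenario()
	fmt.Println("CA-issued certificate for db.internal:", legit)
	fmt.Println("self-signed impostor for db.internal:  ", impostor)
	fmt.Println("legitimate certificate, wrong host:    ", wrongHost)
}
```

Only the first case verifies; the impostor fails because its issuer is not a trusted root, and the third fails on the host-name check even though the certificate itself is genuine. A client configured to skip verification (in Go, `tls.Config{InsecureSkipVerify: true}`) performs none of these checks, still encrypts the traffic, and hands the session to whoever answers: that is the weak setting that turns a man-in-the-middle from a risk into a certainty.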