Info_Sec_Discussion
Managing Risk in Information Systems
Lesson 2
Risk Management Planning
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objectives
Explain methods of mitigating risk by managing threats, vulnerabilities, and exploits.
Describe the components of an effective organizational risk management program.
Key Concepts
Risk, threats, vulnerabilities, and exploits
Public resources for risk management
Use of threat/vulnerability pairs in managing risk
Fundamental components of a risk management plan
Objectives of a risk management plan
Objectives and scope of a risk management plan
Importance of assigning responsibilities
Significance of planning, scheduling, and documentation
Chapter 2 Slides
Chapter 2: “Managing Risk: Threats, Vulnerabilities, and Exploits”
The Uncontrollable Nature of Threats
Threats can’t be eliminated.
Threats are always present.
You can take action to reduce the potential for a threat to occur.
You can take action to reduce the impact of a threat.
You cannot affect the threat itself.
Unintentional Threats
Environmental
Human
Accidents
Failures
Intentional Threats
Greed
Anger
Desire to Damage
| Unintentional Threats | Intentional Threats |
| --- | --- |
| Environmental: fire, wind, lightning, flooding; accidents; equipment failures | Individuals or organizations: hackers, criminals, disgruntled employees |
| Human: keystroke errors, procedural errors, programming bugs | |
Common Attackers
Criminals
Advanced persistent threats (APTs)
Vandals
Saboteurs
Disgruntled employees
Activists
Other nations
Hackers
Best Practices for Managing Threats
Create a security policy.
Purchase insurance.
Use access controls.
Use automation.
Best Practices for Managing Threats (Cont.)
Include input validation.
Provide training.
Use antivirus software.
Protect the boundary.
Understanding and Managing Vulnerabilities
Countermeasures reduce risk and loss
Reduce vulnerabilities
Reduce impact of loss
Threat/Vulnerability Pair
Occurs when a threat exploits a vulnerability
A vulnerability provides a path for the threat that results in a harmful event or a loss
Both the threat and the vulnerability must come together to result in a loss
Threat/Vulnerability Pair and Threat Action
Threat
Ex-employee
Vulnerability
Ex-employee who still has access to the system
Threat Action
Accessing proprietary data
Threat/Vulnerability Pair Example 1
Threat Source
Fire or negligent person
Vulnerability
Sprinklers used to suppress fire damage
Protective tarpaulins not in place
Threat Action
Sprinkler system turned on
Threat/Vulnerability Pair Example 2
Threat Source
Unauthorized users (e.g., hackers)
Vulnerability
Identified flaws in system design
New patches not applied
Threat Action
Unauthorized access to files
Vulnerability Mitigation Techniques
Policies and procedures
Documentation
Training
Separation of duties
Vulnerability Mitigation Techniques (Cont.)
Configuration management
Version control
Patch management
Intrusion detection
Vulnerability Mitigation Techniques (Cont.)
Incident response
Continuous monitoring
Technical controls
Physical controls
Best Practices for Managing Vulnerabilities
Identify vulnerabilities.
Match the threat/vulnerability pairs.
Use as many of the mitigation techniques as feasible.
Perform vulnerability assessments.
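The pair rule from the earlier slide (both the threat and the vulnerability must come together to result in a loss) and the best practice of matching threat/vulnerability pairs, as a small risk register in Python. This is an added example, not code from the textbook or from Jones and Bartlett. Its entries are constructed from the deck's ex-employee, fire and unpatched-system examples; which mitigation technique closes each vulnerability, and a "Flooding" threat with no matching weakness, are assumptions made for illustration.

```python
"""Threat/vulnerability pair register (added example, not from the textbook).

Models the slide's rule: a loss needs BOTH a threat and a matching, open
vulnerability. The threat cannot be removed, but closing the vulnerability
takes the pair off the register.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    source: str   # who or what could cause harm; always present, not controllable
    action: str   # the harmful event the threat could carry out


@dataclass(frozen=True)
class Vulnerability:
    description: str
    exposed_to: frozenset   # threat sources this weakness gives a path to
    closed_by: tuple        # mitigation techniques that remove it (assumed mapping)
    mitigated: bool = False


# Constructed from the deck's examples; "Flooding" is added to show a threat
# with no matching vulnerability never produces a pair.
THREATS = [
    Threat("Fire or negligent person", "Sprinkler system turned on"),
    Threat("Unauthorized users (e.g., hackers)", "Unauthorized access to files"),
    Threat("Ex-employee", "Accessing proprietary data"),
    Threat("Flooding", "Water damage to equipment"),
]

VULNS = [
    Vulnerability("Protective tarpaulins not in place",
                  frozenset({"Fire or negligent person"}),
                  closed_by=("Physical controls",)),
    Vulnerability("New patches not applied",
                  frozenset({"Unauthorized users (e.g., hackers)"}),
                  closed_by=("Patch management",)),
    Vulnerability("Ex-employee still has access to the system",
                  frozenset({"Ex-employee"}),
                  closed_by=("Policies and procedures", "Technical controls")),
]


def live_pairs(threats, vulns):
    """Pairs where a threat meets an unmitigated vulnerability that exposes it.

    A threat with no matching weakness, or a weakness with no matching threat,
    never appears: both halves are required for a loss.
    """
    return [
        (t, v)
        for v in vulns if not v.mitigated
        for t in threats if t.source in v.exposed_to
    ]


def apply_mitigation(vulns, technique):
    """Return a new list in which every vulnerability closed by `technique`
    is marked mitigated. The threats themselves are untouched."""
    return [
        replace(v, mitigated=True) if technique in v.closed_by else v
        for v in vulns
    ]


def pair_report(threats, vulns):
    """One readable line per live pair: source -> action (via weakness)."""
    return [f"{t.source} -> {t.action} (via: {v.description})"
            for t, v in live_pairs(threats, vulns)]


if __name__ == "__main__":
    print("Live pairs before mitigation:")
    for line in pair_report(THREATS, VULNS):
        print("  ", line)
    after = apply_mitigation(VULNS, "Patch management")
    print("After patch management:")
    for line in pair_report(THREATS, after):
        print("  ", line)
```

Running the register shows three live pairs; applying "Patch management" drops the unpatched-system pair while the hacker threat itself remains in the threat list, which is exactly the point of the "Uncontrollable Nature of Threats" slide.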
Understanding and Managing Exploits
An exploit is the act of taking advantage of a vulnerability
Executes a command or program against an IT system to take advantage of a weakness
Results in a compromise to the system, an application, or data
Understanding and Managing Exploits (Cont.)
Attacks executed by code primarily affect public-facing servers:
Web servers
Simple Mail Transfer Protocol (SMTP) e-mail servers
File Transfer Protocol (FTP) servers
Exploits (figure): attacks on public-facing servers
Buffer overflow
SQL injection
DoS attack
DDoS attack
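The exploit definition above (a command executed against a system to take advantage of a weakness) shown for the SQL injection item, beside the "Include input validation" best practice from the threat-management slides. This is an added example, not code from the textbook or from Jones and Bartlett. It uses an in-memory SQLite table with two constructed rows; the function names and the allow-list rule for user names are assumptions made for illustration.

```python
"""SQL injection: a vulnerable lookup beside its hardened form.

Added example, not from the textbook. The sample table is constructed so
the code runs offline; the user-name allow-list is an assumed rule.
"""
import re
import sqlite3


def make_db():
    """Constructed sample table: two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The weakness: user input is spliced into the SQL text, so a quote in
    the input changes the statement's structure instead of staying data."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: a bound parameter is always treated as a value, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for the field (assumed rule): a lowercase letter followed by up
# to 31 lowercase letters, digits or underscores. Everything else is rejected
# before it reaches the database, independently of parameterization.
NAME_PATTERN = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_name(name):
    return NAME_PATTERN.fullmatch(name) is not None


def lookup_hardened(conn, name):
    """Input validation plus parameterization: two independent layers."""
    if not is_valid_name(name):
        raise ValueError("name rejected by input validation")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"   # not any user's name; contains a quote
    print("vulnerable:   ", lookup_vulnerable(conn, crafted))     # every row leaks
    print("parameterized:", lookup_parameterized(conn, crafted))  # no rows
    try:
        lookup_hardened(conn, crafted)
    except ValueError as exc:
        print("hardened:     ", exc)
```

The vulnerable function returns both rows for an input that matches no user, which is the "compromise to data" the slide describes; the parameterized query returns nothing for the same input, and the validated entry point refuses it before any query runs.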
Risk Mitigation Techniques for Protecting Public-Facing Servers
Remove or change defaults.
Reduce the attack surface.
Keep systems up to date.
Enable firewalls.
Risk Mitigation Techniques for Protecting Public-Facing Servers
Enable intrusion detection systems (IDSs)
Enable intrusion prevention systems (IPSs)
Install antivirus software
Best Practices for Managing Exploits
Harden servers.
Use configuration management.
Perform risk assessments.
Perform vulnerability assessments.
U.S. Government Risk Management Initiatives
The National Institute of Standards and Technology (NIST)
The Department of Homeland Security
The National Cybersecurity and Communications Integration Center (NCCIC)
U.S. Computer Emergency Readiness Team (US-CERT)
The MITRE Corporation – Common Vulnerabilities and Exposures (CVE) List
Relationships Among Organizations