CYBER SECURITY RISK MANAGEMENT ITEC433


Ransomware -

Encrypts files on an endpoint or server and demands a ransom, typically in bitcoin, in exchange for the encryption key.

Integrity

Ensures that information is not modified or destroyed without authorization.

Cyber Security Goal

ensure that the confidentiality, integrity, availability and accountability of the organization's resources (tangible and intangible) are maintained at an acceptable level.

Risk Components

•Threat - a possible danger to an asset
•Vulnerability - a weakness that a threat could exploit
•Losses occur when a threat exposes a vulnerability

Threat

-Any activity that represents a possible danger
-Any circumstance or event with the potential to adversely impact the confidentiality, integrity or availability of business assets

Risk Profile Includes: (OMB A-123 requires)

-Identification of Objectives
-Identification of Risk (a simple narrative statement)
-Inherent Risk Assessment
-Current Risk Response
-Residual Risk Assessment
-Proposed Risk Response
-Proposed Action Category

Cyber Criminals

-Target information that is of value to them, such as bank accounts, credit cards, or intellectual property that can be converted into money
-Often structured to operate like any well-run, legitimate business, with experts specialized in each area and position

To Identify Risks:

1. Identify threats
2. Identify vulnerabilities
3. Estimate the likelihood of a threat exploiting a vulnerability

NIST Cybersecurity Risk Management Framework (SP 800-37)

6 Steps:
1. Categorize information systems
2. Select and tailor security controls
3. Implement security controls
4. Assess security controls
5. Authorize information systems
6. Monitor security controls continuously

Vulnerability (Risk = Threat x Vulnerability)

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Vulnerabilities can be system specific, within governance structures, or related to external relationships.

Vulnerability = a weakness in an asset or the environment; a flaw in a system or business process.

Vulnerabilities can be mitigated to:
-Reduce the probability of occurrence
-Reduce the impact of loss

Enterprise Risk Management (ERM)

An agency-wide approach to addressing the full spectrum of significant risks by considering the combined array of risks as an interrelated portfolio rather than as silos.

Risk Types

-Aggregate Risk
-Inherent Risk
-Residual Risk

"Data" breach

An incident that resulted in confirmed disclosure of data to an unauthorized party, not merely exposure.

A threat is

Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information and/or denial of service. In short, the potential for an adverse effect.

Personally Identifiable Information (PII)

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Sources of Risks

-Business Interruption/Disaster Risk
-Compliance Risk
-Financial Risk
-Liquidity Risk
-Operational Risk
-Political Risk
-Regulatory Risk
-Strategic Risk

Cyber Security Risk - KEY Components AKA the CIA Triangle

-Confidentiality
-Integrity
-Availability
-Accountability

Impact

The consequence of an occurrence; the penalty incurred if the objective is not met.

Common Attackers

-Criminals
-Advanced persistent threats (APTs)
-Vandals
-Saboteurs
-Disgruntled employees
-Activists
-Nation states / other nations (espionage)

Threat - E-Mail Phishing Attack

E-mail phishing is an attempt to trick someone in the workplace into giving out information using e-mail.
-The inbound phishing e-mail includes an active link or file (often a picture or graphic).
-It appears to come from a legitimate source: a friend, co-worker, or personal e-mail address.
-Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer.
-Opening the link or file may result in malicious software being downloaded, or in access being provided to information stored on the computer or on other computers within the network.
-Typical sign: the message claims there is an immediate need for you to do something.
-Remember: no legitimate party will ask for your user name and password.

Unintentional Threats

-Environmental - weather, earthquakes, epidemics
-Human - errors
-Accidents - from minor mishap to major catastrophe
-Failures - equipment

Intentional Threats

-Greed - monetary gain, fraud
-Espionage - wanting information
-Anger - making victims pay a price
-Desire to damage - results in loss

WannaCry Ransomware

Impacted 300 countries and more than 300,000 computers worldwide. The cost could swell into the billions of dollars, making it one of the most damaging incidents involving ransomware.

"Philadelphia" Ransomware-as-a-Service

Web App Attacks - Injection

Injection is tricking an application into including unintended commands in the data sent to an interpreter. The interpreter takes strings and interprets them as commands. One of the most common forms is SQL injection. Injection attacks are usually severe: the entire database can usually be read or modified, and a successful attack could also expose the full database schema, grant account access, or even provide OS-level access.

•Probability:

The likelihood that an objective will not be met using the current plan.

Cyber Crime Black Market

-Payment card data
-Malware-infected computers or "bots"
-Malware and exploit kits
-Hacker services for hire
-Dark Web / Deep Web / Tor
-Ransomware-as-a-Service (RaaS) / Cybercrime-as-a-Service (CaaS)
-"Booters" or "stressers"

Data Breach Overview - Common Types

-Physical
-Electronic
-Skimming

Physical

Physical theft of documents or equipment containing cardholder account data such as receipts, files, and computer systems.

Risk Exposure

Probability x Impact

Ransomware

A class of malicious software designed to extort money from users by disabling important computer system functionality or by encrypting files on the infected device as well as on shared or networked drives.

Skimming

The capture and recording of the magnetic stripe data on the back of credit cards. This process uses an external device installed on a merchant's point-of-sale system to harvest customer data.

Residual risk

The risk that remains after controls are implemented (total risk minus the effect of controls).

Inherent Risk

The risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact

Threat x Vulnerability x Impact x Likelihood = RISK

Nature of Threats:

-Threats cannot be eliminated
-Threats are always present
-You can reduce the potential for a threat to occur
-You can reduce the impact of a threat
-You cannot affect the threat itself
-Examples: hackers, weather

Risk Management Goal

To maximize the output of the organization in terms of services, products, revenue, etc., while minimizing the chance of unexpected outcomes.

Electronic

Unauthorized access to a system or network environment where customer data is hosted, processed, stored, or transmitted.

Malware Threat

-Viruses
-Worms
-Trojans
-Spyware
-Ransomware

Example: a Microsoft patch is not applied

-Vulnerability = whatever the patch was fixing (network, data, etc.)
-Threat = someone may gain access to the network or data if the patch is not applied
-Likelihood = ??

Cyber Security "Rules"

When considering mitigations, controls and procedures to increase security, they should never be at the expense of human safety.

Cyber Security

Managing the risks to sensitive data and critical resources.

Accountability

The ability to trace activities back to the responsible source.

Hackers

Attempt to breach systems; motivation ranges from curiosity to malicious intent.
-White hat (ethical hackers)
-Black hat (crackers)
-Grey hat

Availability

Information and systems are available when needed.

Spyware

Can infect web browsers, making them nearly inoperable; may be disguised as a legitimate application; secretly records behavior and usage patterns.

Virus -

Commonly spread through file sharing, web downloads, and e-mail attachments.

Trojans -

Designed specifically to extract sensitive data from a network; may take control of the infected system and open a back door for the attacker to access later. Often used in the creation of botnets.

Sensitive PII

Personally Identifiable Information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Risk

The likelihood that a loss will occur.

Risk profile

A listing and assessment of the business's top risks.
-Provides thoughtful analysis of the risks a business faces in achieving its strategic objectives
-Assists in determining the aggregate level and types of risk that the business is willing to assume to achieve its strategic objectives

Confidentiality

Preventing unauthorized disclosure of information.

•Loss

Results in a compromise to business functions or assets that adversely affects the business.
-Compromise of business functions - the activities a business performs; can result in a loss of revenue
-Compromise of business assets - anything of measurable value, tangible or intangible
-A driver of business costs

Exploit

The act of taking advantage of a vulnerability, resulting in a compromise of the system, application, or data.

Risk Appetite

The amount of risk an organization is willing to accept after considering costs and benefits.

Threats can compromise

The confidentiality, integrity, and/or availability of information processed, stored, or transmitted by IT systems.

Aggregate Risk -

The total or cumulative amount of exposure associated with a specified risk.

Worms -

Unlike a virus, can spread through networks without human interaction.

Vulnerability

A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Losses occur

When a threat exposes a vulnerability.

Security incident

· Any event that compromised the confidentiality, integrity, or availability of an information asset.
· A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Risk Response Options

•Avoidance
•Share or transfer (e.g., insurance)
•Mitigation - reduce the vulnerability (likelihood or impact)
•Accept the risk - take no action

Examples of Threats

•Internal or external
•Natural or man-made
•Intentional or accidental

Risk Management

•The practice of identifying, assessing, controlling, and mitigating risks
•Risk management does NOT eliminate risks
•Not all risks are created equal or should be treated the same
•Goal - identify the risks and determine the appropriate actions

Risk Response

•The action taken to manage or treat the risks
•Not all risks are created equal or should be treated the same
•Goal - identify the risks and determine the appropriate actions
