Risk management
What is at risk
Networks: is someone on the network capturing traffic? Data: is it being taken or altered?
Does risk management eliminate risk?
No
Attacks
Acts or actions that exploit a vulnerability (an identified weakness), carried out by a threat agent that damages or steals the organization's information.
Threat
Any activity that represents a possible danger to, or loss of, confidentiality, integrity or availability (CIA).
Which of the following is true about a threat?
Any activity that represents a possible loss of CIA or presents a danger.
List the 5 steps of the Risk Management process
Asset identification; identify threats; identify vulnerabilities; assess risks; determine countermeasures.
Risk Management Process
Asset identification; identify threats; identify vulnerabilities; assess risks; determine countermeasures.
Best practices in threat assessment
Assume nothing
Sources for identifying vulnerabilities
Audits; certification and accreditation (ATO, OSA); system logs and scan reports; incident response investigations.
List four strategies for risk control:
Avoidance, transference, mitigation, acceptance.
Cost-benefit analysis (CBA)
A CBA begins by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised. Items that affect the cost of a control: cost of development, training fees, implementation cost, service costs, and cost of maintenance.
When identifying risk consider
CIA. Confidentiality: data at rest and in transmission. Integrity: versioning, change management. Availability: backups, required hours of operation.
Risk Management Process: Asset Identification
Assets can be: People (ID number, skills, clearance level); Data and information (data structure, creator/owner, online/offline location, backup procedures); Procedures (description, elements it is tied to, purpose, storage location); Software; Hardware. Attributes to record for hardware and software: name, IP address, MAC address, serial number, model, software version.
Information asset valuation
Critical (50-100): compromise of these assets would have grave consequences leading to mission failure.
High (13-50): compromise would have serious consequences that would impair operations for a significant period of time.
Medium (3-13): compromise would have moderate consequences that could impair operations for a limited time.
Low (1-3): compromise would have little or no impact.
Vulnerability Valuation
Critical (75-100%): no known countermeasures, and adversary capability exists.
High (50-74%): some countermeasures, but multiple weaknesses exist that could be exploited.
Medium (25-49%): effective countermeasures are in place, but adversaries can still exploit a weakness.
Low (0-24%): multiple layers of countermeasures exist, and few or no adversaries could exploit the asset.
A good risk management plan will eliminate all risks.
False
Documenting the results of risk assessment
The final summary is a ranked vulnerability risk worksheet detailing each asset, its impact, the vulnerability, the vulnerability's likelihood, and the risk rating factor. It is the input to the next step: assessing and controlling risk.
Vulnerability Identification
Human; Operational (insufficient security procedures); Informational; Facility (weak physical location or geography); Equipment.
Threat Categories
Human threats; natural threats; bring your own device (BYOD); cloud computing; big data.
To identify risks
Identify threats; identify vulnerabilities; estimate the likelihood of a threat exploiting a vulnerability.
Risk Mitigation Plan
Identify costs; implement countermeasures; verify that the countermeasures are effective; document the results in a plan of action and milestones (POA&M).
Human Threats
Internal or external. Internal: current or former employees. External: hackers, malware, DoS, terrorists.
Overview of risk management
Know yourself: understand the systems currently in place. Know the enemy: understand the threats to the organization.
Selecting a risk control strategy
The level of threat and the value of the asset play a major role in selecting a control method. Rules of thumb on strategy selection apply in these situations: •When a vulnerability exists •When a vulnerability can be exploited •When the attacker's cost is less than the potential gain •When the potential loss is substantial
What is risk? (cont.)
Its components: likelihood, threat, vulnerability, impact.
What is risk?
The likelihood that a loss will occur; the harm that may arise from some current process or future event; the process of understanding and responding to factors that may lead to a failure of CIA.
Risk Component: Losses
Losses occur when a threat exploits a vulnerability, resulting in a compromise of business functions or assets.
Types of attacks
Malware: viruses, worms, trojan horses, active web scripts, intended to destroy or steal information. DoS: sending a large number of connection or information requests to a target. Phishing: attempting to obtain personal or financial information from a person. Social engineering: exploits the fact that people are the weakest link.
Risk Management Process: Risk Control
Once the risk worksheet is complete, choose one strategy to control each risk: avoidance, transference, mitigation, or acceptance.
List at least three different categories of assets for an organization.
People; data and information; procedures; software; hardware.
Types of risk assessment
Quantitative and qualitative.
Risk Management Process: Identify Threats
Realistic threats need investigation; set aside unimportant ones.
Select the correct formula for calculating risk
Risk = Asset Value x Threat Rating x Vulnerability Rating
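An added example, not part of the original notes, that applies the formula above together with the page's asset and vulnerability valuation bands and produces the ranked vulnerability risk worksheet described under "Documenting the results of risk assessment". The inventory rows are constructed sample data; the only assumption beyond the page is that threat rating (likelihood, 1-100) and vulnerability rating (0-100%) are treated as percentages and scaled to 0-1 so the result stays on the asset's 1-100 scale (the ranking is the same with or without scaling).

```python
"""Risk scoring and ranked vulnerability risk worksheet (added example)."""
from dataclasses import dataclass
from typing import Optional

# Valuation bands as listed on the page. Upper bounds are inclusive; the asset
# bands overlap at 3, 13 and 50 exactly as the page gives them, and the higher
# band wins because it is checked first.
ASSET_BANDS = [("Critical", 50, 100), ("High", 13, 50), ("Medium", 3, 13), ("Low", 1, 3)]
VULN_BANDS = [("Critical", 75, 100), ("High", 50, 74), ("Medium", 25, 49), ("Low", 0, 24)]


def band_label(value, bands):
    """Return the label of the first band whose range contains value."""
    for label, low, high in bands:
        if low <= value <= high:
            return label
    raise ValueError(f"{value} falls outside every band")


@dataclass
class Row:
    asset: str
    asset_value: int                  # 1-100 on the page's asset valuation scale
    vulnerability: str
    vuln_rating: int                  # 0-100 percent on the vulnerability valuation scale
    likelihood: int                   # 1-100, probability of a successful attack (threat rating)
    control: str = ""                 # planned countermeasure, if any (assumption: one per row)
    vuln_after: Optional[int] = None  # vulnerability rating once the control is applied

    def risk(self, vuln_rating=None):
        """Risk = Asset Value x Threat Rating x Vulnerability Rating (the page's formula).
        Assumption: likelihood and vulnerability are percentages, scaled to 0-1."""
        v = self.vuln_rating if vuln_rating is None else vuln_rating
        return self.asset_value * (self.likelihood / 100) * (v / 100)

    def residual_risk(self):
        """Risk that remains after the control lowers the vulnerability rating;
        with no control the residual risk equals the total risk."""
        if self.vuln_after is None:
            return self.risk()
        return self.risk(self.vuln_after)


def ranked_worksheet(rows):
    """Sort rows by risk, highest first: the input to the risk control step."""
    return sorted(rows, key=lambda r: r.risk(), reverse=True)


# Constructed sample inventory; the first row mirrors the page's unapplied-patch example.
SAMPLE = [
    Row("Customer database server", 90, "Missing OS patch (privilege escalation)", 80, 70,
        control="Apply vendor patch", vuln_after=10),
    Row("Public web server", 40, "Outdated TLS configuration", 55, 60,
        control="Harden TLS policy", vuln_after=15),
    Row("Lobby kiosk", 5, "Default local admin password", 90, 30),
    Row("Engineering wiki", 20, "No backups of page history", 35, 20,
        control="Nightly backups", vuln_after=5),
]


def print_worksheet(rows):
    """Print the ranked worksheet with asset value, bands, likelihood, risk and residual risk."""
    print(f"{'Asset':<26}{'Val':>4} {'Band':<9}{'Vulnerability':<42}{'Vuln%':>5} "
          f"{'Band':<9}{'Lik%':>5}{'Risk':>7}{'Resid':>7}")
    for r in ranked_worksheet(rows):
        print(f"{r.asset:<26}{r.asset_value:>4} {band_label(r.asset_value, ASSET_BANDS):<9}"
              f"{r.vulnerability:<42}{r.vuln_rating:>5} {band_label(r.vuln_rating, VULN_BANDS):<9}"
              f"{r.likelihood:>5}{r.risk():>7.1f}{r.residual_risk():>7.1f}")


if __name__ == "__main__":
    print_worksheet(SAMPLE)
```

Note what the ranking shows: the kiosk carries a "Critical" vulnerability (90%) yet lands at the bottom of the worksheet because the asset value and likelihood are low, while the database patch, a "High" vulnerability on a "Critical" asset, dominates; that is the point of multiplying the three factors rather than ranking by any one of them.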
Qualitative Assessment
A subjective method that uses relative values based on expert opinion. Uses words such as low, moderate, high, and rates probability and impact.
Risk Appetite
The amount of risk an organization is willing to accept, considering costs and benefits. It drives decisions on allocation of resources, management controls, potential consequences, and impacts to other parts of the organization.
Threat and vulnerability order
A threat creates an attack; an attack exploits a vulnerability; an exploited vulnerability results in a loss.
Transference
Transfer the risk, or share it, with other assets, processes or organizations.
Most attacks occur by exploiting a vulnerability.
True
Not all risks are created equal or should be treated the same.
True
Risk Management Process: Vulnerability Identification
A vulnerability is anything that can be exploited to attack an asset. At the end of the risk identification process you will have a list of assets and their vulnerabilities.
Example: a Microsoft patch is not applied.
Vulnerability: the weakness the patch fixes. Threat: someone may gain access to the network if the patch is not applied. Likelihood: ??
Overlapping countermeasures
A vulnerability is a weakness and by itself does not present a risk; a threat by itself does not present a risk; risk arises when a threat exploits a vulnerability.
Information Asset valuation questions to consider
Which asset is most critical to the organization's success? Which generates the most revenue or profit? Which would be most expensive to replace or protect? Which would be the most embarrassing to lose or cause the greatest liability?
Questions to ask in Threat assessment
Which threats present a danger to assets? Which threat represents the most danger to information? How much would it cost to recover from an attack? Which threat requires the greatest expenditure to prevent?
Threat
Any activity that represents a possible danger to, or loss of, CIA; threats exploit vulnerabilities. When identifying threats, classify them as internal or external, natural or man-made, intentional or accidental.
Mission critical systems
Any system that must continue to run to ensure the business keeps operating.
Avoidance
Apply safeguards that eliminate the source of the risk or eliminate the exposure of assets to the risk; the aim is to prevent exploitation of the vulnerability. Three common methods: application of policy, training and education, and applying technology.
Risk Management Process: Risk Assessment
Evaluates the relative risk of each vulnerability and assigns a risk rating or score to each asset, based on the asset value, threat assessment and vulnerability assessment (HW chart). Goal: create a method for evaluating the relative risk of each listed vulnerability.
A good risk management strategy involves annual monitoring.
False
Goal of risk management
Identify the risks and determine the appropriate actions.
Risk Profile
A listing and assessment of the business's top risks.
Quantitative Assessment
An objective method that uses numbers with dollar values; it is essentially math problems, and requires data that takes time to gather.
Probability/Likelihood
The probability that a specific vulnerability will be the object of a successful attack. Assigned a value from 1 to 100.
Risk control
The process of taking carefully reasoned steps to ensure the confididentiality, integrity, and availability of the components of an information system.
Risk Analysis in Information Systems is primarily:
Qualitative
Mitigation
Reduce the impact of the risk, or reduce the vulnerability (its likelihood or impact), through planning and preparation. The approach includes three types of plans: incident response plan (IRP), disaster recovery plan (DRP), and business continuity plan (BCP).
Tips to identify threats
Review historical data and information on past threats. There is no guarantee that past threats will be repeated, and no guarantee that new threats won't appear. Think like an adversary.
Accept the risk
Take no action. Valid only when the value of the service, information or asset does not justify the cost of protecting it. Risk appetite describes the degree to which the organization is willing to accept risk.
Risk response
The action taken to manage or treat the risks. Not all risks are created equal or should be treated the same. Goal: identify the risks and determine the appropriate actions.
What is risk management?
The identification, assessment and prioritization of risks.
Residual Risk
The risk that remains after controls are applied: residual risk = total risk - controls.
Critical Business function
Vital to the organization; if it fails, the organization cannot perform essential operations and suffers monetary loss.
Vulnerability
A weakness in a system, procedure or internal control that could be exploited or triggered by a threat source.
Risk identification
•A risk management strategy enables identification, classification and prioritization of the organization's information assets. •Residual risk: the risk remaining to an information asset even after the existing controls are applied.
Minimizing risk
•Assess the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. •Determine the levels of information security appropriate to protect information and information systems. •Implement policies and procedures to cost-effectively reduce risks to an acceptable level. •Regularly test and evaluate information security controls and techniques to ensure effective implementation and improvement of such controls and techniques.
Summary (cont.)
•Risk management is a recognition that you cannot protect your company from everything. •It is about prioritization and the acceptance of risk. •IT should NOT decide how much residual risk is acceptable; that is a business decision.