Risk, Response, And Recovery Chapter 8
emerging threats
-new technology -changes in the culture of the organization or environment -unauthorized use of technology -changes in regulations and laws -changes in business practices. A proactive security professional watches for new threats that might trigger the need for a new risk review. The two most common sources of new threats today are cloud computing and virtualization. As organizations move toward outsourcing data and processing to cloud service providers, they encounter new threats, and these threats relate to both internal and external virtualization.
cloud threats
-violation of virtualization barriers -lack of access controls for outsourced resources -reliability of cloud or virtualization services -cloud service provider lock-in -insecure application programming interfaces -malicious insiders -account hijacking
safeguards
Address gaps or weaknesses in the controls that could otherwise lead to a realized threat.
gaming consoles
Computers that are optimized to handle graphics applications efficiently. Today most are connected to the internet and are exposed to new threats. Manufacturers do provide security patches, but not all users are diligent about keeping their systems updated.
static environments
Environments that do not change over time after deployment.
identify risks
The first part of identifying risk is asking what could go wrong. Answers include fires, floods, earthquakes, lightning strikes, loss of electricity or other utilities, labor strikes, and transportation unavailability.
qualitative risk assessment
Ranks risks based on their probability of occurrence and their impact on business operations. Impact is the degree of effect a realized threat would have, expressed on a scale from low (insignificant) to high (catastrophic). The rankings can be fairly subjective but do help determine the most critical risks; they require input from people who work in different departments. This allows you to understand the ripple effect a disruption has across the organization.
plan risk response
Start with the highest-priority risk and explore potential responses for each one. With direction from management, determine which response provides the best value.
implementing risk response
Take action to implement the chosen response to each risk from the previous step.
vehicle systems
Vehicles contain computing systems that monitor conditions, provide connectivity to the internet, provide real-time routing, and even control the vehicle's operation. These systems tend to be very difficult to upgrade or patch because of the effort required to take the vehicle to a service agent who can perform the maintenance.
countermeasures
An action, device, procedure, technique, or other measure that reduces the vulnerability of an information system.
event
A measurable occurrence that has an impact on the system.
monitor and control risk response
Monitor and measure each risk response to ensure that it is performing as expected. This includes passive monitoring and logging as well as active testing to see how a control actually behaves.
exploit
A positive-risk response: you take advantage of an opportunity that arises when you respond to a risk. For example, suppose your organization develops training material for internal use to help address a specific risk. You might exploit the risk by packaging and marketing that training to other organizations.
it's important to identify risks....
-before they lead to an incident -before they lead to countermeasures and controls -on a continuous basis across the life of the product, system, or project. You can never reduce risk to zero. You must identify the cost of each risk-handling method; in many cases a small risk reduction comes at a significantly high cost. Part of your job is to identify tolerable risk levels and apply controls that reduce risks to that level. You must focus some risk management effort on identifying new risks so you can manage them before a negative event occurs; part of this process is continually reevaluating risks to make sure you have put the right countermeasures in place.
risk management and information technology
-a central concern in information security -every action involves risk -attention to risk can mean the difference between success and failure for a business -organizations can't solve every problem, but they should balance the utility and cost of the various risk management options -different organizations have different risk tolerances -as a security professional, you will work with others to identify risks and apply risk management solutions -you must understand the true impact of a risk: a successful attack might result in immediate costs but might also cause customers to go to a competitor, so the true cost can be far higher than the immediate cost of cleanup -you must help create and/or maintain a plan that makes sure your company continues to operate in the face of disruption
risk response and recovery
-organizations are constantly changing -shareholders exert new pressures -organizations must maintain supply chains connecting their suppliers and their customers -staying competitive requires organizations to shift personnel, alter IT organizations, and rearrange logistics -any of these changes can increase risk; the structure of the organization must reflect the culture of the organization -invest in cost-effective plans to reduce risk
acceptance (positive risk)
When you accept a positive risk, you take no steps to address it, because the potential effects of the risk are positive and add value.
acceptance (negative risk)
Allows an organization to accept a risk. The organization knows the risk exists and has decided that the cost of reducing it is higher than the loss would be. This can include self-insuring or carrying a deductible.
transfer (transference/assignment)
This approach allows you to transfer the risk to another entity. Insurance is a common way to transfer risk: an organization sells the risk to an insurance company in return for a premium. Transferring risk can also insulate an organization from excessive liability.
calculate asset value (AV)
An asset can be tangible, like a building, or intangible, like reputation. The first step is to determine the organization's assets and their values. Asset value should consider the replacement value of equipment or systems, and it should include factors such as lost productivity.
elements of risk
Assets, vulnerabilities, and threats are the elements of risk. -new threats emerge and add to existing ones -as these factors change over time, risk changes as well -you should perform risk reassessments to identify new or changed risks
avoid
Deciding not to take the risk; for example, a company decides not to enter a line of business whose risk level is too high. With avoidance, management decides that the potential loss to the company exceeds the potential value gained by continuing the risky activity.
quantitative risk assessment
Puts a dollar value on each risk. Many risk values are difficult to measure; these include reputation and the availability of countermeasures. Exact numbers can be difficult to determine, especially for the cost of the impact of future events. Quantitative assessments are easier to automate than qualitative assessments and are based on the severity of the risk. A solid risk assessment uses both techniques: qualitative risk analysis gives you a better understanding of the overall impact a disruption will have as the effects ripple through the organization. It often leads to better
incident
Any event that either violates or threatens to violate security policy. For example, employee theft from a warehouse is an incident. Incidents are events that justify a countermeasure.
vulnerability
Any exposure that could allow a threat to be realized. Some vulnerabilities are weaknesses, and some are just side effects of other actions, such as allowing employees to use their smartphones to connect to the corporate network.
threat
Something generally bad that might happen. A threat could be a tornado hitting your data center or an attacker stealing your database of customer data.
risk
The likelihood that a particular threat will be realized against a specific vulnerability. Most risks lead to possible damage or negative results that could harm your organization, but not all risks are inherently bad; some can lead to positive results. The extent of the damage, or of the positive effect, from a realized threat determines the level of risk.
reduce (reduction/mitigation)
Mitigate or reduce identified risks by applying controls. These controls might be administrative, technical, or physical. For example, adding antivirus software reduces the risk of computer infection.
mobile devices
Mobile operating system patches and upgrades are available and easy to apply, but not all users update their devices. Bad experiences with prior upgrades may keep users from applying needed patches, which leaves unpatched mobile endpoints exposed to threats.
assess risks
Not all organizations face the same risks; the risks depend on location and scenario. It's important to determine which risks are the most important ones.
impact
Refers to the amount of harm a threat exploiting a vulnerability can cause. For example, a virus that could affect all the data on a system has a high impact.
calculate the exposure factor (EF)
Represents the percentage of the asset value that would be lost if an incident occurs. For example, a car accident
controls
safeguards and countermeasures
embedded systems
Small computers that are contained in larger devices. The components are often enclosed in a chassis that houses the rest of the device, which can include other hardware and mechanical parts. For example, a robotic vacuum contains an embedded system that controls its movement. The embedded computer is not easily accessible and is difficult to update with security patches.
mainframes
Large computers that exist primarily in the data centers of large organizations. They handle large-scale data processing and are expensive to maintain. Downtime is expensive and discouraged, so there are rarely opportunities to apply security patches until a scheduled downtime window approaches.
risk register
The result of the risk identification process is a list of identified risks. Each entry includes: -a description of the risk -the expected impact if the associated event occurs -the probability of the event occurring -steps to mitigate the risk -steps to take should the event occur -the rank of the risk
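As an added worked example (not part of these notes), here is a small Python risk register that records the fields listed above, ranks entries qualitatively by probability × impact as in the qualitative risk assessment card, and puts a dollar value on each using AV and EF as in the quantitative cards. The single loss expectancy (SLE = AV × EF), the annual rate of occurrence (ARO) and the annualized loss expectancy (ALE = SLE × ARO) are the standard quantitative risk formulas and are assumed here, since this page names only AV and EF; the sample risks, their numbers, and the accept-or-reduce rule at the end are constructed for illustration and are not from the notes.

```python
"""Minimal risk register with qualitative ranking and quantitative
loss estimates.  Added example: the register fields follow the notes,
the SLE/ARO/ALE formulas are the standard quantitative-risk ones, and
the accept-or-reduce rule at the end is a hypothetical decision rule."""
from __future__ import annotations

from dataclasses import dataclass, field

# Qualitative scales as used in the notes: probability and impact each
# rated from 1 (low / insignificant) to 5 (high / catastrophic).
SCALE = range(1, 6)


@dataclass
class Risk:
    description: str
    probability: int          # qualitative likelihood, 1..5
    impact: int               # qualitative impact, 1..5
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0..1)
    aro: float                # assumed field: incidents per year
    mitigation: list[str] = field(default_factory=list)  # steps to mitigate
    response: list[str] = field(default_factory=list)    # steps if it happens

    def __post_init__(self) -> None:
        # Reject entries that cannot be ranked or priced sensibly.
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError("probability and impact must be 1..5")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def qualitative_score(self) -> int:
        """Probability x impact, the usual qualitative ranking key."""
        return self.probability * self.impact

    def sle(self) -> float:
        """Single loss expectancy: AV x EF, the loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def rank_register(register: list[Risk]) -> list[tuple[int, Risk]]:
    """Return (rank, risk) pairs, highest qualitative score first; ties
    are broken by ALE so the dollar view separates equal scores."""
    ordered = sorted(register,
                     key=lambda r: (r.qualitative_score(), r.ale()),
                     reverse=True)
    return [(i + 1, r) for i, r in enumerate(ordered)]


def recommend_response(risk: Risk, control_cost_per_year: float,
                       residual_aro: float) -> str:
    """Hypothetical decision rule: a control that costs more per year than
    the ALE it removes is rejected and the risk is accepted instead."""
    residual_ale = risk.sle() * residual_aro
    saved = risk.ale() - residual_ale
    return "reduce" if saved > control_cost_per_year else "accept"


# Constructed sample register (numbers are illustrative only).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", 4, 5, 200_000, 0.6, 0.5,
         ["offline backups", "patch file-sharing service", "endpoint AV"],
         ["isolate server", "restore from backup"]),
    Risk("Flood in data center", 1, 5, 1_000_000, 0.8, 0.02,
         ["raise equipment off the floor", "flood sensors"],
         ["fail over to DR site"]),
    Risk("Laptop lost in transit", 4, 2, 2_000, 1.0, 3.0,
         ["full-disk encryption"],
         ["remote wipe", "revoke credentials"]),
]

if __name__ == "__main__":
    for rank, r in rank_register(SAMPLE_REGISTER):
        print(f"{rank}. {r.description}: score={r.qualitative_score()} "
              f"SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    # Ransomware control: 15,000/year, cuts ARO from 0.5 to 0.1.
    print(recommend_response(SAMPLE_REGISTER[0], 15_000, 0.1))   # reduce
    # Flood control: 50,000/year, cuts ARO from 0.02 to 0.005.
    print(recommend_response(SAMPLE_REGISTER[1], 50_000, 0.005)) # accept
```

The second recommendation is the situation the acceptance card describes: the flood control would save about 12,000 a year in expected loss but costs 50,000, so the cost of reducing the risk exceeds the loss and the risk is accepted (or self-insured) instead.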
purpose of risk management
To identify possible problems before something bad happens. -early identification is important because it gives you the opportunity to manage those risks instead of just reacting to them
share
When you share a positive risk, you use a third party to help capture the opportunity associated with that risk. For example, banding together with another organization to purchase a group of workstation licenses enables both organizations to take advantage of a reduced price by buying them as a bundle.
