1.3 Risk Assessment

What steps might you take to develop an overview of your company's problems?

1) Interview the department heads and the data owners to determine what information they believe requires additional security and to identify the existing vulnerabilities from their perspective. 2) Evaluate the network infrastructure to determine known vulnerabilities and how you might counter them. 3) Perform a physical assessment of the facility to evaluate what physical risks must be countered.

privacy impact assessment (PIA)

A PIA is often associated with a business impact analysis, and it identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization. The Department of Homeland Security (DHS), for example, uses it to identify and mitigate privacy risks by telling the public what personally identifiable information (PII) it collects, why it is collected, and how it is used, accessed, shared, safeguarded, and stored. According to the DHS, a PIA needs to do three things: ensure conformance with applicable legal, regulatory, and policy requirements for privacy; determine risks and effects; and evaluate protections and alternative processes to mitigate potential privacy risks.

Risk Avoidance

A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact.

Risk Acceptance

A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.

Risk Transference

A risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response.

the single loss expectancy. SLE can be divided into two components:

AV (asset value): the value of the item EF (exposure factor): the percentage of it threatened

Risks Associated with Virtualization

Breaking Out of the Virtual Machine Intermingling Network and Security Controls

Data Integration/Segregation

Data Integration/Segregation Just as web-hosting companies usually put more than one company's website on a server in order to be profitable, data-hosting companies can put more than one company's data on a server. To keep this from being problematic, you should use encryption to protect your data. Be aware of the fact that your data is only as safe as the data with which it is integrated. For example, assume that your client database is hosted on a server that another company is also using to test an application that they are creating. If their application obtains root-level access at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to access data on the server for which they are not authorized, such as your client database. Data segregation is crucial; keep your data on secure servers. Data integration is equally important. Make sure that your data is not comingled beyond your expectations. It is not uncommon in an extranet to pull information from a number of databases in order to create a report. Those databases can be owned by anyone connected to the extranet, and it is important to make certain that the permissions on your databases are set properly to keep other members from accessing more information than you intended to share.

Regulatory Compliance

Depending on the type and size of your organization, there are any number of regulatory agencies' rules with which you must comply. If your organization is publicly traded, for example, you must adhere to Sarbanes-Oxley's demanding and exacting rules, which can be difficult to do when the data is not located on your servers. Make sure that whoever hosts your data takes privacy and security as seriously as you do.

User Privileges

Enforcing user privileges can be fairly taxing. If the user does not have least privileges (addressed later in this chapter), then their escalated privileges could allow them to access data to which they would not otherwise have access and cause harm to it—intentional or not. Be cognizant of the fact that you won't have the same control over user accounts in the cloud as you do locally, and when someone locks their account by entering the wrong password too many times in a row, you or they could be at the mercy of the hours that the technical staff is available at the provider.

cloud computing

Hosting services and data on the Internet instead of hosting it locally. Some examples of this include running office suite applications such as Office 365 or Google Docs from the web instead of having similar applications installed on each workstation; storing data on server space, such as Google Drive, SkyDrive, or Amazon Web Services; and using cloud-based sites such as Salesforce.com.

Breaking Out of the Virtual Machine

If a disgruntled employee could break out of the virtualization layer and were able to access the other virtual machines, they could access data that they should never be able to access.

IaaS

Infrastructure as a Service The Infrastructure as a Service (IaaS)

Mean time to failure (MTTF)

Mean Time to Failure: Similar to MTBF, the mean time to failure (MTTF) is the average time to failure for a nonrepairable system. If the system can be repaired, the MTBF is the measurement to focus on, but if it cannot, then MTTF is the number to examine. Sometimes, MTTF is improperly used in place of MTBF, but as an administrator you should know the difference between them and when to use one measurement or the other.

Mean Time to Restore (MTTR)

Mean Time to Restore The mean time to restore (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs. (This is often also referenced as mean time to repair.) In the case of a computer system, if the MTTR is 24 hours, this tells you that it will typically take 24 hours to repair it when it breaks.

Acting on Your Risk Assessment

Once you've identified and assessed the risks that exist, for the purpose of the exam, you have four possible responses that you can choose to follow: risk avoidance, risk transference, risk mitigation, risk acceptance

Two types of testing that can help identify risks:

Penetration testing and Vulnerability testing. They are particularly useful with identifying threats associated with authorization.

three different ways of implementing cloud computing

Platform as a Service The Platform as a Service (PaaS) Software as a Service The Software as a Service (SaaS) Infrastructure as a Service The Infrastructure as a Service (IaaS)

PaaS model

Platform as a Service The Platform as a Service (PaaS) model

Recovery Point Objective

Recovery Point Objective The recovery point objective (RPO) is similar to RTO, but it defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO matches the item of the crash, the more expensive it is to obtain.

Risk-related issues associated with cloud computing

Regulatory Compliance User Privileges Data Integration/Segregation

Risk assessment deals with...

Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself.

Risk assessment is also known as...

Risk assessment is also known as risk analysis or risk calculation.

The chief components of a risk assessment

Risks to Which the Organization Is Exposed Risks That Need Addressing Coordination with BIA

Formula for computing Risk Assessment

SLE x ARO = ALE SIngle Loss Expectancy x Annualized Rate of Occurrence = Annual Loss Expectancy

SaaS

Software as a Service The Software as a Service (SaaS) model

Risk Calculations

The calculations to determine the impact an event could have

ARO

The likelihood, often drawn from historical data, of an event occurring within a year: the annualized rate of occurrence.

Mean Time Between Failures (MTBF)

The measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, it's a bonus for your organization. MTBF is helpful in evaluating a system's reliability and life expectancy.

Recovery Time Objective

The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during BIA creation.

Risks That Need Addressing

The risk assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility.

Coordination with BIA

The risk assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation facing it. It allows an organization to make intelligent decisions about how to respond to various scenarios.

Threat Vectors

The term threat vector is the way in which an attacker poses a threat. This can be a particular tool that they can use against you (a vulnerability scanner, for example) or the path(s) of attack that they follow. Under that broad definition, a threat vector can be anything from a fake email that lures you into clicking a link (phishing) or an unsecured hotspot (rouge access point) and everything in between.

Intermingling Network and Security Controls

The tools used to administer the virtual machine may not have the same granularity as those used to manage the network. This could lead to privilege escalation and a compromise of security.

Risks to Which the Organization Is Exposed

This component allows you to develop scenarios that can help you evaluate how to deal with these types of risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way for it to respond to them.

annual loss expectancy (ALE) value

This is a monetary measure of how much loss you could expect in a year.

Likelihood

Usually self-explanatory; however, actual values can be assigned to likelihood. The National Institute of Standards and Technology recommends viewing likelihood as a score representing the possibility of threat initiation.

Computing Risk Assessment

When doing a risk assessment, one of the most important things to do is to prioritize. Not everything should be weighed evenly, because some events have a greater likelihood of happening. In addition, a company can accept some risks, whereas others would be catastrophic for the company.

Risk Mitigation

a process whereby the organization takes concrete actions against risks, such as implementing controls and developing a disaster recovery plan

Virtualization

consists of allowing one set of hardware to host multiple virtual machines. It is in use at most large corporations, and it is also becoming more common at smaller businesses.

Four Responses to an identified and assessed risk.

four possible responses that you can choose to follow: risk avoidance, risk transference, risk mitigation, risk acceptance

Most virtualization-specific threats focus on the...

hypervisor

Platform as a Service The Platform as a Service (PaaS) model

is also known as cloud platform services. In this model, vendors allow apps to be created and run on their infrastructure. Two well-known models of this implementation are Amazon Web Services and Google Code.

SLE

is another monetary value, and it represents how much you could expect to lose at any one time: the single loss expectancy.

privacy threshold assessment (PTA)

is more commonly known as an "analysis" rather than an "assessment." This is the compliance tool used in conjunction with the PIA.

Software as a Service The Software as a Service (SaaS) model

is the one often thought of when users generically think of cloud computing. In this model, applications are remotely run over the web. The big advantages are that no local hardware is required (other than that needed to obtain web access) and no software applications need to be installed on the machine accessing the site. The best-known model of this type is Salesforce.com. Costs are usually computed on a subscription basis.

Hypervisor

is the virtual machine monitor—that is, the software that allows the virtual machines to exist.

Infrastructure as a Service The Infrastructure as a Service (IaaS)

model utilizes virtualization, and clients pay a cloud service provider for resources used. Because of this, the IaaS model closely resembles the traditional utility model used by electric, gas, and water providers. GoGrid is a well-known example of this implementation.

Two privacy-related concepts:

privacy impact assessment (PIA) privacy threshold assessment (PTA).

Vulnerability

vulnerability is a weakness that could be exploited by a threat.