Chapter 20: Risk Management

Binary Assessment

2 possible outcomes for impact and probability.

Compensating

A compensating control is one that is used to meet a requirement when the requirement cannot be met. Fire suppression systems do not stop damage, but if properly employed, they can be mitigate or limit the level of damage from fire.

Risk Register

A risk register is a list of the risks associated with a system. It can also contain additional information associated with the risk element, such as the category to group like risks, probability of occurrence, impact to the organization, mitigation factors, and other data.

Residual Risk

A risk that remains after risk responses have been implemented. accepted risk.

Annualized Loss Expectancy (ALE)

ALE is how much a loss is expected to cost per year

Annualized Rate of Occurrence (ARO)

ARO is the frequency with which an event is expected to occur on an annualized basis.

Risk Assessment

Aka Risk Analysis, is the process of analyzing an environment to identify the risks (threats and vulnerabilities) and mitigating actions to determine (either quantitatively or qualitatively) the impact of an event that would affect a project, program, or business.

Step 3: Impact Determination and Quantification

An impact is the loss created when a threat exploits a vulnerability. Impacts can be either tangible or intangible. a tangible impact results in financial loss or physical damage. For an intangible impact, assigning a financial value of the impact can be difficult. Tangible impacts include: -Direct loss of money -Endangerment of staff or customers -Loss of business opportunity -Reduction in operational efficiency on performance -Interruption of a business activity Intangible impacts include: -Breach of legislation or regulatory requirements -Loss of reputation or goodwill -Breach of confidence

Asset

Any resource or information an organization needs to conduct it's business.

Business Impact Analysis (BIA)

Business Impact Analysis (BIA) is the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise

Gray Box Testing

Gray box Testing is a combination of white and black box testing. They have some knowledge of the systems they are examining.

Step 1: Asset Identification

Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats. Use a classification that fits your business. This classification leads to the ability to prioritize assets, systems, and processes and to evaluate the costs of addressing the associated risks. Assets can include the following: -Inventory -Buildings -Cash -Information and Data -Hardware -Software -Services -Domains -Documents -Personnel -Brand Recognition -Organization Reputation -Goodwill

Exposure Factor

Is a measure of magnitude of loss of an asset. It is used in the calculation of single loss expectancy.

Vulnerability

Is any characteristic of an asset that can be exploited by a threat to cause harm. A vulnerability can also be the result of a lack of security controls or weaknesses in controls.

Threat

Is any circumstances or event with the potential to cause harm to an asset.

Systemic Risk

Is the chance of loss that is predictable under relatively stable circumstances. Examples such as fire, wind, flood, produces losses, that in the aggregate over time, can be accurately predicted despite short term fluctuations.

Unsystemic Risk

Is the chance of loss that is unpredictable in the aggregate because it results from forces difficult to predict.

Threat Actor

Is the entity behind a threat. (agent)

Catalog of controls:

NIST provides a catalog of controls in its NIST SP 800-53 series. Note: The last 3 descriptors of controls - technical, administrative, and physical - are separate from the previous descriptors and can be used independently of them. It is possible to have a control that is a technical physical preventative control (or a door lock).

Property

Property damage can be the result of unmitigated risk. This includes property damage to company owned property, property damage to property of others, and even environmental damage from toxic releases in industrial settings

Mitigate

Refers to taking action to reduce the likelihood of a threat occurring and/or to reduce the impact if a threat does occur.

Impact

Risk is the chance of something not working as planned. Impact is the cost associated with a realized risk. Impact can occur in many forms, including human life as in injury or death, property loss, or loss of reputation.

System Testing

Systems can be tested in a variety of ways. One method of describing the test's capabilities relates to the information given to the tester. Testers can have varying levels of detail, from complete knowledge of a system and know how it works to zero knowledge.

Single Life Expectancy (SLE)

The Single Life Expectancy is calculated using the following formula: SLE = Asset Value (AV) X Exposure Factor (EF)

Supply Chain Assessment

The analysis of risk in a supply chain has become an important issue in our connected society. The term supply chain assessment describes the process where these risks are determined and explored.

Annualized Rate of Occurrence (ARO)

The annualized rate of occurrence is a representation of the frequency of the event, measured in a standard year. If the event is expected to occur once in 20 years, then the ARO = 1/20.

Probability/Threat Likelihood

The probability or likelihood of an event is a measure of how often it is expected to occur. From a qualitative assessment, using terms such as frequent, occasionally, rare, and quantitative measure ARO, the purpose is to allow scaling based on the frequency of an event. Determining the specific probabilities of security events with any accuracy is a nearly impossible feat. What is important in the use of probabilities and likelihoods is the relationship they have with respect to determining relative risk. When examining risk, the probability or threat likelihood plays a significant role in the determination of risk and mitigation options.

Life

There are IT systems that are involved in medicine, and failures of these systems can and has resulted in injury and death to patients

False Results

Tools are not perfect. Sometimes they will erroneously report things as an issue when they really are not a problem, and other times they won't report an issue at all.

Passive vs Active Tools

Tools can be classified as active or passive. Active tools = can be detected (loud) Passive tools = interact with systems in a manner that would not permit detection (quiet)

Threat Vector

is a method used to effect a threat - for example, malware (threat) that is delivered via a watering hole attack (vector). aka how (methodology) or routes taken to exploit.

Detective

A detective control is one that facilitates the detection of a security breach. Detective controls act during an event, alerting operators to specific conditions. example: flood lights with sensors or IDS.

Deterrent

A deterrent control acts to influence the attacker by reducing the likelihood of success. Note that a deterrent control must be one that has to be known to a person for it to be effective. example: Camera system with a sign

Single Point of Failure

A key principle of security is defense in depth. This layered approach to security is designed to eliminate any specific single pints of failure. A single point of failure is any aspect that if triggered could result in the failure of a system.

Identification of Critical Systems

A part of identifying mission essential functions is identifying the systems and data that support the functions. Identification of Critical Systems enable the security team to properly prioritize defenses to protect the systems and data in a manner equivalent with the associated risk.

Physical

A physical control is one that prevents specific physical actions from occurring; Physical controls prevent specific human interaction with a system and are primarily designed to prevent accidental operation of something. Physical controls act before an event, preventing it from actually occurring.

Preventative

A preventative control is one that prevents specific actions from occurring: for example, a mantrap prevents piggybacking/tailgating

Technical

A technical control is the use of some form of technology to address a physical security issue. Biometrics are examples of technical controls

Threat Vectors

A threat is any circumstance or event with the potential to cause harm to an asset. Threats can be classified into groups, with the term threat vector describing the elements of these groups. A threat vector is the path or tool used by an attacker to attack a target (method). There is a wide range of threat vectors that a security professional needs to understand. -The web (fake sites, session hijacking, malware, watering hole attack) -Wireless unsecured hotspots -Mobile devices (ios/andriod) -USB (removable) media -Email (links, attachment, malware) -Social engineering (deceptions, hoaxes, scams, fraud) This list is merely a sample of threat vectors. The use of insurance type of actuarial models for risk determination is useful when risks are independent, such as in auto accidents. But controls need to be added when a factor becomes less independent such as a bad driver. In cyber Security, once an attack is successful, it is repeatedly employed against a victim, breaking this lessens the true usefulness of the insurance type actuarial models in cybersecurity practice.

Credentialed vs Noncredentialled

A vulnerability scanner can be programmed with the credentials of a system, giving it the same access as an authorized user. This is assumed to be easier than running the same tests without credentials, widely considered to be a more real-world attempt. Credentialed scans will be more accurate in determining whether the vulnerabilities exist because they are not encumbered by access controls. Noncredentialled scans demonstrate what the system may be vulnerable to against an outside attacker without access to a user account.

Step 2: Threat Assesment

After identifying the assets, you identify both the possible threats and the possible vulnerabilities associated with each asset and the likelihood of their occurrence. Threats can be defined as any circumstance or event with the potential to cause harm to an asset. -Natural disaster -Man made disaster -Internal vs External -Terrorism -Errors -Malicious damage or attacks -Fraud -Theft -Equipment or software failure Vulnerabilities are characteristics of resources that can be exploited by a threat to cause harm. common classes of vulnerabilities include: -Unprotected facilities -Unprotected computer systems -Unprotected data -Insufficient procedure and controls -Insufficient or unqualified personnel

Administrative

An administrative control is a policy or procedure used to limit physical security risk. Instructions to guards act as administrative controls.

Business dependencies

An area often overlooked in risk assessment is the need to address business dependencies - each organization must asses risks caused by other organizations with which it interacts. This occurs when the organization is either a consumer or a supplier to other organizations (or both).

Risk Management Best Practices

Best Practices are the best defenses that an organization can employ in any activity. One manner of examining best practices is to ensure that the business has a set of the best practices to cover its operational responsibilities. At a deeper level, the details of these practices need to themselves be best practices if you are to get the best level of protection. At a minimum, risk mitigation best practices include business continuity, high availability, fault tolerance, and disaster recovery concepts. None of these operate in isolation. They are all interconnected, sharing elements that work together to achieve a common purpose: the security of data in an enterprise, which is measured in terms of risk exposure. Key elements of best practices include understanding vulnerabilities, understanding threat vectors and the likelihood of occurrence, and the use of mitigation techniques to reduce the residual risk to manageable levels.

Change Management

Change Management has its roots in system engineering and looks at the overall view of the system's components and processes. Configuration management applies to a lower level of detail, specifically, the actual configuration of components, such as hosts, devices, etc. It is normal for an enterprise to have a change control board to approve all production changes and ensure the change management procedures are followed before changes are introduced to a system. Note: Change management ensures proper procedures are followed when modifying the IT infrastructure

Types of controls:

Controls can be classified based on the types of actions they perform. Three classes of controls exists. -Management or Administrative -Technical or Logical -Physical or Operational For each of these classes, there are 6 types of controls. 1. Deterrent (Used to discourage occurrence) 2. Preventative (Used to avoid occurrence) 3. Detective (Used to detect or identify occurrence) 4. Corrective (Used to correct or restore controls) 5. Recovery (Used to restore resources, capabilities, or losses) 6. Compensating (Used to mitigate when direct control is not possible)

Reputation

Corporate reputation is important in marketing. Notes: Risk is instantiated as impact. Impacts can have effects on life, property, safety, reputation, and finances. Typically multiple impacts occur from an incident, and finance always pays the bill. Be prepared to parse a question to determine its risk, impact, or specific consequences.

Corrective

Corrective controls are used post event, in an effort to minimize the extent of damage. Backups are a prime example of a corrective control because they can facilitate rapid resumption of operations.

Cost Effective Modeling

Cost effective modeling assumes you are incurring a cost and focuses on the question of what the value of that cost is. This is a rational means of economic analysis used to determine the utility of a specific strategy. It is a nearly forgone conclusion you will be spending resources on security; it's just a question of what you get for your money. The Total Cost Of Ownership (TCO) is the set of all costs, including everything form capital costs to operational and exception handling costs, that is associated with a technology. It is important to note the differences between normal operational costs and exception handling. Exception handling is always more expensive. The objective in risk management is to have a set of overlapping controls such that the TCO is minimized. This means that the solution has a measured effectiveness across the risk spectrum. This is where the compliance versus security debate becomes interesting. You establish compliance rules for a variety of reasons, but once established, their future effectiveness depends upon the assumption that the same risk environment exists as when they were created. Should the risk, the value, or the impact change over time, the cost effectiveness of the compliance directed control can shift, frequently in a negative fashion.

Data Loss or Theft

Data is the primary target of most attackers. The value of the data can vary, making some data more valuable and hence more at risk of theft. Data can also be lost through a variety of mechanisms, with hardware failure, operator error, and system errors being common issues. Backups lead the list of actions because backups can provide the ultimate protection against loss. To prevent theft, a variety of controls can be employed. Some are risk mitigation steps, such as data minimization, which is the act of not storing what is not needed. It if must be stored and has value, then technologies such as data loss prevention can be used to provide a means of protection. Simple security controls such as firewalls and network segmentation can also act to make data theft more difficult.

Escalation of Privileges

Escalation of privileges is the movement to an account that enables root or higher level privilege. Typically this occurs when a normal user account exploits a vulnerability on a process that is operating with root privilege, and as a result of the specific exploit, the attacker assumes the privileges of the exploited process at the root level. Once this level of privilege is achieved, additional steps are taken to provide persistent access back to the privileged level. With root access, things such as log changes and other changes are possible, expanding the ability of the attacker to achieve their objective and to remove information, such as logs that could lead to the detection of the attack.

Finance

Finance is in many way the final arbiter of all activities because it is how people keep score. You can measure the gains through sales and profit and losses through unmitigated risk. Where this becomes an issue is when the impacts exceed the expected costs associated with the planned residual risks because then the costs directly impact profit.

Identify Lack of Security Controls

If a vulnerability is exposed to the vulnerability scanner, then a security control is needed to prevent the vulnerability from being exploited. As vulnerabilities are discovered, the specific environment of each vulnerability is documented. As the security vulnerabilities are all known in advance, the system should have controls in place to protect against exploitation.

Software Engineering Institute Model

In an approach tailored for managing risk in software projects, SEI uses the following paradigm. Although the terminology varies slightly from the previous model, the relationships are apparent, and either model can be applied wherever risk management is used. 1. Identify = look for risks before they become problems 2. Analyze = convert the data gathered into information that can be used to make decisions. Evaluate impact, probability, and timeframes of risks. classify and prioritize each risk 3. Plan = Review and evaluate the risks and decide what actions to take to mitigate them. Implement mitigations 4. Track = Monitor the risks and the mitigation plans. Review periodically to measure progress and identify new risks. 5. Control = Make corrections for deviations from the risk mitigation plans. Correct products and processes as required.

Step 4: Control Design and Evaluation

In this step, you determine which controls to put in place to mitigate the risks. Controls (aka countermeasures or safeguards) are designed to control risk by reducing vulnerabilities to an acceptable level. Controls can be actions, devices, or procedures. As discussed earlier, they can be a deterrent, preventative, detective, or corrective.

Impact

Is the loss (or harm) resulting when a threat exploits a vulnerability. A malicious hacker (threat agent) uses an XSS tool (threat vector) to hack your unpatched web site (vulnerability), stealing credit card info (threat) that is then used fraudulently. The credit card company pursues legal recourse against your company to recover the losses from the credit card fraud (the impact).

Risk Management

Is the overall decision making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective for controlling these risks.

Quantitative Risk Assesment

Is the process of objectively determining the impact of an event that affects a project, program, or business. Completing the assessment usually involves the use of metrics and models.

False Negative

Is when a scanner fails to report a vulnerability that actually does exist: the scanner simply missed the problem or didn't report it as a problem.

Adding Objectivity to a Quantitative Assessment

It is possible to move a qualitative assessment to a more quantitative one. This can be achieved by simply assigning numeric values to one of the tables below

Qualitative vs Quantitative Risk Assessment

It is recognized throughout industry that it is impossible to conduct risk assessment that is purely quantitative. Usually risk management includes both qualitative and quantitative elements, requiring both analysis and judgement or experience. In contrast to quantitative assessment, it is possible to accomplish purely qualitative risk management. It is easy to see that it is impossible to define and quantitatively measure all factors that exist in a given risk assessment

Tools:

Many tools can be used to enhance the risk management process. The following tools can be used during the various phases of risk assessment to add objectivity and structure to the process: -Affinity Grouping = a method of identifying items that are related and then identifying the principle that ties them together. -Baseline Identification and Analysis = the process of establishing a baseline set of risks. It produces a "snapshot" of all the identified risks at a given point in time. -Cause and Effect analysis = identifying relationships between a risk and the factors that can cause it. This is usually accomplished using Fishbone Diagrams. -Cost/Benefit Analysis = A straight forward method for comparing cost estimates with the benefits of a migration strategy -Gant Charts = A management tool for diagramming schedules, events, and activity duration. -Interrelationship Diagraphs = a method for identifying cause and effect relationships by clearly defining the problem to be solved, identifying the key elements of the problem, and then describing the relationships between each of the key elements. -Pareto Charts = A histogram that ranks the categories in a chart form most frequent to least frequent, thus facilitating risk prioritization. -Program Evaluation and Review Technique (PERT) Charts = a diagram depicting interdependencies between project activities, showing the sequence and duration of each activity. When complete, the chart shows the time necessary to complete the project and the activities that determine that time (critical path). -Risk Management Plan = a comprehensive plan documenting how risks will be managed on a given project. It contains processes, activities, milestones, organizations, responsibilities, and details of each major risk management activity and how it is to be accomplished. It is an integral part of the project management plan.

Risk Calculation

More complex models permit a variety of analyses based on statistical and mathematical models. A common method is the calculation of the Annualized Loss Expectancy. Calculating the ALE creates a monetary value of the impact. This calculation begins by calculating a single loss expectancy.

NIST Risk Models

NIST has several informative risk models that can be applied to an enterprise. SP 800-39, Managing Information Security Risk: organization, mission, and information systems view, presents several key insights: -Establish a relationship between aggregated risk from information systems and mission/business success. -Encourage senior leaders to recognize the importance of managing information security risk within the organization. -Help those with system level security responsibilities understand how system level issues affect the organization/mission as a whole. This model has 2 distinct levels of analysis, which work together as one in describing risk management actions. The 1st level of analysis is represented by 4 elements: Frame, Assess, Respond, and Monitor The 2nd level is related to the tiers represented in the hierarchical triangles: Organization, Mission/Business Processes, and Information Systems The 3 tiers represent the different distinct layers in an organization that are associated with risk. Tier 1 representing the Executive Function, is where the risk framing occurs. At Tier 2 , the mission and Business Process Layer, the risk management functions of assess, respond, and monitor occur. Tier 3 is the Information Systems Layer, where activities of risk management are manifested in the systems of the organization.

Business Risk:

No comprehensive identification of all risks in a business environment is possible. In today's technology dependent business environment, risk is often simplistically divided into 2 areas: 1. Business Risk 2. Technology Risk

Risks Really Don't Change, But They Can Be Mitigated:

One final thought to keep in mind is that the threats themselves are independent of your actions, no matter what actions are taken to mitigate the associated risk. A high threat environment will always be high risk and will require more mitigation than a lower one. However, actions can be taken to reduce the likelihood of the risk and the impact of that risk if it occurs. Over time, risks may be fluid as new threats come into focus and older ones retreat, with the issues of likelihood and potential impact changing. A new web system using a different technology will have a different risk profile than the older system.

Pen Testing vs Vulnerability Scanning

One of the early steps in penetration testing is the examination for vulnerabilities, but the differentiation comes in the follow ups on steps, which examine the system in terms of exploitability.

Transferring Risk

One possible action to manage risk is to transfer that risk. The most common method of transferring risk is to purchase insurance. Insurance allows some level of risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost. Note that transferring risk usually applies to the financial aspect of risk; it normally doesn't apply to legal accountability or responsibility. Note: It is important that you understand that technology itself is a business risk. Hence, it must be managed along with other risks. Today, technology risks are so important that they should be considered separately.

Identify Common Misconfigurations

One source of failure with respect to vulnerabilities is in the misconfiguration of a system. Common misconfigurations include access control failures and failure to protect configuration parameters. Vulnerability scanners can be programmed to test for these specific conditions and report on them.

Vulnerability Scanning Concepts

One valuable method that can help administrators secure their system is vulnerability scanning. Vulnerability scanning is the process of examining your systems and network devices for holes, weaknesses, and issues and finding them before a potential attacker does. Specialized tools called vulnerability scanners are designed to help administrators discover and address vulnerabilities.

Risk Management Culture

Organizations have a culture associated with their operation frequently, this culture is set and driven by the activities of senior management personnel. The risk management culture of an organization can have an effect upon actions being taken by others.

Penetration Testing

Pen tests are often the most aggressive form of security testing and can take many forms, depending on what is considered "in" or "out" of scope. Regardless of the scope and allowed methods, the goal of a pen test is the same: to determine whether an attacker can bypass your security and access your systems. Unlike a vulnerability assessment, which typically just catalogs vulnerabilities, a pen test attempts to exploit vulnerabilities to see how much access that vulnerability allows. Pen tests are useful in that they: -Can show relationships between a series of "low risk" items that can be sequentially exploited to gain access (making them a "high risk" item in the aggregate) -Can be used to test the training of employees, the effectiveness of your security measures, and the ability of your staff to detect and respond to potential attackers. -Can often identify and test vulnerabilities that are difficult or even impossible to detect with traditional scanning tools.

Penetration Testing Authorization

Penetration tests are used by organizations that want a real world test of security. Obtaining penetration testing authorization is the 1st step in penetration testing. This penetration test authorization is used as a communication plan for the test. Penetration tests are typically used to verify threats or to test security controls.

Persistence

Persistence is one of the key elements of a whole class of attacks referred to as Advanced Persistent Threats (APTs). APTs place two elements at the forefront of all activity: 1. Invisibility from defenders 2. Persistence APT actors tend to be patient and use techniques that make it difficult to remove them once they have gained a foothold

Pivot

Pivoting is a key method used by a pen tester or attacker to move across a network. Performing a pivot is not easy because the attacker must not only establish access to machine A, but also move their tools to machine A and control these tools remotely from another machine, all the while not being detected.

Qualitatively Assessing Risk

Qualitative risk analysis allows expert judgment and experience to assume a prominent role. To assess risk qualitatively, you compare the impact of the threat with the probability of occurrence and assign an impact and probability level to the risk

Risk Management Models

Risk management concepts are fundamentally the same despite their definitions, and they require similar skills, tools, and methodologies. Several models can be used for managing risk through its various phases. 2 models are presented here: 1. Manage risk in general 2. Manage risk in software projects KPI and KRI together provide management information essential for efficient operations. KPIs and KRIs are sued to monitor the performance of systems and processes and are critical to effective risk management. If you can't measure it, you have to rely on more subjective evaluation methods.

Overview Of Risk Management

Risk management is an essential element of management from the enterprise level down to the individual project. Risk management encompasses all the actions taken to reduce complexity, increase objectivity, and identify important decision factors. Risk management is about making a business profitable, not about buying insurance.

Risk Mitigation Strategies

Risk mitigation strategies are the action plans developed after a thorough evaluation of the possible threats, hazards, and risks associated with business operations. These strategies are employed to lessen the risks associated with operations.

Single Loss Expectancy

SLE Is the monetary loss or impact of each occurrence of a threat exploiting a vulnerability

Safety

Safety is the level of concern one places on the well being of people.

Security Controls

Security Controls are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss. Using the security attributes of confidentiality, Integrity, and Availability associated with data, it is incumbent upon the security team to determine the appropriate set of controls to achieve the security objectives.

Model Application

The 3 model examples define steps that can be used in any general or software risk management process. These risk management principles can be applied to any project, program, or business activity, no matter how simple or complex.

Asset Value

The Asset value (AV) is the amount of money it would take to replace an asset. This term is used with the Exposure Factor, a measure of how much an asset is at risk, to determine the Single Life Expectancy (SLE)

Risk According to the Basel Committee:

The Basel Committee referenced earlier in this chapter has divined 3 types of risk specifically to address international banking. 1. Market Risk, risk of losses due to fluctuation of market prices 2. Credit Risk, risk of default of outstanding loans 3. Operational Risk, risk from disruption by people, systems, or processes

Annualized Loss Expectancy (ALE)

The annualized loss expectancy is then calculated by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the Annualized Rate of Occurrence: ALE = SLE x ARO The ALE determines a threshold for evaluating the cost/benefit ratio for a given countermeasure. Note: It is always advisable to memorize these fundamental equations for certifications such as the security+: SLE = AV x EF ALE = SLE x ARO

Exposure Factor

The exposure factor (EF) is a measure of the magnitude of loss of an asset. The exposure factor is the percentage of an asset's value that is at risk. In some cases, if the risk is realized, the asset is lost; in other cases, it may be impaired. If you have one web server and it breaks, you have 100% EF. If you have a farm of 5 web servers and 2 of them break, the EF is 40%

General Risk Management

The following 5 steps can be used in virtually any risk management process. Following these steps will lead to an orderly process of analyzing and mitigating risks

Examples of Business Risk

The following are some of the common business risks: -Treasury Management, management of company holdings and bonds, futures, currencies, etc.. -Revenue Management, management of consumer behavior and the generation of revenue. -Contract Management, management of contracts with customers, vendors, partners, etc. -Fraud, deliberate deception made for personal gain, to obtain property or services, etc. -Environmental risk, management management of risks associated with factors that affect the environment. -Regulatory Risk Management, management of risks arising from new or existing regulations -Business Continuity Management, management of risks associated with recovering and restoring business functions after a disaster or major disruption occurs. -Technology, management of risks associated with technology in its many forms.

Examples of Technology Risks:

The following are some of the most common technology risks: -Security and Privacy, the risks associated with protecting personal, private, or confidential information. -Information Technology Operations, the risks associated with the day to day operation of information technology systems. -Business systems control and effectiveness, the risks associated with manual and automated controls that safeguard company assets and resources. -Business Continuity Management, the risks associated with the technology and processes to be used in the event of a disaster or major disruption. -Information System Testing, the risk associated with testing processes and procedures of information systems. -Reliability and Performance Management, the risks associated with meeting reliability and performance agreements and measures. -Information Technology Asset Management, the risks associated with safeguarding information technology physical assets -Project Risk Management, the risks associated with managing an information technology project -Change Management, the risks associated with managing configurations and changes.

Impact

The impact of an event is a measure of the actual loss when a threat exploits a vulnerability. Processing standards (FIPS) 199 defines 3 levels of impact using the terms high, moderate, and low.

Initial Exploitation

The initial exploitation is the first step because just being able to demonstrate that a vulnerability is present and exploitable does not demonstrate that the objective of the penetration test is achievable. In many cases, multiple methods, including pivoting (network traversal) and escalation privilege to perform activities with admin privileges, are used to achieve the desired effect.

Likelihood of Occurrence

The likelihood of occurrence is the chance a particular risk will occur. This measure can be qualitative or quantitative. For qualitative measures, it is typically defined on an annual basis to allow use of the measurement with respect to other annualized measures. If defined quantitatively, it is used to create rank order outcome

Risk Response Techniques

The presence of risks in a system is an absolute - they cannot be removed or eliminated. Actions can be taken to change the effects that a risk possess to a system, but the risk itself doesn't really change, no matter what actions are taken to mitigate that risk. The risk can be avoided, transferred, mitigated, or accepted. Note: There are 4 things that can be done to respond to risk: 1. accept 2. transfer 3. avoid 4. mitigate. Whatever risk is not transferred, mitigated, or avoided, is referred to as Residual Risk and by definition is accepted.

What is Risk Management?:

Three definitions relating to risk management reveal why it is sometimes considered difficult to understand. -The dictionary defines risks as the possibility of suffering harm or loss. -Carnegie Mellon University's Software Engineering Institute (SEI) defines Continuous Risk Management as "Processes, methods, and tools for managing risks in a project. It provides a disciplined environment for proactive decision making to: 1. assess continuously what could go wrong (risks) 2. determine which risks are important to deal with 3. implement strategies to deal with those risks" (SEI, continuous risk management guidebook) -The Information Systems Audit and Control Association (ISACA) says "In modern business terms, risk management is the process of identifying vulnerabilities and threats to an organization's resources and assets and deciding what countermeasures, if any, to take to reduce the level of risk to an acceptable level based on the value of the asset to the organization" (CISA review manual) These 3 definitions show that risk management is based on what can go wrong and what action should be taken if any.

Step 5: Residual Risk Management

Understand that risk cannot be completely eliminated. A risk that remains after implementing controls is termed a residual risk. In this step, you further evaluate residual risks to identify where additional controls are required to reduce residual risk even more. Note: The steps in the general risk management model should allow you to identify the steps in any risk management process.

Testing

Understanding a system's risk exposure is not a simple task. Using a series of tests, one can determine an estimate of the risk that a system has to the enterprise. Vulnerability tests detail the known vulnerabilities and the degree to which they are exposed. It is important to note that zero-day vulnerabilities will not be known, and the risk from them still remains unknown. A second form of testing, penetration testing, is used to simulate an adversary to see whether the controls in place perform to the desired level.

User Rights and Permission Reviews

User rights and permission reviews are one of the more powerful security controls. But the strength of this control depends upon it being kept up to date and properly maintained. Ensuring that the list of users and associated rights is complete and up to date is a challenging task in anything bigger than the smallest enterprises. A compensation control that can assist in keeping user rights lists current, is a set of periodic audits of the user base and associated permissions.

System Vulnerabilities

Vulnerabilities are characteristics of an asset that can be exploited by a threat to cause harm. All systems have bugs and errors. Not all errors or bugs are vulnerabilities. For an error or bug to be classified as a vulnerability, it must be exploitable, meaning an attacker must be able to use the bug to cause a desired result. There are 3 elements needed for a vulnerability to occur: 1. The system must have a flaw. 2. The flaw must be accessible by an attacker 3. The attacker must possess the ability to exploit the flaw Vulnerabilities can exist in many levels and from many causes. From design, coding errors, or unintended (and untested) combinations in complex systems, there are numerous forms of vulnerabilities. They can exist in software, hardware, and procedures. Note: Vulnerabilities can be fixed, removed, and mitigated. They are part of any system and represent weaknesses that can be exploited.

Identify Vulnerabilities

Vulnerabilities are known entities; otherwise, the scanners would not have the ability to scan for them. When a scanner finds a vulnerability present in a system, it makes a log of the fact. In the end, an enumeration of the vulnerabilities that we discovered is part of the vulnerability analysis report.

Intrusive vs Nonintrusive

Vulnerability scanners need a method of detecting whether a vulnerability is present and exploitable. One method is to perform a test that changes the system' state, and intrusive test. The other method is to perform the test in a manner that does not directly interact with the specific vulnerability. This nonintrusive method can be significantly less accurate in the actual determination of a vulnerability. If a vulnerability scan is going to involve a lot of the checks, the nonintrusive method can be advantageous because the servers may not have to be rebooted all the time. Note: one of the key objectives of testing and penetration testing is to discover misconfigurations or weak configurations. Misconfigurations and/or weak configurations represent vulnerabilities in a systems that can increase risk to the system. Discovering them so that appropriate mitigations can be employed is an essential security process.

Vulnerability Testing Authorization

Vulnerability tests are used to scan for specific vulnerabilities or weaknesses. These weaknesses if left unguarded can result in loss. Obtaining Vulnerability testing Authorization from management before commencing the test is the step designed to prevent avoidable accidents. Just as it is important to obtain authorization for penetration tests, it is important to obtain permission for penetration tests in the active machines. This permission is usually a multi-person process and involves explaining the risk of these tests and their purpose to the people running the system.

Passively Test Security Controls

When a automated vulnerability scanner is used to examine a system for vulnerabilities, one of the side effects is the passive testing of security controls. This is referred to as passive testing because the target of the vulnerability scanner is the system not the controls.

Incident Management

When an incident occurs, having an incident response management methodology is a key risk mitigation strategy. Incident response and incident management are essential security functions.

Risks Associated with Cloud Computing and Virtualization

When examining a complex system such as cloud or virtual computing environment from a risks perspective, several basic considerations always need to be observed. First, the fact that the system is in the cloud or virtualized does not change how risk works. Risk is everywhere, and changing a system to a new environment does not change the fact that there are risks. Second, complexity can change risk exposure. There are specific risk associated with both virtualization and cloud environments. Having data and computing occur in environments that are not under the direct control of the data owner adds both a layer of complexity and a degree of risk. The potential for issues with confidentiality, integrity, and availability increases with the loss of direct control over the environment. Virtualization and cloud layers present new avenues of attack into a system. Security is a particular challenge when data and computation are handled by a remote party as in cloud computing. The specific challenge is how to allow data outside your enterprise and yet remain in control over the use of the data. The common answer is encryption. Through the proper use of encryption of data before it leaves the enterprise, external storage can still be performed securely by properly employing cryptographic elements. The security requirements associated with confidentiality, integrity, and availability remain the responsibility of the data owner, and measures must be taken to ensure that these requirements are met, regardless of the location or usage associated with the data. Another level of protection is through the use of Service Level Agreements (SLAs) with the cloud vendor, although these frequently cannot offer much remedy in the event of data loss.

Mission Essential Functions

When examining risk and impacts to a business, it is important to separate Mission Essential Functions from other business functions. Mission essential functions are those that should they not occur or should they be performed improperly, the mission of the organization would be directly affected. Notes: When examining business functions, you should also be aware of identifying vulnerable business processes. These are processes that have external inputs that could be less trustworthy and subject to manipulation.

Quantitatively Assessing Risk

Where as qualitative risk assessment relies on judgement and experience, quantitative risk assessment applies historical information and trends to attempt to predict future performance. This type of risk assessment is highly dependent on historical data, and gathering such information can be difficult.

Risk Management Vocabulary

You need to understand a number of key terms to manage risk successfully. Some of these terms are defined here because they are used throughout the chapter.

Black Box Testing

black box testing is a testing technique where testers have no knowledge of the internal workings of the software they are testing.

Hazard

is a circumstance that increases the likelihood or probable severity of a loss.

Key performance indicators (KPIs)

is a measurable value that demonstrates how effectively a key business objective is being met.

Key risk indicators (KRIs)

is a measure used in management to indicate how risky an activity is to the enterprise.

False Positive

is an incorrect finding - something that is incorrectly reported as a vulnerability.

Control

is the measure taken to detect, prevent, or mitigate the risk associated with a threat. Aka countermeasures or safeguards

Configuration control

is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented.

Qualitative Risk Assessment

is the process of subjectively determining the impact of an event that affects a project, program, or business. Completing the assessment usually involves the use of expert judgement, experience, or group concensus.

Reconnaissance

reconnaissance is the first step of performing a penetration test. The objective of reconnaissance is to obtain an understanding of the system and its components that someone wants to attack. Attack Reconnaissance = it is loud and detectable on the network Passive Reconnaissance = it is quiet and not detectable on the network.

Risk

risk is the possibility of suffering harm or loss

Example of Risk Management at the International Banking Level

the Basel Committee on banking supervision comprises government central bank governors from around the world. This body created a basic, global risk management framework for market and credit risk. It implemented internationally a flat 8 percent capital charge to banks to manage bank risks. In Layman's terms, this means that for every $100 a bank makes in loans, it must possess $8 in reserve to be used in the event of financial difficulties.

White Box Testing

white box testing is the polar opposite of black box testing. They have detailed knowledge of the application they are examining.