CYBER SECURITY RISK MANAGEMENT ITEC433
Ransomware -
encrypts files on an endpoint or server and demands a ransom in bitcoin to receive the encryption key.
Integrity
ensure that information is not modified or destroyed
Cyber Security Goal
ensure that the confidentiality, integrity, availability and accountability of the organization's resources (tangible and intangible) are maintained at an acceptable level.
Risk Components
•Losses occur when a threat exposes a vulnerability
Threat
-Any activity that represents a possible danger
-Any circumstance or event with the potential to adversely impact the confidentiality, integrity or availability of business assets
Risk Profile Includes: (OMB A-123 requires)
-Identification of Objectives
-Identification of Risk - simple narrative statement
-Inherent Risk Assessment
-Current Risk Response
-Residual Risk Assessment
-Proposed Risk Response
-Proposed Action Category
Cyber Criminals
-Target information that is of value to them, such as bank accounts, credit cards, or intellectual property that can be converted into money
-Often structured to operate as any well-run, legitimate business, with experts specialized in each area and position
To Identify Risks:
1.Identify threats
2.Identify vulnerabilities
3.Estimate the likelihood of a threat exploiting a vulnerability
NIST Cybersecurity Risk Management Framework (SP 800-37)
6 Steps:
1.Categorize information systems
2.Identify and tailor security controls
3.Implement security controls
4.Assess security controls
5.Authorize information systems
6.Continuous monitoring
Vulnerability
Risk = Threat * Vulnerability
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Vulnerabilities can be system specific, within governance structures, or related to external relationships.
Vulnerability = weakness in an asset or the environment; a flaw in a system or business process.
Vulnerabilities can be mitigated to reduce the probability of occurrence and to reduce the impact of loss.
Enterprise Risk Management (ERM)
Agency-wide approach to addressing the full spectrum of significant risks by considering the combined array of risks as an interrelated portfolio, not as silos.
Risk Types
-Aggregate Risk
-Inherent Risk
-Residual Risk
"Data" breach
An incident that resulted in confirmed disclosure, not just exposure, of data to an unauthorized party
A threat is
Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, or other organizations through an information system via unauthorized access, destruction, disclosure, or modification of information and/or denial of service. In short: the potential for an adverse effect.
Personally Identifiable Information (PII)
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Sources of Risks
-Business Interruption/Disaster Risk
-Compliance Risk
-Financial Risk
-Liquidity Risk
-Operational Risk
-Political Risk
-Regulatory Risk
-Strategic Risk
Cyber Security Risk - KEY Components AKA the CIA Triangle
-Confidentiality
-Integrity
-Availability
-Accountability
Impact
Consequence of occurrence; the penalty incurred if an objective is not met
Common Attackers
-Criminals
-Advanced persistent threats (APTs)
-Vandals
-Saboteurs
-Disgruntled employees
-Activists
-Nation states, other nations (espionage)
Threat - E-Mail Phishing Attack
-E-mail phishing is an attempt to trick someone in the workplace into giving out information using e-mail
-Inbound phishing e-mail includes an active link or file (often a picture or graphic)
-Appears to come from a legitimate source: friend, co-worker, or personal e-mail
-Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer
-Addressing the link or file may result in malicious software being downloaded, or access being provided to information stored on the computer or other computers within the network
-Warning signs: there is an immediate need for you to do something; no one will ask for your user name and password
Unintentional Threats
-Environmental - weather, earthquakes, epidemics
-Human - errors
-Accidents - minor mishap to major catastrophe
-Failures - equipment
Intentional Threats
-Greed - monetary, fraud
-Espionage - wanting information
-Anger - victims to pay a price
-Desire to damage - results in loss
WannaCry Ransomware
Impacted 300 countries and more than 300,000 computers worldwide. Its cost could swell into the billions of dollars; one of the most damaging incidents involving ransomware.
"Philadelphia" Ransomware-as-a-Service
Web App Attacks - Injection
Injection is tricking an application into including unintended commands in the data sent to an interpreter. The interpreter takes strings and interprets them as commands. One of the most common forms is SQL injection. Injection attacks are usually severe: the entire database can usually be read or modified, and a successful attack could also expose the full database schema, grant account access, or even provide OS-level access.
•Probability:
Likelihood that an objective will not be met using the current plan
Cyber Crime Black Market
-Payment Card Data
-Malware-Infected Computers or "Bots"
-Malware & Exploit Kits
-Hacker Services for Hire
-Dark Web / Deep Web / Tor
-Ransomware-as-a-Service (RaaS) / Cybercrime-as-a-Service (CaaS)
-"Booters" or "Stressers"
Data Breach Overview - Common Types
-Physical
-Electronic
-Skimming
Physical
Physical theft of documents or equipment containing cardholder account data such as receipts, files, and computer systems.
Risk Exposure
Probability x Impact
Ransomware
A class of malicious software designed to extort money from users by disabling important computer system functionality or by encrypting files on the infected device as well as on shared or networked drives.
Skimming
The capture and recording of magnetic stripe data from the back of credit cards. This process uses an external device installed on a merchant's point-of-sale system to harvest customer data.
Residual risk
The risk that remains after controls are implemented (total risk - controls)
Inherent Risk
The risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact
Threat x Vulnerability x Impact x Likelihood = RISK
Nature of Threats:
-Threats cannot be eliminated
-Threats are always present
-You can reduce the potential for a threat to occur
-You can reduce the impact of a threat
-You cannot affect the threat itself
-Examples: hackers, weather
Risk Management Goal
To maximize the output of the organization in terms of services, products, revenue, etc., while minimizing the chance for unexpected outcomes
Electronic
Unauthorized access on a system or network environment where customer data is hosted, processed, stored, or transmitted.
Malware Threat
-Virus
-Worms
-Trojans
-Spyware
-Ransomware
Example: a Microsoft patch is not applied
-Vulnerability = what the patch was fixing (network, data, etc.)
-Threat = someone may gain access to a network or data if the patch is not applied
-Likelihood = ??
Cyber Security "Rules"
When considering mitigations, controls and procedures to increase security, they should never be at the expense of human safety.
Cyber Security
managing the risks to sensitive data and critical resources
Accountability
ability to trace activities to a responsible source
Hackers
Attempt to breach systems; motives range from curiosity to malicious intent.
-White hat or ethical hackers
-Black hat or crackers
-Grey hat
Availability
available when needed
Spyware
Can infect web browsers, making them nearly inoperable; may be disguised as a legitimate application; secretly records behavior and usage patterns.
Virus -
commonly spread through file sharing, web downloads, email attachments
Trojans -
Designed specifically to extract sensitive data from a network; may take control of the infected system and open a back door for the attacker to access later. Often used in the creation of botnets.
Sensitive PII
is Personally Identifiable Information, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Risk
is the likelihood that a loss will occur.
Risk profile
A listing and assessment of the business's top risks
-Provides thoughtful analysis of the risks a business faces in achieving its strategic objectives
-Assists in determining the aggregate level and types of risk that the business is willing to assume to achieve its strategic objectives
Confidentiality
preventing unauthorized disclosure of information
•Loss
Results in a compromise to business functions or assets that adversely affects the business
-Compromise of business functions - activities a business performs; can result in a loss of revenue
-Compromise of business assets - anything of measurable value, tangible and intangible
-Driver of business costs
Exploit
the act of taking advantage of a vulnerability resulting in a compromise to the system, application or data
Risk Appetite
the amount of risk an organization is willing to accept, given consideration of costs and benefits
Threats can compromise
the confidentiality, integrity and/or availability of information processed, stored or transmitted by IT systems.
Aggregate Risk -
total or cumulative amount of exposure associated with a specified risk
Worms -
unlike a virus, can crawl through networks without human interaction
Vulnerability
weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
Losses occur
when a threat exposes a vulnerability
Security incident
•Any event that compromised the confidentiality, integrity, or availability of an information asset.
•A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Risk Response Options
•Avoidance
•Share or Transfer (insurance)
•Mitigation - reduce the vulnerability (likelihood or impact)
•Accept the risk - take no action
Examples of Threats
•Internal / external
•Natural or man-made
•Intentional or accidental
Risk Management
•Practice of identifying, assessing, controlling and mitigating risks
•Risk management does NOT eliminate risks
•Not all risks are created equal or should be treated the same
•Goal - identify the risks, determine the appropriate actions
Risk Response
•The action taken to manage or treat the risks
•Not all risks are created equal or should be treated the same
•Goal - identify the risks, determine the appropriate actions