CIST 1601 Information Security Fundamentals

Chapter 1 Measuring and Weighing Risk
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Technology
Albany Technical College
Identifying Assets
Asset identification is the process of identifying the
types and values of assets in an organization.
In some cases, the process may be as simple as
counting systems and software licenses.
The more difficult part of an asset-identification
process is attempting to assign values
to information.
In some cases, you may only be able to determine
what would happen if the information were to
become unavailable or lost.
If absence of this information would effectively shut
down the business, the information is priceless.
Risk Assessment
There are several ways to perform a risk assessment or risk analysis.
They range from highly scientific formula-based methods to a conversation with
the owner.
The cost of an event and the probability that an event will occur are two of the
most important factors to consider when you’re formulating a risk assessment.
In general, you should attempt to identify the costs of replacing stolen data or
systems, the costs of downtime, and virtually any risk factor you can imagine.
You can move to risk assessment only after completing the asset identification.
After you’ve determined the costs, you can then evaluate the likelihood that
certain types of events will occur and the most likely outcome if they do occur.
Risk Assessment
Risk assessment helps align security objectives with business objectives. Risk analysis is part of the disaster
recovery plan.
Risk analysis is the process of identifying assets and their associated threats, vulnerabilities, and potential
risks, and justifying the cost of countermeasures deployed to mitigate the loss. It is important to note that
risk analysis is focused on a cost-benefit analysis of countermeasures, and not on the selection of
countermeasures.
Risk analysis also measures the amount of loss that an organization can potentially incur if an asset is
exposed to loss.
During the process of risk assessment, it is necessary to review many areas, such as the following:
Methods of access
Authentication schemes
Audit policies
Hiring and release procedures
Isolated services that may provide a single point of failure or avenue of compromise
Data or services requiring special backup or automatic failover support.
The following are the four major objectives of a risk analysis, in order of execution:
1. To identify all existing assets and estimate their monetary value.
2. To identify vulnerabilities and threats to information assets. A vulnerability is a weakness in a system, software,
hardware, or procedure that a threat agent can exploit, creating the potential for loss. A virus is an
example of a threat agent, and the possibility of a virus infecting a system is an example of a threat.
3. To quantify the possibility of threats and measure their impact on business operations.
4. To balance the cost of a threat's impact against the cost of implementing the safeguards that mitigate
that impact.
Acting on Your Risk Assessment
Risk Avoidance
Some risks can be eliminated through a change in the
technology, policy, or mechanism of employment. For example, the risk of “wardialing” attacks can be eliminated by removing legacy dial-up telephony modem
devices.
Risk Transference
A risk may be transferred, such as when the risk of
equipment loss is covered by a full-replacement insurance policy.
Risk Mitigation
Most risks fall into the mitigated response area,
where the application of additional effort may reduce the risk to a level
documented as acceptable.
Risk Deterrence
Risk deterrence involves understanding something
about the enemy and letting them know the harm that can come their way if
they cause harm to you. This can be as simple as posting prosecution policies
on your login pages and convincing them that you have steps in place to identify
intrusions and act on them.
Risk Acceptance
Some risks cannot be addressed within reasonable time or cost constraints and may be accepted, with
proper documentation as to the reasons why the risk is acceptable.
Risk Assessment
The annualized rate of occurrence (ARO) signifies the probability of an event occurring within a year. This
figure is usually derived from historical data.
This measure can be used in conjunction with a monetary value assigned to data to compute single loss
expectancy (SLE) and annual loss expectancy (ALE) values.
SLE refers to the quantitative amount of loss incurred by a single event when a threat takes place.
SLE equals the asset value (AV) multiplied by the threat exposure factor (EF). The exposure factor is the
percentage of an asset's value that a realized threat could destroy.
For example, a virus hits five computer systems out of 100 before the safeguard prevents it from infecting
the other 95 computers, resulting in a loss of five percent of the computers. If the asset value of the 100
computers is $10,000, the exposure factor is five percent, and the loss from this single event is $500, which is
five percent of the total asset value.
The formula for calculating SLE is: AV x EF = SLE.
From the previous example: $10,000 x 5% = $500.
Annual loss expectancy (ALE) refers to the loss potential of an asset for a single year.
ALE equals the single loss expectancy (SLE) times the annualized rate of occurrence (ARO).
When you’re computing risk assessment, remember this formula:
SLE x ARO = ALE
Thus, if you can reasonably expect that every SLE will be equivalent to $1,000 and that there will be seven
occurrences a year (ARO), then the ALE is $7,000.
Total risk can be calculated by multiplying the threats, the vulnerabilities, and the asset value.
Total risk = threats x vulnerabilities x asset value.
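The SLE and ALE formulas above, carried through in code, together with the cost-benefit step the Risk Assessment slide describes (justifying what a countermeasure costs). This is an added example, not material from the slides or the course: the slide's $10,000 / five percent virus figures are reused, while the ARO of four outbreaks a year and the safeguard's cost and residual risk are constructed assumptions, and the "ALE before minus ALE after minus annual cost" formula for a safeguard's value is the standard extension of these figures rather than something the slide states.

```python
"""Quantitative risk calculations: SLE = AV x EF, ALE = SLE x ARO, and the
cost-benefit test for a proposed safeguard.

Added example; safeguard figures below are constructed, not from the slides."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction of the asset value (0.05 = five percent),
    never a dollar amount; the dollar figure that results is the SLE."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year
    (0.1 means roughly once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    """A proposed countermeasure and the residual risk once it is in place."""
    name: str
    annual_cost: float        # yearly cost of buying and running the control
    residual_exposure: float  # EF after the control is in place
    residual_aro: float       # ARO after the control is in place


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    safeguard: Safeguard) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual cost.

    Positive: the control prevents more loss than it costs. Negative: the
    control costs more than the loss it avoids, so accepting or transferring
    the risk may be the better response. (Standard cost-benefit formula,
    assumed here; the slide does not state it.)"""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.residual_exposure),
        safeguard.residual_aro)
    return ale_before - ale_after - safeguard.annual_cost


if __name__ == "__main__":
    # The slide's virus example: 100 computers worth $10,000, 5 of them hit.
    sle = single_loss_expectancy(10_000, 0.05)    # $500
    # Constructed assumption: outbreaks like this happen four times a year.
    ale = annual_loss_expectancy(sle, 4)           # $2,000
    # Constructed countermeasure: endpoint protection at $600/year that holds
    # each outbreak to one machine (EF 1%) without changing how often malware
    # arrives (ARO stays 4).
    control = Safeguard("endpoint protection", 600, 0.01, 4)
    value = safeguard_value(10_000, 0.05, 4, control)  # $1,000
    print(f"SLE=${sle:,.0f}  ALE=${ale:,.0f}  value of {control.name}=${value:,.0f}")
```

Changing the constructed numbers shows the decision the slide is driving at: a $5,000-a-year control that eliminated the same $2,000 ALE would come out $3,000 negative, which is the point at which risk acceptance or transference becomes the defensible choice.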
Risks Associated with Cloud Computing
Cloud computing means using the Internet to host services and data instead of hosting it locally. Some
examples would be to run Office-like applications from the Web (such as Google Docs) instead of having
the applications installed on each workstation, storing data on server space rented from Amazon, using
sites such as Salesforce.com, etc.
Three ways to implement cloud computing:
Platform as a Service – Also known as cloud platform services. Vendors allow apps to be created and run
on their infrastructure, e.g. Amazon Web Services and Google Code.
Software as a Service – Applications are run remotely over the Web. No local hardware is required and no
software apps need be installed on the machine accessing the site, e.g. Salesforce.com. Costs are usually
computed on a subscription basis.
Infrastructure as a Service – Utilizes virtualization, and clients pay an outsourcer for the resources used.
GoGrid is a well-known example.
Risk related issues of cloud computing include:
Regulatory Compliance – Depending on the type and size of your organization, there are any number of
regulatory agencies' rules with which you must comply.
User Privileges – Be cognizant of the fact that you will not have the same control over user accounts in the
cloud as you did locally, and when someone locks their account by giving the wrong password too many
times in a row, you or they could be at the mercy of the technical staff of the provider.
Data Integration/Segregation – Data hosting companies can put more than one company's data on a
server. You should use encryption to protect your data. Be aware that your data is only as safe as the data it
is integrated with.
Risks Associated with Virtualization
Security risks associated with virtualization include:
Breaking Out of the Virtual Machine – If an attacker can break out of the
virtualization layer, they could gain access to the other virtual
machines and to data they should not be able to reach.
Network and Security Controls Can Intermingle – The tools used
to manage the virtual machine may not have the same granularity as
those used to manage the network, which could lead to privilege
escalation.
Most virtualization-specific threats focus on the hypervisor,
which is the virtual machine monitor, or the software that
allows the virtual machine to exist. If the hypervisor can be
compromised, the attacker can gain root-level access to all
virtual systems.
The solution to most virtualization threats is to always apply the
most recent patches and keep the system(s) up to date.
Developing Policies, Standards, and Guidelines
Implementing Policies
A policy consists of the rules and requirements which should be adhered to
within an organization. Policies usually cover a single area, and contain
conditions of expected performance, and the consequences of non-compliance.
A good policy document contains several key sections besides the policy itself:
Scope statement
Outlines what the policy intends to accomplish and what documents, laws, and practices the
policy addresses.
Policy overview statement
Policy overview statements provide the goal of the policy, why it’s important, and how to
comply with it.
Policy statements
Once the policy’s readers understand its importance, they should be informed of what the
policy is. If the policy is intended to help people determine how to lock up the building at the
end of the business day, it might be helpful to provide a specific checklist of the steps that
should be taken.
Accountability statement
States who is responsible for ensuring that the policy is enforced, who should be contacted if a
problem is discovered, and what the consequences of non-compliance are.
Exception statement
The exception statement provides specific guidance about the procedure or process that
must be followed in order to deviate from the policy. This may include an escalation contact, in
the event that the person dealing with a situation needs to know whom to contact.
Developing Policies, Standards, and Guidelines
Incorporating Standards
A standard deals with specific issues or aspects of the business. Standards are
derived from policies. A standard should provide enough detail that an audit
can be performed to determine if the standard is being met.
The following five points are the key aspects of standards documents:
Scope and purpose
Should explain or describe the intention. If a standard is developed for a technical
implementation, the scope might include software,
updates, add-ins, and any other relevant information to carry out the task.
Roles and responsibilities
Outlines who is responsible for implementing, monitoring, and maintaining the
standard.
Reference documents
Explains how the standard relates to the organization’s different policies, thereby connecting
the standard to the underlying policies that have been put in place. In the event of confusion or
uncertainty, it also allows people to go back to the source and figure out what the standard
means.
Performance criteria
Outlines what or how to accomplish the task. It should include relevant baseline and
technology standards.
Maintenance and administrative requirements
These standards outline what is required to manage and administer the systems or networks.
Developing Policies, Standards, and Guidelines
Following Guidelines
Guidelines tend to be less formal than policies or standards.
Guidelines are similar to standards, in that they too detail rules and best
practices that govern an organization and how business is conducted. The
difference is that guidelines are not mandatory. Guidelines are usually drawn up
to streamline the implementation of security policy elements.
The following four items are the minimum contents of a good guidelines
document:
Scope and purpose
The scope and purpose provide an overview and statement of the guideline’s intent.
Roles and responsibilities
Identifies which individuals or departments are responsible for accomplishing specific tasks.
This may include implementation, support, and administration of a system or service.
Guideline statements
Provide the step-by-step instructions on how to accomplish a specific task in a specific
manner. Again, these are guidelines—they may not be hard-and-fast rules.
Operational considerations
Specify and identify what duties are required and at what intervals. This list might include
daily, weekly, and monthly tasks. Guidelines for systems backup might provide specific
guidance as to what files and directories must be backed up and how frequently.
Business Policies
Business policies address organizational and departmental
business issues and have an impact on the security of an
organization.
Separation of duties policies describe rules that reduce the risk
of fraud and other losses.
These policies should define more than one person for
completing business critical tasks. Multiple people conspiring to
corrupt a system is less likely than a single person corrupting it.
Separation may apply both to logons, such as separate day-to-day
and admin accounts for the same network administrator, and to
roles, such as security assignment and compliance audit
procedures.
Business Policies
Due care is the knowledge and actions that a reasonable and prudent person would possess or act upon. The
objectives of due care policies are to protect and safeguard customer and/or client records.
Due care is determined based on legislative requirements.
The company exercises the practice of due care in the following manner:
The company implements physical and logical access controls.
The company ensures telecommunication security by using authentication and encryption.
Information, application, and hardware backups are performed at regular intervals.
Disaster recovery and business continuity plans are in place within the company.
Periodic reviews, drills, and tests are performed by the company to test and improve the disaster recovery and
business continuity plans.
The company’s employees are informed regarding the anticipated behavior and implications of not following the
expected standards.
The company has security policies, standards, procedures, and guidelines for effective security management.
The company performs security awareness training for its employees.
The company network runs updated antivirus definitions at all times.
The administrator periodically performs penetration tests from outside and inside the network.
The company implements either a call-back or a preset dialing feature on remote access applications.
The company abides by and updates external service level agreements (SLAs).
The company ensures that downstream security responsibilities are being met.
The company implements countermeasures that ensure that software piracy is not taking place within the company.
The company ensures that proper auditing and reviewing of the audit logs is taking place.
The company conducts background checks on potential employees.
If a company does not exercise due care, the company’s senior management can be held legally accountable
for negligence and might have to pay damages under the principle of culpable negligence legislation for the
loss suffered because of insufficient security controls.
Business Policies
Physical Access Control Policies refer to the authorization of
individuals to access facilities or systems that contain information.
They limit issues such as unauthorized disclosure of information,
unauthorized access to the company facilities, and data theft.
Document Disposal and Destruction Policies detail how information
that is no longer needed is disposed of. Data in all forms must be
properly disposed of.
Some data and data sources must be destroyed or thoroughly
erased. Because many sophisticated recovery techniques exist,
destroying all data and data sources may be more appropriate.
Discarded hard drives might need to be physically destroyed.
Business Policies
Privacy policies must clearly define:
Which information can be disclosed
What information cannot be disclosed
What types of information employees are provided
The policy must clearly state that employees should have no expectations of privacy. Employers are
allowed to search desks, computers, files, and any other items brought into the building.
By explicitly stating your policies, you can avoid misunderstandings and potentially prevent employees
from embarrassing themselves.
Acceptable-use policies (AUP) deal primarily with computers and information provided by the company.
An acceptable use policy provides details that specify what users may do with their network access,
including email and instant messaging usage for personal purposes, limitations on access times, and the
storage space available to each user.
It dictates how computers can be used within an organization. It should also outline the consequences of
misuse.
Employees are commonly asked to sign such a document, which is a binding agreement to adhere to the
policy.
Business Policies
Security Policies define what controls are required to implement and
maintain the security of systems, users, and networks. They should be used as a
guide in system implementation and evaluation.
Mandatory Vacation policies require all users to take time away from
work and refresh. An employee who doesn't take time off can be a
detriment to himself or the company. Mandatory vacations give the
company the chance to make sure others can fill the void in skills. They
also give the company a chance to discover fraud.
Job Rotation policies define intervals at which employees must rotate
through positions. They help ensure that companies don't become too
dependent on one person, and they also give the company a chance to
discover fraud.
Least Privilege should be used when assigning permissions. Give users only
the permission they need to do their work and no more. Every OS includes
the ability to limit users based on groups and individual permissions. Apply
only those permissions users need and block all others.
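The separation of duties and least privilege policies described on these slides, expressed as checks over role assignments, with a function that supports the review of user rights and permissions the audit slide calls for. This is an added example, not course material: the roles, permissions, conflicting role pairs and sample assignments are all constructed for illustration, and the deny-by-default authorization check is a generic pattern rather than any particular operating system's permission model.

```python
"""Least privilege and separation of duties as checks over role assignments.

Added example; every role, permission and assignment below is constructed."""

# Each role carries only the permissions that job needs (least privilege).
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment.create"},
    "payments_approver": {"payment.approve"},
    "security_admin": {"user.create", "user.disable", "acl.modify"},
    "compliance_auditor": {"audit_log.read"},
    "helpdesk": {"password.reset"},
}

# Pairs of roles one person must never hold at the same time: a single
# person holding both could commit and conceal fraud without a conspirator.
CONFLICTING_ROLES = [
    ("payments_clerk", "payments_approver"),   # initiate and approve payments
    ("security_admin", "compliance_auditor"),  # assign security and audit it
]

# Constructed user-to-roles assignments for the checks below.
SAMPLE_ASSIGNMENTS = {
    "alice": ["payments_clerk", "payments_approver"],  # violates SoD
    "bob": ["helpdesk"],
    "carol": ["security_admin"],
}


def is_allowed(user_roles, permission):
    """Deny by default: a permission is granted only if one of the user's
    roles explicitly carries it. Unknown roles grant nothing."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles)


def sod_violations(assignments):
    """Return (user, role_a, role_b) for every conflicting pair a user holds."""
    violations = []
    for user, roles in assignments.items():
        held = set(roles)
        for role_a, role_b in CONFLICTING_ROLES:
            if role_a in held and role_b in held:
                violations.append((user, role_a, role_b))
    return violations


def unused_permissions(user_roles, permissions_used):
    """Permissions a user holds but has not exercised: candidates to remove
    during a periodic user rights review."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles))
    return granted - set(permissions_used)


if __name__ == "__main__":
    for user, a, b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("helpdesk may modify ACLs:", is_allowed(["helpdesk"], "acl.modify"))
    # Constructed audit data: carol only ever created accounts last quarter.
    print("carol's unused permissions:",
          sorted(unused_permissions(SAMPLE_ASSIGNMENTS["carol"], ["user.create"])))
```

Running the separation of duties check whenever roles are granted, rather than only at audit time, catches the alice case before a conflicting pair is ever live.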
Understanding Control Types, False Positives,
and Change and Incident Management
Risk assessment/analysis involves calculating potential risks and making decisions based on the
variables associated with those risks. Once risks are identified, you put controls in place to address
those risks.
Control types fall into three categories:
Management
Operational
Technical
Control Types
Control Type   Controls
Management     Risk Assessment
Management     Planning
Management     System and Services Acquisition
Management     Certification, Accreditation, and Security Assessment
Operational    Personnel Security
Operational    Physical and Environmental Protection
Operational    Contingency Planning
Operational    Configuration Management
Operational    Maintenance
Operational    System and Information Integrity
Operational    Media Protection
Operational    Incident Response
Operational    Awareness and Training
Technical      Identification and Authentication
Technical      Access Control
Technical      Audit and Accountability
Technical      System and Communication Protection
Control Types, False Positives, and Change
and Incident Management
After implementing controls based on risk you must
perform audits which include reviews of user rights and
permissions as well as events that occur.
False Positives are events that aren’t really incidents. If the
rules are not set up properly, normal traffic may set off the
analyzer and generate an event.
Your audits should address change management, the structured approach
that is followed to secure the company's assets, and incident management,
the steps that are followed when events occur.
The End