Risk management
Winter 2020, COMP 3061 Computer Security
Dr Danish Khan
Lecture outline
• Introduction to risk
• Risk management framework
• Security controls
• Risk assessment
• Business impact analysis
• Data security and privacy policies
• Personnel risks
• Third-party risks
Introduction to risk
What is an information security risk?
Probability means the likelihood over a defined period of time. It is measured between 0 and 1
where probability of 0 means that there is no risk and probability of 1 means that the incident will definitely
occur.
Threat actor can be a malicious person or an automated program.
Risk is the probability of a threat actor taking advantage of a vulnerability
by using a threat against an IT system asset.
A vulnerability is a weakness inherent in an
asset that leaves it open to a threat. A threat
is an action a threat actor can use against a
vulnerability to create a negative effect. You
can’t have a threat without a vulnerability.
You can check vulnerability database at
https://nvd.nist.gov/
• Asset – is a resource with economic value that an individual,
corporation or country owns with the expectation that it will
provide a future benefit.
• Asset can be measured tangibly or intangibly; a router device is
tangible (it has a dollar value).
• Faith, trust, happy are intangible
Types of threat actors
• Hacktivists
• A hacker and an activist; some form of agenda, often political or fueled by a sense of injustice
• Script kiddies
• Limited skill set; use open source attacking tools
• Insiders
• People within an organization
• Competitors
• Outside of organization to gain access to the same customers as the targeted company.
• Organized crime
• Group which use extra legal methods to gain access to resources. Usually well funded.
• Nation state/APT
• Government directed attacks; for example one country sending spies to another country to gain
information. Well funded. Often uses advanced persistent threat (APT) to get long-term control of
a compromised system, continuously looking for new data to steal.
Calculating risk
• Risk = Probability x Vulnerability x Threat
• Risk = Probability x Impact
II. Risk
management
framework
How to apply security controls in an
organization?
Risk
management
framework
Risk management concepts
• A risk management framework (RMF) describes the major steps and
flows of the complex process of applying security controls in an
organized and controlled fashion.
• Concepts
• Infrastructure • Security controls - The action of strengthening a vulnerability to reduce or
eliminate the impact is called a security control.
• Laws
• Standards
• Best Practices
RMF steps
• Categorize the information system
• Assets and determine the impact of losing them
• Select security controls
• Select an initial set of baseline security controls for the information system based on the security
categorization.
• Implement the security controls
• Apply the security controls
• Assess the security controls
• Test/assess the security controls to verify they’re doing the job you want them to do.
• Authorize information system
• Authorize the now-strengthened information system to operate.
• Monitor the security controls
• Monitor the information system on an ongoing basis, checking for new vulnerabilities and overall
performance.
III. Security controls
• Types of controls
• Management of control types
• Security control strategies
Types of controls
Separation of control
Deterrent control
Technical control
Preventative control
Administrative control
Corrective control
Physical control
Detective control
Compensating
Types of control
• Deterrent control
•
•
•
•
Deter a potential attacker from attempting an attack.
Good light around the house.
Fake cameras around the building.
Welcome banner accessing SSH server.
• Preventative control
• Long character password length
• Putting a lock on the server room door
• Background check when hiring a new employee
Types of control
• Detective control
• Actively look for an attack and alert security professionals to the presence of
an active, ongoing attack.
• Corrective control
• A corrective control applies after an attack has taken place and fixes/mitigates
the result of the incident. Restoring data from backups is probably the most
common example of a corrective control.
• Compensating
• Provide a temporary solution to a vulnerability that’s less than optimal.
• Use compensating controls to keep going until a better control is available or
possible.
Management of control types
• Technical controls
• Technical controls are security controls applied to technology. If you specify a security
control that states, “All edge routers must be able to communicate on SNMPv3,”
then you’ve made a technical control.
• Administrative controls
• Administrative controls are applied to people. If you have a security control that
states, “All users must log off their workstations every time they leave their office,
regardless of length of time,” then you’ve made an administrative control.
• Physical controls
• Physical controls are applied to secure physical areas from physical access by
unauthorized people. Fences, door locks, elevator floor blockers, and biometric
retinal scanners are all examples of physical controls.
Security control
strategies
• Layered security
• Vendor diversity
• Do not stick with one vendor when
providing security. Use different
vendors.
• Control diversity
• Add admin and technical controls.
• Asking user to select a complex
password (admin control) and adding a
complex password policy to windows
(technical control).
• User training
• Continuous user training
https://www.malwarefox.com/layered-security/
IV. Risk assessment
Risk management processes and
concepts
Risk assessment methods
• NIST special publication 800-30, Rev 1, “Guide for Conducting Risk
Assessments. The link can be found at
https://www.nist.gov/publications/guide-conducting-riskassessments
Risk assessment process
Risk assessment process
• Identifying threat sources
•
•
•
•
Environmental
Manmade
Internal – Insider to the organization
External – Outsider your organization
• Likelihood and impact
• Likelihood of occurrence is the probability that a threat actor will initiate a threat or
the probability that a threat could success- fully exploit a given vulnerability.
• Impact is the degree of harm or damage caused to an asset or the organization.
• Review NIST special publication 800-30, Rev 1 to get likelihood and impact tables.
• Risk registers
• A risk register is a scatter-plot graph that compares probability to impact. Risk
registers are handy tools for detecting otherwise easily missed risks.
Risk assessment process
Risk assessment methods
• Quantitative risk assessment (objective or numerical)
• Asset value (AV) and exposure factor (EF)
• AV is expressed in currency and EF is a probability between 0 and 1.
• Single loss expectancy (SLE) = AV x EF
• Lets say you have an asset (a server) which costs you $5000. A single loss event such as flood,
you expect to loss 50% of the asset, the SLE would be 5000 x 0.5 = $2,500
• Annualized Rate of Occurrence (ARO) - The annualized rate of occurrence
(ARO) is how many times per year you would expect a particularly negative
event to occur, resulting in a loss of the asset
• Annualized Loss of Expectancy (ALE) - amount of loss from the SLE and
determines how much loss the organization could realistically expect in a oneyear period.
• ALE = SLE x ARO
Quantitative risk assessment - example
• The Bayland Widget corporation has a data center in Totoville, Kansas.
Totoville averages about seven major tornados a year. The ARO of a
tornado is therefore 7. A serious tornado hit to the $2,000,000 facility
would likely cause about 20 percent damage. Put those numbers
together to create the SLE:
• SLE = AV x EF; $2M x 0.2 = $400,000
• ALE = SLE x ARO; $400,000 x 7 = $2.8M loss/year
Risk assessment methods
• Qualitative risk assessment (subjective)
• A qualitative risk assessment doesn’t necessarily use numerical values; it
relies on descriptive elements derived from opinion, trend analysis, or best
estimates. For example, what would the impact be to an organization if it
suffered a loss of reputation in the marketplace?
• Reputation cannot be easily quantified numerically. But it can be assigned a
descriptive value, such as low, medium, or high.
• Uses scale such as very high, high, moderate, low, very-low
Risk response
• Mitigate - an attempt to reduce risk, or at least minimize its effects on
an asset.
• Transfer - (also sometimes called risk sharing) deals with risk by
sharing the burden of the risk, especially the impact element.
• Accept - the organization has implemented controls and some risk
remains.
• Avoid - the organization could choose not to participate in activities
that cause unnecessary or excessive risk.
Note: Risk can never be completely eliminated; it may simply be
reduced to a very unlikely level or to a very insignificant impact.
V. Business impact analysis
Business impact analysis concepts
BIA basics
• An analysis of an information system’s requirements, functions, and
interdependencies used to characterize system contingency
requirements and priorities in the event of a significant disruption.
• NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal
Information Systems,” offers a detailed, three-stage BIA
BIA stage 1
• Determine mission/business processes and recovery criticality.
Mission/Business processes supported by the system are identified
and the impact of a system disruption to those processes is
determined along with outage impacts and estimated downtime.
• Make sure you know which workflows and processes your
organization depends on to operate, in other words, the missionessential functions. Determine the types of impact and consider the
impact of the failure of each of these workflows and processes.
Estimate how long it takes to bring those workflows and processes up
to speed.
BIA stage 2
• Identify resource requirements. Realistic recovery efforts require a
thorough evaluation of the resources required to resume
mission/business processes and related interdependencies as quickly
as possible.
• What are the critical tools your organization uses to do these
workflows and processes? Where are they? How do they work? In
other words, a BIA provides identification of critical systems.
BIA stage 3
• Identify recovery priorities for system resources. Based upon the
results from the previous activities, system resources can be linked
more clearly to critical mission/ business processes and functions.
Priority levels can be established for sequencing recovery activities
and resources.
• Once you understand all the resources that together make a
particular workflow/process work, determine the priority of bringing
them back up to speed if they fail.
Types of impact
• Financial - Financial impact manifests in several ways. It might mean lost or
delayed sales. It might also lead to increased expenses, such as overtime,
outsourcing, and fines.
• Reputation – What if you visit a site and it is not working or a privacy
breach.
• Property – Property damage or property not habitable due to nearby fire in
the building.
• Safety/life - The most serious impact is loss of safety or life.
• Privacy - An organization performs a privacy impact assessment (PIA) to
determine the impact on the privacy of the individuals whose data is being
stored, and to ensure that the organization has sufficient security controls
applied to be within compliance of applicable laws or standards.
Calculating impact
• MTBF - typically applies to hardware components, represents the
manufacturer’s best guess (based on historical data) regarding how
much time will pass between major failures of that component
• MTTF - indicates the length of time a device is expected to last in
operation. In MTTF, only a single, definitive failure will occur and will
require that the device be replaced rather than repaired.
• MTTR - is the amount of time it takes for a hardware component to
recover from failure.
https://www.researchgate.net/figure/A-schematic-diagram-ofMTTF-MTTR-and-MTBF_fig5_334205633
Calculating downtime
• The recovery time objective (RTO) is the maximum amount of time
that a resource may remain unavailable before an unacceptable
impact on other system resources occurs.
• The recovery point objective (RPO) defines the amount of time that
will pass between an incident and recovery from backup.
VI. Data security and privacy
policies
Data privacy
• Data organization
• The first step to dealing with data security is organization. Analyze individual
chunks of data, such as databases, spreadsheets, access control lists, and so
on. Then determine the importance—the sensitivity—of that data.
• Data sensitivity - IT security professionals need to apply appropriate security controls for
data, making decisions based on the sensitivity of that data. The more sensitive the data,
the more controls we apply to ensure its security.
Impact table for data (FIPS 199)
Data privacy
• Commercial labels
• Confidential, private, proprietary, public
• Government/Military labels
• Top secret, secret, confidential
Data privacy
• Data roles - Every data set needs some number of people with clearly
defined roles who manage that data at various levels. Data roles help
define both the various responsibilities and the responsible parties for the
different jobs.
• Data owner - The data owner is the entity who holds the legal ownership of a data
set.
• Data custodian - A data custodian ensures that the technical aspects of the data set
are in good order.
• Data steward - A data steward makes sure that the data set does what the data is
supposed to do for the organization. Data stewards update the data as needed to
conform to needs. Data stewards also define how users access the data.
• Privacy officer - When an organization has data that is subject to privacy laws and
regulations, it will assign a privacy officer to oversee that data. Privacy officers
perform the due diligence to make sure that the data’s storage, retention, and use
conform to any and all laws and regulations.
Data privacy
• Legal and compliance
• Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX)
provide strict federal guidelines for the handling, storage, and transmission of data. In
addition, the Payment Card Industry Data Security Standard (PCI-DSS), while not a law, has
equally stringent guidelines for credit card data.
• Personally identifiable information
• Personally identifiable information (PII) is any information referencing an individual that either by itself
or with other information could identify that individual, allowing persons to contact or locate that
individual without their permission.
• Protected health information
• Protected health information (PHI) is any form of personal health information (treatment, diagnosis,
prescriptions, etc.) electronically stored or transmitted by any health provider, insurer, or employer. This
health information must be tied to the individual’s PII to be considered PHI
• Data retention
• Number of laws and regulations require strict rules on how long different types of data is retained. The
Sarbanes-Oxley Act is easily the most far-reaching law affecting the types of data public companies must
retain and the length of time they must retain that data.
Data privacy
• Data destruction
• Legacy media
• Given that most legacy media isn’t completely erasable, the best way to eliminate the
data is to destroy the media. Paper, film, and tape are all extremely flammable, so
burning is an excellent method to destroy the data. For the more “green” organizations,
pulping water-soluble media (paper) enables you to recycle the media and not pollute
the environment.
• Electronic media
• Almost all electronic media is erasable, so in many cases you can nondestructively
remove the data. Simple erasing, even reformatting, isn’t enough.
• NIST SP 800-88, Rev. 1, describes the ATA Secure Erase command built into PATA and
SATA drives. Several programs can perform a secure erase.
• DBAN 2.3.0 (Darik’s Boot and Nuke), a popular secure erase utility (and it’s free!).
VII. Personnel risks
Policies, plans and procedures related
to organizational security
Personnel risks
• Hiring
• Organizations perform background checks to look for potential issues, such as
felony convictions, and to verify resume statements.
• Sign a nondisclosure agreement (NDA)
• Onboarding
• Onboarding is the process of giving a new hire the knowledge and skills he or
she needs to do the job, while at the same time defining the behaviors
expected of the new hire within the corporate culture.
Personnel risks
• Personnel Management Policies
• Standard operating procedures
• how the organization do things according to the organization’s best practices—for their
job functions. Some SOPs that are particularly important for IT security include login
procedures, usable data storage locations, use of security credentials, and procedures for
lost or damaged equipment.
• Mandatory vacations
• Many industries (for example, the U.S. banking industry) require all employees to take
off work for a minimum of two weeks every year, a mandatory vacation. Mandatory
vacations are an important security control mainly to make it harder to perpetuate
embezzlement. Any embezzlement scheme usually requires the embezzler to monitor
orders constantly, manipulate records, or deal with issues that might arise to keep
themselves from being detected.
Personnel risks
• Personnel Management Policies (contd.)
• Job rotations
• Job rotation involves periodically switching people around to work in different positions.
This practice enables different people to become proficient in a variety of job roles so
that the organization doesn’t have to depend solely on one person to perform certain
critical functions or tasks.
• Separation of duties
• a single individual should not perform all critical or privileged-level duties. These types of
important duties must be separated or divided among several individuals.
• Multi-person control
• Multi-person control means that more than one person is required to accomplish a
specific task or function.
Personnel risks
• Personnel Management Policies (contd.)
• Training - User training should take place at two very distinct points in the user’s
relationship with an organization: during the onboarding process to get the new hire
to understand and subscribe to critical policies and good user habits, and, possibly
even more importantly, as an ongoing continuing-education process.
• User - A user must understand how his or her system functions and have proper security
training to recognize common issues (malware, unauthorized user at their system, etc.).
• privileged user - A privileged user has increased access and control over a system, including
access to tools unavailable to regular users.
• executive user - An executive user concentrates on strategic decisions including policy review,
incident response, and disaster recovery.
• system administrator - The system administrator has complete, direct control over a system.
• data owner/system owner - From a role-based training aspect, these two otherwise slightly
different functions are very similar in that in almost all cases the owner is the organization. In
these cases, the main security role here is to know how to delegate security awareness to the
proper authority. For data, this is usually the data custodian; for systems, it is usually the
system administrator.
Personnel risks
• Personnel Management Policies (contd.)
• Policies
• Acceptable use policy - An acceptable use policy (AUP), also called a rules of behavior
policy, defines what a user may or may not do on the organization’s equipment.
• General security policies - People use social media networks and personal e-mail to
exchange information and photo- graphs and keep in touch with family members and
friends. Unfortunately, some people post way too much information on social media
networks and through social media applications—hello, Snapchat—decreasing their (and
others’) level of privacy.
Personnel risks
• Personnel Management Policies (contd.)
• User habits
• Password behaviors
• Users should create complex passwords.
• Users must try to create passwords that don’t use dictionary words.
• Users should never share their passwords or write them down.
• Users should change their passwords often to thwart password attacks.
• Clean desk policies - A clean desk policy isn’t about asking employees not to leave old soda
cans and candy wrappers on their desks! Instead, it creates a process for employees to clear
sensitive data out of work areas so that it is stored securely at the end of the workday.
• Preventing social engineering attacks - Users should be briefed on the general concepts of
social engineering and how it works, and they should also be briefed on the specific types of
attacks they may encounter, such as shoulder surfing, tailgating, dumpster diving, and so on.
• Personally owned devices - Users should get training on risks posed by bringing personally
owned devices to work and how they might help prevent these risks.
Personnel risks
• Personnel Management Policies (contd.)
• Offboarding
• Termination letter/exit interview - An employee should provide a written termination
letter, defining final day of employment. In many organizations, this is also the time to
perform an exit interview. Exit interviews give the soon-to-be-separated employee an
opportunity to provide insight to the employer about ways to improve the organization.
Some example questions include a) What are your main reasons for leaving? B) What
procedures can we improve upon?
• Return of equipment - All organizations should use a checklist to ensure that all
equipment owned by the organization is returned by the departing employee.
• Knowledge transfer - Knowledge transfer is the process that makes sure a separating
employee provides any and all knowledge needed by the organization.
VIII. Third-party risk
Policies, plans and procedures related
to organizational security
Considerations
• Security policy and procedures
• Although your organization should have its own security policies, procedures,
and pro- cesses, third-party organizations usually have their own as well.
Sometimes these policies and procedures conflict between the parties and
have to be negotiated, resolving any differences between them, in advance.
• Privacy considerations
• Privacy is a serious consideration when exchanging data with any third party.
If you con- tract services with a third party, make sure to agree on data
privacy prior to entering into any business agreements. Privacy considerations
include employee data privacy; privacy related to the type of data itself, such
as financial data, personally identifiable information (PII), and protected
health information (PHI); and how the third party will treat this data.
Considerations
• Risk awareness
• Many organizations require that third-party providers or business associates
have an established risk management program that includes threat and
vulnerability assess- ments, risk mitigation strategies, and so on. This helps
assure an organization that the third party has performed its due care and
diligence in assessing and managing risk and is therefore able to reduce and
mitigate it.
• Understanding data sharing
• Security policy set forth in third-party agreements should cover unauthorized
data sharing and access control.
Considerations
• Data ownership
• Organizations must define the types of data to which they claim ownership
initially, and how they would classify that data in terms of its sensitivity and
protection requirements.
• Supply chain assessment
• Supply chains, the processes by which organizations receive necessary goods
and services from third parties, is a huge issue for any organization, especially
in the manufacturing and distribution industries.
• From the standpoint of IT security, our biggest concern is availability of
equipment, software, and online services. To that end, it’s important for IT
security folks to conduct a supply chain assessment to ensure those critical
products are available as needed and to create alternative processes.
Considerations
• Agreement types
• Sales and purchase agreement (SPA)
• A sales and purchase agreement (SPA) is a legal document obligating a buyer to buy and
a seller to sell a product or service. SPAs are critical and common for large, complex
purchases. An SPA not only defines prices, but payment amounts and time frames for
deposits.
• Service level agreement (SLA)
• a legal document that defines the expectations for servic- es that a third-party provider
will guarantee to the organization. The provider guarantees the service they provide to
be up and running and usable by the organization, either for a certain percentage of time
or to a certain level of standards.
Considerations
• Agreement types
• Business partners agreement (BPA)
• The business partners agreement (BPA) specifies what type of relationships the different
parties will have, usually from a legal perspective. An entirely separate company may be
established for the business venture, combining elements of both individual businesses;
this is usually for long-term or large-scale ventures.
• Memorandum of understanding (MOU)
• Sometimes called a memorandum of agreement (MOA), is a document often used within
a large business or government agency that establishes an agreement between two
independently managed parties that may be working together on a project or business
venture.
Considerations
• Agreement types
• Interconnection security agreement (ISA)
• Telecommunication companies will use an interconnection security agreement (ISA)
when connecting to each other’s network to handle essential details about technology
and personnel. An ISA is not a legal document used to cover technical issues between
two parties. An ISA may detail how two independently owned and managed network
infrastructures are connected to each other.
• Verifying compliance and performance
• Any agreement between business parties and providers should specify how each party
can verify compliance and performance standards. You may specify certain common
standards and performance levels that each party has to meet, as well as legal or
governance compliance.
Q/A