CYBR-501 Module One: Introduction to Risk Management

A. Introduction
- Information technology is the vehicle that stores and transfers information from one business unit (dept. within that company) to another
  - IT = computers, networks and software systems within that organization
  - IT is the tool/medium used within an organization to
    - store the information in a database, server, or cloud
    - transfer the information
    - share the information between different departments/units within that company
  - IT = the infrastructure enabling communication and data flow inside a company
- What happens if that vehicle breaks down?
  - Takes all the networks down
  - can’t transfer information from one business to another
- Focus has shifted from computer security toward IS (information security)
- IS is a shared responsibility
  - IS is no longer the responsibility of a specific group within that company
  - IS is the responsibility of every employee
  - managers set the tone for security culture, establish best practices, empower their team to make informed decisions
- Effective information security decision-making in organizations should involve diverse communities of interest:
  - Collaboration between these different groups is important to ensure a comprehensive and informed approach to manage cyber risk
  - community of interest: a group of individuals with shared interests and expertise in cybersecurity
  - Security researchers
    - Individuals that discover and analyze vulnerabilities
    - develop security tools
    - contribute to the overall understanding of cyber threats
  - security practitioners
    - IT professionals, security analysts, and incident responders who implement and maintain security controls, detect and respond to attacks, and manage the overall security posture within the organization
  - policymakers and regulators
    - Develop and enforce cybersecurity policies and regulations that govern how organizations handle sensitive data and protect critical infrastructure
  - cybercrime investigators
    - Investigate cybercrime incidents, track down attackers, and bring them to justice
  - academic experts
    - Scholars and educators who advance both the theoretical foundation and practical applications of cybersecurity through performing extensive research, curriculum development, and knowledge dissemination to every other employee within that organization

B. What is Security?
- Security refers to the state of being free from threat. Security involves protection against potential risks
- Security involves protection against loss, damage, unauthorized modification, and any other potential risks
- True security is achieved through a layered strategy
  - Two principles
    - defense in depth
      - Apply multiple layers of security measures: ACs, IDS, etc.
    - defense in breadth
      - apply two (or more) types of the same security measures
- Effective security relies on strong management to ensure that all strategies are planned, organized, staffed, directed and monitored for continuous protection and improvement

C. Specialized Areas of Security
- a successful organization should have multiple layers in place
  - physical security
    - Protecting physical assets like servers, data centers, and employee devices
    - e.g., controlled access, security camera, IDS, and secure disposal of physical media
  - operations security
    - Secure the organizational processes and the procedures
    - e.g., secure software development practices, IRPs, disaster recovery procedures, and AC policies
  - communication security
    - Protect data in transit between devices, applications, or users
    - e.g., security protocols (HTTPS), secure email gateway
  - cybersecurity
    - Protect computer systems and devices from cyber threats
    - e.g., antivirus software, firewall, IDS, IPS, patch management
  - network security
    - Protect the network infrastructure from unauthorized access and attacks
    - e.g., network segmentation, firewalls, traffic monitoring, and vulnerability management
- cybersecurity vs infosec
  - Cybersecurity focuses on protecting information and systems specifically within the digital realm: computers, networks, interconnected devices
  - IS focuses on protecting the information in all of its forms, regardless of whether the information is digitally or physically stored

D. InfoSec
- information security focuses on the protection of:
  - Information
    - Most critical asset within any organization
    - Characteristics give it value
    - Protecting the CIA
  - Technology that stores and transfers that information through a variety of protection mechanisms
- How to protect: we can protect these three elements using protection mechanisms
  - policy
  - SETA
  - technology

E. Confidentiality (info characteristic)
- confidentiality means limiting access to information only to authorized individuals.
  It protects from information disclosure
  - information disclosure: the unintentional exposure of sensitive or confidential information to unauthorized individuals/parties; may be because of human error, SE, or third-party breaches
- to protect the confidentiality of information
  - information classification
    - public, internal use, sensitive, classified
  - secure document (and data) storage
  - Application of security policies
  - education of information custodians and end users
    - an information custodian is any person who has possession or control over sensitive information regardless of their position or role within that organization
  - cryptography

F. Integrity (information characteristic)
- integrity ensures only authorized individuals can change or delete the data
  - e.g., only the assigned course instructor may modify a student’s grade during the semester
- corruption can occur during entry, storage, or transmission of information

G. Availability (information characteristic)
- availability makes sure the information is available when requested to authorized individuals only
  - e.g., a student can access their grades any time during their study with SU
- an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction

H. Privacy (information characteristic)
- The right of individuals/groups to protect themselves and their personal information from unauthorized access, ensuring confidentiality
- information collected, used, and stored by an organization must only be used for the purposes explicitly communicated to and approved by the data owner at the time of collection
- privacy does not imply freedom from observation
  - the personal information will be handled exactly in the ways authorized by the individual who provided that information
  - privacy doesn’t mean that no one can see or collect information about you
  - privacy means that the information collected must only be used in ways you have agreed to

I. Information Aggregation (information characteristic)
- many organizations collect, swap, and sell personal information as a commodity
  - aggregation means someone collecting and accumulating information about you
  - swapping means a company exchanges information about you with another company
- today, it is possible to collect and combine personal information from several sources, which has resulted in databases that could be used in ways the original data owner has not agreed to or does not even know about
- Does information aggregation violate our privacy?

J. Identification (information characteristic)
- the access control process in which an unverified entity provides a unique label by which they can be recognized by the system
- it serves as the first step in access control, allowing the system to associate future actions with a specific identity
- identification and authentication form the foundation for determining what level of authorization (access right) an individual will receive

K. Authentication (information characteristic)
- an access control mechanism that validates and verifies the identity claimed by an unverified user or system
- it ensures that the entity attempting to gain access is who they claim to be, based on provided credentials
- users authenticate themselves using:
  - passwords or passphrases
  - Personal identification numbers (PINs)
  - biometric data
  - security tokens or authentication apps

L. Authorization (information characteristic)
- the access control mechanism that determines what an authenticated user is allowed to do
- it involves matching the user’s identity to specific information assets and their permitted access levels
- authorization: what resources can the user access?
  - defines permissions the user is given

M. Accountability (information characteristic)
- the access control mechanism that ensures all actions (both authorized and unauthorized actions) can be traced back to a specific user/process.
  It is also known as auditability
- to establish responsibility and enable tracking of activity within a system for auditing, security investigations, and compliance
- why does accountability matter?
  - it can deter or discourage misuse through traceability
  - Supports forensic analysis after incidents
  - helps in meeting regulatory and organizational compliance
- key mechanism for accountability
  - System audit logs: primary tool for enabling accountability
    - records events like login attempts, file access, configuration changes, and the other user activities

N. Key Concepts of InfoSec: Threats and attacks
- to protect your organization’s information, you need to:
  - know yourself
    - be familiar with the information assets to be protected and the systems, mechanisms, and methods used to store, transfer, process, and protect them
    - know everything about your company, what… information, information systems, hardware devices, staff and employees have
    - understand how the information is stored, transferred, and processed
    - mechanisms vs. methods
      - mechanisms: technical tools or systems used to protect information: tangible or implemented technologies or components
        - ACs, IDS
      - methods: procedures, strategies, or processes that guide how the mechanisms are used or how security is managed
        - risk assessment, IRP, training protocols, security policies, and patch management procedures
  - know the threats you face
    - know your enemy
    - cyber threats are continually evolving due to different factors = rapidly changing and complex threatscape
      - adapting to defenses: as cybersecurity measures improve, on the other side criminals adapt their techniques to bypass them, which means they exploit newly discovered vulnerabilities in software or networks
        - they employ novel SE techniques and develop sophisticated malware capabilities to stay ahead of their defenders
      - human factor: phishing attacks and SE schemes exploit common human emotions like trust, fear, or curiosity to trick users into giving up sensitive information or compromising systems
      - technological advancements: the evolution of technology itself creates new attack vectors and opportunities for exploitation
        - emerging technologies like AI, blockchain, IoT
      - profit motive: financial gain remains the primary motivator for most cyber criminals
    - threats include threat actors, vulnerabilities, and targets that organizations must be aware of and defend against

O. Threats and attacks
- a threat represents a potential risk to an information asset
- an attack represents an ongoing act against the asset that could result in a loss
- threat agents damage or steal an organization’s information or assets by using exploits to take advantage of a vulnerability where security controls are not present or no longer effective
- threat agents: represent individuals/groups with motivation and capability to harm digital systems, data, or infrastructure
  - cybercriminals: main motivation is financial gain
    - perform activities like ransomware attacks, data breaches, and fraudulent transactions
  - hacktivist: main motivation is social or political activism
    - mostly they target websites or systems of organizations they disagree with
    - perform website defacement, DoS attacks, leaking sensitive information
    - e.g., Anonymous, LulzSec
  - state-sponsored actors: main motivation is national security or strategic advantage
    - often targeting government or critical infrastructure systems
    - perform espionage, disruption, and promote their propaganda
  - insider threats: main motivation is personal justice, financial gain, or espionage
    - leak confidential information, plant malware, sabotage company systems

P. Categories of threats
- compromises to intellectual property: unauthorized access, disclosure, modification, or destruction of confidential information that constitutes intellectual property
  - piracy: unauthorized reproduction and distribution of copyrighted material on a larger scale for commercial gain
  - copyright infringement: the broader range of unauthorized use of copyrighted material, not necessarily only for commercial purposes
- deviations in quality of service: the quality of services provided falls below the expected or the promised level
- espionage:
  - espionage: unauthorized acquisition of confidential or classified information for strategic or competitive advantage
  - trespass: unauthorized access to a computer system/network without the author or the owner’s consent
- forces of nature: fire, flood, earthquake, lightning
- human error failure: statistics indicate 80 to 95% of data breaches have a human element involved
  - human vulnerabilities aren’t always intentional
- information extortion: thief demands money or other services in exchange for not releasing the compromised information to the public or to specific individuals
  - blackmail: using illegally obtained information to pressure the victim into doing something they wouldn’t do otherwise
- sabotage or vandalism
  - sabotage: the deliberate manipulation or destruction of computer systems
  - vandalism: defacing or modification of computer systems, networks, or data for nondestructive, often attention-seeking purposes
- Software attacks: viruses, worms, macros, DoS
- technical hardware failure or errors: may seem like an unintentional glitch, but can pose a significant threat to your valuable data and systems
- technical software failure or errors
- technological obsolescence: software or hardware rendered incapable of adequately addressing current security threats
  - why?: May have outdated design or functionality provided by that device or lack of support
  - unpatched vulnerabilities: maybe these devices or software are incompatible with security tools with limited functionality may drain your resources
- theft: illegal confiscation of equipment or info

Q. Intellectual Property (IP)
- IP law is used to protect organizations’ hard-earned creations, designs, and ideas from unfair competition
  - patent: protection of inventions and technical innovations for a limited period, like up to 20 yrs
  - trademark: distinguish and protect the source of goods and services like logos, brand names, and slogans
  - trade secret: protect confidential information like formulas or manufacturing processes that give a business a competitive advantage
  - copyright: protect original creative works
  - industrial design: protect the attractive or visual appearance of a product

R. Compromises to IP
- IP is protected by copyright and other laws, carries the expectation of proper credit to its source, and potentially requires the acquisition of permission for its use
- the unauthorized use of IP creates a threat to infosec
- this category includes two primary areas:
  - software piracy: unauthorized use, reproduction of copyrighted software
  - copyright protection and user registration
- IP protection
  - SETA: educating employees about what intellectual property we have in the company, how to protect it
  - secure your IP physically and digitally
  - use data loss prevention (DLP) tools for tracking sensitive documents

S. Principles of InfoSec Management
- governance is the strategic task of setting the organizational goals, direction, limitations, and accountability frameworks
  - a set of responsibilities and practices exercised by the executive management (the top management) with the goal of providing strategic direction, ensuring that objectives are achieved and verifying that the enterprise resources are used in a responsible way
- management is the allocation of resources and overseeing/controlling the day-to-day operations of the organization
  - the process of achieving objectives using the available resources

T. InfoSec planning (principles of infosec management)
- planning: activities necessary to support the design, creation, and implementation of InfoSec strategies
- several types of infosec plans exist
  - incident response planning (IRP): set of instructions to help the IT staff detect, respond, and recover from security incidents
  - business continuity planning (BCP): backup plan for ensuring essential business functions continue even during unforeseen events
  - disaster recovery planning (DRP): deals with restarting the infrastructure and the data after catastrophic events like natural disaster or major cyberattack
  - policy planning: defines acceptable use of technology, data security practices, incident response or incident reporting procedures, and employee security responsibilities
  - risk management planning: proactive approach involving identifying, assessing, and mitigating potential security risks to your organization
  - security education, training, and awareness (SETA)

U. Policy
- policy is “a set of organizational guidelines that dictate certain behavior within the organization”
- in infosec, there are three general categories of policy
  - enterprise infosec policy (EISP): strategic policy that becomes the blueprint (reference model/policy) for other policies
    - it will provide the overall vision, direction, and scope for all security efforts within the organization
  - issue-specific policy (ISSP): e.g., password policy
  - system-specific policies (SysSPs): the operating manual for a specific piece of equipment to delve into the configuration, security settings, and usage guidelines for individual systems and applications

V. Programs
- InfoSec operations that are specifically managed as separate entities
  - example of an entity: SETA program
  - other programs that may emerge include a physical security program and physical access

W. Protection
- the protection function is executed via a set of risk management activities, including risk assessment and risk control, as well as protection mechanisms, technologies, and tools
- each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

X. People
- people are the most critical link in the infosec program
- this area of infosec includes security personnel as well as aspects of the SETA program

Y. Projects
- the application of thorough project management discipline to all elements of the infosec program
- project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goals, timelines, and resources
- ongoing processes (operations)
- project-based activities
- how is infosec both a process and a project?
  - infosec is a chain of interconnected projects that support ongoing and evolving processes, new threats, new technologies, and regulations that require continuous improvement and adaptation

Module 2: identifying and assessing risk - part 1

A. Introduction
- the infosec dept. exists primarily to manage risk to the organization’s info assets
- why can’t we eliminate the risk?
  - since the risk changes over time, the environment we protect changes
  - information changes over time
  - limited resources and budget
  - difficult to control human behavior
- what can we do?
  - Can manage the risk by staying within the acceptable level (risk appetite)
- managing risk is a core responsibility of every manager within the organization, not just infosec
- effective risk management supports business continuity, regulatory compliance, and the protection of organizational reputation
- infosec dept. implements different security measures, policies and procedures to
  - identify the risk
  - assess the risk
  - mitigate the risk
- the infosec dept. ensures we adhere to data privacy regulations, industry standards, and internal security policies
- infosec dept. handles security incidents like data breaches, malware attacks, and unauthorized access; also, minimizes the damage and restores critical business operations
- finally, stay updated on the latest threats and vulnerabilities, so they can adapt their security measures to address these in a proactive manner
- risk management
  - identifying potential threats, assessing their impact, and implementing strategies to mitigate or address them

B. Risk management process
- risk identification
  - need to identify all potential threats: insider, external
  - need to identify them since they could negatively affect the organization’s ability to achieve its objectives
  - need to recognize the risks to information assets like data systems and operations and document them
- risk assessment
  - need to analyze and evaluate all these identified risks
  - document the likelihood of each identified threat occurring
  - determine the potential impact
    - legal, financial, and reputational
  - we can prioritize these risks
- risk appetite
  - amount and type of risk an organization is willing to accept in meeting objectives
  - affected by size, industry regulatory requirements, and the strategic goals of that organization
  - need to understand the risk appetite to make informed decisions
  - e.g.,
    - a startup company: might accept more risk to grow quickly
    - large and well-established company: may prioritize stability and invest more in risk mitigation
- Risk control
  - implementation of policies, procedures, and technical controls to manage the identified risks
  - controls
    - preventive controls: access controls
    - detective controls: monitoring systems (SIEM)
    - corrective controls: IRP

C. Risk management across leadership roles
- Each manager within the organization plays a vital role in reducing risk. Their responsibilities often include:
  - general management: structuring and empowering the IT (help desk) and infosec depts. to protect the organization’s info assets
    - structure these two depts. and give them resources and budget to protect the organization’s info assets
    - sets the tone for security culture
    - Must ensure we have integration between the IT dept. and the infosec dept. because they play interconnected roles in maintaining the organization’s overall digital health
    - close collaboration between the IT and infosec dept. is essential to align the IT strategies with security objectives
    - clear outlining of the roles and responsibilities
    - adequate resources (budget, personnel, and technology) must be allocated to the two depts.
  - IT management: meet the organization’s technical and operational needs. Also, collaborate closely with infosec professionals to align infrastructure with security priorities
    - the management must work closely with the infosec professionals to ensure that the organization’s technological infrastructure supports both operational goals and security requirements
    - collaboration helps integrate security measures into system design, configuration, and maintenance
    - leveraging the infosec team’s specialized knowledge and forward-looking insights
    - forward-looking insights: the ability to anticipate future threats, trends, and technology change in cybersecurity
  - infosec management: lead with expertise, adaptability, and strategic thinking. Work cross-functionally with other depts. to balance the trade-offs between security and usability
    - security: focusing on protecting the organization, info assets, sensitive data, and ensuring the CIA of info
    - usability: how easily and efficiently users can interact with the system or an application to achieve their goals
      - simplicity, clarity, and user satisfaction in the design and functionality
    - striking the right balance between usability and security is essential

D. Mastering risk through self and situation awareness
- “One who knows the enemy and knows himself will not be in danger in a hundred battles
  - battle: ethical hackers vs. attackers
    - competing to be the one who discovers vulnerability first
  - enemy: hackers, malicious actors, and potential vulnerabilities in the system
    - understanding the tactics, techniques, and procedures employed by attackers
    - STAY INFORMED
  - understanding oneself: having a clear awareness of the organization’s security posture
    - knowledge of the IT infrastructure, vulnerabilities, strengths and weaknesses
    - understand the data landscape and recognize the organization’s risk appetite
- one who does not know the enemy but knows himself will sometimes win, sometimes lose
- one who does not know the enemy and does not know himself will be in danger in every battle”
- goal: knowing both the enemy and oneself
  - stay well-informed about the potential threats and having a clear understanding of the organization’s security landscape

E. Knowing yourself: foundation of risk management
- residual risk is inevitable
  - Unable to have zero remaining risks
  - some level of risk will remain even after implementing procedures and strong controls
  - e.g., the risk of DDoS attacks is high -> implemented more security controls, so the remaining risk of DDoS attacks is low
- understand your information flows
  - when speaking about effective risk management, we need to know how the data is
    - collected
      - need to identify the source of the data
      - important to assess the initial security risks associated with acquiring this sensitive information
    - processed
      - data manipulation, data analysis, data transformation
      - managers should be aware of how the processing happened, what systems are involved, and the potential vulnerabilities that may arise during these activities
    - stored
      - retaining the data for future use
      - managers should know where and how the data is stored
      - data stored on servers, databases, cloud
      - understanding the storage infrastructure is important for implementing security controls to protect against unauthorized access, data breaches, and other potential risks associated with data storage
    - transmitted
- assess internal capabilities and weaknesses
  - need to identify gaps in policies, technologies, and employee awareness that can expose the organization

F. Understanding your critical information assets
- knowing which information assets are valuable to the organization
- identifying, categorizing, and classifying those assets
  - Identifying (identification):
    - recognize and list all information assets within the organization
    - Assets can include customer data, intellectual property, financial records, employee info, etc.
    - identification + valuation
      - valuation: assigning a value for each information asset
        - usually between 0 and 1
        - a higher value reflects that the asset has more value/importance to the company
  - categorization
    - grouping the information assets based on common characteristics/functions
  - classification
    - assigning a level of sensitivity or confidentiality to each category
    - helps us prioritize the security measures and allocate resources based on the importance and potential impact of a security breach
- understanding how they are being protected
  - identifying and understanding the existing security measures, what current security measures we have in place to protect these information assets
  - helps us make sure that our organization complies with relevant regulations and industry standards in safeguarding the information assets
- armed with this knowledge, the organization can then initiate an in-depth risk management program

G. Knowing the enemy
- identifying threats
  - infosec professionals within an organization need to stay vigilant and continuously monitor the cyber security landscape for any emerging threats
  - keeping up with latest cyber attack techniques, vulnerabilities, and potential risks
  - apply threat intelligence: gathering information about potential threats from different sources
- examining threats
  - need to understand the 3 components (TTPs).
    Involves analyzing our past incidents, studying malware behaviors, and examining the modes of operation of cybercriminals
    - tactics
      - Are the high-level goals or strategic objectives of attackers
      - describes what the adversary aims to achieve from this attack
    - techniques
      - what are the general methods used to achieve a tactic?
      - describes how the attacker executed each phase of these objectives
    - procedures
      - Specific implementation of techniques tailored to particular tools or environments
      - Need to know how the attacker carries out a technique in practice
  - Perform regular vulnerability assessments to identify weaknesses in the organization, systems, and infrastructure
- understanding threats
  - understanding the motivations and objectives of potential threat actors, whether they are financially motivated, state sponsored or hacktivist
  - knowing their goals helps in anticipating their actions and building effective defense
  - can perform: risk assessment
    - Identifying potential threats, evaluating the likelihood of their occurrence, and estimating their potential impact on the organization’s assets

H. Risk Management Process
- risk management is the systematic approach to:
  - identifying potential risks that could impact an organization’s operations
  - assessing the likelihood and potential impact of these risks
  - determining effective strategies to control, reduce, or mitigate the identified risk
    - Reduce: lowering the likelihood or the impact of a risk
      - implementing strong and complex, MFA
    - mitigate: taking actions to lessen the severity or consequences if the risk actually happens
      - data backup
      - DRP

I. Accountability (responsibility) for risk management
- accountability for risk management means someone is being held accountable for ensuring that the risk management practices are effective and well implemented within that organization
- all communities of interest take responsibility for risk management:
  - infosec dept.
  - IT (help desk) dept.
  - management and end users

J. Infosec and IT depts.
- infosec dept
  - take a leadership role in addressing risk
  - addressing risk: controlling (managing) the risk to stay within the acceptable level
- IT (help desk) dept.
  - help in building secure systems and ensure their safe operation
  - first point of contact for users facing an IT issue
  - in the event of security incidents or anomalies, the help desk is crucial in providing quick response and resolution
  - shared responsibility: the help desk is involved in managing user accounts like creating their accounts, modifying and disabling their accounts
  - is responsible for managing software updates and patches
  - serve as a critical communication channel between users and IT security team
  - can contribute to the ongoing security, awareness, and training programs for users
  - can provide valuable insights and feedback based on user interactions and reported issues

K. Management and end users
- properly trained and aware of current threats
  - management training: properly trained management understands the strategic importance of information security
    - includes aligning security measures with organizational goals, making informed decisions about security investments, and setting the tone for a security-conscious culture
    - focuses on risk management and assessment
    - The executives/top management within our company need to be aware of the potential threats
- participate in the early detection and response to security incidents
  - the end users of the system are the first entity to notice that the system is slow
  - informs the help desk/security team
- help create a security-aware culture across the organization
  - Management sets the tone by prioritizing and enforcing security policies
  - builds a culture where cybersecurity is everyone’s shared responsibility
- ensures that adequate resources are allocated
- provides strategic direction and oversight for organizational risk management efforts
  - this is the responsibility of the top management within the organization
  - by setting clear security priorities
  - aligning risk initiatives with business goals and ensuring accountability across all depts.
- makes high-level decisions on risk tolerance
  - approve policies and allocate resources to effectively manage and reduce the risk throughout the organization

L. Accountability for Risk Management
- prepare for risk management
  - plan and organize the process
  - develop information asset categories and classifications
- identify the risk (risk identification): goal is to understand your assets, threats, and vulnerabilities
  - know yourself
    - Inventory information assets: create a complete list of all the organization’s information assets
      - need to use automated inventory tools rather than doing the process manually
    - categorize assets: laptop, server, network, equipment
    - classify information assets: assign a label for each one based on sensitivity
      - confidential, internal use, public
    - prioritize information assets: rank these assets based on their criticality to business operations
  - Know your enemy
    - identify and inventory threats: need to list all possible threats
    - assess threats: evaluate each threat and potential impact
    - prioritize threats: identify the threats by their potential impact on operations, revenue, and reputation
    - identify vulnerabilities: need to find weaknesses in these critical assets that the attackers might exploit
- assess risk (evaluate risk): analyze how serious each risk is
  - Determine vulnerability likelihood: the estimate of probability of exploitation
  - assess potential loss (impact)
    - consider the financial, reputational, legal, and operational consequences
  - evaluate current security controls
    - need to determine how the existing security controls (policies, training, security technology) reduce the risk
  - determine the overall risk
    - Assign a risk level (high, moderate, low) for each critical asset
- define risk appetite: decide how much risk the organization is willing to accept to meet its strategic objectives
  - determine risk tolerance
    - risk tolerance: the acceptable deviation from the organization’s risk appetite
    - consider the available resources, security budget, staff expertise, and industry risks
  - synthesize risk appetite
    - Synthesize: need to describe/formulate the risk
  - develop risk appetite statement:
    - need to document the organization’s stance
- control/manage the risk
  - Implement appropriate security controls based on the risk appetite and risk tolerance
  - controls could be technical, administrative, or physical to reduce/mitigate the risk
  - controls are selected based on budget priorities and risk level

M. Risk identification
- a successful risk management project must be:
  - well-organized
    - has a defined structure and process
    - requires a structured framework that outlines the entire risk management process, including: defining roles, responsibilities, and the overall methodology for identifying, assessing, and mitigating risk
  - properly funded
    - ensure access to essential tools, personnel, technology, and training needed for effective risk management
  - led by a clear champion
    - someone with authority and influence to drive the efforts
    - the need for an individual to have the responsibility of the project and ownership
  - guided by a clear Statement of Work
    - outlining the objectives, scope, and main deliverables of this project
  - fully supported
    - involves commitment from the senior management and collaboration across different depts
- managers’ responsibility
  - Identify the organization’s information assets
  - classify and categorize assets into useful groups
  - prioritize assets by overall importance

N.
Identification and Prioritization of Info Assets - the risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements - this step should be done without pre-judging the value of each asset; values will be assigned later in the process - unbiased evaluation: evaluating each info asset objectively without making assumptions about its importance or risk levels - all assets are simply identified and documented without ranking or judgement - equal consideration: all information assets must receive the same level of attention during the risk identification process - Values will be assigned later in the process: - Assessing and prioritizing these risks - values are assigned to each identified asset based on its importance to the organization’s operations, sensitivity of the information it holds - its criticality to business processes - focus the available resources on addressing the most critical risks first - the risk identification process involves identifying potential risks that could impact the organization information assets - subprocess aims to provide a comprehensive assessment of all possible risks, ensuring nothing is overlooked O. 
Organizational Assets Used in Systems

| Information system components | Risk management components | Example risk management components |
|---|---|---|
| People | Internal personnel; external personnel | Trusted employees; other staff members; people we trust outside our organization; strangers |
| Procedures | Procedures | IT and business-standard procedures; IT and business-sensitive procedures |
| Data | Data/information | Transmission; processing; storage |
| Software | Software | Applications; operating systems; utilities; security components |
| Hardware | Hardware | Systems and peripherals; security devices; network-attached process control devices and other embedded systems (IoT) |
| Networking | Networking | Local area network components; intranet components; internet or extranet components; cloud-based components |

P. Identifying hardware, software, and network assets - many organizations use asset inventory systems to keep track of their hardware, network, and software components - asset inventory systems: tools/databases that organizations use to keep a comprehensive record of their hardware devices, network components, and software applications - whether automated or manual, the inventory process requires a certain amount of planning - determine which attributes of each of these information assets should be tracked - that will depend on the needs of the organization and its risk management efforts - asset inventory allows the organization to identify and assess potential vulnerabilities associated with hardware, network, and software components - understanding the risk landscape helps in implementing targeted security measures - in the event of a security incident, having an updated asset inventory enables the organization to quickly identify the affected systems Q. 
Asset Attributes - when deciding which attributes to track for each information asset, consider the following list of potential attributes: - name - IP address - asset type: - the categorization of the information as based on its nature, function, or characteristic - helps in classifying these assets into different groups or categories - manufacturer name - physical location - controlling entity - software version and update version - asset tag - A unique code or label assigned to a specific information asset - MAC address - serial number - manufacturer’s model/part number - logical location R. Identifying people, procedures, and data assets - responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgement - as these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software S. Suggested attributes for people, procedures, and data assets - people - position name/number/ID - supervisor name/number/ID - security clearance level - special skills - procedures - description - intended purpose - software/hardware/networking elements to which it is tied - location where it is stored for reference - location where it is stored for update purposes - Data - Classification - owner/creator/manager - size of data structure - data structure used - online or offline - location - backup procedures Module 2- identifying and assessing risk- part 2 A. 
Categorizing info assets - once inventoried, we determine which asset categories are crucial for the risk management program - once we have created a list of all information assets we have inside the organization - determine which asset categories are important so we can resume the risk management programs - this involves prioritizing assets based on their value and vulnerability to potential threats: - understand asset value - there are four different values for each asset - financial: need to consider the direct cost of replacing or repairing the asset - operational: need to assess the impact of asset loss or disruption, especially the impact on critical business functions - reputational: need to evaluate the potential damage to the brand image and customer interest - legal and regulatory: need to consider compliance requirements and potential penalties for any data breach - analyze asset vulnerability - exposure to threats: need to identify threats that each asset category faces - existing security controls: need to evaluate the current controls protecting each asset category - likelihood of attack: need to assess the probability of these threats affecting each asset type - potential impact of a breach: need to estimate the severity of consequences if the attack is successful on that asset - risk prioritization frameworks - qualitative: use risk matrices with scoring systems to weigh the value and the vulnerability factors - e.g., risk is moderate - quantitative: calculate the potential financial loss and estimate the risk - e.g., risk is 0.4 - hybrid: combines qualitative and quantitative approaches to get a more balanced and more accurate risk assessment - common asset categories: develop common categories - data - what categories we have (e.g., customer information, financial records, intellectual property, etc.) 
- Applications - can categorize them into, e.g., business-critical software, web application, database, or user application - systems - can categorize them into servers, network devices, workstations, mobile devices, etc. - people - privileged users (employees with access to sensitive data) - facilities - physical locations housing critical infrastructure - can categorize into data centers, server room, or critical infrastructure control center - continuously refine - need to regularly review and update the asset inventory and the risk assessment - need to adapt prioritization: re-prioritize the assets and threats based on the evolving threats and the business needs, which usually change over time - Inventory should also reflect sensitivity and security priority assigned to each information asset - sensitivity: the potential impact on the organization if the asset is compromised, lost, or unavailable; how important the asset is to the organization - security priority: deciding which assets get the most attention for protection, and which ones we would focus on recovering first - Benefits: - prioritization and resource allocation - Understanding the sensitivity and security policy of each asset helps us focus our efforts on the most critical assets - can allocate resources for security controls, monitoring, and incident response based on the potential impact of a breach or unauthorized access to different assets - risk assessments and mitigation strategies - the sensitivity and security priority results are used in the risk assessment - helps us better understand the potential consequences of any security incident or service unavailability based on the sensitivity of the affected information - purpose? 
- reduce the chance of the threat happening - if the attack happens, we can reduce the damage - security and access controls - knowing the sensitivity and security priority guides us in determining the appropriate security controls - incident response and business continuity - having this information available facilitates faster and more effective incident response - three main steps of incident response: - containment: immediately isolate the affected web server to prevent it from spreading the malware or from being used to launch further attacks - recovery: want to restore the data and the critical business functions ASAP - communication efforts - business continuity: even if we have an incident or a disaster, we don’t want to stop the critical business functions - regulatory compliance and reporting - Having a documented classification system can help demonstrate compliance - General Data Protection Regulation (GDPR) - California Consumer Privacy Act (CCPA) - HIPAA B. Classifying Information assets - a data classification scheme categorizes the information assets based on their sensitivity and security needs - A data classification scheme is a crucial foundation for protecting the valuable information assets - there is no one-size-fits-all approach; different classification schemes exist - data classification schemes: - impact-based - classifies the data by the potential business harm - confidentiality-based - Classifies the data based on its level of secrecy and the need for protection - hybrid - combines different approaches for a more detailed classification - each of these categories defines the level of protection required for a particular information asset - effective implementation - need to establish clear definitions and guidelines for each data classification level - need to educate and train employees on the classification scheme, different classification schemes, and their role in protecting classified data - need to regularly review the classification 
schemes because the business, data, and threats evolve C. Assessing values of info assets - after identifying, categorizing, and classifying each info asset, we need to assign a relative value - in the infosec risk management process, assigning a relative value to each info asset after identifying, categorizing, and classifying that asset is important for prioritizing the security efforts and resource allocation - the relative value doesn’t necessarily translate to a direct monetary cost, but rather the combined significance of different values - factors: - CIA - confidentiality: how sensitive is the information within that asset - would a disclosure cause reputational damage, legal issues, or competitive advantage? - Integrity: how crucial is it to maintain the accuracy and completeness of the information within that information asset? - Availability: how critical is the continuous access to the information for business operations? - impact of loss: what are the potential consequences of losing access, or have unauthorized modification of the information? - relative values are comparative judgements that ensure our most valuable information assets receive the highest priority. For example, consider: - which asset is most critical to the organization’s success? - which asset generates the most revenue? - which asset is the most expensive to protect? 
- comparative judgements: the process of comparing and evaluating the significance of different information assets - comparative: directly assessing assets against each other to determine their relative importance - judgements should be based on informed decisions - assigning values involves making judgements about how important one information asset is compared to another - allows you to prioritize the security efforts and resources, effectively focusing on protecting the most critical assets - key considerations for making comparative judgements - define clear criteria: need to establish well-defined criteria for evaluating each factor considered - consistency: ensuring consistency in judging the different assets across different categories to avoid any form of bias - involve relevant stakeholders D. prioritizing info assets - the final step in the risk identification process is to prioritize (rank order) the assets - this is typically achieved using a weighted table analysis, aka weighted factor analysis worksheet - weighted table analysis: a tool for prioritizing information assets during the infosec risk management process - allows you to systematically compare and rank different assets based on their relative value and vulnerability to security threats - steps: - identify information assets - define criteria - CIA, impact of loss, threat likelihood, vulnerability - Assign weights E. 
Threat Assessment - threat assessment is a crucial process for identifying, analyzing, and evaluating potential threats to your organization’s information assets - it forms the foundation for proactive risk mitigation and helps you prioritize security measures effectively - proactive risk mitigation: taking steps before a security incident happens to reduce the likelihood or the impact of any potential threat - prioritizing security measures: deciding which security actions or controls are most important and should be implemented first - ensures you focus the resources on protecting your most critical assets - risk assessment examines how potential threats could impact each information asset and is conducted after inventory and classification F. Key steps of a threat assessment - identify info assets: list all data, systems and applications that hold sensitive information within your organization - identify threats: analyze the potential threats - could be external, internal, natural disaster, physical security threats - assess threat likelihood: based on past security incidents faced, industry trends, and intelligence reports, we estimate how probable it is for each identified threat to occur - assess vulnerability: evaluate how susceptible your info assets are to each threat - involves looking at existing security controls, system weaknesses, typical user behavior - impact analysis: calculate the potential consequences if each asset were successfully impacted - financial loss, reputational damage, operational disruption, and legal implications - risk prioritization: combine the threat likelihood, vulnerability, and impact assessments to rank the risks by their potential severity - mitigation strategies: develop and implement countermeasures to address the identified risk, allocate resources on security controls to make sure each asset is protected G. Threat assessment (cont.) - organizations face a wide array of threats. 
Assuming every threat will attack every information asset makes the project scope overly complex - In the infosec risk management, assuming every threat can and will attack every information asset is not a practical or efficient approach - leads to overly complex project and resource-intensive approach because - resource drain: trying to defend against all possible threats simultaneously becomes resource expensive - false positives: focusing on irrelevant threats generates false positives ; are unnecessary alerts that distract us from the real risk - ineffective prioritization: hinders the efforts to prioritize the critical assets and vulnerabilities which lead to wasted efforts - scope creep: the project becomes heavy and difficult to manage - to simplify this process, the threat identification and vulnerability identification processes are managed separately, then coordinated at the end - effective approach?: risk-based methodology - identify assets and threats - classify assets - prioritize threats - assess vulnerabilities - risk prioritization - focus on high-impact risks - by prioritizing risks, we can focus our security efforts and resources on mitigating the most critical threats to the most valuable assets - benefits: - efficient resource allocation - targeted security controls - improved security posture H. 
Identifying threats - each threat presents a unique challenge to information security and requires specific controls to handle it - before threats can be assessed within the risk identification process, each threat must be further examined to determine its potential (likelihood) to affect the targeted info asset - why are unique security controls important?: for each info asset that has a specific vulnerability and a specific likely threat, need to implement suitable controls only for this info asset - different threats mean different objectives: applying generic security controls might not address the specific tactic used by each attacker - varying asset vulnerability: vulnerabilities are specific to each info asset - Resource optimization: focusing on customized security controls ensures that resources aren’t wasted on unnecessary mitigation efforts for irrelevant threats - improved security effectiveness: applying the suitable security controls for the right threat results in a more enhanced overall security posture than applying generic security controls I. Assessing threats - determining these factors depends on several key aspects of your organization’s specific situation - info assets: type + its value - organization context: industry, size, security posture, threat landscape - existing controls - the following questions can help you understand various threats and their potential effects on an info asset: - which threats have the highest likelihood of success? - which threats could result in the greatest loss if successful? - which threats are the costliest to protect against? - which threats are the costliest to recover from? J. Prioritizing threats - just like with info assets, your organization should conduct a weighted table analysis for threats - first, list the categories of threats your organization faces - then, select the categories that correspond to your key questions of interest K. 
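A weighted table analysis of the kind described above for both info assets and threats, worked through in Python. This is an added example, not part of the original notes; the weights, the 0-1 scores, and the sample assets and threats are constructed for illustration.

```python
import math

# Asset criteria are the ones the notes list; the weights are constructed for
# this example and must sum to 1.0 so every result stays on a 0-1 scale.
ASSET_WEIGHTS = {
    "confidentiality": 0.20, "integrity": 0.15, "availability": 0.15,
    "impact_of_loss": 0.25, "threat_likelihood": 0.15, "vulnerability": 0.10,
}
# Threat criteria follow the four assessment questions in the notes.
THREAT_WEIGHTS = {
    "likelihood_of_success": 0.35, "loss_if_successful": 0.35,
    "cost_to_protect": 0.15, "cost_to_recover": 0.15,
}
# Constructed sample scores: 0.0 = negligible, 1.0 = critical.
ASSETS = {
    "customer database": dict(confidentiality=1.0, integrity=0.9, availability=0.8,
                              impact_of_loss=1.0, threat_likelihood=0.7, vulnerability=0.6),
    "public website": dict(confidentiality=0.1, integrity=0.7, availability=0.9,
                           impact_of_loss=0.5, threat_likelihood=0.9, vulnerability=0.7),
    "payroll system": dict(confidentiality=0.8, integrity=0.9, availability=0.5,
                           impact_of_loss=0.6, threat_likelihood=0.4, vulnerability=0.4),
}
THREATS = {
    "external targeted attack": dict(likelihood_of_success=0.8, loss_if_successful=0.9,
                                     cost_to_protect=0.6, cost_to_recover=0.7),
    "internal abuse": dict(likelihood_of_success=0.5, loss_if_successful=0.7,
                           cost_to_protect=0.4, cost_to_recover=0.5),
    "natural disaster": dict(likelihood_of_success=0.1, loss_if_successful=1.0,
                             cost_to_protect=0.8, cost_to_recover=0.9),
}


def check_weights(weights):
    """Reject weight sets that would distort the ranking."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every weight must be positive")
    total = sum(weights.values())
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        raise ValueError(f"weights sum to {total:.3f}, expected 1.0")


def weighted_score(scores, weights):
    """Sum of weight * score over all criteria, for one asset or threat."""
    if set(scores) != set(weights):
        # A missing or unweighted criterion would silently skew the result.
        raise ValueError(f"criteria mismatch: {sorted(set(scores) ^ set(weights))}")
    for criterion, value in scores.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{criterion} score {value} is outside 0-1")
    return round(sum(weights[c] * scores[c] for c in weights), 4)


def rank(items, weights):
    """Return (name, weighted score) pairs, highest priority first."""
    check_weights(weights)
    rows = [(name, weighted_score(scores, weights)) for name, scores in items.items()]
    # Ties are broken by name so the ordering is reproducible.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def worksheet(items, weights):
    """Render the ranking as a plain-text worksheet."""
    ranked = rank(items, weights)
    col = max(len(name) for name, _ in ranked) + 2
    lines = [f"{'rank':<6}{'item':<{col}}weighted score"]
    for position, (name, score) in enumerate(ranked, start=1):
        lines.append(f"{position:<6}{name:<{col}}{score:.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(worksheet(ASSETS, ASSET_WEIGHTS))
    print()
    print(worksheet(THREATS, THREAT_WEIGHTS))
```

The two ranked lists this produces are the inputs that the TVA worksheet later combines.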
Vulnerability assessment - a systematic process for identifying, classifying, and prioritizing weaknesses in your info systems, networks, and applications - here are the key steps: - identify assets - list all valuable or sensitive systems, applications, and data within the organization - identify vulnerabilities - use scanners, tools, and manual testing to discover security weaknesses in these identified assets - classify vulnerabilities - Categorize the vulnerabilities based on their severity and how easily the vulnerabilities can be exploited - prioritize vulnerabilities - remediation - develop and implement corrective actions to mitigate or eliminate the identified vulnerabilities - reporting and documentation - benefits of vulnerability assessment - Proactive RM - improved security posture - compliance requirements - reduced risk of data breaches L. Types of vulnerability assessments (not a one-time thing, but continuous) - network vulnerability scanning - scan the network devices like routers, switches, firewalls for known security weaknesses - web app vulnerability scanning - Identify security flaws and weaknesses specifically within the applications like websites - host-based vulnerability scanning - scan individual computers on servers or hosts for vulnerabilities in their OSes and installed software - internal penetration testing - simulate real-world attack scenarios from within the network to identify any exploitable vulnerabilities and assess their potential impact - Integrating vulnerability assessments with other security practices like threat intelligence and RM M. 
Mapping vulnerabilities to assets - once an organization has identified and prioritized its info assets and the threats it faces, it compares (maps) each info asset to relevant threats - this review process helps create a list of vulnerabilities that remain potential risks to the organization - you should create a list for each info asset, documenting its susceptibility to every possible or likely attack - steps - list in a table the most critical info assets - list the likely threats for each critical asset - list the vulnerabilities for each critical asset that can be exploited by that critical threat N. TVA worksheet - at the end of the risk identification process, an organization should have: - a prioritized list of assets and their vulnerabilities, and - a prioritized list of threats facing the organization - these prioritized lists of assets and threats can then be combined into a threats-vulnerabilities-assets (TVA) worksheet Module 3: analyzing and measuring risk exposure- part 1 A. Introduction - a risk assessment must go beyond simply listing worst-case scenarios - Only listing the worst-case scenario isn’t recommended because it wouldn’t constitute a comprehensive and efficient risk assessment - three examples of worst-case cyberattacks: - massive ransomware attack on the core infrastructure - nation-state sponsored cyber espionage and IP theft - catastrophic supply chain attacks leading to wide-scale system - limitations of limiting the risk assessment to only listing the worst-case cyberattacks - impracticality - missed priorities: can divert our attention away from more probable, more impactful threats, which leads to misallocation of our available resources and ineffective security measures - unrealistic scope - as a risk analyst, your role is to inform the organization about its most significant risk exposures and guide the prioritization of mitigation efforts - risk analyst: identifying, assessing, and mitigating potential cybersecurity risks - 
identifying potential threats and vulnerabilities - analyzing security incidents and breaches to understand their impact - conducting comprehensive risk assessments to evaluate the likelihood and potential impact of the identified threats - determining the severity or impact of vulnerabilities - prioritizing risks based on their potential consequences - recommending and implementing appropriate security controls to mitigate the identified risks - risk exposure = likelihood of threats x potential impact - risk exposure is the combined likelihood of a security threat happening and the potential impact it could have on the organization - example: - a highly probable (0.9), low-impact (0.3) threat - risk exposure = likelihood of threat x potential impact = 0.9 x 0.3 = 0.27 - low [0-0.33], moderate [0.34-0.67], high [0.68-1] - you need to decompose each risk into its core components and accurately evaluate the overall level of exposure B. Risk assessment finding (risk components) - consider the following risk assessment finding: “network administrators use Telnet to manage network devices, and their passwords never expire.” - This sentence isn’t a correct risk description; it is only a finding - Can identify a few vulnerabilities from this finding - unencrypted communication - Telnet transmits the data in plaintext, including the login credentials - Weak authentication - using static passwords that never expire - someone can perform any type of cracking, like a brute force attack, to discover your passwords since they never expire - lack of secure alternatives - SSH - SFTP - HTTPS-based web interface - noncompliance with security standards C. Risk components (cont.) - as the security manager who identified the previous finding, how would you break down the scenario into risk components? - what is described in the previous statement is certainly a finding, but does it accurately describe the risk? D. 
Dissecting a risk statement - from a well-written risk statement, you should be able to clearly answer the following questions: - who is the threat actor we’re concerned about? - why does the vulnerability lead to risk exposure? - what is the potential impact on the organization if the threat occurs? - “Network administrators use telnet to manage network devices, and their passwords never expire” - who is the threat actor we’re concerned about? - the threat actor is NOT mentioned in this sentence - why does the vulnerability lead to risk exposure? - the vulnerabilities are clearly stated - what is the potential impact on the organization if the threat occurs? - the potential impact is NOT mentioned in this sentence E. Main risk components - likelihood: the probability that a threat will occur - impact: the potential consequences if the threat occurs - sensitivity: the criticality or confidentiality level of the affected assets - vulnerability: the weaknesses that may be exploited by a threat F. Likelihood - represents the probability of a threat occurring. It includes the: - probability of a successful exploit - need to estimate the probability of a successful exploit - refers to how likely it is that a specific weakness in a system will be successfully targeted and taken advantage of by a threat agent - frequency of the exploit - indicates how often a particular threat is expected to happen, or to be attempted against a system or organization over a given period G. 
example 1: web server vulnerability exploited via SQL injection - vulnerability: an unpatched SQL injection vulnerability exists in a web server - probability of successful exploit: this vulnerability is widely known and has publicly available exploit code; the probability of successful exploit is high (0.9) - frequency of exploit: based on security reports, similar SQL injection vulnerabilities are exploited frequently, suggesting a high (1) frequency of exploit - overall likelihood: combining these, the overall likelihood of this specific exploit occurring is high - overall likelihood = probability of a successful exploit x frequency of the exploit - 0.9 x 1 =0.9 (high) - low [0-0.33], moderate [0.34-0.67], high [0.68-1] H. Example 2: phishing attack targeting internal employees - Discuss the - vulnerability - employees didn’t receive adequate training on phishing attacks making them susceptible to clicking malicious links or attachments - probability of successful exploit: moderate (0.6) - frequency of exploit: high (0.9) - overall likelihood = 0.6 x 0.9 = 0.54 [moderate] I. Impact - represents the potential consequences (= impact = severity: financial loss + reputational damage + legal consequences) of a successful threat exploitation: - it is a measure of the degree of damage or how universal the exploit is. 
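The likelihood and exposure arithmetic from the examples above, combined with the three questions a risk statement must answer, as a small risk register in Python. This is an added example, not part of the original notes; the impact scores and the threat-actor and impact wording are constructed, and rounding to two decimals before banding is an assumption made because the stated bands leave gaps such as 0.335.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def band(value: float) -> str:
    """Map a 0-1 value to low [0-0.33], moderate [0.34-0.67], high [0.68-1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{value} is outside 0-1")
    # Assumption: round to the two decimals the bands are stated in, so that
    # floating-point noise and in-between values always land in one band.
    rounded = round(value, 2)
    if rounded <= 0.33:
        return "low"
    if rounded <= 0.67:
        return "moderate"
    return "high"


@dataclass
class Risk:
    name: str
    threat_actor: Optional[str] = None        # who is the threat actor?
    vulnerability: Optional[str] = None       # why is there exposure?
    impact_description: Optional[str] = None  # what happens to the organization?
    p_exploit: Optional[float] = None         # probability of a successful exploit
    frequency: Optional[float] = None         # frequency of the exploit
    impact: Optional[float] = None            # potential impact, 0-1

    def missing_components(self) -> List[str]:
        """Components a well-written risk statement needs but this one lacks."""
        checks = [("threat actor", self.threat_actor),
                  ("vulnerability", self.vulnerability),
                  ("impact", self.impact_description)]
        return [label for label, value in checks if not value]

    def is_scored(self) -> bool:
        return None not in (self.p_exploit, self.frequency, self.impact)

    def likelihood(self) -> float:
        """Overall likelihood = probability of successful exploit x frequency."""
        for value in (self.p_exploit, self.frequency):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {value} is outside 0-1")
        return round(self.p_exploit * self.frequency, 2)

    def exposure(self) -> float:
        """Risk exposure = likelihood x potential impact."""
        if not 0.0 <= self.impact <= 1.0:
            raise ValueError(f"{self.name}: impact {self.impact} is outside 0-1")
        self.likelihood()  # validates the two likelihood inputs
        return round(self.p_exploit * self.frequency * self.impact, 2)


# Register built from the notes' finding and two examples; fields marked
# "constructed" are not in the notes.
REGISTER = [
    Risk("telnet management",  # the bare finding: no threat actor, no impact
         vulnerability="Telnet sends credentials in plaintext; passwords never expire"),
    Risk("sql injection on web server",
         threat_actor="external attacker using public exploit code",   # constructed
         vulnerability="unpatched SQL injection vulnerability in a web server",
         impact_description="unauthorized disclosure of customer data",  # constructed
         p_exploit=0.9, frequency=1.0, impact=0.8),                    # impact constructed
    Risk("phishing of internal employees",
         threat_actor="phishing sender",                               # constructed
         vulnerability="employees lack adequate phishing training",
         impact_description="compromised employee credentials",        # constructed
         p_exploit=0.6, frequency=0.9, impact=0.5),                    # impact constructed
]


def triage(register: List[Risk]) -> Tuple[list, list]:
    """Split a register into scored risks (highest exposure first) and
    findings that cannot be scored yet, with the reason for each."""
    scored, rejected = [], []
    for risk in register:
        gaps = risk.missing_components()
        if not risk.is_scored():
            gaps.append("scores")
        if gaps:
            rejected.append((risk.name, gaps))
        else:
            scored.append((risk.name, risk.likelihood(), risk.exposure(),
                           band(risk.exposure())))
    scored.sort(key=lambda row: -row[2])
    return scored, rejected


if __name__ == "__main__":
    scored, rejected = triage(REGISTER)
    for name, likelihood, exposure, level in scored:
        print(f"{name}: likelihood {likelihood} ({band(likelihood)}), "
              f"exposure {exposure} ({level})")
    for name, gaps in rejected:
        print(f"{name}: finding only, missing {', '.join(gaps)}")
```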
- discuss high impact - financial impact - Disruption of critical financial services leading to major economic loss - significant ransomware attack - reputational damage - Public exposure of sensitive data, leading to loss of trust and the brand image - major news coverage highlighting security vulnerabilities - regulatory fines and penalties for data breaches - operational disruptions - complete outage of critical systems leading to loss of productivity and revenue - widespread data loss or corruption - discuss low impact - limited financial loss - minor theft of non-critical data resulting in minimal financial impact - non-essential systems with limited financial consequences - Minimal reputational damage - minor data exposure with limited public awareness or impact - internal security incident not publicly disclosed and no regulatory fines/penalties incurred - localized operational disruption - short lived of minor systems with minimal impact on the overall operations - loss of non-critical data easily restored from backup - discuss universality of exploit - widespread exploit - affects a large number of organizations and systems globally - exploits a major vulnerability in a widely used software or hardware device - requires widespread patching or mitigation efforts across different industries - targeted exploit - won’t affect a specific organization or industry sector, but exploits a vulnerability in a specific software or hardware used by limitless number of entities - required targeted mitigation efforts for the specific systems or configurations J. 
Sensitivity - refers to the criticality of the asset being threatened, often related to legal, financial, or reputational impacts - high sensitivity example - customer financial data: any breach of customer financial data could lead to financial loss, identity theft, and legal impacts for the organization - medical records - unauthorized access to medical records could violate patient privacy, violate the laws, damage trust, and harm individual health - trade secrets or IP - any disclosure of trade secrets or IP could give the competitor an unfair advantage, causing significant financial loss - government classified info - A leak could threaten the national security and have international consequences - moderate sensitivity example - Employee data - any breach of employee data could expose personal info leading to embarrassment, discrimination, or identity theft - company internal documents - any leak could reveal operational plans, strategies, or competitive advantage, thus impacting the market position of that company - marketing campaigns or upcoming product launches - could disrupt the marketing efforts and give competitors an advantage - low sensitivity example - Publicly available info - non-critical system backups - public website content K. Vulnerability - represents the weaknesses in an asset or system that can be exploited by a threat: - understanding vulnerabilities helps prioritize risks - even a highly impactful threat is manageable if no vulnerabilities exist in a system - focuses mitigation efforts - knowing specific vulnerabilities helps us select appropriate security controls and measures - provides context for likelihood and impact - the vulnerability severity can further assess the likelihood of a successful exploitation and the potential consequences L. Understanding risk: types and control concepts - inherent risk: the level of risk present before any security control or countermeasures are implemented - Aka. 
The raw risk - compensating controls: alternative or supplementary controls implemented to reduce risk when primary controls are not feasible or ineffective - residual risk: the amount of risk that remains even after all planned and implemented security controls have been applied M. Assessing impact: what are the consequences? - your risk description should clearly address the potential impact of a successful exploit - organizational losses: what specific assets/values would be compromised - business continuity: could the organization cease operations or face existential threats - recovery capability: how difficult and time consuming it would be for the organization to recover from the incident - regulatory and ethical obligations: would the organization be legally or ethically required to notify the affected parties N. The domino effect of unauthorized info disclosure - example: unauthorized disclosure of info - losses - reputational damage - loss of customer trust - potential lawsuit and regulatory fines - going out of business - depends on the severity and sensitivity of the data disclosed, customer base, and industry regulations - recovery - depends on the extent of the data leak, type of data, and its criticality for customers - recovery period depends on - the severity of the attack - industry type - data sensitivity - IR readiness - customer notification and remediation - customer notification - depends on the specific type of data and the applicable regulations O. 
How to describe a risk - as a result of <issue>, <consequences> may occur, which would lead to/cause/require <effect> - Example 1: as a result of a DDoS, a server shutdown may occur, which would cause disruption in all intranet services - The threat actor is mentioned: DDoS - vulnerability?: not mentioned - potential impact?: clearly explained - Example 2: as a result of insecure storage of backup tapes, unauthorized disclosure of customer data may occur, which would require notification to regulators and affected clients - Vulnerability is mentioned, but the threat source is not mentioned P. Redefined risk statement template - if [issue/condition] due to [cause], then [consequence] would result in [impact]; likelihood: [high/medium/low or %]; existing controls: [control1, control2…]; residual risk: [acceptable/unacceptable]. Q. Threat examples - external mass attacks - external targeted attacks - internal - accidental damage - internal abuse - infrastructure failure - natural disaster R. Threat vs. risk - threat: a part of the risk description - to correctly describe the risk: threat, vulnerability, impact - examples: - disgruntled employee: threat - password cracking: threat - internet-facing router: asset - internet-facing server: vulnerability - clear text passwords being sent over the internet: vulnerability Module 3: analyzing and measuring risk exposure- part 2 A. Measuring risk exposure: art vs. science? - Risk vs risk exposure - risk: the potential for damage when a threat exploits a vulnerability - risk exposure: quantified measure of that potential loss (combine the likelihood + potential impact) - two approaches to measure and analyze risk exposure - qualitative (art bc it relies on expert judgement, experience, and subjective interpretation) - Ex. The risk is low - benefits: - easier to implement and understand, subjective - quantitative (science bc it uses numerical data, statistical models, and measurable probabilities) - ex. 
The risk is 0.25 - benefits - provide more objective and measurable data B. Qualitative risk management and analysis - easy to apply - useful when historical data is limited - uses relative scales and descriptive terms - low, moderate, high - likely, unlikely - subjective but can be systematized - results may vary - to reduce this effect, use risk matrices and collaborative assessments - visual representation is possible C. Quantitative risk management and analysis - data-driven and calculation-based - quantitative methods focus on numerical estimates of risk - can use expected annual loss, probabilities - still requires interpretation and contextual understanding - relies on quality data, but can adapt - typically require accurate historical data; although statistical techniques and industry benchmarks can help fill the data gaps - scales from simple to complex models - The value of the model depends on how it fits to the specific risk scenario - can use basic risk formula: risk = threat x vulnerability x impact - can use Monte Carlo simulations D. 
Best approach to RM and analysis - the most effective strategy combines both qualitative and quantitative methods - most effective because it provides us with a balanced view - qualitative methods offer expert judgement while quantitative methods offer data-driven precision - the chosen approach should align with the organization’s context, data availability, and the required depth of analysis - the right method to implement depends on different factors like available data, organizational goals, and how detailed the analysis needs to be - Monte Carlo simulations are statistical methods that run thousands of random scenarios to predict the range and likelihood of different outcomes - ongoing review and updates of risk assessments are essential - important because it ensures relevance and accuracy - why - risk evolution over time - different risk profile - risk profile is a snapshot of the organization’s exposure to various risks E. Examples of visualizing qualitative risk data - heatmaps: use color gradients to show risk levels across threats or vulnerabilities - risk matrices: plot the likelihood and impact of threats on a grid, using qualitative terms for likelihood and impact - bar charts and histograms: display the frequency or distribution of risk scores across various assets, threats, or controls - a histogram is a graphical representation of the distribution of numerical data. It uses bars to show the frequency of data points falling within a specified range - line graphs and trend lines: monitor changes in risk levels over time to detect emerging or escalating threats F. 
Quantitative risk analysis - quantitative approaches emphasize numerical data and calculations to measure risk exposure - quantitative methods also involve making sense of the data and understanding its context - without clear definitions of sensitivity and severity, different people within the same organization might rate these two terms differently - several formulas - risk exposure = sensitivity x severity x likelihood - exposure rating = severity^2 x threat G. Basic quantitative risk example - a common formula used in quantitative risk analysis is: - annualized loss expectancy (ALE) = single loss expectancy (SLE) x average rate of occurrence (ARO) - ALE: the expectation of annual loss, which means what the company may lose in one year - SLE: how much it costs to lose one item of that resource - ARO: how many times this attack might happen? - example 1: if you expect to lose 9 laptops per year, and each costs $1,000 to replace, find ALE? - ARO: lose 9 laptops per year - SLE: each costs $1,000 to replace - ALE: 9,000 - example 2: if you lose one laptop every 3 years, find ALE? - ARO: ⅓ - ALE = SLE x ARO = 1000 x ⅓ = 333.333 - class activity 1: the ALE is estimated at $600 and the cost to replace a laptop is $200. Find how many laptops are lost this year? - ALE: 600 - SLE: 200 - ALE = SLE x ARO - 600 = 200 x ARO -> ARO = 600/200 = 3 - class activity 2: Sara expects to lose 15 laptops every 6 years, and the cost to replace a laptop is $850. Find ALE? - ARO = 15/6 = 2.5 - SLE = $850 - ALE = SLE x ARO = 850 x 2.5 = 2,125 H. 
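
The ALE exercises above, together with the Monte Carlo approach these notes mention for quantitative analysis, as an added Python example that is not part of the original notes. It assumes the number of losses per year follows a Poisson distribution with mean ARO and that every loss costs exactly SLE; the function names, trial count and seed are illustrative.

```python
import math
import random


def ale(sle, aro):
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return sle * aro


def aro_from_ale(ale_value, sle):
    """Rearranged formula used in class activity 1: ARO = ALE / SLE."""
    return ale_value / sle


def poisson(rng, lam):
    """Draw one Poisson(lam) sample with Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sle, aro, trials=20000, seed=501):
    """Simulate `trials` independent years; return each year's total loss.

    Assumption (not from the notes): yearly loss count ~ Poisson(ARO),
    and each loss costs exactly SLE.
    """
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    return [poisson(rng, aro) * sle for _ in range(trials)]


def percentile(sorted_values, q):
    """Nearest-rank style percentile on an already sorted list (0 <= q <= 1)."""
    index = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[index]


def summarize(losses):
    """Summarize the simulated distribution that ALE collapses to one number."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": sum(ordered) / n,              # converges to ALE
        "median": percentile(ordered, 0.50),   # a typical year
        "p95": percentile(ordered, 0.95),      # a bad year (1 in 20)
        "max": ordered[-1],                    # worst simulated year
        "p_zero": ordered.count(0) / n,        # share of years with no loss
    }


def worked_examples():
    """The four exercises from the notes, computed with the formulas above."""
    return {
        "example_1_ale": ale(1000, 9),           # 9 laptops/year at $1,000
        "example_2_ale": ale(1000, 1 / 3),       # 1 laptop every 3 years
        "activity_1_aro": aro_from_ale(600, 200),
        "activity_2_ale": ale(850, 15 / 6),      # 15 laptops every 6 years
    }


if __name__ == "__main__":
    for name, value in worked_examples().items():
        print(f"{name}: {value:,.2f}")

    # Class activity 2 as a distribution instead of a single number.
    stats = summarize(simulate_annual_losses(sle=850, aro=15 / 6))
    for name, value in stats.items():
        print(f"simulated {name}: {value:,.2f}")
```

The simulated mean lands on the ALE, while the median and 95th percentile show how far a typical year and a bad year sit from that average, which is the range-and-likelihood view a single ALE figure hides.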
Qualitative risk analysis - risk analysis is similar to weather forecasting - both rely on informed judgements and context - predictive nature: aims to predict future events/outcomes based on the available data and the current analysis - uncertainty: both deal with inherent uncertainty and can’t provide absolute certainty about future events - risk analysis deals with broader threats and vulnerabilities, often across the entire system or organization - can implement controls and mitigation strategies to reduce the impact of security risks - key factors to define include: - sensitivity of the resource - severity of the vulnerability - likelihood of the threat - each threat-vulnerability pair creates a unique risk profile - examples - social engineering/no SETA - trojan/no firewall - factors - threat characteristics - vulnerability characteristics - Organizational contexts - avoid assigning the same risk score to all combinations - the same vulnerability might pose a bigger risk in a high-value system than a low-value one I. Estimating severity: key questions to consider - what is the scope of impact? - full system, specific users, critical departments, etc. - how much sensitive data could be exposed? - will the breach allow data modification or only viewing? - how will this affect the organization’s reputation and brand? - could the incident trigger fines, lawsuits, or financial losses? - does it violate regulations or legal requirements? - will it disrupt critical business operations? J. Table 1: qualitative severity scale

| Level | Description |
|---|---|
| low | may be a deviation from recommended practice or an emerging standard. May lack a security governance process or activity but have no direct exposure |
| moderate | may indirectly contribute to unauthorized activity or just have no known attack vector. May result in a degradation of service and/or a noticeable decrease in service performance |
| high | may allow limited access to or control of the application, system, or communication, including all data and functionality. May result in a short disruption of service and/or DoS for part of the user community |
| critical | may allow full access to (read, write, execute) or control of the application, system, or communication, including all data and functionality. May result in a prolonged outage affecting all users of the service |

K. Defining likelihood - likelihood represents the chance that a threat will successfully exploit a vulnerability and how frequently it may occur - it depends on the following factors: - threat surface: the total points where an attacker can try to enter or attack a system - attacker motivation: reason or incentive driving an attacker to target a system - attack complexity: how difficult it is for the attacker to successfully exploit a vulnerability - existing security controls: what security measures are in place to prevent or reduce the attack L. Table 2: qualitative likelihood scale

| Level | Description |
|---|---|
| negligible | the threat source is part of a small and trusted group; controls prevent exploitation without physical access to the target; significant inside knowledge is necessary, or purely theoretical |
| low | the threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited |
| moderate | the threat source is motivated and capable, but controls are in place that may impede the successful exploitation of the vulnerability |
| high | the threat source is highly motivated and very capable, and controls to prevent the exploitation of the vulnerability are ineffective |
| very high | exposure is apparent through casual use or with publicly available info, and the weakness is accessible publicly on the internet |

M. 
Estimating likelihood: key questions to consider - what is the size of the population? - what skill level is required to exploit the vulnerability? - can the vulnerability be exploited anonymously? - how attractive is the target? N. Defining risk sensitivity - not all assets are equally critical. Their unique sensitivity must inform risk calculations - incorporating resource sensitivity provides a more accurate and detailed understanding of true risk exposure - how to integrate sensitivity (qualitative assessment) - embed sensitivity directly into the definition of severity - evolve the traditional likelihood-severity matrix to include a third dimension: sensitivity Module 4: risk control and management strategies- part 1 A. Intro - ensuring a safe environment for business operations is crucial - can create a safe environment by using a multi-layered approach - implementing a comprehensive infosec program - multilayered approach - one layer: risk management - second layer: security controls - technical: firewalls - physical: cameras - administrative: policies - third layer: security awareness and training (SETA) - need to educate employees in security best practices to minimize human error - fourth layer: BCP (business continuity plan) - outlines how to resume critical business operations after a disruptive event - fifth layer: DRP (disaster recovery plan) - focuses on restoring the IT systems and data in the case of any disaster - sixth layer: physical access controls - restricts access to the sensitive areas and equipment - seventh layer: clear policies and procedures - to guide employee behavior in handling sensitive info and systems - eighth layer: IRP - to identify, contain, and remediate any security incident - ninth layer: evaluate the security posture of the third-party vendors and partners - infosec goes beyond simply keeping up with competition - competition: good (ethical hackers) vs. 
bad (hackers) - competing to find the vulnerability first - Effective infosec protects assets from threat, compromise, and info disclosure - security breaches can lead to system downtime, loss of productivity, and sometimes disruption of the critical business operations - infosec prioritizes the protection of an organization’s sensitive data by maintaining its CIA - the previous objectives are achieved through the implementation of a comprehensive risk management framework - objectives?: protecting at least the CIA of the sensitive data and critical assets - a comprehensive risk management framework is a structured approach that guides organizations in achieving their objectives - the framework needs to be actively implemented, meaning a robust and well-defined risk management framework is very important for proactively identifying, analyzing, and prioritizing security risks - understanding and formulating effective risk mitigation strategies are essential components of this framework - understanding the risk - identifying potential threats to our organization, data systems, and operations - need to assess the likelihood and potential impact of these threats - Prioritize risks and allocate resources effectively - formulating effective risk mitigation strategies - need to develop and implement plans to reduce the likelihood or the impact of the identified risks - Formulating effective risk mitigation strategies involves considering different factors - cost: need to balance the cost of the implementation and maintenance of that security control with the potential loss - effectiveness: need to choose a risk control strategy that clearly reduces the risk or its impact - feasibility: need to ensure that the chosen risk control strategy is practical and implementable within our organization B. 
Risk control strategies - depending on the risk appetite, budget, and resources, we can select the suitable risk control strategy(ies) - organizations can address risks using primary strategies - defense: implement safeguards to eliminate or significantly reduce uncontrolled risks - applying security controls to reduce the risk - transference: shift the risk burden to another party or area - mitigation: reduce the potential impact if a risk event occurs - acceptance: acknowledge and understand the consequences of not controlling a specific risk - termination: eliminate the risk by removing or discontinuing the associated asset or activity C. Defense risk control strategy - it aims to prevent the exploitation of vulnerabilities - this strategy focuses on mitigating risks by: - countering threats - implementing security measures to actively prevent or deter potential threats from causing harm - removing vulnerabilities - taking steps to eliminate weaknesses in assets that could be exploited by threats - limiting access - restrict access to sensitive information and sensitive resources to authorized users only - adding protective safeguards - implements security controls to strengthen defense - defense = risk prevention - common methods of risk defense are: - training and education - technical controls - utilize security software, hardware, and network configurations to protect the digital assets and our infrastructure - physical controls - management controls - want to establish and enforce organizational policies D. 
Transference risk control strategy - it aims to shift the financial impact, not necessarily the entire risk, to another entity - doesn’t necessarily eliminate the risk itself; however, it reduces the financial consequences the organization would face if the risk happened - this can be achieved through outsourcing specific functions, purchasing cyber insurance, or entering service contracts with specialized providers - outsourcing: transferring specific security functions or operations to a third-party organization with the specialized expertise and resources - purchasing cyber insurance: purchasing insurance policies that provide financial compensation for losses incurred after a cyberattack, data breach, or other security incident - entering service contracts with specialized providers - could involve managed security services from providers responsible for ongoing security monitoring and incident response or cloud security services for data protection in cloud environments - while the financial impact is transferred, the underlying risk still exists - the organization remains responsible for managing the overall security posture and ensuring the effectiveness of their chosen transference methods - benefits? - reduce financial losses - access to expertise - cost-effective solution - drawbacks? 
- loss of control - by relying on an external entity, the organization hands over some level of control over its security operations to this third party - vendor dependence - the effectiveness of the transferred risk depends on the chosen vendor’s capabilities and service quality - potential hidden costs - depending on the contract and service type, outsourcing might not always be the most cost-effective option in the long run - while a lack of security expertise can be a factor, organizations also consider: - cost-efficiency - the total cost of ownership (TCO): includes service fees, potential hidden costs, and the potential impact on the security posture - scalability - security needs within a company can fluctuate depending on industry regulations, company growth, and emerging threats - access to specialized skills - when deciding to outsource security functions E. Service level agreements (SLAs) for risk transfer - SLA: a contract that defines the level of service expected by a customer from a supplier - while an SLA is crucial for managing transferred risk, it is part of a broader strategy - to create an effective SLA for risk tolerance, focus on these 4 key steps: - defining clear objectives - involves outlining the specific security goals intended to be achieved through this service agreement - specifying detailed security requirements - outline the specific security controls, services, and performance expectations from the external provider - establishing measurable metrics - define quantifiable metrics to assess the effectiveness of the security measures implemented by the third party or by the service provider to ensure they meet the agreed upon requirements - ensuring clear accountability - clearly defining the responsibilities of both parties, including reporting mechanisms, escalation procedures, and consequences for noncompliance - additional considerations for successful risk transference - thorough due diligence - carefully evaluate the security 
posture and capabilities of the external provider before entering into a service agreement - continuous monitoring - regularly monitoring the provider performance and adherence to the agreed upon security measures - IRPs - establish a clear IRP for responding to each security incident that may happen despite this transference strategy F. Mitigation risk control strategy - it aims to reduce the likelihood and impact of security incidents - this proactive approach involves - implementing security controls - controls-firewall, IDS, encryption- aim to prevent or make it more difficult for the attackers to succeed - Developing and maintaining IRP - Outlines the steps and procedures to be taken when a security incident occurred ensuring an efficient and coordinated response to minimize the damage - DRP - addresses large-scale disruptions that may or may not be security related - focus: quickly restoring critical business functions - BCP - provide broader framework for ensuring continuity of critical business operations during any type of disruption - regular vulnerability assessments and penetration testing - the mitigation risk control strategy doesn’t focus only on detection and response but prevention and preparedness to minimize the overall risk of security incidents too G. 
IRP- generalized structure and key elements - preparation - team formation - create/form an incident response team with clearly defined roles and responsibilities for each member - communication plan - establish procedures for internal and external communication during an incident, including notifying relevant stakeholders and authorities - documentation - develop and maintain documentation outlining the incident response process - training - regularly train the IR team on the IRP - detection and analysis - security monitoring - continuously monitor systems and networks for suspicious activities using security tools - incident identification - define clear criteria for identifying potential security incidents - initial containment - implement initial steps to contain the incidents - incident analysis - investigate the incident to determine the scope, the root cause, and the potential impact on the organization - response and recovery - eradication - implement actions to remove the threat and prevent further compromise - may involve patching vulnerabilities, removing malware, or reset compromised account(s) - recovery - restore the affected systems and data to their normal state using backups and recovery procedures - lessons learned - conduct a post-incident review to identify areas for improvement and update the IR as needed - IRP: additional considerations - legal and regulatory requirements - ensure compliance with relevant laws and regulations regarding data breach notification and reporting - third-party relationships - establish clear communication and responsive protocols with external vendors and service providers in case of an incident - testing and exercising - regularly test the IRP through simulations and exercises to ensure it remains effective H. 
Acceptance risk control strategy - this strategy involves an organization acknowledging a potential threat and its consequences, then deciding not to implement further controls - while unconscious acceptance (ignoring risks) is not recommended, conscious acceptance can be a valid strategy in specific situations - specific situations: - low likelihood and impact - when the risk has a very low probability of happening, and even have minimal potential consequences - cost of implementing security controls outweighs the benefit - intangible assets - implementing specific security controls might be impractical or ineffective, making acceptance a more suitable option - limited resources - acceptance should be a deliberate and informed security decision based on thorough risk assessment - even when you accept the risk, risks should be monitored and reviewed periodically to ensure their continued low priority status - organizations need to balance risk acceptance with their overall security posture and risk tolerance - the acceptance risk control strategy can be valid if a thorough risk assessment shows: - the cost of controls outweighs potential losses - the cost of implementing and maintaining security controls exceed the potential financial losses from the identified risk - involves CBA to compare the costs and benefits of different control options - the risk is inherent and cannot be fully eliminated - the benefits of accepting the risk outweighs the cost of controlling it - always conduct a comprehensive risk assessment before accepting a risk - includes identifying and prioritizing info assets, assessing the likelihood and potential impact of threats to these assets, evaluating the feasibility and effectiveness of different security control options, and performing detailed CBA to compare the costs of security controls with the potential losses from the risk I. 
Termination risk control strategy - this strategy involves eliminating the vulnerability or the asset itself, thereby removing it from the attack surface - this decision is often made when: - the cost of protecting the asset outweighs its value or criticality - the asset is inherently difficult or impractical to secure - the organization no longer needs the asset for business operations - eliminating the asset reduces the overall attack surface and associated risks - important to evaluate the consequences of termination before implementing this strategy because - termination might impact business processes that rely on the eliminated risk - may lead to data loss if the asset contains critical info - may require alternative solutions to fulfill the functions previously provided by the eliminated asset J. Pros and cons of risk control strategies

| Strategy | Pros | Cons |
|---|---|---|
| defense | proactive approach, prevents incidents | can be expensive and complex to implement |
| transferal | shifts financial risk to another entity (i.e., insurance) | relies on external provider’s effectiveness, may not transfer all risk |
| mitigation | reduces impact of an incident if it occurs | may not eliminate risk, requires ongoing effort |
| acceptance | lowest cost option, may be suitable for low-impact risks | exposes the organization to potential losses, requires careful consideration |
| termination | eliminates the activity or asset creating the risk | may significantly impact business operations, should be a last resort |

K. 
Managing risk - risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives - risk tolerance is the specific amount of deviation allowed from the established risk appetite - can vary depending on the specific risk being considered and the potential impact on the organization - this involves balancing the costs of security measures and potential losses from security incidents against the desired level of accessibility and functionality for users and systems - residual risk is the amount of risk that remains after an organization has implemented various risk control strategies - a company implements a strong password policy requiring employees to use complex passwords and change them regularly - identify the implemented risk control strategies? - policy - education - technical controls - estimate the residual risk? - SE attacks - malware keyloggers - physical access - the main goal of infosec is to manage and reduce risk to a level acceptable to the organization - achieving a balance between security controls and operational needs, allowing the organization to function effectively while protecting its valuable info assets - once appropriate safeguards are in place and stakeholders are informed of any remaining (residual) risks, if decision-makers choose to accept these residual risks, the infosec program has fulfilled its duty by providing a risk-based approach to security L. 
Residual risk - amount of threat reduced by a safeguard - refers to the decrease in the likelihood or severity of a threat due to the implementation of a specific safeguard - amount of vulnerability reduced by a safeguard - refers to the decrease in the potential impact of a specific vulnerability if it is exploited due to the implementation of specific safeguard - amount of asset value reduced by a safeguard - Refers to the potential decrease in the value of an asset due to the implementation of a safeguard - is a negative aspect to consider as it can impact user experience or functionality - residual risk is the risk that has been covered by one of the safeguards - the remaining risk that exists even after implementing safeguards - residual risk arises due to the limitations of the existing security controls and the dynamic nature of threats and vulnerabilities - it’s important to balance the positive impacts of safeguards (reducing threats, vulnerabilities, and risks) with their potential negative impacts (reducing asset value, user experience) when making a security decision M. 
Rules of thumb for selecting a risk control strategy - prioritize controls for critical assets - when a vulnerability exists in a critical asset, prioritize implementing security controls to reduce the likelihood of exploitation - emphasizes the importance of focusing resources on protecting your most valuable assets - implement a layered defense for comprehensive protection - recommended to apply a layered protection system using a combination of technical, architectural, and administrative controls - creates a defense-in-depth strategy, making it harder for the attacker to succeed - deterrence and cost considerations - the attacker’s gain shouldn’t be the sole factor; consider increasing the attacker’s cost of attack - cost of attack: time, financial cost - consider increasing the attacker’s cost of attack or reducing their potential gain - can reduce their potential gain through technical or managerial controls when it is feasible and cost effective - note: a comprehensive risk assessment and CBA are crucial for choosing the most appropriate risk control strategies for your organization Module 4: risk control and management strategies- part 2 A. Risk handling action steps - threat source: could be an attacker, natural disaster, system malfunction, or human error - understanding the threat source helps us focus our risk mitigation strategies - asset assessment: involves identifying and evaluating the critical info systems, data, and resources in our organization - we consider the value of each asset through its main characteristic: CIA - is the asset vulnerable?: determine if the identified asset has a weakness that can be exploited by a threat source - yes - vulnerabilities: software bugs, misconfigurations, weak passwords, or lack of access controls - No - no risk - If the answer to the previous question is yes… is the asset exploitable? 
- even if an asset is vulnerable, it is important to assess if the attacker has the capability to exploit it - need to analyze the attacker’s skills, resources, and tools to see if the attacker can successfully take advantage of the identified vulnerability - if the answer is no, no risk - if answer is yes, there’s a vulnerability - if the answers to the previous two questions are yes… risk of loss exists - determine if there is a realistic possibility of loss taking place due to the threat source exploiting the vulnerability of the vulnerable asset - if the answers to the previous questions are yes + risk of loss exists, is the attacker’s gain more than the attack cost? - If no, the risk can be accepted - if yes, is the loss too big for the organization? - if no, risk can be accepted - if yes, it is too risky- needs more control or must be removed B. Risk management - after selecting and implementing risk control strategies, security controls should be continuously monitored and measured to assess their effectiveness - after implementing security controls to address the identified risks, it is essential to continuously monitor and measure their effectiveness to ensure that the security controls are working as expected and identify any potential weaknesses or a need for adjustment - continuous monitoring - identifying control failures: early detection of a control failure allows for prompt corrective action to mitigate the risk before the risk can be exploited - evaluating control effectiveness: measuring the effectiveness of these security controls allows for adjustment and improvement to the controls over time as threats and vulnerabilities evolve - Maintaining an updated risk profile: by understanding the effectiveness of the implemented security controls, the organization can maintain a realistic understanding of the residual risk - each info asset-threat pair identified in the initial risk assessment should have a documented risk control strategy outlining any remaining risk after 
implementing the chosen strategy - Each info asset-threat pair identified in the initial risk assessment should have a documented risk control strategy - Documenting residual risk: should clearly outline the residual risk that remains after implementing the chosen risk control strategy - transparency and accountability: clear understanding of the remaining risk level associated with each asset - prioritization: allows the organization to prioritize the mitigation efforts based on the severity of the residual risk - communication and awareness: clear documentation facilitates communication and awareness of the risk across different teams within the organization C. Risk control cycle - identify info assets: involves identifying all critical info assets within the organization - prepare a ranked threat-vulnerability asset worksheet - once critical assets are identified, potential vulnerabilities associated with each asset are documented - a ranked vulnerability risk worksheet helps prioritize these vulnerabilities based on factors: - likelihood/probability of exploit - potential impact on the asset - the ease of exploitation - develop risk control strategies and plan - based on the identified vulnerabilities and their ranking, a plan is developed outlining suitable risk control strategies to mitigate these identified risks - implement security controls - put the plan into action using security controls - software configuration changes, policy implementation, or deploying security technologies - assess the security controls’ effectiveness - after implementation of security controls, their effectiveness needs to be evaluated - may involve testing the security controls to ensure they’re functioning as intended and identifying any gaps or weaknesses - are the security controls effective?
- If no, need to go back and develop risk control strategies and plan - if yes, the security controls are effective in mitigating the risk - if answer to previous question is yes, plan for maintenance - a plan needs to be established for ongoing maintenance of the security controls - regular updates, patching of vulnerabilities, user training and awareness - Measure risk to info assets - after implementation and maintenance, the overall risk to the info asset is re-evaluated to determine if the implemented security controls have successfully reduced the risk to the acceptable level - acceptable risk?: whether the remaining risk associated with that info asset is within the acceptable range for the organization - if no (the risk remains unacceptable), go back and develop risk control strategies and plan - if yes, keep measuring the risk to info asset D. Standard approaches to risk management - OCTAVE (operationally critical threat, asset, and vulnerability evaluation) - Developed by the US CERT (computer emergency response team) - focuses on protecting the critical infrastructure by evaluating organizational threats and vulnerabilities - identify critical assets, assess operational threats and vulnerabilities, and develop risk mitigation strategies - is tailored for organizational self-assessment and prioritizing operational risks - ISO/IEC 27005: infosec RM - published by the ISO (international organization for standardization) - focuses on supporting the implementation of ISO 27001 - focuses on risk identification, assessment, treatment, and monitoring - provides a structured, repeatable and internationally recognized process - NIST RM framework (RMF) - published by NIST (national institute of standards and technology) - focuses on managing the risk for info sys across government and the private sectors - includes categorize, select, implement, assess, authorize, and monitor - highly flexible and scalable for
various sys types and organizational sizes - Microsoft security development lifecycle (SDL) - focuses on integrating security throughout the software development lifecycle - works by embedding security practices in the design, implementation, testing, and release cycles - encourages early vulnerability detection - provides a proactive security integration within the development lifecycle - FAIR (factor analysis of info risk) - developed by Jack A. Jones - is a quantitative framework for analyzing and managing info risk - Focuses on quantitative risk analysis with financial impact estimation - uses standardized factors like threat event frequency, vulnerability, and loss magnitude - supports CBA E. Feasibility and CBA - before deciding, it’s crucial to conduct a thorough investigation of the vulnerability and its potential consequences, including both financial and non-financial impacts and the likelihood of an exploit - Thorough investigation of the vulnerability - conducting a thorough investigation of vulnerabilities involves understanding different aspects - technical details: need to analyze the technical nature of the vulnerability, including how it can be exploited and the potential attack vectors - potential consequences: evaluate the potential financial and non-financial impact of a successful exploit - likelihood of exploit: Need to assess the probability of the vulnerability being exploited by attackers - compare the advantages and disadvantages - this involves weighing the benefits of implementing a control against the costs and the effectiveness of the control in mitigating the specific risk - perform CBA on the proposed risk control strategy - benefits - reduced impact - improved compliance - enhanced security posture - disadvantages - costs - initial setup costs - ongoing maintenance expenses - potential training requirements - operational impact - may affect user workflow or require additional administrative overhead - effectiveness - cost avoidance is one
benefit of implementing a control, but it should be considered alongside other potential benefits and the overall cost-effectiveness of the strategy compared to alternative options - Overall cost-effectiveness - Cost avoidance: the potential financial savings from implementing a security control that prevents an attack and its associated financial costs - Beyond cost avoidance: should consider other potential benefits alongside cost avoidance when you make a security decision - overall cost-effectiveness: involves comparing benefits and drawbacks against the total cost of implementation and maintenance F. CBA in infosec - economic feasibility is one part of a full CBA - economic feasibility focuses on whether the cost is reasonable compared to the expected financial benefits - CBA is a broader evaluation including economic feasibility and also security effectiveness, compliance, operational impact, and technical feasibility - while economic feasibility is essential, effective evaluation of infosec projects requires a multi-dimensional CBA that balances cost, risk reduction, and organizational impact: - economic feasibility: assesses the implementation and maintenance cost against the financial benefits of avoiding security incidents - return on investment (ROI) - measures the financial efficiency of the security control - how much benefit is gained per dollar spent?
- security effectiveness - Evaluate how well the security control reduces or eliminates the targeted risk - should be aligned with the threat likelihood and impact severity - not all high-cost security controls offer proportional risk reduction - operational impact - analyze the security control’s effect on the workflow efficiency, user experience, and business continuity - security measures implemented shouldn’t disrupt critical operations unless justified - compliance requirements - determine whether security controls support regulatory, legal, or industry compliance - sometimes mandatory security controls may offer limited return on investment but aren’t negotiable - technical feasibility - assess whether the security control is practical to deploy given the organization G. Balancing the cost and value of infosec - cost of safeguards: calculating total costs can be complex, consider both initial and ongoing expenditures: - hardware, software, and services - are upfront costs for purchasing/developing security technologies and tools - training costs - are expenses for educating staff on security policies, tools, and awareness programs - implementation - resource allocation for installing and configuring the security controls, both internal and external labor - service fees - recurring costs for cloud security, managed services, or third party vendors - maintenance and upgrades - long term costs for patching, support, performance tuning, and hardware replacement - value of infosec: the return isn’t always directly measurable but is critical to business continuity and trust - financial value - protect sensitive assets like intellectual property, financial records, and customer DBs from costly breaches - operational value - ensuring uninterrupted access to systems and data is essential for daily business operations - reputational value - preserve trust, brand image, and market position by preventing high profile breaches H.
Benefit - the benefit of a control lies in its ability to reduce or prevent losses from a specific vulnerability, not just in protecting the value of the asset itself. - how to estimate the benefit: - severity of impact - involves analyzing the potential consequences of a successful exploit such as financial losses, operational disruption, legal costs, and reputational damage - likelihood of exploit - involves assessing the probability of an attacker successfully exploiting the vulnerability - need to consider factors like difficulty of exploitation and attacker motivation - use annualized loss expectancy (ALE) as a rough indicator of the potential benefit I. Asset valuation in infosec - the process of identifying and assessing the value of info assets across multiple dimensions - financial - operational - reputational - asset value can vary widely across organizations and contexts - industry: different industries may place varying levels of importance on specific types of info - business needs: the specific use and function of the info within the organization impacts its value - legal and regulatory requirements - a thorough valuation goes beyond fixed lists, considering both tangible and intangible impacts - these may include direct costs, indirect costs, intangible costs - we compare the total cost of protection against the potential loss if no security controls are implemented and the attack occurs J.
Asset Valuation Components - direct costs: the cost of creating, acquiring, maintaining, and securing the info asset - indirect costs: this encompasses potential losses due to: - business disruption: temporary or prolonged inability to access or use the critical info asset - reputational damage: harm to the organization’s public image and credibility due to the security incident - legal issues: regulatory noncompliance or legal consequences arising from data breaches or mishandling of sensitive info - lost opportunities: missed business deals, partnerships, or market advantages due to system unavailability, data loss, or breach-related delays - intangible value: this includes the impact on: - employee morale: decline in staff confidence, motivation, or job satisfaction following a security incident - brand value: long term reduction in the perceived brand strength and market value due to reputational and trust-related impacts - customer trust: erosion of client confidence in the organization’s ability to protect their data K. From asset value to risk-based impact assessment - Estimating the value of assets is a valuable step, but it’s not the only factor when calculating the potential loss from a vulnerability - understanding the specific vulnerability, potential exploit, and resulting risk is crucial for accurately assessing the potential loss - why?
- limited scope: focusing only on the asset value ignores the distinctive aspect of each vulnerability - different vulnerabilities within the same asset can have varying consequences and therefore different potential losses - by focusing on vulnerabilities, specific risks, and their potential losses, the organization can prioritize these risks more effectively - allows the organization to allocate resources toward addressing the vulnerabilities with the highest potential impact rather than simply focusing on protecting the most valuable assets - while asset valuation is important, risk analysis should focus on the losses tied to specific vulnerabilities, not just the asset’s worth. - focusing only on the asset value ignores the distinctive aspect of vulnerability - understanding the specific vulnerability, potential exploit, and the resulting risk is crucial for accurately assessing the potential loss - move from valuing assets in isolation to evaluating potential loss scenarios by: - estimating impact severity - need to analyze the potential damage from a successful exploit considering both financial and non-financial losses - quantifying potential financial loss - assign a monetary value to the potential financial impact identified in the first step - assessing recovery and downtime costs - estimate the costs associated with responding to, recovering from, and mitigating the consequences of a cyberattack - calculating single loss expectancy (SLE) - use the ARO and the average cost per incident to calculate the SLE for each risk - by following these steps, the organization can gain a more accurate understanding of the potential losses associated with the specific risks - enables the organization to make informed security decisions about prioritizing security investments and implementing appropriate risk mitigation strategies L.
CBA formula - a CBA helps determine whether the expected long-term benefits of implementing a control outweigh the associated costs. It contributes significantly to the decision-making process - CBAs can be performed before and after implementing controls - pre-implementation - post-implementation M. The CBA formula - CBA plays a crucial role by helping organizations make informed decisions about security investments. It involves a comprehensive analysis that considers: - benefits: security controls reduce the risk, improve compliance, and enhance security posture - costs: acquisition/development costs, training costs, implementation cost, and ongoing maintenance costs - CBA formula - CBA = ALE (pre control) - ALE (post control) - ACS - ALE (pre control): annualized loss expectancy precontrol - the annualized loss expectancy of the risk before implementing the security control - ALE (post control) - Estimated after the security control has been in place for a period of time - ACS: annual cost of the security control - while quantitative methods, like the CBA formula, can be used to estimate the value of a security control, a complete CBA also considers: - Operational impact: the potential disruption to the workflow or business process after implementing the security control - technical feasibility: the ability to implement the security control with the current resources we have and the expertise we have - ease of use and maintainability: the usability and ongoing maintenance requirements for that security control N.
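The CBA formula above, worked through for three competing controls on one risk. This is an added example, not part of the original notes: the risk, the controls and every dollar figure and frequency are constructed, ALE is computed with the standard definition ALE = SLE x ARO, and the `mandatory` flag is a hypothetical way to model the notes' point that compliance-driven controls may have limited ROI but are not negotiable.

```python
"""Added example: CBA = ALE(pre control) - ALE(post control) - ACS."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset-vulnerability pair before a new control is applied."""
    name: str
    sle: float  # single loss expectancy: cost of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        # Standard definition: ALE = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate control and its estimated effect on the risk."""
    name: str
    post_sle: float          # estimated cost per incident with the control
    post_aro: float          # estimated incidents per year with the control
    acs: float               # annual cost of the safeguard
    mandatory: bool = False  # hypothetical flag: required for compliance

    @property
    def post_ale(self) -> float:
        return self.post_sle * self.post_aro


def cba(risk: Risk, control: Control) -> float:
    """Net annual benefit of the control, per the formula in the notes."""
    return risk.ale - control.post_ale - control.acs


def roi(risk: Risk, control: Control) -> float:
    """Net benefit gained per dollar spent on the control each year."""
    if control.acs <= 0:
        raise ValueError("ACS must be positive to compute ROI")
    return cba(risk, control) / control.acs


def decide(risk: Risk, control: Control) -> str:
    """Turn the numbers into a funding decision."""
    if control.post_ale > risk.ale:
        return "reject: control does not reduce ALE"
    if cba(risk, control) > 0:
        return "fund"
    if control.mandatory:
        return "fund (mandatory, negative CBA)"
    return "reject"


def rank_controls(risk: Risk, controls: list) -> list:
    """Return (name, CBA, ROI, decision) rows, best CBA first."""
    rows = [(c.name, cba(risk, c), roi(risk, c), decide(risk, c))
            for c in controls]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data: one incident costs $120,000 and is expected
# once every two years, so ALE (pre control) is $60,000.
RISK = Risk("web storefront / unpatched plugin", sle=120_000, aro=0.5)
CONTROLS = [
    Control("web application firewall", post_sle=120_000, post_aro=0.125,
            acs=18_000),
    Control("managed 24x7 monitoring", post_sle=60_000, post_aro=0.25,
            acs=70_000),
    Control("encrypted offsite backups", post_sle=90_000, post_aro=0.5,
            acs=20_000, mandatory=True),
]

if __name__ == "__main__":
    print(f"ALE (pre control): ${RISK.ale:,.0f}")
    for name, net, ratio, decision in rank_controls(RISK, CONTROLS):
        print(f"{name:28} CBA=${net:>9,.0f}  ROI={ratio:5.2f}  {decision}")
```

The monitoring service reduces ALE by the same amount as the firewall but is rejected on cost, which is the notes' point that high-cost controls do not always offer proportional risk reduction.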
Alternative feasibility assessment methods - organizational feasibility assesses how well the proposed solution aligns with the organization’s structure, goals, and environment: - efficiency: the potential for improved efficiency and security practices and resource utilization after implementing the security solution - effectiveness: the ability of the solution to effectively address the identified risks and security needs - strategic and operational alignment: the potential disruptions to business processes and workflow - operational feasibility focuses on the practicality and ease of adoption, including: - user acceptance and support: ensure that users and employees understand the need for security solution and are willing to adapt their work practices with this new security solution - management buy-in: demonstrating the value to their management and securing their buy-in for implementation and ongoing support for that security solution - compatibility with existing systems and workflows: ensure the new security solution is compatible with existing systems, infrastructure, and organizational procedures - technical feasibility evaluates the organization’s capability to implement and sustain the security solution by considering: - technology availability: whether the required technology exists and it’s accessible to the organization - expertise and skillsets: do we have employees with the skills to be able to implement and maintain this new security solution? 
- Infrastructure compatibility: ensure the solution can function within the existing technological infrastructure - political feasibility assesses the internal and external political factors that may affect decision-making, such as: - stakeholder alignment and consensus: alignment of interests and perspectives among different stakeholders - power dynamics and influence: understanding who holds the decision-making power in that company, and how different groups might influence the outcome - resource allocation priorities: recognize that security investments can be subject to competition for resources and may require justifying the need and potential benefits O. Alternatives to feasibility analysis - benchmarking: comparing the organization’s security practices against industry peers or similar organizations - due care and due diligence: - due care: taking reasonable steps to avoid likely risks - installing antivirus software and enforcing a password policy - due diligence: conducting thorough research and investigations to minimize risks and ensure compliance - best business practices: widely accepted industry standards proven to effectively achieve security goals - gold standard: the highest level of performance or quality - government recommendations: guidelines from government agencies outlining recommended cybersecurity practices - baseline: a reference point used to measure progress or change over time Module 5: Contingency Planning- Part 1 A.
Intro to contingency planning - why contingency planning matters - adverse event: if we have any unexpected adverse event, we don’t know exactly what the impact will be - well-developed contingency plans = reduced risk, maintained business continuity, and limited financial and operational losses - types of unexpected events - cyberattacks, natural disasters, infrastructure failure, human error - can impact the technology, finance, and reputation - key planning activities - effective planning includes - identifying critical business functions (CBF) - registration, teaching at university - assessing different types of threats - developing recovery strategies - organizational benefits - if we have a proactive contingency planning approach, this reflects the organization’s commitment to responsibility, resilience, and the protection of its people, systems, and assets B. Core principles of contingency planning (CP): the process of proactively preparing for, responding to, and recovering from security incidents which can disrupt/threaten the CIA of info assets impacting CBF - minimize the impact of security incidents - main goal of contingency planning is to reduce the effects of any form of threats and disruptions through fast and coordinated response and efficient recovery of the critical business functions - prepare all organizational units - All depts within the company must be ready to respond because it helps in limiting the downtime and restoring operations with minimal cost and delay - understand incidents and adverse events - incident?: an unexpected event posing a threat to the system - protect critical business functions and info assets - contingency planning helps us preserve the CIA of systems and data - objectives of contingency planning - swift and effective response: quickly contain and control any form of security incidents to prevent them from further escalation, spreading, and to reduce the damage - rapid recovery: - resumption of critical functions: want to
ensure essential business operations - essential business functions resume quickly using backup systems or using alternative methods - reduced disruption and cost: minimizing operational downtime and financial losses by having a well practiced recovery plan in place - key aspects of contingency planning - identifying potential threats and vulnerabilities - understanding the risks and potential security incidents the organization might face - developing detailed plans - outline response procedures, roles and responsibilities, recovery strategies, and communication protocols - assigning responsibilities - clearly define roles and responsibilities for employees involved in the response and recovery efforts - testing and updating plans - regularly test and update the contingency plan to ensure its effectiveness and its adaptability to new threats - benefits of effective CP: - reduced risk and impact of security incidents - plan/aim to mitigate the potential damage caused by security breaches and minimize any form of business disruptions - improved response and recovery capabilities - enables swift and coordinated action in the event of an incident - enhanced decision-making - provide a framework for making informed decisions during critical situations - regulatory compliance C.
Key components of CP - CP comprises the following core concepts: - business impact analysis (BIA) - assesses the potential impact of security incidents and disruptions on CBF - purpose?: identify essential processes and acceptable downtime to guide the prioritization of recovery strategies across the contingency plans - incident response plan (IR plan) - Defines the steps to detect, respond, and manage security incidents - enables a timely and coordinated response to limit the damage, support investigations, and initiate recovery efforts - disaster recovery plan (DR plan) - Provides procedures for restoring the critical IT systems (or CBFs), infrastructure, and data after a disaster - business continuity plan (BC plan) - establishes strategies to sustain essential business operations during and after a disruption - maintains operational resilience even under adverse conditions by enabling continuity with minimal interruption D. NIST contingency planning methodology - the contingency planning management team (CPMT) follows these steps to develop and maintain an effective contingency plan: - establish the contingency planning policy - define roles, responsibilities, scope, and objectives of the contingency plan - conduct a BIA - identify the CBFs’ dependencies - develop contingency strategies - define practical recovery and continuity strategies based on the BIA findings from the previous step - create the contingency plan document - outline detailed response, recovery, and continuity procedures - test, train, and conduct exercises - want to validate the plan through simulations, staff training, and readiness drills - maintain and update the plan - want to regularly review the plan to incorporate any lessons learned from a previous incident - any changes in the system and any evolving risks should be incorporated into the plan D. 1.
Establish the contingency planning policy - this policy serves as the foundation for all contingency planning efforts - defines the scope, objectives, roles, responsibilities, and authority for planning activities - it ensures organizational commitment - sets the strategic direction - purpose? - the contingency plan statement formally communicates the senior management’s commitment to - protect CBFs - highlights the importance of maintaining continuity and minimizing disruptions to critical business operations - Allocate resources - demonstrates the willingness to allocate the necessary resources - comply with regulations - content? - Scope: define the types of disruptions covered by the policy - objectives: achieve specific recovery time objectives (RTO) and recovery point objectives (RPO) - responsibilities: assign accountability for developing, implementing, and maintaining contingency plans at different organizational levels - review and update schedule: specify the frequency at which the policy statement and contingency plans will be reviewed and updated E. 2.
Conduct the BIA - the BIA identifies and evaluates the potential impact of disruptions on CBFs - provides a data driven foundation for recovery planning - key activities - identifying CBFs: identify the essential functions that contribute significantly to achieving the organization’s goals - need to focus on business functions whose disruption may cause severe consequences - assessing the impact of disruptions: for each identified CBF, analyze the potential effects of different types of disruptions - need to consider various scenarios - evaluate the impact of each disruption on the CBF - evaluate the financial loss, reputational damage, regulatory non-compliance, customer satisfaction - determining maximum tolerable downtime (MTD): - maximum acceptable period the organization can function without this CBF before experiencing severe consequences - MTD helps establish the recovery time objective - establishing prioritization - based on the impact assessment and MTD, we prioritize the CBFs - high impact CBFs with low MTD require the most robust and immediate recovery strategies - low impact CBFs might have some flexibility in the recovery timeframes F. 3.
Develop contingency strategies - design recovery strategies to restore CBFs in the event of a disruption - informed by the BIA - rely heavily on the results the BIA identified - BIA identified: - the most critical CBFs - MTD - impact of disruption on business operations - strategy development goals - recovery strategies should be tailored to each CBF to minimize the downtime, to maintain data integrity and availability during and after disruption, and to reduce the financial impact by limiting losses and recovery costs - common recovery strategies - hot site - warm site - cold site - cloud backup and recovery - work from home arrangements - alternative processing site - strategy CBF alignment - match the recovery strategies to CBFs by evaluating the MTD requirements and cost-benefit trade-offs - want to balance recovery speed with implementation and maintenance costs G. Develop contingency strategies-example - company: ABC online retail - methodology: following the NIST contingency planning framework - BIA findings - CBF: processing online customer orders - MTD: 4 hours - strategy development considerations? - hot site: offers almost immediate system switch over, but it may be too expensive for a four hour recovery time limit - fully operational backup site with near instant failover - high cost, low downtime - warm site: practical; enables quicker recovery than using a cold site without the high cost of a hot site - pre-configured facility - requires moderate cost and recovery time - cold site: a basic infrastructure that requires a full setup - cloud backup and recovery: offers a scalable, fast restoration of systems and data - work-from-home arrangements: feasible if the staff can have secure access and manage order processing remotely - chosen strategy? - Warm site because it balances the recovery speed and cost effectiveness - cloud backup and recovery because it adds redundancy and accelerates data restoration H. 4.
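The strategy-to-CBF matching from the ABC online retail example, generalized to several CBFs. This is an added example, not part of the original notes: only the 4-hour MTD for order processing comes from the notes, while the other CBFs, the WRT values, hourly losses, site recovery times and site costs are constructed. It assumes MTD = RTO + WRT as these notes define it in the later section on recovery criticality, and it compares strategies by annual site cost plus expected outage loss, which is one possible way to express the cost-benefit trade-off.

```python
"""Added example: match recovery strategies to CBFs by MTD and cost."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CBF:
    """A critical business function with its BIA results."""
    name: str
    mtd_hours: float      # maximum tolerable downtime
    wrt_hours: float      # work recovery time once systems are restored
    loss_per_hour: float  # constructed estimate of outage cost per hour

    @property
    def rto_budget(self) -> float:
        # MTD = RTO + WRT, so system recovery may take at most MTD - WRT
        return self.mtd_hours - self.wrt_hours


@dataclass(frozen=True)
class Strategy:
    """A recovery strategy with its achievable system recovery time."""
    name: str
    recovery_hours: float
    annual_cost: float


def yearly_cost(cbf: CBF, strategy: Strategy,
                outages_per_year: float = 1.0) -> float:
    """Annual site cost plus the expected loss from downtime."""
    downtime = strategy.recovery_hours + cbf.wrt_hours
    return strategy.annual_cost + outages_per_year * downtime * cbf.loss_per_hour


def select_strategy(cbf: CBF, strategies: list,
                    outages_per_year: float = 1.0) -> Optional[Strategy]:
    """Cheapest strategy that restores systems inside the RTO budget.

    Returns None when no strategy can meet the MTD, which means the BIA
    inputs or the list of available strategies must be revisited.
    """
    feasible = [s for s in strategies if s.recovery_hours <= cbf.rto_budget]
    if not feasible:
        return None
    return min(feasible, key=lambda s: yearly_cost(cbf, s, outages_per_year))


def recovery_plan(cbfs: list, strategies: list,
                  outages_per_year: float = 1.0) -> list:
    """Prioritize CBFs (lowest MTD first, then highest hourly loss) and
    return (CBF name, RTO budget in hours, chosen strategy) rows."""
    ordered = sorted(cbfs, key=lambda f: (f.mtd_hours, -f.loss_per_hour))
    plan = []
    for f in ordered:
        choice = select_strategy(f, strategies, outages_per_year)
        plan.append((f.name, f.rto_budget, choice.name if choice else "NO FIT"))
    return plan


# Constructed sample data, except the 4-hour MTD taken from the notes.
CBFS = [
    CBF("payroll", mtd_hours=72, wrt_hours=8, loss_per_hour=500),
    CBF("online order processing", mtd_hours=4, wrt_hours=1,
        loss_per_hour=10_000),
    CBF("payment authorization", mtd_hours=0.5, wrt_hours=0.375,
        loss_per_hour=50_000),
]
STRATEGIES = [
    Strategy("hot site", recovery_hours=0.25, annual_cost=400_000),
    Strategy("warm site", recovery_hours=2, annual_cost=120_000),
    Strategy("cold site", recovery_hours=48, annual_cost=30_000),
]

if __name__ == "__main__":
    for name, budget, choice in recovery_plan(CBFS, STRATEGIES):
        print(f"{name:26} RTO budget {budget:6.3f} h -> {choice}")
```

With one outage per year the warm site is the cheapest fit for order processing, matching the choice in the notes; raising `outages_per_year` to 20 flips the choice to the hot site because downtime losses then outweigh the site cost.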
Create the contingency plan document - CP acts as a comprehensive roadmap for responding to and recovering from security incidents or operational disruptions - key activities: - define scope and objectives - specify the systems, applications, and data covered by the plan - outline the key objectives like minimize downtime and data loss, protect the CIA of the info, and ensure continuity of the CBFs - identify potential threats and disruptions - use risk assessment and past incidents to list likely disruptions-the disruptions that have the highest probability to happen - develop response procedures - for each identified threat, detail steps for detection and containment of the incident, data recovery and system restoration, internal and external communication protocols, and restoration of CBFs - assign roles and responsibilities - clearly designate who does what during a disruption - define responsibilities to prevent confusion and ensure coordinated response - establish communication and training plans - create a communication strategy to keep all the staff and stakeholders informed in case of an incident - develop and deliver training so employees understand their roles and the procedures to follow for each type of incident I.
Develop a contingency plan-example - scenario: develop a contingency plan for a web server outage affecting the company website - scope and objectives - focus on restarting the website functionality within 2 hours to minimize customer impact and potential revenue loss - covers the web server hosting the main company website - potential incidents/disruptions - hardware failure - DoS attack - software bug - system crash - response procedures (DoS attack example) - detection: security tools detect abnormal traffic consistent with DoS attacks - Containment: network administrators deploy mitigation tactics and isolate the affected systems - recovery: IT team investigates and neutralizes the source of the attack - restoration: patch is applied and the web server is brought back online after verification - communication: customers are notified via social media, news outlets, email, etc. with updates on the status - roles and responsibilities - Security analyst: monitors for attacks and conducts initial investigation - network administrator: executes containment actions to protect the systems - IT team: restores services and implements long term solutions - public relations team: communicates outage details and updates for customers - communication and training - communication plan?: ensures timely updates to internal teams and customers - training: perform regular training sessions to prepare staff to respond effectively to any outage J. 5.
test, train, and conduct exercises - this phase ensures the effectiveness and readiness of the contingency plan by validating its procedures, preparing staff, and identifying areas for improvement - Key activities - plan testing: evaluate the plan’s functionality and effectiveness under simulated conditions - tabletop exercises: discussion-based scenarios to evaluate the decision-making - walk-throughs: step-by-step review of the response procedures without activating systems or personnel - full-scale exercises: realistic hands on simulation involving systems, staff, and actual resources - training: ensures all staff understand their roles and responsibilities and are equipped to carry out the contingency procedures - awareness training: for all staff to understand the importance of the plan and basic response expectations - role-specific training: specific training for key individuals with assigned duties during a disruption - technical training: focused on tools and technologies used during recovery - exercises: simulate real world incidents to test the response effectiveness and identify gaps in the plan - frequency: should be conducted regularly based on the risk level and the system complexity K. 6. Maintain and update the contingency plan - this phase ensures that the contingency plan remains effective, relevant, and aligned with organizational changes and evolving risks.
Activities: - importance of ongoing maintenance - threats and vulnerabilities continue to evolve over time - the business processes and technologies may change significantly - testing, exercises, or actual incidents often reveal critical improvement areas - need to regularly maintain the plan to ensure the organization remains resilient and has a response-ready plan - key maintenance activities: - regular review: conduct formal reviews every 6 to 12 months - reevaluate the CBFs, risk landscape, and recovery strategies based on the recent changes - incorporate lessons learned (after the exercises, tests, or real incidents): document improvement points - then use findings to refine procedures and strengthen the plan’s effectiveness - update for organizational changes: reflect updates in technologies, business processes, personnel - then revise procedures, rules, and resource allocations accordingly - align with new regulations: monitor relevant legal, industry, or compliance requirements - ensure the plan remains compliant with the latest standards and frameworks - version control: use version tracking software to ensure all teams are working from the most current plan - also maintain logs of changes to support audit and accountability - record date, time, version number, and what changes we made L. BIA - both BIA and risk management are essential components of an infosec and continuity strategy - they serve distinct but complementary purposes - risk management - identify potential threats and vulnerabilities; assess the likelihood and impact of specific risks; recommend risk mitigation strategies to reduce or eliminate risk exposure - BIA - focus on the impact of disruptions to the CBFs; determine the MTD and recovery priorities; inform the development of contingency and recovery strategies - key difference? - RM: what could go wrong, and how do we prevent it?
- BIA: if something does go wrong, how badly will it affect operations, and how quickly must we recover? M. Business process and recovery criticality - recovery time objective (RTO): maximum allowable downtime for a system/resource before it causes significant disruption to business operations - recovery point objective (RPO): point in time to which the data must be restored after an outage - based on the most recent usable backup - the shorter the RPO, the better - maximum tolerable downtime (MTD): the total acceptable downtime, including both system recovery (RTO) and business recovery (WRT) - MTD = RTO + WRT - e.g., senior management determined that the web server can’t be down for more than 6 hours in total. - RTO: 2 hours (system recovery) - WRT: 4 hours (business function recovery) - work recovery time (WRT): the additional time required after system restoration to return the business function to full operation - may reenter data, run manual processes, or resynchronize systems N. RTO, RPO, MTD, and WRT O. Cost balancing - recovery against investment: companies aim to minimize disruption time to maintain customer trust, avoid revenue loss, and ensure business continuity - requires the right balance between security investment and acceptable risk - short disruption time = high cost to recover - high security investment: investing heavily in robust security controls, backups, redundancy, and rapid response capabilities reduces the downtime - longer disruption time = lower security investment - Higher risk of loss and more cost of disruption - minimal investment may save upfront costs, but can lead to longer recovery times and high disruption cost during an incident - Key decision factors?: - companies must evaluate - risk tolerance: how much downtime or data loss can the business afford? - cost of disruption: financial, operational, and reputational losses during an outage? 
- budget for prevention and recovery: what level of investment is realistic for our organization and effective? - summary: every company must find the right balance between disruption time, security and recovery investment, and cost of disruption - ensures recovery goals are met efficiently without overspending or leaving the organization exposed Module 5: contingency planning- part 2 A. Prioritizing CBFs - this step focuses on ranking the identified CBFs based on their significance to organizational resilience - organizational resilience?: the organization’s ability to continue delivering essential services and operations during and after a disruption - preparing for, responding to, and recovering from unexpected events while minimizing impact on the CBFs - aim for an effective prioritization - effective prioritization?: ensure that the resources are allocated efficiently and that the recovery strategies address the most essential functions first - prioritization factors - revenue impact: assess the extent to which a disruption in the function may directly affect the organization’s ability to generate income or complete sales transactions - reputational consequences: evaluate the potential damage to the organization’s brand image, customer confidence, and stakeholder trust which can result from a disruption - regulatory compliance requirements: determine whether the function is essential to maintain compliance with legal, regulatory, or industry standards - also the severity of the consequences if these obligations are not met - recovery time objective (RTO): specify the maximum allowable duration that the CBF can be unavailable before the disruption causes unacceptable harm to operations - functional interdependencies: examine how heavily other CBFs depend on the continued operations of this given CBF - e.g., if the order processing system fails, it disrupts inventory management, shipping, and customer billing - prioritization methods - qualitative scoring techniques: a 
subjective method in which each prioritization factor is assigned a relative value and a severity score - relative value and severity score - total weighted score helps rank these CBFs - highest score indicates the need to recover this CBF before other CBFs - risk impact matrix: visual tool that maps each CBF - horizontal axis: potential impact of disruption - vertical axis: likelihood of occurrence - any CBFs placed in the high impact, high likelihood region are prioritized for recovery planning B. Example- prioritizing CBFs - Acme Widgets identified the following CBFs: production, order processing, customer support, financial transactions, and payroll processing - discuss the following: - impact analysis - production stoppage: company can’t make or deliver products - directly affects revenue and customer commitment - delays in order processing: result in missed sales opportunities and frustrated customers who might not return to the company - customer support outage: leaving clients without help when needed most isn’t a skippable factor - damages client trust and reduces their long-term loyalty to the company - disruptions to financial transactions: delayed payments to payroll - can harm employee morale, strain vendor relationships, and raise compliance concerns - prioritization methods - 1. Production: highest priority CBF because of its direct connection to revenue - 2. Order processing: given its role in completing sales - 3. Customer support: essential for maintaining satisfaction and long-term loyalty - 4. 
Financial transactions and payroll processing: may allow slightly more recovery time because potential short-term workarounds can allow it - importance of prioritization - By prioritizing the CBFs, Acme can - focus recovery efforts: can direct resources and attention toward restoring the most essential functions, minimizing business disruption - allocate budget effectively: can invest in mitigation and redundancy measures for high-priority CBFs where the downtime would be most costly - develop targeted contingency plans: design customized recovery strategies and timelines for each CBF based on its importance and tolerance for disruption C. Identifying resource requirements for recovery - determine the specific resources needed to restore each CBF following a service disruption - why?: accurate identification ensures that the recovery strategies are realistic, actionable, and capable of minimizing downtime - resource categories - personnel: individuals with the necessary skills and expertise to support recovery efforts like IT professionals, system administrators, data recovery specialists, and the staff from the affected business units - equipment: hardware and software required to resume operations, including backup servers, spare devices, licensed software, and mobile technology for remote access if needed - facilities: alternative physical locations used during recovery, like designated disaster recovery sites or temporary office spaces - info/data: access to essential data, backups, documentation, system configurations, recovery procedures, and user guides needed to restore operations effectively - financial resources: funding allocated for recovery activities, including costs for emergency repair, equipment rentals, vendor services, and overtime compensation for the recovery team - linking resources to CBFs - ensures an efficient recovery process - map each CBF to the specific resources it depends on - 2 questions to consider - what personnel, equipment, or data are essential 
to restore this CBF? - what facility or backup site is required for recovery? - Resource prioritization: allocate resources based on the priority of each CBF as identified during the impact analysis - resources linked to high priority CBFs should be given precedence or dedicated support to avoid bottlenecks during the recovery D. Example- identifying resource requirements for recovery - Acme Widgets identified the following CBFs: production, order processing, customer support, financial transactions, and payroll processing - discuss how Acme identifies resource requirements - first 2 CBFs: - production: might identify the need for specialized machinery, production staff, a manufacturing facility, and real-time inventory data - order processing: essential resources may include order management software, internet access, customer data, and trained staff E. Contingency planning policies - contingency planning policies provide a high-level framework that defines the organization’s overall approach to: - incident response (IR) - disaster recovery (DR) - business continuity (BC) - individual plans are not created by contingency planning policies; instead, the contingency planning policies authorize, guide, and align individual plan development with the organization’s broader business strategy and RM framework - distinguish policy from the BIA - policy?: the policy sets the strategic vision and establishes the authority, scope, and responsibilities for contingency planning - BIA is a tactical activity conducted under the policy’s guidance to identify and prioritize CBFs based on impact and downtime tolerance F. 
Understanding BC and DR - Business continuity (BC): the organization’s ability to maintain or quickly resume CBFs and services during or after a disruption - ensures minimal impact to operations - Business continuity plan (BC Plan): a documented framework that outlines how an organization will continue essential operations when its primary facilities or systems are unavailable - business continuity planning (BCP): strategic process of developing, implementing, and maintaining good procedures to ensure the continuation or rapid restoration of CBFs in the event of disruptions - emphasizes maintaining or restoring CBFs through different strategies - disaster recovery (DR) plan - is a component of BCP focusing on the technical recovery of the IT infrastructure, systems, and data at the primary site to resume normal operations ASAP - small business consideration - Even small organizations benefit from having BCP and DRP, which help these small organizations reduce downtime, limit financial losses, and ensure recovery from unexpected events - what do BCP and DRP refer to? (Video) - BCP - outlines how a company will continue to operate during and after a major disruption. 
- Focuses on maintaining critical functions - by outlining the steps to be taken in the event of a cyber incident, a BCP can help to minimize the impact of an attack and ensure that critical operations can continue - focuses on how to continue delivering business outcomes during an incident - DRP - a set of tools, processes, and policies that support recovery following a disaster or major incident - would be activated after a major system disruption, with long term effects such as loss of data - focuses on recovering from an incident - both plans would form part of an organization’s overall RM and emergency preparedness strategy, ensuring that the organization is capable of responding to and recovering from disruptions of different severity - the DRP can support a BCP strategy by relocating supporting systems for business operations or mission critical functions - once plans are in place, it’s crucial they’re tested with simulated disruptions - The results of any tests should be shared with relevant stakeholders, and any improvements should be incorporated into an action plan G. 
BC in action - BCP ensures operational resilience - involves creating and implementing a strategy allowing the organization to continue delivering CBFs during and after a disruption - BCP focuses on restoring critical functions through flexible strategies - includes options like alternative sites, enabling remote work, reallocating internal resources, or working with third party providers - DR is a key component of BCP - DRP specifically targets the technical recovery of systems and infrastructure at the primary site to bring them back online quickly - small businesses benefit from BCP and DR planning - Implementing basic plans can significantly reduce downtime and support quicker recovery in the face of unexpected disruptions - cross-departmental collaboration is critical to BCP success - While senior leadership approves and funds the BCP, effective planning and implementation require input from different departments across the organization H. Continuity Strategies - cold site - hot site - warm site - rolling mobile site - mutual agreement - service bureau - timeshare I. cold site continuity strategy - basic infrastructure only - provides essential utilities like power, cooling, and internet access, but no preinstalled IT equipment or systems - no pre-installed hardware or software - doesn’t include servers, workstations, or applications - everything must be brought in and set up from scratch - longer setup and recovery time - because all hardware and software must be installed and configured after a disruption - have the longest recovery time - cost-effective for non-urgent functions - cold sites are inexpensive to maintain, thus making them suitable for low priority business functions that can tolerate longer downtime J. 
Hot site contingency strategy - fully equipped and ready-to-use - includes all required hardware, software, and network systems configured to replicate the organization’s primary environment - minimal setup time - since everything is installed and synchronized, operations can resume quickly with little to no additional configuration - ideal for mission-critical functions - hot sites support high availability needs and are best suited for business functions that can’t tolerate extended downtime - higher operational cost - maintaining a real-time and fully functional backup facility comes at a significant cost, but ensures near instant recovery K. Warm site continuity strategy - pre-installed hardware and network infrastructure - comes with essential servers, storage, and network systems in place - reduces the setup time after a disruption - software is not pre-installed or configured - applications must be installed and configured before the site becomes operational - causes moderate delay - faster recovery than a cold site - offers faster recovery than a cold site because the core infrastructure is ready - lower cost than a hot site - Warm sites are more affordable than fully redundant hot sites, thus making them a practical middle ground for many organizations L. 
Rolling mobile site continuity strategy - mobile disaster recovery unit - a rolling mobile site is a specially equipped vehicle that provides temporary computing and communication infrastructure during a disruption - flexible and location-independent - units can be rapidly deployed to any location, making them ideal for situations where the primary site is inaccessible or compromised - secure pre-configured environment - mobile sites are equipped with firewalls, IDS, encrypted storage, and secure access protocols to support sensitive operations - supports limited but essential services - while not designed for full-scale recovery, rolling mobile sites enable privileged employees to access vital applications, communicate securely, and resume urgent operations M. Mutual agreement continuity strategy - formal reciprocal agreement - a mutual agreement is a legally binding contract between two organizations to support each other during a disruption - shared facilities and resources - each party agrees to provide access to physical space, systems, or personnel to help the other maintain critical operations - cost-effective alternative - helps reduce the expense of maintaining fully independent backup facilities by leveraging shared infrastructure - requires compatibility and trust - successful mutual agreements depend on similar business needs, compatible systems, and a strong foundation of cooperation between the two organizations N. 
Service bureau continuity strategy - third-party continuity provider - a service bureau is an external organization that offers disaster recovery and business continuity services to clients - for a fee, not for free - access to specialized facilities and infrastructure - clients can use the bureau’s data centers, network infrastructure, and recovery platforms without building and maintaining their own - skilled staff support - the service bureau also provides experienced technical staff to assist in recovery and system restoration efforts during a disruption - flexible and scalable option - organizations can scale up or scale down their continuity services as needed - makes this strategy especially useful for companies without the resources for in-house solutions O. Timeshare continuity strategy - co-leased recovery facility - a timeshare arrangement involves two or more organizations sharing the cost and space of a disaster recovery site under a formal agreement - scheduled exclusive use - each organization is assigned specific times or scenarios during which they have exclusive access to the facility - reduces resource conflict - cost-sharing advantage - By splitting the expenses of infrastructure and maintenance, organizations reduce the financial burden of maintaining a dedicated recovery site - limited availability during concurrent disruptions - Timeshares are cost-effective but may pose a risk if multiple tenants need the facility at the same time due to overlapping disasters P. 
Business continuity management (BCM) - strategic continuous management process - BCM is a long term initiative at the management level that ensures an organization can recover and maintain CBFs within acceptable timeframes - integrated approach to continuity and recovery - BCM includes interconnected elements like disaster recovery, business recovery, contingency planning, and RM strategies - supports operational resistance and resilience - BCM strengthens the organization’s ability to resist and recover from a wide range of threats like cyberattacks, natural disasters, and infrastructure failures - focus on minimizing loss and downtime - if we have effective BCM, this helps reduce the impact of disruptions like degraded performance from DDoS attacks and interruptions like full system outages - minimizes financial, reputational, and operational losses - multiple strategies can be combined - organizations can select and implement complementary strategies such as automated failover, alternate sites, and resilient software tools to ensure robust and layered protection Q. 
Key components of BCM - BCM describes an enterprise-wide process that includes: - accident prevention - not a core BCM function - supports the broader RM framework by reducing the likelihood of disruptions - BIA - is the foundational BCM element that identifies CBFs, their dependencies, and acceptable downtime or data loss - helps prioritize recovery efforts - business recovery - is a comprehensive process that focuses on restoring the overall business operations after a disruption including systems, personnel, and workflows - business resumption planning - is the subset of the business recovery that outlines step by step procedures to bring specific CBFs back online with defined timeframes - command centers - temporary or designated spaces used to coordinate the crisis response and recovery - enables real time communication, decision making, and leadership oversight during an incident - computer security - protects the digital assets from cyber threats - prevents incidents that could trigger business disruptions - contingency planning - proactive development of alternative procedures and recovery strategies to ensure critical operations can continue despite unexpected disruptions - crisis communication - a structured approach to inform and coordinate with stakeholders, including employees, customers, and the public during a crisis, to preserve trust and minimize confusion - crisis management - the broader and strategic process of responding to and stabilizing major incidents that threaten business operations, personnel, or reputation - disaster recovery - A technical recovery function focused on restoring IT systems, applications, and data following events such as cyberattacks, hardware failure, or natural disasters - event management - not exclusive to BCM - involves coordinating the response to planned or unplanned incidents such as IT outages, natural disasters, or public safety threats that can disrupt business operations - exercising and 
training - process of regularly testing BCP through simulations, drills, and staff training to ensure teams are familiar with the procedures and can respond effectively under pressure - infosec - broad discipline focusing on safeguarding info assets from threats like cyberattacks, data breaches, or unauthorized access - ensures CIA of the critical data - mitigation planning - The development of proactive strategies and controls to reduce the likelihood or impact of identified risks before they result in a disruption - risk control - umbrella term for all activities involved in identifying, evaluating, mitigating, and monitoring risks, including both preventive measures and response strategies - risk financing and insurance - specific financial strategies used to transfer or mitigate the monetary impact of disruptions, including purchasing insurance or allocating reserves to cover losses from incidents such as natural disasters or cyberattacks - risk management - comprehensive, organization wide process that involves identifying, assessing, prioritizing, and treating risks, including those related to BC, cybersecurity, compliance, and operations - safety and security - activities and protocols designed to protect people, assets, facilities, and information from a wide range of threats, whether these threats are physical or digital - emergency management and response - Focus on the immediate coordinated actions taken to protect life, assets, and operations during emergencies like fire, flood, cyberattacks, or activist threats - project management and quality control - provides structured methodologies for planning, executing, and monitoring the BCM initiatives - ensures the continuity plans are developed, implemented, and maintained effectively and consistently R. 
Stages of BCM: a lifecycle approach - understand your business - how?: by doing BIA - we identify what’s most critical to the organization and how disruptions can affect them - identify CBFs: determine which processes are vital to achieving the organization’s goals - perform impact assessment - evaluate how a disruption to each CBF may affect revenue, reputation, legal compliance, and operations - MTD: define how long each CBF can be unavailable before severe consequences occur - develop BC strategies - Design the strategies tailored to the recovery needs identified in the BIA - develop and implement the response plan - translate strategies into detailed and executable plans - develop recovery procedures - create detailed instructions for restarting operations - assign roles and responsibilities - establish communication protocols - training and awareness - build and embed a continuity culture - promote long term organizational commitment to BCM - leadership support - employee engagement - regular communication - incentivize participation - maintain and audit the BCM program - ensure the plan remains effective, current, and compliant - regular reviews and updates - testing and exercises - document lessons learned - audits and compliance checks Module 6: Understanding standards and regulations- part 1 A. Ensuring infosec - infosec standards and regulations play a crucial role in ensuring the protection and confidentiality of sensitive info. 
They aid in: - establishing baselines: - standards define the minimum required security controls and security practices - enables the organization to set consistent expectations to measure compliance and reduce the overall risk exposure of - driving accountability - regulations most of the time include enforcement mechanisms and penalties - motivates organizations to comply and foster a culture of responsibility and proactive security - structuring RM - security controls provide structured methodologies for identifying, assessing, and mitigating threats and vulnerabilities - aids in forming the foundation of effective RM strategies - building trust - compliance with widely accepted standards strengthens stakeholders’ confidence and enhances organizational reputation - Compliance signals a strong commitment to data protection - enabling collaboration - by promoting a uniform security control, or by implementing uniform security controls across multiple companies in the same sectors - standards support interoperability and secure info exchange across organizational and geographic boundaries - if we comply with the same standards, with the same regulation for that region, we can easily exchange our information B. Establishing baselines through standards- example - a small medical clinic adopts the HIPAA security rule as its framework for handling patient records - HIPAA safeguards the CIA of PHI - applies to healthcare providers, health plans, and any business associates that handle PHI - discuss the impact - the clinic now follows a well-defined set of required safeguards (like ACs, encryption, etc.) that were previously missing - removes uncertainty and enables the clinic to focus on high impact security measures rather than spreading resources thinly - spreading resources thinly?: instead of prioritizing critical AC - the clinic previously spent time and money on low risk areas - what does guesswork mean in infosec? 
- making decisions without clear guidance or using structured methodology - Reacting to security incidents as they occur, without a preventive strategy - prioritizing efforts based on intuition or convenience, leading to neglected vulnerabilities - How standards reduce guesswork and improve prioritization? - without a standard, organizations often struggle with - what matters most? - what’s enough? - with a standard (HIPAA) - clear requirements - mandated security controls that eliminate uncertainty - organizations don’t need to define best practices from scratch - risk-based focus - emphasizing mitigating threats that pose the greatest potential harm C. Driving accountability through compliance-example - an online retailer is required to comply with the PCI DSS standard to process credit card transactions - PCI DSS: payment card industry data security standard - set of security requirements developed by major credit card companies to safeguard cardholder data - applies to any organization that stores, processes, or transmits payment card info - discuss the impact? - Defined roles: security responsibilities are clearly distributed - enforced oversight: regular vulnerability scans are mandated - creates a built in system for checks and balances to ensure ongoing compliance and oversight - what are checks and balances in cybersecurity? - A governance mechanism that prevents concentration of authority by: - separation/separating duties - applies the separation of duties principle - ensures that critical tasks are handled by different individuals or different teams - enabling oversight - vulnerability scans serve as independent evaluations, often conducted externally to validate internal security efforts - Why does it matter? - mutual accountability - security culture: foster shared responsibility, prevent negligence, and strengthen the organization’s overall security posture D. 
Structuring RM- example - a software company adopts the NIST cybersecurity framework (CSF) to guide its security strategy - NIST CSF: voluntary framework developed by NIST to help organizations assess, prioritize, and improve their ability to manage cybersecurity risks - provides a flexible structure applicable across industries and organizational sizes - discuss the impact? - transition from reactive ad-hoc fixes to a strategic and structured approach - Ad-hoc fixes: quick, unplanned responses to problems as they arise without having a long term strategy - enables smart allocation of resources: ensures critical areas are not overlooked - the problem with ad-hoc fixes? - are reactive responses to isolated incidents, without having a cohesive strategy - inefficient: time and resources are spent instead of building a lasting defense - short-sighted: immediate symptoms are treated while the root causes remain unresolved - incomplete - attention drawn to obvious issues - leaves other vulnerabilities undetected or ignored - how NIST CSF helps? - Risk-based focus: guides organizations to assess risks and prioritize actions based on impact - balanced security posture: encourages a comprehensive approach that covers prevention, detection, and recovery - strategic investment: helps avoid overspending in one area while neglecting others that are equally or more critical E. Building trust through certification- example - a cloud storage provider obtained ISO 27001 certification for its infosec management practices - ISO 27001: an internationally recognized standard that defines best practices for establishing, implementing, maintaining, and continuously improving an infosec management system - discuss the impact? - security conscious clients get confidence in the provider’s controls thanks to independent third party validation - certification becomes a competitive differentiator: signals maturity and trustworthiness in handling sensitive data - why this step builds trust? 
- transparency and accountability - assurance to clients and partners - market advantage F. Enabling secure collaboration through shared standards-example - two healthcare organizations need to exchange patient data securely - HIPAA defines specific safeguards for protected health info like encryption, access controls, and audit trails - because both organizations adhere to HIPAA standards, there’s no need to negotiate baseline requirements - saves time and reduces uncertainty - discuss the impact? - establish a shared security framework - setting clear expectations for how data is handled and protected - streamline collaboration - reduce legal and technical friction - accelerate secure data sharing - trust and mutual expectations - compliance with HIPAA creates a foundation of trust, allowing each organization to assume that others meet the established privacy and security obligations - reduces the need for repeated risk assessment - minimizes uncertainty in the partnership - streamlined processes - HIPAA outlines clear protocols for data exchange and transfer - makes it easier to align technical systems and operational procedures G. Compliance and RM - standards and regulations provide a framework for organizations to: - implement best practices - Proven industry accepted security controls and procedures - manage risk systematically - enables structured identification, assessment, and mitigation of threats and vulnerabilities - establish a security baseline - define minimal acceptable security measures to ensure consistency and compliance - promote trust - demonstrates accountability and adherence to recognized standards - fosters confidence among clients, partners, and regulators H. 
Key infosec standards and frameworks - ISO 27001 provides an international framework for managing infosec - developed by ISO - outlines the requirements for establishing, implementing, maintaining, and continuously improving an infosec management system - helps organizations of all sizes protect sensitive data systematically and cost effectively - NIST offers detailed guidance for cybersecurity RM - NIST provides comprehensive frameworks: NIST CSF, SP 800 series - documents help any organization in identifying, assessing, and managing cybersecurity risks through practical controls and structured methodologies - PCI DSS focuses on securing payment card data and transactions - focuses on securing payment card data and financial transactions - is a mandatory set of requirements for any organization that stores, processes, or transmits credit card information - includes specific security controls like encryption, access controls, and regular testing to protect the cardholder data I. Understanding ISO 27001 - ISO 27001 provides a globally recognized framework for managing infosec - it defines the structure and requirements for building and maintaining an ISMS - helps organizations to protect their data in a systematic, consistent, and measurable way - it promotes a risk-based approach tailored to the organization’s context - rather than prescribing fixed controls, ISO 27001 requires organizations to assess their own risks, and apply suitable security controls (suitable to their size, industry, and threat environment) - organizations of all sizes can pursue ISO 27001 certification - key requirements include RM, documented controls, and continuous improvement - RM framework: identify and treat security risks in a systematic way - policies and procedures: create clear, enforceable documentation that governs access, incident response, and other key procedures - risk assessments and audits - conduct regular internal assessments and external audits to maintain compliance - 
continuous improvement - adapt and evolve the infosec management system by monitoring effectiveness, learning from incidents and updating controls as needed J. Applying the NIST cybersecurity framework - identify: understand assets, threats, and vulnerabilities - organizations begin by recording their systems and data, then evaluating potential risks - finally, prioritizing which vulnerabilities need to be addressed first - protect: apply safeguards to limit or contain cybersecurity risks - based on the risk assessment, the organization implements appropriate security controls like access restrictions, firewalls, and security policies - detect: monitor systems to identify cybersecurity events - monitoring, logging, and alerting help detect intrusions, anomalies, or suspicious behavior early - respond: contain and manage the impact of incidents - organizations establish IRPs to contain the threats, reduce damage, and communicate with the stakeholders during security events - recover: restore capabilities and ensure BC - planning to recover systems, data and business operations - ensures essential operations can resume quickly after an incident with minimal disruption and captures lessons learned for future improvement K. 
PCI DSS: securing cardholder data through standardized controls - secure network infrastructure - organizations must implement firewalls, IDS, and secure default settings to safeguard their network environment - cardholder data protection - data must be encrypted both at rest, which means when you store the data, and in transit, when you transfer the data from one system to another - requires strict controls on who can access the information to prevent unauthorized use or theft - vulnerability management - systems should be kept updated with security patches, and regular scans must be conducted to identify and address any discovered weaknesses - access controls - access to the cardholder data should be limited to authorized employees only by using strong passwords and MFA - testing and monitoring - regular testing, log reviews, and real-time monitoring are essential to detect anomalies and prevent security breaches - formal policy - a comprehensive, updated policy ensures all staff understand and follow the practices that align with PCI DSS requirements L. 
Key data protection regulations in infosec - GDPR: governs data privacy and protection for individuals in the European Union - applies to any organization that handles personal data of European Union residents - mandates transparency, consent, data minimization, and strong rights for individuals - HIPAA: regulates the security and privacy of health info in the US - sets standards for the protection of PHI - applies to healthcare providers, insurers, and any business associates that handle PHI - CCPA: grants California residents control over their personal data - gives consumers the right to know what personal data is collected, request its deletion, and opt out of data sales - applies to for-profit businesses that operate in California and meet at least one of these thresholds - annual gross revenue over 25 million - buy, sell, or share personal data of 100,000+ consumers - derive 50% or more of annual revenue from selling personal data M. General Data Protection Regulation (GDPR) - is a comprehensive European Union regulation designed to protect the personal data and the privacy of individuals within the European Union - any organization that processes the personal data of European Union residents, regardless of where it’s based, must comply with GDPR - key legal requirements: - consent: the personal data must be collected and processed based on clear, informed, and explicit consent from the individual, with the option to withdraw it at any time - data breach notification: most data breaches must be reported to the supervisory authorities within 72 hours of discovery - enhances transparency and rapid response - individual rights - the right to access and correct their data - the right to be forgotten (requests deletion of data) - the right to data portability: allows individuals to receive their personal data in a structured format that’s commonly used and transfer the data to another service provider without any 
difficulty - significant fines - noncompliance can result in severe penalties - operational changes - organizations often need to revise the business practices, IT systems, and the privacy policies to ensure lawful, secure, and transparent data handling N. Health Insurance Portability and Accountability Act (HIPAA) - a US federal law that establishes national standards for protecting the CIA of sensitive PHI - PHI: any info about the person’s health status, treatment, or payment for health care that can be linked to a specific individual - applies to covered entities and their business associates who handle PHI - key components: - privacy rule: sets standards for how PHI can be used and disclosed - security rule: mandates technical, physical, and administrative safeguards to protect the electronic PHI - breach notification rule: requires covered entities to notify individuals and authorities in the event of a PHI breach - penalties for non-compliance - HIPAA violations can result in significant criminal and civil penalties - fines range from $100 to $1.5 million per violation - depending on the severity and level of negligence involved in that incident O. California Consumer Privacy Act (CCPA) - a California law granting consumers enhanced privacy rights over their personal info - who must comply? 
- for-profit businesses that do business in California and meet one or more of the following criteria - having annual gross revenue over 25 million - buy, receive, sell, or share the personal info of 50,000 or more consumers, households, or devices per year - derive 50% or more of annual revenue from selling consumers’ personal info - key consumer rights under CCPA - right to know: consumers can request to know what personal info a business collects, uses, shares, or sells - right to opt out: consumers can direct a business not to sell their personal info to third parties - right to delete: consumers may request that a business delete their personal data, with some exceptions like for completing transactions or legal compliance - potential consequences for non-compliance - up to 2,500 for each unintentional violation - up to 7,500 for each intentional violation(s) involving children’s personal info - these penalties are enforced by the California attorney general or the CCPA under the CPRA - legal action: - private right of action is limited but exists - consumers can sue in the event of certain data breaches, particularly when non-encrypted or non-redacted personal info is exposed due to a business’s failure to implement reasonable security measures - the attorney general or CCPA can also bring enforcement actions for broader violations - reputational damage: - while not a legal penalty, this is a real and significant consequence - publicized non-compliance or enforcement actions can erode consumer trust and damage brand reputation, especially in privacy-sensitive industries (e.g., healthcare, finance, e-commerce) Module 6: Understanding standards and regulations, part 2 A. 
Compliance and auditing: working together to strengthen infosec - compliance process: implement controls to meet regulatory and standards-based requirements - the compliance process focuses on aligning security practices with required frameworks like ISO 27001 or HIPAA - key steps - perform risk assessment - identify and prioritize security risks - perform policy development and implementation - define and enforce security policies based on regulatory needs - perform control selection and implementation - deploy the safeguards to address the identified risks - training and awareness - educate employees to promote secure behavior and reduce human error - auditing process: verify control effectiveness and identify areas for improvement - ensures that the implemented security controls are functioning as intended and identifies any areas that need improvement or attention - regular assessment: internal audits to evaluate ongoing compliance inside the company - independent reviews: external audits, e.g., by a team from outside the company, to provide an objective evaluation - remediation: put action plans in place to correct any security control weakness we discover or any policy gaps - why they matter together: create a continuous cycle of accountability and improvement - compliance sets the security strategy and structure within the organization - performing auditing, both internal and external, ensures ongoing execution and accountability - both help the organization adapt, improve, and maintain trust in its security posture over time B. Best practices for implementing standards and regulations - risk assessment - main goal is to identify vulnerabilities before they’re exploited - employee training - teach employees to recognize cyberattacks and handle data securely - regular reviews and updates - need to adapt the different policies bc the threats evolve C. 
Implementing effective risk assessment for security planning - identify assets, vulnerabilities, and threats through an initial assessment - begin with a comprehensive review of the systems we have, the data we store, transmit, and process, and the processes we implement inside the company to understand what needs protection and where potential weaknesses exist - can determine which systems, data, or processes need protection and whether there are any weaknesses we can address - update risk assessments regularly to reflect business and technology changes - as new technologies are adopted or the business operations evolve, risk assessment must be revisited to stay relevant and effective - use established frameworks and defined schedules for consistency D. Building a security-aware workforce through employee training - provide mandatory training on security policies and threat awareness - reinforce learning through ongoing, role-specific activities - tailored programs, like advanced modules for IT staff or data handlers - data handlers: employees who regularly access or process sensitive info like customer records or financial data - e.g., a billing clerk - use simulations and follow-up training to address real-world risks E. 
Maintaining security alignment through regular reviews and updates - review security policies to reflect organizational risks and regulations - periodic reviews ensure that internal policies and procedures stay aligned with the current business operations and evolving risk profiles - monitor changes in industry standards and legal requirements - need to stay current with updates to frameworks like NIST CSF or ISO 27001, and regulations like HIPAA, to ensure continued compliance - assign responsibility and enforce a consistent review schedule - need to designate a staff member or team to regularly track regulatory changes - conduct an annual policy review even if no updates are mandated to maintain accountability and preparedness - the review ensures policies remain effective and the staff stay informed Module 7: Managing Data Breaches: Risk, Impacts, and Strategic Response A. What is a data breach and how does it happen? - understanding data breaches - a data breach involves unauthorized access, use, disclosure, or loss of sensitive data - data breaches can occur - digitally: hacking or malware - physically: through lost or stolen devices or documents - common causes of data breaches - cyberattacks: hackers exploit system vulnerabilities, install malware, or use phishing emails to trick employees into revealing their login credentials or granting them access to the system - insider threats - employees or contractors may misuse the data - intentionally: personal gain - accidentally: negligence - physical theft/loss: devices like laptops, USB drives, or printed documents can be stolen or lost, which can lead to data exposures - examples of insider threats - intentional misuse - selling customer data - unauthorized disclosure - accidental misuse - email errors - lost devices - phishing scams B. 
Understanding data breaches - types of compromised information - personal info - data that identifies or relates to individuals - financial info - sensitive data involving financial transactions - intellectual property (IP) - exclusive business info such as trade secrets, product design, etc. that provides a competitive advantage - impacts of a data breach - financial losses - tangible costs resulting from the breach itself - may include remediation efforts, regulatory fines, legal settlements, and potential revenue decline - reputational damage - loss of public trust and confidence that may affect the brand image, customer loyalty, and long-term business opportunities - legal liabilities - exposure to legal consequences due to noncompliance with data protection laws - can potentially result in sanctions, penalties, or a court case - operational disruption - interruption of the day-to-day activities as resources are redirected to contain the breach, investigate the cause, and restore normal operations C. Case study: understanding a data breach incident - a small medical office stored patient records on a local server using outdated security software. A hacker exploited this vulnerability and remotely installed ransomware, locking all patient files. The breach was discovered when staff couldn’t access records at the start of the workday. - discuss - root causes - cyberattack: the attacker exploited known weaknesses in unpatched software - main mistake is that the company didn’t automatically patch their software - technical vulnerability: failure to update security patches allowed this unauthorized access - types of data at risk - personal info - financial info - consequences of the breach - operational disruption - financial losses - reputational damage - legal liabilities: the clinic may face HIPAA investigations and lawsuits from the affected clients D. 
Common causes of data breaches and underlying vulnerabilities - technical vulnerabilities - outdated software: software that’s no longer supported by the vendor - can leave known vulnerabilities open for exploitation - unpatched systems: failing to apply security patches - misconfigured firewalls: improper settings may allow unauthorized traffic into your network or out of your network - traffic now bypasses the intended security controls - lack of encryption: unencrypted data, both when stored and transmitted, is readable - if intercepted, this exposes sensitive records - weak or default passwords: if you’re using an easily guessed password or haven’t changed the password for a long time, you are giving the hackers an opportunity to crack your password, which gives them entry into your system - human error - phishing scams: employees may be tricked into clicking malicious links or giving up their credentials - accidental data sharing: sensitive data can be mistakenly sent to the wrong person or uploaded to an unsecured platform - poor password hygiene: common risky habits include weak or reused passwords, sharing login credentials, etc. - unsecured devices: leaving laptops or phones unattended without locking or encrypting them - can create physical security risks - lack of training: without regular security awareness training, employees remain unaware of the threats and best practices - third-party risks - due diligence before onboarding: need to investigate partners and vendors for security maturity, reputation, and compliance posture before granting them access to our system and data - contractual security requirements: define clear security expectations, breach response responsibilities, and legal liability clauses in the contract - ongoing monitoring: conduct regular audits, vulnerability assessments, or reviews of compliance reports to ensure continued third-party security performance E. 
Scenario: how a third-party software supply chain breach unfolds - use of third-party code - assume your development team integrated code components from an external vendor to enhance your application functionality - vendor’s weak security posture - the vendor’s development environment, including their systems, software, and security practices, is poorly maintained - their machines are unpatched and employees still use weak passwords - credential compromise - one of the vendor’s developer accounts is breached due to a weak password - this gives the attackers access to their internal system - development environment is exploited - assume the hackers infiltrate the vendor’s systems and subtly modify a code component you rely on, embedding a hidden backdoor in that code component - unknowingly importing malicious code - you integrate the infected code module into your productivity application, which means you are unknowingly distributing compromised software to your users F. Scenario: how a third-party software supply chain breach unfolds - your next app update includes the compromised software module. It quietly sends user data from your app to the attackers. This data breach not only exposed your users but also damaged your reputation - missed opportunities? - due diligence: the vendor’s security posture was never reviewed before adopting their code, leaving your product exposed to hidden risks - no contractual requirements: there was no agreement in place mandating security standards, responsibilities, or breach notification obligations - lack of monitoring: your team had no system to verify or track the integrity of third-party code over time - may allow malicious changes to go unnoticed - lessons learned? 
- partners are extensions of you - customers blame your organization, not the vendor - due diligence may prevent headaches - assessing the vendor upfront could have uncovered their weak security practices and avoided this entire incident - contracts matter - well-written contracts can enforce security expectations and reduce your legal exposure in the event of a breach - monitoring is ongoing - regular audits and code reviews help catch issues early before they can cause severe damage G. Regulatory impact and legal consequences of a data breach - compliance obligations - data breach response is not optional - regulations like GDPR, HIPAA, and CCPA mandate how organizations must secure data and report breaches within specific timeframes - legal ramifications - breaches can result in lawsuits from individuals or groups, trigger class action cases, and invite regulatory investigations - defense costs and legal settlements can also be financially devastating - reputational consequence - breaches often lead to customer erosion, strained partner relationships, and reduced investor confidence - rebuilding reputation takes time, effort, and significant resources H. 
Key elements of an effective data breach response plan - importance of preparedness - more than just a document - a response plan is a critical safeguard that protects your organization’s integrity, supports rapid recovery, and maintains customer trust - clear roles and communication - a well-defined data breach response plan defines responsibilities and communication protocols, both internal and external - ensures a coordinated and effective response - minimizing the impact - a prepared team can quickly contain the damage, reduce downtime, and limit financial and reputational damage - key components of the data breach response plan - incident detection: breaches must be quickly identified through monitoring tools, alerts, or employee reports - containment: immediate actions like isolating the affected systems can help stop the spread of the breach - eradication: eliminate the root cause of the attack, such as removing the malware or patching the vulnerability - recovery: restore the systems and data - confirm that the threat is removed and resume normal business operations - lessons learned: conduct a post-incident review - helps improve future response strategies and refine roles, documentation, and communication protocols - testing and training - ongoing validation: need to conduct tabletop exercises, simulations, and full-scale drills to ensure everyone understands their roles - identification: need to identify any weaknesses we have - testing in many cases reveals gaps in the plan that can be addressed before a real incident happens - foster a security culture: regular training builds a proactive and breach-aware workforce that responds quickly and effectively I. Steps for effective data breach management - 1. 
Identifying and assessing a potential data breach - detection mechanisms - automated tools and reporting: use IDS, log monitoring, and incident reporting to flag unusual activities - assessment scope - need to determine the type of data involved, how much data was accessed or exposed, and whether the breach is ongoing to help guide response actions - forensic investigation - in complex cases, we need to engage forensic experts to understand how the breach happened and gather evidence to prevent this from happening again - scenario: a small healthcare clinic’s IDS flagged unusual network traffic from the EHR (electronic health record) server during off-hours - initial investigation - the IT administrator confirmed unauthorized access attempts targeting patient data - scope defined - the breach likely exposed names, medical histories, and insurance information due to an unknown EHR software vulnerability - next steps - the clinic moves into the response phase, which means they need to isolate the server, contact legal counsel, and evaluate breach notification requirements - 2. 
Responding to and containing a confirmed data breach - incident response team - need to engage a designated group including IT personnel, legal counsel, and communication staff - in smaller organizations, this might include the internal IT person and an office manager supported by an external consultant - isolate affected systems - immediately disconnect the compromised systems to stop the spread of the breach - isolation also supports evidence preservation for later investigation - containment strategy - develop actions based on the breach type - evidence preservation - need to capture logs, take a network snapshot, and preserve malware samples where possible without disrupting the business operations - why?: helps the forensic investigation and regulatory reporting - additional considerations - large organizations may require more specialized roles, e.g., a CISO (chief infosec officer: senior executive in that company responsible for establishing and overseeing an organization’s infosec strategy, policies, and programs to protect its data and systems) and a PR (public relations) lead - 3. Meeting notification and compliance obligations - legal requirements - know which laws apply - depending on your location and the affected individuals, regulations (HIPAA, CCPA, Nevada’s data breach laws) apply - each law has specific notification timelines and reporting obligations - HIPAA compliance - if healthcare data is involved in the data breach, notify the affected individuals and report to the US Department of Health and Human Services within the required timeframe - state laws - e.g., California requires prompt notification, usually within 72 hours, to the affected residents - in the scenario from step #1, let’s assume that the clinic (also) treats Nevada patients. 
They may also fall under Nevada breach notification laws - internal notification - be clear, timely, and helpful - can craft a message for the affected patients explaining what type of data was accessed, when the breach happened, what the clinic is doing to prevent future incidents, and what resources are available - 4. Recovering from a breach and strengthening future defenses - data restoration - the IT team verifies the backup integrity and restores the encrypted data from a clean backup created just minutes before the ransomware attack - this restores the business operations without paying the ransom - patching and security updates - the breach originated from a known firewall vulnerability, so the team immediately applied the latest security patch to prevent repeated exploitation - root cause analysis - a security consultant investigates and finds that the attack began with a phishing email opened by an employee, identifying the true entry point, which helps prevent future incidents - review and improve - based on the lessons learned from this data breach, the clinic updates the IRP, launches mandatory phishing awareness training, and improves its email filtering system to catch future threats that come through email J. Proactive measures and continuous improvement - 1. Security awareness and training - employee education - need to regularly educate the staff on phishing detection, password hygiene, and social engineering tactics - preferable to use interactive sessions to make the material more memorable, so employees retain the training material longer - behavioral change (within the organization) - need to recognize and reward employees who report suspicious activities - executive involvement - visible support from the leadership reinforces the importance of cybersecurity across all levels of the organization - 2. 
Technology and infrastructure enhancements - security controls - can require MFA for logins - can deploy firewalls with current threat detection capabilities - incident response tools - invest in a security platform that continuously monitors network activity and alerts the IT teams of any anomalies - the early detection of unusual behavior enables faster incident response before the data is exfiltrated - secure development practices - need to incorporate security testing into the development workflow and train developers to recognize and avoid common coding vulnerabilities - helps prevent the release of software with exploitable flaws like SQL injection or insecure authentication - 3. Collaboration and info sharing - industry partnerships - recommended to join an ISAC (info sharing and analysis center) relevant to your industry to receive timely alerts and best practices - cross-functional coordination - conduct annual tabletop exercises that simulate a data breach and involve key depts. like IT, legal, HR, and communication - these simulations help test the communication channels and uncover any potential conflicts between dept. priorities during a crisis - lessons learned repository - maintain a central database to log past security incidents, how they were handled, and what improvements were made - helps prevent recurring mistakes by ensuring institutional knowledge is accessible and shared across all teams - 4. 
Continuous monitoring and adaptation - threat hunting - need to dedicate time each week for security staff to investigate signs of unusual activities across the different systems and networks we have - security metrics and reporting - need to track meaningful indicators, such as the number of phishing attempts blocked, average time to patch vulnerabilities, and response time to alerts - if critical patches are consistently delayed, this signals a need for process improvement like automation or additional staff - regulatory alignment - subscribe to industry-specific regulatory updates like PCI DSS, GDPR, or HIPAA to ensure your security program evolves with the changing rules - can help us proactively adapt to regulation changes - can help maintain compliance and avoid fines or operational gaps
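
Added example (not part of the original notes): the "lack of monitoring" gap in the Module 7 supply-chain scenario, where the team had no system to verify or track the integrity of third-party code over time, can be closed by pinning a hash manifest when a vendor component is reviewed and re-checking it before every build. The directory layout, file names, and function names below are assumptions made for illustration, and the vendor files are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large vendor artifacts are not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(vendor_dir: Path) -> dict:
    """Record a digest for every file at the moment the component was reviewed."""
    return {
        p.relative_to(vendor_dir).as_posix(): sha256_file(p)
        for p in sorted(vendor_dir.rglob("*"))
        if p.is_file()
    }


def verify_vendor_dir(vendor_dir: Path, pinned: dict) -> dict:
    """Compare the current tree with the pinned manifest.

    Returns three sorted lists: files whose content changed, files that
    appeared since the review, and files that disappeared.
    """
    current = build_manifest(vendor_dir)
    return {
        "modified": sorted(f for f in pinned if f in current and current[f] != pinned[f]),
        "added": sorted(f for f in current if f not in pinned),
        "missing": sorted(f for f in pinned if f not in current),
    }


def is_clean(report: dict) -> bool:
    """A build should proceed only when nothing changed since the review."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: review a vendor drop, then receive an altered update."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor" / "example_component"  # hypothetical layout
        vendor.mkdir(parents=True)
        (vendor / "export.py").write_text("def export(rows):\n    return list(rows)\n")
        (vendor / "LICENSE").write_text("constructed sample licence text\n")

        pinned = build_manifest(vendor)  # committed to your own repo at review time
        before = verify_vendor_dir(vendor, pinned)

        # The update changes a reviewed file, adds an unreviewed one, drops another.
        (vendor / "export.py").write_text(
            "def export(rows):\n    return list(rows)  # changed upstream\n"
        )
        (vendor / "helpers.py").write_text("# new file that nobody reviewed\n")
        (vendor / "LICENSE").unlink()
        after = verify_vendor_dir(vendor, pinned)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean at review time:", is_clean(result["before"]))
    for kind, files in result["after"].items():
        print(f"{kind}: {files}")
```

The manifest only helps if it lives somewhere the vendor cannot write to, such as your own repository under code review. It detects changes made after the review; it does not replace the review itself.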