Add to collection(s) Add to saved
  1. Business
  2. Management

now

advertisement 
1
RISK MANAGEMENT – PART 2
Lecture #3
Learning Objectives
2



Understand how risk is identified
Understand how risk is assessed
Being able to generate a document for risk assessment
Threats
3
Threat: an object, person, or other entity that represents a
constant danger to an asset
 Management must be informed of the different threats facing
the organisation
 By examining each threat category, management effectively
protects information through policy, education, training, and
technology controls

Top Security Threats 2016
4

http://www.itnext.in/article/2016/01/14/cyber-attack-disrupting-critical-infrastructure-2016-likelihood-say-security
Threats
5

Groups that represent the greatest threats:
 Hackers
22%
 Current and former employees 21%
 Foreign countries 11%
 Hacktivists 5%
Threats
6
Threats are divided into twelve categories (see next
slide)
 These twelve categories are organised into five groups:

Inadvertent acts
 Deliberate acts
 Acts of God
 Technical failures
 Management failures

Threats
7
Threat Group 1: Inadvertent Acts
8
Malicious intent is absent and cannot be proven
 Two threat categories:

Acts of human error or failure
 Deviations in quality of service by service providers

8
Acts of Human Error or Failure
9
Includes acts performed without malicious intent
 Employees are among the greatest threats to an
organisation’s data
 Social engineering

 419
fraud
 Phishing
9
Acts of Human Error or Failure
10
Deviations in Quality of Service
11
Includes situations where products or services not
delivered as expected
 This degradation is a form of availability disruption
 Internet service, communications, and power
irregularities dramatically affect availability of information
and systems

11
Internet Service Issues
12
Internet service provider (ISP) failures can considerably
undermine availability of information
 Outsourced Web hosting provider assumes responsibility
for all Internet services as well as hardware and Web
site operating system software
 SLAs are usually arranged

12
Power Irregularities
13
Lead to fluctuations such as power excesses, power
shortages, and power losses
 The voltage levels:

Spike
 Surge
 Sag


 Brownout
 Blackout
Uninterruptible power supply (UPS)
13
Deviation in Quality of Services
14
Threat Group 2: Deliberate Acts
15
Purposeful acts to harm people, organisations or culture
 Six threat categories:

Deliberate acts of espionage or trespass
 Deliberate acts of information extortion
 Deliberate acts of sabotage or vandalism
 Deliberate acts of theft
 Deliberate acts of software attacks
 Compromises to intellectual property

15
Deliberate Acts of Espionage or Trespass
16
Access of protected information by unauthorized
individuals
 Competitive intelligence (legal) vs. industrial espionage
(illegal)
 Shoulder surfing occurs anywhere a person accesses
confidential information

16
Shoulder Surfing
17
17
Deliberate Acts of Espionage or Trespass
18

Escalation of privileges
 Jailbreaking
 Rooting

Authentication and authorisation
18
Hacker vs Script Kiddie
19
19
Deliberate Acts of Information Extortion
20
Attacker steals information from computer system and
demands compensation for its return or nondisclosure
 Commonly done in credit card number theft

20
Deliberate Acts of Sabotage or Vandalism
21
Attacks on the face of an organisation—its Web site
 Threats can range from petty vandalism to organised
sabotage
 Web site defacing can erode consumer confidence,
dropping sales and organisation’s net worth
 Hacktivism

21
Deliberate Acts of Theft
22
Illegal taking of another’s physical, electronic, or
intellectual property
 The property can be physical, electronic or intellectual
 Physical theft is controlled relatively easily
 Electronic theft is more complex problem; evidence of
crime not readily apparent

22
Deliberate Software Attacks
23
Malicious software (malware) designed to damage,
destroy, or deny service to target systems
 Includes viruses, worms, Trojan horses and denial-ofservices attacks

23
Deliberate Software Attacks
24

Polymorphism


A polymorphic threat is one that changes its apparent shape
over time, representing a new threat not detectable by
techniques that are looking for a preconfigured signature
Virus and worm hoaxes

Random emails warning of the latest and most dangerous
viruses that are fictitious
24
Compromises to Intellectual Property
25
Intellectual property (IP): “ownership of ideas and control
over the tangible or virtual representation of those ideas”
 The most common IP breaches involve software piracy
 Enforcement of copyright law has been attempted with
technical security mechanisms

Digital watermark
 Embedded code
 Online registration

25
Threat Group 3: Acts of God
26
Threats that result from forces of nature that cannot be
prevented or controlled
 One threat category:


Forces of nature
26
Forces of Nature
27
Forces of nature are among the most dangerous threats
 Organisations must implement controls to limit damage
and prepare contingency plans for continued operations

27
Forces of Nature
28






Fire
Flood
Earthquake
Lightning
Landslide/mudslide
Tornado or severe windstorm
Hurricane or typhoon
 Tsunami
 Electro-static discharge
 Dust contamination

28
Threat Group 4: Technical Failures
29
Sometimes machines break in unexpected ways
 Two threat category:


Technical hardware failures or errors
Technical
software failures or errors
29
Technical Hardware Failure or Errors
30

Intel Pentium CPU Failure
 Bug
in simple mathematic calculations
 Floating point division (FDIV)
 Loss of over $475 million
Technical Hardware Failure or Errors
31





Mean time between failure (MTBF)
Mean time to diagnose (MTTD)
Mean time to failure (MTTF)
Mean time to repair (MTTR)
MTBF = MTTF + MTTD + MTTR
Hard drive:
 An
average MTBF is 500,000 hours
Technical Software Failures and Errors
32
Threat Group 5: Management Failures
33
Lack of planning and foresight to anticipate the
technology needed for evolving business requirements
 One threat category:


Technological obsolescence
33
Technological Obsolescence
34
Antiquated/outdated infrastructure can lead to unreliable,
untrustworthy systems
 Management’s strategic planning should always include
an analysis of the current technology in the organisation
 Proper managerial planning should prevent technology
obsolescence; IT plays large role

34
Attacks
35
Password crack: attempting to reverse calculate a
password
 Brute force: trying every possible combination of options
of a password
 Dictionary: selects specific accounts to attack and uses
commonly used passwords (i.e., the dictionary) to guide
guesses

35
Attacks
36

Denial-of-service (DoS): attacker sends large number of
connection or information requests to a target
Target system cannot handle successfully along with other,
legitimate service requests
 May result in system crash or inability to perform ordinary
functions


Distributed denial-of-service (DDoS): coordinated
stream of requests is launched against target from many
locations simultaneously
36
Attacks
37
Spoofing: technique used to gain unauthorised access;
intruder assumes a trusted IP address
 Sniffers: program or device that monitors data traveling
over network; can be used both for legitimate purposes
and for stealing information from a network

37
Attacks
38

“People are the weakest link. You can have the best technology;
firewalls, intrusion-detection systems, biometric devices ... and somebody
can call an unsuspecting employee.” — Kevin Mitnick
38
Threat Identification
Realistic threats need investigation; unimportant threats
are set aside
 Threat assessment:

Which threats present danger to assets?
 Which threats represent the most danger to information?
 How much would it cost to recover from attack?
 Which threat requires greatest expenditure to prevent?

39
Vulnerability Identification
Examine how each threat could be perpetrated and list
organisation’s assets and vulnerabilities
 Process works best when people with diverse
backgrounds within organisation work iteratively in a
series of brainstorming sessions
 At end of risk identification process, list of assets and
their vulnerabilities is achieved

40
Vulnerability Identification
41
Risk Assessment
Risk assessment evaluates the relative risk for each
vulnerability
 Assigns a risk rating or score to each information asset

42
Risk Identification Estimate Factors
Risk is
the likelihood of the occurrence of a vulnerability
multiplied by
the value of the information asset
minus
the percentage of risk mitigated by current controls
plus
the uncertainty of current knowledge of the vulnerability
43
Likelihood
The overall rating of the probability that a specific
vulnerability within an organisation will be successfully
attacked
 Assign a numeric value for the likelihood, e.g., 0.1 to 1.0

44
Valuation of Information Assets
Assign weighted scores for value of each asset; actual
number used can vary with needs of organisation
 Done in the asset valuation process

45
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed, it no longer needs to
be considered
 If it is partially controlled, estimate what percentage of
the vulnerability has been controlled

46
Uncertainty

Apply judgment to add a factor into the equation to allow
for an estimation of the uncertainty of the information
47
Risk Determination

For the purpose of relative risk assessment, risk equals:
Likelihood of vulnerability occurrence TIMES value (or
impact)
 MINUS percentage risk already controlled
 PLUS an element of uncertainty

48
Risk Determination (Example)

Information asset A has a value score of 50 and has
one vulnerability: Vulnerability 1 has a likelihood of 1.0
with no current controls; and you estimate that
assumptions and data are 90 percent accurate.
49
Risk Determination (Example)

Information asset B has a value score of 100 and has
two vulnerabilities: Vulnerability 2 has a likelihood of 0.5
with a current control that addresses 50 percent of its
risk; vulnerability 3 has a likelihood of 0.1 with no
current controls. You estimate that assumptions and
data are 80 percent accurate.
50
Documenting the Results of Risk Assessment
Final summary comprised in ranked vulnerability risk
worksheet
 Worksheet details asset, asset impact, vulnerability,
vulnerability likelihood, and risk-rating factor
 Ranked vulnerability risk worksheet is initial working
document for next step in risk management process:
assessing and controlling risk

51
Risk Factor Worksheet
52
Summary
53




Threats
Attacks
Risk assessment
Risk factor report
Related documents
Review Questions
Review Questions
Managing Threats in a Changing World
Managing Threats in a Changing World
The foremost goal of the information security function should be to
The foremost goal of the information security function should be to
CPSC 6126 Computer Security
CPSC 6126 Computer Security
Chapter 11: Policies and Procedures
Chapter 11: Policies and Procedures
Executive Level Security Caliber Security Partners is a different kind
Executive Level Security Caliber Security Partners is a different kind
Business Plan Scope Sheet - Cleveland Clinic Academy
Business Plan Scope Sheet - Cleveland Clinic Academy
Review Questions - Cisco Networking Academy
Review Questions - Cisco Networking Academy
Risk Assessment-Security Plan
Risk Assessment-Security Plan
How Cities Work - Urban Systems Collaborative
How Cities Work - Urban Systems Collaborative
20101102_The Need for Security v1.2
20101102_The Need for Security v1.2
Download
advertisement