Risk Management Fundamentals

Questions and Answers

What is the primary goal of information security concerning residual risk?

  • To bring residual risk into alignment with the organization's risk appetite. (correct)
  • To eliminate residual risk entirely from the organization's assets.
  • To ignore residual risk if it is below a certain financial threshold.
  • To transfer all residual risk to a third-party insurance provider.

In risk management, what is the purpose of identifying, classifying, and prioritizing an organization's assets?

  • To ensure compliance with industry regulations.
  • To prepare for potential audits by external entities.
  • To facilitate a threat assessment process and quantify risks. (correct)
  • To streamline the disposal process of outdated assets.

When organizing the risk identification process, what is the most crucial initial step an organization should undertake?

  • Developing a detailed budget for the entire process.
  • Organizing a team with representation from all affected groups. (correct)
  • Selecting a project manager with prior risk management experience.
  • Purchasing software to automate risk identification.

What is the significance of asset categorization in the context of risk management?

  • It helps in managing information by accounting for transmission, processing, and storage aspects. (correct)

When classifying information assets, what is the primary consideration that organizations must ensure?

  • That classifications are specific enough to enable the determination of priority levels. (correct)

During information asset valuation, what is a key question to consider in order to develop effective criteria?

  • Which information asset is most critical to the organization's success? (correct)

What should a threat assessment primarily involve when identifying and prioritizing threats?

  • Identifying threats that present danger to assets. (correct)

What is the role of 'vulnerabilities' in the context of risk management?

  • They are specific avenues threat agents can exploit to attack an information asset. (correct)

In risk assessment, what is the main purpose of evaluating the relative risk for each vulnerability?

  • To create a method for evaluating the relative risk of each listed vulnerability. (correct)

What does the process of 'determining the loss frequency' involve in risk assessment?

  • Assessing the likelihood of an attack combined with the expected probability of success. (correct)

How do you calculate risk?

  • Risk = (Loss frequency * Loss magnitude) - Percentage of risk mitigated by current controls + Element of uncertainty (correct)

What is the primary purpose of assessing risk acceptability after calculating residual risk?

  • To create a ranking of relative risk levels and determine if additional risk reduction strategies are needed. (correct)

After completing a ranked vulnerability risk worksheet, which of the following actions must an organization take?

  • Choosing one of five strategies to control each risk. (correct)

In risk control, what is the preferred approach to prevent exploitation of a vulnerability?

  • Defense, which includes countering threats and limiting asset access. (correct)

What does the risk control strategy of 'mitigation' primarily aim to achieve?

  • To reduce the impact of an attack rather than reduce the success of the attack itself. (correct)

Before implementing a control strategy, what must an organization explore regarding the vulnerability to information assets?

  • All consequences of the vulnerability to information assets, including the cost of protection, maintenance, and recovery. (correct)

What is the primary purpose of Cost-Benefit Analysis (CBA) in the context of information security?

  • To assess whether an alternative being evaluated is worth the cost incurred to control a vulnerability. (correct)

What is the key differentiator between quantitative and qualitative risk control practices?

  • Quantitative assessment uses actual values or estimates, while qualitative assessment uses non-numerical measures. (correct)

What does 'benchmarking' involve in the context of risk management?

  • Seeking out and studying practices in other organizations to improve risk management efforts. (correct)

Which of the following best describes the function of Access Control?

  • The method by which systems determine whether and how to admit a user into a trusted area of the organization. (correct)

What is the key difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?

  • MAC is managed by a central authority, while DAC allows users to control access to their resources. (correct)

In the context of identification and authentication, what is 'authentication'?

  • The process of verifying the identity of a user or system. (correct)

What is the purpose of 'authorization' in information security?

  • To ensure that an authenticated entity has permission to access specific resources. (correct)

What does 'Accountability (Auditability)' ensure in the context of system security?

  • That actions on a system can be traced back to the authenticated identity. (correct)

Which of the following metrics is used to evaluate the effectiveness of a biometric system?

  • Crossover error rate (correct)

Which firewall type acts as an intermediary between internal and external networks, filtering based on application-layer protocols?

  • Application Gateways (Proxy Servers) (correct)

What is the key function of 'Stateful Inspection' in firewalls?

  • Tracking the state of each connection to make real-time decisions about whether traffic is legitimate. (correct)

What is the purpose of a demilitarized zone (DMZ) in a network architecture?

  • To isolate critical servers from both the external and internal networks. (correct)

What is the primary function of VPNs?

  • To provide secure connections over an unsecured network. (correct)

What is the main difference between Transport Mode and Tunnel Mode in VPNs?

  • Tunnel Mode encrypts the entire packet, while Transport Mode only encrypts the data (payload). (correct)

Flashcards

Risk Management

Identifying, assessing, and reducing risks to an organization.

Risk Identification

Enumerating and documenting potential risks to an organization's information assets.

Risk Control

Using controls to lower risks to an acceptable level.

Risk Appetite

The quantity and nature of risk an organization is willing to accept.

Residual Risk

Risk remaining after controls have been applied.

Vulnerability

Avenues that threat agents use to attack an information asset.

Loss Frequency

The likelihood of an attack combined with its expected probability of success.

Loss Magnitude

How much of an information asset could be lost in a successful attack.

Risk Control (Process)

Selecting control strategies and justifying them to management.

Defense (Risk Control)

Preventing exploitation of a vulnerability.

Transfer (Risk Control)

Shifting risk to another asset, process, or organization.

Mitigation (Risk Control)

Reducing the impact of an attack.

Acceptance (Risk Control)

Doing nothing to protect a vulnerability and accepting the outcome.

Termination (Risk Control)

Avoiding business activities that introduce uncontrollable risks.

Access Control

A method by which systems determine access to a trusted area.

Mandatory Access Control (MAC)

Uses data classification schemes to enforce access policies.

Discretionary Access Control (DAC)

Allows users to control and provide access to resources they own.

Nondiscretionary Control

Managed by a central authority; a more stringent version of MAC.

Authentication

Verifying the identity of a user or system.

Authorization

Ensuring that an authenticated entity has permission to access specific resources.

Accountability (Auditability)

Ensuring actions can be traced back to an authenticated identity.

Firewall

Barrier between trusted and untrusted networks that prevents specific info from passing.

Packet Filtering Firewall

Examines data packet headers.

Application Gateway (Proxy)

Acts as intermediary, filtering based on application-layer protocols.

Circuit Gateway

Monitors TCP/UDP connection setup to control traffic.

MAC Layer Firewall

Operates at the data link layer, using MAC addresses.

Virtual Private Network (VPN)

Allows secure connections over an unsecured network using encryption.

Intrusion Prevention

Activities that deter an intrusion.

WEP (Wired Equivalent Privacy)

Early protocol for securing Wi-Fi networks.

Cryptology

The science of encryption.

Study Notes

Risk Management

  • Involves identifying, assessing, and reducing risks
  • Risk identification, or enumeration and documentation of risks to an organization's information assets
  • Risk control, or applying controls that reduce risks to an acceptable level

Overview of Risk Management

  • Crucial to identify, examine, and understand current systems
  • Know the threats facing the organization
  • Communities of interest are responsible for risk management

Roles of Communities of Interest

  • InfoSec, management, users, and IT should work together
  • Communities of interest are responsible for evaluating risk controls, determining cost-effective options, acquiring necessary controls, and ensuring controls remain effective

Risk Appetite and Residual Risk

  • Risk appetite defines the quantity and nature of risk an org will accept, balancing security and accessibility
  • Residual risk refers to risk that remains, and should align with the risk appetite

Risk Identification

  • Risk management requires identifying, classifying and prioritizing assets
  • Threat assessment process identifies and quantifies risks
  • Project management principles need to be followed
  • A team with representation across all affected groups is required
  • The process includes periodic deliverables, reviews, and presentations

Identifying, Inventorying, and Categorizing Assets

  • Assets are identified, inventoried, and categorized
  • Organization's system includes all elements such as people, procedures, data, information, software, hardware, and networking
  • Human resources, documentation, and data information assets are more difficult to identify

People, Procedures, and Data Asset Identification

  • People: attributes include position name/number/ID, supervisor, security clearance, and special skills
  • Procedures include description, intended purpose, relation to software/hardware/networking elements, and the storage location for reference/update
  • Data includes classification, owner/creator/manager, data structure size, data structure used, online/offline status, location, and backup procedures

Hardware, Software, and Network Asset Identification

  • Which attributes to track depends on the needs of the organization's risk management effort
  • It also depends on the preferences and needs of the security and IT communities
  • Asset attributes include name, IP address, MAC address, element type, serial number, manufacturer, model, software version, location, and controlling entity
  • Assets must be identified and inventoried to be protected
  • The inventory process should be formalized using organizational tools

Asset Categorization

  • People are employees and non-employees
  • Procedures either do not expose knowledge useful to a potential attacker, or are sensitive and could allow an adversary to gain an advantage
  • Data components account for the management of information in transmission, processing, and storage
  • Software components are applications, operating systems, or security components
  • Hardware includes system devices, peripherals, or part of information security control systems

Classifying, Valuing, and Prioritizing Information Assets

  • Many organizations have data classification schemes
  • Classification of components must be specific enough to enable priority levels
  • Categories must be comprehensive and mutually exclusive

Data Classification and Management

  • A variety of classification schemes are used
  • Info owners classify their information assets
  • Info classifications must be reviewed periodically
  • Classifications include confidential, internal, and external
  • Each data user must be assigned an authorization level
  • Management of classified data includes storage, distribution, transportation, and destruction

Information Asset Valuation

  • Asset valuation includes determining the org's most critical assets
  • Important assets include those that generate the most revenue or deliver key services
  • Requires estimating the expense to replace/protect assets
  • Requires weighing the liability if assets are revealed

Information Asset Prioritization

  • Categories are weighted based on a series of questions
  • Each asset is prioritized using a weighted factor analysis
  • Assets are also listed in order of importance, using a weighted factor analysis worksheet

Identifying and Prioritizing Threats

  • Realistic threats need investigation; unimportant threats are set aside
  • Threat assessment involves identifying threats, determining most dangerous threats, estimating recovery costs, and evaluating prevention costs

Specifying Asset Vulnerabilities

  • Vulnerabilities are avenues threat agents exploit to attack an information asset
  • Brainstorming sessions among diverse backgrounds within an org work best
  • A prioritized list of assets and their vulnerabilities is produced at the end of the risk identification process

Risk Assessment

  • Risk assessment evaluates relative risk and assigns a rating/score to each info asset
  • Its goal is to create a method for evaluating the relative risk of each listed vulnerability

Determining Loss Frequency

  • Assesses the likelihood of an attack
  • Includes an expected probability of success

Evaluating Loss Magnitude

  • Determines how much of an info asset could be lost in a successful attack
  • Requires combining the value of the info asset with the percentage of the asset lost

Calculating Risk

  • Risk is calculated as loss frequency * loss magnitude
  • Mitigating actions include deducting risk mitigated by current controls
  • Adding an element of uncertainty is required

Assessing Risk Acceptability

  • For each threat and associated vulnerability with residual risk a ranking of relative risk levels is created
  • If the residual risk exceeds the risk appetite, additional strategies to reduce it further are required

Documenting the Results of Risk Assessment

  • Documenting the results includes a ranked vulnerability risk worksheet
  • It is the initial working document for assessing and controlling risk

FAIR Approach to Risk Assessment

  • Identify scenario components
  • Evaluate loss event frequency and probable loss magnitude
  • Derive and articulate risk

Risk Control

  • Risk control involves selecting control strategies, justifying them to upper management, and implementing/monitoring/ongoing assessment of adopted controls
  • Select from Defense, Transfer, Mitigation, Acceptance, and Termination

Defense

  • Defense attempts to prevent exploitation of vulnerabilities
  • It is accomplished through threat countering, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

Transfer

  • Shifts risk to other assets, processes, or organizations
  • Orgs may hire experts to transfer risk associated with complex systems management

Mitigation

  • Reduces the impact of an attack
  • Includes incident response (IR) plan, a disaster recovery (DR) plan, and a business continuity (BC) plan

Acceptance and Termination

  • Acceptance: take no protective action, chosen when the cost of protection exceeds the value of the asset
  • Termination: avoid the business activities that introduce uncontrollable risks

Selecting & Justifying Risk Control Strategies

  • The level of threat and asset value determines strategy selection.
  • Before implementing a control strategy, explore all consequences of the vulnerability to information assets, determining the cost of protection, maintenance, and recovery

Cost-Benefit Analysis Formula

  • Cost Benefit Analysis determines if an alternative being evaluated is worth the cost incurred to control vulnerability
  • CBA = ALE(prior) – ALE(post) – ACS
  • ALE(prior) is annualized loss expectancy before control.
  • ALE(post) is the ALE after the control
  • ACS is annualized cost of the safeguard
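The scoring rule from "Calculating Risk", the ranked vulnerability risk worksheet, and the CBA formula above, carried through as working code. This is an added example, not code from the original lesson: the asset values, likelihoods and cost figures are constructed; the percentages for current controls and uncertainty are taken as fractions of the loss frequency x loss magnitude product; and ALE is expanded with the standard definitions SLE = asset value x exposure factor and ALE = SLE x ARO, which the lesson does not spell out.

```python
"""Added example (not from the lesson): relative risk per vulnerability,
a ranked worksheet, and cost-benefit analysis of candidate safeguards.
All figures below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    loss_magnitude: float   # asset value score (0-100) x share of the asset lost
    loss_frequency: float   # likelihood of attack x probability of success (0-1)
    mitigated: float        # fraction of risk removed by current controls (0-1)
    uncertainty: float      # fraction added for imperfect data/assumptions (0-1)


def relative_risk(v: Vulnerability) -> float:
    """Risk = (LF x LM) - risk mitigated by current controls + uncertainty.
    Assumption: both adjustments are percentages of the base product."""
    base = v.loss_frequency * v.loss_magnitude
    return base - base * v.mitigated + base * v.uncertainty


def ranked_worksheet(vulns: list[Vulnerability]) -> list[tuple[str, str, float]]:
    """Ranked vulnerability risk worksheet: highest relative risk first."""
    rows = [(v.asset, v.name, round(relative_risk(v), 2)) for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def needs_more_controls(residual_risk: float, risk_appetite: float) -> bool:
    """Residual risk above the appetite means further reduction is required."""
    return residual_risk > risk_appetite


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO, with SLE = asset value x exposure factor (standard definitions)."""
    return asset_value * exposure_factor * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard pays for itself."""
    return ale_prior - ale_post - acs


# Constructed sample data, not from the lesson.
SAMPLE_VULNS = [
    Vulnerability("Customer DB", "SQL injection in web app", 100, 0.5, 0.50, 0.20),
    Vulnerability("Customer DB", "Unpatched DB server", 100, 0.4, 0.00, 0.10),
    Vulnerability("Mail server", "Open relay", 50, 1.0, 0.00, 0.10),
]

if __name__ == "__main__":
    for asset, name, risk in ranked_worksheet(SAMPLE_VULNS):
        flag = "REDUCE" if needs_more_controls(risk, 40.0) else "accept"
        print(f"{risk:6.2f}  {asset:<12} {name:<28} {flag}")

    # Two candidate safeguards for one vulnerability; constructed figures:
    # asset value $500,000, exposure factor 0.4, ARO 0.5 before any new control.
    ale_prior = annualized_loss_expectancy(500_000, 0.4, 0.5)          # 100,000
    waf = cost_benefit(ale_prior, annualized_loss_expectancy(500_000, 0.4, 0.10), 25_000)
    rewrite = cost_benefit(ale_prior, annualized_loss_expectancy(500_000, 0.4, 0.02), 150_000)
    print(f"WAF CBA: {waf:,.0f}   Rewrite CBA: {rewrite:,.0f}")
```

Running it ranks the open relay (55) above the unpatched server (44) and the SQL injection (35) because the SQL injection already has a control removing half its risk, and the CBA shows that the cheaper safeguard with a larger residual ALE can still be the better choice: the rewrite eliminates more loss but its annualized cost exceeds the loss it prevents.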

Implementation, Monitoring, and Assessment of Risk Controls

  • The control strategy selection isn't the end
  • The process must be implemented and monitored to determine effectiveness

Quantitative vs. Qualitative Risk Control Practices

  • Quantitative assessment uses actual values or estimates
  • Qualitative assessment uses non-numerical measures with scales instead of specific estimates

Benchmarking and Best Practices

  • Benchmarking is seeking out and studying practices in other organizations
  • Benchmarking is for improving risk management, including measures based on metrics or processes

Other Feasibility Studies & Risk Scenarios

  • Determine alternative methods of risk mitigation
  • Evaluate the risk when switching to a new system
  • Assessing the consequences when switching or changing a technology

Access Control

  • Access control determines whether and how to admit a user into a trusted area of the organization
  • MAC uses data classification schemes to enforce access policies
  • DAC lets users (data owners) decide who may access the resources they own
  • Nondiscretionary control is a stringent version of MAC, managed by a central authority
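The DAC and MAC models described above, side by side in code. This is an added example, not from the lesson: the classification lattice (public, internal, confidential), the users and the resources are constructed, and the MAC rules follow the usual no-read-up / no-write-down convention for a classification lattice.

```python
"""Added example (not from the lesson): owner-controlled DAC versus
classification-driven MAC, and how they combine.  Sample data is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed classification lattice, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class DacResource:
    """DAC: the owner decides who gets which rights; nobody else can."""
    owner: str
    acl: dict[str, set[str]] = field(default_factory=dict)  # user -> {"read", "write"}

    def grant(self, by: str, to: str, right: str) -> bool:
        if by != self.owner:
            return False                      # only the owner may change the ACL
        self.acl.setdefault(to, set()).add(right)
        return True

    def allows(self, user: str, right: str) -> bool:
        return user == self.owner or right in self.acl.get(user, set())


def mac_allows(subject_clearance: str, object_label: str, right: str) -> bool:
    """MAC over the lattice: read only at or below your clearance (no read up),
    write only at or above it (no write down).  Owners cannot override this."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def check_access(user: str, clearance: str, label: str, res: DacResource, right: str) -> bool:
    """Combined policy: MAC is mandatory and evaluated first; DAC can only
    further restrict, never widen, what the classification permits."""
    return mac_allows(clearance, label, right) and res.allows(user, right)


if __name__ == "__main__":
    # Constructed scenario: alice owns a confidential report; bob is cleared
    # only to "internal", carol to "confidential".
    report = DacResource(owner="alice")
    print(report.grant("alice", "bob", "read"))                                # True: owner's choice
    print(check_access("bob", "internal", "confidential", report, "read"))     # False: MAC blocks read up
    print(check_access("bob", "internal", "confidential", report, "write"))    # False: no DAC write right
    print(report.grant("bob", "bob", "write"))                                 # False: not the owner
    report.grant("alice", "carol", "read")
    print(check_access("carol", "confidential", "confidential", report, "read"))  # True
```

The point to notice is the second line: alice, as owner, granted bob read access, and under pure DAC that would be enough, but the classification scheme overrides the owner's discretion. That is exactly the difference between the two models the lesson describes.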

Identification and Authentication

  • Identification: mechanism by which unverified entities provide a label recognized by a system
  • Authentication: verifies a user or system's identity
  • Authentication factors include:
    • Something you know (passwords).
    • Something you have (smart card).
    • Something you are (biometrics).

Authorization

  • Authorization ensures, after successful authentication, that the user has permission to access the specific resources requested
  • Authorization can be granted per user, per group, or across multiple systems

Accountability

  • Accountability, also Auditability, ensures actions on a system, whether authorized or unauthorized, can be traced back to the authenticated identity
  • Through system logs recording specific actions or events on a system
  • Through database journals storing data changes for audit purposes

Biometrics

  • Biometrics uses unique human characteristics for authentication.
  • Performance is based on the False Reject Rate (FRR), False Accept Rate (FAR) and Crossover Error Rate (CER)
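How FRR, FAR and the crossover error rate are actually obtained from a matcher's output. This is an added example, not from the lesson: the genuine and impostor match scores are constructed, and a real evaluation would use thousands of enrollment/probe pairs rather than ten of each.

```python
"""Added example (not from the lesson): FAR, FRR and the crossover error
rate from constructed biometric match scores."""
from __future__ import annotations

# Constructed match scores (0-100); higher means "more like the enrolled user".
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]     # probe is the same person
IMPOSTOR = [71, 65, 62, 58, 55, 50, 47, 42, 38, 30]    # probe is a different person


def far(threshold: int, impostor: list[int] = IMPOSTOR) -> float:
    """False accept rate: share of impostor attempts that clear the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: int, genuine: list[int] = GENUINE) -> float:
    """False reject rate: share of genuine attempts that fall below it."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: list[int] = GENUINE, impostor: list[int] = IMPOSTOR) -> tuple[int, float]:
    """Sweep every threshold and return the one where FAR and FRR are closest;
    the error rate there is the crossover error rate (CER)."""
    best_t, best_gap = 0, float("inf")
    for t in range(0, 101):
        gap = abs(far(t, impostor) - frr(t, genuine))
        if gap < best_gap:
            best_t, best_gap = t, gap
    return best_t, (far(best_t, impostor) + frr(best_t, genuine)) / 2


if __name__ == "__main__":
    for t in (50, 60, 66, 70, 80):
        print(f"threshold {t}: FAR={far(t):.2f}  FRR={frr(t):.2f}")
    t, cer = crossover()
    print(f"CER = {cer:.2f} at threshold {t}")
```

The sweep makes the trade-off visible: lowering the threshold makes the system more convenient (FRR falls) but lets more impostors in (FAR rises), so a system guarding a data center is tuned to the high-FRR side of the crossover and a phone unlock to the high-FAR side. The CER is the single number used to compare two systems independently of where each deployment sets its threshold.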

Firewalls

  • Firewalls act as a barrier between trusted networks and untrusted networks to prevent unauthorized info transfer

Types of Firewalls

  • Packet filtering examines packet headers, but not content
  • Application gateways/proxy servers act as intermediaries, filtering based on application-layer protocols
  • Circuit gateways monitor TCP/UDP connections
  • MAC layer firewalls operate at the data link layer
  • Hybrid firewalls combine features

Firewall Processing Modes

  • Static filtering uses predefined rules
  • Dynamic filtering reacts to events and can update dynamically
  • Stateful inspection tracks connection states for real-time decisions

Firewall Architectures

  • Packet-filtering routers are common in small organizations; they filter on packet headers but lack detailed logging and auditing
  • Bastion hosts are sacrificial hosts placed at the network perimeter with connections to both the external and internal networks
  • Screened host firewalls combine a packet-filtering router with a separate, dedicated firewall such as an application proxy on a bastion host
  • Screened subnet firewalls (with DMZ) place externally reachable servers in a DMZ, a subnet separated from both the external and internal networks; this is the most common configuration

Configuring and Managing Firewalls

  • Firewall configuration involves rules that determine traffic handling and must be managed carefully
  • Config handled as science (technical needs) and art (balancing security and performance)
  • Best practices:
    • Allow outbound traffic
    • Restrict inbound traffic
    • Disallow inbound ICMP
    • Block telnet access to internal servers
    • Deny all traffic that is not explicitly authorized
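A toy packet filter that applies the best-practice rule order above (allow outbound, drop inbound ICMP and telnet, deny everything else) and shows why stateful inspection is what lets the reply half of a permitted outbound connection back in. This is an added example, not from the lesson: the packets are constructed tuples rather than captures, 10.0.0.0/8 stands in for the trusted network, and the filter tracks connections by 5-tuple only.

```python
"""Added example (not from the lesson): static rules plus a connection table,
i.e. stateful inspection, over constructed sample traffic."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("10.0.0.0/8")  # assumed internal range


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""   # TCP flags, e.g. "S", "SA", "A"


def _outbound(p: Packet) -> bool:
    return ip_address(p.src) in TRUSTED and ip_address(p.dst) not in TRUSTED


class StatefulFilter:
    """Rules are evaluated top to bottom; the connection table is consulted first."""

    def __init__(self) -> None:
        self.connections: set[tuple] = set()

    def decide(self, p: Packet) -> str:
        # 1. Replies to connections the trusted side opened are allowed (stateful inspection).
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.connections:
            return "allow (established)"
        # 2. Outbound traffic from the trusted network is allowed and recorded.
        if _outbound(p):
            if p.proto in ("tcp", "udp"):
                self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow (outbound)"
        # 3. Inbound ICMP is dropped.
        if p.proto == "icmp":
            return "deny (inbound icmp)"
        # 4. Telnet to internal servers is blocked.
        if p.proto == "tcp" and p.dport == 23:
            return "deny (telnet)"
        # 5. Anything not explicitly authorized is denied.
        return "deny (default)"


def run(packets: list[Packet]) -> list[str]:
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", "10.1.1.5", "203.0.113.9", 51000, 443, "S"),    # user opens HTTPS
    Packet("tcp", "203.0.113.9", "10.1.1.5", 443, 51000, "SA"),   # the server's reply
    Packet("tcp", "198.51.100.7", "10.1.1.5", 4444, 51000, "SA"), # forged "reply", no state
    Packet("icmp", "198.51.100.7", "10.1.1.5"),                   # ping sweep
    Packet("tcp", "198.51.100.7", "10.2.0.20", 40000, 23, "S"),   # telnet probe
    Packet("tcp", "198.51.100.7", "10.2.0.20", 40000, 22, "S"),   # SSH, not authorized
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport:<5} {verdict}")
```

A purely static filter has no way to distinguish packets 2 and 3: both are inbound TCP with the ACK bit set, so it must either admit all such packets (the classic "established" hole that port scanners abuse) or break every outbound connection. The state table admits only the exact reverse of a connection the inside opened, which is the real-time decision the lesson attributes to stateful inspection.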

Content Filtering

  • It restricts websites, content, or spam

Remote Access & Dial Up

  • Remote access, such as VPNs and dial-up connections, needs strong authentication and security protocols
  • War dialers locate dial-up connections by dialing blocks of phone numbers and recording which ones answer with a modem
  • RADIUS, Diameter, and TACACS are centralized authentication services used to authenticate users for dial-up and other remote access

Virtual Private Networks (VPNs)

  • VPNs use encryption and tunneling for secure connections over unsecured networks
  • VPN types:
    • Trusted VPNs rely on private networks and network security controls
    • Secure VPNs employ encryption and tunneling protocols for secure remote access
    • Hybrid VPNs combine trusted and secure

VPN Modes

  • Transport mode encrypts only the data (payload) of an IP packet.
  • Tunnel mode encrypts the entire packet.

VPN Protocols

  • IPsec encrypts and authenticates traffic.
  • SSL/TLS secures web browser communication and is increasingly used for VPNs

Introduction to Information Security

  • Protecting assets with managerial controls and technical safeguards
  • Technical solutions, guided by policy
  • Advanced technologies enhance security

Intrusion Detection and Prevention

  • Intrusion involves attacker gaining entry/disrupting information systems
  • Intrusion prevention deters intrusions
  • Intrusion detection identifies system intrusions
  • Intrusion reaction follows when intrusion is detected
  • Intrusion correction restores operations and identifies the source

IDPS Functions

  • Detects violations of configurations
  • Activates alarms for admins
  • Notifies external services of a break-in

IDPS Terminology

  • Alarm clustering/compaction combines similar alarms to reduce redundancy
  • Alarm filtering removes irrelevant alarms
  • Confidence value measures the certainty of an alert
  • False negatives are missed attacks; false positives are non-attacks flagged as threats
  • Evasion is the set of techniques attackers use to avoid detection
  • Noise is irrelevant or non-actionable alerts that make real attacks harder to spot
  • Tuning adjusts the system for optimal performance

Why Use an IDPS?

  • Used to identify and report intrusions
  • Provide quick containment, address preambles to attacks (reconnaissance), gather data to understand attacks, deter attacks, and aid in quality assurance of the security infrastructure

Types of IDPS

  • Network-Based IDPS (NIDPS) monitors network segments, wired or wireless, to protect network assets
  • Network Behavior Analysis detects abnormal traffic
  • Host-Based IDPS (HIDPS) resides on individual systems and detects attacks that NIDPS might miss

Network-based IDPS (NIDPS) Key Features

  • Monitors traffic entering/leaving network segments
  • Uses signatures to identify attacks based on network traffic patterns
  • Detects invalid packets and unexpected behavior
  • Strengths: can monitor large networks, operates with minimal disruption, and is difficult for attackers to detect
  • Weaknesses: easily overwhelmed by high traffic volumes, cannot analyze encrypted packets, and may miss attacks split across fragmented packets

Host-based IDPS (HIDPS) Key Features

  • Resides on a particular host and detects when key files are altered
  • Can detect attacks that bypass NIDPS
  • Can monitor encrypted traffic, isn't affected by switched networks, and detects local system-level attacks
  • Vulnerable to direct attacks, uses a lot of disk space, and performance overhead on the host system

IDPS Detection Methods

  • Signature-based detection examines network traffic for known attack patterns and requires signature database updates
  • Anomaly-based detection detects deviations from normal traffic patterns and can cause false positives
  • Stateful protocol analysis compares observed protocol activity with vendor-supplied profiles of how each protocol should behave, tracking the state of each session (it is the anomaly-based method that compares traffic with a baseline)
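Signature-based and anomaly-based detection run over the same input, followed by the alarm clustering described under IDPS terminology. This is an added example, not from the lesson: the access-log lines are constructed, the two signatures and the per-source request baseline are assumptions chosen for the sample, and a production IDPS ships thousands of signatures and learns its baseline over time.

```python
"""Added example (not from the lesson): signature detection, anomaly detection
and alarm clustering over constructed web-server log lines."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed access-log lines: "<src> <method> <path> <status>".
LOG = """\
198.51.100.7 GET /index.html 200
198.51.100.7 GET /login?user=admin'%20OR%201=1-- 200
203.0.113.5 GET /images/logo.png 200
198.51.100.7 GET /../../etc/passwd 404
198.51.100.7 GET /cgi-bin/test.cgi 404
203.0.113.5 GET /about.html 200
198.51.100.7 GET /admin 403
198.51.100.7 GET /wp-login.php 404
198.51.100.7 GET /phpmyadmin 404
""".splitlines()

# Assumed signature set: name -> regex over the request path.
SIGNATURES = {
    "sql-injection": re.compile(r"(%27|')(%20|\+|\s)*or(%20|\+|\s)*1\s*=\s*1|--", re.I),
    "path-traversal": re.compile(r"\.\./"),
}

# Assumed baseline: a normal client issues at most this many requests per window.
BASELINE_MAX_REQUESTS = 4


def parse(line: str) -> tuple[str, str, int]:
    src, _method, path, status = line.split(" ", 3)
    return src, path, int(status)


def signature_alerts(lines: list[str]) -> list[tuple[str, str]]:
    """Known attack patterns: returns (signature name, source) per hit."""
    alerts = []
    for line in lines:
        src, path, _ = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                alerts.append((name, src))
    return alerts


def anomaly_alerts(lines: list[str]) -> list[tuple[str, str]]:
    """Deviation from the baseline: too many requests, or mostly errors, per source."""
    per_src: Counter[str] = Counter()
    errors: Counter[str] = Counter()
    for line in lines:
        src, _, status = parse(line)
        per_src[src] += 1
        if status >= 400:
            errors[src] += 1
    alerts = []
    for src, n in per_src.items():
        if n > BASELINE_MAX_REQUESTS:
            alerts.append(("request-rate", src))
        if errors[src] > n / 2:
            alerts.append(("error-ratio", src))
    return alerts


def cluster(alerts: list[tuple[str, str]]) -> dict[str, dict[str, int]]:
    """Alarm clustering: one entry per source with a count per alert type,
    so nine log lines from one attacker become one alarm instead of four."""
    grouped: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for name, src in alerts:
        grouped[src][name] += 1
    return {src: dict(counts) for src, counts in grouped.items()}


if __name__ == "__main__":
    all_alerts = signature_alerts(LOG) + anomaly_alerts(LOG)
    for src, counts in cluster(all_alerts).items():
        print(src, counts)
```

The two methods fail in opposite directions, which is why they are combined: the signatures miss the `/admin`, `/wp-login.php` and `/phpmyadmin` probes entirely (no pattern matches a legitimate-looking path), while the error-ratio heuristic catches that scan but would equally flag a search-engine crawler following stale links, the false positive the lesson warns about for anomaly detection.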

Introduction to Cryptology

  • Cryptology is the science of encryption, includes cryptography and cryptanalysis
  • Cryptography involves encoding messages to secure communication
  • Cryptanalysis is the process of deciphering encrypted messages

Key Terminologies

  • Algorithm = Step-by-step procedure for encryption
  • Cipher = Method for encrypting/decrypting
  • Ciphertext = Encrypted message
  • Plaintext = Original readable message
  • Key = Variable for encrypting or decrypting data
  • Steganography = art of hiding messages

Cipher Methods

  • Bitstream Cipher encrypts one bit at a time
  • Block Cipher encrypts a fixed block of plaintext

Substitution Cipher

  • Monoalphabetic substitution replaces each plaintext letter with one fixed substitute letter, so letter frequencies survive into the ciphertext
  • Polyalphabetic substitution uses multiple substitution alphabets, as in the Vigenère cipher
  • The Vigenère cipher is a polyalphabetic cipher built from 26 cipher alphabets, one per shift
  • Transposition cipher rearranges the order of plaintext values to form ciphertext
  • XOR cipher compares each plaintext bit with the corresponding key bit: identical bits yield 0, differing bits yield 1
    • Not secure on its own, because a short, repeated key can be recovered from the ciphertext

Advanced Ciphers

  • Vernam cipher uses a one-time pad for encryption
    • Only as secure as the key
    • The key must be truly random, as long as the message, and never reused
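The Vigenère, XOR and Vernam ciphers above, with the failure mode the lesson warns about: reusing a pad. This is an added example, not from the lesson; the messages and keys are constructed, and the Vigenère routine assumes an alphabetic key and passes non-letters through unchanged.

```python
"""Added example (not from the lesson): Vigenere (polyalphabetic substitution),
XOR with a repeating key, and the one-time pad, plus the two-time-pad leak."""
from __future__ import annotations

import secrets

A = ord("A")


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter (26 cipher alphabets).
    Non-letters are passed through and do not consume a key letter."""
    out, k = [], 0
    for ch in text.upper():
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ord(key[k % len(key)].upper()) - A
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - A + shift) % 26 + A))
        k += 1
    return "".join(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR cipher: identical bits give 0, differing bits give 1.  A key shorter
    than the data repeats (insecure); a fresh random key as long as the data,
    used once, makes this the Vernam one-time pad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad_key(length: int) -> bytes:
    return secrets.token_bytes(length)   # cryptographically random, full length


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad is reused, c1 XOR c2 == p1 XOR p2: the key cancels out and the
    attacker learns the XOR of the two plaintexts without ever seeing the key."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    ct = vigenere("ATTACK AT DAWN", "LEMON")
    print(ct, "->", vigenere(ct, "LEMON", decrypt=True))

    p1, p2 = b"TRANSFER 100", b"TRANSFER 999"
    pad = one_time_pad_key(len(p1))
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    leak = two_time_pad_leak(c1, c2)
    # Knowing (or guessing) p1 now yields p2 directly, with no key involved.
    print(xor_bytes(leak, p1))
```

The last two lines are the "never reused" rule made concrete: each ciphertext on its own is perfectly secret, but as soon as the same pad protects two messages an attacker who knows one message (a predictable header is enough) recovers the other with a single XOR.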

Basic Ciphers

  • Book-based ciphers encrypt messages by using a book (or other shared text) as the key
  • Examples: running key cipher and template cipher

Hash Functions

  • Hash algorithms produce a fixed-size digest of a message used to confirm its integrity; they are commonly used in password verification and integrity checks (a plain hash does not prove who produced a message; that needs a keyed hash or a digital signature)
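The two uses of hash functions named above, integrity checking and password verification, done the way a practitioner would deploy them: a keyed hash (HMAC) so that someone who can alter a message cannot simply recompute its digest, and a salted, iterated hash for stored passwords. This is an added example, not from the lesson; the key, passwords and messages are constructed, and the PBKDF2 iteration count is an assumed work factor to be tuned per deployment.

```python
"""Added example (not from the lesson): plain digest vs HMAC for integrity,
and salted PBKDF2 for password storage, using only the standard library."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def digest(data: bytes) -> str:
    """Plain SHA-256: detects accidental corruption, but an attacker who can
    change the data can just as easily recompute this value."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: integrity plus authenticity for anyone holding the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)   # constant-time compare


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted, iterated hash; returns (salt, derived key) for storage.  The
    per-user salt defeats precomputed tables, the iterations slow down guessing."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    msg, tampered = b"amount=100", b"amount=900"
    print(digest(msg) == digest(tampered))         # False: the plain hash sees the change
    key = secrets.token_bytes(32)
    t = tag(key, msg)
    print(verify_tag(key, tampered, t))             # False: cannot re-tag without the key
    salt, dk = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, dk))   # True
    print(verify_password("Tr0ub4dor&3", salt, dk))                    # False
```

Storing the raw digest of a password, or checking it with `==`, are the two mistakes this guards against: the salt and iteration count make offline guessing expensive, and `hmac.compare_digest` keeps the comparison time independent of how many leading bytes match.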

Symmetric vs Asymmetric Encryption

  • Symmetric encryption uses one key for both encryption and decryption. Examples: DES, 3DES, and AES (DES and 3DES are obsolete; AES is the current standard)
  • Asymmetric encryption uses a public/private key pair. Example: the RSA algorithm

Cryptographic Tools and Key Management

  • Security tokens offer secure access and store cryptographic keys
  • Public-Key Infrastructure allows secure communication by using encryption certificates

Digital Signatures & Certificates

  • Digital signatures use asymmetric cryptography to verify a sender's identity and the integrity of a message: the sender signs with the private key and anyone can verify with the public key
  • Digital certificates bind a public key to an identity and carry information signed by a certificate authority (CA)

Hybrid Cryptography Systems

  • Hybrid systems combine both: asymmetric techniques (for example, Diffie-Hellman key exchange) establish a shared session key, and symmetric encryption protects the bulk data

Steganography

  • A process of hiding messages in digital media in order to avoid detection

Secure Communication Protocols

  • Secure communication over the Internet using public-key encryption
  • SSL (Secure Sockets Layer), superseded by TLS (Transport Layer Security)
  • S-HTTP encrypts individual HTTP messages; it is obsolete and has been replaced in practice by HTTPS (HTTP over TLS)

Security Protocols

  • S/MIME secures email through public-key encryption and signing
  • PGP (Pretty Good Privacy) encrypts and signs email and stored files

Protocols for securing Networks

  • WEP (Wired Equivalent Privacy): an early Wi-Fi security protocol, now broken and not to be used
  • WPA/WPA2: more secure successors to WEP

Secured Internet

  • Bluetooth security: protects data exchanged over short-range wireless links (roughly 30 feet)
  • IPsec: protects IP communication with authentication and encryption
  • SET (Secure Electronic Transactions): a protocol for protecting online credit-card transactions
