Security Risk Analysis Overview

Questions and Answers

Which of the following questions are central to defining security requirements?

  • What emerging technologies should we adopt?
  • What assets do we need to protect? (correct)
  • How can we reduce employee benefits costs?
  • How can we maximize our profits?

What is the primary goal of information security management?

  • Minimizing operational costs
  • Increasing employee satisfaction
  • Answering questions related to securing assets. (correct)
  • Complying with marketing regulations

Why is it generally impractical to examine every asset against every potential risk during a security risk analysis?

  • It can be prohibitively resource-intensive. (correct)
  • There are not a lot of assets in an organization.
  • It's too easy to perform the analysis.
  • It is a waste of money.

When choosing a security risk analysis approach, what should be the primary consideration?

Answer: The approach that aligns with the organization's available resources and risk profile. (D)

What characterizes a 'baseline approach' to security?

Answer: It relies on industry best practices and readily available checklists. (A)

What is a key limitation of the baseline approach to security?

Answer: It may not provide sufficient protection for organization-specific threats. (C)

What is a principal benefit of an informal approach to risk analysis?

Answer: Its speed and cost-effectiveness. (A)

What is a primary disadvantage of relying on an informal risk analysis?

Answer: Some risks may be incorrectly assessed due to analyst bias or lack of knowledge. (C)

For what type of organization is a detailed risk analysis most appropriate?

Answer: Large organizations where IT systems are critical to business objectives. (B)

Which of the following best describes why a detailed risk analysis can be costly and slow?

Answer: It involves a structured process, identifying risk likelihood and consequences. (C)

What is a key advantage of a combined approach to risk analysis?

Answer: It leverages the strengths of other approaches and allows for iterative assessment. (D)

What is a potential drawback of the combined approach?

Answer: It may overlook some risks early in the process. (B)

In the context of risk analysis, what is a 'threat'?

Answer: A potential cause of an unwanted incident. (C)

In the context of risk analysis, which statement best describes a vulnerability?

Answer: A weakness that can be exploited by a threat. (B)

What is the main goal of identifying the 'context' in a risk management case study?

Answer: To understand the organization's background, objectives, and environment for effective risk assessment. (A)

Why is it important to understand the technology and systems infrastructure of an organization when conducting a risk assessment?

Answer: To identify potential vulnerabilities related to outdated or unsupported systems. (B)

What does the term 'assets' refer to in the context of risk management?

Answer: Anything that has value to the organization and needs to be protected. (B)

What is the purpose of 'mapping the data flow' when identifying assets for a case study?

Answer: Identifying systems and processes that handle sensitive data. (D)

What is the main objective of 'identifying external threats' in information security?

Answer: Understanding potential threats from external sources. (B)

Prioritizing threats involves considering what two key factors?

Answer: Potential impact and likelihood of occurrence. (A)

Why is it important to 'conduct a vulnerability assessment'?

Answer: To identify weaknesses in hardware, software, and network infrastructure. (A)

What is the purpose of 'reviewing access controls' when identifying vulnerabilities?

Answer: To identify potential weaknesses related to unauthorized access. (B)

What is the expanded definition of a 'Minor' consequence in the context of assessing impact?

Answer: Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. (A)

What does the description 'Might occur at some time, but just as likely as not' refer to when assessing the impact?

Answer: Possible (D)

What is the level of risk for a Rare Likelihood and Moderate Consequence?

Answer: Medium (C)

What type of action does 'Monitor the effectiveness' refer to?

Answer: Assessments, vulnerability scans, and penetration testing (A)

What should you do if a threat has a HIGH risk according to the image on the slides?

Answer: Avoid (B)

Which of the following best describes risk acceptance as a mitigation strategy?

Answer: Accepting the risk because the cost of treatment is excessive. (B)

What is the purpose of implementing technical controls?

Answer: Reduce the risk of unauthorized access, data breaches, and other cybersecurity incidents. (D)

What is the primary focus of employee training and awareness programs in mitigating cybersecurity risks?

Answer: Reducing risks from human error, social engineering attacks, and insider threats (A)

What is the focus of a vulnerability management program?

Answer: Identifying, assessing, and remediating vulnerabilities. (C)

What is the main goal of regular security assessments, vulnerability scans, and penetration testing?

Answer: Monitoring the effectiveness of implemented mitigation strategies. (D)

DeBeers mining company decided to use which approach?

Answer: Combined approach (B)

In the DeBeers mining company case study, what categorization of software apps does it employ?

Answer: Both common and specific (D)

What does SCADA mean?

Answer: Software applications for controlling industrial processes. (C)

Attacks and errors affecting the financial system are classified as which type of threat?

Answer: System threat (C)

According to the risk register, which one has a risk priority of 1?

Answer: Reliability and integrity of the SCADA nodes and network (A)

Flashcards

Risk Management

The process of identifying potential risks, assessing their impact, and developing strategies to manage them.

Security Risk Analysis

A critical component of the risk management process, used to determine possible vulnerabilities and to avoid wasting money on the wrong controls.

Baseline Approach

An approach to security risk that uses industry best practices and is easy and cheap to implement.

Informal Approach

An approach to security risk analysis that draws on the knowledge and expertise of the analyst; quick and cheap.

Detailed Risk Analysis

A security risk analysis alternative that uses a formal, structured process; it is costly and slow, and requires expert analysts.

Combined Approach

An approach that combines elements of other approaches into a risk analysis.

Asset

Anything that has value to the organization.

Threat

A potential cause of an unwanted incident that may result in harm to a system or organization.

Vulnerability

A weakness in an asset or group of assets which can be exploited by a threat.

Assets

Anything that has value to the organization and needs to be protected.

Identify threats

A potential event that can harm an asset.

Identify vulnerabilities

Weaknesses that can be exploited.

Assess the impact

Quantify the potential damage of a security incident.

Prioritize the risks

Assign priorities so that the most serious risks are addressed first.

Risk transfer

Buy insurance.

Technical controls

Implement technical controls such as firewalls and antivirus software.

Employee training/awareness

Train employees on information security best practices, policies, and procedures.

Data backup and recovery

Implement a data backup and recovery plan to protect data in the event of an incident.

Vulnerability management

Implement a vulnerability management program to identify, assess, and remediate vulnerabilities.

Third party risk management

Implement third-party risk management policies for vendors and suppliers.

Business continuity and disaster recovery

Develop and implement a business continuity and disaster recovery plan to ensure that the organization can continue to operate securely.

Implement and monitor

Implement the mitigation strategies and monitor them so that risks are effectively mitigated.

Monitor the effectiveness

Monitor the effectiveness and help identify any weaknesses or gaps in the security controls.

Review and update

Regularly review and update the security policies and procedures.

Train employees

Train employees on their role in the organization's security posture.

Incident response

Periodically test the incident response plan to ensure it limits the impact of security incidents.

Assess third-party vendors

Conduct regular assessments of third-party vendors and suppliers to ensure security.

SCADA

Gathering of data in real time from remote locations in order to control equipment.

Study Notes

Overview of Risk Management

  • Security requirements involve determining what assets need protection, how these assets are threatened, and how to counter those threats.
  • Information security management is about determining security objectives and risk profiles, performing security risk assessments, and selecting/monitoring controls.

Security Risk Analysis

  • Security risk analysis is a critical component in determining possible vulnerabilities and preventing wasted money.
  • It's impractical to examine every asset vs. risk individually, so choose alternatives based on organizational resources and risk profile.
  • Different approaches to security risk analysis include baseline, informal, formal, and combined methods.

Baseline Approach

  • The use of "industry best practice" is an example of the baseline approach to security risk analysis.
  • The simplicity and replicability of this method allow for easy, cheap risk analysis.
  • May not give specific consideration to the organization being analyzed, so may provide too much or too little security.
  • Safeguards are implemented against common threats.
  • Baseline recommendations are available from various bodies.
  • This approach is best suited for small organizations.

Informal Approach

  • Informal risk analysis involves applying individual knowledge and pragmatic analysis of organizations' information systems.
  • It is fairly quick and cheap, and addresses some organization-specific issues.
  • Risks can be incorrectly assessed, and analyses are skewed by individual analyst views.
  • The informal approach is suitable for small to medium-sized organizations.

Detailed Risk Analysis

  • A detailed risk analysis is a comprehensive alternative using a formal structured process.
  • It involves numerous stages, and can identify likelihood of risk & subsequent consequences.
  • Can offer confident, appropriate controls.
  • Detailed risk analysis is costly and slow, and requires expert analysts.
  • It may be a legal requirement for large organizations.
  • This is suitable for organizations where IT systems are critical to their business objectives.

Combined Approach

  • The combined approach combines elements of other risk analysis approaches.
  • It involves an initial baseline on all systems, followed by informal analysis to identify critical risks.
  • A formal assessment is then executed on these systems, and iterated/extended over time.
  • The combined approach can lead to better use of time and money resources.
  • It provides better security earlier that evolves, but may miss some risks early on.
  • The combined approach is the recommended alternative for most organizations.

Risk Analysis Process

  • Risk analysis process key terms:
    • Asset: Anything that has value to the organization.
    • Threat: Potential cause of an unwanted incident that may harm a system or organization.
    • Vulnerability: Weakness in an asset or group of assets that can be exploited by a threat.
    • Risk: Potential that a given threat will exploit vulnerabilities of an asset to cause loss/damage.
  • The risk analysis process involves understanding the context, identifying assets/threats/vulnerabilities, prioritizing risks, developing mitigation strategies, and implementing and monitoring.

Understand the Context

  • Understanding the context of a case study is what allows risks, threats, and vulnerabilities to be identified effectively.
  • The context is background information about the organization, its business objectives, industry, and the technologies & systems involved.
  • Aspects of the context include the economic, technological, business, legal, social, and political environments.
  • When considering a healthcare organization, it is critical to understand:
    • what types of patient data they store.
    • compliance requirements.
    • technology and systems infrastructure.
    • potential threats and vulnerabilities: insider threats, such as data breaches caused by negligent employees, carry a higher risk if the organization has poor employee training on data security practices.

Identify Assets

  • Critical assets of the organization, such as customer data, intellectual property, and sensitive information, need protection.
  • An 'asset' is anything that the organization values.
  • The steps to identify assets are:
    • Review the case study to identify the critical components of the organization's operations: data, facilities, and intellectual property.
    • Categorize the assets based on their financial, reputational, and operational value.
    • Identify sensitive data, such as customer information, intellectual property, and financial records.
    • Map the flow of data throughout the organization to identify the systems and processes that handle sensitive data.
    • Identify critical systems, such as payment processing systems or manufacturing equipment.
    • Prioritize the identified assets based on their criticality to the organization's operations and the potential impact of a security incident.

Identify Threats

  • Potential threats can harm the organization's assets, such as natural disasters, cyber attacks, insider threats, or physical attacks.
  • Steps to identify threats are:
    • Identification of external threats that the organization may face: cyber-attacks, hacking attempts, malware, or phishing.
    • Identify internal threats that may arise from employees or contractors with authorized access to organizational systems: theft or fraud.
    • Identify physical threats that can impact organizational assets: vandalism, natural disasters, or power outages.
    • Threats should be prioritized based on their potential impact and likelihood of occurrence.

Identify Vulnerabilities

  • Vulnerabilities that could be exploited such as weak passwords, outdated software, unsecured networks, or lack of employee training should be identified.
  • Steps to identify vulnerabilities are:
    • Conduct a vulnerability assessment using scanning tools or manual testing.
    • Identify any configuration weaknesses in the organization's information systems.
    • Review the organization's access controls to identify weaknesses related to unauthorized access.
    • Prioritize the identified vulnerabilities based on their potential impact and likelihood of exploitation.

Assess the Impact

  • Impact is assessed by rating the consequence and the likelihood of a risk.
  • Consequence:
    • Insignificant: Result of a minor security breach lasting less than several days.
    • Minor: Security breach lasting less than a week, dealt with at project level without management intervention.
    • Moderate: Limited systemic breaches lasting up to 2 weeks; requires management intervention.
    • Major: Ongoing systemic security breaches lasting 4-8 weeks; requires intervention, and outcomes are at risk.
    • Catastrophic: Security breach lasting more than 3 months. Substantial public or political debate expected.
    • Doomsday: Impacts cannot be determined; senior management may be required to make significant changes.
  • Likelihood:
    • Rare: May occur only in exceptional circumstances. Deemed "unlikely".
    • Unlikely: Could occur at some time but not expected.
    • Possible: Might occur at some time; difficult to control its occurrence due to external influences.
    • Likely: Will probably occur in some circumstances, and one should not be surprised if it occurred.
    • Almost Certain: Is expected to occur in most circumstances, and certainly sooner or later.

Steps To Assess Impact

  • Identify the potential impact of the risk on the organization's operations, compliance requirements, reputation, and financials.
  • Quantify the impact using risk scoring, financial impact analysis, and business impact analysis.
  • The risk can be prioritized based on vulnerability.
  • Periodically review the identified potential impact.

Prioritize Risks

  • Risks are prioritized based on their potential impact and the likelihood of occurrence.
  • Steps in prioritizing risks in a case study:
    • Evaluate the likelihood and impact of each risk.
    • Assign risk scores.
    • Prioritize the risks.

Develop Mitigation Strategies

  • Mitigations by risk technique:
    • Risk acceptance: Accept the risk because treating it is not justified, for example because the cost of treatment is excessive.
    • Risk avoidance: Avoid the activity that causes the risk.
    • Risk transfer: Outsource the activity or buy insurance.
    • Reduce its consequence: Modify the use of an asset to reduce the risk's impact (e.g. off-site backups).
    • Reduce likelihood: Implement suitable controls.

Other Mitigation Strategies

  • Implement employee training and awareness, data backup and recovery, and technical controls.
  • Additional controls should include a vulnerability management program, third-party risk management, and business continuity and disaster recovery.
  • Implement and monitor: the mitigation strategies are implemented and regularly monitored so that the organization's risks are effectively mitigated:
    • Develop a plan.
    • Implement mitigation strategies.
    • Monitor the implemented mitigation strategies.
    • Train employees.
    • Review and update.
    • Conduct regular tests.

Case Study: Silver Star Mines

  • Background:
    • DeBeers mining company.
    • There is a large IT infrastructure.
    • Software is both common and specific, some of which relates to health and safety.
  • All previously isolated systems are now networked, and management has decided on a combined approach.
  • The mining industry is less risky as a whole, and management accepts low/moderate risk.

SCADA

  • SCADA (supervisory control and data acquisition) is a category of software applications for controlling industrial processes, which is the gathering of data in real time from remote locations in order to control equipment and conditions.
  • Assets include the system’s integrity, networks and availability of its financial and procurement systems.

Threats and Vulnerabilities

  • The threats and vulnerabilities include errors in, or attacks on, the control and maintenance systems that may in turn affect the financial systems involved.

Risk Register for Silver Star Mines

  • The risk register includes:
    • Reliability and integrity of the SCADA nodes and network.
    • Integrity of stored file and database information.
    • Availability and integrity of the financial system.
    • Availability and integrity of the procurement system.
    • Availability and integrity of the maintenance/production system.
    • Availability, integrity, and confidentiality of mail services.
  • Based on the threat and vulnerability factors, the risk of each register item is assessed.

Summary of Risk Assessment

  • The need to perform a detailed risk assessment is part of the information security management process.
  • Security standards are relevant to identifying threats and vulnerabilities.
  • Risk mitigation strategies and detailed risk assessment processes should involve:
    • Establishing the context, including asset identification.
    • Identification of threats, vulnerabilities, and the resulting risks.
    • Analysis and evaluation.
