Risk Management Fundamentals PDF
Document Details
Uploaded by ChivalrousConstellation
Ghana Communication Technology University
Summary
This document provides an overview of risk management fundamentals. It explains what risk is, how it affects businesses, and the risks involved within IT infrastructures. The different types of risks are discussed in depth, along with the need for risk management strategies.
Full Transcript
Risk Management Fundamentals

What Is Risk
Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability. Organizations of all sizes face risks. Some risks are so severe they cause a business to fail. Other risks are minor and can be accepted without another thought. The common themes of these definitions are threat, vulnerability, and loss:
- Threat: any activity that represents a possible danger.
- Vulnerability: a weakness.
- Loss: a compromise to the business.

Risks to a business can result in a loss that negatively affects the business. Business losses can be thought of in the following terms:
- Compromise of business functions
- Compromise of business assets
- Driver of business costs

Compromise of Business Functions
Business functions are the activities a business performs to sell products or services. If any of these functions are negatively affected, the business won't be able to sell as much. The business will earn less revenue, resulting in an overall loss. Here are a few examples of business functions and possible compromises:
- Salespeople regularly call or email customers. If the capabilities of either phones or email are reduced, sales are reduced.
- A Web site sells products on the Internet. If the Web site is attacked and fails, sales are lost.

Compromise of Business Assets
A business asset is anything that has measurable value to a company. If an asset has the potential of losing value, it is at risk. Assets can have both tangible and intangible values. The tangible value is the actual cost of the asset. The intangible value is value that cannot be measured by cost, such as client confidence.

Driver of Business Costs
Risk is also a driver of business costs. Once risks are identified, steps can be taken to reduce or manage the risk. Risks are often managed by implementing countermeasures or controls. The costs of managing risk need to be considered in total business costs. For example, antivirus software purchased for a company is a cost that reduces profit.

What Are the Major Components of Risk to an IT Infrastructure?
One method is to examine the seven domains of a typical IT infrastructure. Risks can be examined within each domain separately. When examining risks for any domain, you'll look at threats, vulnerabilities, and impact.

Seven Domains of a Typical IT Infrastructure
There are a lot of similarities between different IT organizations. For example, any IT organization will have users and computers. Figure 1-1 below shows the seven domains of a typical IT infrastructure. When considering risk management, you can examine each of these domains separately. Each domain represents a possible target for an attacker. An attacker only needs to be able to exploit vulnerabilities in one domain.
- User Domain: the User Domain includes people. They can be users, employees, contractors, or consultants. People are often the weakest link in IT security.
- Workstation Domain: the workstation is the end user's computer. The workstation is susceptible to malicious software, also known as malware. The workstation is vulnerable if it is not kept up to date with recent patches.
- LAN Domain: the LAN Domain is the area that is inside the firewall. It can be a few systems connected together in a small home office network. It can also be a large network with thousands of computers. Each individual device on the network must be protected or all devices can be at risk.
- LAN-to-WAN Domain: the LAN-to-WAN Domain connects the local area network to the wide area network (WAN). The LAN Domain is considered a trusted zone since it is controlled by a company. The WAN Domain is considered an untrusted zone because it is not controlled and is accessible by attackers. The area between the trusted and untrusted zones is protected with one or more firewalls.
- Remote Access Domain: mobile workers often need access to the private LAN when they are away from the company. Remote access is used to grant mobile workers this access. Remote access can be granted via direct dialup connections or using a virtual private network (VPN) connection.
- WAN Domain: for many businesses, the WAN is the Internet. The Internet is an untrusted zone. Any host on the Internet with a public IP address is at significant risk of attack. A significant amount of security is required to keep hosts in the WAN Domain safe.
- System/Application Domain: the System/Application Domain refers to servers that host server-level applications. Mail servers receive and send email for clients. Database servers host databases that are accessed by users, applications, or other servers. Domain Name System (DNS) servers resolve names to IP addresses for clients.

Threats, Vulnerabilities, and Impact
When a threat exploits a vulnerability, it results in a loss. The impact identifies the severity of the loss. A threat is any circumstance or event with the potential to cause a loss. You can also think of a threat as any activity that represents a possible danger. Threats are always present and cannot be eliminated, but they may be controlled. Threats are attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset. The protection of confidentiality, integrity, and availability are common security objectives for information systems. Confidentiality, integrity, and availability are often referred to as the security triad.

Risk Management and Its Importance to the Organization
Risk management is the practice of identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are key drivers of risk. Identifying the threats and vulnerabilities that are relevant to the organization is an important step. You can then take action to reduce potential losses from these risks. Risk management attempts to identify the risks that can be minimized and implement controls to do so. Risk management includes several elements:
a. Risk assessment
b. Identification of risks to manage
c. Selection of controls
d. Implementation and testing of controls
e. Evaluation of controls

To identify risks, one needs to take three steps:
- Identify threats
- Identify vulnerabilities
- Estimate the likelihood of a threat exploiting a vulnerability

Risk Management Techniques
The ultimate goal of risk management is to protect the organization. It helps ensure a business can continue to operate and earn a profit. Risk management includes several steps:
- Identifying risks
- Assessing risks
- Determining which risks will be handled and which risks will be accepted
- Taking steps to reduce risk to an acceptable level

When deciding how to handle a risk, you can choose to avoid, transfer, mitigate, or accept the risk. Perform a cost-benefit analysis (CBA) to help determine which controls or countermeasures to implement. If the benefits outweigh the costs, the control is often selected. Residual risk is the risk that remains after you apply controls. It's not feasible to eliminate all risks. Instead, you take steps to reduce the risk to an acceptable level. The risk that's left is residual risk.

Summary
Risks occur when threats exploit vulnerabilities, resulting in a loss. The loss can compromise business functions and business assets. Losses also drive business costs. Risk management helps a company identify risks that need to be reduced. The first steps in risk management are to identify threats and vulnerabilities. These can then be paired to help determine the severity of the risk. You can manage risks by choosing one of four techniques: a risk can be avoided, transferred, mitigated, or accepted. The primary risk management technique is risk mitigation. Risk mitigation is also known as risk reduction or risk treatment. Vulnerabilities are reduced by implementing controls.

Managing Risk: Threats, Vulnerabilities, and Exploits

Understanding and Managing Threats
Threats are a part of the equation that creates risk: Threat x Vulnerability = Risk. This section includes the following three topics:
- The uncontrollable nature of threats
- Unintentional threats
- Intentional threats

The Uncontrollable Nature of Threats
A few basic facts about threats:
- Threats can't be eliminated.
- Threats are always present.
- You can take action to reduce the potential for a threat to occur.
- You can take action to reduce the impact of a threat.
- You cannot affect the threat itself.

Unintentional Threats
Unintentional threats are threats that don't have a perpetrator. They don't occur because someone is specifically trying to attack. Natural events and disasters, human errors, and simple accidents are all considered unintentional. There are four primary categories of unintentional threats: environmental, human, accidents, and failures. Although these threats are unintentional, you can address them with a risk management plan. Here are some common methods:
- Managing environmental threats: you can purchase insurance to reduce the impact of many environmental threats
- Reducing human errors
- Preventing accidents
- Avoiding failures

Intentional Threats
Intentional threats are acts that are hostile to the organization. One or more perpetrators are involved in carrying out the threat. Perpetrators are generally motivated by one of the following:
- Greed
- Anger
- Desire to damage

Best Practices for Managing Threats Within Your IT Infrastructure
There are many steps you can take to manage threats within your IT infrastructure. The following list represents steps that many IT security professionals consider best practices:
- Create a security policy
- Purchase insurance
- Use access controls
- Use automation
- Provide training
- Use antivirus software
- Protect the boundary

Understanding and Managing Vulnerabilities
A vulnerability can be a weakness in an asset or the environment. You can also consider a weakness as a flaw in any system or any business process. This section presents the following three topics:
- Threat/vulnerability pairs
- Vulnerabilities can be mitigated
- Mitigation techniques

Threat/Vulnerability Pairs
A threat/vulnerability pair occurs when a threat exploits a vulnerability.

Vulnerabilities Can Be Mitigated
Controls can mitigate or reduce vulnerabilities, which reduces potential risk. The risk reduction comes from one of the following:
- Reducing the rate of occurrence
- Reducing the impact of the loss

Mitigation Techniques
There are a variety of mitigation techniques in any enterprise. As you explore the techniques in this section, keep the following elements in mind:
- The value of the technique
- The initial cost of the technique
- Ongoing costs

Understanding and Managing Exploits
Losses occur when threats exploit vulnerabilities. If you want to reduce losses due to risks, you'll need to have a good understanding of what exploits are and how to manage them. An exploit is the act of exploiting a vulnerability. It does so by executing a command or program against an IT system to take advantage of a weakness.
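The procedure the notes describe (identify threats and vulnerabilities per domain, pair them, estimate likelihood and impact, pick one of the four handling techniques, run a cost-benefit analysis on candidate controls, and record the residual risk) can be carried through end to end in a small risk register. The following Python is an added worked example written for this page, not code from the course notes; every threat, vulnerability, control, cost figure, 1-to-5 scale and decision threshold in it is a constructed assumption. It serves both the risk management techniques section and the threats/vulnerabilities/mitigation techniques sections: threats carry the notes' unintentional categories or intentional motivations, pairs are formed only within a domain, and each control is scored on the three elements the notes list (value, initial cost, ongoing cost) and marked as reducing either the rate of occurrence or the impact of the loss.

```python
from dataclasses import dataclass
from itertools import product

# Added example, not from the course notes. All names, figures, scales and
# thresholds below are constructed assumptions for illustration.

UNINTENTIONAL = {"environmental", "human", "accident", "failure"}  # the four categories
INTENTIONAL = {"greed", "anger", "desire to damage"}               # perpetrator motivations


@dataclass(frozen=True)
class Threat:
    name: str
    domain: str       # one of the seven IT infrastructure domains
    category: str     # an UNINTENTIONAL category or an INTENTIONAL motivation
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale

    def is_intentional(self) -> bool:
        if self.category in INTENTIONAL:
            return True
        if self.category in UNINTENTIONAL:
            return False
        raise ValueError(f"unknown threat category: {self.category}")


@dataclass(frozen=True)
class Vulnerability:
    name: str
    domain: str
    impact: int       # 1 (negligible) .. 5 (business fails) if exploited, assumed scale


@dataclass(frozen=True)
class Control:
    name: str
    value: float          # expected loss avoided per year (the benefit)
    initial_cost: float
    ongoing_cost: float   # per year
    reduces: str          # "occurrence" (lowers likelihood) or "impact" (lowers impact)
    after: int            # the reduced likelihood or impact once the control is in place


def pair_threats(threats, vulns):
    """A threat/vulnerability pair is formed only where both sit in the same domain."""
    return [(t, v) for t, v in product(threats, vulns) if t.domain == v.domain]


def risk_score(threat, vuln) -> int:
    """Risk estimated as likelihood x impact, on an assumed 1..25 scale."""
    return threat.likelihood * vuln.impact


def net_benefit(control, years) -> float:
    """Cost-benefit analysis over a planning horizon: benefit minus all costs."""
    return control.value * years - (control.initial_cost + control.ongoing_cost * years)


def choose_technique(score, accept_at=4, avoid_at=20, transfer=False) -> str:
    """Map a score onto accept / avoid / transfer / mitigate (thresholds assumed)."""
    if score <= accept_at:
        return "accept"
    if score >= avoid_at:
        return "avoid"
    return "transfer" if transfer else "mitigate"


def residual(threat, vuln, control) -> int:
    """Risk left after the control: it lowers either the likelihood or the impact."""
    if control.reduces == "occurrence":
        return control.after * vuln.impact
    return threat.likelihood * control.after


def plan(threats, vulns, controls, transferable=(), years=3):
    """One register entry per threat/vulnerability pair, highest risk first."""
    entries = []
    for t, v in pair_threats(threats, vulns):
        score = risk_score(t, v)
        entry = {"threat": t.name, "vulnerability": v.name, "domain": t.domain,
                 "intentional": t.is_intentional(), "score": score,
                 "technique": choose_technique(score, transfer=t.name in transferable),
                 "control": None, "residual": score}
        if entry["technique"] == "mitigate":
            # Select the control with the best positive net benefit, if there is one.
            good = [c for c in controls.get(v.name, []) if net_benefit(c, years) > 0]
            if good:
                best = max(good, key=lambda c: net_benefit(c, years))
                entry["control"] = best.name
                entry["residual"] = residual(t, v, best)
        entries.append(entry)
    return sorted(entries, key=lambda e: e["score"], reverse=True)


# Constructed sample register.
THREATS = [
    Threat("malware", "Workstation", "greed", 4),
    Threat("phishing email", "User", "greed", 4),
    Threat("flood", "System/Application", "environmental", 2),
    Threat("DDoS against the public Web site", "WAN", "desire to damage", 2),
    Threat("printer misconfiguration", "LAN", "human", 2),
]
VULNS = [
    Vulnerability("missing patches", "Workstation", 3),
    Vulnerability("untrained users", "User", 4),
    Vulnerability("server room at ground level", "System/Application", 5),
    Vulnerability("single public host", "WAN", 5),
    Vulnerability("default settings", "LAN", 1),
]
CONTROLS = {
    "missing patches": [
        Control("antivirus software", 6000, 2000, 3000, "occurrence", 2),
        Control("automated patch management", 9000, 10000, 1000, "occurrence", 1),
    ],
    "untrained users": [Control("security awareness training", 4000, 5000, 4000, "occurrence", 2)],
    "server room at ground level": [Control("flood insurance", 6000, 0, 5000, "impact", 2)],
}

if __name__ == "__main__":
    for e in plan(THREATS, VULNS, CONTROLS, transferable={"DDoS against the public Web site"}):
        print(f"{e['score']:>2} {e['technique']:<8} {e['domain']:<18} {e['threat']} / "
              f"{e['vulnerability']} -> control={e['control']}, residual={e['residual']}")
```

Running it ranks the phishing pair first (score 16) but leaves it unmitigated, because the only candidate control costs more over three years than it is expected to save; the malware pair takes automated patch management (the larger net benefit of two worthwhile controls) and drops to a residual score of 3, and the flood pair is handled by insurance, which lowers impact rather than likelihood. Pairing by domain alone is deliberately crude: a real register would also check that the threat can actually exploit the vulnerability.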