Risk Management Fundamentals_part1 PDF
Dar Al-Salam International University
Summary
This document is a comprehensive overview of risk management fundamentals related to business and IT infrastructures. It covers various aspects of risk, including threats, vulnerabilities and exploits.
Full Transcript
Contents

CHAPTER 1 Risk Management Fundamentals
CHAPTER 2 Managing Risk
CHAPTER 3 Developing a Risk Management Plan
CHAPTER 4
CHAPTER 5
CHAPTER 6 Identifying Assets to Be Protected
CHAPTER 7 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
CHAPTER 8 Identifying and Analyzing Risk Mitigation Security Controls
CHAPTER 9
CHAPTER 10
CHAPTER 11 Mitigating Risk with a Disaster Recovery Plan
CHAPTER 12 Mitigating Risk with a Computer Incident Response Team Plan

CHAPTER 1 Risk Management Fundamentals

What Is Risk?

Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability. Organizations of all sizes face risks. Some risks are so severe they cause a business to fail. Other risks are minor and can be accepted without another thought. Companies use risk management techniques to identify and differentiate severe risks from minor risks.

The common themes of these definitions are threat, vulnerability, and loss. Here's a short definition of each of these terms:
- Threat: A threat is any activity that represents a possible danger.
- Vulnerability: A vulnerability is a weakness.
- Loss: A loss results in a compromise to business functions or assets.

Risks to a business can result in a loss that negatively affects the business. A business commonly tries to limit its exposure to risks. The overall goal is to reduce the losses that can occur from risk. Business losses can be thought of in the following terms:
- Compromise of business functions
- Compromise of business assets
- Driver of business costs

What Are the Major Components of Risk to an IT Infrastructure?

Seven Domains of a Typical IT Infrastructure

User Domain: The User Domain includes people. They can be users, employees, contractors, or consultants. The old phrase that a chain is only as strong as its weakest link applies to IT security too. People are often the weakest link in IT security.

Workstation Domain: The workstation is the end user's computer.
The workstation is susceptible to malicious software, also known as malware. The workstation is vulnerable if it is not kept up to date with recent patches.

LAN Domain: The LAN Domain is the area that is inside the firewall. It can be a few systems connected together in a small home office network. It can also be a large network with thousands of computers. Each individual device on the network must be protected or all devices can be at risk.

LAN-to-WAN Domain: The LAN-to-WAN Domain connects the local area network to the wide area network (WAN). The LAN Domain is considered a trusted zone since it is controlled by a company. The WAN Domain is considered an untrusted zone because it is not controlled and is accessible by attackers.

Remote Access Domain: Mobile workers often need access to the private LAN when they are away from the company. Remote access is used to grant mobile workers this access. Remote access can be granted via direct dial-up connections or using a virtual private network (VPN) connection.

WAN Domain: For many businesses, the WAN is the Internet. However, a business can also lease semiprivate lines from private telecommunications companies. These lines are semiprivate because they are rarely leased and used by only a single company. Instead, they are shared with other unknown companies.

System/Application Domain: The System/Application Domain refers to servers that host server-level applications. Mail servers receive and send email for clients. Database servers host databases that are accessed by users, applications, or other servers. Domain Name System (DNS) servers resolve names to IP addresses for clients.

Threats, Vulnerabilities, and Impact

When a threat exploits a vulnerability it results in a loss. The impact identifies the severity of the loss. Threats are attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset.
The protection of confidentiality, integrity, and availability is a common set of security objectives for information systems.

A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical security, technical security, or operational security. Just as not all threats result in a loss, not all vulnerabilities result in a loss.

The loss can be expressed in monetary terms, such as $5,000. The value of hardware and software is often easy to determine. If a laptop is stolen, you can use the purchase value or the replacement value. However, some losses aren't easy to determine. If that same laptop held data, the value of the data is hard to estimate. Descriptive terms instead of monetary terms can be used to describe the impact. You can describe losses in relative terms such as high, medium, or low. As an example, NIST SP 800-30 suggests the following impact terms:

High impact: If a threat exploits the vulnerability it may:
- Result in the costly loss of major assets or resources
- Significantly violate, harm, or impede an organization's mission, reputation, or interest
- Or, result in human death or serious injury

Medium impact: If a threat exploits the vulnerability it may:
- Result in the costly loss of assets or resources
- Violate, harm, or impede an organization's mission, reputation, or interest
- Or, result in human injury

Low impact: If a threat exploits the vulnerability it may:
- Result in the loss of some assets or resources
- Or, noticeably affect an organization's mission, reputation, or interest

Risk Management and Its Importance to the Organization
- How Risk Affects an Organization's Survivability
- Reasonableness
- Balancing Risk and Cost
- Role-Based Perceptions of Risk

Risk Identification Techniques

Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability.
In order to identify risks, you'll need to take three steps:
1. Identify threats
2. Identify vulnerabilities
3. Estimate the likelihood of a threat exploiting a vulnerability

Identifying Threats

A threat is any circumstance or event with the potential to cause a loss. Said another way, it is any activity that represents a possible danger. The loss or danger is directly related to one of the following:
- Loss of confidentiality
- Loss of integrity
- Loss of availability

Threat Categories

Threats are often considered in the following categories:
- External or internal
- Natural or man-made
- Intentional or accidental

Some examples of threats to an organization include:
- An unauthorized employee trying to access data
- Any type of malware
- An attacker defacing a Web site
- Any DoS or DDoS attack
- An external attacker trying to access data
- Any loss of data
- Any loss of services
- A social engineer tricking an employee into revealing a secret
- Earthquakes, floods, or hurricanes
- A lightning strike
- Electrical, heating, or air conditioning outages
- Fires

Identifying Vulnerabilities

A vulnerability is a weakness. When a threat occurs, if there is a vulnerability the weakness becomes apparent. However, before threats occur, you'll have to dig a little to identify the weaknesses. Luckily, most organizations have many sources that can help you.
Sources for identifying vulnerabilities:
- Audits
- Certification and accreditation records
- System logs
- Prior events
- Trouble reports
- Incident response teams

Pairing Threats with Vulnerabilities

Risk = Threat × Vulnerability
Total Risk = Threat × Vulnerability × Asset Value

Risk Management Techniques

Avoidance
- Eliminating the source of the risk (for example, removing a wireless network)
- Eliminating the exposure of assets to the risk

Transfer
- Insurance
- Outsourcing the activity

Mitigation
- Alter the physical environment
- Change procedures
- Add fault tolerance
- Modify the technical environment
- Train employees

Acceptance

Cost-Benefit Analysis
- Cost of the control
- Projected benefits

Loss before control - loss after control = cost of control

Residual Risk

Risk = Threat × Vulnerability
Total Risk = Threat × Vulnerability × Asset Value
Residual Risk = Total Risk × Controls

CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits

Understanding and Managing Threats

The Uncontrollable Nature of Threat
- Threats can't be eliminated.
- Threats are always present.
- You can take action to reduce the potential for a threat to occur.
- You can take action to reduce the impact of a threat.
- You cannot affect the threat itself.

Unintentional Threats
- Environmental
- Human
- Accidents
- Failures

Managing Unintentional Threats
- Managing environmental threats
- Reducing human errors
- Preventing accidents
- Avoiding failures

Intentional Threats
- Greed
- Anger
- Desire to damage

Some of the more common attackers today are:
- Criminals
- Vandals
- Saboteurs
- Disgruntled employees
- Activists
- Other nations
- Hackers

Best Practices for Managing Threats within Your IT Infrastructure
- Create a security policy
- Insurance
- Use access controls
  - Principle of least privilege
  - Principle of need to know
- Use automation
- Include input validation
- Provide training
- Use antivirus software
- Protect the boundary

Understanding and Managing Vulnerabilities

Threat/Vulnerability Pairs

Vulnerabilities Can Be Mitigated
- Reducing the rate of occurrence
- Reducing the impact of the loss

Mitigation Techniques

Keep the following elements in mind:
- The value of the technique
- The initial cost of the technique
- Ongoing costs

The common mitigation techniques:
- Policies and procedures
- Documentation
- Training
- Separation of duties
- Configuration management
- Version control
- Patch management
- Intrusion detection system
- Incident response
- Continuous monitoring
- Technical controls
- Physical controls

Best Practices for Managing Vulnerabilities within Your IT Infrastructure
- Identify vulnerabilities
- Match the threat/vulnerability pairs
- Use as many of the mitigation techniques as feasible
- Perform vulnerability assessments

Understanding and Managing Exploits
- What Is an Exploit?
- How Do Perpetrators Initiate an Exploit?
- Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
- Mitigation Techniques
- Best Practices for Managing Exploits within Your IT Infrastructure

Best Practices for Managing Exploits within Your IT Infrastructure
- Harden servers
- Use configuration management
- Perform risk assessments
- Perform vulnerability assessments

CHAPTER 3 Developing a Risk Management Plan

Topics

This chapter covers the following topics and concepts:
- What the objectives of a risk management plan are
- What the scope of a risk management plan is
- How to assign responsibilities in a risk management plan
- How procedures and schedules are described in the risk management plan
- What the reporting requirements are
- What a plan of action and milestones is

Goals

When you complete this chapter, you will be able to:
- Describe the objectives of a risk management plan
- Describe the purpose of a plan's scope
- Identify the importance of assigning responsibilities
- Describe the purpose of the procedures list in a risk management plan
- List reporting requirements of a risk management plan
- Document findings of a risk management plan

Objectives of a Risk Management Plan

The objectives identify the goals of the project. These objectives outline what you should include in the plan. Some common objectives for a risk management plan are:
- A list of threats
- A list of vulnerabilities
- Costs associated with risks
- A list of recommendations to reduce the risks
- Costs associated with recommendations
- A cost-benefit analysis
- One or more reports

Objectives Example: Web Site

The Acme Widgets Web site has suffered outages. These outages have resulted in unacceptable losses. These losses could have been prevented by managing risks with the Web site. You can use the risk management plan to identify these risks. The objectives of the plan are to:

Identify threats: This means any threats that directly affect the Web site.
These may include:
- Attacks from the Internet
- Hardware or software failures
- Loss of Internet connectivity

Identify vulnerabilities: These are weaknesses and may include:
- Lack of protection from a firewall
- Lack of protection from an intrusion detection system
- Lack of antivirus software
- Lack of updates for the server
- Lack of updates for the antivirus software

Assign responsibilities: Assign responsibility to specific departments for collecting data. This data will be used to create recommendations. Later in the plan, you will assign responsibilities to departments to implement and track the plan.

Identify the costs of an outage: Include both direct and indirect costs. The direct costs are the lost sales during the outage. The amount of revenue lost if the server is down for 15 minutes or longer will come from sales data. Indirect costs include the loss of customer goodwill and the cost to recover the goodwill.

Provide recommendations: Include a list of recommendations to mitigate the risks. The recommendations may reduce the weaknesses. They may also reduce the impact of the threats. For example, you could address a hardware failure threat by recommending hardware redundancy. You could address a lack of updates by implementing an update plan.

Identify the costs of recommendations: Identify and list the cost of each recommendation.

Provide a cost-benefit analysis (CBA): Include a CBA for each recommendation. The CBA compares the cost of the recommendation against the benefit to the company of implementing the recommendation. You can express the benefit in terms of income gained or the cost of the outage reduced.

Document accepted recommendations: Management will choose which recommendations to implement. They can accept, defer, or modify recommendations. You can then document these choices in the plan.

Track implementation: Track the choices and their implementation.
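The Chapter 1 formulas (Risk, Total Risk, Residual Risk, and the cost-benefit comparison) applied to the Acme Widgets Web site objectives above, as an added worked example that is not part of the course slides. It assumes Threat is an annual likelihood, Vulnerability is a weight derived from the NIST SP 800-30 impact terms, Controls is the fraction of loss a control leaves in place, and every dollar figure and mapping is constructed for illustration.

```python
"""Slide formulas applied to the Acme Widgets Web site (added example, not course material).
Risk = Threat x Vulnerability; Total Risk = Risk x Asset Value; Residual Risk = Total Risk x Controls;
projected benefit = loss before control - loss after control, weighed against the control's cost.
Assumed readings: Threat = annual likelihood (0..1), Vulnerability = weight of the NIST SP 800-30
impact term, Controls = fraction of loss left after the control. All figures are constructed."""
from dataclasses import dataclass

IMPACT_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 1.0}  # assumed mapping of NIST impact terms
OUTAGE_THRESHOLD_MIN = 15  # the plan counts direct losses only for outages of 15 minutes or longer


def outage_loss(minutes: int, revenue_per_hour: float, goodwill_cost: float) -> float:
    """Asset value at risk for one outage: direct cost (lost sales) plus indirect cost (goodwill).
    Outages shorter than 15 minutes are not counted, matching the sales-data rule in the plan."""
    if minutes < OUTAGE_THRESHOLD_MIN:
        return 0.0
    return minutes / 60 * revenue_per_hour + goodwill_cost


@dataclass
class ThreatVulnPair:
    threat: str             # the cause
    vulnerability: str      # the criterion that lets the threat succeed
    likelihood: float       # Threat term: probability of occurrence per year
    impact: str             # NIST impact term, mapped to the Vulnerability term
    asset_value: float      # dollars lost if the threat succeeds once
    control: str            # the recommendation
    control_cost: float     # annual cost of the recommendation
    controls_factor: float  # Controls term: fraction of Total Risk remaining after the control

    def risk(self) -> float:
        return self.likelihood * IMPACT_WEIGHT[self.impact]
    def total_risk(self) -> float:  # expected loss before the control
        return self.risk() * self.asset_value
    def residual_risk(self) -> float:  # expected loss after the control
        return self.total_risk() * self.controls_factor
    def benefit(self) -> float:  # loss before control - loss after control
        return self.total_risk() - self.residual_risk()
    def cost_justified(self) -> bool:
        """CBA: the control is worth recommending only if its projected benefit exceeds its cost."""
        return self.benefit() > self.control_cost


def cba_report(pairs: list) -> list:
    """Rank pairs by Total Risk, highest first, with the CBA result for management to accept or defer."""
    return [{"threat": p.threat, "vulnerability": p.vulnerability, "control": p.control,
             "total_risk": round(p.total_risk(), 2), "residual_risk": round(p.residual_risk(), 2),
             "benefit": round(p.benefit(), 2), "cost_justified": p.cost_justified()}
            for p in sorted(pairs, key=lambda p: p.total_risk(), reverse=True)]


# Constructed sample: a two-hour outage at $2,000/hour in sales plus $5,000 to recover goodwill.
ACME_OUTAGE = outage_loss(120, 2000.0, 5000.0)  # 9000.0
ACME_PAIRS = [
    ThreatVulnPair("DoS attack from the Internet", "Unmanaged firewall", 0.6, "high", ACME_OUTAGE,
                   "Upgrade the firewall", 3000.0, 0.3),
    ThreatVulnPair("Hardware failure", "No hardware redundancy", 0.2, "medium", ACME_OUTAGE,
                   "Add a redundant server", 4000.0, 0.1),
    ThreatVulnPair("Malware", "Antivirus software not updated", 0.5, "medium", ACME_OUTAGE,
                   "Implement an update plan", 500.0, 0.2),
]

if __name__ == "__main__":
    for row in cba_report(ACME_PAIRS):
        print(row)
```

With these constructed figures the firewall upgrade and the update plan are cost-justified, while the redundant server (benefit $810 against a $4,000 cost) is a candidate for management to defer.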
Scope of a Risk Management Plan

In addition to the objectives, it's also important to identify the scope of a risk management plan. The scope identifies the boundaries of the plan. The boundaries could include the entire organization or a single system. Without defined boundaries, the plan can get out of control.

Scope Example: Web Site

The purpose of the risk management plan is to secure the Acme Widgets Web site. The scope of the plan includes:
- Security of the server hosting the Web site
- Security of the Web site itself
- Availability of the Web site
- Integrity of the Web site's data

Stakeholders for this project include:
- Vice president of sales
- IT support department head

Assigning Responsibilities

The risk management plan specifies responsibilities. This provides accountability. If you don't assign responsibilities, tasks can easily be missed. You can assign responsibilities to:
- Risk management PM
- Stakeholders
- Departments or department heads
- Executive officers such as the CIO or CFO

The PM is responsible for the overall success of the plan. Some of the common tasks of a PM are:
- Ensuring costs are controlled
- Ensuring quality is maintained
- Ensuring the project stays on schedule
- Ensuring the project stays within scope
- Tracking and managing all project issues
- Ensuring information is available to all stakeholders
- Raising issues and problems as they become known
- Ensuring others are aware of their responsibilities and deadlines

Individual responsibilities could be assigned for the following activities:

Risk identification: This includes threats and vulnerabilities. The resulting lists of potential risks can be extensive.

Risk assessment: This means identifying the likelihood and impact of each risk. A threat matrix is a common method used to assess risks.

Risk mitigation steps: These are steps that can reduce weaknesses. This can also include steps to reduce the impact of the risk.

Reporting: Report the documentation created by the plan to management.
The PM is often responsible for compiling reports.

Responsibilities Example: Web Site

The CFO will provide funding to the IT department to hire a security consultant. This security consultant will assist the IT department. The IT department is responsible for providing:
- A list of threats
- A list of vulnerabilities
- A list of recommended solutions
- Costs for each of the recommended solutions

The sales department is responsible for providing:
- Direct costs of any outage of 15 minutes or longer
- Indirect costs of any outage of 15 minutes or longer

The CFO will validate the data provided by the IT and sales departments. The CFO will then complete a cost-benefit analysis.

Describing Procedures and Schedules for Accomplishment

You create this part of the risk management plan after the project has started. You include a recommended solution for any threat or vulnerability, with a goal of mitigating the associated risk. While you can summarize a solution in a short phrase, the solution itself will often include multiple steps.

Procedures Example: Web Site

The Web site is vulnerable to denial of service (DoS) attacks from the Internet. This risk cannot be eliminated. However, several tasks can be completed to mitigate the risk:

Recommendation: Upgrade the firewall.

Justification: The current firewall is a basic router. It filters packets but does not provide any advanced firewall capabilities.

Procedures: The following steps can be used to upgrade to the new firewall:
1. Determine what traffic should be allowed.
2. Create a firewall policy.
3. Purchase a firewall.
4. Install the firewall.
5. Configure the firewall.
6. Test the firewall.
7. Implement the firewall.

Reporting Requirements

After you collect data on the risks and recommendations, you need to include it in a report. You will then present this report to management. The primary purpose of the report is to allow management to decide on what recommendations to use.
There are four major categories of reporting requirements. They are:

Present recommendations: These are the risk response recommendations.

Document management response to recommendations: Management can accept, modify, or defer any of the recommendations.

Document and track implementation of accepted recommendations: This becomes the actual risk response plan.

Plan of action and milestones (POAM): The POAM tracks the risk response actions.

Present Recommendations

You compile the collected data into a report. It will include the lists of threats, vulnerabilities, and recommendations. You then present this report to management. Management will use this data to decide what steps to take. It's important to remember the overall goal of the risk management plan at this stage. The goal is to identify the risks and recommend strategies to reduce them. Most of the risks won't be eliminated, but instead they will be reduced to an acceptable level.

For every risk identified, there will be an accompanying recommendation to reduce the risk. The report should include the following information:
- Findings
- Recommendation cost and time frame
- Cost-benefit analysis

Findings

The findings list the facts. Remember, losses from risks occur when a threat exposes a vulnerability. Risk management findings need to include threats, vulnerabilities, and potential losses. These are described as cause, criteria, and effect.

Cause: The cause is the threat. For example, an attacker may try to launch a DoS attack. In this case, the threat is the attacker. When you list the cause, it's important to identify the root cause. A successful attack is dependent on an attacker having access and the system being vulnerable. Risk management attempts to reduce the impact of the cause, or reduce the vulnerabilities.

Criteria: This identifies the criteria that will allow the threat to succeed. These are the vulnerabilities.
For example, a server will be susceptible to a DoS attack if the following criteria are met:

Inadequate manpower: If manpower isn't adequate to perform security steps, the site is vulnerable.

Unmanaged firewall: Each open port represents a vulnerability. If ports are not managed on a firewall, unwanted traffic can be allowed in.

No intrusion detection system (IDS): Depending on the type of IDS, it can not only detect intrusions but also respond to intrusions and change the environment.

Operating system not updated: Apply patches to the system as they are released and tested. If you don't apply updates, the system is vulnerable to new exploits.

Antivirus software not installed and updated: Antivirus software can detect malware. You should update it with definitions to ensure it will detect new malware.

Effect: The effect is often an outage of some type. For example, the effect on a Web site could be that the Web site is no longer reachable.