Chapter 22 - 01 - Understand Risk Management Concepts - 02_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Risk Management

Key Risk Indicators (KRI)
;EI
;:D A key risk indicator (KRI) is an important component of an effective risk management process
that shows the riskiness of an activity
:D
ZD Understanding the organizational goals is required to identify KRI
jl:l A KRI is a metric showing the risk appetite probability for an organization
jCI

Key Risk Indicators

Define risk for an
‘ objective

’ Identify the Possibility

Identifying the Notifying on Rochandt looking of Adverse Effect
Backward looking —
R.
adverse effect of an threshold levels of e
PR
end early warning
event the risk
the risk to identifyot
a potential
adverse event

Copyright © byby I EC Ccl. All Rights Reserved.
Reserved, Reproduction
ReproductionIs Strictly Prohibited

Key Risk Indicators (KRI)
KRIs are essential components of an effective risk management process, and indicate the
riskiness of an activity at an early stage. An understanding of organizational goals is required to
properly identify KRIs. It is a metric that can indicate the risk appetite probability of an
organization. KRIs are the most important indicators of an organization’s overall health, helping
reduce loss and prevent risk exposure. Risk exposure is prevented by measuring the risk profiles
and risk situations in advance before the risk event occurs.

Role of KRIs

=* Identify current risk exposure
|dentify and emerging risk trends in order to provide an early
warning and proactive action

* Event impact identification
=* Threshold level notifications
= Backward looking view on risk events, enabling learning lessons from the past events

= Highlight weaknesses of the existing controls and allow strengthening of poor controls
= Facilitate the risk-reporting and escalation process
=* Provide an indication that the risk appetite and tolerance are reached
= Provide real-time actionable intelligence to decision-makers and risk managers

Features of Effective KRIs
= Quantifiable Metrics: Should be measurable (number, count, or percentage)
*= Predictable: Should provide early warning signals

Module 22 Page 2341 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

= Comparable: Should be able to track over a period of time

= Informational: Should measure the status of the risk and control

KRIs should accurately measure and reflect any negative impact on an organization’s key
performance indicators (KPI). KPI is a metric that assesses the progress of an organization
toward its goals, and provides leading indicator information about emerging risks from external
events that impact the demand for an organization’s products or services. KRIs represent key
ratios that an organization tracks as indicators of evolving risks and potential opportunities, and
guide an organization’s responses. KRIs should be reported regularly; proper escalation
methods and plans enable timely reporting to the management. KRIs have different escalation
levels.

Management identifies the KRIs to execute its strategic initiatives by mapping risks. An effective
method for developing KRIs is to first identify risk events that could impact an organization’s
financial status, and then find the intermediate and root cause for the risk event. The indicator
assists management with responding to the risk event in advance.

Module 22 Page 2342 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

Types of Risks
Risks from Internal Sources Risks from Legacy Systems

z I Internal risks emerge within the organizational A legacy system with unpatched data and outdated
I I network during normal business operations, which security measures can allow attackers to gain access
can include accidental, technical, or physical asset to the middleware, applications, and databases that
failures or deliberate human actions are running on the compromised server platform

Risks from External Sources.. Multi-Party Risks
N... ——

1) These tema st may ncuce ntura bk o el bl
'\“". External risks arise from outside an organization... _—
R
(L_}J /’ These external threats may include natural @.srihn'msu::l::ec;furs‘ls‘f ::1: d:gigsi:fivi;:ggi"'ztz:'::san
“ disasters, man-made threats, and unexpected ¥;y; they v vY i
Py. " roviders used by organizations for particular services
issues such as fire outbreaks P Y oreorg bP

Intellectual Property Theft Software Compliance Risks
Organizations often encounter risks from various Software noncompliance risks may arise from
sources that include malicious entities in the illegitimate copying of the software, misuse of
environment, competitors, illegitimate copiers, and license, or failure to comprehend the newly
third parties granted/changed policy terms of the software

Copyright © by EC tll. All
cll. Al Rights
Rights Reserved, Reproduction
Reproduction is Strictly Prohibited
Prohibited.

Types of Risks
Risk is the likelihood of the occurrence of an event that can adversely impact the systems or
processes running in an organization. A risk is defined as a significant damage or loss due to
exposure to vulnerabilities or misuse of technology and technical assets. These risks can be
extended beyond the damage and destruction of data; they can cause significant loss in
business and damage the reputation. The types of risks may vary for each organization.

Various types of risks are discussed below:

Risks from Internal Sources

Internal risks emerge within the organizational network during normal business
operations, which can include accidental, technical, or physical asset failure or
deliberate human actions. They can be predicted in advance and mitigated by taking
necessary actions. However, it is difficult to identify these risks occasionally, especially
when they are caused by disgruntled employees; in such cases, it is mandatory to verify
whether aa risk is caused by malicious intention or accidental outbreak.
An employee of an organization can be responsible for the breach of confidential
organizational data, intentionally or unintentionally, depending on their internet usage.
This encourages external attackers to penetrate the target system and cause more
damage to the organizational data.
Risks from External Sources

External risks arise from outside an organization. These external threats may include
natural disasters, man-made threats, and unexpected issues such as fire outbreaks. A
malicious user or attacker who gains access to an organizational system or server by
exploiting the existing vulnerabilities or bugs can perform attacks such as malware

Module 22 Page 2343 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

injection from remote systems, manipulating the services, and stealing confidential
information to disrupt operations, which can eventually lead to loss of productivity.

Sometimes, attackers can also hide their presence on compromised systems for
numerous days. In such cases, it becomes difficult for authorized users or organizations
to identify their presence until the damage occurs.

= Intellectual Property Theft
Intellectual property theft is the process of stealing the idea of an organization or
individual by an entity and promoting it as their property. Intellectual property is a type
of property that is created by human intelligence and it is legally protected and owned
by an organization or individual. These properties include business secrets, authorized
signatures, copyrights, and patents. Organizations often face risks from various sources
including malicious entities in the environment, competitors, illegitimate copiers, and
third parties.

Intellectual property theft in a smaller organization or start-ups can cause significant
damage in terms of economy, business growth, and competitive withstand. To protect
businesses and assets in the long term, product owners must have proper knowledge
about the techniques implemented by intellectual property theft actors.

= Risks from Legacy Systems

A legacy system is a computing device or software running an outdated version. Because
they do not receive any patches or updates, they can cause potential harm to the
organizational network.

These systems can be incompatible with the upgraded technology, lack security support,
have high maintenance costs, and involve complicated modification and patching
techniques. However, some legacy systems are still in use for specific purposes.
Sometimes, installing critical updates on legacy systems may invite several risks because
they can break the system functionalities.

Although upgraded services and capabilities such as data integration and cloud
computing are widely deployed in the market, most of the small and moderate
businesses that use legacy systems do not have proper modern data disaster recovery,
backup, and other security-related services. Such organizations might face various risks
that can destroy their businesses.

A legacy system with unpatched data and outdated security measures can also enable
attackers to obtain access to the middleware, applications, and databases that run on
the compromised server platform.
= Multi-Party Risks

This type of risk can damage several organizations simultaneously. They are usually
caused by third-party providers that organizations rely on for particular services. If an
event occurs at the provider end, it can impact the organizational business or risk the
organizational data. To address these issues, multiparty computation or secure

Module 22 Page 2344 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Risk Management

multiparty computation can be employed, which is a cryptographic primitive that shares
the computational process over the network of several parties and maintains data
privacy by restricting one party to view the data related to other parties. It performs
joint analysis on the data of an individual without exposing their data to other
individuals.

= Software Compliance Risks
The word compliance in software defines a state of following the guidelines or
standards while developing or installing an application or software. Organizations are
provided with a publisher licensing contract or agreement when an application or
software is deployed at their end.

Software noncompliance risks may arise from the illegitimate copying of the software,
inadequate asset management systems, misuse of license, inefficient software audits,
failure to keep the contract record, over budgeting for server licensing, under budgeting
for client licenses, and failure to comprehend the newly granted/changed policy terms
of the software. Therefore, network administrators must be trained considering
appropriate terms and conditions to install specific applications or software along with
the legal risks associated with them.

The risks associated with software compliances are discussed below:
o Legal Risk: It represents non-compliance to the software license agreement and
inability to meet the corporate standard requirements.
o Operational Risk: It represents the inadequate and inappropriate usage of licenses
that leads to poor business decision-making.
o Financial Risk: It represents the over expenditure, inaccurate budgeting, and
undisclosed liabilities on software licenses.

Module 22 Page 2345 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.