IAS-102-unit-1-Security-Risk-Management.pdf

Full Transcript

IAS 102

UNIT 1
SECURITY & RISK MANAGEMENT
 Objectives
After the discussion the students will able to:
Identify the elements of CIA
Understand the Security Governance Principles
Distinguish the Control Frameworks
Analyze Control Frameworks
Determine the due care vs due diligence
Know the CISSP for legal & investigation Regulatory Compliance
Aware about Information Security Legal Issues and security policies, standards, procedures & Guidelines
Determine the security personnel, vendor, consultant and contractor security.
Understand the Risk Management Concepts
 WHAT IS SECURITY AND RISK
MANAGEMENT?
Security and risk management involve identifying,
assessing, and controlling risks to an organization’s
capital, earnings, and critical assets. These risks can
arise from various sources, including financial
uncertainty, legal liabilities, strategic management
errors, accidents, and natural disasters.
Specifically, cyber risk management focuses on
information systems, aiming to reduce the impact and
likelihood of threats such as cyberattacks, employee
mistakes, and natural disasters. It’s an essential part
of broader enterprise risk management efforts,
allowing companies to safeguard their profits, data,
and reputation
 WHAT IS CIA TRIAD?
The CIA Triad or Confidentiality,
Integrity, and Availability is a guiding
model in information security. A
comprehensive information security
strategy includes policies and
security controls that minimize
threats to these three crucial
components.
 WHAT IS CIA TRIAD?
Confidentiality refers to protecting
information from unauthorized
access.
Integrity means data are trustworthy,
complete, and have not been
accidentally altered or modified by
an unauthorized user.
Availability means data are accessible
when you need them.
 SECURITY GOVERNANCE PRINCIPLES
Security governance principles play a crucial role in maintaining an
organization’s cybersecurity posture. There are six key principles:
Responsibility
Strategy
Acquisition
Performance
Conformance
Human Behavior
 SECURITY GOVERNANCE PRINCIPLES
Responsibility- Clearly define roles and responsibilities for security
across the organization.
Strategy- Align security efforts with the overall business strategy
Acquisition- When acquiring new technologies or services, evaluate
their security implications.
Performance- Continuously monitor and assess security performance.
Conformance- Ensure compliance with relevant regulations, standards,
and policies.
Human Behavior- Promote secure behaviors among employees.
 CYBERATTACK- Is an attempt by
cybercriminals, hackers or other digital
adversaries to access a computer network
or system, usually for the purpose of
altering, stealing, destroying or exposing
information.
 Common types cyberattacks
Malware- or malicious software — is any program or code that is created with the intent to do
harm to a computer, network or server.
Ransomware- an adversary encrypts a victim’s data and offers to provide a decryption key in
exchange for a payment.
Fileless Malware- Fileless malware is a type of malicious activity that uses native, legitimate
tools built into a system to execute a cyber attack.
Spyware- type of unwanted, malicious software that infects a computer or other device and
collects information about a user’s web activity without their knowledge or consent.
Adware- type of spyware that watches a user’s online activity in order to determine which ads to
show them. While adware is not inherently malicious, it has an impact on the performance of a
user’s device and degrades the user experience.
 Common types cyberattacks
Trojan- malware that appears to be legitimate software disguised as native operating
system programs or harmless files like free downloads. Trojans are installed through
social engineering techniques such as phishing or bait websites.
Worm- a self-contained program that replicates itself and spreads its copies to other
computers.
Rootkits- a collection of software designed to give malicious actors control of a
computer network or application. Once activated, the malicious program sets up
a backdoor exploit and may deliver additional malware.
Keylogger- are tools that record what a person types on a device.
 Common types cyberattacks
Denial -of-Service (DoS) attacks- is a malicious, targeted attack that floods a network
with false requests in order to disrupt business operations.
Phishing- type of cyberattack that uses email, SMS, phone, social media, and social
engineering techniques to entice a victim to share sensitive information — such as
passwords or account numbers.
Spear Phishing- type of phishing attack that targets specific individuals or
organizations typically through malicious emails.
Whaling- is a type of social engineering attack specifically targeting senior or C-level
executive employees with the purpose of stealing money or information, or gaining
access to the person’s computer in order to execute further cyberattacks.
 Common types cyberattacks
Denial -of-Service (DoS) attacks- is a malicious, targeted attack that floods a network
with false requests in order to disrupt business operations.
Phishing- type of cyberattack that uses email, SMS, phone, social media, and social
engineering techniques to entice a victim to share sensitive information — such as
passwords or account numbers.
Spear Phishing- type of phishing attack that targets specific individuals or
organizations typically through malicious emails.
Whaling- is a type of social engineering attack specifically targeting senior or C-level
executive employees with the purpose of stealing money or information, or gaining
access to the person’s computer in order to execute further cyberattacks.
 Common types cyberattacks
Smishing- is the act of sending fraudulent text messages designed to trick individuals into sharing sensitive
data such as passwords, usernames and credit card numbers.
Vishing- a voice phishing attack, is the fraudulent use of phone calls and voice messages pretending to be
from a reputable organization to convince individuals to reveal private information such as bank details and
passwords.
Spoofing- is a technique through which a cybercriminal disguises themselves as a known or trusted source.
Man-in-the-middle attack- is a type of cyberattack in which an attacker eavesdrops on a conversation
between two targets with the goal of collecting personal data, (passwords or banking details).
Social engineering- is a technique where attackers use psychological tactics to manipulate people into taking
a desired action.
Tailgating/piggybacking- is a type of physical security breach in which an unauthorized person follows an
authorized individual to enter secured premises.