IT Security Management and Risk Assessment PDF

Summary

This document provides an overview of IT security management and risk assessment, including different approaches. It discusses various methods such as baseline, informal, and formal analyses. The document covers the essentials including what security assets require protection and threat assessment.

Full Transcript

IT Security Management and Risk Assessment
IT security management answers questions like:
- What assets do we need to protect?
- How are those assets threatened?
- What can we do to counter those threats?

More specifically, IT security management consists of first determining a clear view of an
organization’s IT security objectives and general risk profile.

Definition: The formal process used to develop and maintain appropriate levels of
computer security for an organization’s assets, by preserving their confidentiality, integrity,
availability, accountability, authenticity, and reliability.

Förenklad variant: The formal process of ensuring an organization’s assets are secure by
protecting their privacy (confidentiality), accuracy (integrity), accessibility (availability), tracking
of actions (accountability), trustworthiness (authenticity), and dependability (reliability).

IT security risk assessment
Next, an IT security risk assessment is needed for each asset in the organization that
requires protection; this assessment must answer the three key questions listed
Above.
- What do we need to protect?
- How are those assets threatened?
- What can we do to counter those treats?

An IT security risk assessment is needed for each asset in the organization that requires
protection. This assessment must answer each of the three questions above. What asset, hat
threats, and what counter action can be taken?

ChatGPT:
Security risk analysis is the process of identifying, assessing, and mitigating risks to an
organization's assets, information, and operations. The terms listed represent different
approaches and methods used in risk analysis:

Security Risk analysis involves various approaches, each suited for different needs and
circumstances. Baseline, Informal, Formal, Combines

1. Baseline Security Risk Analysis

Definition:
 ○ This approach involves comparing an organization’s current security measures to
established standards or best practices, such as ISO 27001 or NIST
cybersecurity frameworks.
○ Essentially, it’s like checking a checklist to see how your organization measures
up against proven security guidelines.
Purpose:
○ To identify where the organization is falling short (gaps) in its adherence to these
standards.
○ For example, if ISO 27001 recommends encryption for sensitive data, a baseline
analysis would check if this practice is implemented.
When to Use:
○ When you need to ensure compliance with industry regulations or best practices.
○ Ideal for organizations seeking certifications or assessing maturity against known
frameworks.

2. Informal Security Risk Analysis

Definition:
○ This is a less structured approach that relies on general observations,
brainstorming sessions, and expert opinions rather than detailed methodologies.
○ It’s more about “thinking on your feet” to identify risks based on experience and
intuition.
Purpose:
○ To quickly identify and evaluate risks when resources, time, or detailed data are
unavailable.
○ Useful for preliminary assessments or in crisis situations where rapid decisions
are needed.
Examples:
○ A team discussing potential threats during a meeting based on their recent
experiences.
○ Walking through a facility to spot obvious security weaknesses like unlocked
server rooms.
When to Use:
○ During early stages of risk identification.
○ In scenarios where formal processes would take too long or be impractical.

3. Formal Security Risk Analysis

Definition:
○ A structured and methodical approach that uses well-defined techniques to
assess risks.
 ○ Techniques may be quantitative (measuring risks in numerical terms, like
financial losses) or qualitative (categorizing risks as high, medium, or low based
on impact and likelihood).
Purpose:
○ To provide a detailed, repeatable, and evidence-based evaluation of risks.
○ Helps in creating prioritized action plans with documented justifications.
Examples:
○ Conducting a full risk assessment using tools like FAIR (Factor Analysis of
Information Risk) or OCTAVE (Operationally Critical Threat, Asset, and
Vulnerability Evaluation).
○ Using detailed questionnaires, threat modeling, and simulations to evaluate
potential vulnerabilities.
When to Use:
○ When a thorough, long-term strategy is needed for managing risks.
○ In environments with significant complexity or high regulatory requirements.

4. Combined Security Risk Analysis

Definition:
○ This approach blends elements of baseline, informal, and formal methods to
achieve a balance between depth and practicality.
○ For example, an organization might start with an informal brainstorming session
to spot risks, then perform a baseline comparison against standards, followed
by a formal assessment for critical areas.
Purpose:
○ To leverage the advantages of different methods while mitigating their limitations.
○ Allows for flexible, adaptable risk analysis that can cater to varying levels of
urgency, resource availability, and precision needs.
When to Use:
○ When a hybrid approach is more efficient or better suited to the organization’s
context.
○ For organizations looking for a balanced way to identify risks without
overcommitting to one rigid method.
Physical security control types
Physical Security Control Types are measures designed to protect an organization's physical
assets, such as data centers, buildings, or hardware, from unauthorized access, damage, or
theft. These controls can be categorized into three main types:

1. Deterrent (avskräckande) Controls: Fences, warning signs.
2. Preventive Controls: Locks, security guards.
3. Detective Controls: Alarms, surveillance cameras.

Security policy in an organization

Definition: A document outlining the principles, guidelines, and requirements for
maintaining security within an organization.

At the least, a security policy is an informal description of desired system behavior. Such
informal policies may reference requirements for security, integrity, and availability.
More usefully, a security policy is a formal statement of rules and practices that specify or
regulate how a system or organization provides security services to protect sensitive and
critical system resources.

In developing a security policy, a security manager needs to consider the following factors:
- The value of the assets being protected
- The vulnerabilities of the system
- Potential threats and the likelihood of attacks

Malicious Software
Malicious Software/ Malware (s.299-300)
Same thing
= a program that is inserted into a system with the intent of compromising the
confidentiality, integrity, or availability of the victim’s data, applications, or operating
system or otherwise annoying or disrupting the victim

Types of malware

1. Trojan Horse

Definition: A malicious program disguised as legitimate software, often used to trick
users into installing it. Once activated, it performs harmful actions.
 How It Works: It exploits the trust of the user or system, executing unwanted tasks in
the background.
Examples:
○ Fake Antivirus Software: A program claiming to clean your computer but
instead installs malware.
○ Infostealer Trojan: Embedded in a file, it steals sensitive data, like passwords,
when executed.

2. Worm

Definition: A standalone program that self-replicates and spreads across networks or
devices without requiring user intervention. A computer program that can run
independently and can propagate a complete working version of itself onto other
How It Works: Exploits vulnerabilities in systems or networks to propagate.
Examples:
○ Morris Worm (1988): One of the first worms to spread via the Internet, causing
widespread disruption.
○ ILOVEYOU Worm: Spread through email attachments, damaging files and
overwhelming networks.

3. Virus

Definition: A program that infects files or programs, replicating itself and spreading
further when the infected files are executed.
How It Works: Requires user action, like running an infected file, to activate and spread.
Examples:
○ Michelangelo Virus: A virus that activates on a specific date to delete files.
○ Melissa Virus: Spread through email attachments, infecting Word documents
and emailing itself to contacts.

Key Differences:

Trojan Horse: Needs user action to execute disguised malicious code.
Worm: Spreads independently across systems.
Virus: Infects other files and needs execution to spread.
Rootkit: Maintains control and hides an attacker’s presence.
APTs: Focused, persistent, and sophisticated attacks targeting specific entities for
strategic purposes.

These examples highlight the diverse tactics attackers use and the importance of tailored
defenses for each type of threat.
Understand types of network attacks
Network attacks are attempts to compromise the security of a network and its resources. They
can be cathegorized into two main types. Passive and active attacks.
Passive

Public key in Cryptography

Public-key cryptography uses two mathematically related keys: a public key (shared openly)
and a private key (kept secret). It is also called asymmetric encryption, as it requires two
keys, unlike symmetric encryption, which uses one.

Encryption
Encryption is the process of converting plain text or readable data (plaintext) into an
unreadable format (ciphertext) using a cryptographic algorithm and a key. The purpose is to
ensure confidentiality, protect data from unauthorized access, and secure communication
between parties. There are two different types of encryption; symmetric and asymmetric. The
three encryption algorithms are symmetric, asymmetric and hashing.

DoS (Denial of Service) & Distributed Denial of Service (DDoS)
Denial of Service Dos: A Dos Attack aims to make a network, service or server unavailable to
legit users by overwhelming it with excessive traffic or resources requests. This prevents normal
operations, causing loss resource request. This prevents normal operations, causing
inconvenience, loss of productivity, and potential financial harm to the targeted organization.
DoS:
○ Overloads a network or server with traffic, making it unavailable to legitimate
users.
○ Example: Sending large volumes of requests to exhaust server resources.
Distributed Denial of Service (DDoS): A Distributed denial of Service DDos attack is a more
sophisticated version of a DoS attack.It involves multiple devices, often forming a botnet,
working together to amplify the attack and make it more difficult to mitigate.
DDoS:
○ A distributed attack using multiple devices (often part of a botnet) to amplify the
impact of a DoS attack.
○ Targets include websites, online services, or network infrastructure.

Intrusion with or without data breaches
Intrusion with or without Data Breaches:
Intrusion: Unauthorized access to a system or network.
Data Breach: A specific intrusion where sensitive data is accessed or stolen.

Intrusion with Data Breach
 Definition: An unauthorized entry into a system where sensitive data is accessed,
stolen or exposed. This can include personal information, financial records or intellectual
property.

Implications: Data breaches are severe because they compromise sensitive information
leading to potential legal consequences for the affected organization. GDPR etc.

Detection and Response: Involves identifying unauthorized access, stopping data
exfiltration and assessing the full extent of data exposure. Response often includes
notifying affected individuals and implementing further data protection measures.

Intrusion without Data Breach:
Definition: An unauthorized entry where no sensitive data is accessed or stolen. The
attacker may explore the network, probe for weaknesses, or install malware without
exfiltrating any data. However, remember that an intrusion without data breach is much
less common than with data breach. This is because once an intrusion has happened,
the data breach happens almost immediately after. The question is what kind of data
breach is it? In terms of what kind of data has been possible to access.

Implications: Although less immediately damaging, this type of intrusion still indicates a
vulnerability. Attackers may return later with the intent to escalate their access or cause
other harm, such as a denial-of-service attack or installing ransomware.

Detection and Response: Focuses on identifying and closing vulnerabilities, tracking
the attacker’s movements, and removing any backdoors or malware planted.
Preventative actions are taken to secure the system against future breaches.

Introduction to Buffer Overflow
A buffer overflow is a powerful and dangerous vulnerability that can lead to data corruption,
program crashes or unauthorized system control. Buffer overflow exploits software flaws to
manipulate how the system behaves.

A buffer overflow, also known as a buffer overrun or buffer overwrite.
Definition:
Buffer Overrun: A condition at an interface under which more input can be placed into a buffer
or data holding area than the capacity allocated, overwriting other information. Adversaries
exploit such a condition to crash a system or to insert specially crafted code that allows them to
gain control of the system.”

A buffer overflow occurs when a program writes more data into a buffer (a fixed-sized block of
memory) than it can hold. This excess data spills into adjacent memory locations, potentially
overwriting critical data such as control variables or function pointers.
 The consequences of this error:
○ corruption of data used by the program
○ unexpected transfer of control in the program
○ possible memory access violations, and very likely eventual program termination.

Buffer Overflow in Relation to DoS
While Denial of Service (DoS) attacks aim to disrupt service availability by overwhelming a
resource, buffer overflow attacks focus on exploiting software vulnerabilities to manipulate
system behavior.

DoS: Targets availability of a service.
Buffer Overflow: Exploits code flaws to corrupt or take control of the system.

Function of firewall
Firewalls, also known as Gateways, are designed to regulate and monitor traffic between
internal networks and external networks.

The firewall is inserted between the premises network and the Internet to establish a
controlled link and to erect an outer security wall or perimeter.

More generally, a firewall is a boundary system that separates different security
domains within and between organizations. The aim of this system is to protect the
internal network from attacks and to provide a single choke point where security and
auditing can be imposed.
The firewall may be a single computer system or a set of two or more systems that
cooperate to perform the firewall function.

Characteristics of Firewalls

Mandatory Traffic Flow: All traffic between the internal and external networks must
pass through the firewall.
Centralized Placement: Positioned at a network's central point to effectively monitor
and control data flows.
Authorization Enforcement: Allows only authorized and compliant traffic, rejecting or
blocking unauthorized data packets.
Penetration Resistance: Firewalls are designed to withstand attacks themselves,
ensuring they remain secure and effective.

"Defense in Depth":
Firewalls contribute to a layered security approach, where multiple defenses work
together to protect the network.
"Defense in Depth" is a cybersecurity approach that employs multiple layers of security
measures to protect a network or system from various threats. Each layer addresses a different
aspect of security, providing overlapping protections. Firewalls play a vital role in this strategy as
a critical layer of defense.

Access control

An access control system manages who can use system resources like apps, fuels and
databases.
First, it checks if the user or process is allowed to access the system. This is done by
authentication. Then it decides if the user has permission for the specific action they’re
trying to take.
A security administrator sets up rules in a database that define what each user is allowed to
do. The system use this database to approve or deny access and keeps records of all user
activity.

There are some fundamental components of the access control system, which ensures that
resources are securely and appropriately accessed.
The basic parts of access control are:
 1. Subject: The user or process trying to access a resource. A subject acts on behalf of a
user or application and inherits their permissions. Actions by subjects are recorded in
logs to track security-related activities. There are three types of subjects:
○ Owner: The creator or designated administrator of a resource.
○ Group: A set of users with shared access rights.
○ World: All other users with the least access permissions.
2. Object: The resource being accessed, such as files, directories, or programs. Objects
can also include smaller elements like records, messages or even hardware like
processors.
3. Access Rights: Define what action a subject can perform on an object. Such as:
○ Read: View or copy information.
○ Write: Add, change, or delete data.
○ Execute: Run a program.
○ Delete: Remove files or records.
○ Create: Make new resources.
○ Search: Look through directories

The balance between security and usability determines how these elements are applied. Access
control systems aim to balance security (protecting resources from unauthorized access) and
usability (ensuring that users can perform their tasks efficiently):

Access control mechanisms
Access control mechanisms are security measures designed to regulate who or what can view
or use resources in a computing environment.

Access control involves following functions:
Authentication - verification of credentials of user/system are valid.
Authorization - Granting permission to the system access system resources.
Determines who is trusted into the system.
Audit - A review of system records and activities to check if controls are adequate,
ensure rules are followed, identify security issues and suggest improvements to controls,
policies and procedures.

Authentication & authorization
Authentication: Verifying a user’s identity (e.g., password, biometrics).
Authorization: Granting permissions to access specific resources based on a user's
identity and role.

Access control is often handled by multiple components, including the operating system,
security tools, and specific applications like databases. Firewalls and other external devices can
also help control access.
 Discretionary access control (DAC): Access is managed based on who is making the
request and rules about what they are allowed to do. It is called discretionary because
someone with access can choose to allow others to use the resource.
Example: File permissions in operating systems where a user can decide who
can access their files, A Google Drive folder etc

Mandatory access control (MAC): Access is controlled by matching security labels
with security clearance. The labels are showing the resource sensibility and the security
clearance is showing who is allowed access.
Example: Government systems using classification labels.

Role-based access control (RBAC): Controls access based on the roles that users
have within the system
Example: A hospital information system where roles like "Doctor," "Nurse,"
and "Administrator" determine access.

Attribute-based access control (ABAC): Access is controlled based on the user’s
attributes, the resource, and the current environment.
Example : A remote work platform where access to sensitive resources is
granted only if specific conditions are met: user must have a valid role, access
must occur during business hours etc.