Security and Risk Management Lecture 3 PDF
Uploaded by LushStatistics
Summary
This lecture provides an overview of security and risk management concepts, including CIA Triangle, various access control models (ABAC, DAC, HBAC, MAC, IBAC, OrBAC, RBAC, RAC), and strategies for risk assessment and response.
Full Transcript
Security and Risk Management

CIA Triangle:
1- Confidentiality
2- Integrity
3- Availability

Non-Repudiation: Non-repudiation is a security principle that ensures an individual or entity cannot deny having performed a particular action.

Access control components:
Authentication: the process of verifying the identity of a user.
Authorization: the method of enforcing policies; it determines the extent of access to the network and what types of services and resources are accessible to the authenticated user.
Access: after successful authentication and authorization, the user's identity is verified, which allows them to access the resource they are attempting to log in to.
Audit: the access control audit method enables organizations to follow the principle. It allows them to collect data about user activities and analyze it to identify possible access violations.
Manage: organizations can manage their access control system by adding and removing authentication and authorization for users and systems.

Access control models:
Attribute-based Access Control (ABAC): access is granted or declined by evaluating a set of rules, policies, and relationships using the attributes of users, systems and environmental conditions.
Discretionary Access Control (DAC): the owner of the data determines who can access specific resources (owner). Decisions are based only on user ID and ownership. DAC is less secure to use.
History-Based Access Control (HBAC): access is granted or declined by evaluating the history of activities of the inquiring party, which includes behavior, the time between requests and the content of requests; it considers a user's previous actions or access history to decide future permissions. It is designed to mitigate risk by examining patterns of behavior over time.
Mandatory Access Control (MAC): a control model in which access rights are regulated by a central authority based on multiple levels of security. Security Enhanced Linux is implemented using MAC on the Linux operating system (system/admins).
Identity-Based Access Control (IBAC): using this model, network administrators can more effectively manage activity and access based on individual requirements.
Organization-Based Access Control (OrBAC): this model allows the policy designer to define a security policy independently of the implementation (hierarchical organization); permissions are managed for parts of the organization.
Role-Based Access Control (RBAC): RBAC allows access based on the job title. RBAC eliminates discretion on a large scale when providing access to objects. For example, there should not be permissions for human resources specialists to create network accounts.
Rule-Based Access Control (RAC): the RAC method is largely context based. An example would be only allowing students to use the labs during a certain time of day.

Risk = Event Probability of Occurrence x Event Impact

Risk Management:
1- Determine your assets
2- Risk analysis
(These 2 steps are called "Risk Assessment")
3- Risk mitigation
4- Monitor risks
(These 2 steps are called "Risk Control")

Risk Assessment:
1- Qualitative Method: risks are typically ranked on scales (e.g., high, medium, low). Subjective and potentially inconsistent, as it relies on expert judgment.
2- Quantitative Method (Objective): this method uses numerical data to estimate the probability and financial impact of risks, often in terms of cost or loss.
1- ALE = SLE x ARO
2- SLE = AV x EF
ALE (Annualized Loss Expectancy), SLE (Single Loss Expectancy), ARO (Annualized Rate of Occurrence), AV (Asset Value), EF (Exposure Factor)

Risk response strategies:
1- Risk Acceptance: acknowledging the risk and preparing to deal with its consequences if it occurs. This may involve setting aside contingency resources or creating a recovery plan. Suitable for low-impact risks where the cost of mitigation exceeds the potential damage.
2- Risk Mitigation: reducing the impact of the negative risk on the project, often through safeguards and controls.
3- Risk Transfer: shifting the risk, or a portion of it, to a third party to share responsibility or mitigate the impact.
4- Risk Avoidance: eliminating the risk by changing plans, processes, or behaviors so that the threat no longer exists or affects the organization.

Control levels

Control Categories:
1- Administrative (Management): security controls that refer to policies, procedures, or guidelines defining personnel or business practices in accordance with the organization's security goals.
2- Physical (Operational): controls that implement security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Like: motion or thermal alarm systems and security guards.
3- Logical (Technical): using technology to reduce vulnerabilities in hardware and software. Automated software tools are installed and configured to protect these assets. Like: antivirus, firewall, encryption, IDS, IPS and SIEM.

Control Types:
1- Deterrent: controls designed to discourage or deter individuals from attempting to breach security policies or engage in malicious activities.
2- Preventive: controls designed to stop security incidents or threats before they occur. They actively block or eliminate the ability to perform unauthorized actions. Like IPS (Intrusion Prevention System).
3- Detective: controls that identify and alert on suspicious or unauthorized activities after they have occurred or while they are occurring. Like IDS (Intrusion Detection System).
4- Recovery: controls aimed at restoring systems and data after a security incident or disaster has occurred.
5- Corrective: controls used to fix or correct vulnerabilities and issues that allowed a security incident to occur.

Security governance:
1- Policies
2- Procedures
3- Standards
4- Guidelines

Assets:
1- Tangible
2- Intangible

Quiz:
1- Develop the appropriate activities to ensure delivery of critical infrastructure services is ......... in the cybersecurity framework.
2- ............ performs the hacking process without getting permission, but not for criminal purposes.
3- Data have different states such as .........., ............. and ........
4- The cyber security cube involves ..........., ............, ..............
5- Where data is stored on a hard disk, it is in the .......... state.
6- ........... time affects network availability positively.
7- The countermeasure dimension in the cyber security cube involves ......., ........ and ..........
8- ............. is a security method that is ready to detect and respond to a cyber-attack.
9- ............ is an unintentional event that violates security.
10- ........... is the security evaluation phase where recommendations are supported.
11- ........... is the step of access control that comes after successful authentication and authorization.
12- ........... is an access control method that can be used in the context of analyzing CPU stack instructions or network traffic.
13- Qualitative risk assessment is a ......... method.
14- Insurance is an example of the .......... risk response method.
15- Security governance involves ..........., ..........., ......... and ..............

The solutions:
1- Protect
2- Gray Hat Hacker
3- In rest, in motion, Processing (in use)
4- CIA, Data states, Security safeguards
5- Rest
6- Uptime
7- Policy, People, Technology
8- Reactive Method
9- Threat
10- Conclusion
11- Access
12- HBAC
13- Subjective
14- Transfer
15- Policies, Procedures, Standards, Guidelines
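The RBAC, RAC and HBAC models from the access control models section, combined into one policy decision as an added example (not code from the lecture). The roles, the lab hours and the HBAC thresholds are constructed values.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example (not from the lecture).
ROLES = {"student": {"lab:use"}, "hr_specialist": {"employee:read"}}
LAB_HOURS = (8, 18)              # RAC context rule: labs usable 08:00-18:00
MIN_GAP = timedelta(seconds=2)   # HBAC: minimum time between two requests
MAX_DENIALS = 3                  # HBAC: denials tolerated within DENIAL_WINDOW
DENIAL_WINDOW = timedelta(minutes=5)


def at(hour, minute=0, second=0):
    """Helper that builds a timestamp on a fixed constructed day."""
    return datetime(2024, 3, 4, hour, minute, second)


def rbac_allows(role, permission):
    """RBAC: the permission comes from the job title, never from the person."""
    return permission in ROLES.get(role, set())


def rac_allows(permission, now):
    """RAC: the lecture's context rule, lab use only during a time window."""
    if permission != "lab:use":
        return True
    return LAB_HOURS[0] <= now.hour < LAB_HOURS[1]


def hbac_allows(history, now):
    """HBAC: judge the requester by past behaviour, here the spacing of
    requests and the number of recent denials.
    history is a list of (timestamp, allowed) tuples, oldest first."""
    recent_denials = sum(1 for t, ok in history
                         if not ok and now - t < DENIAL_WINDOW)
    if recent_denials >= MAX_DENIALS:
        return False
    if history and now - history[-1][0] < MIN_GAP:
        return False
    return True


def decide(role, permission, now, history):
    """Every model must agree; the outcome is appended to the history so
    the HBAC check sees it on the requester's next request."""
    allowed = (rbac_allows(role, permission)
               and rac_allows(permission, now)
               and hbac_allows(history, now))
    history.append((now, allowed))
    return allowed
```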
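The quantitative method (SLE = AV x EF, ALE = SLE x ARO) carried through to the accept-or-mitigate choice from the risk response strategies, as an added example that is not part of the lecture. The asset values, exposure factors, rates of occurrence and safeguard cost are constructed figures.

```python
# Added example with constructed figures; only the formulas are the lecture's.


def sle(av, ef):
    """Single Loss Expectancy: SLE = AV x EF.
    EF is the fraction of the asset value lost in one event."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return av * ef


def ale(av, ef, aro):
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(av, ef) * aro


def rank_assets(assets):
    """Risk analysis step: order the asset inventory by ALE, highest first.
    Each asset is a dict with the keys name, av, ef and aro."""
    return sorted(assets, key=lambda a: ale(a["av"], a["ef"], a["aro"]),
                  reverse=True)


def safeguard_value(av, ef, aro, ef_after, aro_after, annual_cost):
    """Yearly benefit of a safeguard: the ALE it removes minus what it costs."""
    return ale(av, ef, aro) - ale(av, ef_after, aro_after) - annual_cost


def recommend(av, ef, aro, ef_after, aro_after, annual_cost):
    """Risk response in the lecture's terms: mitigate when the safeguard pays
    for itself, otherwise accept, because the cost of mitigation exceeds the
    potential damage it would prevent."""
    value = safeguard_value(av, ef, aro, ef_after, aro_after, annual_cost)
    return "mitigate" if value > 0 else "accept"


# Constructed inventory: a file server and a public web site.
ASSETS = [
    {"name": "file server", "av": 200000, "ef": 0.25, "aro": 0.5},
    {"name": "web site", "av": 50000, "ef": 0.5, "aro": 2.0},
]

if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(a["name"], ale(a["av"], a["ef"], a["aro"]))
    # Offline backups (constructed) cut the file server's EF to 0.125.
    print(recommend(200000, 0.25, 0.5, 0.125, 0.5, 8000))
```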