Security and Risk Management Lecture PDF
Uploaded by SuppleDidactic
Summary
This document is a lecture (Lectures 3 and 4) on security and risk management. It covers the CIA triangle and the components of access control, the access control models (ABAC, MAC, DAC, HBAC, IBAC, OrBAC, rule-based and RBAC), quantitative and qualitative risk assessment (ALE, SLE, ARO), risk response strategies, and the categories and types of security controls.
Full Transcript
Lecture 3 & 4: Security and Risk Management

Security: the CIA triangle
▪ Confidentiality
▪ Integrity
▪ Availability (24/7)

Security: authenticity and non-repudiation ("It wasn't me!")

Access control components
▪ Authentication: the process of verifying the identity of a user. User authentication is the process of verifying the identity of a user when that user logs in to a computer system.
▪ Authorization: determines the extent of access to the network and what type of services and resources are accessible by the authenticated user. Authorization is the method of enforcing policies.
▪ Access: after successful authentication and authorization the user's identity is verified, which allows them to access the resource to which they are attempting to log in.
▪ Manage: organizations manage their access control system by adding and removing authentication and authorization for users and systems.
▪ Audit: the access control audit method enables organizations to follow the principle, collecting data about user activities and analyzing it to identify possible access violations.
Access control models
▪ Attribute-Based Access Control (ABAC): access is granted or declined by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
▪ Mandatory Access Control (MAC): access rights are regulated by a central authority (system administrators) based on multiple levels of security. Security Enhanced Linux (SELinux) implements MAC on the Linux operating system.
▪ Discretionary Access Control (DAC): the owner of the data determines who can access specific resources.
▪ History-Based Access Control (HBAC): access is granted or declined by evaluating the history of activities of the inquiring party, including its behavior, the time between requests and the content of requests.
▪ Identity-Based Access Control (IBAC): network administrators manage activity and access based on individual requirements.
▪ Organization-Based Access Control (OrBAC): allows the policy designer to define a security policy independently of the implementation (hierarchical organization; permissions are managed for parts of the organization).
▪ Rule-Based Access Control (RAC, also written RuBAC): largely context based. An example is allowing students to use the labs only during a certain time of day.
▪ Role-Based Access Control (RBAC): access is based on job title. RBAC eliminates discretion on a large scale when providing access to objects. For example, a human resources specialist should not have permission to create network accounts.

ABAC attributes
User attributes concern the characteristics of the person who requested the access. Examples include:
▪ User ID
▪ Department
▪ Security clearance level
▪ Group memberships
Environment attributes are information connected with the history of the party who has proposed the access request. Examples include:
▪ Time of day
▪ Date
▪ Geographical location of the activities that are being or may be performed, such as the IP address of the device or the geographical location of the device
▪ Device type
▪ Current status of network protection (for instance VPN, firewall)
Resource attributes describe the resource accessed for use by a certain community for its objectives. Examples include:
▪ Resource type (e.g. document type, database type)
▪ Resource owner
▪ Classification (e.g. classified, open)
▪ Creation date
▪ Data classification
Action attributes are characteristics associated with the completion of the action. Examples include:
▪ Action type (e.g. read, write, delete)
▪ HTTP verbs (e.g. GET, POST)

DAC
The owner can determine the access and privileges and can restrict the resources based on the identity of the users. Decisions are based only on user ID and ownership. Users are given access based on their identity, not on security levels, which is why DAC is less secure than MAC.

HBAC
HBAC considers the historical behavior of programs and users to make access decisions. Access requests are evaluated against the past actions of the user or the resource, and anomaly detection identifies when a current action or authorization request differs from past behavior and context. HBAC may be used, for example, when analyzing CPU stack instructions or network traffic to identify when specific actions or applications are anomalies, and to adjust access control decisions accordingly.

RAC (rule-based access control, RuBAC)
Rule-based access control allows user access to network resources according to pre-defined rules. Administrators define the conditions users must meet before gaining access, and the access management system compares information about the user to a rules database. If the user meets the conditions, they can use apps, move files or view records; if not, the system restricts the user's permission.

RBAC
Role-based access control uses employee roles to authorize and limit access to critical resources. In RBAC systems every network user has a role; this role determines the user's privileges and is linked to seniority, responsibilities and job description. Role-based controls can be permanent and last as long as the employee remains in their role, or they can provide temporary access as required: staff may join project teams for short periods, and RBAC can accommodate such temporary changes without compromising security.

OrBAC
OrBAC allows the policy designer to define a security policy independently of the implementation. The chosen method to fulfil this goal is the introduction of an abstract level:
▪ Subjects are abstracted into roles. A role is a set of subjects to which the same security rule applies.
▪ Similarly, an activity is a set of actions to which the same security rule applies.
▪ A view is a set of objects to which the same security rule applies.

Security (illustrative slides: data center, risk)
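As an added example that is not part of the lecture, the following Python policy engine evaluates an access request against ABAC attributes of the four kinds listed above (user, resource, action, environment) using the lecture's own rules: the rule-based lab-hours restriction for students, the RBAC rule that an HR specialist may not create network accounts, an owner rule in the spirit of DAC, and a clearance-level rule in the spirit of MAC. Policies are combined deny-overrides with a default deny, and every decision is written to an audit log, which is the Audit component of access control described above. The attribute names, policy names, classification ordering, sample users and resources are all assumptions constructed for the example.

```python
# Added example (not from the lecture): a small ABAC policy engine.
# Attribute names, policy names and the sample users/resources are assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

# Assumed ordering of classification / clearance levels (MAC-style lattice).
LEVELS = {"open": 0, "internal": 1, "classified": 2}


@dataclass(frozen=True)
class Request:
    user: dict      # user attributes: id, department, clearance, groups
    resource: dict  # resource attributes: name, type, owner, classification
    action: dict    # action attributes: type, http_verb
    env: dict       # environment attributes: time, vpn, device_type


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                         # "permit" or "deny"
    matches: Callable[[Request], bool]  # predicate over the request's attributes


# Rule-based: students may use lab resources only between 08:00 and 18:00.
def student_lab_hours(r: Request) -> bool:
    return (r.resource["type"] == "lab"
            and "students" in r.user["groups"]
            and 8 <= r.env["time"].hour < 18)


# Role-based: an HR specialist never gets to create network accounts.
def hr_creates_account(r: Request) -> bool:
    return (r.user["department"] == "HR"
            and r.resource["type"] == "network_account"
            and r.action["type"] == "create")


# Discretionary: the owner of a resource may access it.
def owner_access(r: Request) -> bool:
    return r.resource["owner"] == r.user["id"]


# Mandatory: reading requires clearance at or above the resource classification.
def clearance_dominates(r: Request) -> bool:
    return (r.action["type"] == "read"
            and LEVELS[r.user["clearance"]] >= LEVELS[r.resource["classification"]])


# Environment: classified material is only reachable over the VPN.
def classified_without_vpn(r: Request) -> bool:
    return r.resource["classification"] == "classified" and not r.env["vpn"]


POLICIES = [
    Policy("hr-no-account-creation", "deny", hr_creates_account),
    Policy("classified-requires-vpn", "deny", classified_without_vpn),
    Policy("student-lab-hours", "permit", student_lab_hours),
    Policy("owner-access", "permit", owner_access),
    Policy("clearance-dominates", "permit", clearance_dominates),
]


def decide(request: Request, policies=POLICIES, audit_log: Optional[list] = None):
    """Deny-overrides combination with default deny; every decision is audited."""
    matched = [p for p in policies if p.matches(request)]
    denies = [p for p in matched if p.effect == "deny"]
    permits = [p for p in matched if p.effect == "permit"]
    if denies:
        decision, reason = "deny", denies[0].name
    elif permits:
        decision, reason = "permit", permits[0].name
    else:
        decision, reason = "deny", "default-deny"
    if audit_log is not None:  # the Audit component: keep evidence for later review
        audit_log.append({"time": request.env["time"].isoformat(),
                          "user": request.user["id"], "action": request.action["type"],
                          "resource": request.resource["name"],
                          "decision": decision, "reason": reason})
    return decision, reason


def make_request(user: dict, resource: dict, action: str, hour: int, vpn: bool = True) -> Request:
    """Constructed request on a fixed date; only the hour, VPN flag and action vary."""
    verb = "GET" if action == "read" else "POST"
    return Request(user, resource, {"type": action, "http_verb": verb},
                   {"time": datetime(2024, 3, 4, hour, 0), "vpn": vpn, "device_type": "laptop"})


# Constructed sample principals and resources.
STUDENT = {"id": "s123", "department": "CS", "clearance": "open", "groups": ["students"]}
HR_STAFF = {"id": "h007", "department": "HR", "clearance": "internal", "groups": ["staff"]}
ANALYST = {"id": "a042", "department": "SOC", "clearance": "classified", "groups": ["staff"]}
LAB = {"name": "lab-01", "type": "lab", "owner": "it", "classification": "open"}
ACCOUNTS = {"name": "ad-accounts", "type": "network_account", "owner": "it", "classification": "internal"}
REPORT = {"name": "ir-report", "type": "document", "owner": "a042", "classification": "classified"}

if __name__ == "__main__":
    log = []
    for req in (make_request(STUDENT, LAB, "use", 10),        # permit: lab hours
                make_request(STUDENT, LAB, "use", 20),        # deny: outside lab hours
                make_request(HR_STAFF, ACCOUNTS, "create", 11),  # deny: RBAC rule
                make_request(ANALYST, REPORT, "read", 11, vpn=False),  # deny: no VPN
                make_request(ANALYST, REPORT, "read", 11)):   # permit: owner
        print(decide(req, audit_log=log))
    for entry in log:
        print(entry)
```

The deny-overrides order matters: the analyst owns the classified report and has the clearance for it, but the environment rule (no VPN) still wins, which is the point of evaluating environment attributes alongside user and resource attributes. A request that matches no policy at all is denied rather than silently permitted.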
Risk management
1. Determine your assets
2. Risk analysis: Risk = Event Probability of Occurrence x Event Impact
3. Risk mitigation
4. Monitor risks
Steps 1 and 2 make up the risk assessment; steps 3 and 4 make up risk control.

Risk assessment methods
▪ Quantitative method: objective
▪ Qualitative method: subjective
Quantitative method
ALE = SLE x ARO
SLE = AV x EF
where ALE is the Annualized Loss Expectancy, SLE the Single Loss Expectancy, ARO the Annualized Rate of Occurrence, AV the Asset Value and EF the Exposure Factor (the fraction of the asset value lost in a single incident).

Example:
Asset Value (AV) = SAR 5,000
Exposure Factor (EF) = 0.3
Single Loss Expectancy (SLE) = AV x EF = 0.3 * SAR 5,000 = SAR 1,500
Annualized Rate of Occurrence (ARO) = once a year = 1
Annualized Loss Expectancy (ALE) = SLE x ARO = SAR 1,500 * 1 = SAR 1,500

Qualitative method
Instead of currency values, likelihood and impact are rated on an ordinal scale (Low / Med / High) and combined into an overall rating.
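Added example, not from the lecture: the quantitative formulas above carried through in Python with the slide's own values (AV = SAR 5,000, EF = 0.3, ARO = once a year), together with a cost/benefit check that tells you whether a mitigating control is worth its annual cost and a small qualitative likelihood-by-impact rating. The cost/benefit function, the ARO-from-interval helper and the 3x3 rating matrix are assumptions that extend what the slides show.

```python
# Added example (not from the lecture): the quantitative risk formulas carried
# through, plus a control cost/benefit check and a qualitative rating matrix.
# control_benefit, aro_from_interval and the 3x3 matrix are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset (SAR in the lecture's example)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected number of incidents per year


def aro_from_interval(years_between_incidents: float) -> float:
    """ARO from a recurrence interval: once a year -> 1, once in 10 years -> 0.1."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV x EF"""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO"""
    return single_loss_expectancy(s) * s.aro


def control_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a mitigating control (assumed extension of the slides):
    ALE reduction minus the control's yearly cost. Positive: the control pays for
    itself (mitigate); negative: consider accepting or transferring the risk instead."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


# Qualitative method: ordinal likelihood and impact combined into a rating.
SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Assumed 3x3 matrix: product of the two scores, bucketed into Low/Medium/High."""
    score = SCALE[likelihood.lower()] * SCALE[impact.lower()]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# The lecture's worked example: AV = SAR 5,000, EF = 0.3, ARO = once a year.
LECTURE_EXAMPLE = Scenario(asset_value=5000, exposure_factor=0.3, aro=aro_from_interval(1))

if __name__ == "__main__":
    print("SLE =", single_loss_expectancy(LECTURE_EXAMPLE))
    print("ALE =", annualized_loss_expectancy(LECTURE_EXAMPLE))
    # Constructed mitigation: a control that cuts EF from 0.3 to 0.25 for SAR 100 a year.
    mitigated = Scenario(5000, 0.25, aro_from_interval(1))
    print("control benefit =", control_benefit(LECTURE_EXAMPLE, mitigated, 100))
    print("qualitative:", qualitative_rating("high", "medium"))
```

With the slide's numbers SLE and ALE both come to SAR 1,500 because ARO is 1; an event expected once in ten years instead gives ARO = 0.1 and ALE = SAR 150, which is the figure to compare against the yearly cost of any control before choosing between mitigation, acceptance and transfer.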
Risk response strategies
▪ Risk acceptance
▪ Risk mitigation
▪ Risk transfer
▪ Risk avoidance

Control levels (illustrative slide)

Controls categories
▪ Administrative (management) controls: policies, procedures or guidelines that define personnel or business practices in accordance with the organization's security goals.
▪ Physical (operational) controls: security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples: closed-circuit surveillance cameras, motion or thermal alarm systems, security guards, picture IDs, locked and dead-bolted steel doors.
▪ Logical (technical) controls: at the most basic level, technical controls (also known as logic controls) use technology to reduce vulnerabilities in hardware and software; automated software tools are installed and configured to protect these assets. Examples: encryption, antivirus and anti-malware software, firewalls, Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).

Controls types
▪ Deterrent
▪ Preventive
▪ Detective
▪ Recovery
▪ Corrective

Security requirements
▪ Contractual
▪ Privacy requirements
▪ Legal
▪ Regulatory requirements
▪ Industry standards
Examples of regulated areas: privacy, security, finance, e-commerce, import/export.

Security governance
▪ Policies
▪ Procedures
▪ Standards
▪ Guidelines
Assets
▪ Tangible assets
▪ Intangible assets, e.g. public image (public opinion of customers)

Defense-in-Depth model (illustrative slides)

THANK YOU