Risk Assessment and Management 2024-1 Past Paper
Al Ain University
Abdulrazzak Swai
Summary: This document provides information on risk assessment and management, data versus information, definitions of network and internet security, and OSI security architecture aspects. It is a collection of notes on security concepts, principles, and practices.
Risk Assessment and Management 2024-1, Abdulrazzak Swai, 202210991

Index
Chapter 1: Risk Based Information Security
Chapter 2: Risky Businesses
Chapter 3: Management Lifecycle
Chapter 4: Risk Profiling

Chapter 1: Risk Based Information Security

Definitions
Information security is viewed from a business context.
Information security risk: The risk to a nation, its organizations, assets, individuals, or operations from unauthorized access, use, disruption, or destruction of information or systems.
Decisions have to be risk-based.
Threat: Potential violation of security.
Risk is the overlap of asset, vulnerability, and threat. Risk arises when there is a valuable asset with a vulnerability that a threat could exploit.

Data vs Information
Data has no meaning, e.g. 2019, X12.
Information has meaning, e.g. The current year is 2019; the upcoming bus is X12.

Definition of information security according to NIST: Ensuring the CIA pillars of information system resources.
Definition of network security: Measures, policies, and procedures to protect data during their transmission.
Definition of internet security: Measures, policies, and procedures to protect data during their transmission over a collection of interconnected networks.

OSI security architecture aspects:
1. Security attack: Any action that compromises the security of information owned by an organization (passive or active).
2. Security mechanism: A process (or a device incorporating such a process) that is designed to prevent, detect, or recover from a security attack.
3. Security service: A service that enhances the security of the data processing systems and the information transfers of an organization, implementing one or more security mechanisms.

Previously, security decision making followed the cook-book approach, which is based on best practices and general rules. Specifically, it is based on:
- Checklists
- Best practices
- One-Size-Fits-All methodology
However, this isn't reliable and can't be applied to all companies and scenarios, which is why the risk-based approach is applied nowadays instead. This approach studies the organizational context and applies the appropriate risk analysis techniques, such as NIST CSF and FAIR.

Previously, it was assumed that all outsiders pose risk and all insiders don't pose any risk. However, studies show that 48% of attacks are caused by insiders.

Vulnerability assessment should follow a risk-based approach instead of a general scan approach. Instead of wasting money on fixing vulnerabilities and patching flaws, organizations must instead build a strong risk model that focuses on the most critical risks.
Risk management is about maximizing organizational output while minimizing the chances of unexpected negative outcomes.
A security "common language" should be used within an organization, which means that everyone in the organization uses the same terms and definitions for discussing risks.

Chapter 2: Risky Businesses

Risk Management
Risk: The probable frequency and magnitude of future loss affecting the CIAA pillars. Risk management involves identifying, assessing, prioritizing, and addressing these risks. It involves reducing uncertainties related to products and services and aligning organizational components for optimal performance.
An organization's goal must be to be secure enough, not to be 100% secure.
Risk threshold: The amount of risk that a company is willing to accept.
The information security function aims to lower operational risk through strong security practices, allowing the organization to take business risks that competitors cannot.
Not every vulnerability needs to be fixed. Instead, the company should maintain the CIAA pillars at an acceptable level. A vulnerability without a corresponding threat is not a risk to the organization.
A good risk model will take into account the specific needs and objectives of the organization. It will guide the selection of the appropriate strategy. It will also bring the level of risk exposure into an acceptable range.
Risk exposure measures the potential future loss from a specific activity or event. It is often analyzed by ranking risks based on their likelihood and the potential level of loss.
Risk exposure = Potential loss × Likelihood
Main components of security programs: Policies, Standards, Procedures, Guidelines.
Policies: They are broad, high-level statements created by senior management to define the organization's goals and positions. They are essential to a mature information security program and should be guided by risk management. They include the main policy and additional policies on specific topics, such as change management, data, and human resources.
Standards: They are mandatory elements for implementing policies, specifying details for hardware and software use. They ensure consistent security controls across the IT system and may be influenced by external requirements.
Procedures: They are step-by-step instructions for implementing policies. They detail how employees should act in specific situations or complete a task.
Guidelines: They are recommendations for a policy. They are not mandatory.
Advanced security controls can introduce complexities that may lead to errors or make unauthorized activity harder to detect. Balancing these controls is key to successful information security.
An exception approval process should be implemented from day one for new policies or standards.
Risk Management
3 important security principles: Least privilege, Defense in depth, Separation of duties.
Least privilege: Subjects (users, applications, etc.) should have the minimum access needed for their job functions. Balancing practical management of access with precise restrictions is key, as overly complex restrictions can lead to errors and reduced security.
Defense in depth: It involves using multiple security layers to minimize exposure if one control is compromised. For example, combining a firewall with an IDS. It includes different control categories (preventive, detective, and responsive) and establishing zones of control.
Separation of duties: It means that no individual or group has complete authority over all critical functions. Example: Monitoring a system admin's activities.

Categories of threats to information:
- Unauthorized disclosure
- Corruption
- DoS
- Inability to prove the source of an attack

States of data:
- In process: Data as it is being used by the system or application.
- In transit
- At rest

Enclave (Zone): A group of systems with the same risk profile and business function, separated from other enclaves. A DMZ (De-Militarized Zone) is a common enclave example for Internet-facing services like email or web servers. Not all DMZ services should be treated the same; resources with different risk profiles must be separated to minimize transitive risk (where a less secure resource affects a more secure one). Sensitive data should not be stored in a DMZ due to higher attack risks, though DMZ systems can interface with it.

Risk Management
Move beyond using Fear, Uncertainty, and Doubt (FUD) and limited resources.
Expect external examination from auditors, customers, regulators, or courts.
Follow standards: Use established standards.
Facilitate decision making: Assess risks before making business decisions.
Evaluate security metrics: Before reporting a metric, assess the value of the activity being measured. For example, evaluate the effectiveness of auditing efforts based on actual benefits, not just man-hours.

Return on Investment (ROI) for security spending:
Avoid cost center view: Shift from seeing security as a cost center to making risk-based decisions that align with business objectives.
Avoid "Chicken Little Mentality": Focus on providing risk-based decisions rather than reacting with fear.
For third-party evaluations, use the Standardized Information Gathering (SIG) questionnaire.

Qualitative vs. Quantitative analysis approaches:
Quantitative: Focuses on hard numbers to determine risk exposure. It measures both the likelihood of a threat occurring and its potential impact on a business process or mission. It assigns numerical ratings to develop a probabilistic analysis. It relies on accurate historical data and advanced math concepts.
    Risk Exposure = Risk Impact × Probability
    Risk Exposure = Sensitivity × Severity × Probability
    Exposure Rating = Severity² × Threat
Qualitative: Assesses the probability and impact of individual project risks using a predefined scale. Its purposes are to prioritize risks, enhance understanding, and identify key risk exposure areas.

Comparison between the two:
                Qualitative                                        Quantitative
    Level       Risk-level                                         Project-level
    Evaluation  Subjective evaluation of probability and impact    Probabilistic estimates of time and cost
    Time        Quick and easy to perform                          Time-consuming
    Tools       No special software or tools required              May require specialized tools
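The three quantitative formulas above can be put to work on a small set of findings to see how prioritization and the risk threshold interact. The following is an added example, not code from the notes: the 1..5 ordinal scales, the sample findings and the threshold value of 20 are constructed assumptions. It also illustrates two statements from earlier in the chapter, that a vulnerability with no corresponding threat is not a risk (threat level 0 gives an exposure rating of 0) and that not every vulnerability needs fixing (only findings above the threshold are marked for treatment).

```python
"""Quantitative risk exposure scoring.

Added example for the notes' quantitative formulas; it is not part of the
original document. The 1..5 ordinal scales, the sample findings and the
risk threshold are constructed assumptions used for illustration.
"""
from dataclasses import dataclass

# Constructed assumption: the exposure rating the organization is willing
# to accept (the notes' "risk threshold").
RISK_THRESHOLD = 20


@dataclass(frozen=True)
class Finding:
    name: str
    sensitivity: int    # how sensitive the asset is, 1 (low) .. 5 (critical)
    severity: int       # how bad a successful exploit would be, 1 .. 5
    threat: int         # threat level, 0 (no threat exists) .. 5
    probability: float  # probability the threat exploits the weakness, 0.0 .. 1.0


def risk_exposure(risk_impact: float, probability: float) -> float:
    """Risk Exposure = Risk Impact x Probability."""
    return risk_impact * probability


def risk_exposure_detailed(sensitivity: int, severity: int, probability: float) -> float:
    """Risk Exposure = Sensitivity x Severity x Probability."""
    return sensitivity * severity * probability


def exposure_rating(severity: int, threat: int) -> int:
    """Exposure Rating = Severity^2 x Threat.

    Squaring severity weights impact more heavily than likelihood. A threat
    level of 0 yields 0: a vulnerability without a corresponding threat is
    not a risk to the organization.
    """
    return severity ** 2 * threat


def rank_findings(findings: list[Finding]) -> list[tuple[Finding, int]]:
    """Rank findings by exposure rating, highest first (risk prioritization)."""
    rated = [(f, exposure_rating(f.severity, f.threat)) for f in findings]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def needs_treatment(rating: int, threshold: int = RISK_THRESHOLD) -> bool:
    """Findings above the accepted threshold must be treated; the rest can be
    accepted ("secure enough", not 100% secure)."""
    return rating > threshold


# Constructed sample findings, not real assessment data.
SAMPLE_FINDINGS = [
    Finding("Internet-facing web server, missing patches", 4, 5, 4, 0.5),
    Finding("Internal wiki, weak password policy", 2, 3, 2, 0.25),
    Finding("Isolated lab machine, outdated kernel", 3, 4, 0, 0.0),
    Finding("HR database, no encryption at rest", 5, 4, 2, 0.75),
]


def prioritized_treatment_list(findings: list[Finding] = SAMPLE_FINDINGS) -> list[tuple[str, int, bool]]:
    """Return (name, exposure rating, needs treatment) in priority order."""
    return [(f.name, rating, needs_treatment(rating)) for f, rating in rank_findings(findings)]


if __name__ == "__main__":
    for name, rating, treat in prioritized_treatment_list():
        print(f"{rating:4d}  {'TREAT ' if treat else 'ACCEPT'}  {name}")
```

With the constructed data the web server (rating 100) and the HR database (32) exceed the threshold and are queued for treatment, the wiki (18) is accepted, and the isolated lab machine scores 0 because no threat exists for it, even though its severity is high.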
Chapter 3: Management Lifecycle

Risk Management Lifecycle
Definitions of risk:
- An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result.
- The possibility of loss because of one or more threats to information.
Definitions of risk management:
- The process of identifying, measuring, and managing risks in information systems to reduce them to a level appropriate for the value of the assets being protected.
- The process of controlling (mitigating) uncertain events that may affect information system resources.
Stages of the Risk Management Lifecycle:
1. Identify critical resources to protect.
2. Identify threats and vulnerabilities to these resources.
3. Rate the risk exposure.
4. Determine appropriate mitigation strategies.
5. Implement controls.
6. Evaluate the effectiveness of controls.
7. Monitor changes over time.
Remember: Your environment is constantly changing, requiring regular re-evaluation of threats and exposures. Triggers for re-evaluation:
- Changes in the sensitivity of target resources.
- Significant shifts in the threat landscape.
- Updates to legal or regulatory requirements.
- Changes in security policies.
- Scheduled reviews based on resource sensitivity.
The resource owner must inform the security team about any changes to the resource that might require an immediate risk assessment, outside the regular schedule. Similar to updating document classifications, risk assessments must be regularly updated based on changes in threats or resource sensitivity to stay accurate and effective.
Changes in a resource's intended use should prompt updates to its security controls. Most breaches happen when controls aren't updated to reflect changes in how resources are used. Employ a mix of preventive and detective controls to manage scope creep (uncontrolled changes) effectively. Measure how many issues are self-identified by resource owners vs those discovered by the security team. Resource owners should be responsible for protecting their own resources.
Critical resources should be reassessed periodically based on their importance. Highly critical assets may need annual evaluations, while less sensitive ones can be reviewed every 2 to 5 years.

Risk Management Workflow Stages
1. Resource Profiling
Before performing a risk assessment, a security risk profile for the resource should be created. Establish categories, levels, or tiers for your resources. The security risk profile collects details about a resource to assess its sensitivity to security risks. The profile should focus on the resource itself, not specific threats or vulnerabilities. Example: Determine if an application is internal or accessible via the internet.
2. Risk Assessment
This step includes:
  1. Risk analysis: Measuring the likelihood and severity of potential undesirable events.
  2. Vulnerability assessment: Identifying technical weaknesses.
  3. Threat modelling: Evaluating potential threats to understand risks better.
3. Risk Evaluation
After assessing risks, you must weigh and prioritize them to decide which ones to address. Options for addressing risk:
  a. Accept: Decide to accept the risk as it is.
  b. Avoid: Avoid the activity causing the risk.
  c. Transfer: Shift responsibility to another party.
  d. Mitigate: Limit the exposure to the risk.
When evaluating risk, consider indirect costs such as implementation, support, training, and decreased effectiveness costs. Balance these against the potential cost of not implementing the control. Ensure control costs do not exceed the asset's value or risk impact.
4. Documentation
Document your risk assessment and evaluation throughout the process, not just as a final stage. Details to be documented for each risk finding:
- Rating Justification
- Compensating Controls Considered
- Business Justification
- Mitigation Plans (both long- and short-term)
- Policy Exceptions/Risk Acceptance
2.1. Vulnerability Assessment
Identifies and rates weaknesses based on general exploitation knowledge, without considering the specific context or environment.
Usefulness:
- Provides metrics to assess the effectiveness of controls like patch management and server hardening.
- Identifies resources vulnerable to specific exploits or prohibited services.
- Useful for identifying weaknesses visible to attackers, as attackers often use similar scans during reconnaissance.
2.2. Risk Exposure
It describes the outcome if a vulnerability is successfully exploited by a threat. It combines the likelihood of exploitation, the severity of the exploit, and the sensitivity of the asset to determine the risk exposure rating. Avoid assuming solutions when describing the risk; focus on clearly articulating the potential impact and consequences.
Differences Between Risk Assessment and Vulnerability Assessment:
- Vulnerability Assessment: Focuses on finding and rating weaknesses without context-specific analysis.
- Risk Assessment: Maps vulnerabilities to likely threats, evaluates their severity in the specific environment, and articulates the resulting risks, considering the sensitivity and context of the resource.

Risk Management Workflow Stages (continued)
5. Mitigation Planning and Long-term Strategy
There are several options for mitigating risk, with the goal of reducing risk exposure to an acceptable level rather than eliminating it entirely. To mitigate a risk, you can:
- Reduce the likelihood of occurrence.
- Limit the severity of the impact.
- Decrease the sensitivity of the resource.
The most common risk decision is mitigation, which aims to limit the likelihood or impact of exposure. Most controls in this category focus on detection and recovery. Risk remediation involves the actual removal or patching of a vulnerability. Remediation fixes the underlying issue, while mitigation reduces exposure but does not eliminate the vulnerability.
6. Validation
After implementing controls to mitigate a risk, you must verify their effectiveness through active testing or review. Testing levels include:
- Vulnerability scanning
- Penetration testing
- Configuration review
The goal of testing is to identify areas where controls may not adequately mitigate the risk or may be misconfigured. Organizations often establish a Certification and Accreditation (C&A) process to formally document and validate these controls before an application or system goes live.
7. Monitoring and Audit
This final step in the risk management lifecycle occurs after the formal risk assessment and execution of mitigation plans. Common triggers for reassessment:
- Significant changes to resources.
- Alterations in the threat landscape.
- Shifts in business focus.
- Changes in regulatory or legal requirements.
- Detection of weaknesses in current controls.
- Elapsed predetermined time period.
A predetermined schedule is set for each resource to identify any changes that may warrant a reassessment. The schedule should be based on the resource's sensitivity level:
- High Sensitivity: 1 year
- Moderate Sensitivity: 3 years
- Low Sensitivity: 5 years
Regular assessments of the threat landscape are also necessary to identify areas needing additional attention.

Chapter 4: Risk Profiling
It is better to study this chapter from the PPT.
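The workflow stages above (risk evaluation, documentation, and monitoring and audit) fit together as one small decision-and-scheduling routine. The following is an added example, not code from the notes: the cost figures, the risk threshold, the trigger names and the sample resources are constructed assumptions, while the 1 / 3 / 5 year reassessment intervals are the ones the notes give. The treatment rule follows the cost guidance in stage 3: exposure within the threshold is accepted, a control is worth implementing only if it costs no more than the asset's value or the loss it prevents, and otherwise the activity is avoided or the risk transferred.

```python
"""Risk treatment, documentation and reassessment scheduling.

Added example for the workflow stages described above (risk evaluation,
documentation, monitoring and audit); it is not code from the original
notes. The cost figures, the risk threshold and the sample resources are
constructed assumptions; the 1 / 3 / 5 year intervals are the notes' own.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Sensitivity(Enum):
    HIGH = "high"
    MODERATE = "moderate"
    LOW = "low"


# Reassessment interval per sensitivity level (stage 7 of the notes).
REASSESSMENT_YEARS = {Sensitivity.HIGH: 1, Sensitivity.MODERATE: 3, Sensitivity.LOW: 5}

# Events that warrant reassessment before the scheduled date (stage 7 triggers);
# the identifiers are constructed for this example.
REASSESSMENT_TRIGGERS = frozenset({
    "resource_change", "threat_landscape_change", "business_focus_change",
    "regulatory_change", "control_weakness_detected",
})


@dataclass(frozen=True)
class RiskFinding:
    resource: str
    sensitivity: Sensitivity
    asset_value: float      # constructed: value of the asset at risk
    expected_loss: float    # constructed: risk exposure (potential loss x likelihood)
    control_cost: float     # constructed: implementation, support and training costs
    risk_threshold: float   # constructed: loss the organization is willing to accept


def choose_treatment(f: RiskFinding) -> str:
    """Decide accept / mitigate / avoid_or_transfer using the notes' cost rules.

    Exposure within the threshold is accepted. A control is only worth
    implementing if it costs no more than the asset's value or the loss it
    prevents; otherwise the activity should be avoided or the risk transferred.
    """
    if f.expected_loss <= f.risk_threshold:
        return "accept"
    if f.control_cost <= min(f.asset_value, f.expected_loss):
        return "mitigate"
    return "avoid_or_transfer"


def next_scheduled_review(last_assessed: date, sensitivity: Sensitivity) -> date:
    """Scheduled reassessment date: 1 / 3 / 5 years after the last assessment."""
    target_year = last_assessed.year + REASSESSMENT_YEARS[sensitivity]
    try:
        return last_assessed.replace(year=target_year)
    except ValueError:  # assessed on 29 February and the target year is not a leap year
        return last_assessed.replace(year=target_year, day=28)


def reassessment_due(last_assessed: date, sensitivity: Sensitivity,
                     today: date, events: tuple[str, ...] = ()) -> bool:
    """Due when the schedule has elapsed or a trigger event was reported.

    The resource owner is expected to report such events so that an
    assessment can happen outside the regular schedule.
    """
    if any(event in REASSESSMENT_TRIGGERS for event in events):
        return True
    return today >= next_scheduled_review(last_assessed, sensitivity)


def document_finding(f: RiskFinding, last_assessed: date,
                     compensating_controls: tuple[str, ...],
                     business_justification: str) -> dict:
    """Build the per-finding record the notes ask for in the documentation stage."""
    treatment = choose_treatment(f)
    return {
        "resource": f.resource,
        "treatment": treatment,
        "rating_justification": (f"expected loss {f.expected_loss:,.0f} against an accepted "
                                 f"threshold of {f.risk_threshold:,.0f}"),
        "compensating_controls_considered": list(compensating_controls),
        "business_justification": business_justification,
        "policy_exception_or_risk_acceptance": treatment == "accept",
        "next_scheduled_review": next_scheduled_review(last_assessed, f.sensitivity).isoformat(),
    }


# Constructed sample findings, not real assessment data.
SAMPLE_FINDINGS = (
    RiskFinding("customer database", Sensitivity.HIGH, 500_000, 80_000, 30_000, 10_000),
    RiskFinding("public marketing site", Sensitivity.LOW, 20_000, 4_000, 15_000, 10_000),
    RiskFinding("legacy kiosk terminal", Sensitivity.MODERATE, 8_000, 25_000, 40_000, 10_000),
)

if __name__ == "__main__":
    assessed = date(2024, 3, 1)
    for finding in SAMPLE_FINDINGS:
        record = document_finding(finding, assessed, ("network segmentation",),
                                  "required for order processing")
        print(record["resource"], "->", record["treatment"],
              "| next review", record["next_scheduled_review"])
```

With the constructed figures the customer database is mitigated (the control costs less than both the asset and the expected loss), the marketing site's exposure sits under the threshold and is accepted with a documented risk acceptance, and the kiosk's control would cost more than the asset is worth, so it is flagged for avoidance or transfer. The short- and long-term mitigation plans the notes require are free text and are left to the assessor rather than modelled here.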