
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Managing Risk in Information Systems

Lesson 4

Key Components of Risk Assessment

Learning Objectives

• Identify assets and activities to protect within an organization.
• Identify threats, vulnerabilities, and exploits.
• Identify and analyze risk mitigation security controls.

Key Concepts

• Identification of key activities and assets
• Recognize value of data
• Basic planning steps of a BIA
• Techniques used to identify relevant threats, vulnerabilities, and exploits
• Identify and compare procedural, technical, physical, and functional controls

DISCOVER: CONCEPTS

Risk Assessment Approaches

Quantitative Risk Assessment

Best Practices for Risk Assessment

Identifying Activities

Activities
• System access
• System availability
• System functions: manual and automated

Eliminate single points of failure (SPOF)
• Part of a system that can cause the entire system to fail
• If a SPOF fails, the entire system fails

System Access and Availability

Goal: 99.999 percent uptime
• Failover cluster
• RAID

Identifying Assets

Assets
• Hardware assets
• Software assets
• Personnel assets

People can also be single points of failure
• Hire additional personnel
• Cross train
• Job rotation

Identifying Data Assets

Protect data
• Ensure methods are available to retrieve data
• Data warehousing
• Data mining

Data and information
• Customer
• Intellectual property
• Databases

Types of Assessments

Threat Assessment

Vulnerability Assessments

Exploit Assessments

Threat Assessments

Identifies and evaluates threats
• Determines impact on confidentiality
• Determines impact on integrity
• Determines impact on availability

Vulnerability Assessments

Vulnerabilities are any weaknesses in an IT infrastructure.

Assessments identify vulnerabilities within an organization:
• Servers
• Networks
• Personnel

Entire networks can be vulnerable if access controls aren’t implemented

Internal/External Vulnerability Assessments

Internal assessments
• Security professionals exploit internal systems to learn about vulnerabilities

External assessments
• Personnel outside the company exploit systems to learn about vulnerabilities

Intrusion Detection System Outputs

IDS uses logs
Logs can be used in assessments

Verifying Rights and Permissions

Verify user rights and permissions
• Principle of least privilege

Exploit Assessments

Exploit assessments attempt to exploit vulnerabilities
• They simulate an attack to determine if the attack can succeed

An exploit test:
• Usually starts with a vulnerability test to determine vulnerabilities
• Follows with an attempt to exploit the vulnerability

In-Place Controls

Installed in an operational system

Replace in-place controls that don’t meet goals

Three primary objectives of controls:

• Prevent

• Recover

• Detect

Planned Controls

Those that have been approved but not yet installed

Identify planned controls before approving others

Vulnerabilities that planned controls mitigate still exist

Evaluate effectiveness of a planned control through research

Functional Controls: Controls Based on Function Being Performed

Preventive
• Hardening
• Patching

Detective
• Audit trails
• IDS

Corrective
• Backups
• File recovery

NIST SP 800-53 Control Families

• Access Control (AC)
• Audit and Accountability (AU)
• Awareness and Training (AT)
• Configuration Management (CM)
• Contingency Planning (CP)
• Identification and Authentication (IA)
• Incident Response (IR)
• Maintenance (MA)
• Media Protection (MP)
• Personnel Security (PS)

NIST SP 800-53 Control Families (Cont.)

• Physical and Environmental Protection (PE)
• Planning (PL)
• Program Management (PM)
• Risk Assessment (RA)
• Security Assessment and Authorization (CA)
• System and Communications Protection (SC)
• System and Information Integrity (SI)
• System and Services Acquisition (SA)

Procedural Control Examples

Policies and procedures

Security plans

Insurance and bonding

Background and financial checks

Procedural Control Examples (Cont.)

Data loss prevention program

Awareness training

Rules of behavior

Software testing

Technical Control Examples

Login identifier

Session timeout

System logs and audit trails

Data range and reasonableness checks

Firewalls and routers

Encryption

Public key infrastructure (PKI)

Firewalls and Routers

Filters traffic
• Access control lists (ACLs)

Using Digital Signatures

Physical Control Examples

Locked doors, guards, CCTV

Fire detection and suppression

Water detection

Temperature and humidity detection

Electrical grounding and circuit breakers

DISCOVER: PROCESS

Business Impact Analysis (BIA)

A business impact analysis (BIA) differentiates critical (urgent) and non-critical (non-urgent) organization functions/activities. Critical functions are those whose disruption is regarded as unacceptable. Perceptions of acceptability are affected by the cost of recovery solutions. A function may also be considered critical if dictated by law. For each critical (in scope) function, two values are then assigned:

Recovery Point Objective (RPO) – the acceptable latency of data that will not be recovered. For example, is it acceptable for the company to lose 2 days of data?

Recovery Time Objective (RTO) – the acceptable amount of time to restore the function.

The recovery point objective must ensure that the maximum tolerable data loss for each activity is not exceeded. The recovery time objective must ensure that the Maximum Tolerable Period of Disruption (MTPoD) for each activity is not exceeded.

Source: http://en.wikipedia.org/wiki/Business_continuity_planning#Business_impact_analysis_.28BIA.29
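The RPO/RTO check described above, worked through as an added example (not from the slides): each critical function carries its maximum tolerable data loss and MTPoD, and the assumed backup interval and restore time are compared against them to flag functions whose recovery arrangement would breach an objective.

```python
# Added example: does the planned backup/restore arrangement meet the RPO and
# RTO the BIA assigned to each critical function? Not code from the slides.
from dataclasses import dataclass


@dataclass
class Activity:
    name: str
    critical: bool            # in scope for the BIA?
    max_data_loss_h: float    # maximum tolerable data loss, in hours of data
    mtpod_h: float            # Maximum Tolerable Period of Disruption, hours
    backup_interval_h: float  # assumed: how often data is copied off the system
    restore_time_h: float     # assumed: time to bring the function back


def achieved_rpo(a: Activity) -> float:
    # Worst case: the failure hits just before the next backup runs, so the
    # recovered data is one full backup interval old.
    return a.backup_interval_h


def achieved_rto(a: Activity) -> float:
    return a.restore_time_h


def assess(activities):
    """Return {function name: list of findings}; an empty list means both
    objectives are met. Non-critical functions get no RPO/RTO and are skipped."""
    findings = {}
    for a in activities:
        if not a.critical:
            continue
        issues = []
        rpo, rto = achieved_rpo(a), achieved_rto(a)
        if rpo > a.max_data_loss_h:
            issues.append(f"RPO {rpo:g} h exceeds tolerable data loss {a.max_data_loss_h:g} h")
        if rto > a.mtpod_h:
            issues.append(f"RTO {rto:g} h exceeds MTPoD {a.mtpod_h:g} h")
        findings[a.name] = issues
    return findings


# Constructed sample data, not taken from the slides.
ACTIVITIES = [
    Activity("order processing", True, 1, 4, 0.25, 2),
    Activity("payroll", True, 48, 72, 24, 8),             # losing up to 2 days is acceptable
    Activity("customer portal", True, 2, 8, 24, 12),      # misses both objectives
    Activity("intranet wiki", False, 168, 336, 168, 48),  # non-critical, out of scope
]

if __name__ == "__main__":
    for name, issues in assess(ACTIVITIES).items():
        print(name, "OK" if not issues else "; ".join(issues))
```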

BIA Planning Introduction

Identifies impact of sudden loss

Define the scope

Identify objectives

Identify mission-critical functions and processes

Map functions and processes to IT systems

Assessing Vulnerabilities

Documentation review

Review logs

Vulnerability scans

Audits and personnel interviews

Process and output analysis

System testing

Process Analysis and Output Analysis

Firewall has five rules
• Use process analysis

Firewall has 100 rules
• Use output analysis

Procedure for Assessing Exploits

Identification

Mitigation

Implementation

Remediation

Suggested Steps for Implementing Security Controls

Selection of security control

Documentation of each control

Implementation of each control
• Insurance
• Avoidance
• Reduction
• Retention

DISCOVER: ROLES

Data and Information Assets

Data protected by:
• Access controls
• Backups

Data Classifications

Organization classifications
• Proprietary: highest level of protection
• Private: protected internally
• Public: freely available

Government classifications
• Top Secret
• Secret
• Confidential

Data and Information Asset Categories

• Organization
• Customer
• Intellectual property

• Data warehousing
• Data mining

Internal Threats

Internal threats
• Users with unintentional access
• Users responding to phishing attempts
• Users forwarding viruses
• Disgruntled ex-employees
• Equipment failure
• Data loss
• Attacks

External Threats

• Attacks on public-facing servers
• Weather conditions and natural disasters

Risk Mitigation Functions

Senior management

IT management

Functional management and employees

Contractors/vendors

DISCOVER: CONTEXTS

Identify Assets

First step in risk management
• You can’t plan the protection if you don’t know what you’re protecting

When do you want to identify a single point of failure?
• Before it fails?
• Or after it fails?

Threat Modeling

• What system are you trying to protect?
• Is the system susceptible to attacks?
• Who are the potential adversaries?
• How might a potential adversary attack?
• Is the system susceptible to hardware or software failure?
• Who are the users?
• How might an internal user misuse the system?

Key to Risk Management

Risk = Threat × Vulnerability
• Threat assessments help reduce the impact of threats
• Vulnerability assessments help reduce vulnerabilities
• Exploit assessments help validate actual threats and vulnerabilities

Controls Mitigate Risk

Controls reduce impact of threats

Controls reduce vulnerabilities to an acceptable level

Hundreds of controls
• Best to evaluate based on categories

DISCOVER: RATIONALE

Identify Valuable Assets

Ask a system owner
• How much downtime can you accept? Answer: “None”
• How much data loss can you accept? Answer: “None”

Then ask
• “How much money are you willing to spend?”

System Testing

Functionality testing: defining requirements

Access controls: verifying user rights and allocations

Penetration testing: verifying security countermeasures

Tests transactions with applications

Variety of Controls Needed

What is missed if only technical controls are used?

What is missed if only procedural controls are used?

What is missed if only physical controls are used?

Summary

• Identification of key activities and assets
• Recognize value of data
• Basic planning steps of a BIA
• Techniques used to identify relevant threats, vulnerabilities, and exploits
• Identify and compare procedural, technical, physical, and functional controls