PICT311 – Cyber Security in Practice
Ed Moore
Week 6
Information Security & Risk Management
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology
Definitions
Controls
Methods of risk assessment
Creating a risk rating
Implementing controls
Definitions
Definitions
Vulnerability
A weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset or system
Threat
The potential for someone to uncover a vulnerability and exploit it
Risk
The probability of a threat being realised, and the corresponding potential damage that it may cause
Exposure
An instance in which a threat agent exploits a vulnerability
Control
A measure put in place to mitigate potential losses or damage
Relationship between Risks, threats & vulnerabilities
Controls
Controls by type
Physical controls
Controls that physically prevent an attacker from entering
Fences, doors, locks, etc
Procedural controls
Processes put in place
Incident response, Disaster Recovery Plan, phishing training
Technical controls
Electronic counter-measures
Anti-virus, firewalls, etc
Compliance controls
Policies and laws in place that force compliance
Controls by function
Preventive controls
A control designed to prevent an attack from occurring
Detective controls
A control designed to detect the incident
Corrective controls
A control designed to reduce the amount of damage caused
Every control has both a type AND a function: a door lock is a physical, preventive control; a firewall is a technical, preventive control; an incident response plan is a procedural, corrective control
Risk assessment and analysis
Assessment to:
Identify an organisation's assets
Assign values to these assets
Identify each asset's vulnerabilities and threats
Calculate their associated risks
Estimate the potential loss and damage if a threat is realised
Provide solutions
Risk analysis provides:
A cost-benefit comparison
Methods of risk analysis
Methods of risk analysis
Gap analysis
Step 1: Establish the minimum set of controls
Select controls from standards or guidelines
Make a security checklist
Step 2: Analyse the gap
Check the current security level using the checklist
Analyse the gap between the current level and the necessary level of security
Methods of risk analysis
Detailed analysis
Methods of risk analysis
Quantitative & Qualitative analysis
Quantitative Analysis
Focuses on “what”
Puts monetary cost to risk (damage and recovery costs)
Qualitative Analysis
Focuses on “how”
Relative rating of risk
Methods of risk analysis
Quantitative analysis
Advantages
Risks sorted by their financial impact, assets by their financial value
Results expressed in specific management terminology
Results based on objective models
Security levels are better determined
A cost analysis can be carried out for choosing the best suited measures
Management performance closely monitored
More accurate data
Disadvantages
Calculations are complex
Difficult to implement without automated tools
No universally accepted implementation
Values of risk impacts are still based on subjective opinion
Results can be difficult to understand
The process is very complex
Methods of risk analysis
Qualitative analysis
Advantages
Easier to understand and observe the level of risk
Calculations are simple to understand and implement
No need to quantify the frequency of occurrence of the threats
No need to determine the financial value of the assets
Analysis process is easier
No need for quantitative calculation of frequency and impact
No need to estimate the cost of measures to be implemented
The most important areas of risk are evaluated
Disadvantages
The evaluation of risk and its result are subjective
Reality may be defined incorrectly due to the subjective perspective of the assessor
Performance is hard to follow due to subjectivity
A cost-benefit analysis is not carried out, which makes justifying the implementation of controls difficult
Insufficient differentiation between major risks
Results depend on the quality of the risk management team
Methods of risk analysis
Combined Risk Analysis
Identifying threats
After identifying the assets and the risks to those assets, we list them in a table
This is a basic example of some risks:
Risk No. | Vulnerability | Threat | Risk of compromise | Risk summary
1 | Patches to correct flaws in application software not installed | Malicious use; system compromise; unauthorised access | Confidentiality, Integrity | Exploitation of flaws could result in compromised confidentiality and integrity of data
2 | Patches to correct flaws in operating system not installed | Malicious use | Confidentiality, Integrity | Exploitation of flaws in the operating system could result in compromise of confidentiality and integrity of data
3 | Remote access to server console not properly monitored | System compromise; unauthorised access | Confidentiality, Integrity | Without controls in place, the confidentiality and integrity of data will be at risk
4 | Power outage in server room | System unavailable | Availability | If a power outage were to occur, systems would be unavailable for legitimate customers
Create a risk rating
Risk Likelihood
We then need to come up with a scale to assess the likelihood of our threats
This is an example of a risk likelihood scale:
Note: many scales use 5 options rather than 3 - this is simplified
Rating Definition
Low 0-25% chance of successful exercise of the threat in a 1 year period
Moderate 26-75% chance of successful exercise of the threat in a 1 year period
High 76-100% chance of successful exercise of the threat in a 1 year period
Create a risk rating
Risk Consequence (IMPACT)
We then need to come up with a scale to assess the consequences of our threats
Consequence is best defined in terms of impact upon availability, integrity and confidentiality
This is an example of a risk consequence scale:
Note: many scales use 5 options rather than 3 - this is simplified
Confidentiality Integrity Availability
Low Loss of confidentiality leads to a limited effect on the organisation Loss of integrity leads to a limited effect on the organisation Loss of availability leads to a limited effect on the organisation
Moderate Loss of confidentiality leads to a serious effect on the organisation Loss of integrity leads to a serious effect on the organisation Loss of availability leads to a serious effect on the organisation
High Loss of confidentiality leads to a severe effect on the organisation Loss of integrity leads to a severe effect on the organisation Loss of availability leads to a severe effect on the organisation
Create a risk rating
Risk Consequence (IMPACT)
It is also possible to define the consequences on a more tangible organisational effect
This is an example of a risk consequence scale:
Note: many scales use 5 options rather than 3 - this is simplified
Mission Capacity Financial loss Effect on human life
Low Temporary loss of one or more minor mission capabilities Under $5,000 Minor harm (e.g. cuts and scrapes)
Moderate Long term loss of one or more minor or temporary loss of one primary mission capability $5,000-$100,000 Significant harm
High Long term loss of one or more primary mission capabilities Over $100,000 Loss of life or life threatening injury
Create a risk rating
Risk Matrix
Determining your risk matrix is the next step
There are different variants of risk matrices and they will vary based on your previous steps
Create a risk rating
Risk Matrix
When creating risk ratings, it’s vital to remember to tailor them for the business
Be consistent with terminology (impact vs consequence)
This is an example of a 3-level risk matrix (rows: likelihood, columns: consequence)
Likelihood \ Consequence   High      Moderate  Low
High                       High      High      Moderate
Moderate                   High      Moderate  Low
Low                        Moderate  Low       Low
Create a risk rating
Risk Matrix
This is an example of a 5-level risk matrix (rows: likelihood, columns: consequence)
Likelihood \ Consequence   Insignificant  Minor     Significant  Major      Severe
Almost Certain             Medium         High      Very high    Extreme    Extreme
Likely                     Medium         Medium    High         Very high  Extreme
Moderate                   Low            Medium    Medium       High       Very high
Unlikely                   Very low       Low       Medium       Medium     High
Rare                       Very low       Very low  Low          Medium     Medium
Create a risk rating
Numeric Risk Matrix
Another option is to use numeric values
In this case, we allocate each likelihood and consequence level a number
Here we use the values 1 to 5 (1 being the lowest)
We then multiply the two numbers to get the risk rating
Create a risk rating
Numeric Risk Matrix
Likelihood \ Consequence   Insignificant (1)  Minor (2)  Significant (3)  Major (4)  Severe (5)
Almost Certain (5)         5                  10         15               20         25
Likely (4)                 4                  8          12               16         20
Moderate (3)               3                  6          9                12         15
Unlikely (2)               2                  4          6                8          10
Rare (1)                   1                  2          3                4          5
Create a risk rating
Risk appetite
Risk appetite is the level of risk that an organisation is willing to accept
After determining the risk matrix, we can take an overview of our business and determine what our risk appetite should be
This level varies a great deal from one organisation to another
Create a risk rating
Risk appetite
In this example the organisation has chosen a high risk appetite, meaning that it will accept any risk that sits below that level
Likelihood \ Consequence   Insignificant  Minor     Significant  Major      Severe
Almost Certain             Medium         High      Very high    Extreme    Extreme
Likely                     Medium         Medium    High         Very high  Extreme
Moderate                   Low            Medium    Medium       High       Very high
Unlikely                   Very low       Low       Medium       Medium     High
Rare                       Very low       Very low  Low          Medium     Medium
Create a risk rating
Risk appetite
The same can be done for a numeric risk rating. In this example the organisation has chosen a risk appetite of 9, so any risk scoring below 9 is accepted
Likelihood \ Consequence   Insignificant (1)  Minor (2)  Significant (3)  Major (4)  Severe (5)
Almost Certain (5)         5                  10         15               20         25
Likely (4)                 4                  8          12               16         20
Moderate (3)               3                  6          9                12         15
Unlikely (2)               2                  4          6                8          10
Rare (1)                   1                  2          3                4          5
Create a risk rating
Allocating risk
Now that we have set up our risk matrices, we can allocate a likelihood and consequence to each risk and read off its rating
Risk No. | Vulnerability | Likelihood | Consequence | Risk rating
1 | Patches to correct flaws in application software not installed | Likely | Significant | High
2 | Patches to correct flaws in operating system not installed | Rare | Significant | Low
3 | Remote access to server console not properly monitored | Unlikely | Severe | High
4 | Power outage in server room | Unlikely | Major | Medium
5 | Remote attack | Almost certain | Severe | Extreme
Create a risk rating
Risk Management
Mitigate
Implement controls that fix the flaw, or compensating controls that reduce the likelihood or impact associated with it
Transference
Allow another party to accept the risk on your behalf (e.g. insurance). This does not decrease the likelihood or fix the flaw, but it does reduce the overall (at least financial) impact on the organisation
Acceptance
Allow the system to operate with a known risk. This is usually done for low risk levels; it is rare but not unheard of for larger risks to be accepted
Avoidance
Remove the vulnerability entirely. This is often not an option because the system is tied to business processes
Create a risk rating
Implementing controls
Now that we have our risk matrix, we can allocate controls to reduce the likelihood and/or consequence, then re-rate the residual risk
Risk No. | Vulnerability | Likelihood | Consequence | Risk rating | Control | Adjusted likelihood | Adjusted consequence | Adjusted risk rating
1 | Patches to correct flaws in application software not installed | Likely | Significant | High | Implement software to force updates. Install protection software | Rare | Minor | Very low
2 | Patches to correct flaws in operating system not installed | Rare | Significant | Low | ACCEPT | Rare | Significant | Low
3 | Remote access to server console not properly monitored | Unlikely | Severe | High | Properly monitor | Rare | Severe | Medium
4 | Power outage in server room | Unlikely | Major | Medium | Implement UPS | Unlikely | Minor | Low
5 | Remote attack | Almost certain | Severe | Extreme | Implement use of security keys. Review access | Unlikely | Major | Medium
Create a risk rating
Review
Now that we have an updated list of risks with their controls implemented, we review.
Any risk whose adjusted rating is still above the risk appetite defined by the organisation needs additional controls (or formal acceptance).
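As an added worked example (not part of the lecture slides), the following Python encodes the 5-level qualitative matrix and the 1-to-5 numeric matrix from the slides above, rates the example register before and after the listed controls, and flags any residual risk that is not below a risk appetite of "High" (qualitative) or 9 (numeric). The function names, the abbreviated control wording and the dual appetite thresholds are assumptions made for this example; the register rows, scales and matrices are the slides' own.

```python
from dataclasses import dataclass
from typing import Optional

# Scale labels in ascending order; position + 1 is the numeric value (1 = lowest).
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Significant", "Major", "Severe"]

# Qualitative 5x5 matrix from the slides: QUALITATIVE[likelihood][consequence index].
QUALITATIVE = {
    "Almost Certain": ["Medium", "High", "Very high", "Extreme", "Extreme"],
    "Likely":         ["Medium", "Medium", "High", "Very high", "Extreme"],
    "Moderate":       ["Low", "Medium", "Medium", "High", "Very high"],
    "Unlikely":       ["Very low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Very low", "Very low", "Low", "Medium", "Medium"],
}
RATING_ORDER = ["Very low", "Low", "Medium", "High", "Very high", "Extreme"]


def _label(value: str, scale: list) -> str:
    """Normalise case ('Almost certain' -> 'Almost Certain') and validate against a scale."""
    label = value.strip().title()
    if label not in scale:
        raise ValueError(f"{value!r} is not one of {scale}")
    return label


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Read the rating off the 5x5 qualitative matrix."""
    row = QUALITATIVE[_label(likelihood, LIKELIHOOD)]
    return row[CONSEQUENCE.index(_label(consequence, CONSEQUENCE))]


def numeric_score(likelihood: str, consequence: str) -> int:
    """Multiply the 1-5 likelihood value by the 1-5 consequence value."""
    return ((LIKELIHOOD.index(_label(likelihood, LIKELIHOOD)) + 1)
            * (CONSEQUENCE.index(_label(consequence, CONSEQUENCE)) + 1))


@dataclass
class Risk:
    number: int
    vulnerability: str
    likelihood: str
    consequence: str
    control: Optional[str] = None              # None means the risk is accepted as-is
    adjusted_likelihood: Optional[str] = None  # None means the control did not change it
    adjusted_consequence: Optional[str] = None

    def residual(self):
        """Likelihood and consequence that remain after the control is applied."""
        return (self.adjusted_likelihood or self.likelihood,
                self.adjusted_consequence or self.consequence)


def assess(register, appetite_rating="High", appetite_score=9):
    """Rate each risk before and after controls; flag any residual risk not below appetite.

    As on the slides, a qualitative appetite of 'High' accepts anything rated below
    High and a numeric appetite of 9 accepts anything scoring below 9 (assumed thresholds).
    """
    limit = RATING_ORDER.index(appetite_rating)
    rows = []
    for r in register:
        lk, cs = r.residual()
        adj_rating, adj_score = qualitative_rating(lk, cs), numeric_score(lk, cs)
        rows.append({
            "number": r.number,
            "rating": qualitative_rating(r.likelihood, r.consequence),
            "score": numeric_score(r.likelihood, r.consequence),
            "control": r.control or "ACCEPT",
            "adjusted_rating": adj_rating,
            "adjusted_score": adj_score,
            "needs_treatment": RATING_ORDER.index(adj_rating) >= limit or adj_score >= appetite_score,
        })
    return rows


def score_rating_conflicts():
    """Cells with the same numeric product but different qualitative ratings."""
    by_score = {}
    for lk in LIKELIHOOD:
        for cs in CONSEQUENCE:
            by_score.setdefault(numeric_score(lk, cs), set()).add(qualitative_rating(lk, cs))
    return {s: ratings for s, ratings in by_score.items() if len(ratings) > 1}


# The register from the slides; control wording abbreviated, otherwise as listed.
REGISTER = [
    Risk(1, "Patches to correct flaws in application software not installed", "Likely", "Significant",
         "Force software updates; install protection software", "Rare", "Minor"),
    Risk(2, "Patches to correct flaws in operating system not installed", "Rare", "Significant"),
    Risk(3, "Remote access to server console not properly monitored", "Unlikely", "Severe",
         "Properly monitor console access", "Rare"),
    Risk(4, "Power outage in server room", "Unlikely", "Major", "Implement UPS", None, "Minor"),
    Risk(5, "Remote attack", "Almost certain", "Severe", "Security keys; review access", "Unlikely", "Major"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"Risk {row['number']}: {row['rating']} ({row['score']}) -> "
              f"{row['adjusted_rating']} ({row['adjusted_score']}) "
              f"{'REVIEW' if row['needs_treatment'] else 'within appetite'}")
    print("same score, different rating:", score_rating_conflicts())
```

Running the script rates risks 1, 3 and 5 above appetite before controls and all five within appetite afterwards. The last line is the practical caveat behind the slides' advice to stay consistent with one scale: the product score and the colour matrix are not interchangeable, since a score of 4 is "Medium" for Rare/Major and Likely/Insignificant but only "Low" for Unlikely/Minor. Pick one method for the register and use it for both the initial and the adjusted rating.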
The end
Week 6 External Forum
This week we are looking at Information Security Risk Management.
Firstly, watch the brief talk given at the RSA 2016 conference (this has some very interesting TED-talk-like speakers on various issues in IT security) on the issues with Defence in Depth (although the speaker proclaims it is dead, it is still very current in industry). Then look at the SANS white paper on risk assessment and finally a brief video on risk identification.
Your task
Your educational institution is moving a database of student details (IDs, email addresses, grades) to the cloud for access by a group of lecturers and tutors.
You are a security analyst and have been asked to produce a Threat and Vulnerability Assessment. Using p5 of