
Index

Introduction

Definitions

Relationship

Risk Management

  1. Asset Identification
    Analysis of the organisation's main assets and the value they have for it. This is crucial to be able to understand and analyse the impact of a risk on the organisation.

  2. Threat Assessment
    Analysis of which entities could pose a threat to the organisation, so as to understand them better and be able to ascertain what they would like from an organisation.

  3. Vulnerability Assessment
    Testing of the organisation’s systems, policies, procedures and physical environment to determine socio-technical and physical vulnerabilities that threats could exploit.

  4. Risk Assessment
    Combination of the three previous analyses to analyse the risks the organisation faces.

  5. Risk Treatment
    A consideration of the best course of action (Reduce, Transfer, Avoid or Accept the risk) to mitigate a risk, based on the risk analysis.

  6. Risk Monitoring
    A process of continuously updating the previous analyses to identify changes in terms of assets, threats, vulnerabilities and resulting risks, in order to determine whether the risk treatment needs to change.

Asset categories

Threat and Vulnerability Assessment

Asset valuation

The value of an asset is prioritised by the contribution it makes to the business. This may include:

Threat Assessment

Threat assessment identifies the threats to an organisation and the likely culprits of attacks.

Threat Agents

The threat agent is someone or something that may give rise to a threat. It is the likely culprit of a risk to the organisation. Threat agents can be natural, accidental, or malicious.

Threat agent Characteristics:

Threat Assessment Methodology

Formula:

$TC = (Q * 4) + (T * 3) + (H * 7) + (U * 6) + Pr$

| Factor \ Score | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| Group Size (Q) | 1-25 | 26-50 | 51-100 | 101-200 | 201-300 | >300 |
| History of relevant activity (H) | None | Intermittent | Occasional | Occasional | Regular | Regular and widespread |
| Technical expertise (T) | None | Very limited | Limited | Limited | Adequate | High level |
| Prowess within community (Pr) | Not part of a group | Peripheral interest | Interest within group | Significant within group | Important within group | Very important within group |
| Reason for target selection (U) | Curiosity | Rebellion | Criminal Gain | Criminal Gain | Belief | Revenge, religion, racism, nationalism |
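The scoring above, worked through in code as an added example (not part of the original notes): `threat_capability` applies the TC formula to per-factor scores taken from the table's 1 to 6 columns and rejects anything outside that range, while `rank_agents` orders constructed agents by TC. The agent names and their scores are assumptions for illustration only.

```python
# Constructed example, not from the original notes: scores a threat agent
# with TC = (Q*4) + (T*3) + (H*7) + (U*6) + Pr using per-factor scores
# from the 1..6 columns of the table above, and ranks agents by TC.

WEIGHTS = {"Q": 4, "T": 3, "H": 7, "U": 6, "Pr": 1}  # Pr has weight 1
MIN_SCORE, MAX_SCORE = 1, 6                           # table columns

def threat_capability(scores):
    """Return TC for a dict of factor -> score.

    Rejects missing or unknown factors and scores outside the table, so a
    typo in a register entry fails loudly instead of silently skewing TC.
    """
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for factor, score in scores.items():
        if factor not in WEIGHTS:
            raise ValueError(f"unknown factor {factor!r}")
        if not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{factor}={score} outside {MIN_SCORE}..{MAX_SCORE}")
    return sum(WEIGHTS[f] * scores[f] for f in WEIGHTS)

TC_MIN = threat_capability({f: MIN_SCORE for f in WEIGHTS})  # 21
TC_MAX = threat_capability({f: MAX_SCORE for f in WEIGHTS})  # 126

def capability_pct(scores):
    """Where TC sits in the attainable range [TC_MIN, TC_MAX], as 0..100."""
    return round(100 * (threat_capability(scores) - TC_MIN) / (TC_MAX - TC_MIN), 1)

def rank_agents(agents):
    """Sort {name: scores} by TC, most capable first."""
    return sorted(((threat_capability(s), name) for name, s in agents.items()),
                  reverse=True)

# Hypothetical agents with constructed scores, for illustration only.
SAMPLE_AGENTS = {
    "curious individual":            {"Q": 1, "T": 2, "H": 1, "U": 1, "Pr": 1},
    "organised criminal group":      {"Q": 3, "T": 5, "H": 5, "U": 3, "Pr": 5},
    "ideologically motivated group": {"Q": 4, "T": 3, "H": 4, "U": 5, "Pr": 4},
}

if __name__ == "__main__":
    for tc, name in rank_agents(SAMPLE_AGENTS):
        print(f"TC={tc:3d} ({capability_pct(SAMPLE_AGENTS[name]):5.1f}%)  {name}")
```

Because H carries the largest weight, a group with a regular record of relevant activity outranks a more technically skilled one with no history, which is the point of weighting the factors rather than summing them.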

Vulnerability Assessment

Vulnerability categories

Assurance Techniques

Techniques that allow us to establish the level of assurance we have about how secure a system is.

Different techniques to find vulnerabilities in systems

The least suitable techniques in this case may be the testing techniques, such as penetration testing and vulnerability scans, since any issue caused by these more active assurance techniques entails a risk of information loss and infrastructure unavailability.

The actual context and domain of the organisation should also be considered (e.g. testing the security of an ordinary IT system is not the same as testing a nuclear power plant). In particular, if the organisation has a web-based application, one could consider the potential ways in which attackers might exploit it.

Also, you may need to check for social engineering, for instance with regard to those custodians of the paper-based records.

Then, from the available possibilities, the most cost-effective ones should be chosen: that is, those with the lowest cost of performing them but which are most effective at discovering vulnerabilities.

Risk Assessment and Management

Risk Register:

Qualitative Risk Assessment

A qualitative risk analysis prioritizes the identified project risks using a pre-defined rating scale. Risks will be scored based on their probability or likelihood of occurring and the impact on project objectives should they occur.

Risk = Likelihood (Threat × Vulnerability) × Impact

Quantitative Risk Assessment

A quantitative risk analysis is a further analysis of the highest-priority risks, during which a numerical or quantitative rating is assigned in order to develop a probabilistic analysis of the project.

The Annualized Rate of Occurrence (ARO) is a business-friendly measure of the probability of an event: how often it is expected to happen during a year.

The Annual Loss Expectancy (ALE) is a business-friendly measure of a risk in a quantitative risk assessment approach. It is calculated based on the annual rate of occurrence (ARO) and the single loss expectancy (SLE) for each risk.
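A worked example of the quantitative approach, added here and not part of the original notes: annual loss expectancy as SLE × ARO for a constructed malware-outbreak risk, and the standard cost-benefit test (ALE before, minus ALE after, minus the annual cost of the control) for choosing among countermeasures. The `Risk` and `Countermeasure` classes, the cost-benefit rule and every figure are assumptions, not values from the page.

```python
from dataclasses import dataclass

# Constructed example, not from the original notes: quantitative risk
# assessment with ALE = SLE x ARO, then the standard cost-benefit test for
# a countermeasure (ALE before - ALE after - annual control cost). The
# cost-benefit rule and all figures are assumptions, not taken from the page.

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: loss from one occurrence
    aro: float  # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    new_sle: float  # SLE once the control is in place
    new_aro: float  # ARO once the control is in place

def control_value(risk: Risk, cm: Countermeasure) -> float:
    """Net annual benefit of applying cm to risk: positive means the control
    saves more than it costs (a Reduce that pays); negative means it is
    cheaper to Accept the risk or look for another treatment."""
    residual_ale = Risk(risk.name, cm.new_sle, cm.new_aro).ale()
    return risk.ale() - residual_ale - cm.annual_cost

def best_control(risk: Risk, options):
    """Return the (value, control) pair with the highest positive net benefit,
    or None when no option pays for itself (including an empty option list)."""
    value, cm = max(((control_value(risk, c), c) for c in options),
                    key=lambda pair: pair[0], default=(0.0, None))
    return (value, cm) if value > 0 else None

# Constructed figures for a malware-outbreak risk (hypothetical values).
MALWARE = Risk("malware outbreak", sle=20_000, aro=2.0)  # ALE 40,000 per year
ANTI_MALWARE = Countermeasure("endpoint anti-malware", 8_000, 20_000, 0.25)
BACKUPS = Countermeasure("tested offline backups", 4_000, 5_000, 2.0)
MANAGED_SOC = Countermeasure("outsourced 24x7 monitoring", 50_000, 20_000, 0.125)
OPTIONS = [ANTI_MALWARE, BACKUPS, MANAGED_SOC]

if __name__ == "__main__":
    for cm in OPTIONS:
        print(f"{cm.name:28s} net benefit {control_value(MALWARE, cm):>10,.0f}")
```

Note that a control can lower either the SLE (backups shrink the loss per incident) or the ARO (anti-malware makes incidents rarer); the comparison only works once both are expressed as ALE.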

Risk Treatment and Monitoring

Risk Treatment

Risk Monitoring

The frequency of monitoring may vary according to the type of threat:

The whole risk management cycle should be repeated over time, as some threats might disappear completely and new threats might emerge. The interval will depend largely upon the risk appetite of the organisation and may well be documented in a risk management strategy or policy document.

Challenge for Risk Management

Security Organisation, Policies, and Compliance

Security Culture

Information Security is more than just technical countermeasures. It is as much about people as it is about anything else. People have to be educated, motivated and appropriately regulated.

New CISO

Responsible for protecting their organisation’s computers, networks and data against threats, such as security breaches, computer viruses or attacks by cyber-criminals.

Four faces

Challenges

CISO Position

The CISO should ideally be part of the board of directors of GANT. This is due to a number of reasons, which we could divide into two categories:

Authority within the organisation

External incentive

Security Roles

Security Policies

Policy

A high-level statement of an organisation’s values, goals and objectives in a specific area.

A policy doesn’t say how it should be implemented, but it states the end-goal.

Standard

More prescriptive than a policy, a standard quantifies what needs to be done and provides consistency in controls that can be measured.

A standard is designed to support policy and states what must be done and how it should be achieved.

Procedure

A set of detailed working instructions that describe what, when, how and by whom something should be done.

Guideline

Guidelines provide advice, direction and best practice in instances where it is often difficult to regulate how something should be done.

Compliance

Check compliance

Externally imposed requirements

Risk assessment and management are key elements that inform the security policy hierarchy, but they are not the only ones. For instance, an organisation also needs to comply with external requirements.

Statutory requirements

Statutory requirements are legal requirements that must be fulfilled. For instance, law enforcement agencies must be contacted should certain laws be broken or be suspected of having been broken; the downloading of child pornography would be such a case. Compliance with these requirements may influence how an enterprise’s incident reporting procedures are organised: for example, how, when and by whom should the authorities be contacted? Privacy legislation such as the Data Protection Act will influence how information is stored and managed within the enterprise and how resources are deployed to ensure that it complies with this legislation.

Regulatory requirements

Regulatory requirements are often imposed by trade bodies, and they specify how an enterprise should operate to conform to certain standards. Although they are not legal obligations, regulatory bodies have extensive powers, and failure to comply could lead to possible fines or, in extreme cases, exclusion from trading in a particular environment. The finance sector is a good example of this as it maintains strict controls to prevent financial malpractices such as fraud or money laundering.

Advisory requirements

Advisory requirements may arise from government agencies or utility companies and may provide advice as to what arrangements should be put into place to help cope with instances such as fires, natural disasters and acts of terrorism. These requirements are not legally binding and are generally issued to help encourage best practice.

Security Controls

Preventative security attempts to stop a vulnerability from being exploited.
Detective security tries to discover whether an attack is underway.
Reactive security tries to respond to an attack and reduce its impact.

Types

Adequate level of protection

First of all, recall that any decisions on the security controls to be implemented should be based on a risk analysis. In this case, there is a need to balance the risk of malware against the costs of purchasing and implementing countermeasures.

A good starting point would be to:

Other countermeasures could also be considered depending on the financial capability of GANT (e.g. a network firewall or IDS).

Relevant legislation for Security Control

Legislation applies to all types of security controls: technical, physical and procedural. Whether writing policy, designing CCTV or other monitoring systems, procuring storage and backup from third parties, everything needs to be checked against relevant legislation.

Privacy laws exist to protect the rights of individuals.

The rights of employees are also vital to consider.

Finally, it is worth emphasising that most of the time when gathering information we care only about the meta-data (data about data), not the data itself.

Cloud Computing Security

Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. It is useful as it allows a small company to gain access to powerful computers that would normally be out of reach.

Legal implications: GANT must consider the physical location of services (Data Protection rules), access to information (the cloud provider can read all data), whether GANT can audit the cloud provider (to verify that it is keeping the data secure), and legal issues around the cloud provider's sub-contractors.

Security Risks: Cloud providers can be hacked and the information leaked publicly. This is an example of risk-sharing: while the cloud provider is liable, the leaked data can still be embarrassing to the organisation. Data can also be deleted or lost if the cloud provider suffers a crash and does not keep regular backups, or it might not be deleted completely when required.

Data Deletion is complicated by:
    • Multiple copies of data
    • Virtualization
    • Multiple users (data gets tangled together)
    • Multiple components
    • Multiple logical layers
    • Underlying hardware (e.g. different storage media such as SSDs)
    • Third-party and offline backups (e.g. other services, tapes)

Security Economics

Moral Hazard

A moral hazard is a situation in which one party gets involved in a risky event knowing that it is protected against the risk.

In Information Security, this would apply when people engage in activities that can cause an Information Security risk thinking they are somehow protected.

For instance, one may engage with riskier and less secure websites thinking that the anti-malware they have installed will protect them.

Market for Lemons

The market for lemons was an example introduced by Akerlof (Nobel prize winner) in 1970 to explain the concept of asymmetric information in economics.

It presents the following simple yet profound insight: suppose that there are 100 used cars for sale in a town: 50 well-maintained cars worth 2000 dollars each, and 50 lemons (said of a car that turns out to have several manufacturing defects not apparent to the buyer) worth 1000 dollars. The sellers know which is which, but the buyers don’t. What is the market price of a used car? You might think 1500 dollars; but at that price no good cars will be offered for sale. So the market price will be close to 1000 dollars. This is one reason poor security products predominate. When users can’t tell good from bad, they might as well buy a cheap antivirus product for 10 dollars as a better one for 20 dollars, and we may expect a race to the bottom on price.

Business Continuity Management (BCM)

Business continuity management (BCM) is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creation activities.

Business Continuity Plan

  1. Assigning responsibilities
    • Senior management must approve the plan.
    • Likely an appointment at boardroom or executive level to oversee, and an appointment to take the programme forward.
  2. Establishing and implementing the plan
    • Scope, aim and objectives, and the activities required if the plan is triggered, i.e. What are the likely problems that will pop up? How can we deal with them?
  3. Ongoing management
    • Regular review of the continuity plan (i.e. it can easily become out of date and no longer reflect real business operations). Similar to the Plan-Do-Check-Act model.

In order to create an effective business continuity plan, we need to:

Business impact analysis

Business impact analysis predicts the consequences of disruption of a business function and process, and gathers information needed to develop recovery strategies.

First, list products that could be disrupted and for each identified product, consider the impact of disruption in terms of stakeholders and the organisation’s ability to meet its aims and objectives.

Secondly, we need to figure out the maximum length of time for which the disruption can be managed without interrupting the business. In other words, if a service or a product is disrupted, how long will it take for the disruption to be felt by the business in terms of profit, reputation, etc.?

We also need to identify the recovery time objective (RTO), which is a point in time at which each key product or service would need to be resumed in the event of a disruption.

Finally, we need to identify the critical activities necessary to deliver the products and services. These are the activities that we need to protect, and in order to do that we need to quantify the resources (people, premises, technology, information, suppliers, etc.) required over time to maintain these activities at an acceptable level and meet our RTO.

Developing and implementing the business continuity plan

Outline:

The plan must be exercised regularly in order to ensure that arrangements are reliable.

Discussion based exercises

Bring staff together and inform them about their responsibilities. Discuss with staff to identify problems and solutions.

Testing

Not everything can be tested, however, you can consider the contact list, activation process and the relied upon hardware such as communication lines, power supply, etc.

Table-top exercise (i.e. think board games)

In this exercise, you bring staff together around a table to make decisions as events unfold, in the same way as if the incident had actually happened. This can take between a couple of hours and half a day. The benefit of this format is that it can generate high levels of realism and lets everyone get to know each other.

Live exercise

Live exercises are necessary for some components such as evacuation that cannot be tested effectively in any other way. While single component tests are relatively simple to set up, full tests are much more complex and can be costly.

Disaster recovery

Main goals

Recovery Plan Contents

BCM and DR

Disaster recovery is that part of business continuity that addresses the need to recover IT services, voice services and data following a business-threatening impact.

Disaster recovery prioritises those services and information that are critical to the business. It includes planning for crisis situations and having in place the means to identify incidents, contain them and recover from them.

Usable Security

According to the Computing Research Association, usable security means “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future”. One example is the indicators in browsers about whether a connection is secure (HTTPS) or insecure (HTTP).