10 Class 03: Read Cyber Risk Analysis - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction


Organizations face an almost dizzying array of cybersecurity risks, ranging from the reputational and financial damage associated with a breach of personal information to the operational issues caused by a natural disaster. The discipline of risk management seeks to bring order to the process of identifying and addressing these risks.

This page covers the security model, security fundamentals, best practices that support the CIA triad, risk management, and the best practices associated with it.

Let's start with the goals of a security model.

Goals Of a Security Model


Source

The article discusses the goals of a security model, which should support the mission of the organization and be based on its risk tolerance. The security model is composed of different layers that have different types of goals to be accomplished in different time frames.

Operational goals are daily goals that focus on productivity and task-oriented activities to ensure the company's functionality in a smooth and predictable manner. These goals may include patching computers as needed, supporting users, updating anti-virus signatures, and maintaining the overall network on a daily basis.

Tactical goals are corresponding mid-term goals that involve moving computers into domains, installing firewalls, and segregating the network by creating a demilitarized zone. Other tactical goals could include integrating all workstations and resources into one domain so more central control can be achieved.

Strategic goals are long-term goals that involve significant changes, such as moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users, and integrating wireless technology with the comprehensive security solutions and controls existing within the environment.

The article emphasizes that planning is critical for implementing changes in an organization. The approach to strategy is called the planning horizon, and it requires companies to implement changes gradually because some changes are larger than others, and some changes cannot happen until others take place.

Security fundamentals: CIA


Source

The CIA Triad is a typical security framework intended to guide policies for information security within an organization.

Confidentiality

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.

Key areas for maintaining confidentiality:

  • Social engineering. Training and awareness, defining separation of duties at the tactical level, enforcing policies and conducting vulnerability assessments
  • Media reuse. Proper sanitization strategies
  • Eavesdropping. Use of encryption and keeping sensitive information off the network with adequate access controls

Integrity

The integrity of information denotes protecting sensitive information from being modified or damaged by unauthorized parties.

Key areas for maintaining integrity:

  • Implement encryption using integrity-based algorithms
  • Prevent intentional or malicious modification (message digest, MAC, digital signatures)

Availability

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.

Key areas for maintaining availability:

  • Prevent single point of failure
  • Comprehensive fault tolerance (data, hard drives, servers, network links, etc.)

Best practices to support CIA

  • Separation of duties. Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of duties is a preventative control.

  • Mandatory vacations. Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.

  • Job rotation. Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.

  • Least privilege. Allowing users to have only the required access to do their jobs.

  • Need to know. In addition to clearance, users must also have a “need to know” to access classified data.

  • Dual control. Requiring more than one user to perform a task.

Analyzing Risk


In an enterprise risk management (ERM) program, organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.

Before we move too deeply into the risk assessment process, let's define a few important terms:

  • Threats. Any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
  • Threat agent. The entity which carries out the attack.
  • Vulnerabilities. Weaknesses in our systems or controls that could be exploited by a threat.
  • Risks. Occur at the intersection of a vulnerability and a threat that might exploit that vulnerability. A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
  • Controls. Physical, administrative and technical protections.

Let's consider an example drawn from the cybersecurity domain. Organizations regularly conduct vulnerability scans designed to identify potential vulnerabilities in their environment. One of these scans might identify a server that exposes TCP port 22 to the world, allowing brute-force SSH attempts by an attacker. Exposing port 22 presents a vulnerability to a brute-force attack. An attacker (threat agent) with a brute-force scanning tool presents a threat. The combination of the port exposure and the existence of attackers presents a risk.

In this case, you don't have any way to eliminate attackers, so you can't really address the threat, but you do have control over the services running on your systems. If you shut down the SSH service and close port 22, you eliminate the vulnerability and, therefore, also eliminate the risk.

Of course, we can't always completely eliminate a risk, because it is not always feasible to shut down systems. We might instead take action that mitigates the risk.

Lifecycle of Risk Management


The lifecycle of risk management passes through several steps:

  • Risk Identification
  • Risk Calculation
  • Risk Assessment

Let's dive deep into them.

Risk Identification


The risk identification process requires identifying the threats and vulnerabilities that exist in the organization. Indeed, it is important to be aware of the different categories of risks, because risks can come from a wide variety of sources.

  • External Risks. Those risks that originate from a source outside the organization.
  • Internal Risks. Those risks that originate from within the organization.
  • Multiparty Risks. Those that impact more than one organization.
  • Legacy Systems. Pose a unique type of risk to organizations.
  • Intellectual Property (IP) Theft Risks. Occur when an organization possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.
  • Software compliance/licensing risks. Occur when an organization licenses software from a vendor and intentionally or unintentionally runs afoul of usage limitations that expose the customer to financial and legal risk.

Risk Calculation


Not all risks are equal, and it is important to weigh which are the most likely to occur in conjunction with their impact. This process is known as risk calculation.

When we evaluate any risk, we do so by using two different factors:

  • The likelihood of occurrence
  • Impact

Using these two factors, we can assign each risk to a conceptual score by combining them together.

Risk Severity = Likelihood x Impact

It's important to point out that this equation does not always have to be interpreted literally. Although you may wind up multiplying these values together in some risk assessment processes, it's best to think of this conceptually as combining the likelihood and impact to determine the severity of a risk.

Additionally, the laws and regulations facing an industry may play a significant role in determining the impact of a risk. For example, an organization subject to the EU's GDPR (European Union's General Data Protection Regulation) faces significant fines if it has a data breach affecting the personal information of EU residents. The size of these fines would factor significantly into the impact assessment of the risk of a privacy breach.

Risk Assessment


Risk assessments are a formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner. Risk assessments follow one of two different analysis methodologies:

  • Quantitative risk assessments
  • Qualitative risk assessments

Most quantitative risk assessment processes follow a similar methodology that includes the following steps:

1. Determine the asset value (AV) of the asset affected by the risk. The asset value is expressed in dollars, or other currency.

2. Determine the likelihood that the risk will occur. This is expressed as the number of times the risk is expected each year and is described as annualized rate of occurrence (ARO).

3. Determine the amount of damage that will occur to the asset if the risk materializes. This is known as the exposure factor (EF) and is expressed as the percentage of the asset expected to be damaged.

4. Calculate a single loss expectancy. The single loss expectancy (SLE) is calculated by multiplying the AV by the EF.

5. Calculate the annualized loss expectancy. The annualized loss expectancy (ALE) is calculated by multiplying the SLE and the ARO.

It is important to note that these steps assess the quantitative scale of a single risk: that is, one combination of a threat and a vulnerability.
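The five steps above carried through in code, as an added example that is not part of the original notes. The asset, EF, ARO and control cost figures are constructed for illustration; the block also goes one step beyond the procedure by comparing the ALE reduction a control delivers against its annual cost, which is how the quantitative figures are later used to decide whether a control is justified.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair with the inputs of a quantitative assessment."""
    name: str
    asset_value: float      # step 1: AV, in currency units
    exposure_factor: float  # step 3: EF, fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # step 2: annualized rate of occurrence (expected events per year)

    def sle(self) -> float:
        """Step 4: single loss expectancy = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 5: annualized loss expectancy = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's yearly cost.
    A positive result means the numbers justify adopting the control."""
    return before.ale() - after.ale() - annual_control_cost


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Order risks so the ones with the largest expected annual loss come first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed figures, not taken from any real assessment: a customer database worth
# 500,000 that ransomware is expected to hit once every four years (ARO 0.25),
# destroying 60% of its value each time.
RANSOMWARE = Risk("ransomware on customer DB", asset_value=500_000,
                  exposure_factor=0.6, aro=0.25)

# The same risk after adding offline backups (constructed): damage per event drops to
# 10% of the asset while the likelihood of an event is unchanged.
RANSOMWARE_WITH_BACKUPS = Risk("ransomware on customer DB (with backups)",
                               asset_value=500_000, exposure_factor=0.1, aro=0.25)

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}")   # 300,000
    print(f"ALE = {RANSOMWARE.ale():,.0f}")   # 75,000
    net = control_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, annual_control_cost=20_000)
    print(f"net annual value of backups = {net:,.0f}")   # 42,500
```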

On the other hand, qualitative risk assessment techniques seek to overcome the limitations of quantitative techniques by substituting judgement for objective data. Qualitative techniques still use the same probability and magnitude factors to evaluate the severity of a risk, but do so using subjective categories.

Managing Risk


Risk management is the process of systematically addressing the risks facing an organization. The risk assessment serves two important roles in the risk management process:

  • The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first.
  • Quantitative risk assessments help determine whether the potential impact of a risk justifies the costs incurred by adopting a risk management approach.

Risk managers should work their way through the risk assessment and identify an appropriate management strategy for each risk included in the assessment. They have four strategies to choose from:

  • Risk Mitigation. Is the process of applying security controls to reduce the probability and/or magnitude of a risk.
  • Risk Avoidance. Is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize.
  • Risk Transference. Shifts some of the impact of a risk from the organization experiencing the risk to another entity.
  • Risk Acceptance. Is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.

Risk Analysis


Key terms:

  • Inherent Risk. The original level of risk facing an organization before any controls are implemented.
  • Residual Risk. The risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk.
  • Risk Appetite. The level of risk that an organization is willing to accept as a cost of doing business.

Disaster Recovery Planning


Disaster Recovery Planning (DRP) is the discipline of developing plans to recover operations as quickly as possible in the face of a disaster. The disaster recovery planning process creates a formal, broad disaster recovery plan for the organization and, when required, develops specific functional recovery plans for critical business functions.

Definition of disaster. A disaster is any event that has the potential to disrupt an organization's business.

Business Impact Analysis


The Business Impact Analysis (BIA) is a formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions.

  • Mean Time Between Failures (MTBF). Is a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures.
  • Mean Time To Repair (MTTR). Is the average amount of time to restore a system to its normal operating state after a failure.
  • Recovery Time Objective (RTO). Is the amount of time that an organization can tolerate a system being down before it is repaired.
  • Recovery Point Objective (RPO). Is the amount of data that the organization can tolerate losing during an outage.

Each of these metrics allows the organization to evaluate the impact of different risks on its operations and the acceptability of the state of its disaster recovery controls.

As organizations evaluate the state of their environment, they should pay particular attention to single points of failure.

Privacy


Cybersecurity professionals are responsible for protecting the confidentiality, integrity and availability of all information under their care.

When privacy breaches occur, they clearly have a negative impact on the individuals whose information was lost in the breach. Those individuals may find themselves exposed to identity theft and other personal risks. Privacy breaches also have organizational consequences for the business that loses control of personal information.

Organizations seeking to codify their privacy practices may adopt a privacy notice that outlines their privacy commitments.

Sensitive Information Inventory


The first step in managing this sensitive data is developing an inventory of the types of data maintained by the organization and the places where it is stored, processed, and transmitted.

Organizations should include the following types of information in their inventory:

  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Financial information
  • Government information

Information Classification


Information classification programs organize data into categories based on the sensitivity of the information and the impact on the organization should the information be inadvertently disclosed.

The four major classification categories are:

  • Top Secret. Information that requires the highest degree of protection.
  • Secret. Information that requires a substantial degree of protection.
  • Confidential. Information that requires some protection.
  • Unclassified. Information that does not meet the standards for classification under other categories.

Data Roles and Responsibilities


One of the most important things an organization can do to protect its data is to create clear data ownership policies and procedures. Using this approach, the organization designates specific senior executives as the data owners for different data types.

Clear lines of data ownership place responsibility for data in the hands of executives who best understand the impact of decisions about that data on business.

It is important to be familiar with some important data privacy roles:

  • Data Controllers. Entities who determine the reasons for processing personal information and direct the methods of processing that data.
  • Data Stewards. Individuals who carry out the intent of the data controller and are delegated responsibility from the controller.
  • Data Custodians. Individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information.
  • Data Processors. Service providers that process personal information on behalf of a data controller.

Information Lifecycle


At the early stage of the data lifecycle, organizations should practice data minimization, where they collect the smallest possible amount of information necessary to meet their business requirements.

While information remains within the care of the organization, the organization should practice purpose limitation. This means that information should be used only for the purpose for which it was originally collected and to which the data subjects consented.

At the end of the data lifecycle, the organization should implement data retention standards that guide the end of the data lifecycle. Data should only be kept for as long as it remains necessary to fulfill the purpose for which it was originally collected. At the conclusion of its lifecycle, data should be securely destroyed.

Privacy Enhancing Technologies


If we can't completely remove data from a dataset, we can often transform it into a format where the original sensitive information is anonymized.

The de-identification process removes the ability to link data back to an individual, reducing its sensitivity.

An alternative to de-identifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation.

  • Hashing. Uses a hash function to transform a value in our dataset to a corresponding hash value.
  • Tokenization. Replaces sensitive values with a unique identifier using a lookup table.
  • Data Masking. Redacts sensitive information by replacing some or all of sensitive fields with blank characters.
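The three obfuscation techniques above applied to a constructed set of records, as an added example that is not part of the original notes. It assumes nothing beyond the Python standard library; the records, the vault key and the token format are made up for illustration. The hashing step uses a keyed hash (HMAC) rather than a bare hash, because a field with few possible values, such as an SSN, can otherwise be recovered by hashing every candidate and comparing.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample records; every value here is fictitious.
RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "card": "4111111111111111", "zip": "02139"},
    {"name": "Bob Example",   "ssn": "987-65-4321", "card": "5500000000000004", "zip": "94105"},
    {"name": "Alice Example", "ssn": "123-45-6789", "card": "4111111111111111", "zip": "02139"},
]

# Hashing: the same input always maps to the same digest, so analysts can still join
# or count records per person. The secret key keeps a low-entropy field from being
# recovered by enumeration; it is generated per run here and would live in a secrets
# store in practice, never alongside the de-identified dataset.
HASH_KEY = secrets.token_bytes(32)


def hash_value(value: str, key: bytes = HASH_KEY) -> str:
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


# Tokenization: replace the value with an opaque identifier and keep the mapping in a
# separately protected lookup table. Only the holder of the table can reverse a token.
class TokenVault:
    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)   # constructed token format
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


# Masking: replace the sensitive characters with a fill character, optionally keeping a
# trailing suffix (the familiar "last four digits" display). Punctuation and spaces stay.
def mask(value: str, keep_last: int = 4, fill: str = "X") -> str:
    head = value[:len(value) - keep_last] if keep_last else value
    tail = value[-keep_last:] if keep_last else ""
    return "".join(fill if ch.isalnum() else ch for ch in head) + tail


def deidentify(record: dict, vault: TokenVault) -> dict:
    """Apply a different technique to each field according to how it will be used."""
    return {
        "name": mask(record["name"], keep_last=0),  # fully redacted
        "ssn": hash_value(record["ssn"]),           # joinable across records, not reversible
        "card": vault.tokenize(record["card"]),     # reversible only through the vault
        "zip": record["zip"],                       # kept for coarse geographic analysis
    }
```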

Privacy and Data Breach Notification


In the unfortunate event of a data breach, the organization should immediately activate its cybersecurity incident response plan.

Organizations may also have a responsibility under national and regional laws to make public notifications and disclosures in the wake of a data breach.

Questions


1. Consider a bank ATM that allows users to access bank account balances. What measures can the ATM incorporate to cover the principles of the CIA triad?

The bank ATM can ensure confidentiality, integrity and availability by encryption, digital signature and redundancy measures.

2. Name three best practices that support the CIA triad.

  • Separation of duties
  • Job rotation
  • Least privilege

3. What are the three stages of the risk management lifecycle? What is each stage’s main goal or objective?

The three stages of the risk management lifecycle are:

  1. Risk Identification
  2. Risk Calculation
  3. Risk Assessment

The main objective of risk identification is to identify potential risks and vulnerabilities that could impact the organization, including external and internal risks, multiparty risks, legacy systems, intellectual property theft risks, and software compliance/licensing risks.

The main goal of risk calculation is to evaluate the likelihood and impact of identified risks to determine their severity. The risk severity is calculated by combining the likelihood and impact of the risk, and the laws and regulations of the industry may also factor into the impact assessment.

The main objective of risk assessment is to prioritize and manage the identified risks in a structured manner. This stage involves two analysis methodologies: quantitative and qualitative risk assessments.