Risk is a crucial element in all our lives. In every action we plan to take in our personal and professional lives, we need to analyze the risks associated with it. From a cyber security perspective, industries such as energy, healthcare, banking, insurance, and retail involve many risks that impede the adoption of technology and that need to be managed effectively. The risks that need to be addressed evolve quickly and must be handled within a short period of time.

Computing technology is not restricted to Mainframes and PCs anymore. Both simple and advanced devices are now part of our everyday lives, ranging from road signs to intelligent vending machines to advanced diagnosing medical services. Each of these new types of devices needs to be secured since they all have their own requirements regarding Confidentiality, Integrity, and Availability of the data or resources they provide.

Risk management involves a comprehensive understanding and analysis of risk, together with risk mitigation techniques, to ensure that organizations achieve their information security objectives. Risk is inherent in every aspect of information security decision-making, and risk management concepts help make each decision effective.

The major components of Security and Risk Management crucial for CISSP are:

  • Information security within the organization / Security Model
  • The triad of information security – Confidentiality, Integrity and Availability
  • Security governance principles
  • Business continuity requirements
  • Policies, standards, procedures, and guidelines
  • Risk management concepts
  • Threat modeling

Goals of a Security Model

The two primary objectives of information security within the organization from a risk management perspective include:

  • Have controls in place to support the mission of the organization.
  • All decisions should be based on the organization's risk tolerance, cost, and benefit.

Figure 1: Security Model

  • Strategy leads to Tactics; Tactics lead to Operations.

Operational goals may include patching computers as needed, supporting users, updating anti-virus signatures, and maintaining the overall network on a daily basis. Corresponding tactical goals could involve moving computers into domains, installing firewalls, and segregating the network by creating a demilitarized zone. Then, the strategic goals may refer to having all domains centrally administered and implementing VPNs and RADIUS servers to provide a highly secure environment that provides a good amount of assurance to the management and employees.

  • A security model has different layers, but it also has different types of goals to accomplish in different time frames. Daily goals, or operational goals, focus on productivity and task-oriented activities to ensure the company’s functionality in a smooth and predictable manner. Mid-term goals, or tactical goals, could mean integrating all workstations and resources into one domain so more central control can be achieved. A long-term goal, or strategic goal, may involve moving all the branches from dedicated communication lines to frame relay, implementing IPSec virtual private networks (VPNs) for all remote users instead of dial-up entry, and integrating wireless technology with the comprehensive security solutions and controls existing within the environment.
  • This technique and approach to strategy is called the planning horizon. A company cannot usually implement all changes at once, and some changes are larger than others. Often, certain changes cannot happen until other changes have taken place. If an organization whose network is currently decentralized, working in workgroups without any domain trust, wants to implement its own certificate authority (CA) and public key infrastructure (PKI) enterprise-wide, this cannot happen in a week’s time. The operational goals are to keep production running smoothly and to take small steps toward readying the environment for a domain structure. The tactical goal would be to put all workstations and resources into a domain structure and centralize access control and authentication. The strategic goal is to have all workstations, servers, and devices within the enterprise use the public key infrastructure to deliver authentication, encryption, and additional secure communication channels.

Generally, security works best if its operational, tactical, and strategic goals are defined and work to support each other. This can be more difficult than it appears.

Security Fundamentals 

Confidentiality, integrity and availability (the CIA triad) form a typical security framework intended to guide policies for information security within an organization.

1. Confidentiality: Prevent unauthorized disclosure

Confidentiality of information refers to protecting the information from disclosure to unauthorized parties.

Key areas for maintaining confidentiality:

  • Social Engineering: Training and awareness, defining Separation of Duties at the tactical level, enforcing policies and conducting Vulnerability Assessments
  • Media Reuse: Proper Sanitization Strategies
  • Eavesdropping: Use of encryption and keeping sensitive information off the network with adequate access controls

2. Integrity: Detect modification of information

The integrity of information denotes protecting the sensitive information from being modified by unauthorized parties.

Key areas for maintaining integrity:

  • Encryption – Integrity based algorithms
  • Intentional or Malicious Modification
    • Message Digest (Hash)
    • MAC
    • Digital Signatures
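To make the difference between a message digest and a MAC concrete, here is an added example (not code from the original article) that uses only the Python standard library. The key and the two messages are constructed sample values, and the "modifier" is simulated by recomputing the checksum over a changed message. Digital signatures are left out because they need a third-party library.

```python
# Added example (not from the original article): detecting modification of a
# message with a plain SHA-256 digest and with a keyed MAC (HMAC-SHA256).
# The key and messages below are constructed sample values.
import hashlib
import hmac


def sha256_digest(data: bytes) -> str:
    """Message digest: a fingerprint of the data; no secret is involved."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, digest: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_digest(data), digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Message authentication code: a fingerprint bound to a shared secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag with the key and compare in constant time, so the
    comparison itself does not leak how many bytes of the tag matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def integrity_check_demo() -> dict:
    """Run both mechanisms through two scenarios and report what each caught."""
    key = b"constructed-shared-secret-key"         # assumption: shared out of band
    original = b"transfer 100.00 to account 4521"  # constructed sample message
    tampered = b"transfer 900.00 to account 4521"  # same message, amount changed

    digest = sha256_digest(original)   # stored next to the message
    tag = hmac_tag(key, original)      # stored next to the message

    # Scenario 2: whoever changed the message also recomputes the checksum.
    # Without a secret this is always possible; without the key it is not.
    forged_digest = sha256_digest(tampered)
    forged_tag = hmac_tag(b"guessed-key", tampered)

    return {
        # Both mechanisms accept the unmodified message.
        "digest_accepts_original": verify_digest(original, digest),
        "mac_accepts_original": verify_hmac(key, original, tag),
        # Scenario 1: message changed, stored checksum left alone. Both catch it.
        "digest_catches_plain_edit": not verify_digest(tampered, digest),
        "mac_catches_plain_edit": not verify_hmac(key, tampered, tag),
        # Scenario 2: a plain digest is fooled; the MAC is not.
        "digest_fooled_by_recomputation": verify_digest(tampered, forged_digest),
        "mac_rejects_tag_made_without_key": not verify_hmac(key, tampered, forged_tag),
    }


if __name__ == "__main__":
    for check, passed in integrity_check_demo().items():
        print(f"{check}: {passed}")
```

The takeaway for the integrity bullet above: a hash alone only detects accidental change or change by someone who cannot reach the stored checksum; a MAC (or a digital signature) is what detects intentional modification by a party who can touch both the data and its checksum.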

3. Availability: Provide timely and reliable access to resources

Availability of information signifies ensuring that all the required or intended parties are able to access the information when needed.

Key areas for maintaining availability:

  • Prevent single points of failure
  • Comprehensive fault tolerance (Data, Hard Drives, Servers, Network Links, etc.)

Best Practices to Support CIA

  • Separation of Duties: Prevents any one person from becoming too powerful within an organization. This policy also provides singleness of focus. For instance, a network administrator who is concerned with providing users access to resources should never be the security administrator. This policy also helps prevent collusion as there are many individuals with discrete capabilities. Separation of Duties is a preventative control.
  • Mandatory Vacations: Prevents an operator from having exclusive use of a system. Periodically, that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.
  • Job rotation: Similar in purpose to mandatory vacations, but with the added benefit of cross-training employees.
  • Least privilege: Allowing users to have only the required access to do their jobs.
  • Need to know: In addition to clearance, users must also have “need to know” to access classified data.
  • Dual control: Requiring more than one user to perform a task.

Risk Management

Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring, which we will discuss in the later part of this article.

The success of a security program can be traced to a thorough understanding of risk. Without proper consideration and evaluation of risks, the correct controls may not be implemented. Risk assessment ensures that we identify and evaluate our assets, then identify threats and their corresponding vulnerabilities.

Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can then make an informed decision as to which mitigation method best suits our needs. And finally, as with all elements of a security policy, ongoing evaluation is essential. New attacks and other threats are always emerging, and security professionals must stay informed and up to date.

Risk – Key points to be aware of

  • Every decision starts with looking at risk.
  • Determine the value of your assets.
  • Evaluate and identify cost-effective solutions to reduce risk to an acceptable level (rarely can we eliminate risk).
  • Keep in mind that safeguards are proactive and countermeasures are reactive.

The following definitions are crucial for risk management:

  • Asset: Anything of value to the company
  • Vulnerability: A weakness; the absence of a safeguard
  • Threat: Anything that could pose a risk to all or part of an asset
  • Threat Agent: The entity which carries out the attack
  • Exploit: An instance of compromise
  • Risk: The probability of a threat materializing
  • Controls: Physical, Administrative and Technical Protections
    • Safeguards
    • Countermeasures

Multiple scenario-based use cases are evaluated in CISSP, based on the following general sources of risk:

  • Weak, unpatched or non-existent anti-virus software
  • Disgruntled employees posing an internal threat
  • Poor physical security controls
  • Weak access controls
  • Lack of change management
  • Lack of formal processes for hardening systems
  • Poorly trained users and lack of awareness

The following outline represents the lifecycle of Risk Management:

  • Risk Assessment
    • Categorize, Classify and Valuate Assets
    • Know/Identify Threats and Vulnerabilities
  • Risk Analysis
    • Qualitative
    • Quantitative
  • Risk Mitigation/Response
    • Reduce/Avoid
    • Transfer
    • Accept/Reject

Each section within the lifecycle is crucial for CISSP and has been further defined below:

Risk Assessment:

  • Looks at risks corresponding to identified parameters for a specific period and must be reevaluated periodically. Managing risks is an ongoing process.
  • The following steps are officially part of a Risk Assessment as per NIST 800-30:
    • System Characterization
    • Threat Identification
    • Vulnerability Identification
    • Control Analysis
    • Likelihood Determination
    • Impact Analysis
    • Risk Determination
    • Control Recommendation
    • Results Documentation

Risk Analysis:

  • Determining a value for a risk.
  • Qualitative vs. Quantitative
    • Qualitative analysis (subjective, judgment-based)
      • Subjective in nature
      • Uses words like “high,” “medium,” “low” to describe the likelihood and the severity of impact of a threat exposing a vulnerability
    • Quantitative analysis (objective, numbers driven)
      • More experience required than with qualitative analysis
      • Involves calculations to determine a dollar value associated with each risk element
      • Business decisions are fundamentally driven by this type of analysis.
      • Essential for a cost/benefit analysis
      • Key pointers to be remembered
        • AV – Asset Value
        • EF – Exposure Factor
        • ARO – Annual Rate of Occurrence
        • Single Loss Expectancy (SLE) = AV * EF
        • Annual Loss Expectancy (ALE) = SLE * ARO
        • Cost of control should be the same or less than the potential for loss.
  • Risk Value = Probability * Impact
    • Probability: How likely is the threat to materialize?
    • Impact: What is the extent of the damage?
    • These could also be referred to as likelihood and severity.

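The quantitative formulas above (SLE = AV * EF, ALE = SLE * ARO, and the rule that a control should cost no more than the loss it prevents) and the qualitative Risk = Probability * Impact rating are easiest to remember when carried through on numbers. The following is an added example, not from the original article; the asset value, exposure factors, occurrence rate and control cost are constructed, and the High/Medium/Low scoring table is an assumption, since the article gives no specific mapping.

```python
# Added example (not from the original article): the article's quantitative
# risk formulas applied to a constructed scenario, plus a simple qualitative
# rating. All dollar figures, factors and the scoring table are made up.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is expected incidents per year and may be below 1
    (an incident every four years is an ARO of 0.25)."""
    if aro < 0.0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a control: loss avoided per year minus what the control
    costs per year. A non-negative result satisfies the rule that the cost of
    a control should be no more than the potential for loss."""
    return (ale_before - ale_after) - annual_control_cost


# Assumed scoring table for qualitative analysis (not from the article).
QUALITATIVE_SCORE = {"low": 1, "medium": 2, "high": 3}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Risk = Probability * Impact, using words instead of dollar values."""
    score = QUALITATIVE_SCORE[likelihood.lower()] * QUALITATIVE_SCORE[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def worked_scenario() -> dict:
    """Constructed scenario: a file server worth $200,000; a ransomware incident
    is expected to destroy 40% of that value and to occur once every four years.
    The candidate control is an offline backup service at $6,000 per year that
    cuts the exposure factor to 10% (restore from backup) and leaves ARO as is."""
    av, ef, aro = 200_000.0, 0.40, 0.25
    sle = single_loss_expectancy(av, ef)            # 80,000
    ale = annual_loss_expectancy(sle, aro)          # 20,000 per year

    sle_after = single_loss_expectancy(av, 0.10)    # 20,000
    ale_after = annual_loss_expectancy(sle_after, aro)  # 5,000 per year
    value = control_value(ale, ale_after, 6_000.0)  # 15,000 avoided - 6,000 = 9,000

    return {
        "sle": sle,
        "ale": ale,
        "ale_after": ale_after,
        "control_value": value,
        "recommend_control": value >= 0.0,
        # Same risk expressed qualitatively: medium likelihood, high impact.
        "qualitative": qualitative_risk("medium", "high"),
    }


if __name__ == "__main__":
    for name, value in worked_scenario().items():
        print(f"{name}: {value}")
```

Reading the result: the control avoids $15,000 of expected annual loss for $6,000 a year, so it passes the cost/benefit test; had the backup service cost $16,000 a year, the same arithmetic would argue for accepting or transferring the risk instead.
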
Mitigating Risk

  • Three acceptable risk responses:
    • Reduce
    • Transfer
    • Accept
  • Continue to monitor for risks
  • How we decide to mitigate business risks becomes the basis for Security Governance and Policy.

Security Governance

The goal of security governance is to ensure that security strategies, goals, risks and objectives are assessed according to a top-down model. By doing so, we ensure that those ultimately responsible for the success or failure of a security program are directly involved.

To achieve security governance, security blueprints have to be created to allow organizations to implement practices and procedures to support their security goals and the overall mission of the organization. Various industry consortiums have provided insight into the goals, objectives, and means of developing successful Information Security Management Systems (ISMS).

The following industry standards provide multiple frameworks that could be reviewed when creating security baselines to achieve security governance:

  • BS 7799, ISO 17799, and 27000 Series
  • COBIT and COSO
  • OCTAVE
  • ITIL

Approach to Security Management

Poor security management causes the majority of a company’s security problems. Security needs to be directed and supported by top management, referred to as the top-down approach, because without that, any security efforts will be doomed. Unfortunately, most companies follow a bottom-up approach, where the IT department takes security seriously and attempts to develop a security program. This approach usually will not provide those individuals with the necessary funds, support, resources, or attention. Thus, it is often doomed from the start.

An Information Security Management Program primarily consists of the following key areas to be aware of:

  • Roles and Responsibilities
  • Policies/Standards/Procedures/Guidelines
  • Service Level Agreements (SLAs)/Outsourcing
  • Data Classification/Security
  • Auditing

Senior management’s roles and responsibilities across the following areas are generally evaluated for CISSP and are crucial for the overall understanding of security risk management for any organization.

  • Development and Support of Policies: Senior management is responsible for the company-wide policies within an organization. These policies should be high-level statements from management that detail the company’s philosophy and commitment to security. Additionally, it is management’s responsibility to ensure the enforcement of these policies, and to lead by example.
  • Allocation of Resources: Senior management is also responsible for providing the necessary resources to enable policies to be carried out. A true understanding of issues regarding liability is necessary in order to justify the resources.
  • Decisions based on Risk: It is senior management’s task to be the ultimate decision-makers for the organization. Once provided with the facts from a risk analysis, it is up to management to make decisions on forms of Risk Mitigation.
  • Security Policy: The organization’s security policy is a high-level document that contains generalized terms of management’s directive pertaining to security’s role within the organization. It establishes how a security program will be set up, dictates the program’s goals, assigns responsibility, shows the background, and explains the strategic and tactical values of security. It explains how enforcement will be carried out and addresses the laws and regulations that it fulfills. It will provide scope and direction for all future activities within the organization. After the security policy is defined, the next step is creating the standards, guidelines, procedures, baselines, etc. The Security Policy should always support the strategic goals of the organization.


Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan
