Security+: Risk Mitigation Strategies (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Once a thorough risk analysis has been performed, various solutions can be implemented, including avoidance, transference, acceptance, mitigation, and deterrence. The following sections describe the various risk-mitigation strategies, such as change management, incident response, user rights and permission reviews, routine audits, policy and procedure enforcement to prevent data loss and theft, and enforcement of technology controls. The understanding of these strategies is also significant for the aspirants of Security+ exam.
Change management is the process of making sure that the change doesn’t affect the security of an organization’s IT infrastructures, such as computers, networks, or IT procedures. A change in a secure IT environment can introduce loopholes, overlaps, oversights, and missing objects that can produce new vulnerabilities. To manage the change, the change management team maintains security through extensive planning, logging, testing, auditing, and monitoring the activities regarding security controls.
Once the change management is performed successfully, its record can be used to identify the agents of change. These agents can be subjects, objects, programs, or communication channels.
If the change doesn’t work properly, the change management team is responsible for rolling back that change to a previous secured state. The change management has various goals, including:
- Detailed auditing and documentation of the change so that it can be scrutinized and reviewed by management, later on.
- Complete documentation of all changed or unchanged software tools, computer systems, servers, and various other devices in order to avoid theft or misuse.
- A testing process to verify that the change is fruitful.
- Systematic analysis of the effects of the change.
A parallel run is an example of change management. It is, in fact, a system deployment testing technique whereby both the old and the new system are run in parallel to determine that the new system performs the same required functions as its predecessor. If their functionality is the same, then the new system can be replaced with the older one. Under such circumstances, it can be said that the change management has taken place successfully.
Incident management is the detection and monitoring of security events in an organization’s IT infrastructure and the execution of countermeasures and safeguards in the light of the organization’s security policies, as well as local laws and regulations. The first step of incident management is incident handling, which involves two important terms:
- Incident: A bad event that affects the confidentiality, integrity, or availability of data.
- Event: Something that takes place or happens during a certain period.
The proper management and implementation of the security policy is the best practice to identify incidents. Thus, the security policy must contain the list of all potential violations and the ways to deal with them. In additional, the list must occasionally be updated so that newly emerging threats and violations can be included in it.
Moreover, an incident takes place when a violation or an attack is carried out against an enterprise’s IT infrastructure. An incident has four general categories: scanning, data breach, malicious code, or denial of services. The attackers can use one or more of these four areas to compromise a system. While developing the security policy, the organizations must consider these four areas in order to reduce the chances of an incident’s occurrence. Most enterprises have their own dedicated teams who are responsible for investigating computer security incidents. These dedicated teams are known as computer security incident response teams (CSIRTs) or simply computer incident response teams (CIRTs). If an incident takes place, the CIRT has four primary responsibilities:
- Determine the cost of damage inflicted by the incident
- Determine if any sensitive data and information was stolen during the incident
- Implement recovery procedures
- Oversee the implementation of additional security safeguards and countermeasures necessary to prevent the incident from happening again
User Rights and Permission Reviews
User rights and permission reviews constitute a review of assigned resources and system privileges. A privilege is a level of permission or access granted to users to perform a particular task. Assignment of privileges is designed to limit job responsibilities and prevent unauthorized access. The principle of least privilege is a rule of thumb in the realm of security. It suggests that employees should be granted only that level of access that is required to perform a particular assigned task, rather than giving users unlimited access.
Misuse of privileges is called privilege escalation or privilege abuse. Privilege abuse occurs when a user attempts to gain unauthorized access to higher-level privileges, such as stealing login details of an administrative account.
Reviewing and auditing of privileges and access should be performed frequently to track and monitor privilege assignment, usage, and the unauthorized escalation.
Perform Routine Audits
Performing routine audits or reviews of system security is the fundamental element of an organization’s security management. Hence, auditing should be carried out periodically across the organization, both of physical facility elements and logical infrastructure components. In addition, security management should perform routine audits of the storage and the retention policies that define how long the data will be retained.
Enforce Policies and Procedures to Prevent Data Theft or Loss
Data theft prevention must be a part of an organization’s security infrastructure. Data theft is committed not only by external actors but also by internal users. Security management must implement the precautions, deterrents, and prevention techniques to mitigate the risk of data theft. Besides, they should also perform a proper “backup and restoration” solution to prevent data loss due to an accident, malicious code, or oversight. Another great method to thwart data leakage or loss is data loss prevention (DLP). DLP techniques include hardware and software tools to detect and prevent unauthorized access to sensitive data.
Enforce Technology Controls
Technology control techniques are used to prevent data from theft or leakage. Various technology controls include DLP solutions, on-device storage encryption, tracking and logging, multifactor authentication, and granular authentication. As already mentioned, a DLP solution ensures that a user doesn’t send sensitive data or information outside of the company network. DLP monitors and flags unauthorized activities, such as print and fax operations, copy/paste, and a screen capture that involve sensitive data.
On-device storage encryption makes the data inaccessible even if the device is stolen or physically destroyed. Multifactor authentication mitigates the risk of unauthorized access via impersonation. Furthermore, detailed tracking and logging monitor the users who interact with the valuable data. Granular authentication aims at reducing the risk of data loss by limiting the accounts that have access to sensitive data.
InfoSec Security+ Boot Camp
Fortunately, the InfoSec Institute offers a Security+ Boot Camp that teaches you the information theory and reinforces theory with hands-on exercises that help you learn by doing.
Moreover, the InfoSec Institute has been one of the most awarded (42 industry awards) and trusted information security training vendors for 17 years.
InfoSec also offers thousands of articles on all manner of security topics.