Week 3 - Risk Management

Uploaded by

joshrobsuk

Week 3: Cyber Risk Management

Contents
Week 3: Cyber Risk Management................................................................................................................1

Threats, Vulnerability & Risk....................................................................................................................2

Terms...................................................................................................................................................2

Identifying Assets....................................................................................................................................3

Identifying Vulnerabilities........................................................................................................................3

Identifying Threats...................................................................................................................................4

Devices................................................................................................................................................4

Vulnerability Assessment.........................................................................................................................4

Sources................................................................................................................................................5

Risk Management....................................................................................................................................6

Risk Assessment......................................................................................................................................7

Risk Analysis............................................................................................................................................7

Quantitative.........................................................................................................................................8

Qualitative...........................................................................................................................8

Risk Mitigation.........................................................................................................................................9

Risk Mitigation – Ways to manage...........................................................................................................9

Accept..................................................................................................................................................9

Avoid....................................................................................................................................................9

Mitigate/Reduce................................................................................................................................10

Transfer..............................................................................................................................................10

Business Policies....................................................................................................................................10
Threats, Vulnerability & Risk
Attackers want to access assets such as data and intellectual property from computers, smartphones and
tablets. Analysts must prepare for any type of attack, as it is their job to secure the organization's
network.

Terms
To do this, an analyst must identify three key aspects.

- Assets – Items of value to the organization that must be protected: data, end devices and
infrastructure devices.

- Vulnerabilities – A weakness in the system that can be exploited by a malicious user.

- Threats – Any potential danger to an asset.

Other key terms

- Attack Surface – The total sum of vulnerabilities in a system that a malicious user can use to gain
access. Attack surfaces are the points where an attacker can get into the system and where they can
extract data.

- Exploit – The mechanism used to take advantage of a vulnerability to compromise an asset. Exploits
may be remote or local: a remote exploit is used without any prior access to the network, while a
local exploit is executed on the network by an attacker who already has some permissions, either
user or administrator.

- Risk – The likelihood that a threat will exploit a vulnerability of an asset and result in undesirable
consequences.
Identifying Assets
- The collection of all devices and information owned or managed by the organisation are its assets

- These assets must be inventoried and assessed for the level of protection needed to counter
attacks

- Asset management is the inventory of assets and the development and implementation of policies
and procedures to protect them.

- This task can be difficult, as many organizations must protect internal users, resources, mobile
workers and cloud-based or virtual services

- Organizations need to identify where critical information is stored and how access is gained to
that information

- Information assets vary as do the threats they face. Each asset attracts different threat actors
who have different skill levels and motivation.

Identifying Vulnerabilities
- Threat identification provides an organization with a list of likely threats for a particular
environment

Questions to ask.

- What are the possible vulnerabilities of a system?

- Who may want to exploit those vulnerabilities to access specific information assets? Think
about their competency (skill level).

- What are the consequences if system vulnerabilities are exploited and assets are lost?

An example of this for e-banking would be:

- Internal system compromise – Attackers use an exposed e-banking server to break into the internal
bank system

- Stolen customer data – Attackers steal the personal and financial data of bank customers from the
customer database.

- Phony transactions from an external server – Attackers alter the code of the e-banking application and
make transactions by impersonating a legitimate user
Identifying Threats
Organizations must use a defence-in-depth approach to identify threats and secure assets. This uses
multiple layers of security at the network edge, within the network and at network endpoints.

- A router screens traffic before forwarding it to a dedicated firewall appliance such as a Cisco ASA

- Routers and firewalls are not the only devices used in defence in depth

- Other security devices include intrusion prevention systems (IPS), advanced malware protection
(AMP), web and email content security systems, identity services, network access controls and
more.

The layers of defence in depth must work together to create a security architecture in which the failure of
one safeguard does not affect the effectiveness of the other safeguards.

Devices
Edge Router – First line of defence. Has rules on what traffic to accept or deny, and passes all connections
intended for the internal LAN to the firewall

Firewall – Second line of defence. Performs additional filtering and tracks the state of connections; it denies
initiation of connections from untrusted networks to the trusted network while allowing internal users to
establish connections to those untrusted networks

Internal Router – Applies final filtering before traffic is forwarded to its final destination

Vulnerability Assessment
Sources
- Hardware & software design flaws

- Lack of security monitoring

- Unencrypted data

- Lack of user training

- OWASP Top 10

- Poor patch management

- Inadequate network defence


Risk Management
Risk management is the process that balances operational costs of providing protective measures with
gains achieved by protecting assets.

There are 4 ways to manage risk.

- Risk Acceptance – When the cost of risk management outweighs the cost of the risk, the risk is
accepted and no action is taken

- Risk Avoidance – Avoiding any exposure to the risk by eliminating the activity, thus losing any
benefits from the activity

- Risk Reduction – Reduces the exposure to risk. The most commonly used risk mitigation strategy; it
requires careful evaluation of the costs of loss and the benefits gained from the activity or operation

- Risk Transfer – Some or all of the risk is transferred to a willing 3rd party, such as an insurance company

Risk Assessment
A risk assessment identifies, assesses and implements key security controls in a system. It also focuses on
preventing security defects and vulnerabilities. Risk assessments address the following issues:

- Asset identification

- Creating risk profiles for each asset

- Understanding what data is stored, transmitted and generated by those assets.

- Assessing asset criticality regarding business operations, including impacts to revenue,
reputation and likelihood of exploitation

- Measuring the risk ranking for assets and prioritising them for assessment

- Applying mitigation controls for each asset based on assessment results.

There are 4 steps in risk assessment.

- Identification – Determine all critical assets of the technology infrastructure, diagnose the sensitive
data that is created, stored and transmitted by those assets, and create a risk profile for each.

- Assessment – Administer an approach to the identified security risks for critical assets; after
evaluation, determine how to effectively allocate time and resources towards risk mitigation.

- Mitigation – Define a mitigation approach and enforce security controls for each risk

- Prevention – Implement tools and processes to minimize threats and vulnerabilities from
occurring in your firm's resources

Risk Analysis
- Identify assets and their value.

- Identify vulnerabilities and threats.

- Quantify the probability and impacts of threats.

- Balance the impact of the threat against the cost of the countermeasure.

There are two approaches.

- Quantitative Analysis – Assigns numbers to the risk analysis process, based on cost to the organisation
and on frequency

- Qualitative Analysis – Based on user opinions and scenarios


Quantitative

Based on the financial impact and the occurrence of the risk, leading to an overall yearly cost.

The value is based on the assessment of the assets.

The occurrence is based on research or current trends.

The exposure factor is how many of these assets are on the server.
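A worked example of the quantitative analysis just described, added here and not part of the original notes. It uses the standard single loss expectancy and annualised loss expectancy formulas (SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence), which is the usual reading of the notes' value, exposure factor, occurrence and overall yearly cost, and it applies the notes' rule that a risk is accepted when managing it would cost more than the risk itself. The asset names, values and control costs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Asset:
    name: str
    value: float            # asset value (AV) from the asset assessment
    exposure_factor: float  # share of the value lost per occurrence, 0.0 to 1.0
    aro: float              # annualised rate of occurrence, from research or trends


def sle(asset: Asset) -> float:
    """Single loss expectancy: value lost each time the threat materialises."""
    return asset.value * asset.exposure_factor


def ale(asset: Asset, aro: Optional[float] = None) -> float:
    """Annualised loss expectancy: SLE scaled by yearly frequency (overall yearly cost)."""
    return sle(asset) * (asset.aro if aro is None else aro)


def rank_by_ale(assets: List[Asset]) -> List[str]:
    """Risk ranking: highest expected yearly loss first, to prioritise assessment."""
    return [a.name for a in sorted(assets, key=ale, reverse=True)]


def net_benefit(asset: Asset, aro_after: float, annual_cost: float) -> float:
    """Yearly saving of a countermeasure that lowers the ARO, minus what the control costs."""
    return ale(asset) - ale(asset, aro_after) - annual_cost


def treatment(asset: Asset, aro_after: float, annual_cost: float) -> str:
    """Balance threat impact against countermeasure cost: reduce when the control
    pays for itself, accept when managing the risk costs more than the risk."""
    return "reduce" if net_benefit(asset, aro_after, annual_cost) > 0 else "accept"


# Constructed sample assets (hypothetical figures, not from the notes).
CUSTOMER_DB = Asset("customer database", value=500_000, exposure_factor=0.4, aro=0.25)
WEB_SERVER = Asset("public web server", value=20_000, exposure_factor=0.5, aro=2.0)

if __name__ == "__main__":
    for a in (CUSTOMER_DB, WEB_SERVER):
        print(f"{a.name}: SLE={sle(a):,.0f} ALE={ale(a):,.0f}")
    print("priority:", rank_by_ale([WEB_SERVER, CUSTOMER_DB]))
    # A 15,000/yr control that halves the database ARO to 0.125 saves 25,000/yr: worth it.
    print("database:", treatment(CUSTOMER_DB, aro_after=0.125, annual_cost=15_000))
    # An 18,000/yr control that cuts web-server incidents to 0.5/yr saves only 15,000/yr.
    print("web server:", treatment(WEB_SERVER, aro_after=0.5, annual_cost=18_000))
```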

Qualitative

NIST standard 800-53 states that risk assessment requires knowledge of

- Threats

- Potential vulnerabilities

- Likelihood and impacts of exploiting a vulnerability


Risk Mitigation
In creating a risk mitigation strategy there are 5 steps to follow

- Identify the risk

- Perform a risk assessment.

- Prioritize – Prioritize which risks are most important to resolve.

- Track risks – Track risks and monitor whether new developments counter your resolution.

- Implement and monitor progress – Perform tests to see if the controls in place are still effective.

Risk Mitigation – Ways to manage

Accept
Risks posed by threats or vulnerabilities that will not significantly impact your assets. Accepting a risk means
other controls can cover the issue without needing a dedicated countermeasure.

Low-impact and contract risks such as viruses and malware can be identified and controlled by controls
such as firewalls and anti-malware programs.

Accepting risk does not reduce the effects of the risk; however, if the likelihood of loss is low, why deploy
expensive countermeasures?

Avoid
Seeks to eliminate the possibility of the risk by avoiding the activity that creates the exposure to it.

This, however, will limit a company's opportunities, such as not collecting sensitive data, not allowing
remote access or avoiding trends such as BYOD.

Mitigate/Reduce
Reduces the possibility of severe loss while participating in an activity by applying security controls,
which requires knowledge of potential vulnerabilities.

The most common strategies are user training, monitoring, authentication and least privilege

Transfer
Risk transfer is a common risk management approach where the potential loss from an adverse result
faced by the organization is shifted to a 3rd party.

Common items transferred are:

- Physical Security

- Insurance

- Outsourcing security functions

- Cloud Security Provisions

Business Policies
These policies are guidelines developed by an organisation to govern its actions; they usually outline
the expected behaviour of the business and its employees.

Company Policies

- Establish rules of conduct and the responsibilities of both employees and employers

- Protect the rights of workers and the business's interests

Employee Policies

- Created and maintained by HR.

- Salary, Pay Schedule, Employee Benefits, Schedule


Security Policies

- Outlines rules for behaviour

- Defines legal consequences.

- Gives security staff backing of management.

- Demonstrates the organization's commitment to security.

- Multiple policies under this define how users must act or conform to standards

o Password policies

o Incident handling policies

o Network maintenance policies

o Remote access policies

BYOD Policies

BYOD is a new trend in work that allows reduced costs to the company on assets, but with a greater
risk of a security breach. Therefore, this policy will outline:

- Who may use their own devices

- Which devices are supported

- The rights of security staff over personal assets

- Regulations employees must adhere to

- Safeguards that will be put in place if a device is compromised

Some other BYOD policies for the employee will be:

- Password-protected access

- Backing up data

- Enable “Find my device” – Device locator with remote wipe.

- Company provided antivirus.
