PLEASE ASSIGN THE SAME WRITER WHO DID 63564 AND 62922. Please answer the questions and I will send you a response from another student so you can do the second part of the task. Feel free to send it anytime before the due date.
Instructions

PICT311 – Cyber Security in Practice
Ed Moore
Week 6: Information Security & Risk Management
Faculty of Arts | Department of Security Studies and Criminology

Lecture Outline
• Definitions
• Controls
• Methods of risk assessment
• Creating a risk rating
• Implementing controls

Definitions
• Vulnerability: a weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset or system
• Threat: someone uncovering a vulnerability and exploiting it
• Risk: the probability of a threat being realised, and the corresponding potential damage that it may cause
• Exposure: when a threat agent exploits a vulnerability
• Control: a measure put in place to mitigate potential losses or damage

Relationship between risks, threats & vulnerabilities

Controls
• Physical controls: controls that physically prevent an attacker entering (fences, doors, locks, etc.)
• Procedural controls: processes put in place (incident response, disaster recovery plan, phishing training)
• Technical controls: electronic counter-measures (anti-virus, firewalls, etc.)
• Compliance controls: policies and laws in place that force compliance
• Preventive controls: a control designed to prevent an attack from occurring
• Detective controls: a control designed to detect the incident
• Corrective controls: a control designed to reduce the amount of damage caused

Risk assessment and analysis
Assessment to:
• Identify an organisation’s assets
• Assign values to these assets
• Identify the assets’ vulnerabilities and threats
• Calculate their associated risks
• Estimate potential loss and damage if a threat is realised
• Provide solutions
Risk analysis provides:
• Cost/benefit comparison

Methods of risk analysis

Gap analysis
• Establish the minimum set of controls
  – Select controls from standards or guidelines
  – Make a security checklist
• Analyse the gap
  – Check the security level using the checklist
  – Analyse the gap between the current level and the necessary level of security

Detailed analysis

Quantitative & qualitative analysis
• Quantitative analysis: focuses on “what”; puts a monetary cost to risk (damage and recovery costs)
• Qualitative analysis: focuses on “how”; gives a relative rating of risk

Quantitative analysis
Advantages:
• Risks sorted by their financial impact, assets by their financial value
• Results expressed in specific management terminology
• Results based on objective models
• Security levels are better determined
• A cost analysis can be implemented for choosing the best suited measures
• Management performance closely monitored
• More accurate data
Disadvantages:
• Calculations are complex
• Difficult to implement without automated tools
• No universally accepted implementation
• Values of risk impacts are based on subjective opinion
• Results can be difficult to understand
• The process is very complex

Qualitative analysis
Advantages:
• Easier to understand and observe the level of risk
• Calculations are simple to understand and implement
• No need to quantify the frequency of occurrence of the threats
• No need to determine the financial value of the assets
• Analysis process is easier
• No need for quantitative calculation of frequency and impact
• No need to estimate the cost of measures to be implemented
• The most important areas of risk are evaluated
Disadvantages:
• The evaluation of risk and its result are subjective
• Reality may be defined incorrectly due to the subjective perspective of the assessor
• Performance is hard to follow due to subjectivity
• A cost/benefit analysis is not implemented, which makes the implementation of controls difficult
• Insufficient differentiation between major risks
• Results depend on the quality of the risk management team

Combined risk analysis

Identifying threats
• After identifying the assets and the risks to those assets, we list them in a table
• This is a basic example of some risks:

Risk No. | Vulnerability | Threat | Risk of Compromise | Risk Summary
1 | Patches to correct flaws in application software not installed | Malicious use; system compromise; unauthorised access | Confidentiality, integrity | Exploitation of flaws could result in compromised confidentiality and integrity of data
2 | Patches to correct flaws in operating system not installed | Malicious use | Confidentiality, integrity | Exploitation of flaws in the operating system could result in compromise of confidentiality and integrity of data
3 | Remote access to server console not properly monitored | System compromise; unauthorised access | Confidentiality, integrity | Without controls in place, the confidentiality and integrity of data will be at risk
4 | Power outage in server room | System unavailable | Availability | If a power outage were to occur, systems would be unavailable for legitimate customers

Create a risk rating: Risk Likelihood
• We then need to come up with a scale to assess the likelihood of our threats
• This is an example of a risk likelihood scale
• Note: many scales use 5 options rather than 3; this is simplified

Rating | Definition
Low | 0-25% chance of successful exercise of threat in a 1 year period
Moderate | 26-75% chance of successful exercise of threat in a 1 year period
High | 75-100% chance of successful exercise of threat in a 1 year period

Create a risk rating: Risk Consequence (IMPACT)
• We then need to come up with a scale to assess the consequences of our threats
• Consequence is best defined in terms of impact upon availability, integrity and confidentiality
• This is an example of a risk consequence scale
• Note: many scales use 5 options rather than 3; this is simplified

Rating | Confidentiality | Integrity | Availability
Low | Loss of confidentiality leads to a limited effect on the organisation | Loss of integrity leads to a limited effect on the organisation | Loss of availability leads to a limited effect on the organisation
Moderate | Loss of confidentiality leads to a serious effect on the organisation | Loss of integrity leads to a serious effect on the organisation | Loss of availability leads to a serious effect on the organisation
High | Loss of confidentiality leads to a severe effect on the organisation | Loss of integrity leads to a severe effect on the organisation | Loss of availability leads to a severe effect on the organisation

Create a risk rating: Risk Consequence (IMPACT)
• It is also possible to define the consequences in terms of a more tangible organisational effect
• This is an example of a risk consequence scale
• Note: many scales use 5 options rather than 3; this is simplified

Rating | Mission capacity | Financial loss | Effect on human life
Low | Temporary loss of one or more minor mission capabilities | Under $5,000 | Minor harm (e.g. cuts and scrapes)
Moderate | Long term loss of one or more minor mission capabilities, or temporary loss of one primary mission capability | $5,000-$100,000 | Significant harm
High | Long term loss of one or more primary mission capabilities | Over $100,000 | Loss of life or life threatening injury

Create a risk rating: Risk Matrix
• Determining your risk matrix is the next step
• There are different variants of risk matrices and they will vary based on your previous steps
• When creating risk ratings, it’s vital to remember to tailor them for the business
• Be consistent with terminology (impact vs consequence)
• This is an example of a 3-scale risk matrix:

Likelihood \ Consequence | High | Moderate | Low
High | High | High | Moderate
Moderate | High | Moderate | Low
Low | Moderate | Low | Low

• This is an example of a 5-scale risk matrix:

Likelihood \ Consequence | Insignificant | Minor | Significant | Major | Severe
Almost Certain | Medium | High | Very high | Extreme | Extreme
Likely | Medium | Medium | High | Very high | Extreme
Moderate | Low | Medium | Medium | High | Very high
Unlikely | Very low | Low | Medium | Medium | High
Rare | Very low | Very low | Low | Medium | Medium

Create a risk rating: Numeric Risk Matrix
• Another option is to use numeric values
• In this case, we allocate each likelihood and consequence a number; here we use 1-5 (1 being the lowest)
• We then multiply the numbers to get the risk rating

Likelihood \ Consequence | Insignificant (1) | Minor (2) | Significant (3) | Major (4) | Severe (5)
Almost Certain (5) | 5 | 10 | 15 | 20 | 25
Likely (4) | 4 | 8 | 12 | 16 | 20
Moderate (3) | 3 | 6 | 9 | 12 | 15
Unlikely (2) | 2 | 4 | 6 | 8 | 10
Rare (1) | 1 | 2 | 3 | 4 | 5

Create a risk rating: Risk Appetite
• Risk appetite is the risk that an organisation is willing to accept
• After determining the risk matrix, we can take an overview of our business and determine what our risk appetite should be
• This number varies a great deal based on the organisation
• In this example the organisation has chosen to have a high risk appetite, meaning that they will accept any risks that sit below that (see the 5-scale matrix above)
• The same can be done for a numeric risk rating. In this example the organisation has chosen a risk rating of 9 (see the numeric matrix above)

Create a risk rating: Allocating risk
• Now that we have set up our risk matrices, we can allocate a consequence and likelihood to the risks

Risk No. | Vulnerability | Likelihood | Consequence | Risk Rating
1 | Patches to correct flaws in application software not installed | Likely | Significant | High
2 | Patches to correct flaws in operating system not installed | Rare | Significant | Low
3 | Remote access to server console not properly monitored | Unlikely | Severe | High
4 | Power outage in server room | Unlikely | Major | Medium
5 | Remote attack | Almost certain | Severe | Extreme

Create a risk rating: Risk Management
• Mitigate: we can implement controls designed to fix flaws or provide some form of compensation to reduce the likelihood or impact associated with the flaw
• Transference: allowing another party to accept the risk on your behalf (e.g. insurance). This does not decrease the likelihood or fix the flaw, but it does reduce the overall (at least financial) impact on the organisation
• Acceptance: allowing the system to operate with a known risk. This is usually done with low risk levels. It is rare but not unheard of for larger risks to be accepted
• Avoidance: remove the vulnerability entirely. This is often not an option due to the system being tied to business processes

Create a risk rating: Implementing controls
• Now that we have our risk matrix, we can allocate controls to mitigate the likelihood/consequence

Risk No. | Vulnerability | Likelihood | Consequence | Risk Rating | Control | Adjusted Likelihood | Adjusted Consequence | Adjusted Risk Rating
1 | Patches to correct flaws in application software not installed | Likely | Significant | High | Implement software to force updates on software. Install protection software | Rare | Minor | Medium
2 | Patches to correct flaws in operating system not installed | Rare | Significant | Low | ACCEPT | Rare | Significant | Low
3 | Remote access to server console not properly monitored | Unlikely | Severe | High | Properly monitor | Rare | Severe | Medium
4 | Power outage in server room | Unlikely | Major | Medium | Implement UPS | Unlikely | Minor | Low
5 | Remote attack | Almost certain | Severe | Extreme | Implement use of security keys. Review access | Unlikely | Major | Medium

Create a risk rating: Review
• Now that we have an updated list of risks with controls that have been implemented, we review!
• Any risks that still have a rating above the risk appetite defined within the company need to have additional controls implemented (or be formally accepted)
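The following Python script is an added worked example (not part of the lecture slides) that runs the slides' own risk register through the 5-scale qualitative matrix, the numeric (likelihood × consequence) matrix, the risk appetite threshold and the review step in one place. The `Risk` dataclass, the function names and the rule that a risk is accepted only when its rating sits strictly below the appetite are this example's assumptions; the slide wording ("below" on the appetite slide, "above" on the review slide) leaves a rating equal to the appetite ambiguous. Note that a mechanical matrix lookup for risk 1 after its control (Rare / Minor) gives "Very low", not the "Medium" printed on the controls slide, which is the kind of inconsistency a review step should catch.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# Scales from the slides; position + 1 is the numeric score (1 = lowest)
LIKELIHOOD = ["Rare", "Unlikely", "Moderate", "Likely", "Almost Certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Significant", "Major", "Severe"]

# 5-scale qualitative matrix from the slides: row = likelihood, column = consequence
QUALITATIVE_MATRIX = {
    "Almost Certain": ["Medium", "High", "Very high", "Extreme", "Extreme"],
    "Likely":         ["Medium", "Medium", "High", "Very high", "Extreme"],
    "Moderate":       ["Low", "Medium", "Medium", "High", "Very high"],
    "Unlikely":       ["Very low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Very low", "Very low", "Low", "Medium", "Medium"],
}
# Ordering of qualitative ratings so they can be compared with a risk appetite
RATING_ORDER = ["Very low", "Low", "Medium", "High", "Very high", "Extreme"]


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Look the pair up in the 5-scale matrix (unknown terms raise KeyError/ValueError)."""
    return QUALITATIVE_MATRIX[likelihood][CONSEQUENCE.index(consequence)]


def numeric_rating(likelihood: str, consequence: str) -> int:
    """Numeric matrix: likelihood score (1-5) multiplied by consequence score (1-5)."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def needs_treatment(rating: Union[str, int], appetite: Union[str, int]) -> bool:
    """Assumption of this example: a risk is accepted only when its rating sits strictly
    below the appetite; anything at or above it needs further controls or explicit acceptance."""
    if isinstance(rating, str):
        return RATING_ORDER.index(rating) >= RATING_ORDER.index(str(appetite))
    return rating >= appetite


@dataclass
class Risk:
    number: int
    vulnerability: str
    likelihood: str
    consequence: str
    control: Optional[str] = None              # None until a control is allocated
    adjusted_likelihood: Optional[str] = None  # analyst's re-assessment after the control
    adjusted_consequence: Optional[str] = None

    def inherent(self) -> str:
        return qualitative_rating(self.likelihood, self.consequence)

    def residual(self) -> str:
        """Rating after the control; an unchanged field falls back to the inherent value."""
        return qualitative_rating(self.adjusted_likelihood or self.likelihood,
                                  self.adjusted_consequence or self.consequence)


def apply_control(risk: Risk, control: str, likelihood: Optional[str] = None,
                  consequence: Optional[str] = None) -> Risk:
    """Record a control and the re-assessed values (ACCEPT changes neither)."""
    risk.control = control
    risk.adjusted_likelihood = likelihood
    risk.adjusted_consequence = consequence
    return risk


def review(register: List[Risk], appetite: str) -> List[int]:
    """Review step: numbers of the risks whose residual rating is not below the appetite."""
    return [r.number for r in register if needs_treatment(r.residual(), appetite)]


def example_register() -> List[Risk]:
    """The five risks from the slides, before any controls are applied."""
    return [
        Risk(1, "Patches to correct flaws in application software not installed", "Likely", "Significant"),
        Risk(2, "Patches to correct flaws in operating system not installed", "Rare", "Significant"),
        Risk(3, "Remote access to server console not properly monitored", "Unlikely", "Severe"),
        Risk(4, "Power outage in server room", "Unlikely", "Major"),
        Risk(5, "Remote attack", "Almost Certain", "Severe"),
    ]


def treated_register() -> List[Risk]:
    """The same register with the slides' controls and re-assessed values applied."""
    reg = example_register()
    apply_control(reg[0], "Implement software to force updates. Install protection software", "Rare", "Minor")
    apply_control(reg[1], "ACCEPT")
    apply_control(reg[2], "Properly monitor", "Rare")
    apply_control(reg[3], "Implement UPS", consequence="Minor")
    apply_control(reg[4], "Implement use of security keys. Review access", "Unlikely", "Major")
    return reg


if __name__ == "__main__":
    appetite = "High"
    print("Needing treatment before controls:", review(example_register(), appetite))
    after = treated_register()
    for r in after:
        print(f"{r.number}: {r.inherent():9} -> {r.residual():9} ({r.control})")
    print("Still at or above appetite after review:", review(after, appetite))
```

Running it flags risks 1, 3 and 5 before controls (their ratings are High, High and Extreme) and nothing after the controls are recorded; the numeric ratings of the untreated register come out as 12, 3, 10, 8 and 25, so the numeric appetite of 9 from the slides selects the same three risks.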
The end

Week 6 External Forum
This week we are looking at Information Security Risk Management. Firstly, watch the brief talk given at the RSA 2016 conference (this conference has some very interesting TED-talk-like speakers on various issues in IT security) on the issues with Defence in Depth (although the speaker proclaims it is dead, it is still very current in industry). Then look at the SANS white paper on risk assessment and finally a brief video on risk identification.
Your task
Your educational institution is moving a database of student details (IDs, email addresses, grades) to the cloud for access by a group of lecturers and tutors. You are a security analyst and have been asked to produce a Threat and Vulnerability Assessment. Using p5 of