# CompTIA Security+ 501 exam Chapter 02: Conducting Risk Analysis
Posted by Superadmin on November 16 2018 13:50:17

Conducting Risk Analysis

As a security professional, you will need to understand that identifying and managing risks can help to keep your company environment safe from various types of attacks. In this chapter we will look at types of threats and vulnerabilities and the role that different threat actors play.

We will cover the following exam objectives in this chapter:

Risk management

Risk management is the process of identifying risks within a company and making decisions about how to reduce the risks so that an incident does not cause harm to the company and its assets. You may not be able to eliminate the risk completely, but you may be able to put procedures in place to reduce it or keep it at an acceptable level.

The first step in risk management is to identify the asset. Is it a top-secret document? If that was the case you'd limit the access to the document. The top-secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it.

For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24 carat gold and you left it outside your house at night, it would probably not be there in the morning.

The first step in risk management is identifying the asset because how we classify the asset will then determine how the asset is handled, stored, protected, and who has access to the asset.

Importance of policy, plans, and procedures

Creating policies, plans, and procedures is a part of risk management and helps reduce the attack surface and prevent incidents from happening. Let us look at the different types of policies that can be used.

Standard operating procedures

Standard Operating Procedures (SOP) give us step-by-step instructions as to how an activity is to be carried out. An example would be how to carry out the backing up of data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours whereas archive data may be backed up monthly. The SOP would also state what medium is to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that quicker recovery can be carried out.

Stage one in risk assessment is the classification of the asset; this then determines how it is accessed, stored, and handled.

Agreement types

Contracts between companies that want to purchase or sell services are very common as they protect both partners participating in the contract. We will now look at different agreement types that may be used in those contracts.

A service level agreement (SLA) is measured in metrics, as to what percentage has been achieved.

For example, your company has an SLA with a service provider that will fix the printer within four hours. If the printer breaks down then the service provider needs to repair the printer within four hours or face a penalty. An SLA only relates to one product or service at one time. A company may have several SLAs in place that cover all of their equipment.

Personnel management—policies and procedures

Employing personnel is a key function in a successful business; however, employing people is high risk, as we need to employ the right type of person, who must be bright enough to identify cyber-crime attacks. To help reduce the risk that employees face, to prevent human resources from employing the wrong person, and to prevent fraud on an ongoing basis, the following policies can be adopted:

Let's look at an example. All members of the IT team can make any changes to the network firewall; this creates a huge risk to the network. An auditor could recommend that each time a firewall rule is changed it is authorized by the Change Advisory Board and two people should be responsible for checking the changes to the firewall. With two people being responsible for making the changes, any errors should be eliminated. This is an example of separation of duties.

Let's look at a second example. When I first got married, we opened a joint bank account that only my wages were paid into. My wife did the spending from this account even though she had her own account. I paid in, my wife withdrew—a true separation of duties. Nowadays I have my own account!

Separation of duties is where one person does not complete all configuration or transactions by themselves.

Other policies adopted by the company to help reduce risk are as follows:

Role-based awareness training

Role-based awareness training is mandatory training that an employee carries out on an annual basis; an example of this would be security awareness training, which is used by companies to reduce their security risks. During the training, employees will learn about social engineering attacks where the employee is targeted, for example a phishing email. There will be more information about attacks in Chapter 8, Protecting Against Attacks and Vulnerabilities, of this book.

Policy violation is where SOP and policies have been ignored. Transferring data from outside the company should be done via VPN.

General security policies

General security policies affecting an employee using the internet are:

Business impact analysis concepts

Business impact analysis (BIA) looks at the financial loss relating to an incident and does not look at the threat or how an event occurred. It measures the additional cost due to various factors.

Financial loss factors include the following:

Impact factors include the following:

BIA looks at the financial loss but does not look at the threat.

Privacy threshold assessment/privacy impact assessment

Personal data use, storage, and access are regulated, and a company would be fined if it did not handle the data properly. There are two policies that we need to look at, and these are the privacy threshold assessment and the privacy impact assessment. Let us now look at these:

Mission-essential functions/identification of critical systems

When we look at BIA as a whole we have to see what the company's mission-essential functions are; for example, an airline depends heavily on its website to sell airline tickets. If this were to fail it would result in a loss of revenue. Critical systems for the airline would be the server that the website was placed on and its ability to contact a backend database server such as SQL that would hold ticketing information and process the credit card transactions and order history for each of their customers.

Example

What would be the mission-essential functions for a newspaper and what would be its critical systems?

Newspapers generate revenue not only via sales but more importantly by selling advertisement space in the paper. The mission-essential function would be the ad creation program that creates the advertisements, and the critical systems would be the server that the program resides upon, the database for processing payments, and the systems used to print the newspapers.

Supply chain risk assessment

Your supply chain is the companies that you totally rely upon to provide the materials for you to carry out a business function or make a product for sale. Let's say that you are a laptop manufacturer and Company A provides the batteries and Company B provides the power supplies; if either of these runs short of batteries or power supplies, it stops you from manufacturing and selling your laptops.

Example

Company C provides your broadband internet access and you are totally reliant upon them for the internet; you may mitigate the risk of the internet failing by adopting vendor diversity, where you purchase broadband from Company D so that if either of your suppliers fails you still have internet access, which is now crucial to any modern business.

Business impact analysis concepts

The following concepts are used for determining the business impact analysis:

RPO is the acceptable downtime whereas RTO is the return to an operational state.

Calculating loss

The following concepts can be used to calculate the actual loss of equipment throughout the year and may be used to determine whether we need to take out additional insurance against the loss of the equipment:

Example

A multinational corporation loses 300 laptops annually and these laptops are valued at $850; would they take out an insurance policy to cover the costs of replacement if the insurance premiums were $21,250 monthly?

The answer is no: because the cost of replacing them is the same as the cost of the insurance, they would take the risk of not losing 300 laptops next year.

The calculations are as follows:

Annual loss expectancy = Single loss expectancy x Annual rate of occurrence.
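The laptop calculation above worked through in Python, as an added example that is not from the book: it takes the chapter's SLE and ARO, computes the ALE, annualises the monthly premium so the two figures are comparable, and returns the insure/accept decision. The LossScenario class and should_insure function are this example's own names, not terms from the chapter.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A recurring loss described by the chapter's two inputs: SLE and ARO."""
    asset: str
    single_loss_expectancy: float     # SLE: cost of losing one item, in dollars
    annual_rate_of_occurrence: float  # ARO: how many times per year the loss is expected

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE x ARO, the formula the chapter gives."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def annual_premium(monthly_premium: float) -> float:
    """Quotes are often monthly while the ALE is annual, so put them on the same footing."""
    return monthly_premium * 12


def should_insure(scenario: LossScenario, monthly_premium: float) -> bool:
    """Transferring the risk (insurance) only makes sense when the premium is below the
    expected loss. When the two are equal, as in the chapter's laptop example, the
    company accepts the risk instead."""
    return annual_premium(monthly_premium) < scenario.annual_loss_expectancy()


if __name__ == "__main__":
    laptops = LossScenario("laptop", 850, 300)  # the chapter's figures
    print(f"ALE:            ${laptops.annual_loss_expectancy():,.0f}")  # $255,000
    print(f"Annual premium: ${annual_premium(21_250):,.0f}")            # $255,000
    print("Insure?", should_insure(laptops, 21_250))                    # False
```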

 

 

 

 

Risk procedures and concepts

Risk is the probability that an event will happen; it could bring profit to you, for example if you place a bet on the roulette wheel in a casino and win more money. It is, however, more likely that a risk will result in financial loss or loss of service. Companies will adopt a risk management strategy to reduce the risk being posed to them but may not be able to eliminate the loss completely. In information technology, newer technology comes out every day and poses more risk to a business, so risk management is ever evolving.

The main components are assets, risks, threats, and vulnerabilities:

A threat is something that will pose a danger by exploiting a vulnerability. A vulnerability is a weakness that may be exploited, and risk is the probability that an event will happen.

Threat assessment

A threat assessment helps a company classify its assets and then looks at the vulnerabilities of that asset. It will look at all of the threats the company may face, the probability of the threat happening, and the potential loss should the threat be successful:

Threat actors

A threat actor is another name for a hacker or attacker who is likely to attack your company; they all have different attributes. They will investigate your company from the outside, looking for details on social media and in search engines. Security companies provide an open source intelligence test and inform you of your vulnerabilities in terms of threat actors. Let us now look at threat actor types:

A competitor is a threat actor who will try and steal a company's trade secrets to gain a market edge.

Risk treatment

In risk treatment, each individual risk is looked at by the risk owner, who is the best person to classify the asset; they will then decide what action is best to take to reduce the risk to the company. The risk will then be included in the company's risk register so that it can be monitored. New risks should be recorded in the risk register immediately, and the risk register should be reviewed every six months, as risks change frequently as technology changes.

Residual risk is the amount of risk remaining after you mitigate the risk. Remember you cannot eliminate a risk totally.

Risk register

When we look at the overall risk for the company we will use a risk register. This is a list of all of the risks a company could face. The risk to the finance department will be assessed by the financial director and IT-related risk would be looked at by the IT manager. Each department can identify the assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners; they are responsible for them:

| Ser | Date | Owner | Description | Probability | Impact | Severity | Treatment | Contingency | Action taken |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 01/05/18 | IT Manager | Loss of Switch | Low | High | High | Transfer (2-hour fix SLA) | Purchase spare switch | 02/05/2018 |

Qualitative/quantitative risk analysis

There are two different approaches to risk management and they are qualitative and quantitative risk assessments. Let us look at both of them:

In this example, we are going to grade a risk and its probability from 1-9, with 1 being low and 9 being high. If we look at the impact of losing a mail server, the qualitative risk analysis would say that it is high but the probability of losing it would be low:

| Qualitative | Probability | Quantitative risk |
|---|---|---|
| 9 | 3 | 9*3=27 |
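An added example, not part of the chapter, that ties the 1-9 grading above to the risk register from the previous section: each entry is scored as probability x impact, the register is ordered so the risk owner sees the highest scores first, and entries past the six-month review the chapter calls for are flagged. The RiskEntry class, the 182-day review interval, and the numeric grades given to the switch row are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The chapter grades probability and impact from 1 (low) to 9 (high); the
# quantitative score is their product (9 * 3 = 27 for the mail server).
SCALE = range(1, 10)
REVIEW_INTERVAL = timedelta(days=182)  # "every six months"; 182 days is this example's assumption


def risk_score(probability: int, impact: int) -> int:
    """Turn two qualitative grades into a quantitative score: probability x impact."""
    for name, value in (("probability", probability), ("impact", impact)):
        if value not in SCALE:
            raise ValueError(f"{name} must be between 1 and 9, got {value}")
    return probability * impact


@dataclass
class RiskEntry:
    """One row of the risk register, using the columns from the chapter's table."""
    ser: int
    recorded: date
    owner: str
    description: str
    probability: int
    impact: int
    treatment: str
    contingency: str = ""
    last_reviewed: Optional[date] = None

    @property
    def score(self) -> int:
        return risk_score(self.probability, self.impact)

    def review_overdue(self, today: date) -> bool:
        """True when more than six months have passed since the last review (or recording)."""
        return today - (self.last_reviewed or self.recorded) > REVIEW_INTERVAL


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so the risk owner sees the highest scores first."""
    return sorted(register, key=lambda entry: entry.score, reverse=True)


def overdue_reviews(register: List[RiskEntry], today: date) -> List[int]:
    """Serial numbers of entries that are past their six-month review."""
    return [entry.ser for entry in register if entry.review_overdue(today)]


if __name__ == "__main__":
    # Constructed register: the chapter's switch row (Low/High graded 3/7, an assumption) and the mail server (3/9).
    register = [
        RiskEntry(1, date(2018, 5, 1), "IT Manager", "Loss of switch", 3, 7,
                  "Transfer: 2-hour fix SLA", "Purchase spare switch"),
        RiskEntry(2, date(2018, 5, 1), "IT Manager", "Loss of mail server", 3, 9, "Mitigate"),
    ]
    print([(e.ser, e.score) for e in prioritise(register)])  # [(2, 27), (1, 21)]
    print(overdue_reviews(register, date(2018, 12, 1)))  # [1, 2]
```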

 

 

Review questions

 

  1. What is the purpose of standard operating procedures?

  2. What is the purpose of BPA?

  3. What is the difference between an MOU and an MOA?

  4. What is the purpose of an ISA?

  5. What is the benefit of introducing separation of duties into the finance department?

  6. What is the purpose of a risk register?

  7. What is the purpose of job rotation?

  8. What is the purpose of mandatory vacations?

  9. What is the first stage in risk assessment?

  10. Why would a company introduce a clean desk policy?

  11. If someone brought their own laptop to be used at work, apart from an on-boarding policy, what other policy should be introduced?

  12. What is the purpose of an exit interview?

  13. When would you adopt risk avoidance?

 

  14. What is the purpose of risk transference?

  15. What are rules of behavior?

  16. Why would a company run an annual security awareness training programme?

  17. What is cognitive hacking and what should we avoid to mitigate it?

  18. What would happen if I tried to sell my car and sent an email to everyone who worked in my company using my Gmail account?

  19. Why would I make a risk assessment of one of my main suppliers?

  20. What is the driving force of Business Impact Analysis?

  21. What is the relationship between RPO and RTO?

  22. What information can be established from MTTR?

  23. What is the purpose of MTBF?

  24. What is the purpose of SLE and how is it calculated?

  25. How can we calculate the Annual Loss Expectancy (ALE)?

Answers and explanations

  1. Standard operating procedures are step-by-step instructions as to how a task should be carried out, so that employees know exactly what to do.

  2. A BPA is used by companies in a joint venture and it lays out each party's contribution, their rights and responsibilities, how decisions are made, and who makes them.

  3. A Memorandum of understanding is a formal agreement between two parties but it is not legally binding whereas the memorandum of agreement is similar but is legally binding.

  4. An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection to use and how secure it is; for example, they may use a VPN to communicate.

  5. If we adopted separation of duties in the finance department, we would ensure that nobody in the department did both parts of a transaction. For example, we would have one person collecting revenue and another person authorizing payments.

  6. A risk register lays out all of the risks that a company faces; each risk will have a risk owner who specializes in that area as well as the risk treatment.

  7. Job rotation ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. It also ensures that any fraud or theft can be detected.

  8. Mandatory vacations ensure that an employee takes at least five days of holiday and someone provides cover for them; this also ensures that fraud or theft can be detected.

  9. The first stage in risk assessment is identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.

  10. A Clean Desk policy is to ensure that no document containing company data is left unattended overnight.

  11. Someone bringing their own laptop is called BYOD and this is governed by two policies, the on-boarding policy and the Acceptable Use Policy (AUP). The AUP lays out how the laptop can be used, and accessing social media sites such as Facebook or Twitter is forbidden whilst using the device at work.

  12. An exit interview is to find out the reason why the employee has decided to leave; it may be the management style or that other factors in the company are not good. The information from an exit interview may help the employer improve terms and conditions and therefore have a higher retention rate.

  13. When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would treat the risk with risk avoidance and avoid the activity.

  14. Risk transference is where the risk is medium to high and you wish to offload the risk to a third party, for example insuring your car.

  15. Rules of behavior are how people should conduct themselves at work to prevent sexual discrimination, bullying, or discrimination.

  16. Annual security awareness training advises employees of the risk of using email, the internet, and posting information on social media websites. It also informs employees of any new risk posed since the last training.

  17. Cognitive hacking is where a computer or information system attack relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is a social engineering attack and we could reduce the risk by being careful what we post on social media websites.

  18. Sending an email to everyone who works in your company using your Gmail account is a violation of the AUP and could lead to disciplinary action.

  19. A manufacturing company would carry out supply chain risk assessment as they need a reputable supplier of raw materials so that they can manufacture goods.

  20. Business impact analysis is just money; it looks at the financial impact following an event. The loss of earnings, the cost of purchasing new equipment, and regulatory fines are calculated.

  21. The Recovery Point Objective (RPO) is the acceptable downtime that a company can suffer without causing damage to the company, whereas the Recovery Time Objective (RTO) is the time that the company is returned to an operational state; this should be within the RPO.

  22. Mean Time to Repair (MTTR) is the average time it takes to repair a system, but in the exam, it could be seen as the time to repair a system and not the average time.

  23. Mean Time Between Failure (MTBF) is the measurement of the reliability of a system.

  24. Single Loss Expectancy (SLE) is the cost of the loss of one item; if I lose a tablet worth $1,000, then the SLE is $1,000.

  25. The Annual Loss Expectancy (ALE) is calculated by multiplying the SLE by the ARO (the number of losses per year). If I lost six laptops a year worth $1,000 each, the ALE would be $6,000.