10 - Risk Management Flashcards
Why do we need risk assessment
- Avoid making the same mistakes
- Know how many resources to use and how (GDPR, testing etc)
5 steps to security
IIDIC
- Identify the target
- Identify the source of insecurity
- Determine the threats
- Implement measures that protect assets in a cost effective manner
- Continuous review
Risk Management vs Risk Assessment
Risk assessment is the identification phase
Risk management includes assessment AND implementation
Risk is a function that takes into account?
Threat, Asset and Vulnerability
Risk management meaning
- Minimisation of risks
- Control effects of risks
Techniques of risk management
AMCTAR
- Avoidance
- Mitigation
- Cost Benefit analysis
- Transfer (the risk to 3rd party)
- Acceptance
- Residual Risk
Risk
Inappropriately configured firewall rule set allows unauthorised LAN access
Avoid:
Reduce:
Transfer:
Avoid: Periodic review of firewall
Reduce: Install IDS: weekly scanning
Transfer: Outsource net management
Risk assessment: List based on asset or threat
Asset
List each asset THEN the threat to it
3 Challenges of Risk Assessment
SIE
- Static process for moving target
- Information availability
- Estimating the impact
Quantitative Risk Assessment vs Qualitative
- Quantitative: Calculates absolute financial values, losses and costs
- Qualitative: Calculates relative values, losses and costs
Risk between likelihood and impact
Imagine 3x3 grid with impact and likelihood
First thing you try to test a vulnerability
pen testing
Risk ID: Threats to consider (… or …)
- External or internal
- Natural or manmade
- Intentional or accidental
Risk ID: Identifying vulnerabilities
- Audit
- Certification/accreditation records
- Sys logs
- prior events
- trouble reports
- incident response teams
Threat and vulnerability paired = ____
Threat Action showing the impact
Prior to conducting risk assessment:
- Identify assessment scope (mission)
- Review previous findings
Identifying assets and activities
Make a list and prioritise
List of assets to consider:
- Physical
- Hardware
- Software
- Personnel (e.g. is a job done by just one person?)
- Data and information
Internal assessments
Security pros exploit internal systems to learn about vulnerabilities
External assessments
Personnel outside the company exploit systems to learn
Procedure for vulnerability assessment
- Documentation
- Review logs
- Vulnerability scans and other assessment tools
- audit and personnel interviews
- System testing
- Verifying user rights and permissions
Exploit assessments
Attempt to simulate an attack to see if it can succeed.
2 Different controls
In-place (in the operational system)
Planned (in documents)
Control classes
Procedural
Technical
Physical
Procedural Class examples
- Policies
- Security Plans
- Insurance
- Awareness and training
3 Technical Class examples
- Login identifier
- System logs
- Firewalls
Physical Class examples
- Locked doors
- Video cameras
- Fire detection
WannaCry 2017
NHS using outdated and unpatched Win7/WinXP versions
They had been warned a year before
Lack of clear disaster recovery plan
Hive Ransomware
Vulnerability in Microsoft’s Exchange Server (ProxyShell)
Over 1,500 victims