5.3 Flashcards
Risk management
The continuous process of handling risks to organizational operations, including mission-critical services and functions, physical and logical assets, and people
The results of this risk management might be:
- Establishing the context for risk-related activities
- Conducting an asset and risk assessment
- Implementing a risk mitigation strategy based on established risk treatment
- Employing techniques and procedures for the continuous monitoring of the security state of information systems
Inherent (total) risk:
- The vulnerabilities and risks that the organization faces before safeguards are implemented
- The present baseline or system/application state before a formal assessment begins
Residual risk:
The vulnerability or risk that remains after the mitigating controls are introduced
*Residual risk = inherent risk − safeguards (controls)
5 key elements of risk analysis are:
- Assets or an asset class
- Incident or scenario
- Timeframe (fiscal/calendar year)
- Impact (magnitude)
- Likelihood (probability)
Qualitative risk analysis
The most common method used in risk and security
A descriptive approach using subjective opinions, history, and scenarios to determine risk levels
Things used to determine risk levels:
- Expert judgement
- Best practices
- Experience
- Intuition
Examples of qualitative risk analysis
Interviews, questionnaires, surveys (Delphi), and conducting brainstorming sessions and workshops addressing assets, known risks, known vulnerabilities, common threats, and historical impacts
Quantitative risk analysis
A scientific/mathematical approach to getting monetary and numeric results
Quantitative risk analysis is based on:
- Asset values (cost and depreciated)
- Impact (magnitude) or severity of the incident
- Probability (likelihood) of occurrence
- Threat frequency
- Costs and effectiveness of safeguards
The resulting probabilities of quantitative risk analysis are based on percentages, mathematical formulas, and calibrated estimation
AV (asset value):
Value of the asset according to the organization
EF (exposure factor):
Percentage of asset loss caused by an identified threat
SLE (single loss expectancy):
- Potential loss if an attack occurs
- SLE = asset value * exposure factor (AV * EF)
ARO (annualized rate of occurrence):
Estimated frequency with which the threat will occur within a single year
Quantitative formula:
ALE (annualized loss expectancy) = SLE * ARO
Risk appetite (treatment)
Any combination of treatments can be used with risk management
**Analysts must also consider any exemptions or exceptions for certain privileged users, air-gapped systems, or special-use-case applications
Risk acceptance:
- Do not implement any additional safeguards
- Justification in writing is often required
- This can also be the process of “ignoring” the risk
Risk acceptance examples:
- Only having one supplier or vendor for hardware or services, relying on their uptime reputation
- Leasing a facility in a 100-year flood zone
- Deciding not to add a cyber security rider to your existing business insurance policy
- Continuing with a Wi-Fi Protected Access 2 (WPA2)-secured wireless local-area network (WLAN)
Risk transference (risk sharing)
Passing off risk to a third party or shared party
Risk transference examples:
- Purchasing an insurance policy or additional cyber insurance
- Leveraging a shared responsibility model (SRM) with a cloud service provider (IaaS)
- Leasing a warm/cold disaster recovery facility with another similar business that is several miles away, using a reciprocal agreement
Risk avoidance
Involves deciding not to undertake actions or engage in activities that introduce or increase risk
**Being too risk-averse can lead to missing out on opportunities or advantages
Risk avoidance examples:
- Not processing and storing customers' credit card information on-premises
- Not using a cloud service provider for DevOps or managed data services
- Avoiding the use of any clear-text protocols, such as HTTP, Lightweight Directory Access Protocol (LDAP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), or telnet
- Not storing sensitive data in a personal cloud service, such as Dropbox or Google Drive
Risk mitigation
Involves the strategic and tactical use of an array of technical, administrative, and physical controls to reduce risk to an acceptable level
Risk mitigation examples:
- Implementing endpoint protection, such as Palo Alto Cortex XDR
- Upgrading the edge firewall appliance
- Using a cloud-based security information and event management (SIEM)/security orchestration, automation, and response (SOAR) solution like Azure Sentinel, or a managed security service provider (MSSP) solution from Fortinet
- Hiring armed security guards
Three risk handling approaches:
- Expansionary
- Conservative
- Neutral
Expansionary
The enterprise intends to increase the number of resources allocated to treat risk as needed on an ongoing basis
Conservative
The enterprise is frugal and extremely careful about spending more money, acquiring controls, or adding personnel
They would rather find compensating controls
Neutral
The enterprise will take a balanced approach to risk treatment
The appetite is neither expansionary nor conservative unless necessary
Risk assessment documents
Will record the processes used to identify probable threats and propose subsequent action plans if the hazard occurs
The risk assessment document will declare assets at risk (people, buildings, information technology, utility systems, machinery, raw materials, and finished goods)
Risk owners
Persons or entities responsible for managing threats and vulnerabilities that might be exploited, such as a chief information security officer (CISO), data custodian, virtual asset manager, or other technical risk stakeholder
Key risk indicators (KRIs)
Meaningful metrics for measuring the likelihood and impact of an incident, and whether the results exceed the established risk appetite
Risk threshold
A quantifiable level of uncertainty and impact from risk, below which an organization will accept a risk and above which an organization will not accept a risk
Risk reports
Should have just as much information as necessary, but not a “data overload”
Reports should be concise and yet comprehensive:
- Written reports and summaries
- White papers, special publications
- Published to an intranet
- Live presentations (in-person or conferencing sessions)
Analysts may need to express findings in simpler terms or have different reports for different target audiences; possibly include a glossary of terms
Understand the optimal aspects of visual communications:
- Avoid three-dimensional representation
- Use a palette of sequential colors
- Consider possible “color blindness” and sight-impaired audiences
- Avoid pie charts or simple histograms
Consider using what for risk reports?
- Scatterplots
- Bars and bubble charts
- Density plots
- Boxplots
Business impact analysis (BIA)
Predicts the consequences of a disruption to a business and collects information needed to develop recovery strategies
Recovery Time Objective (RTO)
The amount of time needed to recover a resource, service, application, or function
It must be less than or equal to the maximum tolerable downtime (MTD)
Ways to reduce RTO include
- Adding physical security
- Adding redundancy
- Purchasing insurance
- Investing in better generators
- Investing in faster recovery solutions
Maximum tolerable downtime (MTD), also called maximum allowable downtime (MAD)
Represents the absolute maximum amount of time that a resource, service, or function can be unavailable before the entity starts to experience a catastrophic loss
**When the MTD is exceeded, the disaster recovery plans (DRPs) are often triggered
Recovery Point Objective (RPO)
Often represented as the target amount of time within which a process must be restored after disruption
(RPO) The activity point, relative to a disaster, where the recovery process begins:
- Last known good configurations
- Database transaction logs
- Snapshots
- Recovery volumes
- State machine instances
(MTTR) This BIA measurement is heavily affected by supply chain disruptions, backorders, and vendor (manufacturers, wholesalers, distributors) dislocation
Mean time to repair or replace (MTTR)
Determines how long it will take in minutes, hours, or days to repair or replace a failed system, component, application, or service
Mean time between failures (MTBF)
The measurement of the reliability of a hardware system (Cisco/Juniper router), component, or hot spare
MTTR formula
MTTR = (total downtime) / (number of breakdowns)