6 IT Security and Risk Management Flashcards
6.1.1 Foundations
Security:
Risk:
6.1.2 Why IT Security?
Negative impact of incidents
Loss of reputation for company/brand (68%)
Impairment of business connections (52%)
Decline in employee morale/motivation (28%)
6.1.3 IT Security Properties
• Confidentiality (discretion)
o Information about system or its users cannot be learned by an attacker
• Integrity (correctness)
o The system continues to operate properly, only reaching states that would occur if there were no attacker
• Availability
o Actions by an attacker do not prevent users from having access to use of the system
6.1.3.1 Alice in Wonderland example
Security is about …
Confidentiality: Attacker does not learn Alice’s secrets
Integrity: Attacker does not undetectably corrupt system’s function for Alice
Availability: Attacker does not keep system from being useful to Alice
6.1.4.1 Methods to achieve Basic Security Service Objectives
Confidentiality
o Encryption (symmetric vs. asymmetric)
Integrity
o Hash-Functions
Authentication
o Knowledge of a secret (e.g.: password)
o Possession of a certain object (e.g.: chip card)
o Human characteristics (e.g.: fingerprint)
Availability
o Redundancy
6.1.5.2 Further Classification of Threats (in Networked Organizations)
• External Attacks
o Actions against IT infrastructure that harm it or degrade its service without actually gaining access to it
o E.g., Denial of Service attacks
• Intrusion
o Attacks actually gaining access to the IT infrastructure
o Gaining access to passwords
o Attacking software vulnerabilities
• Viruses & Worms
o Malicious software programs
o Damage could be minor or severe
6.1.5.3 Threat Trees
Threat trees summarize potential threats in a top-down view.
6.1.6 Defensive Measures
Security Policies
o What kind of passwords are users allowed to create for use on company systems? How often should they change their password?
o Who is allowed to have accounts on company systems?
Firewalls
Encryption
Patching and Change Management
Intrusion detection and network monitoring
6.2 IT Risk Management
6.2.2 Risk Categorization
• Known risks
o Those risks that can be uncovered after careful evaluation of the project plan, the business and technical environment in which the project is being developed, and other reliable information sources (e.g., unrealistic delivery date)
• Predictable risks
o Those risks that are extrapolated from past project experience (e.g., past turnover)
• Unpredictable risks
o Those risks that can and do occur, but are extremely difficult to identify in advance (e.g., zero-day attack)
6.2.4 Project Characteristics
- Size of project, in terms of workers/years of effort
- Degree of company-relative technology experience
- Degree of inherent structure
- How well-defined are the project’s outputs?
- How well does the implementation team understand what has been requested?
o Have they built a system like this before (plan to throw one away…)
6.2.5 Further Complications (obstacles)
Risk always increases exponentially with size. Growth factor depends greatly on the organization and its prior IT project experience.
Methods and approaches to project management which work well for one project type may be quite inappropriate for another