fundamentals of information systems security chapter 8

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Fundamentals of Information

Systems Security

Lesson 8

Risk, Response, and Recovery

Fundamentals of Information Systems Security© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.Page 2Fundamentals of Information Systems Security


www.jblearning.com


Learning Objective(s)

Describe the principles of risk

management, common response

techniques, and issues related to recovery

of IT systems.


www.jblearning.com



www.jblearning.com


Key Concepts

Quantitative and qualitative risk assessment

approaches

Business impact analysis (BIA)

Business continuity plan (BCP)

Incident handling

Disaster recovery plan (DRP)


www.jblearning.com



www.jblearning.com


Risk Management and Information

Security

Seek a balance between the utility and cost of various risk management options

• Don’t spend more to protect an asset than it is worth

• A countermeasure without a corresponding risk is a solution seeking a problem; difficult to justify the cost


www.jblearning.com



www.jblearning.com


Risk Terminology

• Something (generally bad) that might happen

Threat

• Any exposure that could allow a threat to be realized

Vulnerability

• The likelihood that a particular threat will be realized against a specific vulnerability

Risk

• The amount of harm a threat exploiting a vulnerability can cause

Impact


www.jblearning.com



www.jblearning.com


Risk Terminology (cont.)

• A measurable occurrence that has an impact on the business

Event

• Any event that violates or threatens to violate your security policy

Incident

• Includes both safeguards and countermeasures

Control

• Addresses gaps or weaknesses in controls that could lead to a realized threat

Safeguard

• Counters or addresses a specific threat

Countermeasure


www.jblearning.com



www.jblearning.com


Elements of Risk

Assets

Vulnerabilities

Threats


www.jblearning.com



www.jblearning.com


Purpose of Risk Management

Identify risks

• Before they lead to an incident

• In time to enable you to plan and begin risk-handling activities (controls and countermeasures)

• On a continuous basis across the life of the product, system, or project


www.jblearning.com



www.jblearning.com


The Risk Management Process


www.jblearning.com



www.jblearning.com


Identify Risks

Develop scenarios for each threat to assess

the threats

Popular risk identification methods include:

• Brainstorming

• Surveys

• Interviews

• Working groups

• Checklists

• Historical information


www.jblearning.com



www.jblearning.com


Risk Register

A description of the risk

Expected impact if the event occurs

The probability of the event occurring

Steps to mitigate the risk

Steps to take should the event occur

Rank of the risk


www.jblearning.com



www.jblearning.com


Emerging Threats

New technology

Changes in culture of organization/environment

Unauthorized use of technology

Changes in regulations and laws

Changes in business practices


www.jblearning.com



www.jblearning.com


Static Environments

Supervisory Control and Data Acquisition (SCADA)

Embedded systems

Mobile devices (Android, iOS, Windows)

Mainframes

Gaming consoles

Vehicle systems


www.jblearning.com



www.jblearning.com


Assess Risks

Quantitative—Attempts to describe risk in

financial terms and put a dollar value on each risk

Qualitative—Ranks risks based on their

probability of occurrence and impact on business

operations


www.jblearning.com



www.jblearning.com


Calculating Quantified Risk

Determine annualized loss expectancy (ALE)

Determine how often a loss is likely to occur every year

Calculate the single loss expectancy (SLE)

Calculate the exposure factor (EF)

Calculate the asset value (AV)


www.jblearning.com



www.jblearning.com


Determining Quantified Risk

Calculation Formula

Single loss expectancy (SLE) AV × EF = SLE

Annualized rate of occurrence

(ARO)

ARO = Number of incidents

per year

Annualized loss expectancy

(ALE)

SLE × ARO = ALE


www.jblearning.com



www.jblearning.com


Qualitative Risk Analysis

Probability or

likelihood

Impact


www.jblearning.com



www.jblearning.com


Plan a Risk Response

• Reduce (reduction/mitigation)

• Transfer (transference/assignment)

• Accept (acceptance)

• Avoid (avoidance)

Negative risks

• Exploit (exploitation)

• Share (sharing)

• Enhance (enhancement)

• Accept (acceptance)

Positive risks


www.jblearning.com



www.jblearning.com


Acceptable Range of Risk


www.jblearning.com



www.jblearning.com


Total Risk and Residual Risk


www.jblearning.com



www.jblearning.com


Implement the Risk Response Plan

Administrative controls

• Manage the activity phase of security—the things

people do

Activity phase controls

• Either administrative or technical

• Correspond to the life cycle of a security program

- Detective controls

- Preventive controls

- Corrective controls

- Deterrent controls

- Compensating controls


www.jblearning.com



www.jblearning.com


Protecting Physical Security

HVACFire

suppressionEMI

shielding

Lighting SignsVideo

surveillance

Access lists Safety plan


www.jblearning.com



www.jblearning.com


Selecting Countermeasures

Fix known exploitable software flaws

Develop and enforce operational

procedures and access controls (data and

system)

Provide encryption capability

Improve physical security

Disconnect unreliable networks


www.jblearning.com



www.jblearning.com


Monitor and Control Risk Response

What problem is this countermeasure

designed to solve?

Does this countermeasure solve this problem?

• Countermeasures might pose new risk to the

organization

• Perform certification and accreditation of

countermeasure programs

• Follow best practices and exercise due

diligence


www.jblearning.com



www.jblearning.com


Business Continuity Management

(BCM)


• Contains the actions needed to keep critical business

processes running after a disruption


• Details the steps to recover from a disruption and

restore the infrastructure necessary for normal

business operations

Disruptions include extreme weather, criminal activity,

civil unrest/terrorist acts, operational, and application

failure disruptions


www.jblearning.com



www.jblearning.com


Terminology


Critical business function (CBF)

Maximum tolerable downtime (MTD)

Recovery time objective (RTO)

Recovery point objective (RPO)

Emergency operations center (EOC)


www.jblearning.com



www.jblearning.com


Assessing Maximum Tolerable

Downtime (MTD)


www.jblearning.com



www.jblearning.com


Business Impact Analysis

Security pro should ask two questions:

• What can affect the business?

• How will it affect the business?

Conduct a BIA for these reasons:

• Set value of each business unit or resource as it

relates to how the entire organization operates

• Identify critical needs to develop a business recovery

plan

• Set order or priority for restoring the organization’s

functions after a disruption


www.jblearning.com



www.jblearning.com


Critical Dependencies

Information processing

Personnel Communications

Equipment FacilitiesOther

organizational functions

Vendors Suppliers


www.jblearning.com



www.jblearning.com


Assessing the Impact of Downtime

PropertyDataSystemsPeople


www.jblearning.com



www.jblearning.com


Review and Test the Plan

Important to review and update BCP

regularly

Tests for a BCP and DRP

• Checklist

• Structured walk-through

• Simulation

• Parallel

• Full interruption


www.jblearning.com



www.jblearning.com


Backing Up Data and Applications

Plans must include dealing with:

• Backup storage media

• Location

• Access

Backups provide extra copies of needed resources, such as:

• Data

• Documentation

• Equipment


www.jblearning.com



www.jblearning.com


Types of Backups

Full

Differential

Incremental


www.jblearning.com



www.jblearning.com


Incident Handling

Documentation and reporting

Recovery and followup

Response

Notification

Identification

Preparation


www.jblearning.com



www.jblearning.com


Recovery from a Disaster

A disaster recovery plan (DRP):

• Establishes an emergency operations

center (EOC) as an alternate location from

which the BCP/DRP will be coordinated and

implemented

• Names an EOC manager

• Determines when that manager should

declare an incident a disaster


www.jblearning.com



www.jblearning.com


Activating the Disaster Recovery

Plan

Restore business operations

Return operations to their original state

before the disaster


www.jblearning.com



www.jblearning.com


Operating in a Reduced/Modified

Environment

Suspend normal processes

Identify minimum recovery resources as

part of the recovery needs

Combine services that were on different

hardware platforms onto common servers

Continue to make backups of data and

systems


www.jblearning.com



www.jblearning.com


Primary Steps to Disaster Recovery

Ensure the safety of individuals

Contain the damage

Assess damage and begin recovery

operations according to the DRP and BCP


www.jblearning.com



www.jblearning.com


Restoring Damaged Systems

Know where to get configuration charts, inventory lists,

and backup applications and data

Have access control lists to make sure that the system

allows only legitimate users on it

Update the operating systems and applications with the

most current patches

Make sure the operating systems and applications are

current and secure

Activate the access control rules, directories, and remote

access systems to permit users to get on the new systems


www.jblearning.com



www.jblearning.com


Recovery Alternatives

A dedicated site operated by the business, such as a secondary

processing center

A commercially leased facility, such as a hot site or mobile facility

An agreement with an internal or external facility


www.jblearning.com



www.jblearning.com


Comparing Common Recovery Site

OptionsFeature Hot

Site

Warm

Site

Cold

Site

Multiple

Sites

Cost High Medium Low No direct

costs

Computer

equipped

Yes Yes No Yes

Connectivity

equipped

Yes Yes No Yes

Data equipped Yes No No Yes

Staffed Yes No No Yes

Typical lead time

to readiness

Minutes

to hours

Hours to

days

Days to

weeks

Moments to

minutes


www.jblearning.com



www.jblearning.com


Summary

Quantitative and qualitative risk assessment

approaches



Incident handling


fundamentals of information systems security chapter 8

Education