LECTURE NOTES: CONTROL TYPES AND RISK CALCULATION
Revision Date: 7/31/2014
Time: 1 hour

OBJECTIVES
The following objectives are covered in this Lecture Note. These objectives are from the CompTIA Objectives posted at the beginning of the course in the Course Start section. Some objectives will be covered in more detail in the Lecture or Reading Assignments.

2.1 Risk Related Concepts
- Control types
- Policies in reducing risk
- Risk calculation
- Vulnerabilities
- Threat vectors
- Quantitative vs. qualitative
- Risk-avoidance, transference, acceptance, mitigation, deterrence

2.7 Compare and Contrast Physical Security and Environmental Controls
- Environmental controls
- Control types
- Physical security
- Mantraps
- Proximity readers
- Access list
- Proper lighting
- Signs
- Guards
- Barricades
- Biometrics

RISK RELATED CONCEPTS
Risk is the possibility that something could happen to damage, destroy, or disclose data or other resources. Security controls are safeguards or countermeasures to avoid, counteract, or minimize data loss. Security management procedures use risk assessment and risk analysis to identify threats, categorize assets, and rate system vulnerabilities so that effective controls can be implemented. Control types are categorized by the nature of the control.

CONTROL GROUPS

PREVENTIVE
Preventive controls are intended to prevent an incident from occurring. Preventive controls include:
- Security awareness training
- Firewalls / antivirus / anti-malware software
- Security guards
- Locks on doors

Cyanna Education Services, 2014 Page 1
DETECTIVE
Detective controls monitor activity to identify instances where practices or procedures were not followed. They let you know when a problem has occurred. These include:
- System monitoring
- Documentation and testing
- Motion detectors

CORRECTIVE
Corrective controls are put in place to help investigate and correct a problem that has occurred. They can restore the system or process to the state it was in before a harmful event, and so minimize the impact of the loss. These include:
- Upgrades to systems
- Backup and data recovery
- Error statistics
- Audit trails

DETERRENT
Deterrent controls are put in place to warn others not to do something.

COMPENSATING
Compensating controls are alternate controls designed to be used when the other controls cannot be used due to limitations of the environment. A compensating control uses a combination of controls to increase risk protection. These include:
- Backup generator (if power goes out)
- Server isolation
- Alarm system (activates if preventive controls such as locked doors or barriers are breached)

CONTROL TYPES
There are three control types that can be applied to mitigate risk. By using all three (layering them) you are applying the defense in depth strategy to protect and secure data. These control types are Technical, Administrative/Managerial, and Operational.

TECHNICAL
Technical controls are logical controls that use software and data to secure resources and include:
- User authentication (login) access
- Antivirus software
- Firewalls
- Access control lists
- Data encryption

ADMINISTRATIVE/MANAGERIAL
Administrative controls are procedural controls that are written and implemented by people and include:
- Policies
- Procedures
- Standards
- Guidelines

OPERATIONAL
Operational controls are controls that protect the workplace. These controls monitor facilities and protect the workplace, and are divided into physical and environmental controls.

PHYSICAL CONTROLS
- Mantraps
- Video surveillance
- Gates / fencing / barricades
- Proximity readers
- Access list - who has permission to enter a building or area
- Signs - warn others to stay away
- Security guards - provide access based upon facial recognition
- Biometrics - to authorize access to sensitive systems on a need-to-know basis
- Alarms
- Motion detection

ENVIRONMENTAL CONTROLS
- Heating, Ventilation, Air Conditioning (HVAC) - keeps employees and equipment comfortable and safe
- Proper lighting - provides safety to employees
- Protected distribution (cabling)
- Fire extinguishers / smoke alarms
- EMI shielding - reduces electrostatic and electromagnetic fields by creating a barrier made of conductive materials
- Hot and cold aisles - a layout design concept for computing equipment. The goal is to conserve energy and lower cooling costs by managing air flow.
- Environmental monitoring
- Temperature and humidity controls - proper room temperature and humidity will protect sensitive computer equipment

RISK REDUCING POLICIES
It is important to establish security policies that are created by management and given to employees and users. It goes without saying that policies of which the users have no knowledge have little effect on risk prevention. The following are policies that should be in place and shared:

PRIVACY POLICY
Personally Identifiable Information (PII) is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Many states have specific laws regarding PII, and commercial websites or companies that handle this information must have and provide a privacy policy to their customers. PII includes:
- SSN
- Phone number
- Email address
- Credit card information

ACCEPTABLE USE
An Acceptable Use Policy specifies to employees or users what they may do with their network access, and provides users the least possible access rights while allowing them to fulfill legitimate actions. This includes:
- Email and instant messaging usage for personal purposes
- Limitations on access times
- How much storage space is available to each user

An Acceptable Use Policy should contain:
- Clear, specific language
- Detailed standards of behavior
- Detailed enforcement guidelines and standards
- Outline of acceptable and unacceptable uses
- Consent forms
- Privacy statement
- Disclaimer of liability

LEAST PRIVILEGE
This policy addresses the rights or privileges essential for each process, user, or program to perform its work. It defines access that is necessary only to perform the legitimate task. This separation of work ensures that no one person has control of or access to a
company's vital assets. It is an important design consideration in enhancing the protection of data and functionality. Example: a System Administrator can configure and maintain computers in a domain, but only the System Assurance Officer can add new computers to the domain.

SEPARATION OF DUTIES
This policy is a preventive control that is put in place to ensure that power is balanced, so that no individual can complete a critical task or have control over a system by himself or herself.

MANDATORY VACATIONS / JOB ROTATION
Job rotation is the practice where employees switch roles in the company for a period of time. With this policy, access is rotated between individuals in order to reduce corruption, allow for cross-checks, and minimize personnel loss.

RISK CALCULATION

LIKELIHOOD
To calculate risk, use this formula:
Risk = Threat x Vulnerability

SINGLE LOSS EXPECTANCY (SLE)
SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:
SLE = Asset value x Exposure factor (probability)
Example: an attack or system failure affects 25% of sales, which are $100,000/day.
SLE = $100,000 x .25 = $25,000

ANNUALIZED RATE OF OCCURRENCE (ARO)
The ARO is the estimated probability of a specific threat taking place in a one-year time frame.
Example: if a company estimates the chance that an attack will occur at 50%, the ARO is .50

ANNUAL LOSS EXPECTANCY (ALE)
ALE determines the probability of failures per year. This is done by calculating the SLE (from the value of the asset) and the ARO. ALE equals the SLE times the ARO:
ALE = SLE x ARO
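The SLE, ARO and ALE formulas above carried through in Python, as an added example that is not part of the original notes. It uses the notes' own figures ($100,000/day in sales, 25% exposure, 50% annual likelihood) and goes one step further, weighing a control's yearly cost against the ALE reduction it buys, which is the cost-versus-risk balance described under Risk Responses; the control's cost and the residual exposure and ARO after it are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk, in the terms the notes use."""
    asset_value: float      # value of the asset exposed to the threat ($)
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net yearly benefit of a control: ALE reduction minus its yearly cost.

    A negative result means the control costs more per year than the loss
    it is expected to prevent, which is the cost/risk balance the notes
    describe under mitigation.
    """
    return before.ale() - after.ale() - annual_control_cost


# The notes' example: 25% of $100,000/day in sales, 50% chance per year.
baseline = Risk(asset_value=100_000.0, exposure_factor=0.25, aro=0.5)

# Constructed assumption (not from the notes): a control that cuts the
# exposure to 5% and the ARO to one incident per ten years, costing
# $4,000 a year to operate.
mitigated = Risk(asset_value=100_000.0, exposure_factor=0.05, aro=0.1)
CONTROL_COST = 4_000.0

if __name__ == "__main__":
    print(f"SLE = ${baseline.sle():,.2f}")  # $25,000.00
    print(f"ALE = ${baseline.ale():,.2f}")  # $12,500.00
    net = control_value(baseline, mitigated, CONTROL_COST)
    print(f"Net annual value of the control = ${net:,.2f}")
```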
From the example above, if we have an SLE of $25,000 and an ARO of .50, our ALE = $25,000 x .50 = $12,500. ALE is used to determine the number of failures per year.

MTTR
Mean Time to Repair (MTTR) is the time needed to repair a failed hardware module.

MTTF
Mean Time to Failure (MTTF) is a basic measure of reliability for non-repairable systems.

MTBF
Mean Time Between Failures (MTBF) is a term used to express the number of failures per million hours for a product.

QUANTITATIVE / QUALITATIVE MEASURES
Quantitative measures allow for the clearest measure of relative risk and expected return on investment or risk reduction on investment. Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization.

RISK RESPONSES
Risk management deals with the alignment of five potential responses with an identified risk:

ACCEPTANCE
Risk acceptance is an important step in identifying residual risk, because now something can be done to mitigate that risk. Once risk has been identified, it needs to be accepted so its impact can be determined. Risk acceptance must be documented, approved, and regularly reviewed by management.

AVOIDANCE
Avoiding risk by eliminating the vulnerability is the most effective solution, but often not possible due to organizational requirements. For example, in order to avoid email viruses, you could eliminate company email, but this is not realistic in order to run a business.
MITIGATION / DETERRENCE
Risk mitigation involves reducing the likelihood or impact of a risk's exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and the mitigation that will result.

TRANSFERENCE
Transference of risk is done to limit exposure. This can be as simple as purchasing insurance on equipment or hiring an outside company to host content.

RISKS ASSOCIATED WITH CLOUD COMPUTING AND VIRTUALIZATION
There are a number of risks associated with cloud computing. These include:

CLOUD RISK NO. 1: SHARED ACCESS
One of the key tenets of public cloud computing is multitenancy, meaning that multiple, usually unrelated customers share the same computing resources: CPU, storage, memory, namespace, and physical building.

CLOUD RISK NO. 2: VIRTUAL EXPLOITS
Every large cloud provider is a huge user of virtualization. However, virtualization carries every risk posed by physical machines, plus its own unique threats, including exploits that target the virtual server hosts and the guests. There are four main types of virtual exploit risk:
- Server host only
- Guest to guest
- Host to guest
- Guest to host

CLOUD RISK NO. 3: AUTHENTICATION, AUTHORIZATION, AND ACCESS CONTROL
A cloud vendor's choice of authentication, authorization, and access control mechanisms is crucial. Things to look for in a secure cloud vendor are:
- Data protection - Is data encryption used and enforced? Are private keys shared among tenants? Does the vendor share a common namespace with other tenants? Where is data physically stored? How is it handled when no longer needed?

CLOUD RISK NO. 4: AVAILABILITY
As a customer of a public cloud provider, redundancy and fault tolerance are not under your control.
CLOUD RISK NO. 5: OWNERSHIP
Often the customer is not the only owner of the data. Cloud vendors like owning the data because it gives them more legal protection if something goes wrong; plus, they can search and mine customer data to create additional revenue opportunities for themselves.

CONTINUITY PLAN
A continuity plan is a plan for how operations should continue if adverse conditions occur. The plan includes recovering operations or moving operations to another location if a disaster occurs at a worksite or datacenter. An overall continuity plan includes the RTO and RPO.

RECOVERY TIME OBJECTIVE
Recovery Time Objective (RTO) is the maximum desired length of time allowed between an unexpected failure or disaster and the resumption of normal operations and service levels. RTO defines the point in time after a failure or disaster at which the consequences of the interruption become unacceptable.

RECOVERY POINT OBJECTIVE
Recovery Point Objective (RPO) is the acceptable amount of data loss, measured in time, due to an incident.