Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis


Objectives
- Explain the fundamental concepts of risk analysis
- Describe different approaches to risk analysis
- Explain the process of risk analysis
- Describe techniques to minimize risk
Guide to Network Defense and Countermeasures, Second Edition 2

Fundamental Concepts of Risk Analysis
- There is no situation in which security is perfect
- Risk analysis determines the threats that face the organization
- Security policy: a statement that spells out
  - what defenses should be configured
  - how the organization will respond to attacks
  - how employees should safely handle the organization's resources


Risk Analysis Factors
- Risk is defined as the possibility of damage or loss
- Risk analysis: the study of the likelihood of damage or loss
  - Should encompass hardware, software, and data warehouses
- Assets
  - Physical assets
  - Data assets
  - Application software assets
  - Personnel assets

Risk Analysis Factors (continued)
- Threats: events that have not occurred but might occur
  - Threats increase risk
  - Can be universal or specific to your systems
- Circumstance-specific threat examples
  - Power supply
  - Crime rate
  - Facility-related
  - Industry
- The seriousness of a threat depends on the probability that it will occur (and, as covered under Consequences, on the impact if it does)

Risk Analysis Factors (continued)
- Probabilities: factors that affect the probability that a threat will actually occur
  - Geographic
  - Physical location
  - Habitual
- Exposure increases if you have factors that increase threat probabilities
- Make a list of your threats and rank them by probability


Risk Analysis Factors (continued)
- Vulnerabilities: situations or conditions that increase a threat's probability, which in turn increases risk
- Examples
  - OS flaws
  - Application software flaws
  - Poorly configured firewalls or packet filters
  - Unprotected passwords and log files
  - Wireless networks

Risk Analysis Factors (continued)
- Consequences: the significance of an attack's impact
  - Some consequences can be estimated
  - Some consequences are difficult to anticipate
- Return on investment (ROI)
  - Estimate the losses an attack would cause
  - Compare those losses with the cost of the security measures that would prevent them
  - A security measure is justified only when it costs less than the losses it averts


Risk Analysis Factors (continued)
- Safeguards: measures you can take to reduce the risk posed by threats
- Examples include
  - Firewalls and IDSs
  - Locking doors
  - Using passwords and encryption
- Residual risk: what is left over after countermeasures and defenses are implemented
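The factors above combine arithmetically: an asset's value and the fraction of it lost per incident give the loss from a single occurrence, the threat's probability of occurring in a year turns that into an expected annual loss, a safeguard shrinks the probability or the loss, and whatever remains is the residual risk. The following Python risk register is an added example, not code from the textbook; the assets, values, probabilities and safeguard effects are constructed for illustration, and the percentage-reduction model for safeguards is an assumption, not a method the book prescribes. It also applies the ROI rule from the Consequences slide: a safeguard whose cost exceeds the loss it averts is flagged as not justified.

```python
"""Risk register: risk = probability x consequence, with residual risk and ROI.

Added example. All figures are constructed for illustration; the assumption
that a safeguard removes a fixed fraction of probability or of loss is a
simplification, not the textbook's own method.
"""
from dataclasses import dataclass, field


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction of threat probability removed (0..1)
    impact_reduction: float = 0.0       # fraction of per-incident loss removed (0..1)


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float         # value of the asset, currency units
    exposure_factor: float     # fraction of the asset lost in one incident (0..1)
    annual_probability: float  # expected occurrences per year
    safeguards: list = field(default_factory=list)

    def single_loss(self) -> float:
        """Loss caused by one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def inherent_risk(self) -> float:
        """Expected annual loss before any countermeasure is applied."""
        return self.single_loss() * self.annual_probability

    def residual_risk(self) -> float:
        """Expected annual loss after every listed safeguard has taken effect."""
        prob, loss = self.annual_probability, self.single_loss()
        for sg in self.safeguards:
            prob *= 1.0 - sg.probability_reduction
            loss *= 1.0 - sg.impact_reduction
        return prob * loss

    def safeguard_cost(self) -> float:
        return sum(sg.annual_cost for sg in self.safeguards)

    def net_benefit(self) -> float:
        """Loss avoided per year minus what the safeguards cost.

        Negative means the countermeasures cost more than the losses they
        prevent, which the ROI rule says should never be the case."""
        return self.inherent_risk() - self.residual_risk() - self.safeguard_cost()


def build_register():
    """Constructed sample register (values are illustrative, not real data)."""
    return [
        Risk("Customer database", "Data theft via SQL injection", 500_000, 0.4, 0.5,
             [Safeguard("Input validation and code review", 20_000, probability_reduction=0.8)]),
        Risk("Sales laptops", "Theft or loss", 50_000, 1.0, 2.0,
             [Safeguard("Full-disk encryption", 2_000, impact_reduction=0.9)]),
        Risk("File server", "Power failure", 80_000, 0.1, 4.0,
             [Safeguard("UPS", 5_000, probability_reduction=0.75)]),
        Risk("Public Web site", "Defacement", 20_000, 0.5, 0.2,
             [Safeguard("Premium monitoring service", 15_000, probability_reduction=0.5)]),
    ]


def rank_risks(risks):
    """Order the register so the largest residual risk is handled first."""
    return sorted(risks, key=lambda r: r.residual_risk(), reverse=True)


if __name__ == "__main__":
    for r in rank_risks(build_register()):
        verdict = "justified" if r.net_benefit() >= 0 else "NOT justified"
        print(f"{r.asset:18} {r.threat:30} inherent={r.inherent_risk():>9,.0f} "
              f"residual={r.residual_risk():>8,.0f} net={r.net_benefit():>9,.0f} {verdict}")
```

Run as a script, the register lists the customer database first (largest residual risk) and flags the Web-site monitoring service as not justified: it would cost 15,000 a year to avoid 1,000 of expected loss.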


Approaches to Risk Analysis
- Survivable Network Analysis (SNA)
- Threat and Risk Assessment (TRA)

Survivable Network Analysis
- Security process developed by the CERT Coordination Center
- Assumes that a system will be attacked
- Leads you through a four-step process designed to ensure the survivability of a network
- Key network properties
  - Resistance
  - Recognition
  - Recovery
  - Adaptation and evolution

Survivable Network Analysis (continued)
- Fault tolerance: the capability of an object to continue operating despite a failure
- SNA steps
  - System definition
  - Essential capability definition
  - Compromisable capability definition
  - Survivability analysis

Threat and Risk Assessment
- TRA approaches risk analysis from the standpoint of threats and risks to an organization's assets
- TRA steps
  - Asset definition
  - Threat assessment
  - Risk assessment
  - Recommendations
- TRA is carried out in different ways by security agencies all over the world


Risk Analysis: An Ongoing Process
- Risk analysis is not a one-time activity
- It evolves to take into account an organization's changing size and activities
- The initial risk analysis is used to formulate a security policy
- New threats and intrusions create the need for a reassessment of the risk

Risk Analysis: General Activities to Follow
- Risk analysis is a group of related activities that follow a sequence
- Sequence of activities
  - Holding initial team sessions
  - Conducting asset valuation
  - Evaluating vulnerability
  - Calculating risk

Analyzing Economic Impacts
- Estimating financial impact or losses
  - You can use different statistical models
  - Or a software program such as Project Risk Analysis by Katmar Software
- Basic information to estimate
  - Likely cost
  - Low cost
  - High cost
- Monte Carlo simulation: an analytical method that simulates a real-life system by randomly generating values for its variables
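A Monte Carlo run needs exactly the three figures the slide lists. Each threat gets a low, likely and high cost per incident (a triangular distribution is the usual way to turn those three numbers into a random draw) and an expected number of occurrences per year; the simulation plays out thousands of years, sums the losses in each, and reports the mean and the tail (the 90th and 95th percentile years), which a point estimate cannot show. The Python below is an added example, not code from the textbook or from Project Risk Analysis; the threats and their cost ranges are constructed, the Poisson model for the number of incidents per year is an assumption, and `expected_loss` is included so the simulated mean can be checked against the closed-form value.

```python
"""Monte Carlo estimate of annual loss from low / likely / high cost figures.

Added example. Threat data is constructed for illustration. Number of
incidents per year is assumed Poisson with the given rate; cost per incident
is assumed triangular between low and high with the peak at likely.
"""
import math
import random


def poisson(rng, rate):
    """Knuth's method: number of events in one interval for a small rate."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def sample_threats():
    """Constructed threat list: per-year rate and low / likely / high cost per incident."""
    return [
        {"name": "Ransomware outbreak", "rate": 0.3, "low": 20_000, "likely": 80_000, "high": 400_000},
        {"name": "Laptop theft",        "rate": 2.0, "low": 1_000,  "likely": 3_000,  "high": 10_000},
        {"name": "Power outage",        "rate": 4.0, "low": 500,    "likely": 2_000,  "high": 5_000},
    ]


def expected_loss(threats):
    """Closed-form expected annual loss: rate x mean of the triangular cost."""
    return sum(t["rate"] * (t["low"] + t["likely"] + t["high"]) / 3.0 for t in threats)


def simulate_annual_loss(threats, trials=20_000, seed=1):
    """Return the sorted list of total loss for each simulated year."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        loss = 0.0
        for t in threats:
            for _ in range(poisson(rng, t["rate"])):
                # random.triangular takes (low, high, mode)
                loss += rng.triangular(t["low"], t["high"], t["likely"])
        years.append(loss)
    years.sort()
    return years


def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    idx = int(round(pct / 100.0 * (len(sorted_values) - 1)))
    return sorted_values[min(idx, len(sorted_values) - 1)]


def summarize(threats, trials=20_000, seed=1):
    years = simulate_annual_loss(threats, trials, seed)
    return {
        "mean": sum(years) / len(years),
        "p50": percentile(years, 50),
        "p90": percentile(years, 90),
        "p95": percentile(years, 95),
        "max": years[-1],
    }


if __name__ == "__main__":
    threats = sample_threats()
    s = summarize(threats)
    print(f"closed-form expected loss: {expected_loss(threats):,.0f}")
    for key, value in s.items():
        print(f"{key:>5}: {value:,.0f}")
```

The median year is usually far below the mean because most years contain no ransomware incident; it is the 95th-percentile figure, not the average, that tells you how much loss the organization has to be able to absorb in a bad year.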


Deciding How to Minimize Risk
- Risk management: the process of identifying, choosing, and setting up countermeasures justified by the risk you identify
- Countermeasures go into your security policy

Securing Hardware
- Think about obvious kinds of physical protection, such as environmental conditions
- Lock up your hardware
  - Decide which devices you want to be locked
- Pay special attention to laptops
  - Laptops can be lost or stolen easily
  - Install startup passwords and screen-saver passwords; experienced thieves can circumvent them, though
  - Encrypt files with programs such as PGP (or encrypt the whole disk), so a stolen device does not expose its data

Securing Hardware (continued)
- Conducting a hardware inventory
  - Make a list of servers, routers, cables, computers, printers, and other hardware
  - Be sure to include your company's network assets
  - Make a topology map of your network


Ranking Resources to Be Protected
- Rank resources in order of importance
  - Values can be arbitrary numbers
- Focus your security efforts on the most critical resources first
- Work in cooperation with your team and higher management

Securing Information
- Electronic assets: word processing, spreadsheet, Web page, and other documents
- Logical assets: e-mail messages, any records of instant messaging conversations, and log files
- Data assets: personnel, customer, and financial information

Securing Information (continued)
- Maintaining customer and employee privacy
  - Isolate critical information from the Internet
  - Move information from the original directory to a computer that is not connected to the Internet
  - Configure backup software to save critical files
- Other measures
  - Encryption
  - Message filtering
  - Data encapsulation
  - Redundancy
  - Backups

Securing Information (continued)
- Protecting corporate information; measures include
  - Never leave company-owned laptops unattended
  - Always password-protect information on corporate devices
  - Encrypt financial information
  - Password-protect all job records and customer information
  - Restrict personnel information to human resources staff and/or upper management

Conducting Routine Analysis
- Risk analysis is an ongoing process
  - A company's situation changes constantly
  - Risk analysis should be done routinely to include these changes
- Consider the following questions
  - How often will a risk analysis be performed?
  - Who will conduct the risk analysis?
  - Do all hardware and software resources need to be reviewed every time?
- Human emotions can influence risk evaluations, so some companies do not allow these calculations to be done manually

Handling Security Incidents
- The security policy should state how you will respond to break-ins
  - Fill out a form to record what happened
- Incident-handling procedures
  - Describe who will respond to security incidents
  - Describe the kinds of incidents to be addressed
    - Alarms sent by intrusion detection systems
    - Repeated unsuccessful logon attempts
    - Unexplained changes to data or deletion of records
    - System crashes
    - Poor system performance
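"Repeated unsuccessful logon attempts" is the one incident type on the list that can be recognized mechanically from logs, and the record the slide asks for (who, from where, when, how many times, which accounts) can be filled in from the same lines. The Python below is an added example, not from the textbook: it reads sshd-style authentication lines, keeps a sliding window of failures per source address, and opens one incident record per source once the count in the window reaches a threshold. The log lines are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges), the ISO timestamp at the start of each line is a simplification of a real syslog prefix, and the threshold and window are assumptions to tune per site.

```python
"""Detect repeated failed logons in sshd-style logs and open an incident record.

Added example. SAMPLE_LOG is constructed; real syslog lines carry a
"Mar 12 10:01:05" prefix without a year, which this parser does not handle.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source makes six failures in under two minutes,
# another makes two, and one succeeds.
SAMPLE_LOG = """\
2024-03-12T09:00:11 gw sshd[2201]: Failed password for root from 203.0.113.9 port 40112 ssh2
2024-03-12T10:01:05 gw sshd[2310]: Failed password for root from 203.0.113.5 port 5122 ssh2
2024-03-12T10:01:09 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 5124 ssh2
2024-03-12T10:01:14 gw sshd[2312]: Failed password for invalid user admin from 203.0.113.5 port 5126 ssh2
2024-03-12T10:01:20 gw sshd[2313]: Accepted password for jsmith from 198.51.100.7 port 51022 ssh2
2024-03-12T10:01:31 gw sshd[2314]: Failed password for jsmith from 198.51.100.7 port 51030 ssh2
2024-03-12T10:01:45 gw sshd[2315]: Failed password for root from 203.0.113.5 port 5128 ssh2
2024-03-12T10:02:02 gw sshd[2316]: Failed password for invalid user oracle from 203.0.113.5 port 5130 ssh2
2024-03-12T10:02:40 gw sshd[2317]: Failed password for jsmith from 198.51.100.7 port 51044 ssh2
2024-03-12T10:02:51 gw sshd[2318]: Failed password for root from 203.0.113.5 port 5132 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, account, source address) for every failed logon line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=300):
    """Open one incident per source that reaches `threshold` failures within the window."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, account) inside the window
    alerted = set()
    incidents = []
    for ts, user, src in parse_failures(lines):
        q = recent[src]
        q.append((ts, user))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            incidents.append({                       # the incident-report form
                "type": "repeated unsuccessful logon attempts",
                "source": src,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "attempts": len(q),
                "accounts": sorted({u for _, u in q}),
                "escalate_to": "SIRT",
            })
    return incidents


if __name__ == "__main__":
    for incident in detect_bruteforce(SAMPLE_LOG):
        for key, value in incident.items():
            print(f"{key:>11}: {value}")
```

Alerting once per source, rather than on every further failure, is deliberate: the escalation procedure needs one record to work from, and a second record for the same source within the window is noise. A source that keeps failing after the incident is closed will simply trigger a new one on a fresh run.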


Handling Security Incidents (continued)
- Assembling a response team
  - The security policy should state which security staff need to be notified in case of an incident
- Security incident response team (SIRT): staff designated to take countermeasures when an incident is reported
- A SIRT contains
  - IT operations and technical support staff
  - IT application staff
  - Chief security officer
  - Information security specialists
  - Others

Handling Security Incidents (continued)
- Escalation procedure: the set of roles, responsibilities, and measures taken in response to a security incident

Handling Security Incidents (continued)
- Including worst-case scenarios
  - Worst-case scenarios: descriptions of the worst consequences to an organization if a threat happens
  - They might be unlikely
  - They can help you determine the value of a resource at risk

Summary
- Risk analysis plays a central role in defining a security policy
- Risk analysis covers the company's computer hardware, software, and informational assets
- Your first task is to assess the level of risk to your network and its users
- Determine countermeasures for minimizing risk
- Assess threats to your network and the probability that they might happen
- Determine safeguards and countermeasures