
Ch 1 - Risk Management

Defining Risk

Terms relating to Risk Management….

Risk - the likelihood of a threat actor taking advantage of a vulnerability
by using a threat against an IT asset, weighed against the impact if they succeed

Asset - any part of an IT infrastructure that has value


Data - Equipment - Servers - Printers - etc
People (especially Critical People) - Services

Likelihood - probability of an event occurring over time


An event such as an asset being damaged, or something happening to the asset

Threat Actor - anyone or anything with the motive and resources


to attack another's IT infrastructure

Hackers - person that's trying to penetrate the infrastructure

Hacktivist - hacker motivated by a political or social cause
Script Kiddies - someone without much hacking skill,
so they use known scripts / pre-made attack tools
Insiders - an employee, a vendor,
anyone with legitimate access to the internal infrastructure (including cleaning services)
Competitor - if you have something of value, they'll want it
Shadow IT - any IT infrastructure that's installed without IT's knowledge or approval
Coworker plugs in a WAP because they wanted wireless internet
Criminal Syndicates - organized groups that run attacks as a business
They will accept your money and run a DoS attack against anyone you want
State Actor - state-sponsored, well-funded, long-term types of actors
One government's intelligence services trying to hack another government
Advanced Persistent Threat (APT) - attacker that maintains long-term, covert access
to a network in order to gather information over time

Vulnerability - a weakness in the protection of an asset that leaves it open to a threat

Code that has a weakness (a bug an attacker can trigger)
Firewall rules that leave unnecessary ports open

Threat - an action (exploit) a Threat Actor can take against a vulnerability
to do harm to an asset
We want to reduce, or eliminate, as many threats as we can

Remediation - consider the Threat Actors, Threats, our Infrastructure, our Vulnerabilities,
and, based on Likelihood, decide what to do to remove or reduce the Threat

Copyright Robert Mathisen & Total Seminars 2023


Threats and Vulnerabilities

CIA Security Triad -


Confidentiality - encryption and access controls keep data from unauthorized readers
Integrity - hashing (and digital signatures) detect any unauthorized changes
Availability - ensure systems & data are available when we need them

We can get recommendations on things that might become Realized Threats

follow Cloud Security Recommendations to harden our environment

Microsoft Azure's Security Center Recommendations (Security Center has since been renamed Microsoft Defender for Cloud)….

Kali Linux - distribution that has vulnerability assessment & penetration testing tools
How you use it determines whether you're
an "Ethical Hacker" or a "Malicious Actor"
Be Careful! It's very easy to cross the line into doing something that is illegal.
You need written consent/permission from the owner of the system
we're running the attack against

Attack Vectors - pathways to gain access to infrastructure via….


- Weak Configurations (password policy not enforced) - Missing Patches
- Lack of Multifactor Authentication (MFA) - Open Firewall Ports
- Lack of User Security Awareness - Infected USB Thumb Drives

Right-to-Audit clause - often with 3rd Party Outsourced Software Development,


there will be a contractual agreement that gives you
the right to audit at any time to make sure they’re compliant
with any laws, regulations, or data security standards



Threat Intelligence

Threat Intelligence….
Knowledge of the latest threats,
so we can prevent them from happening to our systems

Hardening ahead of time reduces incident response effort and time

Proactively develop an incident response plan,
so if an attack does occur, we can quickly contain it

Provide cybersecurity insight


Adversary Tactics, Techniques, and Procedures (TTPs) -
describe how an attack is carried out, stage by stage, to gain access to the system
(the MITRE ATT&CK knowledge base catalogues them)
We need to apply security controls at each stage

Threat Maps - graphical representation relating to the threats


example: geographical representation of malware outbreaks

Gain Threat Intelligence via Closed or Proprietary Information Sources -


private sources you sign up for with a vendor
for a feed of the latest threats & details related to them

Open-Source Intelligence (OSINT) -


Government Reports - National Security Agency (NSA)
Media
Academic Papers

Google Hacking Database (free) - catalogue of search queries that expose misconfigured or sensitive pages

intitle:"Web user login" - search will result in a list of web login pages
This is one less step for a hacker to figure out,
and now they can run their Brute Force attacks against those logins

File/Code Repositories - example: GitHub



Vulnerability Databases -
Common Vulnerabilities and Exposures (CVEs) -
uniquely numbered, publicly known vulnerabilities, recognized internationally
This database is an example of OSINT

CVE-2017-5638 - this CVE (remote code execution in Apache Struts 2) is the vulnerability
that was exploited in the 2017 Equifax Hack;
public proof-of-concept exploit code was available within days of disclosure,
so any unpatched internet-facing system was an easy target

Dark Web (aka Dark Net) - content on it is not indexed by search engines
Tor Network / Tor Web Browser - overlay network that sits on top of
the standard internet protocols that we know;
it encrypts the connection through a chain of relays, which hides your origin location

Used by….
Journalists - send things anonymously to the media
Law Enforcement
Government Informants
and also by criminals, so dark-web marketplaces and forums are themselves a threat intelligence source

Threat intelligence sources like these are where we learn about the threats.

Automated Indicator Sharing (AIS) -

machine-to-machine exchange of Cybersecurity Intelligence (CI) between entities
(run by the US Cybersecurity and Infrastructure Security Agency, CISA)
Structured Threat Information eXpression (STIX) - JSON data format describing the CI itself
(indicators, threat actors, TTPs, campaigns)

Trusted Automated eXchange of Intelligence Information (TAXII) -

the transport protocol (HTTPS-based) used to push or pull STIX content,
which is how real-time CI feeds are delivered
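Added example, not part of the course notes: a minimal STIX 2.1 indicator bundle built with the Python standard library (the JSON a TAXII server would deliver), plus a tiny consumer that pulls the IOC out of the indicator pattern and runs it over constructed firewall log lines. The IP address, the log lines and the function names are all made up for the example; the pattern parser only understands the single-IPv4 shape the example itself produces, so a real consumer would use a full STIX pattern parser.

```python
"""Added example (not from the course notes): build a STIX 2.1 indicator
bundle, the JSON a TAXII server would hand out, and apply its IOC to log lines."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOC; 198.51.100.0/24 is a documentation range, not a real attacker.
FEED_IOC_IP = "198.51.100.7"


def stix_timestamp() -> str:
    """STIX 2.1 timestamps: UTC, RFC 3339, 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(ip: str, name: str) -> dict:
    """Return a STIX 2.1 Indicator object for one hostile IPv4 address."""
    ts = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(*objects: dict) -> str:
    """Wrap STIX objects in a bundle and serialize it; this is what TAXII transports."""
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}
    return json.dumps(bundle, indent=2)


# This example only understands the single-IPv4 pattern shape produced above.
_IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '(\d{1,3}(?:\.\d{1,3}){3})'\]$")


def ioc_from_pattern(pattern: str) -> str:
    """Pull the IPv4 literal out of a STIX pattern, refusing anything else."""
    m = _IPV4_PATTERN.match(pattern)
    if m is None:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m.group(1)


def match_logs(bundle_json: str, log_lines: list) -> list:
    """Return every log line that mentions an IOC from any indicator in the bundle."""
    bundle = json.loads(bundle_json)
    iocs = {ioc_from_pattern(o["pattern"]) for o in bundle["objects"] if o["type"] == "indicator"}
    # Boundary checks so 198.51.100.7 does not also match 198.51.100.70 or 1198.51.100.7.
    regexes = [re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in iocs]
    return [line for line in log_lines if any(r.search(line) for r in regexes)]


# Constructed firewall log lines, not captured from any real system.
SAMPLE_LOGS = [
    "2023-05-01T10:00:01Z ALLOW src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2023-05-01T10:00:02Z ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2023-05-01T10:00:03Z DENY  src=198.51.100.70 dst=10.0.0.5 dport=22",
]

if __name__ == "__main__":
    feed = make_bundle(make_indicator(FEED_IOC_IP, "SSH brute-force source (constructed)"))
    print(feed)
    for hit in match_logs(feed, SAMPLE_LOGS):
        print("HIT:", hit)
```

Run it and only the second log line is reported: the boundary lookarounds are what stop the feed's `198.51.100.7` from also flagging the unrelated `198.51.100.70`, a false positive that naive substring matching on IOC feeds produces constantly.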



Risk Management Concepts

- Risk management frameworks (RMFs)


provide guidance on identifying and managing risk
- Security regulations and standards such as GDPR, HIPAA, and PCI DSS
are designed to protect sensitive data
- Organization security policies are designed to protect assets

Risk Vectors (Attack Vectors) -

pathways into mission-critical IT systems, such as those supporting
Payment Processing - Human Resources - Emergency Systems

For these systems,

to manage any risks related to their data we need to know
What data we have
Where it is

3rd Party Access


Software we’re using
Contractors working on our systems

Physical Risk Vectors -


Access Control Vestibules (Mantraps) - two interlocking doors; the second only opens
once the first has closed, so only one person at a time gets in
Locks to protect Server Rooms & locks on the Racks
Limit USB bootable devices (disable booting from USB in firmware settings and password-protect those settings)

Cybersecurity Risk Management….


Risk Management Frameworks (RMFs) - structured processes for managing Risk Vectors
Center for Internet Security (CIS) - publishes Cybersecurity best practices (the CIS Controls and Benchmarks)

National Institute of Standards & Technology (NIST)

NIST Risk Management Framework (RMF, SP 800-37) - process for selecting, implementing and
monitoring security controls; the separate NIST Cybersecurity Framework (CSF) is a
higher-level set of outcomes organized into functions such as Identify, Protect, Detect, Respond and Recover

International Organization for Standardization

/ International Electrotechnical Commission (ISO/IEC) -
international standards related to IT System and Information Security
(ISO/IEC 27001 for an information security management system, ISO/IEC 27005 for risk management)



Financial RMFs - verify the integrity of financial reporting
with internal controls
SSAE (Statement on Standards for Attestation Engagements) governs SOC
(System and Organization Controls) audit reports: SOC 1 covers controls over financial reporting,
SOC 2 covers security, availability, confidentiality, processing integrity and privacy

Guide for Conducting Risk Assessments - NIST Special Publication 800-30, Revision 1

Data Privacy Regulations and Standards….

General Data Protection Regulation (GDPR) - applies to the personal data

of individuals in the European Union (EU),
regardless of where that data is being processed, gathered, or shared.
If it's the personal data of someone in the EU, GDPR data privacy rules apply.

Health Insurance Portability and Accountability Act (HIPAA) -


protects American patient Medical Information

Payment Card Industry Data Security Standard (PCI DSS) -


Protect Cardholder Information (debit or credit cards)

Types of Security Policies….

Acceptable Use Policy (AUP) - outlines how employees can use


email, social media, web browsing, etc.

Resource Access Policies - app or file access

Account Policies - Account Hardening (enabling MFA, or complex passwords)

Data Retention Policies - often dictated by regulations

Change Control Policies - how IT changes are requested, approved, tested, and rolled back

Asset Management Policies - inventory and ownership of hardware, software, and data



Security Controls

- Managerial security controls include


administrative functions such as background checks
- Operational security controls include policy reviews
- Technical controls relate to specific IT security solutions
- Security control types include
physical, detective, corrective, preventive, deterrent, and compensating

Security Controls - solution that mitigates a threat


example: mitigate malware infections with a Malware scanner
Implemented differently based on platform, vendor, or user
Network infrastructure devices (switches, routers, firewalls)

Security Control Categories….

Managerial / Administrative - what should be done?


Employee Background Checks

Operational - how often should we do it?


Periodic Review of Security Policies

Technical - how will we solve the problem of this risk?


Firewall Rule Configuration
Up-to-date Malware Scanners

Physical -
Access Control Vestibule (Mantrap)

Detective - detect if a security incident is occurring, or has occurred


Log Analysis

Corrective -
Patching known Vulnerabilities

Deterrent -
Device Logon Warning Banner

Compensating - 2nd Pick - the desired control is too expensive/complicated


Network Isolation for Internet of Things (IoT) devices



shodan.io - search engine that indexes internet-facing devices and their exposed services,
so it can be used to find vulnerable devices on the internet
Just because you see a vulnerable device,
this does not give you the license to try to exploit it or sign in
without permission of the owner

If something shows up on shodan as being vulnerable,

it's because proper security controls were not put into place.

Cloud Security Control Documents….

Cloud Security Alliance (CSA) -


Cloud Controls Matrix (CCM) - excel file (.xlsx)
helps you decide what should be implemented & how,
and the aspect of our IT ecosystem it will protect

Payment Card Industry Data Security Standard (PCI DSS) -


Protect Cardholder Information (debit or credit cards)

Risk Example….
Risk - theft of online banking credentials
Attack Vector - spoofed email msg with link to spoofed website
Mitigation via Security Controls - User Security awareness /
Antivirus Software / Spam Filters



Risk Assessments and Treatments

- A risk assessment strives to determine the likelihood and impact of threats


- Risk types include environmental, person-made, internal, and external
- Risk treatments (management) include
acceptance, mitigation, transference, and avoidance

To Manage Risk, you must Assess it first

Risk Assessment….
Applies to….
Entire Organization Department Project
Company Merger Acquisition System

Targets….
Servers Legacy Systems
Intellectual Property (IP) Software Licensing

Conducting the Assessment….


Risk Awareness
Cybersecurity Intelligence Sources

Evaluating Security Controls

Inherent Risk - the risk before any controls are applied
Residual Risk - what remains after the controls are in place

Implement Security Controls

Periodically Review

Risk Types….
Environmental - Flood / Hurricane

Person-made - Riots / Terrorism / Sabotage

Internal - Malicious Insider / Malware Infections

External - DDoS Attacks



Risk Treatments….
Mitigation / Reduction
Security Controls

Transference / Sharing
Some risk is transferred to a 3rd Party
example: Cybersecurity Insurance

Avoidance
Avoid an activity
because the risks outweigh the potential gains

Acceptance
The current level of risk is acceptable
The risk falls within the organization's risk appetite



Quantitative Risk Assessments

- The Single Loss Expectancy (SLE) is calculated by


multiplying the Asset Value (AV) by the Exposure Factor (EF)
- The Annualized Loss Expectancy (ALE) is calculated by
multiplying the Annualized Rate of Occurrence (ARO) by the SLE

Quantitative Risk Assessment - based on Numeric Values (often $$)


Is it worth putting the Security Control in place to protect the Asset?

Asset Value (AV) - value ($) of the asset


Exposure Factor (EF) - % of the Asset Value loss when an incident occurs

Single Loss Expectancy (SLE) - amount of loss is experienced


during a single incident

example: Asset Value (AV) = $24,000/day; risk: 3 hrs of downtime

Exposure Factor (EF) = 3 hrs / 24 hrs = 12.5%

SLE = AV x EF
    = $24,000 x 0.125
    = $3,000
When there's one incident, we're expecting a loss of $3,000 during those 3 hours.

Annual Rate of Occurrence (ARO) - expected # of yearly occurrences

Annualized Loss Expectancy (ALE) - total yearly cost due to incidents


SLE - loss ($) experienced in a single event
ARO - expected # of annual occurrences

example: ARO = 2 times per year

ALE = SLE x ARO
    = $3,000 x 2
    = $6,000
A control that eliminates this risk is worthwhile if it costs less than $6,000 annually;
a control that only reduces it is worthwhile if it costs less than the ALE it removes.
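Added example, not from the course notes: the SLE/ALE arithmetic above as functions, extended to the comparison that actually decides whether a control is worth buying, namely the ALE it removes against what it costs per year. The two proposals, their costs and their residual EF/ARO figures are assumed for illustration; the asset value, exposure factor and ARO are the notes' own numbers.

```python
"""Added example (not from the course notes): SLE/ALE arithmetic plus the
cost-benefit test that decides whether a proposed control is worth buying."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, with EF given as a fraction between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (0.1 = once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def downtime_exposure_factor(hours_down: float) -> float:
    """EF for a per-day asset value, as in the notes: 3 hrs / 24 hrs = 0.125."""
    return hours_down / 24.0


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # licences, hardware, staff time per year (assumed figures)
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # occurrences per year once the control is in place


def net_annual_benefit(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """ALE before the control minus ALE after it, minus what the control costs.
    Positive means the control pays for itself; negative means accept or transfer instead."""
    before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_ef), control.residual_aro)
    return before - after - control.annual_cost


# The notes' figures: $24,000/day asset, 3 hours of downtime per incident, twice a year.
ASSET_VALUE_PER_DAY = 24_000.0
EF_3_HOURS = downtime_exposure_factor(3)   # 0.125
ARO_TWICE_A_YEAR = 2.0

# Two hypothetical proposals with assumed costs and assumed residual figures.
REDUNDANT_LINK = Control("redundant WAN link", annual_cost=2_500.0,
                         residual_ef=downtime_exposure_factor(1), residual_aro=1.0)
GOLD_PLATED_DR = Control("active-active DR site", annual_cost=7_000.0,
                         residual_ef=0.0, residual_aro=0.0)

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE_PER_DAY, EF_3_HOURS)
    ale = annualized_loss_expectancy(sle, ARO_TWICE_A_YEAR)
    print(f"SLE = ${sle:,.0f}  ALE = ${ale:,.0f}")
    for c in (REDUNDANT_LINK, GOLD_PLATED_DR):
        benefit = net_annual_benefit(ASSET_VALUE_PER_DAY, EF_3_HOURS, ARO_TWICE_A_YEAR, c)
        print(f"{c.name}: net annual benefit ${benefit:,.0f}")
```

With the notes' numbers the cheaper redundant link nets about $2,500 a year (it cuts the ALE from $6,000 to roughly $1,000 for $2,500), while the $7,000 DR site that removes the risk entirely nets minus $1,000: a control that costs more than the ALE it removes is a worse deal than accepting the risk, even though it is the stronger control.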



Qualitative Risk Assessments

Qualitative Risk Assessment - based on subjective opinion regarding….

Threat Likelihood
Impact of the Realized Threat
(different people will rate these same aspects differently)
Threats are given a Severity Rating

Risk Register - properly manages the different types of risks in a list


to simplify looking at the relative severity ratings
Centralized list of….
Risks - Severity Ratings
Responsibilities - Mitigations (Security Controls)

Organizations should have one (or more)

Risk Heat Map - Risk Severity levels denoted by color on a map

The numbers are the Risk #s


from the Risk Register

Risk Matrix - table of risk details, likelihood on one axis and impact on the other

Similar to a Heat Map (but no colors)
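Added example, not part of the course notes: a qualitative scoring scheme, a risk register sorted by severity, and a text rendering of the likelihood x impact heat map. The four-point scale, the severity banding and the sample risks are all assumptions made for the example; real organisations pick their own thresholds.

```python
"""Added example (not from the course notes): score risks qualitatively,
keep them in a risk register, and draw the likelihood x impact heat map as text."""
from dataclasses import dataclass

# Assumed 4-point ordinal scale; the product of the two ranks drives the severity banding.
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}
LEVEL_NAMES = list(LEVELS)


@dataclass
class Risk:
    risk_id: int
    description: str
    likelihood: str
    impact: str
    owner: str
    mitigation: str

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in LEVELS:
                raise ValueError(f"rating must be one of {LEVEL_NAMES}, got {v!r}")

    @property
    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def severity(self) -> str:
        # Assumed banding of the 1..16 product; each organisation sets its own thresholds.
        if self.score >= 12:
            return "critical"
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def risk_register(risks: list) -> list:
    """Centralised list, most severe first, so the top of the register is what to fund."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))


def heat_map_cells(risks: list) -> dict:
    """Map each (likelihood, impact) cell to the risk IDs that land in it."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.risk_id)
    return cells


def render_heat_map(risks: list) -> str:
    """Text version of the matrix; a real heat map colours each cell by severity instead."""
    cells = heat_map_cells(risks)
    header = "likelihood \\ impact".ljust(20) + "".join(n.ljust(12) for n in LEVEL_NAMES)
    rows = [header]
    for lk in reversed(LEVEL_NAMES):              # highest likelihood on top
        row = lk.ljust(20)
        for im in LEVEL_NAMES:
            ids = cells.get((lk, im), [])
            row += (",".join(map(str, ids)) or ".").ljust(12)
        rows.append(row)
    return "\n".join(rows)


# Constructed sample register entries, not from any real organisation.
SAMPLE_RISKS = [
    Risk(1, "phishing leads to stolen online banking credentials", "high", "high",
         "CISO", "awareness training, spam filter, MFA"),
    Risk(2, "flood takes out the data centre", "low", "very high",
         "Facilities", "off-site backups, DR site"),
    Risk(3, "core switch past end-of-service life", "medium", "medium",
         "Network lead", "replacement budgeted"),
    Risk(4, "ransomware on the file server", "high", "very high",
         "IT ops", "offline backups, EDR, least privilege"),
]

if __name__ == "__main__":
    for r in risk_register(SAMPLE_RISKS):
        print(f"#{r.risk_id} {r.severity:8} score={r.score:2} {r.description} ({r.owner})")
    print(render_heat_map(SAMPLE_RISKS))
```

The numbers printed in the heat map cells are the risk IDs from the register, which is exactly how the coloured version is read: a cell tells you which register entries to look up, and the register holds the owner and the mitigation for each.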



Business Impact Analysis

Consider the impact the realized threats could have against your assets

Business Impact Analysis (BIA) - prioritize mission-critical processes


Payment Processing Systems
Customer / Patient Records

Assess Risk - required before being able to determine the impact of the threat
Identify…. Sensitive Data - Single Points of Failure
Security Controls & Compliance

Business Impact -
Financial - fines, loss of contracts
Reputation - reduces confidence
Data Loss - breach notification; escalation requirements; exfiltration

maximum tolerable amount of….

Recovery Point Objective (RPO) - ….data loss, which dictates backup frequency
Recovery Time Objective (RTO) - ….downtime

Failed Component Impact -

Mean Time Between Failures (MTBF) -
avg time between failures of a repairable component
(e.g. software, which is repaired by patching)

Mean Time To Failure (MTTF) -

avg expected lifetime of a non-repairable component before it fails
hard disks - switches - routers

Mean Time To Repair (MTTR) -

avg time to repair (or replace) a failed component

Locating Critical Resources -


Data Discovery & Classification (sensitive Health / Financial / etc. info)
Privacy Threshold Assessment (PTA)

Impact on Sensitive Data


Privacy Impact Assessment (PIA) - Regulatory Compliance



Data Types and Roles

- Data Classification - assigns labels to data to facilitate management


- Common Data Privacy Standards - HIPAA, PCI DSS, and GDPR
- Data Owners - determine data management policies
- Data Custodians - apply data management policies

Data Classification….
Top Secret - Secret - Confidential

Standard Classification….
PII (Personally Identifiable Information)
PHI (Protected Health Information)
Proprietary - Public / Private - Critical - Financial

Data Privacy Standards….


Ensure Data Privacy and Breach notification
Levy Fines
Protect Intellectual Property (IP)
HIPAA (Health Insurance Portability and Accountability Act)
PCI DSS (Payment Card Industry Data Security Standard) - cardholder info
GDPR (General Data Protection Regulation)
protects EU citizens’ data regardless of location

Data Classification Tools….


Any method of applying metadata (example: cloud resource tagging)
AWS Amazon Macie - discovers sensitive data you have stored in the cloud (S3)
and automatically classifies it for you

Data Roles and Responsibilities….


Owner - legal data owner; sets policies on how data will be managed
Controller - decides why and how personal data is processed, and is accountable for compliance (GDPR term)
Processor - processes data on the controller's behalf, following its instructions and privacy guidelines
Custodian / Steward - responsible for managing data
in alignment with data owner policies (permissions, backup, etc.)
Data Privacy Officer (DPO) - ensures data privacy regulation compliance

We need to….
be able to discover data that needs to be protected.
be compliant with any laws / regulations
consider the data roles & responsibilities



Security and the Information Life Cycle

Information Life Cycle….


Security involved at every phase
Data Collection - need consent!
Implementation depends on the Regulations / Standards that apply

Collection → Store → Process → Share → Archive / Delete

Personal Identifiable Information (PII)….


sensitive information that can be traced back to a person
Social Security Number Email Address
Credit Card Number Home Address
Web browser cookie containing sensitive session identifiers

Protected Health Information (PHI)….


sensitive medical information that can be traced back to a person
Health Insurance Plan Number
Blood Type Patient Medical Ailments

Privacy-Enhancing Technologies….
Anonymization - removal of sensitive info that could tie the data back to the person
Truly anonymized data is no longer personal data, so GDPR does not restrict its collection or use

Anonymization Techniques….
Pseudonymization - replace PII with artificial identifiers; the mapping (or key) is kept separately,
so the data can be re-linked and GDPR still treats it as personal data
Data Minimization - limit stored sensitive data (e.g. don't keep full Credit Card information)
Tokenization - replace a sensitive value with a random surrogate token;
only the token vault can map it back to the original value
Data Masking - hide sensitive data from unauthorized users
Masked credit card number digits on a receipt
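Added example, not from the course notes: the four techniques in the list above applied in Python to one constructed customer record. The key, the vault, the record and the test card number are all made up for the example, and the in-memory vault is a stand-in for a real tokenization service.

```python
"""Added example (not from the course notes): the four privacy-enhancing
techniques from the list above, applied to one constructed customer record."""
import hashlib
import hmac
import secrets

# Assumed: in production this key lives in a KMS/HSM, never next to the data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier.
    Same input -> same pseudonym, so records can still be joined, but without the
    key nobody can enumerate the small input space (every SSN, every e-mail) to
    reverse it. A plain unkeyed SHA-256 would be reversible that way."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan: str) -> str:
    """Data masking: show only the last four digits, as on a receipt."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: swap the real value for a random surrogate.
    The mapping lives only inside the vault, so systems that hold tokens
    hold nothing a thief can use, and the PCI DSS scope shrinks to the vault."""

    def __init__(self) -> None:
        self._value_by_token: dict = {}
        self._token_by_value: dict = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:           # same PAN always gets the same token
            return self._token_by_value[value]
        token = "tok_" + secrets.token_hex(12)      # random: carries no information about the PAN
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        try:
            return self._value_by_token[token]
        except KeyError:
            raise ValueError("unknown token") from None


def minimize(record: dict, needed: set) -> dict:
    """Data minimization: keep only the fields this process actually needs."""
    return {k: v for k, v in record.items() if k in needed}


# Constructed sample record (fictitious person, industry test card number 4111 1111 1111 1111).
CUSTOMER = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "ssn": "123-45-6789",
    "card": "4111 1111 1111 1111",
    "purchase_total": 42.50,
}


def protect_for_analytics(record: dict, vault: TokenVault) -> dict:
    """One pipeline applying all four techniques before data leaves the secure zone."""
    slim = minimize(record, {"email", "card", "purchase_total"})
    return {
        "customer_ref": pseudonymize(slim["email"]),   # joinable, not identifying
        "card_token": vault.tokenize(slim["card"]),    # only the vault can reverse
        "card_display": mask_pan(slim["card"]),        # safe to show on a screen
        "purchase_total": slim["purchase_total"],
    }


if __name__ == "__main__":
    vault = TokenVault()
    out = protect_for_analytics(CUSTOMER, vault)
    print(out)
    print("vault can still recover:", vault.detokenize(out["card_token"]))
```

The output record carries no name, no SSN and no PAN, yet two purchases by the same e-mail address still share a `customer_ref` and the vault can still charge the card; that is the difference between pseudonymized data (re-linkable, still personal data under GDPR) and anonymized data (not re-linkable at all).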

Data Sovereignty….
location of data and laws that apply to it
Where did the data originate?
Where does the data reside?
Which laws / regulations apply to the data?



Data Destruction

- Data Sanitization - ensures sensitive data cannot be recovered


- Organizational Policies - define how physical and digital data is safely destroyed
- Data sanitization methods - burning, shredding, cryptographic erasure,
disk wiping tools, and degaussing

Data Destruction….

Paper, Film, Magnetic Tape….


Burning - Pulping - Shredding (Pulverized)

Digital Data Destruction for Storage Devices….


Failed or Decommissioned
End-of-Life policies
Reuse? Donate? Destroy?
Update Asset Inventory

Digital Media Sanitization….

Data is still recoverable after
Deleting Files - Repartitioning - (quick) Reformatting of Drives
Disk Wiping Tools
HD - multiple-pass disk overwrites
SSD - overwrites are unreliable because wear levelling hides blocks from the OS;
use the drive's built-in secure erase command or cryptographic erasure instead
HD - degaussing (magnetic media only; the drive is unusable afterwards)

Cryptographic Erasure
the drive (or volume) was encrypted all along; destroy the encryption key
and the ciphertext left on the media cannot be recovered



Personnel Risk and Policies

- Securing personnel management can be implemented with


job rotation, mandatory vacations, and separation of duties
- Employee and contractor background checks help ensure trustworthiness
- User onboarding occurs after hiring - includes training & account provisioning
- Clean desk & secure data disposal policies - reduce risk of security breaches

Personnel Management Policies….


Standard Operating Procedure (SOP) - steps for sending sensitive data via email
Mandatory Vacation & Job Rotation - Detection of Irregularities
Separation of Duties - multi-person control
multiple workers completing a process, rather than just one person
Reduce likelihood of Internal Fraud
Does not prevent Collusion

Employee / Contractor Hiring….


Social Media Analysis
Web Search
Background Check
Criminal Record - Unpaid Fines - Credit Check
Interviews with friends, family, colleagues

User Onboarding….
Non-Disclosure Agreement (NDA)
Proprietary Secrets - PII / PHI
Security Policy Awareness
User Sign-Off
User Account and Resource Access
Issue Security Badge / Smart Card

User Habits….
Clean Desk Policies
Physical & Digital Document Shredding
Mitigates Dumpster Diving & Data Recovery
Personally-Owned Devices
Mobile Device Management (MDM) - register large number of
Mobile Devices so they can be centrally & consistently managed
Bring Your Own Device (BYOD)



User Training….
Ongoing - should be Role-based
Computer-based Training (CBT)
Gamification - making it fun to learn by playing a game (it could be competitive!)
Capture the Flag Contests - hacking competition
Phishing Campaigns / Simulations
Lunch & Learn
Can be part of a penetration test

User Offboarding….
Termination Letter
Exit Interview
Return of Equipment
Knowledge Transfer
Account Disablement vs Deletion - disable first, so the account's files, mailbox, and audit trail are preserved



Third-Party Risk Management

- Measurement Systems Analysis (MSA) - can identify supply chain improvements


- Supply Chain Risks - include unstable or insecure hardware, software,
or contractors, or suppliers not meeting security standards
- Sensitive data stored in the public cloud presents a third-party risk
- Intentional/Unintentional disclosure of sensitive data can be controlled with DLP

Third-Party Risk Management….


Measurement System Analysis (MSA) - quality assurance

Data Loss Prevention (DLP) systems -


reduce intentional / unintentional sensitive data exfiltration

Supply Chain Security Risks….


Hardware & Software Vendors
End-of-Service Life (EOSL) - no more patches / support
Cloud Service Providers Security Compliance
Contractors - should be presented with Data Privacy Notices / acceptable use terms when signing into a VPN
Company Mergers & System Linking
Software Developers using Third-Party components



Agreement Types

- Interconnection Security Agreements (ISAs) - apply when connecting


different entities together
- Service level agreements (SLAs) detail expected service uptime from a provider
- Memorandums of Understanding (MOUs) - state broad agreement terms
between parties, memorandums of agreement (MOAs) are more detailed
- Non-Disclosure Agreements (NDAs) - prevent data disclosure to 3rd parties

Agreement Types….
Interconnection Security Agreement (ISA) - linking companies / agencies
This can be legally binding, so it might require Legal review
It specifies how the 2 networks are to be connected
so that the interconnection complies with each organization's regulations
(example: requiring encryption for the site-to-site VPN Tunnel)
Vulnerability Scan Results
Mandatory Training / Certification
Input from IT Security Professionals

Service Level Agreement (SLA) - contractual document stating level of service


Guaranteed Service Uptime
Consequences for not meeting requirements

Memorandum of Understanding - broad terms of agreement between parties


Memorandum of Agreement - detailed terms between parties

Business Partnership Agreement (BPA) -


Legal Document
Responsibilities, Investment, Decision-making

Non-Disclosure Agreement (NDA) -


Prevent sensitive data disclosure to Third Parties

