Ch 1 - Risk Management
Defining Risk
Threat - an action (exploit) that a Threat Actor can use against a vulnerability
to harm an asset
We want to reduce, or eliminate, as much threat as we can
Remediation - consider the Threat Actors, Threats, our Infrastructure, our Vulnerabilities,
and based on Likelihood, decide what to do to get rid of the Threat
Kali Linux - distribution that has vulnerability assessment & penetration testing tools
How you use it determines whether you’re
an “Ethical Hacker” or a “Malicious Actor”
Be Careful! It’s very easy to cross-the-line into doing something that is illegal.
You need written consent/permission from the owner of the system
we’re running the attack against
Threat Intelligence….
Knowledge of the latest threats,
so we can prevent them from happening to our systems
Dark Web (aka Dark Net) - content on it is not indexed by search engines
Tor Network / Tor Web Browser - overlay network that sits over
the standard internet protocols that we know,
and it anonymizes your origin location & encrypts the connection
Used by….
Journalists - send things anonymously to the media
Law Enforcement
Government Informants
Guide for Conducting Risk Assessments - NIST Special Publication 800-30, Revision 1
Physical -
Access Control Vestibule (Mantrap)
Corrective -
Patching known Vulnerabilities
Deterrent -
Device Logon Warning Banner
Risk Example….
Risk - theft of online banking credentials
Attack Vector - spoofed email msg with link to spoofed website
Mitigation via Security Controls - User Security awareness /
Antivirus Software / Spam Filters
Risk Assessment….
Applies to….
Entire Organization / Department / Project
Company Merger / Acquisition / System
Targets….
Servers / Legacy Systems
Intellectual Property (IP) / Software Licensing
Periodically Review
Risk Types….
Environmental - Flood / Hurricane
Transference / Sharing
Some risk is transferred to a 3rd Party
example: Cybersecurity Insurance
Avoidance
Avoid an activity
because the risks outweigh the potential gains
Acceptance
The current level of risk is acceptable
The risk falls within the organization’s risk appetite
Consider the impact the realized threats could have against your assets
Assess Risk - required before being able to determine the impact of the threat
Identify…. Sensitive Data - Single Points of Failure
Security Controls & Compliance
Business Impact -
Financial - fines, loss of contracts
Reputation - reduces confidence
Data Loss - breach notification; escalation requirements; exfiltration
Data Classification….
Top Secret - Secret - Confidential
Standard Classification….
PII (Personally Identifiable Information)
PHI (Protected Health Information)
Proprietary - Public / Private - Critical - Financial
We need to….
be able to discover data that needs to be protected.
be compliant with any laws / regulations
consider the data roles & responsibilities
Privacy-Enhancing Technologies….
Anonymization - removal of sensitive info that could tie it back to the person
GDPR allows anonymized data to be collected & used without user consent
Anonymization Techniques….
Pseudo-Anonymization - replace PII with fake identifiers
Data Minimization - limit stored sensitive data (Credit Card information)
Tokenization - digital token authorizes access
instead of the original credentials
Data Masking - hide sensitive data from unauthorized users
example: masked credit card number digits on a receipt
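The four techniques above, worked through in code. This is an added example written for these notes, not code from any product or standard. The sample record and the pseudonymization key are constructed placeholders; a real deployment would keep the key in a KMS/HSM and the token vault in a separately protected system. Note the difference between the techniques: masking and minimization are one-way, while pseudonymization and tokenization can be reversed by whoever holds the key or the vault, which is why pseudonymized data still counts as personal data under GDPR.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not real data)
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "card_number": "4111111111111111",
    "diagnosis": "asthma",
}

# Hypothetical pseudonymization key; in production this lives in a KMS/HSM, never in source
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Pseudo-Anonymization: replace a direct identifier with a consistent fake identifier.
    A keyed HMAC is used rather than a bare hash so that someone without the key
    cannot rebuild the mapping by hashing guessed names or email addresses."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, needed_fields: set) -> dict:
    """Data Minimization: keep only the fields the downstream process actually needs."""
    return {k: v for k, v in record.items() if k in needed_fields}


def mask_card_number(pan: str) -> str:
    """Data Masking: show only the last four digits, as on a printed receipt."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("card number too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: a random token stands in for the sensitive value.
    Only the vault can map a token back; other systems store and pass around tokens only."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:          # same value -> same token
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(12)      # random, carries no information about the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def prepare_for_analytics(record: dict, vault: TokenVault) -> dict:
    """Apply all four techniques to a record before handing it to an analytics pipeline."""
    minimized = minimize(record, {"email", "card_number", "diagnosis"})   # "name" is dropped
    return {
        "subject_id": pseudonymize(minimized["email"]),
        "card_display": mask_card_number(minimized["card_number"]),
        "card_token": vault.tokenize(minimized["card_number"]),
        "diagnosis": minimized["diagnosis"],
    }


if __name__ == "__main__":
    vault = TokenVault()
    print(prepare_for_analytics(SAMPLE_RECORD, vault))
```

The resulting record contains no name, no raw email and no full card number; the analytics system can still correlate events per subject (via subject_id) and a payments system that holds the vault can still recover the card number from the token when it needs it.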
Data Sovereignty….
location of data and laws that apply to it
Where did the data originate?
Where does the data reside?
Which laws / regulations apply to the data?
Data Destruction….
Cryptographic Erasure
destroy the storage media’s decryption key
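A small model of why destroying the key is enough, added here as an example (not from these notes or any vendor). It stands in for a self-encrypting drive: every block is written as ciphertext under a data-encryption key (DEK), a forensic image of the media only ever sees ciphertext, and crypto_erase() discards the DEK so the ciphertext that remains on the media is unrecoverable. The cipher is an illustrative SHA-256 counter-mode keystream built from the standard library only; a real drive uses AES in the controller and keeps the DEK in hardware, which is also what makes the key destruction trustworthy.

```python
import hashlib
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream (SHA-256 in counter mode). Not a substitute for AES; it only
    shows that without `key` the ciphertext cannot be turned back into plaintext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume:
    """Model of a self-encrypting drive: data at rest is always ciphertext under the DEK."""

    def __init__(self):
        self._dek = secrets.token_bytes(32)   # generated once; in hardware it never leaves the controller
        self._blocks = {}                     # block id -> (nonce, ciphertext)

    def write(self, block_id: int, data: bytes) -> None:
        if self._dek is None:
            raise RuntimeError("volume has been cryptographically erased")
        nonce = secrets.token_bytes(16)       # fresh nonce per write so keystreams never repeat
        self._blocks[block_id] = (nonce, _xor(data, _keystream(self._dek, nonce, len(data))))

    def read(self, block_id: int) -> bytes:
        if self._dek is None:
            # The bytes are still on the media, but without the DEK they are just noise.
            raise RuntimeError("volume has been cryptographically erased")
        nonce, ct = self._blocks[block_id]
        return _xor(ct, _keystream(self._dek, nonce, len(ct)))

    def raw_media(self, block_id: int) -> bytes:
        """What a forensic image of the media shows: ciphertext only, before and after erasure."""
        return self._blocks[block_id][1]

    def crypto_erase(self) -> None:
        """Cryptographic Erasure: destroy the DEK. No block is overwritten, yet every block
        becomes unrecoverable at once, which is why it is far faster than wiping the media."""
        self._dek = None

    def is_erased(self) -> bool:
        return self._dek is None


if __name__ == "__main__":
    vol = EncryptedVolume()
    vol.write(0, b"customer ledger")
    print("readable before erase:", vol.read(0))
    vol.crypto_erase()
    print("media still holds", len(vol.raw_media(0)), "bytes of ciphertext, but the key is gone")
```

One operational caveat this model makes visible: the key must really be gone everywhere (drive controller, any escrow or backup copy), because a single surviving copy of the DEK undoes the erasure.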
User Onboarding….
Non-Disclosure Agreement (NDA)
Proprietary Secrets - PII / PHI
Security Policy Awareness
User Sign-Off
User Account and Resource Access
Issue Security Badge / Smart Card
User Habits….
Clean Desk Policies
Physical & Digital Document Shredding
Mitigates Dumpster Diving & Data Recovery
Personally-Owned Devices
Mobile Device Management (MDM) - register large number of
Mobile Devices so they can be centrally & consistently managed
Bring Your Own Device (BYOD)
User Offboarding….
Termination Letter
Exit Interview
Return of Equipment
Knowledge Transfer
Account Disablement vs Deletion
Agreement Types….
Interconnection Security Agreement (ISA) - linking companies / agencies
This can be legally binding, so it might require Legal review
The interconnection between the 2 networks should be set up in a way
that is compliant with the regulations of both organizations
(example: requiring encryption for site-to-site VPN Tunnel)
Vulnerability Scan Results
Mandatory Training / Certification
Input from IT Security Professionals