COMP 4060 Lecture Number 7 Winter Spring 2023

COMP 4060: Advanced Risk Analysis

Lecture Number 7
March 6, 2023

Mark W. Baker
Virtually Delivered on Blackboard
Final Exam
• Final Exam Time: 6:00 PM, last class, 2023. THE EXAM WILL BE IN CLASS
• Final Exam Duration: 1 hour

• Location: The exam will be in a “Final Exam” Folder. The exam will be visible at 6:00 PM EST last day of classes. I will be setting up the
folder shortly.

• Exam Structure:

• 1. 5 multiple choice questions – Each is worth 4 marks for a total of 20 marks.

a. There will be 4 potential answers only one is correct, choose the best answer.

b. I DO NOT subtract wrong answers from right answers.

• 2. 5 Short answer questions – Each is worth 16 marks for a total of 80 marks

a. Answer is to be about 150 words. If you write more, I will read it, but you are probably writing too much.

b. Point form is ok as long as I can understand it.

• The final exam is worth 25% of your final mark.

• Blackboard should allow me to run a collaboration session at the same time I have an exam (I will confirm this), so if you are confused
about a question, please chat or ask. Of course, I cannot give you the answer, but I may be able to clear up a question.

• Good Luck!!

• Mark W. Baker
Assignment #5
Use the Canadian Method under the sea?

You have been assigned to do a Risk Assessment on a Firewall application that Mu is
considering purchasing for protection of their national website.

Would you use the RCMP (Royal Canadian Mounted Police) HTRA (Harmonized
Threat and Risk Assessment). Why or why not? If not, what method do you think
you should use?
Would you add in information from the “Baseline Cyber Security Controls for Small
and Medium Organizations V1.2” (13 certification requirements)?

Any questions, please email


Due by 6:00 PM next class
Submit via Blackboard

Please Submit via Blackboard and use references (300 words)


Interesting Thoughts
– http://searchsecurity.techtarget.com/news/450401306/Secret-Service-cybersecurity-audit-shows-unacceptable-flaw?utm_medium=EM&asrc=EM_NLN_66462841&utm_campaign=20161019_Investigation%20finds%20%22unacceptable%20vulnerabilities%22%20in%20the%20U.S.%20Secret%20%20Service%20IT%20environment_mbacon&utm_source=NLN&track=NL-1820&ad=910616&src=910616
Interesting Thoughts
– https://www.businessinsurance.com/article/20190618/NEWS06/912329097/State-cyberattack-poses-big-danger-for-UK-banks?utm_campaign=BI20190618BreakingNewsAlert&utm_medium=email&utm_source=ActiveCampaign
A little more on the RCMP HTRA
• Harmonized Threat and Risk Assessment (TRA) Methodology – RCMP, one of many types
– Used for any threat to information security, not just IT
– All government departments in Canada
– https://cyber.gc.ca/en/guidance/harmonized-tra-methodology-tra-1
actual link (last week's was wrong)
– https://cyber.gc.ca/en/ - worthwhile site
– https://www.cyber.gc.ca/en/publications
Threat and Risk Assessments - Privacy
• Privacy Impact Assessment
– In the UK … Privacy by design

– https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Threat and Risk Assessments – Privacy
(Around the World)
Can only scratch the surface –
Blink and you miss it
Europe
• The General Data Protection Regulation (GDPR)
– Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This text includes the corrigendum published in the OJEU of 23 May 2018.

– The regulation is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law will also do away with the current fragmentation in different national systems and unnecessary administrative burdens.
• https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• Set of rules designed to give EU citizens more control
over their personal data. Simplifies the regulatory
environment for business so both citizens and
businesses in the European Union can fully benefit from
the digital economy
• Organizations must ensure that personal data is
gathered legally and under strict conditions, and those
who collect and manage it are obliged to protect it from
misuse and exploitation, as well as to respect the rights
of data owners - or face penalties for not doing so.
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• GDPR applies to any organization operating
within the EU, as well as any organizations
outside of the EU which offer goods or
services to customers or businesses in the EU.
• Almost every major corporation in the world
needs a GDPR compliance strategy.
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• There are data processors and data controllers
• Roles of data processors and data controllers are
closely related.
– Data controller is the entity (person, organization,
etc.) that determines the why and the how for
processing personal data.
– Data processor, on the other hand, is the entity that
performs the data processing on the controller's
behalf.
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• The controller is responsible for the lawfulness, fairness and
transparency of information. Data controllers are also
required to protect accuracy, storage limitation, and the
confidentiality of personal data. This means that data
controllers should only choose data processors that comply
with GDPR, to avoid fines and penalties.
• Though a data controller can process collected data using its own procedures, in some cases a controller will work with a
third party or another service to analyze data. For example, a payroll service provider is a third-party data controller
because it specifies exactly what to do with payroll.
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• Data Involved
– Includes name, address and photos, plus… something like an IP address can be personal data. Sensitive personal data includes genetic data and biometric data which could be processed to uniquely identify an individual.
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• The GDPR sets out seven principles for the lawful
processing of personal data. Processing includes the
collection, organization, structuring, storage, alteration,
consultation, use, communication, combination, restriction,
erasure or destruction of personal data. Broadly, the seven
principles are :
– Lawfulness, fairness and transparency
– Purpose limitation
– Data minimization
– Accuracy
– Storage limitation
– Integrity and confidentiality (security)
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• GDPR doesn't say what good security practices look like; they look different for every organization.
• A bank will protect information in a more robust way than a dentist.
• Broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged.
Threat and Risk Assessments – Privacy
(Around the World)
• Organizations will probably have to deal with:
– Requiring the consent of subjects for data
processing
– Anonymizing collected data to protect privacy
– Providing data breach notifications
– Safely handling the transfer of data across borders
– Requiring certain companies to appoint a data
protection officer to oversee GDPR compliance
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• Consequences of non-compliance to GDPR are
significant, with fines of up to 20 million euros
or 4% of global turnover (whichever is higher)
plus other sanctions

• Again just scratched the surface


– Grab your lawyers and compliance officers
Threat and Risk Assessments – Privacy
(Around the World)
GDPR cont.
• Got this from
– https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
– https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection
– https://www.ironmountain.com/resources/general-articles/d/data-processor-vs-data-controller#:~:text=According%20to%20Article%204%20of,proc
Threat and Risk Assessments – Privacy
(Around the World)
In the UK
• Same as Europe…Even with BREXIT
• For the moment…maybe
– But with bigger fines…maybe…talk to us after
COVID
• Watch this space for changes
Threat and Risk Assessments - Privacy
Impact Assessment
• Privacy Impact Assessment
– In the USA … Departments…Homeland Security
– It is a decision tool used by DHS to identify and mitigate privacy risks that notifies the public:
• What Personally Identifiable Information (PII) DHS is collecting;
• Why the PII is being collected; and
• How the PII will be collected, used, accessed, shared, safeguarded and stored.
– http://www.dhs.gov/privacy-impact-assessments
Threat and Risk Assessments - Privacy
Impact Assessment
Canada - PIPEDA -Personal Information Protection and Electronic Documents Act

PIPEDA applies to organizations that are federally regulated and fall under the
legislative authority of the Parliament of Canada, such as the telecommunications
and broadcasting industry, and all local businesses in Yukon, Nunavut, and the
Northwest Territories.

PIPEDA also applies to the private sector of each province unless a province has
enacted its own privacy law that is substantially similar to PIPEDA. Only British
Columbia, Alberta, and Quebec have privacy laws that have been deemed to be
“substantially similar” to PIPEDA.

However, even if an organization is located in BC, Alberta, or Quebec, if in the course of a commercial activity personal information crosses borders, PIPEDA may apply to that information.
Threat and Risk Assessments - Privacy
Impact Assessment
• 10 privacy principles
– Accountability
– Identifying Purposes
– Consent
– Limiting Collection
– Limiting Use, Disclosure, and Retention
– Accuracy
– Safeguards
– Openness
– Individual Access
– Challenging Compliance
Threat and Risk Assessments - Privacy
Impact Assessment
• What happens when things go wrong in the
Great White North
– Breach reporting requirements.
• Any breach of your data must be reported to the Office of the Privacy Commissioner and the impacted individuals, and records of all breaches must be kept by your business.
– Fines of up to $100,000 for non-compliance
– Here is your form…
https://www.priv.gc.ca/en/report-a-concern/report-a-privacy-breach-at-your-organization/report-a-privacy-breach-at-your-business/
– Here is your process…
Threat and Risk Assessments - Privacy
Impact Assessment
• https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
• http://www.privacysense.net/10-privacy-principles-of-pipeda/
• https://www.cira.ca/blog/cybersecurity/pipeda-what-canadian-businesses-need-know

• Almost didn't provide links…things change quickly…do your own reading and research
Threat and Risk Assessments - Privacy
Impact Assessment

KNOW YOUR JURISDICTION!!!

Wherever your data resides, flows or affects someone, that jurisdiction's regulations may affect YOU!!!
Grab all members of your risk groups INCLUDING Lawyers, Auditors and
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Asset Identification - Confidentiality, Integrity, and Availability
– CIA triad (Confidentiality, Integrity and Availability) is a model designed to guide policies for information security within an organization (not just IT). Also called the AIC triad (Availability, Integrity and Confidentiality).
– Considered the three most crucial components of security.
You know this
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Confidentiality –
– roughly equivalent to privacy
– designed to prevent sensitive information from reaching the wrong people,
– ensures the right people can in fact get it; access must be restricted to those
– Data can be categorized according to the amount and type of damage. Measures can then be implemented according to those categories.
– Can involve special training for users. Includes risks that could threaten this information and helps familiarize authorized people with risk factors and how to guard against them.
• Strong passwords and password-related best practices
• Social engineering methods - to prevent them from bending data-handling rules with good intentions and potentially disastrous results.
Asset Identification and Classification
Another way of looking at risk…what is at risk
• Confidentiality cont.
– e.g. account number or routing number when banking online.
– Data encryption is a common method of ensuring confidentiality (can
be broken or avoided)
– User IDs and passwords constitute a standard procedure; (two-factor
authentication is becoming the norm)
– Biometric verification
– security tokens, key fobs or soft tokens.
– Users can take precautions to minimize the number of places where
the information appears and the number of times it is actually
transmitted to complete a required transaction
– Extra measures might be taken in the case of extremely sensitive
documents
• air gapped computers, disconnected storage devices for highly sensitive
information
• hard copy form only (because this has worked so well in the past)
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Integrity:
– Maintaining the consistency, accuracy, and
trustworthiness of data over its entire life cycle
• Data must not be changed in transit,
• data cannot be altered by unauthorized people (These
measures include file permissions and user access controls)
• Erroneous changes or accidental deletion by authorized users
becoming a problem (use version control but this does not
prevent everything)
• There should be means to detect any changes in data that
might occur from other events
– server crash
– Power failure
– Natural events/disasters
– Electromagnetic pulses (solar flare)
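The slide says there should be a means to detect changes in data, whether from an unauthorized edit, an accidental deletion or a crash. One concrete way is to keep a keyed-hash manifest of the records at the moment they are trusted and re-check it later. The example below is an added illustration, not code from the lecture: it uses HMAC-SHA256 (a plain hash would catch accidental corruption, but an HMAC also means someone who can rewrite the records cannot silently rewrite the manifest to match without the key). The key, record names and client rows are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed demo key. In practice it is loaded from a secret store or HSM,
# never embedded in source.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def record_tag(key: bytes, name: str, content: bytes) -> str:
    """HMAC-SHA256 over the record name and its content.

    Binding the name prevents two valid records from being swapped."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")  # separator so name/content boundary is unambiguous
    mac.update(content)
    return mac.hexdigest()


def build_manifest(key: bytes, records: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot of tags for every record at the point it is considered trusted."""
    return {name: record_tag(key, name, content) for name, content in records.items()}


def verify_manifest(key: bytes, manifest: Dict[str, str],
                    records: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare current records against the stored manifest.

    Returns the record names that were modified, added (no tag on file) or deleted."""
    modified, added, deleted = [], [], []
    for name, content in records.items():
        expected = manifest.get(name)
        if expected is None:
            added.append(name)
        elif not hmac.compare_digest(expected, record_tag(key, name, content)):
            modified.append(name)
    for name in manifest:
        if name not in records:
            deleted.append(name)
    return {"modified": sorted(modified), "added": sorted(added), "deleted": sorted(deleted)}


# Constructed sample rows standing in for a client database.
TRUSTED_RECORDS = {
    "client/1001": b'{"name": "A. Example", "phone": "555-0100"}',
    "client/1002": b'{"name": "B. Sample", "phone": "555-0101"}',
    "client/1003": b'{"name": "C. Test", "phone": "555-0102"}',
}


def demo() -> Dict[str, List[str]]:
    manifest = build_manifest(INTEGRITY_KEY, TRUSTED_RECORDS)
    # Simulate what a later check sees: one record silently edited, one
    # deleted (e.g. accidentally, by an authorised user) and one added.
    current = dict(TRUSTED_RECORDS)
    current["client/1002"] = b'{"name": "B. Sample", "phone": "555-9999"}'
    del current["client/1003"]
    current["client/1004"] = b'{"name": "D. New", "phone": "555-0103"}'
    return verify_manifest(INTEGRITY_KEY, manifest, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is stored: keep it (and the key) somewhere the process that writes the records cannot reach, and run the check on the same schedule as backups so a restore can be validated against it.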
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Integrity cont.:
– Backups/redundancies can restore the affected
data to its correct state. Factors include
• Frequency of backup
• Location of backup
• Type of backup/restoration (walk the tapes over)
• Restoration issues
– Testing of restoration
– Testing of restored data
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Availability:
– Can you get the data when you need it?
– Rigorously maintain all hardware
• Performing hardware repairs
– Maintain a correctly functioning operating system
environment that is free of software conflicts
• Keep current with all necessary system upgrades.
– Provide adequate communication bandwidth and prevent bottlenecks (especially for work-from-home environments and for disaster management)
Asset Identification and Classification
Another way of looking at risk…what is at risk
• Availability (cont.):
– Redundancy (duplication) is not always bad - it gives you places to fail over to
• RAID (Redundant Array of Independent Disks) can, though not always, provide redundancy
• High-availability clusters - group of hosts that act like a single system and
provide continuous uptime
• To the cloud!!! – has its own problems
• High quality IT disaster recovery is essential
– Be able to handle natural disasters and human disasters (good risk assessment)
– Backups to be “stored/located/hosted” in a geographically-isolated location
» Leads to restoration issues

– Extra security equipment (physical) or software such as firewalls and proxy servers can help guard against downtime and unreachable data
• denial-of-service (DoS) attacks
• network intrusions.
Asset Identification and Classification
Another way of looking at risk…what is at risk
• Some issues in the CIA concept – But do you
know this
– CIA?
– Big data
• Sheer volume of information to be kept safe
• Multiple sources
• Variety of formats
• High costs of
– Duplicate data sets
– disaster recovery plans
– Little oversight due to statistical deep dives and interpretations
» Intersection point of Snowden and Ashley Madison
Asset Identification and Classification
Another way of looking at risk…what is at risk

• Some issues in the CIA concept
– Security and Privacy of the Internet of Things (IoT)
– Requirement to protect information of individuals from exposure in the IoT environment. Any physical or logical entity or object can be given a unique identifier and the ability to communicate autonomously over the Internet or a similar network. The issue is that even fragmented data from multiple endpoints, once gathered, collated and analyzed, can yield sensitive information (deep statistical dives).
Asset Identification and Classification
Another way of looking at risk…what is at risk
• Some issues in the CIA concept (cont.)
– So many Internet-enabled devices on the IoT go unpatched and/or are configured with default or weak passwords
– Could be used as separate attack vectors or part of a
thingbot. In a recent proof-of-concept exploit, for
example, researchers demonstrated that a network could
be compromised through a Wi-Fi-enabled light bulb.
– In December 2013, a researcher at Proofpoint, an
enterprise security firm, discovered that hundreds of
thousands of spam emails were being logged through a
security gateway. Proofpoint traced the attacks to a
botnet made up of 100,000 hacked appliances.
Asset Identification and Classification
Another way of looking at risk…what is at risk
Other ways than CIA

• AAA Model or triple-A model.
– Authentication: Process of proving that you are who you say you are. Authentication requires proof in one of three possible forms:
• something you know, like a password;
• something you have, like a key;
• something you are, like a fingerprint.
– Authorization: Providing the correct level of access a user should have based on credentials. Principle of least privilege, which states that users, devices, programs and processes should be granted enough permission to do their required functions and no more. Any authorization beyond the normal job function opens the door for either accidental or malicious violations of confidentiality, integrity and availability. (Yes, you can combine the concepts)
– Accounting: Keeping track of what users do while they are logged into a system. Keeping track of users and their actions is very important. From a forensics perspective, tracing back to the events leading up to a cybersecurity incident can prove very valuable to an investigation.

• From Nweke, Livinus Obiora, "Using the CIA and AAA Models to explain Cybersecurity Activities", PM World Journal, Vol. VI, Issue XII, December 2017, www.pmworldjournal.net
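The three A's are easiest to see together in one request path: verify the credential, check the role against a default-deny permission matrix, and write an audit record for every outcome, including failures. The example below is an added illustration in Python and is not from the lecture or the cited paper. The roles, permissions, usernames and passwords are constructed; the password check uses PBKDF2 from the standard library and a constant-time comparison, and the accounting log is an in-memory list standing in for an append-only audit store.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

ROUNDS = 100_000  # PBKDF2 iterations; tune upward for production hardware


# ---- Authentication: "something you know" --------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# ---- Authorization: least privilege ---------------------------------------
# Constructed permission matrix: each role gets only what its job needs.
PERMISSIONS = {
    "teller":  {("accounts", "read"), ("transactions", "create")},
    "auditor": {("accounts", "read"), ("transactions", "read"), ("audit_log", "read")},
    "admin":   {("users", "create"), ("users", "delete")},
}


def is_authorized(role: Optional[str], resource: str, action: str) -> bool:
    # Default deny: anything not explicitly granted is refused.
    return (resource, action) in PERMISSIONS.get(role, set())


# ---- Accounting: audit trail ---------------------------------------------
class AAAService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}  # name -> (salt, digest, role)
        self.audit_log: List[dict] = []                        # one record per decision

    def add_user(self, username: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def _record(self, **fields) -> None:
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(), **fields})

    def request(self, username: str, password: str, resource: str, action: str) -> str:
        user = self.users.get(username)
        # Run the password check even for unknown users so response timing
        # does not reveal whether the account exists.
        salt, digest, role = user if user else (b"\x00" * 16, b"\x00" * 32, None)
        if user is None or not verify_password(password, salt, digest):
            self._record(user=username, resource=resource, action=action, outcome="auth_failed")
            return "auth_failed"
        if not is_authorized(role, resource, action):
            self._record(user=username, role=role, resource=resource, action=action, outcome="denied")
            return "denied"
        self._record(user=username, role=role, resource=resource, action=action, outcome="allowed")
        return "allowed"


def demo() -> Tuple[List[str], List[dict]]:
    svc = AAAService()
    svc.add_user("alice", "correct horse battery staple", "teller")  # constructed credentials
    outcomes = [
        svc.request("alice", "correct horse battery staple", "accounts", "read"),  # allowed
        svc.request("alice", "correct horse battery staple", "users", "delete"),   # denied: beyond teller's job
        svc.request("alice", "wrong password", "accounts", "read"),                # auth_failed
        svc.request("mallory", "anything", "accounts", "read"),                    # auth_failed: no such user
    ]
    return outcomes, svc.audit_log


if __name__ == "__main__":
    for outcome, entry in zip(*demo()):
        print(outcome, entry)
```

Note that the denied request is logged with the role that was rejected: when an incident is later traced back, the record of what a legitimate account tried and was refused is as useful to the investigation as the record of what it was allowed to do.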
Threat Identification
Different ways of classifying a threat (risk)

• Attacker-centric
– Attacker-centric threat modeling starts with an attacker, and evaluates
their goals, and how they might achieve them. Attacker's motivations are
often considered:
• Reading of Email
• Copying and sharing of DVD
• Often starts from either entry points or assets.
• Software-centric
– Software-centric threat modeling (also called 'system-centric,' 'design-
centric,' or 'architecture-centric') starts from the design of the system,
and attempts to step through a model of the system, looking for types of
attacks against each element of the model.
• Asset-centric
– Involves starting from assets entrusted to a system, such as a collection of
sensitive personal information.
Threat Identification
Different ways of classifying a threat (risk)
• Defender's perspective (you)
– Threats are examined and countermeasures, or security services, are identified at the design stage of the application, before any code is written.
– Defensive mechanisms are built into the code as it is written rather than patched in later.
• cost effective and increases security awareness in the development team.
• However, not all threats can be identified unless the code is simple
• threat modeling from a defender's perspective may cause the development team to falsely believe code is secure.
Threat Identification
Different ways of classifying a threat (risk)
• High level overview defensive perspective threat modeling steps are:
• Define the application requirements:
– Identify business objectives
– Identify user roles that will interact with the application
– Identify the data the application will manipulate
– Identify the use cases for operating on that data that the application will facilitate
• Model the application architecture
– Model the components of the application
– Model the service roles that the components will act under
– Model any external dependencies
– Model the calls from roles, to components and eventually to the data store for each use case as
identified above
• Identify any threats to the confidentiality, availability and integrity of the data and the
application based on the data access control matrix that your application should be
enforcing (there are many possible mistakes here)
• Assign risk values and determine the risk responses (Very subjective)
• Determine the countermeasures to implement based on your chosen risk responses
• Continually update the threat model based on the emerging security landscape.
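The steps above can be carried out on a small model of an application, which makes the "identify threats from the data access control matrix" and "assign risk values" steps less abstract. The Python below is an added worked example, not part of the lecture: the roles, data sets, components, use cases, impact and likelihood scores and the risk threshold are all constructed. It traces each use case's calls from role to component to data, flags every call the matrix does not permit as a confidentiality (read) or integrity (write) threat, scores it as likelihood × impact, and picks a risk response from the score.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Step 1, requirements: the access control matrix the application must enforce.
# (role, data set) -> operations that role may perform. Constructed values.
MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("customer", "orders"):   {"read", "create"},
    ("customer", "profile"):  {"read", "update"},
    ("support",  "orders"):   {"read"},
    ("support",  "profile"):  {"read"},
    ("billing",  "payments"): {"read", "create"},
}

# Data sensitivity drives impact; how exposed a component is drives likelihood.
DATA_IMPACT = {"orders": 2, "profile": 3, "payments": 5}
COMPONENT_LIKELIHOOD = {"web_frontend": 4, "api": 3, "batch_job": 1}


@dataclass
class Call:
    role: str
    component: str
    data: str
    operation: str


@dataclass
class Threat:
    use_case: str
    call: Call
    cia_property: str
    risk: int
    response: str
    countermeasure: str


def violated_property(operation: str) -> str:
    """An unpermitted read threatens confidentiality; any write threatens integrity."""
    return "confidentiality" if operation == "read" else "integrity"


def identify_threats(use_cases: Dict[str, List[Call]], threshold: int = 8) -> List[Threat]:
    """Step 3 and 4: compare every modelled call against the matrix and score it."""
    threats: List[Threat] = []
    for name, calls in use_cases.items():
        for call in calls:
            if call.operation in MATRIX.get((call.role, call.data), set()):
                continue  # the design matches the matrix; nothing to flag
            risk = COMPONENT_LIKELIHOOD[call.component] * DATA_IMPACT[call.data]
            if risk >= threshold:
                response = "mitigate"
                countermeasure = f"enforce matrix check for {call.data}.{call.operation} in {call.component}"
            else:
                response = "accept"
                countermeasure = "log the access and review periodically"
            threats.append(Threat(name, call, violated_property(call.operation),
                                  risk, response, countermeasure))
    return sorted(threats, key=lambda t: -t.risk)  # highest risk first


# Step 2, architecture model: each use case traced as role -> component -> data.
# Constructed; the deliberate mismatches with MATRIX are what the model should surface.
USE_CASES: Dict[str, List[Call]] = {
    "place_order": [Call("customer", "web_frontend", "orders", "create"),
                    Call("customer", "api", "payments", "create")],   # customer writes payments directly
    "support_lookup": [Call("support", "api", "orders", "read"),
                       Call("support", "api", "profile", "update")],  # support can edit profiles
    "nightly_reconcile": [Call("billing", "batch_job", "payments", "read"),
                          Call("billing", "batch_job", "orders", "read")],  # billing reads orders
}


if __name__ == "__main__":
    for t in identify_threats(USE_CASES):
        print(f"{t.risk:>3} {t.cia_property:<15} {t.use_case:<18} "
              f"{t.call.role} {t.call.operation} {t.call.data} via {t.call.component} -> {t.response}")
```

The scoring is deliberately crude, which is the point the slide makes about risk values being subjective: the same model with a different threshold or different impact weights changes which threats get mitigated and which get accepted, so record the weights alongside the model and revisit them as the security landscape changes.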
Threat Identification
Different ways of classifying a threat (risk)
• Other methods of threat identification and modelling
• https://www.owasp.org/index.php/Threat_Risk_Modeling
• https://developer.apple.com/library/mac/documentation/Security/Conceptual/Security_Overview/ThreatModeling/ThreatModeling.html
• https://www.owasp.org/index.php/Definition_for_Security_Assessment_Techniques
Assignment #6
You are the head of IT Security at the new Atlantean Data Base. Unfortunately, as you swim to the office, you get a
text and are told there is a breach. When you get to work, you see this person’s image on your computer screen.

In a deep voice you hear “All of your databases have been encrypted. We have downloaded the credit card
information on all your clients. If we do not receive 100 bitcoin forwarded to our bank account (Bank of Luthor
1233212332-b) in the Cayman Islands in 2 days, we will sell information on the dark web. If we receive our
Bitcoin we will erase the credit card data and provide you the decryption key. “

Preliminary investigation shows - Only one data base appears to have been encrypted. It has client addresses,
phone numbers and information on what products/services you provide them as well as various linking data to
other databases (these other data bases have not been encrypted or so it seems). The Accounting Department
says there is no credit card info on this data base as this service has been outsourced.

• Create an action list of at least 6 actions as to what you would do to uncover the perpetrator and limit the
damage (IT, human and even legal)
– Provide 3 human-based actions – i.e. how you would deal with employees, suppliers, the law, etc.
– Provide 3 IT (computer-based) actions
– Would you pay the ransom?
– What would you do about data privacy – Information on the King and Queen of Atlantis was in the Data Base!

Any questions, please email
