If the cost of preventing a particular risk from becoming reality exceeds the value of the harm that could be caused by the event, then a cost/benefit risk calculation dictates that the risk should remain.
Key components of a risk-assessment process:
- Risks to Which the Organization is Exposed: An OS, server, or application may have known risks in certain environments.
- Risks That Need Addressing: This process helps an organization focus on its resources as well as on the risks that are most likely to occur.
- Coordination with BIA (Business Impact Analysis): It allows an organization to make intelligent decisions about how to respond to various scenarios.
Computing Risk Assessment
Formula: SLE x ARO = ALE
- SLE (Single Loss Expectancy): the expected monetary loss every time a risk occurs.
- SLE = AV * EF
- AV (Asset Value): A monetary value assigned to an asset. This may be based on its actual cost, or the cost of its replacement.
- EF (Exposure Factor): The proportion of an asset’s value that is likely to be destroyed by a particular risk, expressed as a percentage.
- ARO (Annualized Rate of Occurrence): the probability that a risk will occur in a particular year.
- ALE (Annualized Loss Expectancy): the monetary loss that can be expected for an asset due to a risk over a one-year period.
1. You’re the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing is estimated to be 25%, and a failure would lead to 3 hours of downtime and cost $5,000 in components to correct. What is the ALE?
SLE = $80,000 (25,000 * 3 + 5,000)
ARO = .25
ALE = 80,000 * .25 = $20,000
2. You’re the administrator for a research firm that works on only one project at a time and collects data through the web to a single server. The value of each research project is approximately $100,000. At any given time, an intruder could commandeer no more than 90% of the data. The industry average for ARO is .33. What is the ALE?
SLE = $90,000 (100,000 * .9)
ARO = .33
ALE = 90,000 * .33 = $29,700
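The two worked problems above, run through a small calculator (an added example, not part of the original notes): it models AV, EF, ARO and a fixed per-incident cost, then applies the cost/benefit rule stated at the top of this section to a hypothetical control. The Risk class, the control_decision function and the $15,000-per-year redundant-server figure are assumptions made for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One risk scenario in the page's SLE x ARO = ALE terminology (hypothetical helper)."""
    name: str
    asset_value: float        # AV: monetary value of the asset at stake
    exposure_factor: float    # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float                # ARO: expected occurrences per year
    fixed_cost: float = 0.0   # extra per-occurrence cost, e.g. replacement parts

    @property
    def sle(self) -> float:
        """SLE = AV * EF (plus any fixed per-incident cost), rounded to cents."""
        return round(self.asset_value * self.exposure_factor + self.fixed_cost, 2)

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO, rounded to cents."""
        return round(self.sle * self.aro, 2)


def control_decision(risk: Risk, control_cost_per_year: float, residual_aro: float) -> dict:
    """Cost/benefit test: a control is justified only when its yearly cost is below
    the ALE it removes; otherwise the rational choice is risk acceptance."""
    residual = replace(risk, aro=residual_aro)   # same asset, lower rate of occurrence
    saved = round(risk.ale - residual.ale, 2)
    return {
        "ale_before": risk.ale,
        "ale_after": residual.ale,
        "ale_reduction": saved,
        "control_cost": control_cost_per_year,
        "justified": saved > control_cost_per_year,
    }


# Scenario 1 from the page: 3 hours of lost revenue at $25,000/hour plus $5,000 in parts.
# AV is the 3 hours of revenue, EF is 1.0 (all of it is lost), the parts are a fixed cost.
WEB_SERVER = Risk("web server outage", asset_value=25_000 * 3, exposure_factor=1.0,
                  aro=0.25, fixed_cost=5_000)
# Scenario 2 from the page: $100,000 project, at most 90% exposed, industry ARO of .33.
RESEARCH_DATA = Risk("research data theft", asset_value=100_000, exposure_factor=0.9, aro=0.33)

if __name__ == "__main__":
    for r in (WEB_SERVER, RESEARCH_DATA):
        print(f"{r.name}: SLE=${r.sle:,.2f} ARO={r.aro} ALE=${r.ale:,.2f}")
    # Hypothetical control for scenario 1: a $15,000/year redundant server that cuts ARO to 0.05.
    print(control_decision(WEB_SERVER, control_cost_per_year=15_000, residual_aro=0.05))
```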
- Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective).
Acting on Your Risk Assessment
- Risk Avoidance: involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.
- Risk Transference: the burden of risk is shared with someone else, such as an insurance company.
- Risk Mitigation: taking steps to reduce the risk.
- Risk Deterrence: involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you.
- Risk Acceptance: the choice made when the cost of implementing any of the other four exceeds the value of the harm that would occur if the risk came to fruition.
Risks Associated with Cloud Computing
Cloud Computing: using the Internet to host services and data instead of hosting it locally.
- Platform as a Service (PaaS): vendors allow apps to be created and run on their infrastructure (e.g. AWS and Google Code).
- Software as a Service (SaaS): applications are remotely run over the Web.
- Infrastructure as a Service (IaaS): utilizes virtualization and clients pay an outsourcer for resources used.
- Regulatory Compliance: depending on organization type and size, there are a number of regulatory agencies' rules that must be complied with.
- User Privileges
- Data Integration/Segregation
Risks Associated with Virtualization
- Virtualization: allowing one set of hardware to host multiple virtual machines
- Breaking Out of the Virtual Machine: ability of malcontent to break out of the virtualization layer and access other virtual machines
- Network and Security Controls can Intermingle: possibility of privilege escalation and security compromise
- Hypervisor: the software that allows the VM to exist. If the hypervisor can be successfully attacked, the attacker can gain root access to all virtual systems.
Developing Policies, Standards, and Guidelines
Think of policies as providing the big picture on issues. Standards tell people what is expected, and guidelines provide specific advice on how to accomplish a given task or activity.
- Policies provide people in the organization with guidance about their expected behavior
  - A well-written policy is clear and concise, and outlines consequences
  - Key areas:
    - Scope Statement: outlines the intended accomplishments and which documents, laws, and practices are addressed. It provides background to help readers understand what the policy is about and how it applies.
    - Overview Statement: provides the goal of the policy, why it’s important, and how to comply.
    - Policy Statement: should be clear and concise. May be presented in paragraph form, as bulleted lists, or as checklists.
    - Accountability Statement: addresses who is responsible for ensuring the policy is enforced. It provides additional information about who to contact if a problem is discovered. It should also indicate the consequences of not complying with the policy.
    - Exception Statement: provides specific guidance about the procedure or process that must be followed in order to deviate from the policy.
- Standards deal with specific issues or aspects of a business and are derived from policies
  - Should provide enough detail that an audit can be conducted to determine if the standard is being met
  - Key aspects:
    - Scope and Purpose: should explain or describe the intention
    - Roles and Responsibilities: outlines who is responsible for implementing, monitoring, and maintaining the standard
    - Reference Documents: explains the relationship between the standard and different policies.
    - Performance Criteria: outlines how to accomplish the task. An important aspect is benchmarking. You need to define what will be measured and the metrics that will be used to do so.
    - Maintenance and Administrative Requirements: outlines the requirements to manage and administer the systems or networks.
    - Audit: the process of evaluation
- Guidelines help an organization implement or maintain standards by providing information on how to accomplish policies and maintain standards
  - Can be less formal than policies or standards
  - Designed to help users comply with standards and policies
  - Contents of a good guidelines document:
    - Scope and Purpose: provide an overview and statement of the guideline’s intent. Where the scope and purpose are separate headings, the “Purpose” section states why it exists, and the “Scope” section tells who it applies to.
    - Roles and Responsibilities: this section identifies which individuals or departments are responsible for accomplishing specific tasks.
    - Guideline Statements: provide the step-by-step instructions on how to accomplish a specific task in a specific manner.
    - Operational Considerations: specify and identify what duties are required and at what intervals.
  - Guidelines help in three (3) ways:
    - Helps to refresh memory
    - Can improve the learning curve of a new worker
    - Can keep one from becoming unglued in a crisis or high-stress situation
- Addresses organizational and departmental business issues as opposed to corporate-wide personnel issues
- Primary areas of concern:
  - Separation of duties: designed to reduce the risk of fraud and prevent other losses
  - Due care policies: identify the level of care used to maintain the confidentiality of private information
  - Physical access control: refers to the authorization of individuals to access facilities or systems that contain information
  - Document disposal and destruction: defines how information that is no longer needed is handled
  - Acceptable use: describes how employees of an organization can use company systems and resources, both software and hardware
  - Security policy: defines what controls are required to implement and maintain the security of systems, users, and networks
  - Mandatory vacations: requires all users to take time away from work and refresh
  - Job rotation: defines intervals at which employees must rotate through positions
  - Least privilege: giving users only the permissions that are needed to do their job and no more
Understanding Control Types, False Positives, and Change and Incident Management
- Control type categories:
- False Positives: events that aren’t really incidents.
- Change Management: the structured approach that is followed to secure the company’s assets
- Incident Management: the steps followed when events occur