Chapter 3 Lecture Topics

Chapter 3 discusses the principles of risk management, identifying risks, and the importance of countermeasures in IT infrastructure. It outlines various types of risks, threats, and vulnerabilities, as well as the processes for assessing and prioritizing them. Additionally, it covers the roles of different attackers and common attack vectors, emphasizing the need for continuous risk assessment and effective response strategies.


CHAPTER 3

Risks, Threats, and Vulnerabilities

Copyright © 2023 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Learning Objective(s):
• Describe the principles of risk management, risk assessments, and issues related to threats and vulnerabilities in an IT infrastructure.

Key Concepts:
• The principles of organizational risk management
• Risks, threats, and vulnerabilities
• IT and network infrastructures
• Malicious attacks
• Attack perpetrators and attack vectors
• The importance of countermeasures
Risk Management and Information Security (1 of 2)

• Seek a balance between the utility and cost of various risk management options
• Identify risks and apply risk management solutions to ensure that critical business functions can continue to operate
• Key risk management principles:
  - Do not spend more to protect an asset than it is worth.
  - Every countermeasure requires resources to implement and therefore should be aligned with a specific risk.
Risk Management and Information Security (2 of 2)

• Conduct a business impact analysis (BIA)
• Create or maintain a business continuity plan (BCP)
• Develop or maintain a disaster recovery plan (DRP)
Risk Terminology (1 of 2)

• Risk
  - Likelihood that something bad will happen to an asset
• Threat
  - Something bad that might happen to an organization
• Vulnerability
  - Any exposure that could allow a threat to be realized
• Impact
  - The amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator

Risk Terminology (2 of 2)

• Event
  - A measurable occurrence that has an impact on the business
• Incident
  - Any event that violates or threatens to violate your security policy
• Control
  - Includes both safeguards and countermeasures
• Safeguard
  - Addresses gaps or weaknesses in controls that could lead to a realized threat
• Countermeasure
  - Counters or addresses a specific threat
Elements of Risk

• Component parts of risk:
  - Assets
  - Vulnerabilities
  - Threats
• Perform risk assessments to identify new or changed risks over time
• More than a quarter of all reported attacks are by insiders
• The impact of insider attacks is proportionately worse than attacks by outsiders
Purpose of Risk Management

• Identify risks:
  - Before they lead to an incident
  - In time to enable a plan and begin risk-handling activities (controls and countermeasures)
  - On a continuous basis across the life of the product, system, or project
• Risk can never be reduced to zero
• Contingency planning focuses on planning to anticipate and respond to risk without interrupting the most critical business functionality
• Identify the tolerable risk level and apply controls to reduce risks to that level

The Risk Management Process
(figure slide; diagram not reproduced in this extract)

Identify Risks

• Brainstorming
• Surveys
• Interviews
• Working groups
• Checklists
• Historical information

Sample Risk Register
(figure slide; the sample register table is not reproduced in this extract)

Risk Register Components

• A description of the risk
• The expected impact if the associated event occurs
• The probability of the event's occurring
• Steps to mitigate the risk
• Steps to take should the event occur
• Rank of the risk
Assess and Prioritize Risks

• Quantitative risk assessment
  - The cost or value of the identified risk and its financial impact are examined
  - Attempts to describe risk in financial terms and put a dollar value on each risk
• Qualitative risk assessment
  - The risk impact is examined by assigning a rating for each identified risk
  - Ranks risks based on their probability of occurrence and impact on business operations

Quantitative Versus Qualitative Risk Assessments
(figure slide; diagram not reproduced in this extract)

Quantitative Risk Assessment

• Calculate asset value (AV)
• Calculate exposure factor (EF)
• Calculate single loss expectancy (SLE)
• Determine how often a loss is likely to occur every year
• Determine annualized loss expectancy (ALE)

Determining Quantified Risk (1 of 2)

Calculation                            Formula
Single loss expectancy (SLE)           SLE = AV × EF
Annualized rate of occurrence (ARO)    ARO = number of incidents per year
Annualized loss expectancy (ALE)       ALE = SLE × ARO

Determining Quantified Risk (2 of 2)

• 100 users in an organization use laptop computers
• Each computer with software and data = $1,500
• Organization loses an average of six computers per year
• SLE is $1,500
• ARO is 6
• ALE is $9,000 ($1,500 × 6)
• Suggested countermeasure is to purchase hardware locks at a cost of $10 each to reduce yearly losses from six to one
• Cost of countermeasure is $1,000 ($10 × 100 computers)
• New ARO is 1
• New ALE is $1,500 ($1,500 × 1)
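The laptop scenario worked through in Python, as an added example that is not part of the lecture slides: it computes SLE and ALE from the formulas above and then applies the first risk management principle ("do not spend more to protect an asset than it is worth") as a net-benefit check on the hardware-lock countermeasure. The Asset and Countermeasure classes and evaluate_countermeasure are my own names, and EF = 1.0 is an assumption, since the deck treats a lost laptop as a total loss.

```python
# Added example, not from the lecture deck: the SLE/ARO/ALE formulas applied
# to the deck's laptop scenario, plus the cost-benefit check a practitioner
# runs before buying a countermeasure. Class and function names are my own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: value of one unit (hardware, software, data)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    units: int              # number of units the organization holds
    aro: float              # annualized rate of occurrence (incidents per year)

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    unit_cost: float  # cost per protected unit (one lock per laptop)
    new_aro: float    # expected incidents per year once the control is in place


def evaluate_countermeasure(asset: Asset, control: Countermeasure) -> dict:
    """Before/after ALE and the net annual benefit of the control.
    net_benefit = (ALE before - ALE after) - annual cost of the control.
    The deck's rule 'do not spend more to protect an asset than it is worth'
    becomes: adopt the control only if net_benefit is positive."""
    ale_before = asset.ale()
    ale_after = Asset(asset.name, asset.asset_value, asset.exposure_factor,
                      asset.units, control.new_aro).ale()
    cost = control.unit_cost * asset.units   # one-time purchase, charged to year one
    net = (ale_before - ale_after) - cost
    return {"sle": asset.sle(), "ale_before": ale_before, "ale_after": ale_after,
            "control_cost": cost, "net_benefit": net, "worthwhile": net > 0}


# Constructed scenario from the deck: 100 laptops worth $1,500 each, EF = 1.0
# (a lost laptop is a total loss), six lost per year; $10 locks cut that to one.
LAPTOPS = Asset("laptop", 1500.0, 1.0, 100, 6)
LOCKS = Countermeasure("hardware lock", 10.0, 1)

if __name__ == "__main__":
    for key, value in evaluate_countermeasure(LAPTOPS, LOCKS).items():
        print(f"{key:>13}: {value}")
```

The same check with a $100-per-laptop control would return a negative net_benefit, which is the case the first principle is written to catch.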
Qualitative Risk Analysis

Judge risk on two scales:

• Probability or likelihood: Some things, such as the malfunction of a badge reader on the employee entrance, will seldom happen, whereas other things, such as employees calling in sick, will almost certainly happen.
• Impact: Some things, such as a workstation that fails to boot up, will have a minor impact on productivity, whereas other things, such as a production system breaking down, will have a major impact.
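A small risk register scored on these two scales, as an added example that is not from the slides: it carries the register components listed earlier (description, impact, probability, mitigation steps, contingency steps, rank) and ranks entries by probability × impact, flagging those above a tolerable level. The 1-to-5 rating scale, the tolerance value and the names RiskEntry, rank_register and above_tolerance are my assumptions.

```python
# Added example, not from the lecture deck: a risk register holding the
# components the deck lists, ranked qualitatively on its two scales. The 1-5
# rating scale, the tolerance value and all names below are my own assumptions.
from dataclasses import dataclass, field


@dataclass
class RiskEntry:
    description: str
    probability: int  # 1 (will seldom happen) .. 5 (will almost certainly happen)
    impact: int       # 1 (minor impact) .. 5 (major impact)
    mitigation: list[str] = field(default_factory=list)   # steps to mitigate the risk
    contingency: list[str] = field(default_factory=list)  # steps should the event occur
    rank: int = 0     # filled in by rank_register()

    def __post_init__(self) -> None:
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be rated 1..5")

    def score(self) -> int:
        """Qualitative risk score: probability x impact (1 to 25 on this scale)."""
        return self.probability * self.impact


def rank_register(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order by score, highest first; ties are broken by impact so a rare but
    severe event outranks a frequent but trivial one with the same product.
    Writes the rank back into each entry and returns the ordered list."""
    ordered = sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)
    for position, entry in enumerate(ordered, start=1):
        entry.rank = position
    return ordered


def above_tolerance(register: list[RiskEntry], tolerance: int) -> list[RiskEntry]:
    """Entries scoring above the tolerable risk level, i.e. still needing controls."""
    return [r for r in register if r.score() > tolerance]


# Constructed entries built from the deck's own illustrations of the two scales.
SAMPLE_REGISTER = [
    RiskEntry("Badge reader at employee entrance malfunctions", probability=1, impact=2,
              mitigation=["Preventive maintenance"], contingency=["Guard checks IDs"]),
    RiskEntry("Employees call in sick", probability=5, impact=1,
              mitigation=["Cross-train staff"], contingency=["Reassign shifts"]),
    RiskEntry("Workstation fails to boot", probability=3, impact=1,
              mitigation=["Keep spare imaged workstations"], contingency=["Swap hardware"]),
    RiskEntry("Production system breaks down", probability=2, impact=5,
              mitigation=["Redundant servers", "Monitoring"], contingency=["Invoke the DRP"]),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.rank}. [score {r.score():>2}] {r.description}")
```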
Plan a Risk Response Strategy

• Negative risks
  - Reduce (reduction/mitigation)
  - Transfer (transference/assignment)
  - Accept (acceptance)
  - Avoid (avoidance)
• Positive risks
  - Exploit (exploitation)
  - Share (sharing)
  - Enhance (enhancement)
  - Accept (acceptance)

Acceptable Range of Risk
(figure slide; diagram not reproduced in this extract)

Total Risk and Residual Risk
(figure slide; diagram not reproduced in this extract)

Implement the Risk Response Plan

• Administrative controls
  - Manage the activity phase of security—the things people do
• Activity phase controls
  - Either administrative or technical
  - Correspond to the life cycle of a security program
  - Detective controls
  - Preventive controls
  - Corrective controls
  - Deterrent controls
  - Compensating controls
Protecting Physical Security (1 of 3)

• Heating, ventilating, and air conditioning (HVAC)
• Fire suppression
• Electromagnetic interference (EMI) shielding
• Lighting
• Signs
• Fencing
• Barricades

Protecting Physical Security (2 of 3)

• Guards
• Motion detectors
• Video surveillance
• Locks
• Mantraps
• Access lists
• Proximity readers

Protecting Physical Security (3 of 3)

• Biometrics
• Protected access (cabling)
• Alarms
• Escape plan
• Escape routes
• Drills
• Control testing
Selecting Safeguards and Countermeasures

• Fix known exploitable software flaws
• Develop and enforce operational procedures and access controls (data and system)
• Provide encryption capability
• Improve physical security
• Disconnect unreliable networks

Pricing/Costing a Countermeasure

• Product costs
• Implementation costs
• Compatibility costs
• Environmental costs
• Testing costs
• Productivity impact

Monitor and Control Risk Response

• What problem is this countermeasure designed to solve?
• Does this countermeasure solve this problem?
• Countermeasures might pose new risk to the organization
• Perform certification and accreditation of countermeasure programs
• Follow best practices and exercise due diligence
IT and Network Infrastructure

Intellectual Property

• The central asset of many organizations
  - Patents
  - Drug formulas
  - Engineering plans
  - Sales and marketing plans
  - Scientific formulas
  - Recipes
• Protecting intellectual property is a top-of-mind consideration for any organization

Finances and Financial Data

• Financial assets are among the highest-profile assets in any organization
• Loss of financial assets due to malicious attacks is a worst-case scenario for all organizations
  - Represents significant physical loss
  - Can have long-term effects on a company's reputation and brand image

Service Availability and Productivity

• Critical services
  - Must be available for use when organizations need them
• Downtime
  - The time during which a service is not available due to failure or maintenance
• Unintentional downtime
  - The result of technical failure, human error, or attack
• Opportunity cost
  - The amount of money a company loses due to either intentional or unintentional downtime

Reputation

• Companies that suffer from security breaches and malicious attacks that expose assets are likely to face serious negative consequences in the public eye
  - Even if the company's response were swift and solved the problem effectively
• Negative public perception could lead to a decline in the organization's revenue, net worth, and market capitalization
Who Are the Perpetrators?

• Black-hat hackers
  - Try to break IT security and gain access to systems with no authorization to prove technical prowess or potentially steal sensitive data
• White-hat (or ethical) hackers
  - Information systems security professionals who have authorization to identify vulnerabilities and perform penetration testing
• Gray-hat hackers
  - Hackers with average abilities who may one day become black-hat hackers but could also choose to become white-hat hackers
• Crackers
  - Have a hostile intent, possess sophisticated skills, may be interested in financial gain, and represent the greatest threat to networks and information resources

Risks, Threats, and Vulnerabilities in an IT Infrastructure

• End-User Licensing Agreement (EULA)
  - Transfers the software company's risk of shipping vulnerable software, and of being held liable for a software vulnerability, to its end users
• Hackers continuously look for known software vulnerabilities as a means to find an exploitable weakness
• Vulnerability window
  - The gap in time between the announcement of a vulnerability and the application of a patch
• Zero day (in zero-day vulnerability)
  - A vulnerability window of zero days because there is no patch yet for a known software vulnerability

The Most Common IT Infrastructure Threats

• Malicious software
• Hardware or software failure
• Internal attacker
• Equipment theft
• External attacker
• Natural disaster
• Industrial espionage
• Terrorism

Threat Targets and Types

• Threat targets
  - Identify where in the seven domains of an IT infrastructure threats are likely to occur
• Threat types
  - Disclosure threats
  - Alteration threats
  - Denial or destruction threats
What Is a Malicious Attack?

• Four categories of attacks
  - Fabrications
  - Interceptions
  - Interruptions
  - Modifications

Types of Active Threats

• Birthday attacks
• Brute-force password attacks
• Credential harvesting and stuffing
• Dictionary password attacks
• Internet Protocol (IP) address spoofing
• Hijacking
• Replay attacks
• Man-in-the-middle attacks
• Masquerading
• Eavesdropping
• Social engineering
• Phreaking
• Phishing
• Pharming
What Are Common Attack Vectors?

• Attacks on availability
• Attacks on people
• Attacks on IT assets

Social Engineering Attacks

• Authority
• Consensus/social proof
• Dumpster diving
• Familiarity/liking
• Hoaxes
• Impersonation
• Intimidation
• Scarcity
• Shoulder surfing
• Smishing
• Tailgating
• Trust
• Trusted users
• Urgency
• Vishing
• Whaling

Wireless Network Attacks

• Bluejacking
• Bluesnarfing
• Evil twin
• Initialization vector (IV) attack
• Jamming/interference
• Near field communication attack
• Packet sniffing
• Replay attack
• Rogue access point
• War chalking
• War driving

Web Application Attacks

• Arbitrary/remote code execution
• Buffer overflow
• Client-side attack
• Cookies and attachments
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Directory traversal/command injection
• Header manipulation
• Integer overflow
• Lightweight Directory Access Protocol (LDAP) injection
• Local shared objects (LSO)
• Malicious add-on
• SQL injection
• Watering hole attack
• XML injection
• Zero day
The Importance of Countermeasures

• Focus on countermeasures and implement security controls that can help mitigate the risk caused by threats and vulnerabilities
• Best strategy is to identify vulnerabilities and reduce them to avoid attacks
• Attack response should be as aggressive, proactive, and reactive as the attack itself
• Develop plans to rapidly restore computer and network resources, close holes in the organization's defenses, and obtain evidence for prosecution of offenders
• Responding to attacks involves planning, policy, and detective work

Summary

• The principles of organizational risk management
• Risks, threats, and vulnerabilities
• IT and network infrastructures
• Malicious attacks
• Attack perpetrators and attack vectors
• The importance of countermeasures