CMGT 442 Philip Robbins – November 21, 2012 (Week 2) University of Phoenix Mililani Campus...
CMGT 442: Information Systems Risk Management
Philip Robbins – November 21, 2012 (Week 2), University of Phoenix, Mililani Campus
Objectives: Week 2
• Risk Assessment (Part 1)
- Review Week 1: Concepts
- LT Activity: Week 1 & Week 2 Article Readings
- Stuxnet
- Week 2: Components of Risk
- Quiz #2
- Review Week 2: Questions
- Assignments: IDV & LT Papers
- Review Information Sharing Articles
Review: Information Security Services
[Figure: Defense in Depth primary elements (People, Technology, Operations) and the DiD PDR paradigm (Protect, Detect, React). Information Security Services (ISS): Confidentiality, Integrity, Availability. Information Assurance Services (IAS): Physical, Cyber, Continuity, Configuration, Training, Identity A&A, Content.]
Review: Information Assurance Services
Information Assurance Framework [figure: control measures and functional assessment across Sustain / Defend / Respond]
Information Assurance Services (IAS):
1. Physical Security Services
2. Cyber Security Services
3. Continuity of Operations
4. Design, Configuration, Operations & Administration
5. Education, Training & Awareness
6. Identity Authentication & Authorization
7. Information Content Conditioning & Control
Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.
Learning Team Activity
• Activity: Review Week 1 & 2 ‘Article’ Readings
- 15 minutes: Read articles
- 10 minutes: Answer article questions
- 10 minutes: Present your article to the class
- Submit for credit
LT Activity: Week 1 Article Readings
• Barr (2011)
- What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems?
- What are the risks associated with disruption of these systems?
• Ledford (2012)
- What special issues must be considered for corporate data which are not fully digitized?
- What are the risks associated with the loss of this data?
- What recovery procedures do you recommend for these situations?
LT Activity: Week 2 Article Readings
• Keston (2008)
- How important is enterprise identity management for reducing risk throughout the enterprise?
- Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process.
• Vosevich (2011)
- What software must be considered to provide adequate security management across the enterprise?
Future Risks
• Weapons in Cyberspace: Are we at war?
• Cyber Crime vs. Cyber Warfare vs. Cyber Conflict
[Figure: spectrum from Cyber Crime through Cyber Warfare to Cyber Conflict, with three categories of activity]
- Espionage: spying / theft of information
- Sabotage: disruption
- Attack: destruction
Review: Risk Definition
• What is Risk?
thus
• Units for measurement:
Confidentiality, Integrity, Availability
Source:Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Defining Risk
• Risk is conditional, NOT independent.
Source:Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Defining Risk
• Expected Value of Risk = Product of Risks
• Risk is never zero: “We can never be 100% confident for protection”
• Risk dimension (units): confidence in the loss of an ISS (C, I, or A), the “Risk Loss Confidence”
Source:Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Risk Behavior
[Figure: Network Enclave #1, Network Enclave #2 and Network Enclave #3, interconnected]
Risk Loss Confidence increases through interconnections with other network enclaves (risks)!
Risk Behavior
[Figure: Network Enclave #1 (R1 = LOW), Network Enclave #2 (R2 = MED), Network Enclave #3 (R3 = HIGH), interconnected]
RiskEV = R1 x R2 x R3
RiskEV = LOW x MED x HIGH
RiskEV = ?
Risk Behavior
[Figure: Network Enclave #1 (R1 = LOW), Network Enclave #2 (R2 = MED), Network Enclave #3 (R3 = HIGH), interconnected]
RiskEV = R1 x R2 x R3
RiskEV = LOW x MED x HIGH
RiskEV = HIGH
Risk Behavior: REV & RLC
• Expected Value and Risk Loss Confidence vs. Cumulative Risk Product
Source:Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
Total Risk
• How do we quantify total risk?
- Average the risk to each Information Security Service:
Source:Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.
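The enclave slides express the risk of three interconnected enclaves as a product, R1 x R2 x R3 = LOW x MED x HIGH = HIGH, and total risk as the average of the risk to each ISS. The following worked example is added here and is not from the slides or from Robbins (2011). It puts numbers behind both statements under assumptions the slides do not make: each enclave's Risk Loss Confidence for a service is treated as a probability of losing that service, the enclaves are assumed independent, and the confidence of loss across an interconnection is taken as 1 - prod(1 - p_i), the probability that at least one connected enclave loses the service. That is the form in which a "product of risks" grows with every link, which is the slide's point; a plain product of the probabilities would shrink instead, and the example shows that contrast. The band thresholds (LOW below 0.2, MED below 0.6, HIGH otherwise) and the sample enclave values are constructed for the illustration.

```python
"""Worked numbers for the enclave risk slides (added example, not course material).

Assumptions (not stated on the slides):
  * Each enclave's Risk Loss Confidence for a service is a probability of losing that service.
  * Enclaves are independent, so the confidence of loss across an interconnection is
    1 - prod(1 - p_i): the chance that at least one connected enclave loses the service.
  * Ordinal bands: LOW below 0.2, MED below 0.6, HIGH otherwise.
"""
from typing import Dict, Iterable, List

SERVICES = ("confidentiality", "integrity", "availability")

# Assumed thresholds for mapping a loss confidence onto the slides' LOW / MED / HIGH scale.
BANDS = ((0.2, "LOW"), (0.6, "MED"))


def level(p: float) -> str:
    """Map a loss confidence in [0, 1] to LOW / MED / HIGH using the assumed bands."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"loss confidence out of range: {p}")
    for upper, name in BANDS:
        if p < upper:
            return name
    return "HIGH"


def combined_loss_confidence(probabilities: Iterable[float]) -> float:
    """Risk Loss Confidence for one service across interconnected enclaves.

    With independent enclaves the service is lost if any connected enclave loses it,
    so P(loss) = 1 - prod(1 - p_i). The result never falls below the largest p_i.
    """
    survive = 1.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"loss confidence out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def naive_product(probabilities: Iterable[float]) -> float:
    """Plain product of the probabilities, included only as a contrast: it is the chance
    that *every* enclave loses the service, so it shrinks with each added link."""
    result = 1.0
    for p in probabilities:
        result *= p
    return result


def enclave_risk(enclaves: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Combined loss confidence per ISS (C, I, A) over all interconnected enclaves."""
    return {
        svc: combined_loss_confidence(e[svc] for e in enclaves.values())
        for svc in SERVICES
    }


def total_risk(per_service: Dict[str, float]) -> float:
    """Total risk as on the slides: the average of the risk to each ISS."""
    return sum(per_service[svc] for svc in SERVICES) / len(SERVICES)


def standalone_levels(enclaves: Dict[str, Dict[str, float]]) -> Dict[str, str]:
    """Each enclave's own level (its total risk) before any interconnection."""
    return {name: level(total_risk(svc)) for name, svc in enclaves.items()}


# Constructed sample input: three enclaves that rate LOW, MED and HIGH on their own,
# matching R1 = LOW, R2 = MED, R3 = HIGH on the slides.
ENCLAVES: Dict[str, Dict[str, float]] = {
    "enclave_1": {"confidentiality": 0.05, "integrity": 0.05, "availability": 0.10},
    "enclave_2": {"confidentiality": 0.30, "integrity": 0.25, "availability": 0.40},
    "enclave_3": {"confidentiality": 0.70, "integrity": 0.60, "availability": 0.80},
}


def report(enclaves: Dict[str, Dict[str, float]]) -> List[str]:
    """Summary lines: standalone levels, the interconnected result, and the contrast case."""
    lines = [f"{name}: {lvl}" for name, lvl in standalone_levels(enclaves).items()]
    combined = enclave_risk(enclaves)
    for svc in SERVICES:
        lines.append(f"interconnected {svc}: {combined[svc]:.3f} -> {level(combined[svc])}")
    total = total_risk(combined)
    lines.append(f"total risk (average over C, I, A): {total:.3f} -> {level(total)}")
    conf = [e["confidentiality"] for e in enclaves.values()]
    naive = naive_product(conf)
    lines.append(f"naive product of confidentiality losses: {naive:.4f} -> {level(naive)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ENCLAVES)))
```

With these inputs the three enclaves rate LOW, MED and HIGH on their own; once interconnected, every service's loss confidence exceeds the HIGH enclave's own value (confidentiality 0.80, integrity 0.72, availability 0.89) and the total risk averages to about 0.80, HIGH, as the slide concludes. The naive product of the same confidentiality figures is 0.0105, which would band as LOW; that is the wrong reading of "product of risks" for interconnected systems.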
Risk Component: Threats
• Rapid growth of Advanced Persistent Threats (APTs)
• Half a million cyber-related incidents in 2012
- Is this a problem?
- What about vulnerabilities associated with interconnections?
- How does risk management help deal with APTs?
Source: US-CERT
Risk Component: Vulnerabilities
• What are vulnerabilities? Any flaw or weakness that can be exploited.
– Poorly communicated or implemented policy
– Improperly configured systems or controls
– Inadequately trained personnel
Semi-Quantitative Risk Matrix
[Figure: impact (rows) by likelihood (columns); each cell rated Low, Medium, High or Severe. The cell ratings were shown as colour bands and are not recoverable here.]

Impact \ Likelihood   Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Frequent (5)
Catastrophic (5)
Material (4)
Major (3)
Minor (2)
Insignificant (1)
Risk Responses
[Figure: response quadrant, severity (rows) by frequency (columns)]

Severity \ Frequency   Low                 High
High                   Accept / Transfer   Avoid
Low                    Accept              Accept / Transfer
Risk Responses
• Risk Avoidance – halt or stop the activity causing the risk
• Risk Transference – transfer the risk to another party (e.g. buy insurance)
• Risk Mitigation – reduce the likelihood or impact with controls/safeguards
• Risk Acceptance – understand the consequences and accept the risk
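The matrix and the response quadrant above are the two lookups a semi-quantitative assessment actually runs. The example below is added here, not taken from the slides: it uses the slides' own 1–5 likelihood and impact labels, and makes explicit the parts the figure did not carry over as text. Assumed: the cell rating is the product of the two scores, banded LOW (1–4), MEDIUM (5–9), HIGH (10–16) and SEVERE (17–25); and a score of 4 or 5 counts as "High" severity or frequency on the response quadrant. The quadrant itself follows the slide's grid as shown (Avoid when both are high, Accept when both are low, Accept / Transfer otherwise); mitigation is listed on the slide as a response but is not placed in that grid, so it is not assigned here. The sample risk register is constructed.

```python
"""Semi-quantitative risk matrix and response quadrant (added example, not course material).

The 5 x 5 likelihood and impact scales are the slides' own. Assumed, because the matrix
colouring did not survive: rating = likelihood score x impact score, banded LOW (1-4),
MEDIUM (5-9), HIGH (10-16), SEVERE (17-25); "High" on the response quadrant means a
score of 4 or 5.
"""
from typing import Dict, List, Tuple

LIKELIHOOD: Dict[str, int] = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT: Dict[str, int] = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}

# Assumed bands on the product score (upper bound inclusive, band name).
RATING_BANDS: Tuple[Tuple[int, str], ...] = ((4, "LOW"), (9, "MEDIUM"), (16, "HIGH"), (25, "SEVERE"))
HIGH_FROM = 4  # assumed: scores 4-5 are "High" on the response quadrant


def score(likelihood: str, impact: str) -> int:
    """Product of the likelihood (1-5) and impact (1-5) scores; KeyError on an unknown label."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def rating(likelihood: str, impact: str) -> str:
    """Cell rating of the matrix for one likelihood/impact pair."""
    s = score(likelihood, impact)
    for upper, name in RATING_BANDS:
        if s <= upper:
            return name
    raise ValueError(f"score out of range: {s}")  # unreachable for valid labels


def response(likelihood: str, impact: str) -> str:
    """Quadrant from the Risk Responses slide: severity (impact) vs. frequency (likelihood)."""
    freq_high = LIKELIHOOD[likelihood] >= HIGH_FROM
    sev_high = IMPACT[impact] >= HIGH_FROM
    if sev_high and freq_high:
        return "Avoid"
    if sev_high or freq_high:
        return "Accept / Transfer"
    return "Accept"


def matrix() -> List[List[str]]:
    """Full 5 x 5 matrix: rows Catastrophic down to Insignificant, columns Rare to Frequent."""
    return [[rating(lik, imp) for lik in LIKELIHOOD] for imp in reversed(list(IMPACT))]


def assess(register: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Score each (name, likelihood, impact) entry and return the register highest score first."""
    rows = [
        {"risk": name, "score": score(lik, imp), "rating": rating(lik, imp), "response": response(lik, imp)}
        for name, lik, imp in register
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register for the illustration.
REGISTER: List[Tuple[str, str, str]] = [
    ("ransomware on file servers", "Likely", "Material"),
    ("unpatched web app in internet-facing enclave", "Frequent", "Major"),
    ("flood at primary data centre", "Rare", "Catastrophic"),
    ("lost unencrypted laptop", "Moderate", "Minor"),
    ("typo in internal wiki", "Frequent", "Insignificant"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['score']:>2}  {row['rating']:<7}  {row['response']:<17}  {row['risk']}")
```

Under these assumptions the ransomware entry scores 16 (HIGH) and lands in the Avoid quadrant, the internet-facing web app scores 15 (HIGH) but, with Major rather than Material impact, falls to Accept / Transfer, and the rare flood scores only 5 (MEDIUM) yet still reaches Accept / Transfer because its severity is high, which is the classic insurance case. Change HIGH_FROM or RATING_BANDS and the whole register re-ranks, which is the point of keeping the thresholds in one place rather than in the analyst's head.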
Information Systems Risk Components
• Let’s recap: what are the components of Information Systems Risk?
- Threats & Threat Agents
- Vulnerabilities (Weakness)
- Controls (Safeguards)
- Impact
How is each component important to understanding and managing risk?
Risk Component Relationship
Source: Harris, S. (2010). CISSP all in one exam guide, fifth edition. McGraw-Hill, New York, NY.
Question #1
What is the likelihood of a threat taking advantage of a vulnerability called?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure
Question #1 (answer)
What is the likelihood of a threat taking advantage of a vulnerability called?
Answer: A. A risk
Question #2
Which of the following combinations best defines risk?
A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Threat coupled with a breach of security.
D. Vulnerability coupled with an attack.
Question #2 (answer)
Which of the following combinations best defines risk?
Answer: B. Threat coupled with a vulnerability.
Question #3
What can be defined as an event that could cause harm to information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
Question #3 (answer)
What can be defined as an event that could cause harm to information systems?
Answer: B. A threat
Question #4
What is the definition of a security exposure?
A. An instance of being exposed to losses from a threat
B. Any potential danger to information or systems
C. Any potential danger to information or systems
D. Loss potential due to a threat
Question #4 (answer)
What is the definition of a security exposure?
Answer: A. An instance of being exposed to losses from a threat
Question #5
The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a?
A. Threat
B. Exposure
C. Vulnerability
D. Risk