
Security & Risk Management Concepts

  • Writer: Abhilasha
  • Jul 8, 2024
  • 5 min read

Critical Assets in an Enterprise


An asset is anything of value to the organization. Assets can be physical or logical, for example:

• People and skills

• Goodwill

• Hardware/ Software

• Data

• Documentation

• Supplies

• Physical plant

• Money


Threats in cybersecurity can be summarized as:

  • An expression of intention to inflict evil, injury, or damage: the intent or capability of an actor to cause harm to an organization's assets, operations, or reputation. Note that the threat catalogue below is broader than malicious actors; it also covers accidents (operator error, hardware failure) and environmental events (fire, flood, power loss), all of which can realize a loss against an asset.

  • Attacks against key security services: These include:

  • Confidentiality: Unauthorized access to sensitive information.

  • Integrity: Unauthorized alteration or modification of data.

  • Availability: Disruption or denial of access to services or resources.


  • T01 Access (Unauthorized to System - logical): Unauthorized attempt to access computer systems or networks.

  • T02 Access (Unauthorized to Area - physical): Unauthorized access to physical areas or premises.

  • T03 Airborne Particles (Dust): Potential damage or disruption caused by airborne dust particles.

  • T04 Air Conditioning Failure: System failure leading to potential overheating or environmental issues.

  • T05 Application Program Change (Unauthorized): Unauthorized modification or alteration of software applications.

  • T06 Bomb Threat: Threat of explosives or similar destructive devices.

  • T07 Chemical Spill: Accidental or intentional release of hazardous chemicals.

  • T08 Civil Disturbance: Disruption caused by civil unrest or public disturbances.

  • T09 Communications Failure: Failure or disruption of communication systems.

  • T10 Data Alteration (Error): Unintentional alteration or corruption of data.

  • T11 Data Alteration (Deliberate): Intentional alteration or manipulation of data.

  • T12 Data Destruction (Error): Accidental loss or deletion of data.

  • T13 Data Destruction (Deliberate): Intentional destruction or deletion of data.

  • T14 Data Disclosure (Unauthorized): Unauthorized access leading to the disclosure of sensitive information.

  • T15 Disgruntled Employee: Actions or threats posed by dissatisfied employees.

  • T16 Earthquakes: Natural disasters causing potential damage or disruption.

  • T17 Errors (All Types): Errors in operations, processes, or systems.

  • T18 Electro-Magnetic Interference: Interference caused by electromagnetic radiation.

  • T19 Emanations Detection: Unauthorized monitoring of electromagnetic signals emitted by electronic devices.

  • T20 Explosion (Internal): Internal explosion causing physical damage.

  • T21 Fire, Catastrophic: Severe fire incidents causing extensive damage.

  • T22 Fire, Major: Significant fire incidents impacting operations.

  • T23 Fire, Minor: Minor fire incidents affecting localized areas.

  • T24 Floods/Water Damage: Damage caused by floods or water-related incidents.

  • T25 Fraud/Embezzlement: Fraudulent activities or financial misappropriation.

  • T26 Hardware Failure/Malfunction: Failure or malfunction of hardware components.

  • T27 Hurricanes: Severe storms causing widespread damage.

  • T28 Injury/Illness (Personal): Personal injury or illness affecting operations.

  • T29 Lightning Storm: Storms accompanied by lightning strikes.

  • T30 Liquid Leaking (Any): Leakage of liquids causing damage or disruption.

  • T31 Loss of Data/Software: Loss or corruption of data or software.

  • T32 Marking of Data/Media Improperly: Incorrect labeling or marking of data or media.

  • T33 Misuse of Computer/Resource: Unauthorized use or misuse of computer systems or resources.

  • T34 Nuclear Mishap: Accidental or deliberate nuclear incidents.

  • T35 Operating System Penetration/Alteration: Unauthorized access or alteration of operating systems.

  • T36 Operator Error: Errors caused by human operators.

  • T37 Power Fluctuation (Brown/Transients): Fluctuations or surges in electrical power.

  • T38 Power Loss: Complete loss of electrical power.

  • T39 Programming Error/Bug: Errors or bugs in software programming.

  • T40 Sabotage: Deliberate destruction or disruption of systems or operations.

  • T41 Static Electricity: Damage caused by static electricity discharge.

  • T42 Storms (Snow/Ice/Wind): Storms such as snowstorms, ice storms, or windstorms.

  • T43 System Software Alteration: Unauthorized alteration of system software.

  • T44 Terrorist Actions: Acts of terrorism affecting operations or infrastructure.

  • T45 Theft (Data/Hardware/Software): Theft of data, hardware, or software.

  • T46 Tornado: Destructive tornado incidents.

  • T47 Tsunami (Pacific area only): Tsunamis affecting coastal areas.

  • T48 Vandalism: Malicious damage or destruction of property or assets.

  • T49 Virus/Worm (Computer): Computer viruses or worms causing damage or disruption.

  • T50 Volcanic Eruption: Eruption of volcanoes causing environmental damage.




Vulnerabilities: Flaws or weaknesses in a system that a threat can exploit to compromise the confidentiality, integrity, or availability of an asset. A vulnerability on its own causes no loss; it is the pairing of a threat with a vulnerability that produces risk. Vulnerabilities can arise from various sources, including:

  • Security Procedures: Inadequacies or gaps in security protocols or practices.

  • Design Weaknesses: Flaws in the design of software or hardware that create avenues for exploitation.

  • Implementation Inadequacies: Errors or oversights during the implementation or deployment of systems or controls.


  • Physical

      • V01: Vulnerable to unauthorized building access.

      • V02: Computer room susceptible to unauthorized access.

      • V03: Media library susceptible to unauthorized access.

      • V04: Inadequate visitor control procedures.

  • Administrative

      • V41: Lack of management support for security.

      • V42: No separation of duties policy.

      • V43: Inadequate or no computer security plan policy.

      • V47: Inadequate or no emergency action plan.

  • Personnel

      • V56: Inadequate personnel screening.

      • V57: Personnel not adequately trained for their job responsibilities.

  • Software

      • V62: Inadequate or missing audit trail capability.

      • V63: Audit trail log not reviewed weekly.

      • V64: Inadequate control over application or program changes.

  • Communications

      • V87: Inadequate communications system.

      • V88: Lack of encryption.

      • V89: Potential for disruptions.

  • Hardware

      • V92: Lack of hardware inventory.

      • V93: Inadequate monitoring of maintenance personnel.

      • V94: No preventive maintenance program.

      • V100: Susceptible to electronic emanations.


Controls/Countermeasures are measures put in place to mitigate vulnerabilities. Here's a brief overview:

  • Preventive Controls:

      • Implemented to stop a threat from exploiting a vulnerability in the first place.

      • Examples: Access control mechanisms, encryption, firewalls, authentication mechanisms.

  • Detective Controls:

      • Used to detect and identify security incidents or breaches, during or after the fact. A detective control is only as good as the review behind it (compare V63: an audit trail that nobody reads detects nothing).

      • Examples: Intrusion detection systems (IDS), security monitoring tools, audit logs.

  • Recovery Controls:

      • Applied to recover from security incidents and restore normal operations.

      • Examples: Incident response plans, backups and recovery procedures, disaster recovery plans.

  • Cost and Coverage:

      • Assess each control in terms of what it costs and which threat/vulnerability pairs it covers, and by how much it reduces the likelihood or impact of each. A control that costs more than the loss it prevents is not worth deploying.

  • Integration with Vulnerability and Threat Analysis:

      • Controls should be aligned with the vulnerabilities and threats identified through risk assessment and analysis processes.

      • They should address specific risks identified, so that each control can be traced to the threat/vulnerability pairs it mitigates and the overall risk exposure of the organization is reduced.


Physical Controls:

  • C01 Access control devices - physical: Physical barriers and access control mechanisms to restrict unauthorized entry.

  • C02 Access control lists - physical: Lists defining authorized personnel for physical access.

  • C21 Install walls from true floor to true ceiling: Physical barriers to protect sensitive areas.

Software Controls:

  • C03 Access control - software: Authentication mechanisms and access controls within software systems.

  • C28 Encrypt password file: Protection of files containing passwords. On modern systems this means storing salted, slow hashes (never reversible encryption of plaintext passwords) and restricting read access to the file, since a recoverable password file turns a single file disclosure (T14) into credentials for every account.

  • C29 Encrypt data/files: Encryption of sensitive data and files to protect confidentiality.

Administrative Controls:

  • C06 Conduct risk analysis: Regular assessments to identify and prioritize risks.

  • C08 Develop emergency action plan: Plans outlining responses to security incidents.

  • C24 Restrict numbers of privileged users: Limiting the number of users with administrative privileges.

Personnel Controls:

  • C23 Investigate backgrounds of new employees: Background checks for new hires to mitigate insider threats.

  • C30 Hardware/software training for personnel: Training programs to ensure employees understand security protocols.

Technical Controls:

  • C07 Develop backup plan: Regular, tested backups so data and systems can be restored after loss or corruption (T10 to T13, T31), supporting availability and recovery.

  • C48 Conduct hardware/software inventory: Inventory management to track assets so that unauthorized additions, removals, or changes become visible (addresses V92).

Communications Controls:

  • C51 Update communications system/hardware: Regular updates to maintain secure communication channels.

  • C52 Monitor maintenance personnel: Supervision of personnel to prevent unauthorized access during maintenance.

Environmental Controls:

  • C53 Shield equipment from electromagnetic interference/emanations: Physical measures to protect against electromagnetic interference.


Risk/Control Trade Offs

Only safe asset is a dead asset

– An asset that is completely locked away is safe, but useless

– Trade-off between safety and availability

Do not waste effort on assets with low loss value

– Don't spend resources to protect garbage

Control only has to be good enough, not absolute

– Make it tough enough to discourage the enemy
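The three trade-offs above, and the "cost and coverage" point in the controls section, can be made concrete by putting numbers on them. The following is an added example and is not code from the original post or from any particular risk methodology. It assumes a simple annualised expected-loss model (risk = asset value x annual probability that a threat/vulnerability pair is realised; a control removes a fixed fraction of that probability) and then selects controls greedily by net benefit. The T/V/C identifiers are taken from the lists on this page, but every asset value, probability, coverage fraction and cost below is constructed for the example.

```python
"""Expected-loss model for choosing controls (added example, not from the post).

Model assumptions (made for this example only):
  - risk for one (asset, threat, vulnerability) = value x annual probability
  - a control removes a fixed fraction of the probability of the pairs it covers
  - all figures below are invented; only the T/V/C identifiers follow the page
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float           # loss if the asset is fully compromised (assumed)


@dataclass
class Risk:
    asset: str             # Asset.name
    threat: str            # e.g. "T01" unauthorized logical access
    vulnerability: str     # e.g. "V88" lack of encryption
    probability: float     # assumed annual probability the pair is realised


@dataclass
class Control:
    cid: str
    name: str
    annual_cost: float
    covers: dict           # (threat, vulnerability) -> fraction of probability removed


def expected_loss(assets, risks):
    """Annualised expected loss: sum of value x probability over all risks."""
    value = {a.name: a.value for a in assets}
    return sum(value[r.asset] * r.probability for r in risks)


def loss_reduction(control, assets, risks):
    """Expected loss the control removes against the current (residual) risks."""
    value = {a.name: a.value for a in assets}
    return sum(value[r.asset] * r.probability
               * control.covers.get((r.threat, r.vulnerability), 0.0)
               for r in risks)


def apply_control(control, risks):
    """Return a new risk list with the control's probability reductions applied."""
    return [Risk(r.asset, r.threat, r.vulnerability,
                 r.probability * (1.0 - control.covers.get((r.threat, r.vulnerability), 0.0)))
            for r in risks]


def select_controls(assets, risks, controls, min_asset_value=0.0):
    """Greedy cost/coverage selection.

    1. Drop risks on assets worth less than min_asset_value
       ("don't spend resources to protect garbage").
    2. Repeatedly pick the control with the largest net benefit
       (loss reduction minus annual cost) against the residual risk.
    3. Stop when no remaining control pays for itself
       ("good enough, not absolute"): leftover risk is accepted.
    """
    value = {a.name: a.value for a in assets}
    residual = [r for r in risks if value[r.asset] >= min_asset_value]
    initial = expected_loss(assets, residual)
    remaining, selected, rejected = list(controls), [], []
    while remaining:
        scored = [(loss_reduction(c, assets, residual) - c.annual_cost, c) for c in remaining]
        net, best = max(scored, key=lambda t: t[0])
        if net <= 0:                       # nothing left is worth its cost
            rejected.extend(c.cid for _, c in scored)
            break
        selected.append(best.cid)
        residual = apply_control(best, residual)
        remaining.remove(best)
    return {"selected": selected, "rejected": rejected,
            "initial": initial, "residual": expected_loss(assets, residual)}


# Constructed sample data (all figures are assumptions for the example).
ASSETS = [Asset("customer database", 500_000.0), Asset("lobby brochures", 50.0)]
RISKS = [
    Risk("customer database", "T01", "V88", 0.20),   # logical access, no encryption
    Risk("customer database", "T14", "V62", 0.10),   # disclosure, no audit trail
    Risk("customer database", "T02", "V02", 0.05),   # physical access to computer room
    Risk("lobby brochures",   "T45", "V01", 0.50),   # theft via open building access
]
CONTROLS = [
    Control("C29", "Encrypt data/files", 20_000.0,
            {("T01", "V88"): 0.8, ("T14", "V62"): 0.3}),
    Control("C01", "Access control devices - physical", 15_000.0,
            {("T02", "V02"): 0.9, ("T45", "V01"): 0.9}),
    Control("C21", "Walls from true floor to true ceiling", 60_000.0,
            {("T02", "V02"): 0.5}),
]

if __name__ == "__main__":
    result = select_controls(ASSETS, RISKS, CONTROLS, min_asset_value=1_000.0)
    print(f"initial expected loss: {result['initial']:,.0f}")
    print(f"selected: {result['selected']}, rejected: {result['rejected']}")
    print(f"residual expected loss: {result['residual']:,.0f}")
```

With these figures the brochures are dropped from the analysis by the value threshold, C29 and C01 are bought because each removes more expected loss than it costs, and C21 is rejected because after C01 the remaining physical-access risk it would reduce is far smaller than its price. The residual loss that remains is the accepted risk; the model says nothing about whether that acceptance is tolerable, which is a management decision the page's later sections cover.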


Need for Risk Management Process

Security risk management

– A process for identifying, prioritizing and managing risk to an acceptable level within the organization

A formal security risk management process can address the following:

– Threat response time

– Regulatory compliance

– Infrastructure management costs

– Risk prioritization and management


Factors that help a security risk management process succeed:

  • Executive leadership sponsorship:

      • Strong support and involvement from top management ensure cybersecurity initiatives receive the necessary resources and attention (the absence of this is vulnerability V41 above).

  • Well-defined list of stakeholders:

      • Clearly identifying all parties affected by or involved in cybersecurity ensures comprehensive engagement and accountability.

  • Organizational maturity:

      • A mature organization has established processes and practices that support effective cybersecurity measures and adaptability to emerging threats.

  • Open communication and teamwork:

      • Fostering an environment where information flows freely and teams collaborate enhances responsiveness and effectiveness in addressing cybersecurity challenges.

  • Holistic view of the organization:

      • Understanding how cybersecurity fits into the broader organizational strategy and operations ensures alignment and integration of security measures.

  • Security risk management team authority:

      • Empowering the team responsible for managing security risks with decision-making authority enables timely and effective responses to threats and vulnerabilities.


Strategies for Risk Management

Reactive

– A process that responds to security events as they occur

Proactive

– A process that reduces the risk of new vulnerabilities in your organization



 
 
 


©2021 by just dump 1. Proudly created with Wix.com
