RISK ASSESSMENT


Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself.

A vulnerability is a weakness that could be exploited by a threat.

Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. 

The key here is to think outside the box. Conventional threats and risks are often too limited when considering risk assessment.

Key components of a risk assessment:

  • Developing scenarios to mitigate risks
  • Creating a plan for dealing with system risks
  • Addressing the risks that are most likely to occur
  • Coordinating with the business impact analysis (BIA) to make intelligent decisions about how to respond to various scenarios

Risk Calculations

  • ALE (annual loss expectancy): a measure of how much loss you could expect in a year.
  • SLE (single loss expectancy): how much you expect to lose at any one time. The SLE is the product of two components (SLE = AV × EF):
      • AV (asset value)
      • EF (exposure factor)
  • ARO (annualized rate of occurrence): the likelihood, drawn from historical data, of an event occurring within a year.

Risk Assessment Formula:

SLE × ARO = ALE

Example: If the SLE, which equals AV times EF, is $1,000 and there are seven such occurrences a year (ARO = 7), then the ALE is $7,000.

If there is only a 10 percent chance of the event occurring within a one-year period (ARO = 0.1), then the ALE drops to $100.

Risk-Assessment Computations

As a security professional, you should know how to compute SLE, ALE, and ARO. Given any two of the numbers, it’s possible to calculate the third. 

Example: You’re the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing during the year is estimated to be 25 percent. A failure would lead to three hours of downtime and cost $5,000 in components to correct. 

What is the ALE?
The SLE is $80,000 ($25,000 × 3 hours + $5,000), and the ARO is 0.25. Therefore the ALE is $20,000 ($80,000 × 0.25).
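The two computations above, worked in code. This is an added example and not part of the original notes; the function names are my own, and the only inputs are the figures from the two scenarios in the notes. It also covers the point that, given any two of SLE, ARO and ALE, the third can be derived.

```python
"""Risk calculations from the notes: SLE = AV x EF and ALE = SLE x ARO.

Added example (not from the original post). Function and variable names are
assumptions; the scenario figures are the ones given in the notes.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is the fraction (0.0 to 1.0) of the
    asset's value lost in a single event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def downtime_sle(revenue_per_hour: float, hours_down: float, repair_cost: float) -> float:
    """SLE for an outage: revenue lost while down plus the cost to correct it.
    This is how the web-server example in the notes arrives at $80,000."""
    return revenue_per_hour * hours_down + repair_cost


def solve_risk_triangle(sle=None, aro=None, ale=None) -> dict:
    """Given exactly two of SLE, ARO and ALE, return all three.

    ALE = SLE x ARO, so the missing value is obtained by rearranging:
      ALE = SLE * ARO,  SLE = ALE / ARO,  ARO = ALE / SLE
    """
    given = sum(v is not None for v in (sle, aro, ale))
    if given != 2:
        raise ValueError("exactly two of sle, aro, ale must be supplied")
    if ale is None:
        ale = sle * aro
    elif sle is None:
        if aro == 0:
            raise ValueError("ARO of zero: SLE cannot be recovered from ALE")
        sle = ale / aro
    else:
        if sle == 0:
            raise ValueError("SLE of zero: ARO cannot be recovered from ALE")
        aro = ale / sle
    return {"SLE": sle, "ARO": aro, "ALE": ale}


if __name__ == "__main__":
    # Scenario 1 from the notes: SLE $1,000, seven occurrences a year.
    print(solve_risk_triangle(sle=1_000, aro=7))       # ALE 7,000
    print(solve_risk_triangle(sle=1_000, aro=0.1))     # ALE 100

    # Scenario 2: web server, $25,000/hour, 3 hours down, $5,000 in parts,
    # 25 percent chance of failing in a year.
    sle = downtime_sle(25_000, 3, 5_000)               # 80,000
    print(solve_risk_triangle(sle=sle, aro=0.25))      # ALE 20,000

    # Working backwards: knowing the ALE and SLE recovers the ARO.
    print(solve_risk_triangle(sle=80_000, ale=20_000)) # ARO 0.25
```

The practical use of `solve_risk_triangle` is budgeting: if the ALE of a risk is known from historical losses and the SLE from the asset inventory, the implied ARO tells you how often the event is actually recurring, which is the number a mitigation has to drive down.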

Key to any risk assessment is identifying both assets and threats. You first have to identify what it is that you want to protect and then what possible harm could come to those assets.

Quantitative vs Qualitative

  • Qualitative Risk Analysis
  • Quantitative Risk Analysis

The main difference between qualitative and quantitative risk analysis is that the former uses a relative or descriptive scale to measure the probability of occurrence whereas quantitative analysis uses a numerical scale.

For example, a qualitative analysis would use a scale of "Low, Medium, High" to indicate the likelihood of a risk event occurring.

A quantitative analysis will determine the probability of each risk event occurring. For example, Risk #1 has an 80% chance of occurring, Risk #2 has a 27% chance of occurring, and so on.


  • Scope: qualitative is risk-level; quantitative is project-level
  • Method: qualitative is a subjective evaluation of probability and impact; quantitative uses probabilistic estimates of time and cost
  • Effort: qualitative is quick and easy to perform; quantitative is time consuming
  • Tooling: qualitative needs no special software or tools; quantitative may require specialized tools


Additional Risk Terminology

Likelihood: a score representing the possibility of threat initiation.

Threat Vectors: the way in which an attacker poses a threat. This can be a particular tool (such as a vulnerability scanner) or the path(s) of attack that they follow.

It can be a fake email that lures you into clicking a link (phishing), an unsecured hotspot (rogue access point), and everything in between.

Mean Time Between Failures (MTBF): a measure of the anticipated incidence of failure for a system or component.
If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year.

If it lasts longer it’s a bonus. MTBF is helpful in evaluating a system’s reliability and life expectancy.

Mean Time to Failure (MTTF): similar to MTBF, but it is the average time to failure for a nonrepairable system.

If the system can be repaired, the MTBF is the measurement to focus on, but if it cannot, then MTTF is the number to look at. 

Mean Time to Restore (MTTR): a measurement of how long it takes to repair a system or component (also referred to as mean time to repair).

In the case of a computer system, if the MTTR is 24 hours, this tells you that it will typically take 24 hours to repair it when it breaks.

Recovery Time Objective (RTO): the maximum amount of time that a process or service is allowed to be down with the consequences still considered acceptable.

Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during BIA creation.

Recovery Point Objective (RPO): similar to RTO, but it defines the point in time to which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO is to the time of the crash, the more expensive it is to achieve.

Risk Response

Risk Avoidance: identifying a risk and making the decision not to engage any longer in the actions associated with that risk.

For example, a company may decide that many risks are associated with email attachments and choose to forbid any email attachments from entering the network.

Another example: if you believe that a server in your company needs to be replaced but cannot replace it because money must be saved, you can avoid the risk by moving its services and load to another server.

Risk Transference: sharing some of the burden of the risk with someone else, such as an insurance company.

A typical policy would pay you a cash amount if all of the steps were in place to reduce risk and your system was still harmed.
In the server example above, you could transfer the risk by submitting your findings to your boss, making the decision (and its consequences) theirs.

Risk Mitigation: taking steps to reduce risks. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on.

Risk Deterrence: putting systems and policies in place to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated, such as an IDS or security cameras.

Risk Acceptance: acknowledging that the possibility exists and choosing to live with it. A risk cannot be accepted while the administrator or manager is unaware of it; it has to be identified and its potential cost or damage understood first, and documenting it this way also provides memorable examples that help others understand the risk.

Risk transference, mitigation, avoidance, and deterrence are all proactive solutions that require planning and implementation ahead of time. Risk acceptance, on the other hand, merely adopts a “do nothing” approach.

Awareness Training Suggestions:

  • Keep security messages fresh and in circulation.
  • Target new employees and current staff members.
  • Set goals to ensure that a high percentage of the staff is trained on security best practices.
  • Repeat the information to raise awareness.
