Friday, October 30, 2015

Week 9- "Risk Management: Assessing and Controlling Risk"

Week 9
October 29, 2015
Risk Management: Assessing and Controlling Risk

This week we discussed risk management and risk control strategies.
Let's talk about some security mistakes we make in our everyday work.
· The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
· Leaving unattended computers on
· Opening email from strangers (the "I Love You" virus)
· Poor password selection. A good example is: "I pledge allegiance to the flag" becomes "ipa2tf."
· Laptops have legs. Physical security
· Loose lips sink ships. People talk about passwords
· Plug and Play (technology that enables hardware devices to be installed and configured without protection)
· Unreported security violations
· Behind the times in terms of patches
· Not watching for dangers within your own organization.
So, to keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met via the application of the principles of risk management.
Once the ranked vulnerability risk worksheet is complete, the organization must choose one of four strategies to control each risk:
1. Apply safeguards (avoidance)
Avoidance is accomplished through:
· Application of policy
· Application of training and education
· Countering threats
· Implementation of technical security controls and safeguards
2. Transfer the risk (transference)
This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
3. Reduce impact (mitigation)
Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
This approach includes three types of plans:
i. The disaster recovery plan (DRP),
ii. The incident response plan (IRP), and
iii. The business continuity plan (BCP).
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible.
4. Understand consequences and accept risk (acceptance)
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.
The only valid use of the acceptance strategy occurs when the organization has:
§ Determined the level of risk to the information asset
§ Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
§ Approximated the ARO of the exploit
§ Estimated the potential loss from attacks
§ Performed a thorough cost benefit analysis
§ Evaluated controls using each appropriate type of feasibility
§ Decided that the particular asset did not justify the cost of protection
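A worked quantification of the acceptance checklist above, as an added example that is not part of the original post. It uses the standard loss-expectancy and cost-benefit formulas from Whitman and Mattord (SLE = asset value × exposure factor; ALE = SLE × ARO; CBA = ALE before the control − ALE after the control − annual cost of the safeguard); the asset values, rates and the helper names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskEstimate:
    """The inputs the acceptance checklist requires, for one asset and one threat."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one successful exploit (0..1)
    aro: float              # annualized rate of occurrence (expected exploits per year)

    def sle(self) -> float:
        """Single loss expectancy: the loss from one successful exploitation."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year at this level of control."""
        return self.sle() * self.aro


def cba(before: RiskEstimate, after: RiskEstimate, annual_cost_of_safeguard: float) -> float:
    """Cost-benefit analysis of a safeguard: positive means the control pays for itself."""
    return before.ale() - after.ale() - annual_cost_of_safeguard


def choose_strategy(before: RiskEstimate, after: RiskEstimate, annual_cost_of_safeguard: float) -> str:
    """Return 'control' when the safeguard is worth buying, otherwise 'accept' the risk.

    This is the last checklist item: acceptance is only valid after the ARO,
    the potential loss and the cost-benefit analysis have all been worked out.
    """
    return "control" if cba(before, after, annual_cost_of_safeguard) > 0 else "accept"


# Constructed scenario: a $20,000 laptop with sensitive data, lost or stolen once
# every four years (ARO 0.25). Without a safeguard half the asset value is lost;
# with full-disk encryption (hypothetical control) only the hardware share is lost.
LAPTOP_BEFORE = RiskEstimate(asset_value=20_000, exposure_factor=0.5, aro=0.25)
LAPTOP_AFTER = RiskEstimate(asset_value=20_000, exposure_factor=0.125, aro=0.25)

if __name__ == "__main__":
    for yearly_cost in (500, 2_000):
        print(f"ALE before={LAPTOP_BEFORE.ale():.0f} after={LAPTOP_AFTER.ale():.0f} "
              f"safeguard={yearly_cost} CBA={cba(LAPTOP_BEFORE, LAPTOP_AFTER, yearly_cost):.0f} "
              f"-> {choose_strategy(LAPTOP_BEFORE, LAPTOP_AFTER, yearly_cost)}")
```

The same safeguard is worth buying at $500 per year but not at $2,000 per year, which is exactly the decision the acceptance strategy asks the organization to justify with numbers rather than intuition.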
Some rules of thumb on strategy selection are:
§ When a vulnerability exists: Implement security controls to reduce the likelihood of the vulnerability being exercised.
§ When a vulnerability can be exploited: Apply layered controls to minimize the risk or prevent occurrence.
§ When the attacker's potential gain is greater than the cost of attack: Apply protections to increase the attacker's cost, or reduce the attacker's gain, using technical or managerial controls.
§ When potential loss is substantial: Apply design controls to limit the extent of the attack, thereby reducing the potential for loss.

References:

Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Published by Cengage Learning, Fourth Edition

Sunday, October 25, 2015

Week-8, “Guide for Conducting Risk Assessments”

Week 8
October 25, 2015
NIST SP 800-30 Rev.1 “Guide for Conducting Risk Assessments”
As technology advances and the Internet becomes easily accessible everywhere, increasingly complex and sophisticated threats are becoming imminent as well. Therefore, risk assessments are an essential tool for any organization as part of a comprehensive risk management program.
Risk assessments help organizations determine the most appropriate risk response to ongoing cyber attacks or to the threat of disaster (man-made or natural). They guide investment strategies and decisions toward the most effective cyber defenses to help protect organizational operations, assets, individuals, and other organizations. Risk assessments also help maintain ongoing situational awareness of the security state of organizational information systems and the environments in which those systems operate.
This updated National Institute of Standards and Technology Special Publication (NIST SP) 800-30 focuses exclusively on risk assessment, one of the four steps in the risk management process. The risk assessment guidance has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining Information Security (InfoSec) risk, including threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood. The three-step process described in this publication includes key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
Along with the comprehensive approach to assessing an organization's InfoSec risk, SP 800-30 provides specific guidelines describing how to apply the process at the three tiers of the risk management hierarchy: the organization level, the business process level, and the information system level. It also provides a framework for individuals or groups to conduct risk assessments within organizations, along with a set of exemplary templates, tables, and assessment scales, giving maximum flexibility in designing risk assessments based on the organization's established purpose, scope, assumptions, and constraints.

References:
NIST SP 800-30 Rev.1, "Guide for Conducting Risk Assessments", Published on NIST.gov in September 2012. Retrieved from: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf


Sunday, October 18, 2015

Week 7 Post- Why you should adopt the NIST Cybersecurity Framework?

Week 7

October 18, 2015

Why you should adopt the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework comprises best practices from various standards bodies that are proven and successful when implemented, and it also may deliver a regulatory and legal advantage that extends well beyond improved cybersecurity for organizations that adopt it early.
The framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.  It comprises three primary components: Profile, Implementation Tiers, and Core.
For most organizations, whether they are owners, operators, or suppliers of critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. An organization that adopts the Framework at the highest possible risk-tolerance level may be better positioned to comply with future cybersecurity and privacy regulations.
It is impossible to include every aspect of cybersecurity in one practice framework, but NIST provides comprehensive, prescriptive guidelines for entities across industries. Although the framework offers worthwhile standards for improving cybersecurity, it does not fully address several critical areas.
The NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. Organizations across industries may gain significant benefits by adopting the guidelines at the highest risk-tolerance level their investment capital allows.
Although adopting the NIST Cybersecurity Framework has many benefits, implementation may involve certain challenges. Critical infrastructure owners and providers may find it difficult to assess their Implementation Tier, which demands a holistic view of the entire ecosystem and the ability to be truly objective.

References:

· NIST 2014, "Framework for Improving Critical Infrastructure Cybersecurity", Published on NIST.gov on February 12, 2014. Retrieved from: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

· PWC 2014, "Why you should adopt the NIST Cybersecurity Framework", Published on PWC.com in May 2014. Retrieved from: https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf

Sunday, October 11, 2015

Week 6 - How to secure your email communication?

Week 6

October 10, 2015

How to secure your email communication?
Communication is important to any organization, and email is more popular than ever. Nowadays, using email as the main tool to communicate with all individuals related to your organization brings benefits in many ways. There is no doubt, however, that for an Internet-based organization email also brings several threats that most employees are not even aware of. So there is always a need for training and awareness regarding how to use email, what to access and what not to, and how to find out whether an email is trustworthy.
Here are some common issues and considerations for using email securely and being cautious of the threats that come along with the development of technology.
1. The organization should implement an acceptable use policy for email communication that all employees must comply with. This kind of policy helps the organization protect both employees and the business. The policy should provide the necessary measures to monitor email communication on a regular basis.
2. All email should be encrypted, which helps protect the organization's information systems, security, and assets. When sending sensitive information via email, it is necessary to use commonly used methods of email encryption such as PGP and S/MIME.
3. Take the necessary care when sending or replying to email. Responding with the "reply all" function could send your classified information to unrelated persons, so it is important to check recipients carefully and remove unwanted recipients from your email before sending sensitive information.
4. Keep your software up to date to avoid malware and other unnecessary threats that could expose sensitive information or leave you vulnerable.
5. Always use security software to prevent the spread of malware and to avoid falling victim to phishing attacks. It is necessary to use trusted security software approved by your organization, keep it up to date for malware prevention, and run a securely configured firewall.
6. Avoid email from unknown users and untrusted email content. Do not click any linked websites or attachments in such email. Malicious emails often contain attachments that carry malware, or malware hidden inside attached PDF and zip files. Always perform a security scan of your mail before opening any content.
7. Always disable automatic content downloads, because those downloads could open the door for hackers to access your system and your organization's sensitive information.
8. Always use a unique and strong password for your email to prevent an attacker from accessing your email account and the sensitive information stored in or linked to your system. Always use an algorithmic pattern to create the password, use at least 8 characters, and include numbers and special characters.
9. Always log out of your system after checking or sending email. This provides a security measure against unauthorized users accessing the system.
10. Filter your email and delete or archive old email or email that is no longer in use.
There is no doubt that every organization has its own set of policies and guidelines for using email securely and protecting sensitive information from disaster. And always keep a close eye on the security software and make sure all software has the latest updates.

References:


PJ 2009, "Secure Email Communication and Use", Published on MindfulSecurity.com. Retrieved from: http://mindfulsecurity.com/2009/11/06/secure-email-communication-and-use/

Sunday, October 4, 2015

Information Security Policy

Week 5

October 4, 2015

Information Security Policy

An Information Security Policy (ISP) is designed to safeguard the confidentiality, integrity, and availability of all physical and electronic assets of the organization and to ensure that regulatory, operational, and contractual requirements are fulfilled. The ISP should outline the overall goals of an organization, such as: compliance with laws, regulations, and guidelines; meeting the confidentiality, integrity, and availability requirements of the organization's employees and other users; establishing the necessary controls to protect information and information systems against theft, abuse, and other forms of harm and loss; and motivating employees to take responsibility for, and ownership of, knowledge about information security, in order to reduce the risk of security incidents. (Whitman and Mattord)
The ISP should address the current business strategy and the framework for risk management, and provide guidelines for identifying, assessing, evaluating, and controlling information-related risks through establishing and maintaining the ISP. To keep operations secure even after incidents, it should also ensure the availability of continuity plans, backup procedures, defenses against damaging code and malicious activity, system and information access control, and incident management and reporting.
One example of an ISP approach is the bull's-eye model. This is a proven mechanism for prioritizing complex changes, and it is widely accepted among InfoSec practitioners. The model focuses on systematic solutions where issues are addressed by moving from the general to the specific. (Whitman and Mattord)
It is necessary that policy directly address how issues should be handled and how technologies should be used, rather than specifying the proper operation of equipment or software. The ISP should also outline the consequences of unacceptable behavior.
For an organization to have a complete ISP, management has to define an Enterprise Information Security Policy (EISP), Issue-Specific Security Policies (ISSP), and System-Specific Security Policies (SysSP), which are based on NIST SP 800-14, published in 1996. While developing these policies, the organization first has to create the EISP, which is the highest level of policy, and then the general security policy needs are met by developing the ISSP and SysSP policies. (Whitman and Mattord)
NIST SP 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", describes best practices and information on commonly accepted information security principles that can be used to develop a security blueprint. It describes principles that should be integrated into the information security process. The more significant points made in SP 800-14 are:
· Security supports the mission of the organization
· Security is an integral element of sound management
· Security should be cost-effective
· Systems owners have security responsibilities outside their own organizations
· Security responsibilities and accountability should be made explicit
· Security requires a comprehensive and integrated approach
· Security should be periodically reassessed
· Security is constrained by societal factors
In fact, policy drives the performance of personnel in ways that enhance the InfoSec of an organization's information assets. Although InfoSec policies are the least expensive means of control, they are often the most difficult to implement.

References:

Michael E. Whitman and Herbert J. Mattord, "Management of Information Security", Published by Cengage Learning, Fourth Ed