Risk management
is a concept that has been around as long as companies have had assets to protect. The simplest example may be insurance. Life, health, auto, and other insurance are all designed to help a person protect against losses.
Characterize the System (Process, Function, or Application)
This should include asking the following questions:
What is it?
What kind of data does it use?
Who is the vendor?
Who uses the system?
What are the internal and external interfaces that may be present?
What is the data flow?
Where does the information go?
Identify Threats
Some basic threats are going to be in every risk assessment; however, depending on the system, additional threats could be included.
Unauthorized access (malicious or accidental)
This could be from a direct hacking attack/compromise, malware infection, or internal threat.
Misuse of information (or privilege) by an authorized user
This could be the result of unapproved use of data or changes made without approval.
Data leakage or unintentional exposure of information
This includes permitting the use of unencrypted USB and/or CD-ROM without restriction, deficient paper retention and destruction practices, transmitting Non-Public Personal Information (NPPI) over unsecured channels, or accidentally sending sensitive information to the wrong recipient.
Loss of data
This can be the result of poor replication and backup processes.
Determine Inherent Risk and Impact
This step is done without considering the control environment. Based on how the system has been characterized, determine the impact on the organization if the threat were exercised.
High – The impact could be substantial.
Medium – The impact would be damaging but recoverable, and/or would be inconvenient.
Low – The impact would be minimal or non-existent.
Analyze the Control Environment
Look at several categories of information to assess the control environment adequately. Ultimately, threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats need to be identified.
Satisfactory – meets control objective criteria, policy, or regulatory requirement
Satisfactory with Recommendations – meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation
Needs Improvement – partially meets control objective criteria, policy, or regulatory requirement
Inadequate – does not meet control objective criteria, policy, or regulatory requirements.
Determine a Likelihood Rating
The likelihood of the given exploit must be determined while taking into account the control environment that an organization has in place.
High – The threat-source is highly motivated and sufficiently capable, and the controls to prevent the vulnerability from being exercised are ineffective.
Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low – The threat-source lacks motivation or capability, or the controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Calculate the Risk Rating
Even though a great deal of information and work goes into determining the risk rating, it all comes down to a simple equation:
Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Risk Rating
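The six steps above carried through for one system, as an added example that is not part of the original page. The numeric scale behind the High/Medium/Low arithmetic is NIST SP 800-30's risk-level matrix (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; a product above 50 is High, above 10 is Medium, otherwise Low). The mapping from the control-environment rating to a likelihood rating, and the system, threats and control ratings themselves, are constructed assumptions for the walkthrough.

```python
# Added example (not from the original page): scoring the threats of one
# characterized system with the steps described above.

# NIST SP 800-30 risk-level matrix values.
LIKELIHOOD_SCALE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCALE = {"High": 100, "Medium": 50, "Low": 10}

# Assumed mapping from the control-environment rating (step 4) to the
# likelihood rating (step 5) when the threat source is motivated and capable:
# controls that meet the objective impede the exploit, partial controls only
# may impede it, and inadequate controls leave the vulnerability exposed.
CONTROL_TO_LIKELIHOOD = {
    "Satisfactory": "Low",
    "Satisfactory with Recommendations": "Low",
    "Needs Improvement": "Medium",
    "Inadequate": "High",
}


def likelihood_rating(threat_source_capable: bool, control_rating: str) -> str:
    """Step 5: likelihood of exploit in the assessed control environment."""
    if not threat_source_capable:
        # A threat source lacking motivation or capability is Low regardless of controls.
        return "Low"
    return CONTROL_TO_LIKELIHOOD[control_rating]


def risk_score(impact: str, likelihood: str) -> float:
    """Step 6 arithmetic: Impact * Likelihood on the NIST scale."""
    return IMPACT_SCALE[impact] * LIKELIHOOD_SCALE[likelihood]


def risk_rating(impact: str, likelihood: str) -> str:
    """Step 6: collapse the score back to High / Medium / Low."""
    score = risk_score(impact, likelihood)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Steps 1-4 as constructed sample input: the system, the threats from the
# list above, the inherent impact of each, whether a capable threat source
# exists, and the rating of the controls that address the threat.
SYSTEM = {
    "name": "Customer loan portal",          # constructed
    "data": "NPPI",
    "vendor": "in-house",
    "users": ["loan officers", "customers"],
    "threats": [
        # (threat, inherent impact, capable threat source, control rating)
        ("Unauthorized access", "High", True, "Needs Improvement"),
        ("Misuse of privilege by an authorized user", "Medium", True, "Satisfactory"),
        ("Data leakage via unencrypted USB", "High", True, "Inadequate"),
        ("Loss of data", "Medium", True, "Satisfactory with Recommendations"),
    ],
}


def assess(system: dict) -> dict:
    """Run steps 5 and 6 for every threat; returns {threat: risk rating}."""
    results = {}
    for threat, impact, capable, control in system["threats"]:
        likelihood = likelihood_rating(capable, control)
        results[threat] = risk_rating(impact, likelihood)
    return results


if __name__ == "__main__":
    for threat, rating in assess(SYSTEM).items():
        print(f"{rating:6s}  {threat}")
```

Note the matrix's edge: a High-impact threat with a Medium likelihood scores exactly 50 and lands in Medium, so an assessor who wants "High impact, any plausible likelihood" to stay High has to say so explicitly rather than rely on the product.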
Strategic risk
is related to adverse business decisions or the failure to implement appropriate business decisions in a manner that is consistent with the institution's strategic goals.
Reputational risk
is related to negative public opinion.
Operational risk
is related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
Transactional risk
is related to problems with service or product delivery.
Compliance risk
is related to violations of laws, rules, or regulations, or noncompliance with internal policies or procedures or business standards.
Monitoring of Cyber Risk Management
The monitoring program of the future is focused on cyber risks to the business.
Alignment
Aligning the whole organization, horizontally and vertically, around its top cyber risks.
Data
Data collected to support business event detection rather than technology event detection.
Analytics
Analytics that move from an indicator-driven approach to a pattern-detection approach.
Talent
A talent model that enables the evolution from reactive to proactive action.
Security incident management
is the process of identifying, managing, recording, and analyzing security threats or incidents in real-time. It seeks to give a robust and comprehensive view of any security issues within an IT infrastructure.
Incident Documentation/Report
It is the process of documenting all workplace injuries, near misses, and accidents. This should be completed at the time an incident occurs no matter how minor the incident. It is also a tool that documents any event that may or may not have caused injuries to a person or damage to a company asset and is used to capture injuries and accidents, near misses, property and equipment damage, health and safety issues, security breaches and workplace misconduct.
Backup and recovery
A backup is a representative copy of data at a specific time. Recovery usually refers to the transfer of copied files from one (1) location to another, along with the various operations performed on those files.
Netiquette
a combination of the words “network” and “etiquette” and is defined as “a set of rules for acceptable online behavior.”
exists to help people to communicate more effectively while online, as well as to avoid unnecessary misunderstandings and potential conflicts. Similarly, online ethics focuses on the acceptable use of online resources in an online social environment.
firewall
a software program or built-in hardware device with the specific purpose of defending one's home or business against electronic threats by screening the viruses, hackers, and worms that infiltrate the computer through the Internet. It also serves as a gatekeeper between a company's servers and the outside world. It keeps external threats out while alerting the user to more elusive problems by inspecting outgoing data.
AttackIQ FireDrill
This was created to watch the watchers. It is a penetration testing tool but is configured to operate from the inside, with the primary goal of identifying flaws, misconfigurations, and outright shortcomings in all other cybersecurity defenses.
Bitglass
This is essentially an agentless and lightweight platform without any of the over-burdensome complexity or draconian rules that mobile management tools normally require. Bitglass is installed in the cloud, which technically makes it a cloud access security broker.
Fidelis Deception
This software combats hackers by creating realistic living deception assets.
GreatHorn
This takes a modern and highly effective approach to protecting enterprise e-mail that goes well beyond the capabilities of legacy mail scanners.
JASK Autonomous Security Operations Center (ASOC)
This software helps in facilitating the link between the local console and the brains of the platform in the cloud.
SlashNext
This software has taken the adage of doing one (1) thing very well to heart. There are two (2) products available to organizations. The first is a detailed and dedicated phishing threat feed that can be used to block phishing sites as they pop up. The second is an appliance that provides even more protection, which can halt even targeted attacks aimed at a single organization that would not trigger other kinds of alerts.
Authentication
is the process of recognizing a user’s identity. It is the mechanism of associating an incoming request with a set of identifying credentials. The credentials provided are compared to those on a file in a database of the authorized user’s information on a local operating system or within an authentication server.
Passwords
a shared secret known by the user and presented to the server to authenticate the user.
the default authentication mechanism on the Web today.
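What "compared to those on file" should look like on the server side, as an added example that is not from the original page: the password is never stored, only a salted, memory-hard hash of it, and the comparison is done in constant time so that the check does not leak how many bytes matched. The scrypt parameters are an assumption for the example and would be tuned to the server's hardware.

```python
import hashlib
import hmac
import os

# Added example (not from the original page). scrypt cost parameters are an
# assumption: N=2**14, r=8, p=1 uses about 16 MiB per verification.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard key derivation; the same inputs always give the same output."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )


def make_record(password: str) -> dict:
    """What goes 'on file': a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Compare the presented password with the stored record in constant time."""
    candidate = _derive(password, record["salt"])
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # unlike `candidate == record["hash"]`.
    return hmac.compare_digest(candidate, record["hash"])


def records_differ_for_same_password(password: str) -> bool:
    """Two enrollments of one password get different salts, so identical
    passwords across users are not visible in the database."""
    return make_record(password)["hash"] != make_record(password)["hash"]


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")   # constructed
    print(verify("correct horse battery staple", rec))   # True
    print(verify("Correct horse battery staple", rec))   # False
```

Two things the example makes visible: the salt is stored beside the hash (it is not secret, it only has to be unique), and the verifier recomputes the derivation on every attempt, which is the cost that makes offline guessing expensive.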
Hard Tokens
These are small hardware devices that the owner carries to authorize access to a network service. The device may be in the form of a smart card, or it may be embedded in an easily carried object such as a key fob or USB drive.
Soft Tokens
These software-based security token applications typically run on a smartphone and generate a One Time Password (OTP) for signing in.
Biometric Authentication
authentication methods include retina, iris, fingerprint and finger vein scans, facial and voice recognition, and hand or even earlobe geometry.
Contextual Authentication
collects signals like geolocation, IP address, and time of day to help establish assurance that the user is valid.
Contextual
comparing a given signal value to a prescribed list of allowed or prohibited values
Behavioral
comparing a given signal value to the expected value based on a previously established pattern
Correlative
comparing a given signal value to a different collected signal value and looking for inconsistencies in the data.
Device Identification
establishes a fingerprint that is somewhat unique to that device. Over time, this fingerprint allows the authentication server to recognize the device and to detect when the user attempts to authenticate from a different one, which could indicate fraudulent activity.
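The three contextual comparisons (contextual, behavioral, correlative) and the device fingerprint above, applied to a login attempt, as an added example that is not from the original page. The allowed-country list, the user's usual hours, the 1,000 km/h "impossible travel" threshold, and the login records are all constructed sample data; the correlative check is the classic geolocation-versus-time comparison, and the fingerprint is a hash of a few client attributes so a change of device shows up as an unknown hash.

```python
import hashlib
import math

# Added example (not from the original page). All thresholds, the profile,
# and the login records are constructed for the walkthrough.
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def contextual_check(country: str, allowed_countries: set) -> bool:
    """Contextual: the signal value against a prescribed list of allowed values."""
    return country in allowed_countries


def behavioral_check(hour_utc: int, usual_hours_utc: set) -> bool:
    """Behavioral: the signal value against the user's previously established pattern."""
    return hour_utc in usual_hours_utc


def correlative_check(prev: dict, cur: dict, max_speed_kmh: float = 1000.0) -> bool:
    """Correlative: geolocation of this attempt against the time elapsed since the
    previous one; two logins that would require faster-than-airliner travel are inconsistent."""
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]) / 3600.0
    if hours <= 0:
        return distance < 1.0
    return distance / hours <= max_speed_kmh


def device_fingerprint(user_agent: str, accept_language: str, screen: str) -> str:
    """A stable hash of client attributes: somewhat unique, and not a secret."""
    raw = "|".join([user_agent, accept_language, screen])
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:16]


def evaluate_login(profile: dict, prev_login: dict, login: dict) -> list:
    """Return the names of the checks this attempt failed (empty means consistent)."""
    failed = []
    if not contextual_check(login["country"], profile["allowed_countries"]):
        failed.append("contextual")
    if not behavioral_check(login["hour_utc"], profile["usual_hours_utc"]):
        failed.append("behavioral")
    if not correlative_check(prev_login, login):
        failed.append("correlative")
    fp = device_fingerprint(login["user_agent"], login["accept_language"], login["screen"])
    if fp not in profile["known_devices"]:
        failed.append("device")
    return failed


# Constructed user profile: works from the Philippines or the US, during
# Manila office hours (08:00-20:00 local = 00:00-12:00 UTC), on one known laptop.
PROFILE = {
    "allowed_countries": {"PH", "US"},
    "usual_hours_utc": set(range(0, 12)),
    "known_devices": {device_fingerprint("Mozilla/5.0 (Windows NT 10.0)", "en-PH", "1920x1080")},
}
PREV_LOGIN = {"lat": 14.5995, "lon": 120.9842, "ts": 1_700_000_000, "country": "PH"}  # Manila
NORMAL_LOGIN = {  # Quezon City, ten minutes later, same laptop
    "lat": 14.6760, "lon": 121.0437, "ts": 1_700_000_000 + 600, "country": "PH",
    "hour_utc": 3, "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
    "accept_language": "en-PH", "screen": "1920x1080",
}
SUSPECT_LOGIN = {  # New York, one hour after the Manila login, unknown client
    "lat": 40.7128, "lon": -74.0060, "ts": 1_700_000_000 + 3600, "country": "US",
    "hour_utc": 17, "user_agent": "curl/8.0", "accept_language": "en-US", "screen": "",
}

if __name__ == "__main__":
    print(evaluate_login(PROFILE, PREV_LOGIN, NORMAL_LOGIN))   # []
    print(evaluate_login(PROFILE, PREV_LOGIN, SUSPECT_LOGIN))  # ['behavioral', 'correlative', 'device']
```

The suspect attempt passes the contextual check (the US is on the allow-list) and is caught only by the other signals, which is the point of collecting several: each comparison covers a case the others miss. What to do with the failures (step-up to an OTP, deny, alert) is policy that sits outside this example.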