Lewis University
Information Security Practicum
Step-by-Step Risk Analysis and Management for
Digital Zone Corporation
Spring 2013
Student’s name: Yaser Aljohani
Instructor’s name: Dr. Faisal Abdullah
Introduction to Risk Analysis and Management
• Risk analysis and management is an essential part of any
organization that wants a secure computing environment.
• It helps organizations improve their defenses against the
threats and risks that could harm their sensitive
information, assets, and business.
Digital Zone Corporation
• A company that provides computer and digital services
• It offers its customers IT services such as computer repair,
computer upgrades, wireless/wired network setup for homes
or businesses, troubleshooting, and web site development.
• To provide these services, it collects customer information
such as first name, last name, phone number, home address,
and email address, and stores it in its systems.
Goals and objectives
• Asset inventory and valuation: servers, computers,
networks, and so on
• Using risk assessment tools and security checklists
• Finding all vulnerabilities
• Finding all threats
• Finding all risks
Goals and objectives Cont.
• Finding the top 5 risks
• Finding mitigations or remedies for the risks, with
suggestions and recommendations
• Establishing an Information Risk Management (IRM) policy
• Establishing a security awareness program for both
employees and customers
• Establishing insurance and a contingency (recovery) plan
What is Risk Analysis?
• Risk analysis is the process of identifying and analyzing
the dangers posed to businesses, individuals, and government
agencies by potential natural and human-caused adverse
events.
• In IT, a risk analysis report can be used to align the
company's business objectives with its technology-related
objectives.
• A risk analysis can be either qualitative or quantitative.
What is the difference between Risk analysis
and Risk management?
• Risk analysis consists of identifying and assessing levels of
risk, estimated from the known values of assets, the
vulnerabilities of those assets, and the levels of threat.
• Risk management consists of identifying, selecting, and
adopting countermeasures that are justified by the identified
risks to assets, and reducing those risks to an acceptable
level.
Why and when do we use it?
• We use risk analysis because it helps us understand risk,
so that we can manage it and minimize its disruption.
• We use risk analysis when planning projects, improving
safety and managing potential risks in the workplace,
preparing for events such as theft, equipment or technology
failure, or natural disasters, and when planning changes
to our environment.
Where and how do we use it?
• Risk analysis can be used anywhere there are assets such as
computers, servers, networks, and sensitive information.
• It considers several components: assets, threats,
vulnerabilities, likelihoods, impacts, and safeguards.
How to Calculate the Risk?
• There are two kinds of risk assessment: quantitative and qualitative.
• Quantitative risk assessment draws on methodologies used by financial institutions and insurance companies and is considered the standard way of measuring risk in many fields. It expresses loss in money: the single loss expectancy (SLE) is the asset value multiplied by the exposure factor, and the annualized loss expectancy (ALE) is the SLE multiplied by the annualized rate of occurrence (ARO).
• Qualitative risk assessment assumes that there is already a great deal of uncertainty in the likelihood and impact values, so it defines them, and therefore the risk, in subjective terms, giving results of "High", "Moderate", and "Low".
Steps for Risk analysis and management
1. Systems inventory: identify all assets that support
critical business processes.
2. Threat analysis: identify the potential threats to the
critical systems.
3. Infrastructure vulnerability assessment: identify
technology vulnerabilities that could be exploited.
Steps for Risk analysis and management
Cont.
4. Develop security control suggestions: link the risk
management strategy recommendations to the results of
the assessment.
5. Decision: act or accept (the risk management decision).
6. Monitoring and communication: management and user
support are essential for the controls to be implemented
successfully.
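The six steps above, together with the SLE/ALE arithmetic from the "How to Calculate the Risk?" slide, carried through in code. This is an added example, not material from the practicum: the assets, dollar values, likelihood ratings, control costs and the 3x3 High/Moderate/Low matrix are constructed for a small IT services shop like Digital Zone, and the rule "act when the control pays for itself or the risk is High" is an assumed policy, not one the slides state.

```python
"""Risk register walking through the six-step procedure (added example).

SLE = AV x EF and ALE = SLE x ARO are the standard quantitative formulas; the
assets, values, likelihoods and control costs below are constructed for
illustration and are not figures from the Digital Zone assessment.
"""
from __future__ import annotations

from dataclasses import dataclass


def qualitative_level(likelihood: int, impact: int) -> str:
    """Map 1..3 likelihood and 1..3 impact ratings to High / Moderate / Low.

    The 3x3 matrix and its cut-offs (>= 6 High, >= 3 Moderate) are an
    assumption of this example; an organization sets its own bands in
    its IRM policy.
    """
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


@dataclass
class Risk:
    asset: str               # step 1: systems inventory
    threat: str              # step 2: threat analysis
    vulnerability: str       # step 3: vulnerability assessment
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    aro: float               # ARO, expected incidents per year
    likelihood: int          # 1..3 qualitative rating
    impact: int              # 1..3 qualitative rating
    safeguard: str           # step 4: suggested control
    safeguard_cost: float    # annual cost of the control
    aro_after: float         # ARO expected once the control is in place

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self, aro: float | None = None) -> float:
        """Annualized loss expectancy: SLE x ARO (optionally with another ARO)."""
        return self.sle() * (self.aro if aro is None else aro)

    def level(self) -> str:
        return qualitative_level(self.likelihood, self.impact)

    def safeguard_value(self) -> float:
        """Cost/benefit of the control: ALE reduction minus its annual cost."""
        return self.ale() - self.ale(self.aro_after) - self.safeguard_cost

    def decision(self) -> str:
        """Step 5: 'act' when the control pays for itself or the risk rates High,
        otherwise 'accept'. Acting on every High risk regardless of cost is the
        policy assumed here."""
        if self.safeguard_value() > 0 or self.level() == "High":
            return "act"
        return "accept"


# Constructed register for a small IT services shop that holds customer PII.
REGISTER = [
    Risk("Customer database server", "Malware steals customer PII", "Unpatched server OS",
         50_000, 0.6, 0.5, 3, 3, "Patch management and endpoint protection", 3_000, 0.1),
    Risk("Company web site", "Web server compromise or defacement", "Outdated web application",
         20_000, 0.5, 1.0, 3, 2, "Application updates and web application firewall", 2_000, 0.2),
    Risk("Office workstations", "Fire in the office", "No fire suppression",
         15_000, 1.0, 0.02, 1, 3, "Fire suppression and insurance", 1_500, 0.01),
    Risk("Wireless network", "Eavesdropping on customer data", "Weak Wi-Fi encryption",
         8_000, 0.4, 0.5, 2, 2, "WPA2-Enterprise with per-user credentials", 500, 0.05),
    Risk("Off-site backups", "Loss of backup media", "Unencrypted backup tapes",
         50_000, 0.3, 0.1, 1, 3, "Encrypt backups before they leave the site", 400, 0.01),
    Risk("Staff accounts", "Password guessing", "Weak password policy",
         10_000, 0.5, 0.3, 2, 2, "Password policy with account lockout", 200, 0.05),
]


def top_risks(register: list[Risk], n: int = 5) -> list[Risk]:
    """Rank by ALE, highest first; the first n are the 'top risks' the goals ask for."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)[:n]


def report(register: list[Risk]) -> list[dict]:
    """One row per top risk, ready for step 6 (communicating results to management)."""
    return [
        {"asset": r.asset, "threat": r.threat, "level": r.level(),
         "sle": round(r.sle(), 2), "ale": round(r.ale(), 2),
         "safeguard": r.safeguard, "safeguard_value": round(r.safeguard_value(), 2),
         "decision": r.decision()}
        for r in top_risks(register)
    ]


if __name__ == "__main__":
    for row in report(REGISTER):
        print(f"{row['level']:<8} ALE ${row['ale']:>9,.0f}  {row['decision']:<6} "
              f"{row['asset']} / {row['threat']}")
```

The fire risk is the instructive row: its ALE of $300 is far below the $1,500 a year the control would cost, so the quantitative test says "accept" even though the impact rating is high, which is exactly the kind of trade-off the act-or-accept step exists to make explicit.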
Risk, Threats, and Vulnerabilities
• Risk is the possible damage that could result from some current or future process or event.
• A threat is any act or event that could lead to tampering, damage, or denial of service.
• Examples of threats: floods, fire, other natural disasters, heat, freezing, man-made threats, and malware (viruses, worms, Trojans, and spyware).
• A vulnerability is any weakness or flaw in a system's design, security procedures, internal controls, or implementation that could be exploited, resulting in a violation of the system's security policy or a security breach.
Threat elements
Three critical elements of a threat:
1. Threat profile: which threats and risks could affect the
asset?
2. Threat probability: how likely is the threat to occur?
3. Threat consequence: what effect or impact would the loss of
the asset have on the organization's operations or its
employees?
The Information Risk Management
(IRM) policy
• It explains the role of security and the acceptable level of
risk.
• It should address the following:
• the IRM team's objectives
• what is considered an acceptable risk
• the formal processes of risk identification
The Information Risk Management
(IRM) policy Cont.
• the connection between the organization's strategic planning processes and the IRM policy
• roles and responsibilities
• mapping of risks to internal controls
• mapping of risks to budgets and performance objectives
• key indicators to monitor the effectiveness of controls
• the approach that would change resource allocation and staff behavior in response to risk assessment
Security Checklists
• Security checklists exist for many different components: networks, computers, servers, switches, firewalls, routers, copiers, workstations, scanners, and so on.
• Each checklist provides recommendations that help security specialists find the vulnerabilities and threats that could affect that component.
• Applying the recommended settings reduces and mitigates the risks that could result from those threats.
Contingency plan
1. Disaster recovery plan: covers recovery that takes place on-site, at the primary location (long-term service interruption).
2. Incident response plan: covers identifying, responding to, and recovering from an incident (short-term events).
3. Business continuity plan: covers long-term incidents that require the organization to recover at off-site locations (long-term service interruption).
Security Awareness Program
• It helps both employees and customers understand risks,
the consequences of those risks, and how to avoid them.
• It gives guidelines and instructions on many topics, such
as e-mail security, username and password security,
acceptable use of technology, mobile devices, staying safe
and secure online, remote access, the network, and the
handling of sensitive information.
• It reduces the probability that risks materialize.
Cycle of Risk Management
• The U.S. General Accounting Office (GAO, now the Government Accountability Office) has recommended that organizations manage their information security risks through the following cycle of activities:
1. Conducting risk assessments for all their systems
2. Establishing information security policies and procedures that are commensurate with risk and that comprehensively address significant threats
3. Providing sufficient computer security training to their employees
Cycle of Risk Management Cont.
4. Testing and evaluating controls as part of their
management assessments
5. Implementing documented incident handling procedures
6. Identifying and prioritizing their critical operations and
assets, and determining the priority for restoring those
assets should a disruption in critical operations occur
Advantages of Risk Analysis
and Management
• It builds a strong IT infrastructure in the organization.
• It increases trust between the organization and its
customers.
• It builds good communication among management, the IT
department, and end users.
• Customers receive a good quality of service.
• It helps protect the organization's profits by avoiding losses from incidents.
• The organization will have an Information Risk Management (IRM)
policy, a security awareness program, and a contingency plan.
Security Assessment Methodologies and
tools
• Nessus
• SAINT
• OCTAVE
• FRAP
• Practical Threat Analysis (PTA)
• SARA
• NIST
• COBRA
• Microsoft Baseline Security Analyzer
• RiskWatch
• Whisker
PTA - Assets
PTA - Vulnerabilities
PTA - Threats
PTA - Countermeasures
PTA - Results
Nessus
Nessus - Scan list
Nessus - Vulnerabilities summary
Nessus - Host summary
Nessus - Filter options
Nessus - Results after filters
Nessus - Description of a vulnerability
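Nessus can export a scan as a .nessus (v2) XML file, and the views in the Nessus slides above (the vulnerability list, the per-host summary, the severity filter, the finding description) can be reproduced from that file. The following is an added example, not code from the practicum or from Tenable: the two-host report embedded in it is constructed, and its plugin IDs and finding names are invented.

```python
"""Summarize a Nessus .nessus (v2) export the way the Nessus slides do (added example).

SAMPLE_NESSUS is a constructed two-host report in the NessusClientData_v2
layout; hosts, plugin IDs and findings are invented for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity codes as used in the ReportItem 'severity' attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="Digital Zone internal scan (constructed)">
    <ReportHost name="192.168.1.10">
      <HostProperties>
        <tag name="host-ip">192.168.1.10</tag>
        <tag name="operating-system">Microsoft Windows Server 2008 R2</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
          pluginID="100001" pluginName="File sharing service missing security update (constructed)"
          pluginFamily="Windows">
        <description>Constructed: the SMB service is missing a security update.</description>
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2"
          pluginID="100002" pluginName="Remote desktop accepts medium encryption (constructed)"
          pluginFamily="Windows">
        <description>Constructed: RDP accepts medium-strength encryption.</description>
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
          pluginID="100003" pluginName="OS identification (constructed)" pluginFamily="General">
        <description>Constructed: remote operating system identified.</description>
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.1.20">
      <HostProperties>
        <tag name="host-ip">192.168.1.20</tag>
        <tag name="operating-system">Linux Kernel 3.2</tag>
      </HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
          pluginID="100004" pluginName="Web server directory traversal (constructed)"
          pluginFamily="Web Servers">
        <description>Constructed: the web server returns files outside the web root.</description>
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
          pluginID="100005" pluginName="SSH server offers weak MAC algorithms (constructed)"
          pluginFamily="Misc.">
        <description>Constructed: weak MAC algorithms are enabled.</description>
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text: str) -> list:
    """Flatten every ReportItem into a dict: the rows behind the 'Vulnerabilities' view.

    xml.etree is fine for a file you produced yourself; for an export from an
    untrusted source use defusedxml.ElementTree, which has the same interface.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            findings.append({
                "host": props.get("host-ip", host.get("name")),
                "os": props.get("operating-system", ""),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "description": (item.findtext("description") or "").strip(),
            })
    return findings


def host_summary(findings: list) -> dict:
    """Per-host count of findings by severity name, like the 'Host summary' slide."""
    summary = {}
    for f in findings:
        summary.setdefault(f["host"], Counter())[SEVERITY_NAMES[f["severity"]]] += 1
    return summary


def filter_findings(findings: list, min_severity: int = 3, host: str = None) -> list:
    """The 'filter options' slide: keep findings at or above a severity, optionally for one host."""
    return [f for f in findings
            if f["severity"] >= min_severity and (host is None or f["host"] == host)]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_NESSUS)
    for ip, counts in host_summary(rows).items():
        print(ip, dict(counts))
    for f in filter_findings(rows):          # High and Critical only
        print(f"{SEVERITY_NAMES[f['severity']]:<8} {f['host']}:{f['port']}  {f['name']}")
```

Filtering on the numeric severity attribute rather than on the risk_factor text is deliberate: the attribute is always present and consistently encoded, while the text varies across plugins.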
Microsoft Baseline Security Analyzer
MBSA - Adjusting scan settings
MBSA - Scanning process
MBSA - Results after scan
Conclusion
• Three critical properties must be considered throughout risk
analysis and management: information confidentiality,
information integrity, and system availability.
Thank you