Risk Management - Introduction to Network Security - Lecture Slides, Slides of Network security

The main concepts studied in Introduction to Network Security and the list of important points in these slides are given as: Risk Management, Risk Controls, Control Categories, Cost-Benefit Analysis, Risk Control Methods, Avoidance, Transference, Mitigation, Acceptance, Evaluation

Typology: Slides

2012/2013

Uploaded on 04/22/2013

sathaye


1

Risk Management

2

Risk Management

  • Risk controls
  • Control categories
  • Cost-benefit analysis
  • Risk control methods

4

Risk Controls

  • Avoidance refers to either reducing or eliminating threats posed by identified vulnerabilities

  • Methods available are:
    • Apply policy already in place
    • Provide training to key personnel
    • Educate all involved about the vulnerability
    • Implement security controls

5

Risk Controls

  • Transference refers to shifting the risk to other entities of the organization
  • Example: When the inventory system is under attack, move the inventory update process to another server where the partners have access to update. Using additional validation techniques, the data is then transferred to the main server connected to the sales terminals.

7

Risk Controls

  • Disaster recovery plan involves:
    • Procedures for recovering lost data
    • Procedures for resumption of service
    • Take systems offline to assess damage and protect data
  • Business continuity plan involves:
    • Procedures to activate the backup site (hot, warm, or cold)
    • Procedures for resumption of telecommunication among the key personnel

8

Risk Controls

  • Acceptance involves:
    • Knowing the level of risk assumed from an attack
    • Estimating the potential loss
    • Performing a cost-benefit analysis
    • Evaluating the controls in place
    • Accepting the risk when the cost required to protect an asset is not justified by the damage an attack would cause

10

Control Categories

  • Control function
    • Preventive (policy change, access control)
    • Detective (IDS, audit trail)
  • Architectural control
    • Connection between internal and external networks
    • Access to extranets
    • Use of DMZs
    • Allowed applications

11

Control Categories

  • Information Security control involves:
    • Confidentiality
    • Integrity
    • Availability
    • Authentication
    • Authorization
    • Accountability
    • Privacy

13

Cost-Benefit Analysis

  • Benefit is the value to the organization coming from the security system
  • Value could be intrinsic or acquired due to the security provided to information
  • Value could also be calculated by the cost of replacing the information system in place
  • Value to owners
  • Value to competitors
  • Loss of productivity
  • Loss of revenue

14

Cost-Benefit Analysis

  • Single loss expectancy (SLE) is the loss from a single attack
  • SLE = AV * EF where AV denotes asset value and EF denotes exposure factor
  • Annual Loss Expectancy (ALE) is the loss expected from all threats during one year
  • ALE = SLE * ARO where ARO denotes annual rate of occurrence (i.e. the number of times a particular type of loss is likely to occur in one year)

16

Cost-Benefit Analysis

  • CBA = ALE(pre-control) - ALE(post-control) - ACS, where CBA is the cost-benefit analysis amount and ACS is the annual cost to safeguard
  • In calculating CBA the organization should view security as an investment and not as an expense
  • ROI should not be the only factor in evaluating security investments
  • Many of the security investment benefits are intangible, such as goodwill generated due to the reliability of the operational system
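The SLE, ALE and CBA formulas from the last two slides carried through on a constructed scenario, as an added example that is not part of the original slides. The asset values, exposure factors, rates of occurrence and safeguard names are assumptions chosen to illustrate the calculation; a negative CBA for every option is the risk-acceptance case described earlier.

```python
from dataclasses import dataclass
from typing import List, Optional


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV * EF (EF = fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE * ARO (ARO = expected incidents per year)."""
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float       # annual cost to safeguard (ACS)
    ef_post: float   # exposure factor once the control is in place
    aro_post: float  # annual rate of occurrence once the control is in place


def cba(asset_value: float, ef_pre: float, aro_pre: float, sg: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS. Intangible benefits are not modelled."""
    return ale(asset_value, ef_pre, aro_pre) - ale(asset_value, sg.ef_post, sg.aro_post) - sg.acs


def recommend(asset_value: float, ef_pre: float, aro_pre: float,
              safeguards: List[Safeguard]) -> Optional[Safeguard]:
    """Safeguard with the highest positive CBA, or None when every option costs more
    than the loss it avoids (the slides' risk-acceptance case)."""
    best = max(safeguards, key=lambda sg: cba(asset_value, ef_pre, aro_pre, sg), default=None)
    if best is None or cba(asset_value, ef_pre, aro_pre, best) <= 0:
        return None
    return best


# Constructed scenario (assumed numbers): an inventory server worth 200k, hit twice a year,
# each incident destroying 25% of its value, so SLE = 50k and ALE(pre-control) = 100k.
AV, EF_PRE, ARO_PRE = 200_000.0, 0.25, 2.0
OPTIONS = [
    Safeguard("input validation + failover server", acs=30_000, ef_post=0.25, aro_post=0.5),
    Safeguard("managed monitoring contract", acs=90_000, ef_post=0.05, aro_post=0.5),
    Safeguard("full rebuild + 24x7 staffing", acs=120_000, ef_post=0.0, aro_post=0.0),
]

if __name__ == "__main__":
    print(f"ALE pre-control: {ale(AV, EF_PRE, ARO_PRE):,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:36} CBA = {cba(AV, EF_PRE, ARO_PRE, sg):>10,.0f}")
    choice = recommend(AV, EF_PRE, ARO_PRE, OPTIONS)
    print("recommend:", choice.name if choice else "accept the risk")
```

The cheapest option wins here even though the most expensive one drives ALE to zero, which is the slides' point that the safeguard's annual cost, not just the residual loss, decides the outcome.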

17

Risk control methods

  • A qualitative measure could be a scale of 1 to 10 for assessing the value of the information that needs to be protected. This usually refers to a single individual developing the ranking.
  • The Delphi technique is also a qualitative method, except that the qualitative value is averaged out from a group of people giving their rankings rather than an individual providing the ranking
  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method developed by CERT is another tool available for risk valuation