Module 2:
Risk analysis is a fundamental aspect of cybersecurity. Understanding and effectively managing risks is crucial for safeguarding sensitive data and maintaining the integrity of systems and networks. In this post, we will explore the concept of risk analysis, its importance, and how it plays a vital role in the CompTIA Security+ certification.
Risk Management
The process of identifying risks, analyzing them, developing a response strategy for them and mitigating their future impact.
- Helps prevent or lessen the effects of security incidents.
- Four phases:
  - Assessment
  - Analysis
  - Response
  - Mitigation
Components of Risk Analysis
Determine:
- Vulnerabilities that a threat can exploit.
- The possibility of damage occurring.
- The extent of the potential damage.
Phases
Risk analysis is used to assess the risks, and the damage they could cause, that may affect an organization.
- Asset identification
- Vulnerability identification
- Threat assessment
- Probability quantification
- Impact analysis
- Countermeasure determination
Categories Of Threat Type
Threat Category | Description |
---|---|
Natural | Weather or other uncontrollable events that arise from the activities of nature. |
Man-made | Events that result from individual or collective human activity, whether intentional or unintentional. |
System | Related to any weakness or vulnerability found in a network, service, application or device. |
Risk Analysis Methods
Method | Description |
---|---|
Qualitative | Rates likelihood and impact on descriptive scales (for example low, medium, high) based on expert judgment rather than monetary figures. |
Quantitative | Assigns numeric values to likelihood and impact, typically monetary loss per event (SLE) and an annual rate of occurrence (ARO), so that expected loss can be calculated. |
Semi-quantitative | Assigns numeric scores (for example 1 to 5) to qualitative ratings so that risks can be ranked and compared without full monetary data. |
Risk Calculation
- SLE: The financial loss expected from a single adverse event.
- ALE: The total annual cost of risk to an organization.
- ARO: The number of times per year that a particular loss is expected to occur.
- ALE = SLE x ARO
- Risk calculation depends on both costs of losses and costs of mitigation.
- Vulnerability tables can help document risk calculation factors.
Vulnerability | Identification Source | Risk of Occurrence (1 = Low, 5 = High) | Impact Estimate | Mitigation |
---|---|---|---|---|
Flood Damage | Physical Plant | 5 | $950,000 | Physical Adjustments and Flood Insurance |
Electrical Failure | Physical Plant | 2 | $100,000 | Generator and UPS |
Flu Epidemic | Personnel | 4 | $200,000 | Flu Shots |
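As an added example, not part of the original notes, the register below carries the ALE = SLE x ARO calculation through the three vulnerabilities in the table above and then weighs each mitigation's annual cost against the loss it is expected to prevent. The SLE values are the table's impact estimates; the ARO values, the ARO expected after each control, and the control costs are constructed assumptions for illustration. The cost/benefit figure is the standard one (ALE before the control minus ALE after it minus the control's annual cost), which is not stated on the page.

```python
"""Worked ALE and control cost/benefit calculation over a small risk register.

Added example; the ARO, post-control ARO and control-cost values are constructed
assumptions, not figures from the study notes.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    sle: float            # single loss expectancy: $ lost per occurrence
    aro: float            # annualized rate of occurrence: events per year
    control: str          # proposed mitigation
    control_cost: float   # annual cost of running the control, $ (assumed)
    aro_after: float      # expected ARO once the control is in place (assumed)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy without the control: ALE = SLE x ARO."""
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        """ALE with the control in place (SLE unchanged, ARO reduced)."""
        return self.sle * self.aro_after

    @property
    def control_value(self) -> float:
        """Net annual value of the control: loss prevented minus control cost."""
        return self.ale - self.ale_after - self.control_cost


def build_register() -> List[Risk]:
    """Constructed sample register using the impact estimates from the table."""
    return [
        # Flood: once every ten years on average; barriers plus insurance cut that
        # to roughly once in fifty years.
        Risk("Flood Damage", 950_000, 0.10, "Physical adjustments and flood insurance",
             60_000, 0.02),
        # Electrical failure: about every two years; generator and UPS make it rare.
        Risk("Electrical Failure", 100_000, 0.50, "Generator and UPS", 15_000, 0.05),
        # Flu epidemic: flu shots reduce, but do not eliminate, outbreaks.
        Risk("Flu Epidemic", 200_000, 0.30, "Flu shots", 25_000, 0.20),
    ]


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Names of the risks ordered from highest to lowest annual expected loss."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def recommend(risk: Risk) -> str:
    """Mitigate when the control pays for itself, otherwise accept the risk."""
    return "mitigate" if risk.control_value > 0 else "accept"


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(f"{r.name:<20} ALE ${r.ale:>10,.0f}  ALE after ${r.ale_after:>9,.0f}  "
              f"control value ${r.control_value:>9,.0f}  -> {recommend(r)}")
    print("Priority order:", ", ".join(rank_by_ale(register)))
```

Ranking by ALE gives the order in which to spend analysis effort; the control value decides between the "mitigate" and "accept" responses. A negative control value (the flu-shot line in the constructed data) is the textbook case for accepting a risk: the control costs more per year than the loss it would prevent.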
Risk Response Techniques
Response Technique | Description |
---|---|
Accept | Acknowledge the risk and take no further action, typically because the cost of a control would exceed the expected loss. |
Transfer | Shift the financial impact of the risk to a third party, for example through insurance or outsourcing. |
Avoid | Stop the activity, or remove the asset, that gives rise to the risk. |
Mitigate | Apply controls that reduce the likelihood or the impact of the risk. |
Risk Mitigation and Control Types
Technical Controls: Hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services.
Management Controls: Procedures that are implemented to monitor the adherence to organizational security policies.
Operational Controls: Security measures that are implemented to safeguard all aspects of day-to-day operations, functions and activities.
Loss/Damage Controls: Security measures that are implemented to prevent key assets from being damaged.
Change Management
A systematic way of approving and executing change to assure maximum security and availability of information technology services.
- Changes in hardware, software, infrastructure and documentation can have ripple effects on an organization's security.
- Quantify the costs of training, support, maintenance and implementation.
- Analyze the benefits and complexities of each change.
Analyze | Plan | Implement |
---|---|---|
Need for change | Change roles | Manage transition phase |
Type of change | Change duties | Confirm adoption of change |
Organizational culture | Address resistance | Conduct post-project review |
- A new service pack fixes several security vulnerabilities for a production server.
- The server hosts a custom app that must remain available.
- The change management policy requires formal approval for all service packs.
- The new service pack must be tested on a lab server prior to deployment.
- Test results could indicate that the service pack crashes the custom app.
- The custom app must be revised and retested before the service pack is deployed to the production server.
Guidelines for Analyzing Risk
- Clearly define organizational expectations for security.
- Identify assets requiring protection and determine their values.
- Look for possible vulnerabilities that could adversely affect the organization's security goals.
- Determine possible threats to assets.
- Determine the likelihood of the threats exploiting any vulnerabilities.
- Determine the threat impact.
- Identify the optimal risk analysis method.
- Identify possible countermeasures.
- Clearly document all findings and decisions.
Scenario: Analyzing Risks to the Organization
- Evil-Corp has concerns about the security of the server room.
- The server room holds the employee data server and client data server.
- The server room is on the first floor at main headquarters.
- The room is next to the main lobby, has no windows, and has a numeric keypad for access.
- The room contains employee data server and client data server.
Your job is to conduct a full risk assessment of the server room's physical security.
Business Impact Assessment (BIA)
A systematic activity that identifies organizational risks and determines their impact on ongoing, business-critical operations and processes.
- Do vulnerability assessments and evaluations.
- Determine risks and consequences.
- Cover every aspect of the business.
- Can be part of a business continuity plan (BCP).
- Estimation of tolerable downtime.
- Effect of financial loss.
- Resources needed to restore.
- Probability of reduced efficiency.
- Prioritization of critical processes.
Impact scenarios
Impact | Description |
---|---|
Life | Natural disasters and intentional man-made attacks: severe weather events; seismic events; arson and other fires; terrorist attacks. |
Property | Natural disasters and intentional man-made attacks: severe weather events; seismic events; arson and other fires; terrorist attacks; break-ins; equipment damage. |
Safety | Natural disasters, intentional man-made attacks, and unintentional man-made risks: severe weather events; seismic events; arson; terrorist attacks; excessive employee illnesses or epidemics. |
Finance | Natural disasters, intentional man-made attacks, unintentional man-made risks, and system risks: severe weather events; seismic events; arson and other fires; terrorist attacks; break-ins; theft; equipment damage; file destruction; information disclosure (intentional or inadvertent); user error; social networking and cloud computing; excessive employee illnesses or epidemics; unsecured mobile and networking devices; unstable virtualization environments; email and account-management vulnerabilities. |
Reputation | Man-made risks and system risks: response time for restoration of disrupted services or damaged files; frequent information disclosure; perception of recurring problems; perception of susceptibility; organizational response to risks (price gouging during natural disasters, response time for addressing information disclosure). |
Privacy Assessments
- Privacy Impact Assessment (PIA): a tool for identifying and analyzing risks to privacy during the life cycle of a program.
- Privacy Threshold Assessment (PTA): a document used to determine when a PIA is required.
- Personally Identifiable Information (PII): information that a company uses to identify or contact employees and other individuals.
- A PIA is required for any US agency that collects PII online.
- Other regulations might require PIAs for different organizations.
Critical Systems and Functions
- Mission-essential functions
- Quantitative comparison metrics:
  - MTD: Maximum tolerable downtime
  - MTTF: Mean time to failure
  - MTTR: Mean time to repair/replace
  - MTBF: Mean time between failures
  - RTO: Recovery time objective
  - RPO: Recovery point objective
Maximum Tolerable Downtime
The longest time period that a business outage can occur without causing irrecoverable business failure.
- An MTD is defined for each business process.
- Can range from minutes to hours to days.
- Varies by company and event.
Recovery Point Objective
The longest period of time that an organization can tolerate lost data being unrecoverable.
- Usually expressed in hours
- Helps to determine backup frequency
Recovery Time Objective
The length of time it takes after an event to resume normal business operations and activities.
- RPO plus time spent preparing to resume processing.
- Must be achieved before MTD
Mean Time to Failure
The average time that a device or component is expected to be in operation.
- Measure of reliability for non-repairable devices and components
- MTTF = total hours of operation / number of failures
Mean Time to Repair
The average time it takes for a device or component to recover from failure.
- Less than RPO when the component is relevant to the recovery effort.
- Also referred to as mean time to recover (or replace).
Mean Time Between Failures
The rating on a device or component that predicts the expected time between failures.
- Measure of reliability
- Can indicate a need for redundancy measures.
- MTBF = MTTF + MTTR
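The following is an added example, not part of the original notes, that computes MTTF, MTTR and MTBF for one component from a constructed outage log using the definitions above (MTTF = operating hours / failures, MTBF = MTTF + MTTR), and then checks the results against assumed RTO and MTD values: the RTO must sit inside the MTD, the component's MTTR should fit inside the RTO if it is on the recovery path, and a high expected failure count per year flags a need for redundancy. The outage timestamps, the `max_failures_per_year` threshold and the objective values are all assumptions chosen for illustration.

```python
"""Reliability and recovery metrics from a constructed outage log.

Added example; the outage log, observation window and objective values are
constructed for illustration and are not taken from the study notes.
"""
from datetime import datetime
from typing import Dict, List, Tuple

FMT = "%Y-%m-%d %H:%M"

# Constructed outage log for one component: (failed at, restored at).
OUTAGES: List[Tuple[str, str]] = [
    ("2024-01-03 08:00", "2024-01-03 12:00"),   # 4 h to repair
    ("2024-02-14 22:00", "2024-02-15 00:00"),   # 2 h to repair
    ("2024-03-20 09:00", "2024-03-20 15:00"),   # 6 h to repair
]
# Observation window over which the component was in service (2024 is a leap year).
WINDOW_START = "2024-01-01 00:00"
WINDOW_END = "2024-04-01 00:00"

HOURS_PER_YEAR = 8760


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two timestamps in FMT."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600


def reliability_metrics(outages: List[Tuple[str, str]],
                        window_start: str, window_end: str) -> Dict[str, float]:
    """MTTF, MTTR and MTBF in hours for the observation window.

    MTTF = operating hours / failures, MTTR = repair hours / failures,
    MTBF = MTTF + MTTR. With no failures MTTF and MTBF are unbounded.
    """
    failures = len(outages)
    repair_hours = sum(_hours(failed, restored) for failed, restored in outages)
    operating_hours = _hours(window_start, window_end) - repair_hours
    if failures == 0:
        return {"failures": 0, "MTTF": float("inf"), "MTTR": 0.0, "MTBF": float("inf")}
    mttf = operating_hours / failures
    mttr = repair_hours / failures
    return {"failures": failures, "MTTF": mttf, "MTTR": mttr, "MTBF": mttf + mttr}


def recovery_checks(metrics: Dict[str, float], rto_hours: float, mtd_hours: float,
                    max_failures_per_year: float) -> Dict[str, bool]:
    """Sanity checks relating the measured metrics to the recovery objectives."""
    expected_failures_per_year = (
        0.0 if metrics["MTBF"] == float("inf") else HOURS_PER_YEAR / metrics["MTBF"]
    )
    return {
        # The RTO must be achieved before the MTD is reached.
        "rto_before_mtd": rto_hours < mtd_hours,
        # A component on the recovery path must be repairable within the RTO.
        "mttr_within_rto": metrics["MTTR"] <= rto_hours,
        # Too many expected failures per year indicates a need for redundancy.
        "needs_redundancy": expected_failures_per_year > max_failures_per_year,
    }


if __name__ == "__main__":
    m = reliability_metrics(OUTAGES, WINDOW_START, WINDOW_END)
    print({k: round(v, 2) for k, v in m.items()})
    # Assumed objectives: RTO 8 h, MTD 24 h, tolerate at most 4 failures a year.
    print(recovery_checks(m, rto_hours=8, mtd_hours=24, max_failures_per_year=4))
```

On the constructed log the component fails three times in a 2184-hour window with 12 hours of total repair time, giving MTTR of 4 h, MTTF of 724 h and MTBF of 728 h; at that rate it would fail roughly twelve times a year, which the redundancy check flags even though each individual repair fits comfortably inside the assumed 8-hour RTO.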
Guidelines for Performing a Business Impact Analysis (BIA)
- Identify mission-essential functions and critical systems.
- Identify impact scenarios.
- Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF.
- Conduct a privacy threshold assessment and privacy impact assessments when required.
- Identify single points of failure.
Risk analysis is an essential component of a robust cybersecurity strategy. By understanding and effectively managing risks, you can make informed decisions to protect your organization’s assets. Whether you’re studying for the CompTIA Security+ certification or enhancing your cybersecurity knowledge, this post provides a comprehensive overview of risk analysis.