Budget and Metrics
Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks and demonstrate effectiveness (and potential cost of savings) of existing controls.
- Accept the Risk – it may be cheaper to leave an asset unprotected. Risk acceptance Criteria – Low likelyhood/low consequence risks are candidates for risk acceptance. High or extreme risks cannot be accepted. Data protected by law or regulations or risk to human life or safety are examples of risks that cannot be accepted.
- Mitigate the Risk – Lowering risk acceptance level or risk reduction by performing reduction analysis. In some cases the risk can be removed entirely
- Transfer the Risk – ie Insurance model. Pay the insurance company to assume the risk for them
- Risk Avoidance – A thorough risk analysis should be completed before taking on a new project. If the risk analysis discovers high or extreme risk that cannot be mitigated avoiding the risk (and the project) maybe the best option.
If ALE is higher than ROI, avoidance might be best option
Quantitative and Qualitative risk analysis
- Quantitative – Uses hard metrics such as dollars and more objective. Examples ALE
- Qualitative – Uses simple approximate values and more subjective. Examples Risk Analysis Matrix
- Hybrid Risk analysis – uses quantitative for hard numbers and qualitative for remainder
The Risk Management Process
US NIST – Risk management guide – 9 Step risk analysis
- System Characterization – Scope
- Threat Identification – Find threat (Risk = Threat x Vulnerability)
- Vulnerability Identification – Find vulnerability (Risk = Threat x Vulnerability)
- Control Analysis – Analyzes security controls (safeguards) planned to mitigate risk
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
Types of attacker
Malicious individual who attacks computer systems. Malicious hacker, blackhat and cracker.
Blackhats and Whitehats
Blackhat bad guy attacks systems with malicious intent, whitehat good guy ethical hackers. Gray hat goal to improve network and system security by exploiting it by making it known to public. The difference between gray hats and whitehats are whitehats alerts owners and vendors without exposing it to public.
Attacks computer systems with tools they have little or no understanding of. Security novices can use metasploit to compromise systems due to the quality of the tool.
Unauthorized attackers with no authorized privilege access to a system or organization. Outsiders launch majority of the attacks.
An insider attack is launched by an internal user who may be authorized to use the system that is attacked. They maybe intentional or accidental. NIST special publication lists the following threat actions.
- Assault on an employee
- Browsing of proprietary information
- Computer abuse
- Fraud and theft
- Information Bribery
- Input of falsified, corrupted data
- Malicious code (virus, logic bomb, trojan horse
- Sale of personal information
- System bugs
- System intrusion
- System sabotage
- Unauthorized system access
Hacker activist, someone who attacks computer systems for political reasons.
Bots and Botnets
A bot (aka zombie) is a computer system running malware that is controlled via a botnet. A botnet contains a central command and control (C&C) network managed by humans called bot herders. Systems become bots after becoming compromised via server side attacks, client side attacks, and running remote access trojans.
Phishers and spear phishers
Malicious attackers who attempts to trick users into divulging credentials or PII. Phishing attacks tend to be large scale and uses emails that contains links to malicious sites that contains backdoors used to compromise your system. Spear phishing targets far fewer user but of high value, often executives and are very targeted (whaling). Vishing is voice phishing – telling using using automated scripts using VOIP to automate calls to thousands.