A series of cyber security study notes.....................................(Risk Management)

1. Lec-3: Cyber Security
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬

2. Managing Risk
• If you are connected to the Internet, your system is exposed to
countless risks.
• Cybersecurity is primarily about risk management.
• Minimize your risk through smart practices.
• Ensure your systems are properly configured, patched, and audited.
• Ensure your workforce is trained and regularly tested.
• Make cybersecurity part of your daily business practices.

3. Life is full of Risk………….

4. As a Security Consultant or Executive
• Primary Responsibilities
• To manage Risk
• To protect your business
• Create an environment for business to grow
• Risk can not be removed 100% but can be managed at every level of your
business.
• Important to create and maintain a risk management program owned
at the most senior levels and designed to cascade throughout the
business to where each employee knows and understand that they
are valued stakeholders in the risk management program.

5. What are your risks?
• Understand
• Where you are vulnerable?
• To whom or what
• Likelihood of someone exploiting those vulnerabilities
Essential for
determining your
risk Posture

6. • Most companies do not have a clue as to what their cyber risk profile
is nor do they know how to calculate it.
• Many believed that there is no means to calculate your cybersecurity
risk.
• but its not true………………
Cybersecurity risk can be calculated using
some of the same techniques as calculating
risk in other sectors

7. Example: vulnerability Checklist (Cyber
Espionage, Theft and Exploitation)
1. Do you have intellectual property and trade secrets you need to protect?
2. Do you currently or in the future have market competitors who would benefit
by having access to your intellectual property and trade secrets?
3. Do you store your intellectual property and trade secrets on computer systems?
4. Are your computer systems connected to the Internet?
5. Do your computer systems have Universal Serial Bus (USB) connections that
enable thumb drives to be connected?
6. Do your computers have read–write DVD/compact disk drives?
7. Do you have frequent and regularly scheduled backups of your information?
8. Do you store your backup information in an off-site location?
9. Do you use any data feeds from other sources into your network?
10. Do you contract your system administration, maintenance, or software support?

8. Your answers
• How many “yes” answers did you have?
• If you had one or more, then you are susceptible to cyber-based risk.

9. Technical Risks
• Technical risks are those risks presented through the operations and
maintenance of the technical systems used by your business, for
example, computers, processors, monitors, controllers, timers,
alarms, etc.

10. Example: Vulnerability Checklist (CTR)
1. Have you or your business ever been hacked?
2. Have you ever found malicious code (such as viruses, trojans, or worms) or
unauthorized software on your systems?
3. Is your network being probed by outside entities?
4. Do any of the members of your IT staff fail to maintain current industry
certifications in their specialties?
5. Are there more current software versions, including patches, available for your
system?
6. Do you store data “in the cloud”?
7. Does your workforce use mobile devices such as smart phones, tablet computers,
and laptops to conduct your corporate business?
8. Does your business solely rely on passwords to control access to the network
and information?
9. Does your business conduct annual vulnerability scans of your network?
10. Do you allow remote access to your network?

11. • If you answered “yes” to any of these questions, you have technical
risks that need to be addressed.

12. Cyber Security is a Team Effort

13. Human Risks
• Because cybersecurity is a team effort, as an executive or security
consultant, you need to recognize the strengths and weaknesses of your
team.
• Not everyone on your team is a superstar when it comes to cybersecurity
• Poorly trained workforce presents the greatest cybersecurity threat to you
and your business.
• Human risks to your cybersecurity posture are profound. From the top of
your organization to the bottom, your workforce presents significant risks
that you need to address.
• Wonder what kinds of human risks you and your company may face in the
cybersecurity realm?

14. Introduction
Risk Analysis and Management Framework
Assets Threats Vulnerabilities
Risks
Security Measures
}
}
Analysis
Management

15. Key Terms definition of Risk Management
The definition of the following terms in this area is not universally
agreed. We will use the following
• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Attack: A threatening event
• Attacker: The agent causing an attack (not necessarily human)
• Vulnerability: a weakness in the system that makes an attack more
likely to succeed
• Risk: a quantified measure of the likelihood of a threat being realised

16. Key Terms definition of Risk Management
• Risk Analysis: involves the identification and assessment of the levels
of risk, calculated from the
• Values of assets
• Threats to the assets
• Their vulnerabilities and likelihood of exploitation
• Risk Management: involves the identification, selection and adoption
of security measures justified by
• The identified risks to assets
• The reduction of these risks to acceptable levels

17. Risk Analysis
• RA is important requirement for any organization .
• To determine hurdles and problems, which halt or slow down the
progress of internal operations as well as external reputation of the
organizations.

18. Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
• Their impact on assets has been valued
• All vulnerabilities have been identified and assessed

19. Problems of Measuring Risk
Businesses normally wish to measure in money, but
• Many of the entities do not allow this
• Valuation of assets
• Value of data and in-house software - no market value
• Value of goodwill and customer confidence
• Likelihood of threats
• How relevant is past data to the calculation of future probabilities?
• The nature of future attacks is unpredictable
• The actions of future attackers are unpredictable
• Measurement of benefit from security measures
• Problems with the difference of two approximate quantities
• How does an extra security measure affect a ~10-5 probability of attack?

20. Risk Levels
• Precise monetary values give a false precision
• Better to use levels, e.g.
• High, Medium, Low
• High: major impact on the organisation
• Medium: noticeable impact (“material” in auditing terms)
• Low: can be absorbed without difficulty
• 1 - 10
• Express money values in levels, e.g.
• For a large University Department a possibility is
• High
• Medium
• Low

21. Risk Analysis Steps
• Decide on scope of analysis
• Set the system boundary
• Identification of assets & business processes
• Identification of threats and valuation of their impact on assets
(impact valuation)
• Identification and assessment of vulnerabilities to threats
• Risk assessment

22. Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
• It will rarely be the computer!
• Make explicit assumptions about the security of neighbouring
domains
• Verify them!

23. Risk Analysis - Identification of Assets
• Types of asset
• Hardware
• Software: purchased or developed programs
• Data
• People: who run the system
• Documentation: manuals, administrative procedures, etc.
• Supplies: paper forms, magnetic media, printer liquid, etc.
• Money
• Intangibles
• Goodwill
• Organization confidence
• Organisation Reputation or image

24. Risk Analysis – Impact Valuation
Identification and valuation of threats - for each group of assets
• Identify threats, e.g. for stored data
• Loss of confidentiality
• Loss of integrity
• Loss of completeness
• Loss of availability (Denial of Service)
• For many asset types the only threat is loss of availability
• Assess impact of threat
• Assess in levels, e.g H-M-L or 1 - 10
• This gives the valuation of the asset in the face of the threat

25. Risk Analysis – Process Analysis
• Every company or organisation has some processes that are critical to its
operation
• The criticality of a process may increase the impact valuation of one or
more assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets

26. Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline system
• For risk analysis of an existing system
• Existing system with its known security measures and weaknesses
• For development of a new system
• Security facilities of the envisaged software, e.g. Windows NT
• Standard good practice, e.g. BS 7799 recommendations of good practice

27. Risk Analysis – Vulnerabilities 2
For each threat
• Identify vulnerabilities
• How to exploit a threat successfully;
• Assess levels of likelihood - High, Medium, Low
• Of attempt
• Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
• Successful exploitation of vulnerability;
• Combine them Likelihood of Attempt
Likelihood
of Success
Low
Low
Low
Med Med
Low
Med High
HighHigh
High
Med
Med
Low
Low

28. RISK LIKELIHOOD DETERMINATION
• According to the ISO 31000 standard, likelihood can be defined as the
chance that something might happen.
• Likelihood can be defined, determined, or measured objectively or
subjectively and can be expressed either qualitatively or
quantitatively (Using mathematics).

29. Likelihood Description Table

30. Risk Likelihood Rating

31. Risk Assessment
Assess risk
• If we had accurate probabilities and values, risk would be
• Impact valuation x probability of threat x probability of exploitation
• Plus a correction factor for risk aversion
• We construct matrices such as
Risk
Impact valuation
Low
Low
Low
Med Med
Low
Med High
HighHigh
High
Med
Med
Low
Low
Vulnerability

32. Responses to Risk
Responses to risk
• Avoid it completely by withdrawing from an activity
• Accept it and do nothing
• Reduce it with security measures

33. Security Measures
Possible security measures
• Transfer the risk, e.g. insurance
• Reduce vulnerability
• Reduce likelihood of attempt
• e.g. publicise security measures in order to deter attackers
• e.g. competitive approach - the lion-hunter’s approach to security
• Reduce likelihood of success by preventive measures
• e.g. access control, encryption, firewall
• Reduce impact, e.g. use fire extinguisher / firewall
• Recovery measures, e.g. restoration from backup

34. Risk Management
• Identify possible security measures
• Decide which to choose
• Ensure complete coverage with confidence that:
• The selected security measures address all threats
• The results are consistent
• The expenditure and its benefits are commensurate with the risks

35. Iterate
• Adding security measures changes the system
• Vulnerabilities may have been introduced
• After deciding on security measures, revisit the risk analysis and
management processes
• e.g. introduction of encryption of stored files may remove the threat to
Confidentiality but introduce a threat to Availability
• What happens if the secret key is lost?

36. Conclusion: Problems of Risk Analysis and
Management
• Lack of precision
• Volume of work and volume of output
• Integrating them into a ”normal” development process

37. Assignment#01
Write a Risk Assessment and Analysis Report on your
organization.
Bakhtar University 37

38. Thank You
For Your Patience