Mais conteúdo relacionado

Similar a Assess risks to IT security.pptx(20)



Assess risks to IT security.pptx

  2. What is Cyber Security? Cyber Security involves the practice of implementing multiple layers of security and protection against digital attacks across computers, devices, systems, and networks. Usually, organizations have a system and a framework in place for how they tackle attempted or successful cyberattacks. A good framework can help detect and identify threats, protect networks and systems, and recover in case any attack was successful.
  3. Scale of Cyber Security Threats  Both cyber-defense tactics and Cyber Security threats are evolving in an attempt to outdo one another. As a result, there is a growth of malicious software and threats in new forms that constantly need protection against. Any individual or organization that uses any form of network is equally vulnerable to such attacks and is a potential target.  There are three different types of Cyber Security threats that one needs to be aware of: 1. Cybercrime: Committed by one or more individuals who target systems for financial gain or to cause havoc 2. Cyberterrorism: Designed to break into systems and instill fear 3. Cyberattacks: Often carried out for political reasons and aimed at collecting and/or distributing sensitive data
  4. ASSESS RISKS TO IT SECURITY • The term “information security risk” refers to the damage that attacks against IT systems can cause. IT risk encompasses a wide range of potential events, including data breaches, regulatory enforcement actions, financial costs, reputational damage, and more. • Although “risk” is often conflated with “threat,” the two are subtly different. “Risk” is a more conceptual term: something that may or may not happen. A threat is a specific, actual danger. • Worries about security risk can often slow progress and keep companies from meeting their goals. On the other hand, by taking the time to understand the risks you face and the best security measures you can implement, a company can create a strategy that balances cybersecurity risk with opportunity – one that allows you to grow while safeguarding your sensitive information.
  5. What are some potential IT security risks?  Viruses and worms. Viruses and worms are malicious software programs (malware) aimed at destroying an organization's systems, data and network. ...  Botnets. ...  Drive-by download attacks. ...  Phishing attacks. ...  Distributed denial-of-service (DDoS) attacks. ...  Ransomware. ...  Exploit kits. ...  Advanced persistent threat attacks.
  6. Phishing  Phishing is a fraudulent attempt to send emails claiming to be from reputable sources to obtain sensitive data such as credit card numbers, usernames, passwords, etc. Phishing is the most common type of cyberattack. It can be prevented if the public is educated on it and if the latest technology solutions screen such malicious emails
  7. Ransomware  Ransomware is malicious software designed as a means to extort money. Attackers block access to files or systems until a demanded ransom is paid by the victim. However, paying the ransom does not necessarily guarantee file recovery or system restoration, which can again be a huge setback.
  8. Malware  Malware is a software that is designed to attain unauthorized access to systems or cause damage. These types of malicious software include viruses, worms, ransomware, and spyware. Clicking on malicious links or attachments installs the software that activates the malware. Once activated, it can:  Stealthily acquire data by transmitting it from the hard drive (spyware)  Block users from accessing key network components (ransomware)  Make systems inoperable by disrupting individual components  Install malicious software that can cause harmful effects
  9. Social Engineering  Social engineering is a tactic to manipulate people into giving up confidential information, including bank information, passwords, or access to their computer to covertly install malicious software that can steal such information from the system.  Social engineering may also work in conjunction with other cyber threats to make it more likely for users to click on malicious links, sources, or malware download links.
  10. Advanced Persistent Threats (APTs)  APT happens when someone unauthorized gains access to a system or network and stays there undetected for a long time. These threats generally do not harm the network or machines and are more focused on data theft. APTs are known to go unnoticed and undetected by traditional security systems, but they are notorious to be the reason for a number of large, costly data breaches.
  11. SQL Injection  SQL injection involves inserting a malicious code into a server that uses SQL and allows the attacker to intervene with queries. This web security vulnerability can be as simple as entering the code into an unprotected website search box. The infection causes the server to release sensitive information.
  12. Man in the Middle (MITM)  MITM attacks, self-evidently, occur when hackers alter a two-party transaction and steal data. Any unsecured public Wi-Fi network is prone to such kinds of attacks. The attackers who resort to such tactics insert themselves between the visitor and the network and, with the help of malware, carry out malicious activities.
  13. Denial of Service (DoS)  A Denial of Service (DoS) is intended to shut down a machine or network so that it cannot respond to any requests and to make it inaccessible for users. This type of attack is carried out by flooding the target with traffic and triggering a crash.
  14. What are the security concerns?  Misconfiguration. At 77%, misconfiguration was the most common concern—and for good reason. ...  Phishing. ...  Poor Passwords. ...  Lost or Stolen Devices. ...  Orphaned Accounts. ...  Prioritizing Security Weaknesses With Penetration Testing.
  15. WHAT ARE THE STEPS FOR AN INFORMATION SECURITY RISK ASSESSMENT? A successful cybersecurity strategy (one that can feed into larger enterprise risk management efforts) starts with a risk assessment. While all risk assessments will differ depending on your individual needs, there are certain common elements that you can use as a framework.  Identify Start by identifying every security risk your company is currently facing or could reasonably face in the near future. Including future risks in this step is crucial, as IT risk changes frequently when new technologies develop.  Analyze In this step, examine each risk and determine both its likelihood of occurring and the potential impact. Not every risk will require the same amount of attention, and risk analysis can help you prioritize the risks that have the largest potential for harm.
  16. RISK ASSESSMENT  Prevent Once you understand what risks are faced by your company, you’ll need to develop controls and procedures to either minimize the damage or prevent it altogether. Your incident response strategy will also be developed during this step. The four most common types of risk response (discussed below) will help you create a risk management program that is tailored to your company and your goals.  Document Clear documentation of your policies and risk mitigation efforts will serve you well long term. Creating a risk register with your risks, assignments, and controls will keep everyone on the same page and minimize confusion and miscommunication. Documentation will also help you revisit your policies and revise them if change is needed in the future.  Monitor and Reassess Your security risks will change as your business operations evolve, or as new technologies emerge, or as attackers find new ways to penetrate IT defenses. So monitor the success of your security efforts, reassess your risks periodically (usually once a year), and adjust your policies, procedures, and controls as necessary.
  17. WHAT ARE THE FOUR TYPES OF RISK RESPONSE? Deciding how to respond to your risks is an important element in your risk management process. There are four primary types of response, and you should assess your information systems as well as each risk individually to determine which approach will be the most effective.  Accept This response understands that a certain amount of risk is always present. Also known as risk retention, risk acceptance is the decision that the potential gain for a given scenario outweighs the chance of loss. Determining what risks are worth taking will depend on your company’s predetermined risk tolerance and appetite. It is up to your company to decide what constitutes an acceptable level of risk. In IT, a certain degree of risk acceptance will always be present when adopting new technologies that can provide growth for your organization.  Share Another common strategy is to share risk with an outside contractor or partner. An example of risk sharing in IT risk management would be using a cloud storage service like AWS or Microsoft Azure. These companies have data protection baked into their agreements, and while such arrangements won’t entirely absolve you from responsibility, they will help you control and correct the damage should a security incident occur.
  18. RISK RESPONSE  Transfer Risk transfer is when you move the responsibility for the risk onto an outside party. This is usually done by purchasing insurance for the issue in question. Security threats like malware or ransomware are frequently covered in IT insurance. Cybersecurity insurance is still a developing market, but could be a useful investment depending on your circumstances and goals.  Avoid Risk avoidance is generally the safest of these strategies. Avoidance, however, can keep your company from progressing the way you might want. To grow your business, a certain amount of risk will be required, and this is particularly true of IT risk. While it may seem wise to rely on trusted technology, risk avoidance in the IT realm can quickly render your company obsolete.
  19. INFORMATION SECURITY RISK MANAGEMENT BEST PRACTICES IT risk management goes beyond listing your risks. To provide the best possible protection against cyber threats you’ll need to embed risk management into your company at every level.  Educate Your Staff Your staff are your first and best defense against cyber breaches. Providing them with training and informing them of your policies can help you identify the warning signs of a breach and stop the damage before it starts. This kind of training can also help mitigate human error, prevent unauthorized access, and instill strong security hygiene throughout your organization.  Monitor Your Progress Providing the strongest possible security for your will require consistent attention. The documentation that you created during your risk assessment will be instrumental in assuring that your security policy is up to date. A list of risks – more commonly known as a risk register – will also assist with changes in staff and make sure that all of your risks are correctly assigned and accounted for.  Embrace Change Successful risk management is flexible and will change over time as new threats emerge and old threats become redundant. It’s important that you revisit and revise the policies surrounding your information assets at least annually, or whenever your company undergoes significant change. Adjusting your risk management program to changes will ensure that your security controls remain effective against new innovations in cybercrime.
  20. CYBER SECURITY TOOLS • Cyber Security tools consist of various apps and solutions that are used to mitigate risks and safeguard sensitive information from cyber threats. Examples of some of the widely used tools are: • Wireshark • Web security • Nmap • Metasploit • Ncat • Entersoft Insights • Aircrack-ng • Nikto
  21. WHAT IS SECURITY TESTING? • Security testing checks whether software is vulnerable to cyber attacks, and tests the impact of malicious or unexpected inputs on its operations. Security testing provides evidence that systems and information are safe and reliable, and that they do not accept unauthorized inputs. • Security testing is a type of non-functional testing. Unlike functional testing, which focuses on whether the software’s functions are working properly (“what” the software does), non-functional testing focuses on whether the application is designed and configured correctly (“how” it does it). • Security testing is structured around several key elements:  Assets—things that need to be protected, such as software applications and computing infrastructure.  Threats and vulnerabilities – activities that can cause damage to an asset, or weaknesses in one or more assets that can be exploited by attackers. Vulnerabilities can include unpatched operating systems or browsers, weak authentication, and the lack of basic security controls like firewalls.  Risk—security testing aims to evaluate the risk that specific threats or vulnerabilities will cause a negative impact to the business. Risk is evaluated by identifying the severity of a threat or vulnerability, and the likelihood and impact of exploitation.  Remediation—security testing is not just a passive evaluation of assets. It provides actionable guidance for remediating vulnerabilities discovered, and can verify that vulnerabilities were successfully fixed.
  22. WHAT ARE THE DIFFERENT TYPES OF CYBERSECURITY TESTING? • The best way to use cybersecurity testing methods is to create a schedule for various tests to keep your security systems robust and up to date. Explore the different testing methods and security testing processes to find out what processes your company may benefit from most. • 1. Cybersecurity Audit • A cybersecurity audit is designed to be a comprehensive overview of your network, looking for vulnerabilities as it assesses whether your system is compliant with relevant regulations. These audits usually give companies a proactive approach to the security design process. Once they know what gaps they need to fill, they can design a security setup with more intention.
  23. WHAT ARE THE DIFFERENT TYPES OF CYBERSECURITY TESTING? • Independent IT professionals usually conduct audits to eliminate any conflict of interest. Sometimes, they’re handled internally, but it’s a rare occurrence. There’s a range of regulated procedures used in an audit to ensure IT professionals assess every area of a security system. • A complete audit process covers substantial ground, and it usually starts with a review of a company’s data security policies. During the review, professionals will consider how policies support the confidentiality, availability and integrity of a company’s data. Creating a wide few of security environments gives IT professionals a sense of what needs the most attention.
  24. 2. Often called pen testing, penetration testing is a form of ethical hacking. During a pen test, IT professionals will intentionally launch a cyberattack on a system to access or exploit applications, websites and networks. The main objective of a pen test is to identify areas of weakness in a security system. The specific goals of a pen test depend on the area professionals hack. In the case of networks, the aim is to calibrate firewall rules, close unused ports and eliminate any loopholes. For websites, professionals want to identify and report notable vulnerabilities like cross-site scripting and buffer overflow. There are several methods of penetration testing, and the type that IT workers use will depend on an organization’s goals and security concerns:  Internal tests: These pen tests are performed within a company’s environment and simulate events where a hacker penetrates the network perimeter or an authorized user abuses access to private data.  External tests: IT professionals perform external tests by hacking a network perimeter through an outside source, like the internet.
  25. 2.  Blind tests: In a blind test, testers will simulate the actions of a real hacker. IT professionals go into the process with little to no information about a company’s security infrastructure, and they attempt to access the network perimeter. During the test, they rely on third-party online information to access the network, which can reveal how much private information is readily available to the public.  Double-blind tests: This test is similar to a blind test, but members in the company, like IT personnel, are unaware of the penetration test. This method tests threat identification processes and associated procedures to determine how well they can hold up against a hacker.  Targeted tests: Unlike blind tests, targeted tests require complete transparency. IT teams are involved in the process to address specific concerns about a network. These tests take less time to execute, but they may not provide a full picture of a company’s cybersecurity. Typically, businesses should perform penetration tests annually or after any major changes to network infrastructure
  26. • A vulnerability scan is the process of identifying security weaknesses in systems and software with the goal of protecting an organization from breaches. This scan is often confused with penetration testing because they have similar functions. However, they’re different. • While pen testing involves simulated hacking that can locate the root cause of gaps, vulnerability scanning is an automated test that simply identifies gaps. IT professionals use designated software to identify vulnerabilities. These scanners create an inventory for all systems and run them against a database of known vulnerabilities to see potential matches. At the end of the scan, known vulnerabilities will be highlighted for a company to handle.
  27. • There are several vulnerabilities a scan might identify within a network. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) identified the most encountered vulnerabilities. The most common vulnerability they found was remote code execution (RCE). This vulnerability involves a hacker running code of any kind with system-level privileges on networks with the required weaknesses. • Other vulnerabilities include: • Arbitrary code execution: An attacker can run commands or code on a vulnerable device. • Arbitrary file reading: An attacker can read or write any content in a file system. • Path traversal: A vulnerability that gives attackers access to unauthorized files.
  28. • A security or configuration scan searches for misconfiguration in a system. A misconfiguration is an incorrect or suboptimal design of a system or system component that can lead to vulnerabilities. When security systems aren’t defined or the default values aren’t maintained, a misconfiguration occurs. • Unfortunately, hackers know misconfigurations are easy to detect. Typically, exploited misconfigurations can lead to high-volume data leakage that can cause harm to businesses. • Common misconfigurations include:  Default account settings  Unencrypted files  Unpatched systems  Outdated web apps  Insufficient firewall
  29. • These incorrect designs can classify as a vulnerability that may be identified during a vulnerability scan. However, security scans operate under the intention of only looking for misconfigurations, making them a more pointed cybersecurity test. • As more applications shift to the cloud, misconfigurations are easy to overlook. Many misconfigurations come from the cloud and hybrid environments brought about by an increase in remote workforces. Research conducted by Gartner claims that 99% of cloud misconfigurations through 2025 will be the customer’s fault. • That said, companies have complete oversight into network configurations — it’s a matter of paying attention to them. Among all other IT demands, it can be easy to miss them, even though they’re easy to address. This fact is the reason security scans are essential to companies’ cybersecurity frameworks. • Considering the ease of overlooking misconfigurations, performing regular security scans can give your team the foresight it needs to secure its network. While annual security scans are a smart move, you may choose to conduct them more frequently. Performing them a few times a year can help your company keep up with possible vulnerabilities.
  30. • A cybersecurity risk assessment is a process that analyzes the various security controls in an organization and what possible threats can occur within them. These assessments are comprehensive processes that assess existing risks and create strategies for mitigating them. • The information assets that are vulnerable to risks include hardware, software, intellectual property, customer data and more. There are four essential steps to a risk assessment:  Identify: The first step is about identifying all essential assets in your company’s technology infrastructure. IT professionals will determine all sensitive data associated with said assets and create a profile of risks for each one.
  31.  Assess: IT team members will evaluate risk levels and determine how many resources a company will need to dedicate to risk mitigation. This step aims to find the relation between vulnerabilities, assets and mitigation.  Mitigate: The risk assessment team will create a plan for risk mitigation and enforce security controls for all identified risks.  Prevent: A company’s personnel will enforce ongoing mitigation by implementing designated tools and processes to minimize threats as they arise. According to priorities, risk assessment teams will roll out mitigation and prevention. Some risks will pose more potential harm than others, making mitigation critical. As a general rule, companies should conduct risk assessments at least once yearly. These assessments should also occur when your business changes its technology infrastructure, which may include cloud migration, new applications or large expansions.
  32. • A posture assessment is the best initial test among the security testing methods because it can guide your approach to security. This assessment refers to your cybersecurity posture — the strength of your protocols and controls at preventing cyber threats. • IT professionals perform posture assessments through a range of processes that look at internal and external factors. Unlike audits or pen tests, posture assessments can provide definite guidance for improving cybersecurity maturity. This guidance often seeks to maximize return-on-investment (ROI) for security protocols. • These assessments can use a combination of methods like ethical hacking, security scanning and risk assessments to define security posture to: Identify and address the value of company data Define threat exposure and risks Evaluate if appropriate security methods are in place Recommend a concrete plan for strengthening defenses
  33. • Conducting posture assessments can be a wise move in a variety of circumstances — you can conduct them to optimize ROI, get started with a new strategy, prepare for organizational changes or address security gaps. While you may not need to perform them regularly, they’re an excellent option for companies of all sizes.
  34. 7. HOST-BASED ASSESSMENT • Host-based Vulnerability Assessment is an evaluation process that provides a comprehensive insight into the potential internal and external risk exposure and the impact that it can have on business. It is an assessment that performs an in-depth evaluation of systems, and networks for identifying security weaknesses that needs to be addressed. • The assessor scans the system from the security perspective of a user who may have an access to the system/network from within the organization. So, with this assessment it provides an insight on potential insider threat to systems and networks. The assessment helps identify suspicious insider activities and detects intruders having already infiltrated the system. This way the Host-based Assessment provides an additional level of security that helps prevent internal misuse or external intruders compromising the security and accessing information.