Security+
All-In-One Edition
Chapter 17 – Risk Management
Brian E. Brzezicki
Risk Management
Risk Management (493)
The process of analyzing your business processes,
determining which risks threaten those processes,
and choosing cost-effective countermeasures to
minimize those risks and the associated losses.
Risk Management Terms (494)

Risk – the possibility of suffering harm or loss

Risk Management/Risk Analysis – the overall
decision-making process of identifying the risks
(threats and vulnerabilities), determining the impact
of an event that would affect a project, program, or
business, and choosing mitigating actions
(more)
Risk Management Terms (494)

Asset – a resource or information an organization
needs to conduct its business

Threat – any circumstance or event with the potential
to cause harm to an asset.

Vulnerability – a software, hardware, or procedural
weakness that may provide an attacker the
opportunity to obtain unauthorized access.

Impact – the resulting loss when a threat exploits a
vulnerability
(more)
Risk Analysis Terms (495)

Countermeasure / control / safeguard – a measure
taken to detect, prevent, or mitigate the risk
associated with a threat.

Qualitative Risk Analysis – The process of
subjectively determining the impact of an event.

Quantitative Risk Analysis – The process of
objectively determining the impact of an event.
Specifically, assigning numbers (probability, loss,
cost, etc.) to understand the event.
(more)
Random Thoughts (497)
Risks are not just about network security.
Risks can be

Fires

Tornados

Floods

Blizzards


Hacking

Vendors going out of business

Revenue Streams stopping

Fraud
(more)
Random Thoughts
Risk management is always concerned with providing
COST EFFECTIVE safeguards…
Don’t bother protecting something if the cost of
protecting it is more than it is worth!
Some risks can also be hard to quantify (reputation):
what is a reputation worth to a business?
Risk Management Flowchart (496)
Quantitative Risk Analysis
Terms
EF - Exposure Factor (507)
EF – the fraction of an asset’s value lost in a single
occurrence of a threat. If you have a building and you
determine that in the event of a fire 25% of the building
will be destroyed on average, your EF is 25% (.25).
You use the EF to determine the SLE.
SLE – Single Loss Expectancy
(507)
SLE = how much you expect to lose if an event occurs
SLE= Asset Value * EF
Ex. if you have a building worth $1,000,000.00 and
your EF is .25 what is your SLE?

SLE = Asset Value * EF
SLE = $1,000,000 * .25
SLE = $250,000
ARO – Annual Rate of Occurrence
(507)
ARO – How many times you expect a certain event to
occur in 1 year.
Ex. If you expect 2 fires a year
ARO = 2
Ex. If you expect 1 fire every 10 years
ARO = (1 fire)/(10 years)
ARO = .1
Use ARO to determine ALE
ALE – Annual Loss Expectancy
(507)
ALE – how much money you expect to lose in a year
due to a certain threat.
ALE = SLE * ARO
Ex. If your warehouse fire SLE = $250,000 and you
expect 2 fires a year
ALE = SLE * ARO
ALE = $250,000 * 2
ALE = $500,000
Choosing a Countermeasure
When analyzing a countermeasure you need to look
at the ALE BEFORE the countermeasure and the
ALE AFTER the countermeasure, and compare the
difference to the cost of the countermeasure.
If a countermeasure reduces the ALE by more than the
countermeasure costs, then it is COST effective
and should be applied.
(ALE before) – (ALE after) > Cost of Countermeasure
Compare like with like: the ALE is a yearly figure, so a
one-time purchase price should be spread over the
control’s useful life before it is compared to the ALE.
(more)
Risk Analysis Example problem
You have an important server. For every hour that the
server is down it costs your company $1000.00.
There is a 25% chance every month that the server
will get hacked, if it does it will cost you 4 hours to
clean and reinstall the server (nobody will be able to
use it)
There is an intrusion prevention system that will take
the risk of a hacked system to 0% (don’t we wish);
however, it costs a $5,000.00 per year subscription
fee.
Should you purchase the IPS? If you do how much
money will you save or lose?
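The SLE/ARO/ALE formulas and the countermeasure test from the preceding slides, carried through in code and applied to the server/IPS problem above. This is an added example, not code from the slide deck or from the Security+ book; the function and field names are choices made here, and it assumes that a 25% chance of a hack each month annualizes to an ARO of 3. It goes slightly beyond the slides by letting a countermeasure remove only a fraction of the risk, which is how residual risk shows up in the numbers.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the countermeasure test.

Added example for the Risk Management slides; the names below are
assumptions of this example, not anything from the Security+ text.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value * EF, where EF is the fraction of the asset
    lost in one occurrence (0.25 means 25% of the building burns)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(events: float, years: float) -> float:
    """ARO = expected occurrences per year (1 fire per 10 years -> 0.1)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return events / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return sle * aro


@dataclass(frozen=True)
class CountermeasureDecision:
    """Result of the (ALE before) - (ALE after) > cost comparison."""
    ale_before: float
    ale_after: float   # residual ALE: a control rarely removes all risk
    annual_cost: float

    @property
    def net_annual_benefit(self) -> float:
        """Positive means the control saves more per year than it costs."""
        return (self.ale_before - self.ale_after) - self.annual_cost

    @property
    def cost_effective(self) -> bool:
        return self.net_annual_benefit > 0


def evaluate_countermeasure(ale_before: float, risk_reduction: float,
                            annual_cost: float) -> CountermeasureDecision:
    """risk_reduction is the fraction of the ALE the control removes:
    1.0 eliminates the threat, 0.5 halves it.  The cost must be per
    year, so spread a one-time purchase over its useful life first."""
    if not 0.0 <= risk_reduction <= 1.0:
        raise ValueError("risk_reduction must be a fraction between 0 and 1")
    ale_after = ale_before * (1.0 - risk_reduction)
    return CountermeasureDecision(ale_before, ale_after, annual_cost)


def warehouse_fire_ale() -> float:
    """The slides' building example: $1,000,000 asset, EF .25, 2 fires/yr."""
    sle = single_loss_expectancy(asset_value=1_000_000, exposure_factor=0.25)
    aro = annual_rate_of_occurrence(events=2, years=1)
    return annual_loss_expectancy(sle, aro)


def server_ips_decision() -> CountermeasureDecision:
    """The server/IPS problem from the slide above, worked through."""
    cost_per_hour = 1_000.0
    hours_to_rebuild = 4.0
    # The loss per incident is given directly as downtime cost, so the
    # SLE is 4 h * $1000/h rather than an asset value times an EF.
    sle = hours_to_rebuild * cost_per_hour                       # $4,000
    # Assumption: a 25% chance each month (at most one hack per month)
    # is an expected 0.25 incidents/month, i.e. 3 per year.
    aro = annual_rate_of_occurrence(events=0.25 * 12, years=1)  # 3.0
    ale = annual_loss_expectancy(sle, aro)                       # $12,000
    # The slide's IPS takes the risk to 0% for a $5,000/year fee.
    return evaluate_countermeasure(ale, risk_reduction=1.0, annual_cost=5_000.0)


if __name__ == "__main__":
    print(f"Warehouse fire ALE: ${warehouse_fire_ale():,.0f}")
    d = server_ips_decision()
    print(f"Server ALE before IPS: ${d.ale_before:,.0f}, after: ${d.ale_after:,.0f}")
    print(f"IPS net benefit: ${d.net_annual_benefit:,.0f}/yr -> "
          f"{'buy it' if d.cost_effective else 'do not buy'}")
    # Review-question variants: eliminate a $50K ALE for $30K/yr, or halve it.
    for reduction in (1.0, 0.5):
        r = evaluate_countermeasure(50_000.0, reduction, 30_000.0)
        print(f"$50K ALE, {reduction:.0%} reduction, $30K cost: "
              f"net ${r.net_annual_benefit:,.0f} -> {r.cost_effective}")
```

Run as a script, it reports the warehouse ALE of $500,000 and shows the IPS cutting a $12,000 ALE to zero for $5,000, a net saving of $7,000 per year, so the subscription should be bought. The two review-question variants at the end show the same test with partial risk reduction: eliminating a $50K ALE for $30K is cost effective, halving it for the same $30K is not.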
Choosing a Countermeasure
You may also decide to “transfer” the risk (buy
insurance).
If neither of these (countermeasure or transfer) is
COST effective, you may choose to AVOID the
risk or ACCEPT the risk.
What is avoiding the risk?
Residual Risk (501)
Understand that no countermeasure can reduce the
risk by 100%. There will always be some risk
left over after applying controls. This is called
Residual Risk.
Quantitative Risk Analysis (502)
Truly quantitative analysis requires a lot of number
crunching; you should use software to automate
this task. Be aware that you cannot truly eliminate
100% of the risk, and you cannot truly quantify 100% of
the risk (some things simply cannot be measured).
Qualitative Risk Analysis
Qualitative Risk Analysis doesn’t try to crunch
numbers to analyze risk; instead, all involved parties
get together to try to subjectively understand risk:

What business functions are critical?

What would happen if a function was lost?

What functions are more important than others?

What are the threats?

How can we mitigate the threats?
Chapter 17 - Review

Q. Define EF
Q. Define SLE
Q. Define ARO
Q. Define ALE
Chapter 17 - Review
Q. Any countermeasure you deploy should ultimately
be ______ _______
Q. If my ALE for a threat is $50K a year, and a
countermeasure to eliminate the threat costs $30K
a year, should I implement it?
Q. If my ALE is $50K a year, a countermeasure will
reduce the ALE by 50%, and the countermeasure
costs $30K a year, should I implement it?
Chapter 17 - Review
Q. What is “residual risk”?
Q. What is risk transference?
Q. What is risk avoidance?
Q. What is risk acceptance?
Chapter 17 - Review
Q. What is quantitative vs. qualitative risk
analysis?
Q. Can you get automated tools for quantitative
analysis? How about qualitative analysis?
Q. What is due diligence, due care?