Sec+ preparation #12 (Risk Management, Data Leakage)

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase the Security+ SY0-701 boot camp here

Risk Management

Threat and risk analysis (TaR)

  • Minimizing risks

  • What are the steps

  • Likelihood versus impact

  • SLE, ALE, ARO

  • Managing risks

  • Delphi method

  • Methodologies

Governance

  • Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives.

  • Information security is not only a technical issue.

  • For information security to be effective, it requires the active engagement of executive management. (could be a question)

Risk & Risk management

  • Risk is the probability of something happening. If you have ever gambled, you know what a probability is.

  • What is an acceptable level of probability?

  • Information Security (IS)

Categories of Risk

  • Man-made

  • Weather related

  • Physical damage

  • Human error

  • Inside and outside attacks

  • Power Failure

  • Application error

Asset & Information Value

  • Establishing asset value

  • Assign Quantitative value

    • Real and meaningful values
  • Assign Qualitative value

    • Subjective rating

    • Can be low, medium, high

Techniques to Minimize Risks (will be in exam)

  • Mandatory Vacation - workers must go on vacation regularly

    • A detective mechanism

    • The new person might find out about anomalies such as:

      • Scripts being scheduled to run at regular intervals

      • Illegal usage of company resources

      • Script extracting data from the database

  • Job Rotation

    • A new employee may notice that something is wrong

    • Mostly done in DoD and government agencies

    • Not very common in commercial companies

    • Should be combined with mandatory vacation

  • Separation of Duties (SoD)

    • A method of enforcing security

    • One person cannot complete a critical task

  • Least Privilege

    • Applies to processes and users

Qualitative Approach

  • A scenario-based technique that includes:

    • Brainstorming

      • Invite the greatest minds in your company and just let them talk and brainstorm
    • Story boarding

    • Focus groups

    • Surveys

    • Questionnaires & Checklists

Quantitative Approach

Steps:

  • Assign value to information and assets

  • Estimate potential loss per risk

  • Perform a threat analysis

  • Derive the overall loss potential per threat

  • Reduce, assign, or accept the risk

Main risk management concepts

  • Exposure Factor (EF)

    • Based on likelihood (PERCENTAGE) and impact (DOLLARS/EURO)
  • Single Loss Expectancy (SLE)

    • Formula - Asset Value (AV) x Exposure Factor (EF)
  • Annualized Rate of Occurrence (ARO) - hard to estimate

    • Estimated frequency a threat will occur within a year
  • Annualized Loss Expectancy (ALE)

    • Formula - SLE x ARO

Handling Risks

  • Risks CAN NEVER BE TOTALLY ELIMINATED

    • There’s no risk free environment
  • There are always some residual risks

  • What can you do about the risks you have?

    • Transfer the risk (Buy insurance)

    • Reduce the risk

    • Reject/Ignore the risk

    • Accept the risk
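As an added worked example (not from the original notes or the boot camp), the formulas above and the handling options below carried through in Python: SLE = AV x EF, ALE = SLE x ARO, then the ALE reduction a control buys is compared with what the control costs per year to decide between reducing the risk or accepting/transferring it. The laptop-theft figures, the control cost and the `RiskScenario` helper are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, in the quantitative terms from the notes."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self):
        # EF is a percentage of the asset, so anything outside 0..1 is an input error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF (loss from one occurrence)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


def control_net_benefit(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Yearly ALE reduction the control buys, minus what the control costs per year."""
    return before.ale() - after.ale() - annual_control_cost


def recommend(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> str:
    """Reduce the risk if the control pays for itself; otherwise the residual risk is
    cheaper to accept, or to transfer (e.g. insurance), than to control this way."""
    if control_net_benefit(before, after, annual_control_cost) > 0:
        return "reduce"
    return "accept or transfer"


# Constructed sample figures (hypothetical): a stolen laptop holding customer data.
LAPTOP_UNENCRYPTED = RiskScenario("laptop theft, no encryption", 60_000, 0.5, aro=2)
LAPTOP_ENCRYPTED = RiskScenario("laptop theft, FDE + DLP", 60_000, 0.125, aro=2)
CONTROL_COST = 20_000  # yearly licence and support for the encryption/DLP rollout

if __name__ == "__main__":
    for s in (LAPTOP_UNENCRYPTED, LAPTOP_ENCRYPTED):
        print(f"{s.name}: SLE={s.sle():,.0f} ALE={s.ale():,.0f}")
    print("decision:", recommend(LAPTOP_UNENCRYPTED, LAPTOP_ENCRYPTED, CONTROL_COST))
```

Try the same control against a rare threat (low ARO): the ALE it removes no longer covers its cost, which is exactly the case where accepting or transferring the residual risk is the better option.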

Risk mitigation Strategies

  • Implement controls based on risks

  • Change Management

  • Incident Management

  • User rights and permission review

    • Do it periodically. Make sure that people don’t have more permissions than they need.
  • Perform routine audits

Data Leakage & Fraud

Data leakage Protection (DLP)

Tools to prevent unauthorized persons from being able to take away confidential information

Real world examples of occurrences:

  • The Swedish military forgot a USB drive in a library

  • UK military forgot a laptop in a taxi

  • Barack Obama got his campaign idea stolen

Do not send credit card numbers, or any other sensitive information, in clear text!!!

How does DLP work?

  • A user sends an email with sensitive data

    • DLP analyzes it. If there is sensitive data, it warns the user.
  • User tries to save a file to a USB Flash Drive

    • DLP identifies that it is intellectual property and blocks it. Of course there are ways to bypass that.

Fraud Detection

  • Look for obvious signs that something is wrong

    • Governance is non-existent

    • There is a lack of separation of duties

    • Management overrides internal controls

    • Environment is corrupted

What can I do?

  • Develop strong policies and enforce them

  • Develop a code of conduct for employees

  • Have a mechanism to report suspicious activity

  • Protect people who talk. Make them anonymous.


Written by

Jonas Satkauskas