Security+All-In-One Edition
Chapter 17 – Risk Management
Brian E. Brzezicki
Risk Management
Risk Management (493)
The idea of analyzing your business processes, determining what risks threaten those processes, and choosing cost-effective countermeasures to minimize the risks and the associated losses.
Risk Management Terms (494)
• Risk – the possibility of suffering harm or loss
• Risk Management/Risk Analysis – the overall decision-making process of identifying the risks (threats and vulnerabilities) and mitigating actions to determine the impact of an event that would affect a project, program or business
(more)
Risk Management Terms (494)
• Asset – resource or information an organization needs to conduct its business
• Threat – any circumstance or event with the potential to cause harm to an asset.
• Vulnerability – a software, hardware, or procedural weakness that may provide an attacker the opportunity to obtain unauthorized access.
• Impact – the resulting loss when a threat exploits a vulnerability
(more)
Risk Analysis Terms (495)
• Countermeasure / control / safeguard – a measure taken to detect, prevent, or mitigate the risk associated with a threat.
• Qualitative Risk Analysis – the process of subjectively determining the impact of an event.
• Quantitative Risk Analysis – the process of objectively determining the impact of an event, specifically assigning numbers to understand the event (probability, loss, cost, etc.)
(more)
Random Thoughts (497)
Risks are not just about network security. Risks can be
• Fires
• Tornados
• Floods
• Blizzards
• Hacking
• Vendors going out of business
• Revenue Streams stopping
• Fraud
(more)
Random Thoughts
Risk Management is always concerned with providing COST EFFECTIVE safeguards…
Don’t bother protecting something if the cost of protecting it is more than it is worth!
Risk can also be hard to quantify (reputation).
What’s a reputation worth to a business?
Risk management Flowchart (496)
Quantitative Risk Analysis Terms
EF - Exposure Factor (507)
EF – if you have a building and you determine that in the event of a fire 25% of the building will be destroyed on average, your EF is 25% (.25). You use the EF to determine the SLE.
SLE – Single Loss Expectancy (507)
SLE = how much you expect to lose if an event occurs
SLE = Asset Value * EF
Ex. if you have a building worth $1,000,000.00 and your EF is .25 what is your SLE?
SLE = Asset Value * EF
SLE = $1,000,000 * .25
SLE = $250,000
ARO – Annual Rate of Occurrence (507)
ARO – How many times you expect a certain event to occur in 1 year.
Ex. If you expect 2 fires a year: ARO = 2
Ex. If you expect 1 fire every 10 years: ARO = (1 fire)/(10 years), so ARO = .1
Use ARO to determine ALE
ALE – Annual Loss Expectancy (507)
ALE – how much money you expect to lose in a year due to a certain threat.
ALE = SLE * ARO
Ex. If your warehouse fire SLE = $250,000 and you expect 2 fires a year
ALE = SLE * ARO
ALE = $250,000 * 2
ALE = $500,000
Choosing a Countermeasure
When analyzing a countermeasure you need to look at the ALE BEFORE the countermeasure, and the ALE AFTER the countermeasure and compare that to the cost of the countermeasure.
If a countermeasure reduces the ALE more than the countermeasure costs, then it is COST effective and should be applied.
(ALE before) – (ALE after) > Cost of Countermeasure
(more)
Risk Analysis Example problem
You have an important server. For every hour that the server is down it costs your company $1000.00.
There is a 25% chance every month that the server will get hacked; if it does, it will cost you 4 hours to clean and reinstall the server (nobody will be able to use it).
There is an intrusion prevention system that will take the risk of hacked system to 0% (don’t we wish), however it costs $5,000.00 per year subscription fee.
Should you purchase the IPS? If you do how much money will you save or lose?
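As an added example (not from the slides), the chapter's formulas (SLE = Asset Value * EF, ALE = SLE * ARO, and the countermeasure rule from "Choosing a Countermeasure") in Python, applied to the server/IPS problem above; the function names are my own, and the outage cost is modelled as the asset value at stake with EF = 1.

```python
# Added example, not from the slides: quantitative risk arithmetic for the
# server/IPS problem. Function names are assumptions; figures are the slide's.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: expected loss from a single occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = SLE * ARO (ARO may be fractional)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def countermeasure_value(ale_before: float, ale_after: float,
                         annual_cost: float) -> float:
    """Net annual benefit: (ALE before - ALE after) - cost of countermeasure.
    Positive means the control is cost effective (the slide's rule)."""
    return (ale_before - ale_after) - annual_cost


def server_ips_decision() -> dict:
    """Slide problem: $1000/hour of downtime, 25% chance per month of a
    compromise costing 4 hours, IPS at $5000/year that (per the slide)
    takes the risk to 0%."""
    cost_per_hour = 1000.0
    hours_per_incident = 4
    # Asset value at stake is the full outage cost, so EF = 1.0
    sle = single_loss_expectancy(cost_per_hour * hours_per_incident, 1.0)
    aro = 0.25 * 12                      # 25% per month -> incidents per year
    ale_before = annual_loss_expectancy(sle, aro)
    ale_after = annual_loss_expectancy(sle, 0.0)   # IPS claims 0% residual risk
    ips_cost = 5000.0
    net = countermeasure_value(ale_before, ale_after, ips_cost)
    return {"sle": sle, "aro": aro, "ale_before": ale_before,
            "ale_after": ale_after, "net_savings": net, "buy_ips": net > 0}


if __name__ == "__main__":
    for key, value in server_ips_decision().items():
        print(f"{key:>12}: {value}")
```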
Choosing a Countermeasure
You may also decide to “transfer” the risk (buy insurance)
If neither of these (countermeasure or transfer) is COST effective, you may choose to AVOID the risk or ACCEPT the risk.
What is avoiding the risk?
Residual Risk (501)
Understand that no countermeasure can reduce the risk 100%. There will always be some risk left over after applying controls. This is called Residual Risk.
Quantitative Risk Analysis (502)
Truly quantitative analysis requires a lot of number crunching. You should use software to automate this task. Be aware that you cannot truly 100% eliminate risk, and you cannot truly 100% quantify risk (some things simply cannot be measured).
Qualitative Risk Analysis
Qualitative Risk analysis doesn’t try to crunch numbers to analyze risk; instead all involved parties get together to try to subjectively understand risk.
• What business functions are critical
• What would happen if a function was lost
• What functions are more important than others
• What are the threats
• How can we mitigate threats
Chapter 17 - Review
Q. Define EF
Q. Define SLE
Q. Define ARO
Q. Define ALE
Chapter 17 - Review
Q. Any countermeasure you deploy should ultimately be ______ _______
Q. If my ALE for a threat is $50K a year, and a countermeasure to eliminate the threat costs $30K a year, should I implement it?
Q. If my ALE is $50K a year, a countermeasure will reduce the ALE by 50%, and the countermeasure costs 30K a year, should I implement it?
Chapter 17 - Review
Q. What is “residual risk”
Q. What is risk transference
Q. What is risk avoidance
Q. What is risk acceptance
Chapter 17 - Review
Q. What is quantitative vs. qualitative risk analysis?
Q. Can you get automated tools for quantitative analysis? How about qualitative analysis?
Q. What is due diligence, due care?