Cyber security Risk Assessment
What is Cyber security Risk:
Cybersecurity risk refers to the potential loss or damage resulting from a cyberattack or data breach. It involves identifying and assessing threats and vulnerabilities within an organization’s digital systems and networks.
Examples:
-Ransomware
-Malware
-Insider threats
-Phishing attacks
Risk Assessment Approaches:
Avoid:
-Avoiding untrusted software.
-Zero-trust permissions.
-Network segmentation, e.g. VLANs.
Mitigate:
-Risk Assessments
-Implement network access controls, e.g. MFA and zero-trust permissions.
-Regular Software Updates.
-Employee Training.
-Encryption: Protect sensitive data by encrypting it both in transit and at rest.
-Backup Data.
-Monitor and Respond.
-Implement Security Policies.
Transfer:
-Outsourcing certain IT or security functions to third-party providers, e.g. an MSP or a cloud provider.
-Cyber Insurance: Purchasing insurance policies that cover financial losses from cyber incidents, including data breaches, legal fees, and recovery costs.
Accept:
-Accepting the residual risk after implementing all feasible security controls. This is a strategic decision based on a thorough risk assessment.
-Accept risks that are low-impact, have a low likelihood of occurring, or when the cost of mitigation is too high compared to the potential damage.
-Legacy Systems: Continuing to use older systems that are costly to upgrade but have minimal exposure to critical threats.
-Review and Reassessment: Regularly review accepted risks to ensure they remain within acceptable levels and reassess them as the threat landscape evolves.
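The four treatments above are easier to apply consistently when the register itself computes them. The following is an added example (not part of the original notes) of a small risk register: each risk gets an inherent score, a residual score after the controls listed for it, and a recommended treatment. The 1-5 scales, the appetite and avoid thresholds, the probability mapping, the costs and the sample risks are all constructed assumptions; the decision order follows the notes (accept within appetite, transfer or accept when mitigation costs more than the expected damage, avoid what stays severe, otherwise mitigate).

```python
"""Risk register helper that scores each risk, applies its controls and
recommends one of avoid / mitigate / transfer / accept.
Added example, not from the original notes; scales, thresholds, costs and
sample risks are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Ordinal 1-5 scales (assumption); a risk score is likelihood * impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Rough annual probability for each likelihood rating (assumption).
ANNUAL_PROBABILITY = {1: 0.05, 2: 0.2, 3: 0.5, 4: 0.8, 5: 1.0}
RISK_APPETITE = 6     # residual score at or below this is acceptable (assumption)
AVOID_THRESHOLD = 16  # residual score at or above this is not worth running (assumption)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # rating steps removed from likelihood
    impact_reduction: int = 0      # rating steps removed from impact
    annual_cost: float = 0.0       # yearly cost of operating the control


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    loss_if_realised: float        # estimated cost of one occurrence (constructed)
    transferable: bool = False     # can be insured or outsourced
    controls: list[Control] = field(default_factory=list)


def inherent_score(r: Risk) -> int:
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def residual_score(r: Risk) -> int:
    """Score after the listed controls; a rating never drops below 1."""
    lik = LIKELIHOOD[r.likelihood] - sum(c.likelihood_reduction for c in r.controls)
    imp = IMPACT[r.impact] - sum(c.impact_reduction for c in r.controls)
    return max(lik, 1) * max(imp, 1)


def expected_annual_loss(r: Risk) -> float:
    return ANNUAL_PROBABILITY[LIKELIHOOD[r.likelihood]] * r.loss_if_realised


def recommend(r: Risk) -> str:
    residual = residual_score(r)
    control_cost = sum(c.annual_cost for c in r.controls)
    if residual <= RISK_APPETITE:
        return "accept"       # residual risk is within appetite
    if control_cost > expected_annual_loss(r):
        # Mitigation costs more than the damage it prevents: transfer it
        # (insurance / provider) where possible, otherwise accept it.
        return "transfer" if r.transferable else "accept"
    if residual >= AVOID_THRESHOLD:
        return "avoid"        # still severe after controls: stop the activity
    return "mitigate"         # controls are worth their cost: implement them


def assess(risks: list[Risk]) -> dict[str, tuple[int, int, str]]:
    """Map each risk name to (inherent score, residual score, treatment)."""
    return {r.name: (inherent_score(r), residual_score(r), recommend(r)) for r in risks}


def sample_register() -> list[Risk]:
    """Constructed sample risks, one per treatment outcome."""
    return [
        Risk("Ransomware on file servers", "likely", "severe", 500_000, True,
             [Control("Offline backups", impact_reduction=2, annual_cost=20_000),
              Control("MFA on remote access", likelihood_reduction=1, annual_cost=5_000)]),
        Risk("Legacy HR system", "unlikely", "minor", 5_000),
        Risk("Unvetted browser plugins", "likely", "major", 100_000),
        Risk("DDoS on public website", "possible", "major", 30_000, True,
             [Control("On-prem DDoS appliance", impact_reduction=1, annual_cost=40_000)]),
    ]


if __name__ == "__main__":
    for name, (inh, res, action) in assess(sample_register()).items():
        print(f"{name:28} inherent={inh:2} residual={res:2} -> {action}")
```

Run as a script it prints one line per risk; the legacy system lands on accept, the plugins on avoid, the DDoS case on transfer because the appliance costs more per year than the expected loss, and ransomware on mitigate. The thresholds are the part a real organisation has to set for itself; the structure (score, apply controls, compare cost to expected loss) is the reusable piece.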
Frameworks:
NIST Special Publication (SP) 800-39 (Managing Information Security Risk: Organization, Mission, and Information System View):
Provides comprehensive guidance for managing information security risk across an organization. Key points:
Components:
-Risk Framing: Establishing the context for risk-based decisions.
-Risk Assessment: Identifying and evaluating risks to information systems.
-Risk Response: Determining appropriate actions to address identified risks.
-Risk Monitoring: Continuously overseeing the risk environment and the effectiveness of risk responses.
-Integration with Other Standards: SP 800-39 complements other NIST standards and guidelines, providing a holistic view of risk management.
-Applicability: While primarily designed for federal information systems, the principles and practices can be applied by any organization seeking to improve its information security risk management.
*https://csrc.nist.gov/pubs/sp/800/39/final
Threat Modelling:
Threat modeling is a structured process used to identify, assess, and address potential security threats to a system or application. Here are the key aspects:
Purpose:
The main goal is to understand the security risks and vulnerabilities within a system and to develop strategies to mitigate these risks.
Process:
-Identify Assets: Determine what needs protection, such as data, systems, or applications.
-Create an Architecture Overview: Diagram the system to understand how data flows and where potential vulnerabilities might exist.
-Identify Threats: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to categorize potential threats.
-Mitigate Threats: Develop and implement strategies to reduce or eliminate identified threats.
-Validate: Continuously review and update the threat model to ensure it remains effective as the system evolves.
Benefits:
-Early Risk Identification: Helps identify security issues early in the development process, making them easier and cheaper to fix.
-Improved Security Awareness: Encourages a security-first mindset among developers and stakeholders.
-Enhanced System Understanding: Provides a deeper understanding of the system’s architecture and potential attack vectors.
Applications:
Threat modeling can be applied to various domains, including software applications, networks, IoT devices, and business processes.
Types:
STRIDE Model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service (DoS), Elevation of Privilege)
*https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
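The "Create an Architecture Overview" and "Identify Threats" steps above can be mechanised: draw the system as elements and data flows with trust zones, then apply STRIDE per element. The following is an added example written for these notes; it is not code from the original notes or from Microsoft's Threat Modeling Tool. The element-to-category table is the commonly published STRIDE-per-element mapping (external entities: S, R; processes: all six; data stores and flows: T, I, D, plus R for stores that hold audit logs), and the three-tier web application it models is constructed.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.
Added example, not code from the original notes or from Microsoft's tool.
The element mapping is the published STRIDE-per-element table; the sample
system is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information Disclosure", "D": "Denial of Service",
         "E": "Elevation of Privilege"}

# Categories that typically apply to each element type (STRIDE-per-element).
# Data stores only get Repudiation when they hold audit logs (see below).
STRIDE_PER_ELEMENT = {Kind.EXTERNAL: "SR", Kind.PROCESS: "STRIDE",
                      Kind.STORE: "TID", Kind.FLOW: "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    trust_zone: str           # e.g. "internet", "dmz", "internal"
    audit_log: bool = False   # store holds logs an intruder would want to erase


@dataclass(frozen=True)
class Flow:
    name: str
    source: Element
    target: Element


def element_threats(e: Element) -> list[tuple[str, str]]:
    letters = STRIDE_PER_ELEMENT[e.kind]
    if e.kind is Kind.STORE and e.audit_log:
        letters += "R"
    return [(e.name, NAMES[c]) for c in letters]


def crosses_trust_boundary(f: Flow) -> bool:
    return f.source.trust_zone != f.target.trust_zone


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (element or flow name, STRIDE category) pairs. Flows that stay
    inside one trust zone are left out so the list focuses on boundaries."""
    threats = [t for e in elements for t in element_threats(e)]
    for f in flows:
        if crosses_trust_boundary(f):
            threats += [(f.name, NAMES[c]) for c in STRIDE_PER_ELEMENT[Kind.FLOW]]
    return threats


def sample_model() -> tuple[list[Element], list[Flow]]:
    """Constructed three-tier web application with three trust zones."""
    user = Element("Browser user", Kind.EXTERNAL, "internet")
    web = Element("Web app", Kind.PROCESS, "dmz")
    db = Element("Customer DB", Kind.STORE, "internal")
    logs = Element("Audit log", Kind.STORE, "internal", audit_log=True)
    backup = Element("Backup store", Kind.STORE, "internal")
    flows = [Flow("HTTPS request", user, web), Flow("SQL query", web, db),
             Flow("Log write", web, logs), Flow("Nightly backup", db, backup)]
    return [user, web, db, logs, backup], flows


if __name__ == "__main__":
    for name, category in enumerate_threats(*sample_model()):
        print(f"{name:16} {category}")
```

Each emitted pair is a question for the mitigation step ("how is Tampering on the SQL query flow prevented?"), which is what makes the list useful as a checklist rather than a finding. The internal-only backup flow is deliberately skipped; whether that is acceptable depends on how much the internal zone is trusted, which is exactly the kind of decision the architecture overview is meant to make visible.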
Diamond:
Breaks down an intrusion event into four key components.
-Adversary:
The individual or group responsible for the attack. This could be a hacker, a criminal organization, or even a nation-state.
-Infrastructure:
The tools and resources used by the adversary to carry out the attack. This includes servers, malware, and communication channels.
-Capability:
The methods and techniques used by the adversary. This could involve specific types of malware, phishing tactics, or other attack vectors.
-Victim:
The target of the attack, which could be an individual, organization, or system.
These components are interconnected, forming a diamond shape that helps analysts understand the relationships and dynamics of an intrusion.
How It Works:
-Event:
At the center of the diamond is the event, which is the actual occurrence of the intrusion.
-Meta-Features:
Additional details such as timestamps, geolocation, and other contextual information that provide deeper insights into the event.
Benefits:
-Comprehensive Analysis:
By examining each component, analysts can gain a thorough understanding of the attack.
-Improved Mitigation:
Understanding the adversary’s methods and infrastructure helps in developing effective defense strategies.
-Enhanced Communication:
The model provides a common language for discussing and documenting threats.
*https://www.threatintel.academy/wp-content/uploads/2020/07/diamond-model.pdf
*https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/diamond-model-intrusion-analysis/
*https://kravensecurity.com/diamond-model-analysis/
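The practical use of the four vertices and the meta-features is pivoting: events that share infrastructure or a capability are linked into an activity thread even when the adversary is still unknown. The following is an added example, not code from the original notes or from the papers linked above. It stores events as diamonds with a meta-feature dictionary, offers a pivot lookup, and links events through shared adversary, infrastructure or capability values (an assumption of this example: a shared victim alone is not treated as a link, and an "unknown" vertex never links anything). The events, timestamps and addresses are constructed; the IPs come from documentation ranges.

```python
"""Diamond-model event records with pivoting into activity threads.
Added example, not from the original notes or the cited papers; the sample
events and indicator values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str
    infrastructure: str
    capability: str
    victim: str
    meta: dict = field(default_factory=dict)  # timestamp, geolocation, phase...


# Vertices analysts pivot on to link events (assumption: victim alone is too
# weak a link and is left out; "unknown" is never evidence of a link).
PIVOT_VERTICES = ("adversary", "infrastructure", "capability")


def pivot(events: list[DiamondEvent], vertex: str, value: str) -> list[DiamondEvent]:
    """All events whose given vertex carries the given value."""
    return [e for e in events if getattr(e, vertex) == value]


def activity_threads(events: list[DiamondEvent]) -> list[list[str]]:
    """Group events connected through shared pivot vertices (union-find) and
    return each thread's event ids in timestamp order, earliest thread first."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for vertex in PIVOT_VERTICES:
        first_seen: dict[str, str] = {}
        for e in events:
            value = getattr(e, vertex)
            if value == "unknown":
                continue
            if value in first_seen:
                parent[find(e.event_id)] = find(first_seen[value])
            else:
                first_seen[value] = e.event_id

    groups: dict[str, list[DiamondEvent]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), []).append(e)
    threads = [sorted(g, key=lambda e: e.meta["timestamp"]) for g in groups.values()]
    threads.sort(key=lambda g: g[0].meta["timestamp"])
    return [[e.event_id for e in g] for g in threads]


def sample_events() -> list[DiamondEvent]:
    """Constructed events; ISO timestamps so string order is time order."""
    return [
        DiamondEvent("E1", "unknown", "203.0.113.10", "credential phishing page",
                     "Finance dept", {"timestamp": "2024-03-01T09:00Z", "geolocation": "n/a"}),
        DiamondEvent("E2", "unknown", "203.0.113.10", "macro-laden invoice document",
                     "HR dept", {"timestamp": "2024-03-02T11:30Z"}),
        DiamondEvent("E3", "unknown", "198.51.100.7", "macro-laden invoice document",
                     "HR dept", {"timestamp": "2024-03-03T08:15Z"}),
        DiamondEvent("E4", "unknown", "192.0.2.55", "SSH password guessing",
                     "Web server", {"timestamp": "2024-02-20T02:00Z"}),
    ]


if __name__ == "__main__":
    for thread in activity_threads(sample_events()):
        print(" -> ".join(thread))
```

E1 and E2 share infrastructure, E2 and E3 share a capability, so the three form one thread even though no two of them share everything; E4 stays separate. That is the "common language" benefit in practice: the thread, not the individual alert, is the unit an analyst documents and hands to the response team.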
Information Security Governance:
Overview:
Policies:
Definition: A high-level statement that outlines an organization’s intentions and direction regarding specific issues.
Example:
-A company policy might state that all employees must protect confidential information.
Standards:
Definition: Specific, measurable requirements that must be met to comply with a policy.
Example:
-A password standard specifies a required complexity.
Procedures:
Definition: Detailed, step-by-step instructions on how to implement policies and standards.
Example:
-A procedure might outline the steps for creating a secure password, including how to reset it if forgotten.
SECURITY POLICY:
Acceptable use
Password
Data Classification (by sensitivity and importance)
Change Management
Disaster Recovery