Understanding Risk Management in IT Infrastructure

Posted on Sep 3, 2024 in Other subjects

Risk and Its Impact on Business

Understanding Risk

Risk is the likelihood of a loss occurring when a threat exposes a vulnerability. Losses can range from small to severe, potentially causing significant damage to a business.

  • Threat: Any activity posing a possible danger.
  • Vulnerability: A weakness that can be exploited.
  • Loss: A compromise of business functions or assets, resulting in tangible (cost) or intangible (goodwill) damages.

Compromise of Business Assets

  • Assets are anything with measurable value to a company.
  • Risk arises when an asset’s value (tangible or intangible) is at stake.

Example: Website Downtime

A company generates $5,000 per hour in revenue through its website. If the website experiences a two-hour outage with a $1,000 repair cost, the losses are:

  • Tangible Value: Lost revenue ($5,000 * 2) + Repair cost ($1,000) = $11,000
  • Intangible Value: Future lost revenue, customer acquisition cost, and negative customer influence.

Risk as a Driver of Business Cost

  • Risk significantly influences business costs. Identifying risks allows for mitigation strategies.
  • Countermeasures or controls often manage risks.
  • Managing risk costs must be factored into total business costs. Finding the balance is crucial:
    • Excessive spending on risk reduction can diminish profits.
    • Insufficient spending on countermeasures can lead to avoidable losses from threats and vulnerabilities.

Profitability vs. Survivability

  • Profitability is a company’s capacity to generate profit. Losses can severely impact profitability, even leading to business failure.
  • Survivability is a company’s ability to withstand losses caused by risks. While a loss may occur, it shouldn’t cripple the business entirely.
  • Risk managers must consider: out-of-pocket costs, lost opportunity costs, future costs, and client/stakeholder confidence.

Example: Antivirus Software Management

Having a comprehensive plan for managing antivirus software is essential for both profitability and survivability.

Seven Domains of a Typical IT Infrastructure

  1. User Domain: Encompasses usernames, passwords, biometric authentication, and social engineering aspects.
  2. Workstation Domain: Includes end-user systems like laptops, desktops, and cell phones.
  3. LAN Domain: Covers equipment forming an internal LAN, such as hubs, switches, and media.
  4. LAN-WAN Domain: Represents the transition zone between LAN and WAN, including routers and firewalls.
  5. WAN Domain: Includes routers and circuits connecting the wide area network.
  6. System/Application Domain: Encompasses applications running on the network, such as email, databases, and web applications.
  7. Remote Access Domain: Defines how remote or mobile users access the network, like through a Virtual Private Network (VPN).

Threats, Vulnerabilities, and Impact

Understanding the Relationship

  • Threats exploit vulnerabilities, leading to losses.
  • While threats cannot be entirely eliminated, they can be controlled.
  • Threats have independent probabilities of occurrence, often unaffected by organizational actions.
  • Threats aim to exploit vulnerabilities, potentially compromising the confidentiality, integrity, or availability of business assets.
  • A vulnerability is a weakness—procedural, technical, or administrative—that can be exploited.
  • Vulnerabilities can exist in physical, technical, or operational security.
  • Not all vulnerabilities result in losses. A loss occurs when an attacker successfully exploits a vulnerability.
  • Impact refers to the severity of the loss.

Risk Management: A Continuous Process

Risk management involves identifying, assessing, controlling, and mitigating risks. Threats and vulnerabilities are the primary drivers of risk.

Risk Management Elements/Process

  1. Identify risks
  2. Assess risks
  3. Select controls
  4. Implement and test controls
  5. Evaluate controls

Risk management aims to minimize identifiable risks and implement appropriate controls. It does not strive for complete risk elimination, as that is often impractical.

Balancing Risk and Cost for Profitability and Survivability

  • Consider both the cost of implementing a control and the cost of not implementing it.
  • While risk management spending rarely directly adds profit, it is crucial for ensuring business survivability.
  • The cost of managing a risk must be weighed against its potential impact.

Reasonableness in Risk Management

  • Reasonableness is a test to determine if a risk warrants management.
  • Risks failing the reasonableness test are accepted.

Examples:

  • Threat of nuclear war
  • Threat of hurricanes or earthquakes in regions prone to them

Varying Perceptions of Risk

Different roles within an organization often have varying perceptions of risk:

  • Management: Primarily concerned with the cost of risk.
  • System Administrator: Focused on locking down systems.
  • Tier 1 Administrator: Prioritizes system availability.
  • Developer: Often grapples with integrating security into design versus adding it as an afterthought.
  • End User: Most concerned with usability.

Addressing these diverse perceptions through targeted training is essential for effective risk management.

Risk Identification Process

  1. Identify threats
  2. Identify vulnerabilities
  3. Estimate the likelihood of a threat exploiting a vulnerability

Understanding Threats

  • A threat is any activity presenting a possible danger.
  • In IT, threats can adversely impact confidentiality, integrity, and availability (CIA).
  • Effective risk management requires comprehensive knowledge of threats.

The Uncontrollable Nature of Threats

  • Threats cannot be entirely eliminated; they are ever-present.
  • You cannot directly control the threat itself.
  • You can take actions to reduce the likelihood of a threat occurring and minimize its impact.

Types of Threats

Unintentional Threats

  • Environmental: Fire, wind, lightning, flooding, accidents, equipment failures
  • Human: Keystroke errors, procedural errors, programming bugs

Intentional Threats

  • Driven by greed, anger, or the desire to cause damage
  • Common attackers include: criminals, advanced persistent threats (APTs), vandals, saboteurs, disgruntled employees, activists, other nations, and hackers

Best Practices for Managing Threats

  • Create a comprehensive security policy.
  • Purchase appropriate insurance.
  • Implement access controls.
  • Utilize automation.
  • Include input validation.
  • Provide regular security training.
  • Use antivirus software.
  • Secure the network boundary.

Understanding and Managing Vulnerabilities

  • Countermeasures reduce risk and potential losses by mitigating vulnerabilities and minimizing the impact of losses.

Threat/Vulnerability Pair

  • Occurs when a threat successfully exploits a vulnerability.
  • A vulnerability provides a pathway for the threat, leading to a harmful event or loss.
  • Both the threat and the vulnerability must coincide for a loss to occur.

Example 1: Fire Hazard

  • Threat Source: Fire or negligence
  • Vulnerability: Lack of sprinklers, inadequate fire suppression measures
  • Loss: Potential total business loss
  • Mitigation: Install and maintain a functional sprinkler system

Example 2: Unauthorized Access

  • Threat Source: Unauthorized users (e.g., hackers)
  • Vulnerability: System design flaws, unpatched vulnerabilities
  • Loss: Compromise of data confidentiality, integrity, and availability
  • Mitigation: Implement strong authentication, access controls, and regular patching

Vulnerability Mitigation Techniques

  • Policies and procedures
  • Documentation
  • Training
  • Separation of duties
  • Configuration management
  • Version control
  • Patch management
  • Intrusion detection
  • System hardening
  • Incident response
  • Continuous monitoring
  • Technical controls
  • Physical controls

Best Practices for Managing Vulnerabilities

  • Proactively identify vulnerabilities.
  • Match threat/vulnerability pairs.
  • Implement appropriate mitigation techniques.
  • Conduct regular vulnerability assessments.

Understanding and Managing Exploits

  • An exploit leverages a vulnerability to compromise a system, application, or data.
  • Exploits often involve executing code against IT systems, taking advantage of weaknesses.
  • Public-facing servers are common targets, including web servers, email servers (SMTP), and file transfer servers (FTP).

Common Exploits Targeting Public-Facing Servers

  • Buffer overflow
  • SQL injection
  • Denial of Service (DoS) attacks
  • Distributed Denial of Service (DDoS) attacks

Risk Mitigation Techniques for Public-Facing Servers

  • Remove or change default configurations.
  • Reduce the attack surface.
  • Keep systems up to date with patches.
  • Enable firewalls.
  • Implement intrusion detection systems (IDSs) and intrusion prevention systems (IPSs).
  • Install and maintain antivirus software.

Best Practices for Managing Exploits

  • Harden servers.
  • Use configuration management tools.
  • Conduct regular risk assessments.
  • Perform vulnerability assessments.

U.S. Government Risk Management Initiatives

Several U.S. government agencies and initiatives focus on risk management and cybersecurity:

  • National Institute of Standards and Technology (NIST)
  • Department of Homeland Security (DHS)
  • National Cybersecurity and Communications Integration Center (NCCIC)
  • U.S. Computer Emergency Readiness Team (US-CERT)
  • MITRE Corporation – Common Vulnerabilities and Exposures (CVE) List

U.S. Compliance Laws

While the U.S. lacks a single comprehensive data protection law, numerous federal laws address specific data types, requiring organizations to implement security controls. Compliance is mandatory.

Key U.S. Compliance Laws

  • Federal Information Security Management Act (FISMA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOX)
  • Family Educational Rights and Privacy Act (FERPA)
  • Children’s Internet Protection Act (CIPA)

Privacy and Information Security

  • Privacy: An individual’s right to control the use and disclosure of their personal information.
  • Control: Individuals can decide how their data is collected, used, and shared.
  • Information Security: Processes and measures to protect data privacy. Security is the means; privacy is the outcome.

Federal Information Security

The U.S. government, as a significant information creator and user, holds data critical for operations, business functions, and national security.

Federal Information Security Management Act (FISMA)

  • Enacted in 2002 to safeguard federal agency data.
  • Federal agencies are responsible for:
    • Protecting IT systems and data
    • Complying with FISMA requirements
    • Integrating security into all processes
  • Annual inspections include:
    • IT system effectiveness testing
    • Security risk assessments and reporting

Health Insurance Portability and Accountability Act (HIPAA)

  • Covers any organization handling health data, including medical facilities, insurance companies, and businesses with health plans.
  • Privacy Rule: Dictates how covered entities protect the privacy of protected health information (PHI). Consent is required for use and disclosure, with exceptions.
  • Security Rule: Mandates safeguards to protect electronic protected health information (ePHI), including an information security program and adherence to security principles.

Gramm-Leach-Bliley Act (GLBA)

  • Enacted in 1999, addressing the merger of banking and insurance institutions.
  • Key IT security aspects:
    • Financial Privacy Rule: Requires notifying customers about privacy practices, including data collection and sharing.
    • Safeguards Rule: Mandates a security plan to protect customer information, ensuring data confidentiality, integrity, and risk management. Employee training is essential.

Sarbanes-Oxley Act (SOX)

  • Enacted in 2002, applicable to publicly traded companies.
  • Holds executives and board members accountable for financial data accuracy, with penalties for inaccuracies.
  • CEOs and CFOs must verify and prove the accuracy of financial statements.
  • Section 404: Focuses on data accuracy, requiring internal controls, and internal and external audit reports for compliance verification.

Family Educational Rights and Privacy Act (FERPA)

  • Enacted in 1974, protecting the privacy of student education and health records.
  • Applies to schools receiving U.S. Department of Education funding.
  • Grants parents (and students over 18) rights to inspect and request corrections to records.
  • Protects personally identifiable information (PII), requiring consent for disclosure, with exceptions.

Children’s Internet Protection Act (CIPA)

  • Enacted in 2000, limiting access to offensive content on school and library computers receiving E-Rate funding.
  • Requires schools and libraries to:
    • Block or filter access to inappropriate content (obscene, child pornography, harmful to minors)
    • Monitor online activity of minors
    • Implement an internet safety policy

U.S. Compliance Regulatory Agencies

  • Securities and Exchange Commission (SEC): Regulates the securities industry, including stocks, bonds, and options trading.
  • Federal Deposit Insurance Corporation (FDIC): Promotes confidence in U.S. banks, insuring deposits up to $250,000 and preventing bank runs.
  • Department of Homeland Security (DHS): Protects the U.S. from terrorist attacks and responds to natural disasters. Key divisions include:
    • Office of Cybersecurity and Communications
    • National Cybersecurity and Communications Integration Center (NCCIC)
    • United States Computer Emergency Readiness Team (US-CERT)
  • State Attorney General (AG): Primary legal advisor and chief law enforcement officer for the state. Responsibilities vary by state.
  • U.S. Attorney General (DOJ): Enforces federal laws, defends U.S. interests, ensures public safety, combats crime, and promotes fair justice.

Organizational Policies for Compliance: Fiduciary Responsibility

  • Fiduciary: A relationship of trust where one party acts in the best interests of another, avoiding conflicts of interest.
  • Examples: Attorney-client, CEO-board of directors, shareholders-board of directors
  • Due diligence (identifying risks) and due care (protecting against risks) are crucial.

Elements of an Organizational Policy

  • Mandatory Vacations: Reduce fraud and embezzlement risks by requiring employees to take time off, allowing others to review their work.
  • Job Rotation: Provides oversight and uncovers suspicious activity by having different employees handle tasks.
  • Separation of Duties: Prevents fraud, theft, and errors by ensuring no single person controls an entire process. Also mitigates conflicts of interest.
  • Acceptable Use Policy (AUP): Defines acceptable use of IT systems and data.

Industry Standards and Frameworks

Various standards and frameworks guide risk management and IT security practices:

  • PCI DSS (Payment Card Industry Data Security Standard)
  • NIST (National Institute of Standards and Technology) frameworks
  • GAISP (Generally Accepted Information Security Principles)
  • COBIT (Control Objectives for Information and Related Technologies)
  • ISO/IEC 27000 series (Information Security Management Systems)
  • ITIL (Information Technology Infrastructure Library)
  • CMMI (Capability Maturity Model Integration)
  • RMF (Risk Management Framework)
  • DoD (Department of Defense) standards

PCI DSS (Payment Card Industry Data Security Standard)

  • Created by the Payment Card Industry Security Standards Council (American Express, Discover, JCB, Mastercard, Visa) to prevent cardholder data theft.
  • Merchants handling cardholder data must comply.
  • Establishes goals and processes for:
    • Building and maintaining a secure network
    • Protecting cardholder data
    • Maintaining a vulnerability management program
    • Implementing strong access controls
    • Regularly monitoring and testing networks
    • Maintaining an information security policy

COBIT (Control Objectives for Information and Related Technologies)

  • Provides a framework for IT governance and management.
  • Key areas include:
    • Strategic alignment
    • Value delivery
    • Resource management
    • Risk management
    • Performance measurement

ITIL (Information Technology Infrastructure Library)

  • A set of best practices for IT service management.
  • Lifecycle phases:
    • Service strategy
    • Service design
    • Service transition
    • Service operation
    • Continual service improvement

CMMI (Capability Maturity Model Integration)

  • Focuses on improving organizational processes.
  • Areas of interest:
    • Product and service development
    • Service establishment, management, and delivery
    • Product and service acquisition

Risk Management Framework (RMF) for DoD IT

  • Replaced DIACAP in 2014.
  • Six steps:
    • Categorize system
    • Select security controls
    • Implement security controls
    • Assess security controls
    • Authorize system
    • Monitor security controls

Objectives of a Risk Management Plan

A risk management plan serves as a roadmap, outlining:

  • Threats
  • Vulnerabilities
  • Risk costs
  • Mitigation recommendations
  • Recommendation costs
  • Cost-benefit analysis
  • Reports/documentation

It’s a living document, adaptable throughout the risk management process.

Key Steps in Risk Management Planning

  1. Identify threats
  2. Identify vulnerabilities
  3. Define scope and assign responsibilities
  4. Identify costs
  5. Provide recommendations
  6. Identify recommendation costs
  7. Conduct a cost-benefit analysis (CBA)
  8. Document accepted recommendations
  9. Track implementation
  10. Create a plan of action and milestones (POAM)

Defining Scope and Responsibilities

  • Scope: Defines the plan’s boundaries. Scope creep (uncontrolled changes) can lead to cost overruns and missed deadlines. Stakeholder involvement is crucial for scope management.
  • Responsibilities: Assigning responsibilities ensures accountability. Entities must have the authority to complete assigned tasks. Use tools like affinity diagrams to organize and assign responsibilities effectively.

Describing Procedures and Schedules

  • Provide detailed solutions for each threat and vulnerability, aiming for risk mitigation.
  • Outline steps, timelines, and responsible parties for each solution.
  • Management is responsible for choosing controls and managing residual risk.

Reporting Requirements

  • Reports inform management decisions on recommendations.
  • Categories:
    • Presenting recommendations
    • Documenting management responses (accept, defer, modify)
    • Tracking implementation of accepted recommendations
    • Creating a POAM for task and milestone tracking

Cost-Benefit Analysis (CBA)

  • Determines how to manage risk by comparing control costs with potential benefits.
  • Includes:
    • Recommendation cost (initial and ongoing)
    • Projected benefits (financial gains or losses reduced)
  • Management makes informed decisions based on CBA findings.
  • Accurate cost estimation is crucial for reliable CBA.

Risk Statements

  • Communicate risks and their potential impact using”if/the” statements.
  • Example:”If antivirus software is not installed, then the server is at high risk of infection, potentially leading to downtime and lost sales”
  • Align risk statements with project scope and objectives.

Plan of Action and Milestones (POAM)

  • Tracks progress, assigns task responsibilities, and facilitates management follow-up.
  • Essential for audited projects.
  • A living document that evolves with the project.

Documenting Management Response

  • Document management decisions on recommendations (accept, defer, modify) to ensure clarity and prevent misinterpretations over time.

Techniques of Risk Management

  • Avoidance
  • Mitigation
  • Cost-Benefit Analysis
  • Residual Risk Acceptance
  • Transfer (e.g., insurance)

Risk Assessment (RA)

  • A systematic process to identify and evaluate risks.
  • Determines the quantitative or qualitative value of risks.
  • Helps prioritize safeguards (controls).
  • Essential for evaluating risks and controls.
  • Determines acceptable risk levels and resource allocation.

Importance of Risk Assessment

  • Identifies critical systems and assets for protection.
  • Provides insights into the effectiveness of controls.

When to Conduct Risk Assessments

  • When evaluating risks
  • When evaluating controls
  • Periodically after control implementation

Steps in Risk Assessment

  1. Identify threats and vulnerabilities.
  2. Determine the likelihood of risk occurrence.
  3. Assess asset values.
  4. Determine the impact of risks.
  5. Evaluate the usefulness of controls.

Critical Components of Risk Assessment

Identify scope of assessment Identify critical areas Identify team

Quantitative RAs Calculates absolute financial values, losses, and costs Qualitative RAs Calculates relative values, losses, and costs

Quantitative Risk Assessment ▪ An objective method that uses numbers such as dollar values ▪ It require collecting substantial amount of data ▪ Results can help you: • Identify the priority of risks • Determine the effectiveness of controls

Quantitative Risk Assessment Key Measures Single loss expectancy (SLE): The total loss expected from a single incident Annual rate of occurrence (ARO): The number of times an incident is expected to occur in a year Annual loss expectancy (ALE): The expected loss for a year = SLE × ARO Safeguard value: The cost of a control

Quantitative Risk Assessment Benefits ▪ Becomes a simple math problem ▪ Provides a cost-benefit analysis (CBA) • Accurate values for SLE, ARO, and safeguard value let’s you calculate CBA ▪ Management often familiar with quantitative assessment terminology; easy to grasp details of the assessment and its recommendations ▪ Formulas use verifiable and objective measurements

Quantitative Risk Assessment Limitations ▪ Accurate data isn’t always available • Especially true when identifying ARO reductions • In previous example, how accurate is the assumption that HW lock will reduce ARO from 4 to 1? ▪ Ensuring that people use the control as expected • May need to take additional steps, such as creating policies or provide training, to ensure users are aware of the importance of the control

Qualitative Risk Assessment Risk Level based on Probability The likelihood that a threat will exploit a vulnerability Impact The negative result if a risk occurs

Risk Level=Probability X Impact

Qualitative Risk Assessment Benefits ▪ Uses the opinions of experts ▪ Is easy to complete ▪ Uses words that are easy to express and understand

Qualitative Risk Assessment Limitations ▪ Subjective ▪ Based on expertise of the experts • Value of the assessment is only as valuable as the expertise of the experts ▪ No CBA ▪ No real standards

Comparing Assessment Methods Quantitative ▪Objective ▪Monetary values ▪Historical data ▪Key terms: • SLE, ARO, ALE Qualitative ▪Subjective ▪Word values ▪Expert opinions ▪Key terms: • Probability and impact

Steps Used in Risk Assessments Identify assets and activities to address. Identify and evaluate relevant threats. Identify and evaluate relevant vulnerabilities. Identify and evaluate relevant countermeasures. Assess threats, vulnerabilities, and exploits. Evaluate risks. Develop and present recommendations