Risk Assessment

Risk assessment is the process of assessing security-related risks to an organization’s computers and networks from both internal and external threats. Such threats can prevent an organization from meeting its key business objectives. The goal of risk assessment is to identify which investments of time and resources will best protect the organization from its most likely and serious threats.

Steps of general security risk assessment


- Identify the set of IT assets about which the organization is most concerned. Priority is typically given to those assets that support the organization’s mission and the meeting of its primary business goals.

- Identify the loss events or the risks or threats that could occur, such as a distributed denial-of-service attack or insider fraud.

- Assess frequency of events or the likelihood of each potential threat; some threats, such as insider fraud, are more likely to occur than others.

- Determine the impact of each threat occurring. Would the threat have a minor impact on the organization, or could it keep the organization from carrying out its mission for a lengthy period of time.

- Determine how each threat can be mitigated so that it becomes much less likely to occur or, if it does occur, has less of an impact on the organization.

- Assess the feasibility of implementing the mitigation options.

- Perform a cost-benefit analysis to ensure that your efforts will be cost effective. No amount of resources can guarantee a perfect security system, so organizations must balance the risk of security breach with the cost of preventing one.

- Make the decision on whether or not to implement a particular countermeasure. If you decide against implementing a particular countermeasure, you need to reassess if the threat Is truly serious and, if so, identify a less costly countermeasure.


Establishing a Security Policy


A security policy defines an organization’s security requirement, as well as the controls and sanctions needed to meet those requirements. A good security policy delineates responsibilities and the behavior expected of members of the organization. A security policy outlines what needs to be done but not how to do it. The details of how to accomplish the goals of the policy are typically provided in separate documents and procedure guidelines.

The SANS (SysAdmin, Audit, Network, Security) Institute’s Web site offers a number of security-related policy templates that can help an organization to quickly develop effective security policies. The templates and other security policy information can be found at www.sans.org/security-resources/policies. The following is a partial list of the templates available from the SANS Institute:

Ethics Policy – This template defines the means to establish a culture of openness, trust, and integrity in business practices.
Information Sensitivity Policy—This sample policy defines the requirements for classifying and securing the organization’s information in a manner appropriate to its level of sensitivity.
Risk Assessment Policy—This template defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization’s information infrastructure associated with conducting business.
Personal Communication Devices and Voicemail Policy—This sample policy describes Information Security’s requirements for Personal Communication Devices and Voicemail.


Why do you need a Security Policy


Who is responsible for securing an organization's information?  Perhaps the Research and Evaluation department?  Not exactly.  The Management Information System (MIS) staff?  Wrong again.  Ultimately, it is not only individual employees or departments that are responsible for the security of confidential information, but also the institution itself. It is, therefore, incumbent upon top administrators, who are charged with protecting the institution's best interests, to ensure that an appropriate and effective security policy is developed and put into practice throughout the organization.


How to Develop Policy


• Identify sensitive information and critical systems
• Incorporate local, state, and federal laws, as well as relevant ethical standards
• Define institutional security goals and objectives
• Set a course for accomplishing those goals and objectives
• Ensure that necessary mechanisms for accomplishing the goals and objectives are in place



Steps to Creating a Secure IT Environment


- Policies and Procedures

Policies and procedures are the cornerstones of your IT governance. This is the “what is going to happen and how is going to happen” of your security posture, and from the big picture your entire IT infrastructure. Creating a solid policy and procedure document or documents will provide your organization with an IT and security blueprint for your initial build, maintenance, management and remediation of issues. Solid policy and procedure manual(s) will also prepare the environment to work within any framework and meet compliance requirements.

Mobile Protection, Remote Access, and Virtual Private Networks (VPN)

• Mobile devices are more popular than ever, especially as millennials become more prevalent in the workplace. This creates an especially unique situation for InfoSec pros who are tasked with securing modern environments.

• The options for securing these environments is growing on an almost daily basis. From mobile device management (MDM) to wireless networks that prevent devices from connecting to the network unless they pass authentication and a scan to ensure the mobile device meets the preset requirements. Examples include not allowing 3rd party downloads outside of the prescribed manufacturers’ store, ensuring anti-virus and anti-malware is installed and up to date and ensuring the mobile operating systems is updated to the prescribed revision range.

- Multi-Factor Authentication (MFA)

The industry is full of MFA providers, from Google Authenticate to Yubikey and many others. Whether it’s token based, hardware or biometric-based, MFA it is important to understand that the second form of authentication needs to be separate from the initial authentication system and it needs to be secure. For example, biometric authentication is very popular, but if it is simply used as a shortcut to enter an insecure password then it is not a secure solution.


- Backup and Disaster Recovery


• Backup and disaster recovery (BDR) services are essential to an organization’s incident planning to stay up and running in the event of a major catastrophe. BDR consists of backup and recovery of key IT systems and planning for the continuance of operations in the event that the organization encounters catastrophic events. Such events may that cause the corporate or remote locations to become inoperable, destroyed or infected with destructive malware such as ransomware.

• When choosing a BDR service you absolutely need to ensure that they will meet the organization’s needs 100%. Ensure that they provide a Service Level Agreement (SLA) of a minimum of 99.999% reliability.

- Technical Training

• Every website in the security industry has several articles about the shortage of good technical talent for the security industry.

• Organizations now recognize that investment in security is a necessity. Yet with a current estimated 350,000 open cybersecurity positions in the US, and a predicted global shortfall of 3.5 million cybersecurity jobs by 2021 — according to Cybersecurity Ventures — the industry clearly has a massive problem regarding supply and demand.

End User Security Awareness Training

• Last but definitely not least. If you ask any security professional, IT person and most managers what the weakest link in any environment is - their answer will be a resounding “The End Users”.

• So how do you fix that? 90% of all end users want to do the right thing but they just don’t know how. Most people do not come with the built-in skepticism to doubt everything and look for proof. Therefore you have hundreds of thousands of breaches each year, simply because an unknowing end user clicked on a link that downloaded a virus, malware or botnet. Train your end users and it will make your life easier.


Prevention

No organization can ever be completely secure from attack. The key is to implement a layered security solution, if an attacker breaks through one layer of security, there is another layer to overcome.

- Installing a Corporate Firewall

Installation of a corporate firewall is the most common security precaution taken by businesses. A firewall stands guard between an organization’s internal network and the Internet, and it limits network access based on the organization’s access policy.


- Intrusion Prevention System

An intrusion prevention system (IPS) – sometimes referred to as an intrusion detection prevention system (IDPS) – is a network security technology and key part of any enterprise security system that continuously monitors network traffic for suspicious activity and takes steps to prevent it. Largely automated, IPS solutions help filter out this malicious activity before it reaches other security devices or controls, effectively reducing the manual effort of security teams and allowing other security products to perform more efficiently.


How intrusion prevention system works?

Unlike its predecessor the intrusion detection system (IDS) – which is a passive system that scans traffic and reports back on threats – the IPS is placed inline, directly in the flow of network traffic between the source and destination. Usually sitting right behind the firewall, the solution is actively analyzing and taking automated actions on all traffic flows that enter the network. These actions can include:

• Sending an alarm to the administrator (as would be seen in an IDS)
• Dropping the malicious packets
• Blocking traffic from the source address
• Resetting the connection
• Configuring firewalls to prevent future attacks


Types of Intrusion Prevention Systems

There are several types of IPS solutions, which can be deployed for different purposes. These include:

Network intrusion prevention system (NIPS), which is installed only at strategic points to monitor all network traffic and proactively scan for threats.

Host intrusion prevention system (HIPS), which is installed on an endpoint and looks at inbound and outbound traffic from that machine only. Often combined with NIPS, an HIPS serves as a last line of defense for threats.

Network behavior analysis (NBA) analyzes network traffic to detect unusual traffic flows and spot new malware or zero-day vulnerabilities.

Wireless intrusion prevention system (WIPS) simply scans a Wi-Fi network for unauthorized access and removes any unauthorized devices from the network.


- Installing Antivirus Software on Personal Computers

Antivirus software should be installed on each user’s personal computer to scan a computer’s memory and disk drives regularly for viruses. Antivirus software scans for a specific sequence of bytes, known as a virus signature, that indicates the presence of a specific virus.


- Implementing Safeguards Against Attacks by Malicious Insiders

User accounts that remain active after employees leave a company are potential security risks. To reduce the threat of attack by malicious insiders, IT staff must promptly delete the computer accounts, login IDs, and passwords of departing employees and contractors.


Detection
Even when preventive measures are implemented, no organization is completely secure from a determined attack. Thus, organizations should implement detection systems to catch intruders in the act. Organizations often employ an intrusion detection system to minimize the impact of intruders.


Response

An organization should be prepared for the worst—a successful attack that defeats all or some of a system’s defenses and damages data and information systems. A response plan should be developed well in advance of any incident and be approved by both the organization’s legal department and senior management. A well-developed response plan helps keep an incident under technical and emotion control.

Comments