UNIVERSITY OF CALOOCAN CITY

COLLEGE OF BUSINESS and ACCOUNTANCY

INFORMATION SECURITY & MANAGEMENT

PROFESSOR: DR. GEORGETTE CARPIO-BALAJADIA, CPA

LEARNING MODULE #: 2

WEEK: 3

TOPIC: INFORMATION SECURITY RISK MANAGEMENT

LEARNING OBJECTIVES:

To assess information security risks and treat information security risks to an

acceptable level

Threats and Vulnerabilities: A Brief Overview

A vulnerability is a weakness in a system, system security procedure, internal controls, or
implementation that could be exploited by a threat source. Vulnerabilities leave systems
susceptible to a multitude of activities that can result in significant and sometimes irreversible
losses to an individual, group, or organization. These losses can range from a single damaged
file on a laptop computer or mobile device to entire databases at an operations center being
compromised. With the right tools and knowledge, an adversary can exploit system
vulnerabilities and gain access to the information stored on them. The damage inflicted on
compromised systems can vary depending on the threat source.
Threat Source – The intent and method targeted at the intentional exploitation of a
vulnerability or a situation and method that may accidentally exploit a vulnerability.
A threat source can be adversarial or non-adversarial. Adversarial threat sources are
individuals, groups, organizations, or entities that seek to exploit an organization’s
dependence on cyber resources. Even employees, privileged users, and trusted users have
been known to defraud organizational systems. Non-adversarial threat sources refer to
natural disasters or erroneous actions taken by individuals in the course of executing their
everyday responsibilities.
If the system is vulnerable, threat sources can lead to threat events. A threat event is an
incident or situation that could potentially cause undesirable consequences or impacts. An
example of a threat source leading to a threat event is a hacker installing a keystroke monitor
on an organizational system. The damage that threat events may cause on systems varies
considerably. Some affect the confidentiality and integrity of the information stored in a
system while others only affect the availability of the system.
In order to protect a system from risk and to implement the most cost-effective security
measures, system owners, managers, and users need to know and understand the
vulnerabilities of the system as well as the threat sources and events that may exploit the
vulnerabilities. When determining the appropriate response to a discovered vulnerability, care
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

should be taken to minimize the expenditure of resources on vulnerabilities where little or no

threat is present.

Examples of Adversarial Threat Sources and Events

The previous section defined threat sources and threat events. This section provides several
examples of each followed by a description.

Fraud and Theft

Systems can be exploited for fraud and theft by “automating” traditional methods of fraud or
by utilizing new methods. System fraud and theft can be committed by insiders (i.e.
authorized users) and outsiders. Authorized system administrators and users with access to
and familiarity with the system (e.g., resources it controls, flaws) are often responsible for
fraud. An organization’s former employees also pose a threat given their knowledge of the
organization’s operations particularly if access is not terminated promptly.
Financial gain is one of the chief motivators behind fraud and theft, but financial systems are
not the only systems at risk. There are several techniques that an individual can use to gather
information they would otherwise not have had access to. Some of these techniques include:
• Social Media. The ubiquity of social media (e.g., Facebook, Twitter, LinkedIn) has
allowed cyber criminals to exploit the platform to conduct targeted attacks. Using
easily-made, fake, and unverified social media accounts, cyber criminals can
impersonate co-workers, customer service representatives, or other trusted
individuals in order to send links to malicious code that steal personal or sensitive
organizational information. Social media exacerbates the ongoing issue of fraud, and
organizations should see it as a serious concern when implementing systems. Social
media accounts provide a means of gathering contact information, interests, and
personal connections of a targeted individual which in turn can be used to conduct a
social engineering attack.
• Social Engineering. Social engineering, in the context of information security, is a
technique that relies heavily on human interaction to influence an individual to violate
security protocol and encourages the individual to divulge confidential information.
These types of attacks are commonly committed via phone or online. Attacks
perpetrated over the phone are the most basic social engineering attacks being
committed. For example, an attacker may mislead a company into believing the
attacker is an existing customer and have that company divulge information about
that customer. Online, this technique is called phishing–an email-based attack
intended to trick individuals into performing an action beneficial to the attacker (e.g.,
clicking a link or divulging personal information). Social engineering online attacks can
also be accomplished by using attachments that contain malicious code, which target
an individual’s address book. The information obtained allows the attacker to send
malicious code to all the contacts in the victim’s address book, propagating the damage
of the initial attack.
• Advanced Persistent Threat (APT). An advanced persistent threat is a long-term intrusion
that attempts to gain access to specific data and information. Instead of trying to cause
damage, APT attacks are designed to harvest information from the network or target.
Some APT attacks can be so complicated that to remain undetected by intrusion
detection systems (IDSs) in the network, they require around the clock rewriting of
the code by an administrator. Once enough information about the network has been
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

gathered, the attacker can create a back door, which is a way of bypassing security
mechanisms in systems, and gain undetected access to the network. An external
command and control system is then used by the attacker to continuously monitor the
system to extract information.

Insider Threat
Employees can represent an insider threat to an organization given their familiarity with the
employer’s systems and applications as well as what actions may cause the most damage,
mischief, or disorder. Employee sabotage—often instigated by knowledge or threat of
termination—is a critical issue for organizations and their systems. In an effort to mitigate the
potential damage caused by employee sabotage, the terminated employee’s access to IT
infrastructure should be immediately disabled, and the individual should be escorted off
company premises.
Examples of system-related employee sabotage include, but are not limited to:
• Destroying hardware or facilities;
• Planting malicious code that destroys programs or data;
• Entering data incorrectly, holding data, or deleting data;
• Crashing systems; and
• Changing administrative passwords to prevent system access.

Malicious Hacker
Malicious hacker is a term used to describe an individual or group who use an understanding
of systems, networking, and programming to illegally access systems, cause damage, or steal
information. Understanding the motivation that drives a malicious hacker can help an
organization implement the proper security controls to prevent the likelihood of a system
breach. Malicious hacker is a broad category of adversarial threats that can be broken out
into smaller categories depending on the specific actions or intent of the malicious hacker.
Some of the sub-categories adapted from NIST SP 800-82, Guide to Industrial Control
Systems (ICS) Security, include:
• Attackers. Attackers break into networks for the thrill and challenge or for bragging
rights in the attacker community. While remote hacking once required considerable
skills or computer knowledge, attackers can now download attack scripts and protocols
from the Internet and launch them against victim sites. These attack tools have
become both more sophisticated and easier to use. In some cases, attackers do not
have the requisite expertise to threaten difficult targets such as critical government
networks. Nevertheless, the worldwide population of attackers poses a relatively high
threat of isolated or brief disruptions that could cause serious damage to business or
infrastructure.
• Bot-Network Operators. Bot-network operators assume control of multiple systems to
coordinate attacks and distribute phishing schemes, spam, and malicious code. The
services of compromised systems and networks can be found in underground markets
online (e.g., purchasing a denial of service attack, using servers to relay spam or
phishing attacks).
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

• Criminal Groups. Criminal groups seek to attack systems for monetary gain. Specifically,
organized crime groups use spam, phishing, and spyware/malicious code to commit
identity theft and online fraud. International corporate spies and organized crime
organizations also pose threats to the Nation based on their ability to conduct industrial
espionage, large-scale monetary theft, and the recruitment of new attackers. Some
criminal groups may try to extort money from an organization by threatening a cyber-
attack or by encrypting and disrupting its systems for ransom. Extortion or ransom
attacks have disrupted numerous businesses and cost significant resources and
planning to mitigate. Without effective backup plans and restoration procedures, many
businesses have resorted to paying costly ransoms to restore their encrypted systems.
• Foreign Intelligence Services. Foreign intelligence services use cyber tools as part of
their information gathering and espionage activities. In addition, several nations are
aggressively working to develop information warfare doctrines, programs, and
capabilities. Such capabilities enable a single entity to have a significant and serious
impact by disrupting the supply, communications, and economic infrastructures that
support military power – impacts that could affect the daily lives of U.S. citizens.
In some instances, threats posed by foreign government intelligence services may be
present. In addition to possible economic espionage, foreign intelligence services may
target unclassified systems to further their intelligence missions. Some unclassified
information that may be of interest includes travel plans of senior officials, civil defense
and emergency preparedness, manufacturing technologies, satellite data, personnel
and payroll data, and law enforcement, investigative, and security files.
• Phishers. Phishers are individuals or small groups that execute phishing schemes to steal
identities or information for monetary gain. Phishers may also use spam and
spyware/malicious code to accomplish their objectives.
• Spammers. Spammers are individuals or organizations that distribute unsolicited e-mail
with hidden or false information to sell products, conduct phishing schemes, distribute
spyware/malicious code, or attack organizations (e.g., DoS).
• Spyware/Malicious Code Authors. Individuals or organizations who maliciously carry out
attacks against users by producing and distributing spyware and malicious code.
Destructive computer viruses and worms that have harmed files and hard drives
include the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus,
Nimda, Code Red, Slammer, and Blaster.
• Terrorists. Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to
threaten national security, cause mass casualties, weaken the U.S. economy, and
damage public morale and confidence. Terrorists may use phishing schemes or
spyware/malicious code to generate funds or gather sensitive information. They may
also attack one target to divert attention or resources from other targets.
• Industrial Spies. Industrial espionage seeks to acquire intellectual property and know-
how using clandestine methods.

Malicious Code
Malicious code refers to viruses, Trojan horses, worms, logic bombs, and any other software
created for the purpose of attacking a platform.
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

• Virus. A code segment that replicates by attaching copies of itself to existing executables.
The new copy of the virus is executed when a user executes the new host program.
The virus may include an additional "payload" that triggers when specific conditions
are met.

 Trojan Horse. A program that performs a desired task, but that also includes unexpected
and undesirable functions. For example, consider an editing program for a multiuser
system. This program could be modified to randomly and unexpectedly delete a user’s
files each time they perform a useful function (e.g., editing).
• Worm. A self-replicating program that is self-contained and does not require a host
program or user intervention. Worms commonly use network services to propagate to
other host systems.
• Logic Bomb. This type of malicious code is a set of instructions secretly and intentionally
inserted into a program or software system to carry out a malicious function at a
predisposed time and date or when a specific condition is met.
• Ransomware. Is a type of malicious code that blocks or limits access to a system by
locking the entire screen or by locking down or encrypting specific files until a ransom
is paid. There are two different types of ransomware attacks—encryptors and lockers.
Encryptors block (encrypt) system files and demand a payment to unblock (or decrypt)
those files. Encryptors, or crypto-ransomware, are the most common and most
worrisome (e.g., WannaCry). Lockers are designed to lock users out of operating
systems. The user still has access to the device and other files, but in order to unlock
the infected computer, the user is asked to pay a ransom. To make matters worse,
even if the user pays the ransom, there is no guarantee that the attacker will actually
provide the decryption key or unlock the infected system.

Examples of Non-Adversarial Threat Sources and Events

Errors and Omissions

Errors and omissions can be inadvertently caused by system operators who process hundreds
of transactions daily or by users who create and edit data on organizational systems. These
errors and omissions can degrade data and system integrity. Software applications, regardless
of the level of sophistication, are not capable of detecting all types of input errors and
omissions. Therefore, it is the responsibility of the organization to establish a sound
awareness and training program to reduce the number and severity of errors and omissions.
Errors by users, system operators, or programmers may occur throughout the life cycle of a
system and may directly or indirectly contribute to security problems. In some cases, the
error is a threat, such as a data entry error or a programming error that crashes a system.
In other cases, the errors cause vulnerabilities. Programming and development errors, often
referred to as “bugs,” can range from benign to catastrophic.
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

Loss of Physical and Infrastructure Support

The loss of supporting infrastructure includes power failures (e.g., outages, spikes,
brownouts), loss of communications, water outages and leaks, sewer malfunctions, disruption
of transportation services, fire, flood, civil unrest, and strikes. A loss of supporting
infrastructure often results in system downtime in unexpected ways. For example, employees
may not be able to get to work during a winter storm, although the systems at the work site
may be functioning as normal. Additional information can be found in section 10.11, Physical
and Environmental Protection.

Impacts to Personal Privacy of Information Sharing

The accumulation of vast amounts of personally identifiable information by government and
private organizations has created numerous opportunities for individuals to experience privacy
problems as a byproduct or unintended consequence of a breach in security. For example,
migrating information to a cloud service provider has become a viable option that many
individuals and organizations utilize. The ease of accessing data from the cloud has made it a
more attractive solution for long term storage. Everything that is written, uploaded, or posted
is stored in a cloud system that individuals do not control. However, unbeknownst to the cloud
service user, personal information can be accessed by a stranger with the right tools and
technical skill sets.
Individuals’ voluntarily sharing PII through social media has also contributed to new threats
that allow malicious hackers to use that information for social engineering or to bypass
common authentication measures. Linking all this information and technology together,
malicious hackers have the ability to create accounts using someone else’s information or
gain access to networks.
Organizations may share information about cyber threats that includes PII. These disclosures
could lead to unanticipated uses of such information, including surveillance or other law
enforcement actions.

INFORMATION SECURITY MANAGEMENT RISK ASSESSMENT

Introduction

The question of how a security concept should be developed for the institution is generally
the most difficult one to answer. The main procedures for developing an security concept
involve assessing the risk and selecting the correct information security safeguards. Choosing
the method of risk assessment is particularly important, since the method selection has a
decisive effect on the amount of work required to develop an IT security policy. The procedure
according to IT-Grundschutz (German Federal Office for Information Security (BSI)) describes
a method that is appropriate for the majority of applications. Compared with classical
quantitative risk analysis, it is much more cost-effective and has been tried and tested in
practice for many years. As an added bonus, the IT-Grundschutz Methodology not only
describes how an ISMS functions in principle but, together with the IT Grundschutz, also
portrays how specific measures might be implemented in practice.
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

The security process in accordance with IT-Grundschutz

All the most common methods, best practice examples and management of information
security standards barely differ in the explanations that they provide regarding the security
process or the duties of the management. The greatest differences lie in the manner in which
the policy for information security is specifically developed, i.e. how the risk assessment is
formulated and how the information security safeguards are selected. We shall therefore at
hits point describe the basic procedure for developing a policy for information security in
accordance with IT-Grundschutz.

Risk assessment

Risk assessment in information security

Risk assessment in information security differs in important areas from classical methods of
actuarial mathematics or controlling. Precise calculation of the extent of damages and
occurrence probabilities is usually not possible in a "classical" or quantitative risk analysis,
since appropriate figures are not available. Even if a calculation is possible, interpreting the
results remains very difficult.

Example: In the case of classical risk analyses, the risk can be calculated from multiplying
the extent of damage with the occurrence probability. If, for instance, the destruction of a
computer centre due to an aeroplane crash results in damages costing 20 million euros and
occurs statistically once in 20,000 years, the theoretical risk is 1,000 euros per year. This is
the same as the risk of damages due to the theft of a notebook (without loss of data)
estimated at 2,000 euros and occurring statistically once in two years. Although the value of
the risk is the same computationally, these two damage scenarios must be dealt with
completely differently in the context of risk management.

Furthermore, for many scenarios there are insufficient values based on experience available
to allow reliable occurrence probabilities to be ascertained because, for instance, new
technologies are being used or because there is not enough reliable basic information
available. Even if sufficient data are available to allow the occurrence probability and extent
of damage to be calculated fairly reliably for certain damage events, the development of a
policy for information security on the basis of classical risk analysis is extremely involved and
expensive. A well founded expertise and the processing of large amounts of data are required
for an individual analysis of vulnerabilities for all essential business processes and the
associated IT components as well as for the compilation of possible damage events including
attribution of the occurrence probability and damage extent parameters.

The IT-Grundschutz Methodology therefore already includes a qualitative method for risk
assessment that provides the necessary information for assessing information security
incidents that are damaging to business. With the IT-Grundschutz Methodology, one assumes
that the threats to secure operation of information processing are similar regardless of the
type and orientation of an institution, business related information needs to be processed
securely everywhere in the organization, common and therefore related IT systems used, and
comparable environmental conditions exist. This means that comparable risks usually also
exist although the security requirements of the business processes and applications are
specific to those processes and applications and can differ, in practice though, they usually
lead to similar and comparable security requirements.
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

Only those threats which, after careful analysis, are shown to have such a high probability of
occurring or such drastic consequences that information security safeguards must be taken
are considered. Typical threats that everyone must protect themselves against include, for
example, damage due to fire, burglary, computer viruses and hardware defects. This approach
has the advantage that users do not need to perform threat and vulnerability analyses or
calculate occurrence probabilities for a major part of the IT operations, since therefore a public
agency has already done this work for them.

Supplementary security analysis and possibly a risk analysis must be performed for
information and business processes that require a high or very high level of protection or for
application environments

Classification of risks

The general requirement for classifying risks is accomplished in IT Grundschutz in the

following steps:

1. Orientation to damage scenarios

Various damage scenarios should be examined in order to describe damages and the negative
effects of IT security incidents as vividly as possible, for example:

 Violation of laws, regulations or contracts

 Impairment of informational self-determination
 Physical injury
 Impaired performance of duties
 Negative internal or external effects
 Financial consequences

When running through the scenarios, the damages that can arise due to a loss of
confidentiality, integrity or availability should be investigated.

For example, in the case of the "violation of laws" scenario, the discussion should, among
other things, centre around which data must be handled in confidence and what the
consequences would be if these conditions were breached due to negligence.

2. Classifying damages: definition of protection requirement categories

Performing a precise calculation of potential damages is in most cases not useful or perhaps
even impossible, and is also not necessary for selecting appropriate IT security measures. It
is therefore advisable to divide damages into a few classes. Attempting to calculate damage
"precisely" can even endanger security in many cases, since this gives the false impression
that a particular degree of precision has been achieved and those responsible are lulled into
a "false sense of security".

Based on possible damages, three protection requirement categories are defined in the
context of IT-Grundschutz and are later used for classifying the items that are in need of
protection (e.g. IT systems).
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

"Normal protection requirements": The impact of any loss or damage is limited and
calculable.

"High protection requirements": The impact of any loss or damage may be

considerable.
"Very high protection requirements": The impact of any loss or damage can attain
catastrophic proportions which could threaten the very survival of the
agency/company.

Every institution and for every damage scenario, one must specify how "normal", "high" and
"very high" should be interpreted, i.e. which prevailing conditions should be applied for
making the classification in the protection requirement categories. Since this has a direct
effect on how risks are dealt with as well as on the demand for resources, this must be
specified by the topmost management level of the institution. The specification of protection
requirement categories can vary greatly depending on the type and size of the institution and
only the topmost management level can specify them in cooperation with the information
security management. The BSI can therefore only give examples for appropriate values which
then need to be adapted to suit the particular conditions.

Examples for the classification of financial damages:

Normal protection requirements exist when financial damages are considered tolerable for an
institution. In a small enterprise, this can mean that no damages exceeding 10,000 euros
must be allowed to occur due to information security incidents. Higher protection
requirements exist if damages would result in considerable financial losses but would not
threaten the livelihood of the enterprise. In a small enterprise, this can lie between 10,000
euros and 100,000 euros.

Very high protection requirements exist when financial damages threaten the livelihood of the
institution. In a small enterprise, this could already be the case with a damage potential of
over 100,000 euros. Other values would of course be arrived at for an institution like a large
commercial bank.

Risk assessment

1. Structure analysis: identification of items to be protected

Within the framework of the structure analysis, the relevant items to be protected, such as
information, IT applications, IT systems, networks, rooms and buildings as well as responsible
staff members, must be ascertained for the examined information domain (i.e. area of
application or business process).

During the structure analysis, the relationships and dependencies between the individual
items to be protected must also be described. By recording these dependencies in particular
it is possible to identify the effects of information security incidents to business activities to
be able to provide an appropriate response.

Example: If "server XY" is affected by an information security incident, it is necessary to find

out very quickly which applications or business processes have been affected by this.
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

2. Assessing the protection requirements: analyzing the effects of information security

incidents on the examined business processes.

The degree of protection required is determined for each of the values ascertained during the
structure analysis.

Example: If the failure of an IT system can result in a great deal of damage, the value
determined is high since the IT system has a correspondingly high protection requirements.
In this case the protection requirements of the business processes must first be ascertained.
On the basis of this, the protection requirements of the applications that were registered
during the IT structure analysis can then be determined. In the process, one must consider
what type of information is being processed with these applications. In most institutions it is
sufficient at this point to consider only very few information groups. Examples of this are
customer data, publicly accessible information (e.g. addresses, opening times) or strategic
data for the management. Subsequently, one must examine what information needs to be
processed where and with what IT systems in order to be able to accomplish the business
processes.

The protection requirements of the applications are also conferred upon the IT systems that
support the particular applications. The protection requirements of the IT rooms are derived
from the protection requirements of the applications and IT systems that are operated there.

Example: The business process involving the management of customer data is essential for
maintaining business operations. This business process runs on server XY which consequently
has high protection requirements. The room in which the server is housed therefore also has
at least a high protection requirement.

3. Supplementary security analysis

Application of the procedures in accordance with IT-Grundschutz enables a level of

information security to be achieved that is sufficient and appropriate for normal protection
requirements. If the protection requirements for a particular area (such as an application or
IT system) are higher or if no IT-Grundschutz measures exist for an area, a supplementary
security analysis should be performed after IT-Grundschutz has been implemented. The BSI
has developed its own method for risk analysis for this purpose that is based on the
implementation of IT-Grundschutz.

However, a classical quantitative risk analysis can also be chosen as the method for the areas
concerned. If only a small area of information processing is affected, the effort required for
an additional risk analysis is usually low. If, for example, only a specific IT system is affected
for which no IT Grundschutz module exists, consultation with the manufacturer or
independent IT security consultant about this specific issue can generally already provide
enough help to assess the risk and select appropriate information security safeguards.

The combination of standard security measures with supplementary risk analysis for those
areas whose protection requirements exceed the normal protection requirements is
considerably more efficient than a complete quantitative risk analysis. Afterwards, the
 UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY

identified measures must then be integrated and consolidated in the remaining information
security process.

REFERENCES:

Nieles , et al (2017), An Introduction to Information Security

Godesberger (2008), BSI-Standard 100-1 Information Security Management System

OUTPUT FOR NEXT MEETING:

Get ready for a quiz (20 items Multiple Choice Item)

Topic 1-3