Professional Documents
Culture Documents
w3 Information Security Risk Management
w3 Information Security Risk Management
LEARNING MODULE #: 2
WEEK: 3
LEARNING OBJECTIVES:
gathered, the attacker can create a back door, which is a way of bypassing security
mechanisms in systems, and gain undetected access to the network. An external
command and control system is then used by the attacker to continuously monitor the
system to extract information.
Insider Threat
Employees can represent an insider threat to an organization given their familiarity with the
employer’s systems and applications as well as what actions may cause the most damage,
mischief, or disorder. Employee sabotage—often instigated by knowledge or threat of
termination—is a critical issue for organizations and their systems. In an effort to mitigate the
potential damage caused by employee sabotage, the terminated employee’s access to IT
infrastructure should be immediately disabled, and the individual should be escorted off
company premises.
Examples of system-related employee sabotage include, but are not limited to:
• Destroying hardware or facilities;
• Planting malicious code that destroys programs or data;
• Entering data incorrectly, holding data, or deleting data;
• Crashing systems; and
• Changing administrative passwords to prevent system access.
Malicious Hacker
Malicious hacker is a term used to describe an individual or group who use an understanding
of systems, networking, and programming to illegally access systems, cause damage, or steal
information. Understanding the motivation that drives a malicious hacker can help an
organization implement the proper security controls to prevent the likelihood of a system
breach. Malicious hacker is a broad category of adversarial threats that can be broken out
into smaller categories depending on the specific actions or intent of the malicious hacker.
Some of the sub-categories adapted from NIST SP 800-82, Guide to Industrial Control
Systems (ICS) Security, include:
• Attackers. Attackers break into networks for the thrill and challenge or for bragging
rights in the attacker community. While remote hacking once required considerable
skills or computer knowledge, attackers can now download attack scripts and protocols
from the Internet and launch them against victim sites. These attack tools have
become both more sophisticated and easier to use. In some cases, attackers do not
have the requisite expertise to threaten difficult targets such as critical government
networks. Nevertheless, the worldwide population of attackers poses a relatively high
threat of isolated or brief disruptions that could cause serious damage to business or
infrastructure.
• Bot-Network Operators. Bot-network operators assume control of multiple systems to
coordinate attacks and distribute phishing schemes, spam, and malicious code. The
services of compromised systems and networks can be found in underground markets
online (e.g., purchasing a denial of service attack, using servers to relay spam or
phishing attacks).
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
• Criminal Groups. Criminal groups seek to attack systems for monetary gain. Specifically,
organized crime groups use spam, phishing, and spyware/malicious code to commit
identity theft and online fraud. International corporate spies and organized crime
organizations also pose threats to the Nation based on their ability to conduct industrial
espionage, large-scale monetary theft, and the recruitment of new attackers. Some
criminal groups may try to extort money from an organization by threatening a cyber-
attack or by encrypting and disrupting its systems for ransom. Extortion or ransom
attacks have disrupted numerous businesses and cost significant resources and
planning to mitigate. Without effective backup plans and restoration procedures, many
businesses have resorted to paying costly ransoms to restore their encrypted systems.
• Foreign Intelligence Services. Foreign intelligence services use cyber tools as part of
their information gathering and espionage activities. In addition, several nations are
aggressively working to develop information warfare doctrines, programs, and
capabilities. Such capabilities enable a single entity to have a significant and serious
impact by disrupting the supply, communications, and economic infrastructures that
support military power – impacts that could affect the daily lives of U.S. citizens.
In some instances, threats posed by foreign government intelligence services may be
present. In addition to possible economic espionage, foreign intelligence services may
target unclassified systems to further their intelligence missions. Some unclassified
information that may be of interest includes travel plans of senior officials, civil defense
and emergency preparedness, manufacturing technologies, satellite data, personnel
and payroll data, and law enforcement, investigative, and security files.
• Phishers. Phishers are individuals or small groups that execute phishing schemes to steal
identities or information for monetary gain. Phishers may also use spam and
spyware/malicious code to accomplish their objectives.
• Spammers. Spammers are individuals or organizations that distribute unsolicited e-mail
with hidden or false information to sell products, conduct phishing schemes, distribute
spyware/malicious code, or attack organizations (e.g., DoS).
• Spyware/Malicious Code Authors. Individuals or organizations who maliciously carry out
attacks against users by producing and distributing spyware and malicious code.
Destructive computer viruses and worms that have harmed files and hard drives
include the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus,
Nimda, Code Red, Slammer, and Blaster.
• Terrorists. Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to
threaten national security, cause mass casualties, weaken the U.S. economy, and
damage public morale and confidence. Terrorists may use phishing schemes or
spyware/malicious code to generate funds or gather sensitive information. They may
also attack one target to divert attention or resources from other targets.
• Industrial Spies. Industrial espionage seeks to acquire intellectual property and know-
how using clandestine methods.
Malicious Code
Malicious code refers to viruses, Trojan horses, worms, logic bombs, and any other software
created for the purpose of attacking a platform.
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
• Virus. A code segment that replicates by attaching copies of itself to existing executables.
The new copy of the virus is executed when a user executes the new host program.
The virus may include an additional "payload" that triggers when specific conditions
are met.
Trojan Horse. A program that performs a desired task, but that also includes unexpected
and undesirable functions. For example, consider an editing program for a multiuser
system. This program could be modified to randomly and unexpectedly delete a user’s
files each time they perform a useful function (e.g., editing).
• Worm. A self-replicating program that is self-contained and does not require a host
program or user intervention. Worms commonly use network services to propagate to
other host systems.
• Logic Bomb. This type of malicious code is a set of instructions secretly and intentionally
inserted into a program or software system to carry out a malicious function at a
predisposed time and date or when a specific condition is met.
• Ransomware. Is a type of malicious code that blocks or limits access to a system by
locking the entire screen or by locking down or encrypting specific files until a ransom
is paid. There are two different types of ransomware attacks—encryptors and lockers.
Encryptors block (encrypt) system files and demand a payment to unblock (or decrypt)
those files. Encryptors, or crypto-ransomware, are the most common and most
worrisome (e.g., WannaCry). Lockers are designed to lock users out of operating
systems. The user still has access to the device and other files, but in order to unlock
the infected computer, the user is asked to pay a ransom. To make matters worse,
even if the user pays the ransom, there is no guarantee that the attacker will actually
provide the decryption key or unlock the infected system.
Introduction
The question of how a security concept should be developed for the institution is generally
the most difficult one to answer. The main procedures for developing an security concept
involve assessing the risk and selecting the correct information security safeguards. Choosing
the method of risk assessment is particularly important, since the method selection has a
decisive effect on the amount of work required to develop an IT security policy. The procedure
according to IT-Grundschutz (German Federal Office for Information Security (BSI)) describes
a method that is appropriate for the majority of applications. Compared with classical
quantitative risk analysis, it is much more cost-effective and has been tried and tested in
practice for many years. As an added bonus, the IT-Grundschutz Methodology not only
describes how an ISMS functions in principle but, together with the IT Grundschutz, also
portrays how specific measures might be implemented in practice.
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
All the most common methods, best practice examples and management of information
security standards barely differ in the explanations that they provide regarding the security
process or the duties of the management. The greatest differences lie in the manner in which
the policy for information security is specifically developed, i.e. how the risk assessment is
formulated and how the information security safeguards are selected. We shall therefore at
hits point describe the basic procedure for developing a policy for information security in
accordance with IT-Grundschutz.
Risk assessment
Risk assessment in information security differs in important areas from classical methods of
actuarial mathematics or controlling. Precise calculation of the extent of damages and
occurrence probabilities is usually not possible in a "classical" or quantitative risk analysis,
since appropriate figures are not available. Even if a calculation is possible, interpreting the
results remains very difficult.
Example: In the case of classical risk analyses, the risk can be calculated from multiplying
the extent of damage with the occurrence probability. If, for instance, the destruction of a
computer centre due to an aeroplane crash results in damages costing 20 million euros and
occurs statistically once in 20,000 years, the theoretical risk is 1,000 euros per year. This is
the same as the risk of damages due to the theft of a notebook (without loss of data)
estimated at 2,000 euros and occurring statistically once in two years. Although the value of
the risk is the same computationally, these two damage scenarios must be dealt with
completely differently in the context of risk management.
Furthermore, for many scenarios there are insufficient values based on experience available
to allow reliable occurrence probabilities to be ascertained because, for instance, new
technologies are being used or because there is not enough reliable basic information
available. Even if sufficient data are available to allow the occurrence probability and extent
of damage to be calculated fairly reliably for certain damage events, the development of a
policy for information security on the basis of classical risk analysis is extremely involved and
expensive. A well founded expertise and the processing of large amounts of data are required
for an individual analysis of vulnerabilities for all essential business processes and the
associated IT components as well as for the compilation of possible damage events including
attribution of the occurrence probability and damage extent parameters.
The IT-Grundschutz Methodology therefore already includes a qualitative method for risk
assessment that provides the necessary information for assessing information security
incidents that are damaging to business. With the IT-Grundschutz Methodology, one assumes
that the threats to secure operation of information processing are similar regardless of the
type and orientation of an institution, business related information needs to be processed
securely everywhere in the organization, common and therefore related IT systems used, and
comparable environmental conditions exist. This means that comparable risks usually also
exist although the security requirements of the business processes and applications are
specific to those processes and applications and can differ, in practice though, they usually
lead to similar and comparable security requirements.
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
Only those threats which, after careful analysis, are shown to have such a high probability of
occurring or such drastic consequences that information security safeguards must be taken
are considered. Typical threats that everyone must protect themselves against include, for
example, damage due to fire, burglary, computer viruses and hardware defects. This approach
has the advantage that users do not need to perform threat and vulnerability analyses or
calculate occurrence probabilities for a major part of the IT operations, since therefore a public
agency has already done this work for them.
Supplementary security analysis and possibly a risk analysis must be performed for
information and business processes that require a high or very high level of protection or for
application environments
Classification of risks
Various damage scenarios should be examined in order to describe damages and the negative
effects of IT security incidents as vividly as possible, for example:
When running through the scenarios, the damages that can arise due to a loss of
confidentiality, integrity or availability should be investigated.
For example, in the case of the "violation of laws" scenario, the discussion should, among
other things, centre around which data must be handled in confidence and what the
consequences would be if these conditions were breached due to negligence.
Performing a precise calculation of potential damages is in most cases not useful or perhaps
even impossible, and is also not necessary for selecting appropriate IT security measures. It
is therefore advisable to divide damages into a few classes. Attempting to calculate damage
"precisely" can even endanger security in many cases, since this gives the false impression
that a particular degree of precision has been achieved and those responsible are lulled into
a "false sense of security".
Based on possible damages, three protection requirement categories are defined in the
context of IT-Grundschutz and are later used for classifying the items that are in need of
protection (e.g. IT systems).
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
"Normal protection requirements": The impact of any loss or damage is limited and
calculable.
Every institution and for every damage scenario, one must specify how "normal", "high" and
"very high" should be interpreted, i.e. which prevailing conditions should be applied for
making the classification in the protection requirement categories. Since this has a direct
effect on how risks are dealt with as well as on the demand for resources, this must be
specified by the topmost management level of the institution. The specification of protection
requirement categories can vary greatly depending on the type and size of the institution and
only the topmost management level can specify them in cooperation with the information
security management. The BSI can therefore only give examples for appropriate values which
then need to be adapted to suit the particular conditions.
Normal protection requirements exist when financial damages are considered tolerable for an
institution. In a small enterprise, this can mean that no damages exceeding 10,000 euros
must be allowed to occur due to information security incidents. Higher protection
requirements exist if damages would result in considerable financial losses but would not
threaten the livelihood of the enterprise. In a small enterprise, this can lie between 10,000
euros and 100,000 euros.
Very high protection requirements exist when financial damages threaten the livelihood of the
institution. In a small enterprise, this could already be the case with a damage potential of
over 100,000 euros. Other values would of course be arrived at for an institution like a large
commercial bank.
Risk assessment
Within the framework of the structure analysis, the relevant items to be protected, such as
information, IT applications, IT systems, networks, rooms and buildings as well as responsible
staff members, must be ascertained for the examined information domain (i.e. area of
application or business process).
During the structure analysis, the relationships and dependencies between the individual
items to be protected must also be described. By recording these dependencies in particular
it is possible to identify the effects of information security incidents to business activities to
be able to provide an appropriate response.
The degree of protection required is determined for each of the values ascertained during the
structure analysis.
Example: If the failure of an IT system can result in a great deal of damage, the value
determined is high since the IT system has a correspondingly high protection requirements.
In this case the protection requirements of the business processes must first be ascertained.
On the basis of this, the protection requirements of the applications that were registered
during the IT structure analysis can then be determined. In the process, one must consider
what type of information is being processed with these applications. In most institutions it is
sufficient at this point to consider only very few information groups. Examples of this are
customer data, publicly accessible information (e.g. addresses, opening times) or strategic
data for the management. Subsequently, one must examine what information needs to be
processed where and with what IT systems in order to be able to accomplish the business
processes.
The protection requirements of the applications are also conferred upon the IT systems that
support the particular applications. The protection requirements of the IT rooms are derived
from the protection requirements of the applications and IT systems that are operated there.
Example: The business process involving the management of customer data is essential for
maintaining business operations. This business process runs on server XY which consequently
has high protection requirements. The room in which the server is housed therefore also has
at least a high protection requirement.
However, a classical quantitative risk analysis can also be chosen as the method for the areas
concerned. If only a small area of information processing is affected, the effort required for
an additional risk analysis is usually low. If, for example, only a specific IT system is affected
for which no IT Grundschutz module exists, consultation with the manufacturer or
independent IT security consultant about this specific issue can generally already provide
enough help to assess the risk and select appropriate information security safeguards.
The combination of standard security measures with supplementary risk analysis for those
areas whose protection requirements exceed the normal protection requirements is
considerably more efficient than a complete quantitative risk analysis. Afterwards, the
UNIVERSITY OF CALOOCAN CITY
COLLEGE OF BUSINESS and ACCOUNTANCY
identified measures must then be integrated and consolidated in the remaining information
security process.
REFERENCES: