CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Gibson Darril

Read the book CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide by Gibson Darril online, page 29

through the circumvention of security controls and is able to directly imperil assets.

The elements asset, threat, vulnerability, exposure, risk, and safeguard are related, as shown in Figure 2.4. Threats exploit vulnerabilities, which results in exposure. Exposure is risk, and risk is mitigated by safeguards. Safeguards protect assets that are endangered by threats.

Figure 2.4 The elements of risk

Identify Threats and Vulnerabilities

      An essential part of risk management is identifying and examining threats. This involves creating an exhaustive list of all possible threats for the organization’s identified assets. The list should include threat agents as well as threat events. It is important to keep in mind that threats can come from anywhere. Threats to IT are not limited to IT sources. When compiling a list of threats, be sure to consider the following:

      ■ Viruses

      ■ Cascade errors (a series of escalating errors) and dependency faults (caused by relying on events or items that don’t exist)

      ■ Criminal activities by authorized users

      ■ Movement (vibrations, jarring, etc.)

      ■ Intentional attacks

      ■ Reorganization

      ■ Authorized user illness or epidemics

      ■ Malicious hackers

      ■ Disgruntled employees

      ■ User errors

      ■ Natural disasters (earthquakes, floods, fire, volcanoes, hurricanes, tornadoes, tsunamis, and so on)

      ■ Physical damage (crushing, projectiles, cable severing, and so on)

      ■ Misuse of data, resources, or services

      ■ Changes or compromises to data classification or security policies

      ■ Government, political, or military intrusions or restrictions

      ■ Processing errors, buffer overflows

      ■ Personnel privilege abuse

      ■ Temperature extremes

      ■ Energy anomalies (static, EM pulses, radio frequencies [RFs], power loss, power surges, and so on)

      ■ Loss of data

      ■ Information warfare

      ■ Bankruptcy or alteration/interruption of business activity

      ■ Coding/programming errors

      ■ Intruders (physical and logical)

      ■ Environmental factors (presence of gases, liquids, organisms, and so on)

      ■ Equipment failure

      ■ Physical theft

      ■ Social engineering

      In most cases, a team rather than a single individual should perform risk assessment and analysis. Also, the team members should be from various departments within the organization. It is not usually a requirement that all team members be security professionals or even network/system administrators. The diversity of the team based on the demographics of the organization will help to exhaustively identify and address all possible threats and risks.

       The Consultant Cavalry

      Risk assessment is a highly involved, detailed, complex, and lengthy process. Often risk analysis cannot be properly handled by existing employees because of the size, scope, or liability of the risk; thus, many organizations bring in risk management consultants to perform this work. This provides a high level of expertise, does not bog down employees, and can be a more reliable measurement of real-world risk. But even risk management consultants do not perform risk assessment and analysis on paper only; they typically employ complex and expensive risk assessment software. This software streamlines the overall task, provides more reliable results, and produces standardized reports that are acceptable to insurance companies, boards of directors, and so on.

Risk Assessment/Analysis

      Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all risk assessments, results, decisions, and outcomes must be understood and approved by upper management as an element in providing prudent due care.

      All IT systems have risk. There is no way to eliminate 100 percent of all risks. Instead, upper management must decide which risks are acceptable and which are not. Determining which risks are acceptable requires detailed and complex asset and risk assessments.

      Once you develop a list of threats, you must individually evaluate each threat and its related risk. There are two risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset. Both methods are necessary for a complete risk analysis. Most environments employ a hybrid of both risk assessment methodologies in order to gain a balanced view of their security concerns.

      Quantitative Risk Analysis

      The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards. This report is usually fairly easy to understand, especially for anyone with knowledge of spreadsheets and budget reports. Think of quantitative analysis as the act of assigning a quantity to risk – in other words, placing a dollar figure on each asset and threat. However, a purely quantitative analysis is not sufficient; not all elements and aspects of the analysis can be quantified because some are qualitative, subjective, or intangible.

      The process of quantitative risk analysis starts with asset valuation and threat identification. Next, you estimate the potential and frequency of each risk. This information is then used to calculate various cost functions that are used to evaluate safeguards.

The six major steps or phases in quantitative risk analysis are as follows (Figure 2.5):

      1. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this chapter named “Asset Valuation.”)

      2. Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).

      3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year – that is, the annualized rate of occurrence (ARO).

      4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).

      5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.

      6. Perform a cost/benefit