# Module 26: Risk Management and Security Controls
:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::
### **26.1 Risk Management**
---
#### **26.1.1 Risk Types**
- **Risk Definition**: The probability of loss due to a threat, which could be a malicious act or an unexpected event damaging systems or assets.
- **Risk Impact**: Damage or disruption caused by an event affecting services or assets.
**Levels of Risk Management**:
| **Level** | **Description** |
|-------------------------|------------------------------------------------------------------------------------------------|
| **Negligence** | No actions or controls are taken. Risk is **high**, and the cost of an incident could be **catastrophic**. |
| **Due Care** | Reasonable steps are taken to **lower risk**, but some risk still exists. |
| **Due Diligence** | Multiple reasonable steps and controls are implemented to **eliminate risk** as much as possible. |
**Key Points**:
- Risks can be **internal**, **external**, or **both**.
- Risk impacts can ripple across the organization and beyond.
- Promoting **risk awareness** helps employees understand existing risks, potential impacts, and management strategies.
---
#### **26.1.4 The Risk Management Process**
**Definition**: A formal process to measure the impact of threats and determine the cost of implementing controls to manage the risks.
**Key Concepts**:
- Risk **cannot be completely eliminated**, but it can be managed to an **acceptable level**.
- Cost of mitigation (countermeasures) **must not exceed** the value of the asset being protected.
**Stages of the Risk Management Process**:
1. **Identify Threats**:
   - Identify organizational threats:
     - Loss or damage to processes/products.
     - Attacks.
     - Failure or disruption of services.
     - Harm to reputation.
     - Legal liability.
     - Loss of intellectual property.
2. **Assess and Analyze Risks**:
   - Determine the **severity** of identified threats:
     - **Quantitative Analysis**: Measured in financial terms.
     - **Qualitative Analysis**: Scaled impact on operations.
3. **Develop Action Plan**:
   - Rank and prioritize threats.
   - Choose a **response strategy**:
     - **Eliminate**: Remove the risk entirely.
     - **Mitigate**: Reduce the risk impact or probability.
     - **Transfer**: Share risk with a third party (e.g., insurance).
     - **Accept**: Acknowledge and monitor residual risk.
4. **Review and Monitor**:
   - Continuously monitor risk reductions and mitigation efforts.
   - Closely monitor accepted risks that cannot be eliminated.
   - Use a **Risk Register** (software or cloud service):
     - Logs identified risks.
     - Details controls implemented or strategies adopted.
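The four stages above, carried through in a minimal in-memory risk register. This is an added example, not code from the course: the stage names map onto the course's process, but the 1..5 severity scale, the 90-day review period for accepted risks, and every entry in `build_sample_register()` are constructed for illustration.

```python
"""Minimal in-memory risk register that walks the four stages above.

Added example, not part of the course material. Entries, severities and
review periods are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Response(Enum):
    """Stage 3 response strategies."""
    ELIMINATE = "eliminate"  # remove the risk entirely (e.g. decommission the asset)
    MITIGATE = "mitigate"    # reduce impact or probability with controls
    TRANSFER = "transfer"    # share with a third party (insurance, contract)
    ACCEPT = "accept"        # acknowledge and keep monitoring residual risk


@dataclass
class RiskEntry:
    risk_id: str
    threat: str                          # stage 1: identified threat
    severity: int                        # stage 2: assumed 1 (low) .. 5 (critical) scale
    response: Optional[Response] = None  # stage 3: chosen strategy
    controls: List[str] = field(default_factory=list)  # controls implemented / strategy details
    next_review: Optional[date] = None   # stage 4: when an accepted risk is re-examined


class RiskRegister:
    def __init__(self) -> None:
        self._entries: dict = {}

    def identify(self, risk_id: str, threat: str, severity: int) -> RiskEntry:
        """Stages 1 and 2: log a threat together with its assessed severity."""
        if not 1 <= severity <= 5:
            raise ValueError("severity must be on the 1..5 scale")
        if risk_id in self._entries:
            raise ValueError(f"duplicate risk id {risk_id}")
        entry = RiskEntry(risk_id, threat, severity)
        self._entries[risk_id] = entry
        return entry

    def prioritized(self) -> List[RiskEntry]:
        """Stage 3: rank threats, most severe first (stable for equal severity)."""
        return sorted(self._entries.values(), key=lambda e: e.severity, reverse=True)

    def respond(self, risk_id: str, response: Response, controls=(),
                decided_on: Optional[date] = None, review_days: int = 90) -> RiskEntry:
        """Stage 3: record the strategy; accepted risks get a review date (stage 4)."""
        entry = self._entries[risk_id]
        if response in (Response.MITIGATE, Response.TRANSFER) and not controls:
            raise ValueError("mitigate/transfer must record the control or contract used")
        entry.response = response
        entry.controls = list(controls)
        if response is Response.ACCEPT:
            entry.next_review = (decided_on or date.today()) + timedelta(days=review_days)
        else:
            entry.next_review = None
        return entry

    def due_for_review(self, today: date) -> List[RiskEntry]:
        """Stage 4: accepted risks whose monitoring review date has arrived."""
        return [e for e in self.prioritized()
                if e.response is Response.ACCEPT and e.next_review is not None
                and e.next_review <= today]

    def unaddressed(self) -> List[RiskEntry]:
        """Identified risks with no strategy chosen yet, most severe first."""
        return [e for e in self.prioritized() if e.response is None]


def build_sample_register() -> RiskRegister:
    """Constructed sample data (not from the course)."""
    reg = RiskRegister()
    reg.identify("R-01", "Ransomware encrypts file servers", 5)
    reg.identify("R-02", "Legacy vendor app no longer receives patches", 4)
    reg.identify("R-03", "Reputational harm from slow breach notification", 3)
    reg.identify("R-04", "Unused public FTP service still exposed", 2)
    reg.identify("R-05", "Shared printer outage halts shipping labels", 1)
    reg.respond("R-01", Response.MITIGATE, ["offline backups", "endpoint detection and response"])
    reg.respond("R-02", Response.TRANSFER, ["extended maintenance contract with vendor"])
    reg.respond("R-03", Response.ACCEPT, decided_on=date(2024, 1, 15))  # re-examined after 90 days
    reg.respond("R-04", Response.ELIMINATE, ["service decommissioned"])
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.prioritized():
        print(e.risk_id, e.severity, e.response.value if e.response else "OPEN", e.controls)
    print("due for review on 2024-04-14:",
          [e.risk_id for e in reg.due_for_review(date(2024, 4, 14))])
```

The register refuses a mitigate or transfer decision that records no control or contract, so stage 3 cannot be closed on paper only, and `due_for_review()` is the stage 4 hook: accepted risks never drop out of sight, they resurface on a date.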
>[!Warning]Recap
>Risk is the probability of loss due to a threat, a malicious act, or an unexpected event that damages information systems or organizational assets. Risk impact is the damage incurred by an event which causes loss of asset(s) or disruption of service(s). The goal of risk management is to reduce these threats to an acceptable level and to implement controls to maintain that level. Risk can be internal, external, or both. Its impact can ripple through the whole organization and affect other external entities. The process of risk management requires that you frame the risk, assess the risk, and respond to the risk.
### **26.2 Risk Assessment**
---
#### **26.2.1 Threat Source Types**
| **Threat Source** | **Description** |
|------------------------|------------------------------------------------------------------------------------------|
| **Adversarial** | Threats from individuals, groups, organizations, or nations. |
| **Accidental** | Actions without malicious intent. |
| **Structural** | Equipment and software failures. |
| **Environmental** | Natural or human-caused disasters like fires, floods, or earthquakes. |
**Key Concepts**:
- **Threat**: The potential for a vulnerability to be identified and exploited.
- **Threat Vector**: The path an attacker uses to impact a target.
---
#### **26.2.3 Risk Assessment Methodology**
Organizations evaluate operational risks to align their risk management with business goals.
1. **Assess Threat Probability**:
   - Analyze human threats based on skill level, motive, opportunity, and size.
2. **Evaluate Vulnerabilities**:
   - Factors: Ease of discovery, exploitability, awareness, and intrusion detection.
   - Use estimation combined with historical data for accuracy.
3. **Determine Impact Magnitude**:
   - Range: From **very low** (insignificant) to **very high** (catastrophic).
---
#### **26.2.4 Risk Analysis**
Risk analysis identifies and evaluates risks to organizational assets.
**Goals of Risk Analysis**:
1. Identify **assets** and their value.
2. Identify **vulnerabilities** and **threats**.
3. Quantify **probability** and **impact**.
4. Balance the **cost of countermeasures** with the threat impact.
**1. Quantitative Risk Analysis**
Quantitative analysis assigns **numeric values** to risks.
| **Metric** | **Definition** |
|--------------------------------|------------------------------------------------------------------------------|
| **Asset Value** (AV) | Cost of replacing the asset or income derived from it. |
| **Exposure Factor** (EF) | Percentage of asset lost during a threat (e.g., EF = 1.0 for total loss). |
| **Annualized Rate of Occurrence** (ARO) | Frequency of the threat occurring within a year. |
| **Single Loss Expectancy** (SLE) | AV × EF: Estimated loss from a single occurrence. |
| **Annual Loss Expectancy** (ALE) | SLE × ARO: Annualized cost of expected losses. |
**Example**:

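A worked calculation with the metrics from the table, added here as an example and not taken from the course. It also compares the ALE before and after a proposed control against what the control costs per year (`control_value()`); that cost-benefit step is standard practice but is not stated on the page. The web-server figures, the 40% exposure factor and the 12,000/year control cost are all constructed.

```python
"""Quantitative risk analysis with the metrics in the table above.

Added worked example, not the course's own. The cost-benefit check in
control_value() is standard practice but not stated on the page; all
figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: replacement cost or income the asset produces
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF, the estimated loss from one occurrence."""
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor is a fraction between 0.0 and 1.0")
    return round(av * ef, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the annualized cost of expected losses."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a countermeasure: the ALE it removes minus what it costs.
    Negative means the control costs more than the loss it prevents."""
    return round((ale_before - ale_after) - annual_control_cost, 2)


def evaluate_control(scenario: Scenario, ef_after: float, aro_after: float,
                     annual_control_cost: float) -> dict:
    """Compare ALE with and without a proposed control for one scenario."""
    sle_before = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale_before = annual_loss_expectancy(sle_before, scenario.aro)
    sle_after = single_loss_expectancy(scenario.asset_value, ef_after)
    ale_after = annual_loss_expectancy(sle_after, aro_after)
    net = control_value(ale_before, ale_after, annual_control_cost)
    return {
        "scenario": scenario.name,
        "sle_before": sle_before, "ale_before": ale_before,
        "sle_after": sle_after, "ale_after": ale_after,
        "control_cost": annual_control_cost, "net_value": net,
        "worthwhile": net > 0,
    }


# Constructed scenario: a web server valued at 50,000 (AV); a successful intrusion is
# assumed to cost 40% of that (EF = 0.4) and to happen twice a year (ARO = 2).
WEB_SERVER = Scenario("customer-facing web server", asset_value=50_000,
                      exposure_factor=0.4, aro=2)

if __name__ == "__main__":
    # Proposed control (assumed): patch management plus a web application firewall
    # costing 12,000/year, expected to cut the ARO from 2 to 0.5 while leaving the
    # per-incident loss unchanged.
    result = evaluate_control(WEB_SERVER, ef_after=0.4, aro_after=0.5, annual_control_cost=12_000)
    for key, value in result.items():
        print(f"{key:>13}: {value}")
```

With the constructed numbers, SLE = 50,000 × 0.4 = 20,000 and ALE = 20,000 × 2 = 40,000 per year; the control brings ALE down to 10,000, so it is worth 30,000 − 12,000 = 18,000 a year. Rerun with a 35,000/year control and `worthwhile` flips to false: that is the page's rule that the cost of mitigation must not exceed what it protects, made explicit.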
**2. Qualitative Risk Analysis**
Qualitative analysis uses **opinions and scenarios** to evaluate risks.
- Likelihood and impact are ranked (e.g., likely but marginal impact).
- **Risk Matrix**: A tool to prioritize risks by plotting likelihood against impact.
- **Risk Heat Map**: A color-coded version of the risk matrix.
**Example:**

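A risk matrix and heat map in code, added as an example that is not part of the course. The 5×5 likelihood and impact scales (impact labelled from very low/insignificant to very high/catastrophic, as on the page) and the low/medium/high/critical thresholds are assumptions an organization would set for itself; the risks in `sample_risks()` are constructed. The page's own case, "likely but marginal impact", lands on a score of 8 and rates medium.

```python
"""Risk matrix and heat map for qualitative risk analysis.

Added example, not from the course. The 5x5 scales and the rating
thresholds are assumptions; organizations choose their own. Risks in
sample_risks() are constructed.
"""
from typing import Dict, List, Tuple

# Likelihood and impact scales (assumed); impact labels follow the range on the page
# (very low = insignificant .. very high = catastrophic).
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# Heat-map bands over the product likelihood x impact (assumed thresholds).
RATING_BANDS: List[Tuple[int, str]] = [(4, "low"), (9, "medium"), (16, "high"), (25, "critical")]


def score(likelihood: str, impact: str) -> int:
    """Cell of the risk matrix: likelihood rank times impact rank."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown scale value: {exc.args[0]}") from None


def rating(cell_score: int) -> str:
    """Map a matrix score onto a heat-map colour band."""
    for upper, label in RATING_BANDS:
        if cell_score <= upper:
            return label
    raise ValueError("score outside the 1..25 matrix")


def rank(risks: List[Tuple[str, str, str]]) -> List[Tuple[str, int, str]]:
    """Prioritize (name, likelihood, impact) triples: highest score first,
    ties broken by impact so a catastrophic-but-rare event is not buried
    under a frequent nuisance with the same score."""
    scored = [(name, score(l, i), rating(score(l, i)), IMPACT[i]) for name, l, i in risks]
    scored.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [(name, s, label) for name, s, label, _ in scored]


def heat_map() -> List[str]:
    """Text rendering of the matrix: one row per impact level (highest first),
    one column per likelihood level, each cell the first letter of its rating."""
    rows = []
    for impact_rank in range(5, 0, -1):
        cells = [rating(l * impact_rank)[0].upper() for l in range(1, 6)]
        rows.append(f"impact {impact_rank} | " + " ".join(cells))
    rows.append("           " + " ".join(str(l) for l in range(1, 6)) + "  <- likelihood")
    return rows


def sample_risks() -> List[Tuple[str, str, str]]:
    """Constructed sample inputs (not from the course)."""
    return [
        ("phishing leads to credential theft", "likely", "high"),
        ("data centre flood", "rare", "very high"),
        ("encrypted laptop lost in transit", "likely", "low"),
        ("unpatched internet-facing service", "almost certain", "very high"),
        ("vendor portal briefly unavailable", "almost certain", "very low"),
        ("printer firmware out of date", "possible", "very low"),
    ]


if __name__ == "__main__":
    for name, s, label in rank(sample_risks()):
        print(f"{s:>2} {label:<8} {name}")
    print()
    print("\n".join(heat_map()))
```

The flood and the portal outage both score 5; the tie-break on impact puts the flood first, which is the point of ranking on more than the bare product. Printing `heat_map()` gives the colour-coded matrix the page describes, with C/H/M/L standing in for the colours.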
---
#### **26.2.7 Risk Mitigation**
**Definition**: Reducing the likelihood or severity of losses from threats.
| **Strategy** | **Description** |
|------------------------------------------|---------------------------------------------------------------------------------|
| **Accept the Risk** | A short-term approach involving periodic reassessment and contingency plans. |
| **Reduce the Risk** | Implement controls like software updates, patches, firewalls, and authentication. |
| **Avoid the Risk** | Change approaches entirely to avoid the identified risk. |
| **Transfer the Risk** | Shift risk to third parties through outsourcing, insurance, or maintenance contracts. |
**Key Consideration**: Effective mitigation **balances** the benefit of risk reduction against the **negative impacts** of controls.
>[!Warning]Recap
>Threat assessment is the foundation for risk assessment. A threat is the potential that a vulnerability will be identified and exploited. A threat vector is the path that an attacker utilizes to impact the target. Threat source types are categorized as adversarial, accidental, structural, and environmental. They can be internal or external. Organizations assess and examine their operational risks by performing a risk assessment to ensure their risk management meets all their business objectives. They determine if the threat is low, acceptable, or high. A risk analysis has four goals: identify assets and their value, identify vulnerabilities and threats, quantify the probability and impact of the identified threats, and balance the impact of the threat against the cost of the countermeasure.
>
>A quantitative risk analysis assigns numbers to the risk analysis process. Several formulas are used that require the asset value, exposure factor, single loss expectancy, annualized rate of occurrence, and the annualized loss expectancy. Qualitative risk analysis uses opinions and scenarios plotting the likelihood of a threat against its impact. A risk matrix is a tool that helps prioritize risks to determine which ones the organization needs to develop a response for. The results can be ranked and used as a guide to determine whether the organization takes any action. Good risk mitigation finds a balance between the negative impact of countermeasures and controls and the benefit of risk reduction. Several approaches may be considered including accepting the risk and periodically reassessing, reducing the risk by implementing controls, avoiding the risk totally by changing the approach, and transferring the risk to a third party.
### **26.3 Security Controls**
---
#### **26.3.1 Control Types**
**Security controls** are safeguards implemented to reduce or manage risks to organizational assets. These controls are categorized into three types:
| **Control Type** | **Description** |
|-------------------------|----------------------------------------------------------------------------------------------------|
| **Administrative** | Procedures and policies that dictate how people handle sensitive information and behave. |
| **Technical** | Hardware and/or software solutions that manage risk and provide system protection. |
| **Physical** | Mechanisms such as fences, locks, or physical barriers to protect systems, facilities, and people. |
---
#### **26.3.2 Functional Security Controls**
Functional controls are chosen based on their role in protecting assets. They serve different purposes, as described below:
| **Control Type** | **Description** | **Examples** |
|-------------------------|------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| **Preventive** | Stop unwanted or unauthorized activity from happening. | User privileges, firewalls blocking access to vulnerable ports, access control systems. |
| **Deterrent** | Discourage malicious behavior or actions, though they cannot stop them entirely. | Warning signs, surveillance cameras, visible security personnel, security awareness training. |
| **Detective** | Identify unauthorized activity and alert system operators. | Motion detectors, intrusion detection systems (IDS), security guards, system logs, audit trails. |
| **Corrective** | Restore systems to a secure state after a threat occurs, maintaining confidentiality, integrity, and availability. | Antivirus software, alarms, incident response plans, intrusion prevention systems (IPS), system resets. |
| **Recovery** | Restore systems, data, and functions back to normal operations following a security incident. | Backups, fault-tolerant drives, server clustering, database shadowing, disaster recovery plans. |
| **Compensative** | Provide alternative measures when an ideal control cannot be implemented. | Motion detector with spotlight (replacing a guard), security policies, personnel supervision. |
---
#### **26.3.3 Controls and Compliance**
The **Center for Internet Security (CIS)** has developed mappings of its **18 critical security controls** to widely used compliance frameworks, assisting organizations in achieving and maintaining regulatory compliance.
**Common Compliance Frameworks Mapped to CIS Controls**:
- PCI DSS (Payment Card Industry Data Security Standard)
- NIST Cybersecurity Framework (CSF)
- FISMA (Federal Information Security Management Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
- ISO/IEC 27001 (International Standards for Information Security Management)
**CIS Resources**:
- CIS provides detailed guidance and tools, such as **CIS-CAT Pro**, to assess compliance and align security controls with specific regulatory frameworks.
**How to Access**:
- Search for “**site:cisecurity.org mapping and compliance**” on Google for direct access to CIS controls and compliance resources.
>[!Warning]Recap
>Security controls are safeguards or countermeasures that an organization implements to avoid, detect, counteract, or minimize security risks to organizational assets. Administrative controls consist of procedures and policies that an organization puts into place when dealing with sensitive information. Technical controls involve hardware and/or software implemented to manage risk and provide protection. Physical controls are mechanisms such as fences and locks deployed to protect systems, facilities, personnel, and resources. Functional security controls include preventive, deterrent, detective, corrective, recovery, and compensative controls. Preventive security controls stop unwanted and unauthorized activity from happening and/or apply restrictions for authorized users. A deterrent aims to discourage something from happening. Cybersecurity professionals and organizations use deterrents to limit or mitigate an action or behavior. Access control detection identifies different types of unauthorized activity. Corrective controls counteract something undesirable by restoring the system back to a state of confidentiality, integrity, and availability. They can also restore systems to normal after unauthorized activity occurs. Recovery security controls restore resources, functions, and capabilities back to a normal state after a violation of a security policy. Compensative controls provide options to other controls to bolster enforcement in support of a security policy.