
Risk Control Strategies

And
Physical Security

By William Gillette
Top 10 Security Mistakes

1. The not-so-subtle Post-it Note. Yes, those sticky yellow things can undo the most elaborate security measures.
2. Leaving unattended computers on.
3. Opening email from strangers (the "I Love You" virus).
4. Poor password selection. The vice president of IT at General Dynamics Corp. attended a demonstration with about 20 of his top engineers and some anti-hacking experts from NASA. Within 30 minutes, the NASA folks broke 60% of the engineers' passwords. A good example of a stronger choice: "I pledge allegiance to the flag" becomes "ipa2tf."
Top 10 Security Mistakes (continued)

5. Laptops have legs (physical security).
6. Loose lips sink ships. People talk about passwords.
7. Plug and Play (technology that enables hardware devices to be installed and configured without protection).
8. Unreported security violations.
9. Behind the times in terms of patches.
10. Not watching for dangers within your own organization.
Types of Risk Control Strategies

Avoidance
Transference
Mitigation
Acceptance

Quick Review
Risk Avoidance

Defined:
A risk control strategy that attempts to prevent attacks on organizational assets through their vulnerabilities.
This is the most preferred risk control strategy, as it seeks to avoid risks/threats entirely.
Avoidance is accomplished through countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards.
Methods of Risk Avoidance

Avoidance through application of policy.
Avoidance through application of training and education.
Avoidance through application of technology.
Risk Transference

Defined:
A control approach that attempts to shift the risk to other assets, other processes, or other organizations.
This is accomplished through rethinking/reengineering services, revising development models, outsourcing to other organizations, or implementing service contracts.
A common choice for larger companies.
Risk Transference (continued)

Advantages of outsourcing:
The outsourcing company focuses its energy and resources on its area of expertise.
Allows the parent company to concentrate on the business it knows. Example: Kodak.
Disadvantages:
Costs tend to be high for these services, and they require very detailed legal contracts to guarantee service and recovery.
Risk Mitigation

Defined:
A control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Three types of plans:
Disaster recovery plan
Incident response plan
Business continuity plan
Each of these strategies depends on the ability to detect and respond to an attack as quickly as possible. All mitigation strategies start with early detection.
Disaster Recovery Plan

Defined:
Preparations for recovery should a disaster occur; strategies to limit losses before and during disasters; step-by-step instructions to regain normalcy. (This is the most common of the mitigation procedures.)
Examples:
Procedures to recover lost data (data/media backup).
Procedures for the re-establishment of lost services.
Procedures to protect currently available assets (shut down).
When it's deployed:
Immediately after the incident is labeled a disaster.
Time frame:
Short-term recovery.
Incident Response Plan

Defined:
Actions an organization takes during an attack. IRPs are predefined, specific or ad hoc, and reactive.
The "what do I do now!" plan.
Examples:
Information analysis, intelligence gathering, a list of steps to be taken during an attack (e.g., the unauthorized-copy example).
When it's deployed:
As the attack or disaster unfolds.
Time frame:
Immediate and real-time reaction.
Business Continuity Plan

Defined:
Steps to ensure continuation of the overall business when the scale of the disaster requires relocation.
Examples:
Preparation steps for the activation of a secondary data center.
Establishment of a hot site in a remote location. Many companies have this service as a contingency against disastrous events.
When it's deployed:
After it has been determined that a disaster/attack affects the continuous operation of the organization.
Time frame:
Long-term recovery.
Acceptance

Defined:
In contrast to the other controls, acceptance is a method of doing nothing to protect against a vulnerability and accepting the outcome of its exploitation.
To use this control, the organization must have:
Determined the level of risk
Assessed the probability of attack
Estimated the potential damage that could occur from attacks
Performed a thorough cost-benefit analysis
Taken into account the feasibility of other controls
Decided whether particular functions/assets/data do not justify the cost of protection
Risk acceptance decision flow (reconstructed from the slide's flowchart):

System/program as designed
  -> Is the system/program vulnerable?
       No  -> No risk
       Yes -> Is the system/program exploitable?
                No  -> No risk
                Yes -> Risk exists
                       -> Is the attacker's gain > cost?
                            No  -> Risk can be accepted
                            Yes -> Is the expected loss > acceptable level?
                                     No  -> Risk can be accepted
                                     Yes -> Risk is unacceptable
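The acceptance criteria and the decision flowchart above can be written down as a small decision procedure. The following Python is an added example, not code from the slides or from the cited textbooks; it assumes expected loss = probability of attack x potential damage, and that a control is cost-justified when the reduction in expected loss exceeds the control's annual cost (both are common formulations, not something the slides state). All figures in the scenarios are constructed.

```python
"""Risk acceptance decision, following the flowchart:
vulnerable? -> exploitable? -> attacker gain > cost? -> expected loss > acceptable level?
(added example; assumptions are noted in comments)"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    NO_RISK = "no risk"
    ACCEPT = "risk can be accepted"
    UNACCEPTABLE = "risk is unacceptable"


@dataclass
class RiskAssessment:
    name: str
    vulnerable: bool          # does the system/program have the vulnerability?
    exploitable: bool         # can the vulnerability actually be exploited?
    attacker_gain: float      # assumed: what the attacker stands to gain (currency units)
    attack_cost: float        # assumed: what the attack costs the attacker
    probability: float        # assessed probability of attack per year (0..1)
    potential_damage: float   # estimated damage per successful attack
    acceptable_loss: float    # expected annual loss the organization will absorb


def expected_loss(a: RiskAssessment) -> float:
    """Assumed formula: expected annual loss = probability of attack x damage."""
    return a.probability * a.potential_damage


def decide(a: RiskAssessment) -> Decision:
    """Walk the flowchart top to bottom and return the terminal box reached."""
    if not a.vulnerable:
        return Decision.NO_RISK
    if not a.exploitable:
        return Decision.NO_RISK
    # At this point risk exists; the remaining questions decide acceptance.
    if a.attacker_gain <= a.attack_cost:
        return Decision.ACCEPT          # attacker's gain not greater than cost
    if expected_loss(a) <= a.acceptable_loss:
        return Decision.ACCEPT          # expected loss within acceptable level
    return Decision.UNACCEPTABLE


def control_justified(before: RiskAssessment, after: RiskAssessment,
                      annual_control_cost: float) -> bool:
    """Cost-benefit check (assumed formulation): a control is worth buying
    when the expected loss it removes per year exceeds what it costs per year."""
    benefit = expected_loss(before) - expected_loss(after)
    return benefit > annual_control_cost


# Constructed scenarios (not real figures).
WEB_SERVER = RiskAssessment("public web server", vulnerable=True, exploitable=True,
                            attacker_gain=50_000, attack_cost=2_000,
                            probability=0.20, potential_damage=100_000,
                            acceptable_loss=5_000)

# Same server after a patching/monitoring control that cuts attack probability.
WEB_SERVER_WITH_CONTROL = RiskAssessment("public web server + control", vulnerable=True,
                                         exploitable=True, attacker_gain=50_000,
                                         attack_cost=2_000, probability=0.02,
                                         potential_damage=100_000, acceptable_loss=5_000)

# Internal tool where exploiting it costs the attacker more than it yields.
INTERNAL_TOOL = RiskAssessment("internal lunch-menu tool", vulnerable=True, exploitable=True,
                               attacker_gain=100, attack_cost=500,
                               probability=0.50, potential_damage=200, acceptable_loss=1_000)

# Program that has a flaw but no reachable way to exploit it.
OFFLINE_BATCH = RiskAssessment("air-gapped batch job", vulnerable=True, exploitable=False,
                               attacker_gain=10_000, attack_cost=100,
                               probability=0.0, potential_damage=10_000, acceptable_loss=0)


if __name__ == "__main__":
    for a in (WEB_SERVER, INTERNAL_TOOL, OFFLINE_BATCH):
        print(f"{a.name}: expected loss {expected_loss(a):.0f} -> {decide(a).value}")
    print("control justified:",
          control_justified(WEB_SERVER, WEB_SERVER_WITH_CONTROL, annual_control_cost=8_000))
```

Running it shows the web server landing in the "risk is unacceptable" box (expected loss 20,000 against an acceptable 5,000), the internal tool accepted because the attack costs more than it gains, and the air-gapped job reported as no risk; the cost-benefit check then says the 8,000-per-year control is justified because it removes 18,000 of expected loss.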
Categories of Controls

Control function:
Controls and safeguards designed to defend vulnerabilities through prevention or detection.
Uses both technological protection (encryption) and enforcement measures (policies).
Architectural layer:
Controls applied to more than one layer of a system, e.g. firewalls.
Strategic:
Controls that are specific to a risk control method.
Other Factors in Deciding a Risk Control Method

Feasibility studies
Cost-benefit analysis
Asset valuation
Organizational feasibility
Technical feasibility
Physical Security

Defined:
Describes the protection needed outside a system/program.
Typical physical controls include ID cards, guards, locks, and cameras, but can also include items that protect against disasters.
Types of Physical Security

Access and control:
Used to ward off the sticky-fingered bandit.
Use of biometrics, smart cards, access door locks, mantraps, electronic monitoring, shredding, and guards.
Natural disaster:
Flood (both natural and unnatural), fire, power fluctuation, and so on.
Use of raised floors, dedicated cooling, humidifiers for tape rooms, emergency lighting, electrical/non-water fire extinguishers, surge suppressors, emergency power shut-off, and emergency replacement servers/off-site systems.