Risk Assessment

Lecture 3
SECURITY PROCESSES

▪ Education
▪ Vulnerability management
▪ Issue management
▪ Risk management
▪ Incident management
ISSUE MANAGEMENT
▪ Security issue management is a preventive and corrective measure.
▪ It identifies and fixes exposures before attackers can take advantage of them.
SECURITY ISSUES
• Vulnerabilities uncovered by the security advisory
process.
• Deviation from security policy
• Vulnerability uncovered during security testing
• Security incidents
RESOLVING SECURITY ISSUES
• Issue fixed
  • Fixing the security exposure is the best outcome.
• Issue mitigated
  • The second option is to find a compromise. When a risk is mitigated, a degree of security is implemented to reduce the risk represented by the exposure, e.g. a firewall rule that blocks particular network traffic instead of installing a software patch on the server.
• Risk accepted
  • The third option is to accept the risk and decide not to address the security problem. This is the least desirable outcome.
EXAMPLE
• If a security vulnerability is found within the Red Hat Linux operating system, and a company cannot upgrade the various deployed servers because upgrading may break business applications, a firewall may be able to block the necessary ports to prevent attackers from exploiting the vulnerability.
SECURITY RISK MANAGEMENT
• This is a preventive security control.
• It compares the financial cost of implementing security measures with the possible cost of a security breach.
• Risk management is an extension of the issue management process.
EXAMPLE
• If a Red Hat Linux server does not have the latest patch installed, this exposure should be tracked through the security issue management process.
• However, imagine a situation in which the system administrator notifies the application developers that a patch is imminent, and the application developers respond with the warning that installing the patch will break their application. If management decides that the patch should be installed regardless of the application problem, the issue management process is then followed until the issue is closed.
• If management agrees that the application is critical, the management team must accept the risk and initiate the risk management process.
RISK MANAGEMENT PROCESS
• Assessing risk
  • Quantitative risk assessment provides the financial figures by comparing control cost vs. threat cost.
  • Qualitative risk assessment consists of subjective components, such as professional experience, education and judgment, used to analyze the risk.
• Managing risk
  • The accepted risk must be reassessed on a regular basis to decide either to fix the problem or to allow it to remain untreated.
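As an added worked example (not from the slides), the quantitative comparison applied to the Red Hat patch-versus-firewall scenario above and mapped onto the three outcomes (fixed, mitigated, accepted); it assumes the standard annualized loss expectancy model (ALE = SLE × ARO) and uses constructed cost figures.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Exposure:
    name: str
    sle: float  # single loss expectancy: estimated cost of one breach
    aro: float  # annualized rate of occurrence: expected breaches per year

    @property
    def ale(self) -> float:
        # annualized loss expectancy: the "threat cost" side of the comparison
        return self.sle * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float
    risk_reduction: float  # fraction of the ALE the control removes (1.0 = fully fixed)
    feasible: bool = True  # False when the control would break a critical application

def residual_ale(exposure: Exposure, control: Control) -> float:
    return exposure.ale * (1.0 - control.risk_reduction)

def net_benefit(exposure: Exposure, control: Control) -> float:
    # yearly loss avoided minus yearly control cost; positive means the control pays off
    return (exposure.ale - residual_ale(exposure, control)) - control.annual_cost

def decide(exposure: Exposure, controls: list[Control]) -> tuple[str, str | None]:
    """Map the cost comparison onto the three outcomes: fixed, mitigated or accepted."""
    worthwhile = [c for c in controls if c.feasible and net_benefit(exposure, c) > 0]
    if not worthwhile:
        # No feasible control pays for itself: management accepts the risk and the
        # exposure moves into the risk management process for regular review.
        return ("accepted", None)
    best = max(worthwhile, key=lambda c: net_benefit(exposure, c))
    outcome = "fixed" if best.risk_reduction >= 1.0 else "mitigated"
    return (outcome, best.name)

# Constructed figures for the Red Hat scenario on the slides (not real data).
RHEL_EXPOSURE = Exposure("unpatched RHEL service", sle=200_000, aro=0.25)  # ALE 50,000/yr
PATCH = Control("install vendor patch", annual_cost=2_000, risk_reduction=1.0, feasible=False)
FIREWALL = Control("block vulnerable ports at the firewall", annual_cost=8_000, risk_reduction=0.8)

if __name__ == "__main__":
    print(decide(RHEL_EXPOSURE, [PATCH, FIREWALL]))
```

Marking the patch as feasible again makes it the chosen outcome ("fixed"), and an exposure whose ALE is below every control's cost ends up "accepted".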
SECURITY INCIDENT MANAGEMENT
• The process is a detective and corrective security control.
• It contains the planning for the proper detective measures.
• It contains the necessary contact information and procedures for quick, efficient and effective responses to security threats.
It consists of the following concepts:
• Preparation
• Reaction
• Assessment
PREPARATION
• Learn applicable laws
• Build a computer incident response team
• Develop a communication plan
• Develop a response plan
• Conduct training
• Post no trespassing
• Detect malicious activity
REACTION
• Stay calm
• Start a detailed log
• Conduct thorough interviews
• Coordinate communication
• Determine the extent of the intrusion
• Protect evidence
• Contain the problem
• Determine the root of the problem
• Restore business operations
ASSESSMENT
It is time to review current security policies, processes and
practices for necessary improvements.
Further Readings
Chapter 5, "Plan for Security", in Principles of Information Security by Michael E. Whitman.
http://www.mpug.com/articles/pmp-prep-qualitative-vs-quantitative-risk-analysis/