CSSLP Tutorial: This section of module 1, is over risk management.
What we need to analyze is the comparison between the value of what we are protecting and the cost of what we spend. Remember the purpose of security is to support the business. So, if we are adding more security than what is necessary, then it’s a problem for the business. When a person is trying to work a system and they come up against security screen after security screen, and the data is of high value, then it’s worth it. But, if it’s low value like someone selling calendars and posters in one of the kiosk sites in one of the middle sections of a mall, then may need to rethink having so many security mechanisms. The aspects of risk management include: identity, assess, treat, and monitor. This will be discussed in a later section associated with risk management. At this point, a simple understanding is that risk management is what drives the amount of implementation of these security mechanisms.
So this first section as an introduction to risk has to do with definitions of terms. Then, we’ll talk about different types of risks. Then, we’ll talk about models of risk management and some options when dealing with risk. This very first part is associated with the terms and their definitions.
CSSLP Tutorial: There’s a number of terms to define. The first is asset.
The other terms are: risk, threat, vulnerability exploit, controls, secondary risk, residual risk, fall back plan, and workaround. So, the definition for asset is that it is something we value or something we want to protect. Assets can be tangible as in actual hardware, or it can be intangible like , modifications or customized options. For example, if I purchased a computer last year at $400, while the hardware would certainly be reduced and the value of the computer would be reduced to perhaps $250, the data would be substantially more valuable. That’s the intangible portion, where it may have taken many hours to create and produce the data which is currently housed in the computer. It could have value to my customer; it could have value to my competitors. Intellectual property, proprietary information like procedures for a tool used in a lab setting, whichever kind of information, which allows for the organization to have a competitive edge against the milieu of companies with similar products or processes, all have greater value.
CSSLP Tutorial: Threats are anything that will harm the asset.
A vulnerability is where there is a weakness within the system. The potential for loss is looking at the likelihood that a threat will open up a vulnerability and misuse it, which defines the term risk. Risk is when there is a likelihood of a threat that will materialize. The instance of compromise or the point in time when our system is vulnerable and has been exposed to the threat is the exploit, itself. Controls are when we have developed some set of options and actions to reduce the threats or have some sort of risk mitigation strategy we’ve developed and it’s ready to go. So, if threats can harm the system then controls are ways to help fight against the threats. There are different types of controls.
There are two main types of controls.
The first type is proactive where we talk about sanitizing our data, doing input validation and such. This is where the design is to stop the attack. The second type is reactive, where we talk about how exceptions are handled or how options like intrusions, etc. are handled. Others that are reactive designs are detection systems, audit logs and so on. We need both the proactive and reactive types of controls developed on our system to reduce the threat or at least the degree of attack.
CSSLP Tutorial: There are at least three main types of risks.
There are total risks, residual risks, and secondary risks. The total risks are the amount of risk before implementing any safeguards. For example, if there isn’t any input validation on developed webpages or if there isn’t anything done about a possible code injection, what is the potential for loss? So, the risk that ‘s involved before anything is done to reduce the threats is referred to as the total risks. Obviously, the total risk is high and it’s too high to be satisfactory to your management team, you will find ways to reduce the total risk. Eliminating risks to a zero percent is not realistic, and becomes more and more expensive the closer you reach the zero percent mark. So, the part that’s left over once you initiate mitigation strategies, is referred to as the residual risk. You just have to match it to what their expectations are and so can have a bit, but make sure to meet your manager’s expectations. There’s a third type of risk referred to as secondary risk. This secondary risk is something that happens when trying to fix problems. For example, if you open one OS patch, it may fix a security problem but by being used, then open up a whole other set of issues. When we’ve fixed one problem but that just leads to another secondary risk. Overall, there are three main types of risks.
CSSLP Tutorial: These all represent very important terms to define as an introduction to the concepts of risk management.
There’s two other concepts to master. They are the fall back plan and the workaround. The fall black plan is when the first mitigation plan doesn’t work or doesn’t work as well as we’d hoped, that we have to have a fall black plan. The fall back plan is a planned response while the workaround isn’t. The workaround is when the other plans don’t work. This is the duct tape, chewing gum and living on a wing and a prayer, hoping it works when all else fails. The concepts associated with risk management will be further discussed after this set of definitions in the introduction.