Chapter 2: Lesson 4



visit us at www.wilber-learndev.com

Sources:

Watters, P. A. (2024). Cybercrime and Cybersecurity. CRC Press.
https://privacy.gov.ph/resources/other-resources/
https://sherloc.unodc.org/cld/en/education/tertiary/cybercrime/module-9/index.html


Risk


Watters, P. A. (2024) emphasizes the need for a risk management approach in designing secure systems, as achieving a completely assured computing environment may be infeasible. In the context of computer security, risk is defined as the probability of an adverse event occurring, considering both the likelihood of the event and its potential impact. The goal is to engineer a low-risk environment in which threats and potential damage are actively minimized.

The analogy of driving to work illustrates key risk management concepts. Human safety, particularly life safety, is prioritized above other outcomes. Minor property damage is considered acceptable and reparable. Risks can arise from both accidental and intentional events, and systematic assessment involves ranking risks by severity and probability. Mitigation approaches should be directed towards the highest-risk activities, acknowledging that it’s impossible to protect against all potential risks. Acceptance of residual risk becomes a key responsibility in computer security management.

The processes of assessing and mitigating risks are described below according to Watters, P. A. (2024):

    1. Risk Assessment Scope (Scoping)
    2. Analyzing Data (Analyzing)
    3. Risk Mitigation or Acceptance

Risk Assessment Scope

According to Watters, P. A. (2024), scoping is a crucial aspect of risk assessment in cybersecurity. The author highlights the importance of finding the right balance in scope – if too broad, interpreting results becomes challenging and data collection becomes resource-intensive; if too narrow, significant threats may be overlooked. The scope of a risk assessment in computer security can range from individual users to entire regions, countries, services, applications, or any combination of these entities.

Determining the scope depends on factors such as the specific problem at hand. For example, assessing the impact of installing Microsoft Windows in a data center environment may involve focusing on the data center, its physical environment, staff, internal and external networks, and applications. However, in cases like running an e-commerce site facing constant fraud from multiple countries, defining the boundary may be challenging. The cost of data collection and management’s willingness to bear the cost are crucial considerations. If the cost outweighs potential mitigations or exceeds the management’s security expenditure appetite, narrowing the scope may be necessary.

Analyzing:

According to Watters, P. A. (2024), the process of analyzing data for a risk assessment uses a matrix-based system that is common across many industries. The matrix correlates the severity of a threat with the probability of its occurrence. Threat events with high severity and high probability are considered the most significant, while those with lower probability and severity are rated lower accordingly.

Historical data is valuable in determining the severity of specific threats. For instance, rootkits are regarded as severe because they can enable malware to take control of an entire system, whereas spyware that serves advertising while disclosing personal information may be considered less impactful at the system level. The assessment of risks may require prioritization to ensure that the most dangerous threats receive appropriate attention, especially given the rapid evolution of different malware types.

Severity is also linked to the value of the entities involved, whether tangible or intangible. Quantifying the impact of intangible consequences, such as harm caused by service unavailability, can be challenging. Watters highlights the difficulty in measuring the intangible aspects, such as losing business or reputation due to highly publicized intrusions.

Identifying threats involves categorizing them into deliberate (e.g., spear-phishing attacks) and accidental (e.g., bushfires). Historical data in computer security allows for reasonable quantitative estimates of likelihood, impact, and severity. Once threats are identified, the next step is to determine safeguards to mitigate them. For example, antivirus software is a common safeguard against malware, and building standards guidelines can protect against bushfires in high-risk areas. The analysis may include assessing the effectiveness of existing safeguards and considering new ones if the threat is not adequately mitigated.

Risk Mitigation or Acceptance

According to Watters, P. A. (2024), after analyzing risk assessment data, the next step is to interpret the results in the context of either explicit risk acceptance or implementing countermeasures to mitigate the risk. The results of data analysis are typically ranked by threat, and strategies for mitigating each threat are identified and costed. It is common for multiple mitigations to be available for each threat, each with a different associated cost.

Management plays a key role in identifying and allocating the budget to fund necessary mitigations. Once countermeasures are implemented, the residual risk is accepted. At the management level, appropriate countermeasures are selected, and their implementation is then carried out at the organizational or technical level. The process of selecting the most suitable countermeasures involves asking questions and conducting a “what if” analysis. This analysis considers the changes from the status quo when a particular safeguard or set of countermeasures is implemented.

For instance, a question such as “what if antivirus software is installed to protect against malware?” is considered. The analysis compares that option with doing nothing and with alternative measures such as better access controls or physically separating high-risk and low-risk activities at the system level. However, reducing qualitative data to two dimensions can be challenging, given factors such as policies, laws, customs, technical constraints, and other non-functional requirements.
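A worked version of the matrix ranking and the “what if” comparison described above, added here as an example that is not from Watters or the lesson: threats are rated on 1–5 likelihood and severity scales, ranked by their matrix score, and each candidate safeguard is compared against the status quo within a budget. The threats, safeguards, ratings and costs are constructed for illustration.

```python
"""Risk-matrix ranking plus a "what if" comparison of countermeasures.
Constructed example: threats, ratings and costs are made up, not lesson data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (catastrophic)

    @property
    def risk(self) -> int:
        # One cell of the matrix: severity correlated with probability.
        return self.likelihood * self.severity

@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str            # the threat this safeguard addresses
    cost: int              # constructed cost units
    likelihood_after: int  # expected ratings once the safeguard is in place
    severity_after: int

def rank_threats(threats):
    """High-severity, high-probability events first; ties go to severity."""
    return sorted(threats, key=lambda t: (t.risk, t.severity), reverse=True)

def what_if(threat, options, budget):
    """Compare doing nothing with each affordable safeguard for one threat;
    returns (chosen option or None, residual risk that management accepts)."""
    best, residual = None, threat.risk  # status quo: no countermeasure
    for opt in options:
        if opt.threat != threat.name or opt.cost > budget:
            continue
        after = Threat(threat.name, opt.likelihood_after, opt.severity_after).risk
        # Prefer the larger risk reduction; on a tie, the cheaper option.
        if after < residual or (best and after == residual and opt.cost < best.cost):
            best, residual = opt, after
    return best, residual

THREATS = [Threat("rootkit", 2, 5), Threat("spyware", 4, 2), Threat("bushfire", 1, 5)]
OPTIONS = [Countermeasure("antivirus", "rootkit", 30, 1, 5),
           Countermeasure("application allow-listing", "rootkit", 80, 1, 3),
           Countermeasure("antivirus", "spyware", 30, 2, 2),
           Countermeasure("offsite backups", "bushfire", 50, 1, 3)]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        chosen, residual = what_if(t, OPTIONS, budget=60)
        print(f"{t.name:9} risk={t.risk:2} -> {chosen.name if chosen else 'accept'} (residual {residual})")
```

Raising or lowering the budget changes which safeguard survives the “what if” comparison, and a threat with no affordable option is left with its full risk to be explicitly accepted.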

Watters emphasizes the importance of reviewing and monitoring the effectiveness and impact of countermeasures over time, recognizing that constraints may change. This ongoing evaluation is crucial in ensuring that the selected countermeasures actively reduce the identified risks.


Incident Response and Management


According to Watters, P. A. (2024), the operational response to managing threats should employ a defense-in-depth approach to prevent, deter, manage, and solve incidents, whether they are tactical or strategic threats. In practice, this means:

    1. Preventing incidents from occurring in the first place, where possible, using situational crime prevention strategies
    2. Putting in place sufficient external/perimeter controls to minimize the chance of an incident occurring in the first place
    3. Using operational assurance measures to monitor activity and to detect events that might indicate that an incident is taking place
    4. Ensuring that an appropriate post-incident response (including forensics) can be used to prevent future incidents using the same attack vector, or to limit the damage from an ongoing incident.

Situational Crime Prevention

According to Watters, P. A. (2024), situational crime prevention in criminology aims to prevent intentional security incidents by reducing opportunities for crime. The framework, based on Ron Clarke’s 1995 study, involves five dimensions: (1) increasing effort, (2) increasing risk, (3) reducing rewards, (4) reducing provocations, and (5) removing excuses. These dimensions can be applied to protect systems and networks. For instance, in the first dimension, organizational targets can be hardened with perimeter defenses and access control. The content emphasizes the importance of using the situational crime prevention framework to plan defenses before considering incident response, so that fewer resources are spent on responding to incidents.

Ron Clarke’s 5 Dimensions of Situational Crime Prevention

    • Increasing the effort, by hardening targets, using access control, deflecting offenders, and controlling weapons
    • Increasing the risk, by employing suitable guardians, enhancing surveillance, and reducing anonymity
    • Reducing the rewards, by concealing and removing targets, identifying property, disrupting markets, and minimizing benefits
    • Reducing provocations, by avoiding disputes, discouraging imitation, and reducing arousal and stress
    • Removing excuses, by setting policies and rules, posting clear instructions, alerting consciences, assisting compliance, and controlling drugs and alcohol

Incident Response

According to Watters, P. A. (2024), incident response in large organizations involves the presence of a Computer Emergency Response Team (CERT) dedicated to managing security incidents. CERTs become aware of incidents through advisories on potential vulnerabilities, referrals from the helpdesk regarding suspicious messages, or monitoring and auditing for anomalous behavior. Time is crucial during CERT investigations, especially in the context of phishing attacks, where response times for takedowns directly impact financial implications.

The global Anti-Phishing Working Group (APWG) reported an average uptime of 46 hours and 3 minutes for phishing sites, emphasizing the need for swift action. One research challenge is automating the identification of messages related to security events, with existing automated systems classifying messages into threat or benign categories. Analyzing features such as URL strings, email headers, and natural language text can provide valuable clues about the perpetrators of an attack.

CERTs become aware of incidents through the following means:

    • Advisories noting potential vulnerabilities being released by vendors or national CERTs. The CERT team will then coordinate the internal response to determine if there is a vulnerability locally and provide or apply a remedy or fix.
    • A helpdesk might refer a suspicious message (such as an email) to the CERT, which will then determine whether the message constitutes a security event. One or more events may be evidence of an incident occurring.
    • Monitoring or auditing through operational assurance might uncover some evidence of anomalous or suspicious behavior, which the CERT will then investigate.

Disaster Response

According to Watters, P. A. (2024), disaster response at the strategic level involves addressing threats that have the potential to cripple an entire organization. Unlike incident response, which focuses on immediate threats, disaster response requires a contingency planning team to plan for the resumption and recovery of business operations after a disaster. This team may include representation from key functional business areas in addition to technology responsibilities.

The contingency planning process involves several steps, including target identification, target protection, threat identification, and strategy execution. Target identification entails identifying critical business functions that must be resumed in the event of a disaster, and reprioritizing them based on importance and resource constraints. Target protection involves determining the necessary resources for each critical function. Threat identification focuses on predicting likely disasters and planning the response, recovery, and resumption stages. Strategy execution involves verifying and validating disaster recovery strategies using real-world data.

The basic steps, as given by Watters, P. A. (2024), are:

    • Target identification—identifying the critical business functions that must be resumed in the event of a disaster, and reprioritizing in the order in which they will be resumed. This is because, with reduced resources available, it will certainly be necessary to resume some services ahead of others.
    • Target protection—for each target in a ranked list of critical functions, determining which resources are necessary to support those functions.
    • Threat identification—predicting which disasters are likely to affect the organization, and identifying how the initial response, service recovery, and business resumption stages will be implemented for a broad category of disasters.
    • Strategy execution—verifying and validating disaster recovery strategies using real-world data and examples where possible.

Critical business functions are identified by examining the structure and function of business units, referring to business plans, mission statements, or founding documentation. Resources necessary for organizational operation include staff, systems and networks, premises, the Internet, business applications, critical infrastructure, financial systems, and paper records. Various disasters, such as natural disasters or regulatory changes, can impact organizations, and planning should be informed by proper risk assessment.

Disaster recovery planning at the technical level involves options ranging from hot sites that fully duplicate the live site’s functions to cold sites that can be reactivated with some effort. Redundant sites mirror the primary site, allowing a seamless switch, while reciprocal agreements let organizations offer each other use of their primary site as a failover. The extent of replication is constrained by cost, which is why planning must be cost-effective and informed by the risk assessment. In sum, there is a wide range of potential disasters that can affect any organization, and the best place to start anticipating them is to look at the physical, geographical, historical, and political factors that might influence future events. Such scenarios might include:

    • Company headquarters being burnt to the ground during a bushfire
    • A regional office responsible for payroll being flooded by a tropical storm or flood
    • The company CEO and board being killed in an airplane disaster
    • The forced nationalization of a company’s subsidiary in a foreign country by that country’s government
    • Regulatory changes including changes to taxation legislation


— END OF LESSON 4 —

