Cybersecurity Risk Management

This document discusses various strategies for controlling risks and types of intrusion detection systems. It outlines five strategies for controlling risks: defend, transfer, mitigate, accept, and terminate. It then describes network intrusion detection systems and host intrusion detection systems, covering their components and detection methods. The document also discusses port scanners, firewall analysis tools, operating system detection tools, packet sniffers, and wireless security tools that can be used by both attackers and defenders. Finally, it outlines key components of a security architecture, including physical, technical, and administrative security spheres and controls.

Uploaded by Ruby

1. RISK CONTROL STRATEGY:

- Once the ranked vulnerability risk worksheet is complete, one of five strategies must be chosen to control each risk:
  - Apply safeguards (defend)
  - Transfer the risk (transfer)
  - Reduce the impact (mitigate)
  - Understand the consequences and accept the risk (accept)
  - Avoid activities that are too risky (terminate)

DEFEND:

- Attempts to prevent exploitation of the vulnerability
- Preferred approach; accomplished by countering threats, removing asset vulnerabilities, limiting access to the asset, and adding protective safeguards
- Three common methods of applying the defend strategy (formerly called risk avoidance):
  - Application of policy
  - Training and education
  - Applying technology

TRANSFER:

- Control approach that attempts to shift the risk to other assets, processes, or organizations (outsourcing, service contracts, insurance)
- If the organization lacks security management and administration expertise in-house, it should hire individuals or firms that provide it
- The organization may then transfer the risk associated with managing complex systems to another organization experienced in dealing with those risks
- Caveat: transfer shifts the handling of the risk, not the accountability for it; the organization still owns the outcome and must verify (contractually and by audit) that the other party actually controls the risk
MITIGATE:

- Attempts to reduce the impact of vulnerability exploitation through planning and preparation
- The approach includes three types of plans:
  - Incident response plan (IRP): actions taken while the incident is in progress
  - Disaster recovery plan (DRP): restoring operations at the primary site after the event
  - Business continuity plan (BCP): keeping critical functions running, typically at an alternate site, while recovery proceeds

ACCEPT:

- Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
- Valid only when the particular function, service, information, or asset does not justify the cost of protection; the decision should be documented and signed off, not reached by default
- Risk appetite describes the degree to which the organization is willing to accept risk as a trade-off against the expense of applying controls

TERMINATE:

- Directs the organization to avoid those business activities that introduce uncontrollable risks
- The organization may seek an alternate mechanism to meet customer needs

2. TYPES OF IDPS:

- Intrusion detection and prevention systems (IDPSs; the notes also use the older term IDS) operate as network-based or host-based
- IDPSs use one or more of three detection methods (most products combine them):
  - Signature-based
  - Statistical anomaly-based
  - Stateful protocol analysis
NIDPS:

- A network-based IDPS resides on a computer or appliance connected to a segment of an organization’s network and looks for signs of attacks
- Installed at a specific place in the network where it can watch traffic going into and out of a particular network segment; on a switched network that means a SPAN/mirror port or a tap, otherwise the sensor sees only its own traffic
- When examining packets, a NIDPS looks for attack patterns
- Done by using a special implementation of the TCP/IP stack:
  - In protocol stack verification, the NIDPS looks for invalid data packets (malformed headers, impossible flag combinations, bad fragmentation)
  - In application protocol verification, higher-order protocols are examined for unexpected packet behavior or improper use
- Limitation: a NIDPS cannot inspect the contents of encrypted traffic
HIDPS:

- A host-based IDPS (HIDPS) resides on a particular computer or server and monitors activity only on that system
- Benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes files
- Most HIDPSs work on the principle of configuration or change management: record a known-good baseline, then report every deviation from it
- Advantage over a NIDPS: because it runs on the endpoint, it can inspect data that is encrypted while travelling over the network, since the host decrypts that data before using it
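The file-monitoring principle above, as an added example that is not part of the original notes: a known-good baseline of file hashes, sizes and permission bits is recorded, and a later pass reports which files were created, modified or deleted. The watched directory, its files and the simulated intrusion are all constructed inside the script so it runs offline.

```python
"""Host-based change detection: baseline key files, then report creates,
modifies and deletes. Added example, not the notes' own code; the watched
directory and the sample files are constructed here for the demonstration."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root):
    """Benchmark: map every file under root to (hash, size, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            key = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[key] = (hash_file(path), st.st_size, st.st_mode & 0o777)
    return baseline


def compare(old, new):
    """Return (created, modified, deleted) lists by comparing two baselines."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return created, modified, deleted


def demo():
    """Constructed scenario: baseline a temp dir, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "shadow"), "w") as f:
            f.write("root:!:19000:0:99999:7:::\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        before = take_baseline(root)

        # Simulated intrusion: a second uid-0 account appended to passwd,
        # a new executable dropped at the top level, and motd removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "backdoor"), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(root, "backdoor"), 0o755)
        os.remove(os.path.join(root, "etc", "motd"))

        after = take_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    created, modified, deleted = demo()
    print("created:", created, "modified:", modified, "deleted:", deleted)
```

A real HIDPS stores the baseline somewhere the intruder cannot rewrite (a remote server or a signed database), otherwise the attacker simply re-baselines after the change; the comparison logic is the same as above.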

Signature-Based IDPS:

- Examines data traffic in search of patterns that match known signatures
- Widely used because many attacks have clear and distinct signatures
- The problem with this approach is that as new attack strategies are identified, the IDPS’s database of signatures must be continually updated; an attack with no signature yet (or one obfuscated to avoid the signature) is not detected

Statistical Anomaly-Based IDPS:

- The statistical anomaly-based IDPS (stat IDPS), or behavior-based IDPS, samples network activity and compares it to traffic that is known to be normal
- When measured activity is outside the baseline parameters or clipping level (the threshold above which activity is treated as abnormal), the IDPS triggers an alert
- Can detect new types of attacks, because it does not depend on knowing the attack in advance
- Requires much more overhead and processing capacity than the signature-based approach
- May generate many false positives, and a baseline learned while an attacker was already active treats that activity as normal

Stateful Protocol Analysis IDPS:

- SP 800-94: stateful protocol analysis (SPA) is the process of comparing predetermined profiles of generally accepted definitions of benign activity for each protocol state against observed events to identify deviations
- Stores and uses relevant data detected in a session to identify intrusions involving multiple requests/responses; this allows the IDPS to better detect specialized, multisession attacks (sometimes called deep packet inspection)
- Drawbacks: analytical complexity; processing overhead; may fail to detect an attack unless it violates the protocol’s fundamental behavior; may itself cause problems with the protocol it is examining
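The three detection methods side by side, as an added example that is not part of the original notes: a signature matcher run over constructed request payloads, a statistical detector that derives a clipping level (mean plus three standard deviations) from constructed baseline samples, and a stateful analyser that walks an SMTP command sequence against a benign-state profile and reports verbs that are illegal in the current state. The signatures, baseline figures, traffic and the simplified SMTP profile are all assumptions made for the demonstration.

```python
"""Three IDPS detection methods on constructed input: signature matching,
statistical anomaly detection against a baseline, and stateful protocol
analysis of an SMTP command sequence. Added example, not from the original
notes; the signatures, baseline figures and traffic are made up."""
import re
import statistics

# --- 1. Signature-based: known-bad byte patterns looked for in payloads -----
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./"),
    "sqli-tautology": re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "win-cmd-shell": re.compile(rb"cmd\.exe", re.IGNORECASE),
}


def signature_detect(payloads):
    """Return [(payload_index, signature_name), ...] for every match."""
    hits = []
    for i, data in enumerate(payloads):
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                hits.append((i, name))
    return hits


# --- 2. Statistical anomaly-based: compare activity with a learned baseline --
def clipping_level(baseline_samples, k=3.0):
    """Threshold = mean + k standard deviations of the normal-period samples."""
    mean = statistics.mean(baseline_samples)
    sd = statistics.pstdev(baseline_samples)
    return mean + k * sd


def anomaly_detect(baseline_samples, observed, k=3.0):
    """Flag hosts whose observed rate exceeds the clipping level.
    observed: {host: connections_per_minute}. No signature is needed, which is
    why a scanner never seen before is still caught; a host that is merely
    busy is caught too (false positive)."""
    level = clipping_level(baseline_samples, k)
    return sorted(h for h, rate in observed.items() if rate > level)


# --- 3. Stateful protocol analysis: is each command legal in this state? -----
# Simplified benign SMTP profile (assumption): verbs acceptable in each state
# and the state they lead to. The message body after DATA is not modelled.
SMTP_PROFILE = {
    "INIT":  {"HELO": "READY", "EHLO": "READY", "QUIT": "INIT"},
    "READY": {"MAIL": "MAIL", "RSET": "READY", "NOOP": "READY", "QUIT": "INIT"},
    "MAIL":  {"RCPT": "RCPT", "RSET": "READY", "QUIT": "INIT"},
    "RCPT":  {"RCPT": "RCPT", "DATA": "READY", "RSET": "READY", "QUIT": "INIT"},
}


def stateful_smtp(commands):
    """Walk an SMTP session; return deviations as (command_index, verb, state).
    Each command is legal or not depending on what came before it, which a
    per-packet signature cannot express."""
    state = "INIT"
    deviations = []
    for i, line in enumerate(commands):
        verb = line.split(" ", 1)[0].upper()
        transitions = SMTP_PROFILE[state]
        if verb in transitions:
            state = transitions[verb]
        else:
            deviations.append((i, verb, state))   # e.g. DATA before any RCPT
    return deviations


# Constructed sample traffic (not captured from a real network).
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",
    b"POST /login user=admin' OR 1=1--",
]
BASELINE_CONN_PER_MIN = [10, 12, 9, 11, 10, 13, 8, 11]   # normal-period samples
OBSERVED = {"10.0.0.5": 11, "10.0.0.9": 140}               # .9 is scanning
SMTP_SESSION = ["EHLO mail.example.com", "MAIL FROM:<a@x>", "DATA", "RCPT TO:<b@y>"]

if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_PAYLOADS))
    print("anomalous hosts:", anomaly_detect(BASELINE_CONN_PER_MIN, OBSERVED))
    print("protocol deviations:", stateful_smtp(SMTP_SESSION))
```

On the constructed data the signature matcher flags the traversal and the SQL tautology but would miss a variant it has no pattern for; the anomaly detector flags 10.0.0.9 without knowing what a scan looks like; and the stateful check flags DATA issued before any recipient was given, which no single-packet rule could see.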

3. Scanning and Analysis Tools:

- Typically used to collect information that an attacker would need to launch a successful attack
- Attack protocol: a series of steps or processes used by an attacker, in a logical sequence, to launch an attack against a target system or network
- Footprinting: the organized research of Internet addresses owned or controlled by a target organization
- Fingerprinting: a systematic survey of all of the target organization’s Internet addresses collected during the footprinting phase
- Fingerprinting reveals useful information about the internal structure and operational nature of the target system or network for the anticipated attack
- These tools are valuable to the network defender because they can quickly pinpoint the parts of the systems or network that need prompt repair to close a vulnerability

PORT SCANNERS:

- Tools used by both attackers and defenders to identify computers active on a network, the services they expose, and other useful information
- Can scan for specific types of computers, protocols, or resources, or their scans can be generic
- The more specific the scanner is, the more useful the information it gives attackers and defenders
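A minimal TCP connect scanner, as an added example that is not from the original notes. So that it runs offline, the script first starts its own listener on a loopback port with a made-up banner, then scans that port together with one that is closed; the listener, banner and port choice are constructed for the demonstration. Scan only hosts you are authorized to test.

```python
"""TCP connect scan against a service listener started locally, so the
example runs offline. Added example, not from the notes; the listener, the
banner and the port choice are constructed for the demonstration."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(banner=b"SSH-2.0-demo\r\n"):
    """Constructed target: a TCP service on an ephemeral port that sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Connect scan of one port: returns (port, banner) if open, else None.
    A completed TCP handshake means something is listening; a refusal or a
    timeout means closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(128).strip()   # many services talk first
            except socket.timeout:
                banner = b""
            return port, banner
    except OSError:                            # refused, timed out, unreachable
        return None


def scan(host, ports, workers=32):
    """Scan ports in parallel; returns {port: banner} for the open ones."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for result in pool.map(lambda p: probe(host, p), ports):
            if result:
                open_ports[result[0]] = result[1]
    return open_ports


def closed_port():
    """Pick an ephemeral port that is (almost certainly) closed right now."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_listener()
    print(scan("127.0.0.1", [listening, closed_port()]))
    srv.close()
```

The banner is what turns "port open" into "this is probably an SSH server", which is the specificity the notes mean: the defender can check whether that service should be exposed, and the attacker learns what to attack.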

FIREWALL ANALYSIS TOOLS:

- Several tools automate remote discovery of firewall rules and assist the administrator in analyzing the rules
- Administrators who feel wary of using the same tools that attackers use should remember:
  - It is the intent of the user that dictates how the information gathered will be used
  - In order to defend a computer or network well, it is necessary to understand the ways it can be attacked
- A tool that can help close up an open or poorly configured firewall will help the network defender minimize the risk of attack

OPERATING SYSTEM DETECTION TOOLS:

- Detecting a target computer’s operating system (OS) is very valuable to an attacker, since exploits and default credentials are OS-specific
- Many tools use networking protocols to determine a remote computer’s OS, typically by comparing how its TCP/IP stack answers crafted probes (initial TTL, window size, option ordering) against a database of known stacks

PACKET SNIFFERS:

- A network tool that collects copies of packets from the network and analyzes them
- Can provide the network administrator with valuable information for diagnosing and resolving networking issues
- In the wrong hands, a sniffer can be used to eavesdrop on network traffic
- To use a packet sniffer legally, the administrator must be on a network that the organization owns, be under direct authorization of the owners of the network, and have the knowledge and consent of the content creators
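The analysis half of a sniffer, as an added example that is not from the original notes. Capturing frames needs a raw socket or libpcap and root, so here a single Ethernet/IPv4/TCP frame is constructed in memory (with a valid IP header checksum) and then decoded layer by layer; the final function shows what an eavesdropper gets from a cleartext HTTP request. The addresses, ports and credential are made up.

```python
"""Decode Ethernet/IPv4/TCP headers from a frame and inspect the payload.
Added example, not from the notes. The frame is built in memory so the
decoder runs offline; addresses and the credential are made up."""
import base64
import struct


def ip_checksum(header):
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload (TCP checksum left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # src, dst, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode headers layer by layer; raise ValueError on anything malformed."""
    if len(frame) < 34:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto}
    if proto == 6:                                    # TCP
        tcp = ip[ihl:total_len]
        sport, dport, _seq, _ack, off_res, flags, _win = struct.unpack("!HHIIBBH", tcp[:16])
        doff = (off_res >> 4) * 4
        info.update(sport=sport, dport=dport, flags=flags, payload=tcp[doff:])
    return info


def find_basic_auth(payload):
    """What an eavesdropper gets from cleartext HTTP: the decoded Basic credential."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode()
    return None


# Constructed request; the credential is made up ("alice:hunter2" in base64).
SAMPLE_PAYLOAD = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n")

if __name__ == "__main__":
    info = parse_frame(build_frame("10.0.0.7", "10.0.0.80", 50000, 80, SAMPLE_PAYLOAD))
    print(info["src"], "->", info["dst"], "port", info["dport"])
    print("credential on the wire:", find_basic_auth(info["payload"]))
```

The same decoder applied to a TLS connection yields a payload that is ciphertext, which is the practical reason the sniffer threat is answered with encryption in transit rather than by trying to keep sniffers off the network.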

WIRELESS SECURITY TOOLS:

- An organization that spends its time securing the wired network and leaves wireless networks to operate in any manner is opening itself up to a security breach
- The security professional must assess the risk of wireless networks
- A wireless security toolkit should include the ability to sniff wireless traffic, scan wireless hosts, and assess the level of privacy or confidentiality afforded on the wireless network

1. Design of Security Architecture:

To inform the discussion of information security program architecture and to illustrate industry best practices, the following sections outline a few key security architectural components. Many of these components are examined in detail in later chapters of this book, but this overview can help you assess whether a framework and/or blueprint are on target to meet an organization’s needs.

Spheres of Security: The spheres of security, shown in Figure 5-8, are the foundation of the security framework. Generally speaking, the spheres of security illustrate how information is under attack from a variety of sources. The sphere of use, on the left-hand side of Figure 5-8, illustrates the ways in which people access information. For example, people read hard copies of documents and can also access information through systems. Information, as the most important asset in this model, is at the center of the sphere. Information is always at risk from attacks whenever it is accessible by people or computer systems. Networks and the Internet are indirect threats, as exemplified by the fact that a person attempting to access information from the Internet must traverse local networks. The sphere of protection, on the right-hand side of Figure 5-8, illustrates that between each layer of the sphere of use there must exist a layer of protection, represented in the figure by the shaded bands. For example, the items labeled “Policy and law”.

Physical Security Sphere: The physical security sphere includes controls that protect the physical assets of an organization. This includes access control systems, video surveillance, alarms, and physical barriers. Physical security controls are designed to prevent unauthorized access to physical assets, such as data centers, servers, and other critical infrastructure.

Technical Security Sphere: The technical security sphere includes controls that protect the digital assets of an organization. This includes firewalls, intrusion detection and prevention systems, encryption, and access control systems. Technical security controls are designed to prevent unauthorized access to digital assets, such as data, applications, and systems.

Administrative Security Sphere: The administrative security sphere includes controls that protect the policies, procedures, and people of an organization. This includes security policies and procedures, security awareness training, background checks, and security incident response planning. Administrative security controls are designed to ensure that security policies and procedures are implemented and followed, and that security incidents are handled appropriately.

2. Business continuity process:

Business continuity planning is an essential process for disaster management in information security. The goal of business continuity planning is to ensure that an organization can continue its operations during and after a disruptive event. A disruptive event can be anything that disrupts normal business operations, such as a natural disaster, cyber-attack, or other emergency.

The business continuity process typically involves several phases:

1. Risk Assessment: The first step in the business continuity process is to identify the potential risks and threats that could impact an organization's operations. This may include natural disasters, cyber-attacks, power outages, and other types of emergencies.

2. Business Impact Analysis: The next step is to assess the potential impact of each risk and threat on the organization's operations. This involves identifying critical business processes and systems, the order in which they must be restored, and the potential impact on customers, employees, and other stakeholders.

3. Business Continuity Planning: Once the risks and potential impacts have been identified, the organization can develop a business continuity plan that outlines the strategies and procedures to be used in the event of a disruptive event. This plan should include procedures for backup and recovery of critical systems and data, communication with stakeholders, and other key elements of the organization's operations.

4. Testing and Training: The business continuity plan should be tested regularly to ensure that it is effective and up to date. This may involve tabletop exercises, simulation drills, or other types of testing. Employees should also be trained on the procedures outlined in the business continuity plan, so that they can respond appropriately in the event of a disruptive event.

5. Maintenance and Updates: Finally, the business continuity plan should be regularly reviewed and updated to ensure that it remains effective against new risks and threats. This may involve updating procedures, testing new technologies, or other changes to the plan.

By following this business continuity process, organizations can be better prepared to manage the impact of a disruptive event on their operations. By identifying risks, assessing potential impacts, developing a plan, and testing and training employees, organizations can minimize the impact of a disaster and maintain critical operations during and after the event.

Same question with a scenario

Scenario: A large financial services company experiences a cyber-attack that compromises their customer data and critical systems. The attack disrupts the company's operations, leaving customers unable to access their accounts and causing financial losses for the company.

Business Continuity Process:

- Risk Assessment: The company's information security team conducts a risk assessment and determines that cyber-attacks are a potential threat to the organization's operations.
- Business Impact Analysis: The team conducts a business impact analysis and identifies critical business processes and systems, such as customer account management, transaction processing, and data storage. They determine that a cyber-attack could have a significant impact on the company's operations, resulting in financial losses and damage to the company's reputation.
- Business Continuity Planning: The company develops a business continuity plan that includes procedures for backup and recovery of critical systems and data, communication with customers and other stakeholders, and other key elements of the organization's operations. The plan also outlines roles and responsibilities for key personnel, such as the incident response team and IT staff.
- Testing and Training: The company regularly tests the business continuity plan through tabletop exercises and simulation drills. They also provide training for employees on the procedures outlined in the plan, such as how to respond to a cyber-attack and how to communicate with customers and other stakeholders.
- Maintenance and Updates: The company reviews and updates the business continuity plan regularly to ensure that it remains effective against new risks and threats. They also incorporate new technologies and procedures to improve the plan's effectiveness.
