CYB 309 Chap 1 and 2

The document provides an introduction to system security, emphasizing the importance of protecting computer systems and networks from various threats and vulnerabilities. It categorizes different types of cyber attacks, such as denial-of-service, phishing, and social engineering, while also outlining key security principles and account security policies. Additionally, it discusses file system security, types of file systems, and the significance of implementing effective security measures to safeguard data.

Uploaded by tunmilarayembra

CHAPTER ONE

INTRODUCTION TO SYSTEM SECURITY

1.1 Introduction
Computer/System security, cybersecurity or information technology
security (IT security) is the protection of computer systems and networks from
the theft of or damage to their hardware, software, or electronic data, as well as
from the disruption or misdirection of the services they provide.
The field is becoming more important due to increased reliance on computer
systems, the Internet and wireless network standards such as Bluetooth and Wi-
Fi, and due to the growth of "smart" devices, including smartphones, televisions,
and the various devices that constitute the "Internet of things". Owing to its
complexity, both in terms of politics and technology, cybersecurity is also one of
the major challenges in the contemporary world.

1.2 Vulnerabilities and Attacks

A vulnerability is a weakness in design, implementation, operation, or internal
control. Most of the vulnerabilities that have been discovered are documented in
the Common Vulnerabilities and Exposures (CVE) database.
An exploitable vulnerability is one for which at least one working attack or
"exploit" exists. Vulnerabilities can be researched, reverse-engineered, hunted, or
exploited using automated tools or customized scripts.

To secure a computer system, it is important to understand the attacks that can
be made against it. These threats can typically be classified into one of the
categories below:
i. Backdoor
A backdoor in a computer system, a cryptosystem or an algorithm, is any secret
method of bypassing normal authentication or security controls. They may exist
for a number of reasons, including by original design or from poor configuration.
They may have been added by an authorised party to allow some legitimate access,
or by an attacker for malicious reasons; but regardless of the motives for their
existence, they create a vulnerability. Backdoors can be very hard to detect, and
they are usually discovered by someone who has access to the application's
source code or intimate knowledge of the computer's operating system.

ii. Denial-of-service attack

Denial-of-service (DoS) attacks are designed to make a machine or network resource
unavailable to its intended users. Attackers can deny service to individual victims,
such as by deliberately entering a wrong password enough consecutive times to
cause the victim's account to be locked, or they may overload the capabilities of a
machine or network and block all users at once. While a network attack from a
single IP address can be blocked by adding a new firewall rule, many forms
of distributed denial-of-service (DDoS) attack are possible, where the attack comes
from a large number of points, and defending is much more difficult. Such attacks
can originate from the zombie computers of a botnet or from a range of other
possible techniques, including reflection and amplification attacks, where innocent
systems are fooled into sending traffic to the victim.

iii. Direct-access attacks

An unauthorized user gaining physical access to a computer is most likely able to
directly copy data from it. They may also compromise security by making operating
system modifications, installing software worms, keyloggers, covert listening
devices or using wireless mice. Even when the system is protected by standard
security measures, these may be bypassed by booting another operating
system or tool from a CD-ROM or other bootable media. Disk
encryption and the Trusted Platform Module (TPM) are designed to prevent these attacks.

iv. Eavesdropping
Eavesdropping is the act of surreptitiously listening to a private computer
"conversation" (communication), typically between hosts on a network. For
instance, programs such as Carnivore and NarusInSight have been used by
the FBI and NSA to eavesdrop on the systems of internet service providers. Even
machines that operate as a closed system (i.e., with no contact to the outside world)
can be eavesdropped upon via monitoring the faint electromagnetic transmissions
generated by the hardware; TEMPEST is a specification by the NSA referring to
these attacks.

v. Multi-vector, polymorphic attacks

In 2017, a new class of multi-vector, polymorphic cyber threats surfaced
that combined several types of attacks and changed form to avoid cybersecurity
controls as they spread. These threats have been classified as fifth-generation
cyberattacks.

vi. Phishing
Phishing is the attempt to acquire sensitive information such as usernames,
passwords, and credit card details directly from users by deceiving the
users. Phishing is typically carried out by email spoofing or instant messaging, and
it often directs users to enter details at a fake website whose "look" and "feel" are
almost identical to the legitimate one. The fake website often asks for personal
information, such as log-in details and passwords. This information can then be
used to gain access to the individual's real account on the real website. Preying on
a victim's trust, phishing can be classified as a form of social engineering. Attackers
are using creative ways to gain access to real accounts. A common scam is for
attackers to send fake electronic invoices to individuals showing that they recently
purchased music, apps, or other items, and instructing them to click on a link if the
purchases were not authorized.

Figure: An example of a phishing email, disguised as an official email from a (fictional)
bank. The sender is attempting to trick the recipient into revealing confidential
information by "confirming" it at the phisher's website. Note the misspelling of the
words received and discrepancy as recieved and discrepency, respectively.
Although the URL of the bank's webpage appears to be legitimate, the hyperlink
points at the phisher's webpage.

vii. Privilege escalation

Privilege escalation describes a situation where an attacker with some level of
restricted access is able to, without authorization, elevate their privileges or access
level. For example, a standard computer user may be able
to exploit a vulnerability in the system to gain access to restricted data; or even
become "root" and have full unrestricted access to a system.

viii. Reverse engineering

Reverse engineering is the process by which a man-made object is deconstructed
to reveal its designs, code, architecture, or to extract knowledge from the object;
similar to scientific research, the only difference being that scientific research is
about a natural phenomenon.

ix. Social engineering

Social engineering, in so far as computer security is concerned, aims to convince a
user to disclose secrets such as passwords, card numbers, etc. by, for example,
impersonating a bank, a contractor, or a customer. Social engineering, in the
context of information security, is the psychological manipulation of people into
performing actions or divulging confidential information.

A common scam involves fake CEO emails sent to accounting and finance
departments. In early 2016, the FBI reported that the scam has cost US businesses
more than $2 billion in about two years. In May 2016, the Milwaukee
Bucks NBA team was the victim of this type of cyber scam with a perpetrator
impersonating the team's president Peter Feigin, resulting in the handover of all
the team's employees' 2015 W-2 tax forms.

x. Spoofing
Spoofing is the act of masquerading as a valid entity through falsification of data
(such as an IP address or username), in order to gain access to information or
resources that one is otherwise unauthorized to obtain. There are several types of
spoofing, including:
• Email spoofing, where an attacker forges the sending (From, or source) address
of an email.
• IP address spoofing, where an attacker alters the source IP address in a network
packet to hide their identity or impersonate another computing system.
• MAC spoofing, where an attacker modifies the Media Access Control (MAC)
address of their network interface to pose as a valid user on a network.
• Biometric spoofing, where an attacker produces a fake biometric sample to pose
as another user.

xi. Tampering
Tampering describes a malicious modification or alteration of data. So-called Evil
Maid attacks and the planting of surveillance capability into routers by security
services are examples.

xii. Malware
Malicious software installed on a computer can leak personal information, can give
control of the system to the attacker and can delete data permanently.[21]

1.3 Security principles
Security principles denote the basic guidelines that should be used when designing
a secured system. Experience shows that a crucial success factor in the design of
a secured system is the correct consideration of security principles. Vulnerabilities
and attacks in most cases can be ascribed to the inadequate application of some
principles.

The purpose of the security principles is to provide strategic guidance on how
organisations can protect their systems and information from cyber threats. These
cyber security principles are grouped into four key activities: govern, protect, detect
and respond.
• Govern: Identifying and managing security risks.
• Protect: Implementing security controls to reduce security risks.
• Detect: Detecting and understanding cyber security events.
• Respond: Responding to and recovering from cyber security incidents.

Maturity modelling
When implementing the security principles, organisations can use the following
maturity model to assess the implementation of either individual principles, groups
of principles or the cyber security principles as a whole. The five levels in the
maturity model are:
• Incomplete: The cyber security principles are either partially implemented
or not implemented.
• Initial: The cyber security principles are implemented, but in a poor or ad
hoc manner.
• Developing: The cyber security principles are sufficiently implemented, but
on a project-by-project basis.
• Managing: The cyber security principles are established as standard
business practices and robustly implemented throughout the organisation.
• Optimising: A deliberate focus on optimisation and continual improvement
exists for the implementation of the cyber security principles throughout the
organisation.

1.4 Account Security

Account security policies
User account security policies help ensure that user accounts are protected and
properly secured. Using account security policies, you can set the following account
policies for AD accounts:

1.5 What is file system security?

Whenever data is stored on physical media, it has the potential to become
compromised. For example, secret notes between Napoleon and his generals were
compromised and led, in part, to his defeat. Napoleon's secret notes were written
on leather or paper and sent by fast riders. In a computer context, those secret
notes are stored on a hard drive and either used locally or transmitted across a
network to a friend, coworker, Internet site, or other location beyond your server
or organization. In this chapter, you'll see who can access those secret notes on the
local hard drive and how to ensure only the desired people and groups can access
them. Techniques for ensuring that your data remains secret when transmitted on
a network will be covered in subsequent chapters.

The use of long-term computer data storage, whose benefits are numerous, raises
special security considerations for the system administrator: how do you protect
data so that only the intended user has access while ensuring some level of
recoverability over time? In this chapter, you'll learn how to use file permissions
and EFS, the two main file protection mechanisms provided by Windows Server
2003, to control user access to files. You'll see how to use these mechanisms
appropriately and how they are often misconfigured in ways that prevent desired
access. You'll also learn how to plan for a number of special security concerns
specific to the use of portable computers. These plans may include Syskey, a
special tool for protecting the account database, which I show you how to use
properly.
Types of file systems
File system types can be classified into disk/tape file systems, network file systems
and special-purpose file systems.

Disk file systems

A disk file system takes advantage of the ability of disk storage media to randomly
address data in a short amount of time. Additional considerations include the
speed of accessing data following that initially requested and the anticipation that
the following data may also be requested. This permits multiple users (or processes)
access to various data on the disk without regard to the sequential location of the
data. Examples
include FAT (FAT12, FAT16, FAT32), exFAT, NTFS, HFS and HFS+, HPFS, APFS,
UFS, ext2, ext3, ext4, XFS, btrfs, Files-11, Veritas File
System, VMFS, ZFS, ReiserFS, and ScoutFS. Some disk file systems are journaling
file systems or versioning file systems.

Optical discs
ISO 9660 and Universal Disk Format (UDF) are two common formats that
target Compact Discs, DVDs and Blu-ray discs. Mount Rainier is an extension to
UDF supported since 2.6 series of the Linux kernel and since Windows Vista that
facilitates rewriting to DVDs.

Flash file systems

A flash file system considers the special abilities, performance and restrictions
of flash memory devices. Frequently a disk file system can use a flash memory
device as the underlying storage media but it is much better to use a file system
specifically designed for a flash device.

Tape file systems

A tape file system is a file system and tape format designed to store files on
tape. Magnetic tapes are sequential storage media with significantly longer random
data access times than disks, posing challenges to the creation and efficient
management of a general-purpose file system. In a disk file system there is typically
a master file directory, and a map of used and free data regions. Any file additions,
changes, or removals require updating the directory and the used/free maps.
Random access to data regions is measured in milliseconds so this system works
well for disks. Tape requires linear motion to wind and unwind potentially very long
reels of media. This tape motion may take several seconds to several minutes to
move the read/write head from one end of the tape to the other.

Tape formatting
Writing data to a tape, erasing, or formatting a tape is often a significantly time-
consuming process and can take several hours on large tapes.[a] With many data
tape technologies it is not necessary to format the tape before over-writing new data
to the tape. This is due to the inherently destructive nature of overwriting data on
sequential media.
Because of the time it can take to format a tape, typically tapes are pre-formatted
so that the tape user does not need to spend time preparing each new tape for use.
All that is usually necessary is to write an identifying media label to the tape before
use, and even this can be automatically written by software when a new tape is
used for the first time.

Database file systems

Another concept for file management is the idea of a database-based file system.
Instead of, or in addition to, hierarchical structured management, files are
identified by their characteristics, like type of file, topic, author, or similar rich
metadata.[12]
IBM DB2 for i [13] (formerly known as DB2/400 and DB2 for i5/OS) is a database
file system that is part of the object-based IBM i [14] operating system (formerly known
as OS/400 and i5/OS), incorporating a single-level store and running on IBM
Power Systems (formerly known as AS/400 and iSeries), designed by Frank G.
Soltis, IBM's former chief scientist for IBM i. Around 1978 to 1988, Frank G. Soltis
and his team at IBM Rochester successfully designed and applied
technologies like the database file system where others like Microsoft later failed to
accomplish.[15] These technologies are informally known as 'Fortress
Rochester' and were in a few basic aspects extended from early mainframe
technologies but in many ways more advanced from a technological
perspective.
Some other projects that aren't "pure" database file systems but that use some
aspects of a database file system:
• Many Web content management systems use a relational DBMS to store and
retrieve files. For example, XHTML files are stored as XML or text fields, while
image files are stored as blob fields; SQL SELECT (with optional XPath)
statements retrieve the files, and allow the use of sophisticated logic and
richer information associations than "usual file systems." Many CMSs also have
the option of storing only metadata within the database, with the standard
filesystem used to store the content of files.
• Very large file systems, embodied by applications like Apache
Hadoop and Google File System, use some database file system concepts.

Transactional file systems

Some programs need to either make multiple file system changes, or, if one or more
of the changes fail for any reason, make none of the changes. For example, a
program which is installing or updating software may write executables, libraries,
and/or configuration files. If some of the writing fails and the software is left
partially installed or updated, the software may be broken or unusable. An
incomplete update of a key system utility, such as the command shell, may leave
the entire system in an unusable state.

Transaction processing introduces the atomicity guarantee, ensuring that
operations inside of a transaction are either all committed or the transaction can
be aborted and the system discards all of its partial results. This means that if
there is a crash or power failure, after recovery, the stored state will be consistent.

Network file systems

A network file system is a file system that acts as a client for a remote file access
protocol, providing access to files on a server. Programs using local interfaces can
transparently create, manage and access hierarchical directories and files in remote
network-connected computers. Examples of network file systems include clients
for the NFS, AFS, SMB protocols, and file-system-like clients
for FTP and WebDAV.

Shared disk file systems

A shared disk file system is one in which a number of machines (usually servers)
all have access to the same external disk subsystem (usually a SAN). The file system
arbitrates access to that subsystem, preventing write collisions. Examples
include GFS2 from Red Hat, GPFS, now known as Spectrum Scale, from
IBM, SFS from DataPlow, CXFS from SGI, StorNext from Quantum
Corporation and ScoutFS from Versity.

Special file systems

A special file system presents non-file elements of an operating system as files so
they can be acted on using file system APIs. This is most commonly done in Unix-
like operating systems, but devices are given file names in some non-Unix-like
operating systems as well.

Device file systems

A device file system represents I/O devices and pseudo-devices as files,
called device files. Examples in Unix-like systems include devfs and, in Linux 2.6
systems, udev. In non-Unix-like systems, such as TOPS-10 and other operating
systems influenced by it, where the full filename or pathname of a file can include
a device prefix, devices other than those containing file systems are referred to by
a device prefix specifying the device, without anything following it.

How do you secure a file system?

Password Protect Folders and Files in Microsoft Windows. If you use Windows 10,
you can create hidden folders that are password protected without needing special
software. You can also edit the permissions settings of a folder to control access to
the contents.

CHAPTER TWO
SECURITY RISK ASSESSMENT

2.1 WHAT IS A SECURITY RISK ASSESSMENT?

A security risk assessment identifies, assesses, and implements key security controls in applications.
It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk
assessment allows an organization to view the application portfolio holistically—from an attacker’s
perspective. It supports managers in making informed resource allocation, tooling, and security
control implementation decisions. Thus, conducting an assessment is an integral part of an
organization’s risk management process.

A cyber security risk assessment identifies the information assets that could be affected by a cyber-
attack (such as hardware, systems, laptops, customer data and intellectual property). It then
identifies the risks that could affect those assets.

The primary purpose of a cyber risk assessment is to help inform decision-makers and support proper
risk responses. Assessments also provide an executive summary to help executives and directors make
informed decisions about security. Cybersecurity risk assessments help organizations understand,
control, and mitigate all forms of cyber risk. It is a critical component of risk management strategy
and data protection efforts.

Risk assessments are nothing new and whether you like it or not, if you work in information security,
you are in the risk management business. As organizations rely more on information technology and
information systems to do business, the digital risk landscape expands, exposing ecosystems to new
critical vulnerabilities.

The National Institute of Standards and Technology (NIST) has developed a Cybersecurity
Framework to provide a base for risk assessment practices.

The information security risk assessment process is concerned with answering the following
questions:
• What are our organization's most important information technology assets?
• What data breach would have a major impact on our business whether from malware, cyber
attack or human error? Think customer information.
• What are the relevant threats and the threat sources to our organization?
• What are the internal and external vulnerabilities?
• What is the impact if those vulnerabilities are exploited?
• What is the likelihood of exploitation?
• What cyber attacks, cyber threats, or security incidents could affect the ability of the
business to function?
• What is the level of risk my organization is comfortable taking?

If you can answer those questions, you will be able to make a determination of what to protect. This
means you can develop IT security controls and data security strategies to mitigate risk. Before you
can do that though, you need to answer the following questions:
• What is the risk I am reducing?
• Is this the highest priority security risk?
• Am I reducing the risk in the most cost-effective way?
This will help you understand the information value of the data you are trying to protect and allow
you to better understand your information risk management process in the scope of protecting
business needs.

2.2 WHAT IS CYBER RISK?
Cyber risk is the likelihood of suffering negative disruptions to sensitive data, finances, or business
operations online. Most commonly, cyber risks are associated with events that could result in a data
breach.
Examples of cyber risks include:
• Ransomware
• Data leaks
• Phishing
• Malware
• Insider threats
• Cyberattacks
Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A
vulnerability is a weakness that results in unauthorized network access when exploited, and a cyber
risk is the probability of a vulnerability being exploited.

Cyber risks are categorized from zero, low, medium, to high-risks. The three factors that feed into a
risk vulnerability assessment are:
• What is the threat?
• How vulnerable is the system?
• What is the reputational or financial damage if breached or made unavailable?
Using this simple framework, a high-level calculation of cyber risk can be developed:

Cyber risk = Threat x Vulnerability x Information Value

Imagine you were to assess the risk associated with a cyber attack compromising a particular
operating system. This operating system has a known backdoor in version 1.7 of its software that is
easily exploitable via physical means and stores information of high value on it. If your office has
no physical security, your risk would be high.
However, if you have good IT staff who can identify vulnerabilities and they update the operating
system to version 1.8, your vulnerability is low, even though the information value is still high
because the backdoor was patched in version 1.8.
A few things to keep in mind: there are very few things with zero risk to a business process or
information system, and risk implies uncertainty. If something is guaranteed to happen, it's not a
risk; it's part of general business operations.
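The formula and the version 1.7 / 1.8 backdoor scenario above, worked through in code. This is an added example, not part of the original notes: the 0-3 ordinal scale for each factor, the band thresholds and the asset names are assumptions of the example, and the asset register at the bottom is constructed sample data.

```python
"""Cyber risk = Threat x Vulnerability x Information Value, scored per asset.

Assumed for this example (the notes only name the bands): each factor is rated
zero/low/medium/high and mapped to 0..3, so the product ranges over 0..27.
"""
from dataclasses import dataclass

LEVELS = {"zero": 0, "low": 1, "medium": 2, "high": 3}
BAND_ORDER = ["zero", "low", "medium", "high"]


@dataclass(frozen=True)
class Asset:
    name: str
    threat: str             # how likely a threat source is to act against this asset
    vulnerability: str      # how exploitable the weakness currently is
    information_value: str  # reputational or financial damage if breached/unavailable

    def risk_score(self) -> int:
        """Apply the formula from the notes to this asset's three factors."""
        try:
            return (LEVELS[self.threat]
                    * LEVELS[self.vulnerability]
                    * LEVELS[self.information_value])
        except KeyError as bad:
            raise ValueError(f"unknown level {bad} on asset {self.name!r}") from None


def risk_band(score: int) -> str:
    """Map a 0..27 product back onto the zero/low/medium/high bands.

    Thresholds are an assumption of this example, not from the notes.
    """
    if score == 0:
        return "zero"
    if score <= 4:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


def prioritize(assets):
    """Return (name, score, band) rows, highest risk first: the prioritized
    list that a risk assessment is expected to end with."""
    rows = [(a.name, a.risk_score(), risk_band(a.risk_score())) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def needs_treatment(assets, appetite: str):
    """Names of assets whose band exceeds the organisation's stated risk appetite
    (the notes' question: what level of risk are we comfortable taking?)."""
    limit = BAND_ORDER.index(appetite)
    return [name for name, _, band in prioritize(assets)
            if BAND_ORDER.index(band) > limit]


def page_scenario():
    """The notes' example: a known backdoor in OS version 1.7 exploitable by
    physical means, high-value data and no physical security; then the same
    host after IT staff update it to 1.8, which patched the backdoor.
    Information value stays high; only the vulnerability factor drops."""
    before = Asset("workstation (OS 1.7, unpatched backdoor)", "high", "high", "high")
    after = Asset("workstation (OS 1.8, backdoor patched)", "high", "low", "high")
    return prioritize([before, after])


if __name__ == "__main__":
    # Constructed sample register (not from the notes).
    register = [
        Asset("public web server", "high", "medium", "medium"),
        Asset("HR file share", "medium", "low", "high"),
        Asset("throwaway test VM", "low", "high", "zero"),
    ]
    for row in page_scenario() + prioritize(register):
        print(row)
    print("above a 'low' appetite:", needs_treatment(register, "low"))
```

With the assumed thresholds the unpatched host scores 27 (high) and the patched one 9 (medium), which is the drop the notes describe without claiming the risk vanished.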

2.3 IT SECURITY ASSESSMENTS

Cybersecurity assessments or IT security assessments map the risks of different types of cyber threats.
This is what makes these assessments a crucial instrument to guarantee operational business
continuity. However, there are quite a few types of these security assessments and periodically a new
one appears.

How do you know which IT security assessment is the best fit for your situation and what threats can
these assessments help you to defend against?

2.3.1 Five Different IT Security Assessment Types and When To Apply Them
1. Vulnerability assessment
This technical test maps as many vulnerabilities that can be found within your IT environment as
possible. During the vulnerability assessment, testers look at the (potential) severity of a possible
attack on each part of a system, as well as recovery options and scenarios. The outcome is a priority
list of issues that should be addressed.

When to perform a vulnerability assessment?
This test is particularly relevant when not much has been done about security. The aim of the
assessment is to fix as many defects as possible, based on a priority list, available budgets and time.
Budgeting can also be determined after the Vulnerability Assessment has taken place so that there is
always sufficient budget to solve a detected vulnerability.

2. Penetration testing
With the penetration test, a specific potential target is inspected. For example domain rights that could
be hacked, but also customer or payment data that could be stolen, or stored information that could
be altered by cybercriminals. The outcome of the penetration test will show whether the current
security posture is sufficient or not.

When to perform the Penetration Test?

This is mainly used to confirm that the configuration of software, version management and locally
written code is safe. For this, several tests have already been performed in advance. This is a test at a
higher level and for the best results, experienced testers should be used to perform the inspection.

White/Grey/Black-box security test assessments

The White, Grey and Black-box 'assessments' are part of penetration testing. The colours indicate
how much information a tester has at their disposal. White stands for a test in which the tester has full
access to the code, network diagrams and other relevant information. With a grey-box assessment
that level of access and information is not complete, but only partly provided and available. A black-
box tester has no prior knowledge about the system that will be targeted.
In the case of a black-box assessment, the tester acts like an external hacker that tries to find
weaknesses using all sorts of methods and tactics.

3. Red Team assessment

A Red Team assessment consists of a group of people who assess the security of company
information. The Blue Team is responsible for securing this information. The Red Team is an
independent, external group that challenges the Blue Team. The goal of a Red Team Assessment is
to improve the effectiveness of the Blue Team.
It is important that the Red Team really is independent, so the Blue Team is put to the test and
regularly exposed to the modern and constantly changing (unexpected) attack methods while
monitoring the effectiveness of the team and cyber defences.

When is a Red Team Assessment relevant?

A Red Team Assessment is only useful for companies that apply advanced network security tactics.
Moreover, this assessment only makes sense if the Blue Team installed is normally

4. IT Audit
An IT Audit charts whether the current configuration matches the desired compliance standard. This
can be based on both technical aspects and documentation. So it does not really test how secure a
network is. It only shows how people define security within a company. The result is a document that
shows whether the compliance rules are met.

When to perform an IT Audit?

Audits are primarily instruments that demonstrate compliance. Often companies that are compliant
are stricter on safety. However, an audit does provide proof of the level or quality of network security.

5. IT Risk Assessment

A risk assessment determines the acceptable level and the actual level of risk. This cybersecurity
assessment type analyzes 2 dimensions of risk: the probability and the impact. This can be measured
both quantitatively and qualitatively.
After the analysis, the team decides which actions should be initiated to mitigate the actual risk level
to an acceptable level as much as possible. The IT Risk Assessment comes with a list of prioritized
risks that should be mitigated and recommended actions.

When is the IT Risk Assessment relevant?

In fact, 'risk assessment' is an umbrella term for mapping and identifying potential risks to the assets
of a company and how the organization wants to protect those assets. This is why the risk assessment
is useful in many cases.

2.3.2 Reduce risk with a cybersecurity assessment

With a cybersecurity assessment, you accurately determine potential exposure to cyber threats. Which
fits best with your company depends on the level of security and previous tests performed. Infradata
advises you and is then able to perform and arrange IT assessments for you. Together, we bring your
company's security policy to a higher level.

2.3.3 Why Perform a Cyber Risk Assessment?

There are a number of reasons you want to perform a cyber risk assessment and a few reasons you
need to. Let's walk through them:
• Reduction of long-term costs
  • Identifying potential threats and vulnerabilities, then working on mitigating them, has the
    potential to prevent or reduce security incidents, which saves your organization money and/or
    reputational damage in the long term
• Provides a cybersecurity risk assessment template for future assessments
  • Cyber risk assessments aren't one-off processes; you need to continually update them, and doing
    a good first turn will ensure repeatable processes even with staff turnover
• Better organizational knowledge
  • Knowing organizational vulnerabilities gives you a clear idea of where your organization
    needs to improve
• Avoid data breaches
  • Data breaches can have a huge financial and reputational impact on any organization
• Avoid regulatory issues
  • Customer data that is stolen because you failed to comply with HIPAA, PCI DSS or APRA
    CPS 234
• Avoid application downtime
  • Internal or customer-facing systems need to be available and functioning for staff and
    customers to do their jobs
• Data loss
  • Theft of trade secrets, code, or other key information assets could mean you lose business to
    competitors
Beyond that, cyber risk assessments are integral to information risk management and any
organization's wider risk management strategy.

2.3.4 Who Should Perform a Cyber Risk Assessment?


Ideally, organizations should have dedicated in-house teams performing risk assessments. This means
having IT staff with an understanding of how your digital and network infrastructure works,
executives who understand how information flows, and any proprietary organizational knowledge
that may be useful during assessment.

Organizational transparency is key to a thorough cyber risk assessment.
Small businesses may not have the right people in-house to do a thorough job and will need to
outsource the assessment to a third party. Organizations are also turning to cybersecurity
software to monitor their cybersecurity score, prevent breaches, send security questionnaires and
reduce third-party risk.

2.3.5 How To Perform A Cyber Risk Assessment


We'll start with a high-level overview and drill down into each step in the next sections. Before you
start assessing and mitigating risks, you need to understand what data you have, what infrastructure
you have, and the value of the data you are trying to protect.
You may want to start by auditing your data to answer the following questions:
• What data do we collect?
• How and where are we storing this data?
• How do we protect and document the data?
• How long do we keep data?
• Who has access internally and externally to the data?
• Is the place we are storing the data properly secured? Many breaches come from poorly
configured S3 buckets; check your S3 permissions or someone else will.
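As an added example (not part of the course notes), the following Python script checks an S3 bucket policy and an ACL, in the JSON shapes the S3 API returns, for grants that open the bucket to any principal. The sample policy and ACL are constructed, and the bucket name, account ID and VPC endpoint ID in them are placeholders:

```python
"""Flag S3 bucket policy statements and ACL grants that expose data publicly.

Added example, not from the course notes. It evaluates a policy document and
an ACL in the JSON shapes that S3 returns, without calling AWS; the sample
documents below are constructed for this example.
"""
import json

# Grantee URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    """IAM allows a single value or a list in most elements; normalize to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True if the Principal element means "anyone" ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_policy_statements(policy_json):
    """Return the Sids (or indexes) of Allow statements open to any principal.

    A statement is reported only if it has no Condition block; a Condition
    (e.g. aws:SourceVpce or aws:SourceIp) may legitimately narrow a "*"
    principal, so those need human review rather than automatic flagging.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            out.append((grantee["URI"], grant.get("Permission")))
    return out

# Constructed sample: one public read statement, one statement narrowed by a
# VPC-endpoint condition, one scoped to a single IAM role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

In practice you would feed it the `Policy` string returned by boto3's `get_bucket_policy` and the dict returned by `get_bucket_acl` for every bucket in the account. Treat the output as a first pass: account- or bucket-level Block Public Access settings can override a public statement, and a statement carrying a Condition still needs a human to decide whether the condition is tight enough.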
Next, you'll want to define the parameters of your assessment. Here are a few good primer questions
to get you started:
• What is the purpose of the assessment?
• What is the scope of the assessment?
• Are there any priorities or constraints I should be aware of that could affect the assessment?
• Who do I need access to in the organization to get all the information I need?
• What risk model does the organization use for risk analysis?
A lot of these questions are self-explanatory. What you really want to know is what you'll be
analyzing, who has the expertise required to properly assess, and are there any regulatory
requirements or budget constraints you need to be aware of.

2.3.6 Steps taken to Complete thorough Cyber Risk Assessment


Now let's look at what steps need to be taken to complete a thorough cyber risk assessment, providing
you with a risk assessment template.
Step 1: Determine information value
Most organizations don't have an unlimited budget for information risk management so it's best to
limit your scope to the most business-critical assets.
To save time and money later, spend some time defining a standard for determining the importance of
an asset. Most organizations include asset value, legal standing and business importance. Once the
standard is formally incorporated into the organization's information risk management policy, use it
to classify each asset as critical, major or minor.
There are many questions you can ask to determine value:
• Are there financial or legal penalties associated with exposing or losing this information?
• How valuable is this information to a competitor?
• Could we recreate this information from scratch? How long would it take and what would be
the associated costs?
• Would losing this information have an impact on revenue or profitability?
• Would losing this data impact day-to-day business operations? Could our staff work without
it?
• What would be the reputational damage of this data being leaked?

Step 2: Identify and prioritize assets


This step identifies the assets to evaluate and fixes the scope of the assessment, which lets you
prioritize which assets to assess. You may not want to perform an assessment on every
building, employee, electronic data, trade secret, vehicle, and piece of office equipment. Remember,
not all assets have the same value.
not all assets have the same value.
You need to work with business users and management to create a list of all valuable assets. For each
asset, gather the following information where applicable:
• Software
• Hardware
• Data
• Interface
• End-users
• Support personnel
• Purpose
• Criticality
• Functional requirements
• IT security policies
• IT security architecture
• Network topology
• Information storage protection
• Information flow
• Technical security controls
• Physical security controls
• Environmental security

Step 3: Identify cyber threats


A cyber threat is anything (an actor, an event or a condition) that could exploit a vulnerability to
breach security, cause harm or steal data from your organization. While hackers, malware, and other
IT security risks leap to mind, there are many other threats:
• Natural disasters: Floods, hurricanes, earthquakes, lightning and fire can destroy as much as
any cyber attacker. You can lose not only data but servers too. When deciding between
on-premises and cloud-based servers, think about the chance of natural disasters.
• System failure: Are your most critical systems running on high-quality equipment? Do they
have good support?
• Human error: Are your S3 buckets holding sensitive information properly configured? Does
your organization have proper education around malware, phishing and social engineering?
Anyone can accidentally click a malware link or enter their credentials into a phishing scam.
You need strong IT security controls, including regular data backups, password
managers, etc.
• Adversarial threats: third-party vendors, insiders (including trusted and privileged insiders),
established hacker collectives, ad hoc groups, corporate espionage, suppliers, nation-states

Some common threats that affect every organization include:


• Unauthorized access: by attackers, malware or employee error
• Misuse of information by authorized users: typically an insider threat where data is altered,
deleted or used without approval
• Data leaks: personally identifiable information (PII) and other sensitive data exposed by
attackers or via poor configuration of cloud services
• Loss of data: data lost or accidentally deleted because of poor backup or
replication
• Service disruption: loss of revenue or reputational damage due to downtime
After you've identified the threats facing your organization, you'll need to assess their impact.

Step 4: Identify vulnerabilities
Now it's time to move from what "could" happen to what has a chance of happening. A vulnerability
is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive
data. Vulnerabilities are found through vulnerability analysis, audit reports, the National Institute of
Standards and Technology (NIST) National Vulnerability Database (NVD), vendor advisories, incident
response teams, and software security analysis.

You can reduce organizational software-based vulnerabilities with proper patch management via
automatic forced updates. But don't forget physical vulnerabilities: the chance of someone gaining
access to an organization's computing systems is reduced by requiring keycard access.
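As an added example (not part of the course notes), the following Python script matches a software inventory against an advisory feed with affected version ranges, the core of a patch-management check. Hostnames, product names and advisory IDs are placeholders and all the data is constructed; a real feed such as the NVD JSON carries the same information in a richer schema, but the range logic is the same:

```python
"""Match an asset inventory against an advisory feed to list unpatched software.

Added example, not from the course notes. The inventory and the advisories
are constructed; product names and advisory IDs are placeholders, not real
CVEs. The point is correct version-range matching, which home-grown patch
checks frequently get wrong.
"""
import re

def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so that 2.10 sorts after 2.9.

    A plain string comparison gets this wrong ('2.10' < '2.9'), which causes
    both false negatives and false positives. Non-numeric suffixes such as
    '-rc1' are dropped.
    """
    nums = []
    for part in re.split(r"[.\-]", text):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)

def is_affected(version, advisory):
    """True if version lies in [introduced, fixed) for the advisory's product.

    A missing 'fixed' means no patched release exists yet, so every version
    from 'introduced' onward is affected.
    """
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"]) if advisory.get("fixed") else None
    return lo <= v and (hi is None or v < hi)

def find_exposures(inventory, advisories):
    """Return (host, product, version, advisory id, cvss) rows, worst CVSS first."""
    rows = []
    for host in inventory:
        for product, version in host["software"].items():
            for adv in advisories:
                if adv["product"] == product and is_affected(version, adv):
                    rows.append((host["host"], product, version, adv["id"], adv["cvss"]))
    return sorted(rows, key=lambda r: (-r[4], r[0]))

# Constructed sample data (placeholder hosts, products and advisory IDs).
INVENTORY = [
    {"host": "web-01", "software": {"exampled": "2.9.3",  "libparse": "1.4.0"}},
    {"host": "web-02", "software": {"exampled": "2.10.1", "libparse": "1.4.0"}},
    {"host": "db-01",  "software": {"exampledb": "14.2",  "libparse": "1.3.9"}},
]
ADVISORIES = [
    {"id": "ADV-2024-0001", "product": "exampled",  "introduced": "2.0.0", "fixed": "2.10.0", "cvss": 9.8},
    {"id": "ADV-2024-0002", "product": "libparse",  "introduced": "1.0.0", "fixed": "1.4.0",  "cvss": 7.5},
    {"id": "ADV-2024-0003", "product": "exampledb", "introduced": "14.0",  "fixed": None,     "cvss": 5.3},
]

if __name__ == "__main__":
    for row in find_exposures(INVENTORY, ADVISORIES):
        print(row)
```

Note that web-02 on 2.10.1 is correctly reported as patched even though "2.10.1" sorts before "2.9.3" as a string, and that the advisory with no fix yet still surfaces db-01 so the risk can be tracked rather than forgotten.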
Step 5: Analyze controls and implement new controls

Analyze the controls that are in place to minimize or eliminate the probability of a threat exploiting a
vulnerability. Controls can be implemented through technical means, such as hardware or software,
encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, continuous
data leak detection, or through nontechnical means like security policies and physical mechanisms
like locks or keycard access.

Controls should be classified as preventive or detective. Preventive controls attempt to stop attacks
before they succeed, such as encryption, antivirus, two-factor authentication and patching; detective
controls try to discover that an attack has occurred or is under way, such as intrusion detection,
continuous security monitoring and continuous data exposure detection.

Step 6: Calculate the likelihood and impact of various scenarios on a per-year basis
Now you know the information value, threats, vulnerabilities and controls, the next step is to identify
how likely these cyber risks are to occur and their impact if they happen. It's not just whether you
might face one of these events at some point, but how likely such an event is to succeed. You can
then use these inputs to determine how much to spend to mitigate each of your identified cyber risks.

Imagine you have a database that stores all your company's most sensitive information and that
information is valued at $100 million based on your estimates.
You estimate that in the event of a breach, at least half of your data would be exposed before it could
be contained. This results in an estimated loss of $50 million per incident (the single loss expectancy).
But you expect that this is unlikely to occur, say a one-in-fifty-year occurrence. That gives an
estimated loss of $50m every 50 years or, in annual terms, $1 million every year (the annualized loss
expectancy). This arguably justifies spending up to $1 million each year on controls that prevent it.

Step 7: Prioritize risks based on the cost of prevention vs information value


Use the risk level as a basis and determine actions for senior management or other responsible
individuals to mitigate the risk. Here are some general guidelines:
• High - corrective measures to be developed as soon as possible
• Medium - corrective measures to be developed within a reasonable period of time
• Low - decide whether to accept the risk or mitigate it

Remember, you have now determined the value of the asset and how much you could spend to protect
it. The next step is easy: if it costs more to protect the asset than it's worth, it may not make sense to
use a preventative control to protect it. That said, remember there could be reputational impact, not
just financial impact so it is important to factor that in too.
Also consider:
• Organizational policies
• Reputational damage
• Feasibility
• Regulations
• Effectiveness of controls
• Safety
• Reliability
• Organizational attitude towards risk
• Tolerance for uncertainty regarding risk factors
• The organizational weighting of risk factors
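The arithmetic of Step 6 and the cost-versus-value decision of Step 7, as an added example in Python (not part of the course notes). The risk and control figures and the High/Medium/Low thresholds are constructed assumptions; the first risk reproduces the $100 million database from Step 6:

```python
"""Quantitative risk triage: annualized loss expectancy and control cost-benefit.

Added example, not part of the course notes. All risk, control and threshold
figures are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float          # value of the asset (AV), in currency units
    exposure_factor: float      # fraction of AV lost per incident (EF, 0..1)
    annual_rate: float          # expected incidents per year (ARO); 1/50 = once in 50 years

    def sle(self):
        """Single loss expectancy: what one incident costs (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.annual_rate

@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str
    annual_cost: float          # yearly cost to run the control
    new_exposure_factor: float  # EF after the control is applied
    new_annual_rate: float      # ARO after the control is applied

def control_value(risk, control):
    """Net annual benefit of a control: ALE reduction minus its cost.

    Positive means the control pays for itself; negative means it costs more
    than the expected loss it removes (Step 7's "costs more than it's worth").
    """
    residual = Risk(risk.name, risk.asset_value,
                    control.new_exposure_factor, control.new_annual_rate)
    return risk.ale() - residual.ale() - control.annual_cost

def rate(risk, high=500_000, medium=50_000):
    """Map ALE onto the High/Medium/Low buckets of Step 7 (thresholds are assumptions)."""
    a = risk.ale()
    return "High" if a >= high else "Medium" if a >= medium else "Low"

def prioritize(risks, controls):
    """Rank controls by net annual benefit, highest first, with the risk's rating."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk_name]
        rows.append((c.name, r.name, rate(r), round(r.ale()), round(control_value(r, c))))
    return sorted(rows, key=lambda row: row[4], reverse=True)

# Constructed sample. The first risk is the notes' worked example: a $100M
# database, half exposed per breach, once in 50 years -> ALE $1M/year.
RISKS = [
    Risk("customer-db breach", 100_000_000, 0.5, 1 / 50),
    Risk("web-tier downtime", 2_000_000, 0.1, 4),
    Risk("laptop theft", 50_000, 1.0, 0.5),
]
CONTROLS = [
    Control("field-level encryption + key mgmt", "customer-db breach", 400_000, 0.05, 1 / 50),
    Control("redundant web tier", "web-tier downtime", 120_000, 0.1, 1),
    Control("full-disk encryption", "laptop theft", 5_000, 0.1, 0.5),
    Control("24x7 SOC retainer", "customer-db breach", 1_200_000, 0.4, 1 / 50),
]

if __name__ == "__main__":
    for row in prioritize(RISKS, CONTROLS):
        print(row)
```

The ranking shows the Step 7 rule in action: the SOC retainer addresses a High-rated risk but removes only $200,000 of expected annual loss for $1.2 million a year, so it lands last with a negative net value, while the cheap full-disk encryption on a Low-rated risk still pays for itself. Reputational and regulatory factors are not in these numbers and have to be weighed separately, as the notes say.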

Step 8: Document results from risk assessment reports


The final step is to develop a risk assessment report to support management in making decisions on
budget, policies and procedures. For each threat, the report should describe the risk, the vulnerabilities
and the asset value, along with the impact and likelihood of occurrence and control recommendations.
As you work through this process, you'll understand what infrastructure your company operates, what
your most valuable data is, and how you can better operate and secure your business. You can then
create a risk assessment policy that defines what your organization must do periodically to monitor
its security posture, how risks are addressed and mitigated, and how you will carry out the next risk
assessment process.

Whether you are a small business or multinational enterprise information risk management is at the
heart of cybersecurity. These processes help establish rules and guidelines that provide answers to
what threats and vulnerabilities can cause financial and reputational damage to your business and
how they are mitigated.
Ideally, as your security implementations improve and you react to the contents of your current
assessment, your cybersecurity score should improve.

2.3.7 HOW DOES A SECURITY RISK ASSESSMENT WORK


Factors such as size, growth rate, resources, and asset portfolio affect the depth of risk assessment
models. Organizations can carry out generalized assessments when experiencing budget or time
constraints. However, generalized assessments don’t necessarily provide the detailed mappings
between assets, associated threats, identified risks, impact, and mitigating controls.
If generalized assessment results don’t provide enough of a correlation between these areas, a more
in-depth assessment is necessary.

The 4 steps of a successful security risk assessment model


1. Identification. Determine all critical assets of the technology infrastructure. Next, identify the
sensitive data that is created, stored, or transmitted by these assets. Create a risk profile for
each.
2. Assessment. Apply an approach to assess the identified security risks for critical assets.
After careful evaluation and assessment, determine how to effectively and efficiently allocate
time and resources towards risk mitigation. The assessment approach or methodology must
analyze the correlation between assets, threats, vulnerabilities, and mitigating controls.
3. Mitigation. Define a mitigation approach and enforce security controls for each risk.
4. Prevention. Implement tools and processes that keep new threats and vulnerabilities from
arising in your firm's resources.

2.3.8 What problems does a security risk assessment solve?


A comprehensive security assessment allows an organization to:
• Identify assets (e.g., network, servers, applications, data centers, tools, etc.) within the
organization.
• Create risk profiles for each asset.
• Understand what data is stored, transmitted, and generated by these assets.
• Assess asset criticality regarding business operations. This includes the overall impact on
revenue and reputation, and the likelihood that the asset is exploited.
• Measure the risk ranking for assets and prioritize them for assessment.
• Apply mitigating controls for each asset based on assessment results.

2.5 RISK ANALYSIS


Risk analysis is the process of identifying and analyzing potential issues that could negatively impact
key business initiatives or projects. This process is done in order to help organizations avoid or
mitigate those risks.

Performing a risk analysis includes considering the possibility of adverse events caused by either
natural processes, like severe storms, earthquakes or floods, or adverse events caused by malicious
or inadvertent human activities. An important part of risk analysis is identifying the potential for harm
from these events, as well as the likelihood that they will occur.
Enterprises and other organizations use risk analysis to:
• anticipate and reduce the effect of harmful results from adverse events;
• evaluate whether the potential risks of a project are balanced by its benefits to aid in the
decision process when evaluating whether to move forward with the project;
• plan responses for technology or equipment failure or loss from adverse events, both
natural and human-caused; and
• identify the impact of and prepare for changes in the enterprise environment, including
the likelihood of new competitors entering the market or changes to government
regulatory policy.

2.5.1 Benefits of risk analysis


Organizations must understand the risks associated with the use of their information systems to
effectively and efficiently protect their information assets.
Risk analysis can help an organization improve its security in a number of ways. Depending on the
type and extent of the risk analysis, organizations can use the results to help:
• identify, rate and compare the overall impact of risks to the organization, in terms of both
financial and organizational impacts;
• identify gaps in security and determine the next steps to eliminate the weaknesses and
strengthen security;
• enhance communication and decision-making processes as they relate to information
security;
• improve security policies and procedures and develop cost-effective methods for
implementing these information security policies and procedures;
• put security controls in place to mitigate the most important risks;
• increase employee awareness about security measures and risks by highlighting best
practices during the risk analysis process; and
• understand the financial impacts of potential security risks.

Done well, risk analysis is an important tool for managing costs associated with risks, as well as for
aiding an organization's decision-making process.

Steps in risk analysis process


The risk analysis process usually follows these basic steps:
1. Conduct a risk assessment survey: This first step, getting input from management and
department heads, is critical to the risk assessment process. The risk assessment survey is
a way to begin documenting specific risks or threats within each department.
2. Identify the risks: The reason for performing risk assessment is to evaluate an IT system
or other aspect of the organization and then ask: What are the risks to the software,
hardware, data and IT employees? What are the possible adverse events that could occur,

such as human error, fire, flooding or earthquakes? What is the potential that the integrity
of the system will be compromised or that it won't be available?
3. Analyze the risks: Once the risks are identified, the risk analysis process should
determine the likelihood that each risk will occur, as well as the consequences linked to
each risk and how they might affect the objectives of a project.
4. Develop a risk management plan: Based on an analysis of which assets are valuable and
which threats will probably affect those assets negatively, the risk analysis should produce
control recommendations that can be used to mitigate, transfer, accept or avoid the risk.
5. Implement the risk management plan: The ultimate goal of risk assessment is to
implement measures to remove or reduce the risks. Starting with the highest-priority risk,
resolve or at least mitigate each risk so it's no longer a threat.
6. Monitor the risks: The ongoing process of identifying, treating and managing risks
should be an important part of any risk analysis process.
The focus of the analysis, as well as the format of the results, will vary depending on the type of risk
analysis being carried out.

2.5.2 Qualitative vs. quantitative risk analysis


The two main approaches to risk analysis are qualitative and quantitative. Qualitative risk analysis
typically means assessing the likelihood that a risk will occur based on subjective qualities and the
impact it could have on an organization using predefined ranking scales. The impact of risks is often
categorized into three levels: low, medium or high. The probability that a risk will occur can be
expressed the same way, or as an estimated likelihood ranging from 0% to 100%.
Quantitative risk analysis, on the other hand, attempts to assign a specific financial amount to adverse
events, representing the potential cost to an organization if that event actually occurs, as well as the
likelihood that the event will occur in a given year. In other words, if the anticipated cost of a
significant cyberattack is $10 million and the likelihood of the attack occurring during the current
year is 10%, the cost of that risk would be $1 million for the current year.

A qualitative risk analysis produces subjective results because it gathers data from participants in the
risk analysis process based on their perceptions of the probability of a risk and the risk's likely
consequences. Categorizing risks in this way helps organizations and/or project teams decide which
risks can be considered low priority and which have to be actively managed to reduce the effect on
the enterprise or the project.

A quantitative risk analysis, in contrast, examines the overall risk of a project and generally is
conducted after a qualitative risk analysis. The quantitative risk analysis numerically analyzes the
probability of each risk and its consequences.
The goal of a quantitative risk analysis is to associate a specific financial amount to each risk that has
been identified, representing the potential cost to an organization if that risk actually occurs. So, an
organization that has done a quantitative risk analysis and is then hit with a data breach should be
able to easily determine the financial impact of the incident on its operations.
A quantitative risk analysis provides an organization with more objective information and data than
the qualitative analysis process, which makes it more useful to the decision-making process.

