CompTIA CYSA+ CS0-002 – Risk Mitigation Part 2

March 30, 2023

4. Risk Calculation (OBJ 5.2)

Conducting an assessment. In this lesson we are going to talk about conducting an assessment and what that really means. Now, when we talk about an assessment, most businesses have to assess their different assets. Most business assets have a specific value associated with them. If I look at the computer that I’m recording this lesson on right now, there’s a value associated with it. It costs x amount of dollars for me to go out and buy a new one. If I look at a network switch, there’s a certain value associated with that product if I’m going to replace it. But there are also values that could be assigned based on the workload that that thing is performing. For instance, this laptop that I’m using may have cost $1,500, but its value to me is higher than $1,500 because it has my data on there, it has my videos on there.

It has things that I’m recording that aren’t finished yet that are going to be turned into products that can make me more than fifteen hundred dollars. And so you have to think about this when you’re assigning a specific value to a particular business asset. Now in security terms though, when we talk about assets, these assets are valued according to the cost created by their loss or damage. So this laptop, even though I could buy a new one for $1,500, may have an exponentially higher value to me. Because if all my data is on there and that data is worth, let’s say, $10,000, well, that could be a much higher value. Even though the asset itself is only $1,500, the data on it raises that asset’s value. And so we have to consider that as well when we’re figuring out what the asset value is.

Now, why am I bringing up all these asset values? Well, because there are a lot of different liabilities that could cause loss or damage to an asset. And based on what you’re doing, you’re going to have to figure that out because that’s important to how you’re going to create the value of that asset. When you’re trying to value these different assets, you have to do it according to their liabilities against loss or damage. And in this case, you’d be looking at three main categories. These are business continuity, legal and reputational. When we talk about business continuity loss, this is a loss that’s associated with no longer being able to fulfill contracts or orders due to the breakdown of critical systems. For example, if my server that gives you access to my videos and my practice exams goes offline, that is a business continuity loss.

Now, I didn’t lose the data necessarily, but because it’s offline, you can’t access it and I can’t fulfill my contract with you, which is to provide you the training you’ve paid for. So that would be a business continuity loss we have to consider. Now the next one we have is legal costs. When we talk about legal costs, this is a loss created by organizational liability due to prosecution, which would be criminal law, or damages, which would be civil law. Now, the important difference here is that when you’re dealing with criminal law, somebody can go to jail. When you’re talking about civil law, this is where somebody can sue you and usually you have to pay damages in the form of money or restitution. The third area that you have is reputational harm. This is a loss created by negative publicity and the consequential loss of market position or consumer trust.

For example, I’m a cybersecurity company. If my servers have been hacked, that’s going to have much more reputational harm than actual legal costs or business continuity costs. Because as a cybersecurity trainer it would look really bad if my systems were the victim of a data breach from some cyber attacker. So that’d be something that we as a company would be very worried about. Now, when you start conducting these different assessments, we are going to use system assessments. And system assessments are conducted to better posture your organization, to reduce your risk and prevent your losses. When we talk about a system assessment, this is the systematic identification of critical systems by compiling an inventory of the business processes and the tangible and intangible assets and resources that support those processes.

Now, there are lots of different things that categorize themselves under the tangible and intangible assets and resources that I just mentioned. Now, when you’re thinking about doing a system assessment you have to consider a lot of key areas. For example, you might consider the people. This is the employees, the visitors, the suppliers, the users, the customers. All of these are people who access that system for some given objective. Then we think about our tangible assets. When we talk about tangible assets, these are things you can touch, things that you can feel. Things like your buildings, your furniture, your equipment, your computers, your electronic data files (even those are considered tangible because you could print them out or store them on a hard drive), and any kind of paper documents you might have.

Now, when you start talking about intangibles, these are things like ideas, commercial reputation, your brand name. All of these are things you can’t touch or feel or place an easy-to-identify value on, but they are still important and so you have to consider those as well. And finally, we have to consider your procedures. These are things like your supply chains, your critical procedures of how you run your company, your standard operating procedures, your workflows, all the ways that you do business. Because a lot of that is stuff that is unique only to your company and there’s value there, because if you’re doing it better than your competitors, there’s actually value as an intangible asset of your company in these procedures. So now we’ve identified these four key areas: the people, the tangible assets, the intangible assets, and the procedures.

We now have to figure out how do these things support our business functions? And there’s lots of different functions across your business. But the most important function in your business is what we call a mission essential function. Now, this is a business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all. So really, you have to ask yourself, what is your core mission? For example, let’s pretend that you worked for the United States Air Force. One of their mission essential functions is to run an airport in some far off lands. During combat operations, they have to be able to allow planes to take off and land. If they can’t do that, then nothing else matters. Now, there’s a lot of different functions and processes and business things they do to operate that airfield. But not all of those are mission essential functions.

For example, they run something that looks like a hotel so that their airmen have a place to sleep at night. They run something that looks like a cafeteria so people can eat. But neither of those are mission essential functions. If they had to delay feeding people by skipping lunch today and making their airmen wait until dinner, they could do that. They could delay it by four, five, six, seven hours. Now, their people wouldn’t be happy, but they could do that and they could still do their mission. But if they can’t land that F-16 that’s coming back from a combat mission, well, that simply can’t be delayed for a few hours because that pilot would run out of fuel and the plane would crash. So therefore, running that airport is going to be their highest priority and it is their mission essential function. Now, I know that’s a lot of examples that don’t really tie directly to the cyber world, but I want you to get the concept here of what a mission essential function is.

And I think it’s a lot easier to see that in something like the Air Force where they have to land planes, but they don’t necessarily have to have someplace that people can sleep, at least not until tonight. So we can delay that if we needed to. Think about your own business: what are those things that are mission essential functions for you? Once you identify those, you’re going to be able to build your business and your risk management framework around that area. For example, in my company, one of our business essential functions is supporting our students because we know that when you have a question, you want an answer right away. Now, could I delay filming another video for my next course? Sure, I could wait till next week if I had to. But if I put you off for a week in answering your question, you’re going to be pretty upset.

So for us, that is a mission essential function. And so you have to figure out what that is for your business. Now another thing we have to do as part of our system assessment is asset and inventory tracking. This uses software and hardware solutions to track and manage any assets within your organization. Usually in most companies, this is going to be done as part of an asset management database. This will contain data such as the type, the model, the serial number, the asset ID, the location, the user, the value, and the service information for that asset. So, like I said, I’m using a laptop right now. As I’m recording this, I know everything about this laptop. I know what type it is, what model it is, what serial number it is, what asset ID it is inside my company, where it’s located, which user is assigned to it, what the value of it is.

That $1,500 or whatever that assigned asset value will be. And the service information that has all the things that we’ve ever done to this laptop, all of that is in our asset management database. Now, another thing we’re going to do as part of our system assessment is look at threat and vulnerability assessment data. Now, this is an ongoing process of assessing assets against a known set of threats and vulnerabilities. When you’re looking at this, this is involving all of the cybersecurity analysts because a lot of your job is going to be focused on conducting vulnerability scans. Once you run those scans, you’re going to look at those reports and you’re going to tie that back to the threats you’re facing. And then you’re going to prioritize them based on those threats and figure out what should be patched first and what should be solved. We’ll talk more about that when we get to risk prioritization.

5. Business Impact Analysis (OBJ 5.2)

Business impact analysis. In this lesson, we are going to talk about the concept of a business impact analysis. And this is really focused on how things affect our business. Now, when I talk about a business impact analysis, this is also abbreviated as a BIA. This is a systematic activity that identifies organizational risks and determines their effect on ongoing mission critical operations. Let me give you a great example of a business impact analysis from my own company. My company happens to reside in Puerto Rico. Puerto Rico is a small island in the Caribbean. Now, you can see it here on the screen. Now, because our company is in Puerto Rico, we have to worry about natural disasters and their impact to our business. For example, after a massive hurricane in 2017, the island of Puerto Rico was without power for months.

So when we decided to move our company to Puerto Rico, we had to consider the impacts to our employees and our business if another huge storm came through, because we are in hurricane alley and we’re likely to get more storms. Now, another thing we have in Puerto Rico that happened recently is earthquakes. So right after I moved my company to Puerto Rico, the island started shaking and started having a series of earthquakes at the southern part of our island. Now, this started creating damage to many businesses, houses and churches, as you can see here. Now, because of our choice to be based out of Puerto Rico, our company, our employees and my family all have to have primary and backup plans to continue our operations even when the local power grid goes offline due to storms or earthquakes or any other reason.

That is one of the main things we have to think about as part of our business impact analysis. Now, when you’re conducting your business impact analysis, this is going to be governed by metrics that express your system in terms of availability. For example, are you 100% available or are you 90% available? In our company, we try to achieve 99% uptime, meaning we want to be available to you 99% of the time during normal business hours. Now, when we start talking about these metrics, there are lots of different ones we have to consider. We have things like our maximum tolerable downtime or MTD, the recovery time objective or RTO, the work recovery time or WRT, and the recovery point objective or RPO. Let’s talk about each of these. Now, when we talk about a maximum tolerable downtime or MTD, this is the longest period of time a business can be inoperable without causing irrevocable business failure.

Essentially, how long can you be down without going out of business? Now, the MTD is going to be different for each organization. And even within each organization, each of your business processes can have its own MTD. For example, some may be just a couple of minutes or a couple of hours for critical functions; you may have up to 24 hours for urgent functions and up to seven days or longer for normal functions. It really does depend on your organization and you have to figure that out for yourself. Now the MTD is going to set your upper limit on the recovery time that the system and the asset owners have to resume your operations. So, keeping that in mind, let’s take a look at my own business. I already mentioned that power was a really important thing for us.

So we know that power is critical to our business functions. Without it, we really can’t do our job. I can’t film courses and I can’t answer student questions if I don’t have power to turn on my computers and be able to run our Internet. Now without this power, we can’t do our job at all. So, we have multiple backup systems to protect power to our building. First we have power from our local electrical company coming through the wires on their grid. Then we have solar power that provides us a backup during the day if the grid goes out. And it actually acts as our primary electrical source during the day because it’s so bright and sunny in Puerto Rico. Now after that, we have some Tesla Powerwalls that we’ve installed. These are batteries and these collect power from our solar system during the day. And that way, even if the grid goes out, we can end up having those batteries provide the power to us.

And that can happen at night as well. When the sun goes down, we can actually survive off those batteries if the grid is gone. Now, if it becomes cloudy, then the solar won’t work. Well, we still have the batteries. And so we have primary of grid, secondary of solar, tertiary of batteries, but for us that’s not enough. In addition to that, we actually have a diesel generator as well. And that diesel generator has 100 gallons of fuel. That’s enough for us to run seven days straight without the need for more fuel. So for us to be without power takes a lot these days, because we have the grid, we have solar, we have battery, we have diesel, we have all of these systems in place because we realize that an important, mission-essential thing for us is to have power so we are able to do our jobs.

Now, if the power grid goes out for more than 60 minutes, we found another issue though, and that’s that our primary Internet connection from our cable provider dies. Now, that isn’t a problem for me if I’m filming, but if I’m trying to answer your questions and do student support, we can’t do that without Internet because we have to be able to reach you, right? And so that’s another issue for us. And so we have a secondary service for that. We have a cellular modem that we use as a backup. Now, recently there was a big storm that came through, and our area lost power for three days. Now, we didn’t lose power because we had all these systems in place, but our Internet connection died. And so we tried to switch over to the cellular modem, and we found out the speed was horrible. Why? Because everybody else was out as well.

And they all went on to their modems. And because they went to a cellular modem, the cell towers were being flooded with users. And so we were getting speeds that were ten or 20 or 30 or 40. We were hardly able to even open up our ticket system to be able to answer our students’ questions. So now that we’ve learned from that, we have a third Internet provider as well that provides a service over microwave, and they have a better backup plan for power outages. So they maintain services up even when the local cable company is down. So this helps eliminate that bottleneck. My point here is that you have to do this business impact analysis for yourself in your organization and figure out what things are critical to your operations and put things in place to help protect those.

So when I look at my support services, what is our MTD for our support services? Well, we calculated that our maximum tolerable downtime is 12 hours. Now, how do I come up with 12 hours? Well, we started thinking about, if I was a student, what was the longest period of time I would want to go without getting an answer to my questions. And we figured that 12 hours was a reasonable time in an emergency situation. Now, to accommodate that, we actually have our staff split in two parts. Half of my team resides in Puerto Rico. The other half of my team is in the Philippines. They are 12 hours out of sync from each other. So when it’s daytime in the Philippines, it’s nighttime in Puerto Rico. And when it’s daytime in Puerto Rico, it’s nighttime in the Philippines. And so we actually can cover almost 24 hours a day using these two locations, because each side works 8 hours, and there’s a little bit of time that isn’t covered by either team. Now, that again works within our 12 hours of time.

Now, the other good thing about this is because they’re so geographically distanced, if there’s a big storm that takes out Puerto Rico, hopefully it doesn’t affect the Philippines. If there’s a big storm that takes out the Philippines, hopefully it won’t affect Puerto Rico. And so by having our geographic diversity here, it allows us to maintain that 12-hour response time, because even if Puerto Rico was down, well, within the 12 hours, the Philippines team would be awake and they’d be able to take on that load of answering your questions. And so that’s why we do that, and that’s why we break up our company. It was a risk management decision that we’ve made to provide better service to our students. Now, again, you need to figure out what your MTD is for your company in the real world so you can design your risk management plan around supporting that MTD.

What we’ve done for us was thinking about the biggest threats to us, which are natural disasters. And so we have our MTD built around that for our student support services and we put power and Internet connectivity at the top of that list of things that we need to have two and three and four different mechanisms for, to be able to provide backups to our backups to make sure we can always support you. Now, the next one we want to talk about is our RTO. This is our recovery time objective. Now, this is the length of time it takes after an event to resume your normal business operations activities. When you start thinking about recovery time objective, I want you to think about the fact that something went down, we lost power. How quickly do you need it back? In my case, we have a 60-second time for power. We want to make sure our power is back up and online within 60 seconds.

Now, is that achievable? Yes. If you have a backup diesel generator, it will turn on in about 45 seconds and transfer power to the diesel generator. Now, my wife wasn’t happy with 45 seconds or 60 seconds and she wanted a recovery time of zero. Now, can I achieve that? The answer is yes. And that’s one of the reasons why we have those battery backup systems, because if power goes away, those batteries come on instantly. There is zero lag time there and so we’re able to hit a recovery time objective for power of zero seconds. Now, the overall power of getting it back to the grid, we can’t control that, that’s up to our local power company, but we can make sure that we can recover our business and make sure we’re on battery, on solar or on generator within zero seconds. That’s our recovery time objective.

Now, the next one we want to talk about is work recovery time, or WRT. This is the length of time, in addition to the RTO of individual systems, to perform reintegration and testing of a restored or upgraded system following an event. So let me give you an example. Let’s say in my organization we had a power outage and we didn’t have the batteries yet, so we had to rely on those generators and we had a 60-second recovery time. Well, in 45 seconds, power comes back up. But if those systems went down because of a power surge and I had to replace one of my servers, well, that’s going to take additional work recovery time. I fixed the main problem, the recovery time objective of getting the power up. But now I have to fix the second and third order effects to get work product going again.

Which might be rebooting a computer, it might be rebuilding a computer, it might be replacing a hard drive. Whatever those things are, I have to perform that reintegration and testing to bring those systems back online in an upgrade or restored state to be able to get us back to regular work product. And our final one we want to talk about is RPO. This is our recovery point objective. This is the longest period of time that an organization can tolerate lost data being unrecoverable. Now, the way I like to think about this one when I think about RPO is think about ransomware. If you have ransomware on a system, it’s going to encrypt your files. Now, you’ve got a couple of choices here. You can pay the ransom, which we never recommend. You could try to crack the ransomware key, which could take you days, weeks or months or years depending on how strong it is.

Or you can actually wipe that system and recover from a known good backup. Well, that’s great. Let’s go ahead and choose that option. Well, if we do that, what is the longest period of time that we can tolerate data loss? Well, there’s going to be time that we’re going to be lagging as we’re recovering all that data back. And that data may have been several hours since it was last backed up. For instance, if you run your backup once a day at midnight, that’s when your data was backed up. And if this ransomware hits you at six in the morning, you have 6 hours’ worth of lost data because you don’t have a backup of that. This is what we’re talking about when we’re talking about recovery point objective: that 6 hours is going to be a lost period of time. And so if your RPO was 12 hours, that’s fine. If your RPO is 4 hours, you’ve just broken your RPO. So you need to keep that in mind.

When you’re thinking about your recovery point objective, you are focused on how long you can be without your data. That is the whole idea here. Now, when we start thinking about your MTD and your RPO, these are key terms that you need to know for the exam. They’re going to help you determine which business functions are critical and they’re going to specify appropriate risk countermeasures to help you make sure that you’re going to be able to get those systems up and running and within those MTD and RPOs. For example, if your RPO is measured in days, then a simple tape backup will work fine. Or you could use a network attached storage array or something like that. But if your RPO is zero or measured in minutes or seconds, then a more expensive server cluster backup and redundancy solution is going to be needed. A good example of this is my own company.

We have a server cluster backup and full redundancy solution for our web servers. This is because we can’t afford to be down for long periods of time when over 2000 students are relying on our servers to learn from our videos and our practice exams to prepare to pass their certifications. When I sold you a course, I sold you access to that course. We want to make sure you have access and we can’t say, oh, I’m sorry, we lost all of your data for the last three weeks. We’re going to have to have you start over. So we want to make sure we have that set up right. And so we’ve taken the risk management mitigations to help make sure we maintain a good MTD and RPO based on that need, keeping our MTD very low in time and our RPO very low in time. So you get a better experience.
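The backup arithmetic from the ransomware example (a daily backup at midnight, an incident at six in the morning, six hours of lost data checked against a 12-hour or a 4-hour RPO) and the MTD, RTO and WRT relationship, worked through in Python as an added example. This is not code from the course; the class and function names, and the sample dates, are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BiaTargets:
    """The four BIA metrics discussed in the lesson, all as durations."""
    mtd: timedelta  # maximum tolerable downtime
    rto: timedelta  # recovery time objective
    wrt: timedelta  # work recovery time, additional to the RTO
    rpo: timedelta  # recovery point objective (tolerable data loss)


def last_backup_before(incident: datetime, interval: timedelta, anchor: datetime) -> datetime:
    """Most recent backup run at or before `incident` for a job that runs
    every `interval`, with `anchor` being one known run time (e.g. midnight)."""
    if incident < anchor:
        raise ValueError("incident predates the first backup run")
    whole_runs = (incident - anchor) // interval  # timedelta // timedelta -> int
    return anchor + whole_runs * interval


def data_loss_window(incident: datetime, interval: timedelta, anchor: datetime) -> timedelta:
    """Data written after the last backup and before the incident is unrecoverable."""
    return incident - last_backup_before(incident, interval, anchor)


def rpo_met(loss: timedelta, targets: BiaTargets) -> bool:
    """An outage breaks the RPO when the lost window is longer than the objective."""
    return loss <= targets.rpo


def worst_case_loss(interval: timedelta) -> timedelta:
    """For a periodic backup the worst case is an incident just before the
    next run, so the lost window equals the full interval."""
    return interval


def schedule_satisfies_rpo(interval: timedelta, targets: BiaTargets) -> bool:
    """A schedule is only safe if even the worst-case loss stays within the RPO."""
    return rpo_met(worst_case_loss(interval), targets)


def recovery_fits_mtd(targets: BiaTargets) -> bool:
    """WRT is added on top of RTO, so the whole outage (RTO + WRT) must stay
    at or below the MTD or the business failure threshold is crossed."""
    return targets.rto + targets.wrt <= targets.mtd


if __name__ == "__main__":
    # Constructed sample: daily backup anchored at midnight, ransomware at 06:00.
    midnight = datetime(2023, 3, 30, 0, 0)
    incident = datetime(2023, 3, 30, 6, 0)
    loss = data_loss_window(incident, timedelta(hours=24), midnight)
    generous = BiaTargets(mtd=timedelta(hours=12), rto=timedelta(seconds=60),
                          wrt=timedelta(hours=2), rpo=timedelta(hours=12))
    strict = BiaTargets(mtd=timedelta(hours=12), rto=timedelta(seconds=60),
                        wrt=timedelta(hours=2), rpo=timedelta(hours=4))
    print(f"lost data window: {loss}")                      # 6:00:00
    print(f"12h RPO met: {rpo_met(loss, generous)}")         # True
    print(f"4h RPO met: {rpo_met(loss, strict)}")            # False
    print(f"daily schedule ok for 4h RPO: {schedule_satisfies_rpo(timedelta(hours=24), strict)}")
    print(f"RTO + WRT within MTD: {recovery_fits_mtd(generous)}")  # True
```

Running it shows why a daily backup breaks a 4-hour RPO even though a single 06:00 incident only loses six hours: the schedule has to be judged on its worst case, not on one lucky timing.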
