CompTIA CYSA+ CS0-002 – Risk Mitigation Part 1

March 29, 2023

1. Risk Mitigation (Introduction)

In this section of the course, we’re going to cover risk mitigation. Now, we’re going to be covering domain five in this section of the course, specifically objective 5.2. Objective 5.2 states that given a scenario, you must apply security concepts in support of organizational risk mitigation. As we move through this section of the course, we’re going to start out by outlining the risk identification process that’s used in enterprise risk management. Then we’re going to talk about how an assessment is conducted using inventories of systems and software, as well as how we conduct a threat and vulnerability assessment. After that, we’ll cover how risk is calculated both qualitatively and quantitatively.

Then we’re going to move into how we can conduct a business impact analysis and perform risk prioritization. This is really important because we never have enough time or money to mitigate every risk within our systems. But by prioritizing them, we can get the most bang for our buck during our mitigation. Next, we’re going to cover how we can communicate risk to key decision makers in our organizations. And finally, we’re going to discuss training and exercises. This includes concepts like tabletop exercises, penetration tests, and red team and blue team exercises that help us mitigate organizational risks that may exist. So let’s get started talking all about risk mitigation.

2. Risk Identification Process (OBJ 5.2)

Risk identification process. In this lesson we are going to talk about risk and how you can identify it. Now, one of the big things we’re going to talk about with risk is the idea of enterprise risk management. Now, enterprise risk management is the comprehensive process of evaluating, measuring and mitigating the many different risks that pervade an organization. This is important because in all of our organizations we face risk. There are risks to our systems, there’s risk from attackers and there’s risk from the environment. And we’re going to talk about all of this throughout our risk management journey.

Now, what is risk management and why is it adopted by organizations? Well, quite simply put, we have to manage risk and adopt risk management so we can see all the different risks that are out there and then put controls in place to help bring the level of risk down to an acceptable level. Now, when we start talking about enterprise risk management, there are lots of reasons that we adopt it. For example, we might want to keep our confidential data confidential. We want to make sure that all of that customer data and all that corporate data we have doesn’t get into the hands of unauthorized parties. We also want to make sure that we avoid financial losses.

This can occur by people attacking our systems and damaging our resources or attacking our data and having data leaks. All of these are things that can cost us money. And so by doing proper risk management, we can minimize that and avoid those financial losses. We also want to make sure we can avoid legal troubles. If we have our systems hacked, that data can then be breached. And if it is, we can have legal consequences to that, such as civil lawsuits for not protecting that data appropriately. And so we want to make sure that we’re avoiding any legal issues by doing proper risk management. Also, we want to maintain a positive brand image.

Now, this is important because even though you might be protected from the legal ramifications or you might have been able to mitigate the cost, if you have some sort of a data breach, you can have your brand tarnished, and that is something that you can’t get back very easily. They say it takes decades to build a brand, but only moments to lose it. So we want to make sure we can maintain a positive brand image. Also, we want to ensure continuity of business operations, also known as COOP, the continuity of operations plan. By doing this, we can make sure that even if there is a natural disaster or a man-made disaster, we can survive that and keep our businesses running.

We’ll talk more about that as we go through this lesson. Another great reason for doing risk management is to ensure that you can establish trust and mitigate your liability. All of this is involved in your business relationships between you and other businesses, as well as you and your clients. And finally, we want to make sure we’re meeting the stakeholders’ objectives. We have different stakeholders, whether those are shareholders in our company, whether that’s executives in the company, managers or technicians, or even our customers. All of these stakeholders have objectives. And if we’re not doing proper risk management, we can’t meet their objectives and we can’t get them what they need.

Now, just for a moment, I want to take a sidebar and talk a little bit more about these stakeholders because this is a critical concept. You as a cybersecurity technician or cybersecurity analyst are not going to be making all the risk decisions. You’re just not. That’s not your job. Instead, these decisions have to be made by the different business stakeholders or by a different project management team or by the customer service team or whoever is the relevant stakeholder in that situation. Now, as a cybersecurity analyst, you are in a unique position, though, to understand all the different technical risks that exist out there. And so it is your job to take those, make them easier to understand and bring them back to the attention of those key decision makers.

And that’s why it’s important for you to understand risk management and the risk management process, because you’re going to have to plug into that to be able to get your points across and be able to get the right controls in place to mitigate that risk. Now, when we talk about risk management, the go-to guide for this is Managing Information Security Risk, which is a publication put out by NIST. This is NIST Special Publication 800-39. This is a great starting point for applying a process for risk identification and assessment. When you look inside this guide, you’re going to see a diagram that looks like this. You’re going to see here the components of information security risk management; this is the framework as described by Special Publication 800-39.

Now notice we have three main corners to this triangle. We have assess, respond, and monitor. And in between all of these, you see the word Frame. Now in between all four of these things, we have information and communication flows going up and down and left and right, because all of these different pieces of the risk management framework are going to talk to each other so we can get information and pass it between them. Let’s take a look at what each of these four dots represents. When we talk about Frame, this is our goal to establish a strategic risk management framework that is supported by decision makers, those key stakeholders at the top tier of the organization. When we talk about Frame, our goal here is to create this framework that everything else is going to reside around.

Now, as a cybersecurity analyst, you’re not going to be the one creating the Frame portion. Instead, you’re going to be working a lot more in the assess, respond, and monitor. But Frame is going to dictate all three of those because it puts out the strategic framework for your organization. Now, next we’re going to talk about assess, and this is something you’re going to do as a cybersecurity analyst. It is going to be your job to identify and prioritize the different business processes and workflows in the organization. When you start looking at this from the assess perspective, this is where you’re doing systems assessments to determine which assets are there and which assets support which workflows in the business.

As you start to identify that, you’re going to be able to identify different risks to each of those systems. Maybe there’s software that’s not been patched; that is a risk. Maybe there’s an attacker going after that type of system; that’s a risk. And these are things you have to assess to understand what the risk level is. We’ll talk more about that later as well. The second area we want to look at is respond. Now, when you’re going to respond, you have to mitigate each risk factor through the deployment of managerial, operational, and technical security controls. It’s our job here to put things in place to help lower that risk. And we’re going to talk all about what we can do to control risk as we go through this section of the course.

And finally, we need to monitor. When we monitor, we’re going to evaluate the effectiveness of the risk response measures and identify changes that could affect risk management and those processes. Now, monitor is the last thing we’re going to do here, because what we’re going to do is assess something, figure out what risk it has, and put some controls in place. And then we’re going to monitor to make sure those controls are effective and are giving us the risk results that we want. Now, as we start with risk identification, remember this takes place by evaluating all the threats, identifying the vulnerabilities, and assessing the probability or likelihood of an event affecting an asset or a process.

Now, risk identification really is this first step inside of risk management that we as cybersecurity analysts are going to take as we start this identification that helps us to assess things and then we can respond to them and monitor them as we go forward. Now, the final thing I want to briefly mention here is how do we measure risk? Well, there are two main methods. The first is quantitative methods. This is where you can count something. If I can look at the risk and quantify it in dollars and cents, that is a quantitative method. We’re going to dig into this more later in this section. And the second way is qualitative methods.

When we talk about qualitative methods, these are things where we kind of feel or have an opinion about how risky something is. We categorize these as high, medium and low. We don’t have an exact dollar amount, but we can kind of understand how risky something is without even calculating the damage. I know how risky it is for me to get in my car and drive to work every day. It’s a relatively low risk. I’ve been driving to work for 30 years now, and I’ve never gotten into an accident on my way to work. So I find that to be a low risk event. That is a qualitative measurement, though. It is not a quantitative measurement, because I don’t have a dollars and cents calculation to it. I just know that it’s a low risk. We’ll talk more about these concepts as we go through this section of the course.

3. Conducting an Assessment (OBJ 5.2)

Conducting an assessment. In this lesson we are going to talk about conducting an assessment and what that really means. Now, when we talk about an assessment, most businesses have to assess their different assets. Most business assets have a specific value associated with them. If I look at the computer that I’m recording this lesson on right now, there’s a value associated with it. It costs x amount of dollars for me to go out and buy a new one. If I look at a network switch, there’s a certain value associated with that product if I’m going to replace it. But there’s also values that could be assigned based on the workload that that thing is performing.

For instance, this laptop that I’m using may have cost $1,500, but its value to me is higher than $1,500 because it has my data on there, it has my videos on there. It has things that I’m recording that aren’t finished yet that are going to be turned into products that can make me more than fifteen hundred dollars. And so you have to think about this when you’re assigning a specific value to a particular business asset. Now in security terms though, when we talk about assets, these assets are valued according to the cost created by their loss or damage. So this laptop, even though I could buy a new one for $1,500, may have an exponentially higher value to me. Because if all my data is on there and that data is worth, let’s say $10,000, well that could be a much higher value.

Even though the asset itself is only 1500, the data on it raises that asset’s value. And so we have to consider that as well when we’re figuring out what the asset value is. Now, why am I bringing up all these asset values? Well, because there are a lot of different liabilities that could cause loss or damage to an asset. And based on what you’re doing, you’re going to have to figure that out because that’s important to how you’re going to create the value of that asset. When you’re trying to value these different assets, you have to do it according to their liabilities against loss or damage. And in this case, you’d be looking at three main categories. These are business continuity, legal and reputational.

When we talk about business continuity loss, this is a loss that’s associated with no longer being able to fulfill contracts or orders due to the breakdown of critical systems. For example, if my server that gives you access to my videos and my practice exams goes offline, that is a business continuity loss. Now, I didn’t lose the data necessarily, but because it’s offline, you can’t access it and I can’t fulfill my contract with you, which is to provide you the training you’ve paid for. So that would be a business continuity loss we have to consider. Now the next one we have is legal costs. When we talk about legal costs, this is a loss created by organizational liability due to prosecution, which would be criminal law, or damages, which would be civil law.

Now, the important difference here is that when you’re dealing with criminal law, somebody can go to jail. When you’re talking about civil law, this is where somebody can sue you and usually you have to pay damages in the form of money or restitution. The third area that you have is reputational harm. This is a loss created by negative publicity and the consequential loss of market position or consumer trust. For example, I’m a cybersecurity company. If my servers have been hacked, that’s going to have much more reputational harm than actual legal costs or business continuity costs. Because as a cybersecurity trainer it would look really bad if my systems were the victim of a data breach from some cyber attacker. So that’d be something that we as a company would be very worried about.

Now, when you start conducting these different assessments, we are going to use system assessments. And system assessments are conducted to better posture your organization, to reduce your risk and prevent your losses. When we talk about a system assessment, this is the systematic identification of critical systems by compiling an inventory of the business processes and the tangible and intangible assets and resources that support those processes. Now, there are lots of different things in this that categorize themselves under this tangible and intangible assets and resources that I just mentioned. Now, when you’re thinking about doing a system assessment you have to consider a lot of key areas. For example, you might consider the people.

This is the employees, the visitors, the suppliers, the users, the customers. All of these are people who access that system for some given objective. Then we think about our tangible assets. When we talk about tangible assets, these are things you can touch, things that you can feel: things like your buildings, your furniture, your equipment, your computers, your electronic data files. Even those are considered tangible because you could print them out or store them on a hard drive, and any kind of paper documents you might have. Now, when you start talking about intangibles, these are things like ideas, commercial reputation, your brand name. All of these are things you can’t touch or feel or place an easy-to-identify value on, but they are still important, and so you have to consider those as well.

And finally, we have to consider your procedures. These are things like your supply chains, your critical procedures of how you run your company, your standard operating procedures, your workflows, all the ways that you do business. Because a lot of that is stuff that is unique only to your company and there’s value there, because if you’re doing it better than your competitors, there’s actually value as an intangible asset of your company in these procedures. So now that we’ve identified these four key areas (the people, the tangible assets, the intangible assets, and the procedures), we now have to figure out how these things support our business functions. And there’s lots of different functions across your business.

But the most important function in your business is what we call a mission essential function. Now, this is a business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all. So really, you have to ask yourself, what is your core mission? For example, let’s pretend that you worked for the United States Air Force. One of their mission essential functions is to run an airport in some far off lands. During combat operations, they have to be able to allow planes to take off and land. If they can’t do that, then nothing else matters. Now, there’s a lot of different functions and processes and business things they do to operate that airfield. But not all of those are mission essential functions.

For example, they run something that looks like a hotel so that their airmen have a place to sleep at night. They run something that looks like a cafeteria so people can eat. But neither of those are mission essential functions. If they had to delay feeding people by skipping lunch today and making their airmen wait until dinner, they could do that. They could delay it by four, five, six, seven hours. Now, their people wouldn’t be happy, but they could do that and they could still do their mission. But if they can’t land that F-16 that’s coming back from a combat mission, well, that simply can’t be delayed for a few hours because that pilot would run out of fuel and the plane would crash.

So therefore, running that airport is going to be their highest priority and it is their mission essential function. Now, I know that’s a lot of examples that don’t really tie directly to the cyber world, but I want you to get the concept here of what a mission essential function is. And I think it’s a lot easier to see that in something like the Air Force where they have to land planes, but they don’t necessarily have to have someplace that people can sleep, at least not until tonight. So we can delay that if we needed to. Think about your own business, what are those things that are mission essential functions for you? Once you identify those, you’re going to be able to build your business and your risk management framework around that area.

For example, in my company, one of our business essential functions is supporting our students because we know that when you have a question, you want an answer right away. Now, could I delay filming another video for my next course? Sure, I can wait till next week if I had to. But if I put you off for a week in answering your question, you’re going to be pretty upset. So for us, that is a mission essential function. And so you have to figure out what that is for your business. Now another thing we have to do as part of our system assessment is asset and inventory tracking. This uses software and hardware solutions to track and manage any assets within your organization. Usually in most companies, this is going to be done as part of an asset management database.

This will contain data such as the type, the model, the serial number, the asset ID, the location, the user, the value, and the service information for that asset. So, like I said, I’m using a laptop right now. As I’m recording this, I know everything about this laptop. I know what type it is, what model it is, what serial number it is, what asset ID it has inside my company, where it’s located, which user is assigned to it, and what the value of it is, that $1,500 or whatever that assigned asset value will be. And the service information has all the things that we’ve ever done to this laptop. All of that is in our asset management database.

Now, another thing we’re going to do as part of our system assessment is look at threat and vulnerability assessment data. Now, this is an ongoing process of assessing assets against a known set of threats and vulnerabilities. This involves all of the cybersecurity analysts, because a lot of your job is going to be focused on conducting vulnerability scans. Once you run those scans, you’re going to look at those reports and you’re going to tie that back to the threats you’re facing. And then you’re going to prioritize them based on those threats and figure out what should be patched first and what should be solved. We’ll talk more about that when we get to risk prioritization.
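The asset record fields, the loss-based valuation (replacement cost plus data value plus the business continuity, legal and reputational liabilities), the qualitative high/medium/low rating from lesson 2, and the idea of tying scan findings back to active threats before deciding what to patch first, as one added Python example. This code is not part of the course or its materials; the asset IDs, model names, dollar figures, scan findings, band thresholds and scoring weights are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three liability categories the lesson uses when valuing an asset.
LIABILITY_CATEGORIES = ("business_continuity", "legal", "reputational")


@dataclass
class Asset:
    """One row of the asset management database, with the fields the lesson lists."""
    asset_id: str
    asset_type: str
    model: str
    serial_number: str
    location: str
    user: str
    replacement_cost: float          # what buying a new one would cost
    data_value: float                # worth of the data and unfinished work it holds
    liabilities: Dict[str, float]    # expected loss per category if it is lost or damaged
    mission_essential: bool = False  # True if it supports a mission essential function
    service_info: List[str] = field(default_factory=list)

    def loss_value(self) -> float:
        """Value in security terms: the cost created by loss or damage, which is
        normally far above the replacement price alone."""
        liability_cost = sum(self.liabilities.get(c, 0.0) for c in LIABILITY_CATEGORIES)
        return self.replacement_cost + self.data_value + liability_cost


def qualitative_rating(asset: Asset, likelihood: str) -> str:
    """Qualitative risk: an impact band and a likelihood band ("low", "medium",
    "high") combined into one high/medium/low rating. No dollar figure comes
    out of this; the band thresholds are assumptions for this example."""
    value = asset.loss_value()
    if asset.mission_essential or value >= 100_000:
        impact = "high"
    elif value >= 10_000:
        impact = "medium"
    else:
        impact = "low"
    levels = {"low": 0, "medium": 1, "high": 2}
    combined = levels[impact] + levels[likelihood]
    return "high" if combined >= 3 else "medium" if combined == 2 else "low"


def prioritize_findings(assets: List[Asset], findings: List[dict]) -> List[Tuple[float, str, str]]:
    """Quantitative patch ordering: tie each scan finding back to the asset it
    affects and to whether a threat is actively going after that kind of system.
    Returns (score, finding_id, asset_id) tuples, highest priority first.
    The weights (x2 for an active threat, x1.5 for a mission essential asset)
    are assumptions for this example."""
    by_id = {a.asset_id: a for a in assets}
    scored = []
    for f in findings:
        asset = by_id[f["asset_id"]]
        score = asset.loss_value() * (f["cvss"] / 10.0)
        if f["threat_active"]:
            score *= 2.0
        if asset.mission_essential:
            score *= 1.5
        scored.append((round(score, 2), f["finding_id"], asset.asset_id))
    return sorted(scored, reverse=True)


# Constructed sample inventory: the lesson's $1,500 laptop holding $10,000 of
# data, and a server that delivers training content (a mission essential function).
LAPTOP = Asset("A-0001", "laptop", "EXAMPLE-MODEL", "SN-EXAMPLE-1", "studio", "instructor",
               replacement_cost=1_500, data_value=10_000,
               liabilities={"business_continuity": 2_000, "reputational": 5_000})
VIDEO_SERVER = Asset("A-0002", "server", "EXAMPLE-SRV", "SN-EXAMPLE-2", "datacenter", "ops",
                     replacement_cost=8_000, data_value=50_000,
                     liabilities={"business_continuity": 40_000, "legal": 25_000,
                                  "reputational": 60_000},
                     mission_essential=True)

# Constructed scan findings; finding_id is a placeholder, not a real vulnerability id.
FINDINGS = [
    {"finding_id": "F-1", "asset_id": "A-0001", "cvss": 9.8, "threat_active": False},
    {"finding_id": "F-2", "asset_id": "A-0002", "cvss": 6.5, "threat_active": True},
    {"finding_id": "F-3", "asset_id": "A-0001", "cvss": 5.0, "threat_active": True},
]

if __name__ == "__main__":
    for a in (LAPTOP, VIDEO_SERVER):
        print(f"{a.asset_id} loss value ${a.loss_value():,.0f}, "
              f"qualitative (likelihood medium): {qualitative_rating(a, 'medium')}")
    for score, finding_id, asset_id in prioritize_findings([LAPTOP, VIDEO_SERVER], FINDINGS):
        print(f"{finding_id} on {asset_id}: priority score {score:,.0f}")
```

With these constructed inputs the laptop's loss value is $18,500 against a $1,500 purchase price, the server's is $183,000, and the patch order comes out F-2, F-3, F-1: the medium-severity finding on the laptop that a threat is actively exploiting outranks the critical-severity finding that nobody is targeting, which is the point of tying scan output back to threats rather than sorting by CVSS alone.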
