© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Managing Risk in Information Systems
Chapter 2: Managing Risk: Threats, Vulnerabilities, and Exploits
Learning Objectives
Explain methods of mitigating risk by managing threats, vulnerabilities, and exploits.
Describe the components of an effective organizational risk management program.
Key Concepts
Risk, threats, vulnerabilities, and exploits
Public resources for risk management
Use of threat/vulnerability pairs in managing risk
Fundamental components of a risk management plan
Objectives of a risk management plan
Objectives and scope of a risk management plan
Importance of assigning responsibilities
Significance of planning, scheduling, and documentation
Chapter 2 Slides
Chapter 2: “Managing Risk: Threats, Vulnerabilities, and Exploits”
The Uncontrollable Nature of Threats
Threats can’t be eliminated.
Threats are always present.
You can take action to reduce the potential for a threat to occur.
You can take action to reduce the impact of a threat.
You cannot affect the threat itself.
Unintentional Threats
• Environmental
• Human
• Accidents
• Failures
Intentional Threats
• Greed
• Anger
• Desire to damage
Unintentional Threats
• Environmental: fire, wind, lightning, flooding
• Accident
• Equipment failures
• Human: keystroke errors, procedural errors, programming bugs
Intentional Threats
• Individuals or organizations: hackers, criminals, disgruntled employees
Common Attackers
Criminals
Advanced persistent threats (APTs)
Vandals
Saboteurs
Disgruntled employees
Activists
Other nations
Hackers
Best Practices for Managing Threats
Create a security policy.
Purchase insurance.
Use access controls.
Use automation.
Best Practices for Managing Threats (Cont.)
Include input validation.
Provide training.
Use antivirus software.
Protect the boundary.
Understanding and Managing Vulnerabilities
Countermeasures reduce risk and loss
• Reduce vulnerabilities
• Reduce impact of loss
Threat/Vulnerability Pair
Occurs when a threat exploits a vulnerability.
A vulnerability provides a path for the threat that results in a harmful event or a loss.
Both the threat and the vulnerability must come together to result in a loss.
Threat/Vulnerability Pair and Threat Action
Threat
• Ex-employee
Vulnerability
• Ex-employee who still has access to the system
Threat Action
• Accessing proprietary data
Threat/Vulnerability Pair Example 1
Threat Source
• Fire or negligent person
Vulnerability
• Sprinklers used to suppress fire damage
• Protective tarpaulins not in place
Threat Action
• Sprinkler system turned on
Threat/Vulnerability Pair Example 2
Threat Source
• Unauthorized users (e.g., hackers)
Vulnerability
• Identified flaws in system design
• New patches not applied
Threat Action
• Unauthorized access to files
Vulnerability Mitigation Techniques
Policies and procedures
Documentation
Training
Separation of duties
Vulnerability Mitigation Techniques (Cont.)
Configuration management
Version control
Patch management
Intrusion detection
Vulnerability Mitigation Techniques (Cont.)
Incident response
Continuous monitoring
Technical controls
Physical controls
Best Practices for Managing Vulnerabilities
Identify vulnerabilities.
Match the threat/vulnerability pairs.
Use as many of the mitigation techniques as feasible.
Perform vulnerability assessments.
Understanding and Managing Exploits
An exploit is the act of taking advantage of a vulnerability.
Executes a command or program against an IT system to take advantage of a weakness.
Results in a compromise to the system, an application, or data.
Understanding and Managing Exploits (Cont.)
Attacks executed by code primarily affect public-facing servers:
Web servers
Simple Mail Transfer Protocol (SMTP) e-mail servers
File Transfer Protocol (FTP) servers
Exploits that attack public-facing servers
• Buffer overflow
• SQL injection
• DoS attack
• DDoS attack
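The slides list SQL injection as an exploit against public-facing servers and, earlier, "Include input validation" as a best practice for managing threats. The following Python script is an added example, not code from the Jones & Bartlett slides or lab manual: it shows the weakness (untrusted input spliced into query text) beside two countermeasures (an allow-list check on the input and a parameterized query) and runs both against the same constructed input. The in-memory SQLite database, the two sample user rows, the username pattern and the search strings are all assumptions made for the demonstration.

```python
"""Added example: a SQL injection weakness in a user lookup, beside its
hardened form (input validation plus a parameterized query).

Everything here is constructed for illustration: the in-memory SQLite
database, the sample rows, the username allow-list and the inputs are
assumptions, not part of the original slides."""
import re
import sqlite3

# Allow-list for usernames (assumed policy): lowercase letters, digits and
# underscore, 1 to 32 characters. Anything else is rejected before it gets
# anywhere near the database.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def is_valid_username(username: str) -> bool:
    """Input validation: accept only values that match the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weakness: the input is pasted into the SQL text, so it can change
    the meaning of the statement instead of only supplying a value."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The countermeasures: reject input that fails validation, then send the
    value as a bound parameter so the driver never parses it as SQL."""
    if not is_valid_username(username):
        raise ValueError("username failed input validation")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and a constructed hostile value."""
    conn = build_db()
    normal = "alice"
    # Constructed hostile input: closes the quoted literal and appends a
    # condition that is always true, so the vulnerable query matches every row.
    hostile = "' OR '1'='1"
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "hardened_normal": lookup_hardened(conn, normal),
    }
    try:
        results["hardened_hostile"] = lookup_hardened(conn, hostile)
    except ValueError:
        results["hardened_hostile"] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the vulnerable lookup returning both user rows for the hostile input while the hardened lookup rejects it at validation; even without the allow-list, the parameterized query would simply search for the literal string and return nothing, which is why the two controls are layered rather than treated as alternatives.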
Risk Mitigation Techniques for Protecting Public-Facing Servers
Remove or change defaults.
Reduce the attack surface.
Keep systems up to date.
Enable firewalls.
Risk Mitigation Techniques for Protecting Public-Facing Servers
Enable intrusion detection systems (IDSs)
Enable intrusion prevention systems (IPSs)
Install antivirus software
Best Practices for Managing Exploits
Harden servers.
Use configuration management.
Perform risk assessments.
Perform vulnerability assessments.
U.S. Government Risk Management Initiatives
The National Institute of Standards and Technology (NIST)
The Department of Homeland Security
The National Cybersecurity and Communications Integration Center (NCCIC)
U.S. Computer Emergency Readiness Team (US-CERT)
The MITRE Corporation – Common Vulnerabilities and Exposures (CVE) List
Relationships Among Organizations
Managing Risk in Information Systems
Laboratory Manual to Accompany, Version 2.0, Instructor Version
Jones & Bartlett Learning Information Systems Security & Assurance Series
Powered by vLab Solutions
Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.
Introduction
Ask any IT manager about the challenges in conveying IT risks in terms of business risks, or about translating business goals into IT goals. It’s a common difficulty, as the worlds of business and IT do not inherently align. This lack of alignment was unresolved until ISACA developed a framework called COBIT, first released in 1996. ISACA is an IT professionals’ association centered on auditing and IT governance. This lab will focus on the COBIT framework. The lab uses the latest two versions: COBIT 4.1, which is currently the most implemented version, and COBIT 5, which is the latest version released in June 2012.

Because COBIT 4.1 is freely available at the time of this writing, the lab uses this version to present handling of risk management. Presentation is done making use of a set of COBIT control objectives called P09. COBIT P09’s purpose is to guide the scope of risk management for an IT infrastructure. The COBIT P09 risk management controls help organize the identified risks, threats, and vulnerabilities, enabling you to manage and remediate them. This lab will also present how COBIT shifts from the term “control objectives” to a set of principles and enablers in version 5.

In this lab, you will define COBIT P09, you will describe COBIT P09’s six control objectives, you will explain how the threats and vulnerabilities align to the definition for the assessment and management of risks, and you will use COBIT P09 to determine the scope of risk management for an IT infrastructure.
Learning Objectives
Upon completing this lab, you will be able to:
Define what COBIT (Control Objectives for Information and related Technology) P09 risk management is for an IT infrastructure.
Describe COBIT P09’s six control objectives that are used as benchmarks for IT risk assessment and risk management.
Explain how threats and vulnerabilities align to the COBIT P09 risk management definition for the assessment and management of IT risks.
Use the COBIT P09 controls as a guide to define the scope of risk management for an IT infrastructure.
Apply the COBIT P09 controls to help organize the identified IT risks, threats, and vulnerabilities.
Lab #2 Aligning Risks, Threats, and Vulnerabilities to COBIT P09 Risk Management Controls
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.
3. Review the seven domains of a typical IT infrastructure (see Figure 1).
Figure 1 Seven domains of a typical IT infrastructure
4. On your local computer, open a new Internet browser window.
5. In the address box of your Internet browser, type the URL http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx and press Enter to open the Web site.
6. Review the information on the COBIT FAQs page.
ISACA—45 Years Serving Auditors and Business
ISACA is a global organization that defines the roles of information systems governance, security, auditing, and assurance professionals worldwide. ISACA standardizes a level of understanding of these areas through two well-known certifications, the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). In recent years, ISACA has expanded its certification offerings to include two other certifications around risk and IT governance.

ISACA was previously an acronym expanding to Information Systems Audit and Control Association, but today is known by the name ISACA alone to better serve its wider audience.

Similarly, COBIT was originally an acronym for Control Objectives for Information and related Technology. Now, ISACA refers to the framework as just COBIT, in part because the concept of “control objectives” ends with COBIT version 4.1. COBIT 5 focuses on business-centric concepts and definitions, distinguishes between governance and management, and includes a product family of “enabler guides” and “practice guides.” The recent release of COBIT version 5 is a complete break from COBIT 4. In addition, COBIT 5 also incorporates other ISACA products, including Val IT and Risk IT.
7. Describe the primary goal of the COBIT v4.1 Framework. Define COBIT.
8. On the left side of the COBIT Web site, click the COBIT 4.1 Controls Collaboration link.
9. At the top of the page, read about the COBIT Controls area within ISACA’s Knowledge Center.
10. Describe the major objective of the Controls area.
11. Scroll down the Web page to the COBIT Domains and Control Objectives section.
12. Click the Text View tab.
13. List each of the types of control objectives and briefly describe them based on the descriptions on the Web site. Include the following:
Plan and Organize
Acquire and Implement
Monitor and Evaluate
Delivery and Support
Process Controls
Application Controls
14. On the Web site, under the Plan and Organize Control Objective description, click the View all the PO Control Objectives link.
15. Scroll down and find the P09 Control Objectives, which are labeled Assess and Manage IT Risks.
Note:
COBIT 5 is not an evolutionary but a revolutionary change. Naturally, risk management is covered, but it is done in a holistic, end-to-end business approach, rather than in an IT-centered approach.
16. Click the P09.1, IT Risk Management Framework link.
17. Scroll down to about the middle of the page to read about the IT Risk Management Framework.
18. Expand the View value and Risk Drivers and View Control Practices links to learn more.
19. Describe what this objective covers.
20. Click the other P09 Control Objectives by first clicking the back button to return to the COBIT Domains and Control Objectives section of the COBIT 4.1 Controls Collaboration page.
21. Click the Text View tab.
22. Click the View all the PO Control Objectives link.
23. Scroll down to the P09 Control Objectives.
24. Finally, click the P09.2, Establishment of Risk Context link.
25. Repeat this set of instructions for each of the other P09 listings.
26. Read about each of these.
27. Explain how you use the P09 Control Objectives to organize identified IT risks, threats, and vulnerabilities so you can then manage and remediate the risks, threats, and vulnerabilities in a typical IT infrastructure.
Note:
This completes the lab. Close the Web browser, if you have not already done so.