The Complete Course from ExamCollection industry leading experts to help you prepare and provides the full 360 solution for self prep including CAS-004: CompTIA Advanced Security Practitioner (CASP+) CAS-004 Certification Video Training Course, Practice Test Questions and Answers, Study Guide & Exam Dumps.

Risk Strategies (Domain 4)

1. Risk Strategies (OBJ 4.1)

In this section of the course, we're going to cover risk strategies and how we can mitigate some of the risks that we've identified through our risk management and business continuity planning. We're going to be focused on Objective 4.1: given a set of requirements, apply the appropriate risk strategies; and Objective 4.4: explain the importance of business continuity and disaster recovery concepts. As we move through the section, we're going to start by discussing the first step of the risk management process in a bit more detail. If you recall, there are six steps to the risk management process. First, identify the assets and their value. Second, identify threats. Third, identify vulnerabilities. Fourth, determine the likelihood. Fifth, identify impact, and sixth, determine risk as a combination of likelihood and impact. So we're going to dive into these concepts, learning how you determine an asset's true value. so you can better determine how much time, effort, and resources you should apply to mitigate the risk associated with that particular thing. Next, we're going to dive into access control so we can better understand the categories and types of access control that we can apply to the mitigation of risk. Then we're going to discuss how we can create a risk aggregation score based on the three pillars of security: confidentiality, integrity, and availability. This score will help us to provide a way to quantify the risk associated with a given asset and its vulnerabilities. Finally, we're going to discuss some extreme or worst-case scenario planning, which is really helpful when you're doing your business continuity planning, disaster recovery planning, or incident response planning. So let's jump into this section on risk strategies.

2. Asset Value (OBJ 4.1)

In conducting risk management, it's helpful to use a step-by-step process to ensure that all assets are considered. Thankfully, the National Institute of Standards and Technology, also known as NIST, provides us with a suitable risk management process in their special publication 830, which has been commonly accepted in the information system security industry as the definitive guide. As discussed before, the NIST special publication 830 has six steps to it. We identify the assets and their values. We identify threats, we identify vulnerabilities, we determine the likelihood, and we identify the impact. And then we determine risk as a combination of likelihood and impact. The first step there is to identify the assets and their value. Now, when we do this, we have to remember that assets can be both tangible and intangible. Tangible assets include things like computers and servers, facilities, and supplies, and even our personnel. Intangible assets include things like our intellectual property, our data, and our organization's reputation. But how do we determine the value of these tangible and intangible assets? Well, there are a few ways to determine their value. The value the asset has to the owner; the work required to develop or obtain that asset; the cost to maintain the asset; the damage that would result if the asset were lost; the cost that a competitor would pay for the asset; or the penalties that might result if the asset were lost. So our goal in defining asset value is to place a financial value on each asset. Now, sometimes this is really easy to do, and other times it can be much harder. For example, if we're considering the value of a piece of hardware, we might calculate the retail price of the server, the software that's installed on it, and the hours that were spent by our technicians to build it and configure it. But some assets are much harder to quantify. For example, if we want to put a price on your brand's name or reputation, that becomes much harder to figure out. What is the value of the name DEON training? For example, what are all the positive reviews and previous student success worth? If I went to sell the company or if a breach occurred and that tarnished our good reputation, this would become much harder to quantify in dollars and cents. But it is important to gain acceptance within your organization. Now, this is because if we value our brand and reputation at, say, a million dollars, then we should be willing to spend a large amount of money to protect that brand. By knowing the value that it has for us, it can help us make the argument that it's okay to spend $10,000 per year on a service to protect our reputation, to protect us from a data breach, or whatever it is that we're trying to protect against. $10,000 is only 10% of the million-dollar value we placed on it. So it would be worth doing. Now, once again, we assign values to all of our different assets. And then we move into the second step of risk assessment, which is to identify the threats and vulnerabilities for that particular asset. Here we have six categories we can consider: human, natural, technical, physical, environmental, and operational. Human refers to both malicious and nonmalicious insiders and outsiders, spies, adversaries, terrorists, and others. Natural refers to phenomena like floods and fires, tornadoes and earthquakes, hurricanes, and other types of natural phenomena. Technical refers to the failure of hardware or software due to malicious codes such as viruses, Trojans, worms, and other technology that's used to inflict harm upon our assets. Physical refers to the failure of any of our physical security measures, things like our gates, fences, closed-circuit TVs, man traps, and others. Environmental refers specifically to the failures of our power, heating, and cooling systems. However, it may also have issues such as traffic, hazardous material spills, and other similar issues. Operational refers to any process or procedure that might affect one of our three tenets of information security, confidentiality, integrity, or availability. Then we move into step three. This is where we need to determine the likelihood of a threat or vulnerability being realized. So by starting out and identifying our assets, then identifying their value, and then determining the threats against them, we can then determine the likelihood of a threat or vulnerability being realised against them. And now we've laid the foundation for all the mitigations and controls that we may need to choose to protect this asset.

3. Access Control (OBJ 4.1)

In order to protect our information, we're going to utilise various types of access control. Now, access control measures are broken down into seven different categories. These are compensated, corrective, detective, deterrent, directive, preventive, and recovery. Let's take a look at each of these categories. First, we have compensated access controls, and these are going to be used in place of a primary access control measure in order to mitigate a given risk. These controls can be deployed to enforce and support a security policy. For example, we might require that two system administrators perform a certain action, like downloading a copy of the database to an external device. That way, we can minimise the risk of a trusted insider stealing that information. This mitigation is based on a policy of dual control, which might be considered an administrative control if you think back to our discussion of policies earlier on in the course. Now, second, corrective access controls are going to be used to reduce the effect of an undesirable event or attack. For example, we might have corrective access controls that include fire extinguishers, intrusion detection systems, antivirus solutions, and similar measures like that. This way, if a fire broke out, we could put out that fire by using the fire extinguisher. Next, we have detective measures. These are going to be used to detect an attack while it's occurring and to notify the proper personnel. Now, these types of controls include things like alarm systems, closed-circuit television systems, honey pots and honey nets, and other things like that. We also have deterrent controls. These are controls that are used to discourage any violation of the security policies, both by attackers and by insiders. Now, deterrent controls can go further than detective controls because they not only detect the event, but they also ensure consequences for those actions. For example, if I posted a sign outside my house saying, "This house has a video camera to record intrusions," this would be a deterrent control. I'm trying to tell potential burglars they should go to another house because if they try to break into mine, I can give that recording to the police and we can identify them and arrest them. Now, note in this example that the video recording itself is considered a detective control because it's used to identify the burglars after the fact, but the sign is the deterrent control because I'm trying to scare them off before they commit a crime. Next, we have directive controls, and these are used to force compliance with the security policy and practises within your organization. The most common directive controls we have are acceptable use policies, or a ups.These are going to dictate what behaviours are and are not allowed on a company's network system. Next, we have preventive controls, and preventive controls seek to prevent or stop an attack from even occurring in the first place. For example, you might have protections like password protection, security badges, antivirus software, and intrusion prevention systems. all those forms of preventive controls. Finally, we have recovery control measures that are used to recover a device after an attack has happened. The best known examples of recovery controls are disaster recovery plans, backups, and continuity of operation plans. Now, when we develop our security for our networks, we're also going to use the concept of defence in depth, and we're going to layer various access controls on top of one another for additional security. In order to achieve the goals of defence in depth, we have to implement security through three types of access controls. These are administrative, logical, and physical. The first type of access control is administrative controls, also known as management controls. These controls are implemented to manage the operational personnel and the assets through security policies, standards, procedures, guidelines, and baselines. Examples of administrative management controls include proper data, classification and labeling, supervision of personnel, and security awareness training. Security awareness training is one of the most important things that you can do as an administrator in any organization. In fact, studies have shown that incidents could have been prevented with the proper user training, and it's one of the most cost-effective ways to increase your organization's security. The second type of access control is logical control, also known as technical control. These controls are implemented through hardware or software, and they're used to prevent or restrict access to a system. Examples of logical or technical controls include installing new devices like firewalls, intrusion detection systems, intrusion prevention systems, authentication schemes, encryption, new protocols, auditing or monitoring software, biometrics, and more. Auditing and monitoring are both types of logical controls as well, but they do slightly differ in their use. Auditing is a onetime evaluation of your security posture. Monitoring, on the other hand, is an ongoing process that continually evaluates the system or your users. All organisations should be aiming to continually improve themselves in order to become either more effective, more efficient, or preferably both. To do this, the organisation must monitor any changes to their network in order to better understand the risks associated with each of those changes. Now, this often falls under the category of change management, where a baseline is going to be created and all changes to that baseline are tracked and assessed. Before those changes are implemented, though, they should be analysed for risk through the risk management program. To conduct efficient continuous monitoring, organisations need to automate the processes as much as is practical. For example, the collection of logs from security systems, applications, and network suites should be automatically collected, correlated, and prioritised by software and then displayed to an analyst. Continuous monitoring is also going to include overseeing the change management process, the configuration management process, monitoring your logs, and analysing status reporting that's being collected across your organization. This allows security professionals to evaluate the effectiveness of their existing security controls and make recommendations for improved controls if those are warranted. Now, the third type of access control we have is physical control. These are controls that are implemented to protect the organization's personnel and their facilities. For example, we have physical controls like fences, locks, security badges, proximity cards for getting into the building guards, man traps, access control points, biometrics, and other means of securing our facility. So, in summary, it's important to remember the seven different types of access control categories. These are compensated, corrective, detective, deterrent, directive, preventive, and recovery. Now, you also want to remember the three types of access controls: administrative, logical, and physical. Some controls may work in multiple categories and types, too. And that's okay when you're doing your planning. To ensure you're an athlete and your risk of applying defence in depth, you must take controls from a diverse range of different types and categories.

4. Aggregating Risk (OBJ 4.1)

In this video, we're going to discuss how you can aggregate risk. Now, we've already talked about the three tenets of information security: confidentiality, integrity, and availability. Under the Phipps One Nine Nine series, each asset or system receives a score of low, moderate, or high for each of these tenants. And this helps us to determine which security control measures should be implemented. This score is referred to as a security category and is designated for each asset. If a system is made up of multiple assets, then we get an aggregate CIA score that can be calculated and assigned to that system. Now let's consider a quick example of how the system might receive an aggregate score based upon three assets that compromise the system. Now let's say you have an organisation that hosts an ecommerce website that's going to consist of three parts. First, we have to have a website. Second, we need a database to store all the products and information. And third, we need a place to put all our accounting data so it can be stored and processed inside batches. So let's consider each piece of the system individually and see how they score. First, we have the website. Now, the website is going to be publicly accessible. And since it's a public website, we can classify the confidentiality needs as very low. Yet it does need to be highly accessible for integrity. We want the data to be an accurate representation of our products, so the integrity needs to be considered moderate at the very least. Now the organisation gets to determine at what level we're going to classify each of these areas. But the ones I gave you are what I would personally do if it was my site. Now, if your integrity is going to be classified as a high priority, then we're going to need to spend more money providing controls to ensure the integrity of our system is maintained. So I said I was going to go with moderate in this case. The second asset is our database. Now, the database is hosted on the same server as the website. Because of this, it's going to have many of the same controls, but we're going to evaluate it anyway. The confidentiality of the database is going to be paramount to its security, so we're going to classify that as high. The integrity of the data in the database should also be moderate because we need to make sure the product details are accurate most of the time. And finally, the availability must be high because if the database is offline, the website can't display the data for our products. The third and final asset we need to look at is the accounting data storage. Now, for reasons of confidentiality, the accounting data must be kept confidential because it contains information like credit card numbers. The integrity of this data also has to be high because otherwise we could be charging the wrong customer, which would be a bad thing, or the customer could be charged for the incorrect amount, which again would be a bad thing. But let's consider the availability of tenants. Since this data doesn't need to be accessed continually and we can process it in batches, we may rate the availability as low, and that would be okay. So let's look at the entire system and get an aggregate score. Notice that the aggregate CIA score is going to take the highest categorization from each tenant for each of these assets. And then we're going to assume that that tenant is going to be the same for the entire system. So in this case, we rated that we need high confidentiality, high integrity, and high availability in order to minimise the risk of these levels of security controls. We're going to need to reengineer this entire system to mitigate that risk to an acceptable level.

5. Scenario Planning (OBJ 4.1)

Lesson. We're going to talk about scenario planning, specifically extreme and worst-case scenario planning, because these are going to be used by the organisation to think about the planning of catastrophic events before they happen. Now, there are five distinct steps to conducting this type of planning. First, we need to analyse all the threats that the organisation faces. Second, we should determine what the organisation wants to protect from those threats. Third, we're going to develop a scenario incorporating those threats and assets. Fourth, we develop an attack tree for each of those scenarios. And fifth, we're going to determine the security controls that are used to protect the assets from those identified threats. All right, let's dig a little deeper into each of those steps. The first step is to analyse all the threats facing the organization. These threats come in two categories: internal and external actors. Now, internal actors include employee threats—things like a disgruntled employee, an untrained employee, or an uncaring employee. Other internal actors can be people who are conducting espionage against our organisation, like governmental or corporate spies. Further, our own partners or vendors could be an internal threat to our organization. Now, external actors are going to include things like competitors, hackers, activists, vandals, terrorists, nation states, cyber attackers, data miners, criminals, and many others. These internal and external actors can also be categorised into two distinct groups: hostile or nonhostile. A great example of this is shown in the internal actors, where I talked about a disgruntled employee. Now, a disgruntled employee is hostile, while an untrained employee is somebody who is not hostile. But they're still both dangerous to our operations because the untrained employee can still make mistakes that bring down our servers. So when you analyse each of these threat actors, you may find it helpful to rank them and categorise them based on the different criteria. The most common criteria we use are skill level, resource limits, visibility, objectives, and outcomes. The threat actor's skill level is referred to as his or her competence. Are they very adept? Are they average? Are they minimally skilled, or are they inept? Based on this, we can determine how much of a threat they really are to our organization. Resources refer to whether the threat exists as an individual, a team, a large team or organisation, or even a nation, state, or government. Generally, the more resources a threat has, the more of a threat they really are to your organization. For example, let's say I work as a defence contractor for the US. Government, and a foreign government like China, Russia, or Iran wants to steal the software code that I'm developing for the government. That would be a huge threat to us because they could put a tonne of resources into it. Focusing on stealing my code as a company, I definitely don't have as much resources or money as a foreign government does. So they could outspend me and eventually find a way to overcome all my defences and be able to get that software code if they wanted to. Limits refer to how the threat operates. So do they follow a strict code of conduct, such as legal guidelines? Or are they more focused on anarchy? Knowing the threat's limits will help us predict what they might do when they're attacking our organization. Again, a nation-state hacker has different rules they have to follow, as opposed to a criminal hacker who's just in it to make some money by putting ransomware on your systems. Next, we have visibility. And visibility refers to whether the threat actor cares if they get caught. Are they covert like a spy, or are they overt like an activist? Now, do they even care if they're going to get caught by the authorities? It all really depends on that actor. If I were a hacktivist, I would want the whole world to see that I hacked a big oil company as part of my political statement. But if I was a nation-state hacker, I don't want anyone to know that I was able to hack into the national oil company of Country X in the last nine months. And I'm just sitting there waiting for the right time to turn off that country's oil supply. Next, we have an objective. And an objective is a goal that the threat actor is attempting to achieve. Are they trying to copy and steal our data? Or do they want to destroy our servers? Maybe they're trying to injure our personnel. What is that threat's real goal? That's what we're asking for with objectives. Finally, we have the outcome. This refers to what they're achieving through their attack on our organization. Are they trying to gain a business advantage if they're our competitor? Are they trying to embarrass us by stealing confidential information and posting it on the Web? All these are things that could happen. So based on these six criteria, our organisation needs to analyse some of those potential threat actors. Maybe our organisations can decide that. We're only going to consider the worst-case scenario, like a very adept and skilled attacker who works as part of a large organisation or government and doesn't follow the rules or their code of conduct. So this threat actor may be clandestine, and they desire to copy information to give their country a technical advantage by stealing all of our intellectual property. Now, once we have this smaller list of threat actors in mind, we can then consider exactly what we want to protect inside our organization. We're going to call these vital assets. After all, we don't have enough time, resources, or people to protect everything. So we have to focus on just the most important things. Now, we can start by constructing these scenarios and keeping in mind the what-ifs that may occur. For each scenario, a risk determination is going to be made, and the organisation is going to develop an attack tree, listing out the steps and conditions that were necessary for that attack to occur. If we're focused on cyber attacks, we're often going to use the Miter attack matrix as a great way to display the conditions that need to occur for this attack to be successful. Finally, we have to determine the security controls that would be used to manage the risk of the worst-case scenario being realized. Each security control should be mapped back to the steps and conditions from our attack tree that we created. Now, let's walk through a very basic analysis of how to conduct extreme scenario and worst-case scenario planning for a catastrophic event by providing a real-world example here. Let's start off by pretending that we work for a soda company, and we just invented the best new recipe for a new drink. Now, the recipe is going to be stored on our business network, and we need to ensure it is protected from thieves. Remember, there are five distinct steps for conducting this type of planning. First, we analyse all the threats facing the organization. Second, we determine what the organisation wants to protect from those threats. Third, we develop a scenario incorporating those threats and assets. Fourth, we develop an attack tree for each scenario. And fifth, we determine the security controls used to protect the assets from the identified threats. All right, let's dig a little bit deeper into each step. The first step is to analyse all the threats facing the organization. Based on our research, the most threatening actor for us is either an internal actor, like a corporate spy, or an external threat, like our competitors, who are hiring a hacker to steal our formula from our business network. Next, we need to figure out what needs to be protected. In our case, we're worried about the corporate theft of our formula. So the formula needs to be protected, but we can't just protect the formula; we also need to protect the systems that are housing that formula, too.Then we think about the extreme or worst-case scenario for our threat and our asset. Let's assume the corporate spy has worked his way into our organization. That is our threat. This is an insider threat. Now, our asset is the formula that's sitting on our corporate file servers. So maybe our scenario is something like this. The corporate spy is going to log onto our network, copy the file containing the formula to a thumb drive without being noticed, and then walk right out the front door and give it to our competitors. Then the competitor creates a competing soft drink, and our sales begin to plummet. All right, this is a really simple example, and your scenarios are going to be a lot more indepth. But for our purposes, this abbreviated example will work to illustrate the methods used in scenario planning just fine. The attack scenario in our case is that of an inside corporate spy stealing our data. And so we're going to move onto our last step, determining our security controls. How are we going to prevent this type of thing from being realized? Well, we could add some physical security controls like man traps and guards and random searches of our personnel as they enter or leave the building. Alternatively, we can add some logical controls, such as access control lists, to the files and folders containing the formula, limiting access to the fewest number of users who actually need to know it. And we can attack this problem from lots of different sides, depending on how we want to do it. Often, we're going to have lots of different controls in both the physical and logical domains to help protect this information. So, as you can see, this type of planning can get really in-depth really quickly. Most of this type of planning takes a team of security professionals who consider the problem from various perspectives to truly create a holistic solution to minimise the risk. In this lesson, we just covered a quick overview of this type of process, but you're going to get much more in depth on this when you start working on these types of problems in the real world.