CHAPTER 6 notes
Date: 06.06.2022

CHAPTER 6

Threats and vulnerabilities


 The second step in the ISO27001 risk assessment process is to identify the threats to the identified assets.
 The third step is to identify the vulnerabilities those threats might exploit.

——


Difference between ‘threat’ and ‘vulnerability’
 It is very important to always differentiate clearly between these two attributes of a risk, because the existence of the risk itself depends on the co-existence of a threat and a vulnerability.
 Vulnerabilities are flaws or weaknesses in an asset.
 Threats are what can accidentally trigger or intentionally exploit a vulnerability to compromise some aspect of the asset.

——


Is the threat relevant to the organization?
 The first thing to remember is that there are many threats that have absolutely no relevance to many organizations.
 A simplistic example would be an organization that has no Internet connectivity: for it, Internet-borne threats do not exist.
 The moment the organization connects to the Internet, it does need to be concerned: the point of connection is by definition a possible point of vulnerability and, therefore, an area where controls might be required.
 The likelihood and impact of a threat help guide the selection of controls.

———

Are threats external to information assets?
 Threats are external to information assets, and vulnerabilities are typically attributes of the asset – aspects of the asset that the threat can exploit.
 Vulnerabilities are security weaknesses in the existing systems, which can either be exploited by threats or which allow damage, accidental or otherwise, to information assets.
 Example:
 Dropping a laptop (the threat)
 The lack of robustness in the laptop’s design (the vulnerability)

————
Threat vulnerability combinations


 It should also be noted that a threat to one asset is not necessarily a threat to another.
 For example, a fire in the server room is a threat to a number of systems based there, but is unlikely to be a threat to an organization’s externally hosted mobile phone network.
 Good risk assessment tool: whilst threat and vulnerability databases are not widely available, any good risk assessment tool should contain both.

——


Threats
 Threats to confidentiality
 Threats to integrity
 Threats to availability
A number of external threats might be classified under all three headings. For example:
A hacker might be able to steal confidential data and then disrupt the information system so that data is no longer available or, if it is, it is corrupted.
A virus can not only affect the integrity and availability of data but also, because it could mail out a copy of an address book, confidentiality as well.
A business interruption, such as a fire in the server room or in a filing cabinet, is initially likely to affect the availability and integrity of information.

———

Vulnerabilities
 Identify vulnerabilities, and also identify the controls already in place.
 Analyze whether the existing controls are appropriate for the identified risks.
 Attacks are often devised to exploit specific vulnerabilities.
 Integrity and availability of data are often more likely to be compromised by these threat-vulnerability combinations than is confidentiality.
————

Technical Vulnerabilities


 Many of the threats related to information technology arise because of technical vulnerabilities.
 All wireless (WiFi) products, for example, are designed to communicate ‘out of the box’ with one another and, therefore, come without any security settings configured.
 Routers and other access control units come with default password settings that are widely known.
All software has imperfections, and the more complex the software, the more imperfections it will have. Each imperfection is a potential vulnerability.
———

Defining Impact


 ISO27001 requires that the organisation ‘analyzes the impacts that losses of confidentiality, integrity and availability may have on each of the assets’.

———

Risk Treatment - Types of Controls

For risk treatment, control types fall into three categories, and controls in each category can prevent, detect, or correct (recover from) an incident:

 Technical controls, which usually involve system, hardware or software packages, measures and configurations and deal with, for example, identity, cryptography and security administration:
  prevent
  detect
  correct (or recover).
 Operational controls, those controls that deal with day-to-day issues such as backups, physical security and so on:
  prevent
  detect
  correct (or recover).
 Management controls, which relate to direction, guidelines, policies and procedures put in place by management:
  prevent
  detect
  correct (or recover).

———

Risk treatment and selection of control
 It is essential that the controls that are implemented are cost-effective.
 The principle is that the cost of implementing and maintaining a control should be no greater than the cost of the impact at the identified frequency, and this principle should be written into the board-approved risk acceptance criteria contained in the information security policy.

———

Selection of control
 There are also practical considerations that should be borne in mind when selecting controls:
 Likely effectiveness of the recommended control;
 Legislation and regulatory requirements (both for and against);
 Organisational policy;
 Operational impact (is the control likely to have a negative effect on the operational capacity of resources?);
 Safety and reliability.

———

Selection of control
 The ISO standards suggest that there are six constraints that should be considered when selecting controls:
 Time constraints
 Financial constraints
 Technical constraints
 Cultural or sociological constraints
 Environmental constraints
 Legal constraints

———

Selection of control
 Time constraints: controls should be capable of implementation within an acceptable timescale, in relation to both the lifetime of the system and the period of exposure to the risk.
 Financial constraints: control implementations should be carried out within the set budget and the constraints of the cost-benefit analysis.
 Technical constraints: issues such as the compatibility of programs, software and hardware have to be taken into account.

———

Selection of control
 Cultural or sociological constraints: the active support of staff for a control is usually essential and if, therefore, staff do not understand or support a control decision, it is unlikely to be effective.
 Environmental constraints: space availability, climatic conditions, geography, and so on, can all influence the selection of controls.
 Legal constraints: legal factors, such as data protection or privacy requirements, may restrict the selection of controls, as could HR regulations and other laws.

———

Selection of control

Residual risk:


 Whatever risk is left after all selected controls have been applied is known as ‘residual risk’. In most cases, this residual risk will be below the acceptable threshold and, therefore, obtaining management’s approval (prior to implementation) should be a formality.

Gap Analysis:


 The gap analysis is the essential step in the creation of the Risk Treatment Plan and, when compared to the original ‘benchmark starting point’, can act as a progress report.
 This gap analysis can be conducted either bottom-up or top-down.

———

Gap Analysis – Top Down
 A top-down approach starts with the controls identified in the Statement of Applicability and assesses, by comparison with the existing controls, the extent to which the new requirements have already been met.
 The preferred approach is the top-down one, as this will most quickly identify the critical loopholes in the existing security systems, as well as the controls that are unnecessary and can be eliminated or limited.
 The Statement of Applicability will be complete once all the identified risks have been assessed and the applicability of all the identified controls has been considered and documented. Usually, the statement is started before any controls are implemented and completed as the final control is put in place.

————

Risk Treatment Plan
 The ISO standard requires the organization to ‘formulate a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks’.
 At the heart of this plan is a detailed schedule, which shows for each identified asset:
  each threat-vulnerability relationship and the associated risk level (from the risk assessment tool);
  the gap between the assessed risk and the acceptable level of risk;
  how the organization has decided to treat the risk (accept, reject, control, transfer);
  the control gap analysis:
   what controls are already in place and their nature (e.g. deterrent, preventive, ...);
   what additional controls are considered necessary, and their nature (and details of any supporting cost-benefit analysis);
  the resources required for the task (financial, technical and human);
  the timeframe for implementing the controls.
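To make the schedule concrete, here is an added Python sketch (not from these notes or from ISO27001 itself) of a small risk register that produces the rows above: it scores each threat-vulnerability pair, measures the gap against a board-approved acceptance threshold, applies the cost-effectiveness rule from the risk treatment slide to each proposed control, and reports the residual risk and whether management approval is a formality. The 1-5 likelihood and impact scales, the threshold of 6, the per-control `risk_after` figure and all sample costs and frequencies are assumptions.

```python
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # assumed board-approved threshold on a likelihood x impact (1-5 each) scale

@dataclass
class Control:
    name: str
    nature: str          # deterrent, preventive, detective or corrective
    annual_cost: float   # implementation amortised over its life, plus maintenance
    risk_after: int      # assumed risk level (likelihood x impact) once this control is in place
    in_place: bool = False

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1-5, as scored in the risk assessment tool
    impact: int          # 1-5
    impact_cost: float   # monetary loss per occurrence
    frequency: float     # expected occurrences per year
    controls: list = field(default_factory=list)

def cost_effective(control, entry):
    # The chapter's rule: a control may cost no more than the impact at its identified frequency.
    return control.annual_cost <= entry.impact_cost * entry.frequency

def residual_risk(entry):
    # Existing controls always count; additional ones only if they pass the cost test.
    selected = [c for c in entry.controls if c.in_place or cost_effective(c, entry)]
    return min([c.risk_after for c in selected] + [entry.likelihood * entry.impact])

def schedule_row(entry):
    level, residual = entry.likelihood * entry.impact, residual_risk(entry)
    gap = max(0, level - ACCEPTABLE_RISK)
    return {"asset": entry.asset, "pair": f"{entry.threat} / {entry.vulnerability}",
            "risk_level": level, "gap": gap, "treatment": "accept" if gap == 0 else "control",
            "controls": [(c.name, c.nature, "existing" if c.in_place else "additional",
                          cost_effective(c, entry)) for c in entry.controls],
            "residual_risk": residual,
            "approval": "formality" if residual <= ACCEPTABLE_RISK else "explicit sign-off"}

REGISTER = [  # constructed sample register, not taken from the notes
    RiskEntry("file server", "fire in server room", "no suppression system", 2, 5, 200_000, 0.05,
              [Control("offsite backups", "corrective", 8_000, 8, in_place=True),
               Control("gas suppression", "preventive", 12_000, 5)]),
    RiskEntry("edge router", "unauthorised admin login", "vendor default password", 4, 4, 50_000, 0.5,
              [Control("change default credentials", "preventive", 500, 4)]),
]
```

In the sample, the proposed suppression system fails the cost test, so the file server's residual risk stays above the threshold and needs explicit sign-off rather than being a formality.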

———



Summary
 The Risk Treatment Plan links the risk assessment (contained in the chosen risk assessment tool and its outputs) to the identification and design of appropriate controls, as described in the Statement of Applicability, such that the board-defined approach to risk is implemented, tested and improved.
 The Risk Treatment Plan is the key document that links both components of the risk management process and all four phases of the PDCA cycle for the ISMS.


————