Seguridad y Auditoria de sistemas clase 3

Seguridad y Auditoria de sistemas clase 3

Introduction to Risk Management Methodology

Overview of Recovery and Voting

  • The recovery sessions are scheduled for today and next Wednesday, with a total of 19 votes cast regarding risk management methodology.
  • This methodology allows organizations to follow systematic steps in managing information security risks.

Steps in Risk Management

  • The first step is identifying critical assets, which should have been completed by now; the outcome is an inventory of information assets.
  • Today's focus will be on completing the risk assessment process, which includes identification, analysis, and valuation phases.

Phases of Risk Assessment

Identification Phase

  • The identification phase involves finding threats and vulnerabilities to determine risks based on these factors.

Analysis Phase

  • In the analysis phase, the probability and impact of identified threats are assessed to calculate a risk level; higher numbers indicate greater concern requiring action.

Valuation Phase

  • The valuation phase discusses risk appetite, response types, and prioritization based on the calculated risk levels; it determines how serious a high-risk number is and what actions should be taken.

Treatment of Risks

Future Class Focus

  • Treatment measures will be discussed in the next class session; this includes control measures and proposals for mitigating identified risks.

Importance of Asset Identification

  • Identifying assets is crucial as it lays the groundwork for effective risk management; without this step, organizations cannot properly manage their risks.

Common Issues in Risk Management

Challenges Faced by Organizations

  • Many companies attempt to manage risks without first identifying their assets, leading to ineffective decisions such as unnecessary purchases (e.g., firewalls).

Consequences of Poor Asset Identification

  • Investing heavily in security technologies without proper asset evaluation can result in wasted resources or inadequate protection measures being implemented.

Completing the Asset Inventory

Filling Out Asset Inventory Format

  • Participants are instructed to fill out an asset inventory format shared previously; this document includes fields like process affected, area responsible, category type, asset code/name/description etc.

Criteria for Asset Categorization

  • It’s essential to categorize each asset correctly (e.g., primary vs support assets), ensuring that all relevant details are captured accurately within the inventory format provided.

Asset Identification and Valuation

Overview of Asset Identification

  • The process begins with identifying the asset, including a brief description and the owner's details. The owner is responsible for defining actions related to the asset.
  • Assets can have physical locations (e.g., servers) or logical locations (e.g., digital repositories like content management systems).
  • Classification of assets is crucial; they may be confidential, internal use, public, or unclassified.

Importance of Valuation

  • Valuing an asset is essential as it relates to the pillars of information security: confidentiality, integrity, and availability.
  • Integrity ensures that stored information remains intact and can only be modified through authorized processes. For example, patient records must be updated via specific applications rather than direct database updates.

Criteria for Information Security

  • Confidentiality requires that access to information is restricted to authorized personnel only.
  • Availability means that information must be accessible at all times for authorized users without interruptions.

Risk Analysis in Asset Management

  • An inventory of assets leads to valuation analysis based on confidentiality criteria. This includes assessing how data might be compromised in terms of confidentiality, integrity, and availability.
  • For instance, databases containing personal data are rated higher in confidentiality compared to publicly available documents.

Steps for Asset Valuation

  • The final step involves summing up values assigned to confidentiality, integrity, and availability to determine the overall value of an asset.

Identifying Processes within an Organization

Process Selection for Analysis

  • Participants are instructed to identify a company and select three processes as the scope for their analysis. Examples include sales, production, and logistics.

Documenting Assets Related to Processes

  • For each selected process, participants should identify relevant assets. Each asset should include its corresponding area or department where it is utilized.

Categorization of Assets

  • Assets are categorized based on predefined theories into primary (process-related), informational types or support categories such as hardware/software.

Example Asset Description

  • An example provided includes a customer database which stores detailed client information. It emphasizes that databases can vary from SQL systems to simple Excel files depending on their structure.

Understanding Asset Classification in Oracle Databases

Overview of Database Assets

  • Discussion begins with the context of customer databases stored in an Oracle instance, emphasizing the importance of identifying asset ownership, which is attributed to the sales manager.
  • The location of this information is specified as being on a particular server (e.g., Server 001), highlighting the need for precise asset classification.

Asset Classification Criteria

  • The classification can be categorized into three types: internal use, public use, or not applicable. This classification is crucial for determining how data should be handled.
  • A reference to an Excel sheet that summarizes primary and supporting assets based on theoretical frameworks discussed earlier. It serves as a practical tool for understanding classifications.

Confidentiality Levels

  • Definition of "confidential" assets includes information that must not be disclosed to unauthorized individuals due to potential significant impacts like economic loss or legal sanctions.
  • Examples provided include vulnerability reports and personal data banks, underscoring what constitutes confidential information.

Internal Use vs. Public Use Information

  • "Internal use" refers to information meant solely for organizational circulation; sharing it externally would constitute a breach.
  • "Public use" indicates that any individual can access this information without restrictions, while some assets may not fit into either category.

Valuation and Risk Assessment

  • The valuation process involves assigning numerical values (1 to 3) based on logical criteria related to confidentiality, integrity, and availability.
  • A matrix is introduced where each criterion's severity level is assessed; this helps determine appropriate risk levels associated with different assets.

Analyzing Confidentiality Risks

  • The discussion focuses on assessing risks related to confidentiality breaches—specifically when loss or failure leads to unauthorized disclosure without severe repercussions.
  • Contrastingly, if sensitive customer data were disclosed improperly leading to serious consequences like competitive disadvantage or malicious misuse, it would warrant a higher risk assessment.

Economic Losses and Legal Implications

Understanding the Severity of Data Breaches

  • Economic losses can arise from significant issues such as legal non-compliance and lawsuits, highlighting the gravity of data breaches.
  • The disclosure of sensitive information, like personal or medical data, can lead to lawsuits and irreparable damage to an organization's reputation.
  • A case study is mentioned where a company’s reputation has severely declined due to vulnerabilities in handling sensitive identification information.

Criteria for Integrity Assessment

  • Integrity is compromised when loss or failure of an asset leads to modification or adulteration of information, which can have severe consequences.
  • Examples include SQL injection attacks that alter databases, potentially damaging institutional credibility and leading to investigations by regulatory bodies like SUNEDU.

Availability Impact on Business Operations

  • If an asset's unavailability results in economic loss or legal repercussions, it is rated as critical (three).
  • Conversely, if the unavailability does not affect processes or finances significantly, it may be rated lower (one).

Asset Evaluation Matrix

Filling Out the Asset Evaluation Table

  • Participants are instructed to fill out criteria for each asset based on a provided table that guides their evaluations.
  • The evaluation process involves summing scores; higher totals indicate more critical assets requiring risk assessment.

Defining Critical Assets

  • Organizations should determine what constitutes a critical asset based on their own thresholds (e.g., values greater than five).

Discussion on Processes and Software

Identifying Key Processes

  • Discussion includes identifying key business processes such as sales management and financial accounting while ensuring proper classification of assets involved.

Clarification on Asset Classification

  • Emphasis is placed on completing valuation columns related to confidentiality and availability for comprehensive risk analysis.

Classification of Information Systems

Understanding Classification in Information Systems

  • The discussion begins with a clarification on the classification of information systems, emphasizing that "primary" is not an appropriate label for certain data fields.
  • A suggestion is made to create a column based on a provided matrix to categorize data as either "internal use," "confidential," or "public."
  • It is noted that client-related information should be classified as confidential, while other internal systems may vary based on their content.

Database and Cloud Considerations

  • Questions arise regarding the ownership and classification of cloud-based databases, confirming they belong to the organization but require careful classification.
  • The mobile application for online payments is identified as having its own database server in the cloud, which also falls under internal use.

Process Management and Asset Identification

  • The conversation shifts to sales processes, highlighting that various sales procedures are distinct yet categorized under process management.
  • An example is given about different sales procedures (e.g., burial vs. cremation), indicating that these are treated as separate assets within the system.

Clarifying Active Types: Processes vs. Documents

  • There’s confusion over whether a sales procedure should be considered an active process or merely documentation describing it.
  • The distinction between processes and documents is emphasized; a document detailing steps in a sale can be seen as an asset but must be categorized correctly.

Finalizing Asset Descriptions

  • An example from another industry illustrates how procedural documents can serve as assets, stressing the need for clear categorization between types of assets (processes vs. documents).
  • Participants are encouraged to refine descriptions of their identified assets, ensuring clarity on what constitutes each type of asset within their framework.

Discussion on Process Management and Documentation

Importance of Documented Procedures

  • The discussion highlights the potential risks associated with losing critical documents, questioning whether sales would cease if a procedure document is deleted. It suggests that while it may not halt sales, proper knowledge of procedures is essential for continuity.
  • Emphasizes that even if one person is unaware of a procedure, others can assist each other, indicating a level of redundancy in knowledge within teams. However, poor execution due to lack of adherence to documented procedures can lead to significant issues.

Analysis of Process Areas

  • Questions the naming convention of areas involved in processes, specifically pointing out that the "process" area does not directly handle sales but rather creates procedures. This distinction raises questions about accountability and clarity in roles.
  • Clarifies that the analysis focuses on process management and its relevance to sales operations. It stresses understanding where documentation fits into critical processes rather than merely categorizing them under general process management.

Relevance of Assets in Sales Processes

  • Discusses how assets should be categorized based on their relevance to specific processes like sales rather than being generalized under process management. This approach aims for more effective identification and utilization of key documents.
  • Suggests that each procedure should be linked directly to the process it supports (e.g., sales), which helps identify critical processes more effectively than simply analyzing all procedural documents together.

Evaluation Recommendations

  • Advises focusing on critical processes when identifying assets within an organization’s system. It suggests prioritizing those that have direct impacts on outcomes over support processes which may not contribute as significantly.
  • Recommends removing less relevant processes from evaluations to streamline focus on those with substantial impact, such as financial management or personnel management instead of just procedural documentation.

Clarity in Financial Documentation

  • Raises concerns regarding what constitutes a financial document (e.g., billing records). It emphasizes the need for clarity about whether these are physical or digital files since this affects how they are managed and utilized within systems.
  • Stresses the importance of defining what types of documents exist within finance departments—whether they are PDFs, Excel files, or physical records—to ensure accurate tracking and historical validation.

Final Thoughts on Process Management

  • Concludes with an acknowledgment that further review is needed across various groups but encourages participants to improve their understanding based on provided insights regarding asset evaluation and documentation practices.
  • Highlights a clarification request regarding naming conventions for health-related processes within human resources, emphasizing distinctions between different types of processes rather than areas alone.

This structured summary captures key discussions around process management and documentation from the transcript while providing timestamps for easy reference back to specific points in the conversation.

Identification of Assets and Risk Management

Overview of Asset Identification

  • The instructor addresses confusion regarding asset identification, urging students to utilize the Excel criteria provided in the next tab.
  • Students are required to complete two matrices for asset identification, with a total of 15 assets needed—five per process.

Transition to Risk Discussion

  • The discussion shifts towards risk management after completing asset identification, emphasizing the importance of understanding risks previously covered in class.
  • Key definitions are revisited: threats as potential causes of unwanted incidents, vulnerabilities as weaknesses in assets.

Identifying Critical Assets and Risks

  • After inventorying assets, the next step is identifying risks associated with all assets, particularly focusing on critical ones valued at 6 or above.
  • Non-critical assets (valued below 5) may not require risk assessment; however, this can vary by organization.

Risk Identification Process

  • The first activity in risk evaluation is identifying risks that could impact the organization. This requires comprehensive information about critical asset usage and context analysis.
  • A completed inventory with valuation is essential for effective risk identification.

Filling Out Risk Matrices

  • Students must fill out a new matrix based on identified risks linked to their asset inventory. This matrix includes more complex parameters than previous ones.
  • Each entry requires detailed information such as weaknesses, vulnerabilities, processes involved, impacts of risks, and ownership details.

Practical Application Using Excel

  • The instructor emphasizes practical application through an Excel file containing various tabs for data entry related to risk management.
  • Specific instructions are given regarding which sections of the matrix need completion while noting that some columns contain hidden information relevant to broader organizational risks beyond security.

Understanding Asset Risk Identification

Overview of the Matrix Structure

  • The initial columns in the matrix include unit, process, subprocess, objective, and asset. These are derived from the asset matrix.
  • Users need to transfer their assets into this matrix and identify two risks for each asset, leading to a duplication of assets.

Filling Out the Matrix

  • The matrix requires filling out six key columns: threat, weakness, risk, effect/consequence/impact, owner, and COI (Control Owner).
  • Users must update area and process names in the tables provided within the Excel sheet to reflect their organization’s terminology.

Updating Processes and Areas

  • Only three processes need updating; others can be deleted if not relevant. This is designed for ease of use to minimize errors during data entry.
  • The active name will come from the existing asset matrix; clarity on these updates is emphasized.

Identifying Threats and Vulnerabilities

  • Column I focuses on selecting threats associated with each asset. A standard table of threats exists for reference.
  • There are 104 specific threats listed that users should consider when identifying potential risks related to their assets.

Importance of Structured Threat Identification

  • A structured approach ensures that users do not arbitrarily select threats but rather choose from established parameters.
  • Both threats and vulnerabilities must be linked directly to the specific asset being analyzed for accurate risk assessment.

Case Study: Analyzing a Public User Portal

  • The example given is a public user consultation portal where external users access information. It is crucial that its identification reflects its public nature.
  • When analyzing potential threats to this portal, it’s important to select relevant threats based on logical analysis rather than random selection.

Types of Threat Considerations

  • Different types of physical damage (e.g., fire or water damage) may not apply directly to web portals but are critical for other assets like data centers.
  • Understanding which types of threats are applicable helps ensure that assessments remain relevant and focused on actual risks faced by specific assets.

Threats to Data Centers and Information Security

Types of Threats to Data Centers

  • Major accidents can lead to significant damage, such as the collapse of structures or destruction of equipment. For instance, if a data center's cooling system fails, it could severely impact operations.
  • Natural disasters like earthquakes and tornadoes pose serious risks to data centers. These events can disrupt services and cause physical damage.
  • Other threats include electromagnetic disturbances and radiation that primarily affect electronic equipment, particularly storage devices and servers.
  • It's important to recognize that some threats are beyond control, such as natural disasters or fires. Understanding these uncontrollable factors is crucial for risk management.

Information Compromise Threats

  • The most common threats involve information compromise rather than direct attacks on physical assets like data centers or storage systems. This includes unauthorized access to databases and sensitive information.
  • Techniques such as signal interception (e.g., using sniffers) can lead to espionage where attackers gain unauthorized access to networks or communications.
  • Theft of physical devices (like laptops containing sensitive data), along with document theft from databases or cloud services, represents a significant risk for organizations.

Technical Failures and Unauthorized Actions

  • Technical failures can occur unexpectedly in relatively new equipment due to hardware malfunctions. Such failures represent a critical vulnerability in any IT infrastructure.
  • Unauthorized actions by individuals within an organization can degrade system performance or corrupt data. This includes misuse of access rights by employees who may exploit their privileges for personal gain.

Cybersecurity Risks

  • Cyber threats encompass hacking attempts, social engineering tactics, and unauthorized intrusions into systems which can lead to severe breaches of security protocols.
  • Internal personnel also present risks; disgruntled employees may engage in sabotage or fraud that compromises organizational integrity and security measures.

Identifying Vulnerabilities

  • Organizations must identify various vulnerabilities related to both hardware (e.g., susceptibility to humidity, inadequate maintenance) and software (e.g., bugs, lack of stress testing).
  • Understanding the nature of threats is essential for effective risk assessment; organizations should select relevant threats based on their specific assets while recognizing that vulnerabilities exist across all levels of technology used.

Understanding Network Vulnerabilities and Threats

Identifying Vulnerabilities in Network Architecture

  • The discussion begins with identifying various vulnerabilities within network architecture, including disorganized cabling and unprotected communication lines.
  • It highlights the importance of recognizing personnel-related vulnerabilities such as inadequate recruitment procedures and lack of training.
  • A distinction is made between threats (external, uncontrollable risks) and vulnerabilities (internal weaknesses that can be managed).

Analyzing Specific Threats to Assets

  • The speaker introduces a scenario involving a user consultation portal, discussing potential threats like information compromise and technical failures.
  • Examples of specific threats include server overload due to excessive requests leading to portal saturation.
  • Other identified threats involve software malfunctions that could disrupt service availability.

Linking Threats to Vulnerabilities

  • The conversation shifts to understanding how identified threats relate to internal weaknesses or vulnerabilities associated with the asset.
  • It emphasizes that a threat materializes when it finds an existing vulnerability; thus, selecting relevant vulnerabilities is crucial for risk assessment.

Types of Vulnerabilities Affecting Assets

  • Various examples of vulnerabilities are discussed, such as software errors leading to system saturation or complicated user interfaces causing operational issues.
  • The speaker elaborates on coding errors in software that prevent proper memory management as a significant vulnerability impacting performance.

Importance of Regular Assessments

  • Emphasis is placed on the need for regular assessments and controls regarding access management and change control processes within organizations.
  • The discussion concludes by reiterating that vulnerabilities stem from organizational deficiencies, which must be addressed proactively.

Identification and Analysis of Risks in Software Systems

Understanding Risk Description

  • The speaker discusses the importance of describing risks associated with software vulnerabilities, specifically focusing on saturation as a threat due to programming errors.
  • A clear example is provided where the risk leads to user portal interruptions caused by memory resource issues stemming from software bugs.
  • The direct effect of this risk is identified as the unavailability of the user portal, emphasizing its impact on operations.
  • Ownership of the risk is attributed to the infrastructure area, highlighting accountability in managing such threats.
  • Reference numbers are introduced for further clarification, guiding users to specific sections in a matrix that detail impacts and opportunities related to security objectives.

Identifying Control Measures

  • The process transitions into identifying existing control measures aimed at mitigating risks, marking a shift from identification to analysis.
  • Key columns for analysis include existing control measures, their effectiveness, probability of impact, multiplication factors, and overall risk levels.
  • A measure of control is defined as actions currently taken by an organization to reduce or manage identified risks effectively.
  • An example illustrates how antivirus software serves as an existing control measure against ransomware threats faced by user computers.
  • The complexity of ransomware compared to traditional viruses is noted, stressing the need for advanced protective measures.

Evaluating Effectiveness of Controls

  • Discussion continues on evaluating current controls; it’s emphasized that while antivirus may not provide complete protection against ransomware, it still qualifies as a measure in place.
  • Participants are encouraged to identify what exists currently within their systems that can help mitigate risks effectively.
  • Additional information about controls includes various forms they can take—policies, devices, practices—which contribute towards reducing risk exposure.
  • Monitoring resources continuously is highlighted as an effective existing measure that alerts when potential saturation issues arise before they escalate.
  • Expanding server memory capacity is also mentioned as another proactive step taken towards managing system performance and preventing saturation.

Understanding Control Measures and Risk Assessment

Efficacy of Control Measures

  • The discussion begins with the absence of existing control measures, indicating that if none are present, it should be marked as "not applicable."
  • Efficacy is defined with options: strong, moderate, weak, or not applicable. Strong efficacy means effective controls are in place to mitigate risks.
  • A strong measure indicates that implemented controls have proven effective in risk mitigation and opportunity exploitation.
  • Weak efficacy occurs when no controls exist or they are insufficient to mitigate risks; moderate indicates some effectiveness but not fully reliable.
  • The next steps involve assessing probability and impact on the analysis.

Probability and Impact Assessment

  • Probability is rated from one to five based on how likely a risk will materialize; this includes evaluating potential threats like portal saturation.
  • Impact assessment follows probability; it gauges the severity of consequences if a risk occurs, also rated from one to five.
  • Focus is placed on negative risks in security contexts; positive values represent opportunities which are not prioritized here.
  • A reference table helps determine ratings for both probability and impact based on historical occurrences over the past year.

Rating System for Risks

  • A rating of one is assigned when existing controls are moderate/strong or if risks have low likelihood due to exceptional circumstances.
  • If a threat has occurred at least once in the last year, it may receive a low rating; multiple occurrences increase its rating significantly.
  • High frequency (5–9 times/year) warrants a high rating (four), while more than ten occurrences suggests an extremely high likelihood (five).

Understanding Impact Levels

  • Similar to probability, impact ratings range from one (insignificant effects on objectives—0%–20%) to five (severe impacts—81%–100%).
  • An impact level of five indicates severe consequences affecting confidentiality, integrity, or availability of critical information assets.

Finalizing Risk Analysis Matrix

  • The matrix simplifies decision-making regarding what ratings to assign for both probability and impact based on established criteria.
  • The speaker emphasizes using these guidelines effectively during assessments to ensure accurate evaluations of potential risks.

Risk Analysis and Management

Understanding Risk Probability and Impact

  • The speaker discusses the frequency of an event occurring, stating it has happened 10 to 11 times in the last year, leading to a probability rating of five.
  • According to a risk matrix, an impact score of four is assigned based on the likelihood of occurrence, which results in a calculated risk level of extreme (20).
  • If the probability were rated lower (one), while the impact remains unchanged, the overall risk level would still be significant but not classified as extreme.

Importance of Risk Assessment Tools

  • The speaker emphasizes that Excel is utilized for comprehensive risk analysis; however, it is not considered a deliverable but rather a tool for presentation.
  • Students are instructed to prepare two matrices: one for assets and another for their next class discussion on risks.

Expectations for Upcoming Classes

  • For upcoming assessments, students are expected to identify approximately two threats per asset, totaling around 30 threats across 15 assets.
  • Clarification is provided regarding what needs to be submitted for partial credit; only the two Excel files are required without additional templates or formats.