
After reading chapter 1, define the following terms: risk, threat, vulnerability, asset, and impact of loss. After you define each term, identify its role within an organization's security posture.

300-500 words


Please refer to the attached PDF files (Chapters 1 and 2).

CHAPTER 1

Risk Management Fundamentals

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.


Learning Objective(s) and Key Concepts

Learning Objective(s):

Describe the components of and approaches to effective risk management in an organization.

Key Concepts:

Risk and its relationship to threat, vulnerability, and asset loss

Classifying business risk in relation to the seven domains of a typical IT infrastructure

Risk identification techniques

Risk management process

Strategies for handling risk


What Is Risk?

Risk: The likelihood that a loss will occur; losses occur when a threat exposes a vulnerability that could harm an asset

Threat: Any activity that represents a possible danger

Vulnerability: A weakness

Asset: A thing of value worth protecting

Loss: A loss results in a compromise to business functions or assets; the loss may be tangible or intangible.


Risk-Related Concerns for Business


Compromise of business functions

Compromise of business assets

Driver of business costs

Profitability versus survivability

Threats, Vulnerabilities, Assets, and Impact

Threats can be thought of as attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset:

Confidentiality: Preventing unauthorized disclosure of information

Integrity: Ensuring data or an IT system is not modified or destroyed

Availability: Ensuring data and services are available when needed


Vulnerabilities


A vulnerability is a weakness

A loss to an asset occurs only when an attacker is able to exploit the vulnerability

Vulnerabilities may exist because they’ve never been corrected

Vulnerabilities can also exist if security is weakened either intentionally or unintentionally

Assets

Tangible value is the actual cost of the asset:

Computer systems—Servers, desktop PCs, and mobile computers

Network components—Routers, switches, firewalls, and any other components necessary to keep the network running

Software applications—Any application that can be installed on a computer system

Data—Includes large-scale databases and the data used and manipulated by each employee or customer

The intangible value cannot be measured by cost, such as client confidence or company reputation:

Future lost revenue—Any purchases customers make with another company are a loss to the company

Cost of gaining the customer—If a company loses a customer, the company’s investment is lost

Customer influence—Customers commonly share their experience with others, especially if the experience is exceptionally positive or negative

Reputation—One customer’s bad experience could potentially influence other current or potential customers to avoid future business transactions


Impact

Very High: Indicates multiple severe or catastrophic adverse effects

High: Indicates a severe or catastrophic adverse effect

Moderate: Indicates a serious adverse effect

Low: Indicates a limited adverse effect

Very Low: Indicates a negligible adverse effect

Classify Business Risks

Risks posed by people:

Leaders and managers

System administrators

Developer

End user

Risks posed by a lack of process:

Policies

Standards

Guidelines

Risks posed by technology:

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain


Classify Business Risks (Cont.)


Seven Domains of a Typical IT Infrastructure


Risk Identification Techniques


Identify threats

Identify vulnerabilities

Estimate impact and likelihood of a threat exploiting a vulnerability

Identifying Threats and Vulnerabilities

Component       | Type or Source
Threats         | External or internal; natural or man-made; intentional or accidental
Vulnerabilities | Audits; certification/accreditation records; system logs; prior events; trouble reports; incident response teams


Balancing Risk and Cost

Consider the cost to implement a control and the cost of not implementing the control

Spending money to manage a risk rarely adds profit; the important point is that spending money on risk management can help ensure a business's survivability

Cost to manage a risk must be balanced against the impact value

Reasonableness: “Would a reasonable person be expected to manage this risk?”


Balancing Risk and Cost (Cont.)

                                   | Low Impact (0%—10%) | Medium Impact (11%—50%) | High Impact (51%—100%)
High-threat likelihood—100% (1.0)  | 10 × 1 = 10         | 50 × 1 = 50             | 100 × 1 = 100
Medium-threat likelihood—50% (.50) | 10 × .50 = 5        | 50 × .50 = 25           | 100 × .50 = 50
Low-threat likelihood—10% (.10)    | 10 × .10 = 1        | 50 × .10 = 5            | 100 × .10 = 10

A threat-likelihood-impact matrix: each cell is the impact score (10, 50, or 100) multiplied by the threat likelihood.


Risk Management Process


Risk Management

Risk: Probability of loss

Vulnerability: System weakness

Threat: Potential harm

Risk Management Process (Cont.)


Assess risks

Identify risks to manage

Select controls

Implement and test controls

Evaluate controls

Cost-Benefit Analysis


Principle of Proportionality

Cost-benefit analysis (CBA)

Cost of control

Projected benefits

The amount spent on controls should be proportional to the risk

Helps determine which controls, or countermeasures, to implement
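The threat-likelihood-impact matrix and the cost-benefit check above can be carried through on a small risk register. The following is an added example written for this page, not code from the textbook or its publisher: it scores threat/vulnerability pairs with the slide's impact bands (10 / 50 / 100) and likelihood levels (1.0 / .50 / .10), ranks them, and then tests whether a proposed control's cost is proportional to the reduction in expected loss. The asset values, risk entries and control costs are constructed sample data, and reading the matrix score as a percentage of asset value to obtain an expected loss is an assumption made for the example.

```python
"""Added example, not from the textbook slides: scoring threat/vulnerability
pairs with the slide's likelihood x impact matrix, then applying the
principle of proportionality (cost-benefit analysis) to a proposed control.

Impact bands (0-10% -> 10, 11-50% -> 50, 51-100% -> 100) and likelihood
levels (1.0 / 0.50 / 0.10) are the slide's. Asset values, risk entries and
control costs below are constructed sample data; treating the matrix score
as a percentage of asset value to get an expected loss is an assumption.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = {"high": 1.0, "medium": 0.50, "low": 0.10}


def impact_band(impact_pct: float) -> int:
    """Map the share of an asset's value that would be lost onto the
    matrix's 10 / 50 / 100 impact scores."""
    if not 0 <= impact_pct <= 100:
        raise ValueError("impact must be a percentage between 0 and 100")
    if impact_pct <= 10:
        return 10
    if impact_pct <= 50:
        return 50
    return 100


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset: a loss only
    exists when both halves are present, so both are required fields."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str      # "high" | "medium" | "low"
    impact_pct: float    # % of asset value lost if the pair is realised

    def score(self) -> float:
        # Likelihood x impact, exactly as each matrix cell is computed
        return round(impact_band(self.impact_pct) * LIKELIHOOD[self.likelihood], 2)


def rank_risks(risks):
    """Highest score first: the order in which to pick risks to manage."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def expected_loss(risk: Risk, asset_value: float) -> float:
    """Assumption: read the matrix score as a percentage of asset value."""
    return asset_value * risk.score() / 100


def control_is_proportional(control_cost: float, before: Risk,
                            after: Risk, asset_value: float) -> bool:
    """Cost-benefit check: a control is worth implementing when the
    projected benefit (reduction in expected loss) covers its cost."""
    benefit = expected_loss(before, asset_value) - expected_loss(after, asset_value)
    return benefit >= control_cost


# Constructed sample register (threat, vulnerability, likelihood, impact)
SAMPLE_RISKS = [
    Risk("customer database", "external criminal (intentional)",
         "unpatched public web server", "high", 80),
    Risk("file server", "flooding (environmental, unintentional)",
         "no off-site backup", "low", 60),
    Risk("workstations", "keystroke error (human, accidental)",
         "no input validation on the order form", "medium", 5),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():>6.1f}  {r.asset}: {r.threat} via {r.vulnerability}")
    # Patch management drops the database risk's likelihood from high to low
    db_before = SAMPLE_RISKS[0]
    db_after = replace(db_before, likelihood="low")
    print("patching is proportional:",
          control_is_proportional(20_000, db_before, db_after, 500_000))
```

The ranking reproduces the matrix: the database pair scores 100 (high likelihood, high impact), the flood pair 10 (low likelihood, high impact), the keystroke pair 5. The proportionality check is the slide's cost-benefit analysis in one line: a $20,000 patch-management control that cuts the database pair's likelihood from high to low is justified, while an $80,000 control against the keystroke pair is not.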

Profitability Versus Survivability


Out-of-pocket costs

Lost opportunity costs

Future costs

Client and stakeholder confidence

Total cost of security

Risk-Handling Strategies


Various Techniques of Risk Management

Avoiding

Sharing or transferring

Mitigating

Accepting

Residual Risk

Summary

Risk and its relationship to threat, vulnerability, and asset loss

Classifying business risk in relation to the seven domains of a typical IT infrastructure

Risk identification techniques

Risk management process

Strategies for handling risk


10/8/2020


CHAPTER 2

Managing Risk: Threats, Vulnerabilities, and Exploits


Learning Objective(s) and Key Concepts

Learning Objective(s):

Describe techniques for identifying, analyzing, and mitigating relevant threats, vulnerabilities, and exploits.

Key Concepts:

Understanding and managing threats, vulnerabilities, and exploits

Use of threat/vulnerability pairs in managing risk

U.S. federal government risk management initiatives


Understanding and Protecting Assets


An asset represents anything of value that needs to be protected

In the IT world, assets include data, people, processes, and technology systems

Weaknesses in any of these areas can be exploited by threats to harm these assets

Understanding and Managing Threats


Risk = Threat × Vulnerability × Asset

Uncontrollable Nature of Threats


Threats cannot be eliminated

Threats are always present

Threats can persist for a long period of time

Action can be taken to reduce the potential for a threat to occur

Action can be taken to reduce the impact of a threat

Unintentional Threats


Environmental

Human

Accidents

Failures

Intentional Threats


Greed

Anger

Desire to damage

Intentional and Unintentional Threats

Unintentional Threats:

Environmental: fire, wind, lightning, flooding; accidents; equipment failures

H: keystroke errors, procedural errors, programming bugs

Intentional Threats:

Individuals or organizations: criminals, advanced persistent threats (APTs), vandals, saboteurs, disgruntled employees, activists, other nations


Best Practices for Managing Risk Within an IT Infrastructure


Create a security policy

Purchase insurance

Use access controls

Use automation

Include input validation

Provide training

Use antivirus software
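"Include input validation" is the one item in this list that can be shown directly in code. The following is an added example written for this page, not code from the textbook or its publisher: a user-role lookup in which the query is built by string formatting, which is the weakness a SQL injection exploits, placed beside the hardened version that validates the input against an allow-list and binds it as a query parameter. The users table, its rows, and the username format rule (1 to 32 characters of [a-z0-9_]) are constructed for the example.

```python
"""Added example, not from the textbook slides: the "include input validation"
best practice applied to a user lookup, showing a query built by string
formatting (the weakness a SQL injection exploits) beside the hardened form
that validates the input and binds it as a parameter.

The users table and its rows are constructed sample data; the username
format rule (1-32 chars of [a-z0-9_]) is an assumption for the example.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_role_unsafe(conn, username: str) -> list:
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so quote characters in it change the meaning of the query."""
    query = f"SELECT role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def is_valid_username(username) -> bool:
    """Allow-list validation: accept only the format the application
    itself issues and reject everything else."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def lookup_role_safe(conn, username: str) -> list:
    """Hardened form: validate first, then bind the value as a parameter
    so the database never interprets it as SQL."""
    if not is_valid_username(username):
        raise ValueError("username must be 1-32 characters of [a-z0-9_]")
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    crafted = "' OR '1'='1"   # constructed malformed input
    print("unsafe, normal input :", lookup_role_unsafe(db, "bob"))
    print("unsafe, crafted input:", lookup_role_unsafe(db, crafted))  # every role
    print("safe, normal input   :", lookup_role_safe(db, "bob"))
    try:
        lookup_role_safe(db, crafted)
    except ValueError as err:
        print("safe, crafted input  : rejected -", err)
```

Validation and parameter binding are two separate layers: the allow-list rejects anything outside the expected format before a query is built, and binding ensures that even a value which passes validation is treated as data rather than as SQL. The same pattern applies wherever the list above says "use access controls" or "harden servers": define what is permitted, reject the rest, and keep untrusted input out of any position where it would be interpreted.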

EY Global Information Security Survey 2018–2019

Cyberrisks are evolving

Organizations must:

Protect the enterprise

Optimize security

Increase efficiency

Reinvest in tech that enhances protection

6.4 billion fake emails sent; average cost of breach $3.62 million

40% had same budget as previous year, 15% plan to increase budget, 1% had 25% budget decrease

Largest source of vulnerabilities is careless or unaware employees

Cybersecurity needs to be in the DNA of the organization


Understanding and Managing Vulnerabilities

Countermeasures reduce risk and loss

Reduce vulnerabilities

Reduce impact of loss


Threat/Vulnerability Pairs


Occurs when a threat exploits a vulnerability

A vulnerability provides a path for the threat that results in a harmful event or a loss

Both the threat and the vulnerability must come together to result in a loss

Vulnerabilities Can Be Mitigated


Identify and prioritize vulnerabilities

Reduce the exposure of the vulnerabilities

Reduce the rate of occurrence

Reduce the impact of the loss

Provide security education, training, and awareness

Mitigation Techniques


Policies and procedures

Documentation

Training

Separation of duties

Configuration management

Version control

Patch management

Intrusion detection system (IDS)

Incident response

Continuous monitoring

Technical controls

Physical controls

Best Practices for Managing Vulnerabilities Within an IT Infrastructure


Identify vulnerabilities

Match the threat/vulnerability pairs

Use as many of the mitigation techniques as feasible

Perform vulnerability assessments

Use security analytical tools

Understanding and Managing Exploits


An exploit is the act of taking advantage of a vulnerability

Executes a command or program against an IT system to take advantage of a weakness

Results in a compromise to the system, an application, or data

Understanding and Managing Exploits


Attacks executed by code primarily affect public-facing servers

Web servers

Simple Mail Transfer Protocol (SMTP) email servers

File Transfer Protocol (FTP) servers

Exploits


Attack public-facing servers

Buffer overflow

SQL injection

Denial of service (DoS) attack

Distributed denial of service (DDoS) attack

How Do Perpetrators Initiate an Exploit?


Public server discovery

Server fingerprinting

Vulnerability discovery

Programmers

Attackers

Where Do Perpetrators Find Information About Vulnerabilities and Exploits?


Blogs

Forums

Security newsletters

2600: The Hacker Quarterly

Common Vulnerabilities and Exposures (CVE) list

Reverse engineering

The dark web

Mitigation Techniques

Remove or change defaults

Reduce the attack surface

Keep systems up to date

Enable firewalls

Enable IDS

Enable an intrusion prevention system

Install antivirus software


Best Practices for Managing Exploits Within an IT Infrastructure

Harden servers

Use configuration management

Perform risk assessments

Perform vulnerability assessments

Use security information and event management (SIEM) tools


U.S. Federal Government Risk Management Initiatives


The National Institute of Standards and Technology (NIST)

The Department of Homeland Security

The National Cybersecurity and Communications Integration Center (NCCIC)

U.S. Computer Emergency Readiness Team (US-CERT)

The MITRE Corporation – Common Vulnerabilities and Exposures (CVE) List

Relationships Among Organizations Involved in the U.S. Federal Government Risk Management Initiatives


Summary

Understanding and managing threats, vulnerabilities, and exploits

Use of threat/vulnerability pairs in managing risk

U.S. federal government risk management initiatives


