Step by-step for risk analysis and management-yaser aljohani


Transcript of Step by-step for risk analysis and management-yaser aljohani

Page 1: Step by-step for risk analysis and management-yaser aljohani

Lewis University

Information Security Practicum

Step-by-Step of Conducting Risk Analysis and Management for Digital Zone Corporation

Spring 2013

Student’s name: Yaser Aljohani

Instructor’s name: Dr. Faisal Abdullah

Page 2: Step by-step for risk analysis and management-yaser aljohani

Introduction of Risk Analysis and Management

• Risk analysis and management is a significant part of any organization's effort to maintain a secure computing environment.

• It helps organizations improve their security against the threats and risks that could harm their sensitive information, assets, and business.

Page 3: Step by-step for risk analysis and management-yaser aljohani

Digital Zone Corporation

• It is an organization providing computer and digital services.

• It provides different kinds of IT services to its customers, such as computer repair, computer upgrades, wireless/wired network setup for home or business, troubleshooting, and website development.

• To provide these services, it collects customer information such as first name, last name, phone number, home address, and email address, and stores it in its systems.

Page 4: Step by-step for risk analysis and management-yaser aljohani

Goals and objectives

• Asset inventory and valuation: number of servers, computers, networks, etc.

• Using risk assessment tools and security checklists

• Finding all vulnerabilities

• Finding all threats

• Finding all risks

Page 5: Step by-step for risk analysis and management-yaser aljohani

Goals and objectives Cont.

• Finding the top 5 risks

• Finding mitigations or remedies for the risks, together with suggestions and recommendations

• Establishing an Information Risk Management (IRM) policy

• Establishing a security awareness program for both employees and customers

• Establishing insurance and a contingency plan or recovery plan

Page 6: Step by-step for risk analysis and management-yaser aljohani

What is Risk Analysis?

• Risk analysis is the process of identifying and analyzing the dangers to businesses, individuals, and government agencies posed by potential natural and human-caused adverse events.

• In IT, the risk analysis report can be used to align the company's business objectives with its technology-related objectives.

• A risk analysis can be either qualitative or quantitative.

Page 7: Step by-step for risk analysis and management-yaser aljohani

What is the difference between Risk Analysis and Risk Management?

• Risk analysis includes identifying and assessing the levels of risk, estimated from the known values of the assets, the vulnerabilities of those assets, and the levels of threat against them.

• Risk management includes identifying, selecting, and adopting the countermeasures justified by the identified risks to the assets, and mitigating those risks to an acceptable level.

Page 8: Step by-step for risk analysis and management-yaser aljohani

Why we use it and When?

• We use risk analysis because it helps us understand risk, so that we can manage it and minimize its disruption.

• We use risk analysis when planning projects, improving safety and managing potential risks in the workplace, preparing for events such as theft, equipment or technology failure, or natural disasters, and planning for changes in our environment.

Page 9: Step by-step for risk analysis and management-yaser aljohani

Where we use it and how?

• We can use risk analysis anywhere there are assets such as computers, servers, networks, or sensitive information.

• Risk analysis covers many different components, such as assets, threats, vulnerabilities, likelihoods, impacts, and safeguards.

Page 10: Step by-step for risk analysis and management-yaser aljohani

How to Calculate the Risk?

• There are two kinds of risk assessment: quantitative and qualitative.

• Quantitative risk assessment draws on methodologies used by financial institutions and insurance companies, and is considered the standard way of measuring risk in many fields. Each risk is expressed as an expected monetary loss; the usual figure is the annualized loss expectancy, ALE = SLE × ARO, where the single loss expectancy (SLE) is the asset value multiplied by the fraction of the asset lost in one event and the ARO is the expected number of events per year.

• Qualitative risk assessment assumes there is already a great degree of uncertainty in the likelihood and impact values, and so defines them, and therefore the risk, in subjective or qualitative terms, giving risk results of "High", "Moderate", or "Low".

Page 11: Step by-step for risk analysis and management-yaser aljohani

Steps for Risk analysis and management

1. Systems inventory: identify all the assets involved in supporting critical business processes.

2. Threat analysis: identify the potential threats to the critical systems.

3. Infrastructure vulnerability assessment: identify the technology vulnerabilities that could be exploited.

Page 12: Step by-step for risk analysis and management-yaser aljohani

Steps for Risk analysis and management Cont.

4. Develop the security control suggestions: link the risk management strategy recommendations to the results of the assessment.

5. Decision: act or accept (the risk management decision).

6. Monitoring and communication: management and user support are important for implementing the controls successfully.
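As an added example that is not part of the original presentation, the following Python script carries the six steps above through a small constructed risk register for a company like Digital Zone, using both assessment styles from the "How to Calculate the Risk?" slide: a qualitative likelihood × impact matrix that yields High/Moderate/Low, and a quantitative annualized loss expectancy (ALE = SLE × ARO). The assets, threats, dollar values, likelihoods, control costs and the acceptable-risk threshold are all assumptions made up for illustration; the threshold stands in for the level an IRM policy would set.

```python
from dataclasses import dataclass

def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative assessment: likelihood and impact each rated 1 (low) to 3 (high).
    Assumed matrix: product 1-2 -> Low, 3-4 -> Moderate, 6-9 -> High."""
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"

def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Quantitative assessment: SLE = asset value x exposure factor (fraction of the
    asset lost per event); ALE = SLE x ARO (expected events per year)."""
    return asset_value * exposure_factor * aro

@dataclass
class Risk:
    asset: str              # step 1: systems inventory
    threat: str             # step 2: threat analysis
    vulnerability: str      # step 3: vulnerability assessment
    asset_value: float      # assumed value of the asset in dollars
    exposure_factor: float  # assumed fraction of the asset lost per event
    aro: float              # assumed annual rate of occurrence
    likelihood: int         # 1..3, for the qualitative rating
    impact: int             # 1..3, for the qualitative rating
    control: str            # step 4: suggested control
    control_cost: float     # assumed annual cost of that control

# Constructed register for a small IT-services company; every figure is an illustrative assumption.
REGISTER = [
    Risk("Customer database server", "Malware infection", "Unpatched operating system",
         20000, 0.5, 1.0, 3, 3, "Patch management and anti-malware", 1200),
    Risk("Customer database server", "Fire", "No off-site backup",
         20000, 1.0, 0.02, 1, 3, "Nightly off-site backups", 600),
    Risk("Office wireless network", "Unauthorized access", "Weak Wi-Fi passphrase",
         5000, 0.3, 2.0, 3, 2, "Strong WPA2 passphrase and separate guest network", 200),
    Risk("Technician laptops", "Theft", "No disk encryption",
         3000, 1.0, 0.5, 2, 2, "Full-disk encryption", 100),
    Risk("Company website", "Defacement", "Outdated web application",
         4000, 0.25, 1.0, 2, 1, "Keep the web application updated", 300),
    Risk("Front-desk workstation", "Spyware", "Users browse with administrator rights",
         1500, 0.4, 1.0, 2, 1, "Standard user accounts for daily work", 0),
]

def assess(register):
    """Combine steps 1-4: rate every risk both ways and rank by ALE, highest first."""
    rows = []
    for r in register:
        rows.append({
            "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
            "qualitative": qualitative_rating(r.likelihood, r.impact),
            "ale": annualized_loss_expectancy(r.asset_value, r.exposure_factor, r.aro),
            "control": r.control, "control_cost": r.control_cost,
        })
    rows.sort(key=lambda row: row["ale"], reverse=True)
    return rows

def top_risks(register, n=5):
    """The 'top 5 risks' objective from the goals slide."""
    return assess(register)[:n]

def decide(row, acceptable_ale):
    """Step 5: act on risks above the acceptable level (assumed to come from the IRM
    policy); accept the rest."""
    return "act" if row["ale"] > acceptable_ale else "accept"

def control_justified(row):
    """Cost/benefit check for a proposed control: worthwhile when it costs less per year
    than the loss it is expected to prevent."""
    return row["control_cost"] < row["ale"]

def report(register, acceptable_ale=2000.0):
    """One line per risk, for step 6 (monitoring and communication)."""
    lines = []
    for row in assess(register):
        verdict = "justified" if control_justified(row) else "not justified"
        lines.append(f"{row['asset']:<26} {row['threat']:<20} {row['qualitative']:<9}"
                     f" ALE ${row['ale']:>8,.0f}  {decide(row, acceptable_ale):<7}"
                     f" control {verdict}: {row['control']}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(REGISTER))
```

With these assumed figures the unpatched database server (ALE $10,000, qualitative High) and the weak Wi-Fi passphrase (ALE $3,000, High) are the two risks above the $2,000 threshold and both of their controls cost far less than the expected loss; the fire risk rates Moderate qualitatively but has an ALE of only $400, which shows why the two assessment styles are worth running side by side.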

Page 13: Step by-step for risk analysis and management-yaser aljohani

Risk, Threats, and Vulnerabilities

• Risk is the possible damage that could result from some current or future process or event.

• A threat is any act that could contribute to tampering, damage, or denial of service.

• Examples of threats: floods, fire, other natural disasters, heat, freezing, man-made threats, and malware (viruses, worms, Trojans, and spyware).

• A vulnerability is any weakness or flaw in the design, security procedures, internal controls, or implementation of a system that could be exploited to violate the system's security policy or cause a security breach.

Page 14: Step by-step for risk analysis and management-yaser aljohani

Threats elements

Three critical elements of a threat:

1. The profile of the threat: which threats and risks could affect the asset?

2. The probability of the threat: how likely is the threat to occur?

3. The consequence of the threat: what effect or impact would the loss of the asset have on the organization's operations or its employees?

Page 15: Step by-step for risk analysis and management-yaser aljohani

The Information Risk Management (IRM) policy

• It explains the role of security and the acceptable level of risk.

• It should address the following issues:

• The IRM team's objectives

• What is considered an acceptable risk

• The formal processes for risk identification

Page 16: Step by-step for risk analysis and management-yaser aljohani

The Information Risk Management (IRM) policy Cont.

• The connection between the organization's strategic planning processes and the IRM policy

• Its roles and responsibilities

• Mapping of risks to internal controls

• Mapping of risks to budgets and performance objectives

• Key indicators for monitoring the effectiveness of controls

• The approach for changing resource allocation and staff behavior in response to the risk assessment

Page 17: Step by-step for risk analysis and management-yaser aljohani

Security Checklists

• Security checklists exist for many different components, such as networks, computers, servers, switches, firewalls, routers, copiers, workstations, and scanners.

• The checklist for each component provides recommendations that help security specialists find the vulnerabilities and threats that could affect the system.

• Applying the recommended settings reduces and mitigates the risks that could result from those threats.
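As an added example that is not part of the original presentation, the following Python script shows how a checklist's recommendations can be turned into a repeatable check rather than a manual read-through. It evaluates a constructed sshd_config for a Linux server against a small baseline; the checklist items, their expected values and the sample configuration are assumptions chosen for illustration, not a checklist from the page, and the script only parses the file, it does not inspect a live host.

```python
import re

# Illustrative baseline for a Linux SSH server (an assumption, not a checklist from the page):
# option -> acceptable values, compared case-insensitively.
CHECKLIST = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "loglevel": {"verbose"},
}
# Numeric items: option -> largest acceptable value.
NUMERIC_MAX = {"maxauthtries": 4}

def parse_sshd_config(text: str) -> dict:
    """Return {option_lower: value} for the global section of an sshd_config.
    Keywords are case-insensitive, 'key value' and 'key=value' are both accepted,
    '#' starts a comment, and sshd applies the first occurrence of a keyword, so later
    duplicates are ignored. Parsing stops at the first Match block, whose settings are
    conditional and out of scope for this checklist."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        options.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return options

def evaluate(options: dict) -> list:
    """Check each checklist item; returns (item, status, detail) with status PASS, FAIL
    or MISSING. MISSING means the option is not set, so the compiled-in default is in
    effect, which the file alone cannot confirm: flag it for a manual check."""
    results = []
    for item in list(CHECKLIST) + list(NUMERIC_MAX):
        if item not in options:
            results.append((item, "MISSING", "not set; default in effect"))
            continue
        value = options[item].lower()
        if item in NUMERIC_MAX:
            ok = value.isdigit() and int(value) <= NUMERIC_MAX[item]
            detail = f"{value} (max {NUMERIC_MAX[item]})"
        else:
            ok = value in CHECKLIST[item]
            detail = f"{value} (expected {'/'.join(sorted(CHECKLIST[item]))})"
        results.append((item, "PASS" if ok else "FAIL", detail))
    return results

def failures(results: list) -> list:
    """Everything that needs attention: failed and unverified items."""
    return [r for r in results if r[1] != "PASS"]

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config sample
Port 22
PermitRootLogin yes
PermitRootLogin no          # ignored: sshd keeps the first value
PasswordAuthentication = no
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for item, status, detail in evaluate(parse_sshd_config(SAMPLE_CONFIG)):
        print(f"{status:<8} {item:<24} {detail}")
```

The two details a practitioner usually gets wrong by eye are handled explicitly: a duplicated keyword is resolved the way sshd resolves it (first value wins, so the later `PermitRootLogin no` does not rescue the host), and an option that is simply absent is reported as MISSING instead of PASS, because the file does not tell you what the compiled-in default is.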

Page 18: Step by-step for risk analysis and management-yaser aljohani

Contingency plan

1. Disaster recovery plan: covers the recovery that will occur on-site (long-term service interruption).

2. Incident response plan: covers identifying, responding to, and recovering from an incident (short-term events).

3. Business continuity plan: covers long-term incidents that require the organization to recover at off-site locations (long-term service interruption).

Page 19: Step by-step for risk analysis and management-yaser aljohani

Security Assurance Program

• It helps both employees and customers understand risks, the consequences of those risks, and how to avoid them.

• It gives guidelines and instructions on many different topics, such as e-mail security, username and password security, acceptable use of technology, mobile devices, staying safe and secure online, remote access, the network, and sensitive information.

• It helps reduce the probability that risks will occur.

Page 20: Step by-step for risk analysis and management-yaser aljohani

Cycle of Risk Management

• The U.S. Government Accountability Office (GAO, formerly the General Accounting Office) has recommended a cycle of risk management activities for organizations managing their information security risks, as follows:

1. Conducting risk assessments for all their systems

2. Establishing information security policies and procedures that are commensurate with risk and that comprehensively address significant threats

3. Providing sufficient computer security training to their employees

Page 21: Step by-step for risk analysis and management-yaser aljohani

Cycle of Risk Management Cont.

4. Testing and evaluating controls as part of their management assessments

5. Implementing documented incident handling procedures

6. Identifying and prioritizing their critical operations and assets, and determining the priority for restoring those assets should a disruption in critical operations occur

Page 22: Step by-step for risk analysis and management-yaser aljohani

Advantages of Risk Analysis and Management

• It builds a strong IT infrastructure in the organization.

• It increases confidence between the organization and its customers.

• It builds good communication between management, the IT department, and end users.

• Customers receive a good quality of service.

• It can increase the organization's profits.

• The organization will have an Information Risk Management (IRM) policy, a Security Assurance Program, and a contingency plan.

Page 23: Step by-step for risk analysis and management-yaser aljohani

Security Assessment Methodologies and Tools

• Nessus

• SAINT

• OCTAVE

• FRAP

• Practical Threat Analysis (PTA)

• Sara

• NIST

• COBRA

• Microsoft Baseline Security Analyzer

• Risk Watch

• Whisker

Page 24: Step by-step for risk analysis and management-yaser aljohani

PTA: Assets

Page 25: Step by-step for risk analysis and management-yaser aljohani

PTA: Vulnerabilities

Page 26: Step by-step for risk analysis and management-yaser aljohani

PTA: Threats

Page 27: Step by-step for risk analysis and management-yaser aljohani

PTA: Countermeasures

Page 28: Step by-step for risk analysis and management-yaser aljohani

PTA: Results

Page 29: Step by-step for risk analysis and management-yaser aljohani

Nessus

Page 30: Step by-step for risk analysis and management-yaser aljohani

Nessus: Scan list

Page 31: Step by-step for risk analysis and management-yaser aljohani

Nessus: Vulnerabilities summary

Page 32: Step by-step for risk analysis and management-yaser aljohani

Nessus: Host summary

Page 33: Step by-step for risk analysis and management-yaser aljohani

Nessus: Filter options

Page 34: Step by-step for risk analysis and management-yaser aljohani

Nessus: Results after filters

Page 35: Step by-step for risk analysis and management-yaser aljohani

Nessus: Description of a vulnerability
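The Nessus screens above (scan list, vulnerabilities summary, host summary, filter options, filtered results, vulnerability description) are shown as screenshots. As an added example that is not part of the original presentation, the following Python script reproduces the summary and filter steps from a .nessus export, the v2 XML file Nessus can produce for any completed scan, so the same views can be built from the data without the GUI. The XML embedded here is a constructed sample with placeholder plugin IDs (90001 to 90004), placeholder finding names and made-up hosts, not a real scan result; the element and attribute names (ReportHost, ReportItem, severity, pluginID, risk_factor, cvss_base_score) are the ones the .nessus v2 format uses.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed .nessus v2 sample. Plugin IDs 90001-90004, finding names and hosts are
# placeholders for illustration, not real Nessus plugins or real systems.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="DigitalZone-office">
  <ReportHost name="192.168.1.10">
   <HostProperties><tag name="host-ip">192.168.1.10</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="90001"
               pluginName="Sample: missing operating system security update" pluginFamily="Windows">
    <description>Placeholder description of a missing update.</description>
    <risk_factor>Critical</risk_factor>
    <cvss_base_score>9.3</cvss_base_score>
    <solution>Apply the vendor update.</solution>
   </ReportItem>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="90002"
               pluginName="Sample: remote desktop without network level authentication" pluginFamily="Windows">
    <risk_factor>Medium</risk_factor>
    <cvss_base_score>5.0</cvss_base_score>
    <solution>Require network level authentication.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="90003"
               pluginName="Sample: host information" pluginFamily="General">
    <description>Placeholder informational finding.</description>
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <HostProperties><tag name="host-ip">192.168.1.20</tag></HostProperties>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="90004"
               pluginName="Sample: outdated SSH server" pluginFamily="Misc.">
    <risk_factor>High</risk_factor>
    <cvss_base_score>7.5</cvss_base_score>
    <solution>Upgrade the SSH server.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

def parse_nessus(xml_text: str) -> list:
    """Flatten every ReportItem into a dict carrying its host, ready to filter and count."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "risk_factor": item.findtext("risk_factor", default="None"),
                "cvss": float(item.findtext("cvss_base_score", default="0")),
                "description": (item.findtext("description") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings

def vulnerability_summary(findings: list) -> dict:
    """Finding count per severity, like the Vulnerabilities Summary screen."""
    counts = Counter(SEVERITY_NAMES[f["severity"]] for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY_NAMES.values()}

def host_summary(findings: list) -> list:
    """Per-host count of Medium-or-higher findings, worst host first, like the Host Summary."""
    per_host = Counter(f["host"] for f in findings if f["severity"] >= 2)
    return sorted(per_host.items(), key=lambda kv: kv[1], reverse=True)

def filter_findings(findings: list, min_severity: int = 0, port=None, text=None) -> list:
    """The filter panel: severity threshold, port, and a case-insensitive plugin-name match;
    results come back highest severity and CVSS first."""
    out = [f for f in findings
           if f["severity"] >= min_severity
           and (port is None or f["port"] == port)
           and (text is None or text.lower() in f["name"].lower())]
    return sorted(out, key=lambda f: (f["severity"], f["cvss"]), reverse=True)

if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    print("summary:", vulnerability_summary(findings))
    print("hosts:", host_summary(findings))
    for f in filter_findings(findings, min_severity=3):   # High and Critical only
        print(f"{f['host']}:{f['port']} [{f['risk_factor']}] {f['name']} -> {f['solution']}")
```

Filtering on severity 3 and above is the usual first cut when turning a scan into the "top risks" list, and keeping the `solution` text beside each finding gives the countermeasure column for the risk register directly. Informational findings (severity 0) are deliberately left out of the host summary so that a host with many banner-grab results does not look worse than one with a single critical issue.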

Page 36: Step by-step for risk analysis and management-yaser aljohani

Baseline Security Analyzer

Page 37: Step by-step for risk analysis and management-yaser aljohani

Adjusting the scan settings

Page 38: Step by-step for risk analysis and management-yaser aljohani

Scanning process

Page 39: Step by-step for risk analysis and management-yaser aljohani

Result after the scan

Page 40: Step by-step for risk analysis and management-yaser aljohani

Conclusion

• Three critical elements should be considered in risk analysis and management: information confidentiality, system availability, and information integrity.

Page 41: Step by-step for risk analysis and management-yaser aljohani

Thank you