CISSP Risk Management

Risk management is the process of identifying, examining, measuring, mitigating or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions, such as assessment, analysis, mitigation and ongoing risk monitoring.

CISSP Risk Management tools such as risk assessment and risk analysis are used to identify threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented.

Risk analysis allows us to prioritize these risks and ultimately assign a dollar value to each risk event. Once we have a dollar value for a particular risk, we can make an informed decision as to which mitigation method best suits our needs. The risk management process identifies potential risks, selects tools and practices, rates each risk, and reduces the risk to specific resources of an organization.

Some threats or events, such as natural disasters, are largely unpredictable. Therefore, the main goal of risk management is risk mitigation, which involves reducing risk to a level that is acceptable to the organization.

RISK = THREAT x VULNERABILITY

Impact

Impact is the severity of the damage, sometimes expressed in dollars; it is also called consequences or cost.

Risk = Threat x Vulnerability x Impact

NIST Risk Management Framework (800-37) steps

  • Prepare to execute the Risk Management Framework.
  • Categorize: determine the type, value and security objectives for the system based on an assessment of the impact if it were to be compromised.
  • Select controls for the system and tailor them to achieve the desired security objectives.
  • Implement controls for the system and its operating environment.
  • Assess controls for the system and its operating environment to determine whether they have been implemented correctly and are operating as intended.
  • Authorize the system to operate based on acceptance of the security risks associated with its operation.
  • Monitor the system, and its associated cyber threats, security risks and controls, on an ongoing basis.

Lifecycle of CISSP risk management

  1. Risk identification/assessment: Categorize, classify and evaluate assets, and identify threats and vulnerabilities. Risk profiling helps identify changes to internal and external risk environments at the enterprise and client level, and supports the identification of emerging risks.
  2. Risk analysis: Once risks have been identified, they are evaluated in terms of their likelihood and their impact or consequence. This prioritises the risks that we really need to focus on (and those that need to be highlighted within the risk register).
  3. Risk mitigation/response: Includes reducing or avoiding risk, transferring risk, and accepting or rejecting risk. Once risks have controls in place, it is likely that actions will be required to ensure the likelihood and impact of the risk are minimised. It is important that these actions have named owners in the business and due dates to ensure they progress.
  4. Risk monitoring: Risks should be managed on an ongoing basis to reflect changes in the business and control environments. This should include monitoring of key indicators that provide immediate management information on the performance of the risk and its controls.

Risk Identification/ Assessment:

Risk identification is the initial step in risk management. It involves identifying specific elements of the three components of risk: assets, threats, and vulnerabilities.

Asset (what we’re trying to protect)

An asset is any data, device or other component of an organization's systems that is valuable: people, property, and information. To determine the appropriate level of security, identifying an organization's assets and determining their value is a critical step. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance).

Threat (what we’re trying to protect against)

A threat is any incident that could negatively affect an asset: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.

Threats can be categorized as circumstances that compromise the confidentiality, integrity or availability of an asset, and can either be intentional or accidental.

Vulnerability (a weakness or gap in our protection efforts)

A vulnerability is a weakness or gap in a security program that can be exploited by a threat to gain unauthorized access and destroy, damage or compromise an asset. In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to the system weakness.

The CISSP Risk Management Process

Managing risks is an ongoing process. NIST SP 800-30 provides guidance for conducting risk assessments of information systems and organizations. The following steps are officially part of a risk assessment as per NIST SP 800-30:

  1. System Characterization – Scope
  2. Threat Identification – Find threat (Risk = Threat x Vulnerability)
  3. Vulnerability Identification – Find vulnerability (Risk = Threat x Vulnerability)
  4. Control Analysis – Analyzes security controls (safeguards) planned to mitigate risk
  5. Likelihood Determination
  6. Impact Analysis
  7. Risk Determination
  8. Control Recommendations
  9. Results Documentation

There are three main elements that are used to determine the value of assets:

  • Initial and maintenance costs: This is most often a tangible dollar value and may include purchasing, licensing, development, maintenance, and support costs.
  • Organizational value: This is often a difficult and intangible value. It may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised.
  • Public value: Public value can include loss of proprietary information or processes and loss of business reputation.

Threat modeling methodologies

What is Threat Modeling?

Threat modeling is a method of optimizing network security by locating vulnerabilities, identifying objectives, and developing countermeasures to either prevent or mitigate the effects of cyber-attacks against the system.

STRIDE (Microsoft) is a threat model, created by Microsoft engineers, which is meant to guide the discovery of threats in a system. It is used along with a model of the target system. This makes it most effective for evaluating individual systems. STRIDE is an acronym for the types of threats it covers, which are:

  • Spoofing — a user or program pretends to be another
  • Tampering — attackers modify components or code
  • Repudiation — threat events are not logged or monitored
  • Information disclosure — data is leaked or exposed
  • Denial of service (DoS) — services or components are overloaded with traffic to prevent legitimate use
  • Elevation of Privilege — attackers grant themselves additional privileges to gain greater control over a system

PASTA is an attacker-centric methodology with seven steps. It is designed to correlate business objectives with technical requirements. PASTA’s steps guide teams to dynamically identify, count, and prioritize threats.

The steps of a PASTA threat model are:

  1. Define business objectives
  2. Define the technical scope of assets and components
  3. Application decomposition and identify application controls
  4. Threat analysis based on threat intelligence
  5. Vulnerability detection
  6. Attack enumeration and modeling
  7. Risk analysis and development of countermeasures

VAST refers to Visual, Agile, and Simple Threat modeling. VAST is a foundational element of a threat modeling platform called Threat Modeler. VAST integrates within workflows designed using the principles of DevOps.

TRIKE is a security audit framework for managing risk and defense through threat modeling techniques. Trike defines a system, and an analyst enumerates the system's assets, actors, rules, and actions to build a requirements model. Trike generates a step matrix with columns representing the assets and rows representing the actors. Every matrix cell has four parts to match the possible actions (create, read, update, and delete) and a rule tree; the analyst specifies whether an action is allowed, disallowed, or allowed with rules.

DREAD stands for damage potential, reproducibility, exploitability, affected users, and discoverability.

  1. Damage potential outlines how much damage can result from a negative event
  2. Reproducibility determines how easy it is to replicate an attack
  3. Exploitability refers to the ease with which an actor can launch an attack
  4. Affected users involve detailing the percentage of users affected by the event
  5. Discoverability examines how easy it is to locate the vulnerability

OCTAVE Threat Modeling – The Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology was one of the first created specifically for cybersecurity threat modeling. Developed at Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with CERT, the OCTAVE threat modeling methodology is heavy-weight and focused on assessing organizational (non-technical) risks that may result from breached data assets. Using this methodology, an organization's information assets are identified and the datasets they contain receive attributes based on the type of data stored. The intent is both to eliminate confusion about the scope of a threat model and to reduce excessive documentation for assets that are either poorly defined or outside the purview of the project.

Common Vulnerability Scoring System (CVSS) – This method provides a way to capture a vulnerability's principal characteristics and assigns a numerical score (ranging from 0 to 10, with 10 being the worst) showing its severity. The score is then translated into a qualitative representation (e.g., Low, Medium, High, and Critical). This representation helps organizations effectively assess and prioritize their unique vulnerability management processes.
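As an added worked example (not part of the original notes), the DREAD rating and CVSS qualitative mapping above applied to a set of constructed findings: each finding gets a DREAD score as the mean of its five 1-10 ratings, its CVSS base score is bucketed with the CVSS v3.x qualitative severity scale, and the findings are ranked for prioritisation. The finding titles and all ratings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """A constructed vulnerability finding: five DREAD ratings (1-10 each) and a CVSS base score."""
    title: str
    damage: int           # Damage potential
    reproducibility: int  # how easy it is to replicate
    exploitability: int   # ease of launching the attack
    affected_users: int   # share of users affected, rated 1-10
    discoverability: int  # how easy the weakness is to locate
    cvss_base: float

    def dread_score(self) -> float:
        """DREAD score as the mean of the five ratings (the common 1-10 form)."""
        parts = (self.damage, self.reproducibility, self.exploitability,
                 self.affected_users, self.discoverability)
        if any(not 1 <= p <= 10 for p in parts):
            raise ValueError("each DREAD rating must be between 1 and 10")
        return sum(parts) / len(parts)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritize(findings: list) -> list:
    """Rank findings by DREAD score, highest first (the prioritisation step of risk analysis)."""
    return sorted(findings, key=lambda f: f.dread_score(), reverse=True)


# Constructed findings, not taken from any real assessment.
FINDINGS = [
    Finding("SQL injection in login form", 9, 9, 8, 10, 7, 9.8),
    Finding("Verbose stack trace on error page", 3, 10, 6, 4, 9, 5.3),
    Finding("Missing rate limit on password reset", 5, 8, 7, 6, 5, 6.5),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"DREAD {f.dread_score():4.1f}  CVSS {cvss_severity(f.cvss_base):8}  {f.title}")
```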

Risk Analysis

Key pointers to be remembered for risk analysis include:

  • Asset Value (AV): the value of the asset.
  • Exposure Factor (EF): the percentage of damage that would result from a successful threat on a specific asset.
  • Single Loss Expectancy (SLE): the financial amount of loss due to a single successful threat on a specific asset. SLE = AV x EF
  • Annual Rate of Occurrence (ARO): the number of times that a specific threat is expected to occur within one year.
  • Annualized Loss Expectancy (ALE): the total loss expected per year due to all occurrences of a specific threat targeting a certain asset. ALE = SLE x ARO
  • Risk value = probability x impact (probability is how likely it is for the threat to materialize; impact is the extent of the damage).
  • Total Cost of Ownership (TCO): the total annual cost of implementing and maintaining a safeguard.
  • Return on Investment (ROI): the amount of money saved by implementing the safeguard. If TCO > ALE = positive ROI. If TCO < ALE = negative ROI.
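As an added worked example (not from the original notes), the SLE and ALE formulas above carried through in Python, with the safeguard's annual value computed in the standard CISSP cost/benefit form, ALE before the safeguard minus ALE after it minus the safeguard's annual cost (TCO). The asset value, exposure factors, frequency and safeguard cost are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One threat against one asset, using the quantitative terms above."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost (TCO).
    Positive means the control saves more per year than it costs."""
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a $100,000 web server hit by ransomware.
# Without backups, 80% of the asset value is lost per event, expected once every 2 years.
NO_BACKUP = RiskScenario("ransomware, no backups", 100_000, 0.80, 0.5)
# With tested offline backups the loss per event drops to 20%; the frequency is unchanged.
WITH_BACKUP = RiskScenario("ransomware, with backups", 100_000, 0.20, 0.5)
BACKUP_TCO = 15_000  # constructed annual cost of the backup solution

if __name__ == "__main__":
    print(f"SLE before: ${NO_BACKUP.sle():,.0f}")    # $80,000
    print(f"ALE before: ${NO_BACKUP.ale():,.0f}")    # $40,000
    print(f"ALE after:  ${WITH_BACKUP.ale():,.0f}")  # $10,000
    value = safeguard_value(NO_BACKUP, WITH_BACKUP, BACKUP_TCO)
    print(f"Safeguard value: ${value:,.0f} per year")  # $15,000
```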

Quantitative and Qualitative risk analysis

Risk analysis can be divided into two major types:

  • Quantitative – uses hard metrics such as dollars and is more objective. Example: ALE.
  • Qualitative – uses simple approximate values and is more subjective. Example: a risk analysis matrix.

In practice a third approach is also used:

  • Hybrid risk analysis – uses quantitative analysis where hard numbers are available and qualitative analysis for the remainder.

Quantitative Risk Analysis:

A quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible.

Qualitative Risk Analysis:

A qualitative risk analysis is scenario-driven and does not attempt to assign numeric values to the components (assets and threats) of the risk analysis. In qualitative risk analysis, we develop realistic scenarios that describe a threat and the potential losses to organizational assets. Unlike a quantitative risk analysis, it is possible to conduct a purely qualitative risk analysis.

Risk Control:

As a security professional you must accept that not all risks can be mitigated, and that there are other options for risk control. A risk control is a safeguard or countermeasure that reduces the risk associated with a specific threat. The absence of a safeguard against a threat creates a vulnerability and increases the risk.

Risk control can be done through one of the following remedies:

Mitigate the Risk

Lowering the risk to the acceptable level, or reducing it further, by performing reduction analysis. In some cases the risk can be removed entirely.

Risk reduction:

Mitigating risk by implementing the necessary security controls, policies, and procedures to protect an asset. This can be achieved by altering, reducing, or eliminating the threat and/or vulnerability associated with the risk.

Risk assignment:

To avoid the outcomes of risk, we can assign the potential loss associated with a risk to a third party, such as an insurance company.

Risk acceptance:

It may be cheaper to leave an asset unprotected. Risk acceptance criteria: low likelihood/low consequence risks are candidates for risk acceptance. High or extreme risks cannot be accepted. Data protected by law or regulations, or risk to human life or safety, are examples of risks that cannot be accepted.

Risk Avoidance

A thorough risk analysis should be completed before taking on a new project. If the risk analysis discovers a high or extreme risk that cannot be mitigated, avoiding the risk (and the project) may be the best option.
If ALE is higher than ROI, avoidance might be the best option.

Risk Transference

Risk transference is a strategy used by a company, business or organization to transfer the risk or threat of loss, injury, or damage it anticipates to a third party. The third party is then responsible for the liabilities of the company. This is the insurance model: the company pays the insurance company to assume the risk on its behalf.
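As an added worked example (not part of the original notes), a qualitative risk analysis matrix (risk = probability x impact, as listed under Risk Analysis) combined with the risk acceptance criteria from the Risk Control section, selecting which of the responses above (accept, mitigate, transfer, avoid) remain candidates for each register entry. The 3x3 matrix, the register entries, and the rule that medium-rated risks are not candidates for acceptance are assumptions made for this example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale shared by likelihood (probability) and impact (consequence)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Constructed 3x3 risk analysis matrix: MATRIX[likelihood][impact] -> rating.
MATRIX = {
    Level.LOW:    {Level.LOW: "Low",    Level.MEDIUM: "Low",    Level.HIGH: "Medium"},
    Level.MEDIUM: {Level.LOW: "Low",    Level.MEDIUM: "Medium", Level.HIGH: "High"},
    Level.HIGH:   {Level.LOW: "Medium", Level.MEDIUM: "High",   Level.HIGH: "Extreme"},
}


def rate(likelihood: Level, impact: Level) -> str:
    """Qualitative risk rating from the matrix (risk = probability x impact)."""
    return MATRIX[likelihood][impact]


def candidate_responses(rating: str, regulated_or_safety: bool) -> list:
    """Risk control options consistent with the acceptance criteria in the notes:
    high or extreme risks, and risks involving legally protected data or human
    safety, can never be accepted; low-rated risks are candidates for acceptance.
    Assumption for this example: medium-rated risks also require a response."""
    if regulated_or_safety or rating in ("High", "Extreme"):
        return ["mitigate", "transfer", "avoid"]
    if rating == "Low":
        return ["accept", "mitigate", "transfer"]
    return ["mitigate", "transfer"]


# Constructed register entries: (description, likelihood, impact, regulated_or_safety).
REGISTER = [
    ("Visitor badge printer outage", Level.MEDIUM, Level.LOW, False),
    ("Laptop holding customer PII is lost", Level.MEDIUM, Level.HIGH, True),
    ("Fire in the server room", Level.LOW, Level.HIGH, True),
    ("Stale entries in the internal phone directory", Level.HIGH, Level.LOW, False),
]

if __name__ == "__main__":
    for desc, likelihood, impact, regulated in REGISTER:
        rating = rate(likelihood, impact)
        print(f"{rating:8} {desc}: {', '.join(candidate_responses(rating, regulated))}")
```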
