Risk Related Concepts (part 1)


Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3
Video Description

As a continuance of the previous lesson, we discuss risk related controls and control types and explain the concepts behind them. We define what a control is, and what function it serves. You'll learn what types of policies and procedures are developed as a technical, management and operational control, and why those distinctions are significant. You'll also learn what types of privacy policies should be developed and what types of risks are associated with each kind.

Transcript

Section 2.1 of the Security+ syllabus explains the importance of risk related concepts. What is a control? A control could be hardware or software to implement and enforce a policy. It is a solution we put in place to implement and enforce the policy. Some organizations are able to implement policies but not enforce them, but by using controls, best practice is that you implement the control and enforce the control. Controls are no good if they are implemented and not enforced, so we have different types of controls. We have technical controls; these could also be regarded as logical controls, so examples would be passwords and encryption. You could also have management controls in the form of policies and procedures: policies, practices, best practices; these are management procedures. Operational controls are controls that govern the operation within the business environment, and these could be in the form of procedures, standards, and best practices. All of these are to implement and enforce the directives of management. When you put controls in place, it's possible that your controls are too lax or too tight, and this gives room to what we call false positives or false negatives. So now we will be discussing false positives and false negatives. What do we mean by false positive? Your security controls are saying there is a problem, but in reality there is no problem.

Say we have a user who can access a facility. The user then decides to access the facility; the user has been authorized to access the facility, but when the user decides to access the facility the alarms go off: intruder, intruder, intruder. This person is authorized to access, but the system is saying there is an intruder. That is a false positive. Yes, it is a positive, but it's false; there is no intruder. The person that the alarm is going off on is authorized to access the system. Now for false negative: the system is saying that there is no problem, but in reality there is a problem. Say you visit a store; you are meant to pay for every item you pick. But you visit the store, you pick the items and do not pay, and as you walk to the door the alarms don't go off. So the system is saying, oh, there is no problem, but in reality there is a problem because you haven't paid for those items in the bag. So that is a false negative: it is seeing it as nothing is happening, but in reality something is happening. Items are leaving the store that have not been paid for. So when your system is alerting on things that shouldn't be alerted on, we call it a false positive, and when your system fails to alert on instances where it should alert, that is a false negative. Now we discuss the importance of policies to reduce risk. Organizations implement policies, create policies, to reduce risk in the organization; without the policies in place there are no rules, and that way the risk could be so high within the enterprise. The first we look at is the privacy policy. Privacy policies would be policies that dictate how privacy should be carried out within the organization. PCI DSS dictates standards to be followed if we collect credit card information: how to store, how to safeguard those data on our networks. Regulations protect health records. These are all privacy policies to reduce the risk of unauthorized disclosure of information; that risk will be reduced.

If you don't follow best practices for privacy within the organization, organizations will suffer from indirect loss, financial indirect loss, in the sense that we have lawsuits: I have given you my credit card and my credit card is breached, I could sue that organization; or even my medical records, individuals could sue certain organizations. So to reduce the risk of lawsuits, organizations are best advised to follow the privacy policy. The acceptable use policy: this is a policy put in place to dictate acceptable use of equipment or resources within an organization, so individuals seeking to use these resources cannot say they don't know. They are not meant to use the resources in certain ways, because before the resource is made available to you, you should be taught and educated as to how you can use it, what you are allowed to use it for and what you cannot use it for. The acceptable use policy is put into place by organizations to protect themselves, so that should a staff member be using, say, the organization's vehicle for unauthorized means, the organization knows that the individual is better educated that, okay, we should not use this for personal use but only for official use. So the acceptable use policy is simply a policy to dictate what is allowed or not allowed when we use resources made available by the organization. The security policy could be one policy or a group of policies. The security policy would dictate how security is run within the organization; maybe it will be how accounts are created, maintained and decommissioned, or how users interact with the system in the case of password generation, password complexity, password length and re-use. The security policy would govern everything as it relates to security within the organization. The principle of mandatory vacation: the principle of mandatory vacation dictates that our users should go on periodic vacation; this way their activities can also be investigated.

Somebody else will sit at their desk and do their job, so should it be that these persons are committing some form of fraud or crime, this is an opportunity for us to disclose this, to discover it. Somebody else is doing their job; they could then discover that, oh, user A has always been doing this, why is he doing it, so that then you can better investigate to see that some people are committing fraud. People that tend to resist vacation have a tendency of doing something malicious on the network. Job rotation: the principle of job rotation dictates that we rotate our staff amongst jobs, a form of cross training for them to learn other people's roles. So in the absence of one person, another person can step into their shoes and carry out their job function; there is no vacuum created by the loss of one person. It is not a single point of failure, so multiple people can learn multiple roles; if one person is missing, somebody else is available. This helps ensure the availability concept of the CIA (Confidentiality, Integrity and Availability). The principle of separation of duties: this principle dictates that critical job functions be broken down into multiple roles; not one person starts all the way to the end. When you have only one person handling a critical job function, there is possibility for fraud: they abuse the function, or they are not even doing it right. So the principle dictates that multiple job roles should be made available to service a critical job function. If person A starts it off, person B continues, person C could finish it off. That way you limit the risk of fraud within the organization or abuse of power. The principle of least privilege dictates that our users be given only the permission they need to do their work, no more, no less. If you give insufficient permission they will all be calling help desk: I can't get my work done, no productivity. If you give the exact amount of permission they can work, and if you give them too much they will abuse it.

We should have periodic audits to check permissions to ensure that we've only assigned the least privilege possible; that way there is no room to abuse privilege.
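The periodic permission audit, least privilege check and separation of duties principle described in the transcript, as an added Python example that is not part of the lesson or the course: it compares a constructed snapshot of users' effective permissions against hypothetical role baselines, reports excess permissions (the abuse risk) and missing permissions (the help desk and productivity problem), and flags anyone holding more than one step of a critical function that should be split across person A, person B and person C. The role names, permission strings and users are made-up sample data.

```python
# Added example (not part of the lesson): a periodic permission audit that
# checks least privilege and separation of duties over a constructed snapshot.

# Hypothetical role baselines: the permissions each role needs, no more, no less.
ROLE_BASELINE = {
    "ap_clerk":    {"invoice:create", "invoice:view"},
    "ap_approver": {"invoice:view", "invoice:approve"},
    "treasury":    {"invoice:view", "payment:release"},
    "helpdesk":    {"user:view", "user:reset_password"},
}

# A critical job function split into steps that different people should hold.
CRITICAL_FUNCTIONS = {
    "vendor_payment": ("invoice:create", "invoice:approve", "payment:release"),
}

# Constructed snapshot of effective permissions (what an IAM export might show).
USERS = {
    "alice": {"role": "ap_clerk",    "perms": {"invoice:create", "invoice:view"}},
    "bob":   {"role": "ap_approver", "perms": {"invoice:view", "invoice:approve", "payment:release"}},
    "carol": {"role": "treasury",    "perms": {"invoice:view", "payment:release"}},
    "dave":  {"role": "helpdesk",    "perms": {"user:view"}},
    "erin":  {"role": "ap_clerk",    "perms": {"invoice:create", "invoice:view",
                                               "invoice:approve", "payment:release"}},
}


def least_privilege_findings(users, baseline):
    """Compare each user's effective permissions against their role baseline.

    Excess permissions are the abuse risk; missing permissions are the
    "I can't get my work done" problem. Users that match exactly are omitted.
    """
    findings = {}
    for name, rec in sorted(users.items()):
        needed = baseline.get(rec["role"], set())
        excess = sorted(rec["perms"] - needed)
        missing = sorted(needed - rec["perms"])
        if excess or missing:
            findings[name] = {"excess": excess, "missing": missing}
    return findings


def separation_of_duties_findings(users, critical):
    """Flag users who hold more than one step of a critical function.

    Holding every step means one person could start the function and finish
    it alone (full_chain); holding two steps is still a conflict to review.
    """
    findings = []
    for func, steps in critical.items():
        for name, rec in sorted(users.items()):
            held = [s for s in steps if s in rec["perms"]]
            if len(held) > 1:
                findings.append({
                    "user": name,
                    "function": func,
                    "steps_held": held,
                    "full_chain": len(held) == len(steps),
                })
    return findings


def run_audit(users=USERS, baseline=ROLE_BASELINE, critical=CRITICAL_FUNCTIONS):
    """Run both checks and return one report dict for the audit record."""
    return {
        "least_privilege": least_privilege_findings(users, baseline),
        "separation_of_duties": separation_of_duties_findings(users, critical),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

On the sample data the report shows bob with an excess `payment:release` permission that also gives him two steps of the payment chain, dave missing a permission his role needs, and erin holding every step of `vendor_payment` on her own, which is exactly the single-person end-to-end situation the separation of duties principle is meant to prevent. In practice the baseline comes from the role definitions in the security policy and the snapshot from an identity provider export, and the audit is run on a schedule.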

Video Transcription
00:04
Section 2.1 of the Security+ syllabus explains the importance of risk related concepts. What is a control?
00:11
A control could be hardware or software
00:15
to implement and enforce a policy.
00:18
It is a solution we put in place to implement and enforce the policy.
00:23
Some organizations are able to implement policies but not enforce them. But by using controls, best practice is that you want to implement the control and enforce the control.
00:35
Controls are no good if they're implemented but not enforced. So we have different types of controls. You have technical controls. These could be
00:44
also regarded as logical controls: passwords, encryption. So
00:51
examples would be passwords and encryption.
01:02
Those are technical controls.
01:04
You could also have management controls in the form of policies, procedures,
01:10
policies,
01:14
practices, best practices. These are management procedures. Operational controls
01:21
involve how,
01:23
controls that govern operation within the business environment. And this could be in the form of procedures,
01:32
standards
01:36
and best practices.
01:38
All of these are to implement
01:42
and enforce the directives of management.
01:46
When you put controls in place,
01:48
it is possible that your controls are too lax or too tight,
01:53
and this gives room to what we call false positives or false negatives.
01:59
So now we will be discussing false positives and false negatives. What do we mean by false positive? Your security controls are saying there's a problem,
02:08
but in reality there is no problem.
02:12
Say we have a user who can access the facility.
02:15
The user then decides to access the facility.
02:19
The user has been authorized to access the facility.
02:22
But when the user decides to access the facility, the alarms go off.
02:25
Intruder, intruder, intruder! This person is authorized to access. But the system is saying there's an intruder.
02:31
That is a false positive. Yes, it is a positive, but it is false.
02:37
There's no intruder. The person that the alarm is going off on is authorized to access the system.
02:43
Now for false negative. The system is saying that there is no problem. But in reality there is a problem. Say you visit a store;
02:53
you are meant to pay for every item you pick.
02:57
But you visit the store, you pick the items and do not pay. And as you walk through the door,
03:02
the alarms don't go off. So the system is saying, oh, there's no problem.
03:07
But in reality there is a problem because you haven't paid for those items in the bag, so that is a false negative. It is seeing it as nothing is happening. But in reality, something is happening. Items are leaving the store that have not been paid for. So when your system is saying things that
03:25
shouldn't be alerted and it's alerting on those, we call it a false positive, and when your system fails to alert on
03:35
instances where it should alert, that is a false negative.
03:38
Now we discuss the importance of policies to reduce risk.
03:45
Organizations implement policies,
03:46
create policies to reduce risk in the organization. Without the policies in place, there are no rules,
03:54
and that way the risk could be so high within the enterprise.
04:00
The first we will look at is the privacy policy.
04:02
The privacy policies will be policies that dictate how privacy should be carried out within the organization.
04:11
PCI DSS dictates
04:15
standards to be followed if we collect
04:17
credit card information: how to store, how to safeguard those data on our networks.
04:25
HIPAA regulations
04:27
protect health records.
04:29
These are all privacy policies to reduce the risk of
04:33
unauthorized disclosure of information.
04:38
That risk will be reduced. If you don't follow best practices for privacy
04:44
within the organization, organizations could suffer from indirect loss, financial indirect loss, in the sense of we have lawsuits. I've given you my credit card and my credit card is breached. I could sue that organization, or even my medical records, individuals could sue certain organizations. So
05:03
to reduce
05:03
the risk of lawsuits, organizations are best advised to follow the privacy policy.
05:11
The acceptable use policy.
05:14
This is a policy put in place to dictate acceptable use of equipment or resources within an organization. So individuals seeking to use these resources cannot say they don't know.
05:28
They're not meant to use the resources in certain ways because before the resource is made available to you, you should be taught and educated as to how
05:39
you can use it, what you're allowed to use it for or not use it for. The acceptable use policy is put in place by organizations to protect themselves, so that should a staff member be using, say, the organization's vehicle for unauthorized means,
05:54
the organization knows the individual is better educated that, okay, we should not use this for personal use, only for official duties. So the acceptable use policy is simply a policy to dictate what is allowed or not allowed when we use
06:11
resources made available by the organization.
06:14
The security policy
06:15
could be one policy or a group of policies.
06:18
The security policy would dictate
06:21
how security is run within the organization. Maybe it will be how accounts are created,
06:29
maintained and decommissioned.
06:31
How users interact with the system in the case of password generation, password complexity, password length and reuse.
06:42
Security policy would govern everything as it relates to security within the organization.
06:47
The principle of mandatory vacation.
06:50
The principle of mandatory vacation dictates that
06:53
our users should go on periodic vacation.
06:56
This way their activities could also be investigated. Somebody else will sit at their desk and do their job. So should it be that these persons are committing some form of fraud or crime,
07:08
this is an opportunity for us to disclose this, to discover. Somebody else is doing their job. They could then discover that, oh, user A has always been doing this, why is he doing it, so that then you can better investigate to see that some people are committing fraud.
07:26
People that tend to resist vacations
07:29
have a tendency of, maybe,
07:31
doing something malicious on the network.
07:33
Job rotation.
07:36
The principle of job rotation dictates that we rotate our staff amongst jobs,
07:42
a form of cross training for them to learn other people's roles. So in the absence of one person,
07:48
another person can step into their shoes and carry out their job function. There is no vacuum created by the loss of one person.
07:57
It is not a single point of failure, so multiple people can learn multiple roles. If one person is missing, somebody else is available.
08:07
This helps ensure the availability concept of the CIA:
08:13
Confidentiality, integrity and availability.
08:16
The principle of separation of duties.
08:18
This principle dictates that critical job functions be broken down into multiple roles.
08:24
Not one person starts all the way to the end.
08:28
When you have only one person handling a critical job function, there's possibility for fraud.
08:35
There's a possibility they abuse the function or they're not even doing it right.
08:39
So
08:39
the principle dictates that multiple job roles be made available to service a critical job function. If person A starts it off, person B continues, person C could finish it off. That way you limit the risk
08:54
of fraud within the organization or abuse of power.
09:00
The principle of least privilege dictates that our users be given only the permission they need to do their work,
09:07
no more, no less.
09:09
If you give insufficient permissions, they'll all be calling help desk: I can't get my work done, I can't get my work done.
09:16
No productivity. If you give the exact amount of permission they can work, and if you give them too much, they would abuse it.
09:24
So we should have periodic audits to check
09:28
permissions
09:30
to ensure that we only assigned the least privilege possible. That way there's no room to abuse privilege.