Contents
Overview
Lesson: Introduction to Risk Management
Lesson: Creating a Risk Management Plan
Lab A: Analyzing Security Risks
Module 4: Analyzing Security Risks
and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
appropriate level of protection for each resource.
After completing this module, students will be able to:
Explain the purpose and operation of risk management
Draft the elements of a risk management plan
To teach this module, you need Microsoft® PowerPoint® file 2830A_04.ppt.
It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.
To prepare for this module:
Read all of the materials for this module
Complete the practices
Complete the lab and practice discussing the answers
Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD
Visit the Web links that are referenced in the module
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Introduction to Risk Management
This module and Module 3, “Identifying Threats to Network Security,” combine to give students the information that they will use to justify to upper management the need to allocate time and resources to security. Risk management in particular enables IT professionals to document realistic needs based on threats and the likelihood and impact of those threats occurring. Students will likely debate the categories of the examples provided in the slide. Explain that the categories are relative and are intended as a starting point for prioritizing the vast collection of assets on a typical network.
Emphasize that business decision-makers often require financial justification for expenditures. Calculating asset values and performing quantitative risk analysis are two ways to use numbers to estimate risk. Acknowledge that the calculations are only as good as the original numbers used, so ensure that students do not rely too heavily on the numbers. Explain the term exposure in the context of this page; it is simply part of a more precise measurement of probability. The following lesson describes probability and impact in greater detail.
Use the practices as an opportunity for discussion
Lesson: Creating a Risk Management Plan
Be sure to read the white paper, MOF Risk Management, under Additional Reading on the Web page on the Student Materials CD, before teaching this module. Explain that risk statements are a useful way to state clearly what is at risk and why.
Risk analysis can become complicated. This page lists examples of both qualitative and quantitative risk analysis. Explain the similarities between the two. Also emphasize that quantitative analysis can be performed in many different ways, and that the method shown on this page is intended as a very basic example.
Students may confuse avoidance and mitigation. Avoidance seeks to remove the cause of the threat, sometimes by drastically restricting business operations. Mitigation seeks to minimize probability and impact through proactive efforts.
In this context, avoidance is a form of severe mitigation. When discussing answers to lab and review questions, remember the distinction and allow for class discussion on the topic.
Use the practices as an opportunity for discussion
Assessment
There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Analyzing Security Threats
To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.
In this lab, students must perform both qualitative and quantitative risk analysis. The qualitative analysis consists of a list of risk statements regarding portable computers and a threat model of the portable computers. Have students use the risk statements to enter probability and impact values in the threat model spreadsheet in order to calculate the relative risks involved. Explain to students that portable computers include laptops and that, for the purpose of the labs, the terms are synonymous.
For the qualitative risk analysis in this lab, students open a Microsoft Excel spreadsheet named R&D Portable Computer Threat Model.xls and add information to it. They may use this spreadsheet in a subsequent lab. Ensure that students rename the file and save the spreadsheet to the Lab Answers folder on their desktops for discussion.
When discussing the qualitative answers, we included best estimates. If the numbers prove too confusing during lab discussion, use a low-medium-high range of ranking. Use discrepancies or disagreements among students to generate discussion. If some students believe that everything is a risk, play the part of a manager and respond by saying something like, “All of the risks may be important, but I can only afford to protect against five of them. Which ones are most important?”
The answers to the qualitative risk analysis are located in the spreadsheet Lab 4 R&D Portable Computer Threat Model_Suggested Answers.xls, located in the Answers folder under Webfiles on the Student Materials CD. Be sure to print the answers out and study them before you conduct the lab.
For the quantitative risk analysis, students use the values in the e-mails from Helmut Hornig to calculate the potential savings gained by each of the security measures listed. Ensure that students do not become hindered by the vagueness of the scenario. Acknowledge that several details, such as annual asset depreciation and the value of the data on the laptops, have been omitted for the sake of brevity, and tell students to use the information provided to guide their efforts.
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.
Overview
In this module, you will learn how to determine what resources in your organization require protection and how to prioritize those resources based on their value. You will then develop a risk management plan, based on the Microsoft Operations Framework (MOF) risk model, to identify and analyze risks proactively and to determine an appropriate level of protection for each resource.
After completing this module, you will be able to:
Explain the purpose and operation of risk management
Draft the elements of a risk management plan
Lesson: Introduction to Risk Management
Risk management is the act of examining the relative value of your assets and then allocating your security resources based on the likelihood of the risk occurring and the value of the asset. Risk management helps you prioritize your efforts and spending to secure your network.
After completing this lesson, you will be able to:
Describe the different elements of risk management
Explain why risk management is important
Identify common assets to protect
Categorize assets according to type
Calculate the value of an asset
Elements of Risk Management
A risk is the possibility of suffering a loss, and the impact or extent of damage that would result if the loss occurs. Risk management is the process of identifying risks, analyzing the risks, and creating a plan to manage the risks. There are two types of risk analysis:
Qualitative: Ranks risks according to their relative impact on business operations. Qualitative analysis often requires you to estimate the probability of a threat and the impact of the threat occurring on a scale of 1 to 10. You then multiply the two numbers for the probability and impact and use the product to rank the risk relative to other risks.
Quantitative: Places actual values on the probability and impact of threats to determine how to allocate security resources. Although quantitative risk analysis uses advanced financial accounting skills, it remains an inexact science.
Neither qualitative nor quantitative risk analysis is necessarily superior to the other. Both are essential parts of a risk management strategy.
For more information about managing risk, see:
Risk Management Guide for Information Systems, from the National Institute of Standards and Technology (NIST), at http://csrc.ncsl.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
The Microsoft white paper, Risk Model for Operations, under Additional Reading on the Web page on the Student Materials CD
Why Risk Management Is Important
Risk management helps ensure that your security plan is rational and that you apply your resources to maximize results. By assessing risks and creating a risk management plan, you can:
Prioritize security risks: You can rank security risks to your organization relative to other risks. This helps your organization determine how to allocate resources to secure the network.
Determine the appropriate amount of security: You can discover the point at which incremental improvements to security become inefficient and costly.
Justify costs: You can use a quantitative risk analysis to justify the expense of security personnel, hardware, and software.
Document all potential security issues: Risk management requires a thorough assessment of threats to your network and their potential impacts. An organization that chooses to respond to security threats randomly may overlook critical security issues on its network.
Create metrics: Risk management uses metrics that help you judge the success of your security plan. You can also use metrics to prepare compensation plans for executives and security personnel.
For more information about risk management, watch the 25-minute presentation, Building a Business Case for IT Investments using REJ, at:
Common Assets to Protect
In addition to protecting the physical assets listed in the table, a large part of the role of security is protecting public confidence and the trust of business partners. In Generally Accepted Accounting Practices (GAAP), this type of asset is known as goodwill, which can be placed on financial statements when a company is sold.
Consider, for example, that an attacker defaced your organization’s Web site. You notify customers that the attacker has stolen the private information of the Web site’s users, including their addresses and credit card numbers. In addition to incurring direct financial losses from lost business, your organization also suffers a loss of goodwill because the company’s image is tarnished.
How to Categorize Assets
After you identify all of the assets in your risk management plan, organize the assets into discrete categories, such as public, private, confidential, or secret, according to their security requirements.
Categorizing assets helps you prioritize assets and assign owners. Assigning ownership ensures that someone is ultimately responsible for the security of the asset. It also ensures that you assign similar levels of protection to assets that have similar security requirements. By categorizing assets, you will avoid giving minor information, such as cafeteria menus, the same degree of protection as information critical to the success of your business, such as the source code to an enterprise accounting application.
How to Calculate the Value of Assets
Determining the monetary value of an asset is an important part of risk management. Business managers often rely on the value of an asset to guide how much money and resources to spend securing it. Many organizations maintain a list of asset values as part of their disaster recovery plans.
To assign a value to an asset appropriately, determine three main factors:
The overall value of the asset to your organization: Calculate or estimate the asset’s value in direct financial terms. For example, if you have an e-commerce Web site that generates an average of $2,000 per hour in revenue from customer orders, you can state with confidence that the annual value of the Web site in terms of sales revenue is $17,520,000.
The immediate financial impact of losing the asset: If the Web site were unavailable for six hours, the calculated exposure is 0.000685 of a year (six hours out of 8,760). By multiplying this number by the annual value of the asset, you can predict the directly attributable losses to be $12,000.
The indirect business impact of losing the asset: In this example, you estimate that your company would spend $10,000 in advertising to counteract the negative publicity that the incident caused. You also estimate a loss of 0.1 of 1 percent of annual sales, or $17,520. By combining the extra advertising expenses and the loss in annual sales revenue, you can predict a total of $27,520 in indirect losses.
Also consider the value of the asset to your competitors. For example, if your competitors were able to acquire the customer information from your Web site, you may estimate that you would lose $5 million in revenue to your competitor.
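The asset-value calculation above, together with the probability-times-impact ranking described under Elements of Risk Management, as an added Python example that is not part of the course materials; the dollar figures are the ones the text uses, while the function and field names are this example's own.

```python
"""Risk-analysis worksheet, added as an example (not part of the course
materials): qualitative ranking on a 1-10 probability x impact scale, and the
quantitative asset-value figures the text works through for the Web site."""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # 8,760; the text's $17,520,000 figure assumes this

def rank_risks(scores: dict[str, tuple[int, int]]) -> list[tuple[str, int]]:
    """Rank risk statements by probability * impact, each scored 1..10,
    highest relative risk first."""
    for statement, (probability, impact) in scores.items():
        if not (1 <= probability <= 10 and 1 <= impact <= 10):
            raise ValueError(f"{statement!r}: scores must be between 1 and 10")
    return sorted(((s, p * i) for s, (p, i) in scores.items()),
                  key=lambda pair: pair[1], reverse=True)

@dataclass(frozen=True)
class LossEstimate:
    annual_value: float   # overall value of the asset in direct financial terms
    exposure: float       # fraction of the year the asset is unavailable
    direct_loss: float    # immediate financial impact of the outage
    indirect_loss: float  # advertising response plus lost annual sales

def annual_value(revenue_per_hour: float) -> float:
    """Overall value of a revenue-generating asset: $2,000/h -> $17,520,000."""
    return revenue_per_hour * HOURS_PER_YEAR

def exposure(outage_hours: float) -> float:
    """Fraction of a year lost: six hours is 6/8760 = 0.000685."""
    if not 0 <= outage_hours <= HOURS_PER_YEAR:
        raise ValueError("outage must be between 0 and one year of hours")
    return outage_hours / HOURS_PER_YEAR

def estimate_loss(revenue_per_hour: float, outage_hours: float,
                  response_costs: float, lost_sales_fraction: float) -> LossEstimate:
    """Combine the three factors the text lists; dollar amounts rounded to cents."""
    value = annual_value(revenue_per_hour)
    fraction = exposure(outage_hours)
    direct = round(value * fraction, 2)
    indirect = round(response_costs + value * lost_sales_fraction, 2)
    return LossEstimate(value, fraction, direct, indirect)

if __name__ == "__main__":
    # The text's example: $2,000/h, six hours down, $10,000 of advertising,
    # and 0.1 of 1 percent of annual sales lost.
    est = estimate_loss(2000, 6, 10_000, 0.001)
    print(f"direct ${est.direct_loss:,.0f}, indirect ${est.indirect_loss:,.0f}")
```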
Practice: Categorizing Assets
In the table below, draw a line connecting each asset in the left column to its type in the right column: public, private, confidential, or secret.