people layer security lecture 9 supakorn kungpisdan [email protected]
Outline
Attacking People Layer
Defending People Layer
Risk Management
NETE4630 Advanced Network Security and Implementation 2
Introduction
The OSI 7-layer reference model is a framework for data communications.
Security can be breached by exploiting the flaws and weaknesses of protocols and their implementations at each layer of the OSI model.
Hardware and software behaviors are repeatable, but people are not as consistent as machines; some refuse to follow basic security rules (e.g., they do not read the necessary manuals, they take shortcuts, and so on).
The people layer (layer 8) has been added to address the impact of human error.
Attacking the People Layer
Hacking needs to attack where the information is stored: computers or people? Which one is easier to get the information from?
80% of a corporation’s knowledge resides with its employees.
This helps attackers in two ways: employees have a treasure trove of information, and humans are easier targets than computers.
Attacking the People Layer (cont.)
“Whatever the potential of the Internet, most observers recognize that information collection today is more widespread offline and online” (US Federal Trade Commission chairman, Timothy J. Muris)
“The greatest risk of misuse of your personal information is from lost or stolen wallets and purses, not online information, as many think” (Jan Dulney, president of Better Business Bureau of Western Ontario)
Social Engineering
Social engineering is the process of using psychology to encourage people to give you the information or access that you want
Involves deceit and manipulation, and can be done face-to-face, remotely but still interactively (e.g. by phone), or indirectly through technology
Social Engineering (cont.)
Authority: pretending to be in a position of authority
Liking: a social engineer appears likeable; most people will react to him or her in a positive way
Reciprocation: when someone gives us a gift or does us a favor, we want to give something in return
Social Validation: people want to be accepted, and the best way to belong is to be like everyone else
Scarcity: people want things that are in short supply or only available for a short time; if offered such a thing, a person is motivated to accept it
In Person
It is safer to use social engineering from afar (e.g. over the phone)
Suitable if the goal is to gain physical access to a computer system or to obtain materials that are not in electronic form
People are often more suspicious of unusual requests made over the phone than of someone presenting a request in person
Examples: unauthorized entry, theft
Unauthorized Entry
Piggybacking (aka Tailgating): follow an authorized person through entrance or door
Templates for making a fake ID are available online at www.myoids.com and www.phidentity.com
If a door requires a personal identification number (PIN) for entry, try shoulder surfing
Once the unauthorized entry is achieved, the attacker can do many things, including install a hardware keystroke logger
Two types of keystroke loggers: hardware and software
Hardware Keyloggers
Completely undetectable by software, can record all keystrokes, and can record keystrokes before the OS is loaded (e.g. BIOS password)
But the attacker has to return to retrieve the hardware keylogger.
Software Keyloggers
Can be installed through social engineering
Can tell which program the user is executing
Can categorize the keystrokes for the attacker
Can send the captured keystrokes to the attacker via email, IRC, or other communication channels
Spector360
http://www.spector360.com/overview/record.htm
Detecting Hardware Keyloggers
Can only be done by inspecting the keyboard connection
They don’t run inside the computer as a program; there’s no information in memory
KeyGhost Ltd. makes a keyboard with a built-in keystroke logger, so that even visual inspection is insufficient
Detecting Software Keyloggers
Use scanning software to inspect files, memory, and the registry for signatures of known keyloggers and other spyware
Some programs that detect keyloggers are:
FaceTime Enterprise Edition
Windows Defender
Ad-Aware
Spybot Search & Destroy
Webroot Spy Sweeper Enterprise
Spyware Doctor
Theft
A 2005 survey conducted by the Computer Security Institute and FBI found that laptop theft is the second greatest security threat (after viruses), tied only with insider abuse of network access.
Irwin Jacobs, the founder and CEO of Qualcomm, lost his laptop after a presentation; the laptop, which contained sensitive information, was gone.
MOM
There are three components of theft: means, opportunity, and motive (MOM).
The means for this theft was having a scheme
The motive was the value of the computer and its data
The opportunity came from poor protection of the computer
Defending Against Theft
STOP Security Plate
http://www.computersecurity.com/stop/index_b.html
Motion Sensor Alarm Lock
Sounds a 110 dB alarm if the cable is cut
When the motion sensor is on, it also sounds the alarm if moved
Heavy duty construction suitable for computers and A/V equipment in laboratories and public areas
www.securitykit.com/drive_locks.htm#alarms
Defending Against Theft (cont.)
To recover a stolen laptop, you can use a program that will phone home when your laptop is connected to the Internet, such as:
www.securitykit.com/pc_phonehome.htm
www.absolute.com/public/computraceplus/laptop-security.asp
www.xtool.com/p_computertracker.asp
www.ztrace.com/zTraceGold.asp
Dumpster Diving
Searching trash for useful information
Dumpster diving depends on a human weakness: the lack of security knowledge.
Many things can be found dumpster diving (e.g., CDs, DVDs, hard drives, company directories, and so forth).
Example
The most famous example of dumpster diving was performed by Jerry Schneider in southern California.
While in high school in 1968, Jerry found documentation regarding Pacific Telephone’s automated equipment ordering and delivery system, which he used to obtain equipment that he then sold as “refurbished”.
He accumulated hundreds of thousands of dollars worth of telephone equipment and established Creative Systems Enterprises to sell it; some of it was sold back to Pacific Telephone.
Example (cont.)
In January 1972, he was arrested. Police raided CSE’s offices and warehouse.
The District Attorney estimated the equipment found was worth $8,000. At that time, they learned that Schneider had made off with $125,000 worth of gear. Schneider later admitted to nearly $900,000.
At the age of 21, he started a security company in 1973, which he left in 1977.
Password Management
Users are given a lot of advice about setting passwords: make them long, complex, unique, and change them frequently.
Ironically, users that try to heed this advice sometimes fall into another pitfall: they write their passwords down and protect them poorly.
Post-it notes are left on monitors or under keyboards.
Forms of password attacks: finding passwords and guessing passwords.
Password Management (cont.)
With physical access to a computer, additional opportunities become available.
If an attacker doesn’t mind being detected, he or she can change the administrator’s password instead of cracking it.
This type of attack involves booting the system from an alternate operating system (e.g., Linux) via CD, equipped with a New Technology File System (NTFS) driver for Windows.
Password Management (cont.)
Some programs that reset the password this way are:
Windows Password Recovery
Petter Nordahl-Hagen’s Offline NT Password & Registry Editor
Emergency Boot CD
Austrumi
Password Management (cont.)
People have multiple passwords for various things (e.g., bank accounts, investment sites, e-mail accounts, instant messaging accounts, and so forth).
How can a person remember so many unique passwords without writing them down?
Phone
Social engineering by phone has one advantage over in-person attacks: an easy getaway. As long as the call isn’t traceable, all an attacker has to do is hang up.
Another advantage is that people only have to sound, not look, authentic on the phone.
Having the caller’s spoofed ID on the target’s phone display an internal extension, or the name and number of another company location, gives the attacker credibility as an insider.
Fax
Generally, a fax is a poor communication medium for social engineering, because there is no personal interaction.
However, a fax does show the telephone number of the sending fax machine, which comes from the configuration of the sending fax machine.
Combine this with authentic-looking stationery, and it is easy to fool people.
Fax machines located out in the open are vulnerable, because passersby can take documents that are left on top of the machine.
Fax (cont.)
There aren’t many fax machines being used anymore that use an ink ribbon or Mylar ink sheet; however, if you do find one, you might be able to read what was printed on the ribbon.
The waste basket nearest to the fax machine is also a good place to look for interesting discarded faxes.
Fax servers also deliver faxes to e-mail inboxes. E-mail accounts usually use insecure protocols such as SMTP and POP that transfer passwords in clear text; therefore, they are quite vulnerable.
Internet
Social engineering can also be conducted over the Internet.
E-mail messages and fraudulent Web sites might carry an air of legitimacy and authority that is lacking on the telephone.
It is easy to spoof the e-mail address of a sender to make it look legitimate.
E-mail messages can contain Hypertext Markup Language (HTML) to make them look professional. Armed with false legitimacy, several popular scams can occur.
Internet (cont.)
One such scam involves a person claiming to be a Nigerian government official who asks the reader for help transferring money out of his or her country.
If the reader agrees to allow monetary transfers into his or her bank account, he or she is supposed to receive a substantial fee.
Once the reader agrees to participate, the scammer asks him or her to pay various bribes and fees, which actually goes to the scammer.
Of course, the big transfer never occurs and the reader never gets paid.
Internet (cont.)
The “You have already won one of these three great prizes!” scam works by having the user send the scammer a “handling fee”; the scammer is then supposed to forward the prize.
The amount of the handling fee is unspecified and is usually greater than the value of the prize.
Phreaking
Before cellular phones (also known as cell phones), there were pay phones and phone cards.
Phone-card numbers could be obtained surreptitiously by shoulder-surfing the card owner while he or she entered the digits on the payphone.
Another way to get free telephone services is to use electronic devices known as Phreak Boxes (also known as blue boxes).
Phreak boxes work by sending special tones over a communication channel that is established for a voice conversation.
Phreak Boxes
Joe Engressia (a.k.a. joybubbles) discovered that the telephone network reacted to whistling into the phone at exactly 2600 Hertz (Hz).
He learned that that particular tone signaled a long-distance trunk line (i.e., free long distance).
Joe passed this information on to John Draper, who took that information and his knowledge of electronics and created the first phreak box, which played the 2600Hz tone onto a phone line.
Caller ID Spoofing and Cell Phones
Using TeleSpoof or some other type of caller ID-spoofing Web service, an attacker accessed Paris Hilton’s T-Mobile Sidekick account and downloaded all of her data.
Her account authenticated her on the basis of caller ID instead of a password
Even though her Sidekick account was password-protected, an attack on T-Mobile’s Web site reset Hilton’s password.
A social engineering attack was used by an adversary claiming to be with T-Mobile customer service.
The caller ID display on her phone verified this.
Short Message Service
The Short Message Service (SMS) permits a cell phone or Web user to send a short text message to another person’s cell phone.
If the recipient’s cell phone is Web-enabled, clicking on a hyperlink appearing in an SMS message will cause the cell phone to surf to the Web site addressed by that hyperlink.
The Web site could download malicious content to the cell phone, which could cause a number of problems (e.g., revealing the phone’s contact list).
Disguising Programs
Default setting in Windows XP is to hide extensions. The attacker can create a malicious program and name it syngress.jpg.exe or something similar.
When Windows hides the real .exe extension, the name is displayed as syngress.jpg: it appears to carry a .jpg extension, but Windows treats that “.jpg” as part of the base filename, not as the file type.
Because the bogus extension does not indicate an executable file, the recipient feels safe in opening it.
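As an added example (not part of the lecture), the following Python shows how the hidden-extension display turns syngress.jpg.exe into syngress.jpg, and gives a defender-side check that flags such double-extension attachment names; the attachment list and the set of executable extensions are constructed here.

```python
"""Added example (not from the lecture): how Windows' "hide extensions for known
file types" setting turns syngress.jpg.exe into syngress.jpg, and a defender-side
check that flags such double-extension names in a list of attachments.
The attachment names below are constructed for illustration."""
import os

# Extensions Windows runs as code when double-clicked (well-known set, constructed here).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".hta", ".msi"}


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Return the name Explorer shows for a file.

    With the default "hide extensions for known file types" setting only the
    final extension is hidden, so "syngress.jpg.exe" is shown as "syngress.jpg"
    while a genuine "syngress.jpg" is shown as just "syngress".
    """
    root, ext = os.path.splitext(filename)
    if hide_known_extensions and ext:
        return root
    return filename


def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable but the name carries an
    inner, harmless-looking extension such as .jpg or .pdf that will be the
    only one visible once the real extension is hidden."""
    root, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTENSIONS:
        return False
    _, inner_ext = os.path.splitext(root)
    # Only a non-executable inner extension counts as the classic disguise here.
    return bool(inner_ext) and inner_ext.lower() not in EXECUTABLE_EXTENSIONS


def find_disguised(attachments):
    """Return the attachment names a recipient would open in the false belief
    that they are documents or images."""
    return [name for name in attachments if is_disguised_executable(name)]


# Constructed sample attachment list for the demonstration.
SAMPLE_ATTACHMENTS = ["syngress.jpg.exe", "invoice.pdf", "photo.jpg",
                      "setup.exe", "report.doc.scr", "notes.txt"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        flag = "DISGUISED" if is_disguised_executable(name) else "ok"
        print(f"{name:20} shown as {displayed_name(name):15} {flag}")
```

Note that a genuine syngress.jpg is displayed as "syngress" under the same setting, so a visible ".jpg" in the display name is itself a tell.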
Phishing
Another attack that combines social engineering and technology is called phishing.
An e-mail message is sent that appears to be from a company that the recipient has an account with
The message contains some pretext for needing the recipient’s account identification and authentication credentials (usually a password).
To verify the recipient’s account, the target is asked to click on a hyperlink in the e-mail message.
The displayed address looks like a legitimate address, but the actual address links to the attacker’s Web site
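As an added example (not part of the lecture), a small Python check that a mail filter could run over an HTML message to find links whose displayed address names a different site than the href actually points to; the sample message and all hosts are constructed and use reserved example domains, and the function names host_of, site_of and find_deceptive_links are chosen here.

```python
"""Added example (not from the lecture): detect phishing links whose displayed
address differs from the address actually linked to.  A defender can run this
over the HTML body of an e-mail before it reaches the user.  The message below
is constructed; all hosts are reserved example domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace inside the visible link text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Visible link text that a reader would read as a web address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(text: str) -> str:
    """Hostname of a URL, or of a bare domain written without a scheme."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def site_of(host: str) -> str:
    """Last two labels of a hostname, so www.example.com and help.example.com
    both map to example.com.  Assumption: no public-suffix handling, so
    two-part suffixes such as co.uk are not treated specially."""
    return ".".join(host.split(".")[-2:])


def find_deceptive_links(html: str):
    """Return links whose visible text names one site while the href points
    to another, the pattern the lecture describes for phishing messages."""
    parser = LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if not LOOKS_LIKE_URL.match(text):
            continue  # "click here" style links need a different check
        if site_of(host_of(text)) != site_of(host_of(href)):
            deceptive.append({"displayed": text, "actual": href})
    return deceptive


# Constructed sample message: one deceptive link (the displayed site appears as
# a subdomain of the attacker's domain) and two honest links.
SAMPLE_EMAIL = """
<p>Dear customer, to verify your account please visit
<a href="http://example.com.example.net/login">https://www.example.com/secure</a>
within 24 hours. Questions? See <a href="https://help.example.com/">example.com</a>
or <a href="https://help.example.com/contact">click here</a>.</p>
"""

if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_EMAIL):
        print(f"displayed {hit['displayed']!r} but links to {hit['actual']!r}")
```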
SSL MITM Attacks
Because the communications are secured with SSL, the intercepted information would not be readable.
An attacker could replace the website certificate with his or her own certificate and send it to a user, but the certificate would have problems
The attacker’s certificate could be for the wrong domain name, or it could have the correct domain name but not be issued by a known or trusted CA
Most users would not know what to do with this. They are less likely to heed the warning and more likely to click OK.
SSL MITM Attacks (cont.)
The attacker creates his or her own certificate. On any other document, the signature would be detected as a forgery.
However, if the attacker makes up a convincing name for a CA that he or she controls, the digital signature on the certificate will belong with that certificate.
The only problem is that the identity of the attacker’s CA is unknown to the browser, and therefore the browser warns the user that there is no root certificate for the signer of this certificate.
Outline
Attacking People Layer
Defending People Layer
Risk Management
Defending the People Layer
People appear to be the weakest link in the security chain.
Once a computer is programmed to behave a certain way, it behaves that way consistently.
However, the same can’t be said about people, who can be a major source of risk.
Still, there are things that can be done to ameliorate that risk. The first line of defense is security policies.
Policies, Procedures, and Guidelines
All security flows from policies, which express the general way that a company operates and are the basis for all decision making.
A policy tells employees what is expected of them in the corporate environment.
Most companies have a mission statement that defines the organization’s purpose.
Policies should be written consistent with the organization’s mission statement.
The mission statement and policies must also comply with all applicable laws.
Policies, Procedures, and Guidelines (cont.)
General policies are broad.
A procedure gives detailed instructions on how to accomplish a task in a way that complies with policy.
A practice is similar to a procedure, but not as detailed.
A standard specifies which technologies and products to use in order to comply with policy.
Guidelines explain the spirit of policies, so that in the absence of appropriate practices and procedures, an employee can infer what management would like him or her to do in certain situations.
Types of Policies
General policies cover broad topics (e.g., the secure use of company property and computing facilities).
Information security policy is restricted to protecting information.
Issue-specific security policies cover narrower topics such as the appropriate use of the e-mail system.
System-specific security policies cover the differences between how Macs and PCs should be used and secured.
Who Creates Security Policy?
Effective policies must come from the highest levels of management.
A Chief Information Security Officer (CISO) should be appointed to write policies that make information security an integral part of business practices.
Business managers must be included in developing the policies so that they understand the security measures.
You will get the benefit of their knowledge in their respective business areas, while also instilling in them some ownership of the policies, which will motivate them to enforce the policies.
Data Classification
Public: Anyone inside or outside the company can obtain this information.
Internal: This information is not made available outside the company.
Limited Distribution: This information is only given to the individuals named on the distribution list. Each copy is uniquely identified; additional copies are never made.
Personal: This information pertains to an employee’s individual status (e.g. employment terms, appraisals, benefit claim, and so forth).
US Military Classification
Unclassified: Information that can be copied and distributed without limitation.
Sensitive But Unclassified (SBU): “Any information of which the loss, misuse, or unauthorized access to, or modification of might adversely affect U.S. National interests, the conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.”
Confidential: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.”
US Military Classification (cont.)
Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.”
Top Secret: “Any information or material the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.”
Education, Training, and Awareness Program
Security is not intuitive; most people do not think in those terms (e.g., a help desk analyst is trained to be helpful, not suspicious).
Therefore, if everyone is a potential vulnerability and employees do not have the necessary outlook and knowledge, there is a clear need for education, training, and awareness programs
Education
The only countermeasure to social engineering is education. Employees should know what social engineering attacks look like.
Short educational demonstrations depicting an employee and a social engineer can provide a good introduction to the principles of social engineering attacks, which include authority, liking, reciprocation, consistency, social validation, and scarcity.
Education (cont.)
All employees should:
Know to challenge people trying to enter the building without a badge
Understand data classification labels and data handling procedures
Know what to do with attachments to received e-mail messages
Know not to bring in software from home
Some employees need specialized security training:
Programmers need to learn how to develop secure applications
Information security personnel need to know the procedures for selecting and applying safeguards to assets
Network infrastructure specialists need to know how to deploy network components securely
Education (cont.)
Upper management plays an important role in information security
Management funds the security projects
Management is responsible for due care and due diligence
Data owners are officers of the company and must classify data
Data custodians implement and maintain management’s data classification decisions
Management ensures that everyone in the company (including themselves) does their part to secure the enterprise
Management sets an example and adheres to security policies
Due Care and Due Diligence
Due care: steps taken to show that a company has taken responsibility for the activities that occur within the corporation and has taken the necessary steps to help protect the company, its resources, and employees.
Due diligence: the process of systematically evaluating information to identify vulnerabilities, threats, and issues relating to an organization’s overall risk.
Training
Education is about principles; it’s more general. Training is about procedures; it’s more specific.
There should be separate training programs for general employees, programmers, security professionals, and management.
Training is necessary because people benefit from repetition, it shows the ongoing commitment to security, and because the security situation of the company changes as the company and the world around it change.
Security Awareness Programs
Once an employee has been trained, we must continue to reinforce the messages to make them stick, and to increase the employee’s understanding
Security Awareness Tools
A column in the weekly or monthly company periodical
A security newsletter, on paper or in e-mail
A sticker on the employee’s keyboard
Posters in the common area
Contests that reward employees for positive behavior with respect to security
Banner messages that appear when a user logs onto their computer, or when they start a specific program such as e-mail
A note in their paycheck envelope
An announcement on the public address system
A special mailing to the employees’ homes
A measured goal on the employee’s performance plan, to be evaluated in the employee’s appraisal
Employees should sign an agreement to follow the policies when hired, and then annually
Evaluation
Attendance in the classes alone is not sufficient. Evaluation can tell us if the knowledge is present in the employee.
Evaluation can be broken down into levels. This allows an employee to have some success even before he’s able to master all the things that we want him to know.
Testing
Written evaluations measure knowledge, but what we want most is to measure performance.
How well will individuals, and the enterprise as a whole, perform when faced with a threat?
Companies should perform periodic penetration tests. If several individuals are involved, this group is called a tiger team or a red team.
The pen test is only conducted with the written permission of management.
Penetration Testing
A full pen test attacks the following areas:
Technical controls: firewalls, servers, applications
Physical controls: guards, visitor log, surveillance cameras
Administrative controls: policies and procedures
Personnel: compliance with policies and procedures, awareness of social engineering
White-box VS Black-box Pen Test
A white-box test could be performed by company insiders and takes advantage of all the documentation for the network architecture, the policies and procedures, the company directory, etc.
A black-box penetration test must be done by outsiders, since it requires that the testers have no advance knowledge of the company’s internal workings.
Outline
Attacking People Layer
Defending People Layer
Risk Management
Risk Management
Risk management is the process of identifying risks to an organization’s assets and then implementing controls to mitigate the effects of those risks
An asset is a person or object that adds value to an organization.
We also need to know how to protect assets from threats (e.g., theft, hurricane, and sabotage).
This determination measures our vulnerability to the threat.
Then we begin thinking about specific protection mechanisms, called controls.
Risk Management (cont.)
Once the controls are in place, we evaluate them using vulnerability assessments to see how vulnerable our systems and processes remain.
We conduct penetration tests to emulate the identified threats; if the results fall short of our expectations, we get better or additional controls
General Risk Management Model
Asset Identification
Personnel
Buildings
Equipment
Furniture
Software (purchased and home-grown)
Intellectual property
Inventory
Cash
Processes
Reputation
Asset Valuation
The cost to design and develop or acquire, install, maintain, and protect the asset
The cost of collecting and processing data for information assets
The value of providing information to customers
The cost to replace or repair the asset
Depreciation; most assets lose value over time
Acquired value; information assets may increase in value over time
The value to a competitor
The value of lost business opportunity if the asset is compromised
A reduction in productivity while the asset is unavailable
Threat Assessment
Quantitative assessment: try to assign accurate numbers to such things as the seriousness of threats and the frequency of occurrence of those threats.
Qualitative assessment: utilize the experience and wisdom of our personnel to rank and prioritize threats.
Quantitative Assessment
Single Loss Expectancy (SLE)
SLE = asset value x exposure factor
The percentage of the asset value that would be lost is the exposure factor (EF)
The exposure factor (and therefore the SLE relative to the asset value) can be greater than 100%
The likelihood of the incident, i.e. the frequency of the threat each year, is the Annualized Rate of Occurrence (ARO)
If we expect a threat to occur three times per year on average, then the ARO equals 3.
Annual Loss Expectancy
The ALE represents the yearly average loss over many years for a given threat to a particular asset
ALE = SLE x ARO
Annual Loss Expectancy (cont.)
Some risk assessment professionals add another factor: uncertainty
ALE = SLE x ARO x uncertainty
where uncertainty ranges from 1 for completely certain, to numbers greater than one for more uncertainty
Qualitative Assessment
A qualitative assessment is based on the experience, judgment, and wisdom of the members of the assessment team.
Delphi Method: a procedure for a panel of experts to reach consensus without meeting face-to-face.
Modified Delphi Method: may include extra steps such as validating the expertise of panel members, or allowing some personal contact.
Brainstorming: somewhat less structured. A group leader establishes ground rules and guides the experts through the process.
Qualitative Assessment (cont.)
Storyboarding: processes are turned into panels of images depicting the process, so that it can be understood and discussed.
Focus Groups: employ panels of users who can evaluate the user impact and state their likes and dislikes about the safeguard being evaluated.
Surveys: used as an initial information-gathering tool. The results of the survey can influence the content of the other evaluation methods.
Questionnaires: limit the responses of participants more than surveys, so they should be used later in the process when you know what the questions will be.
Qualitative Assessment (cont.)
Checklists: used to make sure that the safeguards being evaluated cover all aspects of the threats.
Interviews: useful in the early stages of evaluation. They usually follow the surveys to get greater detail from participants, and to give a free range of responses.
These techniques are used to rank the risks in order to determine which should be handled first, and which should get the largest budget for countermeasures.
Control Design and Evaluation
Deterrent: make it not worth it to the attacker to intrude
Preventive: prevent incidents from occurring
Detective: detect incidents when they occur
Recovery: mitigate the impact of incidents when they occur
Corrective: restore safeguards and prevent future incidents
Residual Risk Management
Avoidance: reduce the probability of an incident
Transference: give someone else (e.g. an insurance company) the risk
Mitigation: reduce the impact (exposure factor) of an incident
Acceptance: determine that the risk is acceptable without additional controls
Residual Risk Management (cont.)
Risk cannot be eliminated; it can only be reduced and handled.
After reducing risk through avoidance, transference, or mitigation, whatever risk remains is known as residual risk.
If the residual risk is at a level which the company can live with, then the company should accept the risk and move on to the next threat.
If the residual risk is too large to accept, then additional controls should be implemented to avoid, transfer, and mitigate more risk.
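As an added example (not part of the lecture) covering both the quantitative assessment above and the residual-risk strategies, the following Python computes SLE and ALE with the lecture’s formulas, ranks threats by ALE, and then tests whether the residual risk left after avoidance, mitigation and transference is small enough to accept; all asset values, factors and threat names are constructed, and modelling transference as a cut in the retained exposure factor is an assumption made here.

```python
"""Added example (not from the lecture): the lecture's quantitative model,
SLE = asset value x exposure factor and ALE = SLE x ARO x uncertainty, used to
rank threats and then to test whether the residual risk left after avoidance,
transference or mitigation is small enough to accept.  All figures below are
constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float        # value of the asset at risk, in currency units
    exposure_factor: float    # fraction of asset value lost per incident (may exceed 1.0)
    aro: float                # annualized rate of occurrence (incidents per year)
    uncertainty: float = 1.0  # 1.0 = completely certain; larger = less certain estimate


def sle(t: Threat) -> float:
    """Single loss expectancy: the loss expected from one incident."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized loss expectancy, including the optional uncertainty factor."""
    return sle(t) * t.aro * t.uncertainty


def rank_by_ale(threats):
    """Largest expected yearly loss first: these threats are handled first and
    get the largest countermeasure budget."""
    return sorted(threats, key=ale, reverse=True)


def apply_control(t: Threat, strategy: str, fraction: float) -> Threat:
    """Model one residual-risk strategy from the lecture.

    avoidance    - lowers the probability of an incident (ARO) by `fraction`
    mitigation   - lowers the impact (exposure factor) by `fraction`
    transference - `fraction` of each loss is carried by someone else (e.g. an
                   insurer); modelled here, as an assumption, as a cut in the
                   retained exposure factor
    """
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must lie between 0 and 1")
    if strategy == "avoidance":
        return replace(t, aro=t.aro * (1.0 - fraction))
    if strategy in ("mitigation", "transference"):
        return replace(t, exposure_factor=t.exposure_factor * (1.0 - fraction))
    raise ValueError(f"unknown strategy: {strategy}")


def residual_decision(t: Threat, controls, acceptable_ale: float):
    """Apply controls in order; return (residual threat, residual ALE, accepted).
    accepted is True when what remains is at a level the company can live with."""
    for strategy, fraction in controls:
        t = apply_control(t, strategy, fraction)
    remaining = ale(t)
    return t, remaining, remaining <= acceptable_ale


# Constructed threats.  ARO = 3 mirrors the lecture's "three times per year".
THREATS = [
    Threat("laptop theft", asset_value=20_000, exposure_factor=0.5, aro=3),
    Threat("phishing", asset_value=50_000, exposure_factor=0.2, aro=2),
    Threat("dumpster diving", asset_value=100_000, exposure_factor=0.1, aro=0.5,
           uncertainty=1.5),
]

# Constructed controls for laptop theft: cable locks and alarms halve the ARO
# (avoidance); full-disk encryption cuts the loss per incident by 60% (mitigation).
LAPTOP_CONTROLS = [("avoidance", 0.5), ("mitigation", 0.6)]

if __name__ == "__main__":
    for t in rank_by_ale(THREATS):
        print(f"{t.name:16} SLE={sle(t):>9,.0f}  ALE={ale(t):>9,.0f}")
    _, remaining, ok = residual_decision(THREATS[0], LAPTOP_CONTROLS, acceptable_ale=5_000)
    print(f"residual ALE for laptop theft: {remaining:,.0f} -> "
          f"{'accept' if ok else 'add controls'}")
```

With the constructed figures the laptop-theft ALE falls from 30,000 to 6,000 after the two controls, still above the 5,000 threshold, so a further control (for example transferring half the remaining loss to insurance) is needed before the residual risk can be accepted.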
Questions?