ISACA CISM – Domain 02 – Information Risk Management Part 3
April 1, 2023

14. Technologies

We also should take a look at the different technologies, again having that overview. So an information security manager should have a good conceptual understanding of some of the following things, like application security. Now, when we talk about application security, we can look at it from many different perspectives. It could very well be: does the application run? Does it have bugs? Does it crash? Are there known flaws that we try to work around? Because if we don’t deal with those, the information, the data, can’t be trusted or worthwhile. That’s a lot of different things in there, right? Bugs in the application, the output of the application not being accurate, that would be disastrous for us. But we can also look at application security from what we might call fuzzing attacks, where people purposely put in bad information to see if they can make it break or to see how it reacts.

Some people may use your web applications as a way to issue commands to your database server to do disastrous things within your network. So those are all aspects that you might look at when we say application security, and you’ll notice that I’m looking at how it functions, how it works, what its output looks like and how people can exploit that particular application. We can say the same thing with physical security as well. We have to remember the old adage: if I can touch it, I own it. And that’s very true when it comes to routers, switches, firewalls, hardware devices; almost all of them have, on their own public websites, the steps I would go through to do password recovery.

And almost every single one of them I know of results in my having to have physical contact with the device, so that I can manipulate its controls on the side or front panel while making a connection to be able to do that break-in. Other aspects of physical security could be the theft of items. A lot of people invest money in cable locks for their laptops so that people won’t walk away with a whole laptop. But if I’m really a hacker and I’m after the data, I don’t care if I smash your laptop into pieces; I want the hard drive that’s in it. So with some of those aspects, again, I’m just trying to point in directions of how you might look at physical security. You may also look at things like entry doors, whether piggybacking is allowed, the availability of guards, or people that you register with access cards, and the rest of it. Your environmental controls are also very important.

Obviously, electronic equipment does not do very well at high temperatures. Unless you have a fire, I’m not expecting that you’re going to melt something. But performance certainly does begin to degrade as components get too hot, and it can cause permanent damage to the actual system boards. Likewise, we can have environments with too much humidity, causing corrosion, or too little humidity, causing static electricity. And yes, it is possible for you to destroy system boards and other hardware devices through a static charge. So all of those are examples of things we would look at environmentally, as well as, of course, the power supply: the condition of the power, whether there’s a lot of line noise in the power, or a lot of surges or brownouts. Then there are your logical and network access controls.

So, logically, a lot of these controls are things you might see like signing in with usernames and passwords. Network access controls could be devices that look for biometrics. A lot of what I’m describing are authentication measures, but part of access control is having proper authentication and then having the authorization, knowing what you’re allowed to do. Network equipment is a very vague, or very broad, term. Network equipment, you could even make the argument, is the operating systems for your network devices, your servers, certainly the routers, the switches, the firewalls, repeaters, wireless access points, on and on it goes. Each of them has its own issues that we should be familiar with, as far as what they’re capable of doing and the areas where we want to be familiar with weaknesses, specifically in the network equipment.

I did talk about some things that might be classified as your security equipment. Security equipment, though, is not just technological, right? It’s not just firewalls, intrusion detection, antivirus scanning. Security equipment can also be the type of locks that you use on the doors, as one example. I do a lot of training in the realm of ethical hacking. We had an advanced class that we used, and we actually taught people how to pick the locks on your regular tumbler doorknobs. And you’d be surprised that in 30 minutes’ time I can teach an entire class how to easily pick those tumbler locks and gain entry to any facility that has that kind of security. So that might be another type of security equipment. Then there’s taking care of data when it’s in motion and at rest.

We talk about that a lot, that it needs to be safe. We usually do that through encryption technologies, and there’s a variety of types of encryption technologies, a lot of different protocols, or algorithms I should say, that we can use for encryption. We have a lot of options for how we encrypt things when they’re stored and how we encrypt communications. Malware seems to be something that I think we all can relate to. That’s a broad category of your viruses, trojans, worms, and so on. It’s generally software that’s doing things that you either don’t know about or didn’t approve.

And we have a whole new realm of things we have to be careful of when we’re talking about technologies, and that’s telecommunications. Now, when I say it’s a whole new realm, we are seeing a big push into moving voice traffic onto the data network. And as such, that means that we have eliminated some risks that we may have had with a regular PBX or another type of outside line. But we have a new set of risks that we have to look at that deal with regular data traffic moving across our networks, since your voice messages are turned into regular data packets. But I can take telecommunications and probably expand it from there.

We’re seeing a huge increase in smartphones, phones that can connect to your own network through VPNs. I realize, as an example, Juniper has a little app that you can use on your smartphone to create a secure VPN connection back into the network. So this device is something I may want to be careful of, as it introduces new risks or new points of access. Telecommunications, again, with voice over IP, could move into the world of pads, all sorts of great things that are very helpful for our network but can bring in a new set of risks that we need to evaluate.

15. Lesson 4: Implementing Risk Management

We’re going to take a look at implementing risk management. Now, as we’ve said, for effective information security risk management, for it not to be bypassed or subverted, there must be an effective process for the implementation, and that process should be established. Now, you have to think about this as you digest that statement: during implementation it is possible that we can bypass a lot of our security or subvert it as we’re trying to reach that desired state of security. And in that process, we also have to realize how far-reaching it might be and what we have to look for.

So we’re going to talk about the implementation. And just at the outset, what we just mentioned, although maybe not directly, is that there’s even risk involved in implementing risk management, even risk in doing the risk management incorrectly, again being able to bypass or subvert some of the results. All right, so what do we need for implementing? The process of risk management often has a few concepts, things that we need to look at, our terms, things like scope and boundaries, which you could talk about as your global parameters. Remember, we’re trying to avoid having specific business units sitting as their own little silos; we want to realize that there may be some overlapping duties, some overlapping functions, but we still need to make sure, at least when we are working with risk management, that we know what those scopes and boundaries are.

Through that process, we have risk assessment, which is the identification of risk, the risk analysis, and even the risk evaluation. The risk treatment would be the strategies that we use to deal with any of the identified risks that we have. The acceptance of residual risk is a management decision. That is part of our goal of what we’re trying to manage, which is getting risk reduced to a level that the organization has the appetite to accept. And of course, risk communication and monitoring is the ability for us to exchange the information that we’ve learned through this process of risk management with all of the people that have the associated roles and responsibilities.

16. The Risk Management Framework

When we look at risk management, there are a number of frameworks that we can use. Now, often we use a framework as a reference model. A framework just means that somebody has a plan for how you can manage risk, and there are many different options out there. But it is just that, a reference model; that means that we would use that framework as a starting point rather than creating our own from scratch, from the ground up. And we can adapt the ones that we have to the organization and use that information as a way of helping guide us to what our desired states are going to be. Now, there are a lot of existing models to choose from. Regardless of the models that you choose, they have a lot of things in common.

Often they deal with things like policy. Now again, policies are generally pretty brief statements that talk about what our end goal is going to be and what we’re trying to achieve. We have planning and resourcing as a part of these models, and that’s a very important part of it because, again, in overall risk management, as with any project, there is some planning entailed, of course, and whether or not we have the resources, or how we deal with resources, is either an advantage or a constraint. At some point, when we’re done with the planning stage, or the development stage as we sometimes call it, we have the implementation, the implementation program.

So a lot of these frameworks talk about methods of getting through that process. And once implemented and running, it does need to be managed, it does need to be maintained and monitored. So there are options for management review, and also when we’re completely done, and in fact not even just when we’re done but through this entire process, we should have adequate documentation of what’s happening. And so a part of this framework might include the risk management process and the risk management documentation. I think, again, all very crucial parts, but remember, it is a guideline or a reference model that you can use in building risk management for your organization.

17. The External Environment

Part of what we want to look at is the external environment, because the external environment, when it comes to risk management, can really affect or even add to the definition of risk management. Things like understanding the local market, if that’s at all applicable to your organization, and issues dealing with competition. And these are big issues, right? Because competition means, as we say in sales, we don’t want somebody else to steal our lunch. With competition, we don’t want, well, we hope anyway, that the other companies don’t pass us or do better than us, or send people in to spy and try to copy what you’re doing.

The financial and political environment can have a lot of influence on risk management. Obviously your regulatory laws are certainly a part of it, things that we can’t get around and that we have to make sure we’re following. Then there are the social and cultural conditions; we’ve talked a lot about the culture internally, but of course there’s also the external environment that may have a lot to say about it. There have certainly been a lot of news stories about some organizations having groups of people who are against what they do. I hear about the big blank type of company. I don’t want to pick on any industry, because that’s not my game at all. But we hear some of these things about how your product is hurting this part of our world or this group of people.

And some of those might have some influence on your risk management. And obviously your external stakeholders, those who have a vested interest in what your company does, may even have some say, even over who’s managing it on the board of directors; your external stakeholders may even be your customers. And they have some influence on what you’re doing with risk management as well.

18. The Internal Environment

Realize also that the internal environment will have some impact on the risk management. And again, especially when we’re looking at the risk assessment, we have to take a look at things like the business drivers, such as the market competitive advances that are going on. And that of course is a broad statement, because there are so many different types of businesses out there. But needless to say, there may be some things that are making this business work. For example, and I throw this one out here because it’s still the case, web page design: many times there have been big problems with web page designs, such as security breaches, because the business drivers were such that they had to get up first and big so everybody could see them, because it’s a competition.

We want to be as up to date, cutting edge, bleeding edge some people might say. And sometimes those business drivers may force us to publish information that might not be right, or web pages or applications that don’t work well. In fact, while I’m thinking about it, I remember back in the year 2000, it’s amazing that’s over ten years ago, there was this whole controversy over voting machines and the paper ballot and the hanging chads. So one company was trying to come first to the market with an electronic voting system, and it was found to have so many bugs that anybody who walked up to it could probably have broken in and altered the votes.

But the business driver was to be first to the market. So we have to consider that that might have an effect on our business risk assessment. Obviously, of course, we also have to know what the existing strengths and weaknesses are, as well as the emerging opportunities for this business. The internal stakeholders have their culture; again, there we are of course talking about people with a vested interest in how the company works, from being an employee perhaps. We also need to be aware of what assets we have available, and remember that our goal still is to support the business objectives.

19. The Risk Management Context

Now there is a context for risk management. And to actually define the context means that we have to define things like what the organization’s processes or activities are, the things that we need to assess. We also have to ask questions about the duration of these processes, the scope of the risk management activities, and what the roles and responsibilities are for those that are going to be involved in this entire management process. And in that context, duration, by the way, may also really be looked at as the time that we have to work on the risk management, right? So we have timelines, we have deadlines, and those are going to have some effect on how we do our risk assessment. And of course, that’s a part of what we have to deal with in risk management.

20. Gap Analysis

So when we get to the term gap analysis, it’s a term you’re going to see quite frequently, and the concept of gap analysis is always going to be the same. It’s just a matter of where you are and where you want to be. And it’s applied whether you’re creating maybe a new incident response management plan, or whether you’re making a new type of control or adding a new control. But basically the context for it here in risk management is this: with risk management we’ve identified a risk, and we’ve hopefully determined a good countermeasure or a way to mitigate that risk. And so what we basically are saying is that at this point we’re looking at the gap between the controls that we’re going to use, the controls or the countermeasures, and what the control objectives are.

In other words, if you were to buy a new firewall that had all of these features, the bells and whistles of some of these next-generation firewalls, you probably purchased it because you saw that there was a need and it had the ability to mitigate the risk. But just installing it is not going to get you there. There’s going to be configuration and everything else, and testing. So at some point you have the control and the control objectives, and that’s what the gap is. The objectives, I’d say, should be developed as a consequence of trying to create an information security governance and strategy. And again, some of the control objectives that you put out there could change based on what you’ve found in the risk management.

It could be based on the types of exposures, exposures to the potential of a threat. It might be for business objectives; again, always thinking about business needs first. That’s always our first one. Or perhaps some regulatory law has changed, or been updated or added. And with new regulations you have to make sure you can get into compliance with those regulations. And you might be able to do that by creating these control objectives that basically help you say, okay, my control can do this, I just have to get it to that point and then we’ll be in compliance. And that would again be the gap: where you are versus where you want to go.
