
Endpoint Security


Endpoint Security

Chapter 11
OBJECTIVES COVERED

Domain 2.0: Architecture and Design


• 2.1 Explain the importance of security concepts
in an enterprise environment.
• 2.6 Explain the security implications of
embedded and specialized systems.
Domain 3.0: Implementation
• 3.2 Given a scenario, implement host or
application security solutions.
Domain 4.0: Operations and Incident Response
• 4.1 Given a scenario, use the appropriate tool
to assess organizational security.
PROTECTING ENDPOINTS
PRESERVING BOOT INTEGRITY
ENDPOINT SECURITY TOOLS

Antivirus and Anti-malware

Whitelisting and Blacklisting

Endpoint Detection and Response

Data Loss Prevention

Network Defenses
ANTIVIRUS AND ANTI-MALWARE

Common methods:
• Signature-based detection
• Heuristic, or behavior-based, detection
• AI and machine learning systems
• Sandboxing
NETWORK DEFENSES
HARDENING ENDPOINTS AND SYSTEMS

• Service hardening
• Operating system hardening
SERVICE HARDENING
Port and protocol                  | Windows          | Linux
22/TCP - Secure Shell (SSH)        | Uncommon         | Common
53/TCP and UDP - DNS               | Common (servers) | Common (servers)
80/TCP - HTTP                      | Common (servers) | Common (servers)
137-139/TCP and UDP - NetBIOS      | Common           | Occasional
389/TCP and UDP - LDAP             | Common (servers) | Common (servers)
443/TCP - HTTPS                    | Common (servers) | Common (servers)
3389/TCP and UDP - Remote Desktop  | Common           | Uncommon
Protocol (RDP)

Note: NetBIOS uses ports 137-139 (the original slide's "125-139" is a typo). Any listening port that the host's role does not require is a candidate for disabling as part of service hardening.
SERVICE HARDENING - SERVICES.MSC
OPERATING SYSTEM HARDENING
• Configuration settings recommended by the CIS
benchmark for Windows 10 include:
– Setting the password history to remember 24 or
more passwords
– Setting the maximum password age to "60 or
fewer days, but not 0". Combined with the history
setting, this prevents users from simply changing
their password 24 times to get back to the same
password, while requiring a change every 2 months
(0 would mean passwords never expire)
– Setting the minimum password length to 14 or
more characters
– Requiring password complexity
– Disabling the storage of passwords using
reversible encryption
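The CIS values above can be checked mechanically rather than by clicking through the Local Security Policy console. The following is an example added to these notes (it is not CIS or Microsoft code). It assumes the INF format written by `secedit /export /cfg policy.inf`, whose [System Access] section carries the keys used below; the sample export is constructed so the block runs offline.

```python
"""Check a Windows password-policy export against the CIS Windows 10
values listed above. Example code added to these notes, not from the
CIS benchmark or any vendor tool. SAMPLE_INF is constructed; on a real
host the text would come from `secedit /export /cfg policy.inf`
(assumption: that tool's INF layout)."""
import re

# One check per CIS setting from the slide; each lambda returns True when compliant.
CIS_CHECKS = {
    "PasswordHistorySize":   (lambda v: v >= 24,    "remember 24 or more passwords"),
    "MaximumPasswordAge":    (lambda v: 0 < v <= 60, "60 or fewer days, but not 0"),
    "MinimumPasswordLength": (lambda v: v >= 14,    "14 or more characters"),
    "PasswordComplexity":    (lambda v: v == 1,     "complexity required"),
    "ClearTextPassword":     (lambda v: v == 0,     "no reversible encryption"),
}

# Constructed export of a host that fails three of the five checks.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(inf_text):
    """Return the integer key/value pairs of the [System Access] section."""
    settings, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "System Access" and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if re.fullmatch(r"-?\d+", value):
                settings[key.strip()] = int(value)
    return settings


def evaluate(settings):
    """Return {key: (compliant, actual, expected)} for every CIS check.
    secedit writes MaximumPasswordAge = -1 for 'password never expires'
    (shown as 0 in the GUI), so any value <= 0 fails the 'but not 0' rule.
    A key missing from the export is treated as non-compliant."""
    results = {}
    for key, (check, expected) in CIS_CHECKS.items():
        actual = settings.get(key)
        results[key] = (actual is not None and check(actual), actual, expected)
    return results


def failing(settings):
    """Sorted list of setting names that do not meet the CIS value."""
    return sorted(k for k, (ok, _, _) in evaluate(settings).items() if not ok)


if __name__ == "__main__":
    for key, (ok, actual, expected) in evaluate(parse_system_access(SAMPLE_INF)).items():
        print(f"{'PASS' if ok else 'FAIL'} {key}={actual} (CIS: {expected})")
```

Run it against a real export and every FAIL line is a deviation to fix or to document through the change-management process described later in these notes.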
CONFIGURATION, STANDARDS,
AND SCHEMAS

• Naming standards
• Addressing schemas
• Patch management
FILE MANIPULATION &
OTHER USEFUL COMMAND LINE TOOLS

head – shows the first 10 lines of a file by default

tail – shows the last 10 lines of a file by default

cat – used to display a file or to concatenate files

grep – searches by text or pattern

chmod – sets file permissions

logger – writes a message to the system log (syslog)


LINUX FILE PERMISSIONS
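The commands above are normally combined in an audit: list files, read the permission string, and decide what `chmod` should change. The following is an example added to these notes, not code from the original page. It parses `ls -l`-style mode strings into the bits that `chmod` manipulates and flags world-writable files and setuid binaries; the listing it runs over is constructed (on a real host it would be the output of `ls -l` or `find`).

```python
"""Audit Linux file permissions from an `ls -l`-style listing.
Example code added to these notes, not from the original page.
SAMPLE_LISTING is constructed; a real one would come from `ls -l`."""
import stat

SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root   68208 Jan  1 12:00 /usr/bin/passwd
-rwxrwxrwx 1 root root     512 Jan  1 12:00 /opt/app/deploy.sh
-rw-r--r-- 1 root root    1024 Jan  1 12:00 /etc/ssh/sshd_config
-rw-rw-rw- 1 app  app      300 Jan  1 12:00 /opt/app/.env
drwxrwxrwt 5 root root    4096 Jan  1 12:00 /tmp
-rwsr-xr-x 1 app  app   102400 Jan  1 12:00 /opt/app/bin/helper
"""

# Permission bits in the order they appear in the 9-character rwx string.
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)


def symbolic_to_mode(sym):
    """Convert a 10-character ls mode string (e.g. '-rwsr-xr-x') to an int.
    's'/'t' mean the special bit plus execute; 'S'/'T' mean special bit only."""
    if len(sym) != 10:
        raise ValueError(f"not a mode string: {sym!r}")
    mode = 0
    for ch, bit in zip(sym[1:], _BITS):
        if ch in "rwxst":
            mode |= bit
    if sym[3] in "sS":
        mode |= stat.S_ISUID
    if sym[6] in "sS":
        mode |= stat.S_ISGID
    if sym[9] in "tT":
        mode |= stat.S_ISVTX
    return mode


def mode_to_octal(mode):
    """Octal form as chmod would accept it, e.g. '4755'."""
    return f"{stat.S_IMODE(mode):04o}"


def audit_line(line):
    """Return (path, mode, findings) for one listing line."""
    parts = line.split(None, 8)  # mode links owner group size month day time path
    sym, owner, path = parts[0], parts[2], parts[8]
    mode = symbolic_to_mode(sym)
    is_dir = sym[0] == "d"
    findings = []
    # World-writable is fine only for sticky directories such as /tmp.
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid" if owner == "root" else "setuid (non-root owner)")
    if mode & stat.S_ISGID and not is_dir:
        findings.append("setgid")
    return path, mode, findings


def audit_listing(text):
    """Map each path with at least one finding to its findings."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            path, _, findings = audit_line(line)
            if findings:
                results[path] = findings
    return results


def remediation(path, findings):
    """chmod commands that clear the risky bits; root-owned setuid binaries
    are reported but left alone, since many (passwd) are legitimate."""
    cmds = []
    if "world-writable" in findings:
        cmds.append(f"chmod o-w {path}")
    if "setuid (non-root owner)" in findings:
        cmds.append(f"chmod u-s {path}")
    return cmds


if __name__ == "__main__":
    for path, findings in audit_listing(SAMPLE_LISTING).items():
        print(path, findings, remediation(path, findings))
```

The sticky-bit exception is the usual false positive in naive "find world-writable" checks; the ordinary cause of a finding like `/opt/app/.env` is a deployment script that ran `chmod 666` to make a permission error go away.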
SCRIPTING, SECURE TRANSPORT,
AND SHELLS: 3 IMPORTANT SECURITY+
CONCEPTS

• Secure Shell (SSH)
• OpenSSL
• PowerShell
SECURING EMBEDDED AND
SPECIALIZED SYSTEMS
EMBEDDED SYSTEMS

Three types of systems:
• Raspberry Pi
• Arduinos
• FPGAs
ASSESSING EMBEDDED SYSTEMS

1. Identify the manufacturer or type of embedded system and acquire
documentation or other materials about it.

2. Determine how the embedded system interfaces with the world: does it
connect to a network, to other embedded devices, or does it only have a
keyboard or other physical interface?

3. If the device does provide a network connection, identify any services
or access to it provided through that network connection, and how you
can secure those services or the connection itself.

4. Learn about how the device is updated, if patches are available, and
how and when those patches should be installed, then ensure a patching
cycle is in place that matches the device's threat model and usage
requirements.

5. Document what your organization would do in the event that the device
had a security issue or compromise. Could you return to normal? What
would happen if the device were taken offline due to that issue? Are
there critical health, safety, or operational issues that might occur if
the device failed or needed to be removed from service?

6. Document your findings and ensure that appropriate practices are
included in your organization's operational procedures.
SCADA AND ICS
SECURING THE INTERNET OF THINGS
(IOT)

Common issues:
• Poor security practices
• Short support lifespans
• Vendor data handling practice issues
SPECIALIZED SYSTEMS

• Medical systems
• Smart meters
• Vehicles
• Drones and autonomous vehicles (AVs)
• VoIP systems
• Printers
• Surveillance systems
SECURITY CONSTRAINTS OF EMBEDDED
SYSTEMS

• The overall computational power and capacity of embedded systems is
usually low.

• Embedded systems may not connect to a network at all; where network
connectivity is necessary, it is often limited or non-standard.

• Embedded systems may be very low cost, but many are effectively very
high cost because they are built into expensive equipment.
Network Security

Chapter 12
OBJECTIVES COVERED
Domain 1.0 Attacks, Threats, and Vulnerabilities
• 1.3 Given a scenario, analyze potential indicators
associated with application attacks.
• 1.4 Given a scenario, analyze potential indicators
associated with network attacks.
Domain 2.0 Architecture and Design
• 2.1 Explain the importance of security concepts in an
enterprise environment.

Domain 3.0: Implementation
• 3.1 Given a scenario, implement secure protocols.
• 3.3 Given a scenario, implement secure network designs.

Domain 4.0: Operations and Incident Response
• 4.1 Given a scenario, use the appropriate tool to assess
organizational security.
DESIGNING SECURE
NETWORKS
NETWORK SEGMENTATION

• DMZs – Network zones that contain systems that are exposed to less
trusted areas

• Intranets – Internal networks set up to provide information to
employees or other members of an organization

• Extranets – Networks that are set up for external access, typically by
partners or customers rather than the public at large
NETWORK ACCESS CONTROL (NAC)

• NAC technologies focus on determining whether a system or device
should be allowed to connect to a network and place it into an
appropriate zone.
• Can either use an installed software agent or be agentless (run from
a browser or via another means)
• Can be an effective policy enforcement tool
• NAC checks can occur before a device is allowed on the network
(pre-admission) or after it has connected (post-admission)
PORT SECURITY AND PORT LEVEL
PROTECTIONS

• Loop prevention
• Broadcast storm prevention
• Protocol-level protections:
– Bridge Protocol Data Unit (BPDU) guard
– Dynamic Host Configuration Protocol (DHCP) snooping
PORT SPANNING/PORT MIRRORING

• Port mirror – Sends a copy of all of the traffic sent to one switch
port to another switch port for monitoring

• SPAN – Can do the same thing but can also combine traffic from
multiple ports to a single port for analysis
VIRTUAL PRIVATE NETWORK (VPN)

2 major VPN technologies:
• IPSec VPNs
• SSL VPNs

2 implementation decisions:
• Remote access VPNs or site-to-site VPN
• Split tunnel VPN or a full tunnel VPN
NETWORK APPLIANCES AND SECURITY
TOOLS

• Jump servers & jump boxes
• Load balancing
• Proxy servers
• NAT gateways
• Content/URL filters
• Data protection
• IDS & IPS
• HSMs
• Data collection
• Firewalls
• UTM
INLINE IPS VS. PASSIVE IDS DEPLOYMENT
NETWORK SECURITY, SERVICES, AND
MANAGEMENT
Out-of-band management

Access control lists (ACL)

Quality of service (QoS)

Route security

DNS

SSL/TLS

Monitoring services and systems

File integrity monitors


EXAMPLE NETWORK ACLS

Rule number | Protocol | Ports | Destination  | Allow/Deny | Notes
10          | TCP      | 22    | 10.0.10.0/24 | ALLOW      | Allow SSH
20          | TCP      | 443   | 10.0.10.45   | ALLOW      | Inbound HTTPS to webserver
30          | ICMP     | ALL   | 0.0.0.0/0    | DENY       | Block ICMP
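ACLs like the one above are evaluated top down, and the first matching rule wins; anything that matches nothing hits the implicit deny at the end. The following is an example added to these notes, not code from the original page or from any vendor's ACL implementation. It encodes the three rules from the table exactly and evaluates constructed packets against them; the table has no source column, so, as in the table, the rules match on protocol, destination port and destination address only (real ACLs also match on source).

```python
"""First-match evaluator for the network ACL in the table above.
Example code added to these notes, not from the original page.
The rules are the table's; the packets below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str     # "TCP", "UDP", "ICMP" or "ALL"
    port: str         # destination port as text, or "ALL"
    destination: str  # CIDR block or single address
    action: str       # "ALLOW" or "DENY"
    note: str = ""


# The three rules from the table; the implicit deny is not a rule, it is
# what evaluate() returns when nothing matches.
ACL = [
    Rule(10, "TCP", "22", "10.0.10.0/24", "ALLOW", "Allow SSH"),
    Rule(20, "TCP", "443", "10.0.10.45", "ALLOW", "Inbound HTTPS to webserver"),
    Rule(30, "ICMP", "ALL", "0.0.0.0/0", "DENY", "Block ICMP"),
]


def matches(rule, protocol, dst_ip, dst_port):
    """True if the packet fits every field of the rule."""
    if rule.protocol != "ALL" and rule.protocol != protocol:
        return False
    if rule.port != "ALL" and (dst_port is None or int(rule.port) != dst_port):
        return False
    # A bare address such as 10.0.10.45 becomes a /32 network.
    network = ipaddress.ip_network(rule.destination, strict=False)
    return ipaddress.ip_address(dst_ip) in network


def evaluate(acl, protocol, dst_ip, dst_port=None):
    """Return (action, rule_number). Rules are tried in ascending number
    order; the first match decides. No match means the implicit deny,
    reported with rule number None."""
    for rule in sorted(acl, key=lambda r: r.number):
        if matches(rule, protocol, dst_ip, dst_port):
            return rule.action, rule.number
    return "DENY", None


# Constructed traffic: the last two hit the implicit deny, which is why
# a table that only lists ALLOW rules still blocks HTTP to the web server.
SAMPLE_PACKETS = [
    ("TCP", "10.0.10.7", 22),
    ("TCP", "10.0.10.45", 443),
    ("ICMP", "10.0.10.45", None),
    ("TCP", "10.0.10.46", 443),
    ("TCP", "10.0.10.45", 80),
]


def evaluate_all(acl, packets):
    """Evaluate a batch of (protocol, dst_ip, dst_port) tuples."""
    return [evaluate(acl, *pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, (action, number) in zip(SAMPLE_PACKETS, evaluate_all(ACL, SAMPLE_PACKETS)):
        print(pkt, "->", action, "by rule", number if number else "implicit deny")
```

Because matching stops at the first hit, inserting a broad ALLOW with a low number silently shadows every more specific DENY below it; when reviewing a real ACL, read it in number order and ask what each packet type hits first.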
DECEPTION AND DISRUPTION

• Honeypots – A system set up to attract attackers and allow defenders
to document and observe what they do and the tools/techniques they use.

• Honeynets – A group of systems or devices that are all honeypots,
allowing observation of a broader set of activities and processes.

• Honeyfiles – A file intended to attract attackers so that successful
exfiltration of data can be detected.
SECURE PROTOCOLS
SECURE AND UNSECURE PROTOCOLS
Unsecure protocol | Original port    | Secure protocol option(s) | Secure port                                        | Notes
DNS               | UDP/TCP 53       | DNSSEC                    | UDP/TCP 53                                         |
FTP               | TCP 21 (and 20)  | FTPS                      | TCP 21 in explicit mode and 990 in implicit mode   | Using TLS
FTP               | TCP 21 (and 20)  | SFTP                      | TCP 22 (SSH)                                       | Using SSH
HTTP              | TCP 80           | HTTPS                     | TCP 443                                            | Using TLS
IMAP              | TCP 143          | IMAPS                     | TCP 993                                            | Using TLS
LDAP              | UDP and TCP 389  | LDAPS                     | TCP 636                                            | Using TLS
POP3              | TCP 110          | POP3S (secure POP3)       | TCP 995                                            | Using TLS
RTP               | UDP 16384-32767  | SRTP                      | UDP 5004                                           |
SNMP              | UDP 161 and 162  | SNMPv3                    | UDP 161 and 162                                    |
Telnet            | TCP 23           | SSH                       | TCP 22                                             |

Note: plain POP3 listens on TCP 110 (the original slide's "100" is a typo). DNSSEC and SNMPv3 keep the original ports because they add signing and authentication to the existing protocol rather than wrapping it in a new transport.
SECURE PROTOCOLS

• Email-related protocols
• File transfer protocols
• IPSec
ATTACKING AND ASSESSING
NETWORKS
ON-PATH ATTACKS
DOMAIN NAME SYSTEM (DNS) ATTACKS
LAYER 2 ATTACKS

• Address Resolution Protocol (ARP) poisoning
• Media access control (MAC) cloning
DDOS ATTACKS

• Network-based DDoS
• Operational technology DDoS
A SYN FLOOD SHOWN IN WIRESHARK
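What the Wireshark view shows visually, a large number of SYNs to one service that never reach the third leg of the handshake, can also be detected from a text capture. The following is an example added to these notes, not code from the original page or from Wireshark. It parses tcpdump-style lines (the `tcpdump -n` output format is assumed) and counts, per destination socket, SYNs received versus bare ACKs that complete a handshake. The capture lines are constructed.

```python
"""SYN-flood indicator over tcpdump-style capture lines.
Example code added to these notes, not from the original page.
SAMPLE_CAPTURE is constructed in the `tcpdump -n` line format (assumed);
a real run would read the output of
`tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'`."""
import re
from collections import defaultdict

# Constructed: six SYNs from scattered (likely spoofed) sources to the web
# server that never complete, plus one ordinary client that does.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 198.51.100.11.40001 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.000300 IP 198.51.100.12.40002 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.000500 IP 198.51.100.13.40003 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.000700 IP 198.51.100.14.40004 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.000900 IP 198.51.100.15.40005 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.001100 IP 198.51.100.16.40006 > 10.0.10.45.443: Flags [S], seq 1, win 512, length 0
12:00:01.200000 IP 192.0.2.10.51000 > 10.0.10.45.443: Flags [S], seq 100, win 64240, length 0
12:00:01.200400 IP 10.0.10.45.443 > 192.0.2.10.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:01.200800 IP 192.0.2.10.51000 > 10.0.10.45.443: Flags [.], ack 501, win 64240, length 0
12:00:01.300000 IP 192.0.2.10.51000 > 10.0.10.45.443: Flags [P.], seq 101:200, ack 501, win 64240, length 99
"""

LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def parse(line):
    """Return {ts, src, dst, flags} for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "dst": f"{dst}:{dport}", "flags": flags}


def handshake_stats(lines):
    """Per destination socket: SYNs received, bare ACKs received (the
    third leg of the handshake) and the set of source addresses."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for pkt in filter(None, map(parse, lines)):
        s = stats[pkt["dst"]]
        if pkt["flags"] == "S":
            s["syn"] += 1
            s["sources"].add(pkt["src"])
        elif pkt["flags"] == ".":
            s["ack"] += 1
    return stats


def detect_syn_flood(lines, min_half_open=5, max_completion=0.5):
    """Flag destinations with many SYNs that mostly never complete.
    Returns (destination, syn_count, half_open, distinct_sources).
    Counting per source is deliberately avoided: flood sources are
    usually spoofed, so each address appears only once and a per-source
    threshold never trips."""
    flagged = []
    for dst, s in handshake_stats(lines).items():
        half_open = s["syn"] - min(s["ack"], s["syn"])
        completion = s["ack"] / s["syn"] if s["syn"] else 1.0
        if half_open >= min_half_open and completion <= max_completion:
            flagged.append((dst, s["syn"], half_open, len(s["sources"])))
    return flagged


if __name__ == "__main__":
    for dst, syn, half_open, sources in detect_syn_flood(SAMPLE_CAPTURE.splitlines()):
        print(f"{dst}: {syn} SYNs, {half_open} half-open, {sources} distinct sources")
```

Thresholds of 5 packets are for the toy capture; on a real link the same ratio is computed per time window, and a busy but healthy service still shows a completion ratio near 1.0, which is what separates load from a flood.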
NETWORK RECONNAISSANCE AND
DISCOVERY TOOLS AND TECHNIQUES
ROUTES, DNS INFORMATION, & PATHS

• A sample traceroute for www.wiley.com


ROUTES, DNS INFORMATION, & PATHS

• A sample pathping for www.wiley.com


SYSTEM LEVEL NETWORK INFORMATION

• ipconfig & ifconfig
• netstat
• arp
• route
PORT AND VULNERABILITY SCANNING

• A sample nmap scan from a system


DATA TRANSFER AND GENERAL-
PURPOSE TOOLS

netcat curl hping


OSINT AND DATA GATHERING TOOLS

• theHarvester output for wiley.com


OSINT AND DATA GATHERING TOOLS
• dnsenum output for wiley.com
PACKET CAPTURE AND REPLAY
• tcpdump of a segment of nmap portscanning
PACKET CAPTURE AND REPLAY
• A Wireshark capture of a segment of nmap
portscanning
SANDBOXING
• A Cuckoo Sandbox analysis of a malware file
Wireless and Mobile Security

Chapter 13
OBJECTIVES COVERED
Domain 1.0: Attacks, Threats, and Vulnerabilities
• 1.4 Given a scenario, analyze potential
indicators associated with network attacks.

Domain 3.0: Implementation


• 3.4. Given a scenario, install and configure
wireless security settings.
• 3.5 Given a scenario, implement secure mobile
solutions.
BUILDING SECURE WIRELESS
NETWORKS
CONNECTIVITY METHODS

CELLULAR WI-FI BLUETOOTH

NFC RFID INFRARED

GPS USB
WI-FI STANDARDS, MAXIMUM
THEORETICAL SPEED, AND FREQUENCIES
Wi-Fi standard | Maximum speed | Frequencies
802.11b        | 11 Mbit/s     | 2.4 GHz
802.11a        | 54 Mbit/s     | 5 GHz
802.11g        | 54 Mbit/s     | 2.4 GHz
802.11n        | 600 Mbit/s    | 2.4 GHz and 5 GHz
802.11ac       | 6933 Mbit/s   | 5 GHz
802.11ax       | 9608 Mbit/s   | 2.4 GHz and 5 GHz, with an additional frequency range in the 6 GHz band

Note: 802.11a's maximum is 54 Mbit/s (the original slide's "64" and "801.11n" are typos).
WIRELESS NETWORK MODELS
ATTACKS AGAINST WIRELESS NETWORKS

Rogue access points and evil twins

Bluetooth attacks

RF and protocol attacks


EVIL TWIN PRETENDING TO BE A
LEGITIMATE ACCESS POINT
DESIGNING A NETWORK
• A wireless heatmap showing the wireless signal available
from an access point
WI-FI SECURITY STANDARDS

WPA2
• Three modes: open, pre-shared key (PSK), Enterprise
• Important: significant upgrade in security from WEP

WPA3
• Three modes: open, simultaneous authentication of equals (SAE),
Enterprise
• Important: improved security in SAE mode (vs. PSK) to make
brute-force attacks harder
WIRELESS AUTHENTICATION

• Three major types of authentication in modern Wi-Fi networks:
– Open networks, sometimes with a captive portal to gather some
information from users
– Pre-shared keys (or SAE for WPA3)
– Enterprise authentication, which relies on a RADIUS server and
utilizes an EAP protocol for authentication
WIRELESS AUTHENTICATION PROTOCOLS

Common EAP variants:
• PEAP
• EAP-FAST
• EAP-TLS
• EAP-TTLS
MANAGING SECURE MOBILE
DEVICES
MOBILE DEVICE DEPLOYMENT
METHODS
Model | Who owns the device? | Who controls and maintains the device? | Description

BYOD (Bring your own device) | The user | The user | The user brings their own
personally owned device. This provides more user freedom and lower cost
to the organization, along with greater risk since the organization does
not control, secure, or manage the device.

CYOD (Choose your own device) | The organization | The user | The
organization owns the device, but allows the user to select and
maintain it.

COPE (Corporate owned, personally enabled) | The organization | The
organization | Corporate provided devices allow reasonable personal use
while meeting enterprise security and control needs.

Corporate owned | The organization | The organization | Greatest
control, least flexibility.
MOBILE DEVICE MANAGEMENT
• Application management features are important to allow
enterprise control of applications.
• Content management (sometimes called MCM, or mobile
content management) ensures secure access and control
of organizational files including documents and media on
mobile devices.
• Remote wipe capabilities are used when a device is lost,
stolen, or when the owner is no longer employed by the
organization.
• Geolocation and geofencing capabilities allow you to use
the location of the phone to make decisions about its
operation.
• Screen locks, passwords, and pins are all part of normal
device security models to prevent unauthorized access.
MOBILE DEVICE MANAGEMENT
• Biometrics are widely available on modern devices, with
fingerprints and facial recognition being the most broadly
adopted and deployed.
• Context aware authentication goes beyond PINs,
passwords, and biometrics to understand more about user
behavior.
• Containerization is an increasingly common solution to
handling separation of work and personal use contexts on
devices.
• Storage segmentation can be used to keep personal and
business data separate as well.
• Full device encryption (FDE) remains the best way to
ensure that stolen or lost devices don’t result in a data
breach.
• Push notifications may seem like an odd inclusion here,
but sending messages to devices can be useful in a number
of scenarios.
Incident Response

Chapter 14
OBJECTIVES COVERED

Domain 1.0 Attacks, Threats, and Vulnerabilities


• 1.7 Summarize the techniques used in security
assessments.

Domain 4.0: Operations and Incident Response
• 4.2 Summarize the importance of policies, process, and
procedures for incident response.
• 4.3 Given an incident, utilize appropriate data sources to
support an investigation.
• 4.4 Given an incident, apply mitigation techniques or
controls to secure an environment.
INCIDENT RESPONSE
THE INCIDENT RESPONSE PROCESS
PREPARING FOR INCIDENT RESPONSE

• Incident response team
• Policies
• Exercises
• Building incident response plans
CONTINUITY OF OPERATIONS
ATTACK FRAMEWORKS AND
IDENTIFYING ATTACKS
• MITRE ATT&CK
ATTACK FRAMEWORKS AND
IDENTIFYING ATTACKS
• The Diamond Model of Intrusion Analysis
ATTACK FRAMEWORKS AND
IDENTIFYING ATTACKS
• The Cyber Kill Chain
INCIDENT RESPONSE DATA
AND TOOLS
SECURITY INFORMATION AND EVENT
MANAGEMENT SYSTEMS

SIEM system:
• SIEM dashboard
• Sensors
• Sensitivity and thresholds
• Trends
• Alerts and alarms
• Correlation and analysis
• Rules
DASHBOARD
TRENDS
ALERTS AND ALARMS
RULES
LOG FILES
COMMON LOGS

• System logs
• Application logs
• Security logs
• Network and security device logs
• Web logs
• Vulnerability scan output
• Authentication logs
• DNS logs
• Dump files
• VoIP & SIP logs


MITIGATION AND RECOVERY
MITIGATION AND RECOVERY

• Playbooks
• Runbooks
• Security Orchestration, Automation, and Response (SOAR)
• Containment, mitigation, and recovery techniques
Digital Forensics

Chapter 15
OBJECTIVES COVERED

Domain 2.0: Architecture and Design
• 2.7 Explain the importance of physical security controls.

Domain 4.0: Operations and Incident Response
• 4.1 Given a scenario, use the appropriate tool to assess
organizational security.
• 4.5 Explain the key aspects of digital forensics.
DIGITAL FORENSIC
CONCEPTS
9 STAGES IN THE EDRM MODEL

1. Information governance before the fact to assess what data exists and to
allow scoping and control of what data needs to be provided.
2. Identification of electronically stored information so that you know what you
have and where it is.
3. Preservation of the information to ensure that it isn’t changed or destroyed.
4. Collection of the information so that it can be processed and managed as
part of the collection process.
5. Processing to remove unneeded or irrelevant information, as well as
preparing it for review and analysis by formatting or collating it.
6. Reviewing the data to ensure that it only contains what it is supposed to, and
that information that should not be shared is not included.
7. Analysis of the information to identify key elements like topics, terms, and
individuals or organizations.
8. Production provides the information to third parties or those involved in legal
proceedings.
9. Presentation both for testimony in court and for further analysis with experts
or involved parties.
DIGITAL FORENSIC
CONCEPTS
ACQUIRING FORENSIC DATA
A SAMPLE CHAIN OF CUSTODY FORM
ACQUISITION TOOLS
• Completed FTK
FTK IMAGER’S MEMORY CAPTURE
DIALOG
VALIDATING FORENSIC DATA INTEGRITY
• FTK Imager’s evidence item documentation
FORENSIC SUITES AND A FORENSIC
CASE EXAMPLE
• Selecting the type of image or data to import
FORENSIC SUITES AND A FORENSIC
CASE EXAMPLE
• Ingestion modules in Autopsy
FORENSIC SUITES AND A FORENSIC
CASE EXAMPLE
• Using the Autopsy file discovery tool to identify
images in an investigation
FORENSIC SUITES AND A FORENSIC
CASE EXAMPLE
• Timelining in Autopsy to identify events related to
the investigation
REPORTING
A TYPICAL FORENSIC REPORT

1. A summary of the forensic investigation and findings

2. An outline of the forensic process, including tools used and any
assumptions that were made about the tools or process

3. A series of sections detailing the findings for each device or drive

4. Recommendations or conclusions in more detail than the summary
included
Security Policies, Standards, and
Compliance
Chapter 16
OBJECTIVES COVERED

Domain 5.0: Governance, Risk, and Compliance


• 5.2: Explain the importance of applicable
regulations, standards, or frameworks that
impact organizational security posture.
• 5.3: Explain the importance of policies to
organizational security.
UNDERSTANDING POLICY
DOCUMENTS
INFORMATION SECURITY POLICY
FRAMEWORK

• Policies
• Standards
• Procedures
• Guidelines
POLICIES

Common broad statements about cybersecurity objectives in policies:
• A statement of the importance of cybersecurity to the organization
• Requirements that all staff and contractors take measures to protect
the confidentiality, integrity, and availability of information and
information systems
• Statement on the ownership of information created and/or possessed
by the organization
• Designation of the chief information security officer (CISO) or
other individual as the executive responsible for cybersecurity issues
• Delegation of authority granting the CISO the ability to create
standards, procedures, and guidelines that implement the policy
EXCERPT FROM CMS ROLES AND
RESPONSIBILITIES CHART
COMMON DOCUMENTS IN INFO
SECURITY POLICY LIBRARY

Information security policy


Acceptable use policy (AUP)
Data governance policy
Data classification policy
Data retention policy
Credential management policy
Password policy
Continuous monitoring policy
Code of conduct/ethics
Change management and change control policies
Asset management
STANDARDS

• Excerpt from UC Berkeley Minimum Security Standards for Electronic
Information
STANDARDS

Well-managed:
• Devices must have secure configurations in place prior to deployment.
• Any deviations from defined security configurations must be approved
through a change management process and documented.
• A process must exist to annually review deviations from the defined
security configurations for continued relevance.
• A process must exist to regularly check configurations of devices and
alert the Resource Custodian of any changes.
PROCEDURES

• Monitoring procedures
• Evidence production procedures
• Patching procedures
GUIDELINES

Three goals of guidelines (from a state electronic-signature guideline):

1. Help agencies determine if, and to what extent, their agency will
implement and rely on electronic records and electronic signatures.

2. Provide agencies with information they can use to establish policy
or rule governing their use and acceptance of digital signatures.

3. Provide direction to agencies for sharing of their policies with the
Office of the Chief Information Officer (OCIO) pursuant to state law.
EXCEPTIONS AND COMPENSATING
CONTROLS
Three criteria that must be met for a compensating control
to be satisfactory:

1
The control must meet the intent and rigor of the
original requirement.

2
The control must provide a similar level of defense as the
original requirement.

3
The control must be “above and beyond” other PCI DSS
requirements.
PERSONNEL MANAGEMENT
PERSONNEL MANAGEMENT

• Least privilege
• Separation of duties
• Job rotation and mandatory vacations
• Clean desk space
• Onboarding and offboarding
• Non-disclosure agreements (NDAs)
• Social media
• User training


THIRD-PARTY RISK
MANAGEMENT
COMMON STANDARD AGREEMENTS

Master Service Agreements (MSA)

Service Level Agreements (SLA)

A Memorandum of Understanding

Business Partnership Agreements


COMPLYING WITH LAWS
AND REGULATIONS
MAJOR INFORMATION SECURITY
REGULATIONS

• The Health Insurance Portability and Accountability Act (HIPAA)
• The Payment Card Industry Data Security
Standard (PCI DSS)
• The Gramm-Leach-Bliley Act (GLBA)
• The Sarbanes-Oxley (SOX) Act
• The General Data Protection Regulation (GDPR)
• The Family Educational Rights and Privacy Act
(FERPA)
• Data breach notification laws
ADOPTING STANDARD
FRAMEWORKS
NIST CYBERSECURITY FRAMEWORK
- FIVE OBJECTIVES

1. Describe their current cybersecurity posture.
2. Describe their target state for cybersecurity.
3. Identify and prioritize opportunities for improvement within the
context of a continuous and repeatable process.
4. Assess progress toward the target state.
5. Communicate among internal and external stakeholders about
cybersecurity risk.
NIST CYBERSECURITY FRAMEWORK
- THREE COMPONENTS

• The Framework Core
• The Framework Profiles
• The Framework Implementation Tiers
NIST CYBERSECURITY FRAMEWORK
CORE STRUCTURE
ASSET MANAGEMENT CYBERSECURITY
FRAMEWORK
NIST CYBERSECURITY FRAMEWORK
IMPLEMENTATION TIERS
Tier 1: Partial
• Risk management process: Organizational cybersecurity risk management
practices are not formalized, and risk is managed in an ad hoc and
sometimes reactive manner.
• Integrated risk management program: There is limited awareness of
cybersecurity risk at the organizational level. The organization
implements cybersecurity risk management on an irregular, case-by-case
basis due to varied experience or information gained from outside
sources.
• External participation: The organization does not understand its role
in the larger ecosystem with respect to either its dependencies or
dependents.

Tier 2: Risk Informed
• Risk management process: Risk management practices are approved by
management but may not be established as organization-wide policy.
• Integrated risk management program: There is an awareness of
cybersecurity risk at the organizational level but an organization-wide
approach to managing cybersecurity risk has not been established.
• External participation: Generally, the organization understands its
role in the larger ecosystem with respect to either its own
dependencies or dependents, but not both.

Tier 3: Repeatable
• Risk management process: The organization's risk management practices
are formally approved and expressed as policy.
• Integrated risk management program: There is an organization-wide
approach to manage cybersecurity risk.
• External participation: The organization understands its role,
dependencies, and dependents in the larger ecosystem and may contribute
to the community's broader understanding of risks.

Tier 4: Adaptive
• Risk management process: The organization adapts its cybersecurity
practices based on previous and current cybersecurity activities,
including lessons learned and predictive indicators.
• Integrated risk management program: There is an organization-wide
approach to managing cybersecurity risk that uses risk-informed
policies, processes, and procedures to address potential cybersecurity
events.
• External participation: The organization understands its role,
dependencies, and dependents in the larger ecosystem and contributes to
the community's broader understanding of risks.
NIST RISK MANAGEMENT FRAMEWORK
ISO STANDARDS

• ISO 27001
• ISO 27002
• ISO 27701
• ISO 31000
BENCHMARKS AND SECURE
CONFIGURATION GUIDES
SECURITY CONTROL VERIFICATION
AND QUALITY CONTROL
SECURITY CONTROL VERIFICATION AND
QUALITY CONTROL
• Two forms of evaluations:

Audits Assessments

• Three categories of SOC assessment:

SOC 1 SOC 2 SOC 3

• Two types of SOC report:

Type I Type II
Risk Management and Privacy

Chapter 17
OBJECTIVES COVERED

Domain 5.0: Governance, Risk, and Compliance


• 5.4: Summarize risk management processes
and concepts.
• 5.5: Explain privacy and sensitive data concepts
in relation to security.
ANALYZING RISK
THREATS, VULNERABILITIES, AND RISKS
RISK IDENTIFICATION

External risks

Internal risks

Multi-party risks

Legacy systems

Intellectual property (IP) theft risks

Software compliance/licensing risks


RISK CALCULATION

Likelihood + Impact -> Risk severity
RISK ASSESSMENT

• Quantitative risk assessments
• Qualitative risk assessments
QUANTITATIVE RISK ASSESSMENT

1. Determine the asset value (AV) of the asset affected by the risk

2. Determine the likelihood that the risk will occur

3. Determine the amount of damage that will occur to the asset if the
risk materializes

4. Calculate the single loss expectancy (SLE)

5. Calculate the annualized loss expectancy (ALE)
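Carried through in code, the five steps above reduce to SLE = AV x EF (exposure factor, the fraction of the asset's value lost per occurrence) and ALE = SLE x ARO (annualized rate of occurrence). The following is an example added to these notes, not code from the original page; it goes one step beyond the slide by using the same figures to decide whether a proposed control is worth its annual cost. The asset values, exposure factors and rates are constructed.

```python
"""Quantitative risk assessment: SLE, ALE and safeguard cost-benefit.
Example code added to these notes, not from the original page; the
figures in SAMPLE_RISKS and the control parameters are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the affected asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(risk):
    """SLE = AV x EF: the loss from one occurrence."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk):
    """ALE = SLE x ARO: the expected loss per year."""
    return single_loss_expectancy(risk) * risk.aro


def prioritize(risks):
    """Risk names ordered by ALE, largest first."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]


def safeguard_value(risk, aro_after, ef_after, annual_cost):
    """Annual value of a control: ALE before, minus ALE after the control
    changes the rate and/or the exposure, minus what the control costs
    per year. Positive means the control pays for itself."""
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return annualized_loss_expectancy(risk) - annualized_loss_expectancy(after) - annual_cost


# Constructed register: a web server that loses half its value when
# compromised about once every four years, and laptops stolen twice a year.
SAMPLE_RISKS = [
    Risk("Web server compromise", asset_value=200_000, exposure_factor=0.5, aro=0.25),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=2.0),
]


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name}: SLE={single_loss_expectancy(r):,.0f} ALE={annualized_loss_expectancy(r):,.0f}")
    web, laptop = SAMPLE_RISKS
    # A WAF (constructed figures) cuts the compromise rate to once in 20 years for 8,000/yr.
    print("WAF value/yr:", safeguard_value(web, aro_after=0.05, ef_after=0.5, annual_cost=8_000))
    # Full-disk encryption does not stop theft (ARO unchanged) but the data is
    # no longer lost, so the exposure drops to the hardware cost.
    print("FDE value/yr:", safeguard_value(laptop, aro_after=2.0, ef_after=0.2, annual_cost=500))
```

The second control is the interesting one: it changes EF rather than ARO, which is how most mitigating controls work, while the first reduces how often the event happens. Both are expressed in the same currency as the ALE, which is what lets a quantitative assessment compare them.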
QUALITATIVE RISK ASSESSMENT
MANAGING RISK
MANAGING RISKS

• Risk mitigation
• Risk avoidance
• Risk transference
• Risk acceptance
RISK MITIGATION – STOP TAG
RISK ANALYSIS
RISK ANALYSIS

Inherent Risk

Residual Risk
Risk Appetite
RISK REGISTER EXCERPT
RISK MATRIX
DISASTER RECOVERY
PLANNING
BUSINESS IMPACT ANALYSIS

• Mean time between failures (MTBF)
• Mean time to repair (MTTR)
• Recovery time objective (RTO)
• Recovery point objective (RPO)
PRIVACY
SENSITIVE INFORMATION INVENTORY

Personally identifiable information (PII)

Protected health information (PHI)

Financial information

Government information
INFORMATION CLASSIFICATION

Top
Secret

Secret

Confidential

Unclassified
DATA ROLES AND RESPONSIBILITIES

Data controllers Data stewards

Data custodians Data processors


INFORMATION LIFECYCLE

• Data minimization
• Purpose limitation
• Data retention
PRIVACY ENHANCING TECHNOLOGIES

• Hashing
• Data obfuscation
• Tokenization
• Data masking
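The four techniques above are not interchangeable: masking is irreversible and meant for display, hashing preserves joinability but is only as strong as the entropy of the input, and tokenization keeps the original recoverable by whoever holds the vault. The following is an example added to these notes, not code from the original page or any tokenization product. It applies each technique to one constructed PII record and shows why an unsalted hash of a low-entropy field (a 4-digit PIN) is recovered by brute force in a fraction of a second, while a keyed hash is not.

```python
"""Hashing, masking and tokenization on one constructed PII record.
Example code added to these notes, not from the original page.
SAMPLE_RECORD is constructed; the token vault is an in-memory stand-in
for a real tokenization service."""
import hashlib
import hmac
import secrets

SAMPLE_RECORD = {
    "name": "A. Example",
    "card": "4111111111111111",
    "email": "Alice@example.com",
    "ssn": "123-45-6789",
}


def mask(value, keep_last=4, mask_char="*"):
    """Data masking: irreversibly hide all but the last few characters."""
    if len(value) <= keep_last:
        return mask_char * len(value)
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


def unsalted_hash(value):
    """Plain SHA-256: fine for high-entropy data, reversible for small domains."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_pin(digest, digits=4):
    """Brute-force an unsalted hash of a numeric PIN: 10**digits guesses."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if unsalted_hash(guess) == digest:
            return guess
    return None


def keyed_hash(value, key):
    """HMAC-SHA256: the same guess loop is useless without the key, and
    records hashed under the same key can still be joined on the value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace the value with a random token and keep the
    mapping only inside the vault. The token carries no information."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def protect_record(record, vault, key):
    """Pick the technique per field: masking where a human only needs
    the tail, a keyed hash where records must stay joinable, a token
    where an authorized system must later recover the original."""
    return {
        "name": record["name"],
        "card": mask(record["card"]),
        "email_hash": keyed_hash(record["email"].lower(), key),
        "ssn_token": vault.tokenize(record["ssn"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    out = protect_record(SAMPLE_RECORD, vault, key=b"constructed-demo-key")
    print(out)
    print("vault recovers:", vault.detokenize(out["ssn_token"]))
    print("unsalted PIN hash recovered:", recover_pin(unsalted_hash("4821")))
```

The PIN brute force is the practical caveat behind "hashing" as a privacy-enhancing technology: any field with a small value space (PINs, dates of birth, ZIP codes, even SSNs at 10^9 values) needs a keyed or salted hash, or tokenization, not a bare digest.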
