# Sec+ preparation #12 (Risk Management, Data Leakage)

## Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at [Hackers-Arise](https://www.hackers-arise.com/). I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp [here](https://hackersarise.thinkific.com/courses/security-training)

## Risk Management

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1749469313795/bc8e8b69-fdbe-43c9-930d-c329920e7b51.jpeg align="center")

### Threat and risk analysis (TaR)

* Minimizing risks
    
* What are the steps
    
* Likelihood versus impact
    
* SLE, ALE, ARO
    
* Managing risks
    
* Delphi method
    
* Methodologies
    

#### Governance

* Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives.
    
* Information security is not only a technical issue.
    
* For information security to be effective, **it requires the active engagement of executive management. (could be a question)**
    

#### Risk & Risk management

* Risk is the probability of something happening. If you have ever gambled, you know what a probability is.
    
* What is an acceptable level of probability?
    
* Information Security (IS)
    

#### Categories of Risk

* Man Made
    
* Weather related
    
* Physical damage
    
* Human error
    
* Inside and outside attacks
    
* Power Failure
    
* Application error
    

#### Asset & Information Value

* Establishing asset value
    
* Assign Quantitative value
    
    * Real and meaningful values
        
* Assign Qualitative value
    
    * Subjective rating
        
    * Can be low, medium, high
        

#### Techniques to Minimize Risks (will be in exam)

* Mandatory Vacation - workers must go on vacation regularly
    
    * A detective mechanism
        
    * The new person might find out about anomalies such as:
        
        * Scripts being scheduled to run at regular intervals
            
        * Illegal usage of company resources
            
        * Script extracting data from the database
            
* Job Rotation
    
    * New employee may see something is wrong
        
    * Mostly done in DoD and government agencies
        
    * Not very common in commercial companies
        
    * Should be combined with mandatory vacation
        
* Separation of Duties (SoD)
    
    * A method of enforcing security
        
    * One person cannot complete a critical task
        
* Least Privilege
    
    * Applies to processes and users
        

#### Qualitative Approach

* Scenario-based technique; it includes:
    
    * Brainstorming
        
        * Invite the greatest minds in your company and just let them talk and brainstorm
            
    * Story boarding
        
    * Focus groups
        
    * Surveys
        
    * Questionnaires & Checklist
        

#### Quantitative Approach

Steps:

* Assign value to information and assets
    
* Estimate potential loss per risk
    
* Perform a threat analysis
    
* Derive the overall loss potential per threat
    
* Reduce, assign, or accept the risk
    

### Main risk management concepts

* Exposure Factor (EF)
    
    * Based on likelihood (PERCENTAGE) and impact (DOLLARS/EURO)
        
* Single Loss Expectancy (SLE)
    
    * Formula - Asset Value (AV) x Exposure Factor (EF)
        
* Annualized Rate of Occurrence (ARO) - **hard to estimate**
    
    * Estimated frequency a threat will occur within a year
        
* Annualized Loss Expectancy (ALE)
    
    * Formula - SLE x ARO
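The four concepts above chain together: EF and AV give the SLE, SLE and ARO give the ALE, and the ALE is what the last step of the quantitative approach ("reduce, assign, or accept") is decided on. The following is an added worked example, not code from the notes or the course; the risk scenario (a web shop, the dollar values, the 20%-per-year ARO and the 5,000/year control cost) is constructed, and the "net control value" comparison it ends with goes beyond the notes by showing how an ALE is actually used to justify or reject a control.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, described with the exam's quantitative terms."""
    name: str
    asset_value: float       # AV, in dollars/euros
    exposure_factor: float   # EF, fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float               # ARO, expected number of occurrences per year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset, so anything outside 0..100% is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF (loss from one incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


def control_value(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> float:
    """Net yearly benefit of a control: how much it lowers the ALE minus what it costs per year."""
    return before.ale() - after.ale() - annual_control_cost


def decide(before: RiskScenario, after: RiskScenario, annual_control_cost: float) -> str:
    """Last step of the quantitative approach: reduce the risk if the control pays for itself,
    otherwise accept it or assign (transfer) it, e.g. through insurance."""
    if control_value(before, after, annual_control_cost) > 0:
        return "reduce"
    return "accept or assign"


# Constructed scenario: a web shop worth 100,000 that a breach would halve in value,
# expected about once every five years (ARO 0.2).
WEB_SHOP_BEFORE = RiskScenario("web shop breach", asset_value=100_000, exposure_factor=0.5, aro=0.2)
# With a control in place (say, tested backups), one incident now costs only 10% of the asset.
WEB_SHOP_AFTER = RiskScenario("web shop breach (with control)", asset_value=100_000, exposure_factor=0.1, aro=0.2)

if __name__ == "__main__":
    print(f"SLE before: {WEB_SHOP_BEFORE.sle():,.0f}  ALE before: {WEB_SHOP_BEFORE.ale():,.0f}")
    print(f"SLE after:  {WEB_SHOP_AFTER.sle():,.0f}  ALE after:  {WEB_SHOP_AFTER.ale():,.0f}")
    for cost in (5_000, 9_000):
        print(f"control costing {cost:,}/year -> {decide(WEB_SHOP_BEFORE, WEB_SHOP_AFTER, cost)}")
```

Note that ARO is the input with the widest error bars, as the notes say; run the decision with a pessimistic and an optimistic ARO before trusting a single "reduce" verdict.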
        

#### Handling Risks

* Risks **CAN NEVER BE TOTALLY ELIMINATED**
    
    * There’s no risk-free environment
        
* There are always some residual risks
    
* What can you do about the risks you have?
    
    * Transfer the risk (Buy insurance)
        
    * Reduce the risk
        
    * Reject/Ignore the risk
        
    * Accept the risk
        

#### Risk mitigation Strategies

* Implement controls based on risks
    
* Change Management
    
* Incident Management
    
* User rights and permission review
    
    * Do it periodically. Make sure that people don’t have more permissions than they need.
        
* Perform routine audits
    

## Data Leakage & Fraud

### Data leakage Protection (DLP)

Tools to prevent unauthorized persons from being able to take away confidential information.

Real world examples of occurrences:

* The Swedish military forgot a USB drive in a library
    
* UK military forgot a laptop in a taxi
    
* Barack Obama got his campaign idea stolen
    

**Do not send credit card numbers, or any other sensitive information, in clear text!!!**

#### How does DLP work?

* A user sends an email with sensitive data
    
    * DLP analyzes it. If there is sensitive data, it warns the user.
        
* User tries to save a file to a USB Flash Drive
    
    * DLP identifies that it is intellectual property and blocks it. Of course there are ways to bypass that.
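Both scenarios above are the same mechanism: the DLP engine inspects content leaving through a channel, matches it against rules, and applies the action the policy assigns to that channel. As an added example (not code from the notes or from any DLP product), here is a minimal content inspector with two rules: card numbers, detected by a digit pattern confirmed with the Luhn checksum so that invoice or phone numbers do not trigger it, and a classification label such as "CONFIDENTIAL" standing in for the intellectual-property detection. The channel policy (warn on email, block on USB, block anything unknown), the label words and the sample messages are all assumptions made for this example; 4111 1111 1111 1111 is a well-known test card number, not a real account.

```python
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Classification labels this (hypothetical) organization stamps on intellectual property.
LABEL_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|TRADE SECRET)\b", re.IGNORECASE)

# Action per channel, mirroring the two scenarios in the notes; unknown channels fail closed.
CHANNEL_POLICY = {"email": "warn", "usb": "block"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str   # masked, so the alert itself does not leak the sensitive value
    action: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): true for every valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Digit runs that look like a card number AND pass Luhn; returns the bare digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(text: str, channel: str) -> list[Finding]:
    """Run every rule over content leaving through `channel` and attach the policy action."""
    action = CHANNEL_POLICY.get(channel, "block")
    findings = []
    for pan in find_card_numbers(text):
        findings.append(Finding("credit-card", "*" * (len(pan) - 4) + pan[-4:], action))
    for m in LABEL_RE.finditer(text):
        findings.append(Finding("classification-label", m.group(0).upper(), action))
    return findings


if __name__ == "__main__":
    # Constructed sample messages, one per scenario from the notes.
    samples = [
        ("email", "Please charge card 4111 1111 1111 1111 for the order."),
        ("email", "Invoice number 1234 5678 9012 3456 is attached."),   # fails Luhn: no alert
        ("usb", "CONFIDENTIAL: Q3 product roadmap"),
    ]
    for channel, text in samples:
        for f in inspect(text, channel):
            print(f"{channel}: {f.action.upper()} - {f.rule} ({f.evidence})")
```

The Luhn check is what keeps the false-positive rate workable: without it, every 16-digit invoice or tracking number would interrupt users, and people quickly learn to click through warnings they see too often. As the notes say, a determined user can still bypass a detector like this (encryption, screenshots, splitting the number), which is why the USB rule blocks instead of warning and why DLP alerts should feed the same incident process as any other control.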
        

#### Fraud Detection

* Look for obvious signs that something is wrong
    
    * Governance is non-existent
        
    * There is a lack of separation of duties
        
    * Management overrides internal controls
        
    * Environment is corrupted
        

#### What can I do?

* Develop strong policies and enforce them
    
* Develop a code of conduct for employees
    
* Have a mechanism to report suspicious activity
    
* Protect people who talk. Make them anonymous.
