Question

In: Computer Science

Research and include the following: Security Risk Mitigation Plan: Select and document security policies and controls.

Security Mitigation Plan: discuss the following.

Security Risk Mitigation Plan:

  •  Select and document security policies and controls.

  •  Create password policies.

  •  Document administrator roles and responsibilities.

  •  Document user roles and responsibilities.

  •  Determine authentication strategy.

  •  Determine intrusion detection and monitoring strategy.

  •  Determine virus detection strategies and protection.

  •  Create auditing policies and procedures.

  •  Develop education plan for employees on security protocols and appropriate use.

  •  Provide risk response.

    •  Avoidance

    •  Transference

    •  Mitigation

    •  Acceptance

  •  Address Change Management/Version Control.

  •  Outline acceptable use of organizational assets and data.

  •  Present employee policies (separation of duties/training).

  •  Explain incident response.

    •  Incident types/category definitions

    •  Roles and responsibilities

    •  Reporting requirements/escalation

    •  Cyber-incident response teams

  •  Discuss the incident response process.

    •  Preparation

    •  Identification

    •  Containment

    •  Eradication

    •  Recovery


Solutions

Expert Solution

Security policies:

A security policy comprises a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization.

A security policy must identify all of a company's assets as well as all the potential threats to those assets. Company employees need to be kept updated on the company's security policies. The policies themselves should be updated regularly as well.

Determine what your assets are by asking (and answering) the following questions:

  • What do you have that others want?
  • What processes, data, or information systems are critical to you, your company, or your organization?
  • What would stop your company or organization from doing business or fulfilling its mission?

The answers identify assets in a wide range, including critical databases, vital applications, vital company customer and employee information, classified commercial information, shared drives, email servers, and web servers.

Security controls:

Sensitive data should be protected based on the potential impact of a loss of confidentiality, integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two categories. First, security weaknesses in the system need to be resolved. For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated. Second, the system should offer only the required functionality to each authorized user, so that no one can use functions that are not necessary. This principle is known as least privilege. Limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.

There are three types of security controls, as follows:

  • Management controls: The security controls that focus on the management of risk and the management of information system security.
  • Operational controls: The security controls that are primarily implemented and executed by people (as opposed to systems).
  • Technical controls: The security controls that are primarily implemented and executed by the system through the system's hardware, software, or firmware.

Password policies:

A password policy defines the password strength rules that are used to determine whether a new password is valid.

A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be 5. The rule might also specify that the maximum number of characters must be 10.

You can specify the following standards and other rules for passwords:

  • Minimum and maximum length
  • Character restrictions
  • Frequency of password reuse
  • Disallowed user names or user IDs
  • Specify a minimum password age

Security administrator roles and responsibilities:

In Trusted Extensions, the Security Administrator role is responsible for all security attributes of a user or role. The security administrator is responsible for the following tasks:

  • Assigning and modifying the security attributes of a user, role, or rights profile
  • Creating and modifying rights profiles
  • Assigning rights profiles to a user or role
  • Assigning privileges to a user, role, or rights profile
  • Assigning authorizations to a user, a role, or rights profile
  • Removing privileges from a user, role, or rights profile
  • Removing authorizations from a user, role, or rights profile

Typically, the Security Administrator role creates rights profiles. However, if a profile needs capabilities that the Security Administrator role cannot grant, then superuser or the Primary Administrator role can create the profile.

User roles and responsibilities:

The operator is responsible for ensuring the continuous availability of all business-relevant IT resources within the enterprise.

Responsibilities:

  • Maintenance of IT resources. For example: apply fixes, replace defective hardware, and apply (preventive) fixes to applications.
  • Identify problems and provide support. If an IT resource encounters a problem, an alert is sent to the operator. He is in charge of finding the root cause of the problem and resolving it immediately.

Authentication Strategies:

Multi-factor authentication is a method of logon verification where at least two different factors of proof are required. There are generally three recognized types of authentication factors:

  • Knowledge factors include all things a user must know in order to log in, such as a user name and password or personal identification number (PIN).
  • Possession factors include anything a user must have in their possession to log in, such as a one-time password token or a smartphone with an OTP app.
  • Inherence factors include biometric user data that are confirmed for login, such as iris scans, fingerprint scans and voice recognition.

User location is sometimes considered a fourth factor for authentication. The ubiquity of smartphones can help ease the burden: most smartphones have a GPS device, enabling reasonable surety confirmation of the login location. Lower-surety measures might be the MAC address of the login point or physical presence verification through cards, for example.

Intrusion Detection and Monitoring Strategies:

Intrusion detection is an active practice of monitoring and auditing systems for attempted and successful system breaches, with the ultimate goal of preventing the activity from continuing or recurring. A good intrusion detection strategy is based upon the assumption that there are weaknesses throughout your network infrastructure, including:

  • Security systems -- firewalls, packet filters, and user authentication services
  • Network access points -- VPNs, network access servers, and perimeter routers
  • Systems -- operating systems supporting single and multiple users, print and file servers, intranet, etc.
  • Network devices -- any network device connected, or any device that can be connected, to the network

A good intrusion detection system does not necessarily lead to the “capture” of the intruder -- with any security model, the ultimate goal is to stop the breach and avoid future activity. Letting an intruder stay on your systems while you're trying to track him down can cause more damage than it's worth, since identifying the attack host may be only the start of the capture. The attack host has likely been compromised and, even if the attacker is a real user on the host, the management of the organization must be contacted. The management may be less than helpful with tracking, since resources as well as legal issues of liability must be considered.

Virus detection strategies and protection:

With static analysis, a virus is detected by examining the files or records for occurrences of virus patterns without actually running any code. Static methods include the following:

  • String scanning method: searches for a sequence of bytes (a string) that is typical of a specific virus but not likely to be found in other programs.
  • Wildcards method: allows skipping bytes or byte ranges. For example, "?" characters are skipped, and the wildcard "%" means that the scanner will try to match the next byte.
  • Mismatches method: allows any given number of bytes in a string to be of arbitrary value, regardless of their position.
  • Generic detection method: this technique uses one common string to detect several or all known variants of a family of viruses.
  • Bookmarks method: calculates the distance between the start of the virus body and the detection string.
  • Smart scanning: smart scanning could skip junk instructions, such as NOPs, in the host file and also did not store them in the virus signature. To enhance the likelihood of detecting related variants of viruses, an area of the virus body was selected which had no references to data or other subroutines.
  • Skeleton detection: the scanner parses the statements of the virus line by line and drops all nonessential statements. What is left is the skeleton of the body, which has only the essential macro code common to macro viruses.
  • Heuristic analysis: heuristic analysis is an expert-based analysis that determines the susceptibility of a system to a particular threat/risk using various decision rules or weighting methods. Multi-criteria analysis (MCA) is one of the means of weighting.
  • Virus-specific detection: there are cases when the standard algorithm of the virus scanner cannot deal with a virus. In cases like this, new detection code must be introduced to implement a virus-specific detection algorithm. This method includes filtering, decryptor detection and X-ray scanning.

Virus protection software is designed to prevent viruses, worms and Trojan horses from getting onto a computer as well as remove any malicious software code that has already infected a computer.

Most virus protection utilities now bundle anti-spyware and anti-malware capabilities to go along with anti-virus protection. Internet security suites go a step further by including additional capabilities like anti-spam, anti-phishing, firewall, file protection and PC optimization.

Auditing policies and procedures:

An IT audit can be defined as any audit that encompasses the review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them. Planning the IT audit involves two major steps. The first step is to gather information and do some planning; the second step is to gain an understanding of the existing internal control structure. More and more organizations are moving to a risk-based audit approach, which is used to assess risk and helps an IT auditor decide whether to perform compliance testing or substantive testing. In a risk-based approach, IT auditors rely on internal and operational controls as well as knowledge of the company or the business. This type of risk assessment decision can help relate the cost-benefit analysis of the control to the known risk. In the “Gathering Information” step the IT auditor needs to identify five items:

  • Knowledge of business and industry
  • Prior year’s audit results
  • Recent financial information
  • Regulatory statutes
  • Inherent risk assessments
  • Review IT organizational structure
  • Review IT policies and procedures
  • Review IT standards
  • Review IT documentation
  • Review the organization’s BIA
  • Interview the appropriate personnel
  • Observe the processes and employee performance
  • Examination, which incorporates by necessity, the testing of controls, and therefore includes the results of the tests.

Educating employees on security protocols and appropriate use:

A security awareness program is a way to ensure that everyone at your organization has an appropriate level of know-how about security along with an appropriate sense of responsibility.

A good security awareness program should arm your third line of defense by educating them about the first and second lines and giving them the tools they need to do the right thing day in and day out.

Security awareness programs are important because they reinforce that security is the responsibility of everyone in the company (not just the security team). Below, we’ll explain how to set up a program and how to maintain it over the long haul.

There are three times when it is vital to offer security training to your employees:

  1. When they join the team
  2. After an incident occurs
  3. At regular intervals throughout the year

Each of these moments offers a different opportunity to train employees on specific aspects of security or to offer them real-world examples of what to do and not do (e.g., in the case of phishing or W2 scams). If you can plan ahead, you can develop the right types of training for the right times.

When someone joins your team, you need to give them an overview of how your organization handles security and why you take it seriously. This means going over the people, processes, and technology that are most relevant to their job functions when it comes to security. You want to spend time focusing on general policies and on role-specific information that will help new employees do their jobs more effectively.

Risk Response strategies:

Avoid: Risk can be avoided by removing the cause of the risk or executing the project in a different way while still aiming to achieve project objectives. Not all risks can be avoided or eliminated, and for others this approach may be too expensive or time-consuming. However, this should be the first strategy considered.

Transfer: Transferring risk involves finding another party who is willing to take responsibility for its management, and who will bear the liability of the risk should it occur. The aim is to ensure that the risk is owned and managed by the party best able to deal with it effectively. Risk transfer usually involves payment of a premium, and the cost‐effectiveness of this must be considered when deciding whether to adopt a transfer strategy.

Mitigate: Risk mitigation reduces the probability and/or impact of an adverse risk event to an acceptable threshold. Taking early action to reduce the probability and/or impact of a risk is often more effective than trying to repair the damage after the risk has occurred. Risk mitigation may require resources or time and thus presents a trade-off between doing nothing and the cost of mitigating the risk.

Acceptance: This strategy is adopted when it is not possible or practical to respond to the risk by the other strategies, or a response is not warranted by the importance of the risk. When the project manager and the project team decide to accept a risk, they are agreeing to address the risk if and when it occurs. A contingency plan, workaround plan and/or contingency reserve may be developed for that eventuality.
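The password-policy section of the answer lists the rule types (minimum and maximum length, character restrictions, reuse frequency, disallowed user names, minimum password age) without showing how they are enforced. The checker below is an added example, not part of the expert's answer; the thresholds, banned words and the 5/10 length limits are assumptions taken from the answer's own illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Thresholds are assumptions for this example; the answer only names the rule types.
    min_length: int = 5
    max_length: int = 10
    min_char_classes: int = 3        # out of: lowercase, uppercase, digit, symbol
    history_depth: int = 5           # reuse of any of the last N passwords is refused
    min_age_days: float = 1.0        # a password may not be changed again sooner than this
    banned_words: tuple = ("password", "admin")


def password_digest(pw: str) -> str:
    # SHA-256 keeps the example dependency-free; a real history store should use a
    # salted, slow hash (bcrypt/scrypt/Argon2) so leaked history cannot be cracked cheaply.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, username, history, days_since_change, policy=None):
    """Return the list of violated rules; an empty list means the candidate is acceptable.

    history           - digests of previous passwords, oldest first
    days_since_change - age of the current password in days, or None for a first password
    """
    policy = policy or PasswordPolicy()
    violations = []
    n = len(candidate)
    if n < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < policy.min_char_classes:
        violations.append(f"fewer than {policy.min_char_classes} character classes")
    lowered = candidate.lower()
    if username and username.lower() in lowered:
        violations.append("contains the user name")
    for word in policy.banned_words:
        if word in lowered:
            violations.append(f"contains disallowed word '{word}'")
    new_digest = password_digest(candidate)
    # Constant-time comparison against only the most recent history_depth entries.
    if any(hmac.compare_digest(new_digest, old) for old in history[-policy.history_depth:]):
        violations.append(f"reuses one of the last {policy.history_depth} passwords")
    if days_since_change is not None and days_since_change < policy.min_age_days:
        violations.append("minimum password age not yet reached")
    return violations
```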


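The answer's static virus-detection section names the string-scanning, wildcards and mismatches methods and generic (family) detection. The scanner below is an added example, not the expert's code; the signatures and sample bytes are constructed for illustration and are not indicators of any real malware. Only the "??" wildcard is implemented; the answer's "%" wildcard is not.

```python
from typing import Dict, List, Optional, Tuple


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn 'E8 ?? ?? 00 00 5D C3' into byte values, with None for each '??' wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def find_signature(buf: bytes, sig: str, max_mismatches: int = 0) -> Optional[int]:
    """Return the offset of the first match of sig in buf, or None if absent.

    '??' tokens match any byte (wildcards method). Up to max_mismatches
    non-wildcard positions may differ (mismatches method); 0 is plain string scanning.
    """
    pattern = parse_signature(sig)
    if not pattern or len(pattern) > len(buf):
        return None
    for off in range(len(buf) - len(pattern) + 1):
        mismatches = 0
        for i, want in enumerate(pattern):
            if want is not None and buf[off + i] != want:
                mismatches += 1
                if mismatches > max_mismatches:
                    break
        else:  # inner loop finished without exceeding the tolerance
            return off
    return None


# Constructed example signatures for illustration only; not real malware indicators.
SIGNATURES: Dict[str, str] = {
    "Example.Family.A": "E8 ?? ?? 00 00 5D C3",   # call with varying displacement, then return
    "Example.Family.B": "B8 01 00 00 00 C9 C3",   # fixed byte string, no wildcards
}


def detect(buf: bytes, max_mismatches: int = 0) -> List[Tuple[str, int]]:
    """Run every signature over buf (generic detection) and return (name, offset) hits."""
    hits = []
    for name, sig in SIGNATURES.items():
        off = find_signature(buf, sig, max_mismatches)
        if off is not None:
            hits.append((name, off))
    return hits


# Constructed sample buffers: a prologue followed by the Family.A pattern,
# and a variant in which one signature byte was changed.
SAMPLE_A = bytes.fromhex("558bece8123400005dc3")
SAMPLE_A_VARIANT = bytes.fromhex("558bece8123400015dc3")

if __name__ == "__main__":
    print(detect(SAMPLE_A))                        # [('Example.Family.A', 3)]
    print(detect(SAMPLE_A_VARIANT))                # []
    print(detect(SAMPLE_A_VARIANT, max_mismatches=1))  # [('Example.Family.A', 3)]
```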