Digital attacks are becoming more sophisticated. These attacks can cause severe damage to operations and to our assets, so we need to protect those assets: people, facilities and infrastructure are all assets.
The goal of an information security program is to protect assets such as digital data, people, hardware, facilities and infrastructure.
We as security engineers are the security guards for the data and other assets. The practices used to protect data and digital assets are categorized and discussed in the CISSP course.
CISSP consists of 8 domains.
The very first domain is Security and Risk Management. This CBK (Common Body of Knowledge) domain addresses the framework, policies and concepts that cover the protection of data. It also covers the methods and processes that IT administrators can use to test and assess the security level of the network and its data.
There are some concepts explained in this section:
Asset: Any data, people, systems, services or peripherals that have value to the business are called assets and need to be kept safe and secure. The Asset Value (AV) is the value of the asset you are trying to protect.
Vulnerability: A weakness in a system that allows a threat to cause harm to an asset. It can be a hole in a firewall, a physical security issue in a server room, or a program bug; in general, any weakness or gap in a security program that a threat can exploit to gain unauthorized access to an asset.
Threat: The potential harm that can come to an asset. This includes DoS attacks, viruses, data theft, data loss, power outages, hardware theft and so on: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
There are several types of network threats:
- Computer virus
- Software security bug
- Trojan horse
- Malware
- Computer worm
- Wi-Fi attacks
- Adware and spyware
- DoS and DDoS attacks
- Rootkit
- Phishing
- Man-in-the-middle attack
- SQL injection attack
Threat Agent: Anyone who uses a vulnerability to attack a network or an asset is called a threat agent. A hacker is a threat agent who uses a threat vector to exploit a vulnerability and attack a network.
Impact: The damage, and its level of severity, caused to a victim or asset. Impact is expressed in dollars.
Exposure Factor (EF): The percentage of an asset's value that is lost due to a single incident.
Risk: The likelihood of a threat agent leveraging a threat against an asset. It is often summarized as:
Risk = Threat × Vulnerability
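As an added example that is not part of the original notes, the Python below shows how the Asset Value and Exposure Factor defined above feed a small quantitative risk register. The Single Loss Expectancy (SLE = AV × EF) and Annualized Loss Expectancy (ALE = SLE × ARO, with ARO the annualized rate of occurrence) are the standard CISSP Domain 1 formulas, not stated on this page, and the register entries are constructed sample values.

```python
"""Quantitative risk register using AV, EF and dollar impact.

SLE = AV x EF and ALE = SLE x ARO are the standard CISSP Domain 1
formulas (assumed here; the page above defines only AV, EF and impact).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF as a fraction: 0.0 (no loss) .. 1.0 (total loss)
    aro: float              # annualized rate of occurrence, e.g. 0.2 = once per 5 years


def single_loss_expectancy(av: float, ef: float) -> float:
    """Dollar impact of one incident: SLE = AV x EF. Rejects out-of-range EF."""
    if av < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """Expected yearly loss: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return single_loss_expectancy(av, ef) * aro


def rank_register(entries):
    """Return (asset, threat, SLE, ALE) rows sorted by ALE, highest first."""
    rows = []
    for e in entries:
        sle = single_loss_expectancy(e.asset_value, e.exposure_factor)
        ale = annualized_loss_expectancy(e.asset_value, e.exposure_factor, e.aro)
        rows.append((e.asset, e.threat, sle, ale))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample register: illustrative numbers only, not real data.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "data theft", 500_000, 0.60, 0.20),
    RiskEntry("web server", "DDoS attack", 200_000, 0.25, 2.0),
    RiskEntry("server room", "power outage", 1_000_000, 0.05, 0.5),
]

if __name__ == "__main__":
    for asset, threat, sle, ale in rank_register(SAMPLE_REGISTER):
        print(f"{asset:18} {threat:13} SLE=${sle:>10,.0f} ALE=${ale:>10,.0f}")
```

Note that the highest single-incident impact (the customer database) is not the highest annualized risk once frequency is considered, which is why ALE rather than SLE is typically used to prioritize controls.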