Multifactor authentication is the process of proving an identity, confirming that a user is who they say they are. In the computer world, authentication is achieved by providing some piece of information that only the actual user can provide. The five categories of computer system authentication factors are:
• Something you are, such as biometric information (e.g., fingerprint or retina scan).
• Something you have, such as smart cards, RSA tokens, or security key fobs.
• Something you know, such as passwords and PINs.
• Somewhere you are, such as a geographical location.
• Something you do, such as how you type a sentence on a keyboard.
should include not only deactivating or deleting unused accounts, but also destroying data that might remain on storage media to prevent sensitive data from being accessible to unauthorized users.
For media intended for reuse in the same security environment, perform a cleaning by deleting or overwriting the data on the media. For magnetic media, methods might include:
• Applying a magnetic field to render the data unreadable (known as degaussing). This is the least reliable means to clean or purge media.
• Overwriting the data with zeros, such as with a tool like Microsoft's Cipher command. Simply deleting the files will not remove the data from the disk.
For media intended for use in a different security environment, perform a drive wipe, purge, or sanitization by overwriting the media a minimum of 7 times with random data.
For media that has reached the end of its useful life, destroy the media. Media destruction can be accomplished through:
• Crushing (useful for CDs, DVDs, and hard drives)
• Incineration (for paper and many other types of media)
• Shredding using an approved shredding process (straight-cut shredders offer little protection; cross-cut shredders provide greater security)
Because optical media (CDs and DVDs) store data without a magnetic field, degaussing has no effect on them; they must be physically destroyed.
When identifying threats, consider the various sources of threats:
• External threats are those events originating outside of the organization that typically focus on compromising the organization's information assets. Examples are hackers, fraud perpetrators, and viruses.
• Internal threats are intentional or accidental acts by employees, including:
o Malicious acts such as theft, fraud, or sabotage
o Intentional or unintentional actions that destroy or alter data
o Disclosing sensitive information through snooping or espionage
• Natural events are those events that may reasonably be expected to occur over time. Examples are a fire or a broken water pipe.
• Disasters are major events that have significant impact on an organization. Disasters can disrupt production, damage assets, and compromise security. Examples of disasters are tornadoes, hurricanes, and floods.
The quantitative value of risk can be determined with the following calculation: SLE x ARO = ALE, where the single loss expectancy (SLE) is the cost of one incident, the annualized rate of occurrence (ARO) is the expected number of incidents per year, and the annualized loss expectancy (ALE) tells you how much a potential threat costs each year. For example, if the asset loses $1,000 for each incident (SLE) and you expect an incident every four years (ARO = 0.25), the annual cost for that asset (ALE) would be $250.
As you attempt to quantify and assess risks, consider creating a risk register early in the risk management process. A risk register provides details of each known risk, including a risk category, description, unique identification number, projected impact, likelihood of occurring, and risk response plan. This information can be used to create a scatter plot that represents the possible impact of each risk in relation to its overall probability. Having a visual representation of risks can help stakeholders better assess them.
After you have identified the risks and their associated costs, you can determine how best to respond to the risk. Responses include:
• Taking measures to reduce (or mitigate) the likelihood of the threat by deploying security controls or other protections. When deploying countermeasures, the annual cost of the countermeasures should not exceed the ALE. If it does, you are paying more to protect the asset than it is worth. Security control types include:
Consider the following factors when implementing security controls to reduce risk:
o Compatibility with the existing infrastructure
o Regulatory compliance
o Organizational policies
o Operational (performance) impact
o Feasibility (technical requirements or usability)
o Safety and reliability
• Transferring (or assigning) risk by purchasing insurance to protect the asset. When the incident occurs, the cost of replacing or repairing the asset is covered by insurance. When deciding to transfer the risk, be sure to compare the cost of insurance with the ALE. Purchase the insurance only if its cost is less than the ALE.
• Accepting the risk and choosing to do nothing. For example, you might decide that the cost associated with a threat is acceptable or that the cost of protecting the asset from the threat is unacceptable. In this case, you would plan for how to recover from the threat, but not implement any measures to avoid it.
• Risk rejection (or denial) is choosing not to respond to the risk even though the risk is not at an acceptable level. Risk rejection introduces the possibility of negligence and may lead to liability. Risk rejection is not an appropriate response.
• Risk deterrence is letting threat agents know of the consequences they face if they choose to attack the asset. This could include posting warnings on login pages to indicate prosecution policies.
• Distributive Allocation responds to the risk by spreading it through redundancy and high availability techniques such as clustering, load balancing, and redundant storage arrays.
It is not possible to eliminate all risk. Taking actions reduces risk to acceptable levels. Risk that remains after reducing or transferring risk is called residual risk.
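The risk register, the ALE calculation, and the cost comparisons for mitigating, transferring, or accepting a risk, worked through in Python as an added example (not part of the original notes). The register entries and their cost figures are constructed; the first entry reuses the $1,000 SLE and four-year interval from the notes.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a risk register (fields taken from the notes above)."""
    risk_id: str          # unique identification number
    category: str         # threat source: External, Internal, Natural, Disaster
    description: str
    sle: float            # single loss expectancy: cost of one incident, in dollars
    aro: float            # annualized rate of occurrence: expected incidents per year
    control_cost: float = 0.0    # yearly cost of the countermeasure under consideration
    insurance_cost: float = 0.0  # yearly premium to transfer the risk (0 = not offered)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


def recommend_response(risk: Risk) -> str:
    """Apply the rule from the notes: a control or an insurance policy is only
    worth buying if its yearly cost is below the ALE; otherwise accept the risk.
    Accepting costs the ALE itself (the expected yearly loss)."""
    options = {"accept": risk.ale}
    if 0 < risk.control_cost < risk.ale:
        options["mitigate"] = risk.control_cost
    if 0 < risk.insurance_cost < risk.ale:
        options["transfer"] = risk.insurance_cost
    return min(options, key=options.get)


def scatter_points(register):
    """(id, likelihood, impact) triples for the impact-vs-probability scatter plot."""
    return [(r.risk_id, r.aro, r.sle) for r in register]


# Constructed sample register (hypothetical values).
REGISTER = [
    Risk("R-001", "External", "Web server defacement", sle=1000, aro=0.25,
         control_cost=300, insurance_cost=200),     # ALE 250: insurance wins
    Risk("R-002", "Natural", "Broken pipe floods server room", sle=4000, aro=0.5,
         control_cost=1500, insurance_cost=2500),   # ALE 2000: control wins
    Risk("R-003", "Internal", "Accidental deletion of shared files", sle=400, aro=2.0,
         control_cost=900),                         # ALE 800: both too costly
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id} ALE=${r.ale:,.0f} -> {recommend_response(r)}")
```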
*Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of disaster.
*Attempts to take into consideration every failure possible.
*Plans for converting operations to alternate processing sites in case of disaster.
*Plans for converting back to the original site after the disaster has concluded.
*Disaster recovery exercises (such as fire drills) that simulate a possible disaster.
Decisions about alternate site locations need to be guided by the following requirements:
*Maintain adequate geographic distance between primary and secondary sites. Such geographic diversity can minimize the possibility of a disaster bringing down both sites.
*Site locations can have legal implications, especially when data is stored in multiple countries. Data sovereignty refers to the fact that every country has its own laws and regulations regarding digital data storage. Data safety and privacy concerns may need to be reassessed for each location.
*Decide whether the backup site will be hot or cold. A hot site is set up with servers and workstations that have almost immediate access to data that is continuously replicated from the main site. If this is too expensive, a cold site, such as an empty warehouse, can be used. The disadvantage of a cold site is that it will take much longer to install the hardware and software necessary to resume business operations.
Whether a hot or a cold site is chosen as a backup, alternate business practices and processes need to be defined and stored in each location. Critical tasks should be described in sufficient detail to allow business staff to carry them out with minimal training.
Keep in mind the following when creating the disaster recovery and business continuity plans:
A good plan documents all important decisions before the disaster strikes. When a disaster occurs, staff members simply need to follow the documented procedures.