Risk Management: Risk Mitigation | Saylor Academy

Instruction

Risk Mitigation

Risk mitigation involves reducing the severity of the loss or the likelihood of the loss from occurring. There are many technical controls that can be used to mitigate risk including authentication systems, file permissions and firewalls. Organization and security professionals must understand that risk mitigation can have both positive and negative impact on the organization. Good risk mitigation finds a balance between negative impact of countermeasures and controls and the benefit of risk reduction. A shorter-term strategy is to accept the risk, in the sense of accepting the necessity for creating contingency plans for that risk.

Modern software development methodologies reduce risk by developing and delivering software incrementally and providing regular updates and patches to address vulnerabilities and misconfigurations.

Outsourcing services can be an example of risk reduction. Hiring specialists to perform critical tasks to reduce risk can be a good decision and yield greater results with less long term investment. The ISO framework identifies several ways to manage risk:

Accept – periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.

Reduce – design a new business process with adequate built-in risk control and containment measures from the start.

Transfer – transfer risks to an external agency (a service level agreement or insurance company).

Avoid – avoid risks altogether would include measures such as physically disconnecting from the Internet.

Figure 12 – Ways to deal with risk

These strategies are not mutually exclusive. A good risk mitigation plan can include two or more strategies.

General

Course Syllabus

Unit 1: Introduction to Information Security

1.1: The History and Evolution of Information Security

Information Security History

Timeline of the History of Information Security

1.2: Confidentiality, Integrity, and Availability – The CIA Triad

The CIA Triad

1.3: Threats, Vulnerabilities, and Risks

Threats and Vulnerabilities

The Elements of Security: Vulnerability, Threat, Risk

1.4: The Risk Management Process

NIST SP 800-39

Risk Management

More on Risk Management

1.5: The Incident Response Process

NIST SP 800-61

Incident Response

1.6: Security Control

Security Control

Security Control Types

Security Control Functions

1.7: Defense-in-Depth

Introduction to Defense-in-Depth

Defense-in-Depth Example

Defense-in-Depth

1.8: Human Behavioral Risks

The Human Factor

Humans are the Weakest Link

Security Awareness, Training, and Education

Security Threats and the Human Factor

1.9: Security Frameworks

Security Frameworks

Center for Internet Security (CIS) Controls

Payment Card Industry Data Security Standard (PCI DSS)

Unit 1 Assessment

Unit 1 Assessment

Unit 2: Threats and Attack Modes

2.1: Threat Terminology

Threat Terminology

An Overview of Threats

Privacy Threats

2.2: Types of Attacks

Types of Attacks

Classifying Threats

Birthday Attacks

What is a Botnet?

More on Botnets

Man-in-the-Middle Attacks

Teardrop Attacks

What is War Dialing?

More on War Dialing

Zero-Day Exploits

2.3: Spoofing Attacks

Spoofing Attacks

A Comprehensive Analysis of Spoofing

Email Spoofing

Caller ID Spoofing

IP Address Spoofing

2.4: Social Engineering

An Overview of Social Engineering

Dumpster Diving

One Man's Trash is Another Man's Treasure

Shoulder Surfing

Tailgating

How to Protect Against Tailgating

Phishing, Spear-phishing, and Whaling

Pretexting

2.5: Application Attacks

Application Attacks

Types of Application Attacks

The Basics of Buffer Overflows

More on Buffer Overflows

Time of Check to Time of Use

Application and Escalation of Privilege

Escalation of Privilege

2.6: Web Application Attacks

Types of Application Attacks

Cross-Site Scripting

Examples of Cross-Site Scripting