Skip to main content

1.6 IT Concepts and Area of Concerns for the Risk Practitioner

1.6 IT Concepts and Area of Concerns for the Risk Practitioner

 

Environmental Controls

 

Risk practitioner should consider following aspect of environmental controls:


  • Following are four types of power failure:


Type

Description

Blackout

Complete loss of the power.

Brownout

Severely reduced voltage  which may place strain on electronic equipment or even cause permanent damage

Sags, Spikes and surges

  • Sag is a rapid decrease in voltage level. Spikes and surges are rapid increases in voltage level. These may result in data corruption in the server or the system.


  • Sags, spikes and surges may be prevented by using properly placed protectors.


  • Surge and spike device helps to protect against high voltage power bursts.


  • Most effective control to protect against short term reduction in electric power is power line conditioner. Power line conditioner is a device intended to improve the quality of power that is delivered to electric equipment. They compensate for the peak and valleys in the power supply. When electric supply is low, it provides its own power and maintains a constant voltage.

Electromagnetic Interference (EMI)

  • EMI is caused by electrical storms or noisy electrical equipment.

  • This interference may cause computer systems to hang or damage.


  • Uninterruptible power supply (UPS) can help to support the organization from interruptions, which last from a few seconds to 30 minutes. Alternate power supply (such as power generator) medium is most effective when there is long term power unavailability.


  • Following are some of the best practices for maintenance of water and smoke detectors:


  • In the computer room, water detectors should be placed under raised floors and near drain holes.

  • Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and below the raised computer room floor.

  • Location of the water and smoke detector should be highlighted for easy identification and access.

  • Responsibility to be assigned to a dedicated employee for remedial action in case of alarm. Standard operating procedure should be available. 

  • Location of these devices is very important and should be placed in such a way to give early warning of a fire.

  • Power supply to these devices should be sufficient.

  • These devices should be tested at regular intervals.


  • Emergency evacuation plans should be posted throughout the facility.


  • Electrical wiring should be placed in fire-resistant panels and conduit. This conduit should ideally lie under the fire-resistant raised computer room floor.


  • Following are some of the fire suppression system:



Type

Description

Wet Sprinkler (water based)

  • In WBS, water always remains in the system piping.

  • WBS is more effective and reliable.     

  • Disadvantage of exposing the facility to water damage if pipe leaks or breaks.

Dry Pipe Sprinkler

  • DPSS do not have water in the pipes until an electronic fire alarm activates the water pump to send water into the system.

  • Comparatively less effective and reliable.

  • Advantage of not exposing the facility to water damage even if pipe leaks or breaks.

Halon System

  • Halon gas removes oxygen from air thus starving the fire.

  • They are not safe for human life.

  • There should be audible alarm and brief delay before discharge to permit time for evacuation.

  • Halon gas is banned as it adversely affects the ozone layer.

  • Popular replacements are FM-200 & Argonite.

FM 200

  • FM-200 is colorless & odorless gas.

  • FM-200 is safe to be used when people are present.

  • FM-200 is environment friendly.

  • It is commonly used as a gaseous fire suppression agent. 

Argonite

  • Argonite is a mixture of 50% Argon & 50% Nitrogen.

  • It is used as a gaseous fire suppression agent. 

  • Though environment friendly & non-toxic, people have suffocated by breathing argon by mistake.

Carbon dioxide Systems

  • CO2 Systems release pressurized CO2 gas in the area protected to replace the oxygen required for combustion.

  •  CO2 is very dangerous for human life.

  • In most countries, it is illegal for such systems to be set to automatic release if any human is present in the area.

  • CO2 installations are permitted where no humans are regularly present such as unmanned data centers.


Network Components

Cabling

Following types of cabling are used in networking

  • Twisted Pairs (shielded twisted pairs (STP) and unshielded twisted pairs (UTP))

  • Fiber-optics

  • Co-axial

 

Shielded Twisted Pair (STP)

 

  • Two insulated wires are twisted around each other, with current flowing through them in the opposite direction.

  • This reduces the opportunity for cross talk and allows for lower sensitivity for electromagnetic disturbances.

  • CAT7 cable is a shielded cable.  that protects each pair of wires and the cable itself, thereby reducing noise and cross talk for ultra-high speed Ethernet.

 

Unshielded Twisted Pair (UTP)

 

  • For unshielded twisted pairs a disadvantage is that it is not immune to the effect of electromagnetic interface (EMI).

  • Unshielded twisted pairs should be away from potential interference such as fluorescent lights.

  • Parallel runs of cable over long distances should be avoided since the signals on one cable can interfere with signals on adjacent cables (i.e. cross talk).

  • The least expensive option used for many local area networks (LANs) is UTP cable with a grade of category 5e (CAT5e) or category 6 (CAT6).

  • However, cable should not exceed the approved length of the cable runs (100 meters for CAT5e, 55 meters for CAT6).

 

Fiber Optics


  • Glass fibers are used to carry binary signals as flashes of light.

  • Fiber-optic systems have very low transmission loss.

  • Fiber-optics are not affected by electromagnetic interference (EMI).

  • Fiber-optic cables have proven to be more secure than the other media.

  • Fiber is a preferred choice for high volume and long distance calls.

Repeaters


  • Dictionary meaning of repeater is a person or thing that repeats something.

  • In telecommunications, a repeater is an electronic device that receives a signal and retransmits it. Repeaters are used to extend transmissions so that the signal can cover longer distances or be received on the other side of an obstruction.

  • They compensate for signals that are distorted due to a reduction of signal strength during transmission


Hub


  • Hub connects many devices together for exchange of data.

  • Hub broadcast message to all the connected devices.

  • Collisions occur commonly in setups using Hubs.

  • Hub cannot learn or store MAC addresses.

  • Hubs are classified as Layer 1 (Physical Layer) of OSI models.

Switches

  • Switch is a more advanced /intelligent version of a Hub.

  • Switch send message to only required device.

  • No collusion occurs in the full duplex switch.

  • Switch stores MAC addresses in a lookup table.

  • Switches operate at Layer 2 (Data Link Layer) of OSI model.

Router

  • Routers are a more intelligent version of Switch.

  • Routers operate at the network layer.

  • By examining the IP address, the router can make intelligent decisions to direct the packet to its destination.

  • The network segments linked by a router, however, remain logically separate and can function as independent networks.

  • Routers can block broadcast information, block traffic to unknown addresses, and filter traffic based on network or host information.

Firewall

Firewall is a device to monitor and control the network traffic. It is generally placed between an organization's internal network and internet for protection of the system and infrastructure of the organization.

Following are types of firewall:

Packet Filtering Router


  • Simplest & earliest kind of firewall.

  • Allow or Deny action is done as per IP address and port number of source & destination of packets.

  • Works at Network Layer of OSI.

 

Stateful Inspection

  • A stateful Inspection firewall keeps track of destination of each packet that leaves the internal network.

  • It ensures that the incoming message is in response to the request that went out of the organization.

  • Works at Network Layer of OSI.

Circuit Level

  • Works on the concept of bastion host and proxy server.

  • Same Proxy for all services.

  • Works at Session Layer of OSI.

 

Application Level


  • Works on the concept of bastion host and proxy server.

  • Separate Proxy for each application.

  • Works at Application Layer of OSI.

  • Controls applications such as FTP and http.

  • Out of the above firewalls, application level firewall is the most secure type of firewall.

 

Risk practitioners should conduct the review of firewall parameter settings to ensure that firewall rules are deployed as per security policy.


Proxy


  • A proxy is a middleman. Proxy stands between internal and external networks.

  • Proxy will not allow direct communication between two networks.

  • Proxy technology can work at different layers of OSI models. A proxy based firewall that works at a lower layer (session layer) is referred to as circuit-level proxy. A proxy based firewall that works at a higher layer (application layer) is called an application level proxy.


Domain Name System


  • Domain name system (DNS) provides a simple cross-reference between domain name and related IP address.


  • For example, if the IP address for the particular website is 192.166.1.0 and the name of the website is www.criscstudy.blogspot.com.


  • User will type www.criscstudy.blogspot.com and DNS server will redirect to logical address i.e. 192.166.1.0


  • DNS can be used by hackers to gather the information about the organization for planning the attack.


  • Also, tools and techniques are available to send false DNS replies to misroute the traffic.


  • DNS replies are also used in amplification attacks to flood traffic to a particular system.


  • In pharming attack, malware changes domain name system (DNS) server settings and  redirects users to malicious sites

Demilitarized Zone


  • Demilitarized zone (DMZ) is the area which is accessible to the external network.

  • Objective of setting up a DMZ is to prevent the external traffic to have direct access to critical systems of the organization.

  • All the systems placed in DMZ should be hardened and all required functionality should be disabled.

  • Such systems are also referred to as bastion hosts.

  • The firewall ensures that traffic from the outside is routed into the DMZ.

  • Nothing valuable is kept in a DMZ because it is subject to attack and compromise from the attack.

Virtual Private Network


  • A virtual private network (VPN) is used to extend a private network through use of the internet in a secured manner. It provides a platform for remote users to get connected to the organization's private network.


  • Prime objective of VPN technology is to enable remote users and branch offices to access applications and resources available in private networks of organization. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated circuits or with tunneling protocols.


  • VPN technology, if properly configured, will reduce the risk associated with sensitive data travelling in an open public network.


Types of Network Topology

 

Network Topology

Descriptions

Bus

  • It is the simplest form of design where every device is connected by one communication path.

  • Major vulnerability of bus topology is upstream dependency i.e. dependency on single cable.

  • If this cable is damaged, all the devices beyond the point of severance will be unavailable.

  • It is also relatively easy to intercept traffic on a bus network.

Star

  • In a star network topology, each device is connected to a centralized switch.

  • Design makes it very difficult for one device to intercept the traffic meant for another device.

  • However, loss of central switch can affect all users.

Tree

  • A tree network is a connection of multiple star networks.

  • Tree networks are popular because of its scalability.

Ring

  • A ring connects every device and allows traffic to pass in one or both directions.

  • A ring network is used where reliable high-speed communications and fault tolerance is required.

Mesh

  • In mesh topology, many devices are connected to many other devices in a mesh so they can directly communicate with one another.

  • They are comparatively costly to implement.

Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

What kind of devices can be placed within a demilitarized zone (DMZ)?

Devices that interacts outside the organization such  Mail relay / Email Server

What is the objective of conducting peer review of firewall configuration? 

To detect errors

Process to ensure that firewall deployments are in accordance with security policy

Review of firewall parameter settings

What is a pharming attack?

In pharming attack, malware changes domain name system (DNS) server settings and  redirects users to malicious sites

What is the most prevalent risk of virtual private networks?

Entry of malicious code into the network

What is the most secured and cost effective method for remote access?

Virtual Private Network

Most robust and secured kind of firewall

Application Level Firewall


 

Video Tutorial - 1.6A - Demilitarized Zone


Video Tutorial - 1.6B - Virtual Private Network (VPN)







Flashcards - IT Concepts and Areas of Concern for the Risk Practitioner


Practice Questions - IT Concepts and Areas of Concern for the Risk Practitioner


Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us