Risk management life cycle and treatment [CISMP]
Agent Smith: Benefits of risk management

In this course, you'll examine the risk management life cycle and treatment, and you'll learn about qualitative and quantitative methods as well as the risk register and asset classification.


Voiceover: Agent Smith is an opportunist. As they wander the offices of their target, they search for a vulnerability, and before long, find one: an unattended computer still logged in. This is the perfect asset for someone like Smith. They look around, and most of the office is either on calls or at lunch. Confidently, Smith starts having a look through the files on the computer. They manage to access the personal data of an individual, a person called Tanner Holmes, including what their job title is, their bank details, and more. But this person isn't really Smith's target; they're just a stepping stone. With this data in hand, Smith can disguise themselves as Tanner, using Tanner's data to con their way into the target's sensitive systems.

Mark: So, this is quite a common occurrence, unfortunately, in businesses. People leave their laptop or computer unattended and walk away, either to get coffee or to make a quick phone call. They've been distracted by something, which could be intentional, because sometimes people use a technique called diversion, where they'll try and divert someone's attention away from their machine so that someone else can access it. So, he's an opportunist. He's come into the situation and, as an opportunist, he's taken advantage of it. So, he's obviously come onto the computer, the person's laptop is open, probably with their HR data accessible on there, left open, and this person could then browse it, maybe taking photographs of it, or memorising what they are seeing. So, we've got a user, and any hacker wants to escalate their privileges or escalate access to the system, so they'll start with one person, as they're doing on this occasion, and they want to get to someone more senior. There are different techniques they could use in this. They could obviously install malware on the system, or they could use a technique called clone phishing. Now, clone phishing is where someone sends an email within a company to another person that they know, so this person receives the email thinking it's from a person that they know, and it's not, so it's like a man-in-the-middle attack; that's what we refer to that type of attack as. So, they could also implant malware, maybe using something like a Rubber Ducky, which is a malicious device that can install a keylogger, so it can install software directly onto the laptop itself because it's open. They could install programmes which then later could be exploited, and that's what's happened.

So, we can apply different types of security techniques to help defend against this type of attack. There are soft controls and hard controls. The soft controls will be policies, processes, and procedures. So, the policy is that you do not leave your laptop unattended under any circumstances, and that could also be enforced through disciplinary action, so that's something people would be aware of. But it also happens many times when people have fire alerts, for example. The building gets evacuated and people are told, 'You have to leave the building immediately.' That can be a vulnerability. Now, a hacker could have caused that fire alert by triggering it, and that's another diversion attack: triggering a simulated alarm that has people leaving the building, so they then come into the building and get access to these unattended laptops. Now, some companies can set up a technical solution so that, if this happens, the laptop will lock itself immediately if there's a fire alert. Also, we can set up timing so the laptop will lock by itself. Some people, if you move away from a laptop and the camera's looking at you, it automatically will close itself as well. So, these are different solutions. Sometimes that can be difficult for some people because obviously, you know, you're looking around and suddenly you're talking to your colleague, and it doesn't see you, and it can lock down, but these are potential solutions we can look at.

Training and awareness is obviously a key one as well, and also we should be doing penetration testing. Now, penetration testing is a simulation where people go round the office and try to get access to people's laptops or computers if they leave them unattended, maybe leaving messages, and this could also be documented to show whether people are leaving the company vulnerable or not through these different types of techniques. So, by doing the penetration testing you're simulating what could happen and how to defend against it, and you're bringing the training and awareness to their thoughts and minds in relation to it, so now they physically know what's happening, and that's it.
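The timed lock and walk-away lock that Mark mentions as technical (hard) controls map onto a small set of Windows settings. The script below is an added example, not part of the course or its materials: it audits those settings on a Windows 10/11 machine and, with `-Enforce`, sets them. The 300-second idle limit is an assumed policy value; the HKLM value needs local administrator rights; and in a domain these would normally be delivered by Group Policy rather than a script. Windows' built-in walk-away lock (Dynamic Lock) is proximity based on a paired Bluetooth phone, not camera based as in the transcript's example.

```powershell
# Added example (not from the CISMP course): audit and optionally enforce the Windows
# idle-lock settings that close the "unattended, still logged-in machine" window.
# Assumes Windows 10/11 and, for the HKLM value, an elevated PowerShell session.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds = 300,   # assumed policy value: lock after 5 minutes idle
    [switch]$Enforce              # without this switch the script only reports
)

# Each check: registry location, value name, required value, and what it controls.
# The user-policy screensaver values are what the Group Policy settings
# "Enable screen saver", "Password protect the screen saver" and "Screen saver timeout" write.
$checks = @(
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaveActive';    Want = '1';                Type = 'String'
       Why  = 'screen saver enabled (user policy)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaverIsSecure'; Want = '1';                Type = 'String'
       Why  = 'password required on resume (user policy)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
       Name = 'ScreenSaveTimeOut';   Want = "$MaxIdleSeconds"; Type = 'String'
       Why  = 'idle seconds before the screen saver starts (user policy)' },
    # "Interactive logon: Machine inactivity limit": locks the session regardless of
    # per-user screen saver settings, so it is the machine-wide backstop for the timed lock.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'InactivityTimeoutSecs'; Want = $MaxIdleSeconds; Type = 'DWord'
       Why  = 'machine inactivity limit in seconds (machine policy)' },
    # Dynamic Lock: lock when the user's paired Bluetooth phone goes out of range.
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'EnableGoodbye';       Want = 1;                  Type = 'DWord'
       Why  = 'Dynamic Lock when the paired phone leaves Bluetooth range' }
)

function Test-IdleLockSetting {
    param([hashtable]$Check)
    $current = $null
    if (Test-Path $Check.Path) {
        $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    }
    # A timeout is compliant if it is set, non-zero, and no looser than the required value.
    $isTimeout = $Check.Name -in 'ScreenSaveTimeOut', 'InactivityTimeoutSecs'
    $ok = if ($null -eq $current) { $false }
          elseif ($isTimeout)     { ([int]$current -gt 0) -and ([int]$current -le [int]$Check.Want) }
          else                    { "$current" -eq "$($Check.Want)" }
    [pscustomobject]@{
        Setting   = $Check.Name
        Current   = $current
        Required  = $Check.Want
        Compliant = $ok
        Purpose   = $Check.Why
    }
}

function Set-IdleLockSetting {
    param([hashtable]$Check)
    if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
    New-ItemProperty -Path $Check.Path -Name $Check.Name -Value $Check.Want `
                     -PropertyType $Check.Type -Force | Out-Null
}

$results = foreach ($c in $checks) {
    $r = Test-IdleLockSetting -Check $c
    if ($Enforce -and -not $r.Compliant) {
        Set-IdleLockSetting -Check $c
        $r = Test-IdleLockSetting -Check $c   # re-read so the report shows the enforced value
    }
    $r
}

$results | Format-Table Setting, Current, Required, Compliant, Purpose -AutoSize

# Non-zero exit code when anything is still non-compliant, so the script can feed a
# compliance or configuration-management pipeline.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without switches to see which of the five settings are missing or looser than the assumed limit; run it with `-Enforce` from an elevated prompt to set them. A lock triggered by a fire alarm, as mentioned in the transcript, is not a built-in Windows setting; it would need the alarm system to send a lock signal to an endpoint management agent, which is outside what this script covers.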
