Chapter 1 Measuring and Weighing Risk Flashcards

1
Q

SLE x ARO = ALE

A

Single Loss Expectancy (how much one loss costs)

x

Annual Rate of Occurrence (how likely it is to happen)

=

Annual Loss Expectancy (how much you will lose)

2
Q

Qualitative vs. Quantitative Risk Assessment

A

Qualitative

  • Opinion based and subjective
  • May be valued by the business, but not necessarily by customers

Quantitative

  • Cost-based and subjective
  • May impede money making ability
3
Q

Likelihood (risk)

A

A score representing the possibility of an event occurring

Can be expressed in qualitative or quantitative terms

4
Q

Threat Vectors (risk)

A

The way in which an attacker poses a threat

  • May be a tool an attacker would use, the path they may follow, et cetera
  • Anything from a fake email to an unsecured hotspot
5
Q

MTBF (failure risk)

A

Mean Time Between Failure

-The life expectancy of a system or part that can be repaired

6
Q

MTTF (failure risk)

A

Mean Time To Failure

-Average time to failure of an object that must be replaced, not repaired

7
Q

MTTR (failure risk)

A

Mean Time To Restore/Repair

-How long it will take to repair or restore a piece of equipment

8
Q

RTO (failure risk)

A

Recovery Time Objective

-Maximum time a process or service is allowed to be down, and the consequences further downtime may bring to the company

9
Q

RPO (failure risk)

A

The time allowed between recovery point and failure

-Less time is more expensive

10
Q

Risk Avoidance

A

Identify the risk, no longer engage in the actions that cause the risk

-Suzie downloaded a virus from a weird FTP server? All right, FTP ports are now blocked.

11
Q

Risk Transference

A

Share the burden of risk with someone else, like an insurance company or a cloud storage service

12
Q

Risk Mitigation

A

Taking steps to reduce risk

13
Q

DLP

A

Data Loss Prevention

-Monitors systems to make sure key info isn't missing. See who's using and transmitting data.

14
Q

Risk Deference

A

Threaten potential enemies to keep them from wanting to initiate an attack on the company

15
Q

Risk Acceptance

A

Sometimes the cost of implementing a system outweighs the cost of an attack, or sometimes you simply don’t have the budget to worry about certain attacks.

-These risks MUST be identified and quantified

16
Q

Three Different Cloud Deployment Types

A

PaaS-Platform as a Service

-Vendors allow apps to be created and run on their infrastructure

SaaS-Software as a Service

-Applications are run remotely over the web

IaaS-Infrastructure as a Service

-Virtualization that’s paid for

17
Q

Risks of Cloud Computing

A

Regulatory Compliance

-You may have to comply with regulations set by, say SOX. It can be hard to prove that you’re complying with a cloud-based system.

User Privileges

  • You don't have the same level of control and administration
  • Recovering from issues may be limited to Service provider tech staff availability

Data Integration/Segregation

-Data may be too close to other companies’. Keep your data encrypted and set parameters.

18
Q

Risks of Virtualization

A

Breaking out of the VM

-A skilled hacker may be able to break out of their virtual machine and wreak havoc system-wide

Network Security Controls can intermingle

  • The tools to administer a VM may not be as robust
  • If the hypervisor can be attacked, the whole system is compromised
19
Q

Policies

A

Provides employees with guidance about expected behavior

Scope Statement

  • What the policy intends to accomplish, and which documents, laws, and practices the policy addresses
  • What the policy is about and how it applies to the users

Policy Overview Statement

-Goal of the policy, why it's important, how to comply

-Roughly a paragraph long

Accountability Statement

  • Address who (position) is responsible for ensuring the policy is enforced
  • Give the user contact info for problem reports
  • Consequences for poor compliance

Exception Statement

  • Guidance for the procedure/process of deviation from the policy
  • May include an escalation contact
20
Q

Standards

A

Deals with specific issues and aspects of a business

Should provide enough detail that an audit may be performed

Scope and Purpose

-Explain intention. May include software, addons, etc.

Roles and Responsibilities

-Who’s responsible for implementing, monitoring, and maintaining?

Reference Documents

-Explains standards to clear up confusion or uncertainty

Performance Criteria

-Baselines and technology standards

Maintenance and Administrative Requirements

-What do you need to manage and administer the systems?

21
Q

Guidelines

A

Less formal policies or standards

Give you step-by-step instructions for accomplishing certain tasks

Scope and Purpose

-Why it exists, to whom it applies

Roles and Responsibilities

-Which departments are assigned which tasks

Guideline Statements

-General steps on how to do shit

Operational Considerations

-What needs to happen and when

22
Q

Separation of Duties

A

Make sure not just one person is running the show

Cuts down on chances of embezzlement and makes sure you’re not dependent on one person to do a job

23
Q

Privacy Policies

A

Essentially the privacy rights users have in general when making use of the company’s equipment

24
Q

AUPs

A

Acceptable Use Policies

-What users are allowed to do and the consequences for not following the AUP

25
Q

Security Policies

A

What controls are required to implement and maintain security systems

26
Q

Job Rotation

A

Defines the intervals at which employees must rotate jobs

-Same benefits as Separation of Duties

27
Q

Succession Planning

A

Which employees are able to fill certain positions should the positions vacate

28
Q

Error Types (false positives/negatives)

A

Type I -False positive. There wasn't really a problem

Type II -False negative. A problem wasn't properly reported

Type III -You came to the right conclusion, but for the wrong reasons

29
Q

BIA

A

Business Impact Analysis

Identify critical functions

-What is absolutely necessary to function?

Prioritize critical business functions

-What services do you need to restore first?

Calculating time frame for critical system loss

-How long can you survive without a given system?

Estimating tangible/intangible impact on the organization

  • Tangible: lost production or sales
  • Intangible: will customers lose faith in the company?

30
Q

Redundancy

A

Systems are...

Duplicated

-Mirroring of systems in case of whole system failure

Clustered

-Many systems working together to accomplish a certain task

Set up for failover

-If a system fails, another system will pick up where it left off

*This can be very expensive

31
Q

Fault Tolerance

A

The ability of a system to sustain operations in the event of component failure

-Have spare parts and backup electrical power at the ready

32
Q

RAID

A

RAID 0-Disk striping

-Data is written across disks simultaneously for insane speed and complete lack of fault tolerance

RAID 1-Mirroring

-Data is cloned on disks to provide for slow speeds and 100% fault tolerance

RAID 3-Striping with Parity Disk

  • A parity disk keeps information so if a disk in the RAID array goes out, a new one can be plugged in and the data can be restored
  • If the parity disk fails, the whole system fails

RAID 5-Striping with Parity

  • Parity information is written across all disks
  • If you lose any drive, you can plug in a new one and the data can be restored
  • 3-32 disks allowed