Chapter 1 Measuring and Weighing Risk Flashcards

Flashcards in Chapter 1 Measuring and Weighing Risk Deck (32)


Single Loss Expectancy (how much one loss costs)


Annual Rate of Occurrence (how likely it is to happen)


Annual Loss Expectancy (how much you will lose)


Qualitative vs. Quantitative Risk Assessment


Qualitative

-Opinion-based and subjective

-May be valued by the business, but not necessarily by customers

Quantitative

-Cost-based and subjective

-May impede money-making ability


Likelihood (risk)

A score representing the possibility of an event occurring

Can be expressed in qualitative or quantitative terms


Threat Vectors (risk)

The way in which an attacker poses a threat

-May be a tool an attacker would use, the path they may follow, et cetera

-Anything from a fake email to an unsecured hotspot


MTBF (failure risk)

Mean Time Between Failure

-The life expectancy of a system or part that can be repaired


MTTF (failure risk)

Mean Time To Failure

-Average time to failure of an object that must be replaced, not repaired


MTTR (failure risk)

Mean Time To Restore/Repair

-How long it will take to repair or restore a piece of equipment


RTO (failure risk)

Recovery Time Objective

-Maximum time a process or service is allowed to be down, and the consequences further downtime may bring to the company


RPO (failure risk)

The time allowed between recovery point and failure

-Less time is more expensive


Risk Avoidance

Identify the risk, no longer engage in the actions that cause the risk

-Suzie downloaded a virus from a weird FTP server? All right, FTP ports are now blocked.


Risk Transference

Share the burden of risk with someone else, like an insurance company or a cloud storage service


Risk Mitigation

Taking steps to reduce risk



Data Loss Prevention

-monitors systems to make sure key info isn't missing. See who's using and transmitting data.


Risk Deterrence

Threaten potential enemies to keep them from wanting to initiate an attack on the company


Risk Acceptance

Sometimes the cost of implementing a system outweighs the cost of an attack, or sometimes you simply don't have the budget to worry about certain attacks.

-These risks MUST be identified and quantified


Three Different Cloud Deployment Types

PaaS-Platform as a Service

-Vendors allow apps to be created and run on their infrastructure

SaaS-Software as a Service

-Applications are run remotely over the web

IaaS-Infrastructure as a Service

-Virtualization that's paid for


Risks of Cloud Computing

Regulatory Compliance

-You may have to comply with regulations set by, say, SOX. It can be hard to prove that you're complying with a cloud-based system.

User Privileges

-You don't have the same level of control and administration

-Recovering from issues may be limited to the service provider's tech staff availability

Data Integration/Segregation

-Data may be too close to other companies'. Keep your data encrypted and set parameters.


Risks of Virtualization

Breaking out of the VM

-A skilled hacker may be able to break out of their virtual machine and wreak havoc system-wide

Network Security Controls can intermingle

-The tools to administer a VM may not be as robust

-If the hypervisor can be attacked, the whole system is compromised



Provides employees with guidance about expected behavior

Scope Statement

-What the policy intends to accomplish, and which documents, laws, and practices the policy addresses

-What the policy is about and how it applies to the users

Policy Overview Statement

-Goal of the policy, why it's important, how to comply

-Roughly a paragraph long

Accountability Statement

-Address who (position) is responsible for ensuring the policy is enforced

-Give the user contact info for problem reports

-Consequences for poor compliance

Exception Statement

-Guidance for the procedure/process of deviation from the policy

-May include an escalation contact



Deals with specific issues and aspects of a business

Should provide enough detail that an audit may be performed

Scope and Purpose

-Explain intention. May include software, addons, etc.

Roles and Responsibilities

-Who's responsible for implementing, monitoring, and maintaining?

Reference Documents

-Explains standards to clear up confusion or uncertainty

Performance Criteria

-Baselines and technology standards

Maintenance and Administrative Requirements

-What do you need to manage and administer the systems?



Less formal policies or standards

Give you step-by-step instructions for accomplishing certain tasks

Scope and Purpose

-Why it exists, to whom it applies 

Roles and Responsibilities

-Which departments are assigned which tasks

Guideline Statements

-General steps on how to do shit

Operational Considerations

-What needs to happen and when


Separation of Duties

Make sure not just one person is running the show

Cuts down on chances of embezzlement and makes sure you're not dependent on one person to do a job


Privacy Policies

Essentially the privacy rights users have in general when making use of the company's equipment



Acceptable Use Policies

-What users are allowed to do and the consequences for not following the AUP


Security Policies

What controls are required to implement and maintain security systems


Job Rotation

Defines the intervals at which employees must rotate jobs

-Same benefits as Separation of Duties


Succession Planning

Which employees are able to fill certain positions should those positions become vacant


Error Types (false positives/negatives)

Type I

-False positive. There wasn't really a problem

Type II

-False negative. A problem wasn't properly reported

Type III

-You came to the right conclusion, but for the wrong reasons



Business Impact Analysis

Identify critical functions

-What is absolutely necessary to function?

Prioritize critical business functions

-What services do you need to restore first?

Calculate the time frame for critical system loss

-How long can you survive without a given system?

Estimate the tangible/intangible impact on the organization

-Tangible: lost production or sales

-Intangible: will customers lose faith in the company?



Systems are...


-Mirroring of systems in case of whole system failure


-Many systems working together to accomplish a certain task

Set up for failover

-If a system fails, another system will pick up where it left off

*This can be very expensive