CIS 312 Chapter 2 - Assessing Risk
Calculate the ALE of a threat that can be expected to occur four times per year, and will cost the organization $55,000 per incident.
$220,000 ($55,000 x 4 = 220,000)
Calculate the SLE of a threat with an ARO of 4 and an ALE of $320,000.
$80,000 ($320,000 / 4 = $80,000)
What are the 4 basic options when performing Risk Management?
1. Risk Avoidance: you change your activities so that you no longer incur the risk. 2. Risk Acceptance - You acknowledge the risk but deliberately decide to take no action because costs outweigh the benefit. 3. Risk Mitigation - most common; you implement controls designed to lessen the probability and impact of risk. 4. Risk Transference - you transfer the rick to a third party (purchase insurance).
Calculate the ARO of a threat with a SLE of $5,000 and an ALE of $30,000.
6 ($30,000 / $5,000 = 6)
Intrusion Prevention System (IPS)
A combination of a firewall and an IDS. An OPS is designed to analyse network traffic patterns and react in real time to block suspicious activity,
Intrusion detection system (IDS)
A combination of hardware and software used to analyse network traffic passing through a single point on the network. It is designed to analyze traffic patterns to find suspicious activity.
Quantitative Risk Assessment
A method of risk assessment that assigns a dollar value to every data point.
Qualitative Risk Assessment
A method of risk assessment that assigns a subjective label (usually "high", "medium", or "Low) to a risk scenario.
Local Are Network (LAN)
A network connecting computers and other assets in a small, physical location such as an office, home, or school.
Wide Area Network (WAN)
A network that connects to several smaller networks. For example, a large corporation with offices in New York, Chicago, and Los Angeles might have a LAN in each local office, and then connect those three LANs via a wide area network.
Password Hash
A password that is stored in its encrypted form,
Spear Phishing
A phishing attack ttargeted at specific, usually high-level, individuals within an organization.
Threat
A potential attack on a system.
Virtual Private Network (VPN)
A system that uses a public network (usually the Internet) to transmit private data securely. Users on a VPN can exchange data and share resources as if they were directly connected via a LAN.
Control
A technical, physical, or administrative process designed to reduce risk.
What are the three primary threats to any access control system? A. Password Cracking B. Heightened access C. Social Engineering D. Forgotten Passwords
A. Password Cracking B. Heightened access C. Social Engineering
Smart Card
An ID badge or other card with an embedded RFID chip that stores basic identification and authentication information.
Vulnerability
An unintended weakness in a system's design that makes it possible for attackers to take control of a system, access resources to which they are not authorized, or damage the system in some way.
Phishing
Creating legitimate-looking Web sites or e-mails that trick a user into entering sensitive information such as passwords, Social Security Numbers, or credit card numbers.
A Strong password that would take an attacker 10 years to crack in 1990 would take 10 years to crack today. True or False?
False
A Vulnerability is a weakness purposely designed into the system. True of False?
False
As long as users choose strong, secure passwords, how those passwords are stored is irrelevant. True or False?
False
Risk assessment is the last step in designing any access control system. True or False
False
Vulnerabilities and threats are synonymous. True or False?
False
You always calculate an ALE my multiplying the SLE by 12. True or False?
False
You calculate ALE by multiplying SLE by 12. True or False>
False
You should install every patch that is released for the application running in your environment. True or False?
False
Password Cracking
Guessing or deciphering passwords.
Risk is measured in terms of ____ and impact.
Probability of Occurrence
The two types of risk assessment are qualitative and _____.
Quantitative
Calculate the ALE of a threat that can be expected to occur three times a year, and will cost the organization $50,000 per incident.
SLE X ARO = ALE $50,000 X .3 = $150,000
Heightened Access
The ability of an attacker to log into a system under one level of access and exploit a vulnerability to gain a higher level of access.
Defense in Depth Strategy
The approach of using multiple layers of security to protect against a single point of failure.
Multilayered Access Control
The combination of more than one access control method to secure a single resource.
Single Loss Expectancy (SLE)
The cost you expect to incur in one loss incident. AV (Asset Value) X EF (Exposure Factor) = SLE
Exposure Factor (EF)
The expected amount of damage that an asset would incur if a risk materialized; normally described as a percentage.
Probability of Occurrence
The likelihood that an attack will occur.
Annualized Rate of Occurrence (ARO)
The number of times per year you expect a compromise to occur. Ie. if youre risk is 2 times a year, your ARO is .2
Risk
The probability that a particular threat will exploit an IT vulnerability causing harm to an organization. Risk is measured in terms of probability and consequence.
Risk Assessment
The process of identifying and prioritizing risk.
Asset Value
The relative value, either in monetary terms or in overall impact, of the resource being protected by the access control system.You would determine: Replacement Cost - cost oto replace the asset if it were damaged or lost. Purchase Cost - what did it cost to obtain the asset in the first place. Depreciated Cost - Original cost reduced by an aging factor.
Annualized Loss Expectancy (ALE)
The total cost per year of the threat under assessment. ALE is caculaed by multiplying the SLE by the ARO. SLE X ARO = ALE
Social Engineering
The use of manipulation or trickery to convince authorized users to perform actions or divulge sensitive information to an attacker.
A vulnerability is a weakness discovered in the system. True or False?
True
Insecure applications run as the administrative user are the most common heightened access vulnerability. True or False?
True
Risk assessment is the first step in designing any access control system. True or False?
True
You should consider probability of occurrence in order to prioritize limited time and resources. True or False?
True
You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control. True or False?
True
IP Tunneling
Used to create secure pathways for data through a public network.
Cost of Impact
What an organization would lose if an asset were unavailable. For example, a particular organization might lose $50,000 per hour in lost productivity if its internal network went down.
Cost of Replacement
What it would cost an organization to replace an asset if it were stolen or compromised.
Your are evaluating the risk of an attack on your data center. You estimate that an attack attempt will succeed three times a year. The value of the data center is $1.5 million and a successful attack will damage 10 percent of the data canter. a. What is the asset value? b. What is the Exposure Factor? c. What is the SLE? d. What is the ARO? e. What is the ALE?
a. What is the asset value? $1.5 million b. What is the Exposure Factor? 10% c. What is the SLE? $150,000 (AV X EF = SLE so $1,500,000 x 10% = $150,000) d. What is the ARO? .3 e. What is the ALE? $450,000 (SLE X ARO = ALE so $150,00 X 3 = $450,000)
Which of the following is a subjective type of risk assessment? a. Quantitative b. Qualitative c. Questioning d. Querying
b. Qualitative