Principles of Information Security, 4th Edition. Chapter 4 Review Questions
10. What are vulnerabilities and how do you identify them?
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset. They are chinks in the armor of the information asset—a flaw or weakness in an information asset, security procedure, design, or control that could be exploited accidentally or on purpose to breach security. Analyzing all components of an Information System and evaluating the risk to each component should identify any vulnerabilities.
12. What are the strategies from controlling risk as described in this chapter?
1. Defend - The defend control strategy attempts to prevent the exploitation of the vulnerability. 2. Transfer - The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations. 3. Mitigate - The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. 4. Accept - The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation. 5. Terminate - The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.
11. What is competitive disadvantage? Why has it emerged as a factor?
A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplaces. This is a factor because almost all organizations have an IT system in this day and time. Therefore, organizations need to obtain or improve their IT systems to avoid falling behind all others.
19. What is the definition of single loss expectancy? What is annual loss expectancy?
A single loss expectancy is the value associated with the most likely loss from an attack. It is a calculation based on the value of the asset and the expected percentage of loss that would occur from a single occurrence of a particular attack. Annual loss expectancy is the expected loss from exploitation of a vulnerability for a specific information asset over the course of a year. It is calculated by multiplying the single loss expectancy for a particular information asset by the annualized rate of occurrence.
2. According to Sun Tzu, what two key understandings must you achieve to be successful?
An observation made by Chinese General Sun Tzu Wu stated, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. In short, know yourself and know the enemy.
6. What value does an automated asset inventory system have for the risk identification process?
Automated tools can sometimes identify the system elements that make up hardware, software, and network components. The inventory listing is usually available in a database, or can be exported to a database for custom information on security assets. Once stored, the inventory listing must be kept current, often by means of a tool that periodically refreshes the data. When you move to the later steps of risk management, which involve calculations of loss and projections of costs, the case for the use of automated risk management tools for tracking information assets becomes stronger.
4. In risk management strategies, why must periodic review be a part of the process?
Frequently, organizations implement control mechanisms, but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective.
18. What is a Cost Benefit Analysis?
Cost benefit analysis is the formal decision-making process used by an organization to evaluate whether or not the benefit gained from a given project is worth the expense its undertaking incurs.
20. What is residual risk?
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has not been completely removed, shifted, or planned for. This remainder is called residual risk.
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?
In an organization, it is the responsibility of each community of interest to manage the risks that organization encounters. Each community of interest has a role to play. Since the members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk.
8. Which is more important to the systems components classification scheme, that the list be comprehensive or mutually exclusive?
It is more important that the list be comprehensive than mutually exclusive. It would be far better to have a component assessed in an incorrect category rather than to have it go completely unrecognized during a risk assessment.
9. What's the difference between an asset's ability to generate revenue and its ability to generate profit?
Revenue is the recognition of income from an activity supported by the system. Profit is the amount of revenue that exceeds operating costs. Some systems may cost more to operate than they contribute to revenue.
17. What is risk appetite? Explain why risk appetite varies from organization to organization?
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade offs between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because different organizations maintain different balances between the expense of controlling vulnerabilities and the losses possible if these vulnerabilities were exploited. The key for each organization is to find the balance in its decision-making processes and in its feasibility analyses, therefore assuring that an organization's risk appetite is based on experience and facts and not on ignorance or wishful thinking.
1. What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?
Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization's information system. Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in the organization's information system.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective?
Since networking subsystems are often the focal point of attacks against the system, they should be considered as special cases rather than combined with general hardware and software components. Additionally, some networking components require examination from an information security perspective due to the fact that they must be reconfigured from their default settings to both serve their required purpose and maintain security requirements. From the systems development perspective, the networking component may function perfectly, as is, right out of the box. However, without information security oversight, potential vulnerabilities could go unnoticed.
16. How is an incident response plan different from a disaster recovery plan?
The DR plan focuses more on preparations completed before and actions taken for disasters - often escalated incidents; to reestablish operations at the primary site. The IR plan focuses on Incident Response: intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions taken while an incident is occurring.
7. What information attribute is often of great value for networking equipment when DHCP is not used?
The IP address is a useful attribute for networking equipment. Note that many organizations use the dynamic host control protocol (DHCP) within TCP/IP that reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset identification process problematic. As a result, IP address use in inventory is usually limited to those devices that use static IP addresses.
13. Describe the "defend" strategy. List and describe the three common methods.
The defend control strategy attempts to prevent the exploitation of the vulnerability. This Is the preferred approach, and is accomplished by means of countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards. There are three common methods used to defend: - Application of policy - Education and training - Application of technology
15. Describe the "mitigate" strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?
The mitigate strategy is the control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. Mitigation begins with the early detection that an attack is in progress and the ability of the organization to respond quickly, efficiently, and effectively. This approach requires the creation of three types of plans: the incident response plan, the disaster recovery plan, and the business continuity plan. Each of these plans depends on the ability to detect and respond to an attack as quickly as possible and relies on the existence and quality of the other plans. Incident Response Plan (IRP) - Defines the actions an organization can and perhaps should take while an incident is in progress. The IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions. Disaster recovery plan (DRP) - Includes the entire spectrum of activities used to prepare for and recover from an incident. The DR plan focuses more on preparations completed before and actions taken after the incident. Business Continuity Plan (BCP) - Encompasses the continuation of business activities if a catastrophic event occurs. The BC plan includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore operations.
14. Describe the "transfer" strategy. Describe how outsourcing can be used for this purpose.
The transfer strategy is the control approach that attempts to shift risk to other assets, other processes, or other organizations. This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers. Outsourcing allows an organization to transfer the risk associated with the management of complex systems to another organization that has experience in dealing with those risks. One of the benefits of outsourcing is that the service provider is responsible for disaster recovery when recovery efforts are needed.