Security Exam #1
Risk Assessment Process
1. Identify threats and vulnerabilities; 2. Identify the likelihood that a risk will occur; 3. Identify asset values; 4. Determine the impact of a risk; 5. Determine the usefulness of a safeguard or control.
Risk Methodology
A description of how you will manage risk.
Risk Register Contents
A description of the risk; expected impact if the event occurs; the probability of the event occurring; steps to mitigate the risk; steps to take should the event occur; risk ranking.
Risk Register
A list of identified risks.
Event
A measurable occurrence that has an impact on the business.
Risk Assessment
A process used to identify, assess, prioritize, and address risks on the basis of threats and vulnerabilities, BEFORE they lead to an incident.
Countermeasure
A targeted control that provides specific protection, put in place in response to some event or attack.
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset.
Policy Definition Phase
Decides who has access and what systems or resources they can use. - tied to authorization.
Compensating Control
Designed to address a threat in place of a preferred control that is too expensive or difficult to implement.
What are some risk controls?
Detective, Preventive, Corrective, Deterrent, Compensating
Deterrent Controls
Deter an action that could result in a violation. They merely attempt to suggest that a subject should not take some action.
Types of Formal Models of Access Control
Discretionary AC, Mandatory AC, Non-Discretionary/Role-Based AC, Rule-Based AC
Is the following Probability or Impact? The malfunction of a badge reader on the employee entrance; employees calling in sick.
Probability
Risks are ___________ based on importance or impact severity, and then prioritized.
Quantified
Risk Assessment Approaches
Quantitative, Qualitative
Risk Assessment: Qualitative Approach
Ranks risks based on their probability of occurrence and impact on business operations.
Corrective Controls
Reduce the effects of a threat.
What are the three phases of Risk Management?
Risk Assessment, Risk Mitigation, Evaluation and Assurance
Risk Management Strategies
Risk Sharing, Risk Control, Risk Acceptance, Risk Avoidance
Richman Investments provides high-end smartphones to several employees. The value of each smartphone is $500, and approximately 1,000 employees have these company-owned devices. In the past year, employees have lost or damaged 75 smartphones. What is the SLE, ARO, and ALE?
SLE = $500; ARO = 75; ALE = SLE x ARO = $500 x 75 = $37,500
Location Authentication
SOMEWHERE you are
Characteristics Authentication
Something you ARE
Action Authentication
Something you DO
Ownership Authentication
Something you HAVE
Knowledge Authentication
Something you KNOW
What are some examples of threats?
State actor hacking, insider threats, hacktivism, accounting fraud.
What is an example of an adversarial threat?
State-sponsored hacking
Preventive Controls
Stop threats from coming in contact with a vulnerability.
Impact
The amount of harm a threat exploiting a vulnerability can cause; the negative result if a risk occurs.
Recovery Time Objective (RTO)
The amount of time it takes to recover and make the system, application, and data available after an outage.
Mean Time to Failure (MTTF)
The average amount of time between failures for a particular system.
Mean time to repair (MTTR)
The average amount of time to repair a system, application, or component.
Information System Security
The collection of activities that protect the information system and the data stored in it.
Is the following Probability or Impact? A workstation that fails to boot up; a production system breaking down.
Impact
Opportunity
Ability to carry out misappropriation of cash or organizational assets.
Safeguard
Addresses gaps or weaknesses in controls that could lead to a realized threat.
What are the Threat Identification categories?
Adversarial, Accidental, Structural, Environmental
Zero Day
An unpatched software hole previously unknown to the software vendor and the code attackers use to take advantage of said hole.
Threat
Any action that could damage an asset; an opportunity to exploit a vulnerability.
Incident
Any event that violates or threatens to violate your security policy.
Risk Assessment: Quantitative Approach
Attempts to describe risks in financial terms and put a dollar value on each risk.
What are the Access Control Components?
Authorization, Identification, Authentication, Accountability
What are the two phases into which the four access control components are categorized?
Policy Definition, Policy Enforcement
What are some common threats in the Remote Access Domain?
Brute-force user ID and password attacks; multiple logon retries and access control attacks; unauthorized remote access to IT systems, applications, and data; confidential data compromised remotely.
What are some examples of vulnerabilities?
Poor system integration, poor system configuration, open culture, lack of employee/student awareness.
Information System
Combination of hardware, software, data, processes, and people.
What is the CIA Triad?
Confidentiality, Integrity, Availability
Access Control List (ACL)
Contains a list of users and groups to which the user has permitted access, together with the level of access for each user or group.
Logical Access Control
Control access to a computer system or network.
Physical Access Control
Control entry into buildings, parking lots, and protected areas.
What are the risk control tradeoffs?
Cost; Operational Impact (convenience vs. security tradeoff); Feasibility
Annual Loss Expectancy (ALE)
Expected loss for a year. Formula: SLE x ARO (SLE = Single Loss Expectancy; ARO = Annual Rate of Occurrence).
What are some examples of a Corrective Control?
Forensics and Incident Response
Availability
Formula: Total U / (Total U + Total D), where U = Uptime and D = Downtime.
What is an example of a Structural threat?
Fraud
Policy Enforcement Phase
Grants or rejects requests for access based on the authorizations defined in the first phase. - tied to identification, authentication, and accountability.
Fraud Triangle
Has 3 elements: Rationalization, Pressure, Opportunity.
Detective Controls
Identify that a threat has landed in your system.
Control
Includes both safeguards and countermeasures.
What is an example of a Detective Control?
Intrusion Detection System (IDS)
What is an example of a Preventive Control?
Intrusion Prevention System
What are the 3 requirements for data to have integrity?
It has not been altered. It is valid. It is accurate.
Rationalization
Justification of dishonest action.
What are some Authentication Types?
Knowledge, Ownership, Characteristics, Location, Action
What are some common threats in the User Domain?
Lack of awareness; apathy toward policies; violating security policy; inserting CD/DVD/USB with personal files; downloading photos, music, or videos; destructing systems, applications, and data; disgruntled employee attacking the organization or committing sabotage; employee blackmail or extortion; fraud.
Probability
Likelihood that a threat agent will exploit a vulnerability.
Risk
Likelihood that something bad will happen to an asset. Formula: _______ Level = Probability x Impact (cost)
How is risk primarily determined? By which 3 functions within risk assessment analysis?
Likelihood of a threat exploiting a vulnerability; impact on the organization; sufficiency of controls to either eliminate or mitigate.
Integrity
Maintain valid, uncorrupted, and accurate information.
What are some examples of a risk?
Major earthquake, tsunami, extended power outage, data loss.
Pressure
Motivation or incentive to commit fraud.
What is an example of an Environmental threat?
Natural Disasters
What is an example of an Accidental threat?
Non-malicious Insiders
Annual Rate of Occurrence (ARO)
Number of times an incident is expected to occur in a year.
What is the difference between a Deterrent Control and a Preventive Control?
One control suggests that a subject should not take some action while the other control does not allow the action to occur.
What are some common threats in the WAN Domain?
Open, public, and accessible data; most of the traffic being sent as clear text; vulnerable to eavesdropping and malicious attacks; vulnerable to denial of service (DoS) and distributed denial of service (DDoS) attacks; hackers and attackers emailing trojans, worms, and malicious software freely and constantly.
What are some examples of confidentiality?
Personal data and information, Intellectual Property, National Security
What are the two types of Access Controls?
Physical, Logical
Cryptography
Practice of hiding data and keeping it away from unauthorized users.
Discretionary Access Control (DAC)
The owner of the object specifies which subjects can access the object. The access properties are stored in the Access Control List (ACL).
Access Control
The process of protecting a resource so that it is used only by those allowed to do so.
Encryption
The process of transforming data from cleartext into ciphertext.
Ciphertext
The scrambled data that are the result of encrypting cleartext.
What is an example of an Ownership-based authentication type?
Token, ID Card
Single Loss Expectancy (SLE)
Total loss expected from a single incident. Formula: AV x EF (AV = Asset Value; EF = Exposure Factor).
What are some common threats in the Workstation Domain?
Unauthorized access; unauthorized access to systems, applications, and data; desktop or laptop operating system vulnerabilities and/or patches; viruses, malicious code, and other malware; user inserting CD/DVD/USB with personal files; downloading photos, music, or videos.
What are some common threats in the Systems/Application Domain?
Unauthorized access to data centers, computer rooms, and wiring closets; difficult-to-manage servers that require high availability; corrupt or lost data; server operating system software vulnerability management; security required by cloud computing virtual environments.
What are some common threats in the LAN Domain?
Unauthorized physical access; unauthorized access to systems, applications, and data; ______ server operating system vulnerabilities; _____ server application software vulnerabilities and software patches; rogue users on WLAN; confidentiality of data on WLAN.
What are some common threats in the LAN-to-WAN Domain?
Unauthorized probing and port scanning; unauthorized access; IP router, firewall, and network appliance operating system vulnerabilities; local users downloading unknown file types from unknown sources.
What is an example of a Characteristics-based authentication type?
Unique retinal pattern, Fingerprint
What are the seven domains in a typical IT infrastructure?
User Domain, Workstation Domain, LAN Domain, LAN-to-WAN Domain, WAN Domain, Remote Access Domain, System/Application Domain
What are some examples of Integrity?
User names and passwords, Patents and copyrights, Source code, Diplomatic information, Financial data
What is an example of a knowledge-based authentication type?
Username, Password
What are you trying to balance when it comes to risk management options?
Utility and cost. Ex.: a countermeasure without a corresponding risk is a solution seeking a problem, and its cost is difficult to justify.