Principles of Information Security, Chapter 4

1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? Risk management is the process by which an organization identifies the vulnerabilities of its information assets and takes steps to reduce the resulting risk. Risk identification is important because you have to know the assets, their vulnerabilities, and the current controls (if any) before you can manage the risks.
2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle? First, you must know yourself; in this case that means knowing the assets and protections of your own organization. Second, you must know your enemy, which means understanding the possible threats to your organization's assets.
3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management? All communities of interest within the organization are responsible for risk management; the lead is usually taken by members of the information security community.
4. In risk management strategies, why must periodic review be a part of the process? Periodic review is necessary to determine whether the risk management strategies are actually working or could be improved. Assets, threats, and controls all change over time, so a risk assessment that is never revisited goes stale.
5. Why do networking components need more examination from an information security perspective than from a systems development perspective? A systems development review looks at network components mainly for function and cost/benefit. A security review looks at the same components as potential points of attack and single points of failure, so it must examine how each one is configured, what traffic it carries, and which vulnerabilities it exposes.
6. What value does an automated asset inventory system have for the risk identification process? Used to identify the system elements that make up the hardware, software, and network components, an automated asset inventory system keeps the asset list current without manual effort and becomes a valuable tool when calculating possible loss and projecting cost in risk management.
7. What information attribute is often of great value for local networks that use static addressing? The IP address, which on a statically addressed network is useful in identifying hardware assets. (Where addresses are assigned dynamically by DHCP the address changes, so it is a much weaker identifier.)
8. Which is more important to the systems components classification scheme: that the asset identification list be comprehensive or mutually exclusive? Both matter. A comprehensive list is the more important property, because an asset that never makes it onto the list is never assessed or protected. Mutual exclusivity avoids counting the same asset in two categories, which distorts valuation and prioritization, but an asset listed twice can at least still be evaluated. How strictly the categories must be kept exclusive depends on the organization's priorities and its classification scheme.
9. What's the difference between an asset's ability to generate revenue and its ability to generate profit? Revenue is the income an asset brings in; profit is what remains after the costs of owning and operating it are subtracted. An asset can generate large revenue and little or no profit, so the two measures can rank assets differently. Many assets generate neither directly but support the assets that do, so their contribution, and the role they play within the organization, must be valued indirectly.
10. What are vulnerabilities? How do you identify them? A vulnerability is any weakness that can be exploited, by accident or by an attacker, and that makes an asset susceptible to theft, disclosure and/or damage. By conducting a vulnerability assessment (reviewing each asset against the threats that could exploit it), an organization can identify and then manage its security vulnerabilities.
11. What is competitive disadvantage? Why has it emerged as a factor? Competitive disadvantage means falling behind the competition. It has emerged as a factor because organizations now adopt emerging technologies not to get ahead but simply to maintain the status quo; an organization that fails to adopt them falls behind.
12. What are the strategies for controlling risk as described in this chapter? The strategies are 1. Defend, 2. Transfer, 3. Mitigate, 4. Accept.
13. Describe the "defend" strategy. List and describe the three common methods. The defend strategy tries to prevent any exploitation of vulnerabilities through 1. Application of policy: management mandates how the organization and its people must behave, and enforces it. 2. Education and training: employees are taught the policy and how to follow it, since a policy nobody understands is not applied. 3. Application of technology: technical controls such as firewalls, access controls and encryption enforce the policy where people alone cannot.
14. Describe the "transfer" strategy. Describe how outsourcing can be used for this purpose. The transfer strategy shifts risk onto others, typically by outsourcing. For example, an organization that has outsourced its email to Google has transferred most of the risk of running an email service to Google, although it remains accountable to its own users for the data and should back the transfer with a contract and service-level agreement.
15. Describe the "mitigate" strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk? Mitigation tries to reduce the impact of a successful attack through planning and preparation. It does this by means of 1. Incident response plan, 2. Disaster recovery plan, 3. Business continuity plan.
16. How is an incident response plan different from a disaster recovery plan? The DR plan focuses on preparations (preventative maintenance) and on recovery after the incident. The IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions while the incident is under way. Also, IR plans usually cover small, individual incidents, whereas a DR plan covers a larger-scale loss.
17. What is risk appetite? Explain why risk appetite varies from organization to organization. Risk appetite is the quantity and nature of risk the organization is willing to accept. Different organizations tolerate different levels of risk. Government organizations that deal with classified data have government-regulated security requirements that dictate how much risk they may take. Other organizations put controls in place only to avoid the bad publicity or loss of integrity that a security breach would cause.
18. What is a cost benefit analysis? An assessment of the economic feasibility of implementing information security controls and safeguards. Things that affect the cost of a control or safeguard are: cost of development or acquisition of hardware, software, and services; training fees; cost of implementation (installation, configuration, testing, etc.); service costs (vendor fees for maintenance and upgrades); and cost of maintenance.
19. What is the definition of single loss expectancy? What is annual loss expectancy? Single loss expectancy (SLE) is the value associated with the most likely loss from a single occurrence of an attack: SLE = asset value × exposure factor (the fraction of the asset's value lost in one incident). Annualized loss expectancy (ALE) is the expected loss per year: ALE = SLE × ARO, where the annualized rate of occurrence (ARO) is how many times per year the attack is expected to occur.
20. What is residual risk? The risk to the information asset that remains even after the application of controls.
Chapter 4 Exercises

1. If an organization has three information assets to evaluate for risk management, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last?
Data for Exercise 1:
- Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.
- Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid
- Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

Rating = (likelihood × impact) - (percentage of risk already controlled) + (percentage uncertainty × likelihood × impact), where the uncertainty percentage is 100% minus how certain you are of the data (25% for L47, 10% for MGMT45).

Vulnerability 1, L47 hardware failure: (0.2 × 90) - 0% + (0.25 × 18) = 18 + 4.5 = 22.5
Vulnerability 2, L47 SNMP buffer overflow: (0.1 × 90) - 0% + (0.25 × 9) = 9 + 2.25 = 11.25
(Vulnerability 3, WebSrv6, cannot be rated from the data given above.)
Vulnerability 4, MGMT45 unlogged misuse: (0.1 × 5) - 0% + (0.10 × 0.5) = 0.5 + 0.05 = 0.55

Of the vulnerabilities with complete data above, the hardware failure vulnerability of switch L47 has the highest rating (22.5) and should be evaluated for additional controls first. The MGMT45 control console has the lowest rating (0.55) and should be evaluated last.
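The rating formula used above, as an added Python example (this is not code from the textbook or from the original answer sheet): it encodes likelihood × impact, less the share already mitigated by current controls, plus the uncertainty allowance, and ranks the vulnerabilities whose data is complete on this page. The `Vulnerability` record and the `risk_rating`/`rank` names are assumptions of the example.

```python
"""Weighted vulnerability rating from Exercise 1 (added example).

rating = base - base * fraction_controlled + base * (1 - certainty)
where base = likelihood * impact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float   # probability the vulnerability occurs / is exploited
    impact: float       # impact rating of the asset (0-100 scale in the exercise)
    controlled: float   # fraction of the risk already mitigated by current controls
    certainty: float    # confidence in the assumptions and data, e.g. 0.75


def risk_rating(v: Vulnerability) -> float:
    """Likelihood x impact, minus what current controls already cover,
    plus an uncertainty allowance of (1 - certainty) times the base risk."""
    base = v.likelihood * v.impact
    mitigated = base * v.controlled
    uncertainty = base * (1.0 - v.certainty)
    return round(base - mitigated + uncertainty, 4)


def rank(vulns):
    """Highest rating first: the order in which to evaluate additional controls."""
    return sorted(vulns, key=risk_rating, reverse=True)


# Exercise data with complete values on this page. WebSrv6 is omitted because its
# likelihood, impact and control figures are cut off in the text above.
EXERCISE_1 = [
    Vulnerability("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("MGMT45 console", "unlogged operator misuse", 0.1, 5, 0.0, 0.90),
]

if __name__ == "__main__":
    for v in rank(EXERCISE_1):
        print(f"{v.asset:15} {v.name:26} {risk_rating(v):>6}")
```

Note that the uncertainty term uses 1 - certainty, so being 90 percent certain adds 10 percent of the base risk, not 90 percent; that is the step most often done wrong by hand.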
2. The typical scheme has three categories:
- Confidential: sensitive or proprietary information, on a need-to-know basis. Highest level.
- Internal: viewed only by those authorized by the corporation. Mid-level.
- External: basically cleared for public release.

Personal definition of the three categories:
- Confidential: myself and one other person. The person I authorize will have a basic understanding of how to un-encrypt my first password (PC log on) to get to my list of encrypted passwords.
- Internal: individuals I authorize to view information.
- External: read-only privilege; viewable by the general public.
Note: the PC is protected by anti-virus/anti-spyware and Internet protection from McAfee, is always disconnected from the Internet and turned off when not in use, and is kept in a locked room.

3. Suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000.
| Threat Category | Cost Per Incident (SLE) | Frequency of Occurrence | SLE | ARO | ALE |
|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | 5,000 | 52 | 260,000 |
| Loss of intellectual property | $75,000 | 1 per year | 75,000 | 1 | 75,000 |
| Software piracy | $500 | 1 per week | 500 | 52 | 26,000 |
| Theft of information (hacker) | $2,500 | 1 per quarter | 2,500 | 4 | 10,000 |
| Theft of information (employee) | $5,000 | 1 per six months | 5,000 | 2 | 10,000 |
| Web defacement | $500 | 1 per month | 500 | 12 | 6,000 |
| Theft of equipment | $5,000 | 1 per year | 5,000 | 1 | 5,000 |
| Viruses, worms, Trojan horses | $1,500 | 1 per week | 1,500 | 52 | 78,000 |
| Denial-of-service attacks | $2,500 | 1 per quarter | 2,500 | 4 | 10,000 |
| Earthquake | $250,000 | 1 per 20 years | 250,000 | 0.05 | 12,500 |
| Flood | $250,000 | 1 per 10 years | 250,000 | 0.1 | 25,000 |
| Fire | $500,000 | 1 per 10 years | 500,000 | 0.1 | 50,000 |

ARO is the number of occurrences per year (1 per week = 52, 1 per quarter = 4, 1 per 20 years = 0.05); ALE = SLE × ARO, so a $500,000 fire once in 10 years is an expected loss of $50,000 per year.
4. How might XYZ Software Company arrive at the values in the above table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Programmer mistakes: They figure the average amount they pay a programmer per week, then determine a value for the financial loss incurred from a single mistake, because they will have to pay for the programmers' time to write a patch or fix the mistake. Then they estimate how many such mistakes the programmers make per week.

Loss of intellectual property: They estimate the overall value of their intellectual property, then determine a figure (which could be based on similar occurrences in similar companies) for the possible percentage loss per week, and multiply by 52 to determine the yearly cost.

Software piracy: They determine how much revenue they could lose on pirated software per week, based on the price of their software, projected sales, and statistics on losses at other similar companies.

Theft of information (hacker): They set a value for the overall information owned, then based on statistics they project what percentage of it will likely be stolen within a 3-month period. The reason they use a quarterly period is likely that otherwise the percentage would be too low to be considered a necessary budget adjustment.

Theft of information (employee): They simply double the figures for the hacker theft above, probably assuming an employee will wait a while before attempting any theft.

Web defacement: They place a value on their web page that is likely based on its cost of development, then project the estimated percentage of damage a defacement will cost them. Frequency of occurrence is probably based on statistical information.

Theft of equipment: This one is all statistical; an estimated $5,000 worth of equipment is probably stolen once a year from similar companies.

Viruses, worms, Trojan horses: They probably base this on their projected network and application implementations and known patterns of current exploitation, plus the time and cost that could be required in recovery (paying IT staff and programmers the extra time).

Denial-of-service attacks: If you have server downtime you are losing money paying employees to sit and drink coffee. Average downtime multiplied by the number of employees, multiplied by the average wage for each employee, plus an allowance for any unexpected factors.

Earthquake: Based on the type of structure the organization inhabits and the organization's locale. Regional earthquake occurrence and prediction statistics are public information.

Flood: Regional flood likelihood statistics are available for reference.

Fire: The type of structure and the likelihood of a fire are all researched statistics that can be looked up.
5. Assume a year has passed and XYZ has improved security by applying a number of controls.

| Threat Category | Cost Per Incident | Frequency of Occurrence | Cost of Control | Type of Control | SLE | ARO | ALE (after) | ALE (before, from exercise 3) | CBA |
|---|---|---|---|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training | 5,000 | 12 | 60,000 | 260,000 | 180,000 |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS | 75,000 | 0.5 | 37,500 | 75,000 | 22,500 |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS | 500 | 12 | 6,000 | 26,000 | -10,000 |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS | 2,500 | 2 | 5,000 | 10,000 | -10,000 |
| Theft of information (employee) | $5,000 | 1 per year | $15,000 | Physical security | 5,000 | 1 | 5,000 | 10,000 | -10,000 |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall | 500 | 4 | 2,000 | 6,000 | -6,000 |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security | 5,000 | 0.5 | 2,500 | 5,000 | -12,500 |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus | 1,500 | 12 | 18,000 | 78,000 | 45,000 |
| Denial-of-service attacks | $2,500 | 1 per 6 months | $10,000 | Firewall | 2,500 | 2 | 5,000 | 10,000 | -5,000 |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups | 250,000 | 0.05 | 12,500 | 12,500 | -5,000 |
| Flood | $50,000 | 1 per 10 years | $10,000 | Insurance/backups | 50,000 | 0.1 | 5,000 | 25,000 | 10,000 |
| Fire | $100,000 | 1 per 10 years | $10,000 | Insurance/backups | 100,000 | 0.1 | 10,000 | 50,000 | 30,000 |

CBA = ALE (before the control) - ALE (after the control) - annualized cost of the safeguard. The "before" ALE is the one computed in exercise 3 for the same threat; for fire that is $500,000 × 0.1 = $50,000, so CBA = 50,000 - 10,000 - 10,000 = 30,000.
Why have some values changed in the columns Cost per Incident and Frequency of Occurrence? Because of the various control methods applied during the year: each control either lowers how often the threat succeeds or lowers the damage a single occurrence does.

How could a control affect one but not the other? A control that stops or deters attempts reduces frequency without changing what a single incident costs: training cut programmer mistakes from weekly to monthly, and the firewall/IDS cut intrusions and defacements, while the cost per incident in those rows stayed the same. A control that limits damage reduces the cost per incident without changing how often the event happens: insurance and backups cut the cost of a flood from $250,000 to $50,000 and of a fire from $500,000 to $100,000, but floods and fires still occur once in 10 years. The earthquake row shows a control that is too small to move either figure.
Assume the values in the Cost of Control column presented in the table are the unique costs directly associated with protecting against that threat. In other words, don't worry about overlapping costs between controls. Calculate the CBA for the planned risk control approach for each threat category. For each threat category, determine if the proposed control is worth the costs. On the figures in the table, a control is worth its cost when its CBA is positive: training against programmer mistakes, the firewall/IDS against loss of intellectual property, antivirus, and insurance/backups against flood and fire. The remaining controls cost more per year than the loss they prevent.
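The ALE and CBA calculations behind the tables in exercises 3 and 5, as an added Python example (this is not code from the textbook or from the original answer sheet). It turns the "1 per week" style frequency phrases into an ARO, computes ALE before and after each control, and applies CBA = ALE(prior) - ALE(post) - ACS; the `aro`, `ale`, `cba`, `analyse` and `worth_it` names and the `XYZ` row layout are assumptions of the example, with the figures taken from the two tables above.

```python
"""SLE / ARO / ALE and cost-benefit analysis for Exercises 3 and 5 (added example)."""
import re

_PER_YEAR = {"week": 52.0, "month": 12.0, "quarter": 4.0, "year": 1.0}
_WORDS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5, "six": 6, "twelve": 12}
# "<count> per [<n>] <unit>[s]", e.g. "1 per week", "1 per six months", "1 per 20 years"
_FREQ = re.compile(r"^(\d+)\s+per\s+(?:(\d+|[a-z]+)\s+)?(week|month|quarter|year)s?$")


def aro(frequency: str) -> float:
    """Annualized rate of occurrence: how many times per year the event is expected."""
    m = _FREQ.match(frequency.strip().lower())
    if not m:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = m.groups()
    n = 1
    if span is not None:
        if span.isdigit():
            n = int(span)
        elif span in _WORDS:
            n = _WORDS[span]
        else:
            raise ValueError(f"unrecognised period: {span!r}")
    return round(int(count) * _PER_YEAR[unit] / n, 6)


def ale(sle: float, frequency: str) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return round(sle * aro(frequency), 2)


def cba(ale_before: float, ale_after: float, acs: float) -> float:
    """Cost-benefit = ALE(prior) - ALE(post) - annualized cost of the safeguard (ACS)."""
    return round(ale_before - ale_after - acs, 2)


# (threat, SLE before, frequency before, SLE after, frequency after, cost of control),
# copied from the exercise 3 and exercise 5 tables above.
XYZ = [
    ("Programmer mistakes",              5_000, "1 per week",       5_000, "1 per month",    20_000),
    ("Loss of intellectual property",   75_000, "1 per year",      75_000, "1 per 2 years",  15_000),
    ("Software piracy",                    500, "1 per week",         500, "1 per month",    30_000),
    ("Theft of information (hacker)",    2_500, "1 per quarter",    2_500, "1 per 6 months", 15_000),
    ("Theft of information (employee)",  5_000, "1 per six months", 5_000, "1 per year",     15_000),
    ("Web defacement",                     500, "1 per month",        500, "1 per quarter",  10_000),
    ("Theft of equipment",               5_000, "1 per year",       5_000, "1 per 2 years",  15_000),
    ("Viruses, worms, Trojan horses",    1_500, "1 per week",       1_500, "1 per month",    15_000),
    ("Denial-of-service attacks",        2_500, "1 per quarter",    2_500, "1 per 6 months", 10_000),
    ("Earthquake",                     250_000, "1 per 20 years", 250_000, "1 per 20 years",  5_000),
    ("Flood",                          250_000, "1 per 10 years",  50_000, "1 per 10 years", 10_000),
    ("Fire",                           500_000, "1 per 10 years", 100_000, "1 per 10 years", 10_000),
]


def analyse(rows=XYZ):
    """Return {threat: (ALE before, ALE after, CBA)} for every row."""
    result = {}
    for threat, sle0, f0, sle1, f1, cost in rows:
        before, after = ale(sle0, f0), ale(sle1, f1)
        result[threat] = (before, after, cba(before, after, cost))
    return result


def worth_it(rows=XYZ):
    """Threats whose proposed control has a positive CBA, i.e. pays for itself."""
    return [t for t, (_, _, c) in analyse(rows).items() if c > 0]


if __name__ == "__main__":
    for threat, (before, after, c) in analyse().items():
        verdict = "worth it" if c > 0 else "not worth it"
        print(f"{threat:32} ALE {before:>10,.0f} -> {after:>10,.0f}  CBA {c:>10,.0f}  {verdict}")
```

Running it reproduces the tables and flags five controls as worth their cost (programmer-mistake training, firewall/IDS against loss of intellectual property, antivirus, and insurance/backups against flood and fire); the rest have a negative CBA on these figures.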