

Principles of information security Chapter 4

1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process?

Risk management is when an organization identifies vulnerabilities of information assets and takes steps to reduce the resulting risk. Risk identification is important because you have to know the risks and current controls (if any) before you can manage them.

2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?

First, you must know yourself; in this case that means knowing the assets and protections of your organization. Second, you must know your enemy, which means understanding what the possible threats to your organization's assets could be.

3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

All communities of interest within the organization are responsible for risk management; the lead is usually taken by members of the information security community.

4. In risk management strategies, why must periodic review be a part of the process?

Periodic review is necessary in order to determine whether or not the risk management strategies are really working or could be improved upon.

5. Why do networking components need more examination from an information security perspective than from a systems development perspective?

When it comes to protecting data, money is no factor. If you examine the network from a development perspective, you're only looking at cost/benefit, whereas if you look at it from a security perspective, cost is an afterthought.

6. What value does an automated asset inventory system have for the risk identification process?

Used to identify system elements that make up hardware, software, and network components, the automated asset inventory system becomes a valuable tool when used in the calculation of possible loss and projections of cost in risk management.

7. What information attribute is often of great value for local networks that use static addressing?

The IP address is useful in identifying hardware assets.

8. Which is more important to the systems components classification scheme: that the asset identification list be comprehensive or mutually exclusive?

Both are important, depending on the organization's list priority and classification.

9. What's the difference between an asset's ability to generate revenue and its ability to generate profit?

All assets generate both revenue and profit whether directly or indirectly. Every asset performs a role to support another asset making each asset important to the next. Therefore, the only difference is the role that an asset plays within an organization.

10. What are vulnerabilities? How do you identify them?

Any weakness that can be exploited, by accident or by an attacker, and that makes an asset susceptible to theft, disclosure and/or damage. By administering a vulnerability assessment audit, an organization will be able to address and manage all security vulnerability issues.

11. What is competitive disadvantage? Why has it emerged as a factor?

Competitive disadvantage means falling behind the competition. It has emerged as a factor because organizations are now using emerging technologies not to get ahead but to maintain the status quo.

12. What are the strategies for controlling risk as described in this chapter?

The strategies are:

1. Defend
2. Transfer
3. Mitigate
4. Accept

13. Describe the “defend” strategy. List and describe the three common methods.

The defend strategy tries to prevent any exploit of vulnerabilities by:

1. Application of policy
2. Education and training
3. Application of technology

14. Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.

The transfer strategy is used to shift risk onto others. For example, when UH transferred its email to Google, it also transferred most of the associated risk to Google.

15. Describe the "mitigate" strategy. What three planning approaches are discussed in the text as opportunities to mitigate risk?

Mitigation tries to reduce risk. It does this through:

1. Incident response plan
2. Disaster recovery plan
3. Business continuity plan

16. How is an incident response plan different from a disaster recovery plan?

The DR plan focuses on preparations (preventative maintenance) and recovery after the incident. The IR plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions. Also, IR plans usually cover small, individual incidents, whereas a DR plan will cover a larger-scale loss.

17. What is risk appetite? Explain why risk appetite varies from organization to organization.

The quantity and nature of risk the organization is willing to accept. Different organizations have different levels of risk. Government organizations that deal with classified data have government-regulated security that dictates the amount of risk taken. Other organizations will only have these in place to reduce bad publicity or loss of integrity from a security breach.

18. What is a cost benefit analysis?

Economic feasibility of implementing information security controls and safeguards. Things that affect the cost of a control or safeguard are:

- Cost of development or acquisition of hardware, software, and services
- Training fees
- Cost of implementation (cost of installation, configuration, testing, etc.)
- Service costs (vendor fees for maintenance and upgrades)
- Cost of maintenance

19. What is the definition of single loss expectancy? What is annual loss expectancy?

Single loss expectancy (SLE) is the calculation of the value associated with the most likely loss from an attack. Annualized loss expectancy is ALE = SLE x ARO, i.e. single loss expectancy multiplied by the annualized rate of occurrence.

20. What is residual risk?

The risk to the information asset that remains even after the application of controls.

Chapter 4 Exercises

1. If an organization has three information assets to evaluate for risk management, as shown in the accompanying data, which vulnerability should be evaluated for additional controls first? Which one should be evaluated last?


Data for Exercise 1:

- Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

  Vulnerability 1: (0.2 x 90) - 0% + (0.25 x 18) = 22.5
  Vulnerability 2: (0.1 x 90) - 0% + (0.25 x 9) = 29.25

- Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

  Vulnerability 3: (0.1 x 100) - (0.75 x 10) + (0.2 x 10) = 4.5

- Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

  Vulnerability 4: (0.1 x 5) - 0% + (0.5 x .90) = 0.95

The SNMP buffer overflow vulnerability of switch L47 should be evaluated for additional controls first according to its vulnerability rating. The MGMT45 control console should be evaluated last as its rating was the lowest.
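The calculations above apply the chapter's risk rating formula: risk = (likelihood x impact) - (likelihood x impact x percentage of risk mitigated by current controls) + (likelihood x impact x uncertainty), where uncertainty is 100% minus the stated certainty. As an added example (not part of the original answer sheet), the Python below encodes that formula and ranks the four vulnerabilities from the exercise data; the asset and vulnerability names and all input values are the ones given above, nothing else is assumed. The ratings it returns are whatever the formula yields for those inputs, so they are a useful check against the hand calculations above.

```python
from dataclasses import dataclass

# Risk rating formula applied in the Exercise 1 calculations:
#   risk = (likelihood x impact)
#          - (likelihood x impact x fraction mitigated by current controls)
#          + (likelihood x impact x uncertainty),  uncertainty = 1 - certainty


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    likelihood: float     # probability of the event occurring (0..1)
    impact: float         # impact/value rating of the asset
    control_pct: float    # fraction of risk already mitigated by controls (0..1)
    certainty: float      # confidence in the likelihood and impact data (0..1)

    def risk_rating(self) -> float:
        for value in (self.likelihood, self.control_pct, self.certainty):
            if not 0.0 <= value <= 1.0:
                raise ValueError("likelihood, control_pct and certainty must be in [0, 1]")
        base = self.likelihood * self.impact
        mitigated = base * self.control_pct
        uncertainty = base * (1.0 - self.certainty)
        return round(base - mitigated + uncertainty, 4)


# Vulnerability data copied from the Exercise 1 description above
EXERCISE_1 = [
    Vulnerability("Switch L47", "hardware failure", 0.2, 90, 0.0, 0.75),
    Vulnerability("Switch L47", "SNMP buffer overflow", 0.1, 90, 0.0, 0.75),
    Vulnerability("Server WebSrv6", "invalid Unicode values", 0.1, 100, 0.75, 0.80),
    Vulnerability("MGMT45 console", "unlogged misuse (no passwords)", 0.1, 5, 0.0, 0.90),
]


def rank_vulnerabilities(vulns):
    """Return (asset, vulnerability, rating) tuples, highest rating first.

    The first entry is the vulnerability to evaluate for additional controls
    first; the last entry is the one to evaluate last.
    """
    rated = [(v.asset, v.name, v.risk_rating()) for v in vulns]
    return sorted(rated, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, name, rating in rank_vulnerabilities(EXERCISE_1):
        print(f"{rating:6.2f}  {asset}: {name}")
```

The `control_pct` term is what separates WebSrv6 from the other assets: its existing control removes 75 percent of the base risk before the uncertainty allowance is added back, which is why a 100-point impact ends up with a small rating.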

2. Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

Data Classification Scheme (pg. 126).

Purpose/Objective: to help secure the confidentiality and integrity of information. The typical scheme has three categories:

- Confidential: i.e. sensitive or proprietary; need-to-know basis. High level.
- Internal: viewed only by those authorized by the corporation. Mid-level.
- External: basically public release.

Personal definition of the DCS:

- Confidential: myself and one other person. The person I authorize will have a basic understanding of how to decrypt my first password (PC log on) to get to my list of encrypted passwords.
- Internal: individuals I authorize to view information.
- External: read-only privilege; viewable by the general public.

Note: the PC is protected by anti-virus/spyware and Internet protection from McAfee, is always disconnected from the internet and turned off when not in use, and is kept in a locked room.

3. Suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000. Using the following table, calculate the ARO and ALE for each threat category that XYZ Software Company faces for this project.

| Threat Category | Cost Per Incident (SLE) | Frequency of Occurrence | SLE | ARO | ALE |
|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per week | 5,000 | 52 | 260,000 |
| Loss of intellectual property | $75,000 | 1 per year | 75,000 | 1 | 75,000 |
| Software piracy | $500 | 1 per week | 500 | 52 | 26,000 |
| Theft of information (hacker) | $2,500 | 1 per quarter | 2,500 | 4 | 10,000 |
| Theft of information (employee) | $5,000 | 1 per six months | 5,000 | 2 | 10,000 |
| Web defacement | $500 | 1 per month | 500 | 12 | 6,000 |
| Theft of equipment | $5,000 | 1 per year | 5,000 | 1 | 5,000 |
| Viruses, worms, Trojan horses | $1,500 | 1 per week | 1,500 | 52 | 78,000 |
| Denial-of-service attacks | $2,500 | 1 per quarter | 2,500 | 4 | 10,000 |
| Earthquake | $250,000 | 1 per 20 years | 250,000 | .05 | 12,500 |
| Flood | $250,000 | 1 per 10 years | 250,000 | .1 | 25,000 |
| Fire | $500,000 | 1 per 10 years | 500,000 | .1 | 25,000 |

4. How might XYZ Software Company arrive at the values in the above table? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Programmer mistakes: They figure the average amount they might have to pay a programmer per week, then determine a value for the possible financial loss incurred from a single mistake, because they're going to have to pay for the time the programmers need to write a patch or fix the mistake. Then they average how many mistakes the programmers might make per week.

Loss of intellectual property: They estimate the overall value of their intellectual property then they determine a figure (that could be based on similar occurrences in similar companies) for the possible percentage loss per week, then they multiply by 52 to determine the yearly cost.

Software piracy: They determine how much revenue they could possibly lose on pirated software per week based on the price of their software, projected sales and statistics of loss in other similar companies.

Theft of information (hacker): They set a value for the overall information owned then based on statistics they project what percentage of that will likely be stolen within a 3 month period. The reason they set it to a quarter period is likely because otherwise the percentage would be too low to be considered a necessary budget adjustment.

Theft of information (employee): They just double the figures from the hacker theft above, probably assuming an employee will wait a while before attempting any theft.

Web defacement: They place a value on their web page that is likely based on cost of development, then they project the estimated percentage of damage a defacement will cost them. Frequency of occurrence is probably based on statistical information.

Theft of equipment: This one is all statistical: an estimated $5,000 worth of equipment is probably stolen once a year from similar companies.

Viruses, worms, Trojan horses: They probably base this on their projected network/ application implementations and known patterns of current exploitations and the time and cost that could be required in recovery (paying IT staff and programmers the extra time).

Denial-of-service attacks: If you have server downtime, you're losing money paying employees to sit and drink coffee. Average downtime multiplied by the number of employees, multiplied by the average wage for each employee, plus the average for any unexpected factors.

Earthquake: Based on the type of structure the organization inhabits and the organization’s locale. Regional earthquake occurrence and prediction statistics are public information.

Flood: Regional flood likelihood statistics are available for reference.

Fire: The type of structure and the likelihood of a fire are all researched statistics that can be looked up.

Page 7: Principles of information seccurity Chapter 4

5. Assume a year has passed and XYZ has improved security by applying a number ofcontrols. Using the information from Exercise 3 and the following table, calculate thepost-control ARO and ALE for each threat category listed.

| Threat Category | Cost Per Incident | Frequency of Occurrence | Cost of Control (ACS) | Type of Control | SLE | ARO | ALE | CBA |
|---|---|---|---|---|---|---|---|---|
| Programmer mistakes | $5,000 | 1 per month | $20,000 | Training | 5,000 | 12 | 60,000 | 180,000 |
| Loss of intellectual property | $75,000 | 1 per 2 years | $15,000 | Firewall/IDS | 75,000 | .5 | 37,500 | 22,500 |
| Software piracy | $500 | 1 per month | $30,000 | Firewall/IDS | 500 | 12 | 6,000 | -10,000 |
| Theft of information (hacker) | $2,500 | 1 per 6 months | $15,000 | Firewall/IDS | 2,500 | 2 | 5,000 | -10,000 |
| Theft of information (employee) | $5,000 | 1 per year | $15,000 | Physical security | 5,000 | 1 | 5,000 | -10,000 |
| Web defacement | $500 | 1 per quarter | $10,000 | Firewall | 500 | 4 | 2,000 | -6,000 |
| Theft of equipment | $5,000 | 1 per 2 years | $15,000 | Physical security | 5,000 | .5 | 2,500 | -12,500 |
| Viruses, worms, Trojan horses | $1,500 | 1 per month | $15,000 | Antivirus | 1,500 | 12 | 18,000 | 45,000 |
| Denial-of-service attacks | $2,500 | 1 per 6 months | $10,000 | Firewall | 2,500 | 2 | 5,000 | -5,000 |
| Earthquake | $250,000 | 1 per 20 years | $5,000 | Insurance/backups | 250,000 | .05 | 12,500 | -5,000 |
| Flood | $50,000 | 1 per 10 years | $10,000 | Insurance/backups | 50,000 | .1 | 5,000 | 10,000 |
| Fire | $100,000 | 1 per 10 years | $10,000 | Insurance/backups | 100,000 | .1 | 10,000 | 5,000 |

Why have some values changed in the columns Cost per Incident and Frequency of Occurrence?

Because of the various control methods used.

How could a control affect one but not the other?

A less effective control.

Assume the values in the Cost of Control column presented in the table are those unique costs directly associated with protecting against that threat. In other words, don't worry about overlapping costs between controls. Calculate the CBA for the planned risk control approach for each threat category. For each threat category, determine if the proposed control is worth the costs.
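The ALE formula from question 19 (ALE = SLE x ARO) and the CBA formula behind the last column of the Exercise 5 table (CBA = ALE(prior) - ALE(post) - ACS, the textbook cost-benefit formula) can be worked through for both tables in a few lines. The Python below is an added example, not part of the original answer sheet: it parses the "Frequency of Occurrence" strings into an ARO, embeds the inputs of both tables above (SLE, frequency, ACS, control type) as data copied from them, and reports the CBA and a worth-it verdict per threat. The figures it returns are whatever the formulas give for those inputs, so they serve as a check against the hand-filled ALE and CBA columns.

```python
import re
from fractions import Fraction

# Periods per year for the units used in the frequency column
PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}
WORD_NUMBERS = {"two": 2, "three": 3, "four": 4, "five": 5, "six": 6, "ten": 10, "twenty": 20}

_FREQ = re.compile(r"(\d+)\s+per\s+(?:(\d+|[a-z]+)\s+)?(week|month|quarter|year)s?")


def parse_aro(frequency: str) -> Fraction:
    """Turn a frequency such as '1 per week' or '1 per 20 years' into an ARO.

    ARO is the expected number of occurrences per year; Fraction keeps
    '1 per 20 years' exact (1/20) instead of a rounded float.
    """
    m = _FREQ.fullmatch(frequency.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised frequency: {frequency!r}")
    count, span, unit = m.groups()
    if span is None:
        periods = 1
    elif span.isdigit():
        periods = int(span)
    else:
        periods = WORD_NUMBERS[span]
    return Fraction(int(count) * PERIODS_PER_YEAR[unit], periods)


def ale(sle: int, frequency: str) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return float(sle * parse_aro(frequency))


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit analysis: CBA = ALE(prior) - ALE(post) - ACS."""
    return ale_prior - ale_post - acs


# Exercise 3 table: (threat category, cost per incident = SLE, frequency)
BEFORE = [
    ("Programmer mistakes", 5_000, "1 per week"),
    ("Loss of intellectual property", 75_000, "1 per year"),
    ("Software piracy", 500, "1 per week"),
    ("Theft of information (hacker)", 2_500, "1 per quarter"),
    ("Theft of information (employee)", 5_000, "1 per six months"),
    ("Web defacement", 500, "1 per month"),
    ("Theft of equipment", 5_000, "1 per year"),
    ("Viruses, worms, Trojan horses", 1_500, "1 per week"),
    ("Denial-of-service attacks", 2_500, "1 per quarter"),
    ("Earthquake", 250_000, "1 per 20 years"),
    ("Flood", 250_000, "1 per 10 years"),
    ("Fire", 500_000, "1 per 10 years"),
]

# Exercise 5 table: (threat category, SLE, frequency, annual cost of safeguard, control)
AFTER = [
    ("Programmer mistakes", 5_000, "1 per month", 20_000, "Training"),
    ("Loss of intellectual property", 75_000, "1 per 2 years", 15_000, "Firewall/IDS"),
    ("Software piracy", 500, "1 per month", 30_000, "Firewall/IDS"),
    ("Theft of information (hacker)", 2_500, "1 per 6 months", 15_000, "Firewall/IDS"),
    ("Theft of information (employee)", 5_000, "1 per year", 15_000, "Physical security"),
    ("Web defacement", 500, "1 per quarter", 10_000, "Firewall"),
    ("Theft of equipment", 5_000, "1 per 2 years", 15_000, "Physical security"),
    ("Viruses, worms, Trojan horses", 1_500, "1 per month", 15_000, "Antivirus"),
    ("Denial-of-service attacks", 2_500, "1 per 6 months", 10_000, "Firewall"),
    ("Earthquake", 250_000, "1 per 20 years", 5_000, "Insurance/backups"),
    ("Flood", 50_000, "1 per 10 years", 10_000, "Insurance/backups"),
    ("Fire", 100_000, "1 per 10 years", 10_000, "Insurance/backups"),
]


def cost_benefit_report(before=BEFORE, after=AFTER) -> dict:
    """Map each threat category to its prior ALE, post ALE, ACS, CBA and a verdict."""
    prior = {cat: ale(sle, freq) for cat, sle, freq in before}
    report = {}
    for cat, sle, freq, acs, control in after:
        post = ale(sle, freq)
        net = cba(prior[cat], post, acs)
        report[cat] = {
            "control": control,
            "ale_prior": prior[cat],
            "ale_post": post,
            "acs": acs,
            "cba": net,
            "worth_it": net > 0,   # positive CBA: the control saves more than it costs
        }
    return report


if __name__ == "__main__":
    for cat, row in cost_benefit_report().items():
        verdict = "worth it" if row["worth_it"] else "not worth it"
        print(f"{cat:32} ALE {row['ale_prior']:>9,.0f} -> {row['ale_post']:>9,.0f}"
              f"  ACS {row['acs']:>7,}  CBA {row['cba']:>10,.0f}  {verdict}")
```

A negative CBA does not by itself mean the control is pointless; it means the annual saving in expected loss is smaller than the annual cost of the safeguard for that one threat, which is exactly the overlap the exercise tells you to ignore (one firewall or one physical-security program usually covers several rows at once).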