Chapter 1: Measuring and Weighing Risk Flashcards
Residual Risk
A risk that must remain for some reason
BIA
- Business Impact Analysis
- Outlines how to respond to various situations
Steps to Develop an Overview of Risk
1) Interview the department heads
2) Evaluate the network infrastructure
3) Perform a physical assessment
Annual Loss Expectancy (ALE)
A monetary measure of how much loss you could expect in a year.
Single Loss Expectancy (SLE)
How much you expect to lose at any one time.
Two components of SLE
1) Asset Value (AV)
2) Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)
Likelihood of an event occurring within a year
Risk Assessment Formula
SLE x ARO = ALE
Qualitative Risk Assessment
Opinion-based and subjective
Quantitative Risk Assessment
Cost-based (money) and objective
Likelihood
A score from 1-10 assessing the likelihood of an event
Threat Vector
The way in which an attacker poses a threat.
Mean Time Between Failures (MTBF)
Lifetime of a component before it must be replaced or repaired
Mean Time To Failure (MTTF)
The average time to failure for a nonrepairable system.
Mean Time To Restore (MTTR)
How long it takes to repair something once it fails.
Recovery Time Objective (RTO)
Max time that a process is allowed to be down before negative effects begin happening.
Recovery Point Objective (RPO)
The point the system needs to be restored to
Risk Avoidance
Identifying a risk and deciding to not engage in the actions associated with that risk
Risk Transference
Share some of the burden of risk with someone else, such as an insurance company.
Risk Mitigation
Taking steps to reduce risk
Data Loss Prevention (DLP) system
- Makes sure key content is not removed
- Example: MyDLP
Risk Deterrence
Letting attackers know that they will suffer consequences if they attack you
Platform as a Service (PaaS)
Vendors allow apps to be created and run on their infrastructure
Software as a Service (SaaS)
Applications used over the internet, e.g. Google Maps
Infrastructure as a Service (IaaS)
Utilizes virtualization, and clients pay an outsourcer for resources
Scope Statement
What a policy intends to accomplish and which documents, laws, and practices the policy addresses.
Policy Overview Statement
Provides the goal of the policy, why it’s important, and how to comply with it.
Policy Statement
The actual content of the policy
Accountability Statement
Who is responsible for ensuring the policy is enforced.
Five Key Aspects to Standards Documents
1) Scope and Purpose
2) Roles and Responsibilities
3) Reference Documents
4) Performance Criteria
5) Maintenance and Administrative Requirements
Four Key Aspects to Guidelines Documents
1) Scope and Purpose
2) Roles and Responsibilities
3) Guideline Statements
4) Operational Considerations
Separation of Duties
Requiring multiple people to take part in completing a process so as to minimize errors and malpractice.
Privacy Policies
Outlines how collected data is secured.
Acceptable Use Policies (AUP)
How the employees can use company systems and resources.
Pod Slurping
Plugging a device (such as a USB drive) directly into a machine to bypass security and copy data off of it or onto it
Mandatory Vacation Policy
Requires all users to take time away from work
Job Rotation Policy
Defines intervals at which employees must rotate through positions so that a company does not become too dependent on one person.
False Positives
Events that aren’t actually incidents
False Negatives
When you are not alerted to a situation to which you should be alerted
Clustering
Using multiple servers to load balance and create redundancy.
Which power redundancy device should be used for short-term outages? For long-term outages?
- Short-term: Uninterruptible Power Supply (UPS)
- Long-term: Backup Generator
Redundant Array of Independent Disks (RAID)
Uses multiple disks to provide fault tolerance
Tabletop Exercise
Involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.
3 Types of Controls
1) Technical
2) Management
3) Operational
RAID Level 0
- Disk Striping
- Uses multiple drives and maps them together as a single physical drive.
- If one drive fails, the whole array is unusable
RAID Level 1
- Disk Mirroring
- Two disks with exact copies of all the info
RAID Level 3
- Disk Striping with a Parity Disk
- Parity Info is kept on a separate disk for recovery
Parity Information
A value derived arithmetically from the binary data, used to reconstruct it after a failure.
RAID Level 5
- Disk Striping with Parity
- Parity info spread across all disks instead of a single disk
Change Management
The structured approach that is followed to secure a company’s assets