Managing Risk Flashcards
Risk Calculations
Weigh the potential threat against the likelihood of it occurring
Residual Risk
Risk that will and must remain
Annual Loss Expectancy (ALE)
A calculation used to identify risks and calculate the expected loss each year
ALE
Annual Loss Expectancy
Annualized Rate of Occurrence (ARO)
A calculation of how often a threat will occur
ARO
Annualized Rate of Occurrence
Asset Value (AV)
The assessed value of an item
AV
Asset Value
Exposure Factor (EF)
The potential percentage of loss to an asset if a threat is realized
MTD
Maximum Tolerable Downtime
MTBF
mean time between failures
MTTF
mean time to failure
MTTR
mean time to restore
Recovery point objective (RPO)
The last known good data point prior to an outage that is used to recover systems
RPO
Recovery point objective
Recovery time objective (RTO)
The maximum amount of time that a process or service is allowed to be down with the consequences still considered acceptable
RTO
recovery time objective
Redundant Array of Independent Disks (RAID)
A configuration of multiple hard disks used to provide fault tolerance should a disk fail
RAID
Redundant Array of Independent Disks
single loss expectancy (SLE)
The cost of a single loss when it occurs
SLE
single loss expectancy
SLA
service level agreement
SPOF
single point of failure
Risk calculation formula
SLE x ARO = ALE
threat
anything that can harm your resources
Types of threats
- Environmental
- Manmade
- Internal vs External
vulnerability
a weakness that could be exploited by a threat
Chief components of a risk assessment process
- Risks to which the organization is exposed
- Risks that need addressing
- Coordination with the business impact analysis (BIA)
BIA
business impact analysis
Threat Vector
the way in which an attacker poses a threat (particular tool or means of exploiting)
A privacy impact assessment (PIA) requires what three things?
- Ensure conformance with applicable legal, regulatory, and policy requirements for privacy
- Determine risks and effects
- Evaluate protections and alternative processes to mitigate potential privacy risks
The four possible responses to identifying and assessing the risks that exist
- Risk Avoidance
- Risk Transference
- Risk Mitigation
- Risk Acceptance
Audits used in risk mitigation
- user rights
- permission reviews
- change management
- incident management
cloud computing
hosting services and data on the Internet instead of hosting it locally
Three ways of implementing cloud computing
- Platform as a Service
- Software as a Service
- Infrastructure as a Service
Platform as a Service (PaaS)
Vendors allow apps to be created and run on their infrastructure.
Known as ‘cloud platform service’
PaaS
Platform as a Service
Software as a Service (SaaS)
Applications are remotely run over the web
Costs are usually computed on a subscription basis
SaaS
Software as a Service
Infrastructure as a Service (IaaS)
Clients pay a cloud service provider for the resources used
Resembles the traditional utility model
Risks associated with virtualization
- Breaking out of the virtual machine
- Intermingling network and security controls
- Hypervisor exploits
Hypervisor
the virtual machine monitor; the software that allows virtual machines to exist
SOP
Standard Operating Procedure
Mandatory Vacation Policy
Personnel policy
Requires employees to take time away from work to refresh. It also allows the company to ensure it can fill skill gaps and can help to detect fraud
Job Rotation Policy
Personnel policy
Defines intervals at which employees must rotate through positions. It prevents a company from being too dependent on a single person for a job.
Separation of Duties Policies
Personnel policy
Requires more than one person to complete key processes. Requires employees committing fraud to collude with others, thus reducing the possibility of it happening. This policy also reduces overall errors of processes.
collusion
an agreement between two or more parties established for the purpose of committing deception or fraud
Clean Desk Policy
Personnel Policy
Limits employees to only having current work on their desk. This increases overall security.
Background Check Policy
Personnel Policy
Since all employees will handle data that is sensitive, they must have reason to be trusted
Nondisclosure Agreements Policy
Personnel Policy
NDA policy is used to allow employees to work with sensitive public or proprietary data
Onboarding Policies
Personnel Policy
The onboarding policies used allow for well-trained employees who feel they are of value to the company
Continuing Education Policies
Personnel Policy
Continuing education policies are important as they allow employees to rise in value and are required to maintain necessary certifications
Exit Interview Policies
Personnel Policy
Allow the company to learn and gain honest feedback
Role-Based Awareness Training Policy
Personnel Policy
Training employees to the level of their privilege adheres to the ‘least privilege principle’
Acceptable Use Policies (AUP)
Personnel Policy
Describe how the employees in an organization can use company systems and resources
pod slurping
When portable devices are plugged directly into a machine, they bypass the network security measures (such as a firewall) and allow data to be copied
Adverse Actions Policy
Personnel Policy
Details what must be done in the event of termination, administrative leave, or any other reprimanding of employees. Includes suspending accounts, revoking privileges, etc.
General Security Policies
Personnel Policy
Define what controls are required to implement and maintain the security of systems, users, and networks
False Positive
Type I error;
Alert to an event which is not an incident
False Negative
Type II error;
Lack of an alert for an event which is an incident or any other event which should require an alert
Type I error
False Positive
Type II error
False Negative
Type III error
An error in which you came to the correct conclusion but for all the wrong reasons
Leading ways to address business continuity
Do a BIA and implement ‘best practices’
Business impact analysis (BIA)
Business Continuity Best Practice
The process of evaluating all of the critical systems in an organization to define impact and recovery plans. Focuses on the impact a loss would have on the company.
NOT concerned with external threats or vulnerabilities
Key components of a BIA
- Identifying critical functions
- Prioritizing critical business functions
- Calculating a timeframe for critical systems loss
- Estimating the tangible and intangible impact on the organization
Variables that affect ‘impact’
- Life
- Property
- Safety
- Finance
- Reputation
Identifying Critical Systems and Components
Business Continuity Best Practice
Involves identifying points of failure and maintaining contingency plans
Automation/Scripting
Business Continuity Best Practice
Automate courses of action for a range of scenarios that do not require human detection and reaction
Frameworks and Templates
Business Continuity Best Practice
Includes scales for evaluating threats and deciding the best responses to them
Master Image
Business Continuity Best Practice
Allows the administrator to more easily restore a system if a failure occurs
Nonpersistence
Business Continuity Best Practice
- Allows for a ‘snapshot’ of an operating system in an exploited state to inspect it
- Allows for rolling back to a known configuration
- Allows for booting a system with ‘live boot media’
Elasticity
Business Continuity Best Practice
Ability to scale up (and scale down) resources as needed. Includes ability to pool resources
Scalability
Business Continuity Best Practice
Allows for elasticity and only utilizing the resources required
Distributive Allocation
Business Continuity Best Practice
Distributing the load (file requests, data routing, etc.) so that no device is overly burdened
High Availability (HA)
Business Continuity Best Practice
Refers to measures such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage.
Planning for Resiliency
Business Continuity Best Practice
Capacity to recover quickly from difficulties
Redundancy
Business Continuity Best Practice
Refers to systems that either are duplicated or ‘fail over’ to other systems in the event of a malfunction
Clustering
involves multiple systems connected together in such a way that if any of the systems fail, the others take up the slack
The major cost of failover systems
They can become prohibitively expensive
Fault Tolerance
Business Continuity Best Practice
The ability of a system to sustain operation even though a critical component has failed
Two key components of fault tolerance
- Spare parts
- Electrical power
UPS
uninterruptible power supply
Redundant Array of Independent Disks (RAID)
A technology that uses multiple disks to provide fault tolerance
RAID
Redundant Array of Independent Disks
RAID Level 0
disk striping; does not include any fault tolerance
RAID Level 1
disk mirroring; can be implemented as mirroring or duplexing
RAID Level 3
disk striping with a parity disk
RAID Level 5
disk striping with parity
The focus of ‘change management’
How to document and control for a change
PIA
privacy impact assessment