Principles of information security

Chapter 4
1. What is risk management? Why is the identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
Risk management is when an organization identifies vulnerabilities of information
assets and takes steps to reduce the resulting risk. Risk identification is important
because you have to know the risks and current controls (if any) before you can
manage them.
2. According to Sun Tzu, what two key understandings must you achieve to be successful
in battle?
First, you must know yourself, in this case that would be knowing the assets and
protections of your organizations and secondly you must know your enemy which is
understanding what the possible threats could be to your organizations assets.
3. Who is responsible for risk management in an organization? Which community of
interest usually takes the lead in information security risk management?
All communities of interest within the organization are responsible for risk
management, the lead is usually taken by members of the information security
community.
4. In risk management strategies, why must periodic review be a part of the process?
Periodic review is necessary in order to determine whether or not the risk
management strategies are really working or could be improved upon.
5. Why do networking components need more examination from an information security
perspective than from a systems development perspective?
When it comes to protecting data money is no factor. If you examine the network
from a development perspective youre only looking at cost/benefit whereas if youre
looking at it from a security perspective cost is an afterthought.
6. What value does an automated asset inventory system have for the risk identification
process?
Used to identify system elements that make up hardware, software, and network
components, the automated asset inventory system becomes a valuable tool when
used in the calculation of possible loss and projections of cost in risk management.
7. What information attribute is often of great value for local networks that use static
addressing?
IP address is useful in identifying hardware assets.
8. Which is more important to the systems components classification scheme: that the

asset identification list be comprehensive or mutually exclusive?

Both are important as depending upon the organizations list priority and
classification.
9. Whats the difference between an assets ability to generate revenue and its ability to
generate profit?
All assets generate both revenue and profit whether directly or indirectly. Every asset
performs a role to support another asset making each asset important to the next.
Therefore, the only difference is the role that an asset plays within an organization.
10. What are vulnerabilities? How do you identify them?
Any weakness that can be exploited by accident or by an attacker that can make an
asset susceptible to theft, disclosure and/or damage. By administering a
Vulnerabilities Assessment Audit, an organization will be able to address and
manage all security vulnerability issues.
11. What is competitive disadvantage? Why has it emerged as a factor?
Competitive disadvantage means falling behind the competition, and what that
means is that organizations are using emerging technologies not to get ahead but to
maintain the status quo.
12. What are the strategies for controlling risk as described in this chapter?
The strategies are:
1. Defend
2. Transfer
3. Mitigate
4. Accept
13. Describe the defend strategy. List and describe the three common methods.
The Defend strategy tries to prevent any exploit of vulnerabilities by:
1. Application of policy
2. Education and training
3. Application of technology
14. Describe the transfer strategy. Describe how outsourcing can be used for this purpose.
The transfer strategy is used to shift risk on to others. Just like how the UH has
transferred it email to Google the UH has transferred most of the risk to Google.
15. Describe the mitigate strategy. What three planning approaches are discussed in the
text as opportunities to mitigate risk?
Mitigation tries to reduce risk. It does this by:

1. Incident Response Plan

2. Disaster recovery plan
3. Business continuity plan
16. How is an incident response plan different from a disaster recovery plan?
The DR plan focuses on preparations (preventative maintenance) and recovery after
the incident. The IR plan focuses on intelligence gathering, information analysis,
coordinated decision making, and urgent, concrete actions.
Also, IR plans usually cover small, individual incidents, whereas a DR plan will cover
a larger scale loss
17. What is risk appetite? Explain why risk appetite varies from organization to organization.
The quantity and nature of risk the organization is willing to accept.
different organizations have different levels of risk. Government organizations that
deal with classified data have government regulated security that dictates the
amount of risk taken. Other organizations will only have these in place to reduce bad
publicity or integrity from a security breach.
18. What is a cost benefit analysis?
Economic feasibility of implementing information security controls and safeguards.
Things that affect the cost of a control or safeguard are:
Cost of development or acquisition of hardware, software, and services
Training fees
Cost of implementation (cost of installation, configuration, testing, etc)
Service costs (Vendor fees for maintenance and upgrades)
Cost of maintenance
19. What is the definition of single loss expectancy? What is annual loss expectancy?
The calculation of the value associated with the most likely loss from an attack.
ALE = SLE X ARO
Annualized loss expectancy = single loss expectancy X annualized rate of
occurrence
20. What is residual risk?
The risk to the information asset that remains even after the application of controls.

Chapter 4 Exercises 1. If an organization has three information assets to evaluate for risk management, as
shown in the accompanying data, which vulnerability should be evaluated for additional
controls first? Which one should be evaluated last?

Data for Exercise 1:

Switch L47 connects a network to the Internet. It has two vulnerabilities: it is

susceptible
to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow
attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current
controls in place. You are 75 percent certain of the assumptions and data.
(0.2 x 90) - 0% + (0.25 x 18) = 22.5
Vulnerability 1 = 22.5
(0.1 x 90) - 0% + (.25 x 9) = 29.25
Vulnerability 2 = 29.25

Server WebSrv6 hosts a company Web site and performs e-commerce transactions.
It
has a Web server version that can be attacked by sending it invalid Unicode values.
The likelihood of that attack is estimated at 0.1. The server has been assigned an
impact value of 100, and a control has been implanted that reduces the impact of the
vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.
(0.1 x 100) - (0.75 x 10) + (0.2 x 10) = 4.5
Vulnerability 3 = 4.5

Operators use an MGMT45 control console to monitor operations in the server room.
It
has no passwords and is susceptible to unlogged misuse by the operators. Estimates
show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has
an impact rating of 5. You are 90 percent certain of the assumptions and data.
(0.1 x 5) - 0% + (0.5 x .90) = 0.95
Vulnerability 4 = 0.95
The SNMP buffer overflow vulnerability of switch L47 should be evaluated for
additional controls first according to its vulnerability rating. The MGMT45 control
console should be evaluated last as its rating was the lowest.
2. Using the data classification scheme presented in this chapter, identify and classify the
information contained in your personal computer or personal digital assistant. Based
on the potential for misuse or embarrassment, what information would be confidential,
sensitive but unclassified, or for public release?
Data Classification Scheme (pg. 126).
Purpose/Objective: To help secure the confidentiality and integrity of information.
The typical scheme has three categories:
Confidential: i.e. Sensitive or proprietary. Need-to-know basis. High level.
Internal: viewed only by those authorized by corporate. Mid-level.
External: basically public release.

Personal Definition of DCS.

Confidential:
Myself and 1 person. The person I authorize will have a basic understanding of how to unencrypt my first password (PC log on) to get to my list of encrypted passwords.
Internal:
Individuals I authorize to view information.
External: Reading only privilege. Viewable by general public.
Note: PC is protected by Anti-Virus/Spyware and Internet protection by McAfee
professionals and is always disconnected from the internet and turned off when not in use
and is kept in a locked room.
3. Suppose XYZ Software Company has a new application development project,
with projected revenues of $1,200,000. Using the following table, calculate the ARO and
ALE for each threat category that XYZ Software Company faces for this
project.

Threat Category(SL

Cost Per
Incident (SLE)

Frequency of
Occurrence

SLE

AR
O

ALE

Programmer
mistakes

$5,000

1 per week

5,000

52

260,00
0

Loss of intellectual
property

$75,000

1 per year

75,000

75,000

Software piracy

$500

1 per week

500

52

26,000

Theft of information
(hacker)

$2,500

1 per quarter

2,500

10,000

Theft of information
(employee)

$5,000

1 per six months

5,000

10,000

Web defacement

$500

1 per month

500

12

6,000

Theft of equipment

$5,000

1 per year

5,000

5,000

Viruses, worms,
Trojan horses

$1,500

1 per week

1,500

52

78,000

Denial-of-service
attacks

$2,500

1 per quarter

2,500

10,000

Earthquake

$250,000

1 per 20 years

250,00
0

.05

12,500

Flood

$250,000

1 per 10 years

250,00
0

.1

25,000

Fire

$500,000

1 per 10 years

500,00
0

.1

25,000

4. How might XYZ Software Company arrive at the values in the above table? For each
entry, describe the process of determining the cost per incident and frequency of
occurrence.

Programmer mistakes: They figure the average amount they might have to pay a
programmer per week, then they determine a value for the possible financial loss
incurred from single mistake because theyre going to have to pay time to have the
programmers write a patch or fix the mistake. Then they average how many mistakes
the programmers might make per week.
Loss of intellectual property: They estimate the overall value of their intellectual
property then they determine a figure (that could be based on similar occurrences in
similar companies) for the possible percentage loss per week, then they multiply by 52
to determine the yearly cost.
Software piracy: They determine how much revenue they could possibly lose on
pirated software per week based on the price of their software, projected sales and
statistics of loss in other similar companies.
Theft of information (hacker): They set a value for the overall information owned then
based on statistics they project what percentage of that will likely be stolen within a 3
month period. The reason they set it to a quarter period is likely because otherwise the
percentage would be too low to be considered a necessary budget adjustment.
Theft of information (employee): They just double the stats of the above hacker theft
probably assuming an employee will wait awhile before attempting any theft.
Web defacement: They place a value on their web page that is likely based on cost of
development, then they project the estimated percentage of damage a defacement will
cost them. Frequency of occurrence is probably based on statistical information.
Theft of equipment: This one is all statistical, an estimated 5,000 dollars worth of
equipment is probably stolen once a year from similar companies.
Viruses, worms, Trojan horses: They probably base this on their projected network/
application implementations and known patterns of current exploitations and the time
and cost that could be required in recovery (paying IT staff and programmers the extra
time).
Denial-of-service attacks: If you have server downtime youre losing money paying
employees to sit and drink coffee. Average downtime multiplied by the number of
employees multiplied by the average wage for each employee plus the average for any
unexpected factors.
Earthquake: Based on the type of structure the organization inhabits and the
organizations locale. Regional earthquake occurrence and prediction statistics are
public information.

Flood: Regional flood likelihood statistics are available for reference.

Fire: The type of structure and the likelihood of a fire are all researched statistics that
can be looked up.
5. Assume a year has passed and XYZ has improved security by applying a number of
controls. Using the information from Exercise 3 and the following table, calculate the
post-control ARO and ALE for each threat category listed.

Threat Category

Cost Per
Incident

Frequency of
Occurrence

Cost Of
Control
ACS

Type Of Control

SLE

AR
O

ALE

CBA

Programmer
mistakes

$5,000

1 per month

$20,000

Training

5,000

12

60,00
0

180,00
0

Loss of
intellectual
property

$75,000

1 per 2 years

$15,000

Firewall/IDS

75,000

.5

37500

22,500

Software piracy

$500

1 per month

$30,000

Firewall/IDS

500

12

6000

-10,000

Theft of
information
(hacker)

$2,500

1 per 6
months

$15,000

Firewall/IDS

2,500

5,000

-10,000

Theft of
information
(employee)

$5,000

1 per year

$15,000

Physical security

5,000

5,000

-10,000

Web defacement

$500

1 per quarter

$10,000

Firewall

500

2,000

-6,000

Theft of
equipment

$5,000

1 per 2 years

$15,000

Physical security

5,000

.5

2,500

-12,500

Viruses, worms,
Trojan horses

$1,500

1 per month

$15,000

Antivirus

1,500

12

18,00
0

45,000

Denial-of-service
attacks

$2,500

1 per 6
months

$10,000

Firewall

2,500

5,000

-5,000

Earthquake

$250,000

1 per 20 years

$5,000

Insurance/backup
s

250,00
0

.05

12,50
0

-5,000

Flood

$50,000

1 per 10 years

$10,000

Insurance/backup
s

50,000

.1

5,000

10,000

Fire

$100,000

1 per 10 years

$10,000

Insurance/backup
s

100,00
0

.1

10,00
0

5,000

Why have some values changed in the columns Cost per Incident and Frequency of
Occurrence?
Because of the various control methods used
How could a control affect one but not the other?

Less effective
Assume the values in the Cost of Control column presented in the table are those unique
costs directly associated with protecting against that threat. In other words, dont worry
about overlapping costs between controls. Calculate the CBA for the planned risk
control approach for each threat category. For each threat category, determine if the
proposed control is worth the costs.