Adrian Leal

ITS 370

Shin-Ping Tucker

CH5


1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls?

· Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

· Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

· Operators use an MGMT45 control console to monitor operations in the server room. It has no password and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

Based on the information provided, the vulnerability that should be evaluated first is the one on asset B. The device has an impact rating of 100 and 80% certainty of the stated assumptions. The device plays an important role in the business, and any downtime would be a big loss for the company. Also, it has direct contact with the customers. The last risk that should be investigated would be the attack on the control console. Its impact rating is only 5%.

2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

Confidential: Given the assumption that some people have “access” to my computer, confidential would be myself. I am the only one who knows the password to access the protected documents or sites (online banking, social media, etc.).

Internal: Given the assumption that some people have “access” to my computer, internal would be the documents that I let other people access by giving them the password, or other sites.

External: Given the assumption that some people have “access” to my computer, external would be everything else that does not have a password, for example my documents from the Documents folder, my images, etc.


3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

Threat Category                   ARO     ALE ($)
Programmer mistakes               52      260,000
Loss of intellectual property     1       75,000
Software piracy                   52      26,000
Theft of information (hacker)     4       10,000
Theft of information (employee)   2       10,000
Web defacement                    12      6,000
Theft of equipment                1       5,000
Viruses, worms, Trojan horses     52      78,000
Denial-of-service attacks         4       10,000
Earthquake                        0.05    12,500
Flood                             0.1     25,000
Fire                              0.1     25,000


4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Programmer mistakes: They have calculated the average amount they would have to pay a programmer per week, then the possible financial loss from paying the programmer to fix the mistake, and finally the average number of mistakes per programmer.

Loss of intellectual property: They have calculated the total value of their software, then the possible percentage loss per week, and multiplied that by 52 to obtain the yearly cost.

Software piracy: They calculated what revenue they might lose based on the price of their software and sales.

Theft of information (hacker): They have calculated the value of the information owned and divided it into three-month periods, since the chances of an attack are low.

Theft of information (employee): Same as the previous case. The only difference is that they estimate an employee will wait twice as long as a hacker to perform an attack.

Web defacement: They calculated the value of their web page and then the estimated percentage of damage and its frequency.

Theft of equipment: This is statistical.

Viruses, worms, Trojan horses: They have calculated the time and money that recovery would cost, paying the programmers for extra time.

Denial-of-service attacks: This is calculated based on the wages of the employees and the average number of unexpected errors, since you are paying the employees to do literally “nothing”.

Earthquake: Probability of earthquake in the region.

Flood: Probability of flood in the region.

Fire: This is statistical.


5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.

Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

Threat Category                   ARO     ALE ($)   CBA ($)
Programmer mistakes               12      60,000    180,000
Loss of intellectual property     0.5     37,500    22,500
Software piracy                   12      6,000     -10,000
Theft of information (hacker)     2       5,000     -10,000
Theft of information (employee)   1       5,000     -10,000
Web defacement                    4       2,000     -6,000
Theft of equipment                0.5     2,500     -12,500
Viruses, worms, Trojan horses     12      18,000    45,000
Denial-of-service attacks         2       5,000     -5,000
Earthquake                        0.05    12,500    -5,000
Flood                             0.1     5,000     10,000
Fire                              0.1     10,000    5,000


Some of the values have changed because of the various control methods used. A control could affect one but not the other because it is less effective.
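As an added worked example (not part of the original assignment), the arithmetic behind the tables in Exercises 3 and 5 in Python: ALE = SLE × ARO, and CBA = ALE(prior) − ALE(post) − ACS. The ARO and ALE figures are taken from the tables above, SLE is derived as ALE / ARO, and the annual control costs (ACS) are assumed values chosen so the computed CBA reproduces the CBA column.

```python
# Added example: ARO / ALE / CBA calculations as used in Exercises 3 and 5.
#   ALE = SLE * ARO                         (single loss expectancy x yearly rate)
#   CBA = ALE(prior) - ALE(post) - ACS      (ACS = annual cost of the safeguard)
# SLE values are derived from the tables as ALE / ARO; the ACS values are
# ASSUMED (not on the page), picked so that CBA matches the table's CBA column.

def aro_from_interval(occurrences, per_years):
    """ARO = expected occurrences per year, e.g. 1 per 20 years -> 0.05."""
    return occurrences / per_years

def ale(sle, aro):
    """Annualized loss expectancy for one threat category."""
    return sle * aro

def cba(ale_prior, ale_post, acs):
    """Cost-benefit of a control: ALE saved by the control minus its annual cost."""
    return ale_prior - ale_post - acs

# (threat, SLE, ARO before controls, ARO after controls, assumed ACS)
THREATS = [
    ("Programmer mistakes",           5_000,  52,                       12,                       20_000),
    ("Loss of intellectual property", 75_000, 1,                        0.5,                      15_000),
    ("Software piracy",               500,    52,                       12,                       30_000),
    ("Theft of equipment",            5_000,  1,                        0.5,                      15_000),
    ("Earthquake",                    250_000, aro_from_interval(1, 20), aro_from_interval(1, 20), 5_000),
]

def evaluate(threats=THREATS):
    """Return {threat: (ALE prior, ALE post, CBA, worth_it)} for each row.
    A control is 'worth it' when CBA is positive, i.e. the ALE it removes
    exceeds what it costs each year."""
    results = {}
    for name, sle, aro_prior, aro_post, acs in threats:
        prior = ale(sle, aro_prior)
        post = ale(sle, aro_post)
        benefit = cba(prior, post, acs)
        results[name] = (prior, post, benefit, benefit > 0)
    return results

if __name__ == "__main__":
    for name, (prior, post, benefit, ok) in evaluate().items():
        verdict = "worth it" if ok else "not worth it"
        print(f"{name:30s} ALE {prior:>10,.0f} -> {post:>9,.0f}  CBA {benefit:>9,.0f}  {verdict}")
```

Note that the earthquake row shows a control that leaves ARO unchanged: the CBA is then simply the negative of the control cost, which is why the table marks it as not worth the expense.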