1.     If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

a.     Switch L47 connects a network to the internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

                                               i.     The possibility of hardware failure should be evaluated first then the SNMP Buffer overflow attack

b.     Server Websrv6 host a company Web site and preforms e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of the attack is estimated at 0.1. The server has been assigned an impact value of 100, and control has been implanted that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

                                               i.     The Invalid Unicode values should be evaluated thirdly

c.     Operators use MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

                                               i.     The MGMT45 control console needs to be evaluated last

2.     Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

a.     Personal files on my laptop would be considered confidential/sensitive. Photos of me and friends and personal ideas I have written down would fall under this category.

3.     Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

a.     Programmer Mistakes: ARO: 52, ALE: $260,000

b.     Loss of intellectual property: ARO: 1, ALE: $75,000

c.     Software piracy: ARO: 52, ALE: $26,000

d.     Theft of information (hacker): ARO: 1, ALE: $2,500

e.     Theft of information (employee): ARO: 2, ALE: $10,000

f.      Web defacement: ARO: 12, ALE: $6,000

g.     Theft of equipment: ARO: 1, ALE: $5,000

h.     Viruses, worms, Trojan horses: ARO: 52, ALE: $78,000

i.      Denial-of-service attacks: ARO: 4, ALE: $10,000

j.      Earthquake: ARO: .05, ALE: $12,500

k.     Flood: ARO: .1, ALE: $25,000

l.      Fire: ARO: .1, ALE: $50,000

 

4.     How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

a.     Programmer Mistakes: Software development isn’t always going to flow as smoothly as possible. Small bugs generated from human error or not enough thought going into the project could be detrimental to the software.

b.     Loss of intellectual property: Ideas could be stolen and patented by some other entity.

c.     Software piracy: Software costs money and people don’t want to pay for software which causes loss of revenue.

d.     Theft of information (Hacker): Hackers could steal valuable information from servers which requires backups to be called into place for recovery of lost information

e.     Theft of information (employee): Employees and hackers are all people with the possibility of having bad intentions

f.      Web defacement: hackers could hack into the web sites server and edit the homepage’s layout.

g.     Theft of equipment: People have the intention of selling equipment for personal gain.

h.     Viruses, worms, Trojan horses: All of these cause harm to data in companies

i.      Denial-of-service attacks: DOS is preventing companies from letting normal customers from accessing their content which results in downtime and loss of revenue.

j.      Earthquake: Not as frequent as other natural disasters but a costly one

k.     Flood: Costly disaster

l.      Fire: Most common out of the natural disasters listed.

5.     Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed.


Why have some values changed in the Cost per incident and Frequency of Occurrence column? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don’t consider overlapping cost between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

a.     Programmer Mistakes: ARO: 12, ALE: $60,000

b.     Loss of intellectual property: ARO: .5, ALE: $37,500

c.     Software piracy: ARO: 12, ALE: $6,000

d.     Theft of information (hacker): ARO: 2, ALE: $5,000

e.     Theft of information (employee): ARO: 1, ALE: $5,000

f.      Web defacement: ARO: 4, ALE: $2000

g.     Theft of equipment: ARO: .5, ALE: $2,500

h.     Viruses, worms, Trojan horses: ARO: 12, ALE: $18,000

i.      Denial-of-service attacks: ARO: 2, ALE: $5,000

j.      Earthquake: ARO: .05, ALE: $12,500

k.     Flood: ARO: .1, ALE: $5,000

l.      Fire: ARO: .1, ALE: $10,000