Chapter 5

Exercise questions

1.    If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated first for additional controls? Which should be evaluated last?

a.    Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75 percent certain of the assumptions and data.

b.    Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75 percent. You are 80 percent certain of the assumptions and data.

c.    Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

I would start with issue number 2. Looking at the risk and the possibility of attack, this one seems the most important because it takes care of e-commerce transactions, and if it gets attacked, the damages could be very important. Customers could get their credit card information stolen and lose a lot of money; they could sue our organization, and we would lose money, customers, and reputation, so this is the issue I would look at first. Then I would look at the first issue, because the likelihood of attack is similar to the third one's, but the damages would be greater with this issue, so I would take a look at that one second. I would look at the third one last, because I believe that if the hiring process is under good control, the people hired in the company are trustworthy, and therefore this issue should be the least of my worries. However, if this is a bigger company, I might need to take a look at it first, since I would probably not know the operators personally and it would be harder to trace back if there was an unlogged misuse.

2.    Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

Almost everything I have on my computer is confidential; there are mostly assignments on there. There isn't anything that has the potential for embarrassment, as I do not save those kinds of files. I do not save any passwords, card numbers, or anything like that, so there isn't anything that a hacker could really use my files for. I guess the only thing that could have the potential for misuse is if a student were to hack my laptop and steal my assignments and use them as their own for their classes.

3.    Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

To calculate the ARO and ALE for each threat, I am going to create another table below.

ARO and ALE threat cost

Threat category                    ARO      ALE
Programmer mistakes                 52      $260,000
Loss of intellectual property        1      $75,000
Software piracy                     52      $26,000
Theft of information (hacker)        4      $10,000
Theft of information (employee)      2      $10,000
Web defacement                      12      $6,000
Theft of equipment                   1      $5,000
Viruses, worms, Trojan horses       52      $78,000
Denial-of-service attacks            4      $10,000
Earthquake                        0.05      $12,000
Flood                              0.1      $25,000
Fire                               0.1      $50,000

4.    How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

Cost per incident is the loss that takes place from an attack. It is calculated based on the total value of an asset and the percentage loss that occurs from an attack. There are no specific sources available to give the frequency of an attack, but there are some threat/vulnerability assessments that the owners of a facility can obtain for their facilities. In the case of information/data, the organization can gauge these factors by relying on its internal information. The information is usually estimated. SLE (cost per incident) is calculated as asset value × exposure factor (EF), where EF is the percentage loss that is expected to occur. Frequency of occurrence is simply how often you expect an attack to take place. XYZ Software Company could use any method to arrive at each of these entries. The company could also prefer a scale rather than estimates. The company could also use benchmarking as a means to arrive at the values in the table given. There are other best practices too. All of these methods combined could provide the values for the costs and frequency for the entries listed.

5.    Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each threat category listed. Why have some values changed in the Cost per Incident and Frequency of Occurrence columns? How could a control affect one but not the other? Assume that the values in the Cost of Control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

To calculate the new ARO and ALE of the company after a year, I created another table below.

ARO and ALE threat cost

Threat category                    ARO      ALE
Programmer mistakes                100      $60,000
Loss of intellectual property       50      $37,000
Software piracy                    100      $6,000
Theft of information (hacker)      100      $5,000
Theft of information (employee)    100      $5,000
Web defacement                     100      $2,000
Theft of equipment                  50      $2,500
Viruses, worms, Trojan horses      100      $18,000
Denial-of-service attacks          100      $5,000
Earthquake                           5      $12,500
Flood                               10      $5,000
Fire                                10      $10,000

The values in the Cost per Incident and Frequency of Occurrence columns have changed because of the controls that have been implemented. An example of a control that affects one but not the other is training your employees so that they don't make as many programming errors: this does not affect the Cost per Incident, but it does decrease how many times mistakes are made, which lowers the Frequency of Occurrence.
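
The ARO, ALE and CBA arithmetic behind Exercises 3 and 5, added here as an example (not part of the original answers). It uses the chapter's formulas, ARO = expected incidents per year, ALE = SLE × ARO and CBA = ALE(prior) − ALE(post) − ACS, where ACS is the annual cost of the safeguard. The cost-per-incident and frequency inputs are constructed to reproduce rows of the ARO/ALE tables above, and the control costs are constructed placeholders, because the exercise's cost-of-control table is not reproduced on this page.

```python
# Added example: ARO, ALE and CBA for a few threat categories from Exercises
# 3 and 5. Inputs are constructed (see the lead-in); they are not the
# textbook's own table.

PERIODS_PER_YEAR = {"week": 52, "month": 12, "quarter": 4, "year": 1}


def aro(incidents, per, years=1):
    """Annualized rate of occurrence: aro(1, "week") -> 52, aro(1, "year", 20) -> 0.05."""
    return incidents * PERIODS_PER_YEAR[per] / years


def ale(sle, annual_rate):
    """Annualized loss expectancy = single loss expectancy (cost per incident) x ARO."""
    return sle * annual_rate


def cba(ale_prior, ale_post, acs):
    """Cost-benefit analysis; a positive result means the control saves more than it costs."""
    return ale_prior - ale_post - acs


# Constructed rows: (threat, SLE before, ARO before, SLE after, ARO after, ACS).
THREATS = [
    # Control lowers only the frequency (e.g. developer training); SLE unchanged.
    ("Programmer mistakes", 5_000, aro(1, "week"), 5_000, aro(1, "month"), 20_000),
    # Control lowers only the cost per incident (e.g. off-site backups); ARO unchanged.
    ("Flood", 250_000, aro(1, "year", 10), 50_000, aro(1, "year", 10), 10_000),
    # Control halves the frequency but its placeholder cost exceeds the saving.
    ("Theft of equipment", 5_000, aro(1, "year"), 5_000, aro(1, "year", 2), 15_000),
]


def evaluate(rows):
    """Return {threat: (ALE before, ALE after, CBA, worth implementing)}."""
    result = {}
    for name, sle0, aro0, sle1, aro1, acs in rows:
        before, after = ale(sle0, aro0), ale(sle1, aro1)
        net = cba(before, after, acs)
        result[name] = (before, after, net, net > 0)
    return result


if __name__ == "__main__":
    for name, (before, after, net, ok) in evaluate(THREATS).items():
        verdict = "worth it" if ok else "not worth it"
        print(f"{name:22} ALE ${before:>10,.0f} -> ${after:>10,.0f}  CBA ${net:>10,.0f}  {verdict}")
```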