Tanner Carlson

ITS 370

CH5

10/13/2017

1. If an organization must evaluate the following three information assets for risk management, which vulnerability should be evaluated for additional controls? Which should be evaluated last?

• Switch L47 connects a network to the Internet. It has two vulnerabilities: it is susceptible to hardware failure at a likelihood of 0.2, and it is subject to an SNMP buffer overflow attack at a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. You are 75% certain of the assumptions and data.

• Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has a Web server version that can be attacked by sending it invalid Unicode values. The likelihood of that attack is estimated at 0.1. The server has been assigned an impact value of 100 and a control has been implemented that reduces the impact of the vulnerability by 75%. You are 80% certain of the assumptions and data.

• Operators use an MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset; it has an impact rating of 5. You are 90 percent certain of the assumptions and data.

Server WebSrv6's vulnerability should be evaluated first for additional controls. If the web server were to go down, it would impact the whole company. Switch L47's vulnerability should be evaluated last because the likelihood of it happening is so low.

2. Using the data classification scheme in this chapter, identify and classify the information in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information would be confidential, sensitive but unclassified, or for public release?

Since I do not use my personal computer to work for or run any business, many of the files on my personal computer are not confidential. I do have some confidential emails that I would not like the public to see, but there is not a high potential for misuse with those emails. I'm sure I would be embarrassed if the emails were somehow released.

3. Suppose XYZ Software Company has a new application development project with projected revenues of $1.2 million. Using the following table, calculate the ARO and ALE for each threat category the company faces for this project.

The ARO for programmer mistakes is .14 which makes the ALE $714.

The ARO for loss of intellectual property is .5 which makes the ALE $37,500.

The ARO for software piracy is .14 which makes the ALE $70.

The ARO for theft of information by a hacker is .25 which makes the ALE $625.

The ARO of theft of information by an employee is .16 which makes the ALE $833.

The ARO for web defacement is .5 which makes the ALE $250.

The ARO for theft of equipment is .14 which makes the ALE $700.

The ARO for viruses, worms and Trojan horses is .14 which makes the ALE $210.

The ARO for denial-of-service-attacks is .25 which makes the ALE $625.

The ARO for earthquakes is .05 which makes the ALE $12,500.

The ARO for floods is .1 which makes the ALE $25,000.

The ARO for fires is .1 which makes the ALE $50,000.

4. How might XYZ Software Company arrive at the values in the table shown in Exercise 3? For each entry, describe the process of determining the cost per incident and frequency of occurrence.

| Threat Category | How cost is determined | How frequency is determined |
|---|---|---|
| Programmer mistakes | Cost of labor necessary to fix | Experience + probability |
| Loss of intellectual property | Cost of labor necessary to fix / recover information | Experience + probability |
| Software piracy | Cost of labor necessary to fix / cost of fines | Experience + probability |
| Theft of information by hacker | Cost of labor necessary to fix / recover information | Experience + probability |
| Theft of information by employee | Cost of labor necessary to fix / recover information | Experience + probability |
| Web defacement | Cost of labor necessary to fix | Experience + probability |
| Theft of equipment | Cost of equipment | Experience + probability |
| Viruses, worms, Trojan horses | Cost of labor necessary to fix / recover information | Experience + probability |
| Denial-of-service attacks | Cost of labor necessary to fix / recover information | Experience + probability |
| Earthquake | Cost of building + equipment likely to be destroyed | Location |
| Flood | Cost of building + equipment likely to be destroyed | Location + frequency of floods |
| Fire | Cost of building + equipment likely to be destroyed | Location + frequency of fires |

5. Assume that a year has passed and XYZ has improved security by applying several controls. Using the information from Exercise 3 and the following table, calculate the post-control ARO and ALE for each category listed.

Why have some values changed in the cost per incident and frequency of occurrence columns? How could a control affect one but not the other? Assume that the values in the cost of control column are unique costs directly associated with protecting against the threat. In other words, don't consider overlapping costs between controls. Calculate the CBA for the planned risk control approach in each threat category. For each threat category, determine whether the proposed control is worth the costs.

| Threat Category | ARO | ALE | CBA | Control worth costs? |
|---|---|---|---|---|
| Programmer mistakes | .08 | $416 | -$19,702 | Yes |
| Loss of intellectual property | .5 | $37,500 | -$1,500 | No |
| Software piracy | .25 | $125 | -$30,055 | No |
| Theft of information by hacker | .166 | $416 | -$14,791 | Yes |
| Theft of information by employee | .08 | $400 | -$14,567 | Yes |
| Web defacement | .25 | $125 | -$9,875 | Yes |
| Theft of equipment | .5 | $750 | -$15,050 | No |
| Viruses, worms, Trojan horses | .08 | $125 | -$14,915 | Yes |
| Denial-of-service attacks | .166 | $416 | -$9,791 | Yes |
| Earthquake | .05 | $1,250 | $6,250 | Yes |
| Flood | .1 | $5,000 | $10,000 | Yes |
| Fire | .1 | $10,000 | $30,000 | Yes |
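The ARO, ALE and CBA arithmetic behind Exercises 3 and 5, written out as an added Python example (not part of the assignment): a frequency of occurrence such as "1 per 10 years" is converted to an ARO, ALE = SLE × ARO, and CBA = ALE(prior) − ALE(post) − ACS, where ACS is the annual cost of the safeguard. The SLE, frequency and ACS inputs below are constructed sample values, not the textbook's table.

```python
import re
from dataclasses import dataclass

# Periods per year used to annualize a frequency of occurrence into an ARO.
PERIODS_PER_YEAR = {"day": 365, "week": 52, "month": 12, "quarter": 4, "year": 1}


def aro_from_frequency(freq: str) -> float:
    """Parse '1 per week', '2 per year' or '1 per 10 years' into an ARO."""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(?:(\d+)\s+)?(day|week|month|quarter|year)s?\s*", freq)
    if not m:
        raise ValueError(f"unrecognised frequency: {freq!r}")
    count, span, unit = int(m.group(1)), int(m.group(2) or 1), m.group(3)
    return count * PERIODS_PER_YEAR[unit] / span


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy times ARO."""
    return sle * aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit analysis: savings from the control minus what it costs per year."""
    return ale_prior - ale_post - acs


@dataclass
class Threat:
    name: str
    sle_prior: float   # cost per incident before the control
    freq_prior: str    # frequency of occurrence before the control
    sle_post: float    # cost per incident after the control
    freq_post: str     # frequency of occurrence after the control
    acs: float         # annual cost of the safeguard (cost of control)


def evaluate(t: Threat) -> dict:
    """Return pre/post ALE, the CBA and whether the control pays for itself."""
    before = ale(t.sle_prior, aro_from_frequency(t.freq_prior))
    after = ale(t.sle_post, aro_from_frequency(t.freq_post))
    result = cba(before, after, t.acs)
    return {"threat": t.name, "ale_prior": before, "ale_post": after,
            "cba": result, "worth_it": result > 0}


# Constructed sample rows; a control may change cost per incident, frequency, or both.
SAMPLE = [
    Threat("Programmer mistakes", 5000, "1 per week", 5000, "1 per month", 20000),
    Threat("Fire", 500000, "1 per 10 years", 100000, "1 per 10 years", 10000),
]

if __name__ == "__main__":
    for threat in SAMPLE:
        print(evaluate(threat))
```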