WGU C725 Information Security and Assurance SET II Questions and Answers (2022/2023) (Verified Answers)

After determining the potential attack concepts, the next step in threat modeling is to perform __ analysis. __ analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Also known as decomposing the application.
Reduction analysis

Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if you’re focusing on software, computers, or operating systems; they might be protocols if you’re focusing on systems or networks; or they might be departments, tasks, and networks if you’re focusing on an entire business infrastructure. Each identified sub-element should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs.

Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach
The Five Key Concepts in the Decomposition process.

In the decomposition process, any location where the level of trust or security changes.
Trust Boundaries

In the decomposition process, the movement of data between locations
Data Flow Paths

In the decomposition process, locations where external input is received
Input Points

In the decomposition process, any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security
Privileged Operations

In the decomposition process, the declaration of the security policy, security foundations, and security assumptions
Details about Security Stance and Approach

The concept that most computers, devices, networks, and systems are not built by a single entity.
supply chain

T or F

When evaluating a third party for your security integration, you should consider the following processes: On-Site Assessment, Document Exchange and Review, Process/Policy Review, Third-Party Audit
True

When engaging third-party assessment and monitoring services, keep in mind that the external entity needs to show security-mindedness in their business operations. If an external organization is unable to manage their own internal operations on a secure basis, how can they provide reliable security management functions for yours?

Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.
Document Exchange and Review

Visit the site of the organization to interview personnel and observe their operating habits.
On-Site Assessment

Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.
Process/Policy Review

Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity’s security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a regulation that defines how service organizations report on their compliance using the various SOC reports. The SSAE 16 version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth considering for the purpose of a security assessment. The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality. For more on SOC audits, see AICPA.

For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.
Third-Party Audit

This is the collection of practices related to supporting, defining, and directing the security efforts of an organization. This is closely related to and often intertwined with corporate and IT governance.
Security governance

This is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.
Third-party governance

The process of reading the exchanged materials and verifying them against standards and expectations. This review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation.
Documentation review

The process by which the goals of risk management are achieved.
Risk Analysis

An __ is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.
Asset

A dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.
Asset valuation

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. They are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. They can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature.
Threats

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
Vulnerability

Being susceptible to asset loss because of a threat
Exposure

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset
Risk

T or F

Risk = threat * vulnerability
True

Security controls or countermeasures that remove or reduce a vulnerability or protect against one or more specific threats. It can be installing a software patch, making a configuration change, hiring security guards, altering the infrastructure, modifying processes, improving the security policy, training personnel more effectively, electrifying a perimeter fence, installing lights, and so on. It is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability anywhere within an organization.
Safeguards

An _ is the exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization’s security infrastructure to cause damage, loss, or disclosure of assets. It can also be viewed as any violation or failure to adhere to an organization’s security policy.
Attack

A __ is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a __ is combined with an attack, a penetration (or intrusion) can result.
Breach

A _ is the condition in which a threat agent has gained access to an organization’s infrastructure through the circumvention of security controls and is able to directly imperil assets.
Penetration

A type of risk analysis that assigns real dollar figures to the loss of an asset.
Quantitative risk analysis

A type of risk analysis that assigns subjective and intangible values to the loss of an asset.
Qualitative risk analysis

Step 1. Inventory assets and assign a value
Step 2. Research each asset
Step 3. Perform a threat analysis
Step 4. Derive the overall loss
Step 5. Research countermeasures
Step 6. Perform a cost/benefit analysis
The six major steps or phases in quantitative risk analysis

A step in the quantitative risk analysis. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this lesson named “Asset Valuation.”)
Step 1. Inventory assets and assign a value

A step in the quantitative risk analysis. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
Step 5. Research countermeasures

A step in the quantitative risk analysis. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
Step 2. Research each asset

A step in the quantitative risk analysis. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.
Step 6. Perform a cost/benefit analysis

A step in the quantitative risk analysis. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
Step 4. Derive the overall loss

Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).
Step 3. Perform a threat analysis

The six major elements of quantitative risk analysis

  1. (AV) Assign asset value
  2. (EF) Calculate exposure factor
  3. (SLE) Calculate single loss expectancy
  4. (ARO) Assess the annualized rate of occurrence
  5. (ALE) Derive the annualized loss expectancy
  6. Perform cost/benefit analysis

The _ represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The _ can also be called the loss potential. In most cases, a realized risk does not result in the total loss of an asset. The _ simply indicates the expected overall asset value loss because of a single realized risk. The _ is usually small for assets that are easily replaceable, such as hardware. It can be very large for assets that are irreplaceable or proprietary, such as product designs or a database of customers. The __ is expressed as a percentage.
Exposure Factor

The EF is needed to calculate the _. The _ is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
Single Loss Expectancy (SLE)

T or F

The SLE is calculated using the following formula:

SLE = asset value (AV) * exposure factor (EF)

or more simply:

SLE = AV * EF
True

For example:

The SLE is expressed in a dollar value. For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the SLE of the threat for that asset is $90,000.

The _ is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. The _ can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. Calculating the _ can be complicated. It can be derived from historical records, statistical analysis, or guesswork. _ calculation is also known as probability determination. The __ for some threats or risks is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat.
Annualized Rate of Occurrence

For example:

The ARO of an earthquake in Tulsa may be .00001, whereas the ARO of an earthquake in San Francisco may be .03 (for a 6.7+ magnitude), or you can compare the ARO of an earthquake in Tulsa of .00001 to the ARO of an email virus in an office in Tulsa of 10,000,000.

T or F

The ALE is calculated using the following formula:

ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

Or more simply:

ALE = SLE * ARO
True

For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as a compromised user account) is 15, then the ALE would be $1,350,000.

  • Cost of purchase, development, and licensing
  • Cost of implementation and customization
  • Cost of annual operation, maintenance, administration, and so on
  • Cost of annual repairs and upgrades
  • Productivity improvement or loss
  • Changes to environment
  • Cost of testing and evaluation
Factors involved in calculating the value of a countermeasure

T or F

The annual costs of safeguards should not exceed the expected annual cost of asset loss
True

ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company
Calculating Safeguard Cost/Benefit

__ analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects.
Qualitative Risk Analysis

The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis:

Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews

A _ is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, the _ are limited to one page of text to keep them manageable.
Scenario

The __ is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.
Delphi Technique

Reduce or mitigate, Assign or transfer, Accept, Deter, Avoid, Reject or ignore
Responses to risk

The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment.
Risk Mitigation

The placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of _.
Risk Assignment

a.k.a Risk Transferring

The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.
Risk Acceptance

The process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.
Risk Deterrence

The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of _. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.
Risk Avoidance

A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
Risk Rejection

Once countermeasures are implemented, the risk that remains is known as _. The risk that management has chosen to accept rather than mitigate.
Residual risk

total risk – controls gap = residual risk

The amount of risk an organization would face if no safeguards were implemented.

threats * vulnerabilities * asset value = total risk
Total risk

A security control that involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.

Examples include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.
Technical control

a.k.a logical control

A security control that involves policies and procedures defined by an organization’s security policy and other regulations or requirements.

Examples include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
Administrative controls

a.k.a. Management controls

A security control that involves physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility.

Examples include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms
Physical controls

A security control that is deployed to discourage violation of security policies. They often depend on individuals deciding not to take an unwanted action.
deterrent control

A security control that is deployed to thwart or stop unwanted or unauthorized activity from occurring.
preventive control

A security control that is deployed to discover or detect unwanted or unauthorized activity. They operate after the fact and can discover the activity only after it has occurred.
detective control

A security control that is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
compensation control

A security control that modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. They can be simple, such as terminating malicious activity or rebooting a system.
corrective control

A security control that is an extension of corrective controls but has more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.
Recovery controls

A security control that is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
directive control

The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.
security control assessment (SCA)

A key task to perform at the conclusion of a risk analysis.
Risk reporting

A guideline or recipe for how risk is to be assessed, resolved, and monitored.
risk framework

T or F

The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.
True

The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and systems development lifecycle (SDLC).

Which of the following choices is not part of a security policy?

A. A definition of overall steps of information security and the importance of security

B. A statement of management intent, supporting the goals and principles of information security

C. A definition of general and specific responsibilities for information security management

D. A description of specific technologies used in the field of information security regulations
D. A description of specific technologies used in the field of information security regulations

Policies are the most crucial element in a corporate information security infrastructure and must be considered long before security technology is acquired and deployed.

T or F

Computer security policies come in four types.
True

This policy is used for creating a management-sponsored computer security program. This policy, at the highest level, might prescribe the need for information security and can delegate the creation and management of the program to a role within the IT department. Think of this as the mission statement for the IT security program.
Program-level policy

This policy establishes the overall approach to computer security (as a computer security framework). This policy adds detail to the program by describing the elements and organization of the program and department that will carry out the security mission.
Program-framework policy

This policy addresses specific issues of concern to the organization. These issues could be regulatory in nature—for example, the Payment Card Industry (PCI) data security standard, Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA), to name a few.
Issue-specific policy

This policy focuses on policy issues that management has decided for a specific system.
System-specific policy

Which of the following statements best describes IT security measures?

A. IT security measures should be complex.

B. IT security measures should be tailored to meet organizational security goals.

C. IT security measures should make sure that every asset of the organization is well protected.

D. IT security measures should not be developed in a layered fashion.
B. IT security measures should be tailored to meet organizational security goals.

Explanation:

IT Security Measures (Controls) are risk reducing acts (goals) that detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.

Laws passed by regulators and lawmakers
Regulations

Topic-specific (standards) and system-specific (baselines) documents that describe overall requirements for security
Standards and baselines

Step-by-step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)
Procedures

Businesses and agencies need this standard to help determine how much security is needed for appropriate protection. A rule of thumb states that one should never spend more on security than the value of the asset being protected.

Benefits to this standard:

Data confidentiality, integrity, and availability are improved because appropriate controls are used throughout the enterprise.

Protection mechanisms are maximized.

A process exists to review the values of company business data.

Decision quality increases because the quality of the data upon which the decision is being made has been improved.
Asset and Data Classification

T or F

Common taxonomy for commercial businesses might provide for the following classes: Public information, Business sensitive or business confidential, Customer confidential, Trade secret
True

A common taxonomy classification for commercial businesses that is intended for public dissemination. This might include marketing content on a website, direct mail inserts, directories of contact information, published annual reports, and so forth.
Public information

A common taxonomy classification for commercial businesses which can be described as information that employees and other insiders need to perform their duties.

This can include company directories (address books, email addresses, and so forth), invoice information, department budget information, internal policies, and so forth.
Business sensitive or business confidential

A common taxonomy classification for commercial businesses covering information that identifies individual customers of the business or institution. It can include their purchase activity, account-specific information, credit card numbers, social security numbers (when needed), grades or course information (in the case of a university), or any other information considered personally identifiable information (PII), and it dictates need-to-know or least privilege controls to ensure confidentiality and integrity.
Customer confidential

A common taxonomy classification for commercial businesses covering information that is severely restricted and protected through more strict need-to-know controls than customer confidential information. Some examples of this type of information include the recipe for Coca-Cola, employee disciplinary actions, pre-released financial statement information, or proprietary secrets that offer a competitive advantage to the business.
Trade secret

T or F

Two basic types of risk analysis exist: quantitative and qualitative.
True

T or F

Most qualitative risk analysis methodologies make use of interrelated elements:

Threats
Vulnerabilities
Controls
True

A risk analysis answers what three fundamental questions?
What am I trying to protect?
What is threatening my system?
How much time, effort, and money am I willing to spend?

Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?

A. A threat

B. A vulnerability

C. A risk

D. An exposure
B. A vulnerability

Which of the following should not be addressed by employee termination practices?

A. Removal of the employee from active payroll files

B. Return of access badges

C. Employee bonding to protect against losses due to theft

D. Deletion of assigned logon ID and passwords to prohibit system access
C. Employee bonding to protect against losses due to theft

Explanation:

Policies, standards, procedures and practices issued by human resources should address internal information security processes and functions. These documents should address pre-employment screening and background checks, processes for handling employee termination, creation and revocation of employee accounts, email and voice mail forwarding after departure, lock keys and safe combination changes, system password changes, and company property collections upon departure (for badges, credit cards, and so forth).

A job title: Establishes and maintains security and risk-management programs for information resources.
Chief information security officer (CISO)

A job title: Maintains policies and procedures that provide for security and risk management of information resources.
Information resources manager

A job title: Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops security awareness program, and so forth).
Information resources security officer

A job title: Have the responsibility of carrying out the program that uses the resources. This does not imply personal ownership. These individuals might be regarded as program managers or delegates for the owner.
Owners of information resources

A job title: Provide technical facilities, data processing, and other support services to owners and users of information resources.
Custodians of information resources

A job title: Provide technical support for security of information resources.
Technical managers (network and system administrators)

A job title: Conduct periodic risk-based reviews of information resources security policies and procedures.
Internal auditors
