CHAPTER SUMMARY

Risk assessments are used to identify potential threats and vulnerabilities and to prioritize the steps designed to minimize or mitigate those risks. There are two basic types of risk assessment: qualitative and quantitative. Qualitative risk assessments are the more subjective of the two. In a qualitative assessment, you assign each risk a rating of high, medium, or low based on factors such as the overall impact of a perceived threat, its probability of occurrence, and the value of the assets being threatened. In a quantitative assessment, you assign a dollar value to each element of risk: the single loss expectancy (SLE) is the asset value multiplied by the exposure factor, and the annualized loss expectancy (ALE) is the SLE multiplied by the annualized rate of occurrence (ARO). Expressing risk in dollars makes it straightforward to prioritize mitigation projects and to weigh each one against the cost of the control.

Case studies are a good place to start when considering a risk assessment project. Rather than reinventing the wheel, you can learn from what others have done and apply those lessons to your own situation. Assessment models are another useful tool; they help ensure that you analyze risks systematically and neither overestimate nor underestimate the true risk.

KEY CONCEPTS AND TERMS

CHAPTER 4 ASSESSMENT

  1. Risk is measured in terms of ________ and impact.
  2. Risk assessment is the first step in designing any access control system.
    1. True
    2. False
  3. The two types of risk assessments are qualitative and ________.
  4. Vulnerabilities and threats are synonymous.
    1. True
    2. False
  5. A vulnerability is a weakness purposely designed into the system.
    1. True
    2. False
  6. You should consider probability of occurrence in order to prioritize limited time and resources.
    1. True
    2. False
  7. What are the three primary threats to any access control system?
    1. Password cracking
    2. Heightened access
    3. Social engineering
    4. Forgotten passwords
  8. A strong password that would take an attacker 10 years to crack in 2010 would take 10 years to crack today.
    1. True
    2. False
  9. As long as users choose strong, secure passwords, how those passwords are stored is irrelevant.
    1. True
    2. False
  10. Running insecure applications as the administrative user is the most common heightened-access vulnerability.
    1. True
    2. False
  11. You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control.
    1. True
    2. False
  12. You calculate ALE by multiplying SLE by 12.
    1. True
    2. False
  13. You should install every patch that is released for the applications running in your environment.
    1. True
    2. False
  14. Calculate the ALE of a threat that can be expected to occur three times per year and will cost the organization $50,000 per incident.
  15. You are evaluating the risk of an attack on your data center. You estimate that an attack attempt will succeed three times per year. The value of the data center is $1.5 million and a successful attack will damage 10% of the data center.
    1. What is the asset value?
    2. What is the exposure factor?
    3. What is the SLE?
    4. What is the ARO?
    5. What is the ALE?
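
The quantitative formulas behind questions 12, 14 and 15 (SLE = AV × EF, ALE = SLE × ARO) and the cost-versus-control trade-off in question 11, carried through as a small Python risk register. This is an added worked example, not code from the textbook; the figures for the hypothetical data-center control (successful attacks cut to one a year, $120,000 annual cost) are constructed for illustration.

```python
"""Quantitative risk assessment helpers: SLE, ARO, ALE and control cost-benefit.

Added worked example; not code from the textbook. The sample risks below are
built from the chapter assessment questions; the control figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line in a quantitative risk register."""
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year (0.1 = once a decade)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy, the cost of one incident: SLE = AV x EF."""
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO.

        ARO is already a per-year figure, so there is no multiplication by 12.
        """
        return round(self.sle * self.aro, 2)


def risk_from_sle(name: str, sle: float, aro: float) -> Risk:
    """Build a Risk when only the per-incident cost is known (treat EF as 1.0, AV as SLE)."""
    return Risk(name, asset_value=sle, exposure_factor=1.0, aro=aro)


def control_value(risk: Risk, aro_after: float, ef_after: float, annual_cost: float) -> float:
    """Annual value of a control: (ALE before) - (ALE after) - (annual cost of the control).

    Positive means the control pays for itself; negative means accepting the risk is cheaper.
    """
    mitigated = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return round(risk.ale - mitigated.ale - annual_cost, 2)


def prioritize(risks):
    """Order a register by ALE, highest first, so the largest expected losses are tackled first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Question 14: three incidents a year at $50,000 each.
Q14 = risk_from_sle("question 14 threat", sle=50_000, aro=3)

# Question 15: $1.5M data center, 10% damaged per successful attack, three successes a year.
Q15 = Risk("data center attack", asset_value=1_500_000, exposure_factor=0.10, aro=3)

if __name__ == "__main__":
    for r in prioritize([Q14, Q15]):
        print(f"{r.name}: AV=${r.asset_value:,.0f} EF={r.exposure_factor:.2f} "
              f"SLE=${r.sle:,.0f} ARO={r.aro} ALE=${r.ale:,.0f}")
    # Hypothetical control (constructed figures): successful attacks drop to one a year,
    # damage per attack is unchanged, and the control costs $120,000 a year to run.
    value = control_value(Q15, aro_after=1, ef_after=0.10, annual_cost=120_000)
    print(f"annual value of the control: ${value:,.0f}")
```

Running the module prints the register ordered by ALE and the annual value of the hypothetical control; a negative value is the signal from question 11 that the control costs more than the risk it removes.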