Risk assessments are used to identify potential threats and vulnerabilities and to prioritize the steps taken to minimize or mitigate those risks. There are two basic types of risk assessment: qualitative and quantitative. Qualitative risk assessments are the more subjective of the two. In a qualitative risk assessment, you assign each risk a label of high, medium, or low based on factors such as the overall impact of a perceived threat, its probability of occurrence, and the value of the assets being threatened. In a quantitative risk assessment, you assign a dollar value to each element of risk (the asset's value, the loss expected from a single incident, and how often that incident is expected per year), which makes it straightforward to rank mitigation projects by the annual loss they avoid.
Case studies are a good place to start when considering a risk assessment project. Rather than reinventing the wheel, you can learn from what others have done and apply those lessons to your own situation. Assessment models are another useful tool: they give the analysis a consistent structure, so that you compare risks on the same basis rather than by intuition and do not overestimate the true risk.
Risk assessment is the first step in designing any access control system.
True
False
The two types of risk assessments are qualitative and ________.
Vulnerabilities and threats are synonymous.
True
False
A vulnerability is a weakness purposely designed into the system.
True
False
You should consider probability of occurrence in order to prioritize limited time and resources.
True
False
What are the three primary threats to any access control system?
Password cracking
Heightened access
Social engineering
Forgotten passwords
A strong password that would take an attacker 10 years to crack in 2010 would take 10 years to crack today.
True
False
As long as users choose strong, secure passwords, how those passwords are stored is irrelevant.
True
False
Insecure applications running as the administrative user are the most common heightened access vulnerability.
True
False
You should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control.
True
False
You calculate ALE by multiplying SLE by 12.
True
False
You should install every patch that is released for the applications running in your environment.
True
False
Calculate the ALE of a threat that can be expected to occur three times per year and will cost the organization $50,000 per incident.
You are evaluating the risk of an attack on your data center. You estimate that an attack attempt will succeed three times per year. The value of the data center is $1.5 million and a successful attack will damage 10% of the data center.
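Worked example, added here and not part of the textbook, that carries the chapter's quantitative arithmetic through in Python for the two problems above: single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x annual rate of occurrence), and the cost/benefit test you apply when weighing a control against the loss it prevents. It also shows a simple likelihood x impact matrix for the qualitative approach. The function names, the 3x3 matrix, and the safeguard costs in the scenario are this example's own assumptions, not figures from the book.

```python
"""Quantitative and qualitative risk arithmetic (added example, not from the textbook).

Standard formulas:
    SLE = asset value * exposure factor
    ALE = SLE * ARO          (ARO = occurrences per year, NOT per month)
    safeguard value = (ALE before control - ALE after control) - annual cost of control
Function names, the 3x3 qualitative matrix and the safeguard figures below are assumptions.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: dollar loss from one occurrence.

    exposure_factor is the fraction of the asset destroyed by one incident (0.0 to 1.0).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is expected incidents per year; there is no factor of 12."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control.

    Positive: the control removes more expected loss than it costs.
    Negative: the control costs more than the risk it mitigates; look for a cheaper one.
    """
    return (ale_before - ale_after) - annual_cost


# Qualitative rating: likelihood x impact on a 3x3 matrix (assumed matrix, not the book's).
LEVELS = ("low", "medium", "high")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two low/medium/high labels into one overall label."""
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)  # 1..9
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def textbook_problems() -> tuple:
    """The two end-of-chapter calculations: (ALE of problem 1, SLE of problem 2, ALE of problem 2)."""
    # Problem 1: three incidents per year, $50,000 per incident. SLE is given directly.
    ale_1 = annualized_loss_expectancy(50_000, 3)
    # Problem 2: data center worth $1.5M, each successful attack damages 10%, three per year.
    sle_2 = single_loss_expectancy(1_500_000, 0.10)
    ale_2 = annualized_loss_expectancy(sle_2, 3)
    return ale_1, sle_2, ale_2


def compare_controls(ale_before: float) -> dict:
    """Assumed scenario: candidate controls for problem 2, each with a yearly cost and a new ARO."""
    sle = single_loss_expectancy(1_500_000, 0.10)
    candidates = {
        # name: (annual cost, ARO after the control is in place)
        "network segmentation": (100_000, 1),
        "full redundant site": (500_000, 0),
    }
    return {
        name: safeguard_value(ale_before, annualized_loss_expectancy(sle, aro_after), cost)
        for name, (cost, aro_after) in candidates.items()
    }


if __name__ == "__main__":
    ale_1, sle_2, ale_2 = textbook_problems()
    print(f"Problem 1: ALE = ${ale_1:,.0f}")
    print(f"Problem 2: SLE = ${sle_2:,.0f}, ALE = ${ale_2:,.0f}")
    for name, value in compare_controls(ale_2).items():
        verdict = "worth it" if value > 0 else "costs more than the risk it removes"
        print(f"  {name}: net annual value ${value:,.0f} ({verdict})")
    print("Qualitative: likelihood=medium, impact=high ->", qualitative_rating("medium", "high"))
```

The point of compare_controls is the decision in the last True/False item above: a control whose annual cost exceeds the ALE it eliminates (the redundant site here, at $500,000 against a $450,000 ALE) is a net loss even though it drives the risk to zero, while a cheaper control that only reduces the frequency of incidents can be the better buy.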