Title of test:
Sec 2.1. 2.2, 2.3

Description:
Sec 2.1. 2.2, 2.3

Author:
BA

Creation Date:
05/06/2018

Category:
Others

Number of questions: 23
Content:
Risk Control Types: Access control, audit and accountability, identification and authentication, system and communications protection. Options: Technical security controls / Management security controls / Operational security controls.
Risk Control Types: Security assessment and authorization, planning, risk assessment, system and services acquisition, program management. Options: Technical security controls / Management security controls / Operational security controls.
Risk Control Types: Awareness and training, configuration management, contingency planning, incident response, maintenance, media protection, physical and environmental protection, personnel security, system and information integrity. Options: Technical security controls / Management security controls / Operational security controls.
You think you have a specific vulnerability in your program but in fact you don't. What is this called?
Term used to describe a network intrusion device's inability to detect true security events under certain circumstances.
Risk Reduction Policies: Ensures a transaction cannot be processed from initiation to reporting without the involvement of others. Options: Separation of Duties / Acceptable Use / Least Privilege / Job Rotation.
Risk Reduction Policies: Limiting access rights for users to the bare minimum permissions they need to perform their work. Options: Acceptable Use / Separation of Duties / Least Privilege / Job Rotation.
7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000. What does the $7,000 represent?
Risk Calculations: Risk that you assign a dollar value to (ALE). Options: Quantitative / Qualitative.
Risk Calculations: Risk that is based on opinions of overall significance. Options: Quantitative / Qualitative.
Threats vs. Vulnerabilities: • A door with a broken lock • An operating system library that grants administrative access. Options: Threats / Vulnerabilities.
Threats vs. Vulnerabilities: Circumstances or events with the potential to cause harm. Options: Threat / Vulnerability.
Threats vs. Vulnerabilities: Weaknesses in a system. Options: Threat / Vulnerability.
What is a path a threat takes to the target called? Examples: • Email: Embedded links, attached files • Web browser: Fake site, session hijack • Wireless hotspot: Rogue access point • Telephone: Social engineering • USB flash drive: Auto-executing malware.
What is the top risk in cloud computing?
Cloud computing guarantees system availability. Options: True / False.
The expected lifetime of a product or system. Options: MTTF / MTTR / MTBF.
Interoperability Agreements: Service Level Agreement (SLA) Business Partners Agreement (BPA) Interconnection Security Agreement (ISA).
The most important asset in an organization:
What policy covers this stuff: • Series of events that negatively affects the organization • Database hack, stolen laptop, water pipe burst • Who will be contacted when an incident occurs? • Who’s responsible for managing the incident response? • Technical steps for handling systems and preserving evidence • What goes on the report?.
What policy covers this stuff: • Upgrade software, change firewall configuration, modify switch ports • Occurs very frequently • Often overlooked or ignored • Clear policies are needed • Frequency, duration, installation process, fallback procedures.
In mitigating risk, what function answers the following questions? • Does everyone have the correct permissions? • How are your resources used? • Are your systems and applications secure? • Are your disaster recovery plans going to work? • Can you contact the right people at the right time?.
Events that are mistakenly flagged and are not really events to be concerned about. Options: False positives / False negatives.