The most commonly mixed-up security terms are threat, vulnerability, and risk.

An asset is what we’re trying to protect.

A threat is what we’re trying to protect against.

A vulnerability is a weakness or gap in our protection efforts.

Risk is the intersection of assets, threats, and vulnerabilities.

A + T + V = R

That is, Asset + Threat + Vulnerability = Risk.

Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.

Risk assessment mainly consists of the following steps:

Risks to which the organization is exposed: Every system has known (and also unknown) risks and vulnerabilities. Create a plan for how your organization will best handle these issues.

Risks that need addressing: Not all risks are equally likely to happen. In most regions, industrial espionage and theft are more likely than a tsunami damaging the server room.

Coordination with BIA: To make an intelligent decision about how to handle risks, you should combine the risk list with the business impact analysis.

Computing Risk Assessment

Prioritizing is important! Not everything should be weighed evenly. Some risks can be accepted by the company, while others would be catastrophic. And some risks have almost no likelihood of happening at all.

Risk Calculations

From what I gathered while studying, there are three major components to calculate risks:

ALE (annual loss expectancy) – How much monetary loss you can expect per year from a given risk.

SLE (single loss expectancy) – How much monetary loss you can expect from a single "event".

ARO (annualized rate of occurrence) – How often an "event" occurs per year (mostly derived from statistics and company history).

To calculate the ALE of a risk, use this formula: SLE x ARO = ALE
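The following is an added worked example, not code from the original notes: it applies the SLE x ARO = ALE formula to a small risk register and ranks the risks by ALE, which is the prioritization step the notes call for. The register entries, their SLE and ARO values, and the `aro_from_history` helper are constructed assumptions for illustration only.

```python
"""Annual loss expectancy (ALE) worked example (added here; not from the original notes).

Formula from the notes: SLE x ARO = ALE. The register below is constructed sample
data, not figures from any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one event, in currency units
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro


# Constructed sample register (hypothetical values for illustration only).
REGISTER = [
    Risk("Ransomware on file server", sle=250_000, aro=0.2),         # ~once in 5 years
    Risk("Phishing leads to credential theft", sle=40_000, aro=1.5),  # ~3 incidents per 2 years
    Risk("Laptop lost in transit", sle=5_000, aro=4.0),
    Risk("Tsunami floods server room", sle=2_000_000, aro=0.0001),   # ~once in 10,000 years
]


def aro_from_history(incident_count: int, years_observed: float) -> float:
    """Estimate ARO from company history: incidents observed divided by years observed."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return incident_count / years_observed


def prioritize(risks):
    """Rank risks by ALE, highest first: not every risk weighs equally."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name:40s} SLE={r.sle:>12,.0f} ARO={r.aro:<8} ALE={r.ale:>12,.2f}")
```

Note how the ranking differs from what intuition based on SLE alone would give: the ransomware scenario has the largest single loss among the realistic ones, but the cheaper, far more frequent phishing incidents produce the higher annual loss, and the catastrophic tsunami drops to the bottom once its ARO is taken into account.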

Quantitative vs. Qualitative Risk Assessment

When making a risk assessment, you should always consider whether the risk has a qualitative or a quantitative impact on the company.

If a company loses its customer database with contact information, order history, charge numbers and so on, that is a quantitative loss, because it will lose money and business-critical information. Whereas if the company loses the photos from a company event, it might be hard on the employees, but the company won't lose any "money" from it or any business-critical information. That's a qualitative loss.

Quantitative: money gets lost. Qualitative: sentimental valuables or reputation get lost or damaged.

Additional Risk Terminology

Likelihood: Possibility of threat initiation.

Threat vector: Way in which an attacker poses a threat, from fake emails (phishing) to an unsecured hotspot.

MTBF (mean time between failures): Measure of the anticipated incidence of failure for a system or component. You should be prepared to replace or rebuild the system once every MTBF.

MTTF (mean time to failure): Similar to MTBF, but for a nonrepairable system.

MTTR (mean time to restore/repair): How long it will take to fix a failure once it occurs.

RTO (recovery time objective): Maximum amount of time that a process/system is allowed to be down with acceptable consequences.

RPO (recovery point objective): The point in time to which data must be restored (a system backup from two weeks ago or a backup from yesterday).
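As an added example (not part of the original notes), the code below turns the RPO, RTO and MTBF definitions into checks you can run against a backup schedule and an outage: how much data a restore would lose, whether the downtime stayed within the objective, and the observed mean time between failures. All timestamps, the nightly and weekly schedules, and the RPO/RTO values are constructed sample data.

```python
"""Checking a backup and recovery plan against RPO, RTO and MTBF (added example, not from the notes).

All timestamps and objectives below are constructed sample data for illustration.
"""
from datetime import datetime, timedelta


def data_loss_window(backups, failure_at):
    """Time between the last successful backup before the failure and the failure itself.

    This is the data you would lose if you restored from that backup.
    """
    before = [b for b in backups if b <= failure_at]
    if not before:
        raise ValueError("no backup exists before the failure")
    return failure_at - max(before)


def meets_rpo(backups, failure_at, rpo):
    """RPO: the restore point may be at most `rpo` old at the moment of failure."""
    return data_loss_window(backups, failure_at) <= rpo


def meets_rto(failure_at, restored_at, rto):
    """RTO: the system may be down for at most `rto`."""
    return restored_at - failure_at <= rto


def mtbf(failure_times):
    """Mean time between failures, estimated from observed failure timestamps."""
    ordered = sorted(failure_times)
    if len(ordered) < 2:
        raise ValueError("need at least two failures to estimate MTBF")
    gaps = [later - earlier for earlier, later in zip(ordered, ordered[1:])]
    return sum(gaps, timedelta()) / len(gaps)


# Constructed scenario: a file server fails on a Sunday afternoon.
FAILURE_AT = datetime(2024, 3, 10, 14, 30)
RESTORED_AT = datetime(2024, 3, 10, 18, 0)
RPO = timedelta(hours=24)   # business tolerates losing at most one day of data
RTO = timedelta(hours=2)    # business tolerates at most two hours of downtime

# Nightly backups at 02:00 (the one after the failure is ignored by the check).
NIGHTLY_BACKUPS = [datetime(2024, 3, d, 2, 0) for d in (8, 9, 10, 11)]
# Weekly backups at 02:00 on Mondays.
WEEKLY_BACKUPS = [datetime(2024, 2, 26, 2, 0), datetime(2024, 3, 4, 2, 0)]

# Constructed failure history for the same server.
FAILURES = [datetime(2024, 1, 1), datetime(2024, 2, 15), datetime(2024, 3, 10)]


if __name__ == "__main__":
    print("nightly schedule meets RPO:", meets_rpo(NIGHTLY_BACKUPS, FAILURE_AT, RPO))
    print("weekly schedule meets RPO: ", meets_rpo(WEEKLY_BACKUPS, FAILURE_AT, RPO))
    print("recovery met RTO:         ", meets_rto(FAILURE_AT, RESTORED_AT, RTO))
    print("observed MTBF:            ", mtbf(FAILURES))
```

In the constructed scenario the nightly schedule satisfies a 24-hour RPO (12.5 hours of data lost), the weekly schedule does not, and the 3.5-hour recovery misses a 2-hour RTO, which is exactly the kind of gap a risk assessment should surface before an outage rather than after it.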

Acting on Your Risk Assessment

There are five possible actions you can choose to follow.

But first you must know that the risk exists!

Risk avoidance: Identifying a risk and making the decision not to engage any longer in the actions associated with that risk. E.g. forbid any email attachments from entering the network.

Risk transference: Split the burden of a risk by hiring an external party (usually an insurance company or security provider).

Risk mitigation: Reduce the chance of the risk happening (antivirus, user education, etc.).

Risk deterrence: Letting the adversary know that harm can come their way if they cause harm to you (warning signs, prosecution policies on websites).

Risk acceptance: If the harm costs less than implementing any other option from above, you do nothing about it.
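The following added example (not from the original notes) turns the risk acceptance rule of thumb into a comparison: each candidate action is scored by what it costs per year plus the ALE that remains after applying it, and the risk is accepted only when its untreated ALE is cheaper than every alternative. The option names, costs and residual ALE figures are constructed, and the idea of a residual ALE is my addition to the notes' "harm costs less than implementing any other option" wording.

```python
"""Choosing a risk-handling action by annual cost (added example, not from the notes).

Rule of thumb from the notes: accept the risk when the expected harm (ALE) costs
less than any other option. Here each option is priced as its annual cost plus the
ALE that remains after it is applied. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    action: str          # Risk avoidance, transference, mitigation or deterrence
    annual_cost: float   # what the control costs per year
    residual_ale: float  # ALE that remains after the control is in place

    def total_expected_cost(self) -> float:
        return self.annual_cost + self.residual_ale


def choose_action(ale: float, options):
    """Return (action, yearly cost) with the lowest total; acceptance costs the ALE alone."""
    best_name, best_cost = "Risk acceptance", ale
    for opt in options:
        if opt.total_expected_cost() < best_cost:
            best_name, best_cost = opt.action, opt.total_expected_cost()
    return best_name, best_cost


# Constructed: phishing leading to credential theft, ALE 60,000 per year.
PHISHING_ALE = 60_000
PHISHING_OPTIONS = [
    Option("Risk avoidance", annual_cost=100_000, residual_ale=0),       # block all external email: lost business
    Option("Risk transference", annual_cost=20_000, residual_ale=20_000),  # cyber insurance with a deductible
    Option("Risk mitigation", annual_cost=15_000, residual_ale=10_000),    # MFA plus user education
    Option("Risk deterrence", annual_cost=2_000, residual_ale=58_000),     # prosecution policy banner, little effect
]

# Constructed: tsunami flooding the server room, ALE 200 per year.
FLOOD_ALE = 200
FLOOD_OPTIONS = [
    Option("Risk avoidance", annual_cost=500_000, residual_ale=0),       # relocate the data center
    Option("Risk transference", annual_cost=5_000, residual_ale=100),    # flood insurance
]


if __name__ == "__main__":
    print("phishing:", choose_action(PHISHING_ALE, PHISHING_OPTIONS))
    print("flood:   ", choose_action(FLOOD_ALE, FLOOD_OPTIONS))
```

With these numbers the phishing risk is best mitigated (15,000 of control cost plus 10,000 residual loss beats the 60,000 of doing nothing), while every option for the flood risk costs more than the 200 per year it would prevent, so acceptance is the rational choice there.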

Risks Associated with Cloud Computing

For the purpose of the CompTIA exam, cloud computing means hosting services and data on the Internet instead of hosting them locally. There are three different ways of implementing cloud computing:

The risks involve the following:

Regulatory compliance: Make sure that whoever hosts your data takes privacy and security as seriously as you do.

User privileges: You won't have the same control over user accounts in the cloud as you do locally.

Data integration/segregation: Sometimes multiple companies are using the same server. You should use encryption and set the right user permissions on your databases to prevent other companies from stealing information.

Risks Associated with Virtualization

Breaking out of the virtual machine.

Network and security controls can intermingle, which could lead to privilege escalation.

Most virtualization vulnerabilities focus on the hypervisor. The solution to most of these risks is to always run an up-to-date version and apply the most recent patches to the hypervisor (VirtualBox, VMware, etc.).

Sawan Bhan

Cyber Wizard