Eleventh Hour CISSP: Study Guide

Overview

Eleventh Hour CISSP Study Guide serves as a guide for those who want to be information security professionals. The main job of an information security professional is to evaluate the risks involved in securing assets and to find ways to mitigate those risks. Information security jobs include firewall engineers, penetration testers, auditors, and the like. The book covers the 10 domains of the Common Body of Knowledge, with a section defining each domain. The first domain provides information about risk analysis and mitigation, and it discusses security governance. The second domain discusses techniques of access control, which is the basis for all security disciplines. The third domain explains the concepts behind cryptography, which is a secure way of communicating that is understood only by certain recipients. Domain 5 discusses security system design, which is fundamental in operating the system and software security components. Domain 6 is one of the critical domains in the Common Body of Knowledge, the Business Continuity Planning and Disaster Recovery Planning. It is the final control against extreme events such as injury, loss of life, or failure of an organization. Domain 7, Domain 8 and Domain 9 discuss telecommunications and network security, application development security, and the operations domain, respectively. Domain 10 focuses on the major legal systems that provide a framework for determining laws about information systems.
  • The only guide you need for last-minute studying
  • Answers the toughest questions and highlights core topics
  • Can be paired with any other study guide so you are completely prepared

Product Details

ISBN-13: 9781597495677
Publisher: Elsevier Science
Publication date: 12/13/2010
Sold by: Barnes & Noble
Format: eBook
Pages: 208
File size: 3 MB

About the Author

Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GMON, GISP), is a SANS fellow and Chief Technology Officer of Backshore Communications, which provides threat hunting, penetration testing, incident handling, and intrusion detection consulting services. Eric started his professional career in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in positions ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He is coauthor of MGT414: SANS Training Program for the CISSP Certification, SEC511: Continuous Monitoring and Security Operations, and SEC542: Web App Penetration Testing and Ethical Hacking. Eric graduated from the SANS Technology Institute with a Master of Science degree in Information Security Engineering.
Seth Misenar (CISSP®, GSE, GDSA, GDAT, GMON, GCDA, GCIH, GCIA, GCFA) is a Fellow with the SANS Institute and also serves as Principal Consultant for Jackson, Mississippi-based Context Security, LLC. His cyber security background includes research, host-based and network intrusion detection, architecture design, and general security consulting. Seth previously served as a physical and network security consultant for Fortune 100 companies and a state government agency’s HIPAA and information security officer. He has partnered with the SANS Institute for over 15 years, teaching and authoring courseware and facilitating instructor development. Seth is pursuing a Master of Science degree in Information Security Engineering from the SANS Technology Institute and holds a Bachelor of Science degree from Millsaps College.
Joshua Feldman (CISSP) is Senior Vice President for Security Technology at the Radian Group – a real estate and mortgage insurance conglomerate. His mission is focused on protecting over 10M US consumer financial records. He is the executive responsible for all aspects of Radian’s technical security program. Previous security roles included work at Moody’s Credit Ratings, Corning Inc, and the US Department of Defense and Department of State.

In 2008, Joshua was Eric's student when studying for the CISSP exam and was so impressed with Eric’s mastery of the materials that he invited Eric to work with him at the DoD. Quickly after starting work, Eric invited Seth. That project ran successfully for over eight years – a testament to the value brought for US military cyber professionals.

Joshua got his start in the cyber security field when he left his public-school science teaching position in 1997 and began working for Network Flight Recorder (NFR, Inc.), a small Washington, DC based startup making the first generation of Network Intrusion Detection Systems. He has a Bachelor’s of Science from the University of Maryland and a Master’s in Cyber Operations from National Defense University. He currently resides in Philadelphia with his little dog, Jacky-boy.

Read an Excerpt

Eleventh Hour CISSP

Study Guide
By Eric Conrad

SYNGRESS

Copyright © 2011 Elsevier Inc.
All rights reserved.

ISBN: 978-1-59749-567-7


Chapter One

Domain 1: Information Security Governance and Risk Management

Exam Objectives in this Chapter

* Risk analysis

* Information security governance

INTRODUCTION

Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate them. We work in various roles as firewall engineers, penetration testers, auditors, management, and the like. The common thread is risk: It is part of our job description.

The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. It also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful and those that fail in this realm is usually not tied to dollars or staff size: It is tied to the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.

Speaking of leadership, learning to speak the language of leaders is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain also helps you speak this language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).

RISK ANALYSIS

All information security professionals assess risk: We do it so often that it becomes second nature. A patch is released on a Tuesday. Your company normally tests for two weeks before installing, but a network-based worm is spreading on the Internet that infects unpatched systems. If you install the patch now, you risk downtime due to lack of testing. If you wait to test, you risk infection by the worm. What is the bigger risk? What should you do? Risk Analysis (RA) will help you decide.

The average person does a poor job of accurately analyzing risk: If you fear the risk of dying while traveling and, to mitigate that risk, drive from New York to Florida instead of flying, you have done a poor job of analyzing risk. It is far riskier, per mile, to travel by car than by airplane when considering the risk of death while traveling.

Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions result in wasted money or, even worse, compromised data.

Assets

Assets are the valuable resources you are trying to protect. They can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset dictates the safeguards you deploy. People are your most valuable asset.

Threats and Vulnerabilities

A threat is a potentially harmful occurrence, such as an earthquake, a power outage, or a network-based worm like Conficker (aka Downadup or Kido; see www.microsoft.com/security/worms/Conficker.aspx), which began attacking Microsoft Windows operating systems in late 2008. A threat is a negative action that may harm a system.

A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows XP system that has not been patched in a few years.

A networked Microsoft Windows system is vulnerable if it lacks the patch, if it automatically runs software on a USB token when inserted, or if it has a network share with a weak password. If any of those three conditions are true, you have risk. A Linux system has no vulnerability to Conficker and therefore runs no risk from it.

Risk = Threat x Vulnerability

To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:

Risk = Threat x Vulnerability

You can assign a value to specific risks using this formula. Assign a number to both threats and vulnerabilities. A common range is 1 through 5 (the range is arbitrary; just keep it consistent when comparing different risks).

Impact

The "Risk = Threat x Vulnerability" equation sometimes uses an added variable, impact: "Risk = Threat x Vulnerability x Impact." Impact is the severity of the damage, sometimes expressed in dollars, which is why Risk = Threat x Vulnerability x Cost is sometimes used. A synonym for impact is consequences.

Risk Analysis Matrix

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that the risk would have. The Australia/New Zealand 4360 Standard on Risk Management (AS/NZS 4360, see www.standards.org.au) describes the Risk Analysis Matrix, which is shown in Table 1.1.

The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see the section Qualitative and Quantitative Risk Analysis to come) based on likelihood (from rare to almost certain) and consequences, or impact, (from insignificant to catastrophic). The resulting risk scores are Low (L), Medium (M), High (H), and Extreme (E). Low risks are handled via normal processes; moderate risks require management notification; high risks require senior management notification; and extreme risks require immediate action, including a detailed mitigation plan (and senior management notification).

The goal of the matrix is to identify high-likelihood/high-consequence risks (upper right quadrant of Table 1.1) and drive them down to the low-likelihood/ low-consequence level (lower left quadrant).

Calculating Annualized Loss Expectancy

The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a given risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.

This section uses an example of risk due to lost or stolen unencrypted laptops. Assume that your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the Security Officer, and your concern is the risk of exposure of PII due to the laptops' misplacement or theft. You want to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that it is worthwhile.

ASSET VALUE

The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2,500, but the real value is in the PII it contains. Theft of unencrypted PII occurred previously and cost the company many times the value of the laptops in regulatory fines, bad publicity, legal fees, staff hours spent investigating, and so forth. The true average Asset Value of a laptop with PII for this example is $25,000 ($2,500 for the hardware and $22,500 for the exposed PII).

EXPOSURE FACTOR

The Exposure Factor (EF) is the percentage of value lost by an asset because of an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: The laptop and all the data are gone.

SINGLE LOSS EXPECTANCY

The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000.

ANNUAL RATE OF OCCURRENCE

The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average, so your ARO is 11.

ANNUALIZED LOSS EXPECTANCY

The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case it is $25,000 (SLE) times 11 (ARO), or $275,000.

Table 1.2 summarizes the equations used to determine Annualized Loss Expectancy.

Total Cost of Ownership

The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. It combines upfront costs (often one-time capital expenses) and annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, and so forth. These ongoing costs are usually considered operational expenses.

Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1,000 laptops. The vendor charges a 10% annual support fee, or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software, or 4,000 staff hours in total. The staff that performs this work makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70 times 4,000 hours, or $280,000.

Your company uses a three-year technology refresh cycle, so you calculate the Total Cost of Ownership over three years:

* Software cost: $100,000

* Three years of vendor support: $10,000 x 3 = $30,000

* Hourly staff cost: $280,000

* Total Cost of Ownership over three years: $410,000

* Total Cost of Ownership per year: $410,000/3 = $136,667/year

Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.

Return on Investment

The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If your TCO is higher than your ALE, you have made a poor choice.

The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 1.3.

Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2,500, and the exposed PII costs an additional $22,500, for a $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the EF is 100% (the hardware and all data are exposed). Laptop encryption mitigates the PII exposure risk, lowering the exposure factor from 100% (the laptop and all data) to 10% (just the laptop hardware).

The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500, as shown in Table 1.4.

You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI and is a wise investment.
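The ALE, TCO and ROI arithmetic of the laptop example, carried through as a reusable model. This is an added example, not code from the book; the class and function names are assumptions, and the figures are the chapter's own (1,000 laptops, $25,000 asset value, 11 losses per year, $100 per licence, 10% support fee, 4 staff hours at $70/hour, three-year refresh cycle).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossScenario:
    """One risk expressed in the chapter's quantitative terms."""
    asset_value: float      # AV: dollar value of one asset, data included
    exposure_factor: float  # EF: fraction of AV lost per incident (1.0 = 100%)
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A mitigating control and what it costs over its lifetime."""
    upfront_cost: float               # one-time capital expense (licences, install labour)
    annual_cost: float                # recurring operational expense (support fees)
    lifetime_years: int               # refresh cycle over which TCO is spread
    residual_exposure_factor: float   # EF that remains once the control is in place

    def tco(self) -> float:
        """Total Cost of Ownership over the control's lifetime."""
        return self.upfront_cost + self.annual_cost * self.lifetime_years

    def annual_tco(self) -> float:
        return self.tco() / self.lifetime_years


def evaluate(scenario: LossScenario, safeguard: Safeguard) -> dict:
    """ROI as the chapter defines it: (old ALE - new ALE) - annual TCO."""
    mitigated = replace(scenario, exposure_factor=safeguard.residual_exposure_factor)
    savings = scenario.ale() - mitigated.ale()
    roi = savings - safeguard.annual_tco()
    return {"sle": scenario.sle(), "ale_before": scenario.ale(),
            "ale_after": mitigated.ale(), "annual_tco": safeguard.annual_tco(),
            "annual_roi": roi, "worthwhile": roi > 0}   # negative ROI = poor choice


def laptop_example() -> dict:
    """The chapter's figures: 1,000 PII laptops, 11 lost per year, encryption rollout."""
    laptops = LossScenario(asset_value=25_000, exposure_factor=1.0, annual_rate=11)
    encryption = Safeguard(
        upfront_cost=100 * 1_000 + 4 * 1_000 * 70,  # $100/licence + 4 h/laptop at $70/h
        annual_cost=10_000,                          # 10% vendor support fee on $100,000
        lifetime_years=3,                            # three-year refresh cycle
        residual_exposure_factor=0.10,               # only the $2,500 hardware is lost
    )
    return evaluate(laptops, encryption)
```

Swapping in a different residual exposure factor or refresh cycle shows how quickly the ROI sign flips, which is the comparison management is actually being asked to make.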

Risk Choices

Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating it, transferring it, and avoiding it.

ACCEPT THE RISK

Some risks may be accepted: In certain cases, it is cheaper to leave an asset unprotected from a specific risk rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: The risk, and all options, must be considered before you can accept it.

Risk Acceptance Criteria

Low-likelihood/low-consequence risks are candidates for risk acceptance. High and Extreme risks are not. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.

MITIGATE THE RISK

Mitigating the risk means lowering it to an acceptable level. The laptop encryption example given previously in the Annualized Loss Expectancy section is an example of risk mitigation. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on them. It was not eliminated entirely: A weak or exposed encryption password could expose the PII, but the risk was reduced to an acceptable level.

In some cases it is possible to remove the risk entirely: this is called eliminating it.

TRANSFER THE RISK

Risk transfer is the "insurance model." Most people do not assume the risk of fire to their house: They pay an insurance company to assume that risk for them.

AVOID THE RISK

A thorough Risk Analysis should be completed before taking on a new project. If it discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.

(Continues...)



Excerpted from Eleventh Hour CISSP by Eric Conrad. Copyright © 2011 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.

Table of Contents

Chapter 1: Domain 1: Information Security Governance and Risk Management
Chapter 2: Domain 2: Access Control
Chapter 3: Domain 3: Cryptography
Chapter 4: Domain 4: Physical (Environmental) Security
Chapter 5: Domain 5: Security Architecture and Design
Chapter 6: Domain 6: Business Continuity and Disaster Recovery Planning
Chapter 7: Domain 7: Telecommunications and Network Security
Chapter 8: Domain 8: Application Development Security
Chapter 9: Domain 9: Operations Security
Chapter 10: Domain 10: Legal, Regulations, Investigations, and Compliance

What People are Saying About This

From the Publisher

Just the essentials needed to pass your certification exam!
