ITEC 5001U, Fall 2012, Unit 2 Assignment

Susanne Hall 9/18/2012 From Chapter 4

1. This question is worth 5% of the assignment. Corresponding to the 4th editions Review Question 7 on page 167. Youre inventorying your companys assets. You need to assign information attributes to each of your assets. What information attributes is often of great value for local networks that use static addressing?

IP Addresses are of great value for local networks that use static addressing.
2. This question is worth 5% of the assignment. Corresponding to the 4th editions Review Question 16 on page 168. How is an incident response plan (IRP) different from a disaster recovery plan?

The Incident Response Plan (IRP) focuses on the immediate response to an incident whereas the Disaster Recovery Plan (DRP) focuses on restoring operations at the primary site after the disaster has occurred. For example the IRP answers questions such as What do I do now?, Who should I contact?, and What should I document? The DRP includes strategies to limit losses before and during the disaster. This plan includes steps for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow once the disaster is over.
3. This question is worth 20% of the assignment. Corresponding to the 4th editions Exercise 1 on page 168. XYZ Company has three information assets to evaluate for risk management, as shown in the data below. Which vulnerability should be evaluated for additional controls first? Which one should be evaluated last? DO THE CALCULATIONS AS I DID IN CLASS AND AS DESCRIBED IN THE TEXT. SHOW YOUR RESULT AND YOUR WORK. Then make your decision. HINT while your calculated result is important, it may not be the overriding factor in your decision think through the value of each asset to the business. Calculating the four vulnerabilities is worth 4% each. Your analysis and decision (after your calculations) is worth another 4%.

Likelihood * Impact Value - % risk (controlled) + result of previous * uncertainty = risk Switch L47 (90 * .2) ((90 * .2) * 0) + ((90 * .2) * .25) = 22.5 (90 * .1) ((90 * .1) * 0) + ((90 * .1) * .25) = 11.25 WebSrv6 - (100 * .1) ((100 * .1) * .75) + ((100 * .1) * .20) = 4.5 MGMT45 (5 * .1) ((5 * .1) * 0 + ((5 * .1) * .10) = .55

ITEC 5001U, Fall 2012, Unit 2 Assignment

Asset Switch L47

Vulnerability Likelihood Hardware Failure & SNMP buffer overflow .2 .1 .1 .1

Impact Value 90 90 100 5

Control 0 0 .75 0

Un Certainty .25 .25 .20 .10

Risk 22.5 11.25 4.5 .55

WebSrv6 MGMT45

Unicode Unlogged Misuse

Which vulnerability should be evaluated for additional controls first?

Even though Switch 47 has the highest risk I would evaluate the WebSrv6 for additional controls first. The company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the Server is not protected. If an attack on this Server occurs much of the companys private data could be compromised which could harm the organization in many ways. Protecting the server could also keep the organization safe from other threats and attacks.
Which one should be evaluated last?

I would evaluate the MGMT45 control console that monitors operations in the server room last because the likelihood of misuse is low and it has the lowest impact value and poses the least amount of risk to the organization.
4. This question is worth 20% of the assignment: Corresponding to the 4th editions Exercise 3 on page 168-169: suppose XYZ Software Company has a new application development project, with projected revenues of $1,200,000. Using the following table calculate the ARO and ALE for each threat category that XYZ Software Company faces for this project. Note that the values below may be different from those in the text. Also note that Ive reduced the number of threat categories some of them were redundant.

ITEC 5001U, Fall 2012, Unit 2 Assignment

XYZ Software Company, major threat categories for new applications development
Programmer mistakes Loss of intellectual property Software piracy Theft of information (hacker) Theft of information (employee) Web defacement Theft of equipment Virus, worms, Trojan horses Earthquake Flood

Cost per Incident

Frequency of Occurrence

SLE

ARO

ALE

$7,500

1 per week

$7,500

52 2 26 4 2 12 1 26 .05

$390,000 $150,000 $13,000 $10,000 $10,000 $18,000 $5,000 $65,000 $12,500 $50,000

$75,000 1 per 6 months $75,000 $500 $2,500 1 every other week 1 per quarter

$500 $2,500 $5,000 $1,500 $5,000 $2,500

$5,000 1 per 6 months $1,500 $5,000 $2,500 1 per month 1 per year 1 every other week

$250,000 1 per 20 years $250,000 $250,000 1 per 5 years

$250,000 .20

5. This question is worth 25% of the assignment. Corresponding to the 4th editions Exercise 5 on page 169. Assume a year has passed and XYZ has improved security by applying a number of controls. Using the information from Exercise 3 (use revised values in the table below for Exercise 3 for Cost per Incident & Frequency of Occurrence, not the values in the textbook) and the table in Exercise 5 on page 169, calculate the post-control ARO and ALE for each threat category listed. Note: some SLEs may not have changed, and some Annual Rate of Occurrences may not have changed. Again, note that some values in the table below may be different from those in the text. Then answer the following question: why have some values changed in the columns Cost per Incident, and Frequency of Occurrence? How could a control affect one, but not the other? Answer this below the table. You need to assume that the values in the Cost of Control column presented in the table for Exercise 5 are those unique costs directly associated with protecting against that threat. In other words, dont worry about overlapping costs between controls. Calculate the CBA for the planned risk control for each threat category.

ITEC 5001U, Fall 2012, Unit 2 Assignment

CBA = Starting ALE Ending ALE Cost of Control

Starting ALE
Programmer mistakes Loss of intellectual property Software piracy Theft of information (hacker) Theft of information (employee) Web defacement Theft of equipment Virus, worms, Trojan horses Earthquake 12,500 Flood 50,000 75,000 390,000

New SLE
6,000 75,000

New Frequency
1 every other week 1 per year

NEW ARO
26 1

Ending ALE $156,000 $75,000

Cost of Control
40,000 20,000

CBA

Control
Training Firewall/ IDS Firewall/ IDS Firewall/ IDS Physical Security Firewall Physical Security Antivirus

Worth it?
Yes Yes

$194,000 $55,000

150,000 500 2,500 10,000 5,000 10,000 1,500 5,000 2,500 65,000 1 per quarter 1 per 2 years 1 per month 4 .5 12 1 per month 1 per 6 months 1 per year 12 2

13,000

$6,000 $5,000

15,000 15,000

-$8,000 -$10,000

No No

$5,000

12,000

-$7,000

No

18,000 5,000

$6,000 $2,500 $30,000

10,000 12,000 20,000

$2,000 -$9,500 $15,000

Yes No Yes

250,000

1 per 20 years 1 per 10 years

.05

$12,500

5,000

-$5,000

Insuranc e and backups Insuranc e and backups

No

.1

$7,500

10,000

$32,500

Yes

For each threat category, determine if the proposed control is worth the costs list the threats whose control is worth the cost below the table.

I added a column in my chart that said if the proposed control was worth the cost or not.

ITEC 5001U, Fall 2012, Unit 2 Assignment

Threats whose control is worth the cost Training for Programmer mistakes Firewall / IDS to protect the loss of intellectual property Antivirus Software to protect against viruses, worms, and Trojan horses Insurance and Backups in case of Earthquakes Insurance and Backups in case of Floods
1) Why have some values changed in the columns Cost per Incident, and Frequency of Occurrence?

The values in the columns Cost per Incident and Frequency of Occurrence have changed because of the controls that have been implemented.
2) How could a control affect one, but not the other?

An example where a control can affect one but not the other would be a control such as training your employees so that they dont make as many programming errors does not affect the Cost per Incident but it does decrease how many times mistakes are made which lowers the Frequency of Occurrence. From Chapter 5
6. This question is worth 6% of the assignment. Corresponding to the 4th editions Review Question 6 on page 241: What benefit can a private, for-profit agency derive from best practices designed for federal agencies?

Federal Agency Security Practices (FASP) is a government agency that shares best practices in the area of information security with other agencies. This site contains agency policies, procedures, and practices. They provide examples of key policies and planning documents, implementation strategies for key technologies, describe positions for security personnel, and explain program management. Best Security Practices (BSP) tries to identify, evaluate, and disseminate best practices for computer information protection and security. A private, For-profit agency can benefit greatly from best practices designed for federal agencies because the federal agencies have used these best practices themselves and have most likely weeded out the good from the bad. These practices are publicly displayed and include quite a bit of valuable information. For-profit agencies can use awareness policies that federal agencies follow to plan documentation and implement key technologies. The Federal Agencies use best business practices which can also be adapted to the private sector. These practices are designed by people that set the standards and know their stuff.

ITEC 5001U, Fall 2012, Unit 2 Assignment

7. This question is worth 9% of the assignment (3% for each type of control). Corresponding to the 4th editions Review Question 8 on page 241: Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.

Management controls are security processes that are designed by strategic planners and implemented by the security administration of the organization. These controls address risk management and security control reviews, describe the necessity and scope of legal compliance, and set guidelines for the maintenance of the entire security life cycle. Management controls would be applied as part of the security framework by applying detailed instructions for its conduct, as well as address and design and implement the security planning process and security program management. Operational controls are management and lower-level planning a function that deals with the operational functionality of security in the organization, such as disaster recovery and incidence response planning. These controls address personnel security, physical security, and the protection of production inputs and outputs. They also address hardware and software systems maintenance and the integrity of data. Operational controls would be applied as part of a security framework to address security methods that focus on mechanisms that are implemented and executed by people as opposed to systems. Technical Controls are the tactical and technical implementations of security in the organization. They address specific operational issues, such as developing and integrating controls into the business functions. Technical controls are the components put in place to protect an organizations information assets. Example: logical access controls, such as identification, authentication, authorization, accountability, cryptography etc. Technical controls would be applied as part of a security framework and could involve installing automated and other tools routinely to monitor security.
8. This question is worth 10% of the assignment (2% for each). Corresponding to the 4th editions Exercise 5 on page 242: Classify each of the following occurrences as an incident or a disaster. If an occurrence is a disaster, determine whether or not business continuity plans would be called into play. a. A hacker gets into the network and deletes files from a server.

Incident Law Enforcement should be involved IR plan should be called into play to restore files from backup

ITEC 5001U, Fall 2012, Unit 2 Assignment

b. A fire breaks out in the storeroom and sets off sprinklers on that floor. Some computers are damaged, but the fire is contained before it moves out of the area.

Incident Law Enforcement may be called to investigate possible arson

c. A tornado hits a local power company, and the company will be without power for three to five days.

Disaster Law enforcement should not be involved A BC plan should and must be used here in order to restore operations. The business could establish a hot site in a remote location.
d. Employees go on strike, and the company could be without critical workers for weeks.

Incident Law Enforcement may or may not be needed depending on the actions of the Employees during the strike
e. A disgruntled employee takes a critical server home, sneaking it out after hours.

Disaster Involve Law Enforcement to get back the companys assets and to investigate if the employee took the server home to attempt to disrupt the organization in a malicious way BC plan should be called into play to re-route network traffic and a backup server would be needed