In this lesson you will learn what risk assessment is and how it connects to the CompTIA Security+ Certification Exam. It mainly consists of the following steps:
Prioritizing is important! Not everything should be weighed evenly. Some risks can be accepted by the company, while others would be catastrophic. And some risks might not even have a realistic likelihood of happening.
From what I gathered while studying, there are three major components for calculating risk:
To calculate the ALE of a risk use this formula: SLE x ARO = ALE
Exercises about risk calculations can be found at the end of the article.
When making a risk assessment you should always consider whether the risk has a qualitative or quantitative impact on the company.
If a company loses its customer database with contact information, history of past orders, charge numbers and so on, it’s a quantitative loss, because the company will lose money and business-critical information. Whereas if the company loses images from a company event it might be hard for the employees, but the company won’t lose any “money” from it or lose business-critical information. That’s a qualitative loss.
TL;DR – quantitative: money gets lost; qualitative: sentimental valuables/reputation get lost or damaged.
| Term | Definition |
|---|---|
| Likelihood | Possibility of threat initiation |
| Threat Vector | Way in which an attacker poses a threat, from fake emails (phishing) to an unsecured hotspot |
| MTBF – Mean time between failures | Measure of the anticipated incidence of failure for a system or component. You should be prepared to replace or rebuild the system once every MTBF |
| MTTF – Mean time to failure | Similar to MTBF, but for a non-repairable system |
| MTTR – Mean time to restore/repair | How long it will take to be fixed if a failure occurs |
| RTO – Recovery time objective | Maximum amount of time that a process/system is allowed to be down with acceptable consequences |
| RPO – Recovery point objective | Which point in time needs to be restored (the system backup from two weeks ago or the backup from yesterday) |
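The table above defines the metrics separately; the following added example (not from the original article) shows how they are checked against each other in practice. The MTBF, MTTR, RTO, RPO and backup-interval figures are constructed sample values for a hypothetical order-processing system, and the availability relation MTBF / (MTBF + MTTR) is standard reliability engineering that the article itself does not state.

```python
"""Worked example: checking continuity metrics against their objectives.

Added example, not from the original article. All figures below are
constructed sample values for a hypothetical system.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass
class SystemProfile:
    name: str
    mtbf_hours: float              # mean time between failures (observed)
    mttr_hours: float              # mean time to restore/repair (observed)
    rto_hours: float               # recovery time objective (business requirement)
    rpo_hours: float               # recovery point objective (business requirement)
    backup_interval_hours: float   # how often backups are actually taken


def availability(profile: SystemProfile) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR).

    Standard reliability relation (assumed, not stated in the article): the
    fraction of time the system is up between failures and repairs.
    """
    return profile.mtbf_hours / (profile.mtbf_hours + profile.mttr_hours)


def expected_failures_per_year(profile: SystemProfile) -> float:
    """Anticipated incidents per year; plan to rebuild the system this often."""
    return HOURS_PER_YEAR / profile.mtbf_hours


def meets_rto(profile: SystemProfile) -> bool:
    """RTO is met when the typical repair time stays within the allowed downtime."""
    return profile.mttr_hours <= profile.rto_hours


def meets_rpo(profile: SystemProfile) -> bool:
    """RPO is met when the worst-case data loss (one backup interval) is acceptable."""
    return profile.backup_interval_hours <= profile.rpo_hours


def gap_report(profile: SystemProfile) -> list[str]:
    """List the objectives that the current operational figures fail to meet."""
    gaps = []
    if not meets_rto(profile):
        gaps.append(f"RTO: MTTR {profile.mttr_hours}h exceeds RTO {profile.rto_hours}h")
    if not meets_rpo(profile):
        gaps.append(f"RPO: backups every {profile.backup_interval_hours}h exceed RPO {profile.rpo_hours}h")
    return gaps


# Constructed sample: fails about twice a year and takes 6h to repair, but the
# business tolerates only 4h of downtime and 1h of lost data.
ORDER_SYSTEM = SystemProfile(
    name="order-processing (hypothetical)",
    mtbf_hours=4380.0,
    mttr_hours=6.0,
    rto_hours=4.0,
    rpo_hours=1.0,
    backup_interval_hours=24.0,
)

if __name__ == "__main__":
    print(f"{ORDER_SYSTEM.name}: availability {availability(ORDER_SYSTEM):.4%}")
    print(f"expected failures per year: {expected_failures_per_year(ORDER_SYSTEM):.1f}")
    for gap in gap_report(ORDER_SYSTEM):
        print("GAP ->", gap)
```

The point of the comparison is that MTBF and MTTR are things you measure, while RTO and RPO are things the business decides; a gap report like this is what turns the table's definitions into a concrete finding (here: repairs take longer than allowed, and nightly backups cannot satisfy a one-hour RPO).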
For the purpose of the exam, you have five possible actions to choose from:
But you must know the risk exists!
| Action | Description |
|---|---|
| Risk Avoidance | Identifying a risk and making the decision not to engage any longer in the actions associated with that risk. E.g. forbid any email attachments from entering the network |
| Risk Transference | Split the burden of a risk by hiring an external party (usually an insurance company or security provider) |
| Risk Mitigation | Reduce the chance of the risk happening (antivirus, user education, etc.) |
| Risk Deterrence | Letting the adversary know that harm can come their way if they cause harm to you (warning signs, prosecution policies on websites) |
| Risk Acceptance | If the harm costs less than implementing any of the options above, you do nothing about it. |
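The ALE formula given earlier (SLE x ARO = ALE) and the Risk Acceptance row in this table are two halves of one decision: you compute what a risk costs per year, then compare it with what each control would cost. The following added example (not from the original article) carries that through. The asset values, exposure factors, control costs and residual rates are constructed sample figures; the decomposition SLE = AV x EF is standard Security+ material that the article's formula builds on.

```python
"""Worked example: quantitative risk calculation and the mitigate-or-accept decision.

Added example, not from the original article. All asset values, exposure
factors, rates and control costs are constructed sample figures.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float       # AV: business value of the asset at stake
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 - 1.0)
    aro: float               # ARO: annualized rate of occurrence (incidents per year)


def sle(risk: Risk) -> float:
    """Single loss expectancy: what one occurrence costs (SLE = AV x EF)."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy, the article's formula: SLE x ARO = ALE."""
    return sle(risk) * risk.aro


@dataclass
class Control:
    name: str
    annual_cost: float       # what it costs to run the control each year
    residual_aro: float      # ARO expected once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control has reduced the likelihood."""
    return sle(risk) * control.residual_aro


def control_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control, net of its running cost.

    Positive means the control pays for itself (mitigate); negative means the
    harm costs less than the control, which is the Risk Acceptance case.
    """
    return (ale(risk) - residual_ale(risk, control)) - control.annual_cost


def recommend(risk: Risk, controls: list[Control]) -> str:
    """Pick the control with the best net benefit, or accept if none pays off."""
    best = max(controls, key=lambda c: control_benefit(risk, c), default=None)
    if best is None or control_benefit(risk, best) <= 0:
        return "accept"
    return f"mitigate with {best.name}"


# Constructed sample: a customer database worth $200,000 where a breach
# destroys 25% of that value and is expected once every two years.
CUSTOMER_DB_BREACH = Risk("customer database breach", 200_000.0, 0.25, 0.5)

# Two hypothetical mitigations with different costs and effectiveness.
USER_TRAINING = Control("annual phishing awareness training", 5_000.0, 0.25)
DLP_SUITE = Control("data loss prevention suite", 30_000.0, 0.1)

# Constructed low-value risk where doing nothing is the rational choice.
LAPTOP_THEFT = Risk("theft of a spare test laptop", 1_500.0, 1.0, 0.1)
CABLE_LOCK = Control("cable lock and asset tagging", 200.0, 0.0)

if __name__ == "__main__":
    print(f"SLE = {sle(CUSTOMER_DB_BREACH):,.0f}, ALE = {ale(CUSTOMER_DB_BREACH):,.0f}")
    for control in (USER_TRAINING, DLP_SUITE):
        print(f"{control.name}: net benefit {control_benefit(CUSTOMER_DB_BREACH, control):,.0f}")
    print(recommend(CUSTOMER_DB_BREACH, [USER_TRAINING, DLP_SUITE]))
    print(recommend(LAPTOP_THEFT, [CABLE_LOCK]))
```

Note that the more effective control (the DLP suite) loses to the cheaper one here: it removes more ALE, but its running cost exceeds the extra loss it avoids. That is the comparison the Risk Acceptance row asks you to make, applied per control rather than only to the do-nothing option.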
Risk mitigation might be the most important part for the CompTIA exam. Part of it is auditing: user rights and permission reviews, change management, incident management and data loss prevention.
For the purpose of the CompTIA exam, cloud computing means hosting services and data on the Internet instead of hosting them locally. There are three different ways of implementing cloud computing:
The risks involve the following:
Most virtualization vulnerabilities focus on the hypervisor. The solution to most of these risks is to always run an up-to-date version of the hypervisor (VirtualBox, VMware, etc.) and apply the most recent patches.