Risk Assessment – CompTIA Security+ Lesson 1

----------------------------------

Risk Assessment is also known as risk analysis or risk calculation. Learn how to estimate a realistic risk for an environement. Join this lesson today!

In this lesson you will learn what risk assessment is and how it connects to the CompTIA Security+ Certification Exam. It mainly consitst of the following steps:

• Risks to which the organization is exposed: Every System has known (and also unknown) risks and vulnerabilities. Create a plan for how your organization will best handle this issues.
• Risks that need addressing: Not all risks are equally likely to happen. Industrial espionage and theft are more likely than a tsunami damaging the server room in most regions.
• Coordination with BIA: To make an intelligent decision about how to handle with risks you should conjunct the risks with the business impact analysis.

Computing Risk Assessment

Prioritizing is important! Not everything should be weighed evenly. Some risks can be accepted by the company, while other would be catastrophic. And some risks might not even have a likelihood of happening.

Risk Calculations

From what I gathered while studying there are three major components to calculate Risks:

• ALE (annual loss expectancy) – How much money loss can you expect per year
• SLE (single loss expectancy) – How much money loss can you expect from a “event”
• ARO (annualized rate of occurence) – How often does an “event” occur per year (mostly intel gained from statistics and company history)

To calculate the ALE of a risk use this formula: SLE x ARO = ALE

Excercises about risk calculations can be found at the end of the article.

Quantitative vs. Qualitative Risk Assessment

When making risk assessment you should always consider if the risk has qualitative or quantitative impact on the company.

If a company loses their customer database with contact information, history of past orders, charge numbers and so on it’s a quantitative loss, because they will lose money and business critical information. Whereas if the company loses images from a company event it might be hard for the employees etc, but they wont lose any “money” from it or lose business critical information. That’s qualitative loss.

TL;DR – quantitative: Money gets lost, qualitative: Sentimental valuables/ Reputation gets lost or damaged.

Term Meaning
Likelihood Possibility of threat initiation
Threat Vector Way in which an attacker poses a threat. From fake emails (phishing) to an unsecured hotspot
MTBF – Mean time between failures Measure of anticipated incidence of failure for a system or component. You should be prepared to replace or rebuild the system once every MTBF
MTTF – Mean time to failure Similar to MTBF, but for a nonrepairable system
MTTR – Mean time to restore/ repair How long will it take to be fixed if a failure occurs
RTO – Recovery time objective Maximum amount of time that a process/ system is allowed to be down with acceptable consequences
RPO – Recovery point objective What point needs to be restored (System Backup from two weeks ago or Backup from yesterday)

In the purpose of the exam you have five possible actions that you can choose to follow:

But you must know the risk exists!

Action Meaning
Risk Avoidance Identifying a risk and making the decision not to engage any longer in the actions associated with that risk. Eg: Forbid any email attachments from entering the network
Risk Transference Split the burden of a risk by hiring an external party (usually an insurance company or security provider)
Risk Mitigation Reduce the chance of the risk happening (antivirus, user education, etc…)
Risk Deterrence Letting the enemy know the harm can come their way if they cause harm to you (Warning sings, prosecution policies on websites)
Risk Acceptance If the harm costs less than implementing any other option from above you do nothing about it.

Risk mitigation might be the most important part for the CompTIA exam. Part of it are audits that address user rights, permission reviews, change management, incident management and data loss prevention.

Risks Associated with Cloud Computing

For the purpose of the CompTIA exam, cloud computing means hoting services and data on the Internet instead of hosting it locally. And there are three different ways of implementing cloud computing:

The risks involve the following:

• Regulatory Compliance: Make sure that whoever hosts your data takes privacy and security as seriously as you do
• User privileges: You won’t have the same contrl over user accounts in the cloud as you do locally.
• Data Integrations/ Segregations: Sometimes multiple companies are using the same server. You should use encryption and set the right user permissions on your databases to prevent other companies to steal information.

Risks Associated with Virtualization

• Breaking out of the virtual machine
• Network and security controls can intermingle, which could lead to privilege escalation

Most virtualization vulnerabilities focus on the hypervisor. The Solution to most of these risks is to always have an up to date version and apply the most recent patches to the hypervisor (virtualbox, VMware, etc…)