Question
please nobody copy my answer..
please write by computer and solve all questions.. thanks
Q1-
i. Define each of the following terms: inherent risk, threat, threat source, vulnerability, likelihood of occurrence, impact, and residual risk.
ii. Consider the threat of obtaining unauthorized access to protected customer data, identify the resulting impact of the threat.
Q2-
A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and a low potential impact from a loss of availability.
i. How is the information categorized according to Federal Information Processing Standard 199 (FIPS-199)?
ii. Write down the resulting SC for this type of information as per FIPS-199 standard.
Explanation / Answer
Question Number 1:
i) Define each of the following terms: inherent risk, threat, threat source, vulnerability, likelihood of occurrence, impact, and residual risk.
Inherent risk:
Inherent risk is a category of threat that arises from the organization's human activity or physical environment.
There are four basic ways of dealing with risk: reduce it, avoid it, accept it or transfer it. Inherent risk, which addresses the possibility that some human mistake or natural event will adversely affect an organization's assets, cannot be avoided or transferred away. If controls are not introduced to reduce inherent risk, it must be accepted.
Threat:
A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more.
Threat source:
A threat source is either intent and method targeted at the intentional exploitation of a vulnerability, such as criminal groups, terrorists, bot-net operators, and disgruntled employees, or a situation and method that may accidentally trigger a vulnerability, such as an undocumented process, severe storm, and accidental or unintentional behavior.
Vulnerability:
A vulnerability is a weakness that could be exploited by a threat source. Vulnerabilities can be physical (for example, unlocked door, insufficient fire suppression), natural (for example, facility located in a flood zone or in a hurricane belt), technical (for example, misconfigured systems, poorly written code), or human (for example, untrained or distracted employee).
Impact:
Impact is the magnitude of harm.
Likelihood of occurrence:
The likelihood of occurrence is a weighted factor or probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).
Residual risk:
Residual risk is the level of risk after security measures are applied. In its most simple form, residual risk can be defined as the likelihood of occurrence after controls are applied, multiplied by the expected loss. Residual risk is a reflection of the actual state. As such, the risk level can run the gamut from severe to nonexistent.
ii. Consider the threat of obtaining unauthorized access to protected customer data, identify the resulting impact of the threat.
Once the intruders gain access to the internal network, they can approach, trespass within, communicate with, store data in or retrieve data from, interfere with, or otherwise intercept and change the system.
They can:
· Obstruct computer services by placing malicious programs to overload computer resources. This could result in filling up hard drive storage space, sending messages to reset a host’s subnet mask, using up all of the computer resources to accept network connections. Common techniques include SYN attack, and teardrop attack.
· Use the system as a stepping-stone to invade other systems (distributed denial of services, DDoS), or relay of viruses, worms, or SPAM.
· Install malicious programs (such as viruses) to destroy or modify files.
· Insert an undetectable program (such as Trojan horse) into an authorized application used to transfer money (theft of money) or send trade secrets/credit card numbers to remote servers (theft of information).
· Place a backdoor that enables attackers to come back to the system at a later date, bypassing the usual security authentication and authorization steps.
Risks
Risks from these threats include:
1. Unauthorized disclosure of information: disclosure of confidential, sensitive or embarrassing information can result in loss of credibility, reputation, market share, and competitive edge.
2. Disruption of computer services: being unable to access resources when they are needed can cause a loss of productivity. Disruption of services during critical processing time may be disastrous.
3. Loss of productivity: misuse of IT resources such as network bandwidth may cause slow response times, delaying legitimate computer activities that, in time-critical applications such as stock trading, can be very costly.
4. Financial loss: the losses can be directly from the theft of money or indirectly from the recovery of security incidents such as corruption of information or disruption of services.
5. Legal implications: security or privacy breaches can expose a company to lawsuits from investors, customers, or the public.
6. Blackmail: intruders can extort money from the company by threatening to exploit the security breach.
Q2-
A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and a low potential impact from a loss of availability.
i. How is the information categorized according to Federal Information Processing Standard 199 (FIPS-199)?
FIPS-199:
FIPS Publication 199 provides a standard to categorize all information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels.
Basically, according to FIPS-199, security categorization categorizes an information type and an information system based on the business impact of the loss of confidentiality, integrity, and availability of the information type or information system.
Security Categorization of an Information Type
The security categorization (SC) of an information type is specified by combining the impact from loss of confidentiality, integrity, and availability for this information type. The following is taken from FIPS PUB 199:
The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
The potential impact is HIGH if
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
The potential impact is MODERATE if
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
The potential impact is LOW if
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
ii) The resulting SC for this type of information as per FIPS-199 standard.
Security Categorization of an Information System
The security categorization (SC) of an information system is specified by
1) identifying the different information types it processes
2) identifying the SC of the information types
3) taking the highest value for each impact area.
The following is taken from FIPS PUB 199 with my highlights of the key words:
The generalized format for expressing the security category, SC, of an information system is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
EXAMPLE: An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that:
for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and
for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.
The resulting security categories, SC, of these information types are expressed as:
SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.
EXAMPLE: A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information. The management at the power plant determines that:
for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and
for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability.
The resulting security categories, SC, of these information types are expressed as:
SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)},
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is initially expressed as:
SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)},
representing the high water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system.
The management at the power plant chooses to increase the potential impact from a loss of confidentiality from low to moderate reflecting a more realistic view of the potential impact on the information system should there be a security breach due to the unauthorized disclosure of system-level information or processing functions. The final security category of the information system is expressed as:
SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.
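The three-step categorization procedure above (identify information types, categorize each, take the high water mark per objective) and the SC notation are easy to get wrong by hand, especially the rule that NA is allowed only for confidentiality of an information type and that a system is never rated below LOW (the SCADA example maps NA to LOW before management raises it). The following is an added worked example, not code from the answer or from NIST; it encodes that procedure in Python, reproduces the two FIPS 199 examples quoted above, and applies the same rule to the law enforcement scenario in the question. The function and class names are this example's own, and the `adjustments` parameter only models raising a value, as in the SCADA example; the standard's other adjustment cases are not modelled here.

```python
from enum import IntEnum
from typing import Dict, Mapping, Optional


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    NA = 0        # "not applicable": permitted only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# An SC is a mapping from security objective to its potential impact.
SecurityCategory = Dict[str, Impact]


def security_category(confidentiality: Impact, integrity: Impact,
                      availability: Impact) -> SecurityCategory:
    """Build the SC triple of a single information type.

    NA is accepted for confidentiality only (e.g. public sensor data); integrity
    and availability of an information type must be LOW, MODERATE or HIGH.
    """
    if integrity == Impact.NA or availability == Impact.NA:
        raise ValueError("NA is only permitted for the confidentiality objective")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render an SC in the FIPS 199 notation used in the answer above."""
    pairs = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


def system_category(info_types: Mapping[str, SecurityCategory],
                    adjustments: Optional[Mapping[str, Impact]] = None) -> SecurityCategory:
    """Categorize an information system from the information types it processes.

    1) the caller has already identified the information types (the keys);
    2) each type carries its own SC (the values);
    3) take the highest value per objective across all types (high water mark).
    A system is never rated below LOW, so an NA confidentiality rating becomes LOW.
    Management may then raise an objective (assumption: only raising is modelled).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc: SecurityCategory = {}
    for obj in OBJECTIVES:
        high_water_mark = max(t[obj] for t in info_types.values())
        sc[obj] = max(high_water_mark, Impact.LOW)
    for obj, level in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {obj}")
        if level < sc[obj]:
            raise ValueError(f"adjustment would lower {obj} below its high water mark")
        sc[obj] = level
    return sc


def worked_examples() -> Dict[str, str]:
    """The scenario from the question plus the two FIPS 199 examples quoted above."""
    # Q2: law enforcement investigative information (values given in the question).
    investigative = security_category(Impact.HIGH, Impact.MODERATE, Impact.LOW)

    # FIPS 199 example 1: acquisition system with contract and administrative data.
    acquisition = system_category({
        "contract": security_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
        "administrative": security_category(Impact.LOW, Impact.LOW, Impact.LOW),
    })

    # FIPS 199 example 2: SCADA system; management raises confidentiality to MODERATE.
    scada_types = {
        "sensor data": security_category(Impact.NA, Impact.HIGH, Impact.HIGH),
        "administrative": security_category(Impact.LOW, Impact.LOW, Impact.LOW),
    }
    scada_initial = system_category(scada_types)
    scada_final = system_category(scada_types, {"confidentiality": Impact.MODERATE})

    return {
        "investigative": format_sc("investigative information", investigative),
        "acquisition": format_sc("acquisition system", acquisition),
        "scada_initial": format_sc("SCADA system", scada_initial),
        "scada_final": format_sc("SCADA system", scada_final),
    }


if __name__ == "__main__":
    for line in worked_examples().values():
        print(line)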
Related Questions
Navigate
Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.