SY0-501 Section 2.1-Explain the importance of risk related concepts.

Control types

To prepare for the certification exam, it often helps to use analogies to put topics in context. In light of that, consider a residential home this author owns in the middle of town. I grow prized tomato plants in the backyard, and it is very important to me that no one goes back there for fear that they might do something to harm the tomatoes. Thus, I implement the following controls:


Administrative: I establish a number of policies to keep the tomatoes safe:

Preventive: I instruct every member of my family that they are not to go into the backyard and they are not to let anyone else go back there either.

Deterrent: I tell the kids that if I ever hear of any of them—or their friends—being in the backyard, I will take away their allowance for a month.

Detective: As a matter of routine, I want each member of the family to look out the window on a regular basis to see if anyone has wandered into the yard.

Compensating: Every member of the family is instructed on how to call the police the minute they see anyone in the yard.

Technical: Not trusting that the administrative controls alone will keep people out, I also put technical controls in place:

Preventive: I put up a fence around the yard, and the door that leads out from the garage is locked.

Deterrent: “Beware of Dog” signs are posted all over the fence (although I have no dog).

Detective: Sensors are placed on the gate to trigger an alarm if the gate is opened.

Compensating: Triggered alarms turn on the backyard sprinklers at full volume to douse any intruder who wanders in.

These controls work in conjunction with one another to help keep individuals who should not be there out of the backyard and away from the tomatoes. Naturally, as the owner/administrator, I have the ability to override all of them as needed. I can ignore the warning signs, turn off the sprinklers, and get full access to the garden when I desire. The controls are not in place to hinder my access, but only to obstruct and prevent others from accessing the yard.

False positives/False negatives

False positives are events that are flagged as incidents but aren’t really incidents. Event flagging is usually based on established rules of acceptance (deviations from which are known as anomalies) and on attack signatures. If the rules aren’t set up properly, normal traffic may set off an analyzer and generate an event. You don’t want to declare an emergency unless you’re sure that you have one. The opposite of a false positive is a false negative: you are not alerted to a situation when you should be. In that case you miss something crucial and it slips right by. Tuning is a trade-off between the two; loosening a rule to catch more attacks generally raises the false positive rate, and tightening it raises the false negative rate.

Many IDSs trigger false positives when reporting incidents. Because an IDS works from the same rules of acceptance and attack signatures, badly tuned rules turn normal traffic into alerts. Be sure to double-check your results, because you don’t want to declare a false emergency.

One problem that can occur with manual network monitoring is overload. Over time, a slow attack may develop that increases in intensity. People adapt to changes that occur over a long period of time, so a manual process may not notice the attack until it’s too late to stop it.

An automated monitoring system, such as an IDS, will sound the alarm when a certain threshold or activity level is reached, regardless of how gradually that level was approached.

When a suspected incident pops up, first responders are those individuals who must ascertain whether it truly is an incident or a false alarm. Depending on your organization, the first responder may be the main security administrator or it could consist of a team of network and system administrators.
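The following is an added example, not part of the Security+ study text, that makes false positives and false negatives concrete. It runs a threshold rule (“N failed logins from one source inside a window”) over constructed login events and scores the alerts against a ground truth that a first responder would establish by investigation. The IP addresses, timestamps and the two rule settings are assumptions chosen to show a fat-fingered user (false positive), a noisy brute force (true positive) and a low-and-slow attacker that a short window misses (false negative).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(minute, second=0):
    """Timestamp helper for the constructed events (all on one morning)."""
    return datetime(2024, 1, 1, 8, minute, second)


# Constructed sample events: (timestamp, source IP, outcome).  Not real traffic.
EVENTS = (
    # A legitimate user mistypes a password four times, then succeeds.
    [(_ts(0, s), "10.0.0.5", "fail") for s in (5, 20, 35, 50)]
    + [(_ts(1, 0), "10.0.0.5", "success")]
    # A noisy brute force: 20 failures in under 40 seconds.
    + [(_ts(2, s), "203.0.113.9", "fail") for s in range(0, 40, 2)]
    # A low-and-slow guess: one failure every five minutes for an hour (12 total).
    + [(_ts(m, 0), "198.51.100.7", "fail") for m in range(3, 63, 5)]
)

# Ground truth the first responders would confirm (assumed for the example).
ATTACKERS = {"203.0.113.9", "198.51.100.7"}


def detect(events, threshold, window_seconds):
    """Flag a source that produces >= threshold failures inside any sliding
    window of window_seconds.  Returns the set of flagged source IPs."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, src, outcome in sorted(events):
        if outcome == "fail":
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within the window.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def score(flagged, attackers):
    """A false positive is a benign source that was flagged; a false negative
    is an attacker that was not.  Lists are sorted so results are stable."""
    return {
        "true_positives": sorted(flagged & attackers),
        "false_positives": sorted(flagged - attackers),
        "false_negatives": sorted(attackers - flagged),
    }


def naive_rule():
    """3 failures in 60 s: catches the noisy attacker, but also fires on the
    fat-fingered user and never sees the slow attacker."""
    return score(detect(EVENTS, threshold=3, window_seconds=60), ATTACKERS)


def tuned_rules():
    """Two layered rules: a stricter short-window rule for bursts plus a
    long-window rule that accumulates the low-and-slow attempts."""
    flagged = detect(EVENTS, 10, 60) | detect(EVENTS, 8, 3600)
    return score(flagged, ATTACKERS)


if __name__ == "__main__":
    print("naive:", naive_rule())
    print("tuned:", tuned_rules())
```

The point of the two rule sets is the trade-off in the paragraph above: the same detector logic moves between false positives and false negatives purely through its threshold and window, and a slow attacker that never exceeds the short-window threshold is only caught by watching a longer period.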

Importance of policies in reducing risk

Privacy Policies

Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. For now, however, think of the privacy policy as a legal document that outlines how the data collected is secured. Google’s published privacy policy is a good example: it outlines exactly what information the company collects, the privacy choices you have based on your account, potential sharing of your data with other parties, the security measures in place, and enforcement. The last paragraph of the policy addresses the fact that the policy may change, and something like it should appear in every privacy policy. The verbiage, as currently written, is succinct and clear: “Please note that this Privacy Policy may change from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. We will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes). We will also keep prior versions of this Privacy Policy in an archive for your review.”

Acceptable Use Policies

Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware. This policy should also outline the consequences for misuse. In addition, the policy (also known as a use policy) should address the installation of personal software on company computers and the use of personal hardware such as USB devices. When portable devices are plugged directly into a machine, they bypass the network security measures (such as firewalls) and allow data to be copied in what is known as pod slurping. The same thing happens when employees start using free cloud drives instead, and that scenario should be addressed in the AUP as well.

Although a smartphone is a convenience for employees (they can now more easily receive and make personal calls at work), it can be a headache for the security administrator. Most smartphones can store files in the same way as any USB device, and they can be used to copy files to and from a workstation. Additionally, the camera feature on most phones makes it possible for a user to take pictures of things such as company documents, servers, and physical security implementations, among many other things that the company may not want to share. For this reason, most secure facilities have stringent restrictions on the presence of smartphones within the vicinity.

Security Policies

Security policies define what controls are required to implement and maintain the security of systems, users, and networks. This policy should be used as a guide in system implementations and evaluations.

Mandatory Vacations

A mandatory vacation policy requires all users to take time away from work to refresh. As contradictory as it may seem, an employee who doesn’t take their vacation time can be detrimental to the health not only of the employee but of the company as well. If the company becomes too dependent on one person, it can end up in a real bind if something should happen to that person. Not only does mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills, and it satisfies the need for redundancy at all levels. Mandatory vacations also provide an opportunity to discover fraud: someone who must hand over their duties for a period cannot keep a scheme going unobserved.

Job Rotation

A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person (who then has the ability to do enormous harm). Rotate jobs on a frequent enough basis so that you are not putting yourself—and your data—at the mercy of any one administrator. Just as you want redundancy in hardware, you want redundancy in abilities. When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.

Least Privilege

A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more. For example, a temporary employee should never have the right to install software, a receptionist does not need the right to make backups, and so on. Every operating system includes the ability to limit users based on groups and individual permissions, and your company should adhere to the policy of always applying only those permissions users need and blocking those that they do not.

Succession Planning

Succession planning outlines those internal to the organization who have the ability to step into positions when they open up. By identifying key roles that cannot be left unfilled and associating internal employees who can step into those roles, you can groom those employees to make sure that they are up to speed when it comes time for them to fill those positions.

Risk calculation

For purposes of risk assessment, both in the real world and for the exam, you should familiarize yourself with a number of terms to determine the impact an event could have:

ALE is the annual loss expectancy value. This is a monetary measure of how much loss you could expect in a year.

SLE is another monetary value, and it represents how much you expect to lose at any one time: the single loss expectancy. SLE is the product of two components:

o AV (asset value): what the asset is worth

o EF (exposure factor): the fraction of the asset’s value lost in a single event, expressed as a percentage or a number between 0 and 1

ARO is the likelihood, often drawn from historical data, of an event occurring within a year: the annualized rate of occurrence. An ARO below 1 means the event is expected less often than once a year.

When you compute risk assessment, remember these formulas:

SLE = AV × EF

ALE = SLE × ARO
As an example, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of $1,000 and that there will be seven such occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring within a year time period (ARO = 0.1), then the ALE drops to $100.
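Added example (not from the study text): the SLE and ALE formulas as functions, run on the numbers in the paragraph above, and extended to the cost-benefit check a practitioner does with them, comparing the ALE reduction a control buys against what the control costs per year. The asset value, the exposure factor and the control cost are assumptions chosen so the SLE comes out at the text’s $1,000.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF.  EF is the fraction of the asset's value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO.  An ARO below 1 means fewer than one event per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_value(ale_before, ale_after, annual_control_cost):
    """Annual value of a safeguard = ALE before - ALE after - cost of safeguard.
    Positive means the control pays for itself; negative means you are
    spending more on mitigation than the risk is expected to cost."""
    return ale_before - ale_after - annual_control_cost


def worked_example():
    # Assumed asset: worth $10,000, 10% of its value lost per event -> SLE $1,000
    sle = single_loss_expectancy(asset_value=10_000, exposure_factor=0.10)
    # The text's two cases: seven events a year, and a 10% chance per year
    ale_frequent = annual_loss_expectancy(sle, aro=7)
    ale_rare = annual_loss_expectancy(sle, aro=0.1)
    # Assumed control: cuts the ARO from 7 to 1 and costs $2,500 a year to run
    ale_after = annual_loss_expectancy(sle, aro=1)
    value = control_value(ale_frequent, ale_after, annual_control_cost=2_500)
    return {
        "sle": sle,                  # 1000.0
        "ale_frequent": ale_frequent,  # 7000.0
        "ale_rare": ale_rare,        # 100.0
        "control_value": value,      # 3500.0 -> worth buying
    }


if __name__ == "__main__":
    for name, amount in worked_example().items():
        print(f"{name:>14}: ${amount:,.2f}")
```

The control-value step is what turns the ALE into a decision: a control that costs more per year than the ALE it removes is not justified quantitatively, which is the usual argument for choosing risk acceptance over mitigation for a given risk.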

Quantitative vs. qualitative

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending on whether you are focusing on dollar amounts. Single loss expectancy (SLE) and annual loss expectancy (ALE), together with the annualized rate of occurrence (ARO) that feeds them, produce dollar figures and are therefore quantitative.

To understand the difference between quantitative and qualitative, it helps to use a simple example. Imagine that you get an emergency call to help a small company that you have never heard from before. It turns out that their one and only server has crashed and that their backups are useless. One of the lost files was the only copy of the company’s history. This file detailed the company from the day it began to the present day and had the various iterations of the mission statement as it changed over time. As painful a loss as this file represents to the company’s culture, it has nothing to do with filling orders and keeping customers happy, and thus its loss is qualitative in nature.

Another loss was the customer database. This held customer contact information as well as the history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all of the hard copy invoices from storage and re-entering them into the system. This loss can be calculated by the amount of business lost and the amount of time it takes to find/re-enter all the data, and thus it is a quantitative loss.


Many security experts view vulnerability scanning as separate from penetration testing. However, it should be either part of the penetration test or done alongside it. Vulnerability scanning allows you to identify specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack. A penetration test is essentially an attempt to exploit those vulnerabilities.

Once you have identified the vulnerabilities, it is time to attempt to exploit them. Of course, the most egregious vulnerability is any aspect of your system where vulnerability scanning reveals a lack of security controls. Many of the more common vulnerabilities involve misconfiguration, and popular vulnerability scanners such as Nessus will help identify common misconfigurations.

Threat vectors

A threat vector is the way in which an attacker poses a threat. This can be a particular tool that they can use against you (a vulnerability scanner, for example) or the path(s) of attack that they follow. Under that broad definition, a threat vector can be anything from a fake email that lures you into clicking a link (phishing) to an unsecured hotspot (rogue access point) and everything in between.

Probability / threat likelihood

The meaning of the word likelihood is usually self-explanatory; however, there are actual values that can be assigned to likelihood. The National Institute of Standards and Technology (NIST), in SP 800-30, recommends viewing likelihood as a score representing the possibility that a threat will be initiated. In this way, it can be expressed either in qualitative terms (such as low, moderate, or high) or in quantitative terms (such as a probability or a rate per year).

Risk-avoidance, transference, acceptance, mitigation, deterrence

Once you’ve identified and assessed the risks that exist, for the purpose of the exam you have five possible actions that you can choose to follow:

Risk Avoidance Risk avoidance involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk. For example, a company may decide that many risks are associated with email attachments and choose to forbid any email attachments from entering the network.

Risk Transference Risk transference, contrary to what the name may imply, does not mean that you shift the risk completely to another entity. What you do instead is share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all of the required steps to reduce risk were in place and your system was still harmed.

Risk Acceptance Risk acceptance is the decision to live with a risk and its potential consequences, usually because the cost of avoiding, transferring, or mitigating it would exceed the expected loss. The decision should be made deliberately and documented, not arrived at by default through inaction.

Risk Mitigation Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. In Microsoft’s Security Intelligence Report, Volume 13, the following suggestions for mitigating risk through user awareness training are listed:

– Keep security messages fresh and in circulation.

– Target new employees and current staff members.

– Set goals to ensure that a high percentage of the staff is trained on security best practices.

– Repeat the information to raise awareness.

CompTIA is fond of risk mitigation and of confronting it through routine audits that address user rights and permission reviews, change management (the structured approach that is followed to secure a company’s assets), and incident management (the steps followed when events occur, making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets). Policies addressing data loss or theft need to be in place, and technology controls should be enforced.

Risk Deterrence Risk deterrence discourages a threat actor from acting in the first place rather than stopping the action once it starts. The “Beware of Dog” signs in the backyard example, visible cameras, login warning banners, and published penalties for misuse are all deterrents.

Risks associated with Cloud Computing and Virtualization

The term cloud computing has grown in popularity recently, but few agree on what it truly means. For the purpose of the Security+ exam, cloud computing means hosting services and data on the Internet instead of hosting them locally. Some examples of this include running office suite applications such as Office 365 or Google Docs from the Web instead of having similar applications installed on each workstation; storing data on server space, such as Google Drive, Sky Drive, or Amazon Web Services; and using cloud-based sites such as

If cloud computing has grown in popularity, virtualization has become the technology du jour. Virtualization consists of allowing one set of hardware to host multiple virtual machines. It is in use at most large corporations, and it is also becoming more common at smaller businesses.

Some of the possible security risks associated with virtualization include the following:

Breaking Out of the Virtual Machine If a disgruntled employee could break out of the virtualization layer and were able to access the other virtual machines, they could access data that they should never be able to access.

Network and Security Controls Can Intermingle The tools used to administer the virtual machine may not have the same granularity as those used to manage the network. This could lead to privilege escalation and a compromise of security.

Most virtualization-specific threats focus on the hypervisor. The hypervisor is the virtual machine monitor, the software that allows the virtual machines to exist. If the hypervisor can be successfully attacked, the attacker can gain root-level access to all virtual systems it hosts. Although this is a legitimate issue, and one that has been demonstrated as possible in most systems (including VMware, Xen, and Microsoft Virtual Machine), it is one that has been patched each time it has arisen. The first defense against most virtualization threats is therefore to apply the most recent patches and keep the system(s) up to date. Be sure to look for and implement suggestions that the vendor of your virtualization system may have published in a hardening guide.

Recovery time objective and recovery point objective

The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The RTO is agreed on during creation of the business impact analysis (BIA).

The recovery point objective (RPO) is similar to the RTO, but it defines the point in time to which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO is to the time of the crash, the more expensive it is to obtain. Most SLAs that relate to risk management stipulate the definitions of these terms and how they apply to the agreement.