
CompTIA Security+ Deluxe Study Guide: Exam SY0-301 - Hardcover

 
9781118014745: CompTIA Security+ Deluxe Study Guide: Exam SY0-301

Synopsis

Get a host of extras with this Deluxe version, including a Security Administration Simulator! Prepare for CompTIA's new Security+ exam SY0-301 with this Deluxe Edition of our popular CompTIA Security+ Study Guide, 5th Edition. In addition to the 100% coverage of all exam essentials and study tools you'll find in the regular study guide, the Deluxe Edition gives you additional hands-on lab exercises and study tools, three additional practice exams, author videos, and the exclusive Security Administration simulator. This book is a CompTIA Recommended product.

Provides 100% coverage of all exam objectives for Security+ exam SY0-301, including:

  • Network security

  • Compliance and operational security

  • Threats and vulnerabilities

  • Application, data and host security

  • Access control and identity management

  • Cryptography

Features Deluxe-Edition-only additional practice exams, value-added hands-on lab exercises and study tools, and exclusive Security Administrator simulations, so you can practice in a real-world environment. Covers key topics such as general security concepts, communication and infrastructure security, the basics of cryptography, operational security, and more. Shows you pages of practical examples and offers insights drawn from the real world. Get deluxe preparation, pass the exam, and jump-start your career. It all starts with CompTIA Security+ Deluxe Study Guide, 2nd Edition.

The synopsis may refer to a different edition of this title.

About the Author

Emmett Dulaney is an associate professor at Anderson University. He has written several certification books on Windows, Security, IT project management, and UNIX, and is coauthor of two of Sybex's leading certification titles: CompTIA Security+ Study Guide and CompTIA A+ Complete Study Guide. He is also a well-known certification columnist for Redmond magazine and CertCities.com.

From the Back Cover

The Deluxe Edition of CompTIA Security+ Study Guide, Fifth Edition

Prepare for CompTIA's Security+ Exam SY0-301 with this Deluxe Edition of the top-selling CompTIA Security+ Study Guide, Fifth Edition. In addition to comprehensive coverage of exam topics and Sybex's leading-edge exam prep software, this CompTIA Recommended Deluxe Study Guide includes bonus exercises and practice exams, sample videos, special Security+ training software, and more. Start your CompTIA Security+ preparation today with:

  • Full coverage of all exam objectives in a systematic approach, so you can be confident you're getting the instruction you need for the exam

  • Practical, hands-on exercises and labs to reinforce critical skills, plus 50 bonus hands-on exercises in PDF format on CD

  • Real-world scenarios that put what you've learned in the context of actual job roles

  • Five complete practice exams as well as challenging review questions to prepare you for exam day

  • Easy-to-follow videos that illustrate complex techniques

  • A list of useful acronyms that any security professional should be familiar with

  • Exam Essentials, a key feature in each chapter that identifies critical areas you must become proficient in before taking the exam

  • A handy tear card that maps every official exam objective to the corresponding chapter in the book, so you can track your exam prep objective by objective

Look inside for complete coverage of all exam objectives.

www.sybex.com/go/securitydel2e

SYBEX TEST ENGINE
Test your knowledge with advanced testing software. Includes all chapter review questions and practice exams.

ELECTRONIC FLASHCARDS
Reinforce your understanding with electronic flashcards.

Also on the CD, you'll find extra exercises and study tools, training software, videos, a special appendix on cabling, a useful list of acronyms, and more.

Includes Real-World Scenarios, Hands-On Exercises, and Leading-Edge Exam Prep Software Featuring:

  • Custom Test Engine

  • Hundreds of Sample Questions

  • Five Complete Practice Exams

  • Electronic Flashcards

  • Bonus Videos, Study Tools, and More

Excerpt. © Reprinted by permission. All rights reserved.

CompTIA Security+ Deluxe Study Guide

Exam SY0-301

By Emmett Dulaney

John Wiley & Sons

Copyright © 2011 John Wiley & Sons, Ltd
All rights reserved.

ISBN: 978-1-1180-1474-5

Chapter One

Measuring and Weighing Risk

THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

  • 1.3 Distinguish and differentiate network design elements and compounds.
    * Cloud computing: Platform as a Service; Software as a Service; Infrastructure as a Service

  • 2.1 Explain risk related concepts.
    * Control types: Technical; Management; Operational
    * False positives
    * Importance of policies in reducing risk: Privacy policy; Acceptable use; Security policy; Mandatory vacations; Job rotation; Separation of duties; Least privilege
    * Risk calculation; Likelihood; ALE; Impact
    * Quantitative vs. Qualitative
    * Risk avoidance, transference, acceptance, mitigation, deterrence
    * Risk associated to Cloud Computing and Virtualization

  • 2.2 Carry out appropriate risk mitigation strategies.
    * Implement security controls based on risk
    * Change management
    * Incident management
    * User rights and permission reviews
    * Perform routine audits

  • 3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities.
    * Risk calculations: Threat vs. likelihood

  • 4.3 Explain the importance of data security.
    * Cloud computing

As an administrator, you know that there are risks involved in working with data. You know that data can become corrupt, can be accessed by those who shouldn't see it, can have values changed, and so on. If you think that being armed with this knowledge is enough to enable you to take the steps to keep any harm from happening, however, you'll be sadly mistaken. One of the possible actions administrators can take in response to potential threats is to simply accept that they will happen. If the cost of preventing a particular risk from becoming a reality exceeds the value of the harm that could be caused by the event, then a cost/benefit risk calculation dictates that the risk should remain.

Most risk calculations weigh a potential threat against the likelihood of it occurring. As frustrating as it may seem, you should always be able to accept the fact that sometimes some risks must remain. This chapter focuses on risk and various ways of dealing with it, all of which you will need to understand fully for the Security+ exam.

Risk Assessment

Risk assessment is also known as risk analysis. It deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or information itself. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key is to think out of the box. Conventional threats/risks are often too limited when considering risk assessment.

The key components of a risk-assessment process are outlined here:

Risks to Which the Organization Is Exposed
This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to respond.

Risks That Need Addressing
The risk-assessment component also allows an organization to provide a reality check on which risks are real and which aren't likely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a pack of wild dogs stealing the entire contents of the payroll file is very low. Therefore, resources should be allocated to prevent espionage or theft as opposed to the latter possibility.

Coordination with BIA
The risk-assessment component, in conjunction with the BIA (Business Impact Analysis), which is discussed in Chapter 13, provides an organization with an accurate picture of the situation facing it. It allows an organization to make intelligent decisions about how to respond to various scenarios.

Computing Risk Assessment

When you're doing a risk assessment, one of the most important things to do is to prioritize. Not everything should be weighed evenly because some events have a greater likelihood of happening; in addition, a company can live with some risks, whereas others would be catastrophic. One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:

SLE × ARO = ALE

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.

In Exercise 1.1, we'll walk through some risk-assessment computations.

Key to any risk assessment is identifying both assets and threats. You first have to identify what you want to protect and then what possible harms could come to those assets. You then analyze the risks in terms of either cost or severity.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

To understand the difference between quantitative and qualitative, it helps to use a simplistic example. Imagine that you get an emergency call to help a small company that you have never even heard from before. It turns out that their one and only server has crashed and their backups are useless. One of the files lost was the only copy of the company history. This file detailed the company from the day it began to the present day and had the various iterations of the mission statement as they changed over time. As painful a loss as this file represents to the company culture, it has nothing to do with filling orders and keeping customers happy, and its loss represents a qualitative loss.

Another loss was the customer database. This held customer contact information as well as a history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all the hard-copy invoices from storage and re-entering them into the system. This loss can be calculated by the amount of business lost and the amount of time it takes to find/re-enter all the data, and thus it is a quantitative loss.
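The following is an added example, not code from the book or from Sybex, that puts the chapter's arithmetic (SLE = AV × EF, ALE = SLE × ARO) beside an ordinal likelihood-times-impact score so the quantitative and qualitative approaches can be compared on one register. The register entries, dollar figures, and the 1-to-5 rating scale are constructed for illustration; the first two quantitative rows reproduce the chapter's $1,000 SLE with ARO 7 and ARO 0.1. The validation in `__post_init__` catches the exposure factor being entered as a percentage rather than a fraction, the most common way these calculations go wrong in practice.

```python
"""Quantitative and qualitative risk scoring for a small risk register.

Quantitative entries follow the chapter's arithmetic:
    SLE = AV * EF          (single loss expectancy)
    ALE = SLE * ARO        (annual loss expectancy)
Qualitative entries carry ordinal likelihood/impact ratings instead of
dollar figures and are ranked by their product. The register contents
below are constructed sample data, not figures from the book.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        # Guard against the classic spreadsheet errors: EF entered as a
        # percentage (e.g. 10 instead of 0.10) or a negative rate.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO cannot be negative")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: ratings must be 1..5")

    def score(self) -> int:
        return self.likelihood * self.impact


def rank_quantitative(risks):
    """Highest ALE first: that is where the budget should go."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def rank_qualitative(risks):
    """Highest likelihood x impact first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register.
QUANTITATIVE = [
    # AV $2,000, EF 0.5 -> SLE $1,000; seven occurrences a year -> ALE $7,000
    QuantitativeRisk("customer database re-entry after server crash", 2_000, 0.5, 7),
    # Same SLE, but a 10 percent chance per year -> ALE $100
    QuantitativeRisk("customer database, rare regional outage", 2_000, 0.5, 0.1),
    QuantitativeRisk("payroll file theft by insiders", 50_000, 0.2, 0.5),
]

QUALITATIVE = [
    QualitativeRisk("loss of the company history file", likelihood=2, impact=2),
    QualitativeRisk("wild dogs steal the payroll file", likelihood=1, impact=3),
    QualitativeRisk("industrial espionage", likelihood=4, impact=4),
]

if __name__ == "__main__":
    for r in rank_quantitative(QUANTITATIVE):
        print(f"{r.name:50s} SLE=${r.sle():>9,.2f} ALE=${r.ale():>9,.2f}")
    for r in rank_qualitative(QUALITATIVE):
        print(f"{r.name:50s} score={r.score()}")
```

Running the script prints the quantitative rows ordered $7,000, $5,000, $100 and the qualitative rows ordered by score, which is the prioritization the chapter asks for: the two rankings use different units and cannot be merged into one list, so a register normally keeps them apart and spends on the top of each.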

Acting on Your Risk Assessment

Once you've identified and assessed the risks that exist, for the purpose of the exam, you have five possible actions you can choose to follow:

Risk Avoidance
Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk. For example, a company could decide that many risks are associated with email attachments and choose to forbid any email attachments from entering the network.

Risk Transference
Risk transference, contrary to what the name may imply, does not mean that you shift the risk completely to another entity. What you do instead is share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system still was harmed.

Risk Mitigation
Risk mitigation is accomplished anytime you take steps to reduce the risk. This category includes installing antivirus software, educating users about possible threats, monitoring the network traffic, adding a firewall, and so on. Microsoft's Security Intelligence Report, Volume 9, lists the following suggestions for mitigating risk:

  • Keep security messages fresh and in circulation.

  • Target new employees and current staff members.

  • Set goals to ensure a high percentage of the staff is trained on security best practices.

  • Repeat the information to raise awareness.

Risk Deterrence
Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they cause harm to you. This can be as simple as posting prosecution policies on your login pages and convincing them that you have steps in place to identify intrusions and act on them.

Risk Acceptance
Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk that the administrator/management does not know exists; it has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

It can often be helpful to create sagacious examples to help in understanding or memorizing various lists, and this works well for the five possible risk actions. Imagine that you are a junior administrator for a large IT department and you believe that one of the older servers should be replaced with a new one. There are no signs of failure now, but it would be prudent to upgrade before anything disastrous happens. The problem, however, is that all spending requires approval from your superior, who is focused on saving the company as much money as possible in order to be considered for a promotion, and he does not want anyone finding ways to spend money. You know him well enough to fear that if a problem does occur, he will not hesitate to put all the blame on you in order to save his own career. Table 1.1 shows how you would apply each of the possible risk actions to this scenario.
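As an added example (not the book's or the publisher's code), the script below turns the five risk actions into a cost/benefit decision of the kind the chapter describes for acceptance: each action is priced as its own annual cost plus the ALE that remains after it is applied, and the cheapest total wins. Acceptance costs nothing and leaves the full ALE in place, so it is selected exactly when every other action costs more than the harm it prevents. The pricing of transference as an insurer's payout share and of deterrence as a lowered occurrence rate is a simplifying assumption of this example, as are all the dollar figures; the two scenarios reuse the chapter's $1,000 SLE with ARO 7 and ARO 0.1.

```python
"""Choosing among the five risk actions by annual cost.

Added example built on the chapter's ALE arithmetic (ALE = SLE * ARO).
Assumption: each action is priced as (annual cost of the action) plus
(the ALE that remains once it is applied), and the lowest total wins.
Acceptance costs nothing and leaves the whole ALE in place, so it is
chosen exactly when every other action costs more than the harm it
prevents, which is the chapter's rule for accepting a risk. The
transference and deterrence figures are crude constructed stand-ins
for an insurance payout share and a reduced occurrence rate.
"""
from dataclasses import dataclass

ACTIONS = ("avoidance", "transference", "mitigation", "deterrence", "acceptance")


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: single loss expectancy times yearly rate."""
    return sle * aro


@dataclass(frozen=True)
class RiskOption:
    action: str
    annual_cost: float   # what the action itself costs per year
    residual_ale: float  # expected annual loss that still remains

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown risk action: {self.action}")
        if self.annual_cost < 0 or self.residual_ale < 0:
            raise ValueError("costs and losses cannot be negative")

    def total(self) -> float:
        return self.annual_cost + self.residual_ale


def build_options(sle, aro, *, mitigation_cost, mitigated_aro,
                  premium, payout_share, avoidance_cost,
                  deterrence_cost, deterred_aro):
    """Price all five actions for one risk. Every keyword is a constructed
    estimate the analyst supplies; the book gives no such figures."""
    base = ale(sle, aro)
    return [
        RiskOption("acceptance", 0.0, base),
        RiskOption("mitigation", mitigation_cost, ale(sle, mitigated_aro)),
        # insurer reimburses payout_share of each loss; the rest stays with us
        RiskOption("transference", premium, base * (1.0 - payout_share)),
        # stop the activity entirely: no loss, but the activity's value is forgone
        RiskOption("avoidance", avoidance_cost, 0.0),
        RiskOption("deterrence", deterrence_cost, ale(sle, deterred_aro)),
    ]


def choose(options):
    """Return (action, total annual cost) for the option with the lowest total."""
    if not options:
        raise ValueError("no options to choose from")
    best = min(options, key=lambda o: o.total())
    return best.action, best.total()


# Constructed scenario: SLE $1,000 per event, same control estimates both times.
COMMON = dict(mitigation_cost=2_000.0, mitigated_aro=1.0,
              premium=1_500.0, payout_share=0.8,
              avoidance_cost=5_000.0,
              deterrence_cost=500.0, deterred_aro=5.0)

FREQUENT = build_options(1_000.0, 7.0, **COMMON)   # ALE $7,000
RARE = build_options(1_000.0, 0.1, **COMMON)       # ALE $100

if __name__ == "__main__":
    for label, opts in (("frequent", FREQUENT), ("rare", RARE)):
        for o in sorted(opts, key=lambda o: o.total()):
            print(f"{label:9s} {o.action:13s} total=${o.total():>9,.2f}")
        print(f"{label}: choose {choose(opts)[0]}")
```

With seven occurrences a year the $7,000 ALE justifies spending, and transference comes out cheapest at about $2,900 a year; with the same controls priced against a $100 ALE, every action costs more than the loss it prevents and acceptance wins. In practice the numbers feeding `build_options` are the hard part, and the choice should be recorded together with them, since the chapter's definition of acceptance requires that the people involved understand the cost they are agreeing to carry.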

Risks Associated with Cloud Computing

The term cloud computing has grown in popularity recently, but few agree on what it truly means. For the purpose of the Security+ exam, cloud computing means using the Internet to host services and data instead of hosting it locally. Some examples of this include running Office-like applications from the Web (such as Google Docs) instead of having the applications installed on each workstation, storing data on server space rented from Amazon, using sites such as Salesforce.com, and so on.

From an exam standpoint, there are three ways of implementing cloud computing:

Platform as a Service
The Platform as a Service (PaaS) model is also known as cloud platform services. In this model, vendors allow apps to be created and run on their infrastructure. Two well-known models of this implementation are Amazon Web Services and Google Code.

Software as a Service
The Software as a Service (SaaS) model is the one often thought of when users generically think of cloud computing. In this model, applications are remotely run over the Web. The big advantage is that no local hardware is required (other than to obtain web access) and no software applications need be installed on the machine accessing the site. The best-known model of this is Salesforce.com. Costs are usually computed on a subscription basis.

Infrastructure as a Service
The Infrastructure as a Service (IaaS) model utilizes virtualization, and clients pay an outsourcer for resources used. Because of this, this model closely resembles the traditional utility model used by electric, gas, and water providers. GoGrid is a well-known example of this implementation.

A number of organizations have examined risk-related issues that can be associated with cloud computing. These issues include the following:

Regulatory Compliance
Depending upon the type and size of your organization, there are any number of regulatory agencies' rules with which you must comply. If your organization is publicly traded, for example, then you must adhere to Sarbanes-Oxley's demanding and exacting rules, which can be difficult to do when the data is not located on your servers. Make sure whoever hosts your data takes privacy and security as seriously as you do.

User Privileges
Enforcing user privileges can be fairly taxing. If the user does not have least privilege (addressed later in this chapter), then their escalated privileges could allow them to access data they otherwise would not be able to and cause harm to it, whether intentional or not. Be cognizant of the fact that you won't have the same control over user accounts in the cloud as you did locally, and when someone locks their account by giving the wrong password too many times in a row, you/they could be at the mercy of the hours the technical staff is available at the provider.

Data Integration/Segregation
Just as web-hosting companies usually put more than one company's website on a server in order to be profitable, data-hosting companies can put more than one company's data on a server. In order to keep this from being problematic, you should use encryption to protect your data. Be cognizant of the fact that your data is only as safe as the data it is integrated with. As an overly simplistic example, assume that your client database is hosted on a server that another company is also using to test an application they are creating. If their application obtains root level at some point (such as to change passwords) and crashes at that point, then the user running the application could be left with root permissions and conceivably be able to see data on the server beyond what they should see (such as your client database). Data segregation is crucial; keep your data on secure servers.

Data integration is equally important: making certain your data is not commingled beyond your expectations. It is not uncommon in an extranet to pull information from a number of databases in order to create a report. Those databases can be owned by anyone connected to the extranet, and it is important to make certain the permissions on your databases are set properly to keep other members from accessing more information than you intended to share.

NOTE

Among the groups focused on cloud security issues, one worth paying attention to is the Cloud Security Alliance (http://www.cloudsecurityalliance.org).

Continues...

Excerpted from CompTIA Security+ Deluxe Study Guide by Emmett Dulaney. Copyright © 2011 by John Wiley & Sons, Ltd. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
"About this title" may refer to a different edition of this title.

Search results for CompTIA Security+ Deluxe Study Guide: Exam SY0-301

Dulaney, Emmett; Stinson, Karen M.
ISBN 10: 111801474X ISBN 13: 9781118014745
Used hardcover
Seller: Better World Books, Mishawaka, IN, USA
Seller rating: 5 of 5 stars
Condition: Very Good. Used book that is in excellent condition. May show signs of wear or have minor defects. Item no. 5460039-6
Price: EUR 3.52; shipping EUR 6.04 from USA to Germany
Quantity: 1 available

Dulaney, Emmett
Publisher: Sybex, 2011
ISBN 10: 111801474X ISBN 13: 9781118014745
Used hardcover
Seller: Wonder Book, Frederick, MD, USA
Seller rating: 5 of 5 stars
Condition: Very Good. Very Good condition. With CD! Deluxe edition. A copy that may have a few cosmetic defects. May also contain light spine creasing or a few markings such as an owner's name, short gifter's inscription or light stamp. Item no. Y13A-03412
Price: EUR 6.41; shipping EUR 21.36 from USA to Germany
Quantity: 1 available