Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

Network Security Concepts: Identifying and Mitigating Risks, Lecture notes of Accounting

An overview of key network security concepts, including the calculation of annual loss expectancy (ale) using the formula sle x aro = ale, where sle is single loss expectancy and aro is annualized rate of occurrence. It also discusses various strategies for risk reduction, such as early identification of risks, communication about risks, considering both negative and positive risks, prioritizing risks, and thoroughly understanding risk causes and impacts. Potential risks associated with cloud computing and virtualization, as well as alternatives like containerization. Additionally, it touches on the importance of policies like privacy and hr policies, as well as the role of positive and negative reinforcement in promoting reliability. Overall, this document provides a comprehensive overview of network security concepts and risk management practices that could be valuable for students studying information technology, cybersecurity, or related fields.

Typology: Lecture notes

2023/2024

Available from 06/28/2024

helperatsof-1
helperatsof-1 🇺🇸

4

(4)

11K documents

1 / 11

Toggle sidebar

Related documents


Partial preview of the text

Download Network Security Concepts: Identifying and Mitigating Risks and more Lecture notes Accounting in PDF only on Docsity!

Unit 1 Assignment Purdue University Global IT286 – Network Security Concepts

Unit 1 Assignment Part 1 – Section 1 SLE x ARO = ALE According to Medium.com, SLE stands for Single Loss Expectancy, ARO stands for Annualized Rate of Occurrence, and ALE stands for Annual Loss Expectancy. Single Loss Expectancy (SLE) is a monetary value that you can expect to lose with a genuine risk at any time. Annualized Rate of Occurrence (ARO) is a percentage calculated by the chance of real risk. Annual Loss Expectancy (ALE) is the numerical value measured that the substantial risk turns in one year.This means that the Single Loss Expectancy multiplied by the Annualized Rate of Occurrence equals the Annual Loss Expectancy, or the monetary value you can expect to lose at any time multiplied by the percentage calculated by the chance of risk equals the numerical value that the risk turns within one year. SLE has to be calculated first before you can complete the above calculation. Single Loss Expectancy is obtained by SLE = AV x EF. We already know that SLE stands for Single Loss Expectancy, AV is the asset's value, and EF is the exposure factor. Exposure Factor is the loss that will happen to the asset when exposed to a threat in a percentage. So this means that to calculate the Single Loss Expectancy, we must first multiply the exposure factor's asset value. If an asset's value, such as a production machine, is $100,000, and the exposure factor is 30% (essentially a machine failure), this would be 100,000 x 0.3, and this means our Single Loss Expectancy is $30,000. Therefore, getting back to the initial formula of ALE = SLE x ARO, $30,000 x 0.5(once in two years) equals $15,000. So, our Annualized Loss Expectancy means a loss of $15,000.

Part 1 – Section 2 Once a risk assessment has been completed, there are several ways to reduce risk. The first way to minimize risks is to identify any possible risks early on in your project. This means reviewing potential dangers along with your team's experiences and existing knowledge, brainstorming any possible dangers, brainstorming missed opportunities for projects not completed, and identifying who is responsible for each potential threat. The second way is to communicate concerning risks. This includes sharing and gaining input from your team members concerning risk management for your projects. Focusing on threats and communicating back with bosses or customers. Allowing your sponsors to make the most critical decisions regarding significant risks as some risks may be beyond the project manager's permissions. The third way would be to imagine every opportunity as a possible threat when assessing risks. This means while there are bad risks that can hurt your projects, there are also beneficial risks that can pay-off without a considerable investment of time or money. These positive risks can help complete your project faster and cheaper than without them. The fourth way is to prioritize your risks. This means that some risks are more common and more disastrous than others, so you should focus your energies on the dangers that can hurt the most, along with developing contingencies for these same higher profile risks. The fifth way is to comprehend the reason and impact of the risks entirely. This means that routine problem solving involves moving from identifying the problem to creating a solution for the said problem, while risk management identifies potential risk causes first. Risks have different levels, from small risks with little to no impact up to huge risks that can cause the plan to fail or exceed budgets, and you need to evaluate every possible risk and causes to plan and

budget for these potential concerns. This information can be gathered in a risk analysis that will better help you prepare for these eventualities. Staying on task, meeting deadlines, and utilizing feedback can positively impact reducing risk and promoting positive results. By staying on task, you are knocking down your to-do list and focusing on each step along the way, which will assist you in meeting deadlines throughout your projects. By utilizing feedback from your team members, customers, and sponsors, you consider alternate views and opportunities that you may have missed that may help complete the project quicker, safer, and cheaper than initially scoped out. Each of these items are used positively to help reduce potential risks and better plan for contingencies. In these circumstances, multiple heads are always better than one. Part 1 – Section 3 Risks associated with state-of-the-art technologies should be carefully assessed. According to Professor Messer, one of the dangers of cloud computing is that the data could potentially be accessed by anyone that can create access. Another is that security is controlled or managed by others. The cloud servers can be unavailable, or you could get locked out while they are maintained offsite by alternate sources. One of the risks associated with virtualization is that the virtualization layer can put all systems at risk. Another is that there is minimal control over VM to VM communication and not a great deal of support for "virtual firewalls."A single physical server typically contains VMs that all have separate security profiles, while physical separation used to be so easy. There is also a possible loss of separation of duties, meaning that a system administrator typically controls many servers on a single physical piece of hardware.

According to TechRepublic, if there is too much concern over cloud computing, there are several excellent alternatives. The first would be mesh networks. This could enable equal bandwidth to all, as opposed to cloud servers hogging the bandwidth. The second is Project Solid, which Tim Berners-Lee created and proposed that every user control their own information, and once you opt-out, your information is deleted. The third alternate is Resilio, which was created by the same makers of BitTorrent. Resilio shares pieces of data with every member securely, eliminating servers. The fourth option is LBRY, which combines torrent-like file sharing with blockchain. This means that you have no central servers yet control who sees your information without RDM schemes. The fifth alternate is customer demand. While you can try to force specific options onto the people, they can always create an entirely new option that fills the same need in an even better way. According to Gerenser and Calvanese (2020), Containerization is a solid alternate contender for virtualization. Containerization can allow for running many separate applications on a single machine or cloud instance. Containerization involves encapsulating one or more applications and supporting files into containers that can run on one operating system, such as Linux. The administration is much easier with a single piece of hardware than virtualization, and communication between all VMs is faster and more efficient. Part 1 – Section 4 The policy matches a few critical areas for sound policies, including the policy overview, the scope statement, and a partial accountability statement. However, this policy lacks the remainder of the accountability statement (the contact details), along with the exception and policy

statements. The accountability statement needs to be expanded, and the other two statements need to be added entirely. Policy Overview Statement This means that the policy states its purpose. Scope Statement The policy states the scope of items to accomplish. Accountability Statement The policy states who is accountable for any issues encountered, though no contact details. Exception Statement This is missing and would need to be added. Policy Statement There is none. Part 1 – Section 5 "High Availability (HA) is the ability of a system or system component to be continuously operational for a desirably long length of time"(Rouse, 2019). According to Merriam-Webster, redundancy is the state or quality of being redundant, a profusion or abundance, a superfluous repetition or act or instance of needless repetition, or a part of a message that could be removed with any loss of essential information. Imperva (2019) states that fault tolerance is a system's ability (could be a computer, network, or cloud cluster) to continue operating without interruption when one or more of its components fail. All three of these items correlate to how a system can functionally run during a high-risk threat or event. High availability infers how well a system can run during an outage or loss of power. Redundancy is the ability to have a backup contingency in place, such as a power generator to retain power during an outage. Fault tolerance is the ability to continue running the

system with a portion of it down or broken. These items can help ensure a system runs smoothly and effortlessly, no matter the risks or threats encountered. Part 1 – Section 6 One of the policies that I would institute as CIO (Chief Information Officer) would be a Privacy Policy. LabSIM states that privacy policies state how the organization will secure private information for employees, clients, and customers. This would include no pictures of proprietary information, along with no copying or exporting of customer and client databases and information. The second policy that I would institute as CIO would be a Human Resources (or HR) Policy. LabSIM states that HR policies are utilized by Human Resources that define hiring and termination processes, job rotation requirements, and personal time off procedures. As a CIO, I would promote reliability with positive reinforcement, including free lunches, occasional afternoons off, or small company trinkets such as keychains, mugs, or tee shirts. If reliability was not enforced well enough positively, negative reinforcements might be required, including mandatory overtime and loss of the above privileges. Accountability would be on a strike system. The first "strike" for not completing work by the deadline would be a verbal warning, and all work checked daily by management. The second "strike" would be a write-up included in your employee file and shadowing by your supervisor or team leader, along with the daily checks. The final "strike" would be both actions previously along with a demotion or re-assignment to a more menial and more manageable task load.

Timeliness falls under reliability in my mind, so the same objects play into this option. Part 2 – Section 1 Part 2 – Section 2 According to JOINT TASK FORCE TRANSFORMATION INITIATIVE (2012),a threat is any circumstance or event with the potential to impact organizational operations adversely, organizational assets, individuals, other organizations, or the Nation through an information

system via unauthorized access, destruction, disclosure, or modification of information, and denial of service. According to JOINT TASK FORCE TRANSFORMATION INITIATIVE (2012), a vulnerability is a weakness in an information system, system security procedure, internal controls, or implementation that could be exploited by a threat source. Threatanalysis (2020) states that a threat is anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset. In contrast, vulnerability is any weakness or gaps in security programs that can be exploited by threats to gain unauthorized access to an asset. Part 2 – Section 3 Installation of malware by allowing any removable media, such as USB keys or memory cards. Identifying a threat. Removeable media in external locations granting access into the system by malware by an employee. Sources and events. Organizational Information Systems Identifying vulnerabilities. Removable media security standards in place. Predisposing conditions.

References 3.1 Security Policies. (2020). Retrieved November 17, 2020, from https://labsimapp.testout.com/v6_0_417/index.html/productviewer/225/3.1/65dd43e9-aff7- 495c-802b-09be009a5aa Czagan, D. (2020, October 30). Quantitative Risk Analysis. Retrieved November 16, 2020, from https://resources.infosecinstitute.com/topic/quantitative-risk-analysis/ Initiative, J. (2012, September 17). Guide for Conducting Risk Assessments. Retrieved November 17, 2020, from https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final Merritt, T. (2017, October 05). Top 5: Alternatives to centralized cloud services. Retrieved November 17, 2020, from https://www.techrepublic.com/article/top-5-alternatives-to- centralized-cloud-services/ Redundancy. (n.d.). Retrieved November 17, 2020, from https://www.merriam-webster.com/dictionary/redundancy Risks with Cloud Computing and Virtualization - CompTIA Security+ SY0-401: 2.1. (2014, September 26). Retrieved November 17, 2020, from https://www.professormesser.com/security-plus/sy0-401/risks-with-cloud-computing-and- virtualization/ Rouse, M. (2019, March 27). What is High Availability? - Definition from WhatIs.com. Retrieved November 17, 2020, from https://searchdatacenter.techtarget.com/definition/high-availability Scott Gerenser& Andy Calvanese⋅ Published: May 15, 2. (2020, May 15). Containerization as an Alternative to Virtualization. Retrieved November 17, 2020, from https://www.radioworld.com/tech-and-gear/radio-it-management/containerization-as-an- alternative-to-virtualization Secse. (2015, May 30). Computing Risk Assessment. Retrieved November 16, 2020, from https://medium.com/@secse/computing-risk-assessment-5d5814a118ff Stanleigh, M. (2016, March 03). Michael Stanleigh. Retrieved November 16, 2020, from https://bia.ca/10-easy-rules-to-reduce-risks-on-projects/ Threat, vulnerability, risk - commonly mixed up terms. (2010, May 03). Retrieved November 17, 2020, from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk- commonly-mixed-up-terms/

What is Fault Tolerance?: Creating a Fault Tolerant System: Imperva. (2019, December 30). Retrieved November 17, 2020, from https://www.imperva.com/learn/availability/fault- tolerance/