CompTIA Security+ SY0-601 – 5.4 Risk management processes and concepts Part 2

3. Risk Assessments

In this video, I’m going to be talking about risk assessment types. So there are two risk assessments that you’re going to need to know for your exam. One is a qualitative and one is a quantum tattoo format. So qualitative and quantitative format. So let’s talk about what exactly they are. You saw a bunch of formulas there. Yeah, you’re going to need to know some numbers in this. Don’t worry, it’s not complex. A qualitative versus quantumative analysis. So when you’re assessing risk, one of the easiest way to do it is with a qualitative analysis. Know for your exam, a qualitative analysis is a risk analysis. Where it is verbal, it is a descriptive analysis of risk. So risk is basically assessed on two things, the probability of occurrence and its impact. Take, for example, an earthquake in New York City.

A major earthquake in New York City. A major earthquake in New York City. How would you describe that? Would you say it is a high probability, low probability? I’ll say low probability. But what about the impact? Would it be high, medium or low? That would say high impact, low probability for a major earthquake in New York City. But a major earthquake in California we could say is going to be medium probability and high impact. But how about a major earthquake in the middle of the ocean? Even if it forms a tsunami, it’s not going to come there. So we’ll say low probability and maybe high, maybe low impact too. It just depends, right? So there’s different, different ways to assess risk. And this qualitative way is the easiest way. Basically, qualitative analysis uses the user or the person doing it own knowledge.

It’s very subjective because it’s based on my own experience and it’s not data driven. You don’t need to go out and gather data. Now, a quantitative analysis, that’s different, a quantum type of analysis. Remember, for your exam, a quantumative analysis is a numerical assessment of risk. Quantum tatum being numerical. Numerical analysis of risk. So in this one I’m going to say, so what’s the probability of an earthquake in New York City? You’re going to say, well, in a given year it is a 1% chance. That would be a quantum state of assessment. What would the impact be? No, the impact would be we would lose $7 million worth of data. So this is more of a numerical impact. Now, quantitative analysis is harder, it’s more objective, and it requires a lot of data.

You actually got to go out and gather data, statistical information. So remember, qualitative is quick, it’s fast, it’s based on user opinions, and it’s very subjective. Quantitative takes longer. Quantitative requires a lot of data and it’s all numerical. Now for your exam, I’m going to show you guys some risk formulas. Now, these things used to be hot on your exam. It’s a hit and miss. Now you’re probably going to get questions on it. I would say good 70% of you guys will get questions on these formulas. It’s really just two formulas, SLE and Ale. And that’s all you need to know for your exam. So I put this here. I’m going to copy this description back into the notes here. So you have the formulas also because they’re in the objective, but the formula isn’t in there.

So I’m going to copy this back into the exam, into the description of this video. So you have it also. But I want you to take some notes on this as I go through this. Let’s take a look at these formulas really quickly. They’re not hard. They’re pretty easy. So there are a couple of things. By the way, these formulas, this is applying to quantitative assessment because we’re going to be looking at a numerical assessment. What this formula does is going to tell me what is the yearly impact of our risk on our organization? So let’s do one. Let’s say you have data, okay? The asset is data, and the risk is viruses malware on our data. Now here’s how this works. Basically, you first got to look at the asset value. So what is our data worth? Don’t question this. I’m making this up. Don’t question it. Just go along.

You just need to know the formulas for your exam. Remember, they’re going to give you the numbers. You’re going to just have to calculate them. Okay? So the asset value is $1 million. Okay? So we’re talking data is the asset. This is the asset, and the threat is virus. All right? So threat, virus, asset, data. So the asset value is $1 million. So you have to now know the value of that asset. The other one is the exposure factor. And this is generally a percentage of loss that the organization would experience if the assets were violated. So ask yourself this, how much of data would be lost if we get hit with a virus? It’ll be 50%. I would think 100%. I would say 100%. In other words, if we get hit with a bad virus, we can lose all of the organization’s data.

So the single loss, single lost expectancy is the cost associated with single risk. The single loss expectancy is equal to is the SLE single loss expectancy is equal to the asset value times the exposure factor. So it’ll be 1 million times 100% is $1 million. In other words, what I’m saying is every single keyword single every single time you get hit with a virus, you’re going to lose a million dollars. Something to keep in mind, right? Because you’re losing all your data in this every single try. The other question, though, would be how many times a year would you get a virus? Now here’s the thing about the arrow. You have to do it before you implement the mitigation, because you’re trying to justify the mitigation. We spend a lot of money on malware protection, don’t we? We buy endpoint protection software.

We train our users. We have firewalls. We hire security people. We train security people. Millions of dollars is spent in organizations every year to stop malware. Is it worth it? Well, that’s what this is going to answer. So we’re basically doing this as if we have no protection. So you got to what if you had no user training? What if you have no antivirus? Nothing. Then how many times a year would you get a virus? You probably say an Andrew every day. I’ll be more conservative. So the annual rate of occurrence is the expected frequency. With bitches specific threat will occur. I’m going to say 100 times a year. Okay? I’m going to say 100 times a year. That means that if you don’t have any antivirus, you’re going to get at least two viruses a week, 100 times a year.

That brings me to the annualized loss expectancy. The yearly cost of this risk will be the Ale is equal to the SLE. So we got 1 million times the Aro, which is a hundred. So we’ll say we’re basically going to lose a hundred million dollars a year. This is the number I’m looking at. So basically you’re going to lose a hundred million dollars every single year if you don’t have any control. Because now after this assessment, it’s after this assessment, do we know how much the company is losing if we don’t respond to this risk? We know that, hey, there’s $100 million will be lost if the company doesn’t take action, if they don’t buy the antivirus, if they don’t train those users, don’t have security administrators, have firewalls, IDs systems and all the good stuff that we have today. This is how we can start to justify the expenditures that we spend millions of dollars on it. Okay, so these are the formulas.

Let me just do a quick review with them. Play this video again, watch it again, make some notes on it. So the asset value, remember, is the value of the overall asset that’s going to be given to you in a question. The exposure factor will also be given to you in the question. This is the percentage of loss. So the single loss expectancies every single time. So don’t forget it’s slee times the SL is equal to the AV times the EF. Now, the annual rate of occurrence also has to be given to you. You can’t calculate this. Something has to be given to you in the question. They’re going to tell you how many times a year this risk can occur. And then the Ale is just equal to the SLE times the arrow. Okay, I want you once more time review this section. Make sure you’re well, because don’t be surprised if you see some of these formulas on your exam.

4. Business impact analysis

In this video, I’m going to be talking about disasters and the business impact analysis. Let’s get started. So every organization at some point in its existence will face some kind of a disaster. Now, basically a disaster could be something as a snowstorm term, a hurricane, a major data breach, a debt server, denial of service. Anything that could bring the organization down would be considered some kind of major disaster. Now, we do have some terms here that we want to talk about environmental, person made internal and external disaster. So the first one up is an environmental disaster. Environmental disasters are generally major disasters that are caused by humans doing bad things such as a nuclear nuclear explosion causing nuclear toxic fumes in the air would be an example of that.

Environmental disasters generally disasters caused by human activity that’s different than natural disasters. So natural disasters is what’s going to happen when snowstorm more like natural things that occurs in your region, such as snowstorm or hurricanes or floods, would be more of a natural disaster. The other one are going to be person made. So person made disasters like terrorism would be a type of a person made disaster. Then you have for the organization, you’re going to have internal and external disaster. So internal disasters are basically disasters that you’re going to have internally to the business, such as a major server going offline. Of course, switch die in a misconfiguration or a firewall that took out Internet to the entire company would be more of an internal.

External disasters would be like natural disasters happening on the outside or even environmental Disasters that Are External To the Business but could cause Harm to the business as Part of A Business Continuity plan one of the part of business continuity, I should say plan in one Of The things that the organization should be doing is a Business Impact analysis. And what this does, the Bia, what it does is that it will outline how will the business be impacted by different disasters. Now, in theory, you’re going to do a BIA for all the disasters that are identified during your disaster identification process. And you can also go back to your risk, right? It’s very closely related to risk because a lot of risk are basically disasters. So you would go back and identify all the disasters and say, okay, this is how they’re going to impact my business.

Now, there are two terms that your exam loves to test on is recovery time objective and a recovery point objective. Know these two terms of your exam RTO on RPO. So the RTO recovery time objective is the maximum amount of time that the business can be without a particular server or a particular application or particular data. So take for example, the RTO would be 5 hours for this application. 5 hours would be like okay, so if this application goes down for more than 5 hours, we’re okay, we’re not going to lose any money, but if it goes down for more than that, we start to lose money. Your website, what’s the RTO on your website? It may be maybe 7 hours, let’s say, which means anything more than 7 hours, your business starts to lose money.

Amazon’s RTO zero. All right, zero. Why? Because basically they don’t want their website to ever go down, but they’re going to spend a lot of money, which they did in order to keep it up. Now, the recovery point objective is the amount of data you could lose. Now this is more of a time going backwards. The recovery point objective is how much at least data backups you should carry. So if the recovery point objective is one day, that means the organization is willing to accept one day loss of data. That means you should do backups every single day. If you’re doing backups every five days, that means your recovery point objective is every five days. That means you’re willing to lose up to five days worth of data. Remember these two terms for your exam. They love questioning it.

Okay, the other two terms we have here is going to be meantime to repair and meantime between failures. So mean time to repair, how long does it take to fix the device? Right? The other one that’s missing here is going to be MTTF. Now, this wasn’t in the exam objectives, but generally when you talk of these two terms, MTTF, generally we talk of these three terms. So meantime to failures, when the first time the device will fail, meantime to repair, how long it takes to repair it, and then after the first failure, to have the other failure, meantime between failures. So let’s talk about this for example, let’s say I have the phone and this phone meantime to failure. Now the manufacturer knows that continuous use over a certain period of time, this device would fail.

After three years, how long will it take to fix it? This device is not fixable. But let’s say you do have fixable devices. Let’s say it takes two days. So the first time it fails was three years, and it takes two days to fix meantime to repair. And then after the first failure, to every other failure, how long would that take? Well, let’s say every two years. After that it fails again. So that would be meantime between failures. Businesses and organizations must have functional recovery plans. A function is generally defined as a department within the organization. We must have plans, recovery plans, to recover entire business functions, like the entire department, how the department was laid out. Imagine your whole site, that all your accountants and your sales work into was destroyed in a fire.

When you recreate the function, do you know how to actually recreate that function? Do you know the procedures they follow, the paper they use, the applications? They have one point of a business impact and disaster recoveries is going to be this constant a single point of failure. We have to analyze and look within our environment to determine what are the single point of failures within our companies. Then we have to eliminate those single point of failures. The way to eliminate single point of failures would be to see if there’s only one piece that’s holding it up. There’s no redundancy in that. Single point of failures would be things like a server with a single power supply. And we talked about dual power supply. A server with a single hard drive.

That would be a massive single point. So put a rate system, put cluster in and load balancers, have an redundant internet connection would be fixing your single point of failure. You must have disaster recovery plans, generally per disaster. So how do we recover from an earthquake, a flood, a fire in this data center, or in that office space? Mission critical functions must be identified and plans must be made for them to have redundancy built into them. Of course we want to be able to identify those critical systems. We want to identify those essential functions that this business is doing. And then of course, every site is going to have unique risk. A site in New York City does not have the same risk as the site in California.

Why? Because we’re less prone to earthquake than they are. A site in the Midwest of the country versus a site in midtown Manhattan. There’s a lot of people in Midtown Manhattan. Midtown Manhattan is prone to earthquake, not earthquakes, floods and hurricanes and blizzards. While in the Midwest of the country they may be prone just to a tornado, but there’s not a lot of people there. So there are unique risks to each site that needs to be a self. Okay, guys, on your exam, make sure to review this section. Make sure to know your RTO, your RPO, make sure MTTR and TBF, these are very popular terms that they like testing you on your tests.

• Category: Uncategorized