Professional Documents
Culture Documents
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
• ARO is the likelihood, often drawn from historical data, of an event occurring
within a year: the annualized rate of occurrence.
When you compute risk assessment, remember this formula:
SLE × ARO = ALE
Likelihood
Threat Vectors The term threat vector is the way in which an attacker poses a threat.
This can be a particular tool that they can use against you (a vulnerability scanner, for
example) or the path(s) of attack that they follow. Under that broad definition, a threat
vector can be anything from a fake email that lures you into clicking a link (phishing) or an
unsecured hotspot (rouge access point) and everything in between.
Mean Time to Failure Similar to MTBF, the mean time to failure (MTTF) is the average time to failure for
a nonrepairable system. If the system can be repaired, the MTBF is the measurement to focus on, but if
it cannot, then MTTF is the number to examine. Sometimes, MTTF is improperly used in place of MTBF,
but as an administrator you should know the difference between them and when to use one
measurement or the other
Recovery Time Objective The recovery time objective (RTO) is the maximum amount of
time that a process or service is allowed to be down and the consequences still to be
considered acceptable. Beyond this time, the break in business continuity is considered to
affect the business negatively. The RTO is agreed on during BIA creation
A PTA, on the other hand, is more commonly known as an “analysis” rather than an
“assessment.” This is the compliance tool used in conjunction with the PIA. An example of
the form the DHS uses for this purpose can be found at https://www.dhs.gov/compliance.
Risk Transference
Risk Mitigation
Risk Acceptance
• Platform as a Service Among the groups focused on cloud security issues, one
worth noting is the Cloud Security Alliance
• Software as a Service (https://cloudsecurityalliance.org). They have published a
number of whitepapers on security-related issues that
• Infrastructure as a Service
can be found on their site and should be considered highly
recommended reading for security administrators.
Breaking Out of the Virtual Machine If a disgruntled employee could break out of the
virtualization layer and were able to access the other virtual machines, they could access
data that they should never be able to access
Intermingling Network and Security Controls The tools used to administer the virtual
machine may not have the same granularity as those used to manage the network. This
could lead to privilege escalation and a compromise of security.