Network Security CISSP-Discussion

RE: [CISSP-D] Control types?

Subject: RE: [CISSP-D] Control types?
Date: Mon, 29 Nov 2004 13:12:17 -0800 (PST)


ARO is a percentage scale.  0 means 0%, or it will
never happen.  1 means 100%, or it will be happening
all of the time.  Likewise, .5 means 50% of the time. 


So, for example, on your ISP circuit, you will
probably have port scans and such hitting your border
routers around the clock.  This means it is happening
all of the time, so the ARO would be 1.

If you work in a location that has hurricanes rarely,
say once every ten years, then the ARO would be .001,
or .1%.  (Don't forget, ARO is ANNUAL Rate of
Occurrence, so something that happens less often is
still calculated, but it is less than 1%.)

As for the different answers you're getting regarding
control types, remember that the different study
guides are all trying to categorize things that may
fall into overlapping categories, and they are trying
to guess at which way the ISC2 will choose to
categorize them.  Fences are a great example of this.
Personally, I think they meet the criteria for
deterrent (if someone sees one, it may dissuade them
from trying to access), AND they can also be
preventative (if you have a high fence with barbed
wire on top it can definitely keep some people out).

My advice would be to follow the ISC2 book in the
event of a conflict.  Since they are the ones issuing
the test, they would know best which way they would
categorize it.  At the same time, remember, just like
a lot of other things covered by this type of test, it
is trying to take real world examples and categorize
them into black and white, which is often not
possible.  Take some of this stuff with a grain of
salt.

Hopefully that helps.

Jerry Patterson