Network Security CISSP-Discussion

Re: [CISSP-D] Control types?

Subject: Re: [CISSP-D] Control types?
Date: Wed, 01 Dec 2004 23:26:57 -0000



Kevin,

The control types you need to know for the CISSP are only the following three:

Preventative:  used to avoid or deter occurrences
Detective:     used to identify occurrences
Corrective:    used to correct
 
Shon Harris created the confusion when she created new categories that are not used by the rest of the industry:

Deterrent    - used to discourage
Recovery     - used to restore resources and capabilities
Compensation - insurance (1st edition), other controls (2nd edition)
 
1) Deterrent is nothing more than a "weak" preventative. But that isn't even a useful distinction since no security control is 100%.

2) Recovery is simply an example of a corrective measure.

3) Compensation is a useful idea (use another control) but this is simply the concept of defense in depth and can't be used to categorize any one control since a compensatory control is by definition different from other controls - this is a relative definition and requires knowledge of the other controls.

Ignore the S. Harris "types" of deterrence, recovery, and compensation. They make no sense, are not standard, and are not in the CISSP.
 
 
There are also control areas (not to be confused with control types). The control areas come from HIPAA which defines security controls as:

administrative: policies, procedures, activities
physical      : physical security controls
technical     : logical security controls

These control areas are orthogonal to the control types. I typically have my students draw a 3 x 3 matrix with control types (preventative, detective, corrective) along the top and control areas (administrative, physical, technical) along the side and have them fill in one example for each of the 9 cells. i.e., administrative / preventative = acceptable use policies...
 
Regarding fire suppression systems. Many of these 'systems' contain several elements: a) fire detection (smoke, heat, flame), b) alarm notification and c) fire suppression (water, FM-200, etc.). The point of a fire suppression system is to first detect conditions which may lead to a fire and to notify personnel to investigate. If the personnel get there fast enough they may be able to find the false alarm or put out the fire prior to the fire suppression (water dump). So fire suppression systems can prevent (by detecting pre-combustible conditions), detect, and correct fires.

Regarding ARO. ARO is exactly what it says: Annual Rate of Occurrence. NOT the probability or likelihood of occurrence. The book you quote is wrong. The ARO of a virus in an email attachment is much higher than 1 (typically) and the ARO of a fire is (typically) much lower.

 
Good luck on the test. Hope this clears things up.
 
 Regards,
 
 Doug Landoll
 Veridyn 



--- In CISSP-Discuss@yahoogroups.com, Kevin Stevens 
<certification@p...> wrote:


On Nov 29, 2004, at 19:57, Alberto Rivai wrote:

I think we should understand the goals of each control method --
Preventive : Avoid occurrence
Detective : Identify occurrence
Corrective : Remedy circumstances, restore control
Deterrent : Discourage violations
Recovery : Restore resources, capabilities
Compensating : Alternative control

Fire suppression is preventive because it lessens the damage from the fire. Although fire suppression takes place after the fire happened, it fits the objective of control as countermeasure, which is to minimize the risk to an acceptable level for the organization. There are no definitive guides to those types of controls, because each method can be part of other control types.

Thanks, that's helpful - in my words, fire suppression systems prevent/limit the extent of the loss.  Got it.

For the ARO value the range can be from 0 which is never to 1 which is always. If a virus attack happens all the time in a company, then the ARO value for a virus attack is 1. What does it mean? It means the value of a safeguard you should put in the company per year is the same as the value of the SLE itself.

Example:
Asset value for a file server is $100,000
Exposure factor for the file server 50%
Then the SLE : 50% * $100,000 == $50,000
To calculate ALE == ARO * SLE

If the ARO == 1 then the ALE == 1 * $50,000 == $50,000
It means you should spend $50,000 or less per year for the countermeasure to be efficient.

This still seems wrong to me.  Take your file server example, and assume that we're talking about, say, a RAM failure.  Say this actually occurs an average of once a year.  Punching the numbers:

Value is $100,000 (pricey server!)
EF is 50%
SLE is $50,000
ARO is 1
ALE = 1 * $50,000 = $50,000

Check.

NOW say that for server B, the actual rate of incident of RAM failure is once every three months.

Per your perspective, the above calculation is identical.  The conclusion is that your ALE can never be greater than your SLE, and that replacing that RAM four times during the year (avg.) cost you exactly the same amount in loss or mitigation as replacing it once per year.

My perspective is that ARO for the second scenario should be 4.  Run the numbers again:
Value is $100,000 (too much for a server with crappy RAM!)
EF is 50%
SLE is $50,000
ARO is 4
ALE = 4 * $50,000 = $200,000

Now you have an accurate reflection of the loss expectancy - the server that fails four times a year is going to cost you (or is worth paying to avoid) four times as much as the server that fails only once.

The *probability* that each server will fail during a year is, indeed, 1.  The *frequency* expectation that the server will fail is 1 for the first server, and 4 for the second.  I thought ARO was about frequency (annualized RATE of occurrence), not probability (annualized likelihood that ANY failure will occur)?

Ok, finally, y'all have driven me to look up the ISC2 definition of ARO:

"This term characterizes, on an annualized basis, the frequency with which a threat is expected to occur.  For example, a threat occurring once in ten years has an ARO of 1/10 or 0.1; a threat occurring 50 times in a given year has an ARO of 50.0.  The possible range of frequency values is from 0.0 (the threat is not expected to occur) to some whole number whose magnitude depends on the type and population of threat sources.  For example, the upper value could exceed 100,000 events per year for minor, frequently experienced threats such as misuse of resources..."

"It is useful to note here that many confuse ARO or frequency with the term and concept of probability (defined below). While the statistical and mathematical significance of these metrics tend to converge at about 1/100 and become essentially indistinguishable below that level of frequency or probability, they become increasingly divergent above 1/100, to the point where probability stops -- at 1.0 or certainty -- and frequency continues to mount undeterred, by definition."

So they said it better than I did.  ;)  I'm gonna make the call that the Meyers book is wrong.  Actually, so is ISC2, because there's no reason to think that the ARO will ever be a "whole number", but I get their drift.

KeS
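The ARO/SLE/ALE arithmetic argued in this thread, worked through as an added example (not code from any of the posters): ARO is derived from an observed incident count over an observation window, so it is a rate that can exceed 1, and the "capped at probability 1.0" reading is shown beside it. Dollar figures and failure rates are the thread's constructed file-server scenario; the safeguard-spend helper is my own assumption about how the "spend $50,000 or less" rule generalizes.

```python
def aro_from_history(incidents: int, years: float) -> float:
    """Annualized Rate of Occurrence: incidents observed divided by the
    observation window in years. A rate, not a probability, so it may
    exceed 1.0 (4 RAM failures in one year -> 4.0) or sit well below it
    (one fire in ten years -> 0.1)."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value times the fraction lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(aro: float, single_loss: float) -> float:
    """Annualized Loss Expectancy = ARO * SLE (the ISC2 reading)."""
    return aro * single_loss


def ale_capped_at_probability(aro: float, single_loss: float) -> float:
    """The disputed reading: ARO treated as a probability that stops at 1.0,
    so ALE can never exceed SLE no matter how often the loss recurs."""
    return min(aro, 1.0) * single_loss


def max_justified_annual_spend(ale_before: float, ale_after: float) -> float:
    """Assumed rule: a safeguard is worth at most the annual loss it avoids."""
    return ale_before - ale_after


# Constructed scenario from the thread: $100,000 file server, EF 50%,
# server A fails once a year, server B once every three months.
SERVER_VALUE = 100_000
EXPOSURE_FACTOR = 0.5


def thread_example() -> dict:
    loss = sle(SERVER_VALUE, EXPOSURE_FACTOR)            # $50,000 per incident
    aro_a = aro_from_history(incidents=1, years=1)       # 1.0
    aro_b = aro_from_history(incidents=4, years=1)       # 4.0
    return {
        "SLE": loss,
        "ALE_A": ale(aro_a, loss),                        # $50,000
        "ALE_B": ale(aro_b, loss),                        # $200,000
        "ALE_B_if_capped": ale_capped_at_probability(aro_b, loss),  # $50,000
        "fire_ARO_once_per_decade": aro_from_history(1, 10),        # 0.1
        # Safeguard that brings server B down to server A's failure rate:
        "max_spend_B_to_A": max_justified_annual_spend(ale(aro_b, loss), ale(aro_a, loss)),
    }


if __name__ == "__main__":
    for name, value in thread_example().items():
        print(f"{name:>26}: {value:,.2f}")
```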