These notes are from the Stackskills course.
Delphi technique is used to evaluate information assets. It relies on expert opinions, gathered through anonymous surveys of those experts.
Asset value (AV) = $100, covering tangible and non-tangible value. Exposure factor (EF) = 0.3, i.e. a single incident loses 30% of the asset value.
SLE (single loss expectancy) = AV * EF = $30.
ARO (annualized rate of occurrence) = 1/n where n is the number of times per year. Say 0.3.
ALE (annual loss expectancy) = SLE * ARO = $9.
So, don't spend more than $9 per year on countermeasures for this particular risk. It's about cost-effectiveness.
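Worked example of the AV/EF/SLE/ARO/ALE chain above, added here and not part of the course notes. It reproduces the $100 / 0.3 / 0.3 figures and then ranks candidate safeguards by the standard cost-benefit rule (ALE before, minus ALE after, minus the safeguard's annual cost); that rule and the candidate figures are assumptions beyond the notes' text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset_value: float      # AV in dollars, tangible + non-tangible
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # annualized rate of occurrence

    def sle(self) -> float:
        # Single loss expectancy: what one incident costs
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual loss expectancy: expected cost per year
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float        # yearly cost of the control
    new_exposure_factor: float  # EF after the control is in place
    new_aro: float              # ARO after the control is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Assumed cost-benefit rule: ALE before - ALE after - annual cost of control."""
    after = Risk(risk.asset_value, sg.new_exposure_factor, sg.new_aro)
    return risk.ale() - after.ale() - sg.annual_cost


def pick_safeguard(risk: Risk, candidates: list) -> Optional[Safeguard]:
    """Return the safeguard with the highest positive value, or None if none pays for itself."""
    best = max(candidates, key=lambda s: safeguard_value(risk, s), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return None
    return best


# Constructed figures matching the notes: AV=$100, EF=0.3, ARO=0.3 -> SLE=$30, ALE=$9
COURSE_RISK = Risk(asset_value=100.0, exposure_factor=0.3, aro=0.3)

# Constructed candidate controls (hypothetical names and numbers)
CANDIDATES = [
    Safeguard("cheap_control", annual_cost=5.0, new_exposure_factor=0.3, new_aro=0.1),
    Safeguard("gold_plated", annual_cost=15.0, new_exposure_factor=0.0, new_aro=0.0),
    Safeguard("hardening", annual_cost=8.0, new_exposure_factor=0.1, new_aro=0.3),
]

if __name__ == "__main__":
    print(f"SLE=${COURSE_RISK.sle():.2f} ALE=${COURSE_RISK.ale():.2f}")
    chosen = pick_safeguard(COURSE_RISK, CANDIDATES)
    print("chosen:", chosen.name if chosen else "none (spend nothing)")
```

The "gold_plated" control removes the risk entirely but costs more than the $9 ALE, so it is rejected, which is exactly the "don't spend more than $9" rule in action.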
Areas of vulnerability: physical, electrical, software, personnel.
Risk types: natural (fire), man-made intentional (arson, theft), man-made unintentional (employee mistakes).
Risk probability and prioritization:
- Perform risk analysis
- List risks identified
- Determine probability
- Prioritize risks
Quantitative risk analysis: estimate based on number of occurrences and dollar values.
Qualitative risk analysis: best-guess estimate by an expert.
Safeguard selection criteria: cost effectiveness, risk reduction and practicality.
Vulnerability scanners: Nessus is the main one. nmap or zmap is good for mapping the network too.
Vulnerability vs exploit: the former is a weakness; an exploit is a tool that can be used to take advantage of that weakness.