
ltwilliams | CompTIA Security+ | Module 2

By: ltwilliams | Related Course: CompTIA Security+ | Published: September 30, 2017 | Modified: October 2, 2017

Risk related concepts

A control – a hardware, software or procedural safeguard that implements and enforces a policy.

+Technical control – enforced by technology, e.g. passwords, encryption, firewalls

+Management control – policies and practices set by management, e.g. risk assessments, management procedures

+Operational control – day-to-day procedures, standards and best practices carried out by people, e.g. backups, awareness training

All to implement and enforce the directives of management.

If a control is tuned too strictly it produces false positives; if it is tuned too slackly it produces false negatives.

False positive – the user is authorised and is trying to connect, but the system reports a problem. Nothing should have been alerted on, yet an alert is raised.

False negative – the system reports no problem, but in reality there is one. A real attack or failure goes unnoticed, which is usually the more dangerous of the two.
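To make the strict/slack trade-off concrete, the following added example (not from the original notes or from Cybrary) applies a simple "alert when failed logins reach a threshold" rule to a constructed, labelled set of accounts and counts the false positives and false negatives at each threshold. The account names, failure counts and labels are invented for illustration; the same confusion-matrix logic applies to any alerting rule with a tunable threshold.

```python
# Constructed sample of failed-login counts per account in one 10-minute
# window, with a ground-truth label saying whether the activity really was an
# attack. Synthetic data for illustration, not taken from the notes.
SAMPLE_EVENTS = [
    # (account, failed_logins, is_attack)
    ("alice", 2, False),  # mistyped password twice
    ("bob",   4, False),  # forgot password after a reset
    ("carol", 5, False),  # kept retrying an expired password
    ("dave",  7, True),   # password spraying
    ("erin",  9, True),   # credential stuffing
    ("frank", 3, True),   # low-and-slow attacker, only 3 failures
]


def evaluate_rule(events, threshold):
    """Apply the rule 'alert when failed_logins >= threshold' to each event
    and count the outcomes against ground truth.

    Returns a confusion matrix: tp (attack alerted), fp (legitimate user
    alerted: a false positive), tn (legitimate user not alerted) and
    fn (attack not alerted: a false negative).
    """
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for _account, failures, is_attack in events:
        alerted = failures >= threshold
        if alerted and is_attack:
            counts["tp"] += 1
        elif alerted and not is_attack:
            counts["fp"] += 1
        elif not alerted and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def sweep(events, thresholds):
    """Evaluate the same rule at several thresholds so the trade-off between
    false positives (strict) and false negatives (slack) is visible."""
    return {t: evaluate_rule(events, t) for t in thresholds}


if __name__ == "__main__":
    for threshold, counts in sweep(SAMPLE_EVENTS, [3, 4, 6]).items():
        print(f"threshold {threshold}: {counts}")
```

With this data a threshold of 3 catches every attack but alerts on two legitimate users, while a threshold of 6 produces no false positives but misses the low-and-slow attacker entirely. Neither setting is "right"; the choice depends on which error the organisation can better tolerate.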

Importance of policies to reduce risk of unauthorised disclosure of information

-Privacy policy – dictates how personal data is handled in the organisation, e.g. if credit card information is collected, how it must be stored, who may access it and for how long it is kept.

-Acceptable use policy – dictates the acceptable use of equipment and resources, e.g. what staff may and may not do with company systems and internet access.

-Security policy – one policy or a group of policies that dictates how security is run within the organisation, e.g. how accounts are maintained, password generation and complexity requirements.

-Mandatory vacation – dictates that users must take periodic leave. While they are away someone else covers their role, which gives the organisation a chance to detect fraud or irregularities the absent person may have been concealing.

-Job rotation – staff are rotated across jobs so they learn new roles. The absence of one member can then be covered by another, so someone is always available, and a person who rotates into a role can spot misuse left behind by the previous holder.

-Separation of duties – critical job functions are broken down into multiple roles held by different people, so that no single person can complete a sensitive transaction alone. This prevents and limits the risk of fraud and abuse of power.

-Least privilege – each user is given only the exact permissions required to do their job. If more is granted than is needed, the extra access can be abused or exploited if the account is compromised.
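Separation of duties and least privilege are usually enforced in code as an authorisation check. The following added example (not from the original notes or from Cybrary) models a hypothetical accounts-payable workflow: each role holds only the permissions its job needs, and approving an invoice is refused when the approver is the person who created it, even if that user has somehow accumulated both roles. The role names, permission strings and invoice amounts are invented for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical roles for an accounts-payable workflow. Each role carries only
# the permissions its job needs (least privilege); no single role can both
# create and approve an invoice (separation of duties).
ROLE_PERMISSIONS = {
    "ap_clerk":   {"invoice:create", "invoice:read"},
    "ap_manager": {"invoice:approve", "invoice:read"},
    "auditor":    {"invoice:read"},
}


class AuthorizationError(Exception):
    pass


@dataclass
class Invoice:
    amount: int
    created_by: str
    approved_by: Optional[str] = None


def has_permission(roles, permission):
    """Least privilege: a permission is granted only if one of the user's
    roles explicitly lists it. Unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return permission in granted


def create_invoice(user, roles, amount):
    if not has_permission(roles, "invoice:create"):
        raise AuthorizationError(f"{user} may not create invoices")
    return Invoice(amount=amount, created_by=user)


def approve_invoice(user, roles, invoice):
    if not has_permission(roles, "invoice:approve"):
        raise AuthorizationError(f"{user} may not approve invoices")
    # Separation of duties: the permission check alone is not enough. A user
    # who accumulates both roles (e.g. after a job change) must still be
    # blocked from approving an invoice they created themselves.
    if invoice.created_by == user:
        raise AuthorizationError(f"{user} cannot approve their own invoice")
    invoice.approved_by = user
    return invoice


def self_approval_attempt_blocked():
    """Worked scenario: 'mallory' holds both roles and tries to approve her
    own invoice. Returns True if the separation-of-duties check stops her."""
    both_roles = ["ap_clerk", "ap_manager"]
    invoice = create_invoice("mallory", both_roles, 9_999)
    try:
        approve_invoice("mallory", both_roles, invoice)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    inv = create_invoice("alice", ["ap_clerk"], 500)
    print(approve_invoice("bob", ["ap_manager"], inv))
    print("self-approval blocked:", self_approval_attempt_blocked())
```

The point of the second check in approve_invoice is that role accumulation is exactly how separation of duties erodes in practice: job rotation without revoking old permissions leaves people holding both halves of a sensitive transaction, so the workflow itself has to refuse the combination.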


Risk related concepts pt 2

MTTR – Mean time to repair – the average time it takes to restore a failed device to service. Includes the time to fix it and to test it, so it is a measure of how long each outage lasts.

MTBF – Mean time between failures – the average time a device runs before it fails. Used for devices that can fail and be repaired, and usually supplied by the manufacturer.

MTTF – Mean time to failure – used for devices that are replaced rather than repaired. The average time the device can be used before it must be replaced; also usually supplied by the manufacturer.


ALE – Annualised loss expectancy – the loss you expect per year from a given risk. ALE = SLE × ARO.

SLE – Single loss expectancy – if the loss occurs once, what it costs in dollars.

ARO – Annualised rate of occurrence – how many times the loss is expected to happen per year. Can be a fraction, e.g. 0.5 for once every two years.
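The following added example (not from the original notes or from Cybrary) carries the availability and loss-expectancy terms above through with numbers. It goes slightly beyond the notes by also computing SLE from asset value and exposure factor, and by comparing the ALE before and after a control with the control's annual cost, which is the usual way these figures are used to justify spending. All figures (asset value, exposure factors, rates, control cost, MTBF and MTTR) are hypothetical.

```python
HOURS_PER_YEAR = 8760


def availability(mtbf_hours, mttr_hours):
    """Steady-state availability of a repairable component: the fraction of
    time it is in service, given its mean time between failures and mean
    time to repair."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def expected_downtime_hours(mtbf_hours, mttr_hours, hours_per_year=HOURS_PER_YEAR):
    """Expected downtime per year: roughly hours_per_year / MTBF failures,
    each costing one MTTR of outage."""
    return (hours_per_year / mtbf_hours) * mttr_hours


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. Exposure factor is the fraction of the asset's value
    lost in one incident."""
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO may be fractional: 0.5 means once every two years."""
    return sle * aro


def control_value(ale_before, ale_after, annual_control_cost):
    """Net annual value of a control: the ALE it removes minus what it costs.
    Positive means the control pays for itself; negative suggests accepting
    or transferring the risk instead."""
    return (ale_before - ale_after) - annual_control_cost


def worked_example():
    """Hypothetical figures: a customer database valued at 200,000, where one
    ransomware incident (ARO 0.5) destroys 25% of its value. An offline backup
    and patching programme costing 15,000 per year is estimated to cut EF to
    5% and ARO to 0.2."""
    sle_before = single_loss_expectancy(200_000, 0.25)        # 50,000
    ale_before = annualised_loss_expectancy(sle_before, 0.5)  # 25,000
    sle_after = single_loss_expectancy(200_000, 0.05)         # 10,000
    ale_after = annualised_loss_expectancy(sle_after, 0.2)    # 2,000
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_value": control_value(ale_before, ale_after, 15_000),  # 8,000
    }


if __name__ == "__main__":
    # Hypothetical disk array: MTBF 10,000 h, MTTR 8 h.
    print("availability:", availability(10_000, 8))
    print("expected downtime h/yr:", expected_downtime_hours(10_000, 8))
    print(worked_example())
```

In the worked example the control removes 23,000 of annual expected loss for 15,000 of annual cost, so it is worth buying; had it cost 30,000 per year, the same arithmetic would point towards accepting or insuring the risk instead.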

Risk Calculations

Quantitative analysis – based on numeric values

Qualitative analysis – based on experience and judgement, so it is subjective. Different people can assess the same risk differently and reach different outcomes.

A vulnerability is defined as the absence or weakness of a control. E.g. a lock on a door that random keys could open: it is a control, but a weak one. A vulnerability may also come from people not following correct procedures, like not logging off.

Threats (and the threat actors behind them) – anything that could exploit a vulnerability.

Risk – the likelihood that a threat will exploit a vulnerability, combined with the impact if it does.


Risk response

Mitigate – put controls in place to reduce the likelihood or the impact

Transfer – shift the financial impact to a third party, e.g. buy insurance

Avoidance – back out of the activity that creates the risk

Deterrence – discourage threat actors, e.g. warning banners or visible cameras

Acceptance – accept the remaining risk, typically when the cost of further controls exceeds the expected loss
