PCS 3 all versions - Copy

moderate (Likelihood: 2), it's more likely to be exploited compared to the vulnerability in Switch 147.  Switch 147: Finally, assess the vulnerability concerning susceptibility to an SNMP buffer overflow attack last, as it has the lowest likelihood (Likelihood: 1) among the three vulnerabilities. Question Number 3 Version 1: In Chapter 6, the list of threats to InfoSec was outlined, but there are additional threats worth considering. Firstly, we have the threat of "Insider Espionage." While the chapter discussed insider threats, it didn't delve into the specific danger of employees or contractors intentionally spying for external entities. This threat can be particularly damaging, as insiders have access to sensitive data and may misuse it for financial gain or espionage purposes. Secondly, we have the threat of "Supply Chain Compromises." Although the chapter touched on third-party risks, it didn't emphasize the potential dangers of compromised suppliers. An attacker infiltrating a supplier's systems could inject malicious code into products or services, leading to widespread vulnerabilities in the supply chain. Lastly, the chapter didn't address the threat of "Emerging Technologies." With the rapid evolution of technology, new threats are constantly emerging. For example, the rise of quantum computing poses a threat to encryption methods used to secure data today. This evolving landscape requires InfoSec professionals to stay vigilant and adapt to emerging threats proactively. Version 2: While Chapter 6 highlighted several InfoSec threats, it missed some crucial ones that merit attention. One such threat is "Social Engineering through Social Media." Although social engineering was discussed, the chapter didn't explore how attackers leverage information from social media platforms to manipulate individuals or organizations. Hackers can use seemingly innocuous details shared on social media to craft convincing phishing attacks or gain unauthorized access. Another underemphasized threat is "Physical Security Breaches." While the chapter mainly focused on digital threats, physical security is equally important. Unauthorized access to data centers or offices can lead to data theft or infrastructure damage, and this wasn't covered extensively in the chapter. Lastly, "Disaster-Related Threats" were not thoroughly addressed. Natural disasters, such as earthquakes or floods, can disrupt InfoSec systems. Additionally, the potential for cyberattacks during or after such events wasn't explored in detail. Organizations need to have robust disaster recovery plans that encompass InfoSec to mitigate these risks effectively. Version 3:

Chapter 7 Question Number 1 Version 1: Threat Category SLE ARO ALE Programmer Mistakes $5,000 1 per week $5,000 x 52 weeks = $260,000 Loss of Intellectual Property $75,000 1 per year $75,000 x 1 = $75,000 Software Piracy $500 1 per week $500 x 52 weeks = $26,000 Theft of Information (Hacker) $2,500 1 per quarter $2,500 x 4 = $10,000 Theft of Information (Employee) $5,000 1 per 6 months $5,000 x 2 = $10,000 Web Defacement $500 1 per month $500 x 12 months = $6,000 Theft of Equipment $5,000 1 per year $5,000 x 1 = $5,000 Virus, Worms, Trojan Horses $1,500 1 per week $1,500 x 52 weeks = $78,000 Denial-of-Service Attacks $2,500 1 per quarter $2,500 x 4 = $10,000 Earthquake $250,000 1 per 20 years $250,000 x 0.05 = $12,500 Flood $250,000 1 per 10 years $250,000 x 0.1 = $25,000 Fire $500,000 1 per 10 years $500,000 x 0.1 = $50,000 Version 2 (Explanation with Calculations): Programmer Mistakes:  SLE = $5,000 (Cost per Incident)  ARO = 1 per week  ALE = SLE x ARO  ALE = $5,000 x 52 weeks = $260,000 per year Loss of Intellectual Property:  SLE = $75,000  ARO = 1 per year  ALE = SLE x ARO  ALE = $75,000 x 1 = $75,000 per year Software Piracy:  SLE = $500

Threat Category SLE ARO ALE Denial-of-Service Attacks $2,500 1 per quarter $10,000 Earthquake $250,000 1 per 20 years $12,500 Flood $250,000 1 per 10 years $25,000 Fire $500,000 1 per 10 years $50,000 Question Number 3 Version 1: When there's no specific percentage provided to determine Exposure Factor (EF), you can use a qualitative approach. Let's consider a scenario in financial services. If a cyberattack could lead to a high impact, you might assign an EF of 1.0, signifying a 100% loss of sensitive financial data and customer trust. For a medium impact, such as a temporary disruption of online services, an EF of 0.5 could be appropriate, indicating a 50% loss of service availability and customer confidence. This qualitative method allows you to estimate EF without relying on percentages. Now, in terms of the easier method for determining Single Loss Expectancy (SLE), it depends on your available data and context. If you have precise information about the value of the asset at risk, like a unique piece of artwork, using a percentage of value lost is straightforward. However, if you're dealing with a less tangible asset, such as customer goodwill, it might be more practical to calculate SLE using cost per incident. For instance, this could include expenses related to public relations efforts, legal actions, and customer compensation. Version 2: In cases where there's no specified percentage for determining Exposure Factor (EF), a qualitative approach can be employed. Let's take the healthcare sector as an example. If a data breach could lead to a high impact, you might assign an EF of 1.0, indicating a 100% loss of patient records and trust. For a medium impact, like a temporary disruption of medical services, an EF of 0.5 could be used, suggesting a 50% loss of service availability and patient confidence. This qualitative method allows you to estimate EF without relying on specific percentages. Now, when deciding the easier method for determining Single Loss Expectancy (SLE), it hinges on data availability and context. If you have precise information about the value of the asset at risk, such as a specialized medical device, using a percentage of value lost is straightforward. However, if the asset's value is challenging to ascertain, as in the case of critical research data, it may be more practical to calculate SLE using cost per incident. This might involve expenses related to data recovery, regulatory fines, and potential lawsuits. Version 3: When no specific percentage is provided for determining Exposure Factor (EF), you can turn to a qualitative approach. Consider a manufacturing scenario. If a cyberattack could lead to a high impact, like the disruption of production lines, you might assign an EF of 1.0, signifying a 100% loss of production capacity and revenue. For a medium impact, such

 ALE = $5,000 x 0.5 = $2,500 per year Virus, Worms, Trojan Horses:  SLE = $1,500  ARO = 1 per month  ALE = SLE x ARO  ALE = $1,500 x 12 = $18,000 per year Denial-of-Service Attacks:  SLE = $2,500  ARO = 1 per 6 months  ALE = SLE x ARO  ALE = $2,500 x 2 = $5,000 per year Earthquake:  SLE = $250,000  ARO = 1 per 20 years  ALE = SLE x ARO  ALE = $250,000 x 0.05 = $12,500 per year Flood:  SLE = $50,000  ARO = 1 per 10 years  ALE = SLE x ARO  ALE = $50,000 x 0.1 = $5,000 per year Fire:  SLE = $100,000  ARO = 1 per 10 years  ALE = SLE x ARO  ALE = $100,000 x 0.1 = $10,000 per year Version 3 (Table with Calculations):