Tutorial

(a) Given values as below:

 cost of individual asset is RM25,000,000
 Percentage of destruction that could occur is 35%
 Estimated frequency that a threat is expected to occur is 3

Calculate the following on the flood threat in Malaysia:

i. Single Loss Expectancy (SLE)
ii. Annualized Loss Expectancy (ALE)

(b) You are the network security consultant and requested to design new
security policy for an organization. Identify and discuss five (5) types
of policies to protect the organization assets.
(c) As a network administrator, explain any SEVEN (7) guidelines you are
following while configuring Access Control Lists.
(d) Identify expanded address, prefix , ip range and number of /64
allotted for the IPv6 addresses

(i) 2001:db8::/32
(ii) 2001:db8:1234:abcd::/40
 Flood threat

Exposure Factor (EF) is: 35 percent

AV of the enterprise is: RM25,000,000

ARO is: 3

i. SLE is: AV * EF
RM25,000,000 * .35

SLE is equal to: RM8,750,000

ii. ALE is SLE * ARO

RM8,750,000 * 3

ALE is equal to: RM26,250,000

A security policy may include the following:

1. Identification and Authentication Policies - Specifies authorized persons that can have access to
network resources and verification procedures.
2. Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
3. Acceptable Use Policies - Identifies network applications and usages that are acceptable to the
organization. It may also identify ramifications if this policy is violated.
4. Remote Access Policies - Identifies how remote users can access a network and what is accessible
via remote connectivity.
5. Network Maintenance Policies - Specifies network device operating systems and end user
application update procedures.
6. Incident Handling Procedures - Describes how security incidents are handled.

1. You can assign only one access list per interface per protocol per direction. This means that
when creating IP access lists, you can have only one inbound access list and one out-bound
access list per interface

2. Organize your access lists so that the more specific tests are at the top of the access list.
 3. Any time a new entry is added to the access list, it will be placed at the bottom of the list.
Using a text editor for access lists is highly suggested.

4. You cannot remove one line from an access list. If you try to do this, you will remove the entire
list. It is best to copy the access list to a text editor before trying to edit the list. The only
exception is when using named access lists.

5. Unless your access list ends with a permit any command, all packets will be discarded if they
do not meet any of the list’s tests. Every list should have at least one permit statement or it
will deny all traffic.

6. Create access lists and then apply them to an interface. Any access list applied to an interface
without an access list present will not filter traffic.

7. Access lists are designed to filter traffic going through the router. They will not filter traffic
that has originated from the router.

8. Place IP standard access lists as close to the destination as possible. This is the reason we
don’t really want to use standard access lists in our networks. You cannot put a standard
access list close to the source host or network because you can only filter based on source
address and nothing would be forwarded.

Expanded Address: 2001:0db8:0000:0000:0000:0000:0000:0000/32

Prefix: ffff:ffff:0000:0000:0000:0000:0000:0000

Range: 2001:db8:0:0:0:0:0:0

2001:db8:ffff:ffff:ffff:ffff:ffff:ffff

Number of /64s: 4294967296

Expanded Address: 2001:0db8:1234:abcd:0000:0000:0000:0000/40

Prefix: ffff:ffff:ff00:0000:0000:0000:0000:0000

Range: 2001:db8:1200:0:0:0:0:0

2001:db8:12ff:ffff:ffff:ffff:ffff:ffff

Number of /64s: 16777216