(1)Identify Threats Flashcards
How do organizations start their risk assessment process?
Organizations start off the risk assessment process by figuring out what threats exist in their system, environment, locations, etc.
What four categories of threats does NIST identify that an organization might face?
The four threats are
1.Adversarial Threats
2.Accidental Threats
3.Structural Threats
4.Environmental Threats
What are adversarial threats?
Adversarial Threats are people, groups, and orgs that try to intentionally bypass or damage an organizations security system.
What do adversarial threats include?
Adversarial threats include people inside the company, competing people or people groups, partners, people or components of the supply chain, and others.
What should analysts consider when reviewing an adversarial threat?
Analysts should consider skills of the actor, what their goal is, and how likely that they will target the org.
What are accidental threats?
Accidental threats happen when people doing their everyday work do something that hurts security.
When reviewing accidental threats, what should an analyst consider?
The analyst should consider all of the possible effects that could happen to the org as a result of the threat.
What are structural threats?
Structural threats happen when equipment, programs, or environmental controls don’t do their job.
What are some examples of structural threats?
Structural threats could include:
-Resources running out (no more fuel)
-The operational ability being overtaxed (such as a computer falling off a desk)
-Failing due to being too old
Where can structural threats originate?
Structural threats could originate from:
-Technology pieces (computers, network devices, etc.)
-Software (Operating systems, applications)
-Environmental components (power, heating and cooling systems)
What can environmental threats include?
Environmental threats could include disasters that are caused by humans or nature that the organization cannot foresee, such as:
-Flood
-Storm
-Power Failures
-And more
What do security analysts need to consider when investigating environmental threats?
Security Analysts should consider the events that are most likely to happen in their region (example, if they are in a desert, they probably don’t need to plan for blizzards)
What is a good comparative best practice for an organization when completing a risk assessment?
A good best practice is to get copies of risk assessments that are done by other organizations as a beginning point for their own review.