2.2 Risk Management and Threat Modeling Flashcards
vulnerability
a weakness in a system, process, or asset that can be exploited to compromise the system's CIA (confidentiality, integrity, or availability).
threat
an actor or event that could exploit a vulnerability.
- can be intentional (a malicious hacker steals data), unintentional (an incompetent sysadmin takes down the network), or a natural disaster.
risk
the possibility of losing something valuable; in practice, the likelihood that a threat exploits a vulnerability, combined with the impact if it does.
Risk analysis:
Understanding what risks an organization faces, which are most severe, and which are most likely.
Risk management:
Using the results of such an analysis to determine how to deploy personnel and spend budget.
Threat modeling:
Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what can be done to stop them.
Threat Modeling Methodologies
PASTA (Process for Attack Simulation and Threat Analysis)
A risk-centric, seven-stage methodology that aims to align business objectives with technical requirements by simulating the attacks most relevant to the business.
STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, DoS (Denial of Service), Elevation of Privilege)
Focuses on what can go wrong in the system being modeled: each component or data flow is checked against the six threat categories in the name.
OWASP (Open Web Application Security Project)
Focuses on identifying possible threats, prioritizing the resulting risks, and planning mitigations. It is mainly applied to applications, such as web or desktop apps.
OWASP process consists of six steps:
- Determine Assessment Scope
- Identify Threat Agents
- Identify Possible Attacks
- Identify Exploitable Vulnerabilities
- Rank/Prioritize Risks
- Mitigate Risks
Determine Assessment Scope
Listing the assets under consideration, determining their value, and defining objectives for your threat modeling assessment.
Identify Possible Attacks:
Identify the attacks each threat agent is likely to attempt, based on the skill and funding that agent has.
Identify Exploitable Vulnerabilities:
Identify the entry and exit points through which data flows into and out of the system, and the weaknesses at those points that an attacker could exploit.
Asset inventory
the process of identifying all of an organization's assets and assigning each an asset value (AV, the financial worth of the asset).
exposure factor
the fraction (0 to 1, or 0% to 100%) of an asset's value that is lost in a single occurrence of a given breach; it measures "how much" of the asset is affected.
Loss expectancy
a measure of how much money an organization will lose in the event of a given breach.
Single loss expectancy (SLE)
the estimated cost of a single occurrence of a risk against a given asset, i.e. what each occurrence costs.
calculated as: SLE = AV x EF, where AV is asset value and EF is exposure factor.
Annual loss expectancy (ALE)
the expected yearly cost of a risk, accounting for how often it recurs.
calculated as: ALE = ARO x SLE, where ALE is annual loss expectancy, ARO is annual rate of occurrence, and SLE is single loss expectancy.
Annual rate of occurrence (ARO)
an estimate of how many times a risk is likely to occur in a given year; it can be less than 1 for rare events.
calculated as: ARO = X / years, where X is the number of occurrences observed and years is the length of the period they were observed over.
Marginal (loss expectancy)
The organization has sufficient resources to respond to the breach immediately, without affecting day-to-day operations or revenue.
Notable (loss expectancy)
The organization has sufficient resources to respond to the breach, but may not be able to do so immediately. It may experience interruptions to operations.
Severe (loss expectancy)
The organization experiences serious interruptions to operations, and does not have sufficient monetary and/or personnel resources to respond to the breach effectively. It may have to defer revenue, delay project timelines, reassign employees, and/or hire consultants to address the issue.
Catastrophic (loss expectancy)
The organization suffers severe, lasting damage to its reputation and/or infrastructure. The future of the business is threatened by reputational damage, bankruptcy, being found in contempt of federal regulations, etc.
risk matrix
a grid that places each risk by its likelihood and impact, used to compare how many of the risks an organization faces are mild versus how many are severe.
heat map
a color-coded visual representation of the likelihood and impact of the risks to an organization, typically drawn over a risk matrix.
Heat maps provide organizations with the capability to make strategic decisions designed to protect the company.
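The formulas on the SLE, ALE and ARO cards and the risk matrix / heat map cards come together in a quantitative risk analysis. The following is an added worked example, not part of the original card set: it computes SLE, ARO and ALE for a constructed asset inventory, ranks the risks by ALE, buckets them into a likelihood x impact risk matrix, and checks whether a safeguard pays for itself. The assets, values, exposure factors and incident counts are constructed sample data, the Low/Medium/High thresholds are assumptions chosen for illustration, and the control cost/benefit step (ALE reduction minus the control's annual cost) is a standard extension that the cards themselves do not state.

```python
"""Quantitative risk analysis worked example: SLE, ARO, ALE and a risk matrix.

Added example for these flashcards, not code from the original card set.
All asset data and bucket thresholds below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV: financial worth of the asset
    exposure_factor: float  # EF: fraction (0..1) of AV lost per occurrence
    occurrences: int        # X: incidents observed in the lookback window
    years: float            # length of the lookback window in years


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def aro(occurrences: int, years: float) -> float:
    """Annual rate of occurrence: ARO = X / years (can be < 1 for rare events)."""
    if years <= 0:
        raise ValueError("lookback window must be positive")
    return occurrences / years


def ale(single_loss: float, annual_rate: float) -> float:
    """Annual loss expectancy: ALE = ARO x SLE."""
    return annual_rate * single_loss


def analyse(risks):
    """Compute SLE, ARO and ALE per risk; return rows sorted by ALE, highest first."""
    rows = []
    for r in risks:
        s = sle(r.asset_value, r.exposure_factor)
        a = aro(r.occurrences, r.years)
        rows.append({"asset": r.asset, "sle": s, "aro": a, "ale": ale(s, a)})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


def control_benefit(ale_before, ale_after, annual_control_cost):
    """Net yearly value of a safeguard: ALE reduction minus what the control costs.
    Positive means the control pays for itself; negative means it costs more than
    the risk it removes. (Standard extension; not stated on the cards.)"""
    return (ale_before - ale_after) - annual_control_cost


# Assumed bucket thresholds (illustrative only): upper bound -> label.
LIKELIHOOD_BUCKETS = ((0.1, "Low"), (1.0, "Medium"), (float("inf"), "High"))      # ARO per year
IMPACT_BUCKETS = ((10_000, "Low"), (100_000, "Medium"), (float("inf"), "High"))   # SLE in currency
LEVELS = ("Low", "Medium", "High")


def bucket(value, buckets):
    """Map a number to the first bucket whose upper bound it does not exceed."""
    for upper, label in buckets:
        if value <= upper:
            return label


def risk_matrix(rows):
    """Place each analysed risk in a (likelihood, impact) cell of a 3x3 risk matrix."""
    grid = {(lk, im): [] for lk in LEVELS for im in LEVELS}
    for row in rows:
        cell = (bucket(row["aro"], LIKELIHOOD_BUCKETS), bucket(row["sle"], IMPACT_BUCKETS))
        grid[cell].append(row["asset"])
    return grid


def render_matrix(grid):
    """Text rendering of the matrix: rows are likelihood (High on top), columns impact."""
    lines = ["likelihood \\ impact | " + " | ".join(f"{im:<28}" for im in LEVELS)]
    for lk in reversed(LEVELS):
        cells = [", ".join(grid[(lk, im)]) or "-" for im in LEVELS]
        lines.append(f"{lk:<19} | " + " | ".join(f"{c:<28}" for c in cells))
    return "\n".join(lines)


# Constructed sample asset inventory (not real data).
SAMPLE_RISKS = [
    Risk("customer database (breach)", asset_value=500_000, exposure_factor=0.40, occurrences=1, years=5),
    Risk("web storefront (DDoS outage)", asset_value=200_000, exposure_factor=0.04, occurrences=6, years=2),
    Risk("office laptops (theft)", asset_value=60_000, exposure_factor=0.10, occurrences=3, years=1),
    Risk("backup tapes (flood)", asset_value=80_000, exposure_factor=1.00, occurrences=1, years=50),
]

if __name__ == "__main__":
    rows = analyse(SAMPLE_RISKS)
    for row in rows:
        print(f"{row['asset']:<30} SLE={row['sle']:>10,.0f}  ARO={row['aro']:>5.2f}  ALE={row['ale']:>10,.0f}")
    print()
    print(render_matrix(risk_matrix(rows)))
    # Would a 25,000/year DDoS mitigation service that cuts the outage ALE to a fifth pay off?
    ddos = next(r for r in rows if r["asset"].startswith("web storefront"))
    print("\nDDoS control net yearly benefit:", control_benefit(ddos["ale"], ddos["ale"] / 5, 25_000))
```

Two things the arithmetic alone does not show: the rare flood with the highest single loss (EF = 1.0) ends up with the lowest ALE because its ARO is 0.02, so ranking by ALE rather than SLE is what keeps budget from chasing the scariest-sounding event; and the DDoS control comes out with a negative net benefit, which is the risk-management decision the ALE card exists to support.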