2.2 Risk Management and Threat Modeling

Question 1

vulnerability

Answer 1

the aspect of a business that can be exploited to compromise a system’s CIA (confidentiality, integrity, or availability).

Question 2

threat

Answer 2

an actor that might exploit a vulnerability.
-can be intentional (a malicious hacker steals data), unintentional (an incompetent sysadmin destroys the network), or due to a natural disaster.

Question 3

risk

Answer 3

the possibility of losing something valuable.

Question 4

Risk analysis:

Answer 4

Understanding what risks an organization faces, which are most severe, and which are most likely.

Question 5

Risk management:

Answer 5

Using the results of such an analysis to determine how to deploy personnel and spend budget.

Question 6

Threat modeling:

Answer 6

Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what can be done to stop them.

Question 7

Threat Modeling Methodologies

PASTA (Process for Attack Simulation and Threat Analysis)

Answer 7

Aims to align consideration of business objectives with technical requirements.

Question 8

Threat Modeling Methodologies

STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, DoS (Denial of Service), Elevation of Privilege)

Answer 8

Focuses on identifying what can fail in the system being modeled.

Question 9

Threat Modeling Methodologies

OWASP (Open Web Application Security Project)

Answer 9

Focuses on identifying possible threats, prioritizing risks, and planning mitigation strategies. It is mainly applied to the analysis of applications, such as web or desktop apps.

Question 10

OWASP process consists of six steps:

Answer 10

1. Determine Assessment Scope
2. Identify Threat Agents
3. Identify Possible Attacks
4. Identify Exploitable Vulnerabilities
5. Rank/Prioritize Risks
6. Mitigate Risks

Question 11

Determine Assessment Scope

Answer 11

Listing the assets under consideration, determining their value, and defining objectives for your threat modeling assessment.

Question 12

Identify Possible Attacks:

Answer 12

Identify the attacks that each threat agent is likely to perform, based on how much skill and funding they have.

Question 13

Identify Exploitable Vulnerabilities:

Answer 13

Identify ways for data to enter and exit the system.

Question 14

Asset inventory

Answer 14

the process of identifying and assigning an asset value (financial worth of an asset) to all of an organization’s assets.

Question 15

exposure factor

Answer 15

measuring “how much” of an asset will be affected in the event of a breach.

Question 16

Loss expectancy

Answer 16

a measure of how much money an organization will lose in the event of a given breach.

Question 17

Single loss expectancy (SLE)

Answer 17

as the estimated cost of the occurrence of a risk on a given asset; the estimated cost each time the risk occurs.
calculated as: SLE = AV x EF,

Question 18

Annual loss expectancy (ALE)

Answer 18

the metric determining the cost of a risk reoccurring.
calculated as: ALE = ARO x SLE, where ALE is annual loss expectancy, ARO is annual rate of occurrence, and SLE is single loss expectancy.

Question 19

Annual rate of occurrence (ARO)

Answer 19

as an estimate of how many times a risk is likely to occur in a given year.
ARO = X / years, ARO is annual rate of occurrence, X occurrence(s), and years is per number of years.

Question 20

Marginal (loss expectancy)

Answer 20

The organization has sufficient resources to respond to the breach immediately, without affecting day-to-day operations or revenue.

Question 21

Notable (loss expectancy)

Answer 21

The organization has sufficient resources to respond to the breach, but may not be able to do so immediately. It may experience interruptions to operations.

Question 22

Severe (loss expectancy)

Answer 22

The organization experiences serious interruptions to operations, and does not have sufficient monetary and/or personnel resources to respond to the breach effectively. It may have to defer revenue, delay project timelines, reassign employees, and/or hire consultants to address the issue.

Question 23

Catastrophic (loss expectancy)

Answer 23

The organization suffers severe, lasting damage to its reputation and/or infrastructure. The future of the business is threatened by reputational damage, bankruptcy, being found in contempt of federal regulations, etc.

Question 24

risk matrix

Answer 24

used to compare how many of the risks an organization faces are mild versus how many are severe.

Question 25

heat map

Answer 25

a visual representation of the probability and likelihood of risks to an organization.
Heat maps provide organizations with the capability to make strategic decisions designed to protect the company.