2.2 Risk Management and Threat Modeling Flashcards
What’s the difference between a vulnerability, a threat, and a risk?
A vulnerability is a weakness in a system, process, or control that can be exploited to compromise a system's CIA (confidentiality, integrity, availability).
A threat is a potential source of harm, usually an actor, that might exploit a vulnerability.
A risk is the possibility of losing something valuable: the chance that a threat exploits a vulnerability, combined with the resulting impact.
A _________ is a weakness in a system, process, or control that can be exploited to compromise a system's CIA.
Vulnerability
A _________ is an actor that might exploit a vulnerability.
Threat
A _________ is a possibility of losing something valuable.
Risk
Using the results of risk analysis to create a plan for preventing likely risks is called what?
Risk Management
Understanding what risks face an organization, which are most severe, and which are most likely is called what?
Risk Analysis
Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what can be done to prevent them is called what?
Threat Modeling
What is a business’s primary objective?
Profit
_____________ and _____________ directly contribute to business profit.
Risk analysis and management, together with threat modeling, directly contribute to business profit.
_____________ helps a business understand how much it will need to spend in the event of a given security breach.
Risk Analysis
_____________ results are shared upwards to the executives who make the major business decisions.
Threat Modeling
When possible, risks are measured ___________ in financial figures, which businesses use to prioritize threats.
Quantitatively
What does PASTA stand for?
It’s a Threat Modeling Methodology:
Process for Attack Simulation & Threat Analysis
What does STRIDE stand for?
It's a threat categorization model:
Spoofing, Tampering, Repudiation, Information Disclosure, DoS (Denial of Service), Elevation of Privilege
What are the steps involved in the OWASP Threat Modeling process?
- Determine assessment scope
- Identify threat agents
- Identify potential attacks
- Identify exploitable vulnerabilities
- Prioritize identified risks
- Mitigate risks
What is step 1 of the OWASP Threat Modeling process?
Determine Scope:
List the assets under consideration, determine their value, and define objectives for your threat modeling assessment.
What is step 2 of the OWASP Threat Modeling process?
Identify Threat Agents:
Determine which attackers would be interested in the relevant assets.
True or false:
Threat agents include a person or group that can produce a threat, whether or not that person or group is malicious.
True
What is step 3 of the OWASP Threat Modeling process?
Identify Potential Attacks:
Identify the attacks each agent is likely to perform.
_________ attackers use different modes of attack, and _________ attacks mean different risks and _________ considerations.
Different attackers use different modes of attack, and different attacks mean different risks and different considerations.
If a client’s web application is taken offline by a DoS attack, the severity of the risk depends on which threat agent is responsible. What would be the difference between script kiddies and APTs?
Script kiddies might DoS a server simply to cause trouble.
An APT might DoS a server as a smokescreen to steal valuable data.
___________ is the process of prioritizing threats identified in steps 1-4 based on their potential impact and likelihood.
Risk Analysis
___________ is evaluating risk based on intangible, unmeasurable factors.
Qualitative Analysis
Evaluating each risk based on its measured likelihood and impact is called what?
Quantitative Analysis
○ Likelihood: The probability that an event will take place.
○ Impact: The measure of the damage done if a risk materializes.
When likelihood and impact cannot be accurately measured, you should do what type of analysis?
Qualitative Analysis
_________ is used when a complex evaluation of cost vs. benefit is unnecessary. What’s an example?
Qualitative Risk Analysis
When a company is deciding between an inexpensive VPN service that logs traffic on its servers for internal use, and a more expensive service that does not keep any logs.
A bakery can use qualitative analysis to decide on an inexpensive VPN, since it shouldn’t matter much if they’re logging non-confidential information.
You should use a ___________ in circumstances where intuitive analysis is insufficient.
Quantitative Risk Analysis
To perform a ____________, analysts start by calculating how much it will cost if an asset is breached.
Quantitative Risk Analysis
To perform a quantitative risk analysis, first, quantify _________ and _________.
First, quantify asset value and exposure factor.
What does SLE stand for and what is it?
Single Loss Expectancy (SLE)
SLE = AV x EF
The estimated cost of the risk occurring once on a given asset.
What does ARO stand for and what is it?
Annual Rate of Occurrence (ARO)
Estimated number of times the risk is
likely to occur in a given year.
What does ALE stand for and what is it?
Annual Loss Expectancy (ALE)
ALE = SLE x ARO
Estimated cost of a risk recurring over a given year.
What do AV and EF stand for
AV = Asset Value
EF = Exposure Factor
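The cards above give the quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) and, earlier, the OWASP threat-modeling steps (scope assets, identify threat agents, identify their likely attacks, prioritize risks, mitigate). The following Python is an added example, not part of the original flashcards, that carries those steps through in code on a small set of constructed risks. The asset values, exposure factors and occurrence rates are made-up figures, and the control_value() step is an assumed cost/benefit rule that goes slightly beyond the cards: a mitigation is worth buying when the ALE it removes exceeds its own annual cost.

```python
"""Quantitative risk analysis worked through in code (added example).

Walks the OWASP threat-modeling steps using the flashcards' formulas
SLE = AV x EF and ALE = SLE x ARO, then ranks risks by ALE and scores a
mitigation. All numbers are constructed for illustration; control_value()
is an assumed cost/benefit rule, not something the cards state.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str   # step 1: asset in scope
    agent: str   # step 2: threat agent interested in the asset
    attack: str  # step 3: attack that agent is likely to perform
    av: float    # Asset Value (AV), in currency units
    ef: float    # Exposure Factor (EF): fraction of AV lost per occurrence, 0..1
    aro: float   # Annual Rate of Occurrence (ARO): expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def validate(r: Risk) -> None:
    """Reject inputs the formulas cannot make sense of (EF > 1 is the classic slip)."""
    if not 0.0 <= r.ef <= 1.0:
        raise ValueError(f"{r.attack}: EF must be a fraction in [0, 1], got {r.ef}")
    if r.av < 0 or r.aro < 0:
        raise ValueError(f"{r.attack}: AV and ARO cannot be negative")


def prioritize(risks: list) -> list:
    """Step 5: rank risks by ALE, highest first, after validating every entry."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(r: Risk, annual_cost: float,
                  new_ef: Optional[float] = None,
                  new_aro: Optional[float] = None) -> float:
    """Step 6 (assumed rule): ALE before - ALE after - annual cost of the control.
    Positive means the control removes more expected loss than it costs."""
    after = Risk(r.asset, r.agent, r.attack, r.av,
                 r.ef if new_ef is None else new_ef,
                 r.aro if new_aro is None else new_aro)
    validate(after)
    return r.ale() - after.ale() - annual_cost


# Constructed sample risks (illustrative figures, not from any real assessment).
CUSTOMER_DB = Risk("customer database", "APT", "data exfiltration",
                   av=2_000_000, ef=0.5, aro=0.1)
STOREFRONT = Risk("web storefront", "script kiddies", "DoS",
                  av=500_000, ef=0.02, aro=4)
LAPTOP = Risk("sales laptop", "opportunistic thief", "laptop theft",
              av=3_000, ef=1.0, aro=2)
RISKS = [LAPTOP, STOREFRONT, CUSTOMER_DB]


def main() -> None:
    print(f"{'attack':<20}{'agent':<20}{'SLE':>12}{'ALE':>12}")
    for r in prioritize(RISKS):
        print(f"{r.attack:<20}{r.agent:<20}{r.sle():>12,.0f}{r.ale():>12,.0f}")
    # A DDoS scrubbing service at 15,000/yr that cuts the DoS ARO from 4 to 0.5
    print("DDoS scrubbing net value:",
          f"{control_value(STOREFRONT, 15_000, new_aro=0.5):,.0f}")
    # Full-disk encryption at 500/yr that cuts the theft EF from 1.0 to 0.1
    print("Disk encryption net value:",
          f"{control_value(LAPTOP, 500, new_ef=0.1):,.0f}")


if __name__ == "__main__":
    main()
```

Ranking by ALE rather than SLE is the point of the exercise: the laptop theft has the smallest single loss but is frequent, the data exfiltration is rare but ruinous, and only the annualized figure puts them on one scale the executives can compare against the cost of controls.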
The organization has the resources to respond to the breach immediately, without affecting day-to-day operations or revenue. Which loss expectancy category is this?
Marginal
The organization has the resources to respond to the breach, but may not be able to do so immediately, and may experience interruptions to operations. Which loss expectancy category is this?
Notable
The organization experiences serious interruptions to operations and doesn't have the monetary and/or personnel resources to respond effectively. It may have to defer revenue, delay project timelines, reassign employees, and/or hire consultants to address the issue. Which loss expectancy category is this?
Severe
The organization suffers severe, lasting damage to its reputation and/or infrastructure. The future of the business is threatened by reputational damage, bankruptcy, being found in violation of federal regulations, or other issues. Which loss expectancy category is this?
Catastrophic