2nd Part Flashcards
What is Risk Management?
It is the process of identifying, analyzing, treating, monitoring, and reporting risks (including newly arising ones) in an organization.
What are some types of Risk Assessment frequency?
Risk Assessment frequency is how often a risk assessment is performed.
- Ad hoc Risk assessment - This kind of risk assessment is performed during some specific event or situation that can introduce new risks to the organization and change the nature of existing risks.
- Recurring Risk Assessment
- One-time Risk Assessment
- Continuous Risk Assessment
What is Risk Identification and how do we do the business impact analysis of these risks?
It is the process of identifying all the risks that can impact an organization.
Business impact analysis of these risks is done by finding out these terms:
- Recovery time objective - It is the maximum time for which a service can remain down
- Recovery point objective - It is the maximum amount of data in time that an organization can afford to lose.
- MTTR - Mean time to repair
- MTBF - Mean time between failures
What is Risk Register and what kind of information is included in these registers?
A Risk Register is a file that keeps track of all of the organization's risks and the information regarding those risks.
It is a key tool in Risk Management.
It holds information like the following:
Risk description, its impact, likelihood, risk level/threshold, Risk KRI (Key risk indicators), Risk owner.
What is the Risk appetite of an organization and what kinds of risk appetite do organizations have?
Risk appetite is the maximum level of residual risk that an organization can take to maximize its profits.
Organizations have mainly 3 kinds of risk appetite -
- Neutral risk appetite
- Conservative risk appetite
- Expansionary risk appetite
What are 2 kinds of Risk analysis that we can perform in an organization?
Qualitative risk analysis - This analysis is done based on the risk impact and its likelihood.
Impact is in terms of cost and the business function that it will impact.
Quantitative risk analysis-
What is Quantitative risk analysis and how is it performed?
Quantitative risk analysis involves finding out risk in numbers.
It is performed by finding the following terms:
- Single loss Expectancy
- Exposure factor - Proportion of an asset that is lost in an event.
- Annualized rate of occurrence
- Annualized Loss Expectancy
What are different kinds of Risk management strategies?
Risk mitigation
Risk Acceptance
Risk transfer - like transferring it to insurance
Risk Avoidance
What is Risk monitoring and reporting?
It involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project’s lifecycle.
What are 3rd party vendor risks?
These are potential security and operational challenges introduced by external entities (vendors, suppliers or service providers). They include:
- Hardware supply chain risks
- Software supply chain risks
- MSP (Managed Service Provider) risks
What are supply chain attacks and how can we protect from them?
Supply Chain attacks are attacks that target a weaker link in the supply chain.
To protect against these:
- Regularly monitor and audit
- Do vendor due diligence
- Education and collaboration with other companies
- Incorporating contractual safeguards
How can we perform a vendor assessment?
- Penetration testing
- Review the contract with the vendor and make sure it has a Right To Audit clause.
- There should be internal testing by the vendor.
- There should also be an independent assessment.
What is the MD5 algorithm?
MD5 is a hashing algorithm. It produces a message digest of 128 bits.
Because the digest value is short, MD5 is susceptible to hash collision attacks.
What is SHA algorithm?
SHA stands for Secure Hash Algorithm.
SHA1 creates a message digest of 160 bits.
SHA2 is a family of hashing algorithms, including the following:
- SHA224
- SHA256
- SHA384
- SHA512
SHA3 also produces message digests from 224 bits up to 512 bits, but it uses 120 rounds of computation.
What is RIPEMD hashing algorithm?
RIPEMD stands for RACE Integrity Primitives Evaluation Message Digest.
This is not very popular.
It comes in 160-, 256- and 320-bit message digest versions.
What is HMAC (Hash-Based Message Authentication Code)?
It is widely used in different protocols like IPsec, OAuth, TLS etc. and can be used for providing integrity and some level of authenticity. It is also used in APIs for authentication.
It works by combining a hashing function with a shared secret key between two parties. (The hash of the message and the key may be sent to the recipient to provide integrity and authenticity.)
Normally it is paired with another algorithm and has names like:
HMAC-MD5
HMAC-SHA1
HMAC-SHA256
What are digital signatures?
In digital signatures, the hash of a file is created and then encrypted with the private key of the message sender. This ciphertext is called the digital signature.
So a digital signature needs a hashing algorithm and a public-key (asymmetric) algorithm.
A few algorithms used in digital signatures:
- DSA - Digital Signature Algorithm
- RSA
- Elliptic Curve Cryptography versions of either DSA or SHA
What are Birthday attacks (related to hashing collisions) and Pass the Hash attacks?
What are a few ways to increase the strength of our hashes?
- Key Stretching
- Salting
- Peppering
With salting and peppering, we can prevent rainbow table attacks.
What is PKI?
Public Key Infrastructure is an entity that relates a public key to someone’s identity and creates trust within networks for exchanging the information securely.
What is a certificate authority?
It is an entity that issues digital certificates and maintains the level of trust between all of the certificate authorities around the world.
What is key escrow?
It is a 3rd party entity with which we can keep our cryptographic keys secure.
What is a digital certificate?
It is a digitally signed document that binds a public key with a user’s identity.
The user could be a person, server or any other device.
Certificates commonly use the X.509 standard.
What is a wildcard certificate?
A wildcard certificate is a certificate that is valid for more than one system that falls under the same root domain.
What is the SAN (Subject Alternative Name) field in a certificate?
A field that specifies what additional domains and IP addresses are going to be supported by the certificate.
What are single-sided and dual-sided certificates?
Dual-sided certificate - used when both endpoints on the connection authenticate to each other.
What is Self Signed certificate?
Digital certificate that is signed by the same entity whose identity it certifies.
It is not vouched for by a 3rd party.
What is certificate signing request?
A block of encoded text that contains information about the entity requesting the certificate.
The CSR is used by the CA to create the digital certificate.
What is registration authority?
This is the entity that requests identifying information from the user and forwards that certificate request up to the certificate authority to create the digital certificate.
What is certificate revocation list?
It is a list that contains certificates that have been revoked by the CA.
When we connect to a website, our browser goes to the CA to get the public key for the web server. Before giving the public key back to the browser, the CA first checks whether the certificate associated with the public key is still valid.