Chapter 1 Risk Management Flashcards
The likelihood of a threat actor taking
advantage of a vulnerability by using a threat against
an IT asset
Risk
Anyone or anything with the motive
and resources to attack another’s IT infrastructure
Threat Actor
A weakness in an asset
Vulnerability
An action that a threat actor can use
against a vulnerability to cause harm
Threat
Pathways to gain access to infrastructure
Attack Vectors
Occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data.
Supply-chain attack
- Government reports
- Media
- Academic papers
OSINT (open-source intelligence)
- Tor network, Tor Web browser
- Encrypted anonymous connections
- Not indexed by search engines
- Tor encryption and anonymity
Journalists
Law enforcement
Government informants
Dark Web/dark net
Exchange of cybersecurity intelligence (CI) between
entities
Automated Indicator Sharing (AIS)
- A form of AIS
- Data exchange format for cybersecurity intelligence
Structured Threat Information eXpression (STIX)
- Like RSS feed for threats
- Consists of TAXII servers and clients
- Real-time cyber intelligence feeds
Trusted Automated eXchange of Intelligence
Information (TAXII)
- Financial statement integrity
- Internal controls
- Type I and Type II
Statement on Standards for Attestation Engagements
System and Organization Controls (SSAE SOC 2)
- “Guide for Conducting Risk Assessments”
NIST Special Publication (SP) 800-30, Rev. 1
Protects EU citizens’ private data
General Data Protection Regulation (GDPR)
Protects American patient medical information
Health Insurance Portability and Accountability Act
(HIPAA)
Protects cardholder information
Payment Card Industry Data Security Standard (PCI
DSS)
A nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing.
- Cloud Controls Matrix (CCM)
Cloud Security Alliance (CSA)
Specifies which users are allowed or denied access to a set of protected resources
Resource access policies
Defines why and how you store data, for how long, and then how you dispose of it.
Data retention policies
- Risk awareness
- Cybersecurity intelligence sources
- Evaluate security controls
- Inherent (current) and residual risk
- Implement security controls
- Periodic review
Risk Assessment Process
- Environmental
- Flood, hurricane
- Person-made
- Riots, terrorism, sabotage
- Internal
- Malicious insider, malware infections
- External
- Distributed denial of service (DDoS)
Risk Types
- Mitigation/reduction
- Transference/sharing
- Avoidance
- Acceptance
Risk Treatments
Security controls are proactively put in place before
undertaking the risk
Mitigation/reduction
- Some risk is transferred to a third party in exchange for payment
- Example: cybersecurity insurance
Transference/sharing
Avoid an activity because the risks outweigh potential
gains
Avoidance
- The current level of risk is acceptable
- The risk falls within the organization’s risk appetite
Acceptance
Strives to determine the
likelihood and impact of threats
Risk assessment
- Based on numeric values
- Asset value (AV)
- Exposure factor (EF)
- Percentage of asset value loss when negative incident
occurs
Quantitative Risk Assessment
- Percentage of asset value loss when negative incident
occurs
Exposure factor (EF)
- How much loss is experienced during one negative
incident?
SLE = AV (Asset Value) × EF (Exposure Factor)
Single Loss Expectancy (SLE)
Number of incidents per year.
Annualized rate of occurrence (ARO)
- Total yearly cost of bad things happening
ALE = SLE (Single Loss Expectancy) × ARO (Annualized Rate of Occurrence)
Annualized loss expectancy (ALE)
Based on subjective opinions regarding:
- Threat likelihood
- Impact of realized threat
- Threats are given a severity rating
Qualitative Risk Assessment
- Centralized list of risks, severities, responsibilities, and mitigations
- Generally considered qualitative
- Example: severity or impact ratings
- Occasionally includes hard numbers (%, $)
Risk Register
- Table of risk details
- Similar to a heat map but without colors
Risk Matrix
- Prioritize mission-critical processes
- Assess risk
Business Impact Analysis (BIA)
- Payment processing systems
- Customer/patient records
Prioritize mission-critical processes
- Identify sensitive data
- Identify single points of failure
- Identify security controls and compliance
Assess risk
- Average time between repairable component failures
- Software patching
Mean time between failures (MTBF)
- Average time between NON-repairable component failures
- Hard disks, switches, routers
Mean time to failure (MTTF)
Time required to repair a failed component
Mean time to repair (MTTR)
- Maximum tolerable amount of data loss
- Directly related to backup frequency
Recovery point objective (RPO)
- Maximum tolerable amount of downtime
- Return systems and data to usable state
Recovery time objective (RTO)
- Top secret
- Secret
- Confidential
Government/military classification
- PII (personally identifiable information)
- PHI (protected health information)
- Proprietary
- Public/private
- Critical
- Financial
Standard classification
- Ensure data privacy and breach notification
- Levy fines
- Protect intellectual property (IP)
Data Privacy Standards
- Any method of applying metadata
- Example: cloud resource tagging
Data Classification Tools
- Legal data owner
- Set policies on how data will be managed
Owner
Ensure data complies with applicable regulations
Controller
Handles data in accordance with privacy guidelines
Processor
Responsible for managing data (permissions, backup) in alignment with
data owner policies
Custodian/steward
Ensures data privacy regulation compliance such as with GDPR
Data privacy officer (DPO)
- Collect
- Store
- Process
- Share
- Archive/delete
Information Life Cycle
One or more pieces of sensitive information that can
be traced back to an individual
Personally Identifiable Information (PII)
One or more pieces of sensitive medical information
that can be traced back to an individual
Protected Health Information (PHI)
- Pseudo-anonymization
- Data minimization
- Tokenization
- Data masking
Anonymization Techniques
Replace PII with fake identifiers
Pseudo-anonymization
Limit stored/retained sensitive data
Data minimization
A digital token authorizes access instead of the original
credentials
Tokenization
- Hide sensitive data from unauthorized users
- Masked out credit card number digits on a receipt
Data masking
Location of data and laws that apply to it
- Where did the data originate?
- Where does the data reside?
- Which laws/regulations apply to the data?
Data Sovereignty
- Standard operating procedure (SOP)
- Mandatory vacation, job rotation
- Separation of duties (multi-person control)
Personnel Management Policies
- Reduce intentional/unintentional sensitive data exfiltration
Data Loss Prevention (DLP) systems
- Legal review, regulatory compliance
- Linking companies, partners, agencies
- Vulnerability scan results
- Mandatory training/certification
- Input from IT security professionals
Interconnection security agreement (ISA)
- Contractual document stating level of service
- Guarantee service uptime
- Consequences for not meeting requirements
Service level agreement (SLA)
Broad terms of agreement between parties
Memorandum of understanding (MOU)
Detailed terms between parties
Memorandum of agreement (MOA)
- Legal document
- Responsibilities, investment, decision-making
Business partnership agreement (BPA)
Prevent sensitive data disclosure to third parties
Non-disclosure agreement (NDA)