Chapter 1 Risk Management Flashcards
What is a big part of the discussion when it comes to cybersecurity today?
Business risk.
What are the foundational concepts of cybersecurity?
Assets, threats, threat actors, vulnerabilities, and the CIA triad (Confidentiality, Integrity, Availability).
What are assets in cybersecurity?
Personal information, photos, bank information, and other valuable data we want to keep secure.
What represents a threat in the analogy of cybersecurity?
A pirate sneaking up to steal the golden coins.
How is risk defined in cybersecurity terms?
The potential for a threat to exploit a vulnerability and cause harm to assets.
What is the essence of cybersecurity?
Understanding and protecting assets, recognizing risks, addressing vulnerabilities, and minimizing risks.
What is the CIA triad in cybersecurity?
Confidentiality, Integrity, and Availability.
What does confidentiality ensure in cybersecurity?
Data is only accessible to those who have the authority to view it.
What can unauthorized access lead to in terms of confidentiality?
Data breaches with legal and reputational consequences.
What does integrity ensure in cybersecurity?
Data remains unaltered and genuine.
Why is integrity important in a banking system?
It ensures that the amount deducted from one account matches the amount added to another, preventing mistrust and financial loss.
What does availability ensure in cybersecurity?
Systems, applications, and data are available and operational when needed.
Why is availability crucial in a hospital setting?
The database of patients must be available, especially during emergencies, to prevent financial losses, hindered operations, or endangering lives.
What is the role of the CIA triad in dealing with cybersecurity threats?
It serves as a trusted shield to address and manage threats effectively.
What are threat actors in cybersecurity?
Individuals or groups that pose a threat to digital assets, such as unskilled hackers, hacktivists, insider threats, and shadow IT.
What factors determine the threat level of a threat actor?
Resources, funding, sophistication, and capability.
How are threat actors categorized based on their relation to a company?
Internal or external to the company.
Describe unskilled hackers in the treasure chest analogy.
Rookie pirates in rickety boats using basic maps and readily available hacking tools.
What are the characteristics of unskilled hackers?
External, low resources, low funding, low sophistication, low capability.
Who are hacktivists in the context of cybersecurity?
Pirates that hack to promote a political or social agenda, akin to pirates trying to overthrow a tyrant.
What are the characteristics of hacktivists?
External, low resources, low funding, low sophistication, low capability.
What makes insider threats particularly dangerous?
They are part of the company’s trusted crew with intimate knowledge of the company’s secrets.
What are the characteristics of insider threats?
Internal, high resources (company’s resources), low funding, variable sophistication, high capability.
What is shadow IT in companies?
Unauthorized apps or services used by employees, creating vulnerabilities inadvertently.
What are the characteristics of shadow IT?
Internal, high resources, low funding, variable sophistication, high capability.
What is an application allow list?
A list of trusted applications allowed access through the security gate, keeping unknown or potentially dangerous ones out.
Why is an application allow list important in cybersecurity?
It ensures only known and trusted applications get access, bolstering defenses against unwanted intruders.
What analogy is used for an application allow list?
A diligent guard at a special gate, allowing only trusted pirates (applications) to approach the treasure.
What is the importance of threat intelligence in cybersecurity?
To be aware of the latest threats, prevent them from affecting systems, and reduce incident response time.
What is TTP in cybersecurity?
Adversary Tactics, Techniques, and Procedures.
How does TTP help in cybersecurity?
By providing step-by-step methods used by attackers to gain access or crash a system, allowing for proactive security measures.
What is the benefit of tools that provide graphical representations of threats?
They offer a live geographical map showing where malware threats are currently active and additional details about affected sectors.
What is open source intelligence (OSINT)?
Publicly available information sources like government reports, media reports, academic reports, and freely available online tools.
What is closed source or proprietary intelligence?
Private threat intelligence sources that require a subscription or vendor sign-up to access the latest threat information.
What is the Google Hacking Database (GHDB)?
An example of open source intelligence, hosted on Exploit-DB, that catalogs Google search queries which reveal potentially sensitive information exposed online.
What are common vulnerabilities and exposures (CVEs)?
Publicly known vulnerabilities, each with a unique identifier (for example, CVE-2017-5638), tracked internationally and freely available, making them an example of OSINT.
What was a known vulnerability used in the Equifax hack of 2017?
Apache Struts vulnerability CVE-2017-5638.
What is the dark web, and why is it relevant for threat intelligence?
A part of the internet not indexed by search engines, accessible through the Tor network, used for anonymous and encrypted communication.
How does the Tor network work?
By routing traffic through multiple relays worldwide, wrapped in layers of encryption so that no single relay sees both the origin and the destination, which masks the origin location.
What is automated indicator sharing (AIS)?
A method for automatically sharing threat intelligence information among different software programs and enterprises.
What is the Structured Threat Information Expression (STIX) format?
A specialized format for packaging threat intelligence information understood by many dissimilar systems.
What is the Trusted Automated eXchange of Intelligence Information (TAXII) standard?
A standard for transmitting STIX-formatted threat intelligence over the network (it runs over HTTPS), often integrated into security monitoring tools.
How do open source and closed source threat intelligence differ?
Open source is freely available to the public, while closed source requires a subscription or vendor sign-up.
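The STIX and TAXII cards above describe the packaging format but not what a packaged object looks like. The following added example (written for this page, not taken from any vendor feed or from the STIX reference implementation) builds a minimal STIX 2.1 bundle by hand with one indicator and one vulnerability object, then shows the consumer side: pulling the IPv4 addresses out of indicator patterns for a block list and the CVE identifiers out of vulnerability references. The address 192.0.2.10 is a documentation-range value, not a real indicator; TAXII itself is only the transport and is not exercised here.

```python
"""Build and consume a minimal STIX 2.1 bundle (added example, hand-built JSON,
not from any specific TAXII feed or vendor product)."""
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX 2.1 timestamps are RFC 3339 in UTC with millisecond precision and a trailing "Z".
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name: str, pattern: str) -> dict:
    """A STIX Indicator object; the pattern uses the STIX patterning language."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_vulnerability(cve_id: str, name: str) -> dict:
    """A STIX Vulnerability object that links back to the public CVE entry."""
    ts = _now()
    return {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": f"vulnerability--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "external_references": [{"source_name": "cve", "external_id": cve_id}],
    }


def make_bundle(objects: list) -> str:
    """Wrap objects in a STIX Bundle and serialize to JSON, which is what TAXII carries."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})


# Matches the simplest STIX comparison expression, e.g. [ipv4-addr:value = '192.0.2.10']
_IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")
_CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


def extract_block_list(bundle_json: str) -> list:
    """Consumer side: collect IPv4 indicators from a bundle to feed a firewall block list."""
    bundle = json.loads(bundle_json)
    ips = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            ips.extend(_IPV4_PATTERN.findall(obj.get("pattern", "")))
    return ips


def extract_cves(bundle_json: str) -> list:
    """Consumer side: collect well-formed CVE identifiers from vulnerability objects."""
    bundle = json.loads(bundle_json)
    cves = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "vulnerability":
            continue
        for ref in obj.get("external_references", []):
            ext_id = ref.get("external_id", "")
            if ref.get("source_name") == "cve" and _CVE_ID.match(ext_id):
                cves.append(ext_id)
    return cves


if __name__ == "__main__":
    # Constructed sample: 192.0.2.10 is a documentation-range address, not a real IoC.
    bundle = make_bundle([
        make_indicator("Constructed C2 address", "[ipv4-addr:value = '192.0.2.10']"),
        make_vulnerability("CVE-2017-5638", "Apache Struts remote code execution"),
    ])
    print(extract_block_list(bundle), extract_cves(bundle))
```

The point of the exercise is the last two functions: because every producer emits the same object types and field names, one consumer can process bundles from a government CERT feed and a commercial vendor feed identically. A real consumer would use a STIX pattern parser rather than a regular expression, since patterns can combine several comparisons with AND/OR.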
What are risk vectors in cybersecurity?
Points or factors through which threats can exploit vulnerabilities, including mission-critical IT systems, third-party access, and physical access controls.
What must be considered to manage risks related to data?
Knowing what data you have, where it resides, and which third parties have access to it.
What is an access control vestibule or mantrap?
A security feature where a second internal door opens only after the first external door has closed and locked.
Why is limiting booting from removable media important?
To prevent unauthorized access or actions such as resetting an administrator password by booting the machine from external media.
What is a Risk Management Framework (RMF)?
A structured approach to managing risks, including best practices and standards from organizations like CIS, NIST, and ISO/IEC.
What is NIST SP 800-30 Revision 1?
NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments: step-by-step guidance on identifying assets, threats, vulnerabilities, and the resulting risks.
What is the General Data Protection Regulation (GDPR)?
A regulation protecting the personal data of individuals in the EU, applicable regardless of where the data is processed or stored.
What is HIPAA?
The Health Insurance Portability and Accountability Act, designed to protect American patient medical information.
What is PCI DSS?
The Payment Card Industry Data Security Standard, applying to any organization dealing with cardholder information, providing recommendations for protecting this data.
How are security policies crafted within an organization?
By mirroring requirements from standards, laws, and regulations to manage risk effectively.
What are acceptable use policies (AUPs)?
Policies dictating how employees can use company resources, like email and internet access, for business purposes only.
What are resource access policies?
Policies determining how employees can access apps, files, and other resources within the organization.
What are account policies?
Policies specifying requirements for account security, such as multi-factor authentication and complex passwords.
What are data retention policies?
Policies that dictate how long data must be retained to comply with industry regulations.
What are change control and asset management policies?
Change control policies ensure changes to IT systems are implemented in a controlled, repeatable, and documented manner; asset management policies ensure hardware, software, and data assets are inventoried and tracked.
Why is it important to manage third-party components and entities in cybersecurity?
They represent additional attack vectors that can introduce vulnerabilities into the system.
What is the purpose of a security control in cybersecurity?
To mitigate a threat, such as using a malware scanner to prevent malware infections.
How are security controls applied differently?
They vary depending on whether they are implemented at the network level, user station, or web application server.
What are the categories of security controls?
By type: Managerial/Administrative, Operational, Technical, and Physical. By function: Detective, Corrective, Deterrent, and Compensating.
What are managerial or administrative controls?
Controls that dictate what should be done, like performing employee background checks on new hires.
What are operational controls?
Controls carried out by people rather than by systems, such as periodic reviews of security policies or security awareness training.
What are technical security controls?
Controls implemented in technology, such as firewall configurations and malware scanners.
What are physical security controls?
Controls like access control vestibules or mantraps to prevent unauthorized physical access.
What are detective security controls?
Controls that detect security incidents, like log files or closed-circuit television logs.
What are corrective security controls?
Controls that correct a negative incident, like patching known vulnerabilities.
What are deterrent security controls?
Controls like device logon banners that deter unauthorized access by warning users of legal consequences.
What are compensating controls?
Alternative controls used when the desired control is too expensive, complicated, or takes too long to implement, such as network isolation for insecure IoT devices.
What is Shodan.io and its relevance to security controls?
A search engine that indexes internet-exposed devices and the service banners they return, making it easy to find systems that lack proper security controls.
What is the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)?
A framework providing guidelines for applying security controls in cloud environments.
What is PCI DSS and its relevance to security controls?
The Payment Card Industry Data Security Standard, which includes requirements for protecting cardholder information through specific security controls.
What are some examples of security controls in PCI DSS?
Change management, removing test data, and ensuring no sensitive data artifacts remain.
What is an example of a risk, attack vector, and security control related to online banking credentials?
Risk: Theft of banking credentials. Attack Vector: Phishing campaigns. Security Controls: User security awareness, antivirus software, spam filters.
What is the first step in managing risk in an enterprise?
Conducting a risk assessment to prioritize threats against assets and determine actions to mitigate those threats.
Can risk assessments be conducted for smaller units within an enterprise?
Yes, risk assessments can be done for specific projects, departments, systems, or company mergers/acquisitions.
What are some targets of risk assessments?
Individual servers, legacy systems, theft of intellectual property, and software licensing compliance.
Why is awareness of cybersecurity threats important for those conducting risk assessments?
It ensures that they can identify and evaluate potential risks and implement appropriate security controls.
What is residual risk?
The remaining risk after security controls have been implemented.
Why is continuous monitoring of security controls important?
Because a security control effective today may no longer be effective in the future, necessitating periodic reviews.
What are some types of risks to consider in a risk assessment?
Environmental risks, human-made risks, internal risks, and external risks.
What is risk treatment?
The process of deciding how to address or manage identified risks.
What is risk mitigation or reduction?
Implementing security controls proactively to minimize the impact of potential threats.
What is risk transference or sharing?
Transferring some risk to another party, such as through insurance.
What is risk avoidance?
Choosing not to partake in an activity because the potential benefits do not outweigh the risks.
What is risk acceptance?
Accepting the risk as it is, without implementing any additional security controls, because it falls within the organization’s risk appetite.
How does risk acceptance differ from risk mitigation?
Risk acceptance involves taking on the risk without additional controls, while risk mitigation involves implementing controls to reduce the risk.
Give an example of risk avoidance.
Not partaking in swimming in a lake to avoid the risk of drowning.
What is a practical example of risk mitigation?
Wearing a life jacket while swimming to reduce the risk of drowning.
What should be considered when managing risk in an organization?
Conducting risk assessments, understanding different types of risks, and determining appropriate risk treatments.
What is a qualitative risk assessment?
A risk assessment based on subjective opinions, considering factors like the likelihood of a threat occurring and the impact of that threat on an asset.
What factors are considered in a qualitative risk assessment?
Likelihood of a threat occurring, impact of the threat, and severity level rating.
Why might severity ratings differ in qualitative risk assessments?
Because they are subjective and can vary depending on who is conducting the assessment.
What is a risk register?
A centralized list of risks with severity level ratings, responsible parties for incident response, and mitigating controls in place.
What information is typically included in a risk register?
Risk number, date, title, likelihood (high/low/medium), impact (high/low/medium), risk owner, and mitigation measures.
How are risks typically rated in a qualitative risk assessment?
Using qualitative numbers like high, low, and medium for likelihood and impact.
What is a risk heat map?
A visual representation of risks from a risk register, using colors to indicate the level of risk.
How are risks identified in a risk heat map?
By referencing the risk numbers from the risk register within colored blocks on the heat map.
What does a red block on a risk heat map indicate?
A high level of risk or high impact.
What is a risk matrix?
A likelihood-by-impact grid holding the same risk details as a heat map, but without color coding.
How do qualitative and quantitative risk assessments differ?
Qualitative assessments are subjective and based on severity levels, while quantitative assessments are based on hard numbers.
Can a risk register contain dollar values?
Yes, but it is usually qualitative in nature.
What might an incident response plan (IRP) number in a risk register refer to?
A specific plan in place to respond to a particular risk.
Why is a risk heat map useful?
It provides a visually compelling way to understand the relative severity of different risks.
What is the main advantage of using a qualitative risk assessment?
It helps manage risks based on subjective evaluations when quantitative data is not available or sufficient.
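The cards on risk registers, severity ratings and heat maps describe a small data structure that is easiest to understand by building it. The following added example (written for this page; the register entries, the high/medium/low scale and the cell colour thresholds are constructed assumptions) keeps a qualitative register, scores each entry as likelihood times impact on a 1 to 3 ordinal scale, ranks the entries, and renders the heat map as text with the risk numbers placed in their cells, as the cards describe.

```python
"""Qualitative risk register rendered as a heat map (added example; the entries are
constructed, and the high/medium/low scale and cell colours are assumptions)."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal labels, not measurements


@dataclass
class Risk:
    number: int
    title: str
    likelihood: str       # "low" | "medium" | "high"
    impact: str           # "low" | "medium" | "high"
    owner: str
    mitigation: str
    irp: str = ""         # incident response plan reference, if one exists

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if value not in LEVELS:
                raise ValueError(f"rating must be one of {sorted(LEVELS)}: {value!r}")

    def score(self) -> int:
        """Likelihood x impact on the 1..3 scale; only useful for ordering, not as money."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def severity(likelihood: str, impact: str) -> str:
    """Colour a heat-map cell: red for 6..9, amber for 3..4, green for 1..2 (assumed thresholds)."""
    s = LEVELS[likelihood] * LEVELS[impact]
    return "red" if s >= 6 else "amber" if s >= 3 else "green"


def rank(register: list) -> list:
    """Risk numbers ordered by score, highest first; ties keep register order."""
    return [r.number for r in sorted(register, key=lambda r: (-r.score(), r.number))]


def heat_map(register: list) -> dict:
    """Map each (likelihood, impact) cell to the risk numbers that fall in it."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.number)
    return cells


def render_heat_map(register: list) -> str:
    """Text rendering: impact down the side, likelihood across, risk numbers in each cell."""
    cells = heat_map(register)
    cols = ["low", "medium", "high"]
    lines = ["impact \\ likelihood | " + " | ".join(c.ljust(12) for c in cols)]
    for imp in reversed(cols):
        row = []
        for lik in cols:
            nums = ",".join(str(n) for n in cells.get((lik, imp), [])) or "-"
            row.append(f"{severity(lik, imp)}:{nums}".ljust(12))
        lines.append(f"{imp.ljust(19)} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed register entries, loosely following the page's own examples.
REGISTER = [
    Risk(1, "Theft of online banking credentials via phishing", "high", "high",
         "CISO", "awareness training, spam filtering, antivirus", irp="IRP-03"),
    Risk(2, "Unpatched legacy application server", "medium", "high",
         "IT ops", "isolate on a separate network segment, patch schedule"),
    Risk(3, "Shadow IT file-sharing service in use", "medium", "medium",
         "IT ops", "application allow list"),
    Risk(4, "Software licensing non-compliance", "low", "medium",
         "Procurement", "annual licence audit"),
]

if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    print("priority order:", rank(REGISTER))
```

Two things the code makes visible that the cards only state: the product of two ordinal labels is still subjective (a "medium" from one assessor is not the same as a "medium" from another), so the score is only good for ordering risks, and the colour thresholds are a policy decision that the organization has to agree on before the map means anything.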
Why is it important to consider security at all phases of the information lifecycle?
Because adding Band-Aid solutions at the end is more costly, takes more time, and is less effective than integrating security throughout the lifecycle.
What is a crucial aspect to consider when collecting data under regulations like GDPR?
Obtaining clear and explicit consent from European Union citizens for collecting and using their data.
What are the phases of the information lifecycle?
Collection, storage, processing, sharing, archival, and deletion of data.
What is personally identifiable information (PII)?
Information that can uniquely identify an individual, such as social security numbers, email addresses, credit card numbers, and home addresses.
What is protected health information (PHI)?
Medical information that can be tracked back to a person, including health insurance numbers, blood type, and patient medical conditions.
What is anonymization in data privacy?
The process of removing or replacing sensitive information that can tie data back to an individual while retaining the rest for analysis.
How does GDPR treat anonymized data collection and use?
Data that is truly anonymized is no longer personal data, so GDPR does not require consent to collect or use it; pseudonymized data does not get this exemption.
What is pseudonymization (sometimes called pseudo-anonymization)?
Replacing direct identifiers (name, email address, account number) with artificial identifiers or keyed hashes so that a record cannot be attributed to a person without separately held additional information. Unlike anonymization it can be re-identified with that information, so the data remains personal data under GDPR.
What is data minimization?
Limiting the amount of data stored or retained to only what is necessary and legally allowed.
What is tokenization in data privacy?
Using a unique token to represent sensitive information, such as credit card numbers, to ensure the actual data is not transmitted or exposed.
What is data masking?
An obfuscation technique that hides part or all of a value when it is displayed or copied, such as showing only the last four digits of a credit card number or replacing password characters with asterisks.
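The cards on anonymization, pseudonymization, data minimization, tokenization and masking describe techniques that are often confused with one another. The following added example (written for this page, not from any library or product; the customer record and the card number 4111 1111 1111 1111 are constructed test values) puts them side by side on one record so the differences are concrete: masking is irreversible, tokenization is reversible only by the vault, a keyed pseudonym is stable but cannot be recomputed without the key, and minimization simply drops what is not needed.

```python
"""Data masking, tokenization, keyed pseudonymization and minimization side by side
(added example; the record and card number are constructed test values)."""
import hashlib
import hmac
import secrets


def mask_card(pan: str) -> str:
    """Masking: hide all but the last four digits for display; there is no way back."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Tokenization: a random token stands in for the PAN everywhere outside the vault.
    The token carries no information about the PAN; only the vault can map it back."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)       # 96 bits of randomness
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]                  # KeyError for unknown tokens


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for the same key, so records can still be
    joined for analysis, but it cannot be reversed or recomputed without the separately
    held key. Pseudonymized data is still personal data under GDPR."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()[:24]


def minimize(record: dict, keep: set) -> dict:
    """Data minimization: drop every field the downstream purpose does not need."""
    return {k: v for k, v in record.items() if k in keep}


def prepare_for_analytics(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Combine the four techniques on one constructed customer record."""
    out = minimize(record, keep={"email", "card", "postcode", "spend"})
    out["customer"] = pseudonymize(out.pop("email"), key)   # pseudonym instead of email
    out["card_token"] = vault.tokenize(out.pop("card"))      # token instead of PAN
    out["card_display"] = mask_card(vault.detokenize(out["card_token"]))
    return out


if __name__ == "__main__":
    record = {"name": "A. Example", "email": "a.example@example.com",
              "card": "4111 1111 1111 1111", "postcode": "12345", "spend": 42.0}
    vault = TokenVault()
    key = secrets.token_bytes(32)   # in practice held in a KMS/HSM, apart from the data
    print(prepare_for_analytics(record, key, vault))
```

Note what a plain unkeyed hash would get wrong here: an attacker who obtains the dataset can hash every email address they already know and match the pseudonyms, so the secret key, kept away from the analytics environment, is what makes the pseudonym hold.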
What is data sovereignty?
The principle that data is subject to the laws and regulations of the country where it is physically stored, so its location determines which legal requirements apply.
Why is it important to know where data is stored in the cloud?
Because data replication to other countries might subject the data to different laws and regulations.
What is geo-replication in cloud storage?
Storing copies of data in multiple, geographically separate regions for redundancy and availability; because each replica falls under the laws of the region it sits in, replication targets must be chosen with data sovereignty requirements in mind.
What does the GDPR require regarding data deletion for EU citizens?
Data subjects have the right to access, correct, and request the erasure of their personal data (the "right to be forgotten").
Why must security be considered throughout the entire information lifecycle?
To ensure data privacy and compliance with regulations from the point of collection to its archival and deletion.
What is the primary purpose of network scanners?
To identify devices on a network and the services they are running, helping to detect rogue devices or unnecessary services.
Why are network scanners considered “loud” on a network?
Because they send probes to every address and port in the target range, generating a large volume of traffic that intrusion detection systems can easily notice and alert on.
What kind of information can network scanners return?
IP addresses, MAC addresses, operating system types, and lists of open ports.
What is OS fingerprinting in the context of network scanning?
It is the process of identifying the operating system of a device based on network traffic patterns and responses to probes.
How can a completely locked-down host with a firewall affect network scanning results?
If the host drops all unsolicited inbound traffic it returns no replies to the probes, so most scanning tools will report it as down or filtered rather than up.
What is a baseline in network scanning?
A baseline is an initial scan of the network when everything is known to be in its correct state, used for comparison with future scans to identify changes.
Why is it important to conduct periodic network scans?
To continuously monitor and manage risk by detecting unauthorized devices or changes in network configuration.
What is Nmap?
Nmap (Network Mapper) is a free and open-source network scanning utility used to discover hosts and services on a network.
What is Zenmap?
Zenmap is the graphical user interface (GUI) for Nmap, providing a front-end interface to the Nmap command-line tool.
How can Nmap be used to scan a network?
By using the Nmap command-line tool or Zenmap GUI to specify a target host or subnet and retrieve information about discovered hosts and open ports.
What kind of output does Zenmap provide?
Zenmap provides a list of discovered hosts, their operating systems, and any open ports in a graphical interface.
How can network scanning help in identifying unauthorized devices?
By comparing current scan results to the baseline to identify new devices or changes, such as the presence of unexpected Linux hosts on a Windows-dominated network.
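The baseline-comparison workflow described in the last few cards is the part practitioners usually script rather than eyeball. The following added example (written for this page, not part of the Nmap project) parses Nmap's XML output, keeps only hosts that are up with their open ports and fingerprinted OS, and diffs a current scan against a baseline to report new hosts, vanished hosts, newly opened ports, and hosts whose OS is not what the network is supposed to run. The two XML documents are constructed to look like `nmap -oX` output and are not real scans.

```python
"""Parse Nmap XML output and diff a current scan against a baseline (added example;
the two XML documents below are constructed to look like `nmap -oX` output, not real scans)."""
import xml.etree.ElementTree as ET

BASELINE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
 <address addr="00:11:22:33:44:10" addrtype="mac"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports>
 <os><osmatch name="Microsoft Windows 10" accuracy="96"/></os></host>
<host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="135"><state state="closed"/></port></ports>
 <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os></host>
<host><status state="down"/><address addr="10.0.0.12" addrtype="ipv4"/></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
 <address addr="00:11:22:33:44:10" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/></port></ports>
 <os><osmatch name="Microsoft Windows 10" accuracy="96"/></os></host>
<host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os></host>
<host><status state="up"/><address addr="10.0.0.50" addrtype="ipv4"/>
 <address addr="DE:AD:BE:EF:00:50" addrtype="mac"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port></ports>
 <os><osmatch name="Linux 5.X" accuracy="93"/></os></host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {ip: {"mac", "os", "ports": {(proto, port), ...}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no inventory information
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        osmatch = host.find("os/osmatch")   # only present when the scan ran with -O
        hosts[ip] = {"mac": mac,
                     "os": osmatch.get("name") if osmatch is not None else None,
                     "ports": ports}
    return hosts


def diff_scans(baseline: dict, current: dict) -> dict:
    """New hosts, hosts that disappeared, and ports newly open on known hosts."""
    new_ports = {}
    for ip in baseline.keys() & current.keys():
        added = current[ip]["ports"] - baseline[ip]["ports"]
        if added:
            new_ports[ip] = sorted(added)
    return {"new_hosts": sorted(current.keys() - baseline.keys()),
            "missing_hosts": sorted(baseline.keys() - current.keys()),
            "new_ports": new_ports}


def unexpected_os(scan: dict, expected_prefix: str) -> list:
    """Hosts whose fingerprinted OS does not match what the network is supposed to run."""
    return sorted(ip for ip, h in scan.items()
                  if h["os"] is not None and not h["os"].startswith(expected_prefix))


if __name__ == "__main__":
    base, cur = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)
    print(diff_scans(base, cur))
    print("non-Windows hosts:", unexpected_os(cur, "Microsoft Windows"))
```

With real data the two documents come from something like `nmap -sS -O -oX baseline.xml 10.0.0.0/24` taken when the network is known-good and the same command run later into `current.xml` (SYN scans and OS detection need root). Because the scan is loud, run it from a designated, authorized scanner so that the IDS alerts it triggers can be attributed, and treat the 10.0.0.50 case here, a Linux host with SSH open appearing on a Windows network, as exactly the rogue-device finding the cards describe.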