Chapter 2 Flashcards
Risk
Vulnerability x Threat
Qualitative risk analysis
Scenarios - 1 pagers
Delphi technique - anonymous feedback/response
Quantitative risk analysis
SLE (single loss expectancy) = AV x EF (exposure factor)
ALE = SLE x ARO (annual rate of occurrence)
Risk appetite - total across all assets; WILLING to shoulder
Risk capacity - total that CAN be shouldered
Risk tolerance - single threat-asset
Risk limit - max tolerable over target level
Risk responses
Mitigation
Assign/Transfer
Deterrence
Avoidance
Acceptance
Reject/Ignore - NO NO
Total risk - controls gap = residual risk
Controls gap is amount of risk reduced by implemented security controls
Cost/benefit analysis:
ALE1 - ALE2 - ACS = value of safeguard
ACS - Annual Cost of Safeguard
Defense in depth layers of control
Asset
Administrative controls
Logical/technical controls
Physical controls
Control types
Preventive controls
Deterrent controls
Detective controls
Corrective controls
Compensating controls
Recovery controls
Directive controls
Risk Maturity Model (RMM)
Ad-hoc
Preliminary - risk mgmt process but by diff departments
Defined - Standard organization-wide
Integrated - risk mgmt integrated with business processes; metrics
Optimized - Not reactive, but strategic
Risk mgmt framework
Identify
Analyze/Prioritize
Respond
Monitor
RMF (NIST)
- For gov’t
Prepare
Categorize - assets and risk
Select - controls
Implement
Assess - implemented and operating correctly
Authorize
Monitor - ongoing re-assessment, change mgmt, reporting
CSF (Cyber security framework)
Identify
Protect
Detect
Respond
Monitor
Social Engineering
Authority
Intimidation
Urgency
Scarcity
Consensus
Familiarity
Trust
Prepending - prepend with APPROVED, AUTHORIZED, RE, FWD, etc.
Phishing
Spear phishing - targeted
Whaling - high value target phishing
Smishing - SMS phishing
Vishing - phishing over VoIP
Typo squatting
take advantage of mistyping in URLs