Chapter 7 - Risk, Response and Recovery Flashcards

1
Q

What is a Risk?

A

A Risk is the likelihood that a threat will exploit a vulnerability that could lead to a loss.

2
Q

What is a Threat?

A

A Threat is any activity that can be a possible danger.

A threat can be adversarial, political, environmental, etc.

3
Q

What is a Vulnerability?

A

A Vulnerability is any weakness in a system/organization.

4
Q

What is a Loss?

A

A loss is any event that represents a negative impact for an organization.

5
Q

What is the Risk, Threat and Vulnerability formula?

A

Risk = Threat x Vulnerability

6
Q

What is a Threat Event?

A

A Threat Event occurs through a threat source.

Example: a threat actor (TA) launches a SQL injection attack.

Threat Source = Threat Actor

Threat Event = SQL injection attack

Vulnerability = Server was susceptible to SQL injection

Loss = Data loss, fines etc.

7
Q

What are the different threat sources?

A
  1. Adversarial Threat Source:
    - Active threat actors, internal or external to an organization
  2. Accidental Threat Source:
    - Accidents in a workplace such as a user accidentally deleting a database
  3. Structural Threat Source:
    - IT equipment failures or building failures
  4. Environmental Threat Source:
    - Natural disasters such as earthquakes, typhoons, etc.

8
Q

What are the 7 stages of the Cyber Kill Chain?

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Action on Objectives

9
Q

What are the different ways risks are treated by organizations?

A

Mitigate:
- Reducing vulnerabilities through the use of controls and safeguards

Avoid:
- Avoiding the risk altogether by not carrying out the activity that gives rise to it

Share or Transfer:
- Paying for services such as insurance

Accept:
- An organization can accept a risk, typically when the cost of the asset is less than the cost of mitigating the risk

Recast:
- Risk management is constantly evolving and risks must always be reconsidered and recategorized.

10
Q

What is Residual Risk?

A

Residual Risk is the amount of risk that remains after risk mitigation and countermeasures have been put in place.

Residual Risk needs to be at an acceptable level for the organization.

11
Q

What is a Risk Register?

A

A Risk Register is a central repository for the known risks to an organization.

Also known as a Risk Log, this will also contain the deployed countermeasures in relation to each of the identified risks.

A Risk Score is also associated with each entry in the Risk Register.

Risk Score = Probability x Impact

12
Q

What is the Risk Score formula?

A

Risk Score = Probability x Impact

13
Q

What is the Common Vulnerability Scoring System (CVSS)?

A

The CVSS is the open standard that organizations use to assess the severity of security vulnerabilities in systems.

Vulnerabilities are scored from 0 to 10, with 10 being the most severe.

Scores are based on several metrics, which are categorized as Base and Impact metrics.

14
Q

What are the CVSS Base Metrics?

A

Access Vector:
- How the vulnerability might be exploited

Access Complexity:
- How much technical knowledge is required to exploit the discovered vulnerability

Authentication:
- The number of times the threat actor must authenticate to exploit the vulnerability

15
Q

What are the CVSS Impact Metrics?

A

The impact metrics cover each element of the CIA triad (Confidentiality, Integrity, Availability).

16
Q

What are the two different Risk Management Frameworks?

A

NIST SP 800-37

ISO 31000:2018

17
Q

What is the difference between a Risk Assessment and Risk Management?

A

Risk Assessment is a point-in-time analysis.

Risk Management is an ongoing practice.

18
Q

What is Threat Modelling?

A

Threat Modelling attempts to predict and model an attack against a system using various tools.

Step 1: Identify and Characterize the system & data of interest
- Evaluation of the data flowing through the system

Step 2: Identify and Select the attack vectors included in the model
- Which types of attack and tools are to be modelled against the system

Step 3: Identification of security controls to mitigate the attack
- The security controls in place to mitigate the attack are identified and evaluated

Step 4: Threat Model analysis
- The threat model is analysed holistically to evaluate the entire system, along with suggestions for improvements and additional countermeasures

19
Q

What is Quantitative Analysis?

A

Quantitative Analysis is numerical analysis used to identify potential costs and the associated risks to an organization.

Results are expressed in monetary terms to identify costs and justify them to the organization.

20
Q

What is Single Loss Expectancy (SLE)?

A

Single Loss Expectancy is the cost associated with a single occurrence of a risk event.

For example, total destruction of a site would cost £x.

21
Q

What is Exposure Factor (EF)?

A

Exposure Factor is the magnitude of a loss as a percentage of an asset value.

How much exposure is associated with a risk event.

If a building is insured for 75% of its total value, the organization's exposure would be 25% of the building's total value.

Single Loss Expectancy with Exposure Factor = SLE * EF%

22
Q

What is Annual Rate of Occurrence (ARO)?

A

The Annual Rate of Occurrence is how often an SLE is expected to occur on a yearly basis.

23
Q

What is Annual Loss Expectancy (ALE)?

A

Annual Loss Expectancy is the annual cost of a risk event.

Annual Loss Expectancy = Single Loss Expectancy * Annual Rate of Occurrence.

For example:

Service Loss has an ARO = 5

Service Loss has SLE = £10,000

Annual Loss Expectancy = £50,000

24
Q

What is Cost of Control (COC)?

A

Cost of Control is the cost of implementing a control.

This can be calculated as a one-off cost or as a continual cost to maintain the control.

25
Q

What is Qualitative Analysis?

A

Qualitative Analysis is the subjective analysis used in risk management.

It is often difficult to back up with data, but it provides a good way to determine which risk needs to be addressed first.

A qualitative risk matrix is typically used, where:

Y-axis = Event Likelihood

X-axis = Event Impact

26
Q

What are the 6 steps of Incident Lifecycle Management?

A
  1. Preparation
  2. Detection, Analysis and Escalation
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned