Chapter 8: Using Risk Management Tools Flashcards
What is Risk?
The likelihood that a threat will exploit a vulnerability.
What is Vulnerability?
A weakness in a system, application, or process.
What is Impact?
The magnitude of harm that can be caused if a threat exploits a vulnerability.
What is Probability?
How often we expect risk to occur, if at all.
Can you totally eliminate risk?
NOPE.
What is a Threat?
A potential danger that might take advantage of a vulnerability. It’s any circumstance or event that can compromise an organization’s CIA.
What are examples of Threats?
Malicious Human Threats, Accidental Human Threats, and Environmental Threats.
What are Malicious Human Threats?
Intentional harmful actions by an individual, such as hackers or insiders, aiming to damage or exploit systems.
What are Accidental Human Threats?
Unintentional actions by users that cause harm, like mistakes or falling for scams.
What are Environmental Threats?
Natural events (like fire, floods, or storms) that can damage IT infrastructure.
What is Threat Assessment?
The process of identifying and evaluating potential threats to determine risk.
What is Risk Identification?
The process of pinpointing potential risks that could impact an organization.
What are some Risk Types?
Internal, External, Intellectual Property Theft, Software Compliance/Licensing, Legacy Systems and Legacy Platforms.
What is an Internal Risk?
A risk that arises from within the organization, like insider threats or system errors.
What is an External Risk?
A risk that originates outside the organization, like cyberattacks or vendor failures.
What is Intellectual Property (IP) Theft?
Stealing or using someone’s protected creations, like code or trade secrets, without permission.
What is Software Compliance/Licensing?
Following legal software usage rules to avoid penalties or legal issues.
What risk do Legacy Systems/Platforms pose?
They may lack updates or support, increasing security and operational vulnerabilities.
What are some examples of Vulnerabilities?
Default Configuration, Lack of Malware Protection or Dated Definitions, Improper or Weak Patch Management, Lack of Firewalls, or Lack of Organizational Policy.
What is Risk Management?
The process of identifying, evaluating, and mitigating risks to reduce harm to the organization.
What is Risk Awareness?
Awareness of existing and potential threats within a system and the need to address and mitigate them.
What is Inherent Risk?
The risk present before applying any mitigation or controls.
What is Residual Risk?
The risk that remains after controls have been applied.
What is Control Risk?
The risk of a control failing to mitigate or detect a threat.
What is Risk Appetite?
The level of risk an organization is willing to accept.
What is Expansionary Risk Appetite?
Willingness to take more risk for potential growth.
What is Conservative Risk Appetite?
A preference for low risk and high control.
What is Neutral Risk Appetite?
A balanced approach to taking and avoiding risk.
What is Risk Tolerance?
The specific amount of risk an organization can endure.
What are some Risk Management strategies?
Avoidance, Mitigation, Acceptance, Transference, and Cybersecurity Insurance.
What is a Risk Assessment?
The evaluation of risks to determine their impact and likelihood.
What is Continuous Risk Assessment?
Ongoing identification and evaluation of risks.
What is an Asset?
Any product, system, resource, or process that an organization values.
What is Asset Value (AV)?
Identifies the value of the asset to the organization. Typically, it’s a specific monetary value.
What is Risk Control Assessment?
An evaluation of the effectiveness of controls.
What is Risk Control Self-Assessment?
A self-led evaluation of risks and control effectiveness.
What is Quantitative Risk Assessment?
A risk evaluation using measurable, numerical data (typically monetary value).
What is Exposure Factor (EF)?
The portion of an asset that we expect would be damaged if a risk materializes.
What is Single Loss Expectancy (SLE)?
The cost of any single loss of a specific asset. Formula: (SLE = AV X EF).
What is Annualized Rate of Occurrence (ARO)?
Indicates how many times the loss will occur in a year. It is a measure of probability.
What is Annualized Loss Expectancy (ALE)?
Designed to help organizations prioritize risks and quantitatively assess their impact on an organization. Formula: (ALE = SLE X ARO).
What is Qualitative Risk Assessment?
Risk evaluation based on subjective ratings rather than numbers.
What is the Likelihood of Occurrence?
The probability that a threat will exploit a vulnerability.
What is Risk Reporting?
The process of sharing risk-related info with stakeholders to inform decision-making.
What is Risk Analysis?
Identifying and assessing risks to inform mitigation strategies.
What are Key Risk Indicators (KRIs)?
Metrics used to predict the likelihood or impact of risk events.
What is a Risk Register?
A log that tracks identified risks, their severity, and response strategies.
What is a Risk Matrix?
A chart used to evaluate and rank risks based on likelihood and impact.
What is a Supply Chain?
A network of organizations and processes for producing and delivering products or services.
What is a Vulnerability Assessment?
A scan to detect weaknesses in systems and applications.
What is a Network Scanner?
A tool used to identify devices and services on a network.
What is an ARP Ping Scan?
Uses ARP requests to identify live hosts on a LAN.
What is a SYN Stealth Scan?
A port scan technique that sends SYN packets to probe for open ports without completing the connection.
What is a Port Scan?
A method to identify open ports and services on a host.
What is a Service Scan?
Detects active services and their versions on open ports.
What is OS Detection?
Identifies the operating system running on a remote device.
What is a Vulnerability Scanner?
A tool that identifies known security weaknesses in systems or networks.
What is the Common Vulnerabilities and Exposures (CVE) list?
A list of publicly known cybersecurity vulnerabilities maintained by MITRE.
What is the Common Vulnerability Scoring System?
A numeric rating (0-10) used to indicate the severity of vulnerabilities.
What is the Security Content Automation Protocol (SCAP)?
A suite of protocols for automating security assessments and compliance.
What are some good ways to Prioritize Vulnerabilities?
Vulnerability classification, Environmental variables, Industry/Organizational impact, Risk Tolerance/Threshold.
What is typically the output of a vulnerability scan?
A list of hosts discovered, a detailed list of apps running on each host, a detailed list of open ports and services on each host, and a list of vulnerabilities discovered.
What are Passive Testing Security Controls?
Non-intrusive security testing using logs, traffic analysis, and system behavior observation.
What is a False Positive?
When a vulnerability scanner reports a host for a vulnerability it doesn’t actually have.
What is a False Negative?
When a vulnerability scanner doesn’t report a host for a vulnerability it does actually have.
What is a True Positive?
When a vulnerability scanner correctly identifies a vulnerability.
What is a True Negative?
When a vulnerability scanner correctly identifies no vulnerability.
What is a Credentialed Scan?
A vulnerability scan using valid credentials to assess internal system risks.
What is a Non-credentialed Scan?
A scan without credentials to find vulnerabilities as an outsider would.
What is a Configuration Compliance Scanner?
A tool that ensures systems meet security configuration standards.
What is Penetration Testing?
Ethical hacking to test a system’s security by simulating real attacks.
What is Physical Penetration Testing?
Security test by trying to gain unauthorized physical access.
What is Offensive Penetration Testing?
Security testing by actively seeking and exploiting system vulnerabilities.
What is Defensive Penetration Testing?
Tests how effectively defenses detect and respond to simulated attacks.
What is Integrated Penetration Testing?
A full-scope test combining offensive, defensive, and other methods.
What are Rules of Engagement?
Predefined terms outlining how a penetration test will be conducted.
What is Reconnaissance? AKA footprinting.
Info gathering about a target before an attack.
What is Passive Reconnaissance?
Gathering data without alerting or touching the target.
What is Active Reconnaissance?
Interacting directly with a target to gather info.
What is Network Reconnaissance and Discovery?
Mapping out devices and services on a network.
What is an IP Scanner?
Tool to find active IPs in a network.
What is Nmap?
A tool to scan networks, identify hosts, and find open ports.
What is Netcat (nc)?
A network tool for data transfer, port scanning, and diagnostics.
What is Scanless?
A tool to perform port scans using external servers to avoid detection.
What is DNSenum?
A DNS recon tool that finds domains, records, and zone transfers.
What is Nessus?
A vulnerability scanner that detects weaknesses in systems and networks.
What is Hping?
A network tool for creating custom TCP/IP packets for testing security.
What is Sn1per?
An automated tool for network reconnaissance and vulnerability scanning.
What is cURL?
A tool used to transfer data between servers, often used in penetration testing.
What is Network Footprinting?
The process of gathering detailed info about a network for security assessments.
What is Operating System (OS) Fingerprinting?
Gathering info about the operating system used in a network to identify vulnerabilities.
What is Persistence?
The ability to maintain access to a compromised system over time.
What is Lateral Movement?
The process of moving within a network to expand access or escalate privileges.
What is Privilege Escalation?
Gaining higher access privileges on a system through exploits or misconfigurations.
What is Pivoting?
Using a compromised system to attack other systems on the same network.
What is Unknown Environment Testing?
Security testing done without prior knowledge of the system or infrastructure.
What is Known Environment Testing?
Security testing conducted with full knowledge of the system and infrastructure.
What is Partially Known Environment Testing?
Security testing with partial knowledge of the system or infrastructure.
What is Cleanup?
The last step of a penetration test which includes removing all traces of the penetration tester’s activities from affected systems.
What is a Responsible Disclosure (RD)?
Reporting vulnerabilities to organizations before making them public to allow time for fixes.
What is a Bug Bounty?
A program that rewards individuals for identifying and reporting vulnerabilities in systems or software.
What are System/Process Audits?
Evaluation of systems or processes for compliance with security standards and best practices.
What is Intrusive Testing?
Testing where attacks are intentionally executed on a system to identify and exploit vulnerabilities.
What is Non-Intrusive Testing?
Testing that does not interfere with or harm the system, often involving passive or scanning methods.
What is Packet Capture?
Intercepting and recording network traffic to analyze data packets for security or troubleshooting.
What is a Protocol Analyzer? AKA sniffer.
A tool that captures and analyzes network protocols to assess and troubleshoot network traffic.
What is TCPreplay?
A tool that replays and manipulates network traffic for testing and vulnerability assessment.
What is TCPdump?
A command-line tool used to capture and display network packet data.
What is Netflow?
A network protocol for monitoring and analyzing traffic flow data to assess network performance.
What is a Framework?
A structure used to provide a foundation.
What is the International Organization for Standardization (ISO)?
An international organization that creates standards to ensure quality, safety, and efficiency.
What is ISO 27001?
An international standard for information security management systems (ISMS).
What is ISO 27002?
A set of best practice guidelines for implementing information security controls.
What is ISO 27701?
An extension to ISO 27001 & 27002 focusing on privacy and personal data management.
What is ISO 31000?
A standard for risk management, providing guidelines for systematic and structured risk management.
What is the National Institute of Standards and Technology (NIST)?
A U.S. federal agency that develops standards and guidelines, especially for cybersecurity.
What is the Risk Management Framework (RMF)?
A structured NIST approach for managing cybersecurity risks throughout the system life cycle using defined steps.
What is RMF’s seven-step process to identify and mitigate risk?
Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
What is the NIST Cybersecurity Framework (CSF)?
A voluntary framework for managing and reducing cybersecurity risks using industry best practices.
What are the three components of NIST’s CSF?
Core, Tiers, and Profile.
In regards to NIST’s CSF, what is a Core?
A set of cybersecurity activities organized under Identify, Protect, Detect, Respond, and Recover.
In regards to NIST’s CSF, what are Tiers?
Levels that indicate how well an organization manages cybersecurity risk, from Partial (Tier 1) to Adaptive (Tier 4).
In regards to NIST’s CSF, what is a Profile?
A tailored alignment of the CSF Core to match an organization’s unique risk tolerance and goals.
What is Reference Architecture?
A standardized template or blueprint for designing and integrating systems securely.
What are Audits?
A formal evaluation of a system to verify compliance with policies, standards, or regulations.
What are External Audits?
A third-party evaluation of an organization’s compliance with standards or regulations.
What are Internal Audits?
A self-conducted audit to monitor compliance and identify gaps internally.
What is a Gap Analysis?
A comparison of current security practices to desired ones to identify missing controls.
What are Assessments?
An informal evaluation to identify vulnerabilities and weaknesses in an organization’s security.
What is Attestation?
A formal statement declaring that an organization meets specific security standards or requirements.