Class four

Question 1

Stacked Risk

Answer 1

allowing seemingly separate potential issues with potential impact (risks) affecting the same digital landscape to accumulate. Without adequate identification and resolution, individual risks can form a toxic accumulation of issues that can be leveraged together to create a risk substantially greater than the individual components suggest. Megabreaches are the result of stacked risk in combination with a motivated attacker.

Question 2

materiality

Answer 2

To have a level of significance or magnitude to be of concern.

Question 3

risk register

Answer 3

central repo that contains entries for each potential. significant loss or damage exposure. Usually needs a minimum materiality threshold. If the risk occurs, it becomes an issue rather than a risk. Items can be tracked here until the impact has been successfully managed and the root cause(s) resolved such that it is not likely to occur again.

Question 4

risk assessment

Answer 4

systemaic process for proactive detection of potential hazards or gaps in an existing or planned activity, asset, service, application, system, or product.

Question 5

STRIDE

Answer 5

Spoofing Identity (authentication)
Tampering with data (integrity)
Repudiation, or denying performing an action (non-repudiation)
Information disclosure (confidentiality)
Denial of service (availability)
Elevation of privilege (authorization)

Question 6

FAIR

Answer 6

Factor Analysis of risk

Question 7

Asset (FAIR)

Answer 7

any data, device, or other component of the environment that supports information-related activities that can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss

Question 8

Risk (FAIR)

Answer 8

Probable frequency and magnitude of future loss

Question 9

Threat (FAIR)

Answer 9

Anything capable of acting in a manner resulting in harm to an asset and/or organization - acts of God, malicious actors, errors, failures.

Question 10

Vulnerability (FAIR)

Answer 10

Probability that an asset will be unable to resist the actions of a threat agent

Question 11

Threat event frequency estimation (FAIR)

Answer 11

frequency with which a threat agent will come into contact with an asset & probability that they will act against the asset once in contact.

Question 12

Vulnerability (FAIR)

Answer 12

Dimensions - threat capability and control strength

Question 13

Threat Capability (FAIR)

Answer 13

capability of threat community to act against an asset using a specific threat. Knowledge and experience of threat agent, skill of threat agent to perform relevant actions, and resources the threat agent can bring to bear (time, money, materials).

Question 14

Control strength (FAIR)

Answer 14

How well can the asset resist compromises? (5 levels of resistance strength) Controls increase the difficulty and complexity of causing a successful threat event.

Question 15

Primary loss (FAIR)

Answer 15

Factors: Value and volume of assets at risk. Type of threat action that can be performed, internal and external and how competent they are.
Forms of loss: productivity, response (managing the loss event), replacement.

Question 16

Secondary loss (FAIR)

Answer 16

Factors: organizational, external.
Forms of loss: competitive advantage, fines/judgements, reputation

Question 17

Control categories (FAIR)

Answer 17

Avoidance (firewalls, physical barriers, moving assets elsewhere, reducing threat pop)
Deterrent (policies, logging & monitoring, enforcement practices, asset hardening, physical obstacles)
Vulnerability (authentication, access privileges, patching, configuration settings)
Responsive (backup and restore media and processes, forensics, incident response processes, credit monitoring for those whose PII was compromised)

Question 18

Complete mediation

Answer 18

enforcement of policy that every time you access something you have a security check to see if you have rights to access it.