Conducting Cyber Risk Assessments Flashcards
Identify Threats
Requirement
A list of the threats that could affect the assets contained within the zone or conduit shall be developed
Include
* A description of the threat source
* A description of the capability or skill-level of the threat source
* A description of possible threat vectors
* Identification of the potentially affected asset(s)
Threat Source
The threat source is the entity that can manifest a threat.
- Unauthorized internal personnel
- Authorized internal personnel
- Unauthorized external person (hacker)
- Authorized 3rd party
- Malware
- Equipment
- Environment
Threat Vector
The threat vector is the means the threat source may utilize to compromise the zone or conduit.
Identify Vulnerabilities
Requirement
The zone or conduit shall be analyzed in order to identify and document the known vulnerabilities in the assets contained within the zone or conduit, including the access points.
Vulnerability
A vulnerability is any flaw or weakness in a system’s design, implementation or operation that could be exploited to compromise the system.
Determine Consequence & Impact
Each threat identified in 5.1 and 5.2 shall be evaluated to determine the consequence and the impact of the consequence should the threat be realized. Document impact in terms of the worst-case impact on risk areas such as personnel safety, financial loss, business interruption, and environment.
Determine Likelihood
Factors:
* Frequency
- Target attractiveness
- Attack surface
* Probability
- Capability of the threat actor
- Known vulnerabilities
- Motivation/intent of the threat actor
Likelihood Scale
Unmitigated Threat Likelihood (UTL)
The UTL is the likelihood of the threat occurring and leading to the final consequence without any cybersecurity countermeasures in place.
Calculate Risk
Requirement
The initial risk for each threat shall be calculated by combining the unmitigated likelihood measure and the impact measure.
Determine Security Level Target
Requirement
An SL-T shall be established for each security zone or conduit. The SL-T is related to the Cyber Risk Reduction Factor (CRRF), which is a measure of the degree of risk reduction required to achieve tolerable risk.
CRRF = Unmitigated Risk / Tolerable Risk
Types of Security Levels (SLs)
Target
SL-T: the desired level of security for a particular system. This is usually determined by performing a risk assessment on a system and determining that it needs a particular level of security to ensure correct operation.
Achieved
SL-A: the actual level of security for a particular system. These are measured after a system design is available or when a system is in place. They are used to establish that a security system is meeting the goals that were originally set out in the target SLs.
Capability
SL-C: the security levels that components or systems can provide when properly configured. These levels state that a particular component or system is capable of meeting the target SLs natively, without additional compensating countermeasures, when properly configured and integrated.
Security Levels Defined
SL-T Example
Consider Existing Countermeasures
Requirement
Identify and evaluate the effectiveness of existing countermeasures to reduce the likelihood of threats or to mitigate vulnerabilities.
Mitigated Threat Likelihood (MTL)
The MTL is the likelihood of the threat scenario occurring and leading to the final consequence. It takes into account all protection measures and cybersecurity countermeasures in place.
Calculate the Residual Risk
Requirement
The residual risk for each threat shall be determined by combining the mitigated likelihood and impact measures.
Calculating residual risk provides a measure of the effectiveness of existing countermeasures. It is an essential step in determining whether the level of unmitigated risk is at or below the tolerable risk.
Compare Residual Risk with Tolerable Risk
The residual risk calculated for each threat shall be compared to the organization’s tolerable risk. The organization must determine if the residual risk will be mitigated, transferred or accepted based upon the organization’s policy.
Apply additional Security Countermeasures
Requirement
Appropriate security countermeasures shall be applied to mitigate the risk where the residual risk exceeds the organization’s tolerable risk, unless the organization has accepted or transferred the risk.
Document and Communicate Results
Requirement
The results of the cyber risk assessment shall be documented and shall include the date each session was conducted as well as the names and titles of the participants. Documentation that was instrumental in performing the cyber risk assessment (e.g. system architecture diagrams, PHAs, vulnerability assessments, gap assessments, sources of threat information, etc.) shall be recorded and archived along with the cyber risk assessment.
Which Security Level is defined as “Protection against intentional violation using simple means with low resources, generic skills and low motivation”?
SL-2
Which of the following is the term for the undesirable result of an incident?
Consequence
What is known as any flaw or weakness in a system’s design, implementation or operation that could be exploited to compromise the system?
Vulnerability
Which type of Security Level is the desired level of security for a particular system?
Target (SL-T)
What is the measure of the degree of risk reduction required to achieve tolerable risk?
CRRF