csrm Flashcards
Give recommendations for the market
.1Integrate cyber security in the company’s risk framework
2. Monitor if management and employees take cybersecurity seriously
3. Develop a data breach action plan
4. Monitor data classification and security policies
5. Terminate or reduce/restructure reward of board members and management in case of
cyber impact
6. Increase board cyber savviness
What is cyber security
the protection of cyber systems against cyber threats
what is a cyber threat
a threat that exploits a cyberspace. A system does no longer meets its critical functionality and it needs time to recover and adapt.
Why are there not always benefits for the costs invested in cyber security systems?
To some extended there are clear benefits but after a certain amount there are not as much returns as investments.
what are the 4 opponents of the cyber security framework?
- Spooks: governments using tools to protect national interest – including the risk of ending up in the hands of crooks.
- Crooks: Botnet herders, malware writers, spam senders, bulk account compromise, targeted attackers, and cash-out operators.
- Geeks: Experts and researchers that repot vulnerabilities – to enable fixing the vulnerability
- The swamp: Focus on person rather than on property, e.g., hacktivism and hate campaigns.
What is risk en what does risk management mean?
Risk is an uncertain event which may occur in the future. Risk management comprises coordinated activities to direct and control an organization/set of efforts about risk, based on spending less resources to achieve more goals.
which viewpoints on riskmanagement are there and what do they mean?
- Classical viewpoint: risks will be converted into an expected loss
- Modern viewpoint: The effect of uncertainty on an organizations’ ability to meet its
objectives.
what are the biggest cyber impacts
Operational disruption
- Intellectual property theft
- Drop in share price
- Loss of customer trust
- Regulatory fines
There are all kinds of security management mechanisms, but why do the organization’s cyber budget need to be invested?
to mitigate risks.
what is ISO27001
a protocol for cyber protection. It is updated in 2022 in adaption to new risks. Some new controls were added. There are four theme clauses: Organizational, people, physical and technology.
what are the 4 theme clauses of ISO27001
Organizational, people, physical and technology.
what is cyber insurance
Cyber insurance allows organizations to transfer some of the financial risks associated with cyber incidents to an insurer. The financial losses might cost associated with remediation, investigators, and crisis communication. Most cyber insurance companies are typically insurance companies offering a broader range of insurance services. Companies are AIG, Chubb, Hiscox, Liberty Mutual, HSB.
what is first party coverage
First party coverage is on the financial impact on the insured organization. It covers data breaches and cyberattacks at the insurer’s business.
what is third party coverage
Third party coverage provides liability protection in case the insured organization makes a mistake that results in a client suffering
ISO 31000 for risk management. This standard comprises three main elements. what are these?
- The risk management process: Feedback on the performance of the process is used for monitoring and reviews.
- The risk management framework: Defines the risk management process.
- A set of principles which guide risk management activities: Guide the creation of the
framework.
What steps are taken in the Risk management process (ISO 31000 standard)?
Risk assessment: Risk identification – risk analysis – risk evaluation – risk treatment. before it is important to establish the context. Define the scope for the risk management process, define organization’s objectives, establish the risk evaluation criteria.
Monitoring and review are also an important aspect: measure the risk management performance against indicators, which are periodically reviewed for appropriateness. Check for deviations from the risk management plan. Check if the risk management framework, policy, and plan is still appropriate.
Communication and consultation: Early on it helps stakeholder’s interests and concerns, to check that the risk management process is focusing on the right elements. Later, it helps explain the rationale for decisions and for particular risk treatment options.
what is the external context in the Risk management process (ISO 31000 standard)
regulatory environment, market conditions, stakeholder expectations
what is the internal context in the Risk management process (ISO 31000 standard)
organization’s governance, culture, standards and rules, capabilities,
existing contracts, worker expectations, information systems etc.
explain the Risk management cycle
- Establish the context: strategic- and organizational context, stakeholders, scope
- Identify the risks: Types of risks. Use techniques; events trees, Bayesian networks, CORAS
diagram. - Analyze the risks: Likelihood x frequency. What would be the impact?
- Evaluate the risks: Rank risks according to management priorities and risk/likelihood
- Treat the risks: consider priorities, resources, and risk acceptance
- Monitoring and review: ensure that controls are effective and efficient, detect changes. Risk
management polices and decisions must be regularly reviewed. - Communication & consolidation
- Again…
what are the Four main options for risk management?
- Risk reduction
- Risk retention
- Risk avoidance
- Risk sharing
Risk management framework
Determines
how risk management is integrated with the organization’s management system.
what should the risk management framework include
- Risk architecture: Roles and responsibilities of individuals and committees that support the risk management process
- Strategy: Objectives of the risk management activity in the organization
- Protocols: How the strategy will be implemented, and risks managed.
Risk management principles (ISO 31000)
They should influence the design and implementation of organization’s risk management framework and process.
- Creates and protects value
- Is tailored
- Part of decision making
- Transparent and inclusive
- Dynamic, iterative, and responsive to change
- Etc.
Role-based access control (RBAC)
A policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC such as role-permission, user-role and role-role relationships make it simple to perform user assignments. RBAC addresses many needs of commercial and government organizations.
- Users are associated with roles
- Roles are associated with permissions
- A user has a permission only if the user has an authorized role which is associated with that
permission.
Encryption
conversion of data from a readable format into an encoded format, using an algorithm (cipher). Encrypted data can be only read or processed after it’s been decrypted. Encryption is the basic building block of data security. It involves converting human-readable plaintext into incomprehensible text, which is known as ciphertext. Encryption involves using a cryptographic key, a set of mathematical values both the sender and recipient agree on. The recipient uses the key to decrypt the data, turning it back into readable plaintext.
ciphertext
Essentially, this means taking readable data and changing it so that it appears random.
Benefits of encryption:
Maintains data integrity, helps organizations adhere to regulations, protects data across devices, helps when moving data to cloud storage, secure offices, protects IP.
Information security objectives
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
- Integrity: Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity.
- Availability: Ensuring timely and reliable access to and use of information
- Auditability: Ensuring that evidence of all crucial transactions is stored reliably for auditing
purposes.
Elements of access control
- Identification: Unique way of identifying an entity
- Authentication: proof of entity
- Authorization: rights of person in role
- Nonrepudiation: receiver can’t deny receipt of message.
what are the several types of attacks
Interruption, interception, modification, and fabrication.
Cryptography components
- Basics: message m is a sequence of numbers (ASCII, a=1, b=2, c=3)
- Hash function: generate unique numbers
Hash(‘hello’) = mod(8 5 12 12 15, 127) = 100 - Symmetric key algorithms: parties have the same key
- Public key algorithms: parties have complementary key values. This are public key ciphers
(like RSA); digital signatures. - Procedures for key distribution and management
Key management
Refers to mechanisms to bind a key to a person. Key distribution is an issue, make sure only authorized people have a key.
RSA algorithm
Uses an RSA algorithm (Rivest-Shamir-Adleman). This algorithm will generate a public and private key that are mathematically linked. Public keys can be used to encrypt data and the private keys to decrypt it. Example: mailbox address is public key; the owner of the mailbox is the only one who has the private key. It is important to keep the private keys protected! Encryption is based on the numbers N and F so the public key is a pair (f, n). Their statements say, use these numbers to encrypt the lock and I will be a able to decipher.
