Cybersecurity Risks and Controls Flashcards
What are the phases of an attack?
Before, During, After
What is the risk equation for managed assets?
Risk = { Threats * Vulnerabilities * Asset Value } / Strong Controls
What is the risk equation for unmanaged assets?
Risk = { Threats * Vulnerabilities * Asset Value } / Weak Controls
What are the Business Controls that NIST references?
ISO 27002 Code of Practice
What are the Technical Controls that NIST references?
CIS 20 Critical Controls
What is Critical Infrastructure?
Assets, systems and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on national security, economic security, national public health or safety, or any combination thereof.
What does EO stand for?
Executive Order
Who issued EO 13800?
President Trump (signed 11 May 2017)
What is EO 13800?
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
What is the purpose of EO 13800?
To improve the nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats to its digital and physical security.
What are the deliverables for EO 13800?
- Cybersecurity
- Workforce development
What does NIAC stand for?
National Infrastructure Advisory Council
What were the NIAC Report recommendations?
- Establish separate, secure communication networks for critical cyber control system traffic and reserved spectrum for backup communications.
- Facilitate cyber threat sharing.
- Identify the best scanning tools and assessment practices.
- Strengthen the capabilities of today’s cyber workforce.
- Establish outcome-based market incentives to encourage owners to upgrade cyber infrastructure.
- Streamline security clearance process for owners of the nation’s most critical cyber assets.
- Establish protocols to rapidly declassify cyber threat information.
- Pilot an operational task force of experts to respond to cyber threats.
- Perform the GridEx IV exercise to test Federal authorities during a cyber incident.
- Establish a governance approach.
What are the steps to mitigate risks?
- Strategy - aligned with the business strategy
- Program - establishes the target profile
- Controls - assessed to establish the current profile
- Assessment - gap analysis compares the current and target profiles
- Report - detailed scorecard that identifies current capabilities and an improvement plan for cyber maturity
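Worked example of the Program, Controls, Assessment and Report steps above (added here; not from the flashcard source). It assumes a hypothetical profile format keyed by NIST CSF subcategory identifier such as "PR.AC-1", a constructed 0-4 maturity scale per subcategory, and constructed sample scores; none of those come from the cards. The target profile is what the Program step decides, the current profile is what the Controls step measures, gap_analysis is the Assessment step, and scorecard plus improvement_plan are the Report step. A subcategory that was never assessed is treated as a gap, not a pass.

```python
"""Gap analysis between a current and a target cybersecurity profile.

Hypothetical example: profiles map a NIST CSF subcategory identifier
(e.g. "PR.AC-1") to an assumed 0-4 maturity score (0 = not implemented,
4 = adaptive). The scale and the sample scores are constructed for
illustration, not taken from the flashcards.
"""
from dataclasses import dataclass

# Constructed target profile: the maturity the Program step decides is needed.
TARGET_PROFILE = {
    "ID.AM-1": 3,  # physical devices inventoried
    "ID.AM-2": 3,  # software platforms inventoried
    "PR.AC-1": 4,  # identities and credentials managed
    "PR.AC-4": 3,  # least privilege and separation of duties
    "PR.DS-1": 3,  # data at rest protected
    "DE.CM-1": 3,  # network monitored for anomalies
    "DE.CM-4": 3,  # malicious code detected
    "RS.RP-1": 2,  # response plan executed during/after an incident
    "RC.RP-1": 2,  # recovery plan executed
}

# Constructed current profile: what the Controls step actually measured.
CURRENT_PROFILE = {
    "ID.AM-1": 2,
    "ID.AM-2": 1,
    "PR.AC-1": 2,
    "PR.AC-4": 1,
    "PR.DS-1": 3,
    "DE.CM-1": 1,
    "DE.CM-4": 3,
    "RS.RP-1": 1,
    # "RC.RP-1" deliberately absent: it was never assessed.
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str  # CSF function prefix: ID, PR, DE, RS or RC
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def gap_analysis(current, target):
    """Assessment step: one Gap per target subcategory where current < target.

    A subcategory missing from the current profile scores 0: an unassessed
    control is a gap, not a pass. Largest gaps come first; ties are broken
    by identifier so the ordering is deterministic.
    """
    gaps = []
    for sub_id, want in target.items():
        have = current.get(sub_id, 0)
        if have < want:
            gaps.append(Gap(sub_id, sub_id.split(".")[0], have, want))
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))


def scorecard(current, target):
    """Report step: per-function attained maturity as a fraction of target.

    Over-achievement on one subcategory is capped at its target so it cannot
    mask a shortfall on another subcategory in the same function.
    """
    totals = {}
    for sub_id, want in target.items():
        fn = sub_id.split(".")[0]
        have = min(current.get(sub_id, 0), want)
        t = totals.setdefault(fn, [0, 0])
        t[0] += have
        t[1] += want
    return {fn: round(have / want, 2) for fn, (have, want) in totals.items()}


def improvement_plan(current, target, capacity):
    """Report step: the first `capacity` items to fix, largest gaps first."""
    return [(g.subcategory, g.current, g.target)
            for g in gap_analysis(current, target)[:capacity]]


if __name__ == "__main__":
    for fn, score in scorecard(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{fn}: {score:.0%} of target maturity")
    for sub_id, have, want in improvement_plan(CURRENT_PROFILE, TARGET_PROFILE, 3):
        print(f"raise {sub_id} from {have} to {want}")
```

With the constructed profiles the Recover function scores 0% because RC.RP-1 was never assessed, which is exactly the kind of blind spot a gap analysis should surface rather than silently skip.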
What are the NIST CFW Strategic Goals?
- Protect Information and Systems
- Reduce Cyber Risk
- Best-in-Class Cybersecurity Capabilities
- Enterprise Approach to Cybersecurity
- A Cyber-Secure Enterprise
What are the Objectives of NIST CFW Goal #1 ?
Objective 1.1 Safeguard Confidential Information from Compromise
Objective 1.2 Protect the Integrity of Information
Objective 1.3 Ensure the Availability of Critical Information Systems
Objective 1.4 Provide Cyber-Resilient Information Systems
Objective 1.5 Maintain a Secure Technology Infrastructure
What are the Objectives of NIST CFW Goal #2 ?
Objective 2.1 Drive Cybersecurity Priorities and Initiatives Based on Effective Risk Management
Objective 2.2 Create and Nurture a Culture of Cyber-Risk Awareness
Objective 2.3 Establish Risk Ownership and Effectively Communicate Risk
What are the Objectives of NIST CFW Goal #3 ?
Objective 3.1 Align Information and Cybersecurity Efforts with Business Needs
Objective 3.2 Deliver Technology Solutions that are Secure
Objective 3.3 Enhance the Ability to Detect Cyber-Attacks
Objective 3.4 Respond Rapidly and Effectively to Security Incidents
Objective 3.5 Build and Maintain a Robust Cyber-Defence Capability
Objective 3.6 Develop and Sustain a Capable and Competent Cybersecurity Workforce
What are the Objectives of NIST CFW Goal #4 ?
Objective 4.1 Establish an Enterprise Information and Cybersecurity Program
Objective 4.2 Embrace a Common Cybersecurity Framework
Objective 4.3 Enact Effective Enterprise-Wide Security Policies
Objective 4.4 Improve Cybersecurity through the Enterprise Technology Transformation
What are the Objectives of NIST CFW Goal #5 ?
Objective 5.1 Improve Cybersecurity through Leadership, Partnerships and National Participation
What is Strategic Goal #1 ?
Protect Information and Systems
What is Strategic Goal #2 ?
Reduce Cyber Risk
What is Strategic Goal #3 ?
Best-in-Class Cybersecurity Capabilities
What is Strategic Goal #4 ?
Enterprise Approach to Cybersecurity