Dealing with Risk Flashcards
Control types
Technical security controls
Management security controls
Operational security controls
False Positives
A report that isn't true: a false alarm or mistaken identity
False Negatives
A report that missed something real: no notification
Malicious traffic got through your defenses
Security policies
A set of policies that covers many areas of security
Human resource policies
Business policies
Certificate policies
Incident-response policies
Risk Calculation
Annualized Rate of Occurrence (ARO)
SLE (Single Loss Expectancy)
ALE (Annual Loss Expectancy) = ARO x SLE
Quantitative Risk Assessment
Assign a dollar value to risk
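The ALE = ARO x SLE card and the quantitative assessment card above are easiest to see on a small register. The block below is an added example, not part of the flashcards: it converts an expected interval between events into an ARO, applies the card's formula to several constructed risks, and ranks them by annual loss. The function names and the dollar figures are assumptions chosen for illustration.

```python
# Added example (not from the flashcards): a small quantitative risk register
# that applies ALE = ARO x SLE to several constructed risks and ranks them.
# Dollar figures and event intervals below are made-up sample data.

def aro_from_interval(years_between_events):
    """Annualized Rate of Occurrence from an expected interval.

    An event expected once every 10 years has ARO = 0.1; one expected
    four times a year has an interval of 0.25 years and ARO = 4.
    """
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(aro, sle):
    """ALE = ARO x SLE, as stated on the card."""
    return aro * sle


# Constructed sample register: (risk name, years between events, SLE in dollars).
SAMPLE_REGISTER = [
    ("Ransomware on file server", 5, 250_000),
    ("Laptop theft", 0.5, 4_000),
    ("Data center flood", 50, 2_000_000),
    ("Phishing credential compromise", 1, 30_000),
]


def rank_risks(register):
    """Return (name, ARO, ALE) tuples sorted by ALE, highest first."""
    rows = []
    for name, interval_years, sle in register:
        aro = aro_from_interval(interval_years)
        rows.append((name, aro, annual_loss_expectancy(aro, sle)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, aro, ale in rank_risks(SAMPLE_REGISTER):
        print(f"{name:32s} ARO={aro:5.2f} ALE=${ale:,.0f}")
```

Note how the ranking differs from a ranking by SLE alone: the flood has by far the largest single loss, but its low ARO puts it behind ransomware once the loss is annualized, which is the point of using ALE rather than SLE when assigning a dollar value to risk.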
Qualitative Risk Assessment
Identify significant risk factors
Ask opinions about the significance
Threat Assessment
Where are we vulnerable to threats?
OS, applications, 3rd-party connections, Internet
Vulnerability Assessment
Actively scan a network in search of vulnerabilities
Vulnerabilities
A flaw or weakness
Threat Vectors
The path that the threat takes to the target
Target: Your computer, mobile device, gaming system
Email: Embedded links, attached files
Web browser: Fake site, session hijack
Threat Probability
Identify actual and potential threats
Deflecting Risk
Risk-avoidance
Stop participating in high-risk activity
Risk transference
Buy some insurance
Mean time to restore (MTTR)
Also called mean time to repair: the average time to get a failed system working again
Mean time to failure (MTTF)
The expected lifetime of a product or system