Domain 5: Explain elements of the risk management process Flashcards
Threat
A threat is someone or something that wants to inflict loss on a company by exploiting vulnerabilities. In the preceding example, it’s the person who takes the gold. In IT security, it could be a hacker that wants to steal a company’s data.
Risk
The risk is the probability that an event will occur that results in financial loss or loss of service. In the preceding example, the probability that the trash or gold would be taken. In IT security, it is the probability your system could be hacked or data stolen.
Vulnerability
This is a weakness that helps an attacker exploit a system. In the preceding example, it is the fact that outside your front door is not a secured area. In IT security, it could be a weakness in a software package or a misconfiguration of a firewall.
Ad hoc risk assessment:
Ad hoc assessments are sporadic and arise in response to specific events or perceived threats. This type of assessment is tailored to focus on the immediate dangers and is characterized by its flexibility and swift implementation.
Risk assessment
Risk assessment is a systematic and structured process where the organization identifies, analyzes, and evaluates risks associated with potential threats and vulnerabilities in order to make informed decisions and prioritize resource allocation effectively
Recurring Assessments
Recurring assessments are routine and scheduled to occur at predetermined intervals. This approach ensures that the organization’s security posture is regularly monitored, evolving threats are detected, and changes in the environment or operations are addressed. Regularly scheduled assessments enable organizations to stay vigilant and maintain an updated understanding of their risk profile, fostering a proactive security culture.
One-Time assessments
One-time assessments are conducted for specific scenarios or projects, often at the inception of a new venture, system implementation, or organizational change. This approach provides a detailed one-time view of the risks associated with a particular endeavor
Continuous risk assessment
Continuous risk assessment goes above and beyond the periodic nature of recurring assessments, characterized by real-time monitoring and the analysis of risks. This dynamic approach integrates risk assessment seamlessly into the organization’s daily operations, allowing for instantaneous detection and response to threats as they arise. Continuous assessment is vital in today’s fast-paced and dynamic threat landscape as it empowers organizations to stay a step ahead of potential security breaches
Risk analysis
Risk analysis is a pivotal process for identifying and managing potential risks that could impact an organization adversely.
Qualitative Analysis
Qualitative risk analysis uses subjective judgment to categorize risks as high, medium, or low, focusing on potential impact and likelihood of occurrence.
Quantitative risk analysis
Quantitative risk analysis, on the other hand, assigns numerical values to risks identified as high in qualitative analysis. It quantifies and creates a precise measurement of the probability and the impact of risks, helping to determine the potential cost and formulate data-driven mitigation strategies
Single Loss Expectancy (SLE):
SLE represents the monetary value of the loss of a single item. Losing a laptop worth $1,000 while traveling, for instance, implies an SLE of $1,000.
Annualized Rate of Occurrence (ARO)
ARO refers to the number of items lost annually. For example, if an IT team experiences the loss of six laptops in a year, the ARO is 6.
Annualized Loss Expectancy (ALE):
This is calculated by taking the SLE and multiplying it by the ARO and represents the total expected loss per year, providing a foundation for insurance and risk management decisions.
Probability
Probability is a fundamental concept in risk analysis that describes the chance of a specific event occurring. It is quantified as a number between 0 and 10; the closer the number is to 10, the higher the probability that the event will occur.
Likelihood
Likelihood is synonymous with probability in risk analysis, representing the possibility of a risk materializing. It is often expressed in qualitative terms, such as high, medium, or low, providing an intuitive grasp of the risk’s occurrence.
Exposure Factor (EF)
EF is a measure of the magnitude of loss or damage that can be expected if a risk event occurs. It is represented as a percentage, reflecting the portion of an asset’s value likely to be affected. By determining the EF, organizations can assess the extent of damage a specific risk can inflict and produce more accurate risk valuations.
Impact
Impact is the consequence or the effect that a risk event has on an organization or a specific asset
Effective impact
Impact x Probability x Exposure factor
Risk register
A risk register is a crucial document in risk management processes that provides a detailed log of risks identified during a risk assessment
Risk owners
A risk owner is an individual or team assigned the task of risk management.
Key risk indicator (KRI)
A KRI is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization’s risk appetite and have a profoundly negative impact on the organization’s ability to be successful.
Risk threshold
The risk threshold represents the level of risk that an organization is willing to accept or tolerate
Risk tolerance
Risk tolerance is the organization’s personalized threshold for embracing the unknown.
Expansionary risk appetite
Organizations with an expansionary risk appetite typically embrace higher levels of risk in an effort to foster innovation and gain a competitive edge. These organizations often prioritize growth and expansion and seek higher returns and market shares over stringent security protocols, potentially exposing them to a spectrum of threats
Conservative risk appetite
In contrast to those with expansionary appetites, organizations with a conservative risk appetite prioritize security and risk mitigation over aggressive growth strategies. They have a carefully planned security control approach to risk management and often reject opportunities that are deemed too risky.
Neutral risk appetite:
Organizations with a neutral risk appetite strike a balance between expansionary and conservative approaches. They assess each opportunity on a case-by-case basis, accepting only risks that are manageable and align with their strategic objectives
Risk transference
In this approach, significant risks are allocated to a third party, often through insurance or outsourcing your IT systems. For example, companies recognizing the potential damages from a road traffic accident will purchase car insurance to transfer the financial risk to the insurer. Similarly, businesses are increasingly adopting cybersecurity insurance to cover potential financial losses, legal fees, and investigation costs stemming from
Risk acceptance:
Risk acceptance is the acknowledgment of a specific risk and the deliberate decision not to act to mitigate against the risk as it is deemed too low.
Risk avoidance
When the identified risk is too substantial, a decision may be made to abstain from the risky activity altogether. A practical example is an individual deciding not to jump from a considerable height without safety measures, due to the extreme risk involved.
Risk Mitigation
Risk mitigation is a comprehensive strategy wherein identified risks are analyzed to determine their potential impacts, and suitable measures are employed to reduce the risk levels
Risk Reporting
Risk reporting is the process of systematically gathering, analyzing, and presenting information about risks within an organization.
Informed decision-making
Risk reports provide decision-makers with timely and relevant information about potential risks. Armed with this knowledge, they can make informed decisions that minimize negative impacts and maximize opportunities.
Stakeholder confidence
Effective risk reporting enhances stakeholder confidence. Investors, customers, and partners are more likely to trust organizations that transparently disclose their risk management strategies and outcomes.
Business Impact Analysis
BIA is carried out by an auditor with the objective of identifying a single point of failure. The auditor checks for any component whose failure would significantly impair or halt a company’s operations.
Recovery Point Objective (RPO):
the Recovery Point Objective (RPO) as closely as possible. The RPO is the amount of time a company can operate without its systems.
Recovery Time Objective
The RTO is the time when a business aims to restore its operations to an operational level after a disruption
Mean time to repair
MTTR signifies the average duration needed to restore a malfunctioned system to its optimal operating condition. For instance, if a vehicle experiences a breakdown at 2:00 P.M. and its repair is completed by 4:00 P.M., this yields an MTTR of two hours, denoting a relatively swift resolution.
Mean Time Between Failures (MTBF)
MTBF stands as a paramount metric in evaluating and enhancing the reliability of systems and components. It provides insights into the average time a system or component operates without failure. It acts as a critical indicator of the inherent reliability and endurance of equipment or systems, providing a foundational basis for predictive maintenance and system optimization.
RAID 0
• Description: Splits (stripes) data evenly across two or more disks without redundancy.
• Advantages:
• High read and write performance.
• Disadvantages:
• No fault tolerance. If one disk fails, all data is lost.
• Use Case: High-performance applications where data loss is not critical.
Evidence must be captured in following order
Evidence must be captured in the following order:
CPU cache: This fast but volatile memory is used by the CPU and can provide critical insights.
Random Access Memory (RAM): Volatile memory running applications holds valuable information.
Swap/page file/virtual memory: When RAM is exhausted, these areas of a hard drive are used in place of RAM, but they are much slower.
Hard drive: Data at rest is the least volatile and is captured after volatile memory. This is where data is saved to the hard drive.
Stages of the Cyber Kill Chain
Reconnaissance
Calling employees, sending emails, social engineering, dumpster diving
Weaponization
Create malware payload
Delivery
Delivery medium, such as USB, email, web page
Exploitation
Executing code via a vulnerability
Installation
Installing malware on the asset
Command and Control
Infected system sends back information to the attacker
Action on Objectives
Hands-on keyboard—attack complete
Diamond Model
Adversary: This is the threat actor group. The MITRE ATT&CK framework can be used to identify who they are and what attacks they use.
Capabilities: This refers to the exploit an adversary develops to carry out their attack. These are also laid out in the MITRE ATT&CK model.
Infrastructure: This is the path or means by which the attacker can get to the victim. This could be via USB, email, IP address, or remote access.
Victim: This is the person targeted by the adversary.
Effective Impact
Effective impact = Impact x Probability x Exposure factor