IC33M Flashcards
What are the benefits of CSET?
Repeatable and systematic approach to assess an org's cybersecurity posture.
Evaluate and Compare to standards/regulations
Facilitates input and discussion from SMEs
Identifies potential vulnerabilities.
Offers guidelines for IACS cyber solutions and mitigations
REFIG
What is the process for a GAP Assessment?
- Identify benchmark standards
- Gather info by site visits, interviews and documentation
- Compare performance with benchmark standards
- Document and report results
What are the types of Likelihood?
Frequency:
Target Attractiveness, Attack Surface
Probability:
Capability of threat actor,
Motivation/intent,
Known Vulnerabilities
What is the process for the Scope?
- Identify Requirements
- Specify Devices
- Select Collection Method
- Document
ISSD
What does the Scope identify?
- Assumptions
- Boundaries
- Constraints
- Deliverables
ABCD
What are some Active Assessment tools?
Nmap (network) or Nessus, Nexpose and Retina (vulnerability)
What is the CRRF?
The measure of the degree of risk reduction required to reach tolerable risk
What are the different Vulnerability Classes?
PPASCC
Physical
Policy and Procedure
Architecture and Design
Software
Config and Management
Comms and Network
What are the steps to a Vulnerability Assessment?
Pre-assessment > Kick-off Meeting > Walkthrough
Passive Data collection
Active network and vulnerability scanning
Analysis
Reporting
What are the elements of a good Project Plan?
Goal
Clearly defined scope
Budget and Resources
Stakeholders
How do you conduct a Detailed Risk Assessment?
- Identify Threats
- Identify Vulnerabilities
- Determine Consequence and Impact
- Determine the Likelihood
- Calculate Unmitigated Cyber Risk
- Determine SL-T
- Does the Unmitigated Cyber Risk exceed the Tolerable Risk?
- Consider Existing Countermeasures
- Re-evaluate the Likelihood and Impact
- Calculate Residual Risk
- All Risk Mitigated or below Tolerable Risk?
- Apply Additional Countermeasures
- Document Results
What is the purpose of a CVA?
Defines, Identifies and Classifies vulnerabilities in an ICS
Evaluates the IACS Design, Config, Mgmt., Implementation and Operation
Evaluates Security Countermeasures
Identifies Security Deficiencies
Critical Step in Evaluating Cyber Risk
DESSC
What are the steps in the Assess phase (3-2)?
- High-level Cyber Risk Assessment
- Allocate IACS Assets to Security zones and Conduits
- Detailed Cyber Risk Assessment
What are the steps in the Develop and Implement phase (3-2/3)?
- Cyber Requirement Specification
- Design and Engineering of Cybersecurity Countermeasures
- Install, Commissioning and Validation of Cyber Countermeasures
What are the steps in the Maintain phase (2-1)?
- Cybersecurity Maintenance, Monitoring and Change Management
- Cyber Incident Response and Recovery
What does the CRS Include?
SuC Description
Zone and Conduit Drawings /Characteristics
SL-Ts
Operating Environment Assumptions
Threat Environments
Tolerable Risk
Security Policies and Regulations
Requirements: Access control, Physical Security, Detection and Monitoring, Response Time, OS Hardening, Device Hardening
Why is the CRS created?
To document mandatory Security Countermeasures of the SuC based on the Detailed Risk Assessment as well as Security Requirements based on Policies, Standards and Regulations
What is Residual Risk?
Risk that remains after existing countermeasures are implemented
How do you Calculate the CRRF?
Unmitigated Risk / Tolerable Risk
What is a Cyber Criticality Assessment?
Measure of negative Impact should the AIC of information be affected
What is the Security Lifecycle?
Assess, Develop and Implement, Maintain
A continuous process to minimize risks
What are the Limitations of CSET?
Component focus rather than System focus
Will not provide a detailed analysis or review
Not a risk analysis tool
Reports need to be treated securely
How is Unmitigated Cyber Risk Calculated?
Risk Matrix that establishes a relationship between Likelihood and Impact
What documents should be Maintained?
Gap Assessment Report
Vulnerability Assessment Report
Risk Assessment Report
Zone and Conduit Diagrams
CRS
What is in a Vulnerability Assessment Report?
Scope
“As found” System Architecture
Assessment Details
Prioritised summary of findings
Detailed findings
What is in a Cyber Risk Assessment Report?
Risk Profile
Scope
Assessment details
Detailed findings
Prioritised Recommendations