Information Risks Flashcards
A Threat
A threat is something that could damage, disrupt or compromise any of your assets, tangible or intangible, data being an obvious target. If the threat is realised, it will cause a level of harm.
Threats come in 3 main categories: Accidental, Deliberate and Natural (further broken down into external and internal).
- Accidental, internal threat: user spilling tea on laptop
- Deliberate, internal threat: disgruntled employee turning off power
- Natural, external threat: flood, earthquake, natural disaster
- Deliberate, external threat: hacker gaining unauthorised access to IT system from the Internet
Threat Management
- Threats can always exist regardless of measures taken
- Threat management is important to deal with types of threats and their sources
- Threat management should cover various areas to minimize threats
- Threat intelligence is about taking in vast amounts of raw information from various sources to see if there is a new or emerging threat
- Threat intelligence is complex and looks at the threat actors, their motivation and intent to establish where to focus cyber defence efforts
- Certain areas of business are more prone to threats and should be considered.
Challenges and Threats of the Internet of Things (IoT)
- The Internet of Things (IoT) refers to the connection of billions of devices to the internet, including cars, building management systems, wearable fitness technologies, medical devices, and domestic devices.
- IoT devices present security problems, such as little configuration and no built-in security, generating vast quantities of data, and no upgrade paths.
- Many IoT devices lack security and have hard-coded credentials, making them vulnerable to new threats such as someone taking over your car or controlling your cooker.
- IoT is mainly a consumer problem, but it has entered the workplace, and external protective measures should be applied to ensure security if the device cannot be secured.
The potential risks of social media use in the workplace
- Social media is a powerful marketing and communication tool for businesses.
- However, social media also presents risks, especially in terms of control of the message being conveyed and the potential for inadvertently revealing sensitive information.
- Open-Source Intelligence Gathering (OSINT) can be used for reconnaissance purposes, which can be both good and bad.
- LinkedIn is a specific area of concern because it is a recruiter’s paradise and contains personal and professional information that can be exploited by malicious actors using social engineering tactics.
- Workplace social media use should be controlled to manage official output regarding the business.
- Staff security awareness training should include social media guidelines to prevent company information from being propagated through personal social media accounts and to make staff aware of the risks of social engineering attacks.
Vulnerabilities
- A vulnerability is an identified weakness in a system, process, or person
- People inside an organization can be the biggest threat, intentionally or unintentionally
- Vulnerabilities can be classified into three groups: technical, physical, and administrative/procedural
- Identified vulnerabilities can be varied, including unpatched systems, lack of background checks on employees, and no anti-virus software
- The vulnerability landscape changes constantly; remediation is needed once a vulnerability is identified, but new vulnerabilities will arise quickly.
Asset Management
- Assets can be people, facilities, information/data, or reputation and are of value to the organization.
- If assets suffer damage or loss, it could affect the future viability of the business.
- Assets need to be identified, classified based on their value and sensitivity, and categorized based on their impact if any element of confidentiality, integrity, or availability (CIA) is lost.
- Loss of confidentiality has a high impact, while the unavailability of an information webpage has low impact.
Impact
- Information Risk is the likelihood of the threat actor launching the threat that exploits the vulnerability, resulting in an adverse impact to the business.
- A vulnerability being exploited leads to an impact that can range from minimal to catastrophic, affecting an individual or the entire organization.
- Impact can be tangible (monetary loss) or intangible (reputational damage).
- It is important to consider the impact of a vulnerability being exploited when assessing risk.
Likelihood and Probability
- Likelihood/probability measures how often something adverse may occur
- Historical data is used to produce reliability figures for equipment and systems
- The more often it occurs, the greater the effect on the business
- Likelihood calculations may drive business decisions
- The frequency of occurrence may vary seasonally due to weather conditions
- Some events, such as instances of Internet fraud, occur more often during times of high activity
- War and civil unrest would also affect likelihood
Risk Assessment and Business Impact Analysis
- Business impact analysis (BIA) is conducted when considering business continuity activities and is usually an initial part of the risk assessment process.
- Asset identification is crucial in the risk assessment process.
- Assets can be tangible or intangible, and reputation is also an asset.
- BIA helps in identifying critical assets and quantifying risks associated with them.
- The losses associated with each asset can be assigned impact levels and monetary figures.
- Risks are associated with assets, and BIA can assist in identifying appropriate protective measures.
- BIA helps in identifying the most critical parts of the business.
- Critical assets need protective measures to prevent disruption and failure.
- The BIA should assess the losses that would occur in the event of failure of an asset.
Risk Management Processes
- The risk management process is composed of four stages: Identification, Analysis, Treatment, and Monitoring.
- The basic risk treatment options are Accept, Mitigate, Transfer, and Avoid.
- The choice of treatment option depends on various factors.
- The implementation of controls is crucial for the success of the chosen treatment.
- There are several standards available to assist with risk management, such as ISO 27005:2018, ISO 31000 series, and NIST SP800-30.
- The risk management process is iterative and requires continuous monitoring to ensure its effectiveness.
Risk Management Terminology
The context of risk assessment is driven by the business’s view on risk.
Key business risk terminologies include: Risk Capacity, Risk Appetite, Risk Acceptance, Risk Tolerance
Risk Capacity
Risk capacity refers to the maximum amount of risk a business can sustain without being adversely impacted in its viability.
Risk Appetite
Risk appetite refers to the amount of risk that a business is willing to take in order to achieve its goals and objectives. This level of risk is typically lower than the business’s risk capacity, since risk capacity represents the maximum level of risk the business is able to tolerate without compromising its viability.
Risk Acceptance
Risk acceptance refers to the minimum level of risk that a business is willing to tolerate on a daily basis after implementing risk treatments. Controls are applied to reduce risk to an economically feasible level, and the business accepts what remains.