Information Security Risk Management Flashcards
a combination of public and private clouds
Hybrid cloud
a cloud service reserved for only one customer or company
Private cloud
IaaS
(Infrastructure-as-a-Service)
PaaS
(Platform-as-a-Service)
SaaS
(Software-as-a-Service)
a cloud-based system managed by a cloud provider and shared among multiple customers, like
Public cloud
It simply means that the application is running in a shared environment. Businesses must make sure that there is adequate isolation between different processes in shared environments.
Cloud Security
The sender must not be able to deny sending the data or communication.
(non-repudiation)
The recipient should be able to ______ the sender,
authenticate
Its _______ must be maintained in transit (meaning the data isn’t altered)
integrity
Information must be kept __________
confidential
are commonly used in cryptography to validate the authenticity of data.
Digital Signatures
Encrypting data in transit and data at rest helps ensure data confidentiality and integrity.
Encryption
Validates that a user has permission to access the application by comparing the user’s identity with a list of authorized users
Authorization
Software developers build procedures into an application to ensure that only authorized users gain access to it. This procedure ensures that a user is who they say they are.
Authentication
Involves using a mathematical algorithm called a hash function to convert input data into a fixed-size string of characters, known as a hash value or hash code.
Hash Function
One key is used only to encrypt the data (the public key) and another key is used to decrypt it (the private key).
Asymmetric Cryptography
The same key used to encrypt the data is used to decrypt the data. This makes sharing the key difficult, as anyone who intercepts the message and sees the key can then decrypt your data.
Symmetric Cryptography
Resource owners can manage access using discretionary access control (DAC).
Discretionary Access Control (DAC):
Authorization based on preestablished rules is known as rule-based authorization.
Rule-Based Authorization:
ABAC bases access decisions on attributes of the user, the resource, and the context. It makes use of rules that specify the conditions these attributes must satisfy.
ABAC (Attribute-Based Authorization):
Role-Based Authorization (RBAC): RBAC grants access permissions based on the roles allocated to users.
Authorization
This authorization technique verifies the user using the authorization server's authentication. It is an interoperable authentication protocol based on the OAuth 2.0 framework of specifications.
OpenID Authorization
This authorization technique enables an API to authenticate and provide access (access token) to the user for the requested resource or action.
OAuth
Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IdP) and a web application.
SAML
This authorization technique is a Single Sign-On format, also called SSO, in which the authentication information is transferred through digitally signed XML documents.
SAML (Security Assertion Markup Language):
Validates that a user has permission to access the application by comparing the user's identity with a list of authorized users
AUTHORIZATION
The best authentication method should not compromise a user's ______
PRIVACY
If your authentication process asks the user to follow too many instructions, takes too long, or needs repeated attempts before it succeeds, there's a risk of drop-offs and lost business. This impacts any organization, whether it's a retailer dealing with abandoned baskets or citizens failing to return to online government services.
COMPLETION RATES
It's possible to make things too easy
REASSURANCE
Customers value convenience, and some authentication methods are better than others in this regard
CONVENIENCE
If authentication is overly complex, people find workarounds. Consider who your service is aimed at, but remember to be inclusive: most online services need to offer maximum inclusivity, so simplicity and effortlessness are always the aim.
USABILITY
If the risk profile of the transaction is high, you'll need a more secure method of authentication
SECURITY
Where you are
LOCATION FACTOR
What you are
INHERENCE FACTOR
What you have
POSSESSION FACTOR
What you know
KNOWLEDGE FACTOR
The combination of the following factors
Multi-Factor Authentication (MFA)
Security system that requires a combination of distinct forms of identification in order to access something or confirm an identity
Dual-Factor Authentication (2FA)
A process for securing access to a given system such as a network or a website, that identifies the party requesting access through only one category of credentials
Single-Factor Authentication (SFA)
The individuality of authentication. When you claim to be someone, you need to provide further information to prove that you are who you say you are.
FACTOR
Where you are
USER'S LOCATION
Something that you are - Biometrics such as fingerprints
USER'S CHARACTERISTICS
Something that you have - Tangible assets (smartphones, laptops, wearable devices), OTP
USER'S POSSESSIONS
Something that you know, relying on memory - Passwords, passcodes, PINs
USER'S KNOWLEDGE
Software developers build procedures into an application to ensure that only authorized users gain access to it
AUTHENTICATION
Commonly used when logging into an account or authorizing a financial transaction remotely
AUTHENTICATION
Needed to securely identify online users
AUTHENTICATION
These vulnerabilities may be found in the authentication and authorization of users, the integrity of code and configurations, and the maturity of policies and procedures.
APPLICATION SECURITY
Covers software vulnerabilities in web and mobile applications and application programming interfaces (APIs)
APPLICATION SECURITY
Risk management reporting ensures that those responsible for governance, oversight, and compliance are well-informed and can make decisions that align with the organization's security objectives
MONITORING & REPORTING
Another critical aspect is the reporting process, which includes creating detailed reports, presentations, or dashboards that convey complex information in a format understandable to non-technical stakeholders
MONITORING & REPORTING
Must monitor risk and update treatment plans regularly because new assets, vulnerabilities, threats, and controls are constantly emerging
MONITORING & REPORTING
A continuous process
MONITORING & REPORTING
Discontinuing the use of a software application
AVOIDANCE
Eliminating risk by changing processes, technologies, or practices
AVOIDANCE
For risks that are too costly or difficult to mitigate
ACCEPTANCE
A strategy appropriate for risks that are low in likelihood or impact
ACCEPTANCE
Making a conscious decision to accept the risk
ACCEPTANCE
Transferring the risk to another party
TRANSFERENCE
Lessen the risk by implementing a business continuity plan or educating employees on cybersecurity best practices
MITIGATION
Reducing the likelihood or impact of a risk
MITIGATION
Patching a software vulnerability or implementing a new security control
REMEDIATION
Eliminating the underlying vulnerability that is creating the risk
REMEDIATION
There is involvement
Risk
The likelihood of a hazard causing harm
Risk
something that has the potential to harm
HAZARD
No contact or involvement
HAZARD
Risk scoring is not a precise science
PRIORITIZING RISK
RISK = LIKELIHOOD x IMPACT
PRIORITIZING RISK
Not all risks are equal
PRIORITIZING RISK
Impact is the severity of the consequences if it does occur
RISK ASSESSMENT
Likelihood is the probability that the danger occurs
RISK ASSESSMENT
Can be preventive like firewalls, or detective like security monitoring and log reviews
CONTROL
Measures that organizations implement to mitigate risk
CONTROL
Bugs are unintentional flaws found in code, while malware is intentionally designed to harm the system
VULNERABILITY
Can be technical (software bugs, security configuration flaws) or procedural (no strong password policy, lack of training)
VULNERABILITY
Are weaknesses
VULNERABILITY
Can be internal (malicious insiders) or external (hackers, cyber criminals, natural disasters)
THREATS
Actors or events that could exploit vulnerabilities and harm assets
THREATS
Digital assets like data, software and intellectual property
ASSETS
Physical equipment like servers, laptops, and mobile devices
ASSETS
The end goal of this process is to treat risk in accordance with an organization's overall risk tolerance
Information Security Risk Management
Phases: identifying, assessing, and treating risks
Information Security Risk Management
Process of managing risks associated with the use of Information Technology
Information Security Risk Management