Lesson 19 + 20 Summarizing Risk Management Concepts Flashcards
Risk management
Risk management is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers.
Likelihood of occurrence
Likelihood of occurrence is the probability of the threat being realized.
Impact
Impact is the severity of the risk if realized as a security incident.
Factors include the value of the asset and the cost of disruption if the asset is compromised.
External threat actors
External threat
Natural disasters, such as the COVID-19 pandemic, illustrate the need to have IT systems and workflows that are resilient to widespread dislocation.
The most critical type of impact is one that could lead to loss of life or critical injury.
Internal risks
Internal risks come from assets and workflows that are owned and managed by your organization.
Multiparty risk
Multiparty risk is where an undesirable event impacts multiple organizations.
Multiparty risk usually arises from supplier relationships. If a critical event disrupts a supplier or customer, then your own organization will suffer.
IP Theft: Intellectual property (IP)
IP Theft:
Intellectual property (IP) is data of commercial value that is owned by the organization.
This can mean copyrighted material for retail (software, written work, video, and music) as well as product designs and patents. If IP data is exfiltrated, it will lose much of its commercial value.
Quantitative risk assessment
Quantitative risk assessment aims to assign concrete values to each risk factor.
Single Loss Expectancy (SLE)
Single Loss Expectancy (SLE)
Amount that would be lost in a single occurrence of the risk factor.
Exposure Factor (EF) is the percentage of the asset value that would be lost.
Annualized Loss Expectancy (ALE)
Annualized Loss Expectancy (ALE)
Amount that would be lost over the course of a year.
Annualized Rate of Occurrence (ARO)
The probability that a risk will occur in a particular year.
Qualitative risk assessment
Qualitative risk assessment is the process of identifying significant risk factors.
Inherent risk
Inherent risk is the level of risk before any type of mitigation has been attempted.
Risk posture
Risk posture shows which risk response options can be identified and prioritized.
Risk mitigation
Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors.
Risk deterrence (or reduction)
Risk deterrence (or reduction):
Deploying a countermeasure that reduces exposure to a threat or vulnerability.
Risk Avoidance and Risk Transference
Avoidance means that you stop doing the activity that is risk-bearing.
Transference (or sharing) means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities.
Risk Acceptance and Risk Appetite
Risk acceptance (or tolerance) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed.
Residual risk
Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.
Control risk
Control risk is a measure of how much less effective a security control has become over time.
Risk register
A risk register is a document showing the results of risk assessments in a clear format.
Business impact analysis (BIA)
Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios.
Business continuity planning (BCP)
Business continuity planning (BCP) identifies controls and processes that enable an organization to maintain critical workflows in the face of some adverse event.
Continuity of operations planning (COOP)
Continuity of operations planning (COOP) refers to the same sorts of activities when undertaken by a government agency, rather than a business.
Mission essential function (MEF)
A mission essential function (MEF) is one that cannot be put off.
This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.
Maximum tolerable downtime (MTD)
Maximum tolerable downtime (MTD)
The longest period of time that a business function outage may last without causing irrecoverable business failure.
Recovery time objective (RTO)
Recovery time objective (RTO)
The period following a disaster that an individual IT system may remain offline.
Work Recovery Time (WRT)
Work Recovery Time (WRT)
Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.
Recovery Point Objective (RPO)
Recovery Point Objective (RPO)
Amount of data loss that a system can sustain. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected.
Identification of Critical Systems
Identification of Critical Systems
- People (employees, visitors, and suppliers).
- Tangible assets (buildings, furniture, equipment and machinery, ICT (information communication technology) equipment, electronic data files, and paper documents).
- Intangible assets (ideas, commercial reputation, brand, etc.).
- Procedures (supply chains, critical procedures, SOP).
Business process analysis (BPA)
Business process analysis (BPA) identifies the following factors:
- Inputs—the sources of information for performing the function (including the impact if these are delayed or out of sequence).
- Hardware—the particular server or data center that performs the processing.
- Staff and other resources supporting the function.
- Outputs—the data or resources produced by the function.
- Process flow—a step-by-step description of how the function is performed.
MTTF
MTTF (mean time to failure) should be used for non-repairable assets.
A hard drive may be described with an MTTF (its life span), while a server (which could be repaired by replacing the hard drive) would be described with an MTBF (mean time between failures).
Mean time to repair (MTTR)
Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation.
Internal disaster
An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor, that is, anyone or anything whose presence within the company or organization has been authorized.
External disaster
External disaster events are caused by threat actors who have no privileged access.
External disasters also include events that affect the organization through wider environmental or social impacts, such as disruption of public services or impacts to the supply chain.
person-made disaster
A person-made disaster event is one where human agency is the primary cause.
Typical examples other than devastating cybersecurity incidents include terrorism, war, vandalism, pollution, and arson.
There can also be accidental person-made disasters, such as cutting through power or telecoms cabling.
Disaster recovery plans (DRPs)
Disaster recovery plans (DRPs)
Specific procedures to follow to recover a system or site to a working state following a disaster-level event.
The nines (availability percentages)
Availability to downtime (per year):
- 99.9999% - about 30 seconds downtime
- 99.999% - about 5 min downtime
- 99.99% - about 50 min downtime
- 99.9% - about 9 hours downtime
- 99% - about 87 hours downtime
Scalability
Scalability is the capacity to increase resources to meet demand within similar cost ratios.
There are two types of scalability:
- To scale out is to add more resources in parallel with existing resources.
- To scale up is to increase the power of existing resources.
Elasticity
Elasticity refers to the system's ability to handle changes in demand in real time.
A system with high elasticity will not experience loss of service or performance if demand suddenly increases rapidly.
Power distribution unit (PDU)
Power distribution unit (PDU):
These come with circuitry to "clean" the power signal, provide protection against spikes, surges, and brownouts, and can integrate with uninterruptible power supplies (UPSs).
Managed PDUs support remote power monitoring functions.
Uninterruptible power supply (UPS)
An uninterruptible power supply (UPS) will provide a temporary power source in the event of a blackout.
RAID (Redundant Array of Independent Disks)
- RAID 0 – striping
- RAID 1 – mirroring
- RAID 5 – striping with parity
- RAID 6 – striping with double parity
- RAID 10 – combining mirroring and striping
Disk Redundancy
Multipath
Multipath is focused on the bus between the server and the storage devices or RAID array.
A storage system is accessed via some type of controller; multipath provides redundant paths so that the failure of one controller or cable does not cut off access to the storage.
Geographical dispersal
Geographical dispersal refers to replicating data to hot and warm sites that are physically distant from one another.
This means that data is protected against a natural disaster wiping out storage at one of the sites. This is also described as a geo-redundant solution.
Asynchronous and Synchronous Replication
Synchronous replication is designed to write data to all replicas simultaneously.
Asynchronous replication writes data to the primary storage first, then copies data to the replicas at scheduled intervals.
On-Premises versus Cloud
The cost of building this redundancy on-premises is one of the big drivers of cloud services, where local and geographic redundancy are built into the system, provided you trust the CSP to operate the cloud effectively.
Differential backup
Differential backup – taken relative to the last FULL backup; includes all files changed since the last full backup -> only the last full backup plus the latest differential are needed for a restore.
Because restoration needs only two tape sets, it is faster to restore than an incremental backup.
Incremental backup
Incremental backup – taken relative to the last backup (of any type); includes only the files changed during the day -> the last full backup and all subsequent incremental backups are needed to restore.
This type of backup saves backup time but is more time consuming when restoration is needed.
Nonpersistence
Nonpersistence means that any given instance is completely static in terms of processing function.
Mechanisms for ensuring nonpersistence:
- Snapshot/revert to known state—this is a saved system state that can be reapplied to the instance.
- Rollback to known configuration—a physical instance might not support snapshots but has an “internal” mechanism for restoring the baseline system configuration, such as Windows System Restore.
- Live boot media—another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk.
Change control process
Change control process
Used to request and approve changes in a planned and controlled way.
Change Management
Change Management
Implementation of changes should be carefully planned, with consideration for how the change will affect dependent components.
Layered security
Layered security is typically seen as improving cybersecurity resiliency because it provides defense in depth.
The idea is that to fully compromise a system, the attacker must get past multiple security controls, providing control diversity.
Active defense
Active defense means an engagement with the enemy, for example deploying decoy assets to act as bait or lures.
Honeypot/honeynet/honeyfile
A honeypot is a computer system set up to attract threat actors.
A honeynet is an entire decoy network.
A honeyfile is a fake data file used as a decoy.