OSG Chapter 2 Flashcards
What is UBA and UEBA?
User Behaviour Analytics
User & Entity Behaviour Analytics
What is a VMS?
Vendor Management System
A software solution that assists with the management and procurement of staffing services, hardware, software and other products/services.
Risk=
Risk = Threat x Vulnerability
Risk = Probability of harm x Severity of harm
What is the Delphi Technique in risk assessment?
It’s a qualitative risk assessment approach.
People are in a room and provide responses/ideas/suggestions anonymously and the group goes through them together to reach a consensus - this eliminates bias, etc.
For quantitative risk analysis, what are:
AV, EF, SLE, ARO, ALE?
1) Asset value
2) Exposure factor
3) Single loss expectancy
4) Annualised rate of occurrence
5) Annual loss expectancy
What are the 8 steps of quantitative risk analysis?
1) Inventory assets and assign AV
2) Research and produce a list of all possible threats to each asset - this results in an asset-threat pairing.
3) Calculate the EF for each asset-threat pair.
4) Calculate the SLE for each asset-threat pair.
5) Perform threat analysis to calculate the likelihood of occurrence in a single year - ARO
6) Derive the overall potential loss per year by calculating the ALE.
7) Research countermeasures for each threat and calculate changes to ARO, EF and ALE if these were taken.
8) Perform a cost/benefit analysis of each countermeasure for each threat to each asset. Select the most appropriate response to each threat.
SLE = ?
SLE = AV x EF
ALE = ?
ALE = SLE x ARO
Or
ALE = AV x EF x ARO
What are the 6 risk responses, after performing a risk assessment?
1) Mitigation or reduction
2) Assignment or transfer
3) Deterrence
4) Avoidance
5) Acceptance
6) Reject or ignore
What is inherent risk, total risk and residual risk?
What are the formulas related to them?
Inherent risk = the natural level of risk with no controls in place
Residual risk = the remaining risk after controls/safeguards are in place.
Total risk = the amount of risk an organisation would face if no safeguards were implemented.
Total risk = threats x vulnerabilities x asset value
Residual risk = Total risk - controls gap
(The controls gap is the difference between total risk and residual risk, i.e. the amount of risk reduced by the safeguards.)
What is Control Risk?
The risk introduced by a risk countermeasure. For example, they’re often technological solutions and there may be a vulnerability within that solution that provides a new risk.
What is ACS in cost/benefit analysis?
Annual cost of the safeguard
What calculation is done to determine the cost/benefit of a safeguard?
What other factor must you consider?
Value of the safeguard to the company = (ALE pre-safeguard - ALE post-safeguard) - ACS
If the result is negative, the safeguard is not financially sensible to implement. If it is positive, the organisation may save money by deploying it.
You must also consider legal or regulatory factors at play.
What are the common layers in a defence-in-depth approach for assets?
Core = asset
Inner layer = Administrative controls - policies and procedures.
Middle layer = Logical/Technical controls - hardware, software, authentication, encryption, etc.
Outer layer = Physical controls - motion detectors, locks, gates, etc.
What are the 7 different categories of controls?
1) Preventative
2) Deterrent
3) Detective
4) Compensating - used in addition to or instead of other controls to enhance, or act as a failover for, the original control.
5) Corrective - returns the system back to normal after a breach has occurred (corrects problems, etc.). IPS, Anti-malware quarantine, backup plans, etc.
6) Recovery - extension of Corrective controls but are more advanced/complex. Attempts to repair or restore resources, function and capabilities after a security policy violation. Such as, fault tolerant arrays, hot sites, backups, etc.
7) Directive - directs, confines or controls the actions of subjects to force or encourage compliance with security policies. E.g. guidance from a security guard, posted notifications, exit signs.
What are the 5 levels of the RMM?
Risk Maturity Model
1) Ad-hoc - a chaotic starting point where all organisations start.
2) Preliminary - Loose attempts are made to follow risk management processes, but each department may perform risk assessments uniquely.
3) Defined - a common or standardised risk framework is adopted organisation-wide.
4) Integrated - risk management operations are integrated into business processes, metrics are gathered and risk is considered in business strategy decisions.
5) Optimised - risk management focussed on achieving objectives rather than just reacting to external threats. Strategic planning is geared towards business success rather than just avoiding incidents. Lessons learned are reintegrated into the risk management process.
EOL vs EOS/EOSL
End of Life is where the product is no longer manufactured/sold, but is still supported.
End of Service (Life) is where the product is no longer supported (updates, patches, etc.)
What is NIST SP 800-37 and what are the 6 cyclical phases?
NIST Risk Management Framework (RMF)
Core = Prepare
1) Categorise - systems & information.
2) Select - initial set of controls.
3) Implement - the controls.
4) Assess - if the controls are working as expected with desired outcomes.
5) Authorise - the controls, if there is no impact to ops/business.
6) Monitor - the controls, their effectiveness and if any changes are needed. Report posture of the system.
What are the 9 social engineering principles?
1) Authority
2) Intimidation
3) Consensus
4) Scarcity
5) Familiarity
6) Trust
7) Urgency
8) Eliciting Information
9) Prepending - adding a term or expression to the start of a communication. E.g. using FW: or RE: in an email subject can make it look like part of an existing chain, or adding INTERNAL could help bypass spam filters, etc.
4 types of phishing
1) Spear Phishing - targeting a group of individuals
2) Whaling - targeting high value individuals, such as a CEO or admins.
3) Smishing - SMS phishing
4) Vishing - voice based phishing
What is piggybacking?
Tricking the victim into consenting and letting you in. For example, getting them to hold the door open because you are carrying a large box, or distracting them from noticing that you have not presented credentials.
What is Typosquatting, URL hijacking and click jacking?
Typosquatting - registering a similar but misspelt URL for a malicious site, so when people mistype the address they land on the malicious site, which is often made to look the same as the legitimate one.
URL hijacking - displaying a link or advert for a legitimate product but takes you to the incorrect/malicious webpage once clicked.
Click jacking - changes the URL once clicked (e.g. via a script on the webpage, URL redirects, invisible overlays, etc.)