OSG Chapter 2 Flashcards
What is UBA and UEBA?
User Behaviour Analytics
User & Entity Behaviour Analytics
What is a VMS?
Vendor Management System
A software solution that assists with the management and procurement of staffing services, hardware, software and other products/services.
Risk=
Risk = Threat x Vulnerability
Risk = Probability of harm x Severity of harm
What is the Delphi Technique in risk assessment?
It’s a qualitative risk assessment approach.
Participants provide responses/ideas/suggestions anonymously and the group works through them together to reach a consensus - the anonymity removes peer pressure and bias.
For quantitative risk analysis, what are:
AV, EF, SLE, ARO, ALE?
1) Asset value
2) Exposure factor
3) Single loss expectancy
4) Annualised rate of occurrence
5) Annual loss expectancy
What are the 8 steps of quantitative risk analysis?
1) Inventory assets and assign AV
2) Research and produce a list of all possible threats to each asset - this results in an asset-threat pairing.
3) Calculate the EF for each asset-threat pair.
4) Calculate the SLE for each asset-threat pair.
5) Perform threat analysis to calculate the likelihood of occurrence in a single year - ARO
6) Derive the overall potential loss per year by calculating ALE
7) Research countermeasures for each threat and calculate changes to ARO, EF and ALE if these were taken.
8) Perform a cost/benefit analysis of each countermeasure for each threat to each asset. Select the most appropriate response to each threat.
SLE = ?
SLE = AV x EF
ALE = ?
ALE = SLE x ARO
Or
ALE = AV x EF x ARO
What are the 6 risk responses, after performing a risk assessment?
1) Mitigation or reduction
2) Assignment or transfer
3) Deterrence
4) Avoidance
5) Acceptance
6) Reject or ignore
What is inherent risk, total risk and residual risk?
What are the formulas related to them?
Inherent risk = the natural level of risk with no controls in place
Residual risk = the remaining risk after controls/safeguards are in place.
Total risk = the amount of risk an organisation would face if no safeguards were implemented.
Total risk = threats x vulnerabilities x asset value
Residual risk = Total risk - controls gap
(The controls gap is the amount of risk that the implemented safeguards remove.)
What is Control Risk?
The risk introduced by a countermeasure itself. Countermeasures are often technological solutions, and a vulnerability within that solution creates a new risk.
What is ACS in risk/benefit analysis?
Annual cost of the safeguard
What calculation is done to determine the cost/benefit of a safeguard?
What other factor must you consider?
Value of the safeguard to the company = (ALE pre-safeguard - ALE post-safeguard) - ACS
If the result is negative, the safeguard is not financially justified. If it is positive, the organisation may save money by deploying it.
You must also consider legal or regulatory factors at play.
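The eight quantitative steps, the SLE/ALE formulas and the safeguard cost/benefit calculation above, carried through in code. This is an added example, not from the OSG; the asset, threat, figures and safeguard names are constructed for illustration, and the `required_by_regulation` flag is an assumption used to model the legal/regulatory factor that overrides a negative cost/benefit result.

```python
"""Quantitative risk analysis worked through in code: asset-threat pairs,
SLE/ALE, and the cost/benefit of candidate safeguards (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AssetThreat:
    """One asset-threat pairing (step 2) with the inputs from steps 1, 3 and 5."""
    asset: str
    threat: str
    av: float   # asset value (AV), in currency units
    ef: float   # exposure factor (EF), fraction of AV lost per incident, 0.0 to 1.0
    aro: float  # annualised rate of occurrence (ARO), incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure (step 7): its annual cost and the EF/ARO it leaves."""
    name: str
    acs: float      # annual cost of the safeguard (ACS)
    new_ef: float   # EF after the safeguard is deployed
    new_aro: float  # ARO after the safeguard is deployed
    required_by_regulation: bool = False  # assumed flag: legal driver independent of the ALE maths


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV x EF (step 4)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual loss expectancy: ALE = SLE x ARO = AV x EF x ARO (step 6)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def safeguard_value(pair: AssetThreat, sg: Safeguard) -> float:
    """Value of a safeguard = (ALE pre-safeguard - ALE post-safeguard) - ACS (step 8).
    Negative means the safeguard costs more per year than the loss it prevents."""
    ale_before = ale(pair.av, pair.ef, pair.aro)
    ale_after = ale(pair.av, sg.new_ef, sg.new_aro)
    return (ale_before - ale_after) - sg.acs


def recommend(pair: AssetThreat, candidates: list[Safeguard]) -> Optional[Safeguard]:
    """Pick the safeguard to deploy for this asset-threat pair.
    A regulatory requirement wins regardless of cost; otherwise take the highest
    positive value, or None (accept the risk) if nothing pays for itself."""
    mandated = [sg for sg in candidates if sg.required_by_regulation]
    if mandated:
        return max(mandated, key=lambda sg: safeguard_value(pair, sg))
    ranked = sorted(candidates, key=lambda sg: safeguard_value(pair, sg), reverse=True)
    if ranked and safeguard_value(pair, ranked[0]) > 0:
        return ranked[0]
    return None


# Constructed sample figures, not real data: a customer database facing ransomware.
PAIR = AssetThreat("customer database", "ransomware", av=200_000, ef=0.5, aro=0.2)

CANDIDATES = [
    Safeguard("offline backups", acs=5_000, new_ef=0.1, new_aro=0.2),      # cuts loss per incident
    Safeguard("EDR agent", acs=12_000, new_ef=0.5, new_aro=0.05),          # cuts how often it happens
    Safeguard("air-gapped rebuild", acs=25_000, new_ef=0.0, new_aro=0.0),  # removes the loss, but costly
]

if __name__ == "__main__":
    print(f"SLE = {sle(PAIR.av, PAIR.ef):,.0f}   ALE = {ale(PAIR.av, PAIR.ef, PAIR.aro):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:20s} value = {safeguard_value(PAIR, sg):>10,.0f}")
    choice = recommend(PAIR, CANDIDATES)
    print("recommend:", choice.name if choice else "accept the risk")
```

With the constructed figures, SLE is 100,000 and ALE 20,000; offline backups are worth 11,000 a year, the EDR agent 3,000, and the air-gapped rebuild -5,000, so it is rejected on cost unless a regulation mandates it. Note that the same countermeasure can lower EF, ARO, or both, which is why step 7 recalculates each of them rather than just the ALE.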
What are the common layers in a defence-in-depth approach for assets
Core = asset
Inner layer = Administrative controls - policies and procedures.
Middle layer = Logical/Technical controls - hardware, software, authentication, encryption, etc.
Outer layer = Physical controls - motion detectors, locks, gates, etc.
What are the 7 different categories of controls?
1) Preventative
2) Deterrent
3) Detective
4) Compensating - used in addition to or instead of other controls, to enhance the original control or act as a failover for it.
5) Corrective - returns the system back to normal after a breach has occurred (corrects problems, etc.). IPS, Anti-malware quarantine, backup plans, etc.
6) Recovery - an extension of corrective controls, but more advanced/complex. Attempts to repair or restore resources, functions and capabilities after a security policy violation. E.g. fault-tolerant drive arrays, hot sites, backups.
7) Directive - directs, confines or controls the actions of subjects to force or encourage compliance with security policies. E.g. guidance from a security guard, posted notifications, exit signs.