Risk identification Flashcards
what is risk identification?
process for discovering, recognizing and documenting the risk an organization faces.
what is risk appetite?
the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.
what is risk capacity?
the objective amount of loss an enterprise can tolerate without its continued existence being called into question
what is risk tolerance?
the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objective
who is responsible for defining and approving risk appetite and tolerance?
senior management
what is risk culture?
management’s willingness to embrace, cautiously accept or avoid risk
why is risk communication important?
- informed risk decisions by executive management, based on an improved understanding of actual exposure and of how risk relates to day-to-day duties.
- greater awareness among all stakeholders of the importance and value of integrating risk management into their duties
- transparency to external stakeholders regarding both the actual levels of risk facing the organization and the risk management process in use.
what are the risk components to be communicated?
- expectations from risk management (strategy, policies, procedures, awareness, training)
- current risk management capability ( risk management process maturity)
- status (risk profile, key risk indicators, loss data etc.)
what are the elements of risk?
- consequences associated with specific assets
- a threat to those assets, requiring both intent (motivation) and capability.
- vulnerability specific to the threat
what is an asset?
something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation
what are common methods of destroying data?
overwriting, degaussing, and physical destruction of the equipment. (degaussing only works on magnetic media; solid-state storage must be overwritten with a method the device supports, cryptographically erased, or physically destroyed.)
why should sensitive and critical data be protected?
sensitive data must be protected from disclosure and modification
critical data must be protected from destruction or loss
what is an NDA?
A non-disclosure agreement is a legally binding contract that establishes a confidential relationship. The party or parties signing the agreement agree that sensitive information they may obtain will not be made available to any others. An NDA may also be referred to as a confidentiality agreement
what is a statement of work?
A Statement of Work (SOW) is a document within a contract that describes the work requirements for a specific project along with its performance and design expectations. The main purpose of the SOW is to define the liabilities, responsibilities and work agreements between two parties, usually clients and service providers.
what is the importance of asset valuation?
effort should be made to determine the importance of assets in the context of organizational activities so that priority may be given to protecting the most important assets first and addressing less significant assets as time and budget allow.
effective valuation also protects the organization from paying more in protection than the net worth of the assets.
what is one technique in calculating asset value?
base it on the impact of a loss of confidentiality, integrity and availability
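The two cards above (sensitive vs. critical data, and valuing an asset by the impact of losing confidentiality, integrity or availability) can be turned into a small prioritization routine. The following is an added example, not part of the original deck: the three-level impact scale, the high-water-mark rule (worst of the three dimensions, as in FIPS 199), and the sample inventory are all assumptions made here for illustration.

```python
from dataclasses import dataclass

# Impact scale for each CIA dimension. The scale is an assumption; the deck only
# says to base value on the impact of losing C, I or A.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str    # impact if the asset is disclosed
    integrity: str          # impact if the asset is modified
    availability: str       # impact if the asset is destroyed or unavailable
    value: float            # what the organization or an adversary would pay for it
    protection_cost: float  # cost of the safeguards proposed for it


def high_water_mark(asset: Asset) -> str:
    """Overall impact = worst of the three dimensions (FIPS 199 high-water-mark rule)."""
    return max((asset.confidentiality, asset.integrity, asset.availability),
               key=lambda level: LEVELS[level])


def classify(asset: Asset) -> set:
    """'sensitive' assets need protection from disclosure or modification,
    'critical' assets from destruction or loss (the deck's distinction)."""
    tags = set()
    if LEVELS[asset.confidentiality] >= 3 or LEVELS[asset.integrity] >= 3:
        tags.add("sensitive")
    if LEVELS[asset.availability] >= 3:
        tags.add("critical")
    return tags


def prioritize(assets):
    """Protection order: highest overall impact first, ties broken by monetary value."""
    ordered = sorted(assets,
                     key=lambda a: (LEVELS[high_water_mark(a)], a.value),
                     reverse=True)
    return [a.name for a in ordered]


def overspent(assets):
    """Assets whose proposed safeguards cost more than the asset is worth."""
    return [a.name for a in assets if a.protection_cost > a.value]


# Constructed sample inventory (illustrative values, not from any real organization).
INVENTORY = [
    Asset("customer-db", "high", "high", "moderate", value=500_000, protection_cost=60_000),
    Asset("public-website", "low", "moderate", "high", value=120_000, protection_cost=20_000),
    Asset("cafeteria-menu", "low", "low", "low", value=500, protection_cost=2_000),
    Asset("payroll-system", "high", "high", "high", value=300_000, protection_cost=45_000),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:15} overall={high_water_mark(a):9} tags={sorted(classify(a))}")
    print("protect in order:", prioritize(INVENTORY))
    print("safeguards cost more than the asset:", overspent(INVENTORY))
```

The high-water mark is deliberately conservative: an asset that is "low" on two dimensions but "high" on the third is still treated as high overall, because the worst-case loss is what the safeguards must be sized against.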
define asset value
what the organization or another party would pay to take possession of an asset or deny access to it by others.
what is a threat?
anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm
what is a threat agent?
methods and things used to exploit a vulnerability, such as determination, capability, motive and resources
what is a threat vector?
the path or route used by the adversary to gain access to the target
what is a threat analysis?
an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets.
what are the dimensions of threats?
- external or internal
- intentional or unintentional
what are indicators of emerging threats?
unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs.
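Three of those indicators (repeated alarms, new activity, excessive activity in logs) can be checked mechanically once a baseline of normal behaviour exists. The block below is an added example, not from the original deck: the syslog-style sample lines, the per-host baseline and the thresholds are all constructed here for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines covering one minute (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 web1 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:02 web1 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:03 web1 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:04 web1 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:05 web1 sshd: Failed password for oracle from 203.0.113.5
2024-05-01T10:00:06 web1 sshd: Accepted password for deploy from 198.51.100.7
2024-05-01T10:00:07 web1 nginx: GET /index.html 200
2024-05-01T10:00:08 web1 nginx: GET /admin 403
2024-05-01T10:00:09 db1 postgres: connection authorized user=app
2024-05-01T10:00:10 db1 cron: (root) CMD (/tmp/.cache/update.sh)
2024-05-01T10:00:11 db1 postgres: checkpoint complete
2024-05-01T10:00:12 db1 postgres: connection authorized user=app
"""

# Constructed baseline: processes normally seen per host and normal lines per minute.
BASELINE = {
    "web1": {"procs": {"sshd", "nginx"}, "lines_per_minute": 3},
    "db1": {"procs": {"postgres"}, "lines_per_minute": 3},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for \S+ from (?P<ip>[\d.]+)")


def parse(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def repeated_failures(events, threshold=3):
    """Repeated alarms: source IPs with at least `threshold` failed logins."""
    counts = Counter()
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def new_processes(events, baseline=BASELINE):
    """New activity: processes logging on a host that are not in its baseline."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["proc"])
    return {host: procs - baseline.get(host, {}).get("procs", set())
            for host, procs in seen.items()
            if procs - baseline.get(host, {}).get("procs", set())}


def excessive_volume(events, baseline=BASELINE, factor=2):
    """Excessive activity: hosts logging more than `factor` times their baseline rate."""
    per_host = Counter(e["host"] for e in events)
    return {host: n for host, n in per_host.items()
            if n > factor * baseline.get(host, {}).get("lines_per_minute", n)}


def indicators(text, baseline=BASELINE):
    """Run all three checks over a log excerpt and return the findings together."""
    events = parse(text)
    return {
        "repeated_failures": repeated_failures(events),
        "new_processes": new_processes(events, baseline),
        "excessive_volume": excessive_volume(events, baseline),
    }


if __name__ == "__main__":
    for name, finding in indicators(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

None of these findings is proof of compromise on its own; they are the prompts for the threat analysis described on the preceding cards. The thresholds also need tuning per environment, since a too-low value for repeated failures will alarm on ordinary typos.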
what is a vulnerability?
weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
what is a vulnerability analysis?
a process of identifying and classifying vulnerabilities
what is vulnerability scanning?
an automated process to proactively identify security weaknesses in a network or individual system
what is the purpose of vulnerability identification?
the purpose is to first find problems before they are found by an adversary and exploited. this is why the organization should conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities. where vulnerabilities exist, there is a potential for risk.
what are some causes of network vulnerability?
misconfiguration of equipment, poor architecture or traffic interception.
what is misconfiguration?
common problem with network equipment that is not properly installed, operated or maintained. any open services are a potential attack vector that can be exploited by an attacker, so network equipment should be hardened by disabling any unneeded services, ports or protocols.
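A practical way to catch the misconfiguration described above is to compare what a host actually listens on with an allowlist of what it is supposed to expose. This is an added example, not part of the original deck: the socket listing is constructed in the format `ss -Hlntu` prints on Linux, and the allowlist is an assumed policy for a hypothetical web server that should only reach its database over loopback.

```python
# Constructed socket listing in the column layout of `ss -Hlntu` (header suppressed):
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port. Not from a real host.
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5432      0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""

# Assumed policy: the only services this host may expose. "any" allows any interface;
# "loopback" means the port may be bound to 127.0.0.1 or ::1 only.
ALLOWED = {
    ("tcp", 22): "any",
    ("tcp", 80): "any",
    ("tcp", 443): "any",
    ("tcp", 5432): "loopback",
    ("udp", 323): "loopback",
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_ss(text):
    """Return (proto, local_addr, port) for each socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" as well as "0.0.0.0:22"
        sockets.append((proto, addr, int(port)))
    return sockets


def unexpected_services(text, allowed=ALLOWED):
    """Findings: (proto, port, addr, reason) for sockets that violate the allowlist."""
    findings = []
    for proto, addr, port in parse_ss(text):
        policy = allowed.get((proto, port))
        if policy is None:
            findings.append((proto, port, addr, "not-allowed"))
        elif policy == "loopback" and addr not in LOOPBACK:
            findings.append((proto, port, addr, "loopback-only"))
    return findings


if __name__ == "__main__":
    for proto, port, addr, reason in unexpected_services(SS_OUTPUT):
        action = "disable the service or block it at the firewall" if reason == "not-allowed" \
            else "rebind it to 127.0.0.1/::1"
        print(f"{proto}/{port} bound to {addr}: {reason}; {action}")
```

Running this against a live host (`ss -Hlntu | python3 check.py` with `SS_OUTPUT` replaced by `sys.stdin.read()`) turns "disable unneeded services" from a slogan into a repeatable check; the allowlist itself is the hardening standard the card refers to.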
what are the implications of a physical access vulnerability?
with access to server rooms, network cabling, information systems equipment and buildings, an attacker can circumvent passwords, install skimmers or taps to intercept data communications, and take logical ownership of systems or devices.
what are the most common entry points currently used by attackers?
applications in general and web applications in particular.
what are some application vulnerabilities?
- buffer overflows : A buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently
- logic flaws :Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.
- injection attacks: occur when untrusted input is placed into a command or query (SQL, OS shell, LDAP, etc.) without being separated from the command's own syntax, so the interpreter executes attacker-supplied instructions; a typical result is that the attacker reads or modifies data in the database that the application never intended to expose
- bugs: bug is an error, flaw or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways
- incorrect control over user access (broken access control)
- poor architecture
what are the different kinds of cloud deployment models?
- private cloud: operated solely for an enterprise, may be managed by the enterprise or a third party, may exist on or off premise.
- public cloud: made available to the general public or a large industry group, owned by an organization selling cloud services.
- community cloud: shared by several enterprises, supports a specific community that has a shared mission or interest, may be managed by the enterprises or a third party, may reside on or off premise
- hybrid cloud: a composition of two or more clouds
what are some technical risks that are compounded when data is centralized?
- amplified technical impact: if an unauthorized user were to gain access to centralized repositories, it puts the entirety of those data in jeopardy rather than a subset of the data
- privacy ( data collection): analytics techniques can impact privacy. for example, individuals whose data are being analyzed may feel that revealed information about them is overly intrusive.
- privacy ( re-identification): when data is aggregated, semi-anonymous information or information that is not individually identifiable information might become non-anonymous or identifiable in the process.
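The re-identification risk on the last card is easy to demonstrate: records that carry no names can still be linked to a public list through the combination of ZIP code, birth year and sex (the classic quasi-identifiers). The block below is an added example, not from the original deck; both datasets are constructed here, and the k-anonymity measure and the generalization step (truncating ZIP, dropping birth year) are standard techniques used here as assumptions about how a team might respond.

```python
from collections import Counter

# Quasi-identifiers: fields that are not names but, combined, often single a person out.
QUASI = ("zip", "birth_year", "sex")

# Constructed "anonymized" records released for analytics (no names, sensitive diagnosis).
ANON_RECORDS = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1971, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1971, "sex": "M", "diagnosis": "influenza"},
    {"zip": "02140", "birth_year": 1980, "sex": "F", "diagnosis": "migraine"},
]

# Constructed public list (e.g. a voter roll) carrying names and the same quasi-identifiers.
PUBLIC_LIST = [
    {"name": "Alice", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Bob", "zip": "02139", "birth_year": 1971, "sex": "M"},
    {"name": "Carl", "zip": "02139", "birth_year": 1971, "sex": "M"},
    {"name": "Dana", "zip": "02140", "birth_year": 1980, "sex": "F"},
    {"name": "Erin", "zip": "02141", "birth_year": 1990, "sex": "F"},
]


def key_of(record, keys):
    return tuple(record[k] for k in keys)


def k_anonymity(records, keys):
    """Smallest group sharing one quasi-identifier combination; k=1 means someone is unique."""
    return min(Counter(key_of(r, keys) for r in records).values())


def reidentify(anon, public, keys):
    """Link anonymized records to names where the quasi-identifier combination is unique
    in both datasets. Returns {name: diagnosis} for the confident matches."""
    anon_counts = Counter(key_of(r, keys) for r in anon)
    public_index = {}
    for p in public:
        public_index.setdefault(key_of(p, keys), []).append(p["name"])
    matches = {}
    for r in anon:
        k = key_of(r, keys)
        names = public_index.get(k, [])
        if anon_counts[k] == 1 and len(names) == 1:
            matches[names[0]] = r["diagnosis"]
    return matches


def generalize(record):
    """Coarsen the quasi-identifiers: keep only the ZIP prefix and drop birth year."""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out.pop("birth_year", None)
    return out


GENERALIZED_QUASI = ("zip", "sex")

if __name__ == "__main__":
    print("k before:", k_anonymity(ANON_RECORDS, QUASI))
    print("linked before:", reidentify(ANON_RECORDS, PUBLIC_LIST, QUASI))
    anon_g = [generalize(r) for r in ANON_RECORDS]
    public_g = [generalize(p) for p in PUBLIC_LIST]
    print("k after:", k_anonymity(anon_g, GENERALIZED_QUASI))
    print("linked after:", reidentify(anon_g, public_g, GENERALIZED_QUASI))
```

Bob and Carl are protected even in the raw release because two records share their combination; Alice and Dana are exposed because theirs is unique on both sides. Generalizing the quasi-identifiers raises k to 2 and removes every confident link, at the cost of analytic precision, which is the trade-off a risk owner has to decide on before data is aggregated.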
what is a vulnerability assessment?
careful examination of a target environment to discover any potential points of compromise or weakness.
vulnerability testing can be manual or automated. automated tools have the ability to filter large amounts of data from different sources, examine the functions of a program, and run test files or data against a tool such as a firewall or application. manual tests are better suited for content that is not easily quantifiable and requires judgement - such as business process reviews, physical security and source code.
what is penetration testing?
an authorized attempt to actually exploit identified weaknesses, used to validate the results of a vulnerability assessment: it confirms which findings are exploitable in practice and what an attacker could reach through them, and weeds out false positives from automated scans.
what is an impact?
magnitude of loss resulting from a threat exploiting a vulnerability
what is an impact analysis?
a study to prioritize the criticality of information resources for the enterprise based on the costs or consequences of adverse events. in an impact analysis, threats to assets are identified and potential business losses are determined for different time periods. this assessment is used to justify the extent of safeguards that are required and the recovery time frames. this analysis is the basis for establishing the recovery strategy.
what is an impact assessment?
a review of the possible consequences of a risk
what is likelihood?
the probability of something happening