Risk Management Flashcards
Looking to define threats specific to your infrastructure
Threat Assessment
Security Control Function
Recognizes (detects) an actor's threat while it is happening or after the fact
Detective
Security Control Function
Mitigates the impact of a threat that has already manifested
Corrective
CIA
Confidentiality
Integrity
Availability
Organizing Data
-Limited to authorized viewing as agreed on by the parties involved
Confidential Data
Differential Backup
Every day you back up everything that has changed since the last full backup - to do a full system recovery you need the original full backup plus only the most recent differential backup
An outside party checks your vulnerabilities by actually trying to exploit them and get in, under agreed rules so that no real harm is done
Penetration(Pen) Testing
Security Policies
-Define the importance or nature of the data
Data Sensitivity and Classification Policy
Controls that govern people's actions toward IT security
- laws
- policies
- guidelines
- best practices
Administrative Controls
Security Control Function
Deters the actor from attempting the threat
Deterrent
ARO
Annualized Rate of Occurrence
Data User Roles
-Set policy on data and incident response actions
Executive User
Controls that IT systems themselves apply toward IT security
- computer hardware and software mechanisms
- firewalls
- passwords
- authentication
- encryption
Technical Controls
Role Based Data Controls
-Read only access but can look at all business data
Executive User
Threat x Vulnerability
Risk
Risk Response - offload some of the impact to a 3rd party (e.g. insurance or an outsourced service)
Risk transference
In-house assessment of whether a system stores or handles privacy data (PII), used to decide whether a full PIA is needed
Privacy Threshold Assessment (PTA)
Security Policies
-Defines what a person can or can not do when using company assets
Acceptable Use Policy
Use a variety of physical, administrative, and technical controls to have good…
Defense in Depth
Data User Roles
-Complete control over data and could delete everything - sets permissions
System Administrator
Structural threat
Physical system failure
Defense in Depth
-different types of controls
Diversity
Organizing Data
-Health Insurance Portability and Accountability Act
HIPAA
Protected Health Information (PHI)
3 Security Controls
Administrative/Technical/Physical
Initiates a threat
Threat Agent
Data Roles
-Person who is in charge of ensuring data adheres to privacy policies and procedures
Privacy Officer
Security Policies
- How you maintain equipment
- How you borrow equipment
Care and Use of Equipment Policy
Applied to infrastructure to protect against and remediate current and potential problems
Security Control
Data Roles
-Maintain the accuracy and integrity of the data
Steward/Custodian
Incremental Backup
Every day you back up only what has changed since the previous backup (full or incremental) - to do a full system recovery you need the original full backup plus every incremental backup made since, applied in order
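Added example (not part of the original flashcards): a small simulation that runs the same three days of file changes through both strategies from the Differential Backup and Incremental Backup cards, then restores from each chain. The file names, version numbers and change history are constructed sample data. It also shows the trade-off the cards imply: differentials store more per day but need only the last one to restore, while incrementals store less but break if any backup in the chain is missing.

```python
# Added example (not part of the original flashcards): simulating differential vs
# incremental backups over a constructed change history to show what each
# strategy stores per day and which backup sets a restore needs.

# Constructed sample data: file -> version number at the time of the full backup,
# then one dict of changed files per day.
FULL_BACKUP = {"payroll.db": 1, "web.conf": 1, "notes.txt": 1}
DAILY_CHANGES = [
    {"payroll.db": 2},                  # day 1
    {"notes.txt": 2},                   # day 2
    {"payroll.db": 3, "web.conf": 2},   # day 3
]


def simulate_days(full_backup, daily_changes):
    """Apply each day's changes to the live system and record both backup chains.

    Returns (live_state, differentials, incrementals), one backup set per day
    in each list.
    """
    live = dict(full_backup)
    changed_since_full = {}
    differentials, incrementals = [], []
    for changes in daily_changes:
        live.update(changes)
        changed_since_full.update(changes)              # keeps growing until the next full backup
        differentials.append(dict(changed_since_full))  # everything changed since the FULL backup
        incrementals.append(dict(changes))              # only what changed since the PREVIOUS backup
    return live, differentials, incrementals


def restore_differential(full_backup, differentials):
    """Recovery = full backup + the most recent differential only."""
    state = dict(full_backup)
    if differentials:
        state.update(differentials[-1])
    return state


def restore_incremental(full_backup, incrementals):
    """Recovery = full backup + every incremental since it, applied in order."""
    state = dict(full_backup)
    for inc in incrementals:
        state.update(inc)
    return state


def entries_stored(backup_sets):
    """Rough storage cost: total number of file entries kept across the chain."""
    return sum(len(b) for b in backup_sets)


if __name__ == "__main__":
    live, diffs, incs = simulate_days(FULL_BACKUP, DAILY_CHANGES)
    print("differential restore matches live system:", restore_differential(FULL_BACKUP, diffs) == live)
    print("incremental restore matches live system:", restore_incremental(FULL_BACKUP, incs) == live)
    print("entries stored - differential:", entries_stored(diffs), "incremental:", entries_stored(incs))
    # Losing day 2's backup set only hurts the incremental chain.
    print("differential without day 2:", restore_differential(FULL_BACKUP, [diffs[0], diffs[2]]) == live)
    print("incremental without day 2:", restore_incremental(FULL_BACKUP, [incs[0], incs[2]]) == live)
```

Run it directly to see both restores succeed with the full chain, the differential chain storing 6 entries against the incremental chain's 4, and the incremental restore silently producing a stale notes.txt once day 2's set is missing.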
Scan that shows vulnerabilities
NESSUS
PIA
Privacy Impact Assessment
Data User Roles
-Assigned standard permissions to complete tasks
User
Accidental threat
Someone innocently corrupts or damages something
Security Policies
- How you deal with passwords
- Password recovery/retention/reuse/etc.
Password Policy
Role Based Data Controls
- Defines the security of the data
- Defines the protection of data
- Works with system owner to protect data
- Defines access to the data
Data Owner
PII
Personally Identifiable Information
Security Control Function
Stops the actor from being able to perform the threat at all (blocks the action, rather than just discouraging it)
Preventative
Security Policies
- How to get access to data or resources
- What kind of data do users have access to
Access Control Policy
What does this help with?
-Separation of duties
No single person can complete a critical task alone (requires two people to execute it), so one insider cannot commit fraud or cause damage undetected
Data User Roles
-Increased access and control relative to a user
Privileged User
Defense in Depth
-same type of control but many of them as backups
Redundancy
Agreement used by Government and Private Sector…
- Service to be provided
- Minimum up-time
- Response time
- Start and end dates
Service Level Agreement (SLA)
Threat Actors - Motivation is intelligence
Nation States/Advanced Persistent Threat(APT)
Documents that define what must be done (the rules), not the step-by-step how
Policies
A Memorandum of Understanding/Agreement is a….
Document that specifies the responsibilities of each party and defines the terms of the agreement
Qualitative likelihood
Perceived
- Mandatory vacation
- Job rotation
- Multi-person control
- Separation of duties
- Principle of least privilege
Interesting Security Controls
SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) =
ALE(Annualized Loss Expectancy)
Data Roles
-Legal responsibility for the data
Owner
Risk Response - seek to avoid hazards/risk entirely
Risk avoidance
Adversarial threat
Hacker/Malware
Threat Actors - Motivation is ideology/a cause, not money
Hacktivist
ALE
Annualized Loss Expectancy
BPA
Business Partners Agreement
Guidelines
Optional recommendations; not mandatory like policies or standards, and need not be precisely defined
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
^Example of a ….
Framework
NIST
National Institute of Standards and Technology
Role Based Data Controls
- Has special access to data beyond the typical user
- Works closely with system admins to ensure data security
Privileged User
Maximum amount of data that can be lost without substantial impact
Recovery Point Objective (RPO)
Threat Actors - Motivation is money
Organized Crime
MTBF
Mean Time Between Failures
-Disable accounts(never delete)
-Return credentials
-Exit interview
^Examples of what?
Offboarding
Sandbox
An isolated (usually virtual) environment that looks and behaves like a real system, so untrusted code or an attacker's activity can run and be observed without touching the real one
cve.mitre.org
Common Vulnerabilities and Exposures
Interconnections security agreement (ISA) are used in the…
Public Sector (Government)
Vulnerability/Threat assessment
Risk Identification/Assessment
Which type of agreement is needed when two private-sector people or organizations wish to work together?
Business Partners Agreement (BPA)
- Determine mission processes
- Identify critical systems
- Identify single points of failure
- Identify resource requirements
- Identify recovery priorities
Business Impact Analysis
Role Based Data Controls
- Accesses and uses the assigned data responsibly
- Monitors and reports security breaches
User
Security Policies
- Deals with the people dealing with the data
- Backgrounds/Clearances
Personnel Policies
Asset Value x Exposure Factor =
Single Loss Expectancy (SLE)
PCI-DSS
Payment Card Industry Data Security Standard
Organizing Data
-Private but also specific in identifying someone
Personally Identifiable Information (PII)
PTA
Privacy Threshold Assessment
Organizing Data
-Limited to only the individual with whom the information is shared
Private Data
-Maximum time a system can be down before the business is harmed, i.e. the time within which the system must be restored to operation
Recovery Time Objective (RTO)
Data User Roles
-Usually corporation that has legal ownership over this data set or system
Data Owner/System Owner
MTTF
Mean Time to Failure
Buffer overflow attempt
Occurs when a program or process attempts to write more data to a fixed length block of memory (a buffer), than the buffer is allocated to hold. By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine
Identified by an intrusion detection/prevention system
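Added example (not part of the original flashcards): a Python model of the mechanism the Buffer overflow card describes. A fixed-length buffer and the saved return address that follows it on the stack are modelled as one contiguous byte array; an unchecked copy of crafted input runs past the buffer and replaces the return address, while a bounds check refuses the same input. The buffer size, both addresses and the attacker's input are constructed for illustration and are not taken from any real binary.

```python
# Added example (not part of the original flashcards): a Python model of a stack
# frame showing why an unchecked copy into a fixed-length buffer lets crafted
# input overwrite the saved return address, and the bounds check that stops it.
# Sizes, addresses and input are constructed for illustration, not from any real binary.

BUF_SIZE = 16                   # fixed-length buffer, like `char name[16]` in C
RET_SIZE = 8                    # the saved return address sits just past the buffer on the stack
LEGIT_RETURN = 0x00401000       # hypothetical address the function should return to
ATTACKER_RETURN = 0xDEADBEEF    # hypothetical address of attacker-controlled code


def make_frame():
    """Buffer followed by the saved return address, as contiguous bytes."""
    frame = bytearray(BUF_SIZE + RET_SIZE)
    frame[BUF_SIZE:] = LEGIT_RETURN.to_bytes(RET_SIZE, "little")
    return frame


def saved_return(frame):
    """Read back the address the CPU would jump to when the function returns."""
    return int.from_bytes(frame[BUF_SIZE:BUF_SIZE + RET_SIZE], "little")


def unchecked_copy(frame, data):
    """Like strcpy(): copies every byte it is given and never consults the buffer size."""
    frame[0:len(data)] = data       # bytes past BUF_SIZE land on the return address
    return frame


def bounded_copy(frame, data):
    """Hardened version: reject anything that does not fit the buffer."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"{len(data)} bytes do not fit a {BUF_SIZE}-byte buffer")
    frame[0:len(data)] = data
    return frame


def bounded_copy_rejects(data):
    """True when the hardened copy refuses the input."""
    try:
        bounded_copy(make_frame(), data)
        return False
    except ValueError:
        return True


def crafted_input():
    """Constructed attacker input: filler that exactly fills the buffer, then the new return address."""
    return b"A" * BUF_SIZE + ATTACKER_RETURN.to_bytes(RET_SIZE, "little")


def oversized_field(data, limit=BUF_SIZE):
    """The kind of check an IDS/IPS signature makes: is a field longer than the protocol allows?"""
    return len(data) > limit


if __name__ == "__main__":
    frame = unchecked_copy(make_frame(), crafted_input())
    print(f"after unchecked copy, return address = {saved_return(frame):#x}")
    print("IDS would flag this input as oversized:", oversized_field(crafted_input()))
    try:
        bounded_copy(make_frame(), crafted_input())
    except ValueError as e:
        print("bounded copy refused:", e)
```

In a real C program the overwritten return address is what lets the attacker redirect execution to their own code; the model stops at showing the overwrite, which is the part the bounds check (or a safe copy that knows the destination size) prevents.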
Actual harm caused by a threat
Impact
APT
Advanced Persistent Threat
Risk Response - the cost of addressing the risk outweighs the potential damage, so you live with it
Risk acceptance
Organizing Data
- Like private but at corporate level
ex: the formula for Coca-Cola
Proprietary Data
Security Policies
-These are often for customers
Privacy Policy
(Blank) is key for good Defense in Depth
Diversity
Things that can be Impacted
- Property
- People
- Finance
- Reputation
What is the monetary loss if a single event occurs?
ex:laptop stolen
Single Loss Expectancy
ISO
International Organization for Standardization
Set of overarching rules that define how an organization and its employees conduct themselves
Influences how the organization conducts IT security
Governance
Threat Actors - Trivial attack knowledge
Script Kiddies
What does this help with?
-Job Rotation
Backup/Cross Training
What does this help with?
-Mandatory Vacations
Reveals dependency on a single person and exposes fraud or misconduct that only stays hidden while that person is present
Role Based Data Controls
- Management level
- Maintains security of system
- Defines system Admin
- Works with data owners to ensure data security
System Owner
Anything in infrastructure we’re worried about getting harmed
- People
- Equipment
- Reputation
- Location/Building
Assets
MTTR
Mean Time to Repair
Quantitative Risk Calculations
-Percentage of an asset that’s lost as the result of an incident
Exposure Factor
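Added example (not part of the original flashcards): the quantitative risk formulas from the SLE, ALE, ARO and Exposure Factor cards carried through in code, then extended to the decision the Risk acceptance and Mitigation cards describe: compare the ALE a control saves each year with what the control costs. The asset values, exposure factors, occurrence rates and control costs below are constructed figures for illustration.

```python
# Added example (not part of the original flashcards): the quantitative risk
# formulas (SLE = AV x EF, ALE = SLE x ARO) carried through to a mitigate-or-accept
# decision. All values, rates and control costs are constructed for illustration.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value x Exposure Factor.

    Exposure factor is the fraction of the asset lost in one incident
    (1.0 = total loss, e.g. a stolen laptop; 0.25 = a quarter of its value).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate(incidents, years):
    """ARO expressed as incidents per year; one flood every 20 years is 1/20 = 0.05."""
    return incidents / years


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


def evaluate_control(asset_value, exposure_factor, aro_before, aro_after, annual_control_cost):
    """Compare the ALE saved by a control with what the control costs per year.

    Positive net benefit -> the mitigation pays for itself; otherwise the cost
    of the control outweighs the expected damage and accepting the risk is rational.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    net_benefit = (ale_before - ale_after) - annual_control_cost
    return {
        "SLE": sle,
        "ALE_before": ale_before,
        "ALE_after": ale_after,
        "net_benefit": net_benefit,
        "response": "mitigate" if net_benefit > 0 else "accept",
    }


if __name__ == "__main__":
    # Stolen laptops (constructed): $2,000 each, total loss, five thefts a year;
    # hypothetical cable locks at $1,500/yr cut thefts to one a year.
    print(evaluate_control(2_000, 1.0, 5, 1, 1_500))
    # Server-room flooding (constructed): $100,000 of equipment, a quarter destroyed,
    # once in 20 years; a hypothetical $2,000/yr control makes it once in 100 years.
    print(evaluate_control(100_000, 0.25, annualized_rate(1, 20), annualized_rate(1, 100), 2_000))
```

The laptop case comes out as SLE $2,000, ALE $10,000 before and $2,000 after, so the $1,500/yr control nets $6,500 and the answer is mitigate; the flood case has an ALE of only $1,250, the control saves $1,000 a year but costs $2,000, so the answer is accept.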
Organizing Data
-No restriction/public domain
Public Data
Quantitative Likelihood
Can be measured
Control actions in the real world
- gates
- guards
- keys
Physical Controls
Potential action that exploits a vulnerability to do harm to an asset
Threats
Environmental threat
Fire/water/earthquake/etc.
Step by step process of how to do something
Procedure
Weakness that allows an asset to be exploited
Vulnerabilities
Level of certainty that something will happen
Likelihood
Workflow that helps deal with risk management
Ex: NIST / ISACA
Framework
SLE
Single Loss Expectancy
RPO
Recovery Point Objective
Defines the acceptable level of performance of policy - more detailed than policy
Organizational Standard
-Background check
-NDA non-disclosure agreement
-Standard operating procedures
-Specialized issues
-Rules of behavior(acceptable use policy)
-General security policies
^Examples of what?
Onboarding
Threat Actors - Other businesses/not a big problem nowadays
Competitors
Assessment that tells you what the impact would be to the company if the privacy data they control gets out
Privacy Impact Assessment (PIA)
RTO
Recovery Time Objective
Security Control Function
Provides an alternative control when the primary control cannot be implemented or is not sufficient
Compensating
Threat Actors - Not always an employee/Works within the infrastructure
Insiders
Role Based Data Controls
- Day to day admin of system
- Implements system security controls
System Administrator
Risk Response - effort to reduce impact of risk
Mitigation
PHI
Protected Health Information