Risk Management and Threat Modeling

Question 1

Risk Management?

Answer 1

A detailed process of identifying potential factors that could damage or disclose data, evaluating them in light of data value and countermeasure cost, and implementing cost-effective solutions to mitigate or reduce risk.

Question 2

Primary Goal of risk managment?

Answer 2

To reduce risk to an acceptable level, acknowledging that a totally risk-free environment is impossible.

Question 3

Asset?

Answer 3

Anything valuable within an environment needing protection.

Question 4

Asset Valuation?

Answer 4

Assigning a dollar value to an asset.

Question 5

Threat?

Answer 5

Potential occurrences causing undesirable outcomes.

Question 6

Vulnerability?

Answer 6

Weakness in an asset or lack of safeguard

Question 7

Exposure?

Answer 7

Susceptibility to asset loss due to threats.

Question 8

Risk?

Answer 8

Likelihood of a threat exploiting a vulnerability to harm an asset.

Question 9

Risk formula?

Answer 9

Risk = Threat * Vulnerability

Question 10

Safeguard/Countermeasure?

Answer 10

Measures to reduce vulnerability or protect against threats.

Question 11

Attack?

Answer 11

Exploitation of a vulnerability by a threat agent.

Question 12

Breach?

Answer 12

Successful bypass of security mechanisms by a threat agent

Question 13

Risk Assessment/Analysis?

Answer 13

Quantitative Risk Analysis
Qualitative Risk Analysis

Question 13

Quantitative Risk Analysis?

Answer 13

Produces concrete probability percentages and dollar figures for risk levels, potential loss, cost of countermeasures, and value of safeguards.

Question 13

Qualitative Risk Analysis?

Answer 13

Scenario-based, ranking threats on a scale rather than exact dollar figures.

Question 14

Quantitative Risk Analysis Steps?

Answer 14

Assign Asset Value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy (SLE) = SLE=AV×EF
Assess Annualized Rate of Occurrence (ARO)
Derive Annualized Loss Expectancy (ALE): ALE=SLE×ARO
Perform Cost/Benefit Analysis of Countermeasures

Question 15

Risk Treatment?

Answer 15

Risk Reduction/Mitigation: Actions to lessen risk probability/consequences.
Risk Retention/Acceptance: Accepting the cost of a risk.
Risk Avoidance: Avoiding situations leading to risk exposure.
Risk Transfer/Sharing: Sharing risk burden with another party.

Question 16

Attributes of Adversary Modeling and Security Analysis?

Answer 16

-Objectives: Identifying target assets requiring protection.
-Methods: Anticipated attack techniques.
-Capabilities: Resources, skills, knowledge, and opportunities of attackers.
-Funding Level: Influences attacker determination and methods.
-Outsider vs. Insider Attacks: Distinguishes between attacks from outside entities and those with internal access.

Question 17

Adversary Groups?

Answer 17

Foreign Intelligence
Cyber-terrorists
Industrial Espionage Agents
Organized Crime
Lesser Criminals and Crackers
Malicious Insiders
Non-malicious Employees

Question 18

Security Evaluation Techniques?

Answer 18

-Penetration Testing: External review to verify product/system security.
-Vulnerability Assessment: Identifying design-related vulnerabilities and overlooked threats early in product lifecycle.

Question 19

Threat Modeling?

Answer 19

Threat Modeling
Purpose: Identifies threats, threat agents, and attack vectors for the target system.
Approaches:
-Diagram-driven: Visual representation of system components and data flows.
-Attack Trees: Hierarchical diagrams showing ways to achieve attack goals.
-Checklists: Fixed lists of known attacks from past experiences, useful but potentially tedious.

Question 20

STRIDE Model?

Answer 20

Spoofing: Impersonation attacks.
Tampering: Unauthorized alterations.
Repudiation: Denying responsibility for actions.
Information Disclosure: Unauthorized data release.
Denial of Service (DoS): Impacting service availability.
Escalation of Privilege: Gaining unauthorized access levels.