Section 1 Risk Management Flashcards
What is the CIA of security?
Confidentiality, Integrity, Availability.
Don’t forget auditing, accountability and non-repudiation.
What is non-repudiation?
It’s when a user cannot deny having done a particular action.
What are the 5 attributes of threat actors?
- Internal/external
- Level of sophistication
- Resources/funding
- Intent
- Open Source Intelligence
What is OSINT?
Open Source Intelligence. It provides ample info to intrigue a threat actor.
What is a Script Kiddy threat actor?
Trivial knowledge
Uses scripts
Lock picker
Blocked by firewalls
What is a Hacktivist?
A threat actor whose intent is driven by a cause or motivation, so consider their goal.
How is organized crime a threat actor?
Motivation is to make money!
How is a Nation State a threat actor? And what does APT stand for?
Motivation is intelligence.
They are Advanced Persistent Threats. Tonnes of resources.
How are “insiders” a threat actor?
They are anyone with access, e.g. anyone who has a username and password:
- vendors
- contractors
- cleaning crews
Give some examples of assets that are at risk
Any part of infrastructure - computers, people, servers, company reputation
Give some examples of risk vulnerabilities
Unlocked server room, default passwords
Give some examples of threats
Threats are actions. (The person involved in the threat is a threat agent.)
E.g.:
- Someone able to access a server room.
- Someone critical to the team quits.
What is a threat?
A threat is a discovered action that exploits a vulnerability and has the potential to do harm to an asset.
What is a threat agent?
Usually a person who initiates a threat. (But could be something like a hurricane!)
What is likelihood when related to risk and threats?
Often expressed as a percentage over a one-year timespan.
What are the two ways risk likelihood is measured?
Quantitative and Qualitative
Give an example of quantitative likelihood risk
A router with a power supply: there’s a risk it might die. Something measurable, such as time or cost.
Give an example of qualitative likelihood risk
Harder to measure, e.g. customer loyalty. Rated as “Low, Medium, High”.
What is impact?
The actual harm caused by a threat.
What is the formula to calculate risk?
threats x vulnerabilities = risk
or
threats -> vulnerabilities = risk
What is the NIST SP 800-30?
A National Institute of Standards and Technology document that lists all possible threats and vulnerabilities to assess risks.
What are the two risk assessment steps?
- Vulnerability Assessment
- Threat Assessment
What is the “CVE” on cve.mitre.org?
“Common Vulnerabilities and Exposures” database. Used to assess risk - very detailed.
What is Nessus?
Nessus is a program that is run locally and generates data on any vulnerabilities it finds.
What is Pen testing?
Penetration testing is when an outside party looks for vulnerabilities in your network. It’s the best way to find any problems.
Give an example of Adversarial threats
Hacker, malware
Give an example of Accidental threats
A user mistakenly enters text and drops the database.
Give an example of Structural threats
Power supply issues, equipment failure
Give an example of Environmental threats
Fires, air conditioning failure, earthquakes
What is mitigation when related to risk response?
Mitigation is the effort to reduce the impact of a risk.
What is risk transference?
When you offload risk to a 3rd party, e.g. by using a cloud-based web server, so you no longer have to worry about power supply etc.
What is risk acceptance?
When costs to mitigate are too high, so you accept the risk - e.g. a meteor could hit your servers.
What is risk avoidance?
The decision not to store sensitive information for which you could be liable.
Name two Risk Management Frameworks
NIST Risk Management Framework Special Publication 800-37
ISACA Risk IT Framework
What are the four types of threats?
- Adversarial
- Accidental
- Structural
- Environmental
Explain the 5 security control functions
Deterrent - deters the actor from attempting
Preventative - stops the actor from carrying out the threat
Detective - recognizes an actor’s threat
Corrective - mitigates the impact of a manifested threat
Compensating - provides alternative fixes to any of the above!
Name the 3 types of security controls
Administrative or Management controls - laws, policies
Technical controls - firewalls, passwords
Physical Controls - fences, keys, guards
List 5 curious security controls
Mandatory vacation (helps detect unusual activity while the person is away)
Job Rotation
Separation of Duties (administrative control; single responsibility)
Multi-person control - (2 keys for missile launch!)
Principle of least privilege (Need to know)
What is the difference between diversity and redundancy?
Redundancy is repeating the same controls at various intervals; diversity is using a variety of controls in a random pattern.
Many trenches (redundant)
or
One trench, a fence, a catapult, a moat, etc. (diverse)
What is “defense in depth”?
A security defense that uses all three types of controls: administrative, physical and technical.
What is vendor diversity?
A method of defense in depth with technical controls.
What is Security Governance?
The set of rules an organization operates by.
What laws/standards affect IT security?
HIPAA (law)
NIST (standard)
PCI DSS (credit card industry standard)