Section 2: Cybersecurity Concepts Flashcards
Residual risk measure criteria
- Risk tolerance
- Size and scope of the environment in question
- Amount of data available
Inherent Risk
The risk level or exposure without taking into account the actions that management has taken or might take.
Attack
While risk is measured by potential activity, an attack is the actual occurrence of a threat.
More specifically, an attack is an activity by a threat agent (or adversary) against an asset.
Attack vector
The path or route used to gain access to the target (asset) is known as an attack vector.
Attack mechanism
The method used to deliver the exploit. Unless the attacker is personally performing the attack, the attack mechanism may involve a payload, or container, that delivers the exploit to the target.
Exploit and compromise
The adversary takes advantage of information and systems in order to compromise them, which may involve the following actions:
- Split tunneling or gaining physical access to organizational facilities
- Exfiltrating data or sensitive information
- Exploiting multitenancy in a cloud environment
- Launching zero-day exploits
Risk
The combination of the probability of an event and its consequence. Risk is mitigated through the use of controls or safeguards.
Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.
Threat source
The actual process or agent attempting to cause harm.
Threat event
The result or outcome of a threat agent’s malicious activity.
Asset
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Vulnerability
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.
Three different approaches to implementing cybersecurity
- Compliance-based: Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
- Risk-based: Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
- Ad hoc: An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
Cyberrisk assessment
Assets, threats and vulnerabilities must all be analyzed to determine an organization’s particular risk. The process of doing this analysis is called a cyberrisk assessment. While every risk assessment methodology has different nuances and approaches, most have three common inputs:
- asset identification
- threat assessment
- vulnerability assessment
Third-party risk
Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as the risk arising from information sharing and network access, as it relates to cybersecurity.