Section 21 - Risk Assessments Flashcards
What are Risk Assessments?
A process within risk management used to identify how much risk exists in a given network or system
In every risk management program, there are essentially only four things that you can do with risk. What are they?
Avoid
Transfer
Mitigate
Accept
What is Risk Avoidance?
A strategy that requires stopping the activity that has risk or choosing a less risky alternative
What is Risk Transfer?
A strategy that passes the risk to a third party (for example, by purchasing insurance or outsourcing the risky activity)
What is Risk Mitigation?
A strategy that seeks to minimize the risk to an acceptable level
What is Risk Acceptance?
A strategy that accepts the current level of risk, along with the costs that would be incurred if the risk were realized
What is Residual Risk?
The risk remaining after trying to avoid, transfer, or mitigate the risk
To conduct a risk assessment, you follow four steps. What are these?
- Identify assets
- Identify vulnerabilities
- Identify threats
- Identify the impact
During a risk assessment, there are two different ways to measure risk. What are these?
Qualitatively
Quantitatively
What is qualitative analysis?
This uses intuition, experience, and other methods to assign a relative value to risk
The relative categories of high, medium and low are used for this.
*** Since this measure is highly subjective, those performing it should have the appropriate experience with, and education about, the threats being assessed
What is quantitative analysis?
Uses numerical and monetary values to calculate risk
Equations are used to determine the total and residual risk, as well as provide you with a cost directly associated with those risks.
*** This removes much of the estimation and guesswork from a risk assessment by turning it into a math problem, though the asset values, exposure factors, and rates of occurrence fed into that math are still estimates
What is a magnitude of impact?
This is an estimation of the amount of damage that a negative risk might achieve
This is estimated as part of a qualitative or quantitative risk assessment (the "identify the impact" step above) to gauge the amount of damage
*** This is also referred to as the risk impact
What are the three most common calculations used in determining the magnitude of an impact in a quantitative risk analysis?
Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
What is SLE?
Single Loss Expectancy
The cost associated with a single realization of a given threat
SLE = Asset Value (AV) x Exposure Factor (EF)
(Exposure factor is the percentage of the asset's value that would be lost if the threat is realized, expressed as a fraction between 0 and 1)
What is ARO?
Annualized Rate of Occurrence
The number of times per year that a threat is expected to be realized (this can be a fraction: a threat expected once every ten years has an ARO of 0.1)
What is ALE?
Annualized Loss Expectancy
The expected cost of a realized threat over a given year
ALE = SLE x ARO
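As an added example (not part of the original flashcards), the Python below carries the SLE, ARO, and ALE formulas through for a few constructed risks, then computes the residual ALE left after a mitigating control lowers the exposure factor or the ARO, and compares that reduction against the control's annual cost. The asset values, exposure factors, AROs, and control costs are invented for illustration; the cost-benefit comparison (ALE before, minus ALE after, minus the control's annual cost) is a standard extension of the ALE formula rather than something stated on the cards.

```python
"""Worked SLE / ARO / ALE calculation with residual risk after a control.

Added example; every figure below is constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 - 1.0
    aro: float              # ARO: expected incidents per year (0.1 = once a decade)


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def risk_ale(risk: Risk) -> float:
    """ALE for a Risk record, chaining the two formulas above."""
    return ale(sle(risk.asset_value, risk.exposure_factor), risk.aro)


def residual_ale(risk: Risk, new_ef: Optional[float] = None,
                 new_aro: Optional[float] = None) -> float:
    """ALE that remains after a mitigating control lowers EF, ARO, or both.

    This is the quantitative view of residual risk: the control does not
    remove the risk, it shrinks the inputs to the ALE formula.
    """
    mitigated = replace(
        risk,
        exposure_factor=risk.exposure_factor if new_ef is None else new_ef,
        aro=risk.aro if new_aro is None else new_aro,
    )
    return risk_ale(mitigated)


def control_net_benefit(risk: Risk, annual_cost: float,
                        new_ef: Optional[float] = None,
                        new_aro: Optional[float] = None) -> float:
    """Annual value of a control: (ALE before) - (ALE after) - (control cost).

    Positive means the control saves more than it costs; negative means
    accepting the risk is cheaper than buying the control. (Assumed
    cost-benefit extension of the ALE formula, not on the flashcard.)
    """
    return risk_ale(risk) - residual_ale(risk, new_ef, new_aro) - annual_cost


def prioritize(risks) -> list:
    """Names of the risks ordered from highest ALE to lowest."""
    return [r.name for r in sorted(risks, key=risk_ale, reverse=True)]


# Constructed register of risks (illustrative values, not real data).
RISKS = [
    Risk("Customer database breach", asset_value=400_000, exposure_factor=0.5, aro=0.2),
    Risk("Web server defacement", asset_value=50_000, exposure_factor=0.25, aro=2.0),
    Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]

if __name__ == "__main__":
    for r in RISKS:
        s = sle(r.asset_value, r.exposure_factor)
        print(f"{r.name:26s} SLE=${s:>10,.2f}  ARO={r.aro:<5}  ALE=${ale(s, r.aro):>10,.2f}")
    print("Priority by ALE:", prioritize(RISKS))
    web = RISKS[1]
    # Hypothetical WAF at $8,000/yr assumed to cut defacements from 2/yr to 0.25/yr.
    print("WAF residual ALE:", residual_ale(web, new_aro=0.25))
    print("WAF net benefit :", control_net_benefit(web, 8_000, new_aro=0.25))
    laptop = RISKS[2]
    # Hypothetical disk encryption at $1,200/yr: hardware is still lost, data is not (EF 1.0 -> 0.2).
    print("FDE net benefit :", control_net_benefit(laptop, 1_200, new_ef=0.2))
```

Running it prints the SLE, ARO, and ALE per risk, the priority order (the database breach tops the list even though it is the rarest event, because its SLE dominates), and the residual ALE and net benefit for the two hypothetical controls. A negative net benefit is the quantitative signal that accepting the risk costs less than mitigating it.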
___ approaches that combine quantitative and qualitative analysis are commonly used
hybrid
** Often because there is not enough historical data to rely on a purely quantitative method
What is a security assessment?
An assessment that verifies the organization's security posture is designed and configured properly to help thwart different types of attacks
There are two types of methodologies when it comes to performing security assessments. What are they?
Active and passive
What is an Active Assessment?
Utilizes more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities
What is a Passive Assessment?
Utilizes open-source information, the passive collection and analysis of network data, and other unobtrusive methods, without making direct contact with the targeted systems
What are security controls?
Methods implemented to mitigate a particular risk
Security controls are broken down into seven types. What are these?
Physical
Technical
Administrative
Preventative
Detective
Corrective
Compensating
What are physical controls?
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it
What are technical controls?
Safeguards and countermeasures used to avoid, detect, counteract or minimize security risks to our systems and information
What are administrative controls?
Focused on changing the behavior of people instead of removing the actual risk involved
NIST also organizes security controls into three additional categories. What are they?
Management controls
Operational controls
Technical controls
What does NIST stand for?
National Institute of Standards and Technology
What are management controls?
Security controls that are focused on decision-making and the management of risk
What are operational controls?
Focused on the things done by people
What are technical controls?
Logical controls that are put into a system to help secure it
What are preventative controls?
Security controls that are installed before an event happens and are designed to prevent something from occurring
What are detective controls?
Used during the event to find out whether something bad might be happening
What are corrective controls?
Used after an event occurs to remediate its effects and restore normal operation
A single control can be categorized into ___ types of categories
Multiple
For example, a CCTV camera that's installed can serve as both a detective and a physical control.
What is a compensating control?
Used whenever you can’t meet the requirement for a normal control
*** For example, if it’s your organization’s policy that every building uses a retina scan-enabled door lock but one of your offices overseas does not have access to this technology, they might install a cipher door lock instead. This would act as a compensating control.
Any residual risk not covered by a compensating control is an ___ risk.
accepted
What are the six different types of risks?
External
Internal
Legacy Systems
Multiparty
IP Theft
Software compliance and licensing
What is external risk?
Risks that are produced outside your organization and are beyond your control
** These are often non-human, like natural disasters or blackouts. However, this can also include attackers, since they are outside of your organization and you cannot control whether they attack you.
What is an internal risk?
Risks that are formed within the organization, arise during normal operations and are often forecastable
** Like a server crash
What is a legacy system risk?
Risk from an old method, technology, computer system, or application program that is still in use, including outdated computer systems that may no longer receive vendor support or security updates
What is a multiparty risk?
A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks
** Like connecting two businesses together
What is IP (Intellectual Property) theft?
Risk associated with business assets and intellectual property being stolen from an organization, resulting in economic damage, loss of competitive edge, or a slowdown in business growth
What is software compliance and licensing risk?
Risk associated with a company not being aware of what software or components are installed within its network, and therefore whether they are properly licensed