Section 4 - Cybersecurity Risk Work Flashcards
What is Cybersecurity Risk?
The attitude of the org towards Information Security.
Exposure an org has from technology and operational vulnerabilities being exploited.
A calculation made by insurance companies on how much an insurance policy will cost an org.
The collection of Threat Actors that could compromise an org's Technology.
Exposure an org has from technology and operational vulnerabilities being exploited.
What is Cybersecurity Risk Analysis?
The Process of calculating the likelihood and impact of a Vulnerability being exploited at an organization by a threat.
The Process of accepting Risk by the board of directors.
The Process of discovering potential Threats to an org.
The Process of determining whether to mitigate or transfer risk.
The Process of calculating the likelihood and impact of a Vulnerability being exploited at an organization by a threat.
What GRC Role and Function does Risk Analysis naturally evolve from?
Security Awareness Content Delivery
Audit
Policy Creation
IT
Audit
What is Threat Modeling?
Striking a pose like a boss wearing your best threat outfit.
Ingesting Threat Intelligence feeds into your Security Tools.
Researching and staying informed on the Threat Landscape germane to your industry and organizational size.
The output of Cybersecurity Risk Analysis.
Researching and staying informed on the Threat Landscape germane to your industry and organizational size.
What are 2 Techniques for Analyzing Cybersecurity Risk? (Select All that Apply)
Identifying all missing controls in an environment and calculating likely Risk from exploitation by likely Threat Actors.
Identifying a specific Threat (Like Ransomware) and assessing the likelihood and impact of the threat being realized in your org.
Purchasing an industry report on common Risk scores for business in your industry.
Attending a Conference with other Cybersecurity Practitioners and discussing Risks in your Industry and assuming your orgs Risk based on that.
Identifying all missing controls in an environment and calculating likely Risk from exploitation by likely Threat Actors.
Identifying a specific Threat (Like Ransomware) and assessing the likelihood and impact of the threat being realized in your org.
4 Strategies for Responding to Risk?
Mitigate the Risk - Do something about it: Tools, Security Awareness Training, MFA.
Accept the Risk - Some Risks are "LOW", and the cost to protect against them may exceed the cost of the event itself; you document and accept the Risk.
Remediate / Avoid the Risk - Upgrading, Patching, or eliminating the activity that exposes you to the threat entirely. EX: Disallowing ALL Email. (NIST SP 800-39 calls this Avoidance.)
Transfer the Risk - Getting Cybersecurity Insurance, or Consulting/Contracting those needs out to a 3rd Party.
NIST Risk Management Framework - SP 800-37? (The six steps below; SP 800-37 Rev. 2 adds a Prepare step before Categorize.)
Categorize System - SP 800-60, Look at the Org, System, maybe a new app, tool.
Select Controls - SP 800-53. Are you required to be Compliant? The Compliance Requirements give you the Controls to follow. If not, and you're just improving Security Posture, go through each Control in a Framework and Select the Controls you want to Implement.
Implement Controls - SP 800-34, 800-61, 800-128, Adoption from IT, the Business, Ops, Rollout, Communicated to End Users, Purchasing Hardware. This phase can take a long time.
Assess Controls - SP 800-53A, Identify Gaps in Execution, Identify Gaps in Implementation, make sure the Controls are in place. - The Audit.
Authorize System - SP 800-37
Monitor Controls - SP 800-137, 800-37, 800-53A, Making sure the Controls are Working, Tabletop Exercises and Simulations. Phishing Awareness Simulation. Server Goes Down Simulation. Etc.
NIST Assessment Process?
Step 1 - Prep for Assessment
Step 2 - Conduct Assessment
Step 3 - Communicate Results
Step 4 - Maintain Assessment
2 basic factors to consider for Threat Modeling?
1. What Industry do you work in?
2. How big are you as an Enterprise?
What is Likelihood (When Calculating Risk)?
The Impact of an Adverse event occurring.
The selection of a threat actor that would cause an adverse event.
A random seed to introduce chaos into Risk Calculations.
The probability of an adverse event occurring.
The probability of an adverse event occurring.
What is Impact (When calculating Risk)?
The severity to an organization if an adverse event were to occur.
The quality of an adverse event occurring.
The probability of an adverse event occurring.
How deep a successful attack would penetrate your org's technology stack.
The severity to an organization if an adverse event were to occur.
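The cards above define Risk Analysis as calculating likelihood and impact of a threat exploiting a vulnerability, and the two techniques (threat-specific, e.g. Ransomware, and control-gap based). The block below is an added example, not part of the original flashcards, showing how those ratings combine into a risk level in the qualitative style of NIST SP 800-30 Rev. 1. The matrix cell values are modeled on SP 800-30 Appendix I (Table I-2) from memory and should be checked against the publication; the threat events, the `ThreatEvent` class, and the `recommend_response` policy thresholds are constructed for illustration.

```python
"""Qualitative risk analysis in the style of NIST SP 800-30 Rev. 1 (added example)."""
from dataclasses import dataclass

# Rating scale used for likelihood, impact, and the resulting risk level.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Risk matrix: rows = likelihood rating, columns = impact rating (in LEVELS order).
# Modeled on SP 800-30 Rev. 1 Appendix I, Table I-2; values typed from memory,
# so verify against the publication before relying on them (assumption).
RISK_MATRIX = {
    "very low":  ["very low", "very low", "very low", "low",      "low"],
    "low":       ["very low", "low",      "low",      "low",      "moderate"],
    "moderate":  ["very low", "low",      "moderate", "moderate", "high"],
    "high":      ["very low", "low",      "moderate", "high",     "very high"],
    "very high": ["very low", "low",      "moderate", "high",     "very high"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood rating and an impact rating into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class ThreatEvent:
    """One threat-specific scenario: a threat source exploiting a vulnerability."""
    name: str
    source: str          # threat actor / threat source
    vulnerability: str   # the weakness (often a missing control) being exploited
    likelihood: str      # probability rating of the adverse event
    impact: str          # severity rating to the organization if it occurs


def assess(events):
    """Return (event, risk level) pairs, highest risk first (stable for ties)."""
    rated = [(e, risk_level(e.likelihood, e.impact)) for e in events]
    return sorted(rated, key=lambda pair: LEVELS.index(pair[1]), reverse=True)


def recommend_response(level: str) -> str:
    """Assumed organizational policy mapping risk level to a response strategy."""
    if level in ("very low", "low"):
        return "accept"
    if level == "moderate":
        return "mitigate"
    return "mitigate or transfer (e.g. cyber insurance)"


# Constructed sample threat events for a small organization (not real data).
SAMPLE_EVENTS = [
    ThreatEvent("Ransomware via phishing", "financially motivated criminal group",
                "no MFA on email and untrained users", "high", "very high"),
    ThreatEvent("Lost laptop", "opportunistic thief",
                "unencrypted disk", "moderate", "moderate"),
    ThreatEvent("Website defacement", "hacktivist",
                "outdated CMS plugin", "moderate", "low"),
    ThreatEvent("Insider data theft", "disgruntled employee",
                "excessive file-share permissions", "low", "high"),
]


def report(events=SAMPLE_EVENTS):
    """Render the ranked register as lines suitable for a risk-analysis write-up."""
    lines = []
    for event, level in assess(events):
        lines.append(f"{level:9} | {event.name}: {event.source} exploits "
                     f"{event.vulnerability} -> {recommend_response(level)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints the register ranked from very high (the ransomware scenario) down to low, with the suggested response beside each line; the likelihood and impact ratings themselves still come from the analyst's research into the threat landscape for the org's industry and size.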
What NIST SP provides guidance on Risk Assessments?
NIST SP 800-53
NIST SP 800-37
NIST SP 800-30
NIST SP 800-18
NIST SP 800-30
According to the NIST SP 800-39 and NIST SP 800-37, what are the Phases of Org-Wide RISK Management (Select All that Apply)?
Categorize the System
Penetration Test the System
Select Controls
Implement Controls
Protect the Controls
Externally Audit the Controls
Assess the Controls
Authorize the System
Monitor Controls
Report to the Board on the State of the Controls
Categorize the System, Select Controls, Implement Controls, Assess the Controls, Authorize the System, Monitor Controls
Is it appropriate to provide Risk Mitigation recommendations as part of the Risk Analyst's work?
True or False
TRUE - As a Practitioner, you may have seen implementation options and can suggest them to help guide the org.