Section 4: Security of Networks, Systems, Applications and Data

Question 1

Risk

Answer 1

The combination of the probability of an event and its consequence. Risk is mitigated through the use of controls or safeguards.

Question 2

Threat

Answer 2

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.

Question 3

Asset

Answer 3

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Question 4

Vulnerability

Answer 4

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

Question 5

three different approaches to implementing cybersecurit

Answer 5

• Compliance-based: Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
• Risk-based: Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
• Ad hoc: An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.

Question 6

cyberrisk assessment

Answer 6

Assets, threats and vulnerabilities must all be analyzed to determine an organization’s particular risk. The process of doing this analysis is called a cyberrisk assessment. While every risk assessment methodology has different nuances and approaches, most have three common inputs: asset identification, threat assessment and vulnerability assessment

Question 7

Third Party Risk

Answer 7

Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.

Question 8

Risk Analysis

Answer 8

There are many methods used to bring the data collected on assets, threats and vulnerabilities together and analyze them to determine risk. Most rely on some process to pair and prioritize likelihoods and impacts. Additionally, risk analyses can be oriented toward one of the inputs, making the risk assessment asset-oriented, threat-oriented or vulnerability-oriented.

• Assets: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
• Threat: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
• Vulnerability: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.

Question 9

Why we need Risk Management

Answer 9

Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.

Question 10

Control

Answer 10

The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.

Question 11

Inherent risk

Answer 11

The risk level or exposure without taking into account the actions that management has taken or might take.

Question 12

Residual Risk

Answer 12

Even after safeguards are in place, the remaining risk after management has implemented a risk response

Question 13

Risk acceptance

Answer 13

If the risk is within the enterprise’s risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses

Question 14

Threat source

Answer 14

Actual process or agent attempting to cause harm

Question 15

Threat event

Answer 15

Result or outcome of a threat agent’s malicious activit

Question 16

Attack vector

Answer 16

While risk is measured by potential activity, an attack is the actual occurrence of a threat. More specifically, an attack is an activity by a threat agent (or adversary) against an asset. From an attacker’s point of view, the asset is a target, and the path or route used to gain access to the target (asset) is known as an attack vector

Question 17

Two types of attack vectors

Answer 17

There are two types of attack vectors: ingress and egress (also known as data exfiltration). While most attack analysis concentrates on ingress, or intrusion, into systems, some attacks are designed to remove data from systems and networks. Therefore, it is important to consider both types of attack vectors!

Question 18

Adversarial threat event

Answer 18

Threat made by a human threat agent (or adversary).

Question 19

Attack mechanism

Answer 19

A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

Question 20

Nonadversarial threat event

Answer 20

Usually the result of an error, malfunction or mishap of some sort.

Question 21

Payload

Answer 21

The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.

Question 22

Computer Viruses

Answer 22

A computer virus is a piece of code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage.

Question 23

Network Worms

Answer 23

A variant of computer viruses is a network worm, which is essentially a piece of self-replicating code designed to spread itself across computer networks. It does not require intervention or execution to replicate.

Question 24

Trojan Horse

Answer 24

A Trojan horse (or simply Trojan) is a piece of malware that gains access to a targeted system by hiding within a genuine application. Trojan horses are often broken down into categories reflecting their purpose.