Section 4: Security of Networks, Systems, Applications and Data Flashcards

1
Q

Risk

A

The combination of the probability of an event and its consequence. Risk is mitigated through the use of controls or safeguards.

2
Q

Threat

A

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Some organizations make a further distinction between a threat source and a threat event, classifying a threat source as the actual process or agent attempting to cause harm, and a threat event as the result or outcome of a threat agent’s malicious activity.

3
Q

Asset

A

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

4
Q

Vulnerability

A

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events.

5
Q

Three different approaches to implementing cybersecurity

A
  • Compliance-based: Also known as standards-based security, this approach relies on regulations or standards to determine security implementations. Controls are implemented regardless of their applicability or necessity, which often leads to a “checklist” attitude toward security.
  • Risk-based: Risk-based security relies on identifying the unique risk a particular organization faces and designing and implementing security controls to address that risk above and beyond the entity’s risk tolerance and business needs.
  • Ad hoc: An ad hoc approach simply implements security with no particular rationale or criteria. Ad hoc implementations may be driven by vendor marketing, or they may reflect insufficient subject matter expertise, knowledge or training when designing and implementing safeguards.
6
Q

cyberrisk assessment

A

Assets, threats and vulnerabilities must all be analyzed to determine an organization’s particular risk. The process of doing this analysis is called a cyberrisk assessment. While every risk assessment methodology has different nuances and approaches, most have three common inputs: asset identification, threat assessment and vulnerability assessment.

7
Q

Third Party Risk

A

Cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances. No organization exists in a vacuum, and information must be shared with other individuals or organizations, often referred to as third parties. It is important to understand third-party risk, such as information sharing and network access, as it relates to cybersecurity.

8
Q

Risk Analysis

A

There are many methods used to bring the data collected on assets, threats and vulnerabilities together and analyze them to determine risk. Most rely on some process to pair and prioritize likelihoods and impacts. Additionally, risk analyses can be oriented toward one of the inputs, making the risk assessment asset-oriented, threat-oriented or vulnerability-oriented.

  • Assets: Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
  • Threat: Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
  • Vulnerability: Vulnerabilities and deficiencies are identified first, then the exposed assets and potential threat events are determined.
9
Q

Why we need Risk Management

A

Assessing risk is one of the most critical functions of a cybersecurity organization. Effective policies, security implementations, resource allocation and incident response preparedness are all dependent on understanding the risk and threats an organization faces. Using a risk-based approach to cybersecurity allows more informed decision-making to protect the organization and to apply limited budgets and resources effectively. If controls are not implemented based on awareness of actual risk, then valuable organizational assets will not be adequately protected while other assets will be wastefully overprotected.

10
Q

Control

A

The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.

11
Q

Inherent risk

A

The risk level or exposure without taking into account the actions that management has taken or might take.

12
Q

Residual Risk

A

Even after safeguards are in place, the remaining risk after management has implemented a risk response.

13
Q

Risk acceptance

A

If the risk is within the enterprise’s risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.

14
Q

Threat source

A

The actual process or agent attempting to cause harm.

15
Q

Threat event

A

The result or outcome of a threat agent’s malicious activity.

16
Q

Attack vector

A

While risk is measured by potential activity, an attack is the actual occurrence of a threat. More specifically, an attack is an activity by a threat agent (or adversary) against an asset. From an attacker’s point of view, the asset is a target, and the path or route used to gain access to the target (asset) is known as an attack vector.

17
Q

Two types of attack vectors

A

There are two types of attack vectors: ingress and egress (also known as data exfiltration). While most attack analysis concentrates on ingress, or intrusion, into systems, some attacks are designed to remove data from systems and networks. Therefore, it is important to consider both types of attack vectors!

18
Q

Adversarial threat event

A

A threat event caused by a human threat agent (or adversary).

19
Q

Attack mechanism

A

A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

20
Q

Nonadversarial threat event

A

Usually the result of an error, malfunction or mishap of some sort.

21
Q

Payload

A

The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.

22
Q

Computer Viruses

A

A computer virus is a piece of code that can replicate itself and spread from one computer to another. It requires intervention or execution to replicate and/or cause damage.

23
Q

Network Worms

A

A variant of computer viruses is a network worm, which is essentially a piece of self-replicating code designed to spread itself across computer networks. It does not require intervention or execution to replicate.

24
Q

Trojan Horse

A

A Trojan horse (or simply Trojan) is a piece of malware that gains access to a targeted system by hiding within a genuine application. Trojan horses are often broken down into categories reflecting their purpose.