Security and Risk Management Domain Flashcards
What is a condition of (ISC)2 certification
Fully commit to the code of ethics
Protect society, the common good, necessary public trust and confidence and the infrastructure
First canon of ISC2 Code of Ethics
Act honorably, honestly, justly, responsibly and legally
Second canon of ISC2 Code of Ethics
Provide diligent and competent service to principals
Third canon of ISC2 Code of Ethics
Advance and protect the profession
Fourth canon of ISC2 Code of Ethics
Who can make a complaint to ISC2
Only an injured party
Code of Ethics: any member of public can complain
Canon I & II
Code of Ethics: employer/contractor can complain
Canon III
Code of Ethics: certified professional can complain
Canon IV
Who reviews Ethics Complaints
ISC2 Ethics Committee
How is complaint submitted
Sworn affidavit that specifies respondent, behavior, canon breached, standing of complainant and any corroborating evidence
Who decides on discipline of members
ISC2 Board of Directors
Perform duties in accordance with existing laws, exercising the highest moral principles
C3 Unified Principles - Integrity
Perform all duties in a fair manner and without prejudice
C3 Unified Principles - Objectivity
Perform services diligently and with professionalism
C3 Unified Principles - Professional Competence and Due Care
Respect and safeguard information and exercise due care to prevent improper disclosure
C3 Unified Principles - Confidentiality
Clarifies an organization’s mission, values, and principles, linking them with standards of conduct
Organizational Code of Conduct
Number of mandatory canons in ISC2 Code of Ethics
Four canons
Body that investigates and opines on ISC2 Code of Ethics Complaints
ISC2 Ethics Committee
Body that makes final decision regarding ISC2 Code of Ethics complaints
ISC2 Board of Directors
Extreme action that can be taken against ISC2 member
Decertification
What are the fundamental information security principles
Confidentiality, Integrity, Availability CIA
Assurance that information is not disclosed to unauthorized persons, processes, or devices
Confidentiality
Protection from unintentional, unauthorized, or accidental changes
Integrity
Information is known to be good and that the information can be trusted as being complete, consistent and accurate
Data integrity
A system will work as intended
System integrity
Information, systems and supporting infrastructure are operating and accessible when needed
Availability
The process of tracing actions to the source
Accountability
The property of being genuine and able to be verified and trusted
Authenticity
Protection against an individual falsely denying having performed a particular action
Non-repudiation
Measure of confidence that intended security controls are effective in their application
Assurance
Expands traditional application of information security by recognizing that we can no longer look at protecting an organization in isolation
Cybersecurity
Process by which an organization protects information, people and infrastructure
Cybersecurity
Broad primary outcome
Goal
Approach taken to achieve a goal
Strategy
Measurable step(s) taken to achieve a strategy
Objective
A tool used in support of an objective
Tactic
Align departmental strategies with business strategies to support organizational goals
Departmental Alignment
Mitigate risk to an acceptable level
Risk Management
Optimize investments in support of business objectives
Value Delivery
Efficient and effective use of resources
Resource Management
Achieve operational synergies and efficiencies
Process Integration
Ensure customer and stakeholder satisfaction
Satisfaction
Enhance organizational reputation with stakeholders and the broader community
Reputation Enhancement
Reduce the likelihood of successful litigation by adhering to the principle of due care
Reduced Liability
Cybersecurity prerequisites for leadership, trust and commitment
Leadership, trust and commitment:
- Embraced throughout and embedded within an organization
- Cybersecurity professionals have access to C-suite and Board of Directors
- Included and recognized in organizational metrics and key performance indicators (KPIs)
Management metrics used to inform decision making
Key Performance Indicators
System by which organizations are directed and controlled
Corporate governance
Leadership's responsibilities for the organization's state of security
- Determine and articulate the organization’s desired state of security
- Provide the strategic direction, resources, funding, and support to ensure that the desired state of security can be achieved and sustained
- Maintain responsibility and accountability through oversight
What is in the governance ecosystem
- Board of Directors
- Executive Management
- Organizational Roles
- Functional Roles
Sets the tone and direction
Board of Directors / Trustees
Board of Directors responsibilities
Oversight and authorization
Fiduciary, legal and regulatory responsibilities
Standard of due care and due diligence
Standard of care that a prudent person would have exercised under the same or similar conditions
Due care
Investigation of a business or person before entering a contract and during the lifetime of the relationship
Due diligence
The first three duties of the board
- Promoting effective governance
- Determining organizational risk tolerance
- Contributing to and authorizing strategic plans
Executive Management responsibilities
- Strategic alignment
- Risk management
- Value delivery
- Performance measurement
- Resource management
- Process assurance
Have authority to interpret the strategic direction and are held accountable for the success or failure of their area
Information Security Management
Who should Information Security Management report to?
As high up in the organization as possible to maintain visibility, limit distortion, and minimize conflict
ISM responsibilities
- Being a subject matter expert and cybersecurity champion
- Managing the cybersecurity program
- Communicating with executive management
- Coordinating the budget for cybersecurity activities
- Ensuring the development and upkeep of governance documents.
Responsible for developing, implementing, and administering all aspects of an organization’s privacy program
Privacy Officer
Responsible for identifying applicable statutory, regulatory and contractual requirements, as well as ensuring compliance thereof
Compliance Officer
Responsible for ensuring that appropriate physical security procedures have been established and physical security devices installed, commensurate with the identified risk exposures
Physical Security Officer
Responsible for ensuring that management has established a framework of specific internal controls commensurate with risk, regulation, and Board directives
Internal Audit
Documenting roles and responsibilities in policies, job descriptions, employee manuals and supported by agreements
Codification
The term used to describe the responsibility of leadership to determine, articulate, authorize and fund the desired state of cybersecurity
Security Governance
The outcome when cybersecurity decision making is tied to organizational objectives
Strategic Alignment
This group has fiduciary responsibility
Board of Directors
Legal term applied to the standard of care exercised by a prudent person
Due care
Logical structure intended to document and organize processes
Framework
International Cybersecurity Framework
ISO 27000 family.
ISO 27001 Information Security Management Systems
ISO 27002 Code of Practice for Information Security Controls
ISO 27005 Information Security Risk Management
ISO 27014 Governance of Information Security (part of the "Information security, cybersecurity and privacy protection" series)
US Framework for Cybersecurity
NIST Cybersecurity Framework (CSF)
Non-profit dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
Cloud Security Alliance
Framework of cloud-specific security controls mapped to leading standards
Cloud Controls Matrix (CCM)
Helps an organization identify their cybersecurity capabilities and initiatives and compare those efforts to peers or competitors of the same sector or size
Information Security Benchmarks
Creates consensus-based best practices for the secure configuration of a target system
Center for Internet Security (CIS)
https://www.cisecurity.org
A logical structure to document and organize processes
Framework
This US framework consists of standards, guidelines and practices to promote the protection of critical infrastructure
NIST Cybersecurity Framework (CSF)
This framework of cloud-specific security controls is mapped to leading standards, best practices and regulations
CSA Cloud Controls Matrix (CCM)
Non-profit organization that publishes the "Top 10" web application security risks
OWASP
Acting in accordance with applicable rules, laws, policies and/or obligations
Compliance
The power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory
Jurisdiction
What is important for jurisdiction in relation to cybersecurity
- Location of data and systems (processing, transmission, storage)
- Type of data
- Residence of data owners
- Residence of data subjects
Security and privacy of consumer financial records
Gramm-Leach-Bliley Act (GLBA)
Security and privacy of patient medical records for covered entities and business associates (BA)
HIPAA & HITECH
security and privacy of student educational records
Family Educational Rights and Privacy Act (FERPA)
security and privacy related to the online collection and use of data for minors under 13
Children’s Online Privacy Protection Act (COPPA)
Requires U.S. federal agencies to implement a program to provide security for their information and information systems, including those provided by or managed by another agency, contractor or other source on their behalf
Federal Information Security Management Act (FISMA)
First comprehensive consumer privacy law enacted at the state level in the United States
California Consumer Privacy Act (CCPA)
Privacy regulation of the EU
General Data Protection Regulation (GDPR)
Contractual obligation for any entity that accepts, processes, transmits, or stores payment cardholder data
Payment Card Industry Data Security Standard (PCI DSS)
Power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory
Jurisdiction
US regulation that requires safeguarding consumer financial data
Gramm-Leach-Bliley Act (GLBA)
Right of an individual to control the use of their personal information
Privacy
PII
Personally Identifiable Information
PHI
Protected Health Information
OECD Privacy Principles (eight in total)
- Collection Limitation: personal data should be collected by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject
- Data Quality: personal data should be relevant to the purposes for which it is used, and accurate, complete and up to date
- Purpose Specification: the purposes for which personal data is collected should be specified no later than at the time of collection
- Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law
- Security Safeguards: personal data should be protected by reasonable safeguards against loss, unauthorized access, destruction, use, modification or disclosure
- Openness: there should be a general policy of openness about practices and policies with respect to personal data
- Individual Participation: individuals should be able to learn whether data about them is held, obtain it, and have it corrected or erased
- Accountability: a data controller should be accountable for complying with measures that give effect to the principles above
Cybersecurity programs should support and complement organizational goals
Strategic Alignment
Role of this position is primarily oversight and fiduciary
Board of Directors (or equivalent)
The reasonable care taken before entering into and during the lifetime of a contract or agreement
Due diligence
Identifies building and facility risks and mitigation
Physical security officer
Manages the information security program
Information Security Officer
Role responsible for Managing and monitoring of protection mechanisms
Custodian
Assesses the control environment
Internal Audit
Regulation for patients
HIPAA
Regulation for Federal Agencies
FISMA
Regulation for Financial services customers
GLBA
Regulation for EU citizens
GDPR
Regulation for minors
COPPA
The second three duties of the board
- Allocating funds
- Approving policies and significant projects
- Ensuring appropriate monitoring
The last three duties of the board
- Ensuring compliance with laws, regulations and contracts
- Reviewing audit and examination results
- Honoring the legal constructs of due diligence and due care
Resource intended to help an organization identify their cybersecurity capabilities and compare those efforts to peers or competitors of the same sector or size
Benchmark
Broad term given to criminal activity that involves the Internet, a computer network, a computer system, or a digital device
Cybercrime
Incident in which legally protected or private data has been potentially viewed, stolen (exfiltrated) or used by an individual unauthorized to do so
Data breach
When to consult legal counsel
- Whenever there is a possibility that legally or contractually protected information has been exposed
Responsibility for damages that result from a security compromise in your business
Downstream Liability
Describes a wide variety of property created by musicians, authors, artists, designers, programmers, and inventors
Intellectual Property
gives its owner the legal right to exclude others from making, using or selling an invention for a period of time in exchange for publishing a public disclosure of the invention
Patent
intended to protect recognizable names, icons, shape, color, sound or any combination used to represent a brand, product, service or company
Trademark
intended to allow the creator of certain types of original works to benefit from being credited and compensated for their work
Copyright
refers to proprietary business and technical information, processes, designs, or practices that are confidential and valuable to a business
Trade Secrets
Criteria for trade secret
- Commercially valuable
- Be known only to a limited group of persons
- Be subject to reasonable steps taken by the owner of the information to keep it secret, including the use of confidentiality agreements for business partners and employees
Copyrighted software that is available at no cost for unlimited usage. The developer retains all rights to the program and controls distribution
Freeware
copyrighted software distributed at no cost on a trial basis; users are encouraged to share copies to widen distribution, and payment is expected for continued use, registration or add-on features
Shareware
copyright holder grants users the rights to use, to study, to change, and to distribute the software to anyone for any purpose
Open Source
copyrighted software that a company designs and develops to sell or license, and the company retains all rights to the program and controls distribution
Commercial Software
contract between the owner and the end user that governs the use of intellectual property, in this case software licensing
End User License Agreement (EULA)
unauthorized copying or distribution of copyrighted software
software piracy
law that makes it illegal to create products that circumvent copyright protections
Digital Millennium Copyright Act (DMCA)
the flow of data between countries inclusive of processing, storage and transmission
Transborder or cross-border data flow
EAR
Export Administration Regulations
Legally enforceable software use agreement
EULA
US law that makes it illegal to create products that circumvent copyright protections
DMCA
Proprietary business and technical information that can be legally protected
Trade Secret
Formal inquiry or systematic study
Investigation
Investigation pursued by the regulatory agency of a jurisdiction
Regulatory Investigation
Maximum fine under GDPR
Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
Investigation aligned with violation of contractual standards
Industry investigation
Order that suspends the modification, deletion and/or destruction of records and media
Legal Hold
any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case
eDiscovery
Individual who is knowledgeable about the facts of the case through direct participation or observations
Factual witness
Person who has knowledge beyond that of an ordinary lay person enabling him/her to give testimony regarding an issue that requires expertise to understand
Expert witness. Experts can give an opinion
The basis of this type of investigation is a dispute between parties
Civil investigation
The burden of proof for this type of investigation is ‘beyond a reasonable doubt’
Criminal investigation
Process of seeking electronic data for use in a civil or criminal legal case
eDiscovery
This type of trial witness can proffer an opinion
Expert witness
Examples include investigations by the US FTC or the UK Information Commissioner's Office
Regulatory investigation
Act of providing leadership and direction
Governance
Communicates and codifies management’s requirements, and provides direction
Policy
Who should approve policies
Board of Directors (or equivalent)
Specifications for the implementation of a policy that dictate mandatory requirements
Standards
Aggregate of standards for a specific category or grouping such as a platform, device type, ownership or location
Baseline
Document that helps people understand and conform to a standard
Guideline
This standard establishes security categories of information systems used by the federal government
FIPS 199
This standard lists mandatory security requirements for government systems.
FIPS 200
This is a US guide for applying risk management
NIST SP 800-37
Instructions for how to carry out an action
Procedures
What are the four commonly used formats for procedures
- Simple step: lists sequential actions
- Hierarchical: includes both generalized instructions for experienced users and detailed instructions for novice users
- Graphic: presented in pictorial or symbol form
- Flowchart: used to communicate a process and/or when decision making is required
High-level governance documents
Policies
Mandatory implementation requirements (related to policies)
Standards
Specific instructions for carrying out a task
Procedure
This procedure format requires decision making
Flowchart
A detailed roadmap for doing or achieving something
Plan
the capability of a business to operate in adverse (disaster) conditions
business continuity
disruptive events that significantly impact an organization's capability to operate
disaster
What are the three types of disasters
Natural (flood, earthquake, fire, pandemic)
Environmental (loss of power, HVAC)
Human (workplace accidents, cyber attacks, civil disruption)
Business Continuity Planning objective
to prepare for continued operation during disruption of normal operating conditions
plan focusing on recovery and restoration of technology, physical plant and people
Disaster Recovery Plan (DRP)
plan focusing on the overall strategy for sustaining the business during a disaster and the subsequent recovery period
Business Continuity Plan (BCP)
Business Continuity Plan Workflow
- Project Initiation and Assignments
- Business Impact Analysis
- Plan Development
- Procedure Development
- Training
- Testing
- Auditing
- Maintenance Review and Update
Business unit plan and procedures for operational activities
Continuity of Operations Plan (COOP)
Group responsible for approval of BCP policies and oversight of strategies
Board of Directors (or equivalent)
This type of plan describes the overall strategy for sustaining the business
Business Continuity Plan
This type of plan includes procedures for internal and external communications
Crisis Communication Plan (CCP)
This type of plan describes plans and procedures for recovering technology and facilities
Disaster Recovery Plan
This type of plan includes procedures for minimizing loss of life and property
Occupancy Emergency Plan
analysis to identify essential services, systems and infrastructure
Business Impact Analysis
Maximum time a process / service can be unavailable without causing significant harm to the business
Maximum Tolerable Downtime (MTD)
Maximum Tolerable Outage (MTO)
Amount of time allocated for system recovery
Recovery Time Objective (RTO)
Acceptable data loss: the point in time, prior to a disruption or system outage that data can be recovered
Recovery Point Objective (RPO)
Average time to repair a failed component or device
Mean Time to Repair
Measure of reliability (usage stated in hours)
Mean Time Between Failures
Business Impact Analysis Process
- Identify Essential Services & Dependencies
- Determine Maximum Tolerable Downtime
- Determine Recovery Point Objective
- Identify Infrastructure and Dependencies (including SPoF)
- Determine Current RTO & RPO
- Gap Analysis
- Report to Management
In a BIA context, this describes services that “the absence or disruption of” would cause significant harm
Essential services
Metric related to acceptable data loss
RPO
A part of a system that, if it fails, will stop the entire system from working
Single Point of Failure (SPoF)
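The BIA process above (identify essential services and dependencies, determine MTD and RPO, capture the current RTO and RPO, find single points of failure, run a gap analysis and report to management) is a procedure a practitioner usually ends up scripting over a worksheet export. The following is an added example, not material from the original deck; the services, components and figures are constructed, and the rule it applies is the one the cards state: the current RTO must fit inside the MTD and the current RPO must not exceed the RPO the business unit accepted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Service:
    """One row of a BIA worksheet. Targets (essential, MTD, RPO) come from the
    business unit; current RTO/RPO come from IT. Hypothetical sample data only."""
    name: str
    essential: bool                 # absence or disruption causes significant harm
    mtd_hours: float                # Maximum Tolerable Downtime
    rpo_target_minutes: float       # acceptable data loss stated by the business unit
    current_rto_hours: float        # recovery time IT can deliver today
    current_rpo_minutes: float      # data loss implied by today's backup/replication interval
    dependencies: List[str] = field(default_factory=list)


def gap_analysis(services: List[Service]) -> Dict[str, List[str]]:
    """Compare each service's current RTO/RPO with its MTD and target RPO.
    Returns service name -> list of gap descriptions (empty list means no gap)."""
    gaps: Dict[str, List[str]] = {}
    for svc in services:
        findings: List[str] = []
        # Recovery must complete inside the MTD, otherwise the harm the MTD was
        # meant to prevent has already occurred by the time the service is back.
        if svc.current_rto_hours > svc.mtd_hours:
            findings.append(
                f"RTO gap: current RTO {svc.current_rto_hours:g}h exceeds MTD {svc.mtd_hours:g}h"
            )
        # A current RPO longer than the target means more data loss than the
        # business unit said it could tolerate.
        if svc.current_rpo_minutes > svc.rpo_target_minutes:
            findings.append(
                f"RPO gap: current RPO {svc.current_rpo_minutes:g}min exceeds target "
                f"{svc.rpo_target_minutes:g}min"
            )
        gaps[svc.name] = findings
    return gaps


def single_points_of_failure(services: List[Service], redundant: Set[str]) -> List[str]:
    """A dependency of an essential service that has no redundant counterpart
    is a single point of failure: its loss takes the whole service down."""
    spofs = {
        dep
        for svc in services
        if svc.essential
        for dep in svc.dependencies
        if dep not in redundant
    }
    return sorted(spofs)


def management_report(services: List[Service], redundant: Set[str]) -> List[str]:
    """Plain-text lines for the 'report to management' step of the BIA."""
    lines: List[str] = []
    for name, findings in gap_analysis(services).items():
        status = "; ".join(findings) if findings else "meets targets"
        lines.append(f"{name}: {status}")
    spofs = single_points_of_failure(services, redundant)
    lines.append("SPoF for essential services: " + (", ".join(spofs) if spofs else "none"))
    return lines


# Constructed sample data: hypothetical services, components and figures.
SERVICES = [
    Service("Online ordering", True, mtd_hours=4, rpo_target_minutes=30,
            current_rto_hours=8, current_rpo_minutes=60,
            dependencies=["db-cluster", "payment-gateway"]),
    Service("Payroll", True, mtd_hours=72, rpo_target_minutes=1440,
            current_rto_hours=24, current_rpo_minutes=1440,
            dependencies=["db-cluster", "hr-saas"]),
    Service("Internal wiki", False, mtd_hours=168, rpo_target_minutes=1440,
            current_rto_hours=48, current_rpo_minutes=1440,
            dependencies=["wiki-vm"]),
]
REDUNDANT_COMPONENTS = {"db-cluster"}   # components with a tested failover partner

if __name__ == "__main__":
    for line in management_report(SERVICES, REDUNDANT_COMPONENTS):
        print(line)
```

With the sample data, only "Online ordering" shows gaps (both RTO and RPO), and the two unduplicated components used by essential services are reported as single points of failure; the wiki's VM is not, because the wiki was not classed as essential.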
Document written for the user community containing policies and standards that specifically pertain to them
Acceptable Use Policy
What should AUP introduction do?
Set the tone of the policy, highlight leadership commitment, and emphasize user responsibility
AUP Common Elements
- Data protection: Data classifications and handling standards
- Authentication: login requirements including password standards and use of tokens and/or biometrics
- Application: procurement, installation, and licensing
- Communication: Written and verbal communication use and limitations (including personal email)
- Internet: Use, activity, and engagement (including social media)
- Mobile Device: Use, configuration, activity and device protection
- Remote Access: Use, configuration, activity, and physical security
- Incident Reporting: Instructions on how to spot and report suspicious activity
By signing this policy the user acknowledges that they understand, and agree to abide by the rules and standards including monitoring and limitations of privacy
Acceptable Use Policy
Establishes data ownership and reason data is being provided
Confidentiality / Non-disclosure agreement (NDA)
Relationships including service providers, business partners, consultants, and contractors
Non-employee relationships
Document that details user-focused policies and standards
Acceptable Use Policy (AUP)
The section of the AUP that documents login requirements including password standards and use of tokens and/or biometrics
Authentication
Agreement that should be executed prior to being granted access to information and information systems
Acceptable Use Agreement
Agreement used to establish data ownership and protect data from unauthorized use and/or disclosure
Confidentiality / Non-disclosure agreement (NDA)
Stages of the employee life cycle
- Hiring Process
- Onboarding
- Employment
- Offboarding
Process of integrating a new employee with a company and culture as well as getting the tools and information they need to be successful
Onboarding
Assigning the minimal rights and permissions needed to accomplish a task
Least Privilege
Rotating assignments (fraud deterrent and detection)
Job rotation
Requiring employees to take a set amount of vacation time (fraud deterrent and detection)
Mandatory Vacation
Breaking tasks into separate processes so that no one subject is in complete control
Separation of Duties
Requiring more than one subject or key to complete a specific task
Dual Control
Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel
Clean Desk
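Least privilege, separation of duties and dual control are easiest to reason about when they are checked mechanically against real role assignments. The block below is an added example and not part of the original deck; the accounts-payable system, its roles, permissions and users are all hypothetical. It derives each user's effective permissions from their roles (least privilege: unknown roles grant nothing), flags users who hold a "toxic" pair that would let them complete a fraud alone (separation of duties), and enforces that a payment release needs two distinct, qualified approvers who are not the requester (dual control).

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed role -> permission map for a hypothetical accounts-payable system.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "vendor-admin": {"vendor.create", "vendor.edit"},
    "ap-clerk": {"invoice.enter"},
    "ap-approver": {"invoice.approve"},
    "treasury": {"payment.release"},
    "auditor": {"ledger.read"},
}

# Toxic combinations: one person holding both sides can complete a fraud alone
# (create a fake vendor and pay it; enter an invoice and approve it; approve and pay).
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}

# Constructed user -> roles assignments.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["vendor-admin", "treasury"],   # can create a vendor and pay it
    "bob": ["ap-clerk"],
    "carol": ["ap-approver"],
    "dave": ["treasury"],
    "erin": ["ap-clerk", "ap-approver"],     # can enter and approve the same invoice
    "frank": ["auditor"],
}


def effective_permissions(roles: Iterable[str],
                          role_permissions: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions granted by a user's roles; a role that is not
    defined grants nothing, so a typo in an assignment cannot widen access."""
    perms: Set[str] = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles: Dict[str, List[str]],
                   role_permissions: Dict[str, Set[str]],
                   toxic_pairs: Set[FrozenSet[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """Separation of duties check: every (user, toxic pair) where the user's
    effective permissions contain the whole pair."""
    violations: List[Tuple[str, FrozenSet[str]]] = []
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        for pair in sorted(toxic_pairs, key=sorted):
            if pair <= perms:
                violations.append((user, pair))
    return violations


def dual_control_satisfied(requester: str, approvers: Iterable[str], permission: str,
                           user_roles: Dict[str, List[str]],
                           role_permissions: Dict[str, Set[str]],
                           required: int = 2) -> bool:
    """Dual control: at least `required` distinct approvers, none of them the
    requester, each actually holding `permission`. Duplicates, self-approval
    and approvers without the permission are discarded before counting."""
    candidates = set(approvers) - {requester}
    qualified = {
        user for user in candidates
        if permission in effective_permissions(user_roles.get(user, []), role_permissions)
    }
    return len(qualified) >= required


if __name__ == "__main__":
    for user, pair in sod_violations(USER_ROLES, ROLE_PERMISSIONS, TOXIC_PAIRS):
        print(f"SoD violation: {user} holds {sorted(pair)}")
    ok = dual_control_satisfied("bob", ["alice", "dave"], "payment.release",
                                USER_ROLES, ROLE_PERMISSIONS)
    print("payment release by bob with approvers alice+dave:", "allowed" if ok else "rejected")
```

The remediation for a flagged user is to remove one of the roles, not to add an exception; the dual-control check is deliberately strict about the same person appearing twice, because a reviewer looking at an approval log sees two approvals either way.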
Process for transitioning employees out of an organization
Offboarding
Process of integrating a new employee
Onboarding
Primary reasons for job rotation and mandatory vacation
Fraud deterrent and detection
This process includes creating user accounts and assigning credentials
Provisioning
Requiring more than one user to complete a specific task
Dual Control
Termination that has been mutually agreed to
Friendly termination
Case where burden of proof is beyond a reasonable doubt
Criminal case
The distinguishing feature of this type of intellectual property is that it remains undisclosed
Trade Secret
These are high level statements intended to communicate rules and expectations
Policies
In which type of governance document would you most likely find the statement “password complexity must include uppercase, lower case and at least one symbol”?
Standard
This type of procedure is generally used if decision making is required
Flowchart
This plan addresses the overall strategy and plan for sustaining a business
BCP
During the BIA process, a business unit stated that they could not afford to lose more than 30 minutes of data. Which statement best expresses this requirement?
RPO (Recovery Point Objective) = 30 minutes
This group is responsible for determining the maximum tolerable downtime (MTD)
1. Information Security department
2. Board of Directors
3. IT department
4. Business Unit
Business unit
This agreement should clearly state monitoring and limitations of privacy.
1. Service Level Agreement
2. Nondisclosure Agreement
3. Remote Access Agreement
4. Acceptable Use Policy Agreement
Acceptable Use Policy agreement
Uncertainty of outcome, whether positive opportunity or negative threat of actions and events
Risk
Level of risk that an organization is comfortable with
Risk appetite
Risk category that relates to activities that can affect the institution's overall mission, objectives and viability
Strategic Risk
Risk category that relates to the confidence and trust of stakeholders, customers, and community
Reputational risk
Risk category that relates to overall capacity and capability to deliver products and services
Operational risk
Risk category that relates to short- and long-term impact on capital
Financial risk
Risk category that relates to conformity with policies, laws, and regulatory requirements
Compliance risk
Risk category that relates to the capacity to withstand adverse and/or unexpected conditions
Resilience risk
Evaluation of the combination of the likelihood of something happening, and the impact if it does happen
Risk assessment
risk assessment using descriptive terminology
Qualitative risk assessment
Risk assessment assigning numeric and monetary values to all elements of the assessment
Quantitative risk assessment
Taking actions to mitigate the impact of an unfavorable outcome and/or enhance the likelihood of a positive outcome
Risk management
Risk Management steps
Risk Identification (Assessment)
Risk Treatment
Risk Monitoring
Repeat the process
Act as if the risk doesn’t exist
Ignore the risk
Acknowledge and accept the level of risk and monitor it
Accept the risk
Reduce the impact or likelihood by implementing controls or safeguards
Mitigate the risk
Spread the risk among multiple parties
Share the risk
Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
Transfer the risk
Eliminate the cause or terminate the associated activity
Avoid the risk
Insurance to mitigate financial losses from a variety of cyber incidents
Cyber Insurance
Track known risks, evaluate treatment effectiveness, identify new risks, and schedule on-going assessments
Risk Monitoring
Uncertainty of outcome
Risk
Level of risk an organization is willing to accept
Risk Appetite
Process used to identify and measure risk
Risk Assessment
Assign risk to another party
Risk transfer
Tool used to document organizational risks
Risk register
A disciplined and structured approach used to oversee and manage risk for an enterprise
Risk Management Framework (RMF)
Risk Management components
Governance
Identification
Assessment
Mitigation
Reporting and monitoring
Who are responsible for ensuring that risk-related considerations are viewed from an organization-wide perspective
Executives (e.g., CEO) as an individual or as a group
US Risk Management Framework
NIST Risk Management Framework
International Risk Management Framework
ISO 27005 Information Security Risk Management
NIST RMF Steps
- Prepare (added in SP 800-37 Rev. 2): establish the organizational and system-level context, roles and resources needed to manage security and privacy risk
- Categorize: categorize the systems and the information processed, stored and transmitted
- Select: select an initial set of baseline security controls for the system based on the security categorization.
- Implement: implement the security controls and document how the controls are deployed within the system and environment of operation.
- Assess: assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome.
- Authorize: authorize system operation based upon a determination of residual risk.
- Monitor: monitor and assess selected security controls in the system on an ongoing basis.
model designed to assess strength and weaknesses of the risk program, set goals, and plan for improvement
Risk Maturity Model
1. Initial
2. Fragmented
3. Top-down
4. Integrated
5. Risk Intelligent
Structured and disciplined approach
Framework
United State agency tasked with developing federal government RMF
National Institute of Standards and Technology (NIST)
Measurement of continuous improvement
Maturity Model
Risk maturity stage that reflects individual actions and capabilities
Initial (Ad hoc)
Evaluation of the combination of the likelihood of something happening, and the impact if it does happen
Risk Assessment (Risk Analysis)
The level of risk before controls or safeguards have been implemented
Inherent risk
The level of risk after controls or safeguards have been implemented
Residual risk
Risk Assessment workflow
- Determine the risk assessment approach (qualitative, quantitative, hybrid)
- Identify the inherent risk based on relevant threats and related vulnerabilities
- Assess the impact if the threat source was successful
- Identify applicable controls and their effectiveness
- Assess the likelihood of occurrence, taking into consideration the control environment
- Determine the level of residual risk
Risk assessment using descriptive terminology such as high, medium and low
Qualitative risk assessment
Risk assessment assigning numeric values to all elements
Quantitative risk assessment
Data visualization tool used to communicate qualitative risk levels and prioritization requirements
Risk Matrix (Heat Map)
Worth of a resource to the organization
Asset Value (AV)
Percent of asset value that would be lost
Exposure Factor (EF)
Monetary impact for a single event
Single Loss Expectancy (SLE)
How often in a single year will the event occur
Annualized Rate of Occurrence (ARO)
The annualized monetary impact
Annualized Loss Expectancy (ALE)
Quantitative Risk Assessment workflow
- Determine Asset Value (AV)
- Determine Exposure Factor (EF)
- Calculate Single Loss Expectancy (SLE) = AV * EF
- Determine Annualized Rate of Occurrence (ARO)
- Calculate Annualized Loss Expectancy (ALE) = ARO * SLE
Level of risk after treatment
Residual Risk
Risk assessment approach that uses descriptive terminology
Qualitative
AV x EF =?
Single Loss Expectancy (SLE)
SLExARO=?
Annualized Loss Expectancy (ALE)
Data visualization tool used to communicate risk level
Risk Matrix or Heat Map
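The risk assessment workflow (inherent risk, applicable controls and their effectiveness, residual risk) and the quantitative workflow (AV, EF, SLE = AV × EF, ARO, ALE = SLE × ARO) come together in a risk register. The following is an added example, not material from the original deck; every asset, factor and cost is constructed. It carries the page's formulas through for several risks, applies a control that lowers EF or ARO to get the residual ALE, and goes one step beyond the cards with the standard cost/benefit test for a safeguard, (ALE before) − (ALE after) − annual cost of the control: a negative result means the control costs more than the loss it prevents, which points toward accepting, transferring (insurance) or avoiding the risk instead of mitigating it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Control:
    """A safeguard with its annual cost and the EF and/or ARO expected after it
    is in place. Figures are hypothetical."""
    name: str
    annual_cost: float
    ef_after: Optional[float] = None    # set when the control reduces impact
    aro_after: Optional[float] = None   # set when the control reduces likelihood


@dataclass
class Risk:
    """One risk register entry using the quantitative terms from the cards."""
    name: str
    asset_value: float      # AV: worth of the asset to the organization
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of events per year
    control: Optional[Control] = None


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF"""
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO"""
    return single_loss_expectancy(av, ef) * aro


def inherent_ale(risk: Risk) -> float:
    """Annualized loss before any control is applied."""
    return annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)


def residual_ale(risk: Risk) -> float:
    """Annualized loss after the control reduces EF, ARO or both."""
    if risk.control is None:
        return inherent_ale(risk)
    ef = risk.exposure_factor if risk.control.ef_after is None else risk.control.ef_after
    aro = risk.aro if risk.control.aro_after is None else risk.control.aro_after
    return annualized_loss_expectancy(risk.asset_value, ef, aro)


def safeguard_value(risk: Risk) -> float:
    """(ALE before) - (ALE after) - annual cost of the safeguard.
    Negative means the control is not cost-justified."""
    if risk.control is None:
        return 0.0
    return inherent_ale(risk) - residual_ale(risk) - risk.control.annual_cost


def risk_register(risks: List[Risk]) -> List[Dict[str, object]]:
    """Register rows ranked by inherent ALE, highest first, with a suggested treatment."""
    rows: List[Dict[str, object]] = []
    for r in sorted(risks, key=inherent_ale, reverse=True):
        value = safeguard_value(r)
        rows.append({
            "risk": r.name,
            "sle": single_loss_expectancy(r.asset_value, r.exposure_factor),
            "inherent_ale": inherent_ale(r),
            "control": r.control.name if r.control else None,
            "residual_ale": residual_ale(r),
            "safeguard_value": value,
            "treatment": "mitigate" if r.control and value > 0
                         else "accept, transfer (insurance) or avoid",
        })
    return rows


# Constructed sample register: hypothetical assets, factors and control costs.
RANSOMWARE = Risk("Ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5,
                  control=Control("Offline backups + EDR", annual_cost=40_000, ef_after=0.1))
LAPTOP_THEFT = Risk("Laptop theft", asset_value=3_000, exposure_factor=1.0, aro=12,
                    control=Control("Full-disk encryption", annual_cost=5_000, ef_after=0.2))
FLOOD = Risk("Data center flood", asset_value=2_000_000, exposure_factor=0.25, aro=0.02,
             control=Control("Flood barriers", annual_cost=15_000, aro_after=0.005))
RISKS = [FLOOD, LAPTOP_THEFT, RANSOMWARE]

if __name__ == "__main__":
    for row in risk_register(RISKS):
        print(row)
```

Worked through: the ransomware risk has SLE 300,000 and ALE 150,000; the control drops EF to 0.1, so residual ALE is 25,000 and the safeguard is worth 150,000 − 25,000 − 40,000 = 85,000 a year. The flood barriers cut ALE from 10,000 to 2,500 but cost 15,000, so their value is −7,500 and the register suggests a different treatment for that risk.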
A tactic, mechanism, or strategy that accomplishes one or more of:
- Reduces or eliminates a vulnerability
- Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability
- Reduces or eliminates the impact of an exploit
Control (countermeasure)
What a control does
Functionality
How well a control works
Effectiveness
Controls applied in multiple layers
Defense-in-depth
Layered security
Statement of desired result or purpose to be achieved by implementing a control or set of controls
Control Objective
Controls relating to decision making, oversight, strategic alignment and compliance
Administrative (Management)
Controls that can have a material structure (seen, heard, touched)
Physical
Controls provided using technology
Technical (Logical)
Control that discourages a threat agent from acting
Deterrent control
Control that stops a threat agent from being successful
Preventative control
Control that identifies and reports a threat agent or action
Detective control
Control that minimizes the impact of a threat agent, or modifies or fixes a situation (recovery)
Corrective control
Controls that are alternate measures that organizations can use to fulfill a compliance standard, policy, or contractual requirements
Compensating controls
Control category relating to oversight, decision making, strategic alignment, and compliance
Management control (administrative control)
Control that minimizes the impact of a threat agent
Corrective control
Control designed to accomplish the intent of recommended control as closely as possible
Compensating control
Control that discourages a threat agent from acting
Deterrent control
Term used to describe how well a control works
Effectiveness
Potential danger
Threat
Adversary with malicious intent
Threat actor
A weakness in a system, process or person
Vulnerability
Successfully taking advantage of a vulnerability
Exploit
Threat actor chooses a target for a specific objective
- Influenced by perceived value of outcome
Targeted Attack
Threat actor takes advantage of a vulnerable target (not previously known to them); influenced by work factor
Opportunistic Attack
Threat actor motivated by bragging rights, notoriety
Script kiddies
Threat actor motivated by financial gain
Criminal Syndicate
Threat actor motivated by political statement
Hacktivist
Threat actor motivated by grievance, perceived morality, blackmail, external pressure
Insider
Threat actor motivated by espionage, disruption, IP theft
Competitors
Threat actor motivated by surveillance, espionage, targeting critical infrastructure, tactical advantage, data collection
Nation-States
Security practitioner or hobbyist whose motivation is to identify security vulnerabilities and exploits; and responsibly disclose them to a manufacturer or client organization
Authorized “Ethical Hacker”
Individuals whose motivation is to identify security vulnerabilities and exploits for personal or financial gain
Unauthorized hacker
Individuals whose motivation is to identify security vulnerabilities and exploits for a reward or recognition
- Research is conducted without permission
- They may publicly disclose the vulnerabilities if the entity does not respond in line with their expectations
Semi-authorized hacker
Those with the most advanced, accurate, and agile tools
Established Actors
Those with defined processes and targeted operations
Emerging Actors
Generally, those associated with low-level cybercriminal activity
Opportunistic Actors
Successfully taking advantage of a vulnerability
Exploit
Characteristic of this attack is a threat actor taking advantage of a vulnerable target not previously known to them
Opportunistic Attack
Espionage and IP theft are their motivation
Competitor
The focus of this activity is financial gain
Cybercrime
A security professional who works to identify vulnerabilities with the permission of the system owner
Ethical Hacker
A structured process by which potential threats can be identified, enumerated and prioritized
Threat modeling
What are the three threat modeling approaches
- Asset-centric (WHAT/WHY) - identifies valued assets
- Architecture-centric (HOW) - identifies system design, component strength and vulnerabilities
- Attacker-centric (WHO) - identifies adversaries
Are we aware of the latest threats, tools, and techniques
Threat Intelligence
How hard would it be for an adversary to achieve their objective
Work factor
The time, effort and resources needed for an attacker to successfully achieve their objective
Workfactor
Evidence-based knowledge about an emerging threat that can be used to inform control decisions
Threat intelligence
Trusted, sector-specific entity that facilitates sector-specific and/or geographic-specific information sharing about vulnerabilities, threats, and incidents
Information Sharing and Analysis Center (ISAC)
Standardized language by MITRE and OASIS for describing cyber threat information
Structured Threat Information Expression (STIX)
Defines how cyber threat information can be shared via services and message exchanges
TAXII
Time, effort and talent needed to achieve an objective
Workfactor
Threat model that focuses on system design
Architecture-centric
Sector-specific member-driven information sharing organizations
Information Sharing and Analysis Center (ISAC)
A method or pathway used by an attacker to access or penetrate the target system or environment
attack vector
Disruption, manipulation, or compromise of Information Technology (IT) or operational technology (OT) systems or software
Digital Infrastructure attack
Disruption, manipulation, or compromise of people
Human attack
Disruption or destruction of physical structures and facilities
Physical Infrastructure attack
Attacker chooses a target for a specific objective
Targeted attack
Attacker takes advantage of a vulnerable target (not previously known to them)
Opportunistic attack
Attacker uses an amplification factor to multiply its power
Amplification attack
Attack on a previously unknown vulnerability for which a fix is not yet available
Zero-day attack
Impersonating an address, system, or person
Spoofing:
- IP address spoofing
- MAC address spoofing
Manipulating a trusted source of data
Poisoning:
- ARP cache poisoning
- DNS poisoning
Intercepting communication between two systems
Hijacking:
- Man-in-the-Middle (MitM) - Spoofing and/or poisoning exploiting real-time processing of transactions, conversations or data transfer
- Man-in-the-Browser (MitB) - Manipulating the browser to control a session including what is displayed
- Session Hijacking: stealing session cookies to “take over” a user’s active session
- Domain Hijacking: unauthorized modification of domain name registration
- URL Squatting: registering or using an Internet domain name belonging to someone else
- Typo squatting: taking advantage of common typos (in domains) to create fraudulent websites
Overwhelming system resources
Denial of Service:
- DoS: Transmitting malformed packets or unusual requests
- DDoS: massive volume of service requests from multiple sources, often “bots” configured in a botnet
Exploiting weaknesses in server- or client-side code or applications
Code attack:
- Injection: tricking an application into including unintended commands
- Buffer Overflow: writing excess data into system memory that overruns the buffer's boundary and overwrites adjacent memory locations
- Refactoring: restructuring code without changing external behavior, manipulating code with malicious intent
- Cross-site scripting (XSS) - injection of malicious code that executes in a browser
- Cross-site Request Forgery (CSRF) - Exploiting the trust relationship between a website and a browser
Impersonating an address, system or person
Spoofing
Manipulating a trusted source of data
Poisoning
Intercepting communications between two or more systems
Hijacking
Attack designed to overwhelm system resources
Denial of Service
Tricking an application into including unintended commands
Injection
Evidence-based knowledge about emerging threats that can be used to inform control decisions
Threat intelligence
Four properties of useful threat intelligence
- Aggregated from reliable sources and cross-correlated for accuracy
- Analyzed by trained specialists
- Assessed for relevancy
- Actionable. Often includes context, mechanisms, indicator of compromise (IOC), implications and response / remediation advice
Artifacts that identify potentially malicious activity on a system or network
Indicators of Compromise (IOC) - clue about an event that has already happened
Real-time behaviors and artifacts relating to something that is happening or has happened
Indicators of Attack (IOA)
Term used to refer to the data collected from publicly available sources to be used in an intelligence context
Open Source Intelligence (OSINT)
Structured collection of OSINT tools
OSINT framework
Intelligence data collected from publicly available sources
Open Source Intelligence (OSINT)
Accessing this “area” requires an anonymizing browser
Dark Web
Visualization of Cyber Attacks
Cyber Threat Map
Ecosystem of organizations, processes, people and resources involved in providing a product or service
Supply Chain
The reliance on a source to provide a product or service
Supply chain dependency
A disturbance of the normal flow of goods, materials and services in a supply chain
Supply Chain disruption
Attack that occurs when a system is infiltrated through a supply chain partner or provider with access to the systems and data
Supply chain attack
The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity in the supply chain
Supply chain risk management
Term used to describe reliance on a source to provide a product or service
Supply chain dependency
Term used to describe the disruption of the normal flow of goods, material and services
Supply chain disruption
When a system is infiltrated through a supply chain partner
Supply chain attack