Security and Risk Management Domain Flashcards

1
Q

What is a condition of (ISC)2 certification?

A

Fully commit to the code of ethics

2
Q

Protect society, the common good, necessary public trust and confidence and the infrastructure

A

First canon of ISC2 Code of Ethics

3
Q

Act honorably, honestly, justly, responsibly and legally

A

Second canon of ISC2 Code of Ethics

4
Q

Provide diligent and competent service to principals

A

Third canon of ISC2 Code of Ethics

5
Q

Advance and protect the profession

A

Fourth canon of ISC2 Code of Ethics

6
Q

Who can make a complaint to ISC2?

A

Only an injured party

7
Q

Code of Ethics: any member of the public can complain

A

Canon I & II

8
Q

Code of Ethics: employer/contractor can complain

A

Canon III

9
Q

Code of Ethics: certified professional can complain

A

Canon IV

10
Q

Who reviews Ethics Complaints

A

ISC2 Ethics Committee

11
Q

How is a complaint submitted?

A

Sworn affidavit that specifies respondent, behavior, canon breached, standing of complainant and any corroborating evidence

12
Q

Who decides on discipline of members

A

ISC2 Board of Directors

13
Q

Perform duties in accordance with existing laws, exercising the highest moral principles

A

C3 Unified Principles - Integrity

14
Q

Perform all duties in a fair manner and without prejudice

A

C3 Unified Principles - Objectivity

15
Q

Perform services diligently and with professionalism

A

C3 Unified Principles - Professional Competence and Due Care

16
Q

Respect and safeguard information and exercise due care to prevent improper disclosure

A

C3 Unified Principles - Confidentiality

17
Q

Clarifies an organization’s mission, values, and principles, linking them with standards of conduct

A

Organizational Code of Conduct

18
Q

Number of mandatory canons in ISC2 Code of Ethics

A

Four canons

19
Q

Body that investigates and opines on ISC2 Code of Ethics Complaints

A

ISC2 Ethics Committee

20
Q

Body that makes the final decision regarding ISC2 Code of Ethics complaints

A

ISC2 Board of Directors

21
Q

Extreme action that can be taken against ISC2 member

A

Decertification

22
Q

What are the fundamental information security principles

A

Confidentiality, Integrity, Availability CIA

23
Q

Assurance that information is not disclosed to unauthorized persons, processes, or devices

A

Confidentiality

24
Q

Protection from unintentional, unauthorized, or accidental changes

A

Integrity

25
Information is known to be good and can be trusted as being complete, consistent and accurate
Data integrity
26
A system will work as intended
System integrity
27
Information, systems and supporting infrastructure are operating and accessible when needed
Availability
28
The process of tracing actions to the source
Accountability
29
The property of being genuine and able to be verified and trusted
Authenticity
30
Protection against an individual falsely denying having performed a particular action
Non-repudiation
31
Measure of confidence that intended security controls are effective in their application
Assurance
32
Expands traditional application of information security by recognizing that we can no longer look at protecting an organization in isolation
Cybersecurity
33
Process by which an organization protects information, people and infrastructure
Cybersecurity
34
Broad primary outcome
Goal
35
Approach taken to achieve a goal
Strategy
36
Measurable step(s) taken to achieve a strategy
Objective
37
A tool used in support of an objective
Tactic
38
Align departmental strategies with business strategies to support organizational goals
Departmental Alignment
39
Mitigate risk to an acceptable level
Risk Management
40
Optimize investments in support of business objectives
Value Delivery
41
Efficient and effective use of resources
Resource Management
42
Achieve operational synergies and efficiencies
Process Integration
43
Ensure customer and stakeholder satisfaction
Satisfaction
44
Enhance organizational reputation with stakeholders and the broader community
Reputation Enhancement
45
Reduce the likelihood of successful litigation by adhering to the principle of due care
Reduced Liability
46
Cybersecurity prerequisites for leadership, trust and commitment
Leadership, trust and commitment:
- Embraced throughout and embedded within an organization
- Cybersecurity professionals have access to the C-suite and Board of Directors
- Included and recognized in organizational metrics and key performance indicators (KPIs)
47
Management metrics used to inform decision making
Key Performance Indicators
48
System by which organizations are directed and controlled
Corporate governance
49
State of security responsibility of leadership
- Determine and articulate the organization's desired state of security
- Provide the strategic direction, resources, funding, and support to ensure that the desired state of security can be achieved and sustained
- Maintain responsibility and accountability through oversight
50
What is in the governance ecosystem
1. Board of Directors
2. Executive Management
3. Organizational Roles
4. Functional Roles
51
Sets the tone and direction
Board of Directors / Trustees
52
Board of Directors responsibilities
Oversight and authorization
Fiduciary, legal and regulatory responsibilities
Standard of due care and due diligence
53
Standard of care that a prudent person would have exercised under the same or similar conditions
Due care
54
Investigation of a business or person before entering a contract and during the lifetime of the relationship
Due diligence
55
The first three duties of the board
1. Promoting effective governance
2. Determining organizational risk tolerance
3. Contributing to and authorizing strategic plans
56
Executive Management responsibilities
1. Strategic alignment
2. Risk management
3. Value delivery
4. Performance measurement
5. Resource management
6. Process assurance
57
Have authority to interpret the strategic direction and are held accountable for the success or failure of their area
Information Security Management
58
Who should Information Security Management report to?
As high up in the organization as possible to maintain visibility, limit distortion, and minimize conflict
59
ISM responsibilities
1. Being a subject matter expert and cybersecurity champion
2. Managing the cybersecurity program
3. Communicating with executive management
4. Coordinating the budget for cybersecurity activities
5. Ensuring the development and upkeep of governance documents
60
Responsible for developing, implementing, and administering all aspects of an organization's privacy program
Privacy Officer
61
Responsible for identifying applicable statutory, regulatory and contractual requirements, as well as ensuring compliance thereof
Compliance Officer
62
Responsible for ensuring that appropriate physical security procedures have been established and physical security devices installed, commensurate with the identified risk exposures
Physical Security Officer
63
Responsible for ensuring that management has established a framework of specific internal controls commensurate with risk, regulation, and Board directives
Internal Audit
64
Documenting roles and responsibilities in policies, job descriptions, employee manuals and supported by agreements
Codification
65
The term used to describe the responsibility of leadership to determine, articulate, authorize and fund the desired state of cybersecurity
Security Governance
66
The outcome when cybersecurity decision making is tied to organizational objectives
Strategic Alignment
67
This group has fiduciary responsibility
Board of Directors
68
Legal term applied to the standard of care exercised by a prudent person
Due care
69
Logical structure intended to document and organize processes
Framework
70
International Cybersecurity Framework
ISO 27000 family:
ISO 27001 Information Security Management Systems
ISO 27002 Code of Practice for Information Security Controls
ISO 27005 Information Security Risk Management
ISO 27014 Information Security, Cybersecurity and Privacy Protection
71
US Framework for Cybersecurity
NIST Cybersecurity Framework (CSF)
72
Non-profit dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
Cloud Security Alliance
73
Framework of cloud-specific security controls mapped to leading standards
Cloud Controls Matrix (CCM)
74
Helps an organization identify their cybersecurity capabilities and initiatives and compare those efforts to peers or competitors of the same sector or size
Information Security Benchmarks
75
Creates consensus-based best practices for the secure configuration of a target system
Center for Internet Security (CIS) https://www.cisecurity.org
76
A logical structure to document and organize processes
Framework
77
This US framework consists of standards, guidelines and practices to promote the protection of critical infrastructure
NIST Cybersecurity Framework (CSF)
78
This framework of cloud-specific security controls is mapped to leading standards, best practices and regulations
CSA Cloud Controls Matrix (CCM)
79
Non-profit organization that publishes the "Top 10" web
OWASP
80
Acting in accordance with applicable rules, laws, policies and/or obligations
Compliance
81
The power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory
Jurisdiction
82
What is important for jurisdiction in relation to cybersecurity
1. Location of data and systems (processing, transmission, storage)
2. Type of data
3. Residence of data owners
4. Residence of data subjects
83
Security and privacy of consumer financial records
Gramm-Leach-Bliley Act (GLBA)
84
Security and privacy of patient medical records for covered entities and business associates (BA)
HIPAA & HITECH
85
security and privacy of student educational records
Family Educational Rights and Privacy Act (FERPA)
86
security and privacy related to the online collection and use of data for minors under 13
Children's Online Privacy Protection Act (COPPA)
87
requires U.S. federal agencies to implement a program to provide security for their information and information systems, including those provided by or managed by another agency on their behalf
Federal Information Security Management Act (FISMA)
88
first privacy regulation at the state level in the United States
California Consumer Privacy Act (CCPA)
89
Privacy regulation of the EU
General Data Protection Regulation (GDPR)
90
Contractual obligation for any entity that accepts, processes, transmits, or stores payment cardholder data
Payment Card Industry Data Security Standard (PCI DSS)
91
Power or right of a legal or political agency to exercise its authority over a person, subject matter, or territory
Jurisdiction
92
US regulation that requires safeguarding consumer financial data
Gramm-Leach-Bliley Act (GLBA)
93
Right of an individual to control the use of their personal information
Privacy
94
PII
Personally Identifiable Information
95
PHI
Personal Health Information
96
OECD Privacy Principles
1. Collection Limitation: personal data should be obtained by lawful and fair means
2. Data Quality: personal data should be relevant for the purposes for which it is collected
3. Purpose Specification: the purpose for which personal data is collected should be specified no later than at the time of data collection
4. Use Limitation: personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law
5. Security Safeguard: personal data must be protected
97
Cybersecurity programs should support and complement organizational goals
Strategic Alignment
98
Role of this position is primarily oversight and fiduciary
Board of Directors (or equivalent)
99
The reasonable care taken before entering into and during the lifetime of a contract or agreement
Due diligence
100
Identifies building and facility risks and mitigation
Physical security officer
101
Manages the information security program
Information Security Officer
102
Role responsible for Managing and monitoring of protection mechanisms
Custodian
103
Assesses the control environment
Internal Audit
104
Regulation for patients
HIPAA
105
Regulation for Federal Agencies
FISMA
106
Regulation for Financial services customers
GLBA
107
Regulation for EU citizens
GDPR
108
Regulation for minors
COPPA
109
The second three duties of the board
4. Allocating funds
5. Approving policies and significant projects
6. Ensuring appropriate monitoring
110
The last three duties of the board
7. Ensuring compliance with laws, regulations and contracts
8. Reviewing audit and examination results
9. Honoring the legal constructs of due diligence and due care
111
Resource intended to help an organization identify their cybersecurity capabilities and compare those efforts to peers or competitors of the same sector or size
Benchmark
112
Broad term given to criminal activity that involves the Internet, a computer network, a computer system, or a digital device
Cybercrime
113
Incident in which legally protected or private data has been potentially viewed, stolen (exfiltrated) or used by an individual unauthorized to do so
Data breach
114
Consulting legal counsel
1. There is a possibility that legally or contractually protected information has been exposed
115
Responsibility for damages that result from a security compromise in your business
Downstream Liability
116
Describes a wide variety of property created by musicians, authors, artists, designers, programmers, and inventors
Intellectual Property
117
gives its owner the legal right to exclude others from making, using or selling an invention for a period of time in exchange for publishing a public disclosure of the invention
Patent
118
intended to protect recognizable names, icons, shape, color, sound or any combination used to represent a brand, product, service or company
Trademark
119
intended to allow the creator of certain types of original works to benefit from being credited and compensated for their work
Copyright
120
refer to proprietary business and technical information, processes, designs, or practices that are confidential and to a business
Trade Secrets
121
Criteria for trade secret
1. Commercially valuable
2. Be known only to a limited group of persons
3. Be subject to reasonable steps taken by the owner of the information to keep it secret, including the use of confidentiality agreements for business partners and employees
122
Copyrighted software that is available at no cost for unlimited usage. The developer retains all rights to the program and controls distribution
Freeware
123
copyrighted software that's available at no cost for unlimited usage and users are encouraged to share the software to promote larger distribution and maybe add-on sales
Shareware
124
copyright holder grants users the rights to use, to study, to change, and to distribute the software to anyone for any purpose
Open Source
125
copyrighted software that a company designs and develops to sell or license, and the company retains all rights to the program and controls distribution
Commercial Software
126
contract between the owner and the end user that governs the use of intellectual property, in this case software licensing
End User License Agreement (EULA)
127
unauthorized copying or distribution of copyrighted software
software piracy
128
law that makes it illegal to create products that circumvent copyright protections
Digital Millennium Copyright Act (DMCA)
129
the flow of data between countries inclusive of processing, storage and transmission
Transborder or cross-border data flow
130
EAR
Export Administration Regulations
131
Legally enforceable software use agreement
EULA
132
US law that makes it illegal to create products that circumvent copyright protections
DMCA
133
Proprietary business and technical information that can be legally protected
Trade Secret
134
Formal inquiry or systematic study
Investigation
135
Investigation pursued by the regulatory agency of a jurisdiction
Regulatory Investigation
136
Maximum fine under GDPR
4% of annual revenue
137
Investigation aligned with violation of contractual standards
Industry investigation
138
Order that suspends the modification, deletion and/or destruction of records and media
Legal Hold
139
any process in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case
eDiscovery
140
Individual who is knowledgeable about the facts of the case through direct participation or observations
Factual witness
141
Person who has knowledge beyond that of an ordinary lay person enabling him/her to give testimony regarding an issue that requires expertise to understand
Expert witness. Experts can give an opinion
142
The basis of this type of investigation is a dispute between parties
Civil investigation
143
The burden of proof for this type of investigation is 'beyond a reasonable doubt'
Criminal investigation
144
Process of seeking electronic data for use in a civil or criminal legal case
eDiscovery
145
This type of trial witness can proffer an opinion
Expert witness
146
Examples include investigations by the US FTC or the UK Information Commissioner's Office
Regulatory investigation
147
Act of providing leadership and direction
Governance
148
Communicates and codifies management's requirements, and provides direction
Policy
149
Who should approve policies
Board of Directors (or equivalent)
150
Specifications for the implementation of a policy that dictate mandatory requirements
Standards
151
Aggregate of standards for a specific category or grouping such as a platform, device type, ownership or location
Baseline
152
Document that helps people understand and conform to a standard
Guideline
153
This standard establishes security categories of information systems used by the federal government
FIPS 199
154
This standard lists mandatory security requirements for government systems.
FIPS 200
155
This is a US guide for applying risk management
NIST SP 800-37
156
Instructions for how to carry out an action
Procedures
157
What are the four commonly used formats for procedures
1. Simple step: lists sequential actions
2. Hierarchical: includes both generalized instructions for experienced users and detailed instructions for novice users
3. Graphic: presented in pictorial or symbol form
4. Flowchart: used to communicate a process and/or when decision making is required
158
High-level governance documents
Policies
159
Mandatory implementation requirements (related to policies)
Standards
160
Specific instructions for carrying out a task
Procedure
161
This procedure format requires decision making
Flowchart
162
A detailed roadmap for doing or achieving something
Plan
163
the capability of a business to operate in adverse (disaster) conditions
business continuity
164
disruptive events that significantly impact an organization's capability to operate
disaster
165
What are the three types of disasters
Natural (flood, earthquake, fire, pandemic)
Environmental (loss of power, HVAC)
Human (workplace accidents, cyber attacks, civil disruption)
166
Business Continuity Planning objective
to prepare for continued operation during disruption of normal operating conditions
167
plan focusing on recovery and restoration of technology, physical plant and people
Disaster Recovery Plan (DRP)
168
plan focusing on the overall strategy for sustaining the business during a disaster and the subsequent recovery period
Business Continuity Plan (BCP)
169
Business Continuity Plan Workflow
1. Project Initiation and Assignments
2. Business Impact Analysis
3. Plan Development
4. Procedure Development
5. Training
6. Testing
7. Auditing
8. Maintenance Review and Update
171
Business unit plan and procedures for operational activities
Continuity of Operations Plan (COOP)
172
Group responsible for approval of BCP policies and oversight of strategies
Board of Directors (or equivalent)
173
This type of plan describes the overall strategy for sustaining the business
Business Continuity Plan
174
This type of plan includes procedures for internal and external communications
Crisis Communication Plan (CCP)
175
This type of plan describes plans and procedures for recovering technology and facilities
Disaster Recovery Plan
176
This type of plan includes procedures for minimizing loss of life and property
Occupancy Emergency Plan
177
analysis to identify essential services, systems and infrastructure
Business Impact Analysis
178
Maximum time a process / service can be unavailable without causing significant harm to the business
Maximum Tolerable Downtime (MTD) / Maximum Tolerable Outage (MTO)
179
Amount of time allocated for system recovery
Recovery Time Objective (RTO)
180
Acceptable data loss: the point in time, prior to a disruption or system outage that data can be recovered
Recovery Point Objective (RPO)
181
Average time to repair a failed component or device
Mean Time to Repair
182
Measure of reliability (usage stated in hours)
Mean Time Between Failures
183
Business Impact Analysis Process
1. Identify Essential Services & Dependencies
2. Determine Maximum Tolerable Downtime
3. Determine Recovery Point Objective
4. Identify Infrastructure and Dependencies (including SPoF)
5. Determine Current RTO & RPO
6. Gap Analysis
7. Report to Management
184
In a BIA context, this describes services that "the absence or disruption of" would cause significant harm
Essential services
185
Metric related to acceptable data loss
RPO
186
A part of a system that, if it fails, will stop the entire system from working
Single Point of Failure (SPoF)
188
Document written for the user community containing policies and standards that specifically pertain to them
Acceptable Use Policy
189
What should AUP introduction do?
Set the tone of the policy, highlight leadership commitment, and emphasize user responsibility
190
AUP Common Elements
1. Data protection: data classifications and handling standards
2. Authentication: login requirements including password standards and use of tokens and/or biometrics
3. Application: procurement, installation, and licensing
4. Communication: written and verbal communication use and limitations (including personal email)
5. Internet: use, activity, and engagement (including social media)
6. Mobile Device: use, configuration, activity and device protection
7. Remote Access: use, configuration, activity, and physical security
8. Incident Reporting: instructions on how to spot and report suspicious activity
191
By signing this policy the user acknowledges that they understand, and agree to abide by the rules and standards including monitoring and limitations of privacy
Acceptable Use Policy
192
Establishes data ownership and reason data is being provided
Confidentiality / Non-disclosure agreement (NDA)
193
Relationships including service providers, business partners, consultants, and contractors
Non-employee relationships
194
Document that details user-focused policies and standards
Acceptable Use Policy (AUP)
195
The section of the AUP that documents login requirements including password standards and use of tokens and/or biometrics
Authentication
196
Agreement that should be executed prior to being granted access to information and information systems
Acceptable Use Agreement
197
Agreement used to establish data ownership and protect data from unauthorized use and/or disclosure
Confidentiality / Non-disclosure agreement (NDA)
198
Stages of the employee life cycle
1. Hiring Process
2. Onboarding
3. Employment
4. Offboarding
199
Process of integrating a new employee with a company and culture as well as getting the tools and information they need to be successful
Onboarding
200
Assigning the minimal rights and permissions needed to accomplish a task
Least Privilege
201
Rotating assignments (fraud deterrent and detection)
Job rotation
202
Requiring employees to take a set amount of vacation time (fraud deterrent and detection)
Mandatory Vacation
203
Breaking tasks into separate processes so that no one subject is in complete control
Separation of Duties
204
Requiring more than one subject or key to complete a specific task
Dual Control
205
Requirement to never leave confidential data (paper, monitor, whiteboard) unattended or within view of unauthorized personnel
Clean Desk
206
Process for transitioning employees out of an organization
Offboarding
207
Process of integrating a new employee
Onboarding
208
Primary reasons for job rotation and mandatory vacation
Fraud deterrent and detection
209
This process includes creating user accounts and assigning credentials
Provisioning
210
Requiring more than one user to complete a specific task
Dual Control
211
Termination that has been mutually agreed to
Friendly termination
212
Case where burden of proof is beyond a reasonable doubt
Criminal case
213
The distinguishing feature of this type of intellectual property is that it remains undisclosed
Trade Secret
214
These are high level statements intended to communicate rules and expectations
Policies
215
In which type of governance document would you most likely find the statement "password complexity must include uppercase, lower case and at least one symbol"?
Standard
216
This type of procedure is generally used if decision making is required
Flowchart
217
This plan addresses the overall strategy and plan for sustaining a business
BCP
218
During the BIA process, a business unit stated that they could not afford to lose more than 30 minutes of data. Which statement best expresses this requirement?
RPO (Recovery Point Objective) = 30 minutes
219
This group is responsible for determining the maximum tolerable downtime (MTD)
1. Information Security department
2. Board of Directors
3. IT department
4. Business Unit
Business unit
220
This agreement should clearly state monitoring and limitations of privacy.
1. Service Level Agreement
2. Nondisclosure Agreement
3. Remote Access Agreement
4. Acceptable Use Policy Agreement
4. Acceptable Use Policy agreement
221
Uncertainty of outcome, whether positive opportunity or negative threat of actions and events
Risk
222
Level of risk that an organization is comfortable with
Risk appetite
223
Risk category that relates to activities that can affect the institution's overall mission, objectives and viability
Strategic Risk
224
Risk category that relates to the confidence and trust of stakeholders, customers, and community
Reputational risk
225
Risk category that relates to overall capacity and capability to deliver products and services
Operational risk
226
Risk category that relates to short- and long-term impact on capital
Financial risk
227
Risk category that relates to conformity with policies, laws, and regulatory requirements
Compliance risk
228
Risk category that relates to the capacity to withstand adverse and/or unexpected conditions
Resilience risk
229
Evaluation of the combination of the likelihood of something happening, and the impact if it does happen
Risk assessment
230
risk assessment using descriptive terminology
Qualitative risk assessment
231
Risk assessment assigning numeric and monetary values to all elements of the assessment
Quantitative risk assessment
232
Taking actions to mitigate the impact of an unfavorable outcome and/or enhance the likelihood of a positive outcome
Risk management
233
Risk Management steps
Risk Identification (Assessment)
Risk Treatment
Risk Monitoring
Repeat the process
234
Act as if the risk doesn't exist
Ignore the risk
235
Acknowledge and accept the level of risk and monitor it
Accept the risk
236
Reduce the impact or likelihood by implementing controls or safeguards
Mitigate the risk
237
Spread the risk among multiple parties
Share the risk
238
Assign the risk to another party via insurance or contractual agreement (subject to legal and regulatory constraints)
Transfer the risk
239
Eliminate the cause or terminate the associated activity
Avoid the risk
240
Insurance to mitigate financial losses from a variety of cyber incidents
Cyber Insurance
241
Track known risks, evaluate treatment effectiveness, identify new risks, and schedule on-going assessments
Risk Monitoring
242
Uncertainty of outcome
Risk
243
Level of risk an organization is willing to accept
Risk Appetite
244
Process used to identify and measure risk
Risk Assessment
245
Assign risk to another party
Risk transfer
246
Tool used to document organizational risks
Risk register
247
A disciplined and structured approach used to oversee and manage risk for an enterprise
Risk Management Framework (RMF)
248
Risk Management components
Governance
Identification
Assessment
Mitigation
Reporting and monitoring
249
Who is responsible for ensuring that risk-related considerations are viewed from an organization-wide perspective?
Executives (e.g., CEO) as an individual or as a group
250
US Risk Management Framework
NIST Risk Management Framework
251
International Risk Management Framework
ISO 27005 Information Security Risk Management
252
NIST RMF Steps
1. Categorize: categorize the systems and the information processed, stored and transmitted
2. Select: select an initial set of baseline security controls for the system based on the security categorization
3. Implement: implement the security controls and document how the controls are deployed within the system and environment of operation
4. Assess: assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome
5. Authorize: authorize system operation based upon a determination of residual risk
6. Monitor: monitor and assess selected security controls in the system on an ongoing basis
253
model designed to assess strength and weaknesses of the risk program, set goals, and plan for improvement
Risk Maturity Model
1. Initial
2. Fragmented
3. Top-down
4. Integrated
5. Risk Intelligent
254
Structured and disciplined approach
Framework
255
United States agency tasked with developing the federal government RMF
National Institute of Standards and Technology (NIST)
256
Measurement of continuous improvement
Maturity Model
257
Risk maturity stage that reflects individual actions and capabilities
Initial (Ad hoc)
258
Evaluation of the combination of the likelihood of something happening, and the impact if it does happen
Risk Assessment (Risk Analysis)
259
The level of risk before controls or safeguards have been implemented
Inherent risk
260
The level of risk after controls or safeguards have been implemented
Residual risk
261
Risk Assessment workflow
1. Determine the risk assessment approach (qualitative, quantitative, hybrid)
2. Identify the inherent risk based on relevant threats and related vulnerabilities
3. Assess the impact if the threat source was successful
4. Identify applicable controls and their effectiveness
5. Assess the likelihood of occurrence, taking into consideration the control environment
6. Determine the level of residual risk
262
Risk assessment using descriptive terminology such as high, medium and low
Qualitative risk assessment
263
Risk assessment assigning numeric values to all elements
Quantitative risk assessment
264
Data visualization tool used to communicate qualitative risk levels and prioritization requirements
Risk Matrix (Heat Map)
265
Worth of a resource to the organization
Asset Value (AV)
266
Percent of asset value that would be lost
Exposure Factor (EF)
267
Monetary impact for a single event
Single Loss Expectancy (SLE)
268
How often in a single year will the event occur
Annualized Rate of Occurrence (ARO)
269
The annualized monetary impact
Annualized Loss Expectancy (ALE)
270
Quantitative Risk Assessment workflow
1. Determine Asset Value (AV)
2. Determine Exposure Factor (EF)
3. Calculate Single Loss Expectancy (SLE) = AV * EF
4. Determine Annualized Rate of Occurrence (ARO)
5. Calculate Annualized Loss Expectancy (ALE) = ARO * SLE
271
Level of risk after treatment
Residual Risk
272
Risk assessment approach that uses descriptive terminology
Qualitative
273
AV x EF = ?
Single Loss Expectancy (SLE)
274
SLE x ARO = ?
Annualized Loss Expectancy (ALE)
275
Data visualization tool used to communicate risk level
Risk Matrix or Heat Map
276
A tactic, mechanism, or strategy that accomplishes one or more of the following:
- Reduces or eliminates a vulnerability
- Reduces or eliminates the likelihood that a threat agent will be able to exploit a vulnerability
- Reduces or eliminates the impact of an exploit
Control (countermeasure)
277
What a control does
Functionality
278
How well a control works
Effectiveness
279
Controls applied in multiple layers
Defense-in-depth (Layered security)
280
Statement of desired result or purpose to be achieved by implementing a control or set of controls
Control Objective
281
Controls relating to decision making, oversight, strategic alignment and compliance
Administrative (Management)
282
Controls that can have a material structure (seen, heard, touched)
Physical
283
Controls provided using technology
Technical (Logical)
284
Control that discourages a threat agent from acting
Deterrent control
285
Control that stops a threat agent from being successful
Preventative control
286
Control that identifies and reports a threat agent or action
Detective control
287
Control that minimizes the impact of a threat agent, or modifies or fixes a situation (recovery)
Corrective control
288
Controls that are alternate measures organizations can use to fulfill a compliance standard, policy, or contractual requirement
Compensating controls
289
Control category relating to oversight, decision making, strategic alignment, and compliance
Management control (administrative control)
290
Control that minimizes the impact of a threat agent
Corrective control
291
Control designed to accomplish the intent of a recommended control as closely as possible
Compensating control
292
Control that discourages a threat agent from acting
Deterrent control
293
Term used to describe how well a control works
Effectiveness
294
Potential danger
Threat
295
Adversary with malicious intent
Threat actor
296
A weakness in a system, process or person
Vulnerability
297
Successfully taking advantage of a vulnerability
Exploit
298
Threat actor chooses a target for a specific objective; influenced by the perceived value of the outcome
Targeted Attack
299
Threat actor takes advantage of a vulnerable target (not previously known to them); influenced by work factor
Opportunistic Attack
300
Threat actor motivated by bragging rights, notoriety
Script kiddies
301
Threat actor motivated by financial gain
Criminal Syndicate
302
Threat actor motivated by political statement
Hacktivist
303
Threat actor motivated by grievance, perceived morality, blackmail, external pressure
Insider
304
Threat actor motivated by espionage, disruption, IP theft
Competitors
305
Threat actor motivated by surveillance, espionage, targeting critical infrastructure, tactical advantage, data collection
Nation-States
306
Security practitioner or hobbyist whose motivation is to identify security vulnerabilities and exploits; and responsibly disclose them to a manufacturer or client organization
Authorized "Ethical Hacker"
307
Individuals whose motivation is to identify security vulnerabilities and exploits for personal or financial gain
Unauthorized hacker
308
Individuals whose motivation is to identify security vulnerabilities and exploits for a reward or recognition
- Research is conducted without permission
- They may publicly disclose the vulnerabilities if the entity does not respond in line with their expectations
Semi-authorized hacker
309
Those with the most advanced, accurate, and agile tools
Established Actors
310
Those with defined processes and targeted operations
Emerging Actors
311
Generally, those associated with low-level cybercriminal activity
Opportunistic Actors
312
Successfully taking advantage of a vulnerability
Exploit
313
Characteristic of this attack is a threat actor taking advantage of a vulnerable target not previously known to them
Opportunistic Attack
314
Espionage and IP theft are their motivation
Competitor
315
The focus of this activity is financial gain
Cybercrime
316
A security professional who works to identify vulnerabilities with the permission of the system owner
Ethical Hacker
317
A structured process by which potential threats can be identified, enumerated and prioritized
Threat modeling
318
What are the three threat modeling approaches
1. Asset-centric (WHAT/WHY): identifies valued assets
2. Architecture-centric (HOW): identifies system design, component strengths and vulnerabilities
3. Attacker-centric (WHO): identifies adversaries
319
Are we aware of the latest threats, tools, and techniques
Threat Intelligence
320
How hard would it be for an adversary to achieve their objective
Work factor
321
The time, effort and resources needed for an attacker to successfully achieve their objective
Workfactor
322
Evidence-based knowledge about an emerging threat that can be used to inform control decisions
Threat intelligence
323
Trusted, sector-specific entity that facilitates sector-specific and/or geographic-specific information sharing about vulnerabilities, threats, and incidents
Information Sharing and Analysis Center (ISAC)
324
Standardized language by MITRE and OASIS for describing cyber threat information
Structured Threat Information Expression (STIX)
325
Defines how cyber threat information can be shared via services and message exchanges
Trusted Automated Exchange of Intelligence Information (TAXII)
326
Time, effort and talent needed to achieve an objective
Workfactor
327
Threat model that focuses on system design
Architecture-centric
328
Sector-specific member-driven information sharing organizations
Information Sharing and Analysis Center (ISAC)
329
A method or pathway used by an attacker to access or penetrate the target system or environment
attack vector
330
Disruption, manipulation, or compromise of Information Technology (IT) or operational technology (OT) systems or software
Digital Infrastructure attack
331
Disruption, manipulation, or compromise of people
Human attack
332
Disruption or destruction of physical structures and facilities
Physical Infrastructure attack
333
Attacker chooses a target for a specific objective
Targeted attack
334
Attacker takes advantage of a vulnerable target (not previously known to them)
Opportunistic attack
335
Attacker uses an amplification factor to multiply its power
Amplification attack
336
Attack on a previously unknown vulnerability for which a fix is not yet available
Zero-day attack
337
Impersonating an address, system, or person
Spoofing:
- IP address spoofing
- MAC address spoofing
338
Manipulating a trusted source of data
Poisoning:
- ARP cache poisoning
- DNS poisoning
339
Intercepting communication between two systems
Hijacking:
- Man-in-the-Middle (MitM): spoofing and/or poisoning exploiting real-time processing of transactions, conversations or data transfer
- Man-in-the-Browser (MitB): manipulating the browser to control a session, including what is displayed
- Session Hijacking: stealing session cookies to "take over" a user's active session
- Domain Hijacking: unauthorized modification of domain name registration
- URL Squatting: registering or using an Internet domain name belonging to someone else
- Typo squatting: taking advantage of common typos (in domains) to create fraudulent websites
340
Overwhelming system resources
Denial of Service:
- DoS: transmitting malformed packets or unusual requests
- DDoS: massive volume of service requests from multiple sources, often "bots" configured in a botnet
341
Exploiting weaknesses in server- or client-side code or applications
Code attack:
- Injection: tricking an application into including unintended commands
- Buffer Overflow: writing excess data into system memory that overruns the buffer's boundary and overwrites adjacent memory locations
- Refactoring: restructuring code without changing external behavior; manipulating code with malicious intent
- Cross-site Scripting (XSS): injection of malicious code that executes in a browser
- Cross-site Request Forgery (CSRF): exploiting the trust relationship between a website and a browser
342
Impersonating an address, system or person
Spoofing
343
Manipulating a trusted source of data
Poisoning
344
Intercepting communications between two or more systems
Hijacking
345
Attack designed to overwhelm system resources
Denial of Service
346
Tricking an application into including unintended commands
Injection
347
Evidence-based knowledge about emerging threats that can be used to inform control decisions
Threat intelligence
348
Four properties of useful threat intelligence
1. Aggregated from reliable sources and cross-correlated for accuracy
2. Analyzed by trained specialists
3. Assessed for relevancy
4. Actionable: often includes context, mechanisms, indicators of compromise (IOC), implications and response/remediation advice
349
Artifacts that identify potentially malicious activity on a system or network
Indicators of Compromise (IOC): a clue about an event that has already happened
350
Real-time behaviors and artifacts relating to something that is happening or has happened
Indicators of Attack (IOA)
351
Term used to refer to the data collected from publicly available sources to be used in an intelligence context
Open Source Intelligence (OSINT)
352
Structured collection of OSINT tools
OSINT framework
353
Intelligence data collected from publicly available sources
Open Source Intelligence (OSINT)
354
Accessing this "area" requires an anonymizing browser
Dark Web
355
Visualization of Cyber Attacks
Cyber Threat Map
356
Ecosystem of organizations, processes, people and resources involved in providing a product or service
Supply Chain
357
The reliance on a source to provide a product or service
Supply chain dependency
358
A disturbance of the normal flow of goods, materials and services in a supply chain
Supply Chain disruption
359
Attack that occurs when a system is infiltrated through a supply chain partner or provider with access to the systems and data
Supply chain attack
360
The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure continuity in the supply chain
Supply chain risk management
361
Term used to describe reliance on a source to provide a product or service
Supply chain dependency
362
Term used to describe the disruption of the normal flow of goods, material and services
Supply chain disruption
363
When a system is infiltrated through a supply chain partner
Supply chain attack