Week 2 Flashcards

1
Q

The Importance of Project Risk Management

A

Security risk management deals with identifying, analyzing, and responding to risks (threats) in an organization.
Involves identifying, assessing, and prioritizing risks.
Mitigating and monitoring those risks.
Also known as information assurance (IA).
Preceded by vulnerability assessment:
Assess the vulnerability of computer systems and network devices using common network assessment tools such as
network mappers, vulnerability scanners, protocol analyzers, packet sniffers, and password crackers.

2
Q

Important Terms

A

Asset
Valuables that need to be protected
Could be IT systems, data, buildings, paper files, etc.
The value and criticality of the asset will determine what safeguards or countermeasures must be put in place.
Threats
A potentially harmful event, like a power outage or virus attack, that can harm a system.
Something that causes harm.
Vulnerability
A weakness within a system that can allow a threat to cause harm.
Ex: A data center without a backup.
Gap/ weakness.

3
Q

Important Terms

A

Risk
Likelihood that the vulnerability in a system can be exploited to cause harm.
Potential harm or outcome of the threat exploiting the vulnerability
Exposure
Instance of being exposed to losses when a risk materializes.
Control
Safeguard or countermeasure put in place to address the risk.

4
Q

Identify the following as threat/ vulnerability/ risk.

Misconfigured Firewall

A

Vulnerability

5
Q

Identify the following as threat/ vulnerability/ risk.

Loss of credit card data

A

Risk

6
Q

Identify the following as threat/ vulnerability/ risk.

Hacker

A

Threat

7
Q

Identify the following as threat/ vulnerability/ risk.

Virus

A

Threat

8
Q

Identify the following as threat/ vulnerability/ risk.

Fire

A

Threat

9
Q

Identify the following as threat/ vulnerability/ risk.

Virus infection

A

Risk

10
Q

Identify the following as threat/ vulnerability/ risk.

Loss of data integrity

A

Risk

11
Q

Identify the following as threat/ vulnerability/ risk.

Outdated anti-virus software

A

Vulnerability

12
Q

Review Slide 6 in week 2

A

Review Slide 6 in week 2

13
Q

Negative Risk

A

A dictionary definition of risk is “the possibility of loss or injury”.
Negative risk involves understanding potential problems that might occur in the project and how they might impede project success.
Negative risk management is like a form of insurance; it is an investment.

14
Q

Risk Can Be Positive

A

Positive risks are risks that result in good things happening; sometimes called opportunities.
The goal of risk management is to minimize potential negative risks while maximizing potential positive risks.

15
Q

Risk Classification

A

External
Regulatory, environmental, market conditions.
Internal
Disgruntled employees, poor separation of duties.
Technical
Backdoors, trapdoors.
Unforeseeable
DoS attacks, natural disasters.
Risks can also be:
Business risks – loss or gain.
Pure risk – loss only (insurable: fire, theft).

16
Q

Identifying Risks

A

Identifying risks is the process of understanding what potential events might hurt or enhance a particular project.
Another consideration is the likelihood of advanced discovery.
Risk identification tools and techniques include:
  Brainstorming
  The Delphi Technique
  Interviewing
  SWOT analysis
  Focus groups
  Storyboarding
  Surveys, checklists
  Interviews

17
Q

Conducting Risk Assessments

A

Risk assessment:

The goal is to determine how much harm threats could possibly cause to computers and networks in a given timeframe.

Generally, risk assessments follow this order:

  1. Identify the organization’s assets.
  2. Identify vulnerabilities.
  3. Identify threats and threat likelihood.
  4. Identify the potential monetary impact.

Risk register:

Also known as a risk log.
Helps to track issues and address problems as they occur.

18
Q

Risk Assessment

A

Single most important step in developing a secure infrastructure in an organization.
Identifies and assigns risk levels to identified threats/ risks
by comparing the nature of threats to the safeguards/ controls designed to minimize them.
Use a control spreadsheet/ risk register:
  List assets down the side.
  List threats across the top.
  List the controls that are currently in use to address each threat in the corresponding cells.
Allows optimization of controls based on risk.

19
Q

Risk Assessment

A

Identify the assets critical to an organization and its infrastructure:
  Organization’s data files: most important.
  Mission-critical applications: also very important.
    Programs critical to survival of the business.
  Hardware, software components: important, but easily replaceable.
Evaluate assets based on their importance.
Prioritizing assets is a business decision, not a technology decision.
Value of an asset is a function of:
  Its replacement cost.
  Personnel time to replace the asset.
  Lost revenue due to the absence of the asset.

20
Q

Risk Register/ Control Spreadsheet

A

The main output of the risk identification process is a list of identified risks and other information needed to begin creating a risk register.
A risk register is:
  A document that contains the results of various risk management processes and that is often displayed in a table or spreadsheet format.
  A tool for documenting potential risk events and related information.
Risk events refer to specific, uncertain events that may occur to the detriment or enhancement of the project.

21
Q

Performing Qualitative Risk Analysis

A

Assess the likelihood and impact of identified risks to determine their magnitude and priority.
Subjective analysis:
  The probability of each risk occurring, using a standard scale - High, Medium, or Low (or a scale of 1 to 10).
  The impact of each risk, using a standard scale as above.
Probability/impact matrices:
  An assessment that assigns numeric values to the probability of a risk and the impact it can have on the system or network.

22
Q

Probability/Impact Matrix

A

A probability/impact matrix or chart lists the relative probability of a risk occurring on one side of a matrix (or axis of a chart) and the relative impact of the risk occurring on the other.
List the risks and then label each one as high, medium, or low in terms of its probability of occurrence and its impact if it did occur.

23
Q

Review Slide 18 Week 2

A

Review Slide 18 Week 2

24
Q

Security Threats

A

Identify threats:
  Any potentially adverse occurrence that can
    harm or interrupt the systems in an organization, or
    cause a monetary loss to an organization.
Rank threats according to:
  Their probability of occurrence.
  Likely cost if the threat occurs.
Take the nature of the business into account.
Example: Internet banking vs. a restaurant.
  Bank’s web site: has a higher probability of attack and a much bigger loss if it happens.
  Restaurant web site: much less likely, and a small loss.

25
Q

Review Slide 21 Week 2

A

Review Slide 21 Week 2

26
Q

Review Slide 20 Week 2

A

Review Slide 20 Week 2

27
Q

Watch List

A

A watch list is a list of risks that are low priority, but are still identified as potential risks.
Qualitative analysis can also identify risks that should be evaluated on a quantitative basis.

28
Q

Performing Quantitative Risk Analysis

A

Often follows qualitative risk analysis, but both can be done together.
Measures risk by using exact monetary values.
Attempts to give an expected yearly loss in dollars for any given risk.
Three values used when making quantitative risk calculations:
  Single loss expectancy (SLE)
  Annualized rate of occurrence (ARO)
  Annualized loss expectancy (ALE)

29
Q

Quantitative Risk Analysis

A

SLE – Single Loss Expectancy
The cost of a single loss.
SLE = Asset Value (AV) * Exposure Factor (EF)
The Exposure Factor (EF) is the percentage of an asset's value that is lost due to an incident, i.e. the amount of damage. Ex: 70% of the building will be lost.
ALE – Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk.
ALE = SLE * ARO (Annualized Rate of Occurrence)
This is the maximum amount you should be spending annually on countermeasures.

30
Q

Review Slide 25 Week 2

A

Review Slide 25 Week 2

31
Q

Example – Tie things together

A

Let us say your company has 1000 laptops that contain credit card numbers and other personal customer information that is classified as confidential and identifiable.
The information can potentially be stolen. This is the: Threat
If you do not encrypt the information, it can lead to the threat being exploited. This is the: Vulnerability
If you deploy an encryption technology and also access control mechanisms that will prevent anyone and everyone from accessing the information, this becomes a: Countermeasure or Safeguard

33
Q

Example – Tie things together

A

Let us say each laptop in this example costs $2500.
Let us say the company, based on its past incidents, estimates the value of the PII stored in each laptop at $22500 (regulatory fines, legal fees, staff hours spent in investigations, etc. if a laptop is stolen).
The true asset value (AV) of each laptop is: $2500 + $22500 = $25000 = AV.
Tangible assets are easy to calculate. Intangible assets like brand value: how do we define these in terms of $?
Market approach, income approach and cost approach.

34
Q

Example – Tie things together

A

Exposure Factor (EF) – In this case of a stolen laptop, let us assume the exposure factor is 100%.
Let us calculate SLE (Single Loss Expectancy). We know SLE = AV * EF.
In this example, AV = ? AV = $25,000
In this example, EF = ? EF = 100%
SLE = ? 25000 * 100% = $25,000

35
Q

Example – Tie things together

A

Let us calculate ALE (Annual Loss Expectancy).
We know AV = $25,000
We know EF = 100%
SLE = 25,000 * 100% = $25,000
ARO - the number of times you suffer this loss per year. Let us assume ARO = 11 incidents over the course of a year.
ALE = SLE * ARO = ? $25000 * 11 = $275,000

36
Q

Example – Tie things together

A

Let us say, after applying an encryption technology to protect laptops, the following apply to our laptop example:
AV = $25,000
EF = 10% (after putting our safeguard (encryption) in place, the EF is reduced to 10%)
Calculate SLE. SLE = AV * EF = 25,000 * 10% = $2500
ARO = 11
NEW ALE = SLE * ARO = 2500 * 11 = $27,500

37
Q

Total Cost of Ownership/ Return on Investment (ROI)

A

TCO = Total cost of a mitigating safeguard.
Upfront costs + annual cost of maintenance + staff hours + vendor maintenance fees + software subscription + ongoing maintenance costs, etc.
In our laptop theft example, let us assume we decide to encrypt the laptops and the cost to do this is as follows:
  Encryption software - $100/ laptop one-time = $100,000 for 1000 laptops.
  Annual support fee = $10,000 per year.
  Labor charges - 4 staff hours (@ the rate of $70 per hour) per laptop to install the software on one laptop -> 4000 staff hours for all the laptops -> $280,000 total labor charges, only for the first year.

38
Q

Total Cost of Ownership

A

TCO in year 1:
  Encryption software - $100/ laptop = $100,000 for 1000 laptops.
  Annual support fee = $10,000 per year.
  Labor charges - $280,000.
Total Cost of Ownership per year = sum of all the costs above = $390,000

39
Q

Return on Investment

A

ROI (value of safeguard): the amount of money saved by implementing a safeguard.
ROI = ALE before the safeguard was implemented – ALE after the safeguard was implemented (new ALE) – annual TCO
$275,000 - $27,500 - $136,667 = $110,833
If ROI is negative -> the safeguard is not financially viable. Else, it is a good choice.

40
Q

Countermeasure Selection/ Assessment

A

Cost of the countermeasure should be:
  Less than the value of the asset.
  Less than the benefit of the countermeasure.
  Should make the cost of the attack greater than the value the attacker will get out of it.
The countermeasure should be testable and difficult to tamper with.