Week 3 - Risk and an introduction to human factors Flashcards

1
Q

Define risk.

A

the degree of impact from a threat and the likelihood of that threat occurring.

2
Q

Two terms used to quantify risk?

A

impact
likelihood

3
Q

Quantify risk - summarise impact

A

measure of the degree of harm to assets by a breach

4
Q

Quantify risk - summarise likelihood

A

considered in relation to threat and vulnerability levels. the higher the levels, the higher the likelihood.

5
Q

Risk management - what are the three categories once identified and quantified?

A

acceptable
limited or no impact

tolerable
ALARA (as low as reasonably achievable) - as low as possible to meet standards.

ALARP (as low as reasonably practicable) - further action not worth it

intolerable
threats must be eliminated or systems abandoned.

6
Q

Define the human factor

A

socio-technical: the interaction of humans and security technologies.

the individual
the job
the organisation

7
Q

Define social engineering

A

the act of deceiving an individual into revealing information that can be used to gain confidence and trust

8
Q

Principles of social engineering (psychology): reciprocity

A

people tend to return favors

9
Q

Principles of social engineering (psychology): scarcity

A

time-sensitive, such as job offers or discounts

10
Q

Principles of social engineering (psychology): authority

A

people tend to obey authority figures

11
Q

Principles of social engineering (psychology): commitment and consistency

A

people don't like to go back on their word and will continue a task even if it is risky

12
Q

Principles of social engineering (psychology): liking

A

people can be persuaded to perform a task if they like the person asking

13
Q

Principles of social engineering (psychology): consensus

A

people will copy behaviours, especially if they see others benefiting.

14
Q

Social engineering techniques: phishing

A

untargeted attempts to solicit personal information from a victim

15
Q

Social engineering techniques: spear-phishing

A

a targeted form of phishing

16
Q

Social engineering techniques: whaling

A

spear-phishing aimed at senior executives in an organisation

17
Q

Social engineering techniques: vishing

A

voice phishing: a related attack vector where the attacker solicits information from the victim in a phone call

18
Q

Social engineering techniques: smishing

A

conducts the attack using messaging services such as SMS

19
Q

Social engineering techniques: pretexting

A

a scenario is created to coax valuable information

20
Q

Social engineering techniques: impersonation

A

impersonating someone else to gain access

21
Q

Social engineering techniques: baiting

A

victims are enticed to compromise their own security; the attack relies on greed (USB, disk, free links)

22
Q

Social engineering techniques: quid-pro-quo

A

victims willingly give away information for an immediate reward.

23
Q

Social engineering techniques: water-holing

A

like animals grazing around a water hole, victims tend to gather around a specific website or board. the attacker then injects malware onto all visiting computers

24
Q

Social engineering techniques: tailgating (piggybacking)

A

a physical attack to bypass physical security such as locked doors.

25
Q

What is pen testing?

A

breaking into security controls to expose weaknesses as part of the auditing process.

26
Q

What are the three categories of pen testing? Black box

A

black box
with no information, a pen tester will use step 1 of the cyber kill chain (reconnaissance). this simulates an external attack and may not always discover every weakness.

27
Q

What are the three categories of pen testing? Grey box

A

a partial view of the system is provided; this allows pen testers faster access. this can mimic a previous attack and simulates an insider threat.

28
Q

What are the three categories of pen testing? White box

A

comprehensive insight and high-level permissions are given. specialist cyber security tools are used. simulates insider and outsider threats.

expensive and time consuming, and is within a scope so not all parts of the system are tested.