Week 3 - Risk and an introduction to human factors Flashcards
Define risk.
the degree of impact from a threat and the likelihood of that threat occurring.
Two terms used to quantify risk?
impact
likelihood
Quantify risk - summarise impact
measure of the degree of harm to assets by a breach
Quantify risk - summarise likelihood
considered in relation to threat and vulnerability levels. The higher the levels, the higher the likelihood.
Risk management - what are the three categories once identified and quantified?
acceptable
limited or no impact
tolerable
ALARA (as low as reasonably achievable): as low as possible to meet standards.
ALARP (as low as reasonably practicable): further action is not worth it.
intolerable
threats must be eliminated or systems abandoned.
Define the human factor
socio-technical: the interaction of humans and security technologies.
the individual
the job
the organisation
Define social engineering
the act of deceiving an individual into revealing information that can be used to gain confidence and trust
Principles of social engineering (psych): reciprocity
people tend to return favors
Principles of social engineering (psych): scarcity
time sensitive such as job offers or discounts
Principles of social engineering (psych): authority
people tend to obey authority figures
Principles of social engineering (psych): commitment and consistency
people don’t like to go back on their word and will continue a task even if risky
Principles of social engineering (psych): liking
people can be persuaded to perform a task if they like the person asking
Principles of social engineering (psych): consensus
people will copy behaviours, especially if they see others benefiting.
Social engineering techniques: phishing
untargeted attempts to solicit personal information from a victim
Social engineering techniques: spear-phishing
a targeted form of phishing
Social engineering techniques: whaling
spear-phishing aimed at senior executives in an organisation
Social engineering techniques: vishing
(voice phishing) is a related attack vector where the attacker solicits information from the victim in a phone call
Social engineering techniques: smishing
conducts the attack using messaging services such as SMS
Social engineering techniques: pretexting
a scenario is created to coax valuable information
Social engineering techniques: impersonation
impersonating someone else to gain access
Social engineering techniques: baiting
victims are enticed to compromise their security; the attack relies on greed (USB, disk, free links)
Social engineering techniques: quid-pro-quo
victims willingly give away information for an immediate reward.
Social engineering techniques: water-holing
like animals grazing around a water hole, victims tend to gather around a specific website or board. The attacker then injects malware onto all visiting computers.
Social engineering techniques: tailgating (piggybacking)
a physical attack to bypass physical security such as locked doors.
What is pen testing?
breaking into security controls to expose weaknesses as part of the auditing process.
What are the three categories of pen testing? Black box
with no information, a pen tester will use step 1 of the cyber kill chain (reconnaissance). This simulates an external attack and may not always discover every weakness.
What are the three categories of pen testing? Grey box
a partial view of the system is provided; this allows pen testers faster access. This can mimic a previous attack and simulates an insider threat.
What are the three categories of pen testing? White box
comprehensive insight and high-level permissions are given. Specialist cyber security tools are used. Simulates insider and outsider threats.
expensive and time consuming, and is within a scope, so not all parts of the system are tested.