Chapter 2: Risk Management
NIST SP 800-161
A good resource to help integrate supply chain risk into your risk management program.
Which best describes a quantitative risk analysis?
A method that assigns monetary values to components in the risk assessment.
Risk Assessment vs Risk Analysis
A risk assessment is used to gather data, a risk analysis examines the gathered data to produce results that can be acted upon.
Vulnerability assessment vs risk assessment
A vulnerability assessment just finds the vulnerabilities (the holes) and risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.
A business impact analysis (BIA) is often the most important first step in what process?
Business continuity planning (BCP)
Administrative Controls
Commonly referred to as soft controls because they are more management oriented. *security documentation, risk management, personnel security and training*
Business Process Compromise (BPC)
Commonly targeted at the financial sector, where transaction amounts, deposit accounts, or other parameters are changed to funnel money into the attackers' pockets.
Risk Analysis
Detailed examination of the components of risk that is used to ensure security is cost-effective, relevant, timely, and responsive to threats.
Third-Party Assessments
Considered best practice and may be required for compliance.
Threat Working Group (TWG)
Consists of members from all major parts of the organization, meeting regularly to review the list of risks and ensure that threats and controls remain valid.
Monitor Risk
Continuously monitor the effectiveness of our controls against the risks for which we designed them.
Service Level Agreement (SLA)
Contractual agreement that states that a service provider guarantees a certain level of service. Provides a mechanism to mitigate some of the risk from service providers in the supply chain.
Which is the most valuable technique when determining if a specific security control should be implemented?
Cost/benefit analysis
Does not support the idea of calculating exploitation probability numbers or annualized loss expectancy values. Believes that trying to use mathematical formulas for the calculation of risk is too confusing and time-consuming.
FRAP
Which risk assessment methodology is known for using Boolean logic expressions to help identify failures in complicated systems?
Fault tree analysis
Corrective Security Control
Fixes components or systems after an incident has occurred.
Facilitated Risk Analysis Process (FRAP)
Focuses only on the systems that really need assessing, to reduce costs and time obligations. Analyzes one system, application, or business process at a time.
ISO/IEC 27031:2011
Guidelines for information and communications technology readiness for BC.
A large grocery store chain has discovered that their customers' credit card details are being stolen whenever the customer swipes their card for payment. After an investigation, it is determined that a malicious threat actor working at the factory where these point of sale (PoS) devices are assembled has been adding a component capable of skimming, storing, and exfiltrating credit card details when they are swiped. This is an example of what kind of risk?
Hardware Trojan supply chain
Detective Security Control
Helps identify an incident's activities and potentially an intruder.
Which two categories of controls should always be implemented together and should complement each other?
Preventative & Detective
Disaster Recovery (DR)
Process of minimizing the effects of a disaster or major disruption. It means taking the necessary steps to ensure that the resources, personnel, and business processes are safe and able to resume operation in a timely manner.
Upstream Suppliers
Suppliers that provide materials, goods, or services to your company, which your company in turn uses to provide whatever it supplies to others.
Effects Analysis (FMEA)
Impact of that break or failure.
Business Impact Analysis (BIA)
In which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level.
Preventive Security Control
Intended to avoid an incident from occurring.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Intended to be used in situations where people manage and direct the risk evaluation for information security within their organization. Relies on the idea that the people working in these environments best understand what is needed and what kind of risks they are facing. Assesses all systems, applications, and business processes within the organization.
Recovery Security Control
Intended to bring the environment back to regular operations.
Deterrent Security Control
Intended to discourage a potential attacker.
Risk Monitoring
Ongoing process of adding new risks, reevaluating existing ones, removing moot ones, and continuously assessing the effectiveness of our controls at mitigating all risks to tolerable levels. (effectiveness, change, compliance)
Loss Potential
What an organization could lose in assets or revenues if a threat agent actually exploited a vulnerability.
Instead of being considered an outsider, BCP should be
Part of the team; final responsibility should belong to a high-level executive manager.
Single point of failure (FMEA)
Represent vulnerabilities that could directly affect the productivity of the network as a whole.
Exposure Factor (EF)
Represents the percentage of loss a realized threat could have on a certain asset.
What is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact?
Risk
Total Risk
Risk an organization faces if it chooses not to implement any type of safeguard.
A risk assessment must be supported and directed by:
Senior management.
Delayed Loss
Takes place after a vulnerability is exploited. May include damage to the organization's reputation, loss of market share, accrued late penalties, civil suits, the delayed collection of funds from customers, and resources required to reimage other compromised systems.
Risk Avoidance
Terminate the activity that is introducing the risk.
Defense in Depth
The coordinated use of multiple security controls in a layered approach.
Risk
The likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
Maximum Tolerable Downtime (MTD)
The maximum period of time that a business process can be down before the survival of the organization is at risk.
Accept the Risk
The organization understands the level of risk it is faced with as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure.
Risk Mitigation
The risk is reduced to a level considered acceptable enough to continue conducting business.
Residual Risk
The risk that is left over to deal with even after countermeasures are implemented.
Executives and Board Members
These leaders want to know whether risks can be properly mitigated or require change to the organizational strategy. Should also be briefed on risks that have been "accepted" and what their potential impact could be. Risk *heat maps* are used rather than verbose descriptions.
Project Sizing
Understand what assets and threats should be evaluated.
Hacktivists
Use cyberattacks to affect political or social change. Preferred objectives are highly visible to the public or yield information that, when made public, aims to embarrass government entities or undermine public trust in them.
Quantitative Risk Analysis
Used to assign monetary and numeric values to all elements of the risk analysis process.
Qualitative Risk Analysis
Uses a softer approach to the data elements of a risk analysis. It is more opinion and scenario based and uses a rating system to relay the risk criticality levels. (Red, yellow, green)
Which of the following statements is FALSE?
All threats are human individuals or groups
Delphi (qualitative risk technique)
Brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one on one meetings and interviews. A group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be.
How do you conceptually calculate residual risk?
(Threats x vulnerability x asset value) x controls gap
Annual Loss Expectancy (ALE)
ARO x SLE = ALE
Hardware Trojan
An electronic circuit that is added to an existing device in order to compromise its security or provide unauthorized functionality.
Control Assessments
An evaluation of one or more controls to determine the extent to which they are implemented correctly, operating as intended, and are producing the desired outcome.
Business Continuity (BC)
An organization's ability to maintain business functions or quickly resume them in the event that risks are realized and result in disruptions.
SLE (equation)
Asset Value (AV) * Exposure Factor (EF) = SLE
Script-kiddies
Basic grasp of hacking (but access to someone else's scripts or tools).
Why should the team that will perform and review the risk analysis information be made up of people from different departments?
Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
Respond to Risk
Becomes the matter of matching our limited resources with our prioritized set of controls.
Frame Risk
Defines the context within which all other risk activities take place.
Security Effectiveness
Deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system.
Risk Reporting
Enables organizational decision making, security governance, and day to day operations. Also important for compliance purposes.
Which best describes the purpose of the ALE calculation?
Estimates the loss potential of a threat in a span of a year.
Risk Reports should be made to?
Executives, (board members) Managers and risk owners.
Failure Mode (FMEA)
How something could break or fail.
Provides the information and direction for the organization's security risk management processes and procedures and should address all issues of information security.
ISRM policy.
Communicates information on the organization's risks to senior management and how to properly execute management's decisions on risk management tasks.
ISRM team
ISO 22301:2019
International standard for BC management systems, the specification document against which organizations will seek certification.
Illogical Processing & Cascading errors
Invalid results are passed on to another process. These types of problems can lie within application code and are very hard to identify.
Risk Management (RM)
Is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.
Annualized Rate of Occurrence (ARO)
Is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.
Physical Controls
Items put into place to protect facilities, personnel, and resources. *security guards, locks, fencing, lighting*
Failure Modes and Effect Analysis (FMEA)
Method of determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. Commonly used in product development and operational environments. *The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement control to reduce the impact of the break*
Risk assessment
Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.
Single Loss Expectancy (SLE)
Monetary value that is assigned to a single event that represents the organization's potential loss amount if a specific threat were to take place.
Managers
More detailed reports because they are responsible for, well, managing the risks. They want to know current risks and how they've been trending over time. *risk management boards*
Cybercriminals
Most common threat actors, motivated by greed or just have fun breaking things.
Risk Owners
Most detailed reporting because they are the staff members responsible for managing individual risks.
Describes four interrelated components that comprise the risk management process
NIST SP 800-39
Which is one of the first steps in developing a BCP?
Perform a business impact analysis.
Continuous Improvement
Practice of identifying opportunities, mitigating threats, improving quality and reducing waste as an ongoing effort. Hallmark of maturity and effective organizations.
Business Continuity Management (BCM)
Provides a framework for integrating resilience with the capability for effective responses in a manner that protects the interests of an organization's key stakeholders. The main objective is to allow the organization to continue to perform business operations under various conditions.
Compensating Security Control
Provides an alternative measure of control.
Transfer the risk
Purchase insurance; this transfers the risk to the insurance company.
Which kind of risk analysis may gather data from brainstorming, the Delphi Technique, storyboarding, focus groups, surveys, and one-on-one meetings or interviews?
Qualitative risk analysis
Why is a truly quantitative risk analysis not possible to achieve?
Quantitative measures must be applied to qualitative elements.
Quantitative vs Qualitative
Quantitative evaluation can be used for tangible assets (monetary values) and a qualitative assessment can be used for intangible assets (priority values).
Supply Chain
Sequence of suppliers involved in delivering some product.
Technical Controls
Software or hardware components *firewalls, IDS, encryption, identification, authentication*
NIST SP 800-30 Revision 1, Guide for conducting risk assessments
Specific to IS threats and how they relate to information security risks. 1. Prepare the assessment 2. Conduct the assessment 3. Communicate results 4. Maintain assessment
Change Advisory Board (CAB)
Standing group that reviews and approves any changes such as deployment of new policies, systems, and business processes. Measures changes through a variety of metrics that also are used to monitor risks.
Assess Risk
This is perhaps the most critical aspect of the process.
Which is the BEST term to denote a potential cause of an unwanted incident, which may result in harm to a system or organization?
Threat
Which of the following is not one of the three keys areas for risk monitoring?
Threat
total risk equation
Threat x Vulnerability x Asset Value
How do you calculate residual risk ?
Threats X vulnerability X asset value X control gap.
Maturity Models
Tools that allow us to determine the ability of our organizations for continuous improvement. A business decision, NOT a cybersecurity one.
Fault Tree Analysis (FTA)
Usually proves to be a more useful approach to identifying failures that can take place within more complex environments and systems. First, an undesired effect is taken as the root or top event of the tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions. This is done using computer programs that can calculate the failure probabilities from a fault tree.
Validation
Validate that the controls are producing the desired outcomes.
Verification
Verify that the manner in which it is implemented is correct and that controls are operating as intended.
Nation State Actors (state actors)
Very selective in who they target, use advanced capabilities to compromise systems and establish a persistent presence to allow them to collect intelligence for extended periods. Main motivations are espionage and gaining access to critical infrastructure.
When is it acceptable to take no action regarding an identified risk?
When the cost of the countermeasure is greater than the value of the asset and the potential loss.
When is it acceptable to not take action on an identified risk?
When the cost of the countermeasure outweighs the value of the asset and potential loss.
NIST SP 800-34 Revision 1 (R1)
Guidelines for performing business continuity and disaster recovery planning. The following list summarizes the steps in SP 800-34 R1: 1. Develop contingency planning policy. 2. Conduct business impact analysis (BIA). 3. Identify preventive controls. 4. Create recovery strategies. 5. Develop business continuity plan (BCP). 6. Test, train, and exercise. 7. Maintain the plan.
Residual risk equation
Threats x Vulnerability x Asset Value x Controls Gap, OR Total Risk - Countermeasures.