2.2_ Risk Management and Threat Modeling Flashcards
(37 cards)
What’s the difference between a vulnerability, a threat, and a risk?
A vulnerability is an aspect of a business that can be exploited to compromise a system’s CIA.
A threat is an actor that might exploit a vulnerability.
A risk is a possibility of losing something valuable.
A _________ is an aspect of a business that can be exploited to compromise a system’s CIA.
Vulnerability
A _________ is an actor that might exploit a vulnerability.
Threat
A _________ is a possibility of losing something valuable.
Risk
Using the results of risk analysis to create a plan for preventing likely risks is called what?
Risk Management
Understanding what risks face an organization, which are most severe, and which are most likely is called what?
Risk Analysis
Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what actions can be done to prevent them is called what?
Threat Modeling
What is a business’s primary objective?
Profit
_____________ and _____________ directly contribute to business profit.
Risk analysis and management and threat modeling directly contribute to business profit.
_____________ helps businesses understand how much they’ll need to spend in the event of a given security breach.
Risk Analysis
_____________ results are shared upwards to the executives who make the major business decisions.
Threat Modeling
When possible, risks are measured ___________ in financial figures, which businesses use to prioritize threats.
Quantitatively
What does PASTA stand for?
It’s a Threat Modeling Methodology:
Process for Attack Simulation & Threat Analysis
What does OWASP stand for?
Spoofing, Tampering, Repudiation, Information Disclosure, DoS (Denial of Service), Elevation of Privilege
What are the steps involved in the OWASP Threat Modeling process?
- Determine assessment scope
- Identify threat agents
- Identify potential attacks
- Identify exploitable vulnerabilities
- Prioritize identified risks
- Mitigate risks
What is step 1 of the OWASP Threat Modeling process?
Determine Scope:
List the assets under consideration, determine their value, and define objectives for your threat modeling assessment.
What is step 2 of the OWASP Threat Modeling process?
Identify Threat Agents:
Determine which attackers would be interested in the relevant assets.
True or false:
Threat agents include a person or group that can produce a threat, whether or not that person or group is malicious.
True
What is step 3 of the OWASP Threat Modeling process?
Identify Potential Attacks:
Identify the attacks each agent is likely to perform.
_________ attackers use different modes of attack, and _________ attacks mean different risks and _________ considerations.
Different attackers use different modes of attack, and different attacks mean different risks and different considerations.
If a client’s web application is taken offline by a DoS attack, the severity of the risk depends on which threat agent is responsible. What would be the difference between script kiddies and APTs?
Script kiddies might DoS a server simply to cause trouble.
An APT might DoS a server as a smokescreen to steal valuable data.
___________ is the process of prioritizing threats identified in steps 1-4 based on their potential impact and likelihood.
Risk Analysis
___________ is evaluating risk based on intangible, unmeasurable factors.
Qualitative Analysis
Evaluating each risk based on its measured likelihood and impact is called what?
Quantitative Analysis
- Likelihood: The probability that an event will take place.
- Impact: The measure of the damage done if a risk takes place.