Lecture 19: 22nd November 2019 Flashcards
Risk and assurance
What is a risk?
Risk = the probability of a threat and the resulting impact should it occur
What is a threat?
Threat = An attack vector: a means by which an attacker may exploit system vulnerabilities.
What is risk management?
The investigation, identification, analysis, evaluation, and mitigation or addressing of cybersecurity risks facing an entity.
What are the 3 main steps of risk assessment according to NIST?
- Risk Assessment
- Risk Mitigation
- Evaluation and Assessment
What are the levels of threat impact under NIST800-30?
high: high cost; high harm to reputation or mission; human death or serious injury possible.
medium: some cost; some harm to reputation or mission; may result in injury.
low: little cost; little harm to reputation or mission
When are risks acceptable under NIST800-30?
If the cost of performing the attack to enact the risk >= the gain for the attacker or the impact of the risk is below some predefined threshold.
What is Failure on Demand?
Different classifications of the frequency of a system failure.
What is a Risk Matrix?
A table showing how risks are composed and allowing users to easily find the risk from the probability and impact of a risk.
How does a Risk Matrix work?
Columns of impact levels (low, medium, high) and rows of probability (low, medium, high). Resultant risks in cells from multiplying column by row: impact by probability.
What is a Threat Tree?
A model used to relate threats in testing and auditing that aims to find the weak points in a system and identify root causes of different threats.
How does a Threat Tree work?
Risks are joined by dependencies that build the graph from a root action. If you can remove the root node (if one) you remove all risks. If you remove the root of a subtree you remove all risks in the subtree. So removing a parent node (root cause) removes all child node risks.
What is SWOT analysis?
An analysis method that aims to find the weakest and strongest points in a system by listing its strengths, weaknesses, opportunities, and threats.
What is a failure?
An issue with a system that prevents it from functioning as required.
What is failure frequency?
The rate at which a given failure is estimated to occur, i.e. the number of times it will happen in a given time.
What is a system boundary?
An artificially defined edge of a set of information resources allocated to a computer system, including but not limited to security services, virtualization components, servers (web, application, database, DNS, etc.), and network components. Complex computer systems may have several sub-systems that are separated, with their own boundaries.