Week 3 Flashcards
(21 cards)
What are the 4 stages of the risk management lifecycle?
Identify (find risks)
Analyse (assess impact & probability)
Treat (mitigate, avoid, transfer, or accept)
Monitor (keep watching for changes)
What two things determine a risk’s rating?
Impact (how bad it is)
Probability (how likely it is)
What are 3 key factors in measuring impact?
Loss of confidentiality/integrity (e.g., data leaks)
System unavailability (e.g., downtime costs)
Indirect harm (e.g., reputation damage)
What makes an attack more likely?
Easy-to-exploit vulnerabilities
High-value target (e.g., customer data)
History of similar attacks
What’s the difference between qualitative and quantitative risk analysis?
Qualitative = Uses words (Low, Medium, High)
Quantitative = Uses numbers (e.g., $10,000 loss)
What are the 4 ways to handle risks?
- Avoid
🚫 Stop the risky activity entirely.
Example: Discontinue using an insecure IoT device if the risk is too high.
- Mitigate
🛡️ Reduce the risk’s impact or likelihood.
Example: Install security patches or use firewalls to protect IoT devices.
- Transfer
📜 Shift the risk to someone else.
Example: Buy cyber insurance to cover financial losses from a breach.
- Accept
🤷 Live with the risk (if fixing it costs more than the harm).
Example: Ignoring minor risks on a low-value device.
What are the 3 types of security controls?
Preventive (stop attacks, e.g., firewalls)
Detective (find attacks, e.g., monitoring)
Reactive (respond, e.g., backups)
Name 3 important security controls from CIS.
Patch management (fix vulnerabilities)
Access control (limit who can see data)
Incident response (plan for breaches)
Why is continuous monitoring important?
To catch new threats early (e.g., malware, unpatched systems).
What makes risk management difficult?
Hard to value intangible assets (e.g., reputation)
Future attacks are unpredictable
Deciding which risks to accept is subjective
A hacker exploits weak passwords. What’s the impact, probability, and a possible control?
Impact: High (data theft)
Probability: Medium (common attack)
Control: Multi-factor authentication (MFA)
What is IoT?
A network of smart devices (like cameras, thermostats, wearables) that connect to the internet to share data.
What are the 4 main steps in IoT data flow?
Device (sensor collects data).
Network (Wi-Fi/Bluetooth sends data).
Cloud (stores/processes data).
User (views/controls via app).
Why do traditional risk assessments fail for IoT?
IoT devices change constantly, but traditional methods reassess risks only every few months.
Why is IoT security hard for companies?
They often don’t even know all the connected devices (e.g., third-party gadgets).
Example: British Airways hack came from a third-party vendor’s software.
How can hackers misuse IoT devices?
They hack them to launch big attacks (like DDoS), not just steal data.
Example: Mirai Botnet (2016) – Used hacked cameras to crash websites.
What’s the “glue” problem in IoT security?
Risk checks focus on devices, not how they interact (e.g., a smart lightbulb hacked to access a corporate network).
Name 3 big IoT security flaws.
Default passwords (e.g., “admin/admin”).
No encryption (easy data theft).
No updates (devices stay vulnerable).
Example: Some cameras hacked in under 2 minutes!
What’s one law improving IoT security?
UK’s 2022 IoT Law bans default passwords and forces security updates.
What’s the #1 thing users should do for IoT safety?
Change default passwords and update firmware regularly!
A smart fridge gets hacked. What’s the risk?
Could join a botnet to attack other systems.
Could leak Wi-Fi passwords to hackers.
Fix: Use strong passwords + updates.