BCP (Business Continuity Plan)
Plan that ensures mission critical systems CONTINUE to function after a disaster.
Risk
likelihood or probability that something unexpected will occur
T/F Risk is the process of identifying, assessing, controlling, and eliminating risk.
False
Confidentiality
Keeping organizational information hidden and secured. (Can the bad guys see the stuff?) (Passwords and encryption)
Integrity
Keeping data the same and accurate. (Can the bad guys change our data?) (Hash functions)
Availability
Keeping the servers up and making sure everything is running. (Can the bad guys take our stuff down?) (Failover cluster)
User Domain
the employee using the system. Beware of human error!
Workstation Domain
The computer being used by employees. Beware of viruses.
LAN Domain
Domain that connects all devices from the switch, to the router.
LAN - WAN Domain
Infrastructure that connects the LAN to the Wide Area Network (Internet)
WAN Domain
Infrastructure where all external users exist
Remote Access Domain
Where employees can gain access to the IT infrastructure remotely
System App. Domain
System and software applications that users have access to.
(FISMA) Federal Information Security Management Act
Federal Law that ensures federal agencies protect their systems and data, comply with elements of the law, and integrate security in all processes
(HIPAA) Health Insurance Portability and Accountability Act
Compliance law that forces any institution that has medical data to protect health information.
(GLBA) Gramm Leach Bliley Act
Applies to banks, brokerage companies, and insurance companies. Financial Privacy Rule: notify customers about privacy practices. Safeguards Rule: security to protect customer information.
FERPA (Family Educational Rights and Privacy Act)
Applies to all educational institutions. Students younger than 18 can have parents inspect records. Protects PII for students
COPPA (Children's Online Privacy Protection Act)
Protects the privacy of students 13 and younger
NIST
Promotes innovation and competitiveness among US businesses. Calls on businesses to act reasonably.
PCI DSS (Payment Card Industry Data Security Standard)
Standard for any business that accepts payment cards.
GDPR (General Data Protection Regulation)
Regulates how companies protect the personal data of EU citizens and those in the European Economic Area
Intentional Threats
Acts that are hostile to an organization on purpose
DMZ
Zone between the Internet and the Internal network. It is used as a security checkpoint for data to keep external users out of the internal network.
SOX Sarbanes Oxley Act
Regulatory framework that aims to enhance the accuracy and reliability of financial reporting within publicly traded companies.
Residual Risk
the risk that remains after management implements internal controls or some other response to risk
Security and Usability Balance
Too much security reduces usability. Too much usability reduces security.
Vulnerability
Weakness in a system that can be exploited by a threat actor
Physical Controls
Locked Doors, Security Guards, ID cards
Technical Controls
Software installed on a system to make it more secure
Procedural Controls
Policies and procedures made by management
CBA
Is the risk worth the money to reduce it?
Quantitative Risk Assessment
Using financial numbers and values to determine the objective losses that could be possible.
Qualitative Risk Assessment
Using judgment to categorize risks. It is based on impact and likelihood of occurrence. Usually conducted by experts.
Annual Loss Expectancy ALE
The single loss expectancy x the annual rate of occurrence
Single Loss Expectancy SLE
The expected monetary loss every time a risk occurs.
Annual Rate of Occurrence ARO
how many times the loss will occur in a year
Safeguards
A fun and fancy way to say "controls"
Hot Site
A site that can get the organization up and running very quickly. Equipped with everything the organization needs. Very Expensive.
Cold Site
A building the organization can relocate to in case of an emergency. Has nothing in it. Bare bones. Very cheap.
Warm Site
Compromise between a cold and a hot site.
Mobile Site
A mobile vehicle that can cover a large area between business locations. Similar to a warm site in the way it functions.
Vulnerability Assessment
An assessment that will SHOW all possible vulnerabilities in the organization.
Pen Test (Exploit Assessment)
An assessment that will discover vulnerabilities in an organization and will exploit them to see the actual damage that could be caused.
DRP (Disaster Recovery Plan)
Plan that helps identify steps needed to restore a FAILED system
BIA (Business Impact Analysis)
Analysis that sees how exploited vulnerabilities could affect the business.
Symmetrical Encryption
A shared key usually used privately between two people. The key is the same for both people. If a message is encrypted with the key, it is decrypted with the same key.
Asymmetrical Encryption
A two-pair key system using a public key and a private key. The public key is given to everyone while the private key is not shared at all. Bob gives Alice his public key. Alice uses that key to encrypt her message to Bob. Bob then uses his private key to decrypt it. Vice versa, Alice will give Bob her public key.
Historical Data
Looking at security footage, company records, or searching the internet for stories on a specific security incident that may have already happened within the organization.
Principle of Least Privilege
Information security concept which maintains that a user or entity should only have access to the resources and applications needed to complete a required task. New employees should not have admin privileges.
Principle of Need to Know
You want to ensure that users are granted only the permissions needed to access data required to perform their jobs. New employees do not need to see other individuals' emails unless they are sent to them.
Intrusion Detection System (IDS)
Application that will flag any errors or out-of-the-ordinary occurrences in the system. False positives are possible and missed intrusions are also possible.
Intrusion Protection System (IPS)
Application that will try to actively deal with any detected threats.
TCP three-way handshake
Host sends the server a SYN packet. Server responds with a SYN-ACK packet. Host responds with an ACK packet. If the Server's port is closed it will respond with an RST packet rather than a SYN-ACK
TCP attack
Host sends the server a SYN packet. Server responds with a SYN-ACK packet. Host withholds the ACK packet, confusing the server
Threat Modeling
Thinking like a criminal to determine all vulnerabilities and possible threats for the future.
· WHAT SYSTEM NEEDS TO BE PROTECTED?
· IS THE SYSTEM SUSCEPTIBLE TO ATTACKS?
· WHO ARE THE POTENTIAL ADVERSARIES?
· HOW WOULD AN ADVERSARY ATTACK?
· IS THE SYSTEM SUSCEPTIBLE TO HARDWARE OR SOFTWARE FAILURE?
· WHO ARE THE USERS?
· HOW MIGHT AN INTERNAL USER MISUSE THE SYSTEM?