Business Continuity Plan (A. Edris)
how an organization will recover and restore partially or completely interrupted critical function(s) after a disaster or extended disruption
Risk mitigation plans (A. Edris)
Identify, assess and prioritize risks and plan responses to deal with the impact of these risks on the operation of the business
Risk (N. Juaneza)
The chance a vulnerability will be exploited by a threat actor.
Improper Access Control (N. Juaneza)
weak defenses that an attacker can easily compromise.
Quantitative risk: ALE (T. Singh)
Expected yearly cost of a specific risk. Formula: Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
Compensative (K.Zhuang)
talks about how a different action is done to offset the risks when the primary control is not able to be used or not being fully effective.
MTTR (T. Singh)
measuring the average time it takes for a security team to clean up an incident, from when the alert is triggered to when the threat is fully mitigated and the system is restored.
Formula: Total time spent on repairs ÷ Number of repairs.
Corrective (K.Zhuang)
Talks about the actions that they do after something has happened to fix or mitigate the problem to operate how they were before the incident.
MTD (Maximum Tolerable Downtime) (M.Patel)
The longest time a business can be down before it causes harm to the business
Risk Transfer (Konrad M.)
Risk management strategy where you pay another party to take responsibility of mitigating the risk.
Ex: Purchasing Insurance.
Impact (B. Concepcion)
damage done to an organization as a result of an attack
AIS (Automated Indicator Sharing) (B. Concepcion)
a CISA service that allows the sharing of attack indicators between government organizations and private organizations
DR site risk assessment (Konrad M.)
The process of identifying, evaluating and prioritizing potential hazards and vulnerabilities that could disrupt business operations.
What is a Dial up modem (K. Simon)
Converts digital data into analog audio data that can be transferred over the phone and vice versa
External Risk (Hussain A.)
Cyber threat actors who have no authorized access or natural/human made disasters
SLE (eli smith)
single loss expectancy.
SLE = AV x EF (asset value times exposure factor)
IOA (eli smith)
indicators of attack
Risk Avoidance (C.Harrison)
avoiding any exposure to risk by getting rid of the activity. An example is getting rid of Wi-Fi when there is a threat of your Wi-Fi getting hacked.
What is a War dialer? (K. Simon)
A tool that dials many numbers to find numbers that connect to modems, fax machines, or others.
MEF (Bradley S.)
a global industry association that defines service standards, frameworks, and certification programs for network, cloud, and technology providers. Strong focus on automated digital systems.
Cybersecurity Infrastructure and Security Agency (CISA) (Hussain A.)
Leading efforts to automate the sharing of cybersecurity information for free
Disaster Recovery: functional exercises (T. Kashyap)
Essentially a drill of the recovery processes required when there is a disaster.
Detective Control (T. Kashyap)
Will not prevent an attack, but will record any attempts and alert someone.
Quantitative Risk Assessment: Exposure Factor (Manas Nagelia)
The percent of the value of an asset that would be lost in a single threat
Risk Acceptance (Dominic Downey)
Deciding it costs more to try and mitigate an attack than to allow the potential risk
Internal Risk Example (Yubraj G.)
Example: Students, Teachers, Administrators, Staff, Contractors
Risk Management (A. Corn)
How someone responds to a risk.
Ex. Accepting the risk, Hiring a 3rd party, Mitigating the risk.
IOC (Indicators of Compromise) (C.Hickman)
A weird file transfer late at night to an address you don't remember.
MTTF (I. Swain)
the average amount of time it takes for a network to stop functioning under normal conditions
exploit (C. Harrison)
a method used to take advantage of a vulnerability to endanger an asset.
DR plans (I. Swain)
a series of steps used to correct a system after an inference- Cisco Talos creates these
Security Control: Deterrent (Preston L.)
The use of prevention measures to restrict behaviors; these could include security cameras or active security guards.
Security Control: Recovery (Preston L.)
Built-in measures to recover losses after a security breach or error. Examples:
-Data back-ups in the event of data corruption or a threat actor transferring/withholding data
-Fault tolerance drive systems
quantitative risk: ARO (Victoria O.)
annualized rate of occurrence, ARO = ALE/SLE
What is RPO (Recovery point objective)
the amount of data or time loss a company can take after a data loss disaster
Vulnerability (A. Corn)
A weakness in a system that can be exploited.
Environmental Disaster (Manas Nagelia)
Damages coming from nature, like earthquakes, storms, floods, etc., that damage business operations
External Risk Examples (Hussain A.)
- Black Hat Hackers
- Grey Hat Hackers
- Tsunami
DR (Disaster Recovery): Person Made (Elias C.)
Deals with the recovery of man-made disasters such as cyberattacks or human error.
Internal Risk (Yubraj G.)
Potential threats from within an organization that can lead to legal or financial problems
NCSA (National Cyber Security Alliance) (Kevin W.)
Organization which spreads cybersecurity to the public. Promotes NCASM with CISA each October.
RTO (Recovery Time Objective) (Kevin W.)
The target time by organizations/companies to restore system function. More critical objectives have a lower time.
Risk Mitigation (C.Hickman)
Ways to reduce the risk of an attack happening by making your network safer. Ex. Adding better passwords or encrypting messages
Devices used for hacking in the 1980s? (K. Simon)
Blue box, red box, Dial up modems, War dialers
Business Continuity Planning (Yubraj G.)
Identifying threats and making a plan to maintain functions and services after the disruption
Countermeasure (David A.)
Things that an organization may do in order to protect assets
MTBF ( Hannan H.)
The average amount of time a device is expected to work before it fails.
First Hacking Attacks (Kevin W.)
-War dialing: Using automated systems to dial numbers to find lines with connected devices.
-Brute forcing: Trying default and common usernames and passwords to get into systems.
-Phreaking: Using tools and methods to manipulate telephone communications (e.g., using a blue box to mimic certain tones)
DR: tabletop exercises (Bradley S.)
An organization's key personnel work through a simulation of possible cyberattack or disaster scenarios. They develop a disaster recovery plan.
Threat
Possible danger to an "asset" which could be data or the network itself
Attack Surface (Dominic Downey)
All the points a hacker could try to get unauthorized access into the network
Attack Vector ( Hannan H. )
The method or path that a hacker uses to gain unauthorized access to a system.
Functional Security Controls: Preventive (T. Kashyap)
Security measures that are designed to prevent unauthorized/unwanted activities from happening.
DR (Disaster Recovery): Full Scale Exercises (Elias C.)
Realistic simulations/tests of the ability of an organization to recover from major cyberattacks.
MTD (Maximum Tolerable Downtime) (M.Patel)
The longest time a business can be disrupted before it is harmful to the business.
Business Impact Analysis (J.Oppong)
Calculating the impact of loss that may occur for multiple threat scenarios.