Identify the Likelihood Such Attacks Would Succeed
how likely a threat will attempt to be exploited, how likely the exploitation will succeed, and how likely there will be negative impact from said exploitation
Identify Vulnerabilities and the Conditions Needed to Exploit Them
define what vulnerabilities you have and how exploitable they are
Identify Threat Events
come up with every threat you can think of, divided into adversarial and non-adversarial, then rank them by criticality
You can’t prepare for threats that you didn’t anticipate
not completely true hahaha
Identify and Document Threat Sources
Find adversarial and non-adversarial threats; assess them in terms of things that COULD happen
define parameters
scope and the 3 parts of context
I assume that the answers to the questions should be ones that non-industry pros could understand
You may want to start with a data audit
what data you're protecting, how you're protecting it, and how it's being stored
So this cyber risk assessment will serve as a sort of executive summary to help those parties make informed decisions about security
key is to make it relevant to BoD and Stakeholders who may not be tech-savvy
And you have to be careful when you’re looking for advice on performing a cyber risk analysis, because if you forget the word “cyber” you end up in a land of industrial manufacturing accidents and death & dismemberment clauses.
Indicates that CRMs are still relatively new and not as high a concern when compared with traditional ideas of "risk"
In simple terms, a risk management standard is the combination of a description of the risk management process, together with the recommended framework
What is a risk management standard?
four categories
I think these are the program management outcomes
An event with the ability to impact (inhibit, enhance or cause doubt about) the effectiveness and efficiency of the core processes of an organization
The book's definition of risk
Organizations that are faced with alternative objectives seek to understand the shape and height of a curve for a potential business objective
the level of risk they can tolerate for a given scenario and its objective
The board of directors is responsible for providing risk oversight of enterprise risk management culture, capabilities, and practices.
a team of senior members that oversee all tasks related to risk within their field
should contain diverse skillsets and backgrounds and have strong leadership skillz
generally has some level of expertise in whatever field they're "directing"
along with the governance model that will determine who will be responsible for each area of the ISRM strategy
Falls under GRM
Aligning stakeholders
Make sure the stakeholders have an understanding of what the IRM program does and how it aligns with their goals
To cope with an ever-increasing number of regulations, these programs streamline security processes and workflows so that compliance is a byproduct
being healthy and happy are byproducts of brushing your teeth, working out, and eating good foods
Mapping policies and standards to an industry-recognized comprehensive framework is more important than adopting any particular framework
every company has different goals so the use of frameworks should be tailored to fit those goals franken-framework???
taxonomies
An ordered arrangement of groups or categories
IRM programs select roles for targeted efforts based on their level of policy compliance and the amount of harm their behavior can cause
why the sales rep is a cog in the greater cybersecurity machine
IRM programs also find ways to identify employees who exhibit desired behaviors and reward them with praise or tokens of appreciation
whoever has the least failed phishing tests gets a gift card
Campaigns based on the psychological drivers of end user behavior are much more likely to result in lasting behavior change.
Ashley Rose in the first video talks about this: remembering your first college party vs. the last test you took
the institution of relatively modest incentives for secure behavior, even limited to praise and token rewards, will have a greater impact on behavior than additional investments in training and communication.
security-oriented company culture
Still, successful programs use failure modes as a systematic means to identify the relevant risks.
asset 1 is very important to us, how could it fail?
By analyzing close calls in addition to loss events, high-performing IRM programs dramatically increase their collection of incident data for understanding threat and vulnerability patterns.
can identify patterns of risky behavior
IRM programs invest in monitoring and analysis to identify emerging risks and mitigate them proactively.
proactive and preemptive response to risk as opposed to reactive
Innovative tactics work by finding pragmatic substitutes for actuarial data and identifying observable aspects of business operations that can serve as warning signals for likely changes in risk exposure
find ways to measure risk in a meaningful way, then use that data effectively
mobilizing against challenges just over the horizon.
resiliency
Retention
comparison between the amount of risk transferred via insurance vs the amount of risk retained
risk retention is inversely related to the cost of risk insurance
They introduce a twin-tier approach with a first tier being the correlation of cyber risks within a firm (e.g., correlated failure of multiple systems on its internal network). The second tier refers to the correlation at a global level, meaning correlation across independent firms in an insurer's portfolio. Local cyber loss events such as an insider attack (high internal, low global correlation) are easier to insure than global loss events because the necessary premium for global loss events would be extremely high due to the lack of diversification opportunities.
Internal: stuff that goes wrong within a firm
External: stuff that goes wrong that affects a firm's clients and third parties (I think??)
actuarial
statistics, particularly relating to insurance
Transfer
This part is very heavy on the use of cyber insurance. It goes into a lot of insurance stuff that kinda just went over my head
Mitigation
Proactively mitigate risk by analyzing main security concerns and how to satisfy them
Also goes into detail on how to properly invest in information security by comparing each investment with the value of the risk (I still don't understand how this is done)
four security issues ("access to information systems, secure communication, security management, and development of secure information systems") and related techniques (password and biometrical authentication; cryptographic techniques; key management, virtual private networks, and programming language security)
Technical mitigations defined by established security considerations and their associated techniques
Parkerian hexad
Like the CIA triad but more detailed, containing 6 pillars as opposed to the original 3
Avoidance
Avoiding risk wherever possible. This treatment is not as relevant today because it isn't resilience-focused (I think)
They use the example of requiring security policies for IoT devices because they're usually cheap. They also say that this example could be under mitigation
The estimated likelihood and potential impact are used to determine the appropriate treatment, which includes avoidance, mitigation to reduce likelihood and/or potential impact, transfer, and retention.
The proper treatment for a cyber incident is determined by the likelihood of the event and the potential impact of said event
The three types of treatments are: avoidance; mitigation to reduce likelihood/potential impact; transfer; retention
One way to classify and identify cyberattacks is whether they affect the "confidentiality, availability or integrity of information or information systems"
The CIA triad
This section summarizes, in chronological order, the discussions surrounding cybersecurity issues in the early days and how cyber risk was eventually identified as one of the major risk categories facing organizations
gives historical account of how cyber risks have been identified
promulgation
noun
the act of making a law or decree known, or formally putting it into effect, by public declaration: Upon adoption, signing, and promulgation of these provisions in the established procedure, they acquire the power of law.
the act of publicly teaching or setting forth an idea, doctrine, etc.: The systematic study of parasites began with the promulgation of the germ theory.
metric descriptor
Short phrase describing what the metric does and what it measures
Similarly, a few metrics in the catalog were defined from the cyber resiliency design principles
ST-#-#
ST: structural design principle metric; the first number is the number of said design principle
A few metrics in the catalog were defined from cyber resiliency techniques and approaches. These have identifiers of the form TE-AP-#
TE-AP-#
TE: technique AP: approach #: number assignment
metric identifier
generally formatted as: OO-S#-A#-# ex. PA-S1-A2-2
OO: any one of the cyber resiliency objectives; A for Prevent/Avoid, PR for Prepare, CN for Continue, CS for Constrain, RE for Reconstitute, UN for Understand, TR for Transform, and RA for Re-Architect.
S# and A# are the sub objective and activity, respectively
The last space is to assign a number to the objective
catalog entries include information about cyber resilient TTPs and accompanying information about them
Finally, depending on how an organization has defined or articulated its risk management strategy, the selection and tailoring of cyber resiliency design principles can be driven by that strategy.
design principles are driven by organization goals and risk management strategy
Representative environmental factors
determine which design principles are used, how to use them for the target environment, and how to describe said design principles
Re-Architect is supported by most of the strategic design principles, and (in conjunction with the organization's risk management strategy) drives the selection of structural design principles
re-architect is supported by strategic design principles and drives structural design principles
Prepare involves creating and maintaining a set of realistic courses of action, which are based on the architecture, design, and implementation, rather than driving them.
Prepare comes as a result of arch, des, and impl
Most of these frameworks provide some subjective guidance from different angles of resilience study and lack a clear explanation of the quantitative resilience metrics formulation
reason for this paper