1. Risk Management
- Three main objectives of cybersecurity (CIA): Confidentiality, Integrity and Availability. It is
also important to consider auditing (keeping records of what occurs) and non-repudiation (not
allowing a user/device to deny or cover up the actions it has taken).
- Two main ways of measuring risk: quantitative (percentage-based likelihood) and qualitative (more
intangible; ranked in terms of low, medium, high etc. and used for impacts that are harder to
quantify).
- Impact is the actual harm caused by a threat and can be measured both quantitatively and
qualitatively.
- Threats -> Vulnerability = Risk
- The NIST SP 800-30/37 documents contain a long list of potential threats that can be used during
risk assessment.
- OSINT = Open-source intelligence: knowledge of vulnerabilities, potential threats/threat actors
etc. gathered from openly accessible communication platforms.
- Script kiddies = trivial knowledge, often use pre-made scripts made by other people.
- Hacktivist = political/social intent
- Organised crime = profit motivation
- Nation state = motivation/intent is intelligence and sabotage.
- Advanced Persistent Threat (APT) = a threat actor that establishes a foothold, remains in place
and continues to operate over a long period.
- Insiders = acting from within an organisation, not always an employee (contractors, vendors
etc)
- Risk assessment involves the assessment of both threats and vulnerabilities, often at the
same time.
- Common Vulnerabilities and Exposures (CVE) database cve.mitre.org
- Nessus – a vulnerability scanner that runs inside the LAN, probes the hosts on the network and
generates a report of the vulnerabilities it finds.
- Four main types of threats: Adversarial (intentional and malicious), Accidental (incorrect
user input, accidental deletion etc), Structural (failure of hardware/software etc) and
Environmental (fires, building damage etc).
- Risk Transference is shifting some of the likelihood/risk/impact onto a third party (e.g. using
a cloud-based web server instead of hosting your own physical server).
- Risk Acceptance is when the potential cost of a risk is lower than what it would cost to mitigate
it, so the risk is accepted as a potential cost.
- Risk Avoidance is when the likelihood and potential impact of a risk are great enough to warrant
avoiding the risk entirely (e.g. simply not storing private information at all if there is no
reliably safe way to store it).
- Risk Mitigation: reducing the likelihood or potential impact of a risk
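The quantitative and qualitative measurements above and the four risk responses, as an added worked example that is not part of the original notes: a small risk register in which `Risk`, `qualitative_rating`, `recommend_response` and all sample figures are constructed assumptions, with one entry per threat type from the notes.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    threat_type: str            # adversarial, accidental, structural or environmental
    likelihood: float           # quantitative: probability per year that the threat is realised
    impact: float               # quantitative: harm in currency if it is realised
    likelihood_rank: int        # qualitative: 1 (rare) .. 5 (almost certain)
    impact_rank: int            # qualitative: 1 (negligible) .. 5 (severe)
    control_cost: float         # yearly cost of the control that would mitigate it
    residual_likelihood: float  # likelihood remaining once that control is in place

    def expected_loss(self, likelihood=None):
        return (self.likelihood if likelihood is None else likelihood) * self.impact

def qualitative_rating(r):
    """Rank likelihood x impact on a 5x5 matrix as low / medium / high."""
    score = r.likelihood_rank * r.impact_rank
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"

def recommend_response(r, transferable=False, avoidable=False):
    """Apply the accept / avoid / transfer / mitigate rules from the notes."""
    saving = r.expected_loss() - r.expected_loss(r.residual_likelihood)
    if saving <= r.control_cost:
        return "accept"     # carrying the risk costs less than mitigating it
    if qualitative_rating(r) == "high" and avoidable:
        return "avoid"      # likelihood and impact both too great: stop the activity
    if transferable:
        return "transfer"   # e.g. let a cloud provider carry the hosting risk
    return "mitigate"       # reduce likelihood/impact with the control

def sample_register():  # constructed illustration values, not real figures
    return [
        Risk("ransomware on file server", "adversarial", 0.20, 500_000, 4, 5, 20_000, 0.02),
        Risk("staff deletes shared folder", "accidental", 0.05, 2_000, 2, 1, 500, 0.01),
        Risk("web server hardware failure", "structural", 0.30, 50_000, 3, 3, 5_000, 0.10),
        Risk("fire in on-site card data store", "environmental", 0.30, 2_000_000, 4, 5, 100_000, 0.05),
    ]

def assess(register, transferable=(), avoidable=()):
    """Map each risk name to (qualitative rating, recommended response)."""
    return {r.name: (qualitative_rating(r),
                     recommend_response(r, r.name in transferable, r.name in avoidable))
            for r in register}
```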
- Framework = workflow/methodology
- NIST Risk Management Framework (SP 800-30) + ISACA Risk IT Framework
- Use benchmarking to establish baseline/expected behaviour and compare it with current
activity.
- Hardware and software vendors often have secure configuration guides/documentation to
assist with maintaining security on their respective products. NIST also provides guides for
securing various devices, networks, and software etc.
- Security Controls are actions/mechanisms put into place to either protect IT infrastructure
or remediate problems that have already occurred.
- Administrative/Management controls: control actions directed at IT security (e.g. laws,
policies, guidelines and best practices).
- Technical controls: control actions within IT systems directed at IT security (e.g.
hardware/software, firewalls, authentication, encryption etc).
- Physical controls: control actions in the physical world (e.g. gates, guards, keys etc).
- Security Control Functions:
1. Deterrent: deters the actor from attempting the threat in the first place.
2. Preventative: stops the actor from carrying out the threat.
3. Detective: recognising an actor’s threat.
4. Corrective: Mitigates the impact of a manifested/realised threat.
5. Compensating: Provides alternative fixes to any of the above functions if they are unable
to function the way we want them to.
- Business Impact Analysis (BIA) steps:
1. Determine mission-critical functions: what happens within IT systems that is
required/critical to fulfill the business’ objectives/purpose.
2. Identify critical systems/assets: Identify what systems/assets serve critical roles within
the function of the organisation.
3. Identify any single-points-of-failure.
4. Identify resource requirements: What systems/assets are required to access necessary
resources (files, software etc)
5. Identify recovery priorities: What systems are the most important for the operation of
the organisation and in what order of importance.
- Privacy Impact Assessment (PIA): what the impact to the organisation would be if the private
information it holds were to be compromised/leaked.
- Privacy Threshold Assessment (PTA): assessing what data the organisation holds, how it is
kept, its sensitivity etc.
- Recovery Time Objective (RTO): Minimum time necessary to restore a critical system or the
maximum time a critical system can be down without substantial impact.
- Recovery Point Objective (RPO): The amount of data that can be lost by an organisation
without substantial impact.
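The RTO and RPO definitions above, together with the recovery priorities identified in step 5 earlier, as an added worked example that is not part of the original notes: `System`, `recovery_plan`, `shortfalls` and the sample systems are constructed assumptions. Restoring in priority order with a single recovery team means a lower-priority system's downtime includes the restore time of everything ahead of it.

```python
from dataclasses import dataclass

@dataclass
class System:
    name: str
    priority: int                 # recovery priority, 1 = restore first
    restore_hours: float          # time to rebuild/restore this system from backup
    backup_interval_hours: float  # how often its data is backed up
    rto_hours: float              # maximum tolerable downtime (RTO)
    rpo_hours: float              # maximum tolerable data loss, expressed as time (RPO)

def recovery_plan(systems):
    """Restore in priority order with one recovery team; report RTO/RPO compliance."""
    findings = {}
    clock = 0.0
    for s in sorted(systems, key=lambda s: s.priority):
        clock += s.restore_hours   # cumulative time until this system is back
        findings[s.name] = {
            "restored_at_hour": clock,
            "meets_rto": clock <= s.rto_hours,
            # worst case: failure just before the next backup, losing one full interval
            "meets_rpo": s.backup_interval_hours <= s.rpo_hours,
        }
    return findings

def sample_systems():  # constructed values for illustration
    return [
        System("directory/authentication", 1, 2.0, 1.0, 4.0, 1.0),
        System("order database", 2, 3.0, 4.0, 6.0, 1.0),
        System("intranet wiki", 3, 2.0, 24.0, 6.0, 24.0),
    ]

def shortfalls(systems):
    """Names of systems whose backup schedule or recovery order breaks an objective."""
    plan = recovery_plan(systems)
    return sorted(n for n, f in plan.items() if not (f["meets_rto"] and f["meets_rpo"]))
```

In the sample, the order database meets its RTO but its four-hourly backup breaks a one-hour RPO, while the wiki's own RPO is fine but it only comes back at hour 7 because two systems are restored ahead of it.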
- Data Sensitivity/Labelling:
- Public: Publicly available information with no restrictions on it
- Confidential: Limited to authorised viewing as agreed on by the parties involved.
- Private: limited to the individual with whom the information is shared; includes
Personally Identifiable Information (PII).
- Proprietary: Very similar to Private information but regarding companies/corporations,
e.g., trade secrets.
- Protected Health Information (PHI): Any form of information that relates to the health of
an individual.
- Data Roles:
- Owner: The person who has the legal responsibility for the data (usually the
company/corporation that creates it.)
- Steward/Custodian: the individual(s) responsible for maintaining the accuracy and
integrity of the data.
- Privacy Officer: Ensures that data adheres to privacy policies and procedures.
- User Roles:
- Users: Assigned standard permissions needed to complete their tasks.
- Privileged Users: Increased access and control relative to a user.
- Executive User: sets policy on data and incident response actions.
- System Administrators: have complete control over data/systems.
- Data/System Owner: Has legal ownership of a particular data set or system.