Domain 3 - Risk Identification, Monitoring, and Analysis

---

Goals

• Identify appropriate security risk management processes.
• Perform security risk mitigation assessment activities.
• Evaluate security risk mitigation monitoring systems to identify, evaluate, prioritize, and prevent potential security threats.
• Analyze security mitigation process monitoring results.

Risk Management

• Risk Assessment
• Threats, Vulnerabilities, Risk, and Impact
• Threat Vectors
• Quantitative Analysis
• MTTF, MTBF, and MTTR
• Risk Management Strategies
• NIST SP 800-37 Risk Management Framework
• ISO 31000 Risk Management
• Risk Register
• Threat Intelligence
• Risk Heat Map

Threat Modeling

• Threat Modeling
• Threat Intelligence
  • Threat Indicator Frameworks
• Identifying Threats
• Threat Hunting
• MITRE ATT&CK Framework

Vulnerability Types

• vulnerability impacts
  • include attacks on CIA triad
• Risk Types
• Supply Chain Vulnerabilities
  • patch management
  • Legacy and End-of-Life (EOL) Systems
  • lack of adequate support
  • vendors may not disclose use of embedded systems
• Configuration Vulnerabilities
  • default configurations
  • misconfigurations
  • unsecure configurations
  • cryptographic vulnerabilities
    • weak cryptographic cipher suites
    • weak cryptographic protocol implementations
    • poor key management
    • poor certificate management
  • patch management
    • operating systems
    • applications
    • firmware
  • account management
    • carefully manage permissions
    • principle of least privilege
• Architectural Vulnerabilities
  • arise when a complex system is improperly designed
  • flaws are very difficult to resolve
  • IT architecture is processes and practice used to design systems
  • avoid security weaknesses:
    • incorporate security early
    • avoid bolt-on security requirements
  • system sprawl
    • new devices are connected to a network, but old devices are not promptly disconnected, leading to security vulnerabilities
    • even more risky if assets are undocumented

Vulnerability Scanning

• Vulnerability Scan Types
  • Network vulnerability scans
  • application scans
  • web application scans
• Vulnerability Assessment
• Scan perspective
  • network location affects scan results
    • DMZ vs internal network vs external network
    • inside vs outside firewall
  • credentialed vs uncredentialed scans
• Security Content Automation Protocol (SCAP)
  • know the components:
    • OVAL
    • XCCDF
    • CVSS
    • CCE
    • CPE
    • CVE
• Common Vulnerability Scoring System (CVSS)
• Analyzing scan reports
  • prioritization factors:
    • vulnerability severity
    • system criticality
    • information sensitivity
    • remediation difficulty
    • system exposure
• Correlate scan results
  • consult industry standards, best practices, and compliance requirements
  • correlate technical information sources
    • configuration management systems
    • log repositories
    • other data sources
  • correlate trend analysis with historic results
• Security Acceptance Testing
• Regression Testing

Legal and Regulatory Concerns

• Legal definitions
  • Jurisdiction
  • Preemption
  • Private Right of Action
  • Persons
    • can be a human or non-human entity that can sue and be sued, can own property, and can take part in contracts.
• Data privacy
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Generally Accepted Privacy Principles (GAPP)
  • Privacy Impact Assessment (PIA)
• Data breaches
  • Privacy Breaches and Data Breaches
  • Breach Notification Laws
    • most breach notification laws include exemptions for encrypted information

Security Monitoring

• Log and Data Sources
  • Network Data Sources
  • Log Data
  • Application Logs
  • Host Operating System Logs
  • Log Collectors and Syslog
• Security Information and Event Management (SIEM)
• SOAR
  • playbook
  • runbook
    • completely automated
• Continuous Security Monitoring
• Compliance Monitoring