Terminology
General Terms
Assets
In the context of ORNA, an asset is any business item, including a stakeholder, that a cyber threat can negatively impact. This broad definition is intentional, because an incident can affect or disable hardware (such as servers, laptops, or even doors), software (such as CRM, ERP, or email), processes (for example, shipping or customer onboarding), persons (typically someone rather important, such as C-suite executives, directors, or lead engineers), data (such as Protected Health Information, or PHI), and other (a catch-all for anything that fits none of the above). The loss or degradation of any of these can be extremely damaging to an organization, up to and including catastrophic impact on its financial stability, its ability to conduct business, or its reputation.
Registering all relevant or in-scope assets within the platform is an essential first step to understanding the organization's estate and its exposure to cyber risk, allowing relevant teams to identify mission-critical assets (also called Crown Jewels), employ appropriate security measures to protect them proactively, and monitor all potentially malicious events associated with these resources.
CIRT
CIRT stands for Cyber Incident Response Team, a team of individuals responding to security breaches, malware, and other damaging cyber incidents within an organization. As cyber incidents and data breaches can take a variety of forms affecting a broad array of business functions, a well-organized CIRT usually includes not only IT or cybersecurity professionals but subject matter experts from within legal, human resources, communications, financial, regulatory compliance, executive, and other extended business areas of competence.
Criticality
Criticality measures how important a given asset is to the organization's operations, reputation, and overall ability to conduct business. Criticality assessments help prioritize resource allocation, risk management, and cybersecurity measures. Assets deemed mission-critical (also called Crown Jewels) typically warrant a higher level of incident response urgency, more robust protection and monitoring, and much more proactive risk management; in many industries, such measures are mandated by regulatory bodies. ORNA employs 3 distinct, consistently color-coded criticality levels (Low, Medium, High) that can be assigned to any asset.
Severity
In cybersecurity, severity measures how damaging a particular threat, incident, or alert is or could be. The same term is used for vulnerabilities, where it expresses the potential negative impact on a particular asset if the vulnerability were exploited by a malicious actor. ORNA combines more than 20 methods, including machine learning models, security event cross-correlation, and anomaly- and signature-based malware analysis, to derive incident severity from a large combination of factors; the two key resulting ratings are the urgency and the impact of the incident, consistent with the SANS Incident Response framework.
Urgency measures how quickly an incident must be resolved to keep its impact to a minimum; impact measures the extent of the incident and the damage it could cause before it is resolved. ORNA’s incident severity rating has five distinct, consistently color-coded levels: Very Low, Low, Medium, High, and Critical.
Vulnerability severity has four consistently color-coded levels: Low, Medium, High, and Critical. Each level is assigned from the CVSS base score published for the vulnerability in the National Vulnerability Database (NVD). For CVSS v3.x the NVD qualitative bands are Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, and Critical 9.0–10.0; a score of 0.0 is rated None by NVD and falls outside these four levels.
Cybersecurity Terms
Denial of Service
Denial of Service (DoS), and its distributed form (DDoS) in which the attack traffic comes from many sources at once, is an attack that overwhelms an asset so that it can no longer function normally or serve legitimate users. The most common targets of DoS attacks are online resources, such as websites, servers, and networks.
Insider Threat
An insider threat is a threat to an organization that comes from people within it, such as employees, former employees, contractors, or business associates who hold inside knowledge of the company's assets or have access to sensitive data, and who are therefore able to inflict significant damage on the organization’s finances, reputation, or ability to conduct business as usual. Insider threats are typically malicious, but some are not and amount to a costly human error.
NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework is a voluntary framework for assessing and managing organizational cybersecurity risk, published by the US National Institute of Standards and Technology and built on established standards, guidelines, and practices. Version 1.1 organizes its outcomes into 5 Functions (Identify, Protect, Detect, Respond, Recover) that, in turn, include 23 categories; version 2.0, published in February 2024, adds a sixth Function, Govern, so the counts above apply to CSF 1.1.
Network IoT
Network IoT attacks disrupt or take control of network-connected devices that communicate with other devices without human involvement, such as autonomous cars, smart appliances, and wearable tech.
Phishing
Phishing is an attack delivered via email, phone (vishing), or text message (smishing) by someone posing as a legitimate entity to lure individuals into disclosing sensitive data, such as credentials, or into granting unauthorized access. It is often the entry point for other types of attacks, such as ransomware.
Ransomware
Ransomware is malware that uses encryption to deny access to an asset, preventing the organization from using it to conduct business and preventing users from accessing it, until a ransom is paid to the threat actor responsible for the attack. In a typical attack, mission-critical data or software is encrypted so that the affected files, databases, or applications cannot be used until the ransom is paid and the attacker provides the decryption key.
Increasingly, ransomware attacks are combined with the exfiltration of sensitive or valuable data to a server the attacker controls, making them a dual threat: loss of access plus the threat of disclosure (often called double extortion).