CompTIA CySA+ Objective 3.1

Given a scenario, distinguish threat data or behavior to determine the impact of an incident.

CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0

Threat Classification

Security threats can be classified by several characteristics. First, they are classified by whether or not they are known. Known threats have been identified and reported. Unknown threats are those which have not yet been discovered. Unknown threats can become zero-day threats when they are used against systems. Zero-day threats are dangerous because they are exploited before systems like antivirus and intrusion prevention systems have signatures to recognize the attack.

An Advanced Persistent Threat (APT) is an organized, long-term attack against an organization. The Target credit card breach was an example of an APT.

Contributing Factors to Incident Severity and Prioritization

To properly prioritize incidents, they must be classified by the scope of the incident and by what has been put at risk.

Scope of Impact

One classification for impact is how much downtime is incurred and how long it will take to recover. The following apply to this classification:

  • Maximum tolerable downtime (MTD): The maximum time that an organization can allow a resource or function to be down. This can also be referred to as the maximum period time of disruption (MPTD).
  • Mean time to repair (MTTR): The average time to repair a resource or function.
  • Mean time between failures (MTBF): The average time between failures calculated by a device manufacturer.
  • Recovery time objective (RTO): The shortest amount of time after an event in which a resource can be restored.
  • Work recovery time (WRT): The difference between RTO and MTD.
  • Recovery point objective (RPO): The time when the disrupted resource must be returned to production.

Each organization must use the impact to develop its own levels of criticality for resources.

Data integrity, the correctness, completeness and soundness of data, is an important factor in incident severity and may be hard to detect.

Economics also plays into the prioritization of incidents. Each asset in an organization has value to the organization. Asset value can be determined by a combination of the value to the owner, the work required to obtain it, its maintenance cost, the damage if it were lost, the cost that competitors would pay for it, and the penalties that would be incurred if it were lost.

The criticality of the systems involved is another part of the prioritization. Some systems will be deemed critical by the business. The value of a system also relates to which other systems depend on it.
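The following is an added example, not part of the original notes, that combines the downtime metrics with the dependency point above: an incident on one system is scoped by everything that depends on it, and the tightest MTD among the affected systems sets the deadline. The inventory, the hour values and the ranking rule (least slack first, then widest scope) are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: MTD and RTO in hours, plus direct dependencies.
SYSTEMS = {
    "auth-db":   {"mtd": 24, "rto": 6,  "depends_on": []},
    "sso":       {"mtd": 8,  "rto": 2,  "depends_on": ["auth-db"]},
    "payments":  {"mtd": 4,  "rto": 1,  "depends_on": ["sso"]},
    "wiki":      {"mtd": 72, "rto": 24, "depends_on": ["sso"]},
    "print-srv": {"mtd": 96, "rto": 48, "depends_on": []},
}

def dependents(systems, name):
    """All systems that directly or transitively depend on `name`."""
    found, queue = set(), deque([name])
    while queue:
        current = queue.popleft()
        for other, info in systems.items():
            if current in info["depends_on"] and other not in found:
                found.add(other)
                queue.append(other)
    return found

def assess(systems, name, est_outage_hours):
    """Scope of impact for an incident on `name` expected to last est_outage_hours."""
    affected = {name} | dependents(systems, name)
    # The tightest MTD among everything affected sets the real deadline.
    effective_mtd = min(systems[s]["mtd"] for s in affected)
    info = systems[name]
    return {
        "system": name,
        "affected": sorted(affected),
        "wrt": info["mtd"] - info["rto"],  # WRT as defined in the list above
        "effective_mtd": effective_mtd,
        "slack": effective_mtd - est_outage_hours,  # negative: MTD will be exceeded
    }

def prioritize(systems, incidents):
    """Order incidents: least slack first, then widest scope."""
    results = [assess(systems, n, h) for n, h in incidents]
    return sorted(results, key=lambda r: (r["slack"], -len(r["affected"])))

if __name__ == "__main__":
    # Constructed incidents: (system, estimated outage in hours)
    for r in prioritize(SYSTEMS, [("print-srv", 12), ("auth-db", 6), ("wiki", 6)]):
        print(r)
```

The six-hour outage on the constructed `auth-db` entry ranks first even though its own MTD is 24 hours, because a system with a 4-hour MTD depends on it.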

Types of Data

  • Personally Identifiable Information (PII): any piece of data that can be used alone or with other pieces to identify a person. Examples: Full Name, ID Numbers, Date of Birth, Place of Birth, biometrics, account numbers, and digital monikers.
  • Personal Health Information (PHI): A subtype of PII related to Health Insurance Portability and Accountability Act (HIPAA) and healthcare. Any information in a medical record that could be used to identify a person.
  • Payment Card Information (PCI): A subtype of PII related to the Payment Card Industry – Data Security Standard (PCI-DSS) regulations. This includes cardholder information like name, number, CVV and expiration date.
  • Intellectual Property: Tangible or intangible asset which the owner has exclusive rights to. Examples: Patents, Trademarks, Copyrights, Software, Digital Rights Management, Trade Secrets
  • Corporate Confidential: Data that needs to be kept within the organization. Examples: Plans, Processes and Procedures, Profit data, Customer lists, HR information, Accounting Information