Chapter 1 - Risk Management Fundamentals
Distributed Denial of Service (DDoS) attack
A DDoS attack is an attack launched from multiple clients at the same time. A DDoS attack often includes zombies controlled in a botnet.
Audit
A check to see if an organization is following rules and guidelines. A vulnerability assessment audit checks to see if internal policies are followed.
Detective Control
A class of controls identified by their function. A detective control detects when a vulnerability is being exploited. An intrusion detection system (IDS) is an example of a detective control.
Preventive Control
A class of controls identified by their function. A preventative control attempts to prevent the risk from occurring. For example, an unneeded protocol is removed from a server to harden it so that any attacks on this protocol are now prevented on the server.
Policy
A formal statement that is issued directly by an organization's leaders, such as an acceptable use policy, which describes both acceptable and unacceptable behavior when using company-owned computers and network resources.
Reasonableness
A judgement test that a company can apply to determine whether a risk should be managed. If a reasonable person would expect the risk to be managed, it should be managed.
Standard
A mandatory rule written to support or at least provide some direction to a policy. For example, a password standard could follow an acceptable use policy.
Guideline
A principle, instruction, or direction to help achieve an action.
Cost-benefit analysis (CBA)
A process used to determine how to manage a risk. If the benefits of a control outweigh the costs, the control can be implemented to reduce the risk. If the costs are greater than the benefits, the risk can be accepted.
Risk Assessment
A process used to identify and evaluate risks based on an analysis of threats and vulnerabilities to assets. Risks are quantified based on their importance or impact severity. These risks are then prioritized.
Vulnerability
A weakness or exposure to a threat. The weakness can be in an asset or the environment. Controls mitigate risks related to vulnerabilities.
13. What can be done to manage risk? Select three: A. Accept it B. Transfer it C. Avoid it D. Migrate it
A. Accept it B. Transfer it C. Avoid it
Q4. Which of the following statements is true? A. Exploited vulnerabilities result in losses. B. All vulnerabilities result in losses. C. Vulnerability is a synonym for loss. D. The method used to take advantage of a vulnerability is known as a threat.
A. Exploited vulnerabilities result in losses.
4. Which of the following are accurate pairings of threat categories? Select two: A. External and Internal B. Natural and Supernatural C. Intentional and Accidental D. Computer and User.
A. External and Internal C. Intentional and Accidental
Q13. Which of the following is often the weakest link in IT security? A. People B. Use of passphrases C. Physical security D. Use of computer firewalls
A. People
Q3. ____ is the process of creating a list of threats. A. Threat identification B. Threat assessment C. Risk assessment D. Risk identification
A. Threat identification
Q11. A new company does not have a lot of revenue for the first year. Installing antivirus software for all of the company's computers would be very costly, so the owners decide to forgo purchasing antivirus software for the first year of the business. In what domain of a typical IT infrastructure is a vulnerability created? A. Workstation Domain B. LAN-to-WAN Domain C. WAN Domain D. Remote Access Domain
A. Workstation Domain
Q8. A(n) ___ is the likelihood that something unexpected is going to occur. A. risk B. threat C. exploit D. vulnerability
A. risk
Q20. Another term for risk mitigation is: A. risk reduction B. risk assessment C. risk management D. risk evaluation
A. risk reduction
Control
Action or change put in place to reduce weaknesses or potential losses. A control is also referred to as a countermeasure.
Residual Risk
Also referred to as acceptable risk. The risk that remains after controls have been applied. Residual risk is expressed in the following formula: Residual Risk = Total Risk - Controls.
Business Function
An activity carried out by an organization, including core and support functions.
Denial of service (DoS) attack
An attack designed to prevent a system from providing a service. A DoS attack is launched from a single client.
Risk
An uncertainty that may lead to a loss. Losses occur when a threat exploits a vulnerability. Risk is often expressed as Risk = Threat x Vulnerability.
Threat
Any activity that represents a possible danger, including any circumstance or event with the potential to adversely affect the confidentiality, integrity, or availability of a business's assets.
Q17. You are a top-level executive at your own company. You are worried that your employees may steal confidential data by downloading data onto thumb drives. What is the best way to prevent this from happening? A. Install a technical control on the computers to prevent the use of thumb drives. B. Create and enforce a written company policy against the use of thumb drives and install a technical control on the computers to prevent the use of thumb drives. C. Instruct higher-level employees to inform their employees that the use of a thumb drive is a fire-able offense. D. Hold a seminar that explains to employees why the use of thumb drives in the workplace is a security hazard.
B. Create and enforce a written company policy against the use of thumb drives and install a technical control on the computers to prevent the use of thumb drives.
Q18. What is the practice of identifying, assessing, controlling, and mitigating risks? A. Social Engineering B. Risk Management C. Risk mitigation D. Vulnerability scanning
B. Risk Management
Q2. What is the primary reason to avoid risk? A. Risks create vulnerabilities and threats B. The impact of the risk outweighs the benefit of the asset C. Risks are easily exploited D. Risks can destroy a business.
B. The impact of the risk outweighs the benefit of the asset.
2. Which one of the following properly defines total risk? A. Threat - Mitigation B. Threat x Vulnerability x Asset Value C. Vulnerability - Controls D. Vulnerability x Controls
B. Threat x Vulnerability x Asset Value
Q6. Total risk equals: A. Threat x vulnerability B. Threat x vulnerability x asset value C. benefit - cost D. (benefit - cost) x asset value
B. Threat x vulnerability x asset value
Q15. A ___ to an asset occurs only when an attacker can exploit a vulnerability. A. threat B. loss C. mitigation D. risk
B. loss
Q9. Which of the following statements is not true of cost-benefit analysis? A. Organizations should never spend more on controls than the value of the asset. B. The amount spent on controls should be proportional to the risk, which is known as the principle of proportionality. C. A control always eliminates the loss. D. Although the immediate costs of a control are often available, the ongoing costs are sometimes hidden.
C. A control always eliminates the loss.
Q16. Which of the following is most likely to be warez? A. A cyberattack B. A hardware control C. A file on your computer of a new TV episode you downloaded for free D. An MP3 file of a song you bought from an online music service
C. A file on your computer of a new TV episode you downloaded for free
Q10. What are the elements of the security triad? A. Confidence, intelligence, and assessment B. Cooperation, installation, and acquisition C. Confidentiality, integrity, and availability D. Coordination, implementation, and authorization
C. Confidentiality, integrity, and availability
Q14. Isabella works as a risk specialist for her company. She wants to determine which risks should be managed and which should not by applying a test to each risk. Risks that don't meet the test are accepted. What type of test does she apply? A. Control test B. Vulnerability test C. Reasonableness test D. Cost assessment
C. Reasonableness test
15. Who is ultimately responsible for losses resulting from residual risk? A. End users B. Technical staff C. Senior managers D. Security personnel
C. Senior managers
Q12. Which of the following is not an example of an intangible value? A. Future lost revenue B. Cost of gaining a consumer C. Software application D. Customer influence
C. Software application
10. Which of the following is a goal of risk management? A. To identify the correct cost balance between risk and controls B. To eliminate risk by implementing controls C. To eliminate the loss associated with risk D. To calculate value associated with residual risk
C. To eliminate the loss associated with risk
9. The ____ is an industry-recognized standard list of common vulnerabilities.
Common Vulnerabilities and Exposures (CVE)
11. If the benefits outweigh the cost, a control is implemented. Costs and benefits are identified by completing a ________.
Cost Benefit Analysis (CBA)
Q5. Which of the following is not a risk management step? A. Taking steps to reduce risk to an acceptable level B. Identifying risks C. Assessing risks D. Eliminating all risks
D. Eliminating all risks
Q7. In which of the following domains does the IT infrastructure link to a wide area network (WAN) and the Internet? A. WAN Domain B. Systems/Applications Domain C. LAN Domain D. LAN-to-WAN Domain
D. LAN-to-WAN Domain
14. After controls to minimize risk in the environment have been applied, what is the remaining risk called? A. Remaining risk B. Mitigated risk C. Managed risk D. Residual risk
D. Residual risk
Q19. What is a major type of vulnerability for the User Domain? A. Zombies B. Malware C. Social engineering D. Natural disasters
C. Social engineering
1. Which one of the following properly defines risk? A. Threat x Mitigation B. Vulnerability x Controls C. Controls - Residual Risk D. Threat x Vulnerability
D. Threat x Vulnerability
8. What is the primary goal of an information security program? A. To eliminate losses related to employee actions. B. To eliminate losses related to risk C. To reduce losses related to residual risk D. To reduce losses related to loss of confidentiality, integrity, and availability.
D. To reduce losses related to loss of confidentiality, integrity, and availability.
Q1. Companies use risk assessment strategies to differentiate ___ from ____. A. Vulnerabilities, weaknesses B. Vulnerabilities, threats C. Risks, threats D. severe risks, minor risks
D. severe risks, minor risks
Common Vulnerabilities and Exposures (CVE)
Database of vulnerabilities maintained by the MITRE Corporation. MITRE works in conjunction with the U.S. Department of Homeland Security to maintain the CVE. The list includes over 40,000 items.
Integrity
Ensuring data or IT systems are not modified or destroyed. Hashing is often used to ensure integrity.
Availability
Ensuring that data or a service is available when needed. Data and services are protected using fault tolerance and redundancy techniques.
7. As long as a company is profitable, it does not need to consider survivability. True or False?
False
Goodwill
Helpful and collaborative attitude.
5. A loss of client confidence or public trust is an example of a loss of __________
Intangible value
Avoiding
One of the techniques used to manage risk. A risk can be avoided by eliminating the source of the risk or the exposure of assets to the risk.
Mitigating
One of the techniques used to manage risk. Mitigation is also known as risk reduction. Vulnerabilities are reduced by implementing controls, or countermeasures.
Transferring
One of the techniques used to manage risk. The risk is transferred by shifting responsibility to another party. Risk can be completely shifted by transferring the risk or shared by partially transferring the risk. This can be done by purchasing insurance or outsourcing the activity.
Accepting
One of the techniques used to manage risk. When the cost to reduce the risk is greater than the potential loss, the risk is accepted. A risk is also accepted if management considers the risk necessary and tolerable for business.
Confidentiality
Protecting data from unauthorized disclosure. Data is protected using access controls and encryption technologies.
6. A _______ is used to reduce a vulnerability.
Risk Assessment
Asset
Something that represents data, device, or infrastructure of value to an organization.
Social Engineering
Tactics used to trick people into revealing sensitive information or taking unsafe actions. Social engineering tactics include conning people over the phone or in person and phishing and other technical tactics.
Profitability
The ability of a company to make a profit. It is calculated as revenues minus costs. Risk management considers both profitability and survivability.
Survivability
The ability of a company to survive loss from a risk. Some losses can be so severe that they will cause the business to fail if they are not managed.
Exploit
The act of taking advantage of a vulnerability. It occurs when a command or program is executed to take advantage of a weakness. Examples include buffer overflows, DoS attacks, and DDoS attacks.
Tangible value
The actual cost of an asset. Compare to Intangible value.
Impact
The amount of a loss resulting from a threat exploiting a vulnerability. The loss can be expressed in monetary terms or as a relative value. The impact identifies severity of the loss. Impact is derived from the opinion of experts.
Risk Management
The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, sharing or transferring, mitigating, and accepting the risk.
Disaster Recovery
The procedures to bring a system back into service after it has failed. Disaster recovery occurs after a disaster; disaster recovery steps are documented in a disaster recovery plan that is part of a business continuity plan.
Principle of Proportionality
This principle simply states that the amount spent on controls should be proportional to the risk.
12. A company decided to reduce losses of a threat by purchasing insurance, which is known as risk ______.
Transference
3. The best bet is to reduce risk to a level that can be accepted. True or False?
True
Intangible value
Value that isn't directly related to the actual cost of a physical asset. Intangibles can include future lost revenue, client confidence, and customer influence. Compare to Tangible value.