CompTIA® Security+ Guide to Network Security Fundamentals - Chapter 14 - Risk Mitigation

incident management

The "framework" and functions required to enable incident response and incident handling within an organization.

Mean Time To Failure or MTTF

A basic measure of reliability for systems that cannot be repaired. It is the average amount of time expected until the first failure of a piece of equipment.

Acceptable Use Policy or AUP

A policy that defines the actions users may perform while accessing systems and networking equipment.

data retention policy

A policy that outlines how to maintain information in the user's possession for a predetermined length of time is known as a(n)_____.

managerial risk category

A risk category related to the management of the organization.

operational risk category

A risk category that impacts the daily business of the organization.

environmental risk category

A risk category that is related to the surroundings such as natural disasters, i.e. tornado, flood, or hurricane.

strategic risk category

A risk category where actions affect the long-term goals of the organization.

technical risk category

A risk category where events affect information technology systems.

financial risk category

A risk category where financial decisions or market factors are impacted.

compliance risk category

A risk category where following or not following a regulation or standard could cause risk.

technical risk control type

A risk control type that involves using technology to control risk.

data wiping and disposing policy

A security policy that addresses how and when data will ultimately be erased.

data policy

A security policy that addresses the different aspects of how data should be handled within an organization.

data retention policy

A security policy that outlines how long to maintain information in the user's possession.

privacy policy

A security policy that outlines how the organization uses personal information it collects.

data storage policy

A set of procedures designed to control and manage data within the organization by specifying data collection and storage.

risk

A situation that involves exposure to some type of danger.

security-related human resource policy

A statement regarding due diligence would be found in which security policy? a. disposal and destruction policy b. security-related human resource policy c. acceptable use policy d. privacy policy

standard

A collection of requirements specific to the system or procedure that must be met by everyone. For example, a it might describe how to secure a computer at home that remotely connects to the organization's network.

guideline

A collection of suggestions that should be implemented. These are not requirements to be met but are strongly recommended.

policy

A document that outlines specific requirements or rules that must be met.

change management

A methodology for making modifications to a system and keeping track of those changes.

peer-to-peer or P2P network

A network that does not have servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network.

ethics policy

A policy that attempts to establish a culture of openness, trust, and integrity in business practices. They often contain such topics as executive commitment to ethics, employee commitment to ethics, how to maintain ethical practices, and penalties for unethical behavior.

vulnerability assessment

A systematic and methodical evaluation of the exposure of assets to attackers, forces of nature, or any other entity that is a potential harm.

change management team or CMT

A team created to oversee changes such as the addition, modification, relocation, removal of the technical infrastructure, or any component, hardware or software, including any interruption of service.

management risk control type

A type of risk control that is administrative and covers the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls.

security policy

A written document that states how an organization plans to protect the company's information technology assets.

privilege

A(n) ____ is a subject's access level over an object, such as a user's ability to open a payroll file.

operational

A(n) __________ risk control type would use video surveillance systems and barricades to limit access to secure sites. a. operational b. managerial c. technical d. strategic

torrent

Active Internet connections that download a specific file that is available through a tracker, which is a server program operated by the person or organization that wants to share the file.

regulatory

All of these approaches are part of the Simple Risk Model EXCEPT ______________. a. regulatory b. preventive c. detective d. corrective

quantitative risk calculation

An approach to risk calculation that attempts to create actual numbers of the risk by using historical data.

qualitative risk calculation

An approach to risk calculation that uses an "educated guess" based on observation.

Simple Risk Model

An approach to risk that has the three elements of preventive, detective, and corrective actions.

pedagogical

An approach to teaching that involves leading and is typically associated with learning as a child.

andragogical

An approach to teaching that is tailored to helping an adult learn.

risk mitigation

An attempt to address a risk by making it less serious is known as _____.

false positive

An event that appears to be a risk but turns out not to be one is called a _______________. a. false negative b. false positive c. negative-positive d. risk negative event or RNE

false negative

An event that does not appear to be a risk but actually turns out to be one.

false positive

An event that in the beginning is considered to be a risk yet turns out to not be one.

Security policy training and procedures.

An understanding of the role that security policies play in the organization, their importance, and the content of those policies as they apply to the user is critical to creating a secure work environment.

Failure In Time or FIT

Another way of reporting the Mean Time Between Failure or MTBF which reports the number of expected failures per one billion hours of operation for a device. This term is used particularly by the semiconductor industry.

security policy

At its core, a _____ is a written document that states how an organization plans to protect the company's information technology assets.

Mean Time Between Failure or MTBF

Calculating the average, or mean, amount of time until a component fails, cannot be repaired, and must be replaced. It is a reliability term used to provide the amount of failures. Calculating it involves taking the total time measured divided by the total number of failures observed.

asset identification

Determines the items that have a positive economic value, which may include data, hardware, personnel, physical assets, and software.

risk assessment

Determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization.

andragogical

For adult learners, a(n) ________ approach, or the art of helping an adult learn, is often preferred. a. pedagogical b. andragogical c. institutional d. proactive

social networking

Grouping individuals and organizations into clusters or groups based on a like affiliation.

social networking

Grouping individuals and organizations into clusters or groups based on some sort of affiliation is called ____.

information classification

How to differentiate between the different levels of information and to have sensitivity to critical data.

Data labeling, handling, and disposal.

Instruction regarding how to handle and protect different types of data as well as how to properly dispose of equipment that contains that data.

Compliance with laws, best practices, and standards.

Legislation that affects the organization and its use and protection of customer information. In addition, training regarding security standards and appropriate best practices also should be included.

auditory learning style

People who learn by tending to sit in the middle of the class and learn best through lectures and discussions.

kinesthetic learning style

People who learn through a lab environment or other hands-on approaches.

visual learning style

People who learn through taking notes, being at the front of the class, and watching presentations.

clean desk policy

Requiring employees to clear their workspace of all papers at the end of each business day is called ______________. a. empty workspace policy b. clean desk policy c. disposal and removal policy d. sunshine policy

mitigation

Risk _________ is the attempt to address the risk by making it less serious.

operational risk control type

Risk control type that covers the operational procedures to limit risk.

Technical risk control types

Risk control types involving enforcing technology to control risk, such as antivirus software, firewalls, and encryption.

Management risk control types

Risk control types that are administrative in their nature and are the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls.

Operational risk control types

Risk control types that cover operational procedures to limit risk. This may include using video surveillance systems and barricades to limit access to secure sites.

role-based training

Specialized training that is customized to the specific role that an employee holds in the organization.

risk control types

Specific controls that aide in reducing risk through policies, procedures, and guidelines.

due diligence

That any investigation conducted will examine all material facts.

security-related human resource

The __________ policy typically contains statements regarding actions to be taken when an employee is terminated.

Mean Time To Failure or MTTF

The average amount of time expected until the first failure of a piece of equipment.

Mean Time To Recovery or MTTR

The average amount of time that it will take a device to recover from a failure that is not a terminal failure.

swarm

The collective pieces of a file that are being downloaded simultaneously from a torrent.

incident response

The components required to identify, analyze, and contain an incident.

Single Loss Expectancy or SLE

The expected monetary loss every time a risk occurs.

Annualized Loss Expectancy or ALE

The expected monetary loss that can be anticipated for an asset due to a risk over a one-year period.

Annualized Rate of Occurrence or ARO

The likelihood of a risk occurring within a year is known as the ______.

Annualized Rate of Occurrence or ARO

The likelihood of a risk occurring within a year.

due care

The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. It is the care that a reasonable person would exercise under the circumstances.

privilege auditing

The periodic review of a subject's privileges over an object.

incident handling

The planning, coordination, and communications functions that are needed to resolve an incident in an efficient manner.

due process

The principle of treating all accused persons in an equal fashion, using established rules and procedures. This statement may indicate that any employee accused of a malicious action will be treated equally and not given preferential treatment.

Privilege management

The process of assigning and revoking privileges to objects; that is, it covers the procedures of managing object authorizations.

ethics

The study of what a group of people understand to be good and right behavior and how people make those judgments.

security-related human resource policy

These policies include statements regarding the necessary information about the technology resources of the organization, how they are used, and the acceptable use and security policies that are in force. The penalties for violating policies likewise are clearly outlined.

risk avoidance

This involves identifying the risk and making the decision to not engage in the activity.

transference

This makes a third party responsible for the risk

threat identification

To determine the threats from threat agents or any person or thing with the power to carry out a threat against an asset.

vulnerability appraisal

To determine what current security weaknesses might expose the assets to threats. It in effect takes a snapshot of the security of the organization as it now stands.

tracker

Used with torrents, a server program operated by the person or organization that wants to share a file.

Personally identifiable information or PII

Users should be informed regarding the importance of this information and the high risks if it is not properly protected.

Personal data can be used maliciously. Users may be too trusting. Accepting friends may have unforeseen consequences. Social networking security is lax or confusing.

What are some of the additional risks associated with social networking sites when compared to a normal website?

morals

Values that are attributed to a system of beliefs that help the individual distinguish right from wrong. These values typically derive their authority from something outside the individual, such as a higher spiritual being or an external authority such as the government or society.

social networking sites

Websites that facilitate linking individuals with common interests like hobbies, religion, politics, or school contacts.

• Contains fewer than 12 characters. • Is a word found in a dictionary either English or foreign. • Is a common usage word such as names of family, pets, friends, coworkers, fantasy characters, and so on, computer terms and names, commands, sites, companies, hardware, and software. • Contains birthdays and other personal information such as addresses and phone numbers. • Uses word or number patterns like qwerty, 123321, and so on. • Includes any of the preceding spelled backward or preceded or followed by a digit e.g., secret1, 1secret.

What are some characteristics of a weak password?

• Communicates a consensus of judgment • Defines appropriate behavior for users • Identifies what tools and procedures are needed • Provides directives for Human Resources action in response to inappropriate behavior • May be helpful if it is necessary to prosecute violators

What are some general characteristics that a policy has?

Incident response which may be defined as the components required to identify, analyze, and contain an incident. Incident handling is the planning, coordination, and communications functions that are needed to resolve an incident in an efficient manner.

What are the components that make up the framework of incident management?

• Review proposed changes • Ensure that the risk and impact of the planned change is clearly understood • Recommend approval, disapproval, deferral, or withdrawal of a requested change • Communicate proposed and approved changes to coworkers

What are the duties of the change management team or CMT?

Be implementable and enforceable. Be concise and easy to understand. Balance protection with productivity.

What are the things that a security policy MUST do?

State reasons why the policy is necessary. Describe what is covered by the policy. Outline how violations will be handled.

What are the things that a security policy SHOULD do?

1. Trust everyone all of the time. 2. Trust no one at any time. 3. Trust some people some of the time.

What are the three approaches to trust?

Vulnerability assessment, create the security policy, and compliance monitoring and evaluation.

What are the three phases of the security policy cycle?

Top Secret Secret Confidential Unclassified

What are the typical classification designations of government documents?

Trust and control.

What are two key elements an effective security policy must carefully balance?

guideline

What is a collection of suggestions that should be implemented? a. policy b. guideline c. standard d. code

Single Loss Expectancy or SLE multiplied by the Annualized Rate of Occurrence or ARO equals the Annualized Loss Expectancy or ALE. ALE = SLE ● ARO

What is the formula for determining the Annualized Loss Expectancy or ALE?

Asset Value or AV multiplied by the Exposure Factor or EF equals the Single Loss Expectancy or SLE. SLE = AV ● EF

What is the formula for determining the Single Loss Expectancy or SLE?

A virus can be transmitted

What is the security risk of a P2P network? a. A virus can be transmitted. b. It is issued to spread spam. c. It consumes bandwidth. d. It allows law enforcement agencies to monitor the user's actions.

A numeric value of 1 to 10 or label of high, medium, or low.

What values are typically associated with qualitative risks?

resistance

Which of these is NOT a response to risk? a. transference b. resistance c. mitigation d. avoidance

representative from a hardware vendor

Which person should NOT serve on a security policy development team? a. senior-level administrator b. representative from a hardware vendor c. member of the legal staff d. member of management who can enforce the policy

acceptable use policy

Which policy defines the actions users may perform while accessing systems and networking equipment? a. end-user policy b. acceptable use policy c. Internet use policy d. user permission policy

Do not use alphabetic characters.

Which recommendation would NOT be found in a password management and complexity policy? a. Do not use the name of a pet. b. Do not use alphabetic characters. c. Do not use a password that is a word found in a dictionary. d. Do not use personally identifiable information.

Qualitative risk calculation

Which risk calculation approach uses an "educated guess" based on observation?

operational

Which risk category addresses events that impact the daily business of the organization? a. tactical b. strategic c. operational d. daily

Policies communicate a unanimous agreement of judgment.

Which statement does NOT describe a characteristic of a policy? a. Policies define appropriate user behavior. b. Policies communicate a unanimous agreement of judgment. c. Policies may be helpful if it is necessary to prosecute violators. d. Policies identify what tools and procedures are needed.

Only access a social networking site on personal time.

Which statement is NOT a general security recommendation when using social networking sites? a. Consider carefully who is accepted as a friend. b. Show "limited friends" a reduced version of your profile. c. Only access a social networking site on personal time. d. Disable options and then reopen them only as necessary.

Require all users to approve the policy before it is implemented.

Which statement is NOT a guideline for developing a security policy? a. Notify users in advance that a new security policy is being developed and explain why the policy is needed. b. Require all users to approve the policy before it is implemented. c. Provide a sample of people affected by the policy with an opportunity to review the policy and comment on it. d. Prior to deployment, give all users at least two weeks to review the policy and comment on it.

State reasons why the policy is necessary.

Which statement is NOT something that a security policy must do? a. State reasons why the policy is necessary. b. Balance protection with productivity. c. Be capable of being implemented and enforced. d. Be concise and easy to understand.

A change in system architecture and a change in classification, which primarily refers to files or documents.

Which two major types of changes regarding security need to be properly documented using change management?

• Senior-level administrator • Member of management who can enforce the policy • Member of the legal staff • Representative from the user community

Who should make up the team that develops a security policy for a company?

Visual

____ learners learn through taking notes, being at the front of the class, and watching presentations.

Acceptable use policies

_____ are generally considered to be the most important information security policies.

Ethics

__________ may be defined as the study of what people understand to be good and right behavior and how people make those judgments. a. Ethics b. Morals c. Values d. Principles

Due care

___________ is defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. a. Due process b. Due care c. Due obligations d. Due diligence

Privilege

_____________ management covers the procedures of managing object authorizations. a. Asset b. Task c. Privilege d. Threat