2.2_ Risk Management and Threat Modeling Flashcards

1
Q

What’s the difference between a vulnerability, a threat, and a risk?

A

A vulnerability is an aspect of a business that can be exploited to compromise a system’s CIA.

A threat is an actor that might exploit a vulnerability.

A risk is a possibility of losing something valuable.

2
Q

A _________ is an aspect of a business that can be exploited to compromise a system’s CIA.

A

Vulnerability

3
Q

A _________ is an actor that might exploit a vulnerability.

A

Threat

4
Q

A _________ is a possibility of losing something valuable.

A

Risk

5
Q

Using the results of risk analysis to create a plan for preventing likely risks is called what?

A

Risk Management

6
Q

Understanding what risks face an organization, which are most severe, and which are most likely is called what?

A

Risk Analysis

7
Q

Determining which attacks an organization is most likely to experience, who is most likely to launch them, and what actions can be done to prevent them is called what?

A

Threat Modeling

8
Q

What is a business’s primary objective?

A

Profit

9
Q

_____________ and _____________ directly contribute to business profit.

A

Risk analysis and management and threat modeling directly contribute to business profit.

10
Q

_____________ helps businesses understand how much they’ll need to spend in the event of a given security breach.

A

Risk Analysis

11
Q

_____________ results are shared upwards to the executives who make the major business decisions.

A

Threat Modeling

12
Q

When possible, risks are measured ___________ in financial figures, which businesses use to prioritize threats.

A

Quantitatively

13
Q

What does PASTA stand for?

A

It’s a Threat Modeling Methodology:

Process for Attack Simulation & Threat Analysis

14
Q

What does OWASP stand for?

A

Spoofing, Tampering, Repudiation, Information Disclosure, DoS (Denial of Service), Elevation of Privilege

15
Q

What are the steps involved in the OWASP Threat Modeling process?

A
  1. Determine assessment scope
  2. Identify threat agents
  3. Identify potential attacks
  4. Identify exploitable vulnerabilities
  5. Prioritize identified risks
  6. Mitigate risks
16
Q

What is step 1 of the OWASP Threat Modeling process?

A

Determine Scope:

List the assets under consideration, determine their value, and define objectives for your threat modeling assessment.

17
Q

What is step 2 of the OWASP Threat Modeling process?

A

Identify Threat Agents:

Determine which attackers would be interested in the relevant assets.

18
Q

True or false:

Threat agents include a person or group that can produce a threat, whether or not that person or group is malicious.

A

True

19
Q

What is step 3 of the OWASP Threat Modeling process?

A

Identify Potential Attacks:

Identify the attacks each agent is likely to perform.

20
Q

_________ attackers use different modes of attack, and _________ attacks mean different risks and _________ considerations.

A

Different attackers use different modes of attack, and different attacks mean different risks and different considerations.

21
Q

If a client’s web application is taken offline by a DoS attack, the severity of the risk depends on which threat agent is responsible. What would be the difference between script kiddies and APTs?

A

Script kiddies might DoS a server simply to cause trouble.

An APT might DoS a server as a smokescreen to steal valuable data.

22
Q

___________ is the process of prioritizing threats identified in steps 1-4 based on their potential impact and likelihood.

A

Risk Analysis

23
Q

___________ is evaluating risk based on intangible, unmeasurable factors.

A

Qualitative Analysis

24
Q

Evaluating each risk based on its measured likelihood and impact is called what?

A

Quantitative Analysis

○ Likelihood: The probability that an event will take place.

○ Impact: The measure of the damage done if a risk takes place.

25
Q

When likelihood and impact cannot be accurately measured, you should do what type of analysis?

A

Quantitative Analysis

26
Q

_________ is used when a complex evaluation of cost vs. benefit is unnecessary. What’s an example?

A

Qualitative Risk Analysis

When a company is deciding between an inexpensive VPN service that logs traffic on its servers for internal use, and a more expensive service that does not keep any logs.

A bakery can use qualitative analysis to decide on an inexpensive VPN, since it shouldn’t matter much if they’re logging non-confidential information.

27
Q

You should use a ___________ in circumstances where intuitive analysis is insufficient.

A

Quantitative Risk Analysis

28
Q

To perform a ____________, analysts start by calculating how much it will cost if an asset is breached.

A

Quantitative Risk Analysis

29
Q

To perform a quantitative risk analysis, first, quantify _________ and _________.

A

First, quantify asset value and exposure factor.

30
Q

What does SLE stand for and what is it?

A

Single Loss Expectancy (SLE)

SLE = AV x EF

The estimated cost of the risk occurring on a given asset.

31
Q

What does ARO stand for and what is it?

A

Annual Rate of Occurrence (ARO)

Estimated number of times the risk is likely to occur in a given year.

32
Q

What does ALE stand for and what is it?

A

Annual Loss Expectancy (ALE)

Estimated cost of a risk reoccurring in a given year.

33
Q

What do AV and EF stand for?

A

AV = Asset Value

EF = Exposure Factor

34
Q

The organization has the resources to respond to the breach immediately, without affecting day-to-day operations or revenue. What loss expectancy category is this?

A

Marginal

35
Q

The organization has the resources to respond to the breach, but may not be able to do so immediately, and may experience interruptions to operations. What loss expectancy category is this?

A

Notable

36
Q

The organization experiences serious interruptions to operations, and doesn’t have the monetary and/or personnel resources to respond effectively. It may have to defer revenue, delay project timelines, reassign employees, and/or hire consultants to address the issue. What loss expectancy category is this?

A

Severe

37
Q

The organization suffers severe, lasting damage to its reputation and/or infrastructure. The future of the business is threatened by reputational damage, bankruptcy, being found in contempt of federal regulations, or other issues. What loss expectancy category is this?

A

Catastrophic