5.0 - Risk Management

Question 1

What are the steps in the Incident Response Process?

Answer 1

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Question 2

What happens in the Preparation stage?

Answer 2

• this phase occurs before an incident and provides guidance to personnel on how to respond to an incident
• includes establishing and maintaining an incident response plan and incident response procedures
• includes implementing security controls to prevent malware infections

Question 3

What happens in the Identification stage?

Answer 3

• all events aren’t incidents so when a potential incident is reported, personnel take the time to verify it’s an actual incident
• if the incident is verified, personnel might try to isolate the system based on established procedures

Question 4

What happens in the Containment stage?

Answer 4

• after positively identifying an incident, security personnel attempt to isolate or contain it
• this might include quarantining a device or removing it from the network
• the goal of isolation is to prevent the problem from spreading to other areas or other computers in your network, or to simply stop the attack

Question 5

What happens in the Eradication stage?

Answer 5

• after containing the incident, it’s often necessary to remove components from the attack
• it’s important to remove all remnants of malware on all hosts within the organization and to delete or disable all affected accounts

Question 6

What happens in the Recovery stage?

Answer 6

• during the recovery process, administrators return all affected systems to normal operations and verify they are operating normally
• could include rebuilding systems from images, restoring data from backups, and installing updates
• if administrators identify vulnerabilities, steps are taken to remove the vulnerabilities

Question 7

What happens in the Lessons Learned stage?

Answer 7

• after handling an incident, security personnel perform a lessons learned review
• the organization might modify procedures, or add additional controls to prevent a re-occurrence of the incident
• review might indicate a need to provide additional training to users or indicate a need to update the incident response policy

Question 8

What is the order of volatility?

Answer 8

1. Data in cache memory, including the processor cache and hard drive cache
2. Data in RAM, including system and network processes
3. A paging file (sometimes called a swap file) on the system disk drive
4. Data stored on local disk drives
5. Logs stored on remote systems
6. Archive media

Question 9

What is a BPA?

Answer 9

• business partners agreement
• a written agreement that details the relationship between business partners, including their obligations toward the partnership
• typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership
• can help settle conflicts when they arise

Question 10

What is an SLA?

Answer 10

• service level agreement
• an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels
• organizations use SLAs when contracting services from service providers such as ISPs
• many SLAs include a monetary penalty if the vendor is unable to meet the agreed-upon expectations

Question 11

What is an ISA?

Answer 11

• interconnection security agreement
• specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities
• may stipulate certain types of encryption for all data-in-transit

Question 12

What is an MOU/MOA?

Answer 12

• memorandum of understanding or memorandum of agreement
• expresses an understanding between two or more parties indicating their intention to work together toward a common goal
• often used to support an ISA by defining the purpose of the ISA and the responsibilities of both parties but doesn’t include any technical details or monetary penalties

Question 13

What is an RTO?

Answer 13

• recovery time objective
• identifies the maximum amount of time it should take to restore a system after an outage, typically for mission-essential functions and critical systems
• derived from the maximum allowable outage time identified in the BIA

Question 14

What is a BIA?

Answer 14

• business impact analysis
• a process that helps an organization identify critical systems and components that are essential to the organizations success

Question 15

What is an RPO?

Answer 15

• recovery point objective
• identifies a point in time where data loss is acceptable
• refers to the amount of data you can afford to lose
• an RPO of one week means administrators would ensure they have at least weekly backups

Question 16

What is an SLE?

Answer 16

• single loss expectancy
• the monetary value of any single loss
• it is used to measure risk with ALE and ARO in a quantitative risk assessment
• calculation is SLE = ALE / ARO

Question 17

What is an ALE?

Answer 17

• annual loss expectancy
• the expected loss for a year
• it is used to measure risk with ARO and SLE in a quantitative risk assessment
• the calculation is ALE = SLE x ARO

Question 18

What is an ARO?

Answer 18

• annual rate of occurrence
• the number of times a loss is expected to occur in a year
• it is used to measure risk with ALE and SLE in a quantitative risk assessment
• the calculation is ARO = ALE / SLE

Question 19

What are the risk response techniques?

Answer 19

1. Avoid
2. Transfer
3. Mitigate
4. Accept

Question 20

What is risk Avoidance?

Answer 20

• an organization could avoid a risk by not providing a service or not participating in a risky activity
• an organization can avoid a risky application by purchasing a difference application that doesn’t require opening any additional firewall ports

Question 21

What is risk Transfer?

Answer 21

• an organization transfers the risk to another entity, or at least shares the risk with another entity
• the most common method is by purchasing insurance
• another method is by outsourcing, or contracting a third party

Question 22

What is risk Mitigation?

Answer 22

• an organization implements controls to reduce risks
• these controls either reduce the vulnerabilities or reduce the impact of the threat
• up-to-date antivirus software mitigates the risks of malware
• a security guard can reduce the risk of an attacker accessing a secure area

Question 23

What is risk Acceptance?

Answer 23

• when the cost of a control outweighs the risk, an organization will accept the risk
• spending $100 to protect a $15 mouse doesn’t make sense so the organization accepts the risk of someone stealing a mouse

Question 24

What is a privacy impact assessment?

Answer 24

• attempts to identify potential risks related to the PII be reviewing how the information is handled
• helps identify and reduce risks related to potential loss of the PII

Question 25

What is a privacy threshold assessment?

Answer 25

- primary purpose is to help the organization identify PII within a system - typically completed by the system owner or data owner by answering a simple questionnaire