Chapter 1: Measuring and Weighing Risk

Question 1

Residual Risk

Answer 1

A risk that must remain for some reason

Question 2

BIA

Answer 2

• Business Impact Analysis

- Outlines how to respond to various situations

Question 3

Steps to Develop an Overview of Risk

Answer 3

1) Interview the department heads
2) Evaluate the network infrastructure
3) Perform a physical assessment

Question 4

Annual Loss Expectancy (ALE)

Answer 4

A monetary measure of how much loss you could expect in a year.

Question 5

Single Loss Expectancy (SLE)

Answer 5

How much you expect to lose at any one time.

Question 6

Two components of SLE

Answer 6

1) Asset Value (AV)

2) Exposure Factor (EF)

Question 7

Annualized Rate of Occurrence (ARO)

Answer 7

Likelihood of an event occurring within a year

Question 8

Risk Assessment Formula

Answer 8

SLE x ARO = ALE

Question 9

Qualitative Risk Assessment

Answer 9

Opinion-based and subjective

Question 10

Quantitative Risk Assessment

Answer 10

Cost-based (money) and objective

Question 11

Likelihood

Answer 11

A score from 1-10 assessing the likelihood of an event

Question 12

Threat Vector

Answer 12

The way in which an attacker poses a threat.

Question 13

Mean Time Between Failures (MTBF)

Answer 13

Lifetime of a component before it must be replaced or repaired

Question 14

Mean Time To Failure (MTTF)

Answer 14

The average time to failure for a nonrepairable system.

Question 15

Mean Time To Restore (MTTR)

Answer 15

How long it takes to repair something once it fails.

Question 16

Recovery Time Objective (RTO)

Answer 16

Max time that a process is allowed to be down before negative effects begin happening.

Question 17

Recovery Point Objective (RPO)

Answer 17

The point the system needs to be restored to

Question 18

Risk Avoidance

Answer 18

Identifying a risk and deciding to not engage in the actions associated with that risk

Question 19

Risk Transference

Answer 19

Share some of the burden of risk with someone else, such as an insurance company.

Question 20

Risk Mitigation

Answer 20

Taking steps to reduce risk

Question 21

Data Loss Prevention (DLP) system

Answer 21

Makes sure key content is not removed

MyDLP

Question 22

Risk Deterrence

Answer 22

Telling attackers you’ll fuck em up if they attack you

Question 23

Platform as a Service (PaaS)

Answer 23

Vendors allow apps to be created and run on their infrastructure

Question 24

Software as a Service (SaaS)

Answer 24

Applications used over the internet, e.g. GoogleMaps

Question 25

Infrastructure as a Service (IaaS)

Answer 25

Utilizes virtualization, and clients pay an outsourcer for resources

Question 26

Scope Statement

Answer 26

What a policy intends to accomplish and which documents, laws, and practices the policy addresses.

Question 27

Policy Overview Statement

Answer 27

Provides the goal of the policy, why it’s important, and how to comply with it.

Question 28

Policy Statement

Answer 28

The actual content of the policy

Question 29

Accountability Statement

Answer 29

Who is responsible for ensuring the policy is enforced.

Question 30

Five Key Aspects to Standards Documents

Answer 30

1) Scope and Purpose
2) Roles and Responsibilities
3) Reference Documents
4) Performance Criteria
5) Maintenance and Administrative Requirements

Question 31

Four Key Aspects to Guidelines Documents

Answer 31

1) Scope and Purpose
2) Roles and Responsibilities
3) Guideline Statements
4) Operational Considerations

Question 32

Separation of Duties

Answer 32

Requiring multiple people to take part in completing a process so as to minimize errors and malpractice.

Question 33

Privacy Policies

Answer 33

Outlines how data collected is secured.

Question 34

Acceptable Use Policies (AUP)

Answer 34

How the employees can use company systems and resources.

Question 35

Pod Slurping

Answer 35

Plugging directly into a machine (like with a USB) to bypass security and download or upload stuff

Question 36

Mandatory Vacation Policy

Answer 36

Requires all users to take time away from work

Question 37

Job Rotation Policy

Answer 37

Defines intervals at which employees must rotate through positions so that a company does not become too dependent on one person.

Question 38

False Positives

Answer 38

Events that aren’t actually incidents

Question 39

False Negatives

Answer 39

When you are not alerted to a situation to which you should be alerted

Question 40

Clustering

Answer 40

Using multiple servers to load balance and create redundancy.

Question 41

Which power redundancy device should be used for short-term outages? For long term?

Answer 41

Uninterruptible Power Supply (UPS)

Backup Generator

Question 42

Redundant Array of Independent Disks

Answer 42

Uses multiple disks to provide fault tolerance

Question 43

Tabletop Exercise

Answer 43

Involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.

Question 44

3 Types of Controls

Answer 44

1) Technical
2) Management
3) Operational

Question 45

RAID Level 0

Answer 45

• Disk Striping
• Uses multiple drives and maps them together as a single physical drive.
• One fails, unusable

Question 46

RAID Level 1

Answer 46

• Disk Mirroring

- Two disks with exact copies of all the info

Question 47

RAID Level 3

Answer 47

• Disk Striping with a Parity Disk

- Parity Info is kept on a separate disk for recovery

Question 48

Parity Information

Answer 48

A value based on the arithmetic value of the data binary.

Question 49

RAID Level 5

Answer 49

• Disk Striping with Parity

- Parity info spread across all disks instead of a single disk

Question 50

Change Management

Answer 50

The structured approach that is followed to secure a company’s assets