Chapter 1 Risk Management

Question 1

What does CASB stand for?

Answer 1

CASB stands for Cloud Access Security Broker.

Question 2

How does the speaker describe CASBs?

Answer 2

The speaker describes CASBs as security policy enforcement points that ensure the safety and security of cloud-based resources by interjecting enterprise security policies.

Question 3

What is an asset in the context of risk management?

Answer 3

An asset refers to valuable elements within an IT infrastructure, such as data, equipment, people, and services.

Question 4

How is likelihood defined in risk management?

Answer 4

Likelihood refers to the probability of an event occurring over time in relation to an IT infrastructure.

Question 5

Who are threat actors?

Answer 5

Threat actors are individuals, organizations, or entities that have the potential to engage in harmful activities or actions against an IT infrastructure.

Question 6

What are some examples of threat actors mentioned in the video?

Answer 6

Some examples of threat actors mentioned include hackers, hacktivists, script kiddies, insiders, competitors, shadow IT, criminal syndicates, and state actors.

Question 7

What is vulnerability in the context of risk management?

Answer 7

Vulnerability refers to weaknesses or flaws in the protection of an asset within an IT infrastructure.

Question 8

How is remediation related to risk management?

Answer 8

Remediation involves taking actions to reduce or eliminate threats by addressing vulnerabilities and implementing appropriate security measures.

Question 9

What does the CIA Security Triad stand for?

Answer 9

The CIA Security Triad stands for Confidentiality, Integrity, and Availability.

Question 10

How is vulnerability defined in the context of risk management?

Answer 10

Vulnerability refers to weaknesses or flaws in the protection of an asset within an IT infrastructure.

Question 11

What are some examples of attack vectors

Answer 11

weak configurations, open firewall ports, lack of security awareness among end-users, lack of multi-factor authentication (MFA), missing patches, and infected USB thumb drives.

Question 12

What is a supply-chain attack?

Answer 12

A supply-chain attack refers to an attack that targets the process or entities involved in delivering a product or service, such as third-party suppliers or contractors. Organizations may use right-to-audit clauses in contractual agreements to ensure compliance with laws, regulations, or data security standards.

Question 13

How can Microsoft Azure’s Security Center help identify vulnerabilities?

Answer 13

Microsoft Azure’s Security Center automatically monitors cloud resources and provides recommendations for addressing vulnerabilities. These recommendations can help organizations prioritize and implement security measures to protect their infrastructure.

Question 14

Why is threat intelligence important in cybersecurity?

Answer 14

Threat intelligence is important to stay informed about the latest threats, prevent attacks, and enable proactive incident response.

Question 15

What is the CIA Security Triad and what does it stand for?

Answer 15

The CIA Security Triad stands for Confidentiality, Integrity, and Availability, which are key elements in cybersecurity.

Question 16

What are some examples of threat intelligence sources?

Answer 16

Threat intelligence sources include closed or proprietary information services, open-source intelligence (OSINT), Common Vulnerabilities and Exposures (CVEs), and the Dark Web.

Question 17

How is threat intelligence shared among different software programs and enterprises?

Answer 17

Threat intelligence is shared through Automated Indicator Sharing (AIS) using the Structured Threat Information eXpression (STIX) format and the Trusted Automated eXchange of Indicator Information (TAXII) standard.

Question 18

How can graphical representations and maps help with threat intelligence?

Answer 18

Graphical representations and maps provide visualizations of threats, such as live geographical maps showing malware activity, which help in understanding the geographic scope and trends of attacks.

Question 19

What are some examples of risk vectors in IT security?

Answer 19

Examples include mission-critical systems, data, third-party access, and physical security measures.

Question 20

Name some frameworks and standards used in risk management.

Answer 20

NIST RMF, CIS, and ISO/IEC standards are commonly used in risk management.

Question 21

What is the purpose of NIST SP 800-30?

Answer 21

NIST SP 800-30 provides a guide for conducting risk assessments.

Question 22

What are some data privacy standards?

Answer 22

GDPR, HIPAA, and PCI DSS are data privacy standards that protect personal and sensitive information.

Question 23

How do security policies contribute to risk management?

Answer 23

Security policies, such as acceptable use policies and access control policies, help mitigate risks within organizations.

Question 24

What is the purpose of security controls?

Answer 24

Security controls mitigate threats and protect against vulnerabilities.

Question 25

Name different categories of security controls

Answer 25

Managerial/administrative controls, operational controls, technical controls, physical controls, detective controls, corrective controls, and compensating controls.

Question 26

Give an example of a compensating control.

Answer 26

Network isolation for IoT devices that lack strong security measures.

Question 27

What is the Cloud Controls Matrix (CCM) used for?

Answer 27

The CCM provides guidelines for applying security controls in cloud computing environments.

Question 28

What is the purpose of PCI DSS controls?

Answer 28

PCI DSS controls protect cardholder information and ensure compliance with payment card industry standards.

Question 29

How can security controls mitigate the risk of online banking credential theft?

Answer 29

User security awareness, antivirus software, and spam filters are examples of security controls that can help mitigate the risk of phishing attacks and protect banking credentials.

Question 30

What is the purpose of a risk assessment?

Answer 30

The purpose of a risk assessment is to prioritize threats against assets and determine appropriate risk management strategies.

Question 31

What are examples of targets for a risk assessment?

Answer 31

Targets can include individual servers, legacy systems, theft of intellectual property, and software licensing compliance.

Question 32

What are the key steps in conducting a risk assessment?

Answer 32

The key steps include awareness of cybersecurity threats, evaluating security controls, implementing controls, and continuous monitoring of their efficacy.

Question 33

What are examples of different types of risks to consider?

Answer 33

Environmental risks, person-made risks (e.g., terrorism, sabotage), internal risks (e.g., insider threats, malware infections), and external risks (e.g., DDoS attacks).

Question 34

What are the categories of risk treatments?

Answer 34

The categories are risk mitigation/reduction, risk transference/sharing, risk avoidance, and risk acceptance.

Question 35

Explain the difference between risk acceptance and risk mitigation.

Answer 35

Risk acceptance means accepting the risk without implementing a security control, while risk mitigation involves implementing controls to reduce or control the risk.

Question 36

What is the purpose of a quantitative risk assessment?

Answer 36

The purpose of a quantitative risk assessment is to determine the financial impact of a risk and evaluate whether the cost of implementing security controls is justified.

Question 37

What are the components needed to calculate the Single Loss Expectancy (SLE)?

Answer 37

The components needed are the asset value (AV) and the exposure factor (EF). The SLE is calculated by multiplying the asset value by the exposure factor.

Question 38

What is the Annual Rate of Occurrence (ARO) in a quantitative risk assessment?

Answer 38

The ARO represents the expected number of yearly occurrences of a specific risk event, such as downtime or system failure.

Question 39

How is the Annualized Loss Expectancy (ALE) calculated?

Answer 39

The ALE is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).

Question 40

Why is the Annualized Loss Expectancy (ALE) important in risk assessments?

Answer 40

The ALE helps determine the financial impact of multiple occurrences of a risk event and provides a basis for comparing the cost of security controls against potential losses.

Question 41

What is a qualitative risk assessment?

Answer 41

A qualitative risk assessment is an assessment based on subjective opinion, where risks are evaluated using severity ratings, likelihood of occurrence, and impact levels rather than specific numerical values.

Question 42

What is a risk register?

Answer 42

A risk register is a centralized list of risks within an organization or project, containing information such as severity level ratings, likelihood, impact, owner, and any mitigating controls in place.

Question 43

What is a risk heat map?

Answer 43

A risk heat map is a visual representation of risks using colors to indicate the level of risk, typically based on severity levels. It helps identify high-risk areas and prioritize risk management efforts.

Question 44

How does a risk matrix differ from a risk heat map?

Answer 44

A risk matrix is similar to a risk heat map but without the use of colors. It is a graphical representation of risks based on severity levels, providing a comprehensive view of risks in a centralized location.

Question 45

What is the main difference between qualitative and quantitative risk assessments?

Answer 45

Qualitative risk assessments are subjective and based on severity ratings, while quantitative risk assessments involve numerical values and calculations. Both approaches are important for assessing and managing risks effectively.

Question 46

What is data classification?

Answer 46

Data classification is the process of categorizing data based on its nature and sensitivity.

Question 47

What are examples of data classification standards?

Answer 47

Examples include government/military classification, PII, PHI, trade secrets, public/private information, and financial information.

Question 48

Why is data classification important?

Answer 48

It helps determine data protection measures, comply with regulations, and prevent unauthorized access.

Question 49

What are data privacy standards?

Answer 49

Examples include HIPAA, PCI DSS, and GDPR.

Question 50

What are data rules and responsibilities?

Answer 50

Roles like data owner, controller, processor, custodian, and DPO have specific responsibilities in managing and protecting data.