Chapter 1 Risk Management Flashcards

1
Q

What does CASB stand for?

A

CASB stands for Cloud Access Security Broker.

2
Q

How does the speaker describe CASBs?

A

The speaker describes CASBs as security policy enforcement points that ensure the safety and security of cloud-based resources by interposing enterprise security policies.

3
Q

What is an asset in the context of risk management?

A

An asset refers to valuable elements within an IT infrastructure, such as data, equipment, people, and services.

4
Q

How is likelihood defined in risk management?

A

Likelihood refers to the probability of an event occurring over time in relation to an IT infrastructure.

5
Q

Who are threat actors?

A

Threat actors are individuals, organizations, or entities that have the potential to engage in harmful activities or actions against an IT infrastructure.

6
Q

What are some examples of threat actors mentioned in the video?

A

Some examples of threat actors mentioned include hackers, hacktivists, script kiddies, insiders, competitors, shadow IT, criminal syndicates, and state actors.

7
Q

What is vulnerability in the context of risk management?

A

Vulnerability refers to weaknesses or flaws in the protection of an asset within an IT infrastructure.

8
Q

How is remediation related to risk management?

A

Remediation involves taking actions to reduce or eliminate threats by addressing vulnerabilities and implementing appropriate security measures.

9
Q

What does the CIA Security Triad stand for?

A

The CIA Security Triad stands for Confidentiality, Integrity, and Availability.

10
Q

How is vulnerability defined in the context of risk management?

A

Vulnerability refers to weaknesses or flaws in the protection of an asset within an IT infrastructure.

11
Q

What are some examples of attack vectors?

A

Weak configurations, open firewall ports, lack of security awareness among end-users, lack of multi-factor authentication (MFA), missing patches, and infected USB thumb drives.

12
Q

What is a supply-chain attack?

A

A supply-chain attack refers to an attack that targets the process or entities involved in delivering a product or service, such as third-party suppliers or contractors. Organizations may use right-to-audit clauses in contractual agreements to ensure compliance with laws, regulations, or data security standards.

13
Q

How can Microsoft Azure’s Security Center help identify vulnerabilities?

A

Microsoft Azure’s Security Center automatically monitors cloud resources and provides recommendations for addressing vulnerabilities. These recommendations can help organizations prioritize and implement security measures to protect their infrastructure.

14
Q

Why is threat intelligence important in cybersecurity?

A

Threat intelligence is important to stay informed about the latest threats, prevent attacks, and enable proactive incident response.

15
Q

What is the CIA Security Triad and what does it stand for?

A

The CIA Security Triad stands for Confidentiality, Integrity, and Availability, which are key elements in cybersecurity.

16
Q

What are some examples of threat intelligence sources?

A

Threat intelligence sources include closed or proprietary information services, open-source intelligence (OSINT), Common Vulnerabilities and Exposures (CVEs), and the Dark Web.

17
Q

How is threat intelligence shared among different software programs and enterprises?

A

Threat intelligence is shared through Automated Indicator Sharing (AIS) using the Structured Threat Information eXpression (STIX) format and the Trusted Automated eXchange of Indicator Information (TAXII) standard.

18
Q

How can graphical representations and maps help with threat intelligence?

A

Graphical representations and maps provide visualizations of threats, such as live geographical maps showing malware activity, which help in understanding the geographic scope and trends of attacks.

19
Q

What are some examples of risk vectors in IT security?

A

Examples include mission-critical systems, data, third-party access, and physical security measures.

20
Q

Name some frameworks and standards used in risk management.

A

NIST RMF, CIS, and ISO/IEC standards are commonly used in risk management.

21
Q

What is the purpose of NIST SP 800-30?

A

NIST SP 800-30 provides a guide for conducting risk assessments.

22
Q

What are some data privacy standards?

A

GDPR, HIPAA, and PCI DSS are data privacy standards that protect personal and sensitive information.

23
Q

How do security policies contribute to risk management?

A

Security policies, such as acceptable use policies and access control policies, help mitigate risks within organizations.

24
Q

What is the purpose of security controls?

A

Security controls mitigate threats and protect against vulnerabilities.

25
Q

Name different categories of security controls.

A

Managerial/administrative controls, operational controls, technical controls, physical controls, detective controls, corrective controls, and compensating controls.

26
Q

Give an example of a compensating control.

A

Network isolation for IoT devices that lack strong security measures.

27
Q

What is the Cloud Controls Matrix (CCM) used for?

A

The CCM provides guidelines for applying security controls in cloud computing environments.

28
Q

What is the purpose of PCI DSS controls?

A

PCI DSS controls protect cardholder information and ensure compliance with payment card industry standards.

29
Q

How can security controls mitigate the risk of online banking credential theft?

A

User security awareness, antivirus software, and spam filters are examples of security controls that can help mitigate the risk of phishing attacks and protect banking credentials.

30
Q

What is the purpose of a risk assessment?

A

The purpose of a risk assessment is to prioritize threats against assets and determine appropriate risk management strategies.

31
Q

What are examples of targets for a risk assessment?

A

Targets can include individual servers, legacy systems, theft of intellectual property, and software licensing compliance.

32
Q

What are the key steps in conducting a risk assessment?

A

The key steps include awareness of cybersecurity threats, evaluating security controls, implementing controls, and continuous monitoring of their efficacy.

33
Q

What are examples of different types of risks to consider?

A

Environmental risks, person-made risks (e.g., terrorism, sabotage), internal risks (e.g., insider threats, malware infections), and external risks (e.g., DDoS attacks).

34
Q

What are the categories of risk treatments?

A

The categories are risk mitigation/reduction, risk transference/sharing, risk avoidance, and risk acceptance.

35
Q

Explain the difference between risk acceptance and risk mitigation.

A

Risk acceptance means accepting the risk without implementing a security control, while risk mitigation involves implementing controls to reduce or control the risk.

36
Q

What is the purpose of a quantitative risk assessment?

A

The purpose of a quantitative risk assessment is to determine the financial impact of a risk and evaluate whether the cost of implementing security controls is justified.

37
Q

What are the components needed to calculate the Single Loss Expectancy (SLE)?

A

The components needed are the asset value (AV) and the exposure factor (EF). The SLE is calculated by multiplying the asset value by the exposure factor.

38
Q

What is the Annual Rate of Occurrence (ARO) in a quantitative risk assessment?

A

The ARO represents the expected number of yearly occurrences of a specific risk event, such as downtime or system failure.

39
Q

How is the Annualized Loss Expectancy (ALE) calculated?

A

The ALE is calculated by multiplying the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO).

40
Q

Why is the Annualized Loss Expectancy (ALE) important in risk assessments?

A

The ALE helps determine the financial impact of multiple occurrences of a risk event and provides a basis for comparing the cost of security controls against potential losses.

41
Q

What is a qualitative risk assessment?

A

A qualitative risk assessment is an assessment based on subjective opinion, where risks are evaluated using severity ratings, likelihood of occurrence, and impact levels rather than specific numerical values.

42
Q

What is a risk register?

A

A risk register is a centralized list of risks within an organization or project, containing information such as severity level ratings, likelihood, impact, owner, and any mitigating controls in place.

43
Q

What is a risk heat map?

A

A risk heat map is a visual representation of risks using colors to indicate the level of risk, typically based on severity levels. It helps identify high-risk areas and prioritize risk management efforts.

44
Q

How does a risk matrix differ from a risk heat map?

A

A risk matrix is similar to a risk heat map but without the use of colors. It is a graphical representation of risks based on severity levels, providing a comprehensive view of risks in a centralized location.

45
Q

What is the main difference between qualitative and quantitative risk assessments?

A

Qualitative risk assessments are subjective and based on severity ratings, while quantitative risk assessments involve numerical values and calculations. Both approaches are important for assessing and managing risks effectively.

46
Q

What is data classification?

A

Data classification is the process of categorizing data based on its nature and sensitivity.

47
Q

What are examples of data classification standards?

A

Examples include government/military classification, PII, PHI, trade secrets, public/private information, and financial information.

48
Q

Why is data classification important?

A

It helps determine data protection measures, comply with regulations, and prevent unauthorized access.

49
Q

What are data privacy standards?

A

Examples include HIPAA, PCI DSS, and GDPR.

50
Q

What are data roles and responsibilities?

A

Roles like data owner, controller, processor, custodian, and DPO have specific responsibilities in managing and protecting data.