Chapter 2: IT Risk Assessment Flashcards

1
Q

How does risk identification begin?

A

By documenting the assets of the organization and determining the value of an asset

2
Q

Risk identification also includes…

A

Documenting threats that could pose a risk of damage to the organization

3
Q

What is risk assessment?

A

A process used to identify and evaluate risk and its potential effects

4
Q

Statistical inference that uses prior distribution data to determine the probability of a result

A

Bayesian Analysis

5
Q

Provides a diagram to communicate risk assessment results by displaying links between possible causes, controls, and consequences. The cause of the event is depicted in the middle of the diagram and triggers, controls, mitigation strategies, and consequences branch off the knot.

A

Bow Tie Analysis

6
Q

The purpose of this is to gather a large group of types of potential risk or ideas

A

Brainstorming/ Structured Interview

7
Q

The process to determine the impact of losing the support of any resource

A

Business Impact Analysis

8
Q

Combines the techniques of fault tree analysis and event tree analysis and allows for time delays to be considered

A

Cause and Consequence Analysis

9
Q

Looks at the factors that contributed to a certain effect and groups the causes into categories which are then displayed using a diagram

A

Cause-and-effect Analysis

10
Q

List of potential or typical threats or other considerations that should be of interest to the organization

A

Checklists

11
Q

Uses expert opinion which is often received using two or more rounds of questionnaires

A

Delphi Method

12
Q

A forward, bottom up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes

A

Event Tree Analysis

13
Q

Starts with an event and examines possible means for the event to occur and displays these results in a logical tree diagram

A

Fault Tree Analysis

14
Q

Originally developed for the food safety industry for proactively preventing risk and assuring quality, reliability, and safety of processes

A

Hazard Analysis and Critical Control Points (HACCP)

15
Q

A structured means of identifying and evaluating potential risk by looking at possible deviations from existing processes

A

Hazard and Operability Studies (HAZOP)

16
Q

Examines the effect of human error on systems and their performance

A

Human Reliability Analysis (HRA)

17
Q

A semiquantitative risk analysis technique that uses aspects of HAZOP data to determine risk associated with risk events. Also looks at controls and their effectiveness.

A

Layers of Protection Analysis (LOPA)

18
Q

Used to analyze systems that can exist in multiple states and assumes that future events are independent of past events

A

Markov Analysis

19
Q

A simulation used to establish the aggregate variation in a system resulting from variations in the system, for a number of inputs, where each input has a defined distribution and the inputs are related to the output via defined relationships

A

Monte Carlo Analysis

20
Q

Looks at what threats or hazards may harm an organization’s activities, facilities, or systems

A

Preliminary Hazard Analysis

21
Q

Analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment

A

Reliability-centered Maintenance

22
Q

Examines possible future scenarios that were identified during risk identification

A

Scenario Analysis

23
Q

Used to identify design errors or sneak conditions: latent hardware, software, or integrated conditions that may cause an unwanted event to occur

A

Sneak Circuit Analysis

24
Q

Uses structured brainstorming to identify risk, typically within a facilitated workshop

A

Structured “What If” Analysis

25
Q

What are contributing factors in risk prevention, detection, and response?

A

Structure and culture of the organization

26
Q

The risk management function should have an enterprise wide mandate that

A

Allows the risk management team to review and provide input into all business processes

27
Q

The risk management function should participate in…

A

Incident management activities and be responsible for investigating incidents to ensure that all lessons are learned

28
Q

Policies provide direction regarding…

A

Acceptable and unacceptable behavior and actions to the organization and send a clear message from senior management regarding the desired approach to the protection of assets and the culture of the organization

29
Q

Policies give authority to the…

A

Staff of risk management, audit, and security teams of the organization to perform their job responsibilities

30
Q

High level policy is issued by

A

Senior management as a way to address the objectives of the organization’s mission and vision statement

31
Q

High level policy (aka overarching security policy) should require compliance with…

A

Laws and best practices, and state the goal of managing risk through protecting the organization’s assets

32
Q

The next level of policies after the high level policy is…

A

Technical and functional

33
Q

Where policies are out of date, unenforced, or incomplete, the risk practitioner should…

A

Underline the vulnerability and the risk it poses to the organization

34
Q

A mandatory requirement, code of practice, or specification approved by external standards organizations

A

Standard

35
Q

A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards

A

Procedures

36
Q

A lack of standards and procedures will result in…

A

Undependable, inconsistent operations and may result in risk due to not detecting a risk event, noncompliance, or difficulty preventing an attack

37
Q

What is risk identification?

A

The process of determining and documenting risk that an enterprise faces.

38
Q

Some of the considerations that affect risk assessment related to technology:

A
Age of equipment
Expertise available for maintenance
Variety of vendors/suppliers
Documentation of systems
Availability of replacement parts
Ability to test systems or equipment
Operating environment and user expertise
Ability to patch/mitigate vulnerabilities
39
Q

A key factor in the maturation of the processes and practices of an organization is the development of…

A

An enterprisewide approach to risk management, architecture, and business continuity

40
Q

A lack of architecture often results in:

A
Controls that overlap
Controls that conflict with one another
Unidentified single points of failure
Unidentified methods to bypass controls
Inadequate network isolation
41
Q

Controls are implemented to…

A

Mitigate risk or comply with regulations

42
Q

An alternate form of control that corrects a deficiency or weakness in the control structure of the enterprise; may be considered when an entity cannot meet a requirement explicitly, as stated, due to legitimate technical or business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls

A

Compensating controls

43
Q

Remediate errors, omissions, and unauthorized uses and intrusions, once they are detected

A

Corrective controls

44
Q

Warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums

A

Detective controls

45
Q

Provide warnings that can deter potential compromise, such as warning banners on login screens or offering rewards for the arrest of hackers

A

Deterrent controls

46
Q

Mandate the behavior of an entity by specifying what actions are, or are not, permitted

A

Directive control

47
Q

Inhibit attempts to violate security and include such controls as access control enforcement, encryption, and authentication

A

Preventive controls

48
Q

The risk is much more serious if:

A
Controls are inadequate.
The wrong controls are being used.
Controls are ignored or bypassed.
Controls are poorly maintained.
Logs or control data are not reviewed.
Controls are not tested.
Changes to configuration of controls are not managed.
Controls can be physically accessed and altered.
49
Q

The condition of the program at a point in time

A

Current state

50
Q

Used to determine the state of IT risk on a regular basis and with scheduled reporting to management

A

Regular reviews of IT risk

51
Q

An excellent source of analysis data and recommendations which are often related to the improvement of managerial, technical, and operational controls

A

Audits

52
Q

The risk practitioner must test the performance of the control to ensure that it is…

A

Properly installed, operating correctly, and providing the desired result

53
Q

Testing the control includes…

A

Testing both the technical and nontechnical aspects of the control

54
Q

What are the nontechnical aspects of a control?

A

Rules governing the operation of the control
Procedures used in monitoring and operating the control
Proficiency of the staff responsible for the operation of the control

55
Q

A thorough review of an incident can identify…

A

Weak controls
Poor detection
Inappropriate or ineffective response
Lack of training of staff

56
Q

Interviewing operations staff and reviewing logs and trouble tickets may…

A

Indicate an unmitigated or recurring problem or trend within a system that may require remediation

57
Q

Logs should contain a record of all important events that occur on a system such as…

A
Changes to permissions
System start up or shut down
Login or logout
Changes to data
Errors or violations
Job failures
58
Q

A review of logs can identify…

A

Risk relevant events and can detect compliance violations, suspicious behaviors, errors, probes or scans, and abnormal activity

59
Q

It is a careful, methodical review of the security controls for a system with the intent of discovering any weaknesses or potential gaps in the control framework that could allow a successful attack

A

Vulnerability assessment

60
Q

Techniques for vulnerability assessments:

A

Social engineering
Physical security tests
Network probes and scans
Application vulnerability reviews

61
Q

Possible vulnerabilities

A

Unpatched systems
Buffer overflows
Susceptibility to injection attacks
Unlocked server rooms
Exposed cabling
Sensitive data left on unattended desks or screens
Open ports or services that are not required

62
Q

Can be used to validate the results of a vulnerability assessment and prove whether the controls and countermeasures used by the organization are working correctly

A

Penetration test

63
Q

The desired state of IT risk is closely linked to the

A

Risk acceptance level set by management

64
Q

Challenges of data analysis

A

Are all of the data available?
Have any of the data been altered or changed?
Are the data in the correct format?
Are the data based on measuring important factors?

65
Q

A predictive or diagnostic analytical tool that is used to explore the root causes or factors that contribute to positive or negative effects or outcomes and to identify potential risk

A

Cause and effect analysis

66
Q

A technique that provides a systematic description of the combination of possible occurrences in a system, which can result in an undesirable outcome (top-level event) and combines hardware failures and human failure

A

Fault tree analysis

67
Q

A quantitative risk analysis technique that helps to determine which risk factors potentially have the most impact and examines the extent to which the uncertainty of each element affects the object under consideration when all other elements are held at their baseline values

A

Sensitivity analysis

68
Q

Examines the nature of the threat and the potential threat scenarios

A

Threat modeling

69
Q

It is done by mapping the potential method, approaches, steps, and techniques used by an adversary to perpetrate an attack

A

Threat modeling

70
Q

Examines how a system will function and provide “use” for users

A

Use case modeling

71
Q

Looks at all possible errors, mistakes, or ways a system can be misused

A

Misuse case modeling

72
Q

Examines ways a system can be attacked and used for a purpose for which the system was never intended

A

Threat modeling

73
Q

A process of diagnosis to establish the origins of events which can be used for learning from consequences, typically from errors and problems

A

Root cause analysis

74
Q

A facilitated workshop where the group is told to pretend that the project has failed and then they are to discuss why it has failed

A

Pre-mortem

75
Q

Based on documenting the desired state or condition of risk that management wants to reach and then carefully analyzing and evaluating the current condition of the organization; identifies the current gap or difference between the desired and current state so that corrective action can be taken when necessary

A

Gap analysis

76
Q

It is a measure that determines how well the process is performing in enabling the goal to be reached; it is a good indicator of capabilities, practices, and skills

A

Key Performance Indicator (KPI)

77
Q

A good method of indicating a trend that may have the potential to result in a problem in the future

A

Key Risk Indicator (KRI)

78
Q

A measure that tells management, after the fact, whether an IT process has achieved its business requirements and is usually expressed in terms of information criteria

A

Key Goal Indicator (KGI)

79
Q

Two main methods of analyzing risk

A

Quantitative and Qualitative

80
Q

Based on numerical calculations, such as monetary values, and is most suitable for supporting cost-benefit analysis calculations because all IT risk can be compared to the cost of a control and the value of the benefit that the control would provide

A

Quantitative risk assessment

81
Q

Quantitative risk assessment is often based on the…

A

Calculation of the impact of a single risk event and on what the event would cost, including direct costs (loss of sales) and indirect costs (damage to reputation)

82
Q

One challenge with all risk assessment approaches is

A

The problem of forecasting the likelihood or frequency of a risk event

83
Q

To properly use data from a quantitative risk assessment

A

The cost of the risk is often calculated on an annual basis

84
Q

Based on scenarios or descriptions of situations that may have occurred or may occur

A

Qualitative Risk Assessment

85
Q

The development of scenarios may be based on

A

Threats
Vulnerabilities
Asset/impact

86
Q

Examines a risk event from the basis of what threat sources (threat agents) exist and the threats that can be launched against the organization

A

Threat-based scenario

87
Q

The threat-based scenario would

A

Identify the potential method of attack
The vulnerabilities exploited
The intent and skill of the attacker
The potential damage to the assets affected

88
Q

Examines the organization’s known vulnerabilities and attempts to determine the threats that could exploit those vulnerabilities and the impact

A

Vulnerability-based scenario approach

89
Q

Based on the identification of critical and sensitive assets and the potential ways that an asset could be damaged

A

Asset/impact approach

90
Q

Combines the value of qualitative and quantitative risk assessment

A

Semiquantitative risk assessment

91
Q

In the semiquantitative approach, the risk practitioner creates

A

A range of values used to assess risk

92
Q

It is derived from a combination of all the components of risk including the recognition of the threats and the characteristics and capabilities of a threat source, likelihood, vulnerabilities, severity of the vulnerability, likelihood of attack success and level of impact of a successful attack

A

Risk ranking

93
Q

OCTAVE

A

Operationally Critical Threat Asset and Vulnerability Evaluation

94
Q

This process-driven methodology is used to identify, prioritize, and manage information security risk

A

OCTAVE

95
Q

OCTAVE helps organizations:

A

Develop qualitative risk evaluation criteria based on operational risk tolerances
Identify assets that are critical to the mission of the organization
Identify vulnerabilities and threats to the critical assets
Determine and evaluate potential consequences to the organization if threats are realized
Initiate corrective actions to mitigate risk and create practice-based protection strategy

96
Q

It is a comprehensive, systematic, context-driven and self-directed evaluation approach

A

OCTAVE

97
Q

The OCTAVE process is based on three primary phases:

A
  1. Build asset-based threat profiles (organizational evaluation)
  2. Identify infrastructure vulnerabilities (technological evaluation)
  3. Develop security strategy and mitigation plans (strategy and plan development)
98
Q

When assessing risk, it is important to measure…

A

The capability and maturity of the risk management processes of the organization

99
Q

Key elements used to measure IT risk management capability:

A

Support of senior management
Regular communication between stakeholders
Existence of policy, procedures, and standards
Completion of a current BIA
Logging and monitoring of system activity
Regular review of logs
Scheduled risk assessments and reviews
Testing of BCPs and DRPs
Training of staff
Involvement of risk principles and personnel in IT projects
Gathering feedback from users and stakeholders
Validating the risk appetite and risk acceptance levels
Time to detect/resolve a security incident

100
Q

The impact of risk is a measure of the

A

Impact on the business

101
Q

The risk response would have to be chosen based on

A

Business-related considerations more than on IT factors

102
Q

IT management must play an active role in

A

Mitigating risk and supporting risk management activities

103
Q

It focuses on producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there

A

Enterprise Architecture (EA)

104
Q

What should the Enterprise Architecture answer? (4 questions)

A
  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting the benefits?
  4. Are we getting them well done?
105
Q

The risk associated with an IT system is a combination of

A

the risk associated with each element that makes up an IT system

106
Q

Examples of hardware

A
CPU
Motherboards
RAM
ROM
Networking components
Firewalls and gateways
Keyboards
Monitors
107
Q

Examples of risk associated with hardware

A
Outdated hardware
Poorly maintained hardware
Misconfigured hardware
Poor architecture
Lack of documentation
Lost, misplaced, or stolen hardware
Hardware that is not discarded in a secure manner
Sniffing or capturing traffic
Physical access
Hardware failure
Unauthorized hardware
108
Q

Software includes

A

applications, operating systems, utilities, drivers, middleware, application program interfaces (APIs), database management systems (DBMS) and network operating systems that manage data, interface between systems, provide a user interface to hardware, and process transactions on behalf of the user

109
Q

Risk associated with software

A
Logic flaws or semantic errors
Bugs (semantic errors)
Lack of patching
Lack of access control
Disclosure of sensitive information
Improper modification of information
Loss of source code
Lack of version control
Lack of input and output validation
110
Q

What is an operating system?

A

It is the core software that allows the user to interface with hardware and manages all system operations

111
Q

Risk associated with operating systems

A
Unpatched vulnerabilities
Poorly written code (buffer overflows, etc.)
Complexity
Misconfiguration
Weak access controls
Lack of interoperability
Uncontrolled changes
112
Q

IT management must play an active role in

A

Mitigating risk and supporting risk management activities

113
Q

It focuses on producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there

A

Enterprise Architecture (EA)

114
Q

What should the Enterprise Architecture answer? (4 questions)

A
  1. Are we doing the right things?
  2. Are we doing them the right way?
  3. Are we getting the benefits?
  4. Are we getting them well done?
115
Q

The risk associated with an IT system is a combination of

A

the risk associated with each element that makes up an IT system

116
Q

Examples of hardware

A
CPU
Motherboards
RAM
ROM
Networking components
Firewalls and gateways
Keyboards
Monitors
117
Q

Examples of risk associated with hardware

A
Outdated hardware
Poorly maintained hardware
Misconfigured hardware
Poor architecture
Lack of documentation
Lost, misplaced, or stolen hardware
Hardware that is not discarded in a secure manner
Sniffing or capturing traffic
Physical access
Hardware failure
Unauthorized hardware
118
Q

Software includes

A

applications, operating systems, utilities, drivers, middleware, application program interfaces (APIs), database management systems (DBMS) and network operating systems that manage data, interface between systems, provide a user interface to hardware, and process transactions on behalf of the user

119
Q

Risk associated with software

A
Logic flaws or semantic errors
Bugs (semantic errors)
Lack of patching
Lack of access control
Disclosure of sensitive information
Improper modification of information
Loss of source code
Lack of version control
Lack of input and output validation
120
Q

What is an operating system?

A

It is the core software that allows the user to interface with hardware and manages all system operations

121
Q

Risk associated with operating systems

A
Unpatched vulnerabilities
Poorly written code (buffer overflows, etc.)
Complexity
Misconfiguration
Weak access controls
Lack of interoperability
Uncontrolled changes
122
Q

What is an application?

A

The face of the information system and is the mechanism by which users can access information, perform transactions and use system features

123
Q

Risk associated with applications

A
Poor or no data validation
Exposure of sensitive data
Improper modification of data
Logic flaws
Lack of version control
Loss of source code
Weak or lack of access control
Lack of operability with other software
Back doors
Poor coding practices
124
Q

Utilities can include two separate areas of concern:

A
  1. environmental control
  2. those that support the use of system resources

125
Q

Environmental controls include:

A

power

heating, ventilation, and air conditioning systems (HVAC)

126
Q

Risks associated with environmental control utilities

A
Power interruptions
- Loss of power
- Surge
- Spikes
- Sags
- Brownouts
- Faults
- Generators are poorly maintained and outdated
HVAC
- Overheating
- Humidity problems
- Corrosion and condensation (high humidity)
- Static (low humidity)
- Clogged filters
- Lack of maintenance
Water
- Loss of water (needed for cooling systems)
- Health and safety issues
Secure operational areas
- Restricted access to server rooms
- Secure access to power supplies, generators, elevator shafts
127
Q

Risk associated with software utilities

A
Use of outdated drivers
Unavailability of drivers
Unpatched drivers
Use of insecure components
Unpatched vulnerabilities
128
Q

Samples of network devices

A
cabling
repeaters
switches
routers
firewalls
gateways
wireless access points
129
Q

What is a network?

A

A system of interconnected computers and the communication equipment used to connect them

130
Q

Uses of a network

A
transferring data between individuals
transferring data between applications
controlling and monitoring of remote equipment
backing up data 
enabling communication between devices
131
Q

When assessing network-based risk, risk associated with the following must be examined

A
network configuration and management
network equipment protection
the use of layered defense
suitable levels of redundancy
availability of bandwidth
use of encryption for transmitting data
encryption key management
use of certificates to support PKI
damage to cabling and network equipment
tapping network communications and eavesdropping on communications
choice of network architecture
documentation of network architecture
132
Q

Types of cabling

A

UTP
coaxial
fiber

133
Q

Concerns with regards to cabling

A

Physical security of cabling
Cable exceeded approved length of the cable runs
Protection from damage to cabling (conduit)
Use in an area of high radio frequency interference (may require shielding)
Use of cable that is not of suitable standard
Ensuring use of plenum-rated cable where required
Improper terminations of cable on connectors
Lack of cabling records

134
Q

What are repeaters?

A

Devices used to extend the length of a signal being transmitted over cable or wireless networks

135
Q

Advantage of a repeater

A

it can filter out some noise or errors that may be affecting traffic

136
Q

Risk with repeaters

A

ensuring that there are enough repeaters in use to provide a clean, error-free signal
a wireless repeater providing a strong signal into areas outside the perimeter of the organization’s facilities could allow unauthorized access

137
Q

What are switches?

A

they are used to connect devices together

138
Q

What can switches do?

A
forward packets to a destination
divide networks through configuration
perform routing functions
address translation and balancing
perform load balancing
139
Q

Risks associated with switches

A

Physical protection of the switch
Ensuring proper configuration of the switch
Documentation
Being a single point of failure

140
Q

What is the purpose of a router?

A

To connect multiple networks together and forward incoming packets in the direction of the destination IP address that is in the packet header

141
Q

What is the delay in processing called?

A

Latency

142
Q

What are the risks associated with routers?

A
Improper configuration
Use of weak protocols
Software bugs
Unpatched systems
Physical security
143
Q

What is a firewall?

A

A system or combination of systems that enforces a boundary between two or more networks

144
Q

A simple packet filtering router that examines individual packets and enforces rules based on addresses, protocols, and ports

A

First generation

145
Q

Keeps track of all connections in a state table. This allows it to enforce rules based on packets in the context of the communications session

A

Second generation

146
Q

Operates at layer seven and is able to examine the actual protocol being used for communications. This is much more sensitive to suspicious activity related to the content of the message itself

A

Third generation

147
Q

Sometimes called deep packet inspection and is an enhancement to the third generation firewalls and brings in the functionality of an intrusion prevention system

A

Next generation

148
Q

Firewall logs must be

A

reviewed regularly to detect any suspicious activity

149
Q

What is a proxy?

A

A proxy is a device that acts as an intermediary between two communicating parties.

150
Q

What is a Domain Name System?

A

It is a mechanism that makes the Internet work. It is a simple cross-reference used to associate a normal name with an IP address used by network devices

151
Q

Risks with DNS

A

False DNS replies
Cybersquatting
Exploiting the DNS

152
Q

What is the risk with wireless access points?

A

Unauthorized people are able to log in

Installation of rogue or unauthorized wireless access points

153
Q

How to address risks with wireless access points?

A

Segmenting the wireless access points in a location that is not subject to interference from other devices or near a window
Strong password requirements

154
Q

This topology connects every device onto one bus or communication path

A

Bus network topology

155
Q

What is the risk with a bus network topology?

A

A cut cable may result in total network failure and it is relatively easy to sniff a bus network

156
Q

What control can be used for a bus network topology?

A

Encrypted VPN must be used on cable modem Internet access

157
Q

In this topology, every device is connected to a central switch

A

Star topology

158
Q

What is the risk with the star topology?

A

The central switch is a single point of failure

159
Q

This topology is a series of star networks arranged with branches to other star networks in a tree-type structure

A

Tree network topology

160
Q

What is the risk with the tree network topology?

A

A cut link between the branches of the tree can cause isolation of that branch

161
Q

What is a ring network topology?

A

A ring connects every device into one ring and passes traffic from device to device around the ring

162
Q

What is a mesh network topology?

A

Many devices are connected to many other devices in a mesh, so that traffic can route around a failure in any part of the network

163
Q

What is a LAN?

A

A communication network that serves several users within a specified geographical area, such as a building or a department

164
Q

What is a WAN?

A

A computer network connecting different remote locations that may range from short distances, such as a floor or a building, to extremely long transmissions that encompass a large region or several countries

165
Q

What is a leased line?

A

A leased or rented line from a supplier provided for the sole use of the organization that leases the line. It is a private network.

166
Q

What is a packet-switching network?

A

This allows a communications network to be shared by multiple organizations, thereby reducing the cost considerably

167
Q

What is a microwave?

A

A line-of-sight technology where the sending and receiving stations need a clear line of sight between each other

168
Q

What is optical?

A

Similar to microwave but built on laser technology. Optical communication is also line of sight

169
Q

What is satellite communications?

A

It has enabled communications from remote areas where it was not previously possible to provide other forms of communications

170
Q

What is VPN?

A

It is a secure private network that uses the public telecommunications infrastructure.

171
Q

What are the risks in network implementation?

A

Risks related to:
the suitability of the network architecture
the proper configuration and management of the network devices
the ongoing monitoring of network performance

172
Q

What is the DMZ?

A

The area of the network that is accessible to outsiders through the Internet

173
Q

What is the extranet?

A

A network that is accessible to outsiders and used for trusted communications such as communicating with business partners

174
Q

What is UI (user interface)?

A

The way a user interfaces with an application or a system.

175
Q

What are risks to data management?

A

Lack of clear ownership
Improper data management/ data leakage
Compliance with data management policies and procedures

176
Q

What must the risk practitioner do regarding new threats and vulnerabilities?

A

Must ensure that new and emerging risk is identified and evaluated and that the organization is aware of and watching for new and emerging threats and vulnerabilities. The risk practitioner should work with the business and system owner to perform a threat analysis and determine if and how the organization should respond

177
Q

What must the risk practitioner do regarding emerging technologies?

A

To consider potential risk and controls for the application of these technologies that may present value to the organization

Assess and evaluate the approach of the organization to accepting new technologies and the attitude of the security team and IT operations toward reviewing and securing new technologies as they become available

178
Q

What must the risk practitioner do regarding industry trends?

A

Assess the maturity of the IT department and the organization as a whole toward monitoring and adapting to new market trends

179
Q

What are relevant contractual requirements for outsourcing?

A

Right to audit clauses
Security and BCP/DRP reviews
Staffing reviews
Regulatory reviews
Outsourcer and third-party affiliate reviews
Right to early termination
Security and continuity requirements
Service level agreements

180
Q

What are the reasons for failure of IT projects?

A

Unclear or changing requirements
Scope creep
Lack of budget
Lack of skilled resources
Problems with technology
Delays in delivery of supporting elements/ equipment
Unrealistic timelines
Lack of progress reporting

181
Q

Lack of good project management can lead to:

A

Loss of business
Loss of competitive advantage
Low morale among staff members
Inefficient processes
Lack of testing of new systems or changes to existing systems
Impact on other business operations
Failure to meet SLAs or contractual requirements
Failure to comply with laws and regulations

182
Q

What are the key tasks to be performed during the SDLC?

A

Security categorization of the system
BIA
Privacy impact assessment
Use of a secure information systems development policy
Awareness of vulnerabilities with selected technology or operational environment

183
Q

What is the purpose of BCPs and DRPs?

A

To enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities

184
Q

What is the first step in preparing a new BCP?

A

To identify business processes of strategic importance

185
Q

Based on the key processes, the risk assessment should identify the following:

A

The human resources, data and infrastructure elements, and other resources that support the key processes
A list of potential vulnerabilities - dangers and threats
The estimated probability of the occurrence of these threats
The efficiency and effectiveness of existing risk mitigation controls

186
Q

Business continuity planning is primarily the responsibility of

A

the senior management, because they are entrusted with safeguarding the assets and the viability of the organization

187
Q

Business continuity planning takes into consideration:

A

those critical operations that are necessary to the survival of the organization
the human/material resources supporting them

188
Q

Besides the plan for the continuity of operations, the BCP should also include

A

the DRP that is used to recover a facility rendered inoperable, including relocating operations
the restoration plan that is used to return operations to normality

189
Q

A single integrated plan ensures that:

A

there is proper coordination among various plan components
resources committed are used in the most effective way and there is reasonable confidence that the organization will survive a disruption

190
Q

Incident management starts with

A

the preparation and planning that build an incident response plan (IRP)

191
Q

The primary focus of incident management is

A

to get the organization’s affected systems and operations back into normal service as quickly as possible

192
Q

RTO

A

recovery time objective

193
Q

RPO

A

recovery point objective

194
Q

The recovery of critical business processes may be through an alternate process, including

A

manual process or outsourced support
having sufficient inventory on hand
using facilities available at another office or location
displacing less critical work with more critical functions

195
Q

The core source of data used in business continuity planning is a

A

BIA

196
Q

The BIA examines the

A

impact of an outage on the business over the length of time of the outage

197
Q

Disaster recovery planning is

A

the recovery of business and IT services following a disaster or incident within a predefined schedule and budget

198
Q

The risk practitioner should review the BCP/DRP to ensure that

A

they are up to date, reflect risk scenarios and business priorities, and have been tested

199
Q

Exceptions should only be allowed through a

A

documented, formal process that requires approval of the exception from a senior manager

200
Q

After an exception is no longer needed

A

the exception should be removed

201
Q

Who is tasked with making the decision of what the best response is to the identified risk?

A

Risk owner

202
Q

To ensure accountability, the ownership of risk must be

A

with an individual, not with a department or the organization as a whole

203
Q

The results of the risk assessment should be compiled into a

A

risk assessment report for submission to senior management