Domain 3 - Risk Identification, Monitoring, and Analysis

Question 1

Risk

Answer 1

A function of the likelihood of a given threat source’s exercising a potential vulnerability, and the resulting impact of that adverse event on the organization.

Question 2

NIST 800-30 R1

Answer 2

Risk Management Guide for Information Systems

Question 3

Likelihood

Answer 3

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

Question 4

Threat Source

Answer 4

Either intent and method targeted at the intentional exploitation of a vulnerability or a situation or method that may accidentally trigger a vulnerability.

Question 5

Threat

Answer 5

The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Question 6

Vulnerability

Answer 6

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy.

Question 7

Impact

Answer 7

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.

Question 8

Asset

Answer 8

Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.

Question 9

Risk Management

Answer 9

Process of identifying risks, assessing their potential impacts to the organization, determining the likelihood of their occurrence, communicating findings to management and other affected parties, and developing and implementing risk mitigation strategies to reduce risks to levels that are acceptable to the organization.

Question 10

Risk Assessments

Answer 10

Assess threats to Information Systems, system vulnerabilities, and weaknesses, and the likelihood that threats will exploit these vulnerabilities and weaknesses to cause adverse effects.

Question 11

NIST Risk Assessment Process

Answer 11

Step 1: Prepare for Assessment
Step 2: Conduct Assessment
Step 3: Communicate Results
Step 4: Maintain Assessment

Question 12

Threat Statement

Answer 12

Given after the threat identification process, and lists potential threat sources that could exploit system vulnerabilities.

Question 13

NIST Risk Assessment: Conduct Assessment Step

Answer 13

1. Identify Threat Sources and Events
2. Identify Vulnerabilities and Predisposing Conditions
3. Determine Likelihood of Occurrence
4. Determine Magnitude of Impact
5. Determine Risk

Question 14

SLE

Answer 14

Single Loss Expectancy

Represents the expected monetary loss to an organization from a threat to an asset.

Question 15

ALE

Answer 15

Annualized Loss Expectancy

Expected annual loss because of a risk to a specific asset.

Question 16

ARO

Answer 16

Annualized Rate of Occurrence

Expected number of exploitations by a specific threat of a vulnerability to an asset in a given year.

Question 17

SLE Formula

Answer 17

SLE = Asset Value x Exposure Factor

Question 18

ALE Formula

Answer 18

ALE = SLE x ARO

Question 19

Quantitative Assessment vs Qualitative Assessment

Answer 19

Quantitative = Dollar Value

Qualitative = Non Dollar Value (Customer Confidence, public relations…)

Question 20

Goal of Risk Treatment

Answer 20

Reduce risk exposure to levels that are acceptable to the organization.

Question 21

Risk Treatment Strategies

Answer 21

Risk Mitigation
Risk Transference
Risk Avoidance
Risk Acceptance

Question 22

What are the 3 categories of control?

Answer 22

Technical
Managerial
Operational

Question 23

Residual Risk

Answer 23

Risk that remains after the risk reduction and mitigation efforts are complete.

Question 24

Ways to treat Residual Risk?

Answer 24

Transfer, Avoidance, Acceptance

Question 25

Most common Risk Transference?

Answer 25

3rd Party Insurance

Question 26

Risk Register

Answer 26

Location where Risk is Aggregated.

Way for an organization to know their possible exposure at a given time.

Question 27

Step the Risk Register addresses Risk Management

Answer 27

1. Identifying the Risk
2. Evaluating the severity of any identified risks
3. Applying possible solutions to those risks.
4. Monitoring and analyzing the effectiveness of any subsequent steps taken.

Question 28

Security Audit

Answer 28

Evaluation of how well the objectives of a security framework are met.

Question 29

Security Audits Serve what two purposes for the security practitioner?

Answer 29

1. Point out areas where security controls are lacking, policy isn’t being enforced, or ambiguity exists.
2. Emphasize security things that are being done right.

Question 30

OS Fingerprinting

Answer 30

Process where a scanner can determine the OS of the host by analyzing the TCP/IP stack flag settings.

Question 31

Stimulus & Response Algorithms

Answer 31

Identify application software versions and then reference these versions with known vulnerabilities.

Question 32

Privileged Logon Ability

Answer 32

The ability to automatically log onto a host or group of hosts with user credentials for a deeper look.

Question 33

Main Problems with VA Scanning?

Answer 33

1. False Positives
2. Crash Exposure
3. Temporal Information

Question 34

3 Categories of Insecure Services

Answer 34

1. Send Authentication information unencrypted.
2. Send Data unencrypted.
3. SMTP sending mail data in the clear that is NOT secured by an application.

Question 35

War Dialing

Answer 35

Attempts to locate unauthorized modems connected to computers that are connected to networks.

Question 36

War Driving

Answer 36

Wireless version of War Dialing

Question 37

5 Phases of a Pen Test

Answer 37

1. Prep
2. Information Gathering
3. Information Evaluation and Risk Analysis
4. Active Penetration.
5. Analysis and Reporting

Question 38

3 Modes of Pen Testing

Answer 38

1. White Box - Tester has complete knowledge
2. Grey Box - Hybrid between White and Black
3. Black Box - Assumes no prior knowledge.

Question 39

Zone Transfer

Answer 39

Special Type of Query directed at a DNS server that asks the server for the entire contents of its zone.