L10 - Risk Analysis and Information Security Strategy

Question 1

What is risk management?

Answer 1

The main goal is to develop and implement information security strategies, which in turn reduce the risk to an acceptable level.

Question 2

What is risk analysis?

Answer 2

The process by which the goals of risk management are acheived.

Question 3

How does risk analysis work?

Answer 3

It:
* Examines an environment for risks
* evaluate how likely a threat event is to occur
* evaluate the cost to assets if the thread were to occur
* assessing the cost of various countermeasures for each risk
* Create a cost/benefit report for safeguard to present to management.

Question 4

Risk terminology

What is an asset?

Answer 4

It’s a system resource or cability of value to it’s owner which should be protected.

Question 5

Risk terminology

What is asset valuation?

Answer 5

The monetary value of an asset based on the actual cost (e.g replacement cost) and nonmonetary expense.

Question 6

Risk terminology

What is a threat?

Answer 6

a potential threat source to exploit a vulnerability in an asset, in turn if it occurs it may compromise security of said asset and cause its owner harm.

Question 7

Risk terminology

What is vulnerability?

Answer 7

A flaw or a weakness in an asset, it could be in it’s design, implementation, operation or management.

Question 8

Risk terminology

What is exposure?

Answer 8

It’s how likely it is that a vulnerability can or will be exploited by a threat agent or event.

Question 9

Risk terminology

What is risk?

Answer 9

It’s the potential loss a owner would suffer due to a threat exploiting a vulnerability. And the magnitude this consequence would have on an assets owner.

Question 10

Risk terminology

What is safeguards?

Also called countermeasure

Answer 10

is anything that would remove or reduce a vulnerability or protect against one or more specific threats.

Question 11

What is asset identification?

Answer 11

An asset is anything that needs protection, to identify such an asset drawing expertise from people in relevant areas of the organization is the way to go.

Question 12

What is thread identification?

Answer 12

It’s the creation of an exhaustive list of all possible threats, which could be:
* Viruses
* Misuse of data
* malicious hackers
* criminal activities
* disgruntled employees.
* etc.

Question 13

What is vulnerability identification?

Answer 13

It’s the process of identifying exploitable flaws or weaknesses in organizations IT-systems or processes.
It’s outcome should be a list of threats and vulnerabilities of how and why they might occur.

Question 14

What is the difference between qualitative and quantitative risk analysis?

Answer 14

• Quantitative: values from the mathematical domain like the probaility space. It can be performed by assigning monetary values and probabilities to threats and assets.
• Qualitative: values aren’t from the domain of mathematics, instead risk is calculated based on rules that capute the consolidated advice of security experts.

Question 15

How is a risk calculated?

Answer 15

the risk is calculated based on the monetary value of the asset and the probaility of the likelhood that a threat would occur.

Only applies to quantitative risk analysis.

Question 16

What are the 5 risk treatment alternatives?

Answer 16

• Risk acceptance
• Risk avoidance
• Risk tranfer
• Reduce consequence
• Reduce likelyhood

Question 17

Risk treatment alternatives

What is risk acceptance?

Answer 17

Chosing to accept a risk level greater than normal for business reasons.

Question 18

Risk treatment alternatives

What is risk avoidance?

Answer 18

Not proceeding with the activity or system that creates a specific risk.

Question 19

Risk treatment alternatives

What is risk transfer?

Answer 19

Sharing a responsibility for the risk with a 3rd party.

Question 20

Risk treatment alternatives

What is reduce consequence?

Answer 20

Altering the structure or the use of the asset at risk in order to reduce the impact on the organization should that risk occur.

Question 21

Risk treatment alternatives

What is reduce likelyhood?

Answer 21

Implement suitable controls to lower the change of the vulnerability being exploited.

Question 22

What is an attack surface?

Answer 22

It’s the reachable and exploitable vulnerabilities in a system.

Question 23

What are the 3 attack surface categories?

Answer 23

• Network attack surface
• Software attack surface
• Human attack surface

Question 24

Attack surface categories

What is the network attack surface?

Answer 24

It’s the vulnerabilities over an enterprise network, wide-are network or the internet.

Question 25

Attack surface categories

What is the software attack surface?

Answer 25

It’s the vulnerabilities in application, utility, or operating system code.

Question 26

Attack surface categories

What is the human attack surface?

Answer 26

It’s the vulnerabilities created by personell or outsiders, such as social engineering, human error and trusted insiders.

Question 27

What are the 3 control types?

Answer 27

• Physical controls
• Administrative controls
• Technical controls

Question 28

The 3 control types

What does the physical control contain?

Answer 28

• Facility protection
• Security guards
• Locks
• Monitoring
• Environmental controls
• Intrusion detection

Question 29

The 3 control types

What does the administrative control contain?

Answer 29

• Policies
• Standards
• Procedures and practice
• Personnel screening
• Awareness training

Question 30

The 3 control types

What does the technical control contain?

Answer 30

• Logical access control
• Cryptographic controls
• Security devices
• User authentication
• Intrusion detection
• Forensics

Question 31

What is defense in depth?

also layered security

Answer 31

it’s a principle that is characterized by the use of multiple different defense mechanism. With the goal of improving defensive response to an attack.

Question 32

How is defense in depth related to to attack surfaces?

Answer 32

• If the attack surface is large, and the defence is shallow the security risk is hich
• And the oposite creates a low security risk.

Question 33

What are the 3 common security strategies?

Answer 33

• Preventation
• Detection
• Reaction

Question 34

The 3 common security strategies?

What is the prevention strategy?

Answer 34

Take measures that prevent your assets from being damaged.

Question 35

The 3 common security strategies?

What is the detection strategy?

Answer 35

take measures so that you can detect, when, how and by whom an asset has been damaged.

Question 36

The 3 common security strategies?

What is the reaction strategy?

Answer 36

take measures so that you recover your assets or recover from damage to your assets.

Question 37

What are security goals?

Answer 37

it’s the goal of preventing unauthorized individuals from interfere with CIA, authenticity and accountability.

Question 38

Security goals

What are suitable controls for C in CIA?

Answer 38

• Encryption
• Access control
• Perimeter defense

Question 39

Security goals

What are suitable controls for I in CIA?

Answer 39

• Cryptographis integrity check (hashing)
• Access control
• Perimeter defense
• Audit
• Verification of systems and applications.

Question 40

Security goals

What are suitable controls for A in CIA?

Answer 40

• Redundancy of resources
• Traffic filtering
• Incident recovery
• International collaboration and policing.

Question 41

What are security control states?

Answer 41

Information is considered to be in one of three possible states.
* During storage
* During transmission
* During processing (use)

All states are considered to be in need of protection.