Managing Risk Flashcards
An organization has purchased fire insurance to manage the risk of a potential fire. What method are they using?
A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk mitigation
E. Risk transference
E. Purchasing insurance is a common method of risk transference. Organizations often accept a risk when the cost of the control exceeds the cost of the risk. An organization can avoid a risk by not providing a service or not participating in a risky activity. Risk deterrence attempts to discourage attacks with preventative controls such as a security guard. Risk mitigation reduces risks through internal controls.
What is included in a risk assessment? (Choose three.)
A. Threats
B. Vulnerabilities
C. Asset values
D. Recommendations to eliminate risk
A, B, C. A risk assessment identifies assets, asset values, threats, and vulnerabilities. It prioritizes the results and makes recommendations on what controls to implement. Risk cannot be eliminated.
Which of the following statements are true regarding risk assessments? (Choose two.)
A. A quantitative risk assessment uses hard numbers.
B. A qualitative risk assessment uses hard numbers.
C. A qualitative risk assessment uses a subjective ranking.
D. A quantitative risk assessment uses a subjective ranking.
A, C. A quantitative risk assessment uses hard numbers (such as costs) and a qualitative risk assessment uses a subjective ranking based on judgments. A qualitative risk assessment does not use hard numbers and a quantitative risk assessment does not use subjective rankings.
A security professional is performing a qualitative risk analysis. Of the following choices, what is most likely to be used in the assessment?
A. Cost
B. Judgment
C. ALE
D. Hard numbers
B. A qualitative risk assessment uses judgment to categorize risks based on probability and impact. A quantitative risk assessment uses hard numbers such as costs and asset values. A quantitative risk assessment uses annual loss expectancy (ALE).
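The two assessment styles side by side, as an added example (not code from the study guide): the quantitative path ranks risks by annual loss expectancy and decides whether a control pays for itself, the qualitative path ranks by a subjective probability-times-impact score. The SLE and ARO terms used to compute ALE are the standard textbook definitions and are assumed here rather than taken from this page; all figures and asset names are constructed.

```python
from dataclasses import dataclass

# Added example, not the study guide's code. Assumed standard definitions:
#   SLE = single loss expectancy (cost of one occurrence)
#   ARO = annualized rate of occurrence (expected occurrences per year)
#   ALE = SLE * ARO
# All assets, threats and figures below are constructed.

@dataclass
class QuantRisk:
    asset: str
    threat: str
    sle: float   # cost of a single loss, in currency units
    aro: float   # expected occurrences per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro

def rank_quantitative(risks):
    """Prioritised output of a quantitative assessment: highest ALE first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

# Qualitative scale: ordinal judgments, not hard numbers.
LEVELS = {"low": 1, "medium": 2, "high": 3}

def qualitative_score(probability: str, impact: str) -> int:
    """Subjective probability x impact ranking (1..9); raises KeyError on an unknown label."""
    return LEVELS[probability.lower()] * LEVELS[impact.lower()]

def rank_qualitative(entries):
    """entries: iterable of (asset, probability, impact) -> [(score, asset)], highest first."""
    scored = [(qualitative_score(p, i), asset) for asset, p, i in entries]
    return sorted(scored, key=lambda t: (-t[0], t[1]))

def control_decision(ale_before: float, ale_after: float, annual_control_cost: float) -> str:
    """Accept the risk when the control costs more per year than the loss it prevents,
    otherwise mitigate. A control that reduces nothing is never worth buying."""
    risk_reduction = ale_before - ale_after
    if risk_reduction <= 0:
        return "accept"
    return "mitigate" if annual_control_cost <= risk_reduction else "accept"

if __name__ == "__main__":
    risks = [
        QuantRisk("web server", "defacement", sle=20_000, aro=0.5),
        QuantRisk("file server", "ransomware", sle=150_000, aro=0.1),
        QuantRisk("laptop fleet", "device theft", sle=2_000, aro=4),
    ]
    for r in rank_quantitative(risks):
        print(f"{r.asset:12} {r.threat:12} ALE={r.ale:,.0f}")
    print(control_decision(ale_before=15_000, ale_after=3_000, annual_control_cost=8_000))
    print(rank_qualitative([("HR database", "low", "high"),
                            ("intranet wiki", "high", "low"),
                            ("payroll", "high", "high")]))
```

Note that the quantitative ranking changes when the inputs change by a few percent, while the qualitative one only moves when someone's judgment moves a whole level; that is the trade-off between precision and the effort of collecting defensible numbers.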
An organization recently completed a risk assessment. Who should be granted access to the report?
A. All employees
B. Security professionals only
C. Executive management only
D. Security professionals and executive management
Gibson, Darril (2011-11-10). CompTIA Security+:
D. Executive management needs access to the report to approve controls, and security professionals need access to the report to implement the controls. The report contains sensitive data (asset values, threats, and known vulnerabilities) and should not be released to all employees.
A security administrator is performing a vulnerability assessment. Which of the following actions would be included?
A. Implement a password policy
B. Delete unused accounts
C. Organize data based on severity and asset value
D. Remove system rights for users that don’t need them
C. The output of a vulnerability assessment is organized by the severity of the vulnerabilities and the value of the assets they could affect. A vulnerability assessment checks for the existence of security controls such as a password policy, and it can include a user rights and access review to identify unused accounts or accounts with unneeded permissions. However, the assessment identifies these issues; it does not make changes such as implementing a policy, deleting accounts, or removing rights.
An organization has released an application. Of the following choices, what is the most thorough way to discover vulnerabilities with the application?
A. Fuzzing
B. OVAL comparison
C. Rainbow table
D. Code review
D. A code review is a line-by-line examination of the source code to discover vulnerabilities and is the most thorough of the choices. Fuzzing sends random or malformed data to an application to identify vulnerabilities, but it generally finds only the problems that make the application crash or misbehave on bad input, so it isn't as thorough as a code review. The Open Vulnerability and Assessment Language (OVAL) is a standard language for describing system configuration and vulnerability checks so that scanners can run them consistently; it compares a system against known issues but doesn't discover new ones in an application. A rainbow table is a lookup table used to crack weak passwords.
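What "fuzzing finds simple problems" looks like in practice, as an added example that is not from the study guide: a small parser with a length-trust bug, and a mutation fuzzer that feeds it corrupted inputs and records which exception types it can trigger. The record format, the parser and its bug are constructed for illustration.

```python
import random

# Added example, not the study guide's code. The record format and the buggy
# parser are constructed; nothing here refers to a real application.

def parse_record(data: bytes) -> dict:
    """Parse a constructed record: 1-byte name length, name bytes, 1-byte flag.
    Deliberately trusts the declared length, so malformed input raises."""
    name_len = data[0]                 # IndexError on empty input
    name = data[1:1 + name_len]
    flag = data[1 + name_len]          # IndexError if the declared length overruns the buffer
    return {"name": name.decode("ascii"), "flag": flag}   # UnicodeDecodeError on non-ASCII

def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, truncate, or append junk."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.extend(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)

def fuzz(target, seed_input: bytes, iterations: int = 200, seed: int = 7) -> dict:
    """Feed mutated inputs to target; keep one reproducing input per exception type.
    Any unhandled exception counts as a crash, which is all a fuzzer can observe."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            target(candidate)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes

if __name__ == "__main__":
    for exc_name, sample in fuzz(parse_record, b"\x05hello\x01").items():
        print(f"{exc_name}: {sample!r}")
```

The fuzzer only sees crashes. A logic flaw that returns the wrong answer without raising (the kind a line-by-line review catches) goes unnoticed unless the harness also checks the parser's output against a specification.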
You are trying to determine what systems on your network are most susceptible to an attack. What tool would you use?
A. Port scanner
B. SQL injection
C. Header manipulation
D. Vulnerability scanner
D. A vulnerability scanner can scan systems for vulnerabilities and determine which ones are most susceptible to an attack. A port scanner scans a system for open ports and helps identify what services are running, but it does not assess whether those services are vulnerable. SQL injection is a specific attack against applications that build database queries from user input, so it would not check all systems. Attackers can manipulate packet or HTTP headers for specific attacks, but this isn't a tool for assessing susceptibility across a network.
A security administrator used a tool to discover security issues but did not exploit them. What best describes this action?
A. Penetration test
B. Vulnerability scan
C. Protocol analysis
D. Port scan
B. A vulnerability scan attempts to discover vulnerabilities but does not exploit them. A penetration test actively tests security controls by trying to exploit vulnerabilities. A protocol analyzer can capture and analyze IP packets but isn’t as useful as a vulnerability scanner to discover security issues. A port scanner will identify open ports but won’t identify security issues.
An administrator needs to test the security of a network without affecting normal operations. What can the administrator use?
A. Internal penetration test
B. External penetration test
C. Vulnerability scanner
D. Protocol analyzer
C. A vulnerability scanner will test the security of the network without affecting users, provided it is run in its non-intrusive mode; aggressive scan options can still disrupt fragile devices, so scans are usually scheduled and scoped. A penetration test (external or internal) is active and can affect users. A protocol analyzer can capture and analyze IP packets but won't test the security of a network.
A security administrator wants to scan the network for a wide range of potential security and configuration issues. What tool provides this service?
A. Fuzzer
B. Protocol analyzer
C. Port scanner
D. Vulnerability scanner
D. A vulnerability scanner is a management control that can identify a wide range of security and configuration issues. A fuzzer is an active tool that sends random data to a system and can potentially result in an outage. A protocol analyzer can capture and analyze IP packets, and a port scanner can identify open ports. However, the question is asking for a tool that can scan the network for a wide range of issues, and vulnerability scanners can do more than either a protocol analyzer or a port scanner.
Which of the following tools can perform a port scan? (Choose all that apply.)
A. Nmap
B. Netcat
C. Wireshark
D. Netstat
A, B. Nmap and Netcat are two tools that can perform port scans; Nmap can also run scripted checks for some known vulnerabilities. Wireshark is a protocol analyzer that passively captures traffic and can view headers and clear-text contents in IP packets. Netstat is a command-line tool that lists the listening ports and open connections on the local host only; it does not probe other systems.
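The difference between the port scanner, the vulnerability scanner, and the penetration test in the questions above, as an added example that is not code from the study guide or from any of the tools it names: a TCP connect scan that reports open ports and the banner each one sends, and a scan layer on top that matches banners against a signature table and reports findings without exploiting anything. The "service" is a fake banner server started on loopback so the example runs offline, and the vulnerable-banner table is constructed, not a real signature database.

```python
import socket
import threading

# Added example, not code from the study guide or from Nmap/Netcat.
# The listener, banner and KNOWN_ISSUES table are all constructed.

def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral loopback port, send `banner` to each client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def free_closed_port() -> int:
    """Pick a loopback port nothing listens on (bind, read the number, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def port_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: map each open port to the banner it sends (b'' if silent).
    This is the port-scanner step: find listeners and hint at the service behind them."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue                    # closed or filtered
            try:
                found[port] = s.recv(256)
            except OSError:
                found[port] = b""
    return found

# Constructed banner signatures standing in for a scanner's vulnerability database.
KNOWN_ISSUES = {
    b"ExampleFTP 1.0": "anonymous login enabled by default (constructed finding)",
}

def vulnerability_scan(host: str, ports, timeout: float = 0.5) -> list:
    """Port-scan, then match banners against signatures. Reports findings; never exploits them.
    A penetration test would take the next step and try the anonymous login."""
    findings = []
    for port, banner in port_scan(host, ports, timeout).items():
        for signature, issue in KNOWN_ISSUES.items():
            if banner.startswith(signature):
                findings.append({"port": port,
                                 "banner": banner.decode(errors="replace").strip(),
                                 "issue": issue})
    return findings

if __name__ == "__main__":
    p = start_fake_service(b"ExampleFTP 1.0\r\n")
    print(port_scan("127.0.0.1", [p, free_closed_port()]))
    print(vulnerability_scan("127.0.0.1", [p]))
```

Banner matching is also why vulnerability scanners produce false positives: a patched service that still reports its old version string will be flagged, and only a penetration test or a manual check settles it.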
A security professional is performing a penetration test on a system. Of the following choices, what identifies the best description of what this will accomplish?
A. Passively detect vulnerabilities
B. Actively assess security controls
C. Identify lack of security controls
D. Identify common misconfiguration
B. A penetration test will actively assess or test security controls. A vulnerability scan is passive and detects vulnerabilities, identifies a lack of security controls, and identifies common misconfigurations but it stops there. Further, the three incorrect answers are specifically listed under vulnerability scanning in the objectives. While a penetration test starts with a passive vulnerability scan, it goes a step further to actively test the controls.
An organization is hiring a security firm to perform vulnerability testing. What should it define before the testing?
A. Rules of engagement
B. Information given to the black box testers
C. Vulnerabilities
D. Existing security controls
A. A rules-of-engagement document identifies boundaries of a test and expectations of the testers, and it provides consent for the testers to perform the test. Black box testers are not given any knowledge prior to the test. The test will help identify vulnerabilities so these aren’t defined before the test. It’s not required to tell the testers what security controls are in place.
An organization wants to test how well employees can respond to a compromised system. Of the following choices, what identifies the best choice to test the response?
A. Vulnerability scan
B. White hat test
C. Black hat test
D. Penetration test
D. A penetration test will exploit vulnerabilities and will test employees’ ability to respond to a compromised system. A vulnerability scan will identify vulnerabilities but not exploit them, so employees won’t need to respond. White hat refers to a security professional working within the law, and black hat refers to a malicious attacker, but these aren’t tests. Black box testing, white box testing, and gray box testing (not included in the answers) are forms of penetration testing.