Personnel Security and Risk Management Concepts

Question 1

What is the first step in hiring

Answer 1

Job Description

Question 2

What is the purpose of job responsibilities

Answer 2

Defines work tasks and defines what a person should be responsible for

Question 3

Process of adding new employees to the org, having them review/sign employment agreements and policies, and receive training on employee operations/logistics.

Answer 3

Onboarding

Question 4

Why is it important to have a good IAM?

Answer 4

Identity and Access Management:

• provisions account
• assigns privileges
• assigns accesses

Question 5

Describe the principle of least privilege

Answer 5

Users should have the least amount of privilege required to do their job.

Question 6

What must happen when a user leaves their job and why?

Answer 6

Review NDA - it is the one legally binding document that safeguards against disclosure.

Question 7

Why enforce mandatory vacations?

Answer 7

Used as a peer review process

• verify privileges of employees
• attempt to detect fraud and abuse..

Question 8

What is UBA

Answer 8

User Behavior Analytics: analyze the behavior of users, visoitors, customers, etc. for some specific goal.

Question 9

When would you go through offboarding processes ie remove someone from IAM

Answer 9

Hire | Fire | Transfer

Question 10

What is a risk that exists when several entities or organizations are involved in a project?

Answer 10

Multiparty Risk

Question 11

Define SLA

Answer 11

Service Level Agreement: Ensure that organizations providing services maintain an appropriate level of service agreed on by both the service provider, vendor, or contractor and the customer organization.

Question 12

What is the type of risk response option that is used in the process of outsourcing

Answer 12

assignment/transferrence

Question 13

The detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating risk.

Answer 13

Risk Management

Question 14

Examination of the environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would occur.

Answer 14

Risk Assessment - probability

Question 15

Evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis

Answer 15

Risk Response - implementing countermeasures

Question 16

Asset

Answer 16

Anything used in business process or task - person, place, or thing, tangible or intangible.

Question 17

Asset valuation

Answer 17

the value assigned to an asset based on actual cost, use in critical processes, and even non-monetary expense such as time

Question 18

Threats

Answer 18

any POTENTIAL OCCURENCE that may cause an undesirable or unwanted outcome

Question 19

Threat agents

Answer 19

usually people but could be programs, hardware or systems

Question 20

Threat events

Answer 20

accidental occurences and intentional exploitations of vulnerabilities:
system failures
fires
flood 
earthquake 
human error
power outage

Question 21

Threat vector

Answer 21

means by which an attack or attacker can gain access to target in order to cause harm

Question 22

Vulnerability

Answer 22

weakness in asset or weakness of a safeguard
loophole
limitation
susceptibility

Question 23

Exposure

Answer 23

Being susceptible to asset loss because of risk

Question 24

Risk (math and definition)

Answer 24

possibility or likelihood that threat will exploit a vulnerability to cause harm to an asset and severity of damage.
Risk = threat * vuln
Risk = probability of harm * severity of harm

Question 25

Safeguard

Answer 25

security control, protection mechanism, countermeasure

Question 26

Attack

Answer 26

intentionally attempted exploitation of a vulnerability

Question 27

Breach

Answer 27

successful attack - intrusion or penetration beyond a security mechanism

Question 28

Asset-Based Valuation

Answer 28

Start with inventorying all organizational assets and valuing them based on tangible and intangible issues.

Question 29

Which method is preferred? Quantitative risk analysis or Qualitative risk analysis?

Answer 29

Neither - both methods are valuable to gain a balanced view of the security concerns.

Question 30

Qualitative Risk Analysis

Answer 30

Assign subjective and intangible values to the loss of an asset. (can be SUBJECTIVE)

Question 31

Quantitative Risk Analysis

Answer 31

Assign a real dollar figure to the loss of an asset-based on math calculations. (mostly OBJECTIVE)

Question 32

An anonymous feedback and response process used to enable a group to reach an anonymous consensus.

Answer 32

Delphi Technique

Question 33

Calc EF

Answer 33

Exposure Factor/ Loss potential

% loss that org would experience if the specific assets were violated by realized risk.

Question 34

Potential loss associated with a single realized threat against a specific asset.

Answer 34

SLE - Single loss expectancy

SLE = asset value AV * exposure factor EF

Question 35

What is the SLE of an asset valued at $300,000 that has an exposure factor of 30%

Answer 35

0.3*300,000 = $90,000

Question 36

The expected frequency with which a specific threat or risk will occur within a single year

Answer 36

The annualized rate of occurrence.

Question 37

The possible yearly loss of all instances of a specific realized threat against a specific asset.

Answer 37

Annualized Loss Expectancy
ALE = Single loss expectancy * Annual Rate of Occurrence

ALE = AV * EF * ARO

Question 38

What is ALE for $200,000 asset with an EF of 45% and an ARO of .67

Answer 38

$60,000

Question 39

Risk Mitigation

Answer 39

Reducing risk through the implementation of safeguards, security controls, and countermeasures. Ie deploying encryption and using firewalls.

Question 40

Risk Assignment

Answer 40

Outsourcing. Placing responsibility on outside entity or organization.

Question 41

Risk Deterrence

Answer 41

Implementing deterrents like auditing, security cameras, warning banners, security guards.

Question 42

Risk Avoidance

Answer 42

Selecting alternate options or activities that have less associated risk

Question 43

Risk Acceptance

Answer 43

After cost/benefit analysis, the decision is made to accept the risk but it must be well documented and signed by upper management

Question 44

Risk Rejection

Answer 44

Unacceptable. Ignoring risk by denying that it exists and hoping it goes away or that nothing happens. Negligence and could be illegal.

Question 45

Natural or native default risk that exists in an environment, system, or product prior to any risk management efforts. (starting risk)

Answer 45

Inherent Risk

Question 46

Risk after safeguards have been implemented.

Answer 46

Residual risk.

Total risk - controls gap = residual risk

Question 47

Amount of risk org would face without safeguards

Answer 47

Total risk.

Threats * Vulnerabilities * asset value = total risk

Question 48

Will a reduction in EF or a reduction in ARO reduce the SLE? ALE?

Answer 48

Only EF reduces SLE because SLE is the single loss expectancy whereas ARO is the annual rate of occurrence. SLE = AV * EF. Both reduce ALE because ALE = AV * EF * ARO.

Question 49

Original asset threat pair risk is ALE1 or ALE2?

Answer 49

ALE1

Question 50

Asset risk post safeguard is ALE1 or ALE2?

Answer 50

ALE2

Question 51

How do you calculate the value of the safeguard to the company?

Answer 51

ALE1 - ALE2 - ACS = value to company

ALE1: asset-threat pair without safeguard
ALE2: asset-threat pair post-safeguard
ACS: Annual cost of the safeguard

Question 52

What are the three categories of security controls in a defense-in-depth implementation

Answer 52

Physical, Logical/Technical, Administrative

Question 53

What category of security control are the policies and procedures defined by an organization’s security policy and other regulations or requirements?

Answer 53

Administrative Controls

Question 54

What category of security control involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems?

Answer 54

Technical or Logical Controls

Question 55

What category of security controls are focused on providing protection to the facility and real-world tangible objects?

Answer 55

Physical Controls

Question 56

Deployed to discourage security policy violations

Answer 56

Deterrent control

Question 57

Deployed to discover or detect unwanted or unauthorized activity

Answer 57

Detective control

Question 58

Deployed to provide various contingency options to other existing controls

Answer 58

Compensating control (ie having a backup place to go in the event of a fire or storing files in a backed-up location).

Question 59

Modification to the environment to return systems to normal after an unwanted or unauthorized activity occurs.

Answer 59

Corrective control

Question 60

Extension of corrective controls - restores resources or capabilities after a security policy violation.

Answer 60

Recovery control

Question 61

What can you perform to determine the effectiveness of the security mechanisms and evaluate the quality and thoroughness of the risk management processes of the organization and produce a report of the relative strengths and weaknesses of the deployed security infrastructure?

Answer 61

Security Controls Assessment (SCA)

Question 62

What framework assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process?

Answer 62

Risk Maturity Model (RMM)

Question 63

Within the risk maturity model RMM a chaotic starting point from which all organizations initiate risk management this level is called:___________?

Answer 63

Ad hoc

Question 64

Within the risk maturity model RMM when loose attempts are made to follow risk management processes but each department performs them independently, this step is called:___________?

Answer 64

Preliminary

Question 65

Within the risk maturity model RMM when risk management operations are merged into business processes, metrics are used to gather data, and risk is considered an element in business strategy decisions this level is called:___________?

Answer 65

Integrated

Question 66

Within the risk maturity model RMM when a common or standardized risk framework is adopted organization-wide, it is called:___________?

Answer 66

Defined

Question 67

Within the risk maturity model RMM when risk management focuses on achieving objectives rather than merely reacting to external threats, increased strategic planning is geared toward business success rather than just avoiding incidents; and lessons learned are reintegrated into the risk management process, this level is called:___________?

Answer 67

Optimized

Question 68

Can you continue to use a product that is at the end of life (EOL)? Why or why not?

Answer 68

It is ok to use a product that is at the EOL but it should be scheduled for replacement before it reaches end of support (EOS) or end of service life (EOSL).

Question 69

Can you continue to use a product that is at the end of life (EOSL)? Why or why not?

Answer 69

It is not good practice because the vendor will have terminated support so the business will be liable to maintain the equipment, service, and security of it.

Question 70

What are the five steps of the Cybersecurity Framework CSF?

Answer 70

Identify, Protect, Detect, Respond, Recover

Question 71

What are the six cyclical phases of the Risk management framework RMF?

Answer 71

Prepare to execute the RMF from an org and system level
Categorize system and info processed
Select controls
Implement controls
Assess controls
Authorize system or common controls
Monitor system and associated controls on ongoing basis

Question 72

A form of attack that exploits human nature and human behavior.

Answer 72

Social engineering

Question 73

A social engineering technique where the attacker attempts to convince the target that they are in a valid position of power within the organization such as spoofing the CEOs email.

Answer 73

Authority

Question 74

A social engineering technique where the attacker attempts to use authority, confidence, or even threat of harm to motivate the target to follow orders/instructions.

Answer 74

Intimidation

Question 75

A social engineering technique where the attacker takes advantage of a person’s natural tendency to mimic what others are doing or are perceived as having done in the past - an example is an attacker claiming that an out-of-office worker promised a large discount on a purchase.

Answer 75

Consensus

Question 76

A social engineering technique where the attacker attempts to convince the target that an object has a higher value based on limited opportunities to have it. For example they could claim that only a few tickets are left for a game.

Answer 76

Scarcity

Question 77

A social engineering technique where the attacker attempts to convince the target that they have a common contact or relationship with the target such as mutual friends, experiences, or another work contact.

Answer 77

Familiarity

Question 78

A social engineering technique where the attacker works to develop a relationship with the victim that they can exploit.

Answer 78

Trust

Question 79

A social engineering technique where the attacker tries to relay a need to act quickly (usually dovetails well with scarcity). For example, an attacker may ask for an invoice to be paid immediately or else an essential business service will be shut off.

Answer 79

Urgency

Question 80

Social engineering attacks focused on stealing credentials or identity information from the target.

Answer 80

Phishing

Question 81

A more targeted form of stealing credentials or identity information from the targets by using a stole customer database or some other address book of potential victims.

Answer 81

Spearphishing

Question 82

What is a good way to defend against spearphishing

Answer 82

Establish a secondary out of band contact with the requester.

Question 83

A form of phishing that targets high value individuals such as someone from the C-suite.

Answer 83

Whaling

Question 84

What is Smishing?

Answer 84

Phishing over SMS text message

Question 85

What is Vishing?

Answer 85

Phishing over voice communication systems

Question 86

What are some risk factors to shoulder surfing?

Answer 86

Having your computer face outside
Working on sensitive data in a public space
Keeping worker groups together

Question 87

What is it called when an attacker attempts to steal funds from an organization by providing a false bill for a service?

Answer 87

Invoice Scam

Question 88

What is it called when lies are perpetuated throughout an organization about how to protect yourself from some imminent threat.

Answer 88

Hoax

Question 89

Taking on the identity of someone else is known as?

Answer 89

Impersonation/Masquerading

Question 90

When an attacker follows closely behind a worker WITHOUT THEIR KNOWLEDGE who uses valid credentials to gain entry to a locked space this is known as?

Answer 90

Tailgating
Vestibules
Security Guards/cameras
Company policy

Question 91

When an attacker follows closely behind a worker who uses valid credentials to gain entry to a locked space and asks them to hold the door this is known as?

Answer 91

Piggybacking

Access control vestibules mitigate this

Question 92

How can you mitigate dumpster diving?

Answer 92

shred information

storage media securely disposed

Question 93

What is the difference between identity fraud and identity theft

Answer 93

Theft is the act of stealing someone’s credentials and taking over their accounts.

Fraud is falsely claiming to be the individual after the information has been stolen.

Question 94

When an attacker redirects traffic by taking advantage of the fact that someone may have incorrectly typed an IP address or URL.

Answer 94

Typo Squatting

Question 95

When an attacker collects information about an individual and publically releases the data for the purpose of changing public perception of the target this is called__________?

Answer 95

Doxing

Question 96

What is the type of cyber warfare that nation-states engage in when they employ a number of offensive cyber attacks in tandem?

Answer 96

Hybrid Warfare

Question 97

What is the best way to limit exposure to risk from social media sites?

Answer 97

Block the sites or filter domain name system queries.

Question 98

What is the difference between education and training?

Answer 98

Training is internally developed with specificities to the organization whereas education is often externally coordinated and students learn much more than they actually need to know to perform work tasks. It might involve getting a certification.