Questions D3 Risk Identification, Monitoring and Analysis Flashcards
HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?
A. Risk mitigation
B. Risk acceptance
C. Risk transference
D. Risk avoidance
D. Risk avoidance
Explanation
HAL Systems decided to stop offering the service because of the risk. This is an example of a risk avoidance strategy. The company altered its operations in a manner that eliminates the risk of NTP misuse.
Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system’s security settings. Where would he most likely find this information?
A. Change log
B. System log
C. Security log
D. Application log
A. Change log
Explanation
The change log contains information about approved changes and the change management process. While other logs may contain details about the change’s effect, the audit trail for change management would be found in the change log.
Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute‐force tool
C. A fuzzer
D. A static analysis tool
C. A fuzzer
Explanation
Fuzzers are tools that are designed to provide invalid or unexpected input to applications, testing for vulnerabilities like format string vulnerabilities, buffer overflow issues, and other problems. Static analysis relies on examining code without running the application and thus would not fill forms in a web application. Brute‐force tools attempt to bypass security by trying every possible combination for passwords or other values. A black box is a type of penetration test where the testers do not know anything about the environment.
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.
Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing’s data center?
A. 10 percent
B. 25 percent
C. 50 percent
D. 75 percent
C. 50 percent
Explanation
EF = amount of damage ($5 million) / asset value ($10 million) = 0.5
The exposure factor is the percentage of the facility that risk managers expect will be damaged if a risk materializes. It is calculated by dividing the amount of damage by the asset value. In this case, that is $5 million in damage divided by the $10 million facility value, or 50 percent.
Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort’s main data center is located in northern Indiana in an area that is prone to tornados. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.
Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood’s facility lies in an area where they are likely to experience a tornado once every 200 years.
Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing’s data center?
A. $25,000
B. $50,000
C. $250,000
D. $500,000
A. $25,000
Explanation
The annualized loss expectancy is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, the SLE is $5,000,000, and the ARO is 0.005. Multiplying these numbers together gives you the ALE of $25,000.
Which NIST special publication covers the assessment of security and privacy controls?
A. 800‐12
B. 800‐53A
C. 800‐34
D. 800‐86
B. 800‐53A
Explanation
NIST SP 800‐53A is titled “Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans” and covers methods for assessing and measuring controls.
NIST 800‐12 is an introduction to computer security, 800‐34 covers contingency planning, and 800‐86 is the “Guide to Integrating Forensic Techniques into Incident Response.”
What term describes software testing that is intended to uncover new bugs introduced by patches or configuration changes?
A. Nonregression testing
B. Evolution testing
C. Smoke testing
D. Regression testing
D. Regression testing
Explanation
Regression testing, which is a type of functional or unit testing, tests to ensure that changes have not introduced new issues.
Nonregression testing checks to see whether a change has had the effect it was supposed to.
Smoke testing focuses on simple problems with impact on critical functionality.
Evolution testing is not a software testing technique.
Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
C. Risk mitigation
Explanation
Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.
During a port scan, Lauren found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. sqlmap
B. Nikto
Explanation
TCP port 443 normally indicates an HTTPS server. Nikto is useful for vulnerability scanning web servers and applications and is the best choice listed for a web server.
Metasploit includes some scanning functionality but is not a purpose‐built tool for vulnerability scanning. zzuf is a fuzzing tool and isn’t relevant for vulnerability scans, whereas sqlmap is a SQL injection testing tool.
What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP)
A. Syslog
Explanation
Syslog is a widely used protocol for event and message logging. Eventlog, netlog, and Remote Log Protocol are all made‐up terms.
Which of the following is a method used to design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing
D. Mutation testing
Explanation
Mutation testing modifies a program in small ways and then tests that mutant to determine whether it behaves as it should or whether it fails. This technique is used to design and test software tests through mutation. Static code analysis and regression testing are both means of testing code, whereas code auditing is an analysis of source code rather than a means of designing and testing software tests.
B. zzuf
Explanation
zzuf is the only fuzzer on the list, and zzuf is specifically designed to work with tools like web browsers, image viewers, and similar software by modifying the network and file input fed to the application. Nmap is a port scanner, Nessus is a vulnerability scanner, and Nikto is a web server scanner.
Saria wants to log and review traffic information between parts of her network. What type of network logging should she enable on her routers to allow her to perform this analysis?
A. Audit logging
B. Flow logging
C. Trace logging
D. Route logging
B. Flow logging
Explanation
Flows, also often called network flows, are captured to provide insight into network traffic for security, troubleshooting, and performance management. Audit logging provides information about events on the routers, route logging is not a common network logging function, and trace logs are used in troubleshooting specific software packages as they perform their functions.
Jim is working with a penetration testing contractor who proposes using Metasploit as part of her penetration testing effort. What should Jim expect to occur when Metasploit is used?
A. Systems will be scanned for vulnerabilities.
B. Systems will have known vulnerabilities exploited.
C. Services will be probed for buffer overflow and other unknown flaws.
D. Systems will be tested for zero‐day exploits.
B. Systems will have known vulnerabilities exploited.
Explanation
Metasploit is an exploitation package that is designed to assist penetration testers. A tester using Metasploit can exploit known vulnerabilities for which an exploit has been created or can create their own exploits using the tool. While Metasploit provides built‐in access to some vulnerability scanning functionality, a tester using Metasploit should primarily be expected to perform actual tests of exploitable vulnerabilities. Similarly, Metasploit supports creating buffer overflow attacks, but it is not a purpose‐built buffer overflow testing tool, and of course testing systems for zero‐day exploits doesn’t work unless they have been released.
What is the formula used to determine risk?
A. Risk = Threat * Vulnerability
B. Risk = Threat / Vulnerability
C. Risk = Asset * Threat
D. Risk = Asset / Threat
A. Risk = Threat * Vulnerability
Explanation
Risks exist when there is an intersection of a threat and a vulnerability. This is described using the equation Risk = Threat * Vulnerability.
What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
D. Conduct a cost/benefit analysis.
Explanation
The final step of a quantitative risk analysis is conducting a cost‐benefit analysis to determine whether the organization should implement proposed countermeasure(s).
Allie is responsible for reviewing authentication logs on her organization’s network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool?
A. Sampling
B. Random selection
C. Clipping
D. Statistical analysis
C. Clipping
Explanation
The two main methods of choosing records from a large pool for further analysis are sampling and clipping. Sampling uses statistical techniques to choose a sample that is representative of the entire pool, while clipping uses threshold values to select those records that exceed a predefined threshold because they may be of most interest to analysts.
Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?
A. Quantitative
B. Qualitative
C. Annualized loss expectancy
D. Reduction
B. Qualitative
Explanation
Qualitative tools are often used in business impact assessment to capture the impact on intangible factors such as customer confidence, employee morale, and reputation.
Which of the following vulnerabilities is unlikely to be found by a web vulnerability scanner?
A. Path disclosure
B. Local file inclusion
C. Race condition
D. Buffer overflow
C. Race condition
Explanation
Path disclosures, local file inclusions, and buffer overflows are all vulnerabilities that may be found by a web vulnerability scanner, but race conditions that take advantage of timing issues tend to be found either by code analysis or using automated tools that specifically test for race conditions as part of software testing.
Jim has been contracted to conduct a gray box penetration test, and his clients have provided him with the following information about their networks so that he can scan them:
Data center: 10.10.10.0/24
Sales: 10.10.11.0/24
Billing: 10.10.12.0/24
Wireless: 192.168.0.0/16
What problem will Jim encounter if he is contracted to conduct a scan from offsite?
A. The IP ranges are too large to scan efficiently.
B. The IP addresses provided cannot be scanned.
C. The IP ranges overlap and will cause scanning issues.
D. The IP addresses provided are RFC 1918 addresses.
D. The IP addresses provided are RFC 1918 addresses.
Explanation
The IP addresses that his clients have provided are RFC 1918 nonroutable IP addresses, and Jim will not be able to scan them from off‐site. To succeed in his penetration test, he will have to either first penetrate their network border or place a machine inside their network to scan from the inside. IP addresses overlapping is not a real concern for scanning, and the ranges can easily be handled by current scanning systems.
Murali wants to determine if SQL injection attacks are being attempted against his web application. Which of the following potential source systems will not be useful when identifying SQL injection?
A. Application logs
B. WAF logs
C. Network switch logs
D. Database logs
C. Network switch logs
Explanation
SQL injection attack details can typically be found in application logs like those found on a web server where the query will be logged. They can also be found in web application firewall (WAF) logs and in the logs from the database itself when actions are taken. Network switches, however, are unlikely to contain useful detail in their logs about SQL injection attacks.