Risk Assessment Flashcards

1
Q

What is Risk Assessment?

A

Process used inside of risk management to identify how much risk exists in a given network or system.

2
Q

What is Risk?

A

The probability that a threat will be realized

3
Q

What is a vulnerability?

A

A controllable aspect of a system: a weakness in the design or implementation of the system.

4
Q

What are threats?

A

Any condition that could cause harm, loss, damage, or compromise IT systems.

External and out of our control, e.g.:

Hackers, natural disasters, war

5
Q

Where does risk live?

A

Risk exists where threats overlap vulnerability. If there are no threats, but there is vulnerability, there is no risk.
If there are threats and vulnerabilities, then there is risk.

6
Q

What can be done about threats once identified?

A

Risk Management is used to minimize the likelihood of a negative outcome occurring.

7
Q

In what ways can risk be handled?

A

Risk Avoidance
Risk Transfer
Risk Mitigation
Risk Acceptance

8
Q

Explain risk avoidance and transfer

A

Avoidance is a strategy that requires stopping an activity that has risk, or choosing a less risky alternative.
e.g. moving a Windows XP machine offline, or upgrading it to Windows 10

Risk Transfer is transferring the risk to a third party.
e.g. insurance

9
Q

Explain Risk Mitigation and Risk Acceptance

A

Risk Mitigation - Strategy to seek out and minimize the risk to an acceptable level

Risk Acceptance - Accept the current level of risk and the costs associated with it, should the risk be realized
- e.g. choosing not to extend a laptop warranty

10
Q

What is residual risk?

A

Risk remaining after trying to avoid, transfer, or mitigate risk.

11
Q

What are the four steps to reduce risk?

A

  1. Identify Assets
  2. Identify Vulnerabilities
  3. Identify Threats
  4. Identify Impact

12
Q

Describe Qualitative Analysis

A

It uses intuition, experience, and other methods to assign a relative value to risk.

Based on perceived risk, this falls into the red tile D4 (of a risk heat map).

Relative categories of risk or comparison to risk = Qualitative

13
Q

True or False: Experience is critical to Qualitative Analysis

A

True

14
Q

Describe quantitative analysis and its components

A

Uses numerical and monetary values to calculate risk:

Value of Asset
Threat Frequency
Severity of vulnerability
Impact of realized threat (money)

15
Q

What is Magnitude of Impact?

A

Used with both quantitative and qualitative analysis to estimate the amount of damage that a negative risk may cause.

16
Q

What are SLE, ARO, and ALE?

A

Single Loss Expectancy - Cost associated with the realization of each individual threat that occurs.

Annualized Rate of Occurrence - The number of times a year that something happens.

Annualized Loss Expectancy - Expected annual cost of threats being realized.

17
Q

What is the EF in the SLE and ALE equations?

A

EF is the Exposure Factor - the proportion of an asset that will be lost if a threat is realized.

18
Q

How is SLE calculated?

A

SLE = AV (Asset Value) x EF

19
Q

How is ALE calculated?

A

ALE = SLE x ARO

SLE = 4000, ARO = 0.5 (once every two years)

ALE = 2000

20
Q

True or False: There is such a thing as a hybrid approach to Risk Assessments

A

True: Qualitative and Quantitative analysis can be combined for a hybrid approach.

21
Q

What is a Security Assessment?

A

They verify that the organization's security posture is designed and configured properly to help thwart different types of attacks.

22
Q

What is a vulnerability scan?

A

A scan run from within a network that seeks out vulnerabilities; it can use a credentialed account for an inside-to-out scan.

23
Q

Why might assessments be required?

A

Legal, regulatory, or contractual compliance may depend on routine assessments.

24
Q

What types of assessments are there?

A

Passive and active

25
Q

Describe an active scan

A

They utilize more intrusive techniques like scanning, hands on testing, and probing of the network to identify vulnerabilities.

26
Q

Describe a passive scan

A

Utilize open source information, passive collection and analysis of network data, and other unobtrusive methods WITHOUT MAKING DIRECT CONTACT WITH TARGETED SYSTEMS.

THESE SCANS ARE LIMITED IN THE EXTENT AND DETAIL OF WHAT INFO CAN BE GATHERED.

27
Q

What are security controls, and what are the three main categories?

A

Methods implemented to mitigate a particular risk.

Physical
Technical
Administrative

28
Q

Describe physical controls

A

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or systems.

Fences, locked doors, and alarms

29
Q

Describe Technical Controls

A

Safeguards or countermeasures used to avoid, detect, counteract, or minimize risk to our systems and info.

ACLs, Firewall, Password Policy, MFA

30
Q

Describe Administrative Controls

A

Focused on changing the BEHAVIOR of people instead of REMOVING THE ACTUAL Risk

31
Q

What are the NIST categories of security controls?

A

Management, Operational, and Technical

32
Q

Describe Management Controls

A

Security controls that are focused on decision making and the management of risk.

They Control HOW SYSTEM SECURITY WILL BE MANAGED AND REVIEWED

33
Q

Describe Operational Controls

A

Focused on the THINGS DONE BY PEOPLE. They increase the security of the system by increasing control over the systems and the people who use them.

Configuration Management, User training, incident handling.

34
Q

Describe Technical Controls

A

Logical controls that are put in a system to help secure it.

AAA, ACLs, Encryption
If performed by a PC, it is technical.

35
Q

Describe Preventative Controls

A

Put in place before an event occurs and are designed to prevent something from happening.

RAID, UPS, DLP

36
Q

Describe Detective Controls

A

Used during an event to find out whether something bad is happening.

CCTV, IDS, Audit Logs

37
Q

Describe Corrective Controls

A

Used after an event occurs to recover from it.

Tape Backups, Incident response, disaster recovery, co-location.

38
Q

True or False: Security Controls can belong to multiple categories

A

True: Security controls can belong to different categories, such as:

CCTV: Detective and Physical
Stated Password Policy: Administrative and Managerial

39
Q

Describe Compensating Controls

A

Used whenever you can’t meet the requirement for a normal control.

When the desired control is not available, a different control can be put in place to meet the control requirement.

40
Q

How is residual risk due to employing a compensating control handled?

A

The residual risk is accepted.

41
Q

What are the different types of Risk?

A

External
Internal
Legacy Systems
Multiparty
IP Theft
Software Compliance and licensing

42
Q

Describe External Risk

A

Risk that is produced by a non-human source and is beyond human control.

Wildfires, Hurricanes, Blackouts, Hackers

43
Q

Describe Internal risk

A

Risks that are formed within the organization, arise during normal operations, and are often forecastable.

Hardware failure after the warranty expires that had been forecast using MTBF

44
Q

Describe Legacy Systems Risk

A

An old method, technology, computer, or application, which includes an outdated computer system still in use.

ICS + SCADA running WinXP

45
Q

Describe Multiparty Risk

A

Risk that refers to the connection of multiple systems or organizations, with each bringing its own inherent risk.

46
Q

IP Theft Risk

A

Risk of business assets and property being stolen from an organization, resulting in economic damage, loss of competitive edge, or a slowdown in business growth.

Make sure DLP is enabled.

47
Q

Software Compliance and Licensing

A

Risk from a company not being aware of what software or components are installed on its network.

Installing unmanaged software increases vulnerabilities, which increase risk.

Licensing can bring the risk of companies suing for unauthorized/unpaid use. Software can be crippled once the evaluation period ends.