Risk identification Flashcards

1
Q

what is risk identification?

A

process for discovering, recognizing and documenting the risk an organization faces.

2
Q

what is risk appetite?

A

the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.

3
Q

what is risk capacity?

A

the objective amount of loss an enterprise can tolerate without its continued existence being called into question

4
Q

what is risk tolerance?

A

the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objective

5
Q

who is responsible for defining and approving risk appetite and tolerance?

A

senior management

6
Q

what is risk culture?

A

management’s willingness to embrace, cautiously accept or avoid risk

7
Q

what is the importance of risk communications?

A
  • informed risk decisions by executive management due to an improved understanding of actual exposure and daily duties.
  • greater awareness among all stakeholders of the importance and value of integrating risk management into their duties
  • transparency to external stakeholders regarding both the actual levels of risk facing the organization and the risk management process in use.
8
Q

what are the risk components to be communicated?

A
  1. expectations from risk management (strategy, policies, procedures, awareness, training)
  2. current risk management capability (risk management process maturity)
  3. status (risk profile, key risk indicators, loss data, etc.)
9
Q

what are the elements of risk?

A
  1. consequences associated with specific assets
  2. a threat to those assets, requiring both intent (motivation) and capability
  3. a vulnerability specific to the threat
10
Q

what is an asset?

A

something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

11
Q

what are common methods of destroying data?

A

overwriting, degaussing, and physical destruction of the equipment.

12
Q

why should sensitive and critical data be protected?

A

sensitive data must be protected from disclosure and modification

critical data must be protected from destruction or loss

13
Q

what is an NDA?

A

A non-disclosure agreement is a legally binding contract that establishes a confidential relationship. The party or parties signing the agreement agree that sensitive information they may obtain will not be made available to any others. An NDA may also be referred to as a confidentiality agreement

14
Q

what is a statement of work?

A

A Statement of Work (SOW) is a document within a contract that describes the work requirements for a specific project along with its performance and design expectations. The main purpose of the SOW is to define the liabilities, responsibilities and work agreements between two parties, usually clients and service providers.

15
Q

what is the importance of asset valuation?

A

effort should be made to determine the importance of assets in the context of organizational activities so that priority may be given to protecting the most important assets first and addressing less significant assets as time and budget allow.

effective valuation also protects the organization from paying more in protection than the net worth of the assets.

16
Q

what is one technique in calculating asset value?

A

base it on the impact of a loss of confidentiality, integrity and availability

17
Q

define asset value

A

what the organization or another party would pay to take possession of an asset or deny access to it by others.

18
Q

what is a threat?

A

anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm

19
Q

what is a threat agent?

A

methods or things used to exploit a vulnerability, such as determination, capability, motive and resources

20
Q

what is a threat vector?

A

the path or route used by the adversary to gain access to the target

21
Q

what is a threat analysis?

A

an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets.

22
Q

what are the dimensions of threats?

A
  • external or internal
  • intentional or unintentional

23
Q

what are indicators of emerging threats?

A

unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs.

24
Q

what is a vulnerability?

A

weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

25
Q

what is a vulnerability analysis?

A

a process of identifying and classifying vulnerabilities

26
Q

what is vulnerability scanning?

A

an automated process to proactively identify security weaknesses in a network or individual system

27
Q

what is the purpose of vulnerability identification?

A

the purpose is to first find problems before they are found by an adversary and exploited. this is why the organization should conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities. where vulnerabilities exist, there is a potential for risk.

28
Q

what are some causes of network vulnerability?

A

misconfiguration of equipment, poor architecture or traffic interception.

29
Q

what is misconfiguration?

A

common problem with network equipment that is not properly installed, operated or maintained. any open services are a potential attack vector that can be exploited by an attacker, so network equipment should be hardened by disabling any unneeded services, ports or protocols.

30
Q

what are the implications of a physical access vulnerability?

A

with access to server rooms, network cabling, information systems equipment and buildings, an attacker can circumvent passwords, install skimmers to intercept data communications and take logical ownership of systems or devices.

31
Q

what are the most common entry points currently used by attackers?

A

applications in general and web applications in particular.

32
Q

what are some application vulnerabilities?

A
  1. buffer overflows: a buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently.
  2. logic flaws: business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.
  3. injection attacks: malicious code is injected into the network which fetches all the information from the database to the attacker.
  4. bugs: a bug is an error, flaw or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
  5. incorrect control over user access
  6. poor architecture
33
Q

what are the different kinds of cloud deployment models?

A
  1. private cloud: operated solely for an enterprise, may be managed by the enterprise or a third party, may exist on or off premise.
  2. public cloud: made available to the general public or a large industry group, owned by an organization selling cloud services.
  3. community cloud: shared by several enterprises, supports a specific community that has a shared mission or interest, may be managed by the enterprises or a third party, may reside on or off premise
  4. hybrid cloud: a composition of two or more clouds
34
Q

what are some technical risks that are compounded when data is centralized?

A
  1. amplified technical impact: if an unauthorized user were to gain access to centralized repositories, it puts the entirety of those data in jeopardy rather than a subset of the data
  2. privacy (data collection): analytics techniques can impact privacy. for example, individuals whose data are being analyzed may feel that revealed information about them is overly intrusive.
  3. privacy (re-identification): when data is aggregated, semi-anonymous information or information that is not individually identifiable might become non-anonymous or identifiable in the process.
35
Q

what is a vulnerability assessment?

A

careful examination of a target environment to discover any potential points of compromise or weakness.

vulnerability testing can be manual or automated. automated tools have the ability to filter large amounts of data from different sources, examine the functions of a program, and run test files or data against a tool such as a firewall or application. manual tests are better suited for content that is not easily quantifiable and requires judgement - such as business process reviews, physical security and source code.

36
Q

what is penetration testing?

A

used to validate the results of a vulnerability assessment

37
Q

what is an impact?

A

magnitude of loss resulting from a threat exploiting a vulnerability

38
Q

what is an impact analysis?

A

a study to prioritize the criticality of information resources for the enterprise based on costs or consequence of adverse events. in an impact analysis, threats to assets are identified and potential business losses determined for different time periods. this assessment is used to justify the extent of safeguards that are required and recovery time frames. this analysis is the basis for establishing the recovery strategy.

39
Q

what is an impact assessment?

A

a review of the possible consequences of a risk

40
Q

what is likelihood?

A

the probability of something happening

41
Q

what are some factors that can affect likelihood?

A
  1. volatility
  2. velocity
  3. proximity
  4. interdependency
  5. motivation
  6. skill
  7. visibility
42
Q

in addition to likelihood, what are two forms of impact that the risk practitioner should consider?

A
  1. impact due to the loss or compromise of information
  2. impact due to the loss or compromise of an information system
43
Q

describe the influencing risk factors

A
  1. motivation and skill increase the likelihood that threat agents use threats to exploit vulnerabilities.
  2. the presence of vulnerabilities increases the likelihood of risk to an asset.
44
Q

what is information security?

A

the protection of information and information systems from risk events. info sec controls are based on risk, and risk is the primary justification used to support information security activities.

45
Q

describe confidentiality

A

refers to the secrecy and privacy of data. a breach in confidentiality means the improper disclosure of information, such as disclosing information to an internal or external resource that was not authorized to access the information.

46
Q

in identifying risks to confidentiality, the risk practitioner should look for policies or behaviors that violate 2 principles. describe these principles

A
  1. need to know: individuals should be given access only to information that is needed in order for them to perform their job functions.
  2. least privilege: the level of data access afforded to individuals or processes should be the minimum needed to perform their job functions.
47
Q

describe integrity

A

integrity refers to guarding against improper modification, exclusion or destruction of information, which requires the protection of information from improper modification by unauthorized users, authorized users and processes or activities operating on the system. whenever data are changed in a manner other than that intended by the data owner, integrity is compromised.

48
Q

how would the risk practitioner maintain integrity?

A
  1. error checking and verification
  2. principle of least privilege
49
Q

describe availability

A

refers to providing timely and reliable access to information

50
Q

how would the risk practitioner identify availability risk?

A

compare current levels of availability with required levels; where there is a gap, there is a risk.

51
Q

what is nonrepudiation?

A

refers to the positive guarantee that a given action was carried out by a given individual or process and is an important part of tracing responsibility and enforcing accountability.

52
Q

what are some controls that support nonrepudiation?

A
  • digital signatures and certificate-based authentication in a PKI

for the purpose of risk identification, the risk practitioner should look for evidence of nonrepudiation in situations in which actions may have significant impact on the organization, such as approval of production code, deletion of records or disbursement of funds.

53
Q

what is IT risk?

A

business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

54
Q

list and describe some business related IT risk types

A
  1. access risk: the risk that information may be divulged or made available to recipients without authorized access by the information owner, reflecting a loss of confidentiality.
  2. availability risk: the risk that service may be lost or data are not accessible when needed.
  3. infrastructure risk: the risk that the IT infrastructure and systems may be unable to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion (includes hardware, networks, software, people and processes).
  4. integrity risk: the risk that data may be unreliable due to incompleteness or inaccuracy.
  5. investment or expense risk: the risk that the IT investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall IT investment portfolio.
  6. project ownership risk: the risk of IT projects failing to meet objectives through lack of accountability and commitment.
  7. relevance risk: the risk that the right information may not get to the right recipients at the right time to allow the right action to be taken or the right decisions to be made.
  8. schedule risk: the risk of IT projects taking longer than expected.
55
Q

risk management is successful when?

A
  1. there is senior management support
  2. there is alignment with business goals and objectives
56
Q

what is the purpose of a RACI chart in risk management?

A

RACI can assist in outlining the roles and responsibilities of various stakeholders as well as the relationship and interaction between stakeholders and the role they play in the successful completion of the risk management effort.

57
Q

what are the areas of concern for hardware?

A
  • obsolescence
  • poor maintenance
  • misconfiguration
  • lack of documentation
  • loss or theft
  • data loss due to insecure disposal
  • sniffing (capturing data)
  • physical access
  • failure
  • use without authorization
58
Q

what are areas of concern for software?

A
  • logic flaws or semantic errors
  • bugs
  • lack of patching
  • lack of access control
  • disclosure of sensitive information
  • improper modification of information
  • loss of source code
  • lack of version control
  • lack of input and output validation
59
Q

what are areas of concern for operating systems?

A
  • unpatched vulnerabilities
  • poorly written code (buffer overflows)
  • complexity
  • misconfiguration
  • weak access controls
  • lack of interoperability
  • uncontrolled changes
60
Q

what are areas of concern for applications?

A
  • poor or no data validation
  • exposure of sensitive information ( lack of encryption, obfuscation)
  • improper modification of data
  • logic flaws
  • software bugs
  • lack of logs
  • lack of version control
  • loss of source code
  • weak or lack of access control
  • lack of operability with other software
  • back doors
  • poor coding practices
61
Q

what are areas of concern for utilities?

A
  • use of outdated drivers
  • unavailability of drivers
  • unpatched drivers
  • use of insecure components
  • unpatched vulnerabilities
62
Q

what is a utility?

A

software programs that add functionality to your computer or help the computer perform better

63
Q

what is middleware?

A

software that lies between an operating system and the applications running on it

64
Q

what are some types of platforms? describe them

A
  • centralized : use of a mainframe in which each user connects to a common processor or mainframe.
  • three-tiered architecture: may use middleware to provide an interface between the user and numerous underlying systems that may be located on various servers.
65
Q

what are considerations when identifying risks of a platform?

A
  • assess the attitude and diligence displayed by the architects and IT operations staff to harden systems
  • follow good practices in change control while performing administrative functions
  • ensure that systems are tested on a scheduled basis to ensure compliance with standards, procedures and good security practices
66
Q

why are networks important in risk management?

and what is a network?

A

because they are often targets or channels used to attack systems or applications.

a network is made up of many devices, including cabling, repeaters, switches, routers, firewalls, gateways and access points. networks are digital and communications are sent via digital signals such as bits or pulses of light.

67
Q

what are some considerations for networks?

A
  • network configuration and management, including the recognition of criticality of network operations
  • network equipment protection
  • the use of layered defense (defense in depth)
  • suitable levels of redundancy
  • availability of bandwidth
  • use of encryption for transmission of sensitive data
  • encryption key management
  • use of certificates to support PKI
  • damage to cabling and network equipment
  • tapping network connections and eavesdropping on communications
  • choice of network architecture
  • documentation of network architecture
68
Q

what is a repeater and what is an advantage?

A

used to extend the length of a signal being transmitted over cable or wireless networks.

an advantage of a repeater is that it can filter out some noise or error that may be affecting traffic.

69
Q

what are switches, and what are the areas of concern?

A

switches are used to connect devices together. they can also be used to connect networks, but also to segment and divide networks through configurations such as a virtual LAN.

areas of concern

  • physical protection of the switch
  • ensuring proper configuration
  • being a single point of failure
  • documentation
70
Q

what is a router, and what are the areas of concern?

A

a router is used to connect multiple networks together and forward incoming packets in the direction of the destination Internet Protocol (IP) address that is in the packet header.

areas of concern

  • improper configuration
  • use of weak protocols
  • software bugs
  • unpatched systems
  • physical security
  • unintentional support for IPv6
71
Q

what is a firewall, and what are some considerations?

A

a system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment.

considerations

  • firewalls should be backed up on a regular basis, reviewed to ensure that all rules are in the correct order and are documented, and tested on a scheduled basis.
  • changes made to firewall configurations and rules should be subject to the change management process of the organization.
  • firewall staff members should be knowledgeable, trained and supervised.
  • firewall logs should be reviewed on a regular basis to detect any suspicious activities.
72
Q

what is a proxy?

A

a proxy is a device that acts as an intermediary between two communicating parties. a proxy allows the device to filter and examine suspicious activity, protect internal resources and take action if unacceptable activity is occurring.

a gateway is a type of proxy that controls traffic through a gate or security perimeter.

73
Q

list and describe the types of network topologies

A
  1. bus network: connects every device by means of one communication path. The design is simple and cost effective, which is why it has been used for cable television signals for decades. The key vulnerability lies in upstream dependency; a cut cable results in failure for every user connected downstream of the cut. It is also easy to intercept traffic on a bus network (a point of particular concern for users of cable-based internet access).
  2. star network: Every device is connected to a central switch, which is more efficient than a bus on account of shorter paths from any end point to the switch. The switch design also makes it more difficult for one user to intercept traffic intended for another. Star topologies are even more vulnerable to interruption than bus topologies, because loss of the central switch affects all users. However, the switch can generally be more easily protected than a bus cable
  3. tree network: Series of star networks arranged with branches to other star networks in a tree type structure. A cut link between branches of the tree causes isolation of that branch. Popular because they are scalable.
  4. ring network: Used in backbones and areas where reliable high-speed communication and fault tolerance is desired. A ring connects every device and allows traffic to pass in one or both directions. If the ring is bidirectional, a single cut does not affect the network at all. Ring topologies are great for busy networks where switching will introduce too much delay due to processing overhead, but they are considerably more expensive than the bus, star or tree topologies.
  5. Mesh network: Used where high availability is required. Many devices are connected to many other devices in a mesh so that traffic can route around a failure in any part of the network. The internet itself is a partial mesh and was built to service massive failures of one part of the network and still allow communications over the rest of the internet. Mesh networks are costly, and they do not scale with physical lines due to the need to connect each device to many other devices. Wireless links make locally oriented mesh architectures considerably easier to architect and maintain.
74
Q

what is a DMZ?

A

areas of the network that are accessible to outsiders through the internet are isolated into a DMZ. this prevents an attacker from having direct access into internal systems. all devices in the DMZ are hardened with all unnecessary functionality disabled.

75
Q

Hardened devices with all unnecessary functionality disabled are also called?

A

bastion hosts

76
Q

what do intrusion detection systems and prevention systems do?

A

they monitor, record and may block suspicious activity.

77
Q

what are some concerns with respect to encryption?

A
  • how keys are generated and stored
  • the training of users
  • ensuring that the algorithms adhere to current standards
78
Q

what is a WAN? list the different types

A
  • WAN: a computer network connecting different remote locations that may range from short distances to extremely long transmissions.
  • several different types of WAN are used when it must connect networks over large geographic areas:
    - leased line, packet switching networks, microwave, optical, satellite
79
Q

what is a LAN?

A

communication network that serves several users within a specified geographic area, such as a building or a department.

80
Q

what is a VPN?

A

secure private network that uses the public telecommunications infrastructure to transmit data

VPNs work by digitally constructing tunnels so that content traffic within the tunnel is logically separated from other traffic.

81
Q

in risk identification what are some historical or evidence based methods?

A
  • audit and incident reports
  • public media
  • annual reports and press releases
82
Q

in risk identification, what are some systematic approaches? (determine potential points of failure)

A
  • vulnerability assessments
  • review of business continuity and disaster recovery plans
  • interviews and workshops
83
Q

in risk identification what are some inductive approaches? (determine potential points of attacks)

A
  • penetration testing
84
Q

describe the risk identification process

A
  1. identify assets
  2. identify threats
  3. identify existing controls
  4. identify vulnerabilities
  5. identify consequences; this feeds into the risk estimation process
85
Q

outline the information security risk management process

A
  1. establish the context
  2. risk assessment ( identification, analysis and evaluation)
  3. risk treatment ( risk modification, retention, avoidance, risk sharing)
  4. risk monitoring and review
  5. risk communication and consultation
86
Q

what is risk assessment?

A

risk assessment determines the value of information assets, identifies the applicable threats and vulnerabilities that exist or could exist, identifies the existing controls and their effect on the risk identified, determines the consequences and finally prioritizes the derived risk and ranks it against the risk evaluation criteria set in the context establishment.

87
Q

what is a risk scenario?

A

description of a possible event whose occurrence will have an uncertain impact on the achievement of the enterprise's objectives, which may be positive or negative.

88
Q

uses of risk scenario

A
  1. can help conceptualize risk that can aid in the process of risk identification
  2. also used to document risk in relation to business objectives or operations impacted by events, making them useful as the basis for quantitative risk assessment.
89
Q

types of risk scenarios

A
  1. top-down perspective: driven by business goals and how a risk event could affect the achievement of goals.
  2. bottom-up perspective: originating from hypothetical scenarios and based on describing risk events that are specific to individual enterprise situations. a useful way to identify scenarios that are highly dependent on the specific technical workings of a process or system.
90
Q

list elements in a risk scenario

A
  1. actor (internal or external)
  2. threat type (malicious or accidental)
  3. event (theft or inappropriate use)
  4. asset/resource (process, people and skills, infrastructure)
  5. time (duration, detection)
91
Q

what are the responsibilities of a risk owner?

A

the risk owner is accountable for accepting risk based on the organizational risk appetite and should be someone with the budget, authority and mandate to select the appropriate risk response based on analysis and guidance provided by the risk practitioner.

the risk owner also owns any controls associated with the risk and is accountable for monitoring their effectiveness.

92
Q

what is the purpose of a risk register?

A

organizations maintain risk registers in order to consolidate all information about risk into one central repository. it also allows senior management and the managers of each department to obtain the status of the risk management process from a single source, which in turn makes it possible to better manage and report on risk and coordinate risk response activities.

93
Q

an awareness program for management should?

A

highlight the need for management to play a supervisory role in protecting systems and applications from attacks. a manager has the responsibility to oversee the actions of his/her staff and direct compliance with the policies and practices of the organization.

94
Q

an awareness program for senior management should?

A

highlight the liability, need for compliance, due care and due diligence, and the need to create the tone and culture of the organization through policy and good practice. senior management owns the risk and bears the responsibility for determining risk acceptance levels.

95
Q

the primary reason for developing an enterprise security architecture is to?

A

align security strategies among the functional areas of an enterprise and external entities

96
Q

what is the best safeguard against a data breach?

A

security awareness training

97
Q

what is a data classification policy?

A

describes the data classification categories, level of protection to be provided for each category of data and the roles and responsibilities of potential users, including data owners.

98
Q

what is a prevalent risk in the development of end user computing applications?

A

failure to subject applications to testing and IT general controls

99
Q

what document does an organization refer to in order to determine the intellectual property ownership of an application built by a third party service manager in the course of its work for the organization?

A

statement of work

100
Q

who is accountable for business risk related to IT?

A

users of IT services or the business.