Risk identification

Question 1

what is risk identification?

Answer 1

process for discovering, recognizing and documenting the risk an organization faces.

Question 2

what is risk appetite?

Answer 2

the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.

Question 3

what is risk capacity?

Answer 3

the objective amount of loss an enterprise can tolerate without its continued existence being called into question

Question 4

what is risk tolerance

Answer 4

the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objective

Question 5

who is responsible for defining and approving risk appetite and tolerance?

Answer 5

senior management

Question 6

what is risk culture?

Answer 6

management’s willingness to embrace, cautiously accept or avoid risk

Question 7

what are importance of risk communications?

Answer 7

• informed risk decisions by executive management due to an improved understanding of actual exposure and daily duties.
• greater awareness among all stakeholders of the importance and value of integrating risk management into their duties
• transparency to external stakeholders regarding both the actual levels of risk facing the organization and the risk management process in use.

Question 8

what are the risk components to be communicated?

Answer 8

1. expectations from risk management (strategy, policies, procedures, awareness, training)
2. current risk management capability ( risk management process maturity)
3. status (risk profile, key risk indictors, loss data etc)

Question 9

what are the elements of risk?

Answer 9

1. consequences associated with specific assets
2. a treat to those assets, requiring both intent (motivation) and capability.
3. vulnerability specific to the threat

Question 10

what is an asset?

Answer 10

something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Question 11

what are common methods of destroying data?

Answer 11

overwriting, degaussing, and physical destruction of the equipment.

Question 12

why should sensitive and critical data be protected?

Answer 12

sensitive data must be protected from disclosure and modification

critical data must be protected from destruction or loss

Question 13

what is an NDA

Answer 13

A non-disclosure agreement is a legally binding contract that establishes a confidential relationship. The party or parties signing the agreement agree that sensitive information they may obtain will not be made available to any others. An NDA may also be referred to as a confidentiality agreement

Question 14

what is a statement of work?

Answer 14

A Statement of Work (SOW) is a document within a contract that describes the work requirements for a specific project along with its performance and design expectations. The main purpose of the SOW is to define the liabilities, responsibilities and work agreements between two parties, usually clients and service providers.

Question 15

what is the importance of asset valuation?

Answer 15

effort should be made to determine the importance of assets in the context of organizational activities so that priority may be given to protecting the most important assets first and addressing less significant assets as time and budget allow.

effective valuation also protects the organization from paying more in protection than the net worth of the assets.

Question 16

what is one technique in calculating asset value?

Answer 16

base it on the impact of a loss of confidentiality, integrity and availability

Question 17

define asset value

Answer 17

what the organization or another party would pay to take possession of an asset or deny access to it by others.

Question 18

what is a threat

Answer 18

anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm

Question 19

what is a threat agent?

Answer 19

methods of things used to exploit vulnerability, such as determination, capability, motive and resource

Question 20

what is a threat vector?

Answer 20

the path or route used by the adversary to gain access to the target

Question 21

what is a treat analysis?

Answer 21

an evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets.

Question 22

what are the dimensions of threats?

Answer 22

• external or internal

- intentional or unintentional

Question 23

what are indicators of emerging threats?

Answer 23

unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs.

Question 24

what is a vulnerability?

Answer 24

weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Question 25

what is a vulnerability analysis?

Answer 25

a process of identifying and classifying vulnerabilities

Question 26

what is a vulnerability scanning?

Answer 26

an automated process to proactively identify security weaknesses in a network or individual system

Question 27

what is the purpose of vulnerability identification?

Answer 27

the purpose is to first find problems before they are found by an adversary and exploited. this is why the organization should conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities. where vulnerabilities exist, there is a potential for risk.

Question 28

what are some causes of network vulnerability?

Answer 28

misconfiguration of equipment, poor architecture or traffic interception.

Question 29

what is misconfiguration?

Answer 29

common problem with network equipment that is not properly installed, operated or maintained. any open services are a potential attack vector that can be exploited by an attacker, so network equipment should be hardened by disabling any unneeded services, ports or protocols.

Question 30

what are the implications of a a physical access vulnerability?

Answer 30

with access to server rooms, network cabling, information systems equipment and buildings, an attacker can circumvent passwords, install skimmers to intercept data communications and take logical ownership of systems or devices.

Question 31

what are the most common entry points currently used by attackers?

Answer 31

applications in general and web applications in particular.

Question 32

what are some application vulnerabilities?

Answer 32

1. buffer overflows : A buffer overflow vulnerability occurs when you give a program too much data. The excess data corrupts nearby space in memory and may alter other data. As a result, the program might report an error or behave differently
2. logic flaws :Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.
3. injection attacks: is a malicious code injected in the network which fetches all the information from the database to the attacker
4. bugs: bug is an error, flaw or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways
5. incorrect control over use access
6. poor architecture

Question 33

what are the different kinds of cloud deployment models?

Answer 33

1. private cloud: operated solely for an enterprise, may be managed by the enterprise or a third party, may exist on or off premise.
2. public cloud: made available to the general public or a large industry group, owned by an organization selling cloud services.
3. community cloud: shared by several enterprises, supports a specific community that has a shared mission or interest, may be managed by the enterprises or a third party, may reside on or off premise
4. hybrid cloud: a composition of two or more clouds

Question 34

what are some technical risks that are compounded when data is centralized?

Answer 34

1. amplified technical impact: if an unauthorized user were to gain access to centralized repositories, it puts the entirety of those data in jeopardy rather than a subset of the data
2. privacy ( data collection): analytics techniques can impact privacy. for example, individuals whose data are being analyzed may feel that revealed information about them is overly intrusive.
3. privacy ( re-identification): when data is aggregated, semi-anonymous information or information that is not individually identifiable information might become non-anonymous or identifiable in the process.

Question 35

what is a vulnerability assessment

Answer 35

careful examination of a target environment to discover any potential points of compromise or weakness.

vulnerability testing can be manual or automated. automated tools have the ability to filter large amounts of data from different sources, examine the functions of a program, and run test files or data against a tool such as a firewall or application. manual tests are better suited for content that is not easily quantifiable and requires judgement - such as business process reviews, physical security and source code.

Question 36

what is a penetration testing

Answer 36

used to validate the results of a vulnerability assessment

Question 37

what is an impact?

Answer 37

magnitude of loss resulting from a threat exploiting a vulnerability

Question 38

what is an impact analysis?

Answer 38

a study to prioritize the criticality of information resources for the enterprise based on costs or consequence of adverse events. in an impact analysis, threats to assets are identified and potential business losses determined for different time periods. this assessment is used to justify the extent of safeguards that are required and recovery time frames. this
analysis is the basis for establishing the recovery strategy.

Question 39

what is an impact assessment

Answer 39

a review of the possible consequences of a risk

Question 40

What is likelihood

Answer 40

the probability of something happening

Question 41

what are some factors that can affect likelihood?

Answer 41

1. volatility:
2. velocity
3. proximity
4. interdependency
5. motivation
6. skill
7. visibility

Question 42

in addition to likelihood, what are two forms of impact that the risk practitioner should consider?

Answer 42

1. impact due to the loss or compromise of information.

2. impact due to the loss or compromise of an information system.

Question 43

describe the influencing risk factors

Answer 43

1. Motivation and skill increases the likelihood that threat agents use threats to exploit vulnerabilities.
2. the presence of vulnerabilities increases likelihood of risk to an asset.

Question 44

what is information security ?

Answer 44

the protection of information and information systems from risk events. info sec controls are based on risk, and risk is the primary justification used to support information security activities.

Question 45

describe confidentiality

Answer 45

refers to the secrecy and privacy of data. a breach in confidentiality means the improper disclosure of information, such as disclosing information to an internal or external resource that was not authorized to access the information.

Question 46

in identifying risks to confidentiality, the risk practitioner should look for policies or behaviors that violate 2 principles. describe these principles

Answer 46

1. Need to know: individuals should be given access only to information that is needed in order for them to perform their job functions.
2. least privilege: the level of data access afforded individuals or process should be the minimum needed to perform their job functions.

Question 47

describe integrity

Answer 47

integrity refers to guarding against improper modification, exclusion or destruction of information, which requires the protection of information from improper modification by unauthorized users, authorized users and processes or activities operating on the system. whenever data are changed in a manner other than that intended by the data owner, integrity is compromised.

Question 48

how would the risk practitioner maintain integrity?

Answer 48

1. error checking and verification.

2 principle of least privilege

Question 49

describe availability

Answer 49

refers to providing timely and reliable access to information

Question 50

how would the risk practitioner identify availability risk?

Answer 50

compare current levels of availability with required levels, where there is a gap, there is a risk.

Question 51

what is non repudiation

Answer 51

refers to the positive guarantee that a given action was carried out by a given individual or process and is an important part of tracing responsibility and enforcing accountability.

Question 52

what are some controls that support nonrepudiation?

Answer 52

• digital signatures and certificate-based authentication in a PKI

for the purpose of risk identification, the risk practitioner should look for evidence of nonrepudiation in situations in which actions may have significant impact on the organizations, such as approval of production code, deletion of records or disbursement of funds,

Question 53

what is IT risk?

Answer 53

business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

Question 54

list and describe some business related IT risk types

Answer 54

1. access risk: the risk that information may be divulged or made available to recipients without authorized access by the information owner, reflecting a loss of confidentiality.
2. Availability risk: the risk that service may be lost or data are not accessible when needed
3. Infrastructure risk: the risk that the IT infrastructure and systems may be unable to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion (includes hardware, networks, software, people and processes)
4. Integrity risk: the risk that data may be unreliable due to incompleteness or inaccuracy
5. Investment or expense risk: the risk that the IT investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall IT investment portfolio.
6. project ownership risk: the risk of IT projects failing to meet objectives through lack of accountability and commitment
7. relevance risk: the risk that the right information may not get to the right recipients at the right time to allow the right action to be taken or the right decisions to be made
8. schedule risk: the risk of IT projects taking longer than expected.

Question 55

risk management is successful when?

Answer 55

1. there is senior management support

2. there is alignment with business goals and objectives

Question 56

what us the purpose of a RACI chart in risk management?

Answer 56

RACI can assist in outlining the roles and responsibilities of various stakeholders as well as the relationship and interaction between stakeholders and the role they play in the successful completion of the risk management effort.

Question 57

what are the areas of concern for hardware?

Answer 57

• obsolescence
• poor maintenance
• misconfiguration
• lack of documentation
• loss or theft
• data loss due to insecure disposal
• sniffing (capturing data)
• physical access
• failure
• use with out authorization

Question 58

what are areas of concern for software?

Answer 58

• logic flaws or semantic errors
• bugs
• lack of patching
• lack of access control
• disclosure of sensitive information
• improper modification of information
• loss of source code
• lack of version control
• lack of input and output validation

Question 59

what are areas of concern for operating systems?

Answer 59

• unpatched vulnerabilities
• poorly written code (buffer overflows)
• complexity
• misconfiguration
• weak access controls
• lack of interoperability
• uncontrolled changes

Question 60

what are areas of concern for applications?

Answer 60

• poor or no data validation
• exposure of sensitive information ( lack of encryption, obfuscation)
• improper modification of data
• logic flaws
• software bugs
• lack of logs
• lack of version control
• loss of source code
• weak or lack of access control
• lack of operability with other software
• back doors
• poor coding practices

Question 61

what are areas of concern for utilities?

Answer 61

• use of outdated drivers
• unavailability of drivers
• unpatched drivers
• use of insecure components
• unpatched vulnerabilities

Question 62

what is a utility?

Answer 62

software programs that add functionality to your computer or help computer perform better

Question 63

what is middleware?

Answer 63

software that lies between an operating system and the applications running it

Question 64

what are some types of platforms and describe them

Answer 64

• centralized : use of a mainframe in which each user connects to a common processor or mainframe.
• three-tiered architecture: may use middleware to provide an interface between the user and numerous underlying systems that may be located on various servers.

Question 65

what are considerations when identifying risks of a platform?

Answer 65

• asses the attitude and diligence displayed by the architects and IT operations staff to harden systems.
• follow good practices in change control while performing administrative functions
• ensure that systems are tested on a scheduled basis to ensure compliance with standards, procedures and good security practices

Question 66

why are networks important in risk management?

and what is a network?

Answer 66

because they are often targets or channels used to attack systems or applications.

a network is made up of many devices, including cabling, repeaters, switches, routers, firewalls, gateways and access points. networks are digital and communications are sent via digital signals such as bits or pulses of light.

Question 67

what are some considerations for networks?

Answer 67

• network configuration and management, including the recognition of criticality of network operations
• network equipment protection
• the use of layered defense (defense in depth)
• suitable levels of redundancy
• availability of bandwidth
• use of encryption for transmission of sensitive data
• encryption key management
• use of certificates to support pki
• damage to cabling and network equipment
• tapping network connections and eavesdropping on communications
• choice of network architecture
• documentation of network architecture

Question 68

what is a repeater and what is an advantage?

Answer 68

used to extend the length of a signal being transmitted over cable or wireless networks.

an advantage of a repeater is that it can filter out some noise or error that may be affecting traffic.

Question 69

what are switches? and areas of concerns?

Answer 69

switches are used to connect devices together. they can also be used to connect networks but also segment and divide networks through configurations such as a virtual lan.

areas of concern

• physical protection of the switch
• ensuring proper configuration
• being a single point of failure
• documentation

Question 70

what is a router and areas of concerns?

Answer 70

to connect multiple networks together and forward incoming packets in the direction of the destination internet protocol IP address that is in the packet header.

areas of concern

• improper configuration
• use of weak protocols
• software bugs
• unpatched systems
• physical security
• unintentional support for IPv6

Question 71

what is a firewall? and some considerations

Answer 71

a system or combination of system that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment.

considerations

• backed up on a regular basis, reviewed to ensure hat all rules are in the correct order and are documented, and tested on a scheduled basis.
• changes made to firewall configurations and rules should be subject to change management process of the organization.
• firewall staff members are knowledgeable, trained and supervised.
• firewall logs should be reviewed on a regular basis to detect any suspicious activities.

Question 72

what is a proxy

Answer 72

proxy is a device that acts as an intermediary between two communicating parties. proxy allows the deice to filter and examine suspicious activity, protect internal resources and take action if unacceptable activity is occurring.

a gateway is a type of proxy that controls traffic through a gate or security perimeter.

Question 73

list and describe the types of network topologies

Answer 73

1. bus network: Connects every device by means of one communication path. The design is simple and cost effective, which is why it has been used for cable television signals for decades. The key vulnerability lies in upstream dependency; a cut cable results in failure for every user connected downstream of the cut. It is also easy to intercept traffic on a bus network ( a point of particular concern for users of cable-based internet access)
2. star network: Every device is connected to a central switch, which is more efficient than a bus on account of shorter paths from any end point to the switch. The switch design also makes it more difficult for one user to intercept traffic intended for another. Star topologies are even more vulnerable to interruption than bus topologies, because loss of the central switch affects all users. However, the switch can generally be more easily protected than a bus cable
3. tree network: Series of star networks arranged with branches to other star networks in a tree type structure. A cut link between branches of the tree causes isolation of that branch. Popular because they are scalable.
4. ring network: Used in backbones and areas where reliable high-speed communication and fault tolerance is desired. A ring connects every device and allows traffic to pass in one or both directions. If the ring is bidirectional, a single cut does not affect the network at all. Ring topologies are great for busy networks where switching will introduce too much delay due to processing overhead, but they are considerably more expensive than the bus, star or tree topologies.
5. Mesh network: Used where high availability is required. Many devices are connected to many other devices in a mesh so that traffic can route around a failure in any part of the network. The internet itself is a partial mesh and was built to service massive failures of one part of the network and still allow communications over the rest of the internet. Mesh networks are costly, and they do not scale with physical lines due to the need to connect each device to many other devices. Wireless links make locally oriented mesh architectures considerably easier to architect and maintain.

Question 74

what is a DMZ

Answer 74

areas of the network that is accessible to outsiders through the internet is isolated into a DMZ. this prevents an attacker from having direct access into internal systems. all devices in the DMZ are hardened with all unnecessary functionality disabled.

Question 75

Hardened devices with all unnecessary functionality disabled are also called?

Answer 75

Bastian hosts

Question 76

what do intrusion detection systems and prevention systems do?

Answer 76

they monitor, record and may block suspicious activity.

Question 77

what are some concerns with respect to encryption?

Answer 77

• how keys are generated and stored
• the training of users
• ensuring that the algorithms adhere to current standards

Question 78

what is WAN and list the different types

Answer 78

• WAN : computer network connecting different remote locations that may range from short distances to extremely long transmissions.
• several different types of WAN when it must connect networks over large geographic areas
  - leased line, packet switching networks, microwave, optical, satellite

Question 79

what is a LAN

Answer 79

communication network that serves several users within a specified geographic area, such as a building or a department.

Question 80

what is a VPN

Answer 80

secure private network that uses the public telecommunications infrastructure to transmit data

vpns work by digitally constructing tunnels so that content traffic within the tunnel is logically separated from other traffic.

Question 81

in risk identification what are some historical or evidence based methods?

Answer 81

• audit and incident reports
• public media
• annual reports and press releases

Question 82

in risk identification what are some systematic approaches? ( determine potential points of failure)

Answer 82

• vulnerability assessments
• review of business continuity and disaster recovery plans
• interviews and workshops

Question 83

in risk identification what are some inductive approaches? (determine potential points of attacks)

Answer 83

• penetration testing

Question 84

describe the risk identification process

Answer 84

1. identify assets
2. identify threats
3. identify existing controls
4. identify vulnerabilities
5. identify consequences this feeds into the risk estimation process

Question 85

outline the information security risk management process

Answer 85

1. establish the context
2. risk assessment ( identification, analysis and evaluation)
3. risk treatment ( risk modification, retention, avoidance, risk sharing)
4. risk monitoring and review
5. risk communication and consultation

Question 86

what is risk assessment

Answer 86

risk assessment determines the value of information assets , identifies the applicable threats and vulnerabilities that exists or could exists, identifies the existing controls and their effect on the risk identified, determines the consequences and finally prioritizes the derived risk and ranks it against the risk evaluation criteria set in the context establishment.

Question 87

what is a risk scenario

Answer 87

description of possible event whose occurrence will have an uncertain impact on the achievement of the enterprises objectives, which may be positive or negative.

Question 88

uses of risk scenario

Answer 88

1. can help conceptualize risk that can aid in the process of risk identification
2. also used to document risk in relation to business objectives or operations impacted by events, making them useful as the basis for quantitative risk assessment.

Question 89

types of risk scenarios

Answer 89

1. top down perspective driven by business goals and how a risk event could affect the achievement of goals.
2. bottom up perspective originating from hypothetical scenarios. and is based on describing risk events that are specific to individual enterprise situations. useful way to identify scenarios that are highly dependent on specific technical workings of a process or system

Question 90

list elements in a risk scenario

Answer 90

1. actor ( internal or external)
2. threat type ( malicious or accidental)
3. event ( theft or inappropriate use)
4. asset/resource (process, people and skills, infrastructure)
5. time (duration, detection)

Question 91

what are the responsibilities of a risk owner

Answer 91

risk owner is accountable for accepting risk based on the organizational risk appetite and should be someone with budget, authority and mandate to select the appropriate risk response based on analysis and guidance provided by the risk practitioner.

the risk owner also owns any controls associated with he risk and is accountable for monitoring their effectiveness,.

Question 92

why is the purpose of a risk register

Answer 92

organizations maintain risk registers in order to consolidate all information about risk into one central repository. it also allows senior management and the managers of each department to obtain the status of the risk management process from a single source, which in turn makes it possible to better manage and report on risk and coordinate risk response activities

Question 93

Awareness program for management should?

Answer 93

highlight the need for management to play a supervisory role in protective systems and applications from attacks. a manager has the responsibility to oversee the actions of his/her staff and direct compliance with the policies and practices of the organization

Question 94

awareness program for senior management should?

Answer 94

highlight the liability, need for compliance, due care and due diligence and the need to create the tone and culture of the organization through policy and good practice. senior management owns the risk and bear the responsibility for determining risk acceptance levels.

Question 95

The primary reason for developing an enterprise security architecture is to

Answer 95

align security strategies among the functional areas of an enterprise and external entities

Question 96

what is the best safeguard against a data breach?

Answer 96

security awareness training

Question 97

what is a data classification policy?

Answer 97

describes the data classification categories, level of protection to be provided for each category of data and the roles and responsibilities of potential users, including data owners.

Question 98

what is a prevalent risk in the development of end user computing applications?

Answer 98

failure to subject applications to testing and IT general controls

Question 99

what document does an organization refer to determine the intellectual property ownership of an application built by a third party service manager in the course of its work for the organization

Answer 99

statement of work

Question 100

who is accountable for business risk related to IT

Answer 100

users of IT services or the business.