Risk Management Flashcards

1
Q

What is the definition of risk in regards to cybersecurity?

A

A probability that a threat will be realized

2
Q

What is a vulnerability in regards to cybersecurity?

A

Weakness in design or implementation of a system

3
Q

What is a threat in regards to cybersecurity?

A

A condition that could cause harm, loss, damage or compromise IT systems

4
Q

Where does risk fit in with threat and vulnerability?

A

Risk lives between threat and vulnerability

5
Q

What is risk avoidance? Give an example…

A

Stopping the activity that has the risk or choosing an alternative

Example: your office computers run on outdated Windows XP. You either take those computers offline or upgrade to a current (more secure) OS

6
Q

What is risk transfer? Give an example…

A

Passing the risk to a third party.
Example: Getting insurance

7
Q

What is risk mitigation? Give an example…

A

Seeking to minimize the risk to an acceptable level
Example: Regularly scan and take inventory of your network devices and software. Remove unnecessary or unexpected hardware and software from the network.

8
Q

What is risk acceptance? Give an example…

A

Accepting the current level of risk and the costs associated with it
Example: Keeping legacy systems active if they are not connected to sensitive data environments. Allowing employees to connect their own devices to an organization’s networks if traffic from these devices is segmented from sensitive networks.

9
Q

What is usually the deciding factor in risk acceptance?

A

Cost

10
Q

What is residual risk?

A

What is leftover after avoiding, transferring and mitigating the risk

11
Q

What are the risk assessment steps?

A

1. Identify assets
2. Identify vulnerabilities
3. Identify threats
4. Identify the impact of the risk

12
Q

What is qualitative risk?

A

Using intuition, experience, judgement and other non-numerical and non-monetary methods to assign a relative value to risk

13
Q

What is the critical factor in qualitative analysis?

A

Experience since it is highly subjective

14
Q

What is quantitative risk?

A

Using numerical and monetary values to calculate risk

15
Q

What is the magnitude of impact?

A

An estimate of the amount of damage that a negative risk might achieve

16
Q

What methods are used in calculating magnitude of impact?

A

SLE, ARO, ALE

17
Q

What is SLE? How do you calculate it?

A

Single Loss Expectancy - cost associated with the realization of each individual threat that occurs.

Asset Value x Exposure Factor = SLE

18
Q

What is ARO?

A

Annualized Rate of Occurrence - number of times per year that a threat is realized

19
Q

What is ALE? How do you calculate it?

A

Annualized Loss Expectancy - expected cost of a realized threat over a year

ALE = SLE x ARO

20
Q

What is a security assessment?

A

A process to verify that an organization’s security posture is designed properly to help thwart different types of attacks

21
Q

What is an active assessment?

A

Utilizing more intrusive techniques to determine vulnerabilities such as scans, probing the network, hands on testing

22
Q

What is a passive assessment?

A

Utilizing non-intrusive techniques such as open source information, passive collection and analysis of network data, identifying open ports, etc.

23
Q

What are physical controls?

A

Controls designed to prevent/deter unauthorized access

24
Q

What are technical controls?

A

Controls used to avoid, detect, counteract or minimize security risks to our systems and info

25
Q

What are administrative controls?

A

Controls that are focused on changing the behavior of people instead of removing the actual risk

26
Q

What are the NIST categories of controls?

A

management, operational and technical

27
Q

What are management controls?

A

Controls that are focused on things done by people

28
Q

What are NIST technical controls?

A

Logical controls that are put into a system in order to secure it

29
Q

What are operational controls?

A

Controls focused on things done by people

30
Q

What are preventative controls?

A

Controls that are installed before an event happens

31
Q

What are detective controls?

A

Controls that are used during the event to find out whether something happened

32
Q

What are corrective controls?

A

Controls that are used after an event occurs

33
Q

What is external risk?

A

Risk produced by a non-human source and beyond human control.
Example: natural disaster, blackout, hackers

34
Q

What is internal risk?

A

Risk formed within the organization, often forecastable.
Example: server crash, disgruntled employees

35
Q

What are legacy systems?

A

Old tech, methods or systems that are past their service life and usually not secure due to lack of patching and discovered vulnerabilities

36
Q

What is multiparty risk?

A

Risk involving the connection of multiple systems or organizations with each bringing risks
Example: two companies merging systems

37
Q

What is IP theft?

A

Business assets and property being stolen

38
Q

What is a good way to mitigate IP theft?

A

DLP (Data Loss Prevention)

39
Q

What acronym refers to the maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs?

A

RTO - Recovery Time Objective