Risk Management Flashcards

1
Q

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?

A. Removed the threat

B. Reduced the threat

C. Removed the vulnerability

D. Reduced the vulnerability

A

Answer:

C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.

2
Q

You notice a high number of SQL injection attacks against a web application run by your organization, and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

A. Reduced the magnitude

B. Eliminated the vulnerability

C. Reduced the probability

D. Eliminated the threat

A

Answer:

C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.

3
Q

Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the asset value (AV)?

A. $5,000

B. $100,000

C. $500,000

D. $600,000

A

Answer:

C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.

4
Q

Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the exposure factor (EF)?

A. 5 percent

B. 20 percent

C. 50 percent

D. 100 percent

A

Answer:

D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.

5
Q

Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the single loss expectancy (SLE)?

A. $5,000

B. $100,000

C. $500,000

D. $600,000

A

Answer:

C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) ($500,000) and the exposure factor (EF) (100 percent) to get an SLE of $500,000.

6
Q

Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the annualized rate of occurrence (ARO)?

A. 0.05

B. 0.20

C. 2.00

D. 5.00

A

Answer:

A. Aziz’s threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.

7
Q

Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.

Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.

What is the annualized loss expectancy (ALE)?

A. $5,000

B. $25,000

C. $100,000

D. $500,000

A

Answer:

B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) and the ARO (0.05) to get an ALE of $25,000.

8
Q

Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?

A. Risk acceptance

B. Risk avoidance

C. Risk mitigation

D. Risk transference

A

Answer:

C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.

9
Q

Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

Business leaders are considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?

A. Risk acceptance

B. Risk avoidance

C. Risk mitigation

D. Risk transference

A

Answer:

B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.

10
Q

Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

The business decided to install the web application firewall and continue doing business. They were still worried about other risks to the information that were not addressed by the firewall and considered purchasing an insurance policy to cover those risks. What strategy does this use?

A. Risk acceptance

B. Risk avoidance

C. Risk mitigation

D. Risk transference

A

Answer:

D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.

11
Q

Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.

In the end, risk managers found that the insurance policy was too expensive and opted not to purchase it. They are taking no additional action. What risk management strategy is being used in this situation?

A. Risk acceptance

B. Risk avoidance

C. Risk mitigation

D. Risk transference

A

Answer:

A. When an organization decides to take no further action to address remaining risk, they are choosing a strategy of risk acceptance.

12
Q

Which one of the following U.S. government classification levels requires the highest degree of security control?

A. Secret

B. Confidential

C. Top Secret

D. Unclassified

A

Answer:

C. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.

13
Q

Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?

A. Data minimization

B. Data retention

C. Purpose limitation

D. Data sovereignty

A

Answer:

C. Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.

14
Q

A U.S. company stores data in an EU data center and finds that it is now subject to the requirements of GDPR. This is an example of __________.

A. Data minimization

B. Data retention

C. Purpose limitation

D. Data sovereignty

A

Answer:

D. The principle of data sovereignty says that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.

15
Q

Background: Golden Dome Enterprises is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. Participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb’s team is responsible for securing the systems in the exercise environment and defending them against attacks. Sofia’s team is conducting offensive operations and attempting to break into the systems protected by Barb’s team.

What term best describes the role that Sofia’s team is playing in the exercise?

A. Black team

B. White team

C. Red team

D. Blue team

A

Answer:

C. Red team members are the attackers who attempt to gain access to systems. Sofia’s team is fulfilling this role.

16
Q

Background: Golden Dome Enterprises is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. Participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb’s team is responsible for securing the systems in the exercise environment and defending them against attacks. Sofia’s team is conducting offensive operations and attempting to break into the systems protected by Barb’s team.

What term best describes the role that Ed’s team is playing in the exercise?

A. Black team

B. White team

C. Red team

D. Blue team

A

Answer:

B. White team members are the observers and judges. They serve as referees to settle disputes over the rules and watch the exercise to document lessons learned from the test.

17
Q

Background: Golden Dome Enterprises is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. Participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb’s team is responsible for securing the systems in the exercise environment and defending them against attacks. Sofia’s team is conducting offensive operations and attempting to break into the systems protected by Barb’s team.

What term best describes the role that Barb’s team is playing in the exercise?

A. Black team

B. White team

C. Red team

D. Blue team

A

Answer:

D. Blue team members are the defenders who must secure systems and networks from attack. The blue team also monitors the environment during the exercise, conducting active defense techniques.

18
Q

Which one of the following data protection techniques is reversible when conducted properly?

A. Tokenization

B. Masking

C. Hashing

D. Shredding

A

Answer:

A. Tokenization techniques use a lookup table and are designed to be reversible. Masking and hashing techniques replace the data with values that can’t be reversed back to the original data if performed properly. Shredding, when conducted properly, physically destroys data so that it may not be recovered.

19
Q

What security control can be used to clearly communicate to users the level of protection required for different data types?

A. Classification policies

B. Retention standards

C. Life cycle practices

D. Confidentiality controls

A

Answer:

A. Classification policies create different categories of data used within an organization and then specify the level of security control required for each classification level. Using classifications helps users understand the type of protection necessary for each data type they encounter.

20
Q

Alfonso is concerned that users might leave his organization and then share sensitive information that they retained with future employers. What security control would best protect against this risk?

A. IPS

B. DRM

C. DLP

D. NDA

A

Answer:

D. Once an employee leaves the organization, they would no longer be subject to any of the technical controls that Alfonso might implement. These include intrusion prevention systems (IPSs), data loss prevention (DLP) systems, and digital rights management (DRM) systems. The best way to protect against unauthorized sharing of information by former employees is through the use of nondisclosure agreements (NDAs).