Risk Management Flashcards
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability
Answer:
C. By applying the patch, Jen has removed the vulnerability from her server. This also has the effect of eliminating this particular risk. Jen cannot control the external threat of an attacker attempting to gain access to her server.
You notice a high number of SQL injection attacks against a web application run by your organization, and you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
A. Reduced the magnitude
B. Eliminated the vulnerability
C. Reduced the probability
D. Eliminated the threat
Answer:
C. Installing a web application firewall reduces the probability that an attack will reach the web server. Vulnerabilities may still exist in the web application, and the threat of an external attack is unchanged. The impact of a successful SQL injection attack is also unchanged by a web application firewall.
Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.
Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the asset value (AV)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer:
C. The asset at risk in this case is the customer database. Losing control of the database would result in a $500,000 fine, so the asset value (AV) is $500,000.
Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.
Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the exposure factor (EF)?
A. 5 percent
B. 20 percent
C. 50 percent
D. 100 percent
Answer:
D. The attack would result in the total loss of customer data stored in the database, making the exposure factor (EF) 100 percent.
Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.
Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the single loss expectancy (SLE)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer:
C. We compute the single loss expectancy (SLE) by multiplying the asset value (AV) of $500,000 by the exposure factor (EF) of 100 percent, giving an SLE of $500,000.
Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.
Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the annualized rate of occurrence (ARO)?
A. 0.05
B. 0.20
C. 2.00
D. 5.00
Answer:
A. Aziz’s threat intelligence research determined that the threat has a 5 percent likelihood of occurrence each year. This is an ARO of 0.05.
Background: Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 in fines against his firm.
Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year.
What is the annualized loss expectancy (ALE)?
A. $5,000
B. $25,000
C. $100,000
D. $500,000
Answer:
B. We compute the annualized loss expectancy (ALE) by multiplying the SLE ($500,000) by the ARO (0.05), giving an ALE of $25,000.
Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.
Grace’s first idea is to add a web application firewall to protect her organization against SQL injection attacks. What risk management strategy does this approach adopt?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer:
C. Installing new controls or upgrading existing controls is an effort to reduce the probability or magnitude of a risk. This is an example of a risk mitigation activity.
Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.
Business leaders are considering dropping the customer activities that collect and store sensitive personal information. What risk management strategy would this approach use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer:
B. Changing business processes or activities to eliminate a risk is an example of risk avoidance.
Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.
The business decided to install the web application firewall and continue doing business. They still were worried about other risks to the information that were not addressed by the firewall and considered purchasing an insurance policy to cover those risks. What strategy does this use?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer:
D. Insurance policies use a risk transference strategy by shifting some or all of the financial risk from the organization to an insurance company.
Background: Grace recently completed a risk assessment of her organization’s exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. She is considering a variety of approaches to managing this risk.
In the end, risk managers found that the insurance policy was too expensive and opted not to purchase it. They are taking no additional action. What risk management strategy is being used in this situation?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer:
A. When an organization decides to take no further action to address remaining risk, it is choosing a strategy of risk acceptance.
Which one of the following U.S. government classification levels requires the highest degree of security control?
A. Secret
B. Confidential
C. Top Secret
D. Unclassified
Answer:
C. Top Secret is the highest level of classification under the U.S. system and, therefore, requires the highest level of security control.
Asa believes that her organization is taking data collected from customers for technical support and using it for marketing without their permission. What principle is most likely being violated?
A. Data minimization
B. Data retention
C. Purpose limitation
D. Data sovereignty
Answer:
C. Organizations should only use data for the purposes disclosed during the collection of that data. In this case, the organization collected data for technical support purposes and is now using it for marketing purposes. That violates the principle of purpose limitation.
A U.S. company stores data in an EU data center and finds that it is now subject to the requirements of GDPR. This is an example of __________.
A. Data minimization
B. Data retention
C. Purpose limitation
D. Data sovereignty
Answer:
D. The principle of data sovereignty says that data is subject to the legal restrictions of any jurisdiction where it is collected, stored, or processed.
Background: Golden Dome Enterprises is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. Participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb’s team is responsible for securing the systems in the exercise environment and defending them against attacks. Sofia’s team is conducting offensive operations and attempting to break into the systems protected by Barb’s team.
What term best describes the role that Sofia’s team is playing in the exercise?
A. Black team
B. White team
C. Red team
D. Blue team
Answer:
C. Red team members are the attackers who attempt to gain access to systems. Sofia’s team is fulfilling this role.