Risk Management

Question 1

Looking to define threats specific to your infrastructure

Answer 1

Threat Assessment

Question 2

Security Control Function

Recognized an actors threat

Answer 2

Detective

Question 3

Security Control Function

Mitigates the impact of manifested threat

Answer 3

Corrective

Question 4

CIA

Answer 4

Confidentiality
Integrity
Availability

Question 5

Organizing Data

-Limited to authorized viewing as agreed on by the parties involved

Answer 5

Confidential Data

Question 6

Differential Backup

Answer 6

Everyday you’d make a backup of any changes since the full backup - to do a full system recovery you’d need the original backup plus the last differential backup made

Question 7

Outside company checks your vulnerabilities by trying to get in but not doing anything harmful

Answer 7

Penetration(Pen) Testing

Question 8

Security Policies

-Define the importance or nature of the data

Answer 8

Data Sensitivity and Classification Policy

Question 9

Control actions towards IT security

• laws
• policies
• guidelines
• best practices

Answer 9

Administrative Controls

Question 10

Security Control Function

Deters the actor from attempting the threat

Answer 10

Deterrent

Question 11

ARO

Answer 11

Annualized Rate of Occurence

Question 12

Data User Roles

-Set policy on data and incident response actions

Answer 12

Executive User

Question 13

Control Actions IT systems make toward IT Security

• computer stuff
• firewalls
• password links
• authentication
• encryptions

Answer 13

Technical Controls

Question 14

Role Based Data Controls

-Read only access but can look at all business data

Answer 14

Executive User

Question 15

Threats x Vulnerability

Answer 15

Risk

Question 16

Risk Response - offload some of the impact to 3rd party

Answer 16

Risk transference

Question 17

In-house document of how they store data

Answer 17

Privacy Threshold Assessment (PTA)

Question 18

Security Policies

-Defines what a person can or can not do when using company assets

Answer 18

Acceptable Use Policy

Question 19

Use a variety of physical, administrative, and technical controls to have good…

Answer 19

Defense in Depth

Question 20

Data User Roles

-Complete control over data and could delete everything - sets permissions

Answer 20

System Administrator

Question 21

Structural threat

Answer 21

Physical system failure

Question 22

Defense in Depth

-different types of controls

Answer 22

Diversity

Question 23

Organizing Data
-Health Insurance Portability and Accounting Act
HIPAA

Answer 23

Private Health Information (PHI)

Question 24

3 Security Controls

Answer 24

Administrative/Techincal/Physical

Question 25

Initiates a threat

Answer 25

Threat Agent

Question 26

Data Roles

-Person who is in charge of ensuring data adheres to privacy policies and procedures

Answer 26

Privacy Officer

Question 27

Security Policies

• How you maintain equipment
• How you borrow equipment

Answer 27

Care and Use of Equipment Policy

Question 28

Apply to infrastructure to protect and remediate current and potential problems

Answer 28

Security Control

Question 29

Data Roles

-Maintain the accuracy and integrity of the data

Answer 29

Steward/Custodian

Question 30

Incremental Backup

Answer 30

Everyday you’d make a backup of any changes since the last incremental backup - to do a full system recovery you’d need the original backup plus all the incremental backups made since

Question 31

Scan that shows vulnerabilities

Answer 31

NESSUS

Question 32

PIA

Answer 32

Privacy Impact Assessment

Question 33

Data User Roles

-Assigned standard permissions to complete tasks

Answer 33

User

Question 34

Accidental threat

Answer 34

Someone innocently corrupts or damages something

Question 35

Security Policies

• How you deal with passwords
• Password recovery/retention/reuse/ect.

Answer 35

Password Policy

Question 36

Role Based Data Controls

• Defines the security of the data
• Defines the protection of data
• Works with system owner to protect data
• Defines access to the data

Answer 36

Data Owner

Question 37

PII

Answer 37

Personally Identifiable Information

Question 38

Security Control Function

Deters the actor from performing the threat

Answer 38

Preventative

Question 39

Security Policies

• How to get access to data or resources
• What kind of data do users have access to

Answer 39

Access Control Policy

Question 40

What does this help with?

-Separation of duties?

Answer 40

Requires dual execution

Question 41

Data User Roles

-Increased access and control relative to a user

Answer 41

Privileged User

Question 42

Defense in Depth

-same type of control but many of them as backups

Answer 42

Redundancy

Question 43

Agreement used by Government and Private Sector…

• Service to be provided
• Minimum up-time
• Response time
• Start and end dates

Answer 43

Service Level Agreement (SLA)

Question 44

Threat Actors - Motivation is intelligence

Answer 44

Nation States/Advanced Persistent Threat(APT)

Question 45

Documents that define how to do something

Answer 45

Policies

Question 46

A Memorandum of Understanding/Agreement is a….

Answer 46

Notice that specifies the responsibilities of each party and defines the terms of the agreement

Question 47

Qualitative likelihood

Answer 47

Perceived

Question 48

Mandatory vacation
Job rotation
Multi person control
Separation of duties
Principals of least privilege

Answer 48

Interesting Security Controls

Question 49

SLE(Single Loss Expectancy) x ARO(Annualized Rate of Occurence) =

Answer 49

ALE(Annualized Loss Expectancy)

Question 50

Data Roles

-Legal responsibility for the data

Answer 50

Owner

Question 51

Risk Response - seek to avoid hazards/risk entirely

Answer 51

Risk avoidance

Question 52

Adversarial threat

Answer 52

Hacker/Malware

Question 53

Threat Actors - Intent is motivation

Answer 53

Hacktivist

Question 54

ALE

Answer 54

Annualized Loss Expectancy

Question 55

BPA

Answer 55

Business Partners Agreement

Question 56

Guidelines

Answer 56

Are optional and don’t have to be clearly defined

Question 57

1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor
   ^Example of a ….

Answer 57

Framework

Question 58

NIST

Answer 58

National Institute of Standards and Technology

Question 59

Role Based Data Controls

• Has special access to data beyond the typical user
• Works closely with system admins to ensure data security

Answer 59

Privileged User

Question 60

Maximum amount of data that can be lost without substantial impact

Answer 60

Recovery Point Objective (RPO)

Question 61

Threat Actors - Motivation is money

Answer 61

Organized Crime

Question 62

MTBF

Answer 62

Mean Time Between Failures

Question 63

-Disable accounts(never delete)
-Return credentials
-Exit interview
^Examples of what?

Answer 63

Offboarding

Question 64

Sandbox

Answer 64

The attacker thinks they’re on a real system but it’s just a virtual system designed to look like the real one

Question 65

cve.mitre.org

Answer 65

Common vulnerabilities and exposures

Question 66

Interconnections security agreement (ISA) are used in the…

Answer 66

Public Sector (Government)

Question 67

Vulnerability/Threat assesment

Answer 67

Risk Identification/Assesment

Question 68

Which type of agreement is needed when two private-sector people or organizations wish to work together?

Answer 68

Business Partners Agreement (BPA)

Question 69

• Determine mission processes
• Identify critical systems
• Single foint of failure
• Identify resources requirements
• Identify recovery priorities

Answer 69

Business Impact Analysis

Question 70

Role Based Data Controls

• Accesses and uses the assigned data responsibly
• Monitors and reports security breaches

Answer 70

User

Question 71

Security Policies

• Deals with the people dealing with the data
• Backgrounds/Clearances

Answer 71

Personnel Policies

Question 72

Asset Value x Exposure Factor =

Answer 72

Single Loss Expectancy (SLE)

Question 73

PCI-DSS

Answer 73

Payment Card Industry Data Security Standard

Question 74

Organizing Data

-Private but also specific in identifying someone

Answer 74

Personally Identifiable Information (PII)

Question 75

PTA

Answer 75

Privacy Threshold Assessment

Question 76

Organizing Data

-Limited to only the individual whom the information is shared

Answer 76

Private Data

Question 77

-Max time system can be down before you’re in trouble, or minimum amount of time necessary to restore system to operation

Answer 77

Recovery Time Objective (RTO)

Question 78

Data User Roles

-Usually corporation that has legal ownership over this data set or system

Answer 78

Data Owner/System Owner

Question 79

MTTF

Answer 79

Mean Time to Failure

Question 80

Buffer overflow attempt

Answer 80

Occurs when a program or process attempts to write more data to a fixed length block of memory (a buffer), than the buffer is allocated to hold. By sending carefully crafted input to an application, an attacker can cause the application to execute arbitrary code, possibly taking over the machine
Identified by an intrusion detection/prevention system

Question 81

Actual harm caused by a threat

Answer 81

Impact

Question 82

APT

Answer 82

Advanced Persistent Threat

Question 83

Risk Response - cost out-ways damage

Answer 83

Risk acceptance

Question 84

Organizing Data

• Like private but at corporate level
  ex: formula for coca-cola

Answer 84

Proprietary Data

Question 85

Security Policies

-These are often for customers

Answer 85

Privacy Policy

Question 86

(Blank) is key for good Defense in Depth

Answer 86

Diversity

Question 87

Things that can be Impacted

Answer 87

• Property
• People
• Finance
• Reputation

Question 88

What is the monetary loss if a single event occurs?

ex:laptop stolen

Answer 88

Single Loss Expectancy

Question 89

IOS

Answer 89

International Organization of Standardization

Question 90

Set of overarching rules that define how an organization and it’s employees conduct themselves
Influences how the organization conducts IT security

Answer 90

Governance

Question 91

Threat Actors - Trivial attack knowledge

Answer 91

Script Kiddies

Question 92

What does this help with?

-Job Rotation

Answer 92

Backup/Cross Training

Question 93

What does this help with?

-Mandatory Vacations

Answer 93

Required dependency issues

Question 94

Role Based Data Controls

• Management level
• Maintains security of system
• Defines system Admin
• Works with data owners to ensure data security

Answer 94

System Owner

Question 95

Anything in infrastructure we’re worried about getting harmed

• People
• Equipment
• Reputation
• Location/Building

Answer 95

Assets

Question 96

MTTR

Answer 96

Mean Time to Repair

Question 97

Quantitative Risk Calculations

-Percentage of an asset that’s lost as the result of an incident

Answer 97

Exposure Factor

Question 98

Organizing Data

-No restriction/public domain

Answer 98

Public Data

Question 99

Quantitative Likelihood

Answer 99

Can be measured

Question 100

Control actions in the real world

• gates
• guards
• keys

Answer 100

Physical Controls

Question 101

Discovered action that exploits a vulnerability’s potential to do harm to an asset

Answer 101

Threats

Question 102

Environmental threat

Answer 102

Fire/water/earthquake/ect.

Question 103

Step by step process of how to do something

Answer 103

Procedure

Question 104

Weakness that allows an asset to be exploited

Answer 104

Vulnerabilities

Question 105

Level of certainty that something will happen

Answer 105

Likelihood

Question 106

Workflow that helps deal with risk management

Ex: NIST / ISACA

Answer 106

Framework

Question 107

SLE

Answer 107

Single Loss Expectancy

Question 108

RPO

Answer 108

Recovery Point Objective

Question 109

Defines the acceptable level of performance of policy - more detailed than policy

Answer 109

Organizational Standard

Question 110

-Background check
-NDA non-disclosure agreement
-Standard operating procedures
-Specialized issues
-Rules of behavior(acceptable use policy)
-General security policies
^Examples of what?

Answer 110

Onboarding

Question 111

Threat Actors - Other businesses/not a big problem now a days

Answer 111

Competitors

Question 112

Assessment that tells you what the impact would be to the company if the privacy data they control gets out

Answer 112

Privacy Impact Assessment (PIA)

Question 113

RTO

Answer 113

Recovery Time Objective

Question 114

Security Control Function

Provides alternative fixes to any of the security control functions

Answer 114

Compensating

Question 115

Threat Actors - Not always an employee/Works within the infrustructure

Answer 115

Insiders

Question 116

Role Based Data Controls

• Day to day admin of system
• Implements system security controls

Answer 116

System Admininstrator

Question 117

Risk Response - effort to reduce impact of risk

Answer 117

Mitigation

Question 118

PHI

Answer 118

Private Health Information