Section 1 Risk Management

Question 1

What is the CIA of security?

Answer 1

Confidentiality, Integrity, Availability.

Don’t forget - auditing, accountability & non-repudiation

Question 2

What is non-repudiation?

Answer 2

It’s when a user cannot deny having done a particular action.

Question 3

What are the 5 attributes of threat actors?

Answer 3

Internal/external
Level of sophistication
Resources/funding
Intent
Open Source Intelligence

Question 4

What is OSINT?

Answer 4

Open Source Intelligence. It provides ample info to intrigue a threat actor.

Question 5

What is a Script Kiddy threat actor?

Answer 5

Trivial knowledge
Uses scripts
Lock picker
Blocked by firewalls

Question 6

What is a Hacktivist?

Answer 6

A threat actor whose Intent is powered by motivation. So consider their goal.

Question 7

How is organized crime a threat actor?

Answer 7

Motivation is to make money!

Question 8

How is a Nation State a threat actor? And what does APT stand for?

Answer 8

Motivation is intelligence.

They are Advanced Persistent Threats. Tonnes of resources.

Question 9

How are “insiders” a threat actor?

Answer 9

They are anyone with access e.g. Have a userName + PW

• vendors
• contractors
• cleaning crews

Question 10

Give some examples of assets that are at risk

Answer 10

Any part of infrastructure - computers, people, servers, company reputation

Question 11

Give some examples of risk vulnerabilities

Answer 11

Unlocked server room, default PWs

Question 12

Give some examples of threats

Answer 12

Threats are actions. (The person involved in the threat is a threat agent.)

E.g. - Someone able to access a server room.
- Someone critical to the team quits.

Question 13

What is a threat?

Answer 13

A threat is a discovered action that exploits a vulnerability’s potential to do harm to an asset.

Question 14

What is a threat agent?

Answer 14

Usually a person who initiates a threat. (But could be something like a hurricane!)

Question 15

What is likelihood when related to risk and threats?

Answer 15

Often depicted as a % and for a year timespan.

Question 16

What are the two ways risk likelihood is measured?

Answer 16

Quantitative and Qualitative

Question 17

Give an example of quantitative likelihood risk

Answer 17

Router with a power supply - there’s a risk it might die. Something measurable - time, cost.

Question 18

Give an example of qualitative likelihood risk

Answer 18

Harder to measure - customer loyalty. “Low Med, High”

Question 19

What is impact?

Answer 19

The actual harm caused by a threat,

Question 20

What is the formula to calculate risk?

Answer 20

threats x vulnerabilities = risk

or

threats -> vulnerabilities = risk

Question 21

What is the NIST SP 800-30?

Answer 21

National Institute of Standards and Technologies Document that lists all possible threats and vulnerabilities to assess risks.

Question 22

What are the two risk assessment steps?

Answer 22

• Vulnerability Assessment

- Threat Assessment

Question 23

What is the “CVE” on cve.mitre.org?

Answer 23

“Common Vulnerabilities and Exposures” database. Used to assess risk - very detailed.

Question 24

What is Nessus?

Answer 24

The Nessus is a program that is ran locally and generates data for any vulnerabilities it finds.

Question 25

What is Pen testing?

Answer 25

Penetration Testing is when an outside party looks for vulnerabilities in your network. It’s the best way to find any problems.

Question 26

Give an example of Adversarial threats

Answer 26

Hacker, malware

Question 27

Give an example of Accidental threats

Answer 27

User mistakenly enters text and drops the db.

Question 28

Give an example of Structural threats

Answer 28

Power supply issues, equipment failure

Question 29

Give an example of Environmental threats

Answer 29

Fires, AC, earthquakes

Question 30

What is mitigation when related to risk response?

Answer 30

Mitigation is effort to reduce impact of risk.

Question 31

What is risk transference?

Answer 31

When you offload risk to a 3rd party - e.. use a cloud based web server - you no longer have to worry about power supply etc.

Question 32

What is risk acceptance?

Answer 32

When costs to mitigate are too high, so you accept the risk - e.g. a meteor could hit your servers.

Question 33

What is risk avoidance?

Answer 33

The decision to not store sensitive info, where you could be liable.

Question 34

Name two Risk Management Frameworks

Answer 34

NIST Risk Management Framework Special Publication 800-37

ISACA Risk IT Framework

Question 35

What are the four types of threats?

Answer 35

• Adversarial
• Accidental
• Structural
• Environmental

Question 36

Explain the 5 security control functions

Answer 36

Deterrent - deters the actor from attempting
Preventative - deters the actor from performing the threat
Detective - recognizes an actor’s threat
Corrective - mitigates the impact of a manifested threat
Compensating - provides alternative fixes to any of the above!

Question 37

Name the 3 types of security controls

Answer 37

Administrative or Management control - laws, policies
Technical controls - firewalls, passwords
Physical Controls - fences, keys, guards

Question 38

List 5 curious security controls

Answer 38

Mandatory vacation - (detect weird things happening)
Job Rotation
Separation of Duties (administrative control - Single Resp)
Multi-person control - (2 keys for missile launch!)
Principle of least privilege (Need to know)

Question 39

What is the difference between diversity and redundancy?

Answer 39

Redundancy is repeating the same controls at various intervals, diversity is using a variety of controls in a random pattern.

Many trenches (redundant)
or
1 trench, a fence, a catapult, moat etc (diverse)

Question 40

What is “defense in depth”?

Answer 40

A security defense that uses all three types of controls - administrative, physical and technical controls.

Question 41

What is vendor diversity?

Answer 41

A method of defense in depth with technical controls.

Question 42

What is Security Governance?

Answer 42

The bunch of rules an organization operates by.

Question 43

What laws/standards affect IT security?

Answer 43

HIPAA (law)
NIST (standard)
PCI-DSS (Credit card standards)