Section 21 - Risk Assessments

Question 1

What are Risk Assessments?

Answer 1

A process used inside of risk management to identify how much risk exists in a given network or system

Question 2

In every risk management program, there’s essentially only four things that you can do with risk. What are they?

Answer 2

Avoid
Transfer
Mitigate
Accept

Question 3

What is Risk Avoidance?

Answer 3

A strategy that requires stopping the activity that has risk or choosing a less risky alternative

Question 4

What is a Risk Transfer?

Answer 4

A strategy that passes the risk to a third party

Question 5

What is Risk Mitigation?

Answer 5

A strategy that seeks to minimize the risk to an acceptable level

Question 6

What is a Risk Acceptance?

Answer 6

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

Question 7

What is Residual Risk?

Answer 7

The risk remaining after trying to avoid, transfer, or mitigate the risk

Question 8

To conduct a risk assessment, you have only to use four steps. What are these?

Answer 8

1. Identify assets
2. Identify vulnerabilities
3. Identify threats
4. Identify the impact

Question 9

During a risk assessment, there are two different ways to measure risk. What are these?

Answer 9

Qualitatively
Quantitatively

Question 10

What is qualitative analysis?

Answer 10

This uses intuition, experience, and other methods to assign a relative value to risk

The relative categories of high, medium and low are used for this.

*** Since this measure is highly suggestive, those using it should have the proper reflected experience and education of the threat to give this analysis

Question 11

What is quantitative analysis?

Answer 11

Uses numerical and monetary values to calculate risk

Equations are used to determine the total and residual risk, as well as provide you with a cost directly associated with those risks.

*** This is going to remove much of the estimation and guesswork from a risk assessment because it’s going to turn this into a math problem instead.

Question 12

What is a magnitude of impact?

Answer 12

This is an estimation of the amount of damage that a negative risk might achieve

This is performed after a qualitative or quantitative risk assessment to see the amount of damage

*** This is also known as a risk of impact

Question 13

What are the three most common calculations used in determining the magnitude of an impact in a quantitative risk analysis?

Answer 13

Single Loss Expectancy (SLE)

Annualized Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE)

Question 14

What is SLE?

Answer 14

Single Loss Expectancy

Cost associated with the realize of each individualized threat that occurs

Asset value x Exposure factor

(Exposure factor means the amount of the asset that’s going to be lost if the threat is realized)

Question 15

What is ARO?

Answer 15

Annualized Rate of Occurrence

Number of times per year that a threat is realized

Question 16

What is ALE?

Answer 16

Annual Loss Expectancy

Expected cost of a realized threat over a given year

ALE = SLE x ARO

Question 17

___ approaches that combine quantitative and qualitative analysis are commonly used

Answer 17

hybrid

** this is often because there’s not enough data to accurately only use a quantitative method

Question 18

What is a security assessment?

Answer 18

Verify that the organization’s security posture is designed and configured properly to help thwart different types of attacks

Question 19

There are two types of methodologies when it comes to performing security assessments. What are they?

Answer 19

Active and passive

Question 20

What is an Active Assessment?

Answer 20

Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

Question 21

What is a Passive Assessment?

Answer 21

Utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems

Question 22

What are security controls?

Answer 22

Methods implemented to mitigate a particular risk

Question 23

Security controls are broken down into seven types. What are these?

Answer 23

Physical
Technical
Administrative
Preventative
Detective
Corrective
Compensating

Question 24

What are physical controls?

Answer 24

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

Question 25

What are technical controls?

Answer 25

Safeguards and countermeasures used to avoid, detect, counteract or minimize security risks to our systems and information

Question 26

What are administrative controls?

Answer 26

Focused on changing the behavior of people instead of removing the actual risk involved

Question 27

The NIST has three additional categories that we organize security controls into as well. What are they?

Answer 27

Management controls
Operational controls
Technical controls

Question 28

What does NIST stand for?

Answer 28

National Institute of Standards and Technology

Question 29

What are management controls?

Answer 29

Security controls that are focused on decision-making and the management of risk

Question 30

What are operational controls?

Answer 30

Focused on the things done by people

Question 31

What are technical controls?

Answer 31

Logical controls that are put into a system to help secure it

Question 32

What are preventative controls?

Answer 32

Security controls that are installed before an event happens and are designed to prevent something from occurring

Question 33

What are detective controls?

Answer 33

Used during the event to find out whether something bad might be happening

Question 34

What are corrective controls?

Answer 34

Used after an event occurs

Question 35

A single control can be categorized into ___ types of categories

Answer 35

Multiple

For example, a TV that’s installed because serve as both a detective and a physical control.

Question 36

What is a compensating control?

Answer 36

Used whenever you can’t meet the requirement for a normal control

*** For example, if it’s your organization’s policy that every building uses a retina scan-enabled door lock but one of your offices overseas does not have access to this technology, they might install a cipher door lock instead. This would act as a compensating control.

Question 37

Any residual risk not covered by a compensating control is an ___ risk.

Answer 37

accepted

Question 38

What are the six different types of risks?

Answer 38

External
Internal
Legacy Systems
Multiparty
IP Theft
Software compliance and licensing

Question 39

What is external risk?

Answer 39

Risks that are produced outside your organization and are beyond our control

** These are often non-human like natural disasters or blackouts. However this could include hackers, since they are outside of our organization and you can’t control them attacking you.

Question 40

What is an internal risk?

Answer 40

Risks that are formed within the organization, arise during normal operations and are often forecastable

** Like a server crash

Question 41

What is a legacy system risk?

Answer 41

An old method, technology, computer system or application program which includes an outdated computer system still in use

Question 42

What is a multiparty risk?

Answer 42

A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks

** Like connecting two businesses together

Question 43

What is IP theft?

Answer 43

Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of competitive edge, or a slowdown in business growth occurs

Question 44

What is Software Compliance and Licensing?

Answer 44

Risk associated with a company not being aware of what software or components are installed within its network