Section 21 - Risk Assessments Flashcards

1
Q

What are Risk Assessments?

A

A process used inside of risk management to identify how much risk exists in a given network or system

2
Q

In every risk management program, there are essentially only four things that you can do with risk. What are they?

A

Avoid
Transfer
Mitigate
Accept

3
Q

What is Risk Avoidance?

A

A strategy that requires stopping the activity that has risk or choosing a less risky alternative

4
Q

What is a Risk Transfer?

A

A strategy that passes the risk to a third party

5
Q

What is Risk Mitigation?

A

A strategy that seeks to minimize the risk to an acceptable level

6
Q

What is a Risk Acceptance?

A

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

7
Q

What is Residual Risk?

A

The risk remaining after trying to avoid, transfer, or mitigate the risk

8
Q

To conduct a risk assessment, you only need to use four steps. What are these?

A

1. Identify assets
2. Identify vulnerabilities
3. Identify threats
4. Identify the impact
9
Q

During a risk assessment, there are two different ways to measure risk. What are these?

A

Qualitatively
Quantitatively

10
Q

What is qualitative analysis?

A

This uses intuition, experience, and other methods to assign a relative value to risk

The relative categories of high, medium, and low are used for this.

*** Since this measure is highly subjective, those using it should have the relevant experience and education about the threat to give this analysis

11
Q

What is quantitative analysis?

A

Uses numerical and monetary values to calculate risk

Equations are used to determine the total and residual risk, as well as provide you with a cost directly associated with those risks.

*** This removes much of the estimation and guesswork from a risk assessment because it turns the assessment into a math problem instead.

12
Q

What is a magnitude of impact?

A

This is an estimation of the amount of damage that a negative risk might achieve

This is performed after a qualitative or quantitative risk assessment to see the amount of damage

*** This is also known as a risk of impact

13
Q

What are the three most common calculations used in determining the magnitude of an impact in a quantitative risk analysis?

A

Single Loss Expectancy (SLE)

Annualized Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE)

14
Q

What is SLE?

A

Single Loss Expectancy

Cost associated with the realization of each individual threat that occurs

SLE = Asset Value x Exposure Factor

(Exposure factor means the amount of the asset that’s going to be lost if the threat is realized)

15
Q

What is ARO?

A

Annualized Rate of Occurrence

Number of times per year that a threat is realized

16
Q

What is ALE?

A

Annualized Loss Expectancy

Expected cost of a realized threat over a given year

ALE = SLE x ARO

17
Q

___ approaches that combine quantitative and qualitative analysis are commonly used

A

hybrid

** This is often because there is not enough data to accurately use a quantitative method alone

18
Q

What is a security assessment?

A

Verifies that the organization's security posture is designed and configured properly to help thwart different types of attacks

19
Q

There are two types of methodologies when it comes to performing security assessments. What are they?

A

Active and passive

20
Q

What is an Active Assessment?

A

Utilizes more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

21
Q

What is a Passive Assessment?

A

Utilizes open source information, the passive collection and analysis of network data, and other unobtrusive methods, without making direct contact with the targeted systems

22
Q

What are security controls?

A

Methods implemented to mitigate a particular risk

23
Q

Security controls are broken down into seven types. What are these?

A

Physical
Technical
Administrative
Preventative
Detective
Corrective
Compensating

24
Q

What are physical controls?

A

Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

25
Q

What are technical controls?

A

Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information

26
Q

What are administrative controls?

A

Focused on changing the behavior of people instead of removing the actual risk involved

27
Q

NIST has three additional categories that security controls are organized into as well. What are they?

A

Management controls
Operational controls
Technical controls

28
Q

What does NIST stand for?

A

National Institute of Standards and Technology

29
Q

What are management controls?

A

Security controls that are focused on decision-making and the management of risk

30
Q

What are operational controls?

A

Focused on the things done by people

31
Q

What are technical controls?

A

Logical controls that are put into a system to help secure it

32
Q

What are preventative controls?

A

Security controls that are installed before an event happens and are designed to prevent something from occurring

33
Q

What are detective controls?

A

Used during the event to find out whether something bad might be happening

34
Q

What are corrective controls?

A

Used after an event occurs

35
Q

A single control can be categorized into ___ types of categories

A

Multiple

** For example, a TV that's installed can serve as both a detective and a physical control.

36
Q

What is a compensating control?

A

Used whenever you can't meet the requirement for a normal control

*** For example, if it's your organization's policy that every building uses a retina scan-enabled door lock but one of your offices overseas does not have access to this technology, they might install a cipher door lock instead. This would act as a compensating control.

37
Q

Any residual risk not covered by a compensating control is an ___ risk.

A

accepted

38
Q

What are the six different types of risks?

A

External
Internal
Legacy Systems
Multiparty
IP Theft
Software compliance and licensing

39
Q

What is external risk?

A

Risks that are produced outside your organization and are beyond our control

** These are often non-human, like natural disasters or blackouts. However, this could include hackers, since they are outside of our organization and you can't control them attacking you.

40
Q

What is an internal risk?

A

Risks that are formed within the organization, arise during normal operations, and are often forecastable

** Like a server crash

41
Q

What is a legacy system risk?

A

An old method, technology, computer system, or application program, including an outdated computer system still in use

42
Q

What is a multiparty risk?

A

A risk that refers to the connection of multiple systems or organizations, with each bringing their own inherent risks

** Like connecting two businesses together

43
Q

What is IP theft?

A

Risk associated with business assets and property being stolen from an organization, in which economic damage, the loss of competitive edge, or a slowdown in business growth occurs

44
Q

What is Software Compliance and Licensing?

A

Risk associated with a company not being aware of what software or components are installed within its network