Section 4: Security of Networks, Systems, Application and Data

Question 1

Risk is the possibility of loss of a digital (a) ___ resulting from a (b) ___ exploiting a (c) ___.

Answer 1

a. asset
b. threat
c. vulnerability

Question 2

The process of doing an analysis of the risk attributes (i.e. asset, exploit, vulnerability) to determine an organization’s particular risk.

Answer 2

Cyberrisk assessment

Question 3

What are the three most common inputs of a cyberrisk assessment?

Answer 3

1. Asset identification
2. Threat assessment
3. Vulnerability assessment

Question 4

Select all that apply. Information used to estimate impact and likelihood usually comes from:

a. Past experience or data and records
b. Reliable practices, international standards or guidelines
c. Market research and analysis
d. Experiments and prototypes
e. Recent management analysis
f. Economic, engineering or other models
g. Specialist and expert advice
h. Industry report

Answer 4

1. Past experience or data and records
2. Reliable practices, international standards or guidelines
3. Market research and analysis
4. Experiments and prototypes
5. Economic, engineering or other models
6. Specialist and expert advice

Question 5

What are the three types of risk assessment orientations?

Answer 5

1. Asset orientation
   - Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
2. Threat orientation
   - Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
3. Vulnerability
   - Vulnerabilities and deficiencies are identified first, then the exposed assets, and then the threat events that could be taken advantage of are determined.

Question 6

What are the types of risk response strategy?

Answer 6

1. Risk reduction
2. Risk avoidance
3. Risk transfer or sharing
4. Risk acceptance

Question 7

Type of risk response strategy where the implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization’s risk tolerance

Answer 7

Risk reduction

Question 8

Type of risk response strategy through non-participation in an activity or business

Answer 8

Risk avoidance

Question 9

An example of this risk response strategy is purchase of insurance or availment of a third-party’s services

Answer 9

Risk transfer or sharing

Question 10

Type of risk response strategy where the organization assumes the risk and absorbs the loss

Answer 10

Risk acceptance

Question 11

True or False: The results of risk assessments need to be evaluated in terms of the organization’s mission, risk tolerance, budgets and other resources, and cost of asset allocation.

Answer 11

False: The results of risk assessments need to be evaluated in terms of the organization’s mission, risk tolerance, budgets and other resources, and cost of MITIGATION.

Question 12

True or False: Risk assessment results can be used to communicate the risk decisions and expectations of management throughout the organization through policies and procedures.

Answer 12

True

Question 13

Two most common techniques of identifying vulnerabilities:

Answer 13

1. Vulnerability scaning

2. Penetration testing

Question 14

The process of using proprietary or open source tools to search for known vulnerabilities

Answer 14

Vulnerability scanning

Question 15

An exploitable weakness that results in a loss

Answer 15

Vulnerability

Question 16

The method used to take advantage of a vulnerability

Answer 16

Exploit

Question 17

What are the common types of vulnerabilities?

Answer 17

1. Technical
   - errors in design, implementation, placement, or configuration
2. Process
   - errors in operation
3. Organizational
   - errors in management, decision, planning or from ignorance

Emergent
- interactions between, or changes in, environments