Security and Risk Management 16% Flashcards
What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
Syb
D. The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement proposed countermeasure(s).
An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
Syb
A. Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.
Security controls must acknowledge one or more of these three principles:
Cyb
Confidentiality, Integrity, Availability:
More info:
Confidentiality: The guarding of sensitive information through rigorous measures to prevent exposure or sharing of the information with unauthorized persons. Once the information is intentionally or unintentionally released, confidentiality is lost. Breaches of confidentiality include stealing files, shoulder surfing, or screen recording.
Integrity: The practice of maintaining data consistency and ensuring the information hasn’t been altered or compromised in any way. This process is applied to data in active use, data that is stored and data that’s transferred.
Availability: Allowance of data being accessed at any time by authorized persons.
Disasters of natural origin refer to:
Cyb
storms, fires, tornadoes, earthquakes or any events that occur in the environment.
More Info:
This also pertains to incidents that cause damage to a business and its internal environment, for example an electrical malfunction that results in a fire, water damage from clogged sewage pipes, or power outages. Another form of risk is equipment failure caused by an internet virus or by hackers who target the system. Situations like these can be catastrophic to a business if internal data is compromised or lost, and the resulting disruption of service impedes or, in severe cases, shuts down the organization’s day-to-day processes. Internal risks are threats that exist within the organization’s personnel, arising from the detrimental actions or behavior of an employee. Internal data that is considered highly sensitive is a prime target for theft: an employee can steal and then replicate that data for monetary gain, or illegally download software or programs. These incidents create legal liability issues for the business, such as lawsuits and loss of profit.
Risk management is composed of what three key concepts:
CYB
Threat, Vulnerability, and Controls
More info:
…threat, either natural or man-made, that could cause damage to an organization; vulnerability, the existing weaknesses from flawed policies or loopholes that could be taken advantage of by a malicious entity; and controls, which are methods to improve defense against known threats, prevent disaster, and correct system weaknesses to reduce vulnerabilities.
Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to protect against it?
A. Man-in-the-middle, VPN
B. Packet injection, encryption
C. Sniffing, encryption
D. Sniffing, TEMPEST
C. Sniffing, encryption
Encryption is often used to protect traffic like bank transactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldn’t be used to stop attacks at any normal bank.
Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security
CBK
B. Threat coupled with a vulnerability
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
Qualitative risk assessment is earmarked by which of the following?
A. Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk
C. Detailed metrics used for calculation of risk and ease of implementation
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk
CBK
A. Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process.
Qualitative risk assessments are a form of risk assessment that uses stratified levels of risk such as “high, moderate, and low.” This simplified approach allows those less familiar with risk assessments to perform them, and the results, while not as specific as those of quantitative assessments, are still meaningful.
When determining the value of an intangible asset, which is the BEST approach?
A. Determine the physical storage costs and multiply by the expected life of the company
B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned
C. Review the depreciation of the intangible asset over the past three years.
D. Use the historical acquisition or development cost of the intangible asset
CBK
B. With the assistance of a finance or accounting professional, determine how much profit the asset has returned.
Intangible asset value is challenging to determine. While there are several ways to determine the value of an intangible asset, the best approach involves seeking assistance from finance or accounting professionals to determine the impact of the asset to the organization.
Single loss expectancy (SLE) is calculated by using:
A. Asset value and annualized rate of occurrence (ARO)
B. Asset value, local annual frequency estimate (LAFE), and standard annual frequency estimate (SAFE)
C. Asset value and exposure factor
D. Local annual frequency estimate and annualized rate of occurrence
CBK
C. Asset value and exposure factor
The formula for calculating SLE is SLE = asset value (in $) × exposure factor (loss in successful threat exploit, as %).
Considerations for which type of risk assessment to perform include all of the following:
A. Culture of the organization, likelihood of exposure and budget
B. Budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources
D. Culture of the organization, budget, capabilities and resources
It is expected that an organization will make a selection of the risk assessment methodology, tools, and resources (including people) that best fit its culture, personnel capabilities, budget, and timeline.
Security awareness training includes:
A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution
B. Security roles and responsibilities for staff
Security awareness training is a method by which organizations can inform employees about their roles, and expectations surrounding their roles, in the observance of information security requirements. Additionally, training provides guidance surrounding the performance of particular security or risk management functions, as well as providing information surrounding the security and risk management functions in general.
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
A. Due diligence
B. Risk mitigation
C. Asset protection
D. Due care
D. Due care
Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks. So due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.
Effective security management:
a. Achieves security at the lowest cost
b. Reduces risk to an acceptable level
c. Prioritizes security for new products
d. Installs patches in a timely manner
b. Reduces risk to an acceptable level
There will always be residual risk accepted by an organization, and effective security management will minimize this risk to a level that fits within the organization’s risk tolerance or risk profile.
Availability makes information accessible by protecting from:
a. Denial of service, fires, floods, hurricanes, and unauthorized transactions
b. Fires, floods, hurricanes, unauthorized transactions, and unreadable backup tapes
c. Unauthorized transactions, fires, floods, hurricanes, and unreadable backup tapes
d. Denial of service, fires, floods, hurricanes, and unreadable backup tapes
d. Denial of service, fires, floods, hurricanes, and unreadable backup tapes
Availability is the principle that information is available and accessible by users when needed. The two primary areas affecting the availability of systems are (1) denial of service attacks and (2) loss of service due to a disaster, which could be man-made or natural.
Which phrase best defines a business continuity/disaster recovery plan?
a. A set of plans for preventing a disaster.
b. An approved set of preparations and sufficient procedures for responding to a disaster.
c. A set of preparations and procedures for responding to a disaster without management approval.
d. The adequate preparations and procedures for the continuation of all organization functions.
d. The adequate preparations and procedures for the continuation of all organization functions.
Business continuity planning (BCP) and Disaster recovery planning (DRP) address the preparation, processes, and practices required to ensure the preservation of the business in the face of major disruptions to normal business operations.
Which of the following steps should be performed first in a business impact analysis (BIA)?
a. Identify all business units within an organization
b. Evaluate the impact of disruptive events
c. Estimate the Recovery Time Objectives (RTO)
d. Evaluate the criticality of business functions
a. Identify all business units within an organization
The four cyclical steps in the BIA process are:
1. Gathering information;
2. Performing a vulnerability assessment;
3. Analyzing the information; and
4. Documenting the results and presenting the recommendations.
The initial step of the BIA is identifying which business units are critical to continuing an acceptable level of operations.