Risk Assessment

Question 1

What is Risk Assessment

Answer 1

Process used inside of risk management to identify how much risk exists in a given network or system.

Question 2

What is Risk

Answer 2

The probability that a threat will be realized

Question 3

What is a vulnerability

Answer 3

A controllable aspect of a system involving a weakness in the design or implementation in a system

Question 4

What are threats?

Answer 4

Any condition that could cause harm, loss, damage, or compromise IT systems.

External and out of control:

Hackers, Natural disasters, War

Question 5

Where does risk live?

Answer 5

Risk exists where threats overlap vulnerability. If there are no threats, but there is vulnerability, there is no risk
If there are threats and vulnerabilities, then there is risk.

Question 6

What can be done about threats once identified

Answer 6

Risk Management is used to minimize the likelihood of a negative outcome from occurring.

Question 7

In what ways can risk be handled

Answer 7

Risk Avoidance
Risk Transfer
Risk Mitigation
Risk Acceptance

Question 8

Explain risk avoidance and transfer

Answer 8

Avoidance is a strategy that requires the stopping of an activity that has risk, or choosing a less risky alternative.
I.E moving a Windows XP machine offline, or upgrading it to Win10

Risk Transfer is transferring the risk to a third party
I.E. Insurance

Question 9

Explain Risk Mitigation and Risk Accecptance

Answer 9

Risk mitigation - Strategy to seek and minimize the risk to an acceptable level

Risk Acceptance - Accept current level of risk and the costs associated with it, if the risk were to be realized
- Choosing not to extend laptop warranty

Question 10

What is residual risk?

Answer 10

Risk remaining after trying to avoid transfer, or mitigate risk.

Question 11

What are the four steps to reduce risk

Answer 11

1. Identify Assets
2. Identify Vulnerabilities
3. Identify Threats
4. Identify impact

Question 12

Describe Qualitative Analysis

Answer 12

It uses intuition, experience, and other methods to assign a relative value to risk.

Based on perceived risk this falls into the red tile D4

Relative categories of risk or comparison to risk = Qualitative

Question 13

True or False: Experience is critical to Qualitative Analysis

Answer 13

True

Question 14

Describe quantitative analysis and its components

Answer 14

Uses numerical and monitoring values to calculate risk

Value of Asset
Threat Frequency
Severity of vulnerability
Impact of realized threat (money)

Question 15

What is Magnitude of impact

Answer 15

Used with both quantitative and qualitative analysis to estimate of the amount of damage that a negative risk may achieve

Question 16

What is SLE, ARO, and ALE

Answer 16

Single Loss Expectancy - Cost associated with the realization of each individualized threat that occurs

Annualized Rate of Occurrence - The number of times a year that something happens.

Annualized Loss Expectancy - Expected annual cost of threats being realized.

Question 17

What is the EF in the SLE and ALE equations

Answer 17

EF is the Exposure factor - Amount of an asset that will be lost if a threat is realized.

Question 18

How is SLE caluclated

Answer 18

SLE = AV (asset Value) X EF

Question 19

How is ALE calculated?

Answer 19

ALE = SLE x ARO

SLE = 4000 ARO = .5 ( once every two years)

ALE = 2000

Question 20

True or False: There is such thing as a hybrid approach to Risk Assessments

Answer 20

True: Qualitative and Quantitative analysis can be combined for a hybrid approach.

Question 21

What is a Security Assessment?

Answer 21

They verify the organizations security posture is designed and configured properly to help thwart different types of attacks.

Question 22

What is a vulnerability scan

Answer 22

A scan that occurs from within a network that seeks vulnerabilities, can use a credentialed account for an inside to out scan.

Question 23

Why might assessments be required

Answer 23

Legal, Regulatory, or contractual compliance may depend on routine assessments

Question 24

What types of assessments are there

Answer 24

Passive and active

Question 25

Describe an active scan

Answer 25

They utilize more intrusive techniques like scanning, hands on testing, and probing of the network to identify vulnerabilities.

Question 26

Describe a passive scan

Answer 26

utilize open source information, passive collection and analysis of network data and other unobtrusive methods WITHOUT MAKING DIRECT CONTACT WITH TARGETED SYSTEMS

THESE SCANS ARE LIMITED TO THE EXTENT AND DETAIL OF WHAT INFO THAT CAN BE GATHERED.

Question 27

What are security controls, and what are the three main categories

Answer 27

Methods implemented to mitigate a particular risk.

Physical
Technical
Administrative

Question 28

Describe physical controls

Answer 28

Any security measure that are designed to deter or prevent unauthorized access to sensitive information or systems.

Fences, locked doors ,and alarms

Question 29

Describe Technical Controls

Answer 29

Safeguards or countermeasures used to avoid, detect, counteract, or minimize risk to our systems and info

ACLs, Firewall, Password Policy, MFA

Question 30

Describe Administrative Controls

Answer 30

Focused on changing the BEHAVIOR of people instead of REMOVING THE ACTUAL Risk

Question 31

What are the NIST Categories of security Controls.

Answer 31

Management, Operational, and Technical

Question 32

Describe Management Controls

Answer 32

Security Controls that are focuses on decision making and management of risk.

They Control HOW SYSTEM SECURITY WILL BE MANAGED AND REVIEWED

Question 33

Describe Operational Controls

Answer 33

Focused on the THINGS DONE BY PEOPLE. It increases security of the system by increasing the control of systems and people who use it.

Configuration Management, User training, incident handling.

Question 34

Describe Technical Controls

Answer 34

Logical controls that are put in a system to help secure it

AAA, ACL, Encryption.
If performed by PC it is technical

Question 35

Describe Preventative Controls

Answer 35

Put in place before an event occurs and are designed to prevent something from happening.

RADI, UPS,DLP

Question 36

Describe Detective Controls

Answer 36

Used during an event to find out whether something bad is happening.

CCTV, IDS, Audit Logs

Question 37

Describe Corrective Controls

Answer 37

Used after an event occurs

Tape Backups, Incident response, disaster recovery, co-location.

Question 38

True or False: Security Controls can belong to multiple categories

Answer 38

True: Security controls can belong to different categories such as

CCTV > Detective and Physical Stated Password Policy: Administrative and Managerial

Question 39

Describe Compensating Controls

Answer 39

Used whenever you can’t meet the requirement for a normal control.

When the desired control is not available, but a different control can be put in place to meet the control requirement

Question 40

How is residual risk due to employing a compensating control handled

Answer 40

The residual risk is accepted

Question 41

What are the different types of Risk

Answer 41

External
Internal
Legacy Systems
Multiparty
IP Theft
Software Compliance and licensing

Question 42

Describe External Risk

Answer 42

Risk that is produced by a non-human source and are beyond human control

Wild Fires, Hurricanes, Blackouts, Hackers

Question 43

Describe Internal risk

Answer 43

Risk that are formed within the organization that arise during normal operations, and are often forecastable.

Hardware failure after warranty that had been forecasted with MTBF

Question 44

Describe Legacy Systems Risk

Answer 44

An old method, technology, computer, or application which includes an outdated computer system still in use.

ICS+ SCADA - WinXP

Question 45

Describe Multiparty Risk

Answer 45

Risk that refers to the connection of multiple systems or organizations within each bringing their own inherent risk

Question 46

IP Theft Risk

Answer 46

Risk of business assets and property being stolen from an organization in which, economic damage, loss of competitive edge, or a slow down in business growth occurs

Make sure DLP enabled.

Question 47

Software Compliance and Licensing

Answer 47

Risk with company not being aware of what software or components are installed on its network

Installing unmanage software increases vulnerabiliites that increase risk

Licensing can bring risk of companies suing for un-authorized\un-paid use. Software can be crippled once evaluation period ends.