Chapter 2: Personnel Security and Risk Management Concepts

Question 1

UBA/UEBA

Answer 1

User Behavior Analytics/User and Entity Behavior Analytics
Analyzing the behavior of users, subjects, visitors, customers, etc for some specific goal or purpose

Question 2

SLA

Answer 2

Service Level Agreement
Ensures that organizations providing services maintain an appropriate level of service agreed upon by both service provider and customer

Question 3

VMS

Answer 3

Vendor Management System

Question 4

Risk Management

Answer 4

Process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk

Question 5

What is the primary goal of risk management?

Answer 5

To reduce risk to an acceptable level

Question 6

Asset

Answer 6

Anything (person, place, or thing) used in a business process or task whether tangible or intangible

Question 7

Asset Valuation

Answer 7

Value assigned to asset based on multiple factors such as importance to organization, use in critical process, actual cost, etc

Question 8

Threats

Answer 8

Any potential occurrence that may cause undesirable/unwanted outcome for an organization or specific asset. Could cause damage, destruction, alteration, loss, disclosure

Question 9

Threat Events

Answer 9

Accidental occurrences and intentional exploitations of vulnerabilities. Can be natural or man-made

Question 10

Exposure

Answer 10

Being susceptible to asset loss because of a threat. The possibility that a vulnerability can or will be exploited by a threat agent or event

Question 11

Risk

Answer 11

Possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result

Question 12

How is risk calculated?

Answer 12

Risk = Threat x Vulnerability
or
Risk = Probability of Harm x Severity of Harm

Question 13

What is a primary goal of risk analysis?

Answer 13

To ensure that only cost-effective safeguards are deployed

Question 14

Hybrid Assessment/Analysis

Answer 14

Combines quantitative and qualitative analysis into a final assessment of organizational risk

Question 15

Delphi Technique

Answer 15

An anonymous feedback-and-response process used to arrive at a consensus. This consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Question 16

Quantitative Risk

Answer 16

Focuses on hard values and percentages
Complete quantitative analysis is not always possible because of intangible aspects of risk

Question 17

EF

Answer 17

Exposure Factor
Represents the percentage of loss that an org would experience if a specific asset were violated by a realized risk. Also called loss potential.

Question 18

SLE

Answer 18

Single Loss Expectancy
Potential loss associated w/ a single realized threat against an asset. Indicates potential amount of loss org would/could experience if an asset was harmed by a specific threat.

Question 19

How is SLE calculated?

Answer 19

SLE = AV x EF
AV= Asset Value
EF= Exposure Factor

Question 20

ARO

Answer 20

Annualized Rate of Occurrence
Expected frequency with which specific threat or risk will occur

Question 21

ALE

Answer 21

Annualized Loss Expectancy
Possible yearly loss of all instances of a specific realized threat against a specific asset

Question 22

How is ALE calculated?

Answer 22

ALE = SLE x ARO
SLE = Single Loss Expectancy
ARO = Annual Rate of Occurrence

Question 23

Risk appetite

Answer 23

Total amount of risk that an org is willing to shoulder across all assets

Question 24

Risk capacity

Answer 24

Level of risk an org is ABLE to shoulder

Question 25

Risk limit

Answer 25

Max level of risk above the risk target that will be tolerated before further risk management actions are taken

Question 26

Risk mitigation

Answer 26

Risk reduction via security controls, countermeasures, etc

Question 27

Risk assignment

Answer 27

Transferring risk to another entity or org. Purchasing insurance, outsourcing, etc

Question 28

Risk deterrence

Answer 28

Goal is to convince threat agent not to attack. Auditing, security cameras, warning banners, etc

Question 29

Risk avoidance

Answer 29

Process of selecting alternate options or activities that have less risk

Question 30

Risk acceptance

Answer 30

Result of cost/benefit analysis showing countermeasure costs would outweigh possible cost of loss due to a risk

Question 31

Risk rejection

Answer 31

Ignoring the risk. Unacceptable response.

Question 32

Residual Risk

Answer 32

risk that remains after safeguards, security controls, etc are implemented

Question 33

Total Risk

Answer 33

amount of risk an org would face if no safeguards implemented

Question 34

How is total risk calculated?

Answer 34

Threats x Vulnerabilities x Asset Value = Total Risk

Question 35

How is residual risk calculated?

Answer 35

Total Risk - Controls Gap = Residual Risk

Question 36

Controls Gap

Answer 36

Amount of risk reduced by implementing safeguards

Question 37

ACS

Answer 37

Annual Cost of Safeguard
Should be less than ALE otherwise not cost effective

Question 38

Cost/Benefit Analysis

Answer 38

Determining whether a safeguard actually improves security without costing too much

Question 39

What is the formula for safeguard evaluation?

Answer 39

(ALE1 - ALE2) - ACS
ALE1 = ALE Before Safeguard
ALE2 = ALE After Implementing Safeguard
ACS = Annual Cost of Safeguard

Question 40

Directive Control

Answer 40

Deployed to direct the actions of subjects to force or encourage compliance with security policies

Question 41

SCA

Answer 41

Security Controls Assessment
Formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation

Question 42

ERM

Answer 42

Enterprise Risk Management program

Question 43

RMM

Answer 43

Risk Maturity Model
Means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process

Question 44

What are the RMM levels?

Answer 44

Ad Hoc
Preliminary
Defined
Integrated
Optimized

Question 45

RMM- Ad Hoc

Answer 45

Chaotic starting point

Question 46

RMM- Preliminary

Answer 46

Loose attempts made to follow risk management process

Question 47

RMM- Defined

Answer 47

common or standardized risk framework is adopted organization-wide

Question 48

RMM- Integrated

Answer 48

Risk management operations integrated into business processes, metrics used to gather effectiveness data, risk is considered an element in business strategy decisions

Question 49

RMM- Optimized

Answer 49

Focuses on achieving objectives rather than just reacting to external threats. Increased strategic planning geared towards business success rather than just avoiding incidents. Lessons learned reintegrated into risk management process

Question 50

What are the differences between NIST RMF and CSF?

Answer 50

Both are US Gov guides for establishing and maintaining security
CSF is for critical infrastructure and commercial organizations
RMF establishes mandatory requirements for Federal agencies

Question 51

ISO 31000

Answer 51

Risk Management Guidelines
High level overview of risk management

Question 52

Authority

Answer 52

Social engineering principle; convince target the attacker is someone with valid internal or external authority

Question 53

Intimidation

Answer 53

Social engineering principle; focused on exploiting uncertainty

Question 54

Consensus

Answer 54

Social engineering principle; aka social proof. Taking advantage of a person’s natural tendency to mimic what others are doing or have done in the past

Question 55

Scarcity

Answer 55

Social engineering principle; convince someone an object has a higher value based on only a few being left or made

Question 56

Familiarity

Answer 56

Social engineering principle; impersonating a known entity

Question 57

Trust

Answer 57

Social engineering principle; attacker builds relationship with victim then exploits that relationship

Question 58

Urgency

Answer 58

Social engineering principle; claims the need to act quickly

Question 59

Pretext

Answer 59

False statement crafted to sound believable in order to convince you to act or respond in favor of the attacker

Question 60

Prepending

Answer 60

Adding a term, expression, or phrase to the beginning or header of some other communication. Using header modification to fool filters, or adding RE or INTERNAL to an email to make it look legit

Question 61

Drive-By Download

Answer 61

Type of malware that installs itself without user knowledge when they visit a website. Takes advantage of vulnerabilities in browsers or plug ins

Question 62

BEC

Answer 62

Business Email Compromise
Focused on convincing members of accounting or financial department to transfer funds or pay invoices based on instructions that claim to be from a boss, manager, or executive
AKA CEO Fraud or CEO Spoofing

Question 63

Security Champion

Answer 63

Often a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group’s work activities.
Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors.