4.0 - Vulnerability Assessment and Risk Management

Question 1

What three elements need to exist in order for there to be risk?

Answer 1

An asset, a vulnerability, and a threat

Question 2

What is risk?

Answer 2

Potential loss of CIA

Question 3

What do tools like Nessus or Open VAS do?

Answer 3

They’re vulnerability scanners

Question 4

CVSS stands for…

Answer 4

Common Vulnerability Scoring System

Question 5

In CVSS, a higher number means ____.

Answer 5

riskier

Question 6

Define “true positive.”

Answer 6

A vulnerability exists and was detected.

Question 7

Define “true negative.”

Answer 7

No vulnerability exists and none were detected.

Question 8

Define “false positive.”

Answer 8

No vulnerability exists yet one was mistakenly detected.

Question 9

Define “false negative.”

Answer 9

A vulnerability exists but was not detected.

Question 10

Qualitative risk analysis matches _____ to ______.

Answer 10

Likelihood to impact

Question 11

What is SLE?

Answer 11

Single Loss Expectancy - the financial cost of a risk being realized

P. 230

Question 12

What is ARO?

Answer 12

Annualized Rate of Occurrence - how many losses are expected this year

Question 13

What is ALE?

Answer 13

Annualized Loss Expectancy - financial impact over a year

Question 14

What is the basic quantitative analysis equation?

Answer 14

SLE x ARO = ALE

Question 15

What are the three data states?

Answer 15

Data at rest, data in motion, data in use

Question 16

What are the four risk management strategies?

Answer 16

Mitigation, Avoidance, Transference, Acceptance

Question 17

What are the four controls in risk mitigation?

Answer 17

Preventive, detective, corrective, deterrent

Question 18

What are the three categories of threat intelligence?

Answer 18

Tactical, Operational, and Strategic Intelligence

Question 19

Name two vulnerability databases.

Answer 19

Common Vulnerabilities and Exposures (CVE)
National Vulnerability Database (NVD)

Question 20

What are the four CVSS exploitability metrics?

Answer 20

Attack Vector
Attack Complexity
Privileges Required
User Interaction

Question 21

What are the three CVSS impact metrics?

Answer 21

Data disclosure (Confidentiality)
Data alteration (Integrity)
Downtime or data loss (Availability)

Question 22

What is SCAP?

Answer 22

Security Content Automation Protocol, a vulnerability assessment tool.

Question 23

What is STIX?

Answer 23

Structured Threat Information Expression - threat intelligence expressed in JSON format

Question 24

What is TAXII?

Answer 24

Trusted Automated eXchange of Intelligence Information - the HTTPS-based method for transferring STIX information.

Question 25

What is an ISAC?

Answer 25

Information Sharing and Analysis Center, industry-specific groups which share threat information

Question 26

What are three categories of disaster recovery controls?

Answer 26

Detective, preventive, and corrective

Question 27

What is the 3-2-1 rule?

Answer 27

Three copies of data, on two types of media, one stored off-site

Question 28

What are the three phases of business impact analysis?

Answer 28

1) Identify critical business processes and the resources they rely on 2) Determine impact and maximum acceptable disruption for each critical resource 3) Proritize the recovery order

Question 29

What is the recovery time objective (RTO)?

Answer 29

The maximum time that business can be disrupted

Question 30

What is the recovery point objective (RPO)?

Answer 30

The amount of data loss that can be acceptable to the business

Question 31

DRP stands for...

Answer 31

Disaster Recovery Plan

Question 32

BCP stands for...

Answer 32

Business Continuity Plan

Question 33

BIA stands for...

Answer 33

Business Impact Analysis

Question 34

What are the three phases of BCP?

Answer 34

1) perform BIA 2) develop BCP 3) test and maintain BCP

Question 35

What is a checklist exercise?

Answer 35

Where stakeholders go through the BCP and look for any glaring omissions.

Question 36

What is a tabletop exercise?

Answer 36

Team members are presented with a fictional scenario and talk through how they would handle it.

Question 37

What is a partial simulation?

Answer 37

A fictional scenario involving a subset of an org's systems and personnel

Question 38

What is a full simulation?

Answer 38

Testing the BCP with all systems and personnel.