Ch15 - 15.01 - Intro to Risk Analysis Flashcards Preview


Flashcards in Ch15 - 15.01 - Intro to Risk Analysis Deck (22)
1
Q

Asset

A

A resource that your organization needs to function

2
Q

Vulnerability

A

A weakness in the configuration of hardware or software

3
Q

Threat

A

An event that can cause harm to the asset

4
Q

Threat Vector

A

A tool, or mechanism, the hacker uses to exploit a weakness on a system

5
Q

Threat Actor

A

The person (hacker) using the threat vector to compromise the system

6
Q

Threat Target

A

The system or device being attacked

7
Q

Risk

A

When the threat to an asset can cause harm to the organization—typically resulting in a financial loss

8
Q

Risk analysis

A

The identification and planning of mitigation techniques to reduce and manage the risks to your organization

9
Q

Risk Analysis Process

A
  1. Identify Assets (Asset Identification)
  2. Identify Threats to Each Asset (Threat Assessment)
  3. Analyze Impact (Impact Analysis)
  4. Prioritize Threats
  5. Identify Mitigation Techniques
  6. Evaluate Residual Risks

10
Q

Risk Analysis Process - 1. Identify Assets

A

The first phase of performing a risk analysis, also known as a risk assessment, is to identify the assets within the organization and the value of those assets. This phase is also known as asset identification. For example, if a company earns revenue by selling products online, the web server hosting the e-commerce web site would be considered an asset to the company.

11
Q

Risk Analysis Process - 2. Identify Threats to Each Asset (Threat Assessment)

A

Once you have identified the assets in the organization, you then turn your focus to threat assessment, which involves identifying the threats to each of the assets identified in the first phase. Continuing the example of a company e-commerce web site, it has a number of potential threats; for example, the system could be hacked via a buffer-overflow exploit or an SQL injection attack. The web server could also experience a hard drive failure, which could cause the system to be down for a long time, resulting in lost revenue.

12
Q

Types of Threats

A
  1. Environmental Threats (Floods, Earthquakes, …)
  2. Manmade Threats (Worm, Virus, Theft, …)
  3. Internal and External Threats (Disgruntled Employees, …)
  4. Weaknesses, or Vulnerabilities, Exist in the Assets of the Organization
    4a. No system hardening
    4b. No physical security
    4c. No security controls on data
    4d. No administrative controls

13
Q

Risk Analysis Process - 3. Analyze Impact (Impact Analysis)

A

The next phase in risk analysis is the impact analysis. The goal of impact analysis is to identify what the result of the threat occurring would be on the business. For example, if the company’s e-commerce web site has a denial of service attack performed against it, then the impact is that the server could be down for days, resulting in lost revenue.

14
Q

Tangible vs. Intangible Impacts

A

Tangible Impacts
A tangible impact involves a visible loss to the company.
E.g.:
1. Loss of revenue or business opportunity
2. Loss of money due to cost to fix
3. Loss of production
4. Employee safety

Intangible Impacts
The impact of all threats is not always so visible, and sometimes the effect of the threat occurring is not seen for some time after the threat occurs. These types of impacts are known as intangible impacts.
E.g.:
1. Company reputation
2. Failure to follow regulations
3. Loss of customers' confidence

15
Q

Risk Analysis Process - 4. Prioritize Threats

Qualitative vs. Quantitative Analysis

A

Once you have identified all of the threats that could occur against each asset, you must prioritize the threats based on their impact and probability of occurring (also known as the likelihood of occurrence) so that you can deal with the more serious threats first.

16
Q

Risk Analysis Process - 5. Identify Mitigation Techniques

A

Once you have identified the threats and prioritized them, you know which threat solutions to focus on, or at least how to reduce the risk of the threat occurring. This is known as mitigating the threat. Mitigating the threat typically involves spending money on a solution that implements a security control to protect the asset from the risk. You can implement fault-tolerant technologies, firewalls, encryption, or access control systems, to name a few.

17
Q

Risk Analysis Process - 6. Evaluate Residual Risks

A

Once you have implemented solutions to mitigate the threats, reevaluate the asset and identify any threats that may still exist. The remaining threats are known as residual risk. It is critical to express this residual risk to management so that they can decide if they are willing to accept that residual risk, or need to implement additional security solutions.

18
Q

Interoperability agreements

A

Ensure that you have defined operation agreements with the cloud provider or third-party company.

19
Q

Service Level Agreement (SLA)

A

Agreements such as a service level agreement (SLA) specify guaranteed uptime.

20
Q

Blanket Purchase Agreement (BPA)

A

Check to see if a blanket purchase agreement (BPA) is needed, which is used to cover repetitive needs for a product or service.

21
Q

Memorandum of Understanding (MOU), sometimes referred to as Memorandum of Agreement (MOA)

A

Ensure that a memorandum of understanding (MOU), sometimes referred to as a memorandum of agreement (MOA), exists. An MOU/MOA is a document that establishes an agreement between the two parties and specifies their relationship to one another.

22
Q

Internet Service Agreement (ISA)

A

Ensure that you are familiar with your Internet service agreement (ISA) and that you are comfortable with any data limits and the guaranteed uptime of the Internet connection. This is critical if you are taking advantage of cloud services, as you need Internet connectivity to access any services or data in the cloud.
