Chapter 1 - Measuring & Weighing Risk Flashcards Preview


Flashcards in Chapter 1 - Measuring & Weighing Risk Deck (31)
1
Q

What is a vulnerability?

1-3

A

a weakness that could be exploited by a threat

2
Q

Give the formula for “impact” and explain the terms in the formula.

1-5

A

SLE x ARO = ALE
(AV x EF) x ARO = ALE

SLE - single loss expectancy, determined by multiplying the asset value by the exposure factor
ARO - annualized rate of occurrence
ALE - annual loss expectancy
EF - exposure factor

3
Q

True or False

SLE, ALE, and ARO are all quantitative.

1-7

A

True. All number-based.

4
Q

What is a threat vector?

1-8

A

a tool or path an attacker uses to pose a threat

5
Q

What is MTBF?

1-8

A

Mean Time Between Failures. Basically it tells you the lifespan of the device.

6
Q

What is MTTF?

1-8

A

Mean Time To Failure. Tells you average time to failure for a nonrepairable system.

7
Q

What is MTTR?

1-8

A

Mean Time To Restore. Tells you how long it will take to repair a system.

8
Q

What is RTO?

1-9

A

Recovery Time Objective. This tells you how much time you’re allotted to use for restoring the system.

9
Q

What is RPO?

1-9

A

Recovery Point Objective. This is the point in time at which the system was last operational and therefore what you need to restore it to.

10
Q

Contrast Risk Avoidance, Transference, Mitigation, Deterrence, and Acceptance.

1-9,10

A

Avoidance-stop doing the stuff that causes the risk.
Transference-share the risk
Mitigation-lower the risk
Deterrence-tell the risk creator “if you do this to me, I’ll do this to you.”
Acceptance-live with the risk and don’t do anything about it because it’s the cheaper alternative.

11
Q

Explain PaaS, SaaS, IaaS.

Tell me 2 risks associated with virtualization.

1-17,18,19

A

platform as a service
software as a service
infrastructure as a service

breaking out of the virtual machine
network and security controls can intermingle

12
Q

What is Hypervisor?

1-19

A

the software that allows virtual machines to exist

13
Q

What is the Scope Statement?

What is the Accountability Statement?

1-19

A

outlines what the policy intends to accomplish

who is responsible for ensuring that a problem gets dealt with

14
Q

5 Key Aspects of Standards Documents

1-21,22

A

Scope and Purpose
Roles and Responsibilities
Reference Documents
Performance Criteria
Maintenance and Administrative Requirements

15
Q

How are guidelines different from standards?

1-22

A

Guidelines tell you HOW to enforce standards.

16
Q

Tell me the 3 ways guidelines help an organization.

1-22

A

provide memory refreshment on how processes and routines are carried out
reduce the learning curve
help in a crisis or high-stress situation

17
Q

What is “separation of duties” for?

1-23

A

to reduce the risk of fraud

18
Q

What is collusion?

What is Pod slurping?

Least Privilege equals what?

1-23,26

A

agreement established for purposes of deception

using a portable device to bypass security to get a copy of data

minimum permissions

19
Q

What’s one of the best ways to address business continuity?

1-28

A

do a BIA and implement best practices

20
Q

What is BIA?

1-29

A

Business Impact Analysis is the process of evaluating all of the critical systems in the organization to define impact and recovery plans

21
Q

A thorough BIA will accomplish what 3 things?

1-29

A

the true impact and damage that an outage can cause will be visible

understanding the true loss potential may help you in a fight for budget

process will document which business processes are being used, the impact they have, and how to restore them quickly

22
Q

What’s the best way to remove a Single Point of Failure?

1-30

A

add redundancy

23
Q

What is High Availability?

What is Redundancy?

What is clustering?

1-32

A

measures used to keep services and systems operational during an outage

systems that fail over to other systems

multiple systems connected together cooperatively (provides load balancing)

24
Q

Fault Tolerance = ?

1-33

A

the ability of a system to sustain operations in the event of a component failure

25
Q

What are the 4 types of RAID?

1-34

A

0 - disk striping
1 - disk mirroring
3 - disk striping with parity disk
5 - disk striping with parity

26
Q

Disaster Recovery = ?

1-36

A

the ability to recover systems after a disaster

27
Q

What is a backup?

1-36

A

duplicate copy of key information

28
Q

Give 3 examples of key paper records that should be archived.

1-37

A

Board Resolutions
Critical Contracts
Tax Records

29
Q

Give 4 examples of critical files that should be backed up.

1-38

A

Audit files
Database files
Transaction files
User files

30
Q

Tabletop Exercise = ?

1-39

A

individuals sitting at a table discussing how to deal with situations that could arise

31
Q

A good policy design includes what 4 things?

1-39

A

scope statements
overview statements
accountability expectations
exceptions