Risk Management Flashcards

1
Q

What is the primary reason most companies haven’t fixed their vulnerabilities?

A

Look for people to realize that companies don’t actually care as much about security as they claim to—otherwise we’d have a very good remediation percentage. Instead, we have a ton of unfixed things and more tests being performed. A variation of this is something like:

2
Q

What’s the goal of information security within an organization?

A

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed.”

This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—a realization that security is there for the company and not the other way around.

3
Q

What’s the difference between a threat, a vulnerability, and a risk?

A

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional. Ask as many of these as you’d like, but keep in mind that there are a few different schools on this. Just look for solid answers that are self-consistent.

4
Q

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? Imagine you start on day one with no knowledge of the environment.

A

We don’t need a list here; we’re looking for the basics. Where is the important data? Who interacts with it? Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What’s being logged and audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

5
Q

As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?

A

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.

Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.
