Section 4: Security of Networks, Systems, Application and Data Flashcards Preview


Flashcards in Section 4: Security of Networks, Systems, Application and Data Deck (17):
1

Risk is the possibility of loss of a digital (a) ___ resulting from a (b) ___ exploiting a (c) ___.

a. asset
b. threat
c. vulnerability

2

The process of analyzing the risk attributes (i.e. asset, threat, vulnerability) to determine an organization's particular risk.

Cyberrisk assessment

3

What are the three most common inputs of a cyberrisk assessment?

1. Asset identification
2. Threat assessment
3. Vulnerability assessment

4

Select all that apply. Information used to estimate impact and likelihood usually comes from:

a. Past experience or data and records
b. Reliable practices, international standards or guidelines
c. Market research and analysis
d. Experiments and prototypes
e. Recent management analysis
f. Economic, engineering or other models
g. Specialist and expert advice
h. Industry reports

1. Past experience or data and records
2. Reliable practices, international standards or guidelines
3. Market research and analysis
4. Experiments and prototypes
5. Economic, engineering or other models
6. Specialist and expert advice

5

What are the three types of risk assessment orientations?

1. Asset orientation
- Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.

2. Threat orientation
- Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.

3. Vulnerability orientation
- Vulnerabilities and deficiencies are identified first, then the exposed assets, and then the threat events that could be taken advantage of are determined.

6

What are the types of risk response strategy?

1. Risk reduction
2. Risk avoidance
3. Risk transfer or sharing
4. Risk acceptance

7

Type of risk response strategy in which controls or countermeasures are implemented to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance

Risk reduction

8

Type of risk response strategy through non-participation in an activity or business

Risk avoidance

9

An example of this risk response strategy is the purchase of insurance or the use of a third party's services

Risk transfer or sharing

10

Type of risk response strategy where the organization assumes the risk and absorbs the loss

Risk acceptance

11

True or False: The results of risk assessments need to be evaluated in terms of the organization's mission, risk tolerance, budgets and other resources, and cost of asset allocation.

False: The results of risk assessments need to be evaluated in terms of the organization's mission, risk tolerance, budgets and other resources, and cost of MITIGATION.

12

True or False: Risk assessment results can be used to communicate the risk decisions and expectations of management throughout the organization through policies and procedures.

True

13

Two most common techniques of identifying vulnerabilities:

1. Vulnerability scanning
2. Penetration testing

14

The process of using proprietary or open source tools to search for known vulnerabilities

Vulnerability scanning (the scanner compares what it finds, e.g. product names and version numbers, against a database of known-vulnerable versions)
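The core of a vulnerability scanner is a version-range match: collect a software inventory, then compare each product/version pair against a list of known-vulnerable ranges. The following is an added illustration, not code from the CSX deck or from any real scanner; the product names, versions, hosts and advisories are constructed for the example and do not describe real vulnerabilities.

```python
"""Added example: a minimal version-matching vulnerability scanner.

Products, versions, hosts and advisories here are constructed for
illustration only; they are not real software or real vulnerabilities.
"""
from __future__ import annotations

from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Advisory:
    product: str
    introduced: str        # first affected version (inclusive)
    fixed: str | None      # first fixed version (exclusive); None = no fix yet
    note: str


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49).  A trailing non-numeric suffix such as the
    'k' in '1.0.2k' is ignored so the comparison stays numeric."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def version_lt(a: str, b: str) -> bool:
    """Component-wise numeric comparison with zero padding, so that
    '2.4' and '2.4.0' compare equal rather than by tuple length."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed), or at or above
    introduced when no fixed version exists."""
    if version_lt(version, adv.introduced):
        return False
    return adv.fixed is None or version_lt(version, adv.fixed)


def scan(inventory, advisories):
    """Match every (host, product, version) against every advisory and
    return findings as (host, product, version, note) tuples, in
    inventory order."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append((host, product, version, adv.note))
    return findings


# Constructed inventory, as a credentialed scan or an agent might report it.
INVENTORY = [
    ("web-01", "acme-httpd", "2.4.49"),
    ("web-02", "acme-httpd", "2.4.51"),
    ("db-01", "acme-db", "13.2"),
    ("db-02", "acme-db", "12.9.1"),
    ("app-01", "acme-tls", "1.0.2k"),
]

# Constructed advisory database (hypothetical products and issues).
ADVISORIES = [
    Advisory("acme-httpd", "2.4.49", "2.4.51", "path traversal (hypothetical)"),
    Advisory("acme-db", "12.0", "12.10", "authentication bypass (hypothetical)"),
    Advisory("acme-tls", "1.0.0", None, "unsupported branch, no fix (hypothetical)"),
]

if __name__ == "__main__":
    for host, product, version, note in scan(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {version} -> {note}")
```

Two practitioner caveats follow directly from this structure: a version-based scanner reports a finding whenever the version string falls in the affected range, so a distribution that backports the fix without bumping the version number shows up as a false positive, and anything that hides or alters its version banner is missed. That is why the deck pairs vulnerability scanning with penetration testing, which confirms whether a reported weakness is actually exploitable.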

15

An exploitable weakness that can result in a loss

Vulnerability

16

The method used to take advantage of a vulnerability

Exploit

17

What are the common types of vulnerabilities?

1. Technical
- errors in design, implementation, placement, or configuration

2. Process
- errors in operation

3. Organizational
- errors in management, decision, planning or from ignorance

4. Emergent
- interactions between, or changes in, environments