Cybersecurity Threats and Vulnerabilities Quiz
45 Questions

Questions and Answers

Which type of threat involves unauthorized changes to a website?

  • Loss of confidentiality
  • Loss of integrity (correct)
  • Loss of availability
  • Accidental threat

    Internal threats are always uncontrolled and cannot be managed by the organization.

    False (B)

    What are the two main categories of threats based on their origin?

    External and internal

    A threat caused by extreme weather events such as hurricanes is classified as a __________ threat.

    natural

    Match the following types of threats with their definitions:

    • Loss of confidentiality = Someone sees sensitive information
    • Accidental threat = Employee mistakes or user error
    • Intentional threat = Deliberate attempt to compromise data
    • Natural threat = Weather-related risks such as hurricanes

    Which of the following is considered a physical threat to an organization?

    A lightning strike (D)

    Vulnerabilities can exist even when no threats are present.

    True (A)

    Name one source that can help identify vulnerabilities in an organization.

    System logs

    Previous security incidents help justify __________ in an organization.

    controls

    Match the sources with their purposes:

    • System logs = Identify traffic breaches
    • Trouble reports = Document past incidents
    • Incident response teams = Investigate security incidents
    • Audits = Verify compliance with rules

    What type of malware involves disrupting service to users?

    DoS or DDoS (C)

    Incident response teams are typically a hindrance to understanding security incidents.

    False (B)

    What is the main purpose of analyzing trouble reports?

    To identify trends and weaknesses

    Which of the following is NOT considered a hidden cost associated with system/application control implementation?

    Costs for advertising (C)

    A threat is a circumstance that always leads to a loss.

    False (B)

    What are the three common security objectives for information systems?

    Confidentiality, integrity, and availability

    If the costs of implementing a control outweigh the benefits, the risk may be ________.

    accepted

    Match the type of server with its primary function:

    • Mail server = Send and receive email for clients
    • Database server = Host databases accessed by users
    • DNS server = Provide names to IP addresses for clients
    • Web server = Host web applications and services

    Which of the following practices is essential for protecting servers in the System/Application Domain?

    Regularly patch and update server systems (A)

    Knowledge of security issues with specific servers is generally widespread among all technicians.

    False (B)

    Threats, vulnerabilities, and impact are key elements in assessing the ________ of a business asset.

    security

    What is the primary goal of confidentiality in security?

    Preventing unauthorized disclosure of information (B)

    Hashing is used to ensure the confidentiality of data.

    False (B)

    What is a vulnerability in the context of security?

    A weakness that can be exploited by an attacker.

    The value of losses can sometimes be described in terms of high, medium, or _____ when monetary terms are not applicable.

    low

    Which of the following techniques is commonly used to protect availability?

    Fault Tolerance (D)

    A locked door to a server room represents an administrative vulnerability.

    False (B)

    What is one method used to protect the integrity of data?

    Hashing

    Match the security concepts with their definitions:

    • Confidentiality = Unauthorized access prevention
    • Integrity = Data modification assurance
    • Availability = Data accessibility assurance
    • Vulnerability = Weakness that can be exploited

    What is the primary focus of controls in risk management?

    Reducing vulnerabilities and impact (D)

    Risk management is a one-time process.

    False (B)

    What must management consider when making decisions on risk controls?

    Costs of the risk and costs of the controls

    The role of a __________ is primarily concerned with protecting IT systems and balancing security costs.

    System administrator

    Which role is often the first line of defense for IT support?

    Tier 1 administrator (A)

    Management is primarily focused on security when considering risk.

    False (B)

    Match the following roles with their primary concerns regarding risk management:

    • Management = Profitability and survivability
    • System administrator = Protecting IT systems
    • Tier 1 administrator = Usability over security

    The process of evaluating implemented controls to ensure their effectiveness is known as __________.

    evaluation

    Which risk management technique involves eliminating the source of a risk?

    Avoidance (B)

    Risk management aims to completely eliminate all risks faced by an organization.

    False (B)

    What is the ultimate goal of risk management?

    To protect the organization.

    The technique of __________ involves shifting responsibility for a risk to another party.

    transfer

    Match the following risk management techniques with their descriptions:

    • Avoidance = Eliminating the source of risk
    • Transfer = Shifting responsibility for risk to another party
    • Mitigation = Reducing the impact of the risk
    • Acceptance = Acknowledging the risk and its potential consequences

    Which of the following is a method of risk transfer?

    Purchasing insurance (D)

    Mitigation of risk can involve moving an asset to reduce its exposure.

    True (A)

    Name one risk management technique that allows an organization to continue facing a known risk.

    Acceptance

    Study Notes

    Security Risk Management and Ethics

    • This chapter covers risk management, risk identification techniques, and risk management techniques.
    • Risk management is the practice of identifying, assessing, controlling, and mitigating risks.

    Chapter 2: Topics

    • What risk management is and how it's important to the business.
    • What risk identification techniques are.
    • What risk management techniques are.

    Chapter 2: Goals

    • Define risk management.
    • Describe risk management techniques.
    • Describe risk identification techniques.
    • Explain the relationship between the cost of loss and the cost of risk management.
    • Explain the risk management lifecycle.

    Risk Management and Its Importance to the Organization

    • Risk management is the practice of identifying, assessing, controlling, and mitigating risks.
    • Threats and vulnerabilities are key drivers of risk.
    • Identifying relevant threats and vulnerabilities is crucial.
    • Risk management aims to minimize risks, not eliminate them.

    Risk Management and Its Importance to the Organization Cont.

    • Risk management includes risk assessment.
    • Risk assessment involves identifying IT assets, threats and vulnerabilities, likelihood of exploitation, and impact.
    • Prioritize risks with higher impact first.

    Risk Management and Its Importance to the Organization Cont.

    • (2) Identifying risks to manage: A company can choose to avoid, transfer, mitigate, or accept risks, often based on the likelihood and impact of the risk.
    • (3) Selection of controls: Control methods, also called countermeasures, are used to reduce vulnerabilities and impact.

    Risk Management and Its Importance to the Organization Cont.

    • (4) Implementation and testing of controls: Controls should be implemented and tested to ensure they provide the expected protection.
    • (5) Evaluation of controls: Controls should be regularly assessed to ensure continued effectiveness, often by performing vulnerability assessments.

    Role-Based Perceptions of Risk

    • Personnel within an organization may have different perceptions of risk, and this can impact risk management.
    • Balancing security and usability is a challenge in effective risk management.
    • Achieving this balance requires understanding role-specific perceptions.

    Role-Based Perceptions of Risk Cont.

    • Management is primarily concerned with company profitability and survivability.
    • Management needs accurate data to make sound decisions on the controls to implement.

    Role-Based Perceptions of Risk Cont.

    • System administrators focus on protecting IT systems and often want strict security measures, potentially neglecting usability.

    Role-Based Perceptions of Risk Cont.

    • Tier 1 administrators, the first line of IT support, may prioritize user needs and usability over security.

    Role-Based Perceptions of Risk Cont.

    • Developers can sometimes view security as an afterthought in the development cycle.

    Role-Based Perceptions of Risk Cont.

    • End users prioritize usability and may try to circumvent security controls, potentially leading to security vulnerabilities.

    Risk Identification Techniques

    • Risk is the likelihood of a loss occurring, resulting from a threat exploiting a vulnerability.
    • To identify risks, the threats, vulnerabilities, and likelihood of attack must be determined.

    Step One: Identifying Threats

    • Threat identification is the process of listing all possible threats to an organisation.
    • A threat is any circumstance or event potentially causing a loss.
    • Threats are categorized as external or internal, natural or man-made, and intentional or accidental.

    Step One: Identifying Threats Cont.

    • External threats originate outside the organization, including external attackers.
    • Internal threats originate within the organization, potentially involving employees or other personnel.
    • Natural threats refer to weather-related events, while man-made threats include human actions. Intentional threats are deliberate attempts to compromise security, while accidental threats include employee errors or mistakes.

    Step One: Identifying Threats Cont.

    • Example threats include unauthorized employee access, malware, website defacement, DoS/DDoS attacks, data loss, service disruptions, social engineering, natural disasters, and intentional compromise attempts.

    Step Two: Identifying Vulnerabilities

    • A vulnerability is a weakness that can be exploited by a threat.
    • System logs (such as audit logs, firewall logs, and DNS logs), trouble reports, prior security events, and incident response team reports are valuable sources of information used to identify vulnerabilities.
    • Vulnerabilities are often related to a lack of access control. Often vulnerabilities are not immediately apparent, and may be hidden or difficult to identify.

    Step Two: Identifying Vulnerabilities Cont.

    • (2) Trouble reports are used to identify trends and weaknesses in a company's IT infrastructure.
    • (3) Prior events, such as previous security incidents, are invaluable sources to analyze potential risks, and show trends and areas where controls are lacking.
    • (4) Incident response teams investigate and document security incidents, offering a wealth of information.
    • (5) Audits verify compliance with company rules, regulations and laws, often uncovering potential weaknesses.
    • (6) Certification and accreditation records show how a company's systems conform to security standards, which can uncover existing and potential weaknesses.

    Step Three: Estimate the Likelihood of a Threat Exploiting a Vulnerability

    • This involves analyzing how threats can intersect with vulnerabilities across different domains.
    • Assessing vulnerabilities in user accounts, workstations, networks, and the broader network environment is critical in this process.

    Step Three: Estimate the Likelihood... Cont.

    • Common domains include the User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application domains.
    • Example incidents involving the user domain include social engineering, such as an attempted phishing attack. Workstations could be impacted by viruses, and compromised networks may result in DDoS attacks.

    Pairing Threats with Vulnerabilities

    • Match threats to vulnerabilities to estimate risk likelihood.
    • Use the formula: Risk = Threat × Vulnerability
    • Examples of pairing, and their impact, are presented (e.g., unauthorized employee access coupled with lack of authentication can greatly impact confidentiality).

    Risk Management Techniques

    • Risk management involves deciding what to do about identified risks.
    • Risk Management is not Risk Elimination.
    • The ultimate goal is to protect the organization.
    • Options include Avoidance, Transfer, Mitigation, and Acceptance.

    (1) Avoidance

    • Avoid a risk by eliminating the source of the risk or moving the susceptible asset.
    • Example: Remove a wireless network if it poses significant security risk and isn't critical, or move a data centre to a safer location.

    (2) Transfer

    • Transfer the risk to another party.
    • Example: Purchasing insurance to cover potential losses, or outsourcing an activity.

    (3) Mitigation

    • Reduce the risk by reducing vulnerabilities, implementing controls, or taking other risk-reducing steps.
    • Examples include altering the physical environment, changing procedures, adding fault tolerance, and employee training.

    (3) Mitigation Cont.

    • This involves technical mitigation such as firewall hardening, implementing antivirus, updating systems, and other security controls.
    • It is important that the cost of the measures implemented does not exceed the benefit of avoiding the risk. Costs need to be analyzed and quantified.

    (3) Mitigation Cont.

    • Cryptography, such as encrypting data, can also be used to make attacks more costly.

    (4) Acceptance

    • Accept a risk if the cost of controlling it outweighs the potential loss.
    • A cost-benefit analysis shows whether a control is justified and is often used to make this decision.

    Cost-Benefit Analysis

    • Any organization must perform a cost-benefit analysis (CBA) to help determine which controls or countermeasures to implement.
    • The CBA compares business impacts to the costs of controls to confirm that the benefits outweigh the costs.

    Cost-Benefit Analysis Cont.

    • A CBA gathers data on control costs and benefits, including operational costs.
    • It also considers future costs. Benefits must outweigh the cost, or risk mitigation is not justified.

    (7) Risk on System/Application Domain

    • Servers that host applications (such as mail, database, and DNS servers) are vulnerable to various types of risk.

    (7) Risk on System/Application Domain Cont.

    • Protecting servers, using best practices, and regularly patching/updating them is critical.

    Threats, Vulnerabilities, and Impact

    • Threats are attempts to exploit vulnerabilities, often leading to loss.
    • Impact refers to the severity of a loss and can be expressed in monetary or descriptive terms.

    Threats, Vulnerabilities, and Impact Cont.

    • Common security objectives for information systems are confidentiality, integrity, and availability. These aspects of security are often depicted as a triangle.

    Threats, Vulnerabilities, and Impact Cont.

    • High impact losses include costly asset and resource loss.
    • Medium impact losses include the loss of assets impacting organizational mission, reputation and interest; human injury is possible.
    • Low impact losses include any other noticeable effect on the organization's mission, reputation and interest.

    Threats, Vulnerabilities, and Impact Cont.

    • Implementing security controls and following security best practices help protect valuable business assets and data, thus reducing the impact of threats and vulnerabilities.


    Description

    Test your knowledge on various types of cybersecurity threats and the vulnerabilities they exploit. This quiz covers categories of threats, physical threats, malware types, and incident response. Enhance your understanding of how to identify and manage these security risks.
