Cybersecurity Threats and Vulnerabilities Quiz

Questions and Answers

Which type of threat involves unauthorized changes to a website?

  • Loss of confidentiality
  • Loss of integrity (correct)
  • Loss of availability
  • Accidental threat

Internal threats are always uncontrolled and cannot be managed by the organization.

False (B)

What are the two main categories of threats based on their origin?

External and internal

A threat caused by extreme weather events such as hurricanes is classified as a __________ threat.

natural

Match the following types of threats with their definitions:

  • Loss of confidentiality = Someone sees sensitive information
  • Accidental threat = Employee mistakes or user error
  • Intentional threat = Deliberate attempt to compromise data
  • Natural threat = Weather-related risks such as hurricanes

Which of the following is considered a physical threat to an organization?

A lightning strike (D)

Vulnerabilities can exist even when no threats are present.

True (A)

Name one source that can help identify vulnerabilities in an organization.

System logs

Previous security incidents help justify __________ in an organization.

controls

Match the sources with their purposes:

  • System logs = Identify traffic breaches
  • Trouble reports = Document past incidents
  • Incident response teams = Investigate security incidents
  • Audits = Verify compliance with rules

What type of malware involves disrupting service to users?

DoS or DDoS (C)

Incident response teams are typically a hindrance to understanding security incidents.

False (B)

What is the main purpose of analyzing trouble reports?

To identify trends and weaknesses

Which of the following is NOT considered a hidden cost associated with system/application control implementation?

Costs for advertising (C)

A threat is a circumstance that always leads to a loss.

False (B)

What are the three common security objectives for information systems?

Confidentiality, integrity, and availability

If the costs of implementing a control outweigh the benefits, the risk may be ________.

accepted

Match the type of server with its primary function:

  • Mail server = Send and receive email for clients
  • Database server = Host databases accessed by users
  • DNS server = Provide names to IP addresses for clients
  • Web server = Host web applications and services

Which of the following practices is essential for protecting servers in the System/Application Domain?

Regularly patch and update server systems (A)

Knowledge of security issues with specific servers is generally widespread among all technicians.

False (B)

Threats, vulnerabilities, and impact are key elements in assessing the ________ of a business asset.

security

What is the primary goal of confidentiality in security?

Preventing unauthorized disclosure of information (B)

Hashing is used to ensure the confidentiality of data.

False (B)

What is a vulnerability in the context of security?

A weakness that can be exploited by an attacker.

The value of losses can sometimes be described in terms of high, medium, or _____ when monetary terms are not applicable.

low

Which of the following techniques is commonly used to protect availability?

Fault Tolerance (D)

A locked door to a server room represents an administrative vulnerability.

False (B)

What is one method used to protect the integrity of data?

Hashing

Match the security concepts with their definitions:

  • Confidentiality = Unauthorized access prevention
  • Integrity = Data modification assurance
  • Availability = Data accessibility assurance
  • Vulnerability = Weakness that can be exploited

What is the primary focus of controls in risk management?

Reducing vulnerabilities and impact (D)

Risk management is a one-time process.

False (B)

What must management consider when making decisions on risk controls?

Costs of the risk and costs of the controls

The role of a __________ is primarily concerned with protecting IT systems and balancing security costs.

System administrator

Which role is often the first line of defense for IT support?

Tier 1 administrator (A)

Management is primarily focused on security when considering risk.

False (B)

Match the following roles with their primary concerns regarding risk management:

  • Management = Profitability and survivability
  • System administrator = Protecting IT systems
  • Tier 1 administrator = Usability over security

The process of evaluating implemented controls to ensure their effectiveness is known as __________.

evaluation

Which risk management technique involves eliminating the source of a risk?

Avoidance (B)

Risk management aims to completely eliminate all risks faced by an organization.

False (B)

What is the ultimate goal of risk management?

To protect the organization.

The technique of __________ involves shifting responsibility for a risk to another party.

transfer

Match the following risk management techniques with their descriptions:

  • Avoidance = Eliminating the source of risk
  • Transfer = Shifting responsibility for risk to another party
  • Mitigation = Reducing the impact of the risk
  • Acceptance = Acknowledging the risk and its potential consequences

Which of the following is a method of risk transfer?

Purchasing insurance (D)

Mitigation of risk can involve moving an asset to reduce its exposure.

True (A)

Name one risk management technique that allows an organization to continue facing a known risk.

Acceptance

Flashcards

Risk Management

The process of identifying, assessing, and mitigating risks to protect an organization's assets.

Controls

Measures implemented to reduce vulnerabilities and minimize the impact of potential threats.

Evaluation of Controls

The evaluation of implemented controls to ensure their effectiveness in mitigating risks.

Role-Based Perceptions of Risk

The perception of risk can vary depending on the role an individual plays within an organization.

Management's Perception of Risk

Management is concerned with profitability and survivability, and is willing to invest in risk mitigation measures to protect the organization.

System Administrator's Perception of Risk

System administrators prioritize security by implementing strong controls to protect IT systems. They often lean towards stricter security measures.

Tier 1 Administrator's Perception of Risk

Tier 1 administrators, often the first point of contact for users, prioritize usability and may be less concerned with security compared to system administrators.

Balancing Security and Usability

The need to find a balance between strict security measures and user usability to ensure both effective protection and efficient operation.

Loss of Confidentiality

Accessing or viewing confidential data that is not authorized for you.

Loss of Integrity

Unauthorized modifications or changes to data, files, or systems. This can include altering or deleting data, introducing viruses, or corrupting system files.

Loss of Availability

When resources, services, or systems are unavailable or inaccessible to authorized users. This can be due to server downtime, network outages, or deliberate attacks.

External Threats

Threats that originate from outside your organization. They are risks that are beyond your control.

Internal Threats

Threats that originate from within your organization. This can include employees, contractors, or even internal processes.

Vulnerability

A weakness that can be exploited by a threat.

Threat

Any event that could potentially harm an organization's assets.

Audit logs

Logs that record user activity on a system, including login attempts, file access, and command execution.

Trouble reports

Records of events that disrupt normal system operations.

Prior events

Previous security incidents that provide valuable insights into threats and vulnerabilities.

Incident response teams

Teams responsible for investigating and responding to security incidents.

Audits

Formal reviews of systems and processes to ensure compliance with rules and regulations.

Firewall logs

Logs that record network traffic, identifying malicious activity or unauthorized connections.

Risk Avoidance

A method to manage risk by completely avoiding the activity or asset that poses the risk.

Risk Transfer

Transferring the responsibility of a risk to another party, usually through insurance or outsourcing.

Risk Mitigation

Reducing the impact of a risk by implementing controls or taking preventative measures.

Risk Acceptance

Accepting the risk and its potential consequences, often used when the cost of mitigation outweighs the potential loss.

Risk Avoidance Rationale

The primary reason for risk avoidance is that the potential loss from the risk outweighs the benefit of the asset.

Risk Avoidance: Source Elimination

A company may avoid risk by eliminating the source of the risk, such as removing a vulnerable network.

Risk Avoidance: Asset Relocation

A company may avoid risk by moving an asset to a safer location, such as moving a data center from an earthquake-prone area.

Risk Transfer: Outsourcing

Outsourcing is a form of risk transfer, as the company shifts responsibility for a specific activity to another party.

Hidden Costs of Control Implementation

Costs related to maintaining a system or application, like training employees, software updates, and hardware replacements.

System/Application Domain

Servers that host core applications, like email, databases, and name resolution.

Best Practices for System/Application Domain Security

Securing servers by removing unnecessary features, changing default passwords, updating systems regularly, and enabling local firewalls.

Specialization in System/Application Domain Security

Specialized knowledge required to secure specific types of servers, making it crucial for those with specialized skills to be involved.

Server Security Based on Hosted Application

Protecting a server based on the specific security needs of its hosted application to ensure optimal security.

Impact

The negative effect of a successful attack, measured by the severity of the resulting loss.

CIA Triad

The three core security objectives ensuring data confidentiality, integrity, and availability. If any of these objectives are compromised, overall security is weakened.

Confidentiality

Preventing unauthorized access to sensitive information. It ensures that only authorized personnel can view, modify, or use the data.

Integrity

Guaranteeing that data remains accurate and unaltered. It prevents unauthorized modification or deletion of information.

Availability

Making sure that data and systems are readily accessible to authorized users when needed. It prevents interruptions or disruptions to services.

Threat Mitigation

Actions taken to reduce the likelihood of a threat exploiting a vulnerability. It involves implementing controls such as strong passwords, encryption, and access restrictions.

Risk Assessment

The process of identifying, analyzing, and prioritizing risks associated with vulnerabilities and threats. It helps organizations determine which risks require the most attention and resources.

Study Notes

Security Risk Management and Ethics

  • This chapter covers risk management, risk identification techniques, and risk management techniques.
  • Risk management is the practice of identifying, assessing, controlling, and mitigating risks.

Chapter 2: Topics

  • What risk management is and how it's important to the business.
  • What risk identification techniques are.
  • What risk management techniques are.

Chapter 2: Goals

  • Define risk management.
  • Describe risk management techniques.
  • Describe risk identification techniques.
  • Explain the relationship between the cost of loss and the cost of risk management.
  • Explain the risk management lifecycle.

Risk Management and Its Importance to the Organization

  • Risk management is the practice of identifying, assessing, controlling, and mitigating risks.
  • Threats and vulnerabilities are key drivers of risk.
  • Identifying relevant threats and vulnerabilities is crucial.
  • Risk management aims to minimize risks, not eliminate them.

Risk Management and Its Importance to the Organization Cont.

  • Risk management includes risk assessment.
  • Risk assessment involves identifying IT assets, threats and vulnerabilities, likelihood of exploitation, and impact.
  • Prioritize risks with higher impact first.

Risk Management and Its Importance to the Organization Cont.

  • (2) Identifying risks to manage: a company can choose to avoid, transfer, mitigate, or accept risks, often based on the likelihood and impact of each risk.
  • (3) Selection of controls: control methods, also called countermeasures, are used to reduce vulnerabilities and impact.

Risk Management and Its Importance to the Organization Cont.

  • (4) Implementation and testing of controls: Controls should be implemented and tested to ensure they provide the expected protection.
  • (5) Evaluation of controls: Controls should be regularly assessed to ensure continued effectiveness, often by performing vulnerability assessments.

Role-Based Perceptions of Risk

  • Personnel within an organization may have different perceptions of risk, and this can impact risk management.
  • Balancing security and usability is a challenge in effective risk management.
  • Achieving this balance requires understanding role-specific perceptions.

Role-Based Perceptions of Risk Cont.

  • Management is primarily concerned with company profitability and survivability.
  • Management needs accurate data to make sound decisions on the controls to implement.

Role-Based Perceptions of Risk Cont.

  • System administrators focus on protecting IT systems and often want strict security measures, potentially neglecting usability.

Role-Based Perceptions of Risk Cont.

  • Tier 1 administrators, the first line of IT support, may prioritize user needs and usability over security.

Role-Based Perceptions of Risk Cont.

  • Developers can sometimes view security as an afterthought in the development cycle.

Role-Based Perceptions of Risk Cont.

  • End users prioritize usability and may try to circumvent security controls, potentially leading to security vulnerabilities.

Risk Identification Techniques

  • Risk is the likelihood of a loss occurring, resulting from a threat exploiting a vulnerability.
  • To identify risks, threats, vulnerabilities and likelihood of attack must be determined.

Step One: Identifying Threats

  • Threat identification is the process of listing all possible threats to an organization.
  • A threat is any circumstance or event that could potentially cause a loss.
  • Threats are categorized as external or internal, natural or man-made, and intentional or accidental.

Step One: Identifying Threats Cont.

  • External threats originate outside the organization, including external attackers.
  • Internal threats originate within the organization, potentially involving employees or other personnel.
  • Natural threats refer to weather-related events, while man-made threats include human actions.
  • Intentional threats are deliberate attempts to compromise security, while accidental threats include employee errors or mistakes.

Step One: Identifying Threats Cont.

  • Example threats include unauthorized employee access, malware, website defacement, DoS/DDoS attacks, data loss, service disruptions, social engineering, natural disasters, and intentional compromise attempts.

Step Two: Identifying Vulnerabilities

  • A vulnerability is a weakness that can be exploited by a threat.
  • System logs (such as audit logs, firewall logs, and DNS logs), trouble reports, prior security events, and incident response team reports are valuable sources of information used to identify vulnerabilities.
  • Vulnerabilities are often related to a lack of access control. They are frequently not immediately apparent and may be hidden or difficult to identify.

Step Two: Identifying Vulnerabilities Cont.

  • (2) Trouble reports are used to identify trends and weaknesses in a company's IT infrastructure.
  • (3) Prior events, such as previous security incidents, are invaluable sources to analyze potential risks, and show trends and areas where controls are lacking.
  • (4) Incident response teams investigate and document security incidents, offering a wealth of information.
  • (5) Audits verify compliance with company rules, regulations and laws, often uncovering potential weaknesses.
  • (6) Certification and accreditation records show how a company's systems conform to security standards, which can uncover existing and potential weaknesses.

Step Three: Estimate the Likelihood of a Threat Exploiting a Vulnerability

  • This involves analyzing how threats can intersect with vulnerabilities across different domains.
  • Assessing vulnerabilities in user accounts, workstations, networks, and the broader network environment is critical in this process.

Step Three: Estimate the Likelihood Cont.

  • Common domains include the User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application domains.
  • Example incidents in the User domain include social engineering, such as an attempted phishing attack; workstations can be infected by viruses; and compromised networks can be used to launch DDoS attacks.

Pairing Threats with Vulnerabilities

  • Match threats to vulnerabilities to estimate risk likelihood.
  • Use the formula: Risk = Threat × Vulnerability
  • Examples of pairing, and their impact, are presented (e.g., unauthorized employee access coupled with lack of authentication can greatly impact confidentiality).

Risk Management Techniques

  • Risk management involves deciding what to do about identified risks.
  • Risk Management is not Risk Elimination.
  • The ultimate goal is to protect the organization.
  • Options include Avoidance, Transfer, Mitigation, and Acceptance.

(1) Avoidance

  • Avoid a risk by eliminating the source of the risk or moving the susceptible asset.
  • Example: Remove a wireless network if it poses significant security risk and isn't critical, or move a data centre to a safer location.

(2) Transfer

  • Transfer the risk to another party.
  • Example: Purchasing insurance to cover potential losses, or outsourcing an activity.

(3) Mitigation

  • Reduce the risk by reducing vulnerabilities, implementing controls, or taking other steps that lower the likelihood or impact of a loss.
  • Examples include altering physical environment, changing procedures, adding fault tolerance, and employee training.

(3) Mitigation Cont.

  • This includes technical mitigation such as firewall hardening, implementing antivirus, updating systems, and other security controls.
  • The cost of a mitigation measure should not exceed the benefit of avoiding the risk, so costs need to be analyzed and quantified.

(3) Mitigation Cont.

  • Cryptography, such as encrypting data, can also be used to make attacks more costly.

(4) Acceptance

  • Accept a risk if the cost of controlling it outweighs the potential loss.
  • A cost-benefit analysis, which shows whether a control is justified, is often used to make this decision.

Cost-Benefit Analysis

  • Any organization must perform a cost-benefit analysis (CBA) to help determine which controls or countermeasures to implement.
  • This compares business impacts to the costs of controls, so that the benefits outweigh the cost.

Cost-Benefit Analysis Cont.

  • A CBA gathers data on control costs and benefits, including operational costs.
  • It also considers future costs. Benefits must outweigh the cost, or the risk mitigation is not justified.

(7) Risk on System/Application Domain

  • Servers (like mail servers, database, and DNS) containing applications are vulnerable to various types of risks.

(7) Risk on System/Application Domain Cont.

  • Protecting servers, using best practices, and regularly patching/updating them is critical.

Threats, Vulnerabilities, and Impact

  • Threats are attempts to exploit vulnerabilities, often leading to loss.
  • Impact refers to the severity of a loss and can be expressed in monetary or descriptive terms.

Threats, Vulnerabilities, and Impact Cont.

  • The three common security objectives for information systems are confidentiality, integrity, and availability. These aspects of security are often examined as a triangle (the CIA triad).

Threats, Vulnerabilities, and Impact Cont.

  • High impact losses include costly loss of assets and resources.
  • Medium impact losses include the loss of assets impacting organizational mission, reputation and interest; human injury is possible.
  • Low impact losses include any other noticeable effect on the organization's mission, reputation and interest.

Threats, Vulnerabilities, and Impact Cont.

  • Implementing security controls and following security best practices help protect valuable business assets and data, thus reducing the impact of threats and vulnerabilities.
