Information Security Risk Management Quiz
37 Questions

Created by
@FancierLagrange

Questions and Answers

What is the primary difference between risk assessment and risk analysis?

  • Risk analysis focuses on long-term risk management.
  • Risk assessment is conducted at a higher organizational level. (correct)
  • Risk assessment is conducted at a granular level.
  • Risk analysis is typically more strategic than risk assessment.

Which of the following best describes the end goal of both risk assessment and risk analysis?

  • To identify and manage the most relevant information security risks. (correct)
  • To conduct a one-time evaluation of potential threats.
  • To create a risk management framework for IT risks only.
  • To eliminate all potential information security risks.

Which model element is NOT part of the common risk management lifecycle?

  • Identify a risk
  • Measure a risk
  • Continuous monitoring
  • Transfer ownership of a risk (correct)

At which levels can the Information Security Risk Management (ISRM) process be implemented?

  • At various levels, including business unit and system/application levels (correct)

What is the primary focus of the TARA approach in risk assessment?

  • Understanding threat agents and their motivations (correct)

What determines the frequency of conducting threat modeling?

  • Regularly, such as annually, with a well-defined scope. (correct)

Which library is essential in the TARA approach for defining potential adversaries?

  • Threat Agent Library (correct)

What is the first step in the basic elements of risk assessment frameworks?

  • Identifying the most critical assets (correct)

In a risk assessment, which term describes the level of risk present after implementing security controls?

  • Residual Risk (correct)

Which component of the TARA approach focuses on known security vulnerabilities?

  • Common Exposure Library (correct)

What should a valid link between a threat agent and a vulnerability indicate in risk assessment?

  • A risk has been identified (correct)

Why is it important not to confuse different risk assessment models?

  • The basic elements are fundamentally similar (correct)

What is assessed after linking threat agents with vulnerabilities?

  • The potential damage from exploitation (correct)

What is the main purpose of threat modeling in an organization?

  • To identify information security risks (correct)

Which of the following factors contributes to the complexity of managing information security risks?

  • Constantly changing threats and vulnerabilities (correct)

What is not considered a common vulnerability in the context of threat modeling?

  • Insufficient technical documentation (correct)

Which category of threat includes crime organizations and nation states?

  • Advanced Persistent Threats (correct)

What is implied by the term 'moving targets' in the context of threats and vulnerabilities?

  • Evolving threats that require continuous monitoring (correct)

What does a lack of established processes in managing security risks often lead to?

  • Ineffective risk management efforts (correct)

Which of the following is NOT a common data container mentioned in threat modeling?

  • Network Routers (correct)

Which factor is a significant contributor to insider threats according to the model?

  • Poor security governance (correct)

What is a primary challenge related to the introduction of new software or hardware?

  • Potential for new vulnerabilities (correct)

Which of the following vulnerabilities relates to a failure in verifying inputs and outputs?

  • Lack of validation (correct)

What is the primary goal of a security risk assessment analysis?

  • To understand the level of residual risk (correct)

Which application processing sensitive user data is specifically mentioned as home-grown?

  • Application C (correct)

What kind of deployment does Application C have?

  • Non-distributed deployment (correct)

Which threat scenario is associated with deliberate external attackers and lacks validation of input/output data?

  • Disclosure of Information (correct)

What is a significant characteristic of the Oracle Database as an information asset?

  • Considered critical and sits behind firewalls (correct)

Which action is specifically stated as not being performed regularly for the database access profiles?

  • Review of database access profiles (correct)

Which scenario involves a lack of control due to third-party vendor access?

  • 3rd Party Misconduct (correct)

Which type of server is categorized as very critical due to its role in supporting the DB2 database?

  • Server Y (correct)

What is identified as the service interruption tolerance level for the Oracle Database?

  • Cannot be tolerated (correct)

Which statement regarding security patches is made about the Oracle Database?

  • Security patches are ignored (correct)

What aspect of Server Y's maintenance is stated?

  • It is executed by a third-party (correct)

Which factor contributes to the increasing risk of disclosure of information regarding internal users?

  • Inadequate segregation of duties (correct)

What is highlighted as a failure in regular practices in the context of Server Y's security?

  • Review of security logs (correct)

Which aspect of vulnerability management is emphasized as being poorly managed?

  • Timely patch installations (correct)

Study Notes

Threat Modeling Necessity

• Identifies information security risks within organizations.
• Managing security risk is complex due to diverse and dynamic threats and vulnerabilities.
• New software, hardware, and employee changes contribute to an evolving risk landscape.
• A lack of established, cost-effective processes hampers risk management efforts.

Comprehensive View of Threats and Vulnerabilities

• Threat sources include crime organizations, nation states, external attackers, political activists, insiders, and natural disasters.
• Common vulnerabilities include inadequate logging, insecure code, lack of data encryption, poor security practices, and weak user security awareness.
• Data containers at risk include servers, workstations, portable devices, applications, databases, and security devices.

Key Questions in Threat Modeling

• Determine the starting point for threat modeling: assess at the organization, system, or an intermediate level.
• Distinguish risk assessment (higher organizational level) from risk analysis (granular level).
• Decide between a regular schedule for threat modeling (for example, annually with a well-defined scope) and ad-hoc assessments of specific systems.

Understanding the Risk Management Lifecycle

• Four elements are common to all risk management models: identify, measure, respond, and continuously monitor risks.
• Cybersecurity risk management should integrate with the organization's existing frameworks.

Multiple Frameworks for Threat Modeling

• OCTAVE: Developed by Carnegie Mellon University; focuses on operationally critical threats and asset evaluation.
• TARA: Aimed at understanding threat agents, their motivations, and how they affect existing controls.
• Key components to maintain: a threat agent library, a common exposure library, and a methods and objectives library.

Basic Elements Across Different Models

• Identify critical assets, which can range from high-level business processes to infrastructure systems.
• Connect threat agents to the vulnerabilities they can exploit, then assess the potential damage from exploitation.
• A valid link between a threat agent and a vulnerability indicates an inherent risk; effective controls lower the residual risk.

Security Risk Assessment Goals

• The end goal is to understand the level of residual risk that remains after analysis.
• Involves identifying potential threats and vulnerabilities.

Attributes for Application "C"

• A home-grown web application with a non-distributed deployment.
• Hosted on a web server in the DMZ; requires HTTPS client authentication.
• Processes sensitive user data, including financial and personal information.
• Service interruptions are tolerated for one to two days.

Threat Scenarios for Application "C"

• High probability of deliberate external attacks, specifically:
  • Lack of input/output validation leading to information disclosure (tampering with assets).
  • Inadequate password management resulting in unauthorized access.
  • Poor vulnerability management practices enabling threats such as espionage.

Attributes for Oracle Database

• Considered a critical information asset.
• Positioned behind firewalls and interacts only with specified applications.
• Service interruption cannot be tolerated, although redundancy is integrated into the design.
• Security patches are not implemented promptly; access profiles are seldom reviewed.
• Maintenance is managed by a third-party service.

Threat Scenarios for Oracle Database

• High probability of attacks from deliberate internal users:
  • Inadequate segregation of duties leading to information disclosure (abuse of user privileges).
  • Third-party vendor misconduct due to a lack of security controls.
  • Inadequate security logging creating risks of fraud.

Attributes for Server "Y"

• Critical IT asset supporting the DB2 database.
• Sits behind company firewalls and follows standard hardening procedures.
• Minimal tolerance for service interruptions; security patches are applied monthly.
• A third party manages server maintenance; regular reviews of access profiles are missing.
• Anti-virus software is updated in a timely manner, but security logs are not regularly reviewed.

Threat Scenarios for Server "Y"

• Similar threats to those of the Oracle Database:
  • Inadequate segregation of duties posing a risk of abuse of user privileges.
  • Lack of security controls leading to third-party misconduct.
  • Inadequate security logging raising the potential for unauthorized access to information systems.

Description

Test your knowledge of information security concepts such as risk assessment and risk analysis. Explore topics like the risk management lifecycle, threat modeling frequency, and the TARA approach to risk assessment. Suitable for professionals and students in the field of information security.
