IT Security Management and Risk Assessment

Questions and Answers

What is the main goal of IT security management?

• To establish a customer feedback loop for IT services
• To develop a clear view of IT security objectives and risk profile (correct)
• To increase the market share of IT services
• To ensure compliance with all legal regulations

Which one of the following is NOT a component of an organization's IT asset security?

• Reliability
• Cost-effectiveness (correct)
• Authenticity
• Confidentiality

What does an IT security risk assessment primarily determine?

• Employee performance metrics related to IT
• The profitability of IT investments
• The IT budget for the next fiscal year
• The assets needing protection and their threats (correct)

What does Baseline Security Risk Analysis focus on?

Comparing current security measures to established standards (B)

What is the purpose of conducting a Baseline Security Risk Analysis?

To identify gaps in adherence to established security standards (A)

In IT security management, which term broadly describes the process of identifying, assessing, and mitigating risks?

Risk Analysis (C)

What aspect does the term 'accountability' refer to in IT security management?

Tracking actions related to IT operations (A)

Which of the following would be considered a threat to IT assets?

Outdated software (D)

What is the primary purpose of using a hybrid approach in risk analysis?

To enhance adaptability based on context and needs (C)

Which of the following is an example of a deterrent control?

Warning signs (B)

What essential factor must a security manager consider when developing a security policy?

The vulnerabilities of the system (C)

Which criteria define malicious software (malware)?

Programs inserted with intent to compromise sensitive data (A)

Which type of control is primarily used to detect unauthorized access or breaches?

Detective Controls (C)

How is a Trojan Horse classified in terms of malware?

A malicious program disguised as legitimate software (B)

What is typically stated in a formal security policy?

Guidelines for maintaining system integrity (A)

What is a key advantage of conducting a formal assessment after initial brainstorming for risk identification?

It simplifies the comparison with established standards (D)

What is the primary purpose of a formal security risk analysis?

To provide a detailed and evidence-based evaluation of risks (A)

In which scenario is an informal security risk analysis most useful?

When resources or time for detailed data are unavailable (A)

When should a combined security risk analysis be employed?

When a balance between depth and practicality is needed (D)

What defines an informal security risk analysis?

It is based on observations, brainstorming, and expert opinions (D)

What is the role of an owner in access control?

The creator or designated administrator of a resource. (B)

What type of risks does a formal security risk analysis typically evaluate?

Both qualitative and quantitative risks (B)

Which of the following describes 'world' in access control?

Users who are not classified as owner or group. (A)

What is an example of a method used in formal security risk analysis?

Conducting assessments using the FAIR method (A)

Which of the following best describes when to use a formal security risk analysis?

When there are strict regulatory requirements or complexity (D)

What does the 'execute' access right allow a user to do?

Run a program. (D)

What characterizes the informal security risk analysis approach?

It is less structured and relies on quick evaluations (A)

Which component is primarily responsible for verifying a user's identity?

Authentication mechanism. (B)

In discretionary access control (DAC), how is access managed?

Based on the individual making the request and their permissions. (C)

What function does auditing serve in access control systems?

To review and ensure compliance with policies and controls. (C)

Which access right allows a user to look through directories?

Search. (C)

What is the main challenge addressed by access control systems?

Balancing security measures with user usability. (B)

What is the primary purpose of encryption?

To ensure confidentiality and protect data from unauthorized access (B)

Which of the following describes a Distributed Denial of Service (DDoS) attack?

An attack that uses multiple devices to amplify the impact (D)

What characterizes a data breach compared to a general intrusion?

Access to sensitive data that is stolen or exposed (A)

In encryption, what is the role of a cryptographic key?

To decode the data back into plaintext (B)

What is the potential consequence of a data breach for an organization?

Legal consequences and loss of sensitive data (C)

Which mechanism is commonly used for preventing Denial of Service (DoS) attacks?

Firewalls and Traffic Monitoring Systems (B)

What distinguishes symmetric encryption from asymmetric encryption?

Symmetric encryption uses the same key for both encryption and decryption (C)

What typically happens during a Denial of Service (DoS) attack?

Normal operations are disrupted by excessive traffic (D)

Which of the following describes a Trojan Horse?

A program that necessitates user action to activate disguised malicious code. (D)

What is a key characteristic of a worm?

It exploits vulnerabilities to propagate without any user involvement. (B)

Which example best illustrates the concept of a virus?

Michelangelo Virus, activating on a specific date to delete files. (B)

How does public-key cryptography differ from symmetric encryption?

It involves a public key that is widely shared and a private key that is kept secret. (C)

Which of the following is a characteristic of passive attacks?

They involve eavesdropping on data being transmitted over a network. (D)

What differentiates APTs from other types of attacks?

They are persistent, focused, and sophisticated attacks aimed at strategic entities. (A)

What is the primary function of a rootkit?

To maintain control over an infected system while hiding the attacker's presence. (B)

What role does an infostealer Trojan play in network security threats?

It installs spyware for data theft when executed. (C)

Flashcards

IT Security Management

The formal process of maintaining computer security for an organization's assets.

IT Security Risk Assessment

Evaluating risks to assets to determine threats and countermeasures.

Baseline Security Risk Analysis

Comparing current security measures to established standards (e.g., ISO 27001).

Security Risk Analysis

Identifying, evaluating, and controlling risks to organizational assets and operations.

Asset Protection

Ensuring the confidentiality, integrity, and availability of organization assets.

Security Gaps

Areas where security measures fall short of established standards.

ISO 27001

A standard for IT security management systems.

NIST Cybersecurity Frameworks

Guidelines established by NIST for IT security.

Informal Security Risk Analysis

A less structured approach to identify risks using observations, brainstorming, and expert opinions.

Formal Security Risk Analysis

A structured approach to evaluate risks using defined techniques, potentially quantitative or qualitative, to assess risks.

Combined Security Risk Analysis

A balanced approach combining elements of different risk analysis methods.

When to use Formal Security Risk Analysis?

Use when a detailed and long-term strategy for risk management is needed, especially in complex environments with high regulatory requirements.

When to use Informal Security Risk Analysis?

Useful in early stages of risk identification or in cases where formal approaches are impractical or time-consuming(crisis).

Formal Risk Analysis Techniques

Examples include quantitative (measuring risks in numerical terms) or qualitative (categorizing risks based on impact and likelihood) methods.

Example of Informal Security Risk Analysis

Discussing potential threats during a meeting based on team experience or walking through facilities to identify security weaknesses.

Combined Risk Analysis Purpose

To achieve a balance between the depth of a formal analysis and the practicality of an informal approach.

Hybrid Risk Analysis

Combining different risk analysis methods (e.g., informal brainstorming, baseline comparisons, formal assessments) to leverage strengths and minimize weaknesses.

When to Use Hybrid Risk Analysis

When a combined approach is more efficient or better suited to the organization's context, for balanced risk identification without overcommitting to one method.

Physical Security Control Types

Measures protecting an organization's physical assets (data centers, buildings, hardware) from unauthorized access, damage, or theft.

Deterrent Controls

Measures discouraging unauthorized access or actions, such as fences and warning signs.

Preventive Controls

Measures preventing unauthorized access or actions, such as locks and security guards.

Detective Controls

Measures detecting unauthorized access or actions, such as alarms and surveillance cameras.

Security Policy

A document outlining security principles, guidelines, and requirements for an organization.

Factors for Security Policy Development

Consider the value of assets, vulnerabilities, and potential threats when developing a security policy.

Trojan Horse

A program disguised as something harmless, but actually contains malicious code that executes when the user interacts with it.

Worm

A standalone program that self-replicates and spreads across networks or devices without requiring user interaction, exploiting system vulnerabilities.

Virus

A program that attaches to files or programs, replicating and spreading when those infected files are executed; needs user action to activate.

Rootkit

A type of malware that hides its presence and gives attackers persistent control over a system.

APT

Advanced Persistent Threat – highly sophisticated and targeted attacks aiming to steal sensitive data or disrupt operations over a long period.

Public Key

One part of a key pair in public-key cryptography; freely shared and used for encrypting data.

Private Key

The other part of a key pair in public-key cryptography; kept secret and used for decrypting data.

Asymmetric Encryption

Cryptography using two separate keys (public and private) for encryption and decryption, unlike symmetric encryption which uses a single shared key.

Encryption

The process of transforming plain text into an unreadable format (ciphertext) using a cryptographic algorithm and a key to protect data from unauthorized access.

DoS Attack

A cyberattack that overwhelms a network or server with traffic to prevent legitimate users from accessing it.

DDoS Attack

A sophisticated DoS attack involving multiple devices working together to amplify the attack's impact. Often uses a botnet, a network of infected computers.

Data Breach

Unauthorized access to sensitive data within a computer system, resulting in the theft or exposure of personal information, financial records, or intellectual property.

Intrusion with Data Breach

An unauthorized entry into a system resulting in the access, theft, or exposure of sensitive data.

Impact of Data Breach

Data breaches can lead to legal consequences for the affected organization, including financial penalties and reputational damage.

Subject (in security)

A user, process, or application that attempts to access a resource. Subjects inherit permissions from the user or application they represent.

Object (in security)

A resource that can be accessed, such as a file, directory, program, or even hardware like a processor.

Access Rights

Permissions that define what actions a subject can perform on an object.

Authentication

The process of verifying a user's identity, often using passwords, biometrics, or other methods.

Authorization

Granting permissions to access specific resources based on a user's identity and their role.

Discretionary Access Control (DAC)

Access control based on who is requesting access and their granted permissions. Individuals with access can choose to allow others to use the resource.

Audit (in security)

A review of system records and activities to check if security measures are adequate, rules are followed, and to identify potential issues.

Access Control Mechanisms

Security measures that regulate who or what can access resources, including processes like authentication, authorization, and auditing.