Risk Management and Information Security Quiz
Questions and Answers

What defines the practice of records retention?

  • Records are destroyed immediately after creation.
  • Records are retained as long as necessary and destroyed after a set time. (correct)
  • Records are only retained for financial audits.
  • Records are kept permanently.

What does risk tolerance refer to in risk management?

  • The process of eliminating all potential risks.
  • The variance between different risk types.
  • The minimum level of risk that must be accepted.
  • The maximum risk a company is willing to take to achieve results. (correct)

Which of the following best describes the term risk mitigation?

  • Transferring the risk to an external party.
  • Avoiding any business function related to a specific risk.
  • Implementing controls to reduce potential risk impacts or likelihood. (correct)
  • Accepting the risk without any changes to operations.

What is the main purpose of risk assessment?

To identify and analyze risks to organizational operations and assets.

Which action describes risk acceptance?

Agreeing to proceed with a function despite its risks.

What is the role of a Request for Change (RFC) in change management?

To seek initiation of a change procedure or product.

What does risk transference involve?

Shifting the financial burden of a risk to another party.

What type of access control system is defined by Role-Based Access Control (RBAC)?

User permissions are assigned based on the user's roles within the organization.

What best describes the purpose of security controls?

To protect the confidentiality, integrity, and availability of information systems.

What does segregation of duties primarily aim to reduce?

Insider threats, by requiring multiple individuals to complete a process.

Which of the following is a characteristic of Software as a Service (SaaS)?

Applications are accessed through client devices without managing infrastructure.

What is the primary focus of a Security Operations Center?

Monitoring, detecting, and analyzing security events.

What defines sensitivity in the context of information security?

The importance assigned to information by its owner.

What is single-factor authentication?

An authentication process using only one of the available factors.

Which describes social engineering?

Manipulating individuals to gain unauthorized access to systems.

What is the primary goal of an Incident Response Plan (IRP)?

To document actions for detecting and responding to cyberattacks.

What is spoofing in the context of information security?

Faking a sending address to gain unauthorized entry.

What does IaaS provide for organizations?

Core computing, storage, and network resources billed by usage.

Which of the following best describes an Insider Threat?

Malicious actions by an individual with inside access.

What is the definition of Integrity in the context of information?

Ensuring information is accurate and complete for its intended purpose.

What is the role of Ingress Monitoring?

Oversight of incoming network traffic to detect issues.

What type of impacts does Information Security Risk encompass?

Potential impacts on an organization's operations and reputation.

Which organization develops voluntary international standards in various fields including information technology?

International Organization for Standardization (ISO)

What does the Internet Control Message Protocol (ICMP) primarily do?

Determine the availability of a host or service (echo request/reply); more generally, it carries error and diagnostic messages for IP.

What is the primary role of the Internet Engineering Task Force (IETF)?

To define protocol standards through collaboration and consensus.

Which protocol is primarily used for the transmission of data in packet-switched communications networks?

Internet Protocol version 4 (IPv4)

What defines an intrusion in the context of security events?

An unauthorized attempt to gain access to a system.

What does the term 'Likelihood' refer to in a security context?

A subjective analysis of vulnerability exploitation probability.

Which of the following best describes a logical access control system?

An automated system regulating access based on identity validation.

What is meant by 'Layered Defense' in cybersecurity?

Using multiple security measures to protect assets in depth.

What is a log anomaly?

An irregularity in log entries suggesting potential security events.

In a Man-in-the-Middle attack, what is the goal of the attacker?

To modify or intercept data between the user and system.

What is a primary feature of a private cloud?

Exclusive use by a single business entity.

What does the principle of least privilege entail?

Users and programs should only have the minimum necessary privileges.

What is ransomware primarily designed to do?

Lock system access until payment is made.

Which of the following describes Qualitative Risk Analysis?

Utilizes descriptors like low, medium, or high.

What defines Protected Health Information (PHI)?

Information regarding health status and healthcare provision.

In the context of risk analysis, what does 'Probability' refer to?

The chances of a threat exploiting a vulnerability.

Which type of cloud infrastructure is available for general public use?

Public cloud

What is a privileged account characterized by?

Approved authorizations for privileged users.

What is the primary function of symmetric encryption?

To utilize the same key for both encryption and decryption.

Which layer of the TCP/IP model is responsible for network-to-network communication?

Internet Layer

What characterizes system integrity?

Performing intended functions without unauthorized manipulation.

How does a threat vector function in cybersecurity?

As a method for carrying out an attack by a threat actor.

What is the definition of a threat actor?

A group or individual exploiting vulnerabilities to create threats.

What is the purpose of user provisioning?

To manage the entire lifecycle of user identities on a system.

In the context of cybersecurity, what is a token?

A physical object for user authentication.

What does a Virtual Local Area Network (VLAN) achieve?

It logically groups devices regardless of geographical location.

    Study Notes

    Adequate Security

    • Security commensurate with potential harm from information loss, misuse, or unauthorized access/modification.
    • Based on OMB Circular A-130

    Administrative Controls

    • Implemented through policies and procedures.
    • Examples include access control processes and requiring multiple personnel for operations.
    • Often enforced with physical and/or technical controls, like requiring login and approval by a hiring manager for new users.

    Adverse Events

    • Events with negative consequences, such as system crashes (e.g., network packet floods), unauthorized system privilege use, website defacement, or malicious code execution (data destruction).

    API (Application Programming Interface)

    • Set of routines, standards, protocols, and tools for software applications to interact with web-based software/applications or web tools.

    Application Server

    • Computer hosting applications for user workstations.
    • Based on NIST SP 800-82 Rev.2

    Artificial Intelligence

    • Computer/robot ability to simulate human intelligence and behavior

    Asset

    • Anything valuable owned by an organization.
    • Includes tangible items (e.g., information systems, physical property) and intangible assets (e.g., intellectual property).

    Asymmetric Encryption

    • Algorithm using one key for encryption and a different key for decryption.

    Audit

    • Independent review/examination of records/activities.
    • Assesses system controls and verifies operational procedures compliance (e.g., NIST SP 1800-15B)

    Authentication

    • Verifying that a claimed identity (of a user, process, or device) is genuine before access is granted; identification says who you are, authentication proves it.
    • Typically used to prevent fraudulent transmissions and validate the originator or user.

    Authorization

    • Permission granted to a system entity for accessing a system resource.
    • Based on, e.g., NIST 800-82 Rev.2

    Availability

    • Ensuring timely and reliable access to information by authorized users.

    Baseline

    • Documented minimum security configuration required by a standard or an organization; systems are measured against it and deviations are tracked.

    Biometric

    • Biological characteristics unique to an individual (e.g., fingerprints, hand geometry, voice, iris patterns).

    Bit

    • Fundamental data representation (zero or one) at Layer 1 of the OSI Model.

    Bot

    • Malicious code that acts like a remotely controlled robot for attackers (e.g., Trojan, worm capabilities).

    Breach

    • Unauthorized disclosure, acquisition, or access of personally identifiable information (PII) by a non-authorized user, or access by an authorized user for a disallowed purpose.
    • Based on NIST SP 800-53 Rev. 5

    Broadcast (in context of internet traffic)

    • One-to-many transmission of data.

    Business Continuity

    • Actions, processes, and tools for keeping an organization's operations running during a disruption. (e.g., BC plan)

    Business Impact Analysis (BIA)

    • Analysis of information systems to characterize system contingencies and priorities during a disruption.
    • Relevant in the context, e.g., of NIST SP 800-34 Rev 1

    Byte

    • Unit of digital information often consisting of eight bits.

    Checksum

    • Value computed from a block of stored or transmitted data and kept alongside it so that accidental corruption can be detected by recomputing and comparing. A plain checksum does not protect against deliberate tampering, since an attacker who changes the data can recompute it; that requires a keyed MAC or a digital signature.

    Ciphertext

    • Hidden message format that is unreadable without decryption.

    Classification

    • Identifies the degree of harm associated with divulging an information asset.
    • Focused on maintaining confidentiality.

    Classified/Sensitive Information

    • Information requiring protection from unauthorized disclosure or access.
    • Marked to demonstrate its classified status and classification level.

    Cloud Computing

    • Model for enabling on-demand, ubiquitous network access to shared computing resources.
    • Based on NIST 800-145, e.g. for Community Cloud models

    Community Cloud

    • Cloud infrastructure provisioned for exclusive use by a specific community (e.g., shared concerns).
    • Based on NIST 800-145

    Confidentiality

    • Protecting data/information from unauthorized access or disclosure.
    • E.g., in the context of NIST 800-66.

    Configuration Management

    • Process/discipline ensuring authorized and validated changes to the system.

    Crime Prevention Through Environmental Design (CPTED)

    • Architectural approach to design spaces/buildings emphasizing passive features for reducing opportunity for crime.

    Criticality

    • Extent to which an organization relies on information for a mission or business function. E.g. in the context of NIST SP 800-60 Vol. 1, Rev. 1

    Cryptanalyst

    • Studies mathematical techniques to analyze/break cryptographic systems to find vulnerabilities.

    Cryptography

    • Methods or application of securing information, commonly through disguise or transformation.

    Data Integrity

    • Assuring data hasn't been altered in unauthorized manner (in storage, processing, transit)
    • Based on NIST SP 800-27 Rev A.

    Data Loss Prevention (DLP)

    • System capabilities detecting/preventing unauthorized use/transmission of information.

    Decryption

    • Reversing encryption to recover original plaintext from ciphertext using an algorithm.

    De-encapsulation

    • Opposite process of encapsulation (bundling data) involves unpacking/revealing data bundles.

    Defense in Depth

    • Integrated security strategy using multiple layers and elements of security.
    • Based on NIST SP 800-53 Rev 4

    Degaussing

    • Erasing data from magnetic storage media by applying a strong magnetic field, eliminating magnetic remanence so the data cannot be reconstructed. Not effective on flash or solid-state media, which need cryptographic erase or physical destruction.

    Denial-of-Service (DoS)

    • Preventing authorized access to resources or delaying time-critical operations (milliseconds to hours)
    • Based on NIST SP 800-27 Rev. A

    Digital Signature

    • Cryptographic transformation for origin authentication, data integrity, and signer non-repudiation of a message.
    • Based on NIST SP 800-12 Rev 1

    Disaster Recovery

    • Activities for restoring IT/communications services during and post-disruptions/outages in information systems. This includes a Disaster Recovery Plan (DRP).

    Disaster Recovery Plan (DRP)

    • Documents procedures for continuing mission during and after a significant disruption. Disaster is commonly used in the context of an organization experiencing a critical business disruption.

    Discretionary Access Control (DAC)

    • Allowing the owner or authorized entity to control access rights and privileges in a system or object.
    • Based on NIST SP 800-192, e.g.

    Domain Name System (DNS)

    • Name-resolution system that maps host names to IP addresses (and back); the term covers the service itself, the physical servers that provide it, and the network protocol they use.

    Egress Monitoring

    • Monitoring outgoing network traffic.

    Encapsulation

    • Two related senses: in software, bundling data and the methods that operate on it into one unit and hiding its internals (data hiding); in networking, wrapping a protocol data unit inside the header and trailer of the layer below it before transmission.

    Encrypt

    • Transforming data to an unreadable format (ciphertext), thus protecting its confidentiality.

    Encryption

    • Process of transforming plaintext data to ciphertext for confidentiality.

    Encryption System

    • Set of algorithms, processes, hardware, and software components for encryption and decryption tasks.

    Event

    • Any observable occurrence in a network or system (NIST SP 800-61 Rev 2)

    Exploit

    • Attack exploiting system vulnerabilities.

    File Transfer Protocol (FTP)

    • Protocol (and program) for transferring files between hosts.

    Firewall

    • System enforcing security policy by filtering incoming and outgoing network traffic according to rules (typically default-deny, with explicit allow rules).

    Fragment Attack

    • Attacker fragments traffic in a way that prevents a system from reassembling data packets.

    General Data Protection Regulation (GDPR)

    • European legislation focused on personal data privacy as a human right.

    Governance

    • Process for managing an organization, including policies, roles, and procedures.

    Impact

    • Magnitude of harm possible with a vulnerability or a threat.

    Incident

    • Event jeopardizing confidentiality, integrity, or availability of information systems.

    Incident Handling/Response (IR)

    • Detecting and analyzing incidents to mitigate their impact. This includes a plan.

    Incident Response Plan (IRP)

    • Plan describing procedures to detect, respond to, and limit consequences of cyberattacks on information systems.

    Information Security Risk

    • Potential adverse effects on operations (mission/reputation), assets, and individuals due to potential threat of data/systems disruption/destruction/unauthorized access/use/disclosures.

    Infrastructure as a Service (IaaS)

    • Provider of foundational infrastructure (computational resources) for building/deploying apps in a data center.

    Ingress Monitoring

    • Monitoring incoming network traffic.

    Insider Threat

    • Authorized user with the potential to harm an information system.
    • Based on NIST SP 800-32

    Institute of Electrical and Electronics Engineers (IEEE)

    • Professional organization setting standards in telecommunications, computer engineering, etc.

    Integrity

    • Property of data that ensures completeness and accuracy of recorded information.

    International Organization for Standardization (ISO)

    • Organization developing voluntary international standards, including for information and communication technologies (e.g., ISO/IEC 19770-2).

    Internet Control Message Protocol (ICMP)

    • Protocol in the IP suite for error reporting and diagnostics (RFC 792); its echo request/reply messages are used to determine host or service availability.

    Internet Engineering Task Force (IETF)

    • Organization defining protocol standards through consensus and collaboration (e.g., RFC documents).

    Internet Protocol (IPv4)

    • Standard protocol transmitting data in packet-switched communication networks. (CNSSI 4009-2015)

    Intrusion

    • Security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization to do so. (Based on RFC 4949 Ver 2)

    iOS

    • Mobile operating system by Apple Inc.

    Layered Defense

    • Security strategy using multiple sequential security controls to mitigate risks.

    Likelihood of Occurrence

    • Probability of a given threat successfully exploiting a vulnerability

    Likelihood

    • Probability of occurrence of a threat. (in the context of risk analysis)

    Linux (in context)

    • Open-source operating system.

    Log Anomaly

    • System irregularity in log data, potentially indicating malicious activities.

    Logging

    • Collecting and storing records of user activity and of the events occurring within an organization's systems and networks, so that they can be reviewed, correlated, and investigated later. NIST SP 1800-25B is given as a reference.
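The Logging, Log Anomaly and Security Operations Center entries describe what a SOC does with collected records; the following added example (not from the original page) shows the detection logic a SOC analyst would run over such records. The log lines, the failure threshold, the set of privileged accounts and the business-hours window are all constructed for this example and are not taken from any real system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (SSH-style authentication log); not real data.
SAMPLE_LOG = """\
2024-03-01T02:14:03Z sshd[1201]: Failed password for alice from 203.0.113.7
2024-03-01T02:14:05Z sshd[1201]: Failed password for alice from 203.0.113.7
2024-03-01T02:14:06Z sshd[1201]: Failed password for root from 203.0.113.7
2024-03-01T02:14:08Z sshd[1201]: Failed password for bob from 203.0.113.7
2024-03-01T02:14:09Z sshd[1201]: Failed password for admin from 203.0.113.7
2024-03-01T02:14:11Z sshd[1201]: Accepted password for admin from 203.0.113.7
2024-03-01T09:30:00Z sshd[1320]: Accepted publickey for carol from 192.0.2.10
2024-03-01T09:45:12Z sshd[1333]: Failed password for carol from 192.0.2.10
2024-03-01T09:45:20Z sshd[1333]: Accepted password for carol from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Tuning values are assumptions for this example; a real SOC tunes them per environment.
FAIL_THRESHOLD = 4               # failures from one source before a success is suspicious
PRIVILEGED = {"root", "admin"}   # accounts whose logins deserve extra scrutiny
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59 UTC


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events


def detect_anomalies(events):
    """Return (rule_name, detail) findings; each rule is one kind of log anomaly."""
    findings = []

    # Rule 1: a success from a source that has already failed many times
    # (password guessing that eventually worked).
    failures = defaultdict(int)
    for e in events:
        if e["outcome"] == "Failed":
            failures[e["src"]] += 1
        elif failures[e["src"]] >= FAIL_THRESHOLD:
            findings.append(("brute_force_success",
                             f"{e['src']} succeeded as {e['user']} "
                             f"after {failures[e['src']]} failures"))

    # Rule 2: a privileged account logging in outside business hours.
    for e in events:
        if (e["outcome"] == "Accepted" and e["user"] in PRIVILEGED
                and e["ts"].hour not in BUSINESS_HOURS):
            findings.append(("privileged_offhours_login",
                             f"{e['user']} from {e['src']} at {e['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_anomalies(parse(SAMPLE_LOG)):
        print(rule, "-", detail)
```

Both rules fire on the same constructed session (five failures from 203.0.113.7 followed by an `admin` login at 02:14), while carol's single mistyped password produces no finding; the point is that a single rule rarely proves an incident, so a SOC correlates several weak signals before escalating.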

    Logical Access Control Systems

    • Automated systems controlling individual access to computer system resources (workstations, applications, networks, etc.) through mechanisms such as PIN, card, biometric, or token.

    Man-in-the-Middle (MitM)

    • Adversary intercepts and potentially alters communication between user/system.

    Mandatory Access Control (MAC)

    • Access control in which the system, not the resource owner, enforces access decisions by comparing security labels on subjects and objects (e.g., classification levels) against a central policy; users cannot override or delegate those rights.

    Mantrap

    • Entrance requiring people to pass through two doors sequentially.

    Message Digest

    • Fixed-length output of a cryptographic hash function that identifies the input data for practical purposes; changing a single bit of the data produces a completely different digest.
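The Checksum, Data Integrity and Message Digest entries above draw a line between error detection and tamper detection. The added example below (written for this page, not taken from any cited standard) makes the distinction concrete: an additive checksum can be fixed up by the attacker after altering a payment amount, a SHA-256 digest changes on any edit, and an HMAC (a keyed digest, used here as the simplest stand-in for the keyed or signed integrity protection the Digital Signature entry describes) rejects the forgery because the attacker has no key. The message format and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets


def simple_checksum(data: bytes) -> int:
    """Additive checksum (sum of bytes mod 256): detects accidental corruption only."""
    return sum(data) % 256


def sha256_digest(data: bytes) -> str:
    """Unkeyed message digest: any change to the input changes the output."""
    return hashlib.sha256(data).hexdigest()


def digest_bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between the SHA-256 digests of two inputs (out of 256 bits)."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def make_mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: cannot be recomputed without the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(make_mac(key, data), tag)


def forge_checksum(original: bytes, tampered: bytes) -> bytes:
    """Attacker step: rewrite the last byte (a free-text memo field in this
    constructed format) so the tampered message keeps the original checksum."""
    target = simple_checksum(original)
    head = tampered[:-1]
    last = (target - sum(head)) % 256
    return head + bytes([last])


def demo() -> dict:
    """Run the three integrity checks against the same forgery and report outcomes."""
    key = secrets.token_bytes(32)                 # shared secret, generated per run
    original = b"amount=0100;to=bob;memo=x"      # constructed message
    tampered = b"amount=0900;to=bob;memo=x"      # attacker changes the amount
    forged = forge_checksum(original, tampered)   # ...and repairs the checksum
    tag = make_mac(key, original)                 # tag computed by the legitimate sender

    flipped = bytes([original[0] ^ 1]) + original[1:]   # one-bit change
    return {
        "checksum_fooled": simple_checksum(forged) == simple_checksum(original),
        "digest_changed": sha256_digest(forged) != sha256_digest(original),
        "one_bit_flip_changes_digest": sha256_digest(flipped) != sha256_digest(original),
        "mac_accepts_original": verify_mac(key, original, tag),
        "mac_rejects_forgery": not verify_mac(key, forged, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that a plain digest stored next to the data gives no more protection than the checksum if the attacker can write both: the digest only helps when it is delivered over a channel the attacker cannot alter, keyed (MAC), or signed.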

    Microsegmentation

    • Separating local area networks into multiple, highly localized zones, using firewalls or similar technologies.

    Multi-Factor Authentication

    • Authentication using two or more factors

    National Institute of Standards and Technology (NIST)

    • US agency developing standards, including security standards (e.g., SP 800 series).

    Non-repudiation

    • Inability to deny actions, like creating information or sending messages.

    Object (in the context of information systems)

    • Passive system entities (devices, files, records, programs) containing or receiving Information. Accessing an object implies access to the contained information.

    Operating System (OS)

    • Software controlling computer functionalities, managing applications, users, and hardware resources.

    Oversized Packet Attack

    • Attack involves sending packets that exceed expected sizes, likely causing disruption in a receiving system.

    Packet

    • Block of data at Layer 3 according to OSI model

    Patch Management

    • Establishing, notifying, implementing, and verifying updates for operating/application software code.

    Payload

    • Main function of a malicious code attack.

    Payment Card Industry Data Security Standard (PCI DSS)

    • Information security standard applied to merchants and service providers handling credit/debit cards.

    Personally Identifiable Information (PII)

    • Information identifying or tracing an individual (e.g., name, SSN, biometric data).
    • Based on NIST SP 800-122

    Physical Controls

    • Security safeguards using physical components (e.g., walls, security guards, locks).

    Plaintext

    • Original, readable form of data before its encryption.

    Platform as a Service (PaaS)

    • Cloud environment enabling application development/deployment.

    Privacy

    • Individual's control over distribution of personal data/information.

    Private Cloud

    • Cloud infrastructure provisioned for exclusive use by a single organization, giving it enterprise-level control over data; it may be hosted on or off premises and operated by the organization or a third party.

    Principle of Least Privilege

    • Principle that users/programs are given only necessary access rights/privileges for tasks.

    Privileged Account

    • Account with approved authorizations used by a privileged user to access information systems.

    Probability

    • Likelihood of a threat successfully exploiting a vulnerability. (in the context of risk analysis)

    Protected Health Information (PHI)

    • Healthcare patient data categorized by HIPAA standards for protection.

    Protocol

    • Set of standardized communication rules and procedures between systems/processes.

    Public Cloud

    • Cloud infrastructure/services available to the general public.

    Qualitative Risk Analysis

    • Risk analysis method assigning descriptive descriptors (low, medium, high) to risks. (e.g., NISTIR 8286)

    Quantitative Risk Analysis

    • Risk analysis method assigning numerical values to risk impact and likelihood. (e.g., based on NISTIR 8286)
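The Qualitative and Quantitative Risk Analysis entries, together with Risk Acceptance, Mitigation, Transference and Tolerance, describe a decision procedure; the added example below (written for this page, not taken from NISTIR 8286 or any other cited source) carries that procedure through on three constructed risks. The quantitative side uses the common single loss expectancy / annualized loss expectancy formulas (SLE = asset value x exposure factor, ALE = SLE x annual rate), which the page does not name and are assumed here; the asset values, rates, control costs and the risk tolerance are invented inputs.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float       # monetary value of the asset at risk
    exposure_factor: float   # fraction of the asset lost per occurrence (0..1)
    annual_rate: float       # expected occurrences per year (likelihood)

    def sle(self) -> float:
        """Single loss expectancy: impact of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: impact weighted by likelihood."""
        return self.sle() * self.annual_rate


def qualitative_band(likelihood: int, impact: int) -> str:
    """Qualitative analysis: 1..3 scores on a 3x3 matrix -> low/medium/high."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def treat(risk: Risk, control_cost: float, control_reduction: float,
          tolerance: float) -> str:
    """Pick a risk treatment.

    accept    - ALE is already within the organization's risk tolerance
    mitigate  - a control costs less per year than the ALE it removes
    transfer_or_avoid - otherwise, buy insurance or stop the activity
    """
    ale = risk.ale()
    if ale <= tolerance:
        return "accept"
    residual_ale = ale * (1 - control_reduction)
    if ale - residual_ale > control_cost:
        return "mitigate"
    return "transfer_or_avoid"


# Constructed inputs for the example: (risk, yearly control cost, control effectiveness)
CONSTRUCTED_RISKS = [
    (Risk("ransomware on file server", 500_000, 0.4, 0.10), 8_000, 0.8),
    (Risk("laptop theft", 2_000, 1.0, 2.0), 500, 0.5),
    (Risk("data centre flood", 2_000_000, 0.5, 0.01), 50_000, 0.9),
]
RISK_TOLERANCE = 5_000   # assumed: losses below this per year are simply accepted


def risk_register(tolerance: float = RISK_TOLERANCE):
    """Return (name, ALE, treatment) for every constructed risk."""
    return [(r.name, r.ale(), treat(r, cost, eff, tolerance))
            for r, cost, eff in CONSTRUCTED_RISKS]


if __name__ == "__main__":
    for name, ale, decision in risk_register():
        print(f"{name:28s} ALE={ale:>10,.0f}  ->  {decision}")
    print("qualitative (likelihood=2, impact=3):", qualitative_band(2, 3))
```

The flood case shows why transference exists as a separate option: the ALE exceeds tolerance, but the only control (relocation) costs far more per year than the loss it prevents, so insurance is the rational choice. Changing RISK_TOLERANCE moves items between "accept" and the other treatments, which is exactly what the Risk Tolerance entry means by a threshold.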

    Ransomware

    • Malicious software that locks the user out of a system, or encrypts its data, until a ransom is paid; tested offline backups are the main recovery control.

    Records

    • Recorded evidence of activities/outcomes (e.g., reports, forms) to verify organization's operations.

    Records Retention

    • Following rules for how long records are kept before destruction.

    Remanence

    • Residual data remaining on media after erasure/clearing.

    Request for Change (RFC)

    • Formal request for modification to a procedure, product, or process, submitted to start the change management workflow (not to be confused with the IETF's RFC documents).

    Risk

    • Measure of the extent to which an entity is threatened by a potential circumstance or event; a function of the adverse impact if it occurs and the likelihood that it occurs.

    Risk Acceptance

    • Choosing to proceed with a risky activity when benefits outweigh costs based on potential risk.

    Risk Assessment

    • Process evaluating risks in organization's operations, assets, etc.

    Risk Avoidance

    • Prevent/eliminate a risk based on its potential impact or likelihood when the potential benefits don't outweigh it.

    Risk Management

    • Structured approach to oversight and management of risk within an organization.

    Risk Management Framework

    • Structured approach to overseeing and managing risks in an organization, including phases of risk context, risk assessment, risk treatment, and risk monitoring.

    Risk Mitigation

    • Reducing risk impact/likelihood through implementing controls and procedures.

    Risk Tolerance

    • Organization's willingness to accept risk to achieve its goals. This also relates to risk threshold and acceptable risk.

    Risk Transference

    • Shifting risk impact to an outside party.

    Risk Treatment

    • Choosing the best options for handling a specific risk identified in an organization or system.

    Role-Based Access Control (RBAC)

    • Access control system granting user permissions based on their assigned roles.

    Rule

    • Instructions in an access control list for determining access privileges

    Security Controls

    • Management, operational, and technical controls to mitigate the impact/likelihood/consequence of threats or vulnerabilities affecting confidentiality, integrity, and availability of information systems.

    Security Governance

    • Policies, roles, and processes used for security decisions within an organization.

    Security Operations Center (SOC)

    • Centralized function for detecting/analyzing security events to prevent business disruptions.

    Segregation of Duties

    • Process ensuring that no single person can complete a critical task/process, and thus reducing possibility of insider threat activity.
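The Role-Based Access Control, Principle of Least Privilege, Subject/Object, Rule and Segregation of Duties entries describe one policy model from several angles. The added example below (written for this page, not taken from NIST SP 800-192 or any other cited source) implements that model in a few dozen lines: roles map to permissions, subjects get only the permissions of their roles, unknown subjects are denied by default, conflicting permission pairs are refused at provisioning time, and unused permissions are reported as least-privilege clean-up candidates. The roles, permissions, users and conflict pairs are constructed for the example.

```python
# Roles -> permissions. Least privilege: each role holds only what its job needs.
ROLES = {
    "clerk":    {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor":  {"invoice:read", "audit_log:read"},
    "admin":    {"user:create", "user:delete", "role:assign"},
}

# Segregation of duties: permission pairs that must never be held by one subject.
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),   # creator may not approve own invoice
    ("role:assign", "invoice:approve"),      # role admin may not also approve payments
]

# Subjects -> roles (constructed). "eve" deliberately violates SoD.
USERS = {"alice": {"clerk"}, "bob": {"approver"}, "eve": {"clerk", "approver"}}


def permissions_of(users: dict, user: str) -> set:
    """Effective permissions = union of the user's roles; unknown user -> empty set."""
    return set().union(*(ROLES[r] for r in users.get(user, set())))


def is_authorized(users: dict, user: str, action: str) -> bool:
    """Access decision: deny by default, allow only if some role grants the action."""
    return action in permissions_of(users, user)


def sod_violations(users: dict, user: str) -> list:
    """Conflicting permission pairs the user currently holds."""
    perms = permissions_of(users, user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def assign_role(users: dict, user: str, role: str) -> bool:
    """Provisioning step: add a role unless doing so would create a SoD conflict."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    trial = {user: users.get(user, set()) | {role}}
    if sod_violations(trial, user):
        return False                # refused; caller should route to an exception process
    users[user] = trial[user]
    return True


def unused_permissions(users: dict, user: str, used_actions: set) -> set:
    """Least-privilege review: permissions the user holds but has not exercised."""
    return permissions_of(users, user) - used_actions


if __name__ == "__main__":
    print("alice create?", is_authorized(USERS, "alice", "invoice:create"))
    print("alice approve?", is_authorized(USERS, "alice", "invoice:approve"))
    print("eve SoD violations:", sod_violations(USERS, "eve"))
    print("alice unused:", unused_permissions(USERS, "alice", {"invoice:create"}))
```

Checking conflicts at assignment time, rather than only at access time, is what turns segregation of duties from a detective control into a preventive one; the periodic `unused_permissions` review is the usual way privilege creep is caught in practice.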

    Sensitivity

    • Importance of information as deemed by its owner for protecting systems/data/operations.
    • Based on NIST SP 800-60 Vol. 1 Rev 1

    Simple Mail Transfer Protocol (SMTP)

    • Standard for sending and relaying email between mail servers; retrieving mail from a mailbox uses other protocols (e.g., IMAP, POP3).

    Single-Factor Authentication

    • Authentication using only one factor (e.g., password, PIN).

    Social Engineering

    • Manipulating people to gain unauthorized access to information systems (e.g., impersonating someone/offer).

    Software

    • Computer programs and associated data that may change dynamically during execution.

    Software as a Service (SaaS)

    • Cloud computing model where users use cloud provider's applications via a client/browser interface.

    Spoofing

    • Faking the sender address in a transmission to gain entry.

    State

    • Condition of an entity at a given point in time.

    Subject

    • Individual/process/device initiating information actions within a system.

    Symmetric Encryption

    • Algorithm using the same key for encryption and decryption.

    System Integrity

    • System performs functions as intended without unauthorized manipulation (intentional or accidental).

    Technical Controls

    • Components/measures in hardware/software preventing unauthorized access to/manipulation of a system.

    Threat

    • Circumstances/events jeopardizing organizational operations, assets, individuals, or the nation via information systems (unauth access, destruction, disclose, modify, or denial of service).
    • Based on NIST SP 800-30 Rev1

    Threat Actor

    • Individual/group attempting to exploit vulnerabilities to cause/force a threat.

    Threat Vector

    • Method of a threat actor to execute their intended objectives. (means)

    Token

    • Physical object (hardware token) used to authenticate a user's identity, e.g., a smart card or one-time-code generator; software tokens provide the same factor in an app.

    Transmission Control Protocol/Internet Protocol (TCP/IP) Model

    • Protocol model specifying four layers of internetworking functionality: Link, Internet, Transport, and Application.

    Turnstile

    • One-way entry control, allowing only one person at a time (entrance control)

    Unix

    • Operating system commonly used in software development.

    User Provisioning

    • Defining, managing, and removing user identities

    Virtual Local Area Network (VLAN)

    • Logical group of network devices appearing as one despite being physically separated.

    Virtual Private Network (VPN)

    • Encrypted, authenticated tunnel carried over an existing (untrusted) network, giving the effect of a private network between its endpoints.

    Vulnerability

    • Weakness in information/systems, procedures, or implementation, exploitable by threats.
    • Source: NIST SP 800-128

    Web Server

    • Computer providing web services, potentially accessible internally or publicly.

    Whaling Attack

    • Phishing attack targeted at highly placed officials/high-value individuals via large fund transfer requests.

    Wireless Local Area Network (WLAN)

    • Radio-based networks connecting devices/computers in a proximity.

    Zenmap

    • GUI for network scanner (e.g., Nmap) for network reconnaissance activities

    Related Documents

    Security Vocabulary PDF

    Description

    Test your knowledge on key concepts in risk management and information security. This quiz covers various aspects, including risk assessment, security controls, and change management. Challenge yourself with questions about records retention, access control systems, and more.
