Risk Management Fundamentals

Questions and Answers

What is one common motivation for perpetrators of cyber threats?

  • Curiosity
  • Technological advancement
  • Greed (correct)
  • Social justice

Which of the following is a best practice for managing threats within an IT infrastructure?

  • Providing extensive user training (correct)
  • Relying solely on antivirus software
  • Removing access controls
  • Limiting user access completely

What is a threat/vulnerability pair?

  • A threat preventing a vulnerability from occurring
  • A situation where a threat exploits a vulnerability (correct)
  • A strategy to develop multiple vulnerabilities
  • A vulnerability that cannot be exploited

How can vulnerabilities be mitigated according to best practices?

By reducing the impact of the loss (C)

What defines an exploit in the context of cybersecurity?

The act of exploiting a vulnerability (C)

What does a threat represent in the context of risk management?

Any circumstance with the potential to cause a loss (D)

What does the term 'security triad' refer to?

The protection of confidentiality, integrity, and availability (A)

Which of the following is NOT a step in risk management?

Monitoring employee performance (D)

Which action should be performed first when identifying risks?

Identify threats (D)

What is residual risk?

The risk that remains after applying controls (D)

Which choice is an acceptable way to handle risks?

Transfer, mitigate, avoid, or accept the risk (D)

Why is a cost-benefit analysis important in risk management?

To determine if the benefits of a control outweigh its costs (B)

What is the main goal of risk management?

To protect the organization and ensure business continuity (C)

What is defined as a weakness within an organization that can lead to potential loss?

Vulnerability (B)

Which of the following accurately defines a threat in risk management?

Any activity that represents a possible danger (C)

Which term best describes the measurable value of a company asset?

Tangible value (B)

What can be considered a consequence of compromising business functions?

Decreased sales revenue (C)

Which domain includes individuals like employees and contractors who can pose security risks?

User Domain (C)

Which of the following is NOT a component of business loss in risk management?

Increase in marketing expenses (D)

What type of malware is commonly associated with the workstation domain if not kept updated?

Malware (B)

How can organizations manage identified risks?

By implementing countermeasures or controls (B)

What type of value includes aspects that cannot be measured by cost, such as client confidence?

Intangible value (D)

Which domain serves as a connection point between the local area network and the wide area network?

LAN-to-WAN Domain (D)

What plays a role in increasing business costs according to risk management principles?

Identifying and managing risks (C)

What risk is primarily associated with the WAN domain?

Untrusted connections (B)

In a remote access domain, what technology is often used to provide secure connections for mobile workers?

Virtual private network (VPN) (D)

Which domain emphasizes the importance of protecting each individual device within a network?

LAN Domain (A)

What is the primary function of servers in the System/Application Domain?

To host and manage server-level applications (C)

Which domain could be exploited if an employee falls victim to a phishing attack?

User Domain (A)

What is the risk that remains after steps have been taken to reduce it?

Residual risk (D)

Which technique is primarily used for risk management?

Risk mitigation (A)

What type of threats are characterized by the absence of a specific perpetrator?

Unintentional threats (B)

Which category is NOT identified as a primary type of unintentional threat?

Sabotage (C)

What action can be taken to reduce the impact of environmental threats?

Purchasing insurance (C)

What equation illustrates the relationship between risk, vulnerability, and threats?

Risk x Vulnerability = Threat (C)

Which of the following is an intentional threat?

Sabotage by a disgruntled employee (C)

What is the first step in risk management?

Identifying risks that need to be reduced (C)

Flashcards

Risk

The possibility of a loss occurring due to an interaction between a threat and a vulnerability.

Threat

An activity or event that could cause harm or negative impact.

Vulnerability

A weakness or flaw that makes an asset or system susceptible to a threat.

Loss

The negative consequence of a threat exploiting a vulnerability.

Business Functions

The activities a business performs to sell products or services.

Business Assets

Anything of value to a company, including tangible and intangible aspects.

Risk Management Costs

The costs associated with managing and mitigating risks.

Seven Domains Risk Analysis

A method for assessing risks by analyzing different parts of an IT infrastructure.

LAN Domain

The area within an organization's firewall, which can host various interconnected systems (like employees' computers), and requires protection for every device to prevent vulnerability.

WAN Domain

A network of interconnected systems that extends beyond an organization's firewall, offering access to external resources, but posing a higher risk due to potential attackers.

LAN-to-WAN Domain

The gateway between a secure local network and a broader, less secure network, acting as a barrier to prevent unauthorized access.

User Domain

The part of the IT infrastructure that includes all individuals, whether they're employees, contractors, or consultants.

System/Application Domain

The collection of applications and servers within an IT infrastructure, running essential tasks like storing data, managing emails, and providing services.

Workstation Domain

The personal computer used by a user, often the initial target for malware because of its direct interface with the user.

Remote Access Domain

The method by which workers who are remotely located can access an organization's network, often utilizing VPN connections for secure access.

Risk assessment

The process of identifying and assessing potential threats, vulnerabilities, and the impact they could have on a specific area or system.

Mitigation

An action taken to reduce or eliminate a vulnerability, thereby reducing potential risks.

Risk Mitigation

A method for reducing risk by either lowering the likelihood of a threat occurring or minimizing the impact of an attack.

Exploit

The use of a vulnerability to compromise a system or steal data.

Threat/Vulnerability Pair

A combination of a threat and a vulnerability that creates a potential for harm or loss.

Residual Risk

Risks that remain after risk mitigation efforts have been implemented.

Risk Management

The process of identifying, assessing, and controlling risks.

Unintentional Threats

Events or occurrences that are not intentionally caused by a human.

Intentional Threats

Threats that are deliberately planned and carried out by a person or group.

Controls

Actions taken to reduce or eliminate vulnerabilities.

Cost-benefit analysis (CBA)

A method for deciding whether to implement controls by comparing the cost of the controls against the potential benefits of reducing risk.

Study Notes

Risk Management Fundamentals

  • Risk is the likelihood of a loss occurring when a threat exposes a vulnerability
  • Organizations of all sizes face risks, some severe enough to cause business failure, others minor and easily accepted
  • Key components of risk are threat, vulnerability, and loss
    • Threat: Any activity representing a possible danger
    • Vulnerability: A weakness in a system
    • Loss: A compromise to business operations
  • Risks to a business result in negative effects that can compromise business functions, assets, and overall costs
  • Business function compromise examples: Sales capabilities reduced (e.g., phone or email), website attack resulting in lost sales
  • Business asset compromise examples: Tangible assets (e.g., physical equipment) or intangible assets (e.g., client confidence), with potential value loss
  • Driver of business costs examples: Implementing countermeasures or controls to manage risk (e.g., antivirus software)

IT Infrastructure Risk Components

  • A typical IT infrastructure is examined as seven domains:
    • User domain: Users, employees, contractors, consultants
    • Workstation domain: End-user computers; susceptible to malware
    • LAN domain (within firewall): Local area network; individual devices must be protected or all are at risk
    • LAN-to-WAN domain: Connects LAN and WAN; LAN is trusted zone, WAN is untrusted
    • Remote access domain: Access for remote workers; protected area between trusted zone and untrusted zone
    • WAN domain (Internet): Untrusted zone with significant risk to public IP hosts
    • System/application domain: Servers hosting applications like email and databases
  • Attackers only need to exploit vulnerabilities in one domain to cause significant impact

Threats, Vulnerabilities, and Impact

  • Threats exploit vulnerabilities resulting in loss; impact assesses severity of loss
  • A threat is any circumstance or event with potential to cause loss; always present but can be controlled
  • Threats are attempts to exploit vulnerabilities, resulting in loss of confidentiality, integrity, or availability of an asset
  • Confidentiality, integrity, and availability (CIA) are key security objectives for information systems

Risk Management and Importance

  • Risk management involves identifying, assessing, controlling, and mitigating risks
  • Identifying relevant threats and vulnerabilities to the organization is crucial for reducing losses
  • Risk management aims to identify risks and implement controls to minimize them

Risk Management Elements

  • Risk assessment
  • Identifying risks to manage
  • Selecting controls
  • Implementing and testing controls
  • Evaluating controls

Identifying Risks

  • To identify risks, identify threats and vulnerabilities
  • Estimate the likelihood of threats exploiting vulnerabilities

Risk Management Techniques

  • Choosing how to handle a risk: avoid, transfer, mitigate, or accept
  • Cost-benefit analysis (CBA): Helps determine the best controls for implementation

Residual Risk

  • Residual risk is the risk that remains after applying controls

Summary

  • Risks occur when threats exploit vulnerabilities, impacting business functions, assets, and costs; risk management helps identify and reduce these risks
  • Initial steps for risk management: Identify threats and vulnerabilities and pair to identify risk severity

Managing Risks

  • Risk can be managed by avoiding, transferring, mitigating, or accepting the risk
  • Risk mitigation is also known as risk reduction or risk treatment; vulnerabilities are reduced by implementing controls

Managing Threats

  • Threats are part of the risk equation (Risk x Vulnerability = Threat)
  • Threats are classified as unintentional or intentional
  • Unintentional threats (environmental, human errors, accidents) can be managed through insurance, error reduction, prevention, and avoidance
  • Intentional threats are often motivated by greed, anger, or a desire to cause damage

Managing Vulnerabilities

  • A vulnerability is a weakness in an asset or environment; it can be a flaw in any system or business process
  • Vulnerabilities can be mitigated by reducing how often they are exploited or by reducing the impact that results when they are
  • Mitigation techniques must consider their initial and ongoing costs

Exploits

  • Exploits occur when threats leverage vulnerabilities
  • An exploit is the act of leveraging a vulnerability against a system
