Risk Management Fundamentals

Questions and Answers

What is a common motivation for perpetrators in committing attacks?

Desire for knowledge

Greed (correct)

Curiosity

Need for security

Which of the following is NOT considered a best practice for managing IT threats?

Use automation

Ignore access controls (correct)

Provide training

Create a security policy

What occurs when a threat exploits a vulnerability?

Security policy implementation

Threat/vulnerability pair (correct)

Risk control

Mitigation technique

What is one way to reduce potential risks associated with vulnerabilities?

Reduce the rate of occurrence

What is an exploit in the context of IT security?

The act of taking advantage of a vulnerability

What is the term for the risk that remains after steps have been taken to reduce it?

Residual risk

Which technique is primarily used in risk management?

Risk mitigation

What is a significant risk associated with the User Domain in IT security?

Human error and negligence

What type of threats includes natural events and human errors?

Unintentional threats

Which of the following accurately describes the Workstation Domain?

It represents the end user’s computer susceptible to malware.

How can businesses manage environmental threats?

Purchase insurance

Which statement is true regarding threats?

Threats are always present.

What distinguishes the LAN Domain from the WAN Domain?

The LAN Domain is typically controlled by a company.

What is the equation that describes the relationship between risk, vulnerability, and threats?

Risk x Vulnerability = Threat

What is a primary function of the Remote Access Domain?

Providing access to mobile workers for company resources.

Which of the following is NOT a method to address unintentional threats?

Implementing firewalls

Which domain represents an untrusted zone in the IT infrastructure?

WAN Domain

Which of the following vulnerabilities is specific to the LAN Domain?

Unpatched software in connected devices

What is a characteristic of intentional threats?

They have deliberate perpetrators involved.

What constitutes the System/Application Domain?

Servers that host client applications.

What is the role of firewalls in the LAN-to-WAN Domain?

To separate trusted and untrusted zones.

What does risk primarily represent in a business context?

The potential for a threat to cause a loss

Which of the following best defines a vulnerability in the context of risk management?

A weakness that can be exploited by a threat

How can risks to business functions affect overall business revenue?

They can lead to reduced sales and revenue

Which type of asset is characterized by its measurable value to a business?

Tangible asset

What role does risk play in determining business costs?

It serves as a driver of business costs that must be managed

What is the outcome of risks that lead to a compromise of business assets?

Loss of measurable value of the assets

How can implementing countermeasures help a business regarding risks?

By managing identified risks effectively

In risk management, what can cause a business to fail?

Severe risks that result in significant losses

What does the Domain Name System (DNS) do for clients?

It translates names to IP addresses.

What are the components of the security triad?

Confidentiality, Integrity, Availability

Which step is crucial in identifying risks within risk management?

Identifying vulnerabilities

What does residual risk refer to in risk management?

Risk that remains after applying controls

Which of the following is not a step in the risk management process?

Accepting all risks

How can organizations decide to handle risks?

By avoiding, transferring, mitigating, or accepting the risk

What is the primary goal of risk management?

To protect the organization and ensure continued operation

What is a cost-benefit analysis (CBA) used for in risk management?

To evaluate whether the benefits of implementing a specific control outweigh the costs

Study Notes

Risk Management Fundamentals

• Risk is the likelihood of a loss occurring, triggered when a threat exposes a vulnerability.
• Organizations of all sizes face risks, some severe enough to cause business failure, others minor enough to accept without further thought.
• Key elements of risk are threat, vulnerability, and loss.
• A threat is any activity representing a possible danger.
• A vulnerability is a weakness.
• A loss compromises business operations.
• Risks can lead to a loss negatively impacting a business.
• Types of business losses include: compromises in business functions, compromises in business assets, and drivers of business costs.
• Business function compromises affect product/service sales, leading to revenue loss.
  • Examples include reduced sales representative capabilities (phone/email) or website outages.
• Compromise of business assets occurs when an asset has the potential of losing value. Assets are tangible (cost) and intangible (e.g., client confidence).
• Risk also drives business costs, which entails measures like antivirus software implementation to reduce risk.
• A method to examine risk is through seven typical IT infrastructure domains.
• These domains can be examined separately and represent potential targets for attackers.
• IT infrastructure domains are, user, workstation, LAN, LAN-to-WAN, WAN, remote access, and system/application.
• Vulnerabilities in one domain can put the entire system at risk.
• The user domain encompasses users, employees, contractors, and consultants—frequently the weakest link in IT security.
• Workstation computers are susceptible to malicious software (malware) if not kept updated with patches.
• The LAN domain is inside the firewall, and devices must have protection to prevent risk.
• The LAN-to-WAN domain connects to the wide area network (WAN), which is treated as an untrusted zone.
• Remote access domains allow access when workers are away from the company and often involve dial-up or VPN connections.
• The WAN domain is the Internet and hosts are at high risk of attack.
• The system/application domain refers to mail, database, application, and domain name servers.
• A threat exploiting a vulnerability results in a loss. Impact identifies loss severity.
• These threats are always present, and although not eliminable, they can be controlled.
• Protection of confidentiality, integrity, and availability (CIA triad) are common security objectives
• Risk management practices involve identifying, assessing, controlling, and mitigating risks.
• Identifying relevant risk threats and vulnerabilities for an organization is an important initial step.
• Risk management includes elements: Risk assessment, identifying risks to manage, selection of controls, implementation and testing of controls, and evaluating controls.
• Identifying risks requires determining threats, identifying vulnerabilities, and estimating exploit likelihoods.
• Risk management techniques involve taking steps to avoid, transfer, mitigate, or accept risk and employing a cost-benefit analysis.
• Residual risk is the risk that remains after applying controls.
• The primary risk management technique is risk mitigation (risk reduction/treatment).

Threats, Vulnerabilities, and Impact

• Threats are attempts to exploit vulnerabilities that result in loss of confidentiality, integrity, or availability.
• Threats are always present and cannot be eliminated—mitigation can manage potential.

Understanding and Managing Threats

• Threats are part of the risk equation (Risk x Vulnerability = Threat).
• Threats can be uncontrollable (natural events, human error, and simple accidents), intentional (hostile acts), or unintentional.
• Organizational risk management plans can reduce operational impacts.

Understanding and Managing Vulnerabilities

• Vulnerabilities are weakness in assets, systems, or processes.
• Vulnerabilities can be mitigated by reducing occurrence rates/loss impact.
• Mitigation techniques should consider technique value, initial cost, and ongoing costs.

Understanding and Managing Exploits

• Exploits are the act of taking advantage of a vulnerability to gain an advantage.
• Understanding exploits is important for risk reduction.

Best Practices for Managing Threats in Your IT Infrastructure

• Best practices include establishing security policies, obtaining insurance, implementing appropriate access controls, using automation tools, providing training, and implementing antivirus software.
• Protect the boundary of your IT infrastructure, using firewalls.

Description

This quiz covers the essential concepts of risk management, focusing on the definitions and implications of risk, threat, vulnerability, and loss in business contexts. Understand how these elements can affect organizations and the types of losses they can incur. Test your knowledge on how to identify and manage risks effectively.