Risk Management Fundamentals

Questions and Answers

What is a common motivation for perpetrators in committing attacks?

• Desire for knowledge
• Greed (correct)
• Curiosity
• Need for security

Which of the following is NOT considered a best practice for managing IT threats?

• Use automation
• Ignore access controls (correct)
• Provide training
• Create a security policy

What occurs when a threat exploits a vulnerability?

• Security policy implementation
• Threat/vulnerability pair (correct)
• Risk control
• Mitigation technique

What is one way to reduce potential risks associated with vulnerabilities?

Reduce the rate of occurrence (D)

What is an exploit in the context of IT security?

The act of taking advantage of a vulnerability (A)

What is the term for the risk that remains after steps have been taken to reduce it?

Residual risk (C)

Which technique is primarily used in risk management?

Risk mitigation (C)

What is a significant risk associated with the User Domain in IT security?

Human error and negligence (B)

What type of threats includes natural events and human errors?

Unintentional threats (B)

Which of the following accurately describes the Workstation Domain?

It represents the end user’s computer susceptible to malware. (A)

How can businesses manage environmental threats?

Purchase insurance (C)

Which statement is true regarding threats?

Threats are always present. (B)

What distinguishes the LAN Domain from the WAN Domain?

The LAN Domain is typically controlled by a company. (A)

What is the equation that describes the relationship between risk, vulnerability, and threats?

Risk x Vulnerability = Threat (A)

What is a primary function of the Remote Access Domain?

Providing access to mobile workers for company resources. (C)

Which of the following is NOT a method to address unintentional threats?

Implementing firewalls (D)

Which domain represents an untrusted zone in the IT infrastructure?

WAN Domain (A)

Which of the following vulnerabilities is specific to the LAN Domain?

Unpatched software in connected devices (D)

What is a characteristic of intentional threats?

They have deliberate perpetrators involved. (C)

What constitutes the System/Application Domain?

Servers that host client applications. (A)

What is the role of firewalls in the LAN-to-WAN Domain?

To separate trusted and untrusted zones. (A)

What does risk primarily represent in a business context?

The potential for a threat to cause a loss (C)

Which of the following best defines a vulnerability in the context of risk management?

A weakness that can be exploited by a threat (C)

How can risks to business functions affect overall business revenue?

They can lead to reduced sales and revenue (D)

Which type of asset is characterized by its measurable value to a business?

Tangible asset (C)

What role does risk play in determining business costs?

It serves as a driver of business costs that must be managed (C)

What is the outcome of risks that lead to a compromise of business assets?

Loss of measurable value of the assets (C)

How can implementing countermeasures help a business regarding risks?

By managing identified risks effectively (B)

In risk management, what can cause a business to fail?

Severe risks that result in significant losses (D)

What does the Domain Name System (DNS) do for clients?

It translates names to IP addresses. (B)

What are the components of the security triad?

Confidentiality, Integrity, Availability (A)

Which step is crucial in identifying risks within risk management?

Identifying vulnerabilities (A)

What does residual risk refer to in risk management?

Risk that remains after applying controls (C)

Which of the following is not a step in the risk management process?

Accepting all risks (C)

How can organizations decide to handle risks?

By avoiding, transferring, mitigating, or accepting the risk (A)

What is the primary goal of risk management?

To protect the organization and ensure continued operation (B)

What is a cost-benefit analysis (CBA) used for in risk management?

To evaluate whether the benefits of implementing a specific control outweigh the costs (C)

Flashcards

Risk Management

The process of identifying, analyzing, and mitigating potential threats to an IT infrastructure.

Attacker

A person who attempts to gain unauthorized access to a computer system or network.

User Domain

The people who use a computer system, including employees, contractors, and consultants.

Workstation Domain

The end-user's computer, vulnerable to malware and security issues.

LAN Domain

The network within a company's firewall, containing all connected devices.

LAN-to-WAN Domain

The connection between a local area network (LAN) and the wider internet.

WAN Domain

The public internet, a high-risk zone for attackers.

System/Application Domain

Servers dedicated to hosting applications and databases, crucial for business operations.

Vulnerability

A weakness in an asset or environment that can be exploited by a threat.

Exploit

Any action that takes advantage of a vulnerability to cause harm.

Mitigation

A strategy to lessen the impact or frequency of vulnerabilities.

Threat/Vulnerability Pair

A combination of a threat and a vulnerability, where the threat can potentially exploit the vulnerability.

Security Policy

A set of rules and guidelines that define how an organization manages its IT security.

Threat

A circumstance or event with the potential to cause harm or loss.

Impact

The negative outcome resulting from a threat exploiting a vulnerability.

Risk Assessment

A method to evaluate the likelihood and potential impact of a risk.

Residual Risk

The risk that remains after implementing controls.

Cost-Benefit Analysis (CBA)

The practice of analyzing the costs and benefits of implementing a control.

Security Triad

Protecting the confidentiality, integrity, and availability of data and systems.

Risk

The possibility of a loss occurring when a threat exploits a weakness.

Loss

The negative consequence that occurs when a threat exploits a vulnerability, resulting in damage or disruption.

Business Functions

The activities a business performs to sell products or services, such as sales, marketing, and customer support.

Business Assets

Anything that holds measurable value for a company, including tangible assets like equipment and intangible assets like brand reputation.

Risk Management Costs

The cost incurred to mitigate or manage risks, such as implementing security measures.

Domain-Based Risk Assessment

A method of examining potential risks within different areas of an IT infrastructure, such as network security, data storage, and application security.

Risk mitigation

A strategy used to reduce the likelihood or impact of a threat.

Unintentional Threats

Threats that are unintentional, such as natural disasters or human errors.

Intentional Threats

Threats that are deliberate and malicious, such as cyberattacks or physical attacks.

Study Notes

Risk Management Fundamentals

• Risk is the likelihood of a loss occurring, triggered when a threat exposes a vulnerability.
• Organizations of all sizes face risks, some severe enough to cause business failure, others minor enough to accept without further thought.
• Key elements of risk are threat, vulnerability, and loss.
• A threat is any activity representing a possible danger.
• A vulnerability is a weakness.
• A loss compromises business operations.
• Risks can lead to a loss negatively impacting a business.
• Types of business losses include: compromises in business functions, compromises in business assets, and drivers of business costs.
• Business function compromises affect product/service sales, leading to revenue loss.
  • Examples include reduced sales representative capabilities (phone/email) or website outages.
• Compromise of business assets occurs when an asset has the potential of losing value. Assets are tangible (cost) and intangible (e.g., client confidence).
• Risk also drives business costs, which entails measures like antivirus software implementation to reduce risk.
• A method to examine risk is through seven typical IT infrastructure domains.
• These domains can be examined separately and represent potential targets for attackers.
• IT infrastructure domains are, user, workstation, LAN, LAN-to-WAN, WAN, remote access, and system/application.
• Vulnerabilities in one domain can put the entire system at risk.
• The user domain encompasses users, employees, contractors, and consultants—frequently the weakest link in IT security.
• Workstation computers are susceptible to malicious software (malware) if not kept updated with patches.
• The LAN domain is inside the firewall, and devices must have protection to prevent risk.
• The LAN-to-WAN domain connects to the wide area network (WAN), which is treated as an untrusted zone.
• Remote access domains allow access when workers are away from the company and often involve dial-up or VPN connections.
• The WAN domain is the Internet and hosts are at high risk of attack.
• The system/application domain refers to mail, database, application, and domain name servers.
• A threat exploiting a vulnerability results in a loss. Impact identifies loss severity.
• These threats are always present, and although not eliminable, they can be controlled.
• Protection of confidentiality, integrity, and availability (CIA triad) are common security objectives
• Risk management practices involve identifying, assessing, controlling, and mitigating risks.
• Identifying relevant risk threats and vulnerabilities for an organization is an important initial step.
• Risk management includes elements: Risk assessment, identifying risks to manage, selection of controls, implementation and testing of controls, and evaluating controls.
• Identifying risks requires determining threats, identifying vulnerabilities, and estimating exploit likelihoods.
• Risk management techniques involve taking steps to avoid, transfer, mitigate, or accept risk and employing a cost-benefit analysis.
• Residual risk is the risk that remains after applying controls.
• The primary risk management technique is risk mitigation (risk reduction/treatment).

Threats, Vulnerabilities, and Impact

• Threats are attempts to exploit vulnerabilities that result in loss of confidentiality, integrity, or availability.
• Threats are always present and cannot be eliminated—mitigation can manage potential.

Understanding and Managing Threats

• Threats are part of the risk equation (Risk x Vulnerability = Threat).
• Threats can be uncontrollable (natural events, human error, and simple accidents), intentional (hostile acts), or unintentional.
• Organizational risk management plans can reduce operational impacts.

Understanding and Managing Vulnerabilities

• Vulnerabilities are weakness in assets, systems, or processes.
• Vulnerabilities can be mitigated by reducing occurrence rates/loss impact.
• Mitigation techniques should consider technique value, initial cost, and ongoing costs.

Understanding and Managing Exploits

• Exploits are the act of taking advantage of a vulnerability to gain an advantage.
• Understanding exploits is important for risk reduction.

Best Practices for Managing Threats in Your IT Infrastructure

• Best practices include establishing security policies, obtaining insurance, implementing appropriate access controls, using automation tools, providing training, and implementing antivirus software.
• Protect the boundary of your IT infrastructure, using firewalls.