Security Engineering Principles Quiz
96 Questions

Questions and Answers

Which of the following is NOT a core principle of security engineering?

  • Integrity
  • Confidentiality
  • Availability
  • Efficiency (correct)

Non-repudiation ensures that data is accurate and complete.

False (B)

What is the primary goal of security engineering?

To design and build dependable systems that remain protected against malicious threats.

Verifying the identity of users and systems is known as ______.

authentication

Match the following security engineering practices with their descriptions:

  • Secure Software Development = Incorporating security into the software development lifecycle
  • Network Security = Protecting network traffic using firewalls and intrusion detection systems
  • Access Control = Restricting access based on user roles
  • Encryption = Protecting data by converting it into unreadable code

Which objective of security engineering involves meeting regulatory requirements for security measures?

Ensuring Compliance (A)

Authorization is the process of verifying a user's identity.

False (B)

Name two techniques used in security engineering to maintain data integrity.

Checksums and Digital Signatures.

Using firewalls and intrusion detection systems to protect network traffic is part of ______ security.

network

What does encryption primarily achieve in security engineering?

Protecting data confidentiality (C)

Which of the following is NOT considered a type of cyber threat?

Hardware malfunction (C)

Using default passwords is a recommended security practice.

False (B)

Which of the following best describes a cyber vulnerability?

A weakness or flaw that could be exploited. (C)

What type of vulnerability is caused by a lack of user awareness or training?

human vulnerabilities

A vulnerability alone poses a risk to an organization, even without an active threat.

False (B)

What type of cyber threat involves tricking individuals into providing sensitive information by posing as a trustworthy entity?

phishing

Implementing strong password policies and using multi-factor authentication are mitigations for ______ vulnerabilities.

human

A ___________ attack aims to overwhelm a system, network, or website, making it unavailable to users.

denial of service

Which of the following is a mitigation strategy for network vulnerabilities?

Implementing firewalls (D)

Match each vulnerability type with its description:

  • Software Vulnerability = Weaknesses in applications
  • Network Vulnerability = Weaknesses in network infrastructure
  • Configuration Vulnerability = Weaknesses from improper system setups
  • Human Vulnerability = Weaknesses from employee actions

Match the following cyber threats with their descriptions:

  • Malware = Malicious software designed to disrupt or damage systems.
  • Man-in-the-Middle = An attacker intercepts communications between two parties.
  • Insider threat = Threats posed by individuals within an organization.
  • APT = Prolonged and targeted cyberattacks to steal data.

Addressing vulnerabilities does not directly contribute to maintaining trust with stakeholders.

False (B)

Which of the following is NOT an example of malware?

Phishing (C)

Updating software can help mitigate software vulnerabilities.

True (A)

What tool can be used to manage system and application settings, helping to prevent configuration vulnerabilities?

configuration management tools

What is the term for a prolonged and targeted cyberattack where attackers establish a foothold within a network?

advanced persistent threat

Which of these is a recommended mitigation strategy for Man-in-the-Middle attacks?

Implementing strong authentication mechanisms. (C)

___________ are flaws or weaknesses in software code that can be exploited.

software vulnerabilities

Which of the following describes a qualitative risk assessment?

Uses expert judgment to evaluate risks subjectively (C)

Quantitative risk assessment is generally less expensive than qualitative risk assessment.

False (B)

What type of risk assessment combines both qualitative and quantitative methods?

hybrid risk assessment

The NIST RMF integrates risk management into the system development life cycle, also known as the ______.

SDLC

What is the primary goal of a risk assessment?

To identify, evaluate, and prioritize risks (C)

Match the following risk assessment methodologies with their primary characteristics:

  • Qualitative = Subjective, relies on expert judgment
  • Quantitative = Objective, uses numerical data
  • Hybrid = Combines qualitative and quantitative methods
  • NIST RMF = Structured approach, integrates risk into SDLC

The NIST Risk Management Framework is only applicable to federal organizations.

False (B)

In a quantitative risk assessment, what is calculated for each risk?

expected monetary loss

Which of these is NOT a primary step in qualitative risk assessment?

Gather quantitative data on the likelihood and impact of each risk (B)

Prioritizing risks in a risk assessment is based on their severity and ______.

likelihood

Which of the following is NOT a typical step in implementing risk assessment methodologies?

Develop Marketing Strategies (C)

Risk assessments should only be performed once at the beginning of a project.

False (B)

What is a primary benefit of a risk assessment?

Proactive Risk Management

A risk assessment helps prioritize risks and allocate resources effectively based on their potential _______.

impact

Match the risk assessment methodologies with their description:

  • Qualitative = Uses descriptive scales for risk analysis
  • Quantitative = Uses numerical values for risk analysis
  • Hybrid = Combines both qualitative and quantitative methods
  • NIST RMF = Framework published by the National Institute of Standards and Technology

Which of these is a disadvantage of using the ISO/IEC 27005 standard?

May be complex for smaller organizations. (B)

ISO/IEC 27005 is not aligned with ISO/IEC 27001.

False (B)

Besides addressing vulnerabilities, what other key benefit does risk assessment offer?

Improved decision-making

What is the primary goal of impact analysis in security engineering?

To assess the potential consequences of risks (D)

Impact analysis is solely concerned with the financial consequences of a risk event.

False (B)

What is the first step in conducting an impact analysis?

Identify critical assets and processes

Quantifying impact levels involves assigning ______ or qualitative values to the potential consequences.

quantitative

Which of the following is a benefit of conducting impact analysis?

Informed decision-making (D)

Match the following types of impacts with their descriptions:

  • Financial Impact = Monetary losses from a risk event
  • Operational Impact = Disruptions to business operations
  • Reputational Impact = Damage to an organization's trustworthiness
  • Legal and Regulatory Impact = Consequences related to laws and regulations

Impact analysis only considers financial impacts.

False (B)

Which of the following is an example of a potential operational impact?

Network outages affecting customer service (C)

What does safety impact refer to?

The potential harm to individuals' safety and well-being resulting from a risk event.

By assessing and mitigating high-impact risks, organizations can enhance their ______ to disruptions.

resilience

Prioritizing risks based on impact helps to allocate resources efficiently.

True (A)

Which of the following is NOT a step in the impact analysis process?

Ignoring documented findings (A)

What are some indirect costs associated with financial impact?

Lost revenue and decreased productivity

Match the type of impact with its description:

  • Financial Impact = Loss of revenue, increased costs
  • Operational Impact = Disruption to business processes
  • Reputational Impact = Damage to brand image
  • Legal and Regulatory Impact = Fines or penalties

A data breach is an example of a risk that can cause both financial and ______ impact.

reputational

Impact analysis does not contribute to compliance and regulatory adherence.

False (B)

Which step in impact analysis involves considering historical data and expert judgement?

Determine Likelihood of Impact (C)

What is the significance of prioritizing risks in impact analysis?

It allows organizations to allocate resources to areas that need the most attention.

Which risk mitigation strategy involves eliminating the activity that causes the risk?

Avoidance (D)

Accepting a risk means ignoring it completely and not monitoring its potential impact.

False (B)

What is the most common risk mitigation strategy?

Reduction

Transferring risk to a third party, like an insurance company, is known as risk ________.

sharing

Match each risk mitigation strategy with its description:

  • Avoidance = Eliminating activities that expose the organization to risk
  • Reduction = Implementing measures to lessen likelihood or impact of a risk
  • Sharing = Transferring the risk to another party
  • Acceptance = Acknowledging the risk and not implementing control

What is the first step in implementing any risk mitigation strategy?

Assess Risks and Identify Controls (D)

Which of the following is NOT one of the listed steps for implementing risk mitigation strategies?

Ignore stakeholder concerns (A)

Risk mitigation strategies should only be reviewed and updated when a security incident occurs.

False (B)

Risk mitigation strategies should be reviewed and updated only when a security breach occurs.

False (B)

Creating detailed plans for implementing chosen mitigation strategies, including steps, responsibilities, and timelines is known as developing ______ plans.

mitigation

Which of the following is an example of a risk deterrent?

Legal warnings and visible security measures (D)

What type of controls are applied in risk reduction?

Technical, administrative, and physical

What does implementing controls primarily involve?

Deploying technical solutions and updating policies (C)

What is the purpose of fostering a security culture within an organization?

To promote security awareness and diligence among employees.

A cost-benefit analysis helps determine if a risk is _________.

acceptable

Match the following risk mitigation strategies with their descriptions:

  • Avoidance = Eliminating the risk by not engaging in the activity
  • Reduction = Minimizing the likelihood or impact of the risk
  • Sharing = Transferring risk to a third party
  • Acceptance = Acknowledging the risk and deciding not to mitigate it actively

Which of the following is NOT considered a best practice for risk mitigation?

Avoid stakeholder engagement (B)

Continuous monitoring involves regularly reviewing mitigation strategies to address new and emerging risks.

True (A)

Which of the following is an example of a technical security control?

Firewalls (D)

Administrative controls are implemented through technology to protect systems and data.

False (B)

What does MFA stand for?

Multi-factor authentication

Implementing multiple layers of security controls is known as ______.

layered security

Match the following security control types with their descriptions:

  • Technical Controls = Implemented through technology
  • Administrative Controls = Policies and procedures that govern security
  • Physical Controls = Measures that protect the physical environment and assets

Which step is essential when implementing security controls within an organization?

Identifying the organization's security requirements (A)

Security controls should be implemented once and then require no further maintenance.

False (B)

What is the benefit of conducting regular security audits?

Identify weaknesses and vulnerabilities

An incident response plan is an example of an ______ control.

administrative

Match these security practices with a benefit:

  • Layered Security = Slows down potential attackers
  • Regular Training and Awareness = Reduces human error
  • Automation and Integration = Faster detection of threats

Automated patch management is an example of a physical control.

False (B)

What is the purpose of security information and event management (SIEM) systems?

To detect security incidents

Security policies fall under the category of _______ controls.

administrative

Match each term with its description:

  • Technical Controls = Implemented through technology
  • Physical Controls = Protect the physical environment
  • Administrative Controls = Organizational policies and procedures

Flashcards

What is Security Engineering?

The practice of building secure systems using engineering principles.

Confidentiality

Ensuring sensitive information is only accessible to authorized users.

Integrity

Maintaining data accuracy and completeness, preventing unauthorized changes.

Availability

Guaranteeing information and systems are accessible to authorized users when needed.

Authentication

Verifying the identity of users and systems.

Authorization

Controlling access to resources based on user roles and permissions.

Non-repudiation

Ensuring actions or transactions cannot be denied after they occur.

Secure Software Development

Building secure software through code reviews, secure coding practices, and security testing.

Network Security

Protecting network traffic with firewalls, intrusion detection/prevention systems (IDS/IPS), and VPNs.

Incident Response Planning

Developing plans to respond to security incidents efficiently, including communication channels and drills.

Vulnerability

A weakness or flaw in a system that could potentially be exploited by a threat.

Threat

A source of harm or danger that could potentially exploit a vulnerability.

Risk

The potential for a threat to exploit a vulnerability.

Malware

Malicious software designed to harm computer systems.

Phishing

A type of social engineering attack where attackers trick someone into providing sensitive information.

Denial of Service (DoS)

An attack aimed at overwhelming a system or service with traffic, making it unavailable to users.

Distributed Denial of Service (DDoS)

A type of DoS attack where attackers use multiple devices to flood a target.

Man-in-the-Middle (MitM) Attack

An attack where an attacker intercepts and possibly alters communication between two parties.

Insider Threat

Threats originating from individuals within the organization, intentionally or unintentionally causing harm.

Advanced Persistent Threats (APTs)

Prolonged and targeted cyberattacks designed to steal data or disrupt operations.

Network Vulnerability

Weaknesses in a network infrastructure that can be exploited by attackers. Examples include insecure configurations, unpatched routers, and lack of encryption.

Configuration Vulnerability

Problems caused by incorrect system or application configurations. This can include using default passwords, enabling unnecessary services, or misconfigured access controls.

Human Vulnerability

Weaknesses caused by human actions like using weak passwords, clicking phishing links, or accidentally sharing sensitive data.

Mitigation Strategies

Actions taken to protect against cyber threats and vulnerabilities, including using security tools, educating users, and conducting regular assessments.

Secure System Design

The practice of designing and building secure systems using engineering principles. It considers security throughout the development cycle to prevent security vulnerabilities.

Define Objectives & Scope

Clearly define the goals and boundaries for the risk assessment, determining which assets, systems, and processes will be evaluated.

Identify Risks

Identify potential threats, vulnerabilities, and risks using methods like brainstorming, threat modeling, and vulnerability assessments.

Analyze & Evaluate Risks

Assess the likelihood and impact of each identified risk.

Document Findings

Document the identified risks, likelihood and impact, and the prioritized list of risks.

Develop Risk Mitigation Strategies

Develop strategies to mitigate or manage identified risks.

Review & Update Regularly

Regularly review and update the risk assessment as the threat landscape, organizational structure, or technology environment changes.

Proactive Risk Management

Enables organizations to proactively identify and address potential risks before they materialize.

Resource Allocation

Prioritize risks and allocate resources effectively to areas with the highest potential impact.

What is risk assessment?

A systematic process of identifying potential risks, analyzing their impact and likelihood, and determining appropriate measures to mitigate or manage these risks.

Qualitative Risk Assessment

A subjective approach that evaluates risks based on their severity and likelihood using expert judgment. Risks are categorized as high, medium, or low.

Quantitative Risk Assessment

An objective approach that uses numerical data and statistical methods to quantify risks. It assigns monetary values to the potential impact and likelihood of risks.

Hybrid Risk Assessment

Combines elements of qualitative and quantitative risk assessment to leverage the strengths of both approaches.

NIST RMF (Risk Management Framework)

A structured, comprehensive approach developed by NIST that integrates risk management into the system development life cycle (SDLC).

Categorizing Information Systems in NIST RMF

The first step in the NIST RMF process, where information systems are categorized based on the sensitivity of the data they process.

Selecting Security Controls in NIST RMF

The second step in the NIST RMF process, where appropriate security controls are selected based on the categorization of the information system.

Implementing Security Controls in NIST RMF

The third step in the NIST RMF process, where the selected security controls are implemented and configured.

Assessing Security Controls in NIST RMF

The fourth step in the NIST RMF process, where the effectiveness of the implemented security controls is assessed to identify any gaps or weaknesses.

Authorizing Information Systems in NIST RMF

The fifth step in the NIST RMF process, where the information system is authorized for operation once the security controls are deemed effective.

Safety Impact

The potential harm to individuals' safety and well-being resulting from a risk event. This includes physical harm, health risks, and safety violations.

Impact Analysis

A process of analyzing the potential consequences of risks on an organization's operations, assets, and individuals.

Benefits of Impact Analysis: Informed Decision-Making & Resource Allocation

It helps prioritize risk mitigation efforts and allocate resources effectively, ensuring efforts are focused on mitigating the most significant threats.

Benefits of Impact Analysis: Improved Risk Management & Enhanced Resilience

By analyzing impacts, you can improve your overall risk management strategy, develop targeted mitigation plans, and enhance resilience to adverse events.

Benefits of Impact Analysis: Compliance and Regulatory Adherence

Impact analysis helps organizations comply with regulations by identifying risks that could lead to legal penalties and implementing measures to meet compliance standards.

Steps Involved in Impact Analysis

The process of identifying critical assets, assessing potential impacts, quantifying impact levels, determining likelihood, prioritizing risks, and documenting findings.

Types of Impacts to Consider

Financial, operational, reputational, legal and regulatory, and safety impacts.

Key Takeaways of Impact Analysis

Impact analysis helps to create a better understanding of the potential consequences of risks, enabling informed decision-making, effective resource allocation, improved risk management, regulatory adherence, and enhanced organizational resilience.

What is impact analysis?

Examining the potential effects of identified risks on an organization's operations, assets, and individuals.

What is the first step of impact analysis?

Identifying which assets and processes are crucial for an organization's smooth functioning.

What is the second step of impact analysis?

Evaluating the possible consequences of identified risks on critical assets and processes, considering financial, operational, reputational, and legal impacts.

What is the fourth step of impact analysis?

Assessing the likelihood of each risk materializing and causing the evaluated impact.

What are the different types of impact considered in an impact analysis?

Financial, operational, reputational, legal, and safety.

What is financial impact?

The potential monetary losses an organization could face due to a risk event.

What is operational impact?

The disruption to business operations caused by a risk event.

What is reputational impact?

The damage to an organization's trustworthiness and overall image caused by a risk event.

What is legal and regulatory impact?

The legal and regulatory consequences of a risk event, including fines, penalties, and legal actions.

What is safety impact?

The potential threat to the safety of individuals or assets due to a risk event.

What is Risk Mitigation?

The process of implementing actions to reduce the likelihood and impact of identified cyber risks.

Risk Mitigation: Avoidance

This strategy completely avoids activities or conditions that expose the organization to risk. It's used when a risk is unacceptable.

Risk Mitigation: Reduction

This strategy reduces the likelihood or impact of a risk event. It's the most common approach.

Risk Mitigation: Sharing

Shifting the risk to another party, for example by purchasing insurance or outsourcing.

Risk Mitigation: Acceptance

Accepting the risk and choosing not to implement additional controls when the cost outweighs the potential impact.

Risk Mitigation: Deterrence

This strategy discourages attackers from trying to exploit vulnerabilities.

Steps for Implementing Risk Mitigation Strategies

This involves identifying controls, creating plans, implementing them, and then monitoring their effectiveness over time.

What is the first step in implementing risk mitigation strategies?

Evaluating risks, identifying relevant controls, and implementing these controls to reduce risk levels.

What is the second step in implementing risk mitigation strategies?

Creating detailed plans for implementing mitigation strategies, including timelines, resources, and responsibilities.

What is the third step in implementing risk mitigation strategies?

Putting the controls into action, which can involve technical solutions, policy updates, and awareness programs.

Risk Assessment and Control Identification

Evaluating identified risks and determining the most effective ways to reduce their impact. It involves identifying specific controls and measures to minimize the likelihood and effects of each risk.

Developing Mitigation Plans

Creating comprehensive plans for implementing chosen risk mitigation strategies. These plans outline steps, responsibilities, and timelines for each action, ensuring alignment with organizational goals and resources.

Implementing Controls

Putting the identified controls into action. This can involve deploying technical solutions, updating policies, and conducting training programs.

Monitoring and Reviewing Mitigation Strategies

Continuously checking the effectiveness of implemented controls and updating mitigation strategies regularly. It involves periodic assessments to ensure ongoing protection against new threats.

Communicating and Educating Stakeholders

Communicating risk mitigation strategies to all stakeholders and providing resources to ensure employees understand their roles in risk management. It fosters a culture of security awareness and vigilance.

Regularly Updating Controls

Ensuring security controls are regularly updated to address new threats and vulnerabilities. This involves keeping software, hardware, and policies up-to-date to stay ahead of evolving risks.

Continuous Monitoring

Utilizing tools and technologies to continuously monitor for security incidents in real-time. It enables proactive detection and response to potential threats.

Engaging Stakeholders

Involving all relevant stakeholders in the risk mitigation process, ensuring everyone understands their roles and responsibilities in managing risks.

What are security controls?

Safeguards implemented to protect information systems and reduce the risk of security breaches.

What are technical controls?

Security controls implemented through technology to protect systems and data.

What are administrative controls?

Policies, procedures, and practices that guide how security measures are implemented and managed.

What are physical controls?

Security measures that protect physical assets and environments.

What is layered security (defense in depth)?

Implementing multiple layers of security controls for comprehensive protection against attacks.

What is regular training and awareness?

Providing ongoing training and awareness programs to educate employees about security policies and threats.

What is automation and integration?

Using automated tools to streamline security processes and reduce human error.

What are audits and assessments?

Regularly assessing security controls to identify weaknesses and vulnerabilities.

What are the steps for implementing security controls?

Implementing controls based on the organization's needs, effectiveness, costs, and regulations.

What is identifying security requirements?

Determining the organization's security requirements and identifying assets that need protection.

What is selecting appropriate controls?

Choosing security controls that address identified risks and meet the organization's requirements.

What is developing and documenting policies?

Creating detailed policies and procedures for implementing and managing security controls.

What is deploying technical controls?

Implementing technical controls, like firewalls and encryption, to secure information systems.

What is enforcing administrative controls?

Establishing and enforcing administrative controls, like security policies and incident response plans.

What is implementing physical controls?

Installing physical security measures, such as surveillance cameras and security guards, to protect critical assets.