Security Risk Management Chapter 4
116 Questions

Questions and Answers

What is the primary goal of a threat assessment?

  • To assess historical risks
  • To identify and evaluate potential threats (correct)
  • To review system documentation
  • To perform vulnerability scans

Threat assessments are performed indefinitely over time.

False

What are the three impacts that threats can have on information systems?

Confidentiality, Integrity, Availability

A threat assessment evaluates the _____ of a threat's frequency.

estimate

Which technique helps ensure that data is not modified or destroyed?

Hashing

Match the following terms with their definitions:

  • Threat = An activity that represents a possible danger
  • Vulnerability = A weakness that can be exploited
  • Exploit = The act of taking advantage of a vulnerability
  • Risk = The potential for loss or damage when a threat exploits a vulnerability

The success of a vulnerability assessment often relies on reviewing system logs and _____ trails.

audit

What is the primary function of an Intrusion Detection System (IDS)?

To send alerts when intrusions are detected

A host-based IDS is installed on multiple systems throughout a network.

False

What information is recorded when auditing is enabled on a folder?

User name, accessed file, time of access, server or computer used.

An automated system has the capability of examining logs from multiple __________.

sources

Match the following agents with their functions in a network-based IDS:

  • Agent 1 = Identifies attacks from the Internet
  • Agent 2 = Reports attacks that get through the external firewall
  • Agent 3 = Monitors attacks through the second firewall of the DMZ

What is a primary purpose of implementing fault tolerance strategies?

To ensure systems continue to operate during an outage

Natural threats are primarily caused by human actions.

False

Name one common threat from internal sources.

Unintentional access

A disgruntled employee could cause __________ to data if their access is not properly controlled.

corruption

Match the following threats to their categories:

  • Phishing = Human threat - Unintentional
  • Flood = Natural threat
  • Unauthorized access = Human threat - Intentional
  • Earthquake = Natural threat

Which of the following events is categorized as a natural threat?

Tornado

Accidental access to data by employees poses no risk to organizations.

False

What should be done with a terminated employee’s user account?

It should be deleted or disabled.

External attackers can include __________ trying to launch denial of service attacks.

hackers

How frequently are automated vulnerability scans typically performed?

Weekly

Internal vulnerability assessments are conducted by personnel outside the company.

False

What type of assessment is typically conducted on an annual basis to evaluate security controls?

Audit

A successful __________ attack may indicate that the system is not being updated often enough.

buffer overflow

Match the type of assessment with its description:

  • Internal assessments = Conducted by in-house security personnel
  • External assessments = Performed by outside consultants
  • Audit = Annual evaluation of security controls
  • Vulnerability scans = Automated checks for security weaknesses

Which of the following is NOT a source for documentation review during a vulnerability assessment?

User satisfaction surveys

External personnel are usually less effective at quickly identifying security weaknesses than in-house staff.

False

What practice is used to improve the effectiveness of vulnerability assessments?

Reviewing past assessment reports

The process of evaluating security controls includes documenting incidents and __________ reports.

outage

What is one of the steps taken during a vulnerability assessment?

Documentation review

Which of the following is NOT one of the seven domains of a typical IT infrastructure?

Physical Domain

Threat modeling requires understanding both hardware and software failures in a system.

True

What is the first step in performing threat modeling?

Identify the assets you want to evaluate.

The seven domains of a typical IT infrastructure include the User Domain, __________ Domain, LAN Domain, and System/Application Domain.

Workstation

Match the following domains with their descriptions:

  • User Domain = Where end-users interact with systems
  • LAN Domain = Local area network environments
  • WAN Domain = Wide area network connectivity
  • Remote Access Domain = Access from external locations

What is one best practice when evaluating threats across the seven domains?

Verify that systems operate as expected

Internal users cannot misuse a system.

False

Name one question to ask when performing threat modeling.

Is the system susceptible to attacks?

Understanding data ______ is essential to perform effective threat assessments.

flow

Which of the following best describes asset management?

Identifying and evaluating important assets within an organization

What is the main issue caused by scope creep in software development?

Increased functionality without planning

Access controls testing verifies that users have more permissions than they need for their jobs.

False

What is a 'right' in the context of access controls?

A right grants the authority to perform an action on a system.

Scope creep refers to the addition of functionalities that are outside the scope of the original __________ specifications.

product

What is spear-phishing?

Targeted phishing attempts from within a company

Threat modeling is a straightforward process that requires minimal effort.

False

What are two techniques for identifying threats?

Review historical data and perform threat modeling.

A lack of physical control over laptops often leads to ______ of hardware and compromised data.

theft

Match each type of threat with its description:

  • Forwarding viruses = Infected emails being shared unknowingly
  • Spear-phishing = Targeted email deception from known individuals
  • Lack of laptop control = Risk of theft and data compromise
  • Historical data review = Analyzing past incidents to identify threats

What is the final step in a threat assessment?

Providing a report of findings

What does a threat assessment report typically include?

Findings, threats, likelihood, and identified costs.

Threat modeling requires understanding the flow of data in and out of systems.

True

The seven domains of typical IT infrastructure include User Domain, Workstation Domain, LAN Domain, and __________ Domain.

WAN

Which of the following is a key question to ask when performing threat modeling?

What system are you trying to protect?

Internal users are exempt from misusing the system.

False

What is the primary purpose of asset management in threat modeling?

To identify and evaluate important assets.

Understanding how __________ flows in and out of systems is crucial for threat assessment.

data

What is the purpose of an audit in an organization?

To determine if policies are being followed

A policy should not disable user accounts when an employee leaves an organization.

False

What should be done with user accounts that have not been used for six months?

Accounts should be deleted.

The ______ analysis examines the output to determine if a vulnerability exists.

output

Match the following analysis types with their descriptions:

  • Process Analysis = Evaluates processes used to determine output
  • Output Analysis = Examines the resulting output for vulnerabilities

What tool can assist an auditor in determining enabled accounts not used recently?

Script

Personnel interviews can help assess the security knowledge of employees.

True

When is it acceptable to give out passwords according to a secure organization policy?

Never.

An audit may include checking for user accounts that haven't been used in the past ______ days.

15

What is one method for determining the effectiveness of a firewall?

Using process or output analysis

What is the primary purpose of system logs in computer systems?

To log data based on system activities

Audit trails only log successful user activities.

False

Name one type of event that system logs can record.

Warnings

An audit trail attempts to log at least who, what, when, and _____ of events.

where

Which event would likely stand out immediately when reviewing system logs?

An error event

Automated systems can only review a single source of audit trails at a time.

False

What is a key element that an audit log typically captures when auditing is enabled?

User name

The _____ is used in Microsoft Windows to view system events.

Windows Event Viewer

Match the type of log with its function:

  • System log = Captures system start and stop events
  • Security log = Records access attempts
  • Network log = Tracks data transfer activities
  • Application log = Monitors application-specific events

Which of the following threats are categorized as human threats?

Hacking attempts

Name one reason why disgruntled employees can pose a threat to data security.

They may access, modify, or corrupt the organization’s data.

Employees can accidentally delete data if they have __________ access to information they do not need.

unintentional

Match the following types of threats with their descriptions:

  • Internal threats = Include actions from employees that may be accidental or malicious
  • Natural threats = Result from weather events such as floods and earthquakes
  • External threats = Originate from outside the organization, like hackers or malware
  • Accidental threats = Caused by unintentional actions of users

Which of the following is a proactive measure to mitigate internal threats?

Employee training and access control implementation

What should happen to an employee's user account after termination?

It should be deleted or disabled.

What type of Intrusion Detection System (IDS) is installed on a single system?

Host-based IDS

An intrusion detection system can only monitor and cannot alert users.

False

What information is included in an audit trail when file access is recorded?

user name, accessed file, time of access, and server or computer

A network-based IDS has several monitoring agents installed throughout the __________.

network

Match the agents in a network-based IDS with their respective functions:

  • Agent 1 = Identifies attacks launched from the Internet
  • Agent 2 = Detects successful attacks that penetrate the external firewall
  • Agent 3 = Shows attacks that manage to pass through the DMZ's second firewall

What is the primary focus of a vulnerability assessment?

Identifying existing vulnerabilities

Internal human threats pose no risk to data integrity.

False

What principle ensures that users have only the access they need to perform their job?

Principle of least privilege

Failure to implement access controls can make an entire network vulnerable, leading to unauthorized ______ of data.

disclosure

Match the type of threat with its example:

  • Natural Threat = Earthquake causing data center damage
  • Internal Human Threat = Disgruntled employee leaking information
  • External Human Threat = Hacker attempting to breach network
  • Natural Disaster = Flood impacting physical infrastructure

Which of the following describes social engineering in the context of security vulnerabilities?

Manipulating individuals to reveal confidential information

A buffer overflow attack can be reported as an internal human threat.

False

What is one method to minimize human-related vulnerabilities?

User training and awareness

A ______ is a process conducted to evaluate the effectiveness of an organization's security controls.

vulnerability assessment

All users having the same rights and permissions for a network enhances security.

False

Understanding how data flows in and out of systems is essential for effective threat assessments.

True

List one of the seven domains of a typical IT infrastructure.

User Domain

When performing threat assessments, it’s important to understand the system or application you’re ______.

evaluating

Match the following best practices to their descriptions:

  • Verify system operations = Ensure the system is functioning as intended
  • Limit the scope of assessment = Focus on one domain at a time
  • Interview experts = Gain insights from knowledgeable individuals
  • Review documentation = Understand system configuration and data flow

Who could be potential adversaries when performing threat modeling?

Both internal and external parties

A successful threat assessment does not require an understanding of hardware or software failures.

False

An excellent starting point for threat modeling is to use the _____ of a typical IT infrastructure.

seven domains

What is one key question to ask when performing threat modeling?

Is the system susceptible to attacks?

An audit trail can only be recorded in security logs.

False

What information does an automated system have the capability of examining in audit trails?

Logs from multiple sources

Windows systems use the Event Viewer to view the _____ log.

System

Match the following types of logs with their functions:

  • System Log = Records system events such as errors and warnings
  • Security Log = Tracks auditable events like user access
  • Firewall Log = Monitors network traffic and access attempts
  • Application Log = Logs application-specific events and errors

What type of information is typically recorded in an audit log?

Who accessed what, when, and where

System logs are primarily concerned with monitoring user behavior.

False

What is one advantage of using automated systems for reviewing audit trails?

Efficiency in analyzing multiple logs

An audit trail attempts to log at least _____ elements: who, what, when, and where.

four

Which of the following statements about audit trails is true?

They can help identify unauthorized access to data.

Study Notes

Security Risk Management and Ethics

• Chapter Four focuses on identifying and analyzing threats, vulnerabilities, and exploits.
• The chapter covers threat assessments, vulnerability assessments, and exploit assessments.
• The goals of the chapter include describing threat identification techniques, listing best practices for threat assessments across the seven IT infrastructure domains, and explaining the value of reviewing documentation and system logs for vulnerability assessment.
• Further goals are identifying tools for vulnerability scans, listing best practices for vulnerability assessments, and identifying exploits throughout the seven domains of a typical IT infrastructure.

Threat Assessments

• A threat assessment identifies and evaluates potential threats.
• The goal is to identify as many potential threats as possible and then evaluate each threat to determine its likelihood of occurrence.
• The frequency of a threat is important.
• A threat assessment is conducted at a specific point in time, as risks can change.
• The assessment considers existing threats in the current environment.

Threat Assessments (Continued)

• Threats represent potential dangers (human actions, environmental factors, and external threats).
• Impacts on confidentiality (unauthorized disclosure), integrity (modification or destruction of data), and availability (service or system unavailability) are considered.
• Human threats can be internal (e.g., disgruntled employees) or external (e.g., hackers, malware writers, terrorists).
• Natural threats include various weather events (floods, earthquakes, tornadoes, storms) and fires.
• Employee actions (malicious or accidental) can compromise data.
• Unintentional access, data deletion, and forwarding of viruses are internal threats.
• Lack of laptop security control (theft and data compromise) is an internal threat.
• External actors can launch denial-of-service (DoS) attacks, create malware, and attempt to access, modify, or corrupt organizational data. Terrorists can also launch attacks.

The Top Threats are Internal

• Internal threats can be unintentional (e.g., accidental access or data deletion) or malicious (e.g., disgruntled employee actions).
• Access controls, authentication processes, and least-privilege and need-to-know policies are crucial components to minimize the threat of unintentional or malicious user activity.
• Ex-employee accounts should be disabled or deleted post-termination to prevent unauthorized access.
• Phishing attempts, often sophisticated, can target specific companies and trick users by appearing to originate from within the company.
• Virus forwarding (inadvertent sharing of malicious emails) and lack of laptop security (theft and data compromise) are internal threats.

Threat Assessments (Continued)

• Historical data analysis and threat modeling are fundamental to identifying potential threats.
• Historical data analysis includes reviewing previous incidents in an organization, in similar organizations, and in the local area (including weather events) to determine threats from various sources.
• Different types of historical/organizational data can be examined, including security records, insurance claims, troubleshooting records, and employee interviews.

Threat Modeling

• Threat modeling is a method for evaluating and documenting security risks within applications or systems.
• This process should ideally occur before application development or system deployment to avoid scope creep.

Threat Modeling (Continued)

• It is essential during the initial stages of a system's life cycle to identify valuable assets, which helps to develop appropriate security measures.
• The seven domains of IT infrastructure (User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application) are important in threat modeling analysis.

Vulnerability Assessments

• A vulnerability assessment (VA) is performed to identify weaknesses in an IT infrastructure, whether in the network, in a specific server, or in the personnel involved.
• These weaknesses may lead to security violations.
• Vulnerabilities can exist at the personnel, network, or specific server level.

Vulnerability Assessments (Continued)

• Vulnerabilities exist if access controls are not properly implemented or security awareness is lacking in personnel or processes.
• Social engineering tactics (misinformation or manipulation to gain access to sensitive data) also create vulnerabilities.
• Regular assessments are recommended to detect emerging or recurring vulnerabilities.

Vulnerability Assessment (Continued)

• Automated scans (e.g., Nmap, Nessus, SATAN, SAINT) are important to quickly identify vulnerabilities.
• Audits and personnel interviews help to check for policy compliance and security knowledge.
• Policies related to employee departures (disabling/deleting user accounts after they leave) are also checked as part of the audit process.
• Process analysis and output analysis are used to identify inherent vulnerabilities.
• System testing is important to discover vulnerabilities related to patches and updates of operational systems or programs.
• Functionality testing evaluates adherence to the initial specifications.
• Access controls testing verifies that user permissions and privileges are in accordance with the organization's policies. This also includes access restrictions (by grouping employees) based on their department.

Vulnerability Assessment (Continued)

• Penetration testing is another method to test and uncover vulnerabilities.
• The goal is to evaluate the effectiveness of security controls against specific known vulnerabilities. A penetration test can be run from inside the network, from outside it, or from a DMZ, to check whether the controls in place actually block those vulnerabilities.
• Appropriate and detailed documentation of results must occur for compliance and improvement.

Best Practices: Vulnerability Assessments

• Maintaining up-to-date vulnerability scanners enhances the success of assessments.
• Performing internal and external checks helps in detecting vulnerabilities from various locations (within a network, outside it, and from a DMZ).
• Documenting vulnerability assessment results is crucial for tracking progress, compliance, reporting, and security improvements.

Documentation Review

• Documentation review includes reviewing incident reports, outage reports, and past assessment reports.
• It helps identify vulnerabilities, common problems, and areas needing improvement and correction.

Review of System Logs, Audit Trails, and Intrusion Detection System Outputs

• System logs, audit trails, and intrusion detection system (IDS) outputs provide information for vulnerability discovery.
• Auditing of events (actions) provides detailed information on who accessed what, when, and where. This may include who attempted to log in to a resource or what files were accessed.
• An IDS detects intrusions and alerts administrators to security issues.
• Events from an IDS can detail attack patterns launched against a network. Attacks from a DMZ, the Internet, and internal networks can be identified.
• IDSs usually consist of multiple agents: often one outside the firewall, one within the DMZ, and one within the internal network.

Other Assessment Tools

• Review historical data, perform threat modeling, and run scanning tools (including Nmap, Nessus, SATAN, and SAINT) to identify and respond to threats and vulnerabilities.

Description

This quiz covers Chapter Four of Security Risk Management, which focuses on identifying and analyzing threats, vulnerabilities, and exploits. It discusses assessment techniques, best practices, and the importance of documentation and system logs in the assessment process. Test your knowledge on threat assessments across various IT infrastructure domains.
