Chapter 1 - Measuring & Weighing Risk Flashcards Preview


Flashcards in Chapter 1 - Measuring & Weighing Risk Deck (31)
1

What is a vulnerability?

1-3

a weakness that could be exploited by a threat

2

Give the formula for "impact" and explain the terms in the formula.

1-5

SLE x ARO = ALE
(AV x EF) x ARO = ALE

SLE - single loss expectancy, determined by multiplying the asset value by the exposure factor
ARO - annualized rate of occurrence
ALE - annual loss expectancy
EF - exposure factor

3

True or False

SLE, ALE, and ARO are all quantitative.

1-7

True. All are number based.

4

What is a threat vector?

1-8

a tool or path an attacker uses to pose a threat

5

What is MTBF?

1-8

Mean Time Between Failures. Basically it tells you the lifespan of the device.

6

What is MTTF?

1-8

Mean Time To Failure. Tells you average time to failure for a nonrepairable system.

7

What is MTTR?

1-8

Mean Time To Restore. Tells you how long it will take to repair a system.

8

What is RTO?

1-9

Recovery Time Objective. This tells you how much time you're allotted to use for restoring the system.

9

What is RPO?

1-9

Recovery Point Objective. This is the point in time at which the system was last operational and therefore what you need to restore it to.

10

Contrast Risk Avoidance, Transference, Mitigation, Deterrence, and Acceptance.

1-9,10

Avoidance - stop doing the stuff that causes the risk.
Transference - share the risk.
Mitigation - lower the risk.
Deterrence - tell the risk creator "if you do this to me, I'll do this to you."
Acceptance - live with the risk and don't do anything about it because it's the cheaper alternative.

11

Explain PaaS, SaaS, IaaS.

Tell me 2 risks associated with virtualization.

1-17,18,19

platform as a service
software as a service
infrastructure as a service

breaking out of the virtual machine
network and security controls can intermingle

12

What is a Hypervisor?

1-19

the software that allows virtual machines to exist

13

What is the Scope Statement?

What is the Accountability Statement?

1-19

outlines what the policy intends to accomplish

who is responsible for ensuring that a problem gets dealt with

14

5 Key Aspects of Standards Documents

1-21,22

Scope and Purpose
Roles and Responsibilities
Reference Documents
Performance Criteria
Maintenance and Administrative Requirements

15

How are guidelines different from standards?

1-22

Guidelines tell you HOW to enforce standards.

16

Tell me the 3 ways guidelines help an organization.

1-22

provide memory refreshment on how processes and routines are carried out
reduce the learning curve
help in a crisis or high-stress situation

17

What is "separation of duties" for?

1-23

to reduce the risk of fraud

18

What is collusion?

What is Pod slurping?

Least Privilege equals what?

1-23,26

agreement established for purposes of deception

using a portable device to bypass security to get a copy of data

minimum permissions

19

What's one of the best ways to address business continuity?

1-28

do a BIA and implement best practices

20

What is BIA?

1-29

Business Impact Analysis is the process of evaluating all of the critical systems in the organization to define impact and recovery plans.

21

A thorough BIA will accomplish what 3 things?

1-29

the true impact and damage that an outage can cause will be visible

understanding the true loss potential may help you in a fight for budget

process will document which business processes are being used, the impact they have, and how to restore them quickly

22

What's the best way to remove a Single Point of Failure?

1-30

add redundancy

23

What is High Availability?

What is Redundancy?

What is clustering?

1-32

measures used to keep services and systems operational during an outage

systems that fail over to other systems

multiple systems connected together cooperatively (provides load balancing)

24

Fault Tolerance = ?

1-33

the ability of a system to sustain operations in the event of a component failure

25

What are the 4 types of RAID?

1-34

0 - disk striping
1 - disk mirroring
3 - disk striping with parity disk
5 - disk striping with parity

26

Disaster Recovery = ?

1-36

the ability to recover systems after a disaster

27

What is a backup?

1-36

duplicate copy of key information

28

Give 3 examples of key paper records that should be archived.

1-37

Board Resolutions
Critical Contracts
Tax Records

29

Give 4 examples of critical files that should be backed up.

1-38

Audit files
Database files
Transaction files
User files

30

Tabletop Exercise = ?

1-39

individuals sitting at a table discussing how to deal with situations that could arise