Security+ Study Guide-08 Using Risk Management Tools

The annual loss expectancy (ALE) is $2,400. It is calculated as single loss expectancy (SLE) × annual rate of occurrence (ARO). Each failure has resulted in a 10 percent loss (meaning that it cost 10 percent of the asset value to repair it).

The SLE is 10 percent of $4,000 ($400), and the ARO is 6. 6 × $400 is $2400.

A risk register lists all known risks for an asset, such as a database server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk).

Risk assessments (including qualitative and quantitative) might use a risk register, but they are not risk registers.

Residual risk refers to the remaining risk after applying security controls to mitigate a risk.

A supply chain assessment evaluates all the elements used to create, sell, and distribute a product.

The National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) (NIST SP 800-37 r2) provides steps for reducing supply chain risks.

Risk assessments (including both quantitative and qualitative risk assessments) evaluate risks, but don’t evaluate the supply chain required to support an e-commerce website.

Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat.

Intelligence fusion and advisories and bulletins are part of threat hunting. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat.

Vulnerability scans are used as part of a security assessment. Although a history of vulnerability scans and related logs may be part of the intelligence fusion, CompTIA objectives specifically list the following four elements: intelligence fusion, advisories and bulletins, threat feeds, and predictions of how attackers may maneuver through the network.

A configuration review verifies that systems are configured correctly.

Nmap is a network scanner, and it can detect the protocols and services running on a server.

The dnsenum command will enumerate (or list) Domain Name System (DNS) records for domains.

An IP scanner detects IPs active on a network but not the services running on the individual hosts.

Passive reconnaissance uses open source intelligence (OSINT) instead of active tools.

A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system.

Vulnerability scanners often include port-scanning capabilities, and they can help identify potential weak configurations.

A penetration test attempts to exploit a vulnerability.

A protocol analyzer can analyze traffic and discover protocols in use, but this would be more difficult that using a port scanner.

A non-credentialed scan refers to a vulnerability scan, and while a vulnerability scan may reveal services running on a server, it won't be as specific as a port scan.

A false negative occurs if a vulnerability scanner does not report a known vulnerability.

A false positive occurs when a vulnerability scanner reports a vulnerability that doesn’t exist.

The scenario doesn’t indicate if the scan was run under the context of an account (credentialed) or anonymously (non-credentialed), so these answers aren’t relevant to the question.