CCT 141: Practice CISSP Questions - Business Impact Analysis (1.8.1)

May 16, 2024
 

Fend off cyber extortionists with cutting-edge insights from our latest cyber training podcast, where Sean Gerber and I dissect the sophisticated methods to recover data from ransomware's icy grip. Inspired by a Sophos News article, we navigate through six data retrieval strategies that could save your business in a pinch, emphasizing that while there's no magic bullet, prioritizing certain file types could make all the difference in your recovery efforts. And because we know your time is valuable, we've dedicated a segment to CISSP Question Thursday, ensuring you're armed with the knowledge to conquer the CISSP exam with confidence.

The digital battlefield is fraught with risks, but we've got your six with a deep dive into the alignment of Recovery Point Objectives with backup frequencies—get this wrong, and it could spell disaster. Calculating your Annual Loss Expectancy isn't just about crunching numbers; it's about understanding when to shield your assets and when to strategically embrace risk, striking that delicate balance that keeps costs in check. We'll unveil some hidden facets of Business Continuity Plans, including the curious role of marketing strategies, and pull back the curtain on cold sites' function in disaster recovery. As we dissect incident response, we spotlight the crucial identification phase and map out how to calculate the financial impact of security breaches, ensuring you're never left in the dark when crisis strikes.

TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:  

All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you guys, as we say every day, hope you're all having a wonderful day today. Today is CISSP Question Thursday, so we're pretty excited about that to be able to provide you the CISSP questions you need to help you understand the concepts so you can pass the test. Yeah, that's the ultimate goal is that you can get this test done, passed and move on with your life. Yeah, isn't that the truth? Well, before we get started, I have an article I wanted to bring out to you all today. There is one on Sophos News and the link will be in some of the show notes that I have out there for you.

Speaker 2:  

But one of the questions that came up that I've dealt with around is this ransomware issue. Right, we all see it, we all deal with it in some form, shape or another. Well, there was an article again in the Sophos News about extracting data from encrypted virtual disks and there were a total of six different methods they had that you could actually try to get the data if it was locked up with one of the ransomware type pieces of malware. Now, again, they put this caveat out there: it may, right, it may help, it may be able to help you do this, and they find this out from their various levels of incident response recovery methods that they have done in the past. But they said it's involving, like LockBit, Faust, Phobos, Rhysida and some other types of Akira ransomware groups, so that, as we've I personally have dealt with the LockBit ransomware group in the past, this is one of those pieces where it looks potentially interesting. Now I want to caveat this with the fact that this is not a magic button. You hit the button and it will magically work for you, and I'm not going to go into all the gory details on how to make this happen, but we're going to basically just break down real quickly what are some of the things you need to look at. I highly recommend go to the article.

Speaker 2:  

It talks in depth a little bit more around what you can do, but if you are looking for specific files, especially if they're obviously they're encrypted in a VM, there may be ways for you to be able to get the data out. Now they talk a little bit about what disk and file encryption is. Obviously, we've talked on this podcast quite a bit about what that is, so I'm not going to go into those details, but they have six different methods that they use to recover the VMs that have been encrypted. Now, if you're dealing with a hard disk drive, that's going to be different. We're focusing specifically on an encrypted Windows VM. So the techniques they have they said they're applicable to Linux recovery attempts as well, and they'll indicate what those ones are, but it's all designed primarily around the Windows VM. So, basically, the six methods they have is mounting the drive, RecuperaBit, bulk_extractor, EVT parser, Scalpel and then also manually carving out the NTFS partition within the overall mounted VM itself.

Speaker 2:  

The key thing they said that you want to keep in mind and I'm just going to go over a couple quick highlights of this is the fact that it's going to take you some time to do this and you need to be able to set aside the time to carve out this data. I would also recommend that what they're saying in here, and which makes total sense, is the fact that, if you are, this may not be like something you can just set it on and let it go. You may have. It's going to be a very hands-on process and you may not be able to recover all of the data. It may be parts of it, so you may want to focus specifically around if there's like just Word documents and Excel documents, if there's an ability to do that, versus try to decrypt the entire partition or the entire VM. So the ultimate goal, though, is, if you're trying to get the data out, there might be some options for you within the VM to be able to do that, utilizing some of these tools as well. They mentioned you're going to need at least one terabyte of disk to do it, so, again, you're going to have to have some space to be able to make this happen.

Speaker 2:  

And they mentioned file types, and their priorities are there. You need to pick on which ones you want to go after and which ones are probably more accessible to you. Again, if you can run the automated media recovery tool and that'll work, that'll be great, but you may have to be able to go and go dig deeper into those specific files. Now, again, this is if your backup and recovery that you have put in place, you know, the ultimate goal when you're dealing with these types of events and we talk about this in CISSP, cyber training is the fact that you have a disaster recovery or business continuity type plan set up so that you can maintain operations in the event that you have a massive situation like this.

Speaker 2:  

And this is what they're talking about is, if you have specific data that you want to try to pull off of systems, then this may be able to give you some level of help in that regard. Again, there's no guarantee, but it could potentially do that. Where you know you have critical systems that are sitting on this VM, in this farm, at this location, then these types of tools may be available to you. So I'm not going to go into all the different details around it, just because we're going to get into some of the questions for today. But it's a really good article just around how you could potentially get the data out of your specific VM, especially if that one is encrypted with one of the different various ransomware type malware that's out there and available. But again, this is through Sophos News. Again, extracting data from encrypted virtual disks seven methods, or six, seven, six methods. So extracting data from encrypted virtual disks, six methods, and it's on Sophos News. So go check it out. I think you'll really, really like it. At least it'll give you another little tool to add to your tool chest. Maybe, if anything, give it to your incident response folks and just say, hey, here's something to look at if you all get bored, which you know they're probably working very hard and therefore they're not bored, but something to consider.

Speaker 2:  

All right, so let's get into today's questions. Okay, so, like we always do on CISSP Cyber Training, we have various questions and this question is going to be over domain one and domain 1.4 to be precise, and we're going to be getting into the business impact assessments and some of the different nuances to that. This will follow in again suit to what happened in the podcast. Now, not all the questions that we go through were potentially tied to the podcast. There's some new ones in there as well, but the goal is that this is to use the training that happened on Monday to then therefore have this as a refresher and as the ability to build upon that. Okay, question one. Also, real quick disclaimer like we say it every time, this is not a question that you will see on the CISSP test, it just does not. Maybe, if it is, it might be a version of it of some kind, but odds are high it is not a version of the CISSP, you will see. The goal of these questions are to help guide you and direct you in how to answer a question for the CISSP exam.

Speaker 2:  

Question one which of the following best describes the primary purpose of conducting a business impact assessment? A to identify and prioritize critical business functions and processes. B to calculate the organization's total risk exposure. C to develop a technical recovery strategy for IT systems or D to assess the performance of an incident response team. Again, which of the following best describes the primary purpose of conducting a BIA, a business impact assessment? And the answer is A to identify and prioritize critical business functions and processes. Again, this helps the organization understand which processes are essential to its survival and how disruptions can impact their ops, allowing for, again, effective continuity planning.

Speaker 2:  

Question two: if a process has a recovery time objective of four hours and a work recovery time of two hours, what is the maximum tolerable downtime, MTD? We didn't really talk about this in the podcast, so something new. Again, if a process has a recovery time objective, RTO, of four hours and a work recovery time of two hours, or WRT, what is the maximum tolerable downtime? A two hours. B four hours. C six hours. D eight hours. Okay, so we're talking about a work recovery time. How much time is needed before they can get back to work? And the answer is C, six hours. Again, the MTD is a total time of process or service can be down before causing significant harm to the business. This includes the RTO, but any additional time required to catch up on the works, which we didn't really talk about. Right, we said that would happen, but we didn't say give it an acronym. This is what they call a WRT. So therefore the MTD equals the RTO plus the WRT. In this case it would be six hours, because you have four plus two, it's six hours.

Speaker 2:  

Question three an organization's RPO for critical system is set at one hour. During an audit, it is found that the backups were taken every four hours. What should be the auditor's recommendation? Again, if an organization's RPO for critical systems is one hour and during an audit was found the backups are taken every four hours, what should the auditor's recommendations be? A increase the frequency of the backups to every hour. B Decrease the RPO to match the backup frequency. C no action is needed as the RPO is within the acceptable limits. Or D, perform a risk assessment to determine the impact of the data loss. And the answer is, as you guys would expect, a, increase the frequency of the backups to every hour. So if it's saying that they're all happening only every four and your RPO is every hour, you better increase your backups. Now you need to work through that with leadership to know how much that's going to cost them more, but just make sure that they understand the gap that was discovered and what you're doing to remediate it.

Speaker 2:  

Question four: given the following data, calculate the annual loss expectancy, ALE, the, the single loss expectancy, or you're supposed to calculate the ALE, and now we're going to give you some details. Single loss expectancy is 50,000. The annual rate of occurrence, ARO, is 0. Okay, so what is the ALE? The ALE is $10,000. When you multiply SLE, which is your $50,000 times 0.2, that is $10,000, and that is your ALE.

Question five: if an asset is valued at $200,000 and the exposure factor due to a certain threat is 25%, what is the single loss expectancy? Okay, so when you're dealing with single loss expectancy, it's asset value times EF, which is your exposure factor. So if you're dealing with that, A is $50,000, B $150,000, C $200,000, or D $250,000. Again, if an asset is valued at $200,000 and the exposure factor due to a certain threat is 25%, what is the single loss expectancy expected? Basically, 25% times $200,000 is A, $50,000.

Speaker 2:  

Question six: what is the most appropriate action when a risk annualized loss annualized? Let me repeat: what is the most appropriate action when a risk's annualized loss expectancy is significantly lower than the cost to mitigate the risk? So what is it? What should you do? What is the action to take when the ALE is significantly lower than the cost to mitigate the risk? A accept the risk. B transfer the risk. C avoid the risk or D mitigate the risk regardless of cost. So the most appropriate action when the ALE is significantly lower than the cost of mitigating it is that you should accept the risk, right, A. So when the cost is higher, it's often more cost effective to just accept the risk. The decision should be made by your organization's leadership to decide what they want to do.

Speaker 2:  

Question seven: which of the following is not a typical element of a business continuity plan or a BCP? Okay, again, which of the following is not a typical element of the BCP? A Succession planning. B Insurance contracts. C Technical recovery strategies or D marketing strategies. So which of the following is not a typical element of the BCP? A success I already just said them, right? Sorry, and the answer is D, marketing strategies. Right, you really don't care about marketing when you're dealing with the BCP. BCP is focused on maintaining business functions and quickly resuming them in the event of a disruption, so you don't really care too much about marketing. Now you wanted to deal with the after effects of that and your reputation. Then you may need a marketing strategy to deal with that, but during it, no.

Speaker 2:  

Question eight: in a discovery or disaster recovery planning, which of the following best describes a cold site? So, in DR planning, which of the following best describes a cold site? A a fully operational off-site data center with real-time synchronization. B a facility with infrastructure but no computing equipment or personnel. C a duplicate or production site with a full data mirroring. Or D a location equipped with hardware and software configured for rapid deployment. Now you're probably asking yourself, well, we didn't talk about this. Well, but this is all part of the BIA. So you want to know this when you're dealing with the BIA. And the answer is B, in a facility with infrastructure but no computing equipment or personnel. So you basically have the site set up, you're ready to go, but there's nothing going, right. But I should say you have the site ready to go, you bought the site, you rented the site, you rented the location. You may have actually even got some of the contracts in place for the disaster recovery, but you haven't done anything with it.

Speaker 2:  

Question nine which step of the incident response process involves determining the scope and impact of a potential security incident? A identification, b containment, c eradication or D recovery. So which step of the incident response process involves determining the scope and impact of potential security incident? And the answer is A. Right, you want to use identification. Identification involves detecting and determining the scope and the potential security incident. So therefore, that is the first thing you should do when you're dealing with an incident response process.

Speaker 2:  

Question 10. During a BIA, the analyst determines that the failure of a critical system would result in the loss of $100,000 per hour. If the system has an MTD of eight hours, what is the minimum financial impact the business could suffer if the system fails? A $100, B 400,000, C 800,000, or D 1.2 million. So again, the loss is 100,000 per hour. What is the maximum tolerable downtime? And that's eight hours. So what that is. So what is the financial impact you could suffer? Well, if you figure that out, that's eight times $100,000, and that equals $800,000. The answer is C, when you're dealing with an hourly loss by MTD, so $800,000.

Speaker 2:  

Question 11, would a company primary data center located in a region known or prone to natural disasters? The RTO for a critical system is two hours, but due to recent events, the management wants to reduce the MTD to one hour. What should the primary focus be to achieve a new MTD? So again, your RTO is two hours. You want to bring your MTD to one hour. What should be the primary focus? A increase the frequency of backups. B implement more robust disaster recovery plan. C relocate the data center to a less risky area. D invest in faster restoration services. Okay, so again, the RTO for the critical systems is two hours. So that's the recovery time objective for these critical systems is two hours, but the management wants to reduce the maximum tolerable downtime to one hour. So what should be the primary focus? We talked about A increasing backups, B implementing robust disaster recovery plan, C relocate the data center to a less risky area or D invest in faster restoration services. And the answer is B, implement a more robust disaster recovery plan. So, again, to reduce the MTD, a company should focus on implementing a much faster recovery plan that allows for quicker restoration of these critical systems. Now, again, we talked about here, they want to talk about reducing the MTD, which didn't mean they wanted the recovery time to two hours. They wanted to actually have the maximum tolerable downtime to one hour. So basically, what it means, then, is they may include strategies such as having a hot site or redundant systems to take over immediately in the case of a disaster. Now you could potentially reduce your overall RTO to one hour. Then that would change things as well. But the bottom line is, is you want to get a more robust disaster recovery plan so that you have different scenarios in place to reduce your maximum tolerable downtime.
Again, that's because the site is what's focused on on the MTD, it's not necessarily recovery time, it's the actual site itself with your maximum tolerable downtime.

Speaker 2:  

Question 12. An organization's e-commerce platform has an RTO of four hours. It's a recovery time objective of four hours. During the peak sales, a platform experiences an outage. The IT team estimates the recovery time of six hours.

Speaker 2:  

What is the potential consequences of not meeting the RTO? So the RTO is designed for four, but they say it's going to take six. So what's going to happen? A loss of customer trust and potential revenue. C data corruption and loss, or that's B, c increased recovery costs or D all of the above Okay. So when the organization is at four but it actually is going to take six, how does that impact the overall question? And it is A loss of customer trust and potential revenue, right? Not meeting the RTO, especially during a peak sales, can lead to cost, customer trust and potential revenue loss, right? And one of these things is you say, well, it's increasing your recovery costs, it's your data corruption and loss, not so much that. So it's definitely not all of the above, but it could be increased recovery costs because you have to basically get this done faster, right, your RTO has to. You want it at four hours, but it's actually at six. So because you're having to get it done, you're probably going to cost yourself more money potentially, but the bigger the right. More correct question or answer is a loss of customer trust and potential revenue.

Speaker 2:  

Question 13. A financial institution has an RPO of 15 minutes for a transactional database. After a cyber attack, it was discovered that the last successful backup was performed 30 minutes before the attack. What is the likely impact? Okay, again, the financial institution has an RPO of 15 minutes for its transactional database. After a cyber attack, it was discovered that the last successful backup was performed 30 minutes before the attack. What is the likely impact? A no impact, as the RPO is within acceptable range. B the transactions may need to be reprocessed. C all transactions since the last backup are lost. Or D the institution will face regulatory fines. Okay, so the regulatory fines is possible, but we don't know that from the question. The answer is B Some transactions may need to be reprocessed. Why? Because the RPO is 15 minutes, but it took 30 minutes is when the last successful backup was taken, so you may have to reprocess around 15 minutes of transactions.

Speaker 2:  

Question 14. The risk assessment identifies that a server has a vulnerability that could potentially cause a loss of $50,000. The annual rate of occurrence, ARO, for this risk is estimated at 0.1. What is the ALE for this risk? Okay, we know ALE, right is. You got to figure all that out times your is your basic, your single loss expectancy times your ARO. So that comes out to be we'll see A is 5,000. B is 50,000. C is 500,000. D is 5 million. And what is the ALE risk? It is A, 5,000, right, 50,000 times 0.1 is 10%, that is $5,000.

Speaker 2:  

Question 15: a company's server is valued at 120,000. It is critical for daily operations. The, the service exposure, EF, is due to a specific threat estimated to be 40. If the annual rate of occurrence, ARO, for this threat is 0.5, what is the annual loss expectancy for this risk? Well, the first thing we have to do is determine the SLE and you multiply the asset's value by the EF. Okay. And then, once you do that, then you have to figure out what is the ALE, and the ALE is the SLE times the ARO. So the answers are A 2400, B 4800, C 24,000 or D 48,000. Okay, so if you add all that up again, the first thing you gotta figure out is your SLE and that equals AV times EF. Then from there you go for your ALE equals your SLE times your ARO, and that comes out to be C $48,000, right? So basically it comes down to is your EF. You figure out that and you move on.

Speaker 2:  

All right, that's all I have for you today on CISSP Cyber Training Podcast. Head on over to CISSP Cyber Training and check it out. I've got some really great stuff over there. A lot of the content that I have is available for you for free. Just go check it out. There's also some great stuff you can purchase for your studying purposes and your CISSP exam. Again, I wanted to make the comment that all sales that go to CISSP Cyber Training are going to be given to a non-profit. We're still developing the name, I got to get my wife, she's just taking her time on that, but we're getting that developed. So, again, all sales will be going to a non-profit for adopting children. If you're looking to adopt a kid, they are going to be goals that have funds available to parents who want to adopt children. It's just going to be a really good deal. We're pretty excited about that. All right, I hope you guys have a wonderful, wonderful day and we will catch you on the flip side, see ya.
