2022 Paper Flashcards
What are the three tiers of Risk Management Hierarchy?
Tiers 1 and 2 describe systemic information security risks while tier 3 is used to support the implementation of a framework. Tier 1 is ‘Organisational’, Tier 2 is ‘Mission/Business Process Level’ and Tier 3 is ‘Information System Level’
What types of Threat Source are there?
Adversarial (Individuals, groups or organisations seeking to exploit), Accidental (Error by individuals), Structural (Failures of equipment or controls), Environmental (Natural Disasters)
In John Adams’s book, what are the three types of risk?
Risks perceived directly (e.g. climbing a tree, riding a bike), Risks perceived through science (e.g. cholera, you need a microscope to see or understand) and Virtual Risks (Scientists don’t know or don’t agree e.g. pesticide)
What is the difference between a threat source and a threat event?
A threat source is a situation, or an intent, that could lead to the exploitation of a vulnerability, while a threat event is the actual situation happening
What is MDM?
Mobile Device Management, software which, when installed on a device, allows the organisation a certain level of control over the device, such as monitoring and supervision
What is MAM?
Mobile Application Management, software which, when installed on a device, allows the organisation to control what software is on the device, allowing updates, installs and deletion of software
What is Biographical Identity?
Education, Qualifications, Where you lived, employment, any information that can be combined to identify someone
What are the five components of Identity Management Systems?
Data Repository components, Security Components, Lifecycle Components, Consumable Value Components, Management Components
What are Data Repository Components?
Storage and Management of identity information
What are Security Components?
Authentication Providers, Authorisation Providers and Auditing Providers
What are Lifecycle Components?
Provisioning, the automation of all procedures and tools to manage the lifecycle of an identity, and Longevity, the creation of a historical record of an identity
What are Consumable Value Components?
Single Sign-On, reducing number of usernames and passwords, Personalisation, preference management, and Self Service, enable users to self register for access to business services
What are Management Components?
User Management, managing user profile and preference, Access Control Management, managing authentication and authorisation, Privacy Management, implements privacy, and Federation Management, establishment of trusted relationships
What is Federated Identity Management?
Federated Identity Management systems support multiple identity providers and distributed storage, allowing multiple organisations to use the identity storage and to use certain providers
What are the issues with Federated Identity Management?
Identities can change, and there could be a difference between the federated identity and the local identity held by a company
What are the 3 Service Models for Cloud Computing?
Software as a Service (SaaS), the consumer uses an application which runs on the provider’s infrastructure, Platform as a Service (PaaS), the consumer can create their own applications on the infrastructure, and Infrastructure as a Service (IaaS), complete freedom, as the consumer is given their own infrastructure to build on
What are the 4 Deployment Models for Cloud Computing?
Private Cloud, exclusive use for a single organisation, Community Cloud, exclusive use for a community of users, Public Cloud, open use by the general public, and Hybrid Cloud, a mixture of previous models
What are the two key components of a supply chain?
Physical, the network of organisations, the linkages, the different processes and activities that produce value and goods, and Information, the full set of elements necessary to collect information, transform this information into data, and distribute this information
What are the three main deployment models for Identity Management Systems?
Silos, Walled Gardens, Federations
What is the Silos deployment model for Identity Management Systems?
Identity Management Environment is put in place by a single entity for a fixed user and resource community
What is the Walled Gardens deployment model for Identity Management Systems?
A closed community of organisations with a single identity management system deployed to serve the common user community of a collection of businesses.
What is the Federations deployment model for Identity Management Systems?
A truly distributed model with the main difference from Walled Gardens being that there is no single entity governing the system, and instead having multiple Identity Providers (IdP)
If Remote Working is considered, what should be added?
Data Access should be more closely watched as the organisation might have legal obligations for data stored remotely; a VPN might be considered to prevent misdirected traffic; Single Sign On (SSO) should be considered to prevent laziness
What are the steps of risk assessment for cloud computing?
Identify the Asset, Evaluate the Asset, Map Assets to Deployment Methods, Evaluate Cloud Service Models, Map Out Data Flow
What does it mean to evaluate the asset in cloud computing?
Check what is required for that asset’s security; confidentiality, integrity and/or availability
What does it mean to map assets to deployment methods in cloud computing?
Determine if you are willing to make the asset public, private but internal, private but external, community, or hybrid
What does it mean to evaluate cloud service models in cloud computing?
Focus on how much control you have with which service you’ll pick and if you have any specific requirements for a service model
What does it mean to map out the data flow in cloud computing?
Map out the data flow between your organisation, the cloud service, and any customers or clients. It is also important to understand whether and how data can move in and out of the cloud
Name 5 of the Egregious 11 from the Cloud Security Alliance
Any 5 from:
Insufficient Identity, Credential, Access Control
Insecure Interfaces and API
Misconfiguration and Inadequate Change Control
Lack of Cloud Security Architecture and Strategy
Insecure Software Development
Unsecure Third-Party Resources
System Vulnerabilities
Accidental Cloud Data Disclosure
Misconfiguration and Exploitation of Serverless and Container Workloads
Organised Crime, Hackers and APT
Cloud Storage Data Exfiltration
What are the 3 types of risk in the supply chain?
Supplier Focused, Internal Focused, Customer Focused
What is included in Supplier Focused Risk?
Relationship, HR, Market Dynamics, Disaster
What is included in Internal Focused Risk?
Operational, Technical and Financial risks
What is included in Customer Focused Risk?
Distribution, Market, Brand/Reputation
What does the Cloud Security Alliance break risk management into?
The Cloud Security Alliance breaks down risk management into 14 different domains
Name 5 of the 14 different domains from the Cloud Security Alliance
Any 5 from:
Cloud Computing Concepts and Architectures
Governance and Enterprise Risk Management
Legal Issues, Contracts and Electronic Discovery
Compliance and Audit Management
Information Governance
Management Plane and Business Continuity
Infrastructure Security
Virtualisation and Containers
Incident Response
Application Security
Data Security and Encryption
Identity, Entitlement and Access Management
Security as a Service
Related Technologies
Name 5 Security Challenges for BYOD
Any 5 from:
Lost Devices
Personal use = Riskier Use
Multiple Device Types and OSes
Jailbroken/Modded Devices
Applications, Social Media
Lack of control over device, data and security
Network Attacks
Malware Intrusions
Phishing Attacks
Ineffective Management
Employee Privacy
What are the 7 steps to a BYOD security plan?
Identify the risks; form a committee to understand the risks; decide how to enforce policies; build a project plan; evaluate solutions; implement solutions; periodically reassess solutions
What are the 2 key categories of BYOD risks?
Device Risks, technology with no control, and App Risks, employees installing third party apps
What are the 10 steps to a BYOD security policy?
Review current policy; determine which devices are supported; set expectations; write policies; make a PIN mandatory; enforce encryption at rest; determine apps allowed; provide training; look for apps that allow things like reporting; consider MDM
What is Requirements Analysis in the Secure Software Development Lifecycle (SSDLC)?
Determine what security measures need to be put in place
What is Specification in the Secure Software Development Lifecycle (SSDLC)?
Determine the main objectives of the system (Not security)
What is Implementation in the Secure Software Development Lifecycle (SSDLC)?
Getting the necessary components to implement the system
What does an ineffective Identity Management System cause?
Increased costs; inability to carry out function; reduced security; placement of liability; inability to charge for services
Where are the feedback loops in the Secure Software Development Lifecycle?
They always return to just after Scope and Policy. The first is after Requirement Analysis, then after Specification, then after Implementation, and finally after Management and Audit
What are three security benefits of Cloud Computing?
Any 3 from:
Cheaper when implemented at a larger scale
Security is a market differentiator for the cloud provider and is therefore a motivator
Standardised interfaces for managed security structures
Rapid, smart scaling of resources for security purposes
On demand audit and evidence gathering
More timely, effective and efficient updates
Audits force better risk management
Resources are concentrated
When is an organisation forced to comply with the Payment Card Industry Data Security Standard (PCIDSS)?
Any entity that uses payment card processing is required to comply with PCIDSS
What is the scope of assessment for PCIDSS?
The PCI DSS security requirements apply to all system components, including all systems that provide security services, and virtualisation components such as virtual machines
What does the Cardholder Data Environment comprise?
Technology that stores, processes or transmits cardholder data, network components, server types such as web servers, and applications such as purchased ones
How do you determine the scope of review for assessment for PCIDSS?
Identify all locations and flows of cardholder data
What is network segmentation for PCIDSS?
Isolating the cardholder data environment from the remainder of the network. This can limit the scope of assessment
If using third parties, what do you need to do for PCIDSS?
The Report on Compliance must document the role of every service provider
What are the six key parts to the PCIDSS Report on Compliance?
Executive Summary
Description of Scope
Details about Reviewed Environment
Contact Information and Report Date
Quarterly Scan Results
Findings and Observations
What is De-Identification?
Removing or altering data that could be used to identify a patient
Give 3 reasons why De-Identification is hard
Any 3 from:
Personal Identifiers Removed
Record Order Scrambling
Dates Reduced
Not Restricted to Medical Data
Why should there be different roles when doing the Secure Software Development Lifecycle?
Auditing and Operation are kept separate so that there is separation of duties, not giving too much power to one person; this prevents a breakdown if that person is unable to do their job or seeks to cause harm