5.0 - Risk Management

Question 1

This is a legal agreement between partners that establishes the terms of the relationship, including sharing of profits and losses and responsiblities.

Answer 1

BPA (Business Partnership Agreement)

Question 2

This document details the expectations between a customer and a service provider. It can define specific services, level of expectation, issue managment and resolution, etc. This is a legally binding document.

Answer 2

SLA (Service Level Agreement)

Question 3

This is a specialized agreement between organizations that have interconnected IT systems. It can be part of an MOU.

Answer 3

ISA (Interconnection Security Agreement)

Question 4

These documents describe the relationship between two parites in pursuit of a common goal.

Answer 4

MOU (Memorandum of Understanding)

MOA (Memorandum of Agreement)

They are not typically legally binding. MOU’s tend to be more high-level, but the lines are blurry.

Question 5

Why are mandatory vacations a security measure?

Answer 5

Employees who never take time off may be hiding something, such as embezzlement. Mandatory vacations are tool to detect fraud, and create the need for cross-training.

Question 6

How is Job Rotation useful?

Answer 6

Job Rotation through security helps other IT employees understand the security needs of the organization.

It is also a form of cross-training.

Question 7

Why is separation of duties important?

Answer 7

Separation of duties:

• Makes it difficult for one bad actor to cause damage.
• Keeps individuals from being indespensible, since no single person has the keys to the kingdom.

Question 8

What is a clean desk policy?

Answer 8

A clean desk policy states to sensitive information is not left unattended.

Question 9

What is Roll-Based Awareness Training?

Answer 9

Roll-Based Awareness Training is security training attuned to the job role of the user. This is important even for non-IT users, such as managers.

Re-training over time is also important, as is re-assessment of training curriculum as job roles change.

Question 10

Who owns the data?

Answer 10

Data Ownership should be defined. Data ownership is a business functions.

Question 11

Should a system admin set policy?

Answer 11

A System Admin has nearly complete control over a system, but the system owner (usually the business unit) should be setting policy on how the system is used and configured.

Question 12

Define types of users.

Answer 12

Types of users:

• User - minimal access
• Privlidged user - extra access, tailored to their job role
• Executive user - access is granted for their job role, but the principle of least priviledge still applies. Even the CIO should not have full access as she will not need it on a daily basis.

Question 13

How should onboarding work from a security perspective?

Answer 13

Onboarding should make personnel aware of their responsibilities regarding security. Onboard and offboarding procedures should be well-documented.

Question 14

This document defines how an employee should use resources, including computers, email, internet, network access. It should also state how the organization will monitor the employee’s use of these resources.

Answer 14

AUP (Acceptable Use Policy)

This often goes hand in hand with the Internet Use Policy.

Question 15

What are the two common policies for violation of company policy.

Answer 15

Common Adverse Action responses are:

• Zero-tolerence - always terminate the employee.
• Descretionary Action - “violations will be punished via a range of HR actions, up to and including termination.”

Question 16

This high-level document defines the over-all security attitude of the organization.

Answer 16

Security Policy or General Security Policy.

Question 17

What are challenges presented by social meda networks and applictions.

Answer 17

A social media network could be considered a third-party when it is used for marketing or communication, however no SLA or MOA will exist with them.

Social media is a possible conduit for malware.

Social media contributes to employee inefficiency.

Question 18

What risks does personal email represent?

Answer 18

A litigation hold on an employee’s personal email residing on a company system is problematic.

It is a channel for malware.

Question 19

What is a defense against the issues brought by social media, web use and personal email.

Answer 19

Users should be trained to be cognizant of the risks to the organization when using these services.

Question 20

What is a BIA document?

Answer 20

A BIA (Business Impact Analysis) document addresses sources of risk and steps taken to mitigate it. It will also outline how the loss of critical functions will impact the organization.

Question 21

What is RTO?

Answer 21

RTO (Recovery Time Objective) is the amount of time before normal operations resume after an incident. Shorter RTO translates to greater recovery costs.

Question 22

What is RPO?

Answer 22

RPO (Recovery Point Objective) is the maximum time of acceptable data loss. RPO defines the cadence of data backup operations.

Question 23

What is MTBF?

Answer 23

MBTF is Mean Time Between Failures. How often a system fails.

MTBF = time in service / number of failures

10 years of service with 2 failures = MTBF of 5 years.

Question 24

What is MTTR?

Answer 24

MTTR (Mean Time To Recovery) is how long it will take to get a failed system back online. This may account for repairs and hardware sourcing.

MTTR = Total Downtime / Number of breakdowns

It failed 5 times for a total of 2.5 hours downtime. 2.5 hours / 5 = MTTR of 30 minutes

Question 25

How do you calculate availability?

Answer 25

Availability = MTBF / (MTBF + MTTR)

MTBF of 6 months

MTTR of 30 minutes

6 months / (6 months / 30 minutes) = 99.9884% availability

Question 26

Risk vs. Impact?

Answer 26

Risk is the chance of something happening.

Impact is the cost of it happening

Question 27

What is a PIA?

Answer 27

A PIA (Privacy Impact Assessment) look at how personally identifiable information (PII) is handled, and assess how secure and compliant the business practices around PII are.

Question 28

What is a Privacy Threshold Assessment?

Answer 28

A Privacy Threshold Assessment analysis whether PII is collected and maintained by system. This step must be performed before a PIA, Privacy Impact Assessment.

Question 29

What does a Threat Assessment encompass?

Answer 29

A Threat Assessment is a structured analysisof the threats the confront and enterprise. Each is given a likelihood. They may include:

• Environmental
• Manmade
• Internal or external

Question 30

What is SLE?

Answer 30

SLE (Single Loss Expectancy) is the value of a single loss event. It is the asset value times the exposure factor (a percentage of the capability of the company)

SLE = asset value x exposure factor

$2 million building that houses 1/4 of the company business = SLE of $500,000

Question 31

What is ARO?

Answer 31

ARO (Annualized Rate of Occurance) is the frequency of an event. If you get hit by lightening every 20 years, then your lightning strike ARO is 1/20.

Question 32

What is ALE?

Answer 32

ALE (Annual Loss Expectancy) is the SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurance).

SLE = $1 million ($4m buidling housing 1/4 of ops)

ARO = 1/10 (once every 10 years)

ALE = $100,000. Expec to spend that much every year for this loss.

Question 33

What is a Risk Register?

Answer 33

A Risk Register is a list of risks associated with a system.

Question 34

What criteria can be used to determine Impact.

Answer 34

Impact criteria can include:

• Cost
• Performance (in an SLA for instance)
• Schedule (deliverables)

Question 35

Quantative vs. Qualitative risk analysis?

Answer 35

Quantative requries historical data, relies on measurable variables.

Quantative is subjective and uses expert judgement, experience and group consensus. Terms such as Low/Medium/High are common, however numbers can be assigned to the subjective judgements.

Question 36

What should Penetration and Vulnerability Testing Authorization include?

Answer 36

Testing Authorization should be in writing and include:

• Scope of tests
• Timeframe
• A communication plan
• Permission of the sytem owner

Question 37

What are the four Risk Response Techniques?

Answer 37

You cannot remote a risk, but there are Risk Responses:

• Avoid - alter your exposure
• Transfer - purchase insurance, credit cards
• Mitigate - alter your response to reduce the impact
• Accept - if the cost to avoid, transfer or mitigate is too high

The risk that remains after these responses is called the Residual Risk.

Question 38

What is a Deterrent Control?

Answer 38

A Deterrent Control discourages the attacker. Law and regulations that increase punishment.

Question 39

What is a Preventive Control?

Answer 39

A Preventive Control prevents specific actions. Mantrap, firewall.

Question 40

What is a Detective Control?

Answer 40

A Detective Control detects a security breach. Alarms, and IDS.

Question 41

What is a Corrective Control?

Answer 41

A Corrective Control is used post event to minimize damage. Backups.

Question 42

What is a Compensating Control?

Answer 42

A Compensating Control is used when no control is available to directly address the threat. A fire suppression system cannot prevent fire damange, but it will mitigate it.

Question 43

What types of controls tend to be mutually exclusive?

Answer 43

These controls tend not to overlap in definition:

• Deterrent
• Preventive
• Detective
• Corrective
• Compensating

Question 44

What is a Technical Control?

Answer 44

A Technical Control uses technology to address a physical security issue. Biometrics for example.

Question 45

What is an Administrative Control?

Answer 45

An Administrative Control is a policy used to limit security risk.

Question 46

What is a Physical Control?

Answer 46

A Physical Control prevents specific physical actions from occurring. A Mantrap is a physical control.

Question 47

What are some common Documented Incident Types?

Answer 47

Incidents are often categorized. Some are:

• Interruption of service
• Malicious communication
• Data Exfiltration
• Malware delivery
• Phishing attack

Question 48

In what order are the Incident Response Phases performed?

Answer 48

Incident Response Phases:

1. Preparation - done before an incident occurs. Correct logging and reporting in place; plans developed; teams defined.
2. Identification - Are events worthy of an IR?
3. Containment - stop the threat
4. Eradication - remove the threat
5. Recovery - return assets to production; resume normal business operations
6. Lessons Learned - Document what went wrong, corrective measures, and how the IR effort went.

Question 49

What are the types of recovery sites?

Answer 49

Recovery sites:

• Hot - fully functional, ready immediately or within a few hours. Has duplicate current data, or recent backup.
• Warm - missing some hardware. Ready in a few days. Has backup data days to weeks old.
• Cold - basic environmental controls but few computing components. Weeks from readiness. No current or backup data at site.

Question 50

What factors play in the order of restoration?

Answer 50

Order of Restoration is influenced by:

• Dependency - what system is dependent on another
• Criticality - which systems are most important to the buisiness.

Question 51

Describe a Differential Backup.

Answer 51

Differential Backup:

• Only files changed since last full backup
• Archive bit is not reset
• Each Differential backup will be larger until another full backup is taken.
• Restoration: 2 steps - Load most recent full backup, then just the most recent differential backup.

Question 52

Describe an Incremental Backup:

Answer 52

Incremental Backup:

• Only files since last full backup
• Archive bit is reset
• Smaller backup files than differential
• Restoration - more steps - first load last full backup, then each incremental backup, in chronological order.
• Faster, smaller backup but longer recovery time.

Question 53

What are backup geographic considerations?

Answer 53

Geographic considerations:

• Off-site?
• Distance - time to restore
• Location selection - security, HVAC, flooding, theft
• Legal implications - especially across borders or in the cloud
• Data Sovereignty - some countries require that data created within their shores must stay there.

Question 54

What are some considerations when planning Continuity of Operations?

Answer 54

Continuity of Operations considerations:

• Critical assets
• Critical personnel
• Interdependencies

Question 55

What are the two functions of an After-Action Report?

Answer 55

After Action Reports should:

• Document the level of operations upon transfer to the backup system.
• How the change from normal to continuity systems occured. What went well and what went wrong.

Question 56

What is the order of volatility in when handing a forensics issue?

Answer 56

Forensics order of volatility:

1. CPU, cache, register contents
2. Routing tables, ARP cache, process tables, kernal statistics
3. Live network connections and data flows
4. Memory
5. Temp file
6. Data on hard disk
7. Remotely logged data
8. Data stored in backups

Also note the system time, compared to an NTP server and calculate any offset. This must be done before the system is shut down.

Question 57

Describe the critical steps in chain of custody.

Answer 57

Chain of custody:

1. Record each item collected
2. Record who collected it and when
3. Write a description of the evidence
4. Place evidence in containers, and tag with info
5. Record all hash values
6. Securely transport evidence to a protected storage location
7. Obtain signature from person who accepts the evidence
8. Provide controls to prevent access to evidence
9. Securely transport evidence ot court

Question 58

Why use Forensic copies?

Answer 58

Never analyse evidence directly. A forensic copy, however, can be examined safely.

Question 59

Does a legal hold encompass metadata?

Answer 59

Yes. Alteration of metadata is a violation of a legal hold.

Question 60

What triggers a legal hold?

Answer 60

A legal hold is triggered when a party “reasonably anticipates” litigation. Often this is when another organization issues a legal hold.

Question 61

What are key consideration of evidence collection?

Answer 61

Evidence Collection - considerations:

• Who collected it
• How was it collected
• Where what it collected
• Who has had possession of it
• How was it protected and stored
• When was it removed from storage? Why? Who took possession?

Question 62

When should you do a memory dump?

Answer 62

Considerations with a memory dump:

• Important if it may be a rootkit.
• Check with legal counci before doing a memory dump it you plan on litigation. Memory dumps tend not to be used in court proceedings.

Question 63

This is a bit-by-bit copy of data on a storage device.

Answer 63

Forensic copy. It will have hash functions to prove the data integrity, and use a write filter to keep anyone from chaning the data.

Question 64

What are the sources of network traffic and logs for an investigation?

Answer 64

A live collection process is best, but not usually possible. Firewall logs, IDS logs and event logs are another source.

Question 65

Why is it important to capture video and photos during and forensics event?

Answer 65

Video and photos can answer questions that were not considered during the initial event. CCTV is also a good source of information after the fact.

Question 66

What is Time Record Offset?

Answer 66

Time Record Offset is the difference in time between a system clock and the true time. It is important to capture this during a forensics investigation.

Question 67

Why should you take hashes during an investigation?

Answer 67

Taking hashes will verify that files collected as evidence have not been altered. MD5 and SHA are depriciate, so SHA-2 or SHA-3 are best (but MD5 is still in use).

It is best to write the hashes to a read-only medium such as a CD-R.

Question 68

How should you take screenshots during a forensics incident?

Answer 68

Do not use the subject system’s screenshot utility. Instead use a digital camera.

Question 69

What are the best practices for witness interviews during a forensics event?

Answer 69

Witness Interviews:

• Do them as soon as possible.
• Have them write down what they remember

Question 70

What are some data preservation best practices during a forensics investigation?

Answer 70

Data Preservation:

• Do not power the system on once it is off.
• Copy data with a write-blocker in place
• Capture hashes for the copied data
• Maintain the chain of custody
• Never analyze the original data; only the forensic copy

Question 71

What is Recovery in a digital forensics sense?

Answer 71

In forensics, Recover is finding the digital evidence you need. This can be daunting with how much data is in storege.

Filtering through logs, using keywords and phrases, can make recovery more efficient.

Question 72

In forensics, what is Strategic Intelligence and Counterintelligence?

Answer 72

Strategic Intelligence Gathering is a defined effort to gather data. For instance setting data logs to capture events that may help forensics investigations in the future.

Counterintelligence is looking at what information others are obtaining to get an idea of their motives and future actions.

Question 73

What is Active Logging?

Answer 73

Active Logging is the initial process of determining what events will and will not be recorded with an eye to possible future forensics events.

Question 74

Why should you track man hours during a forensics event?

Answer 74

Courts may want a record of who did what and when a verification.

Question 75

What are the types of evidence?

Answer 75

Type of evidence:

• Direct - first hand
• Real - physical, objects
• Documentary - records, printouts
• Demonstrative - a model or chart used to aid the jury

Question 76

What are common rules of evidence?

Answer 76

Rules of evidence:

• Best Evidence - orginal over copy
• Esclusionary Rule - illegally obtained evidence is excluded
• Hearsay Rule - second hand evidence is not admitted

Question 77

What are types of data destruction and media sanitization?

Answer 77

Types of data destruction and media sanitization:

• Burning - including shredded discs and SSDs
• Shredding
• Pulping - paper only
• Pulverizing - HDDs
• Degaussing
• Purging - a circular buffer
• Wiping - HDD and SDD need different tools

Question 78

What are levels of data sensitivity?

Answer 78

Levels of data sensitivity:

• Confidential - policy defines when it can be disclosed and by whom. Trade secrets, software code, product designs.
• Private - disclosure would not be as damaging as with confidential, but still disruptive. Passwords.
• Public
• Proprietary - restricted due to potential comptetive use. Can be shared with a third party if labeled and under correct conditions.
• PII - Personably Identifiable Information - subject to privacy laws.
• PHI - HIPAA

Question 79

What are the common data roles?

Answer 79

Data Roles:

• Owner - defines security, privacy, retention and other business functions for the data
• Steward/Custodian - day-to-day caretaker of the data. Does not set policy.
• Privacy Officer - C-level executive - establishes policy, handles legal issues. Spearheads data minimization efforts

Question 80

What are some red flags for PII theft?

Answer 80

PII theft red flags:

• Change of address request
• Use of a long-inactive account
• Radical changes to an account
• Suspicious address or phone
• Request for credit when there is a freeze on the credit report.