5.0 - Risk Management Flashcards

1
Q

This is a legal agreement between partners that establishes the terms of the relationship, including sharing of profits and losses and responsibilities.

A

BPA (Business Partnership Agreement)

2
Q

This document details the expectations between a customer and a service provider. It can define specific services, level of expectation, issue management and resolution, etc. This is a legally binding document.

A

SLA (Service Level Agreement)

3
Q

This is a specialized agreement between organizations that have interconnected IT systems. It can be part of an MOU.

A

ISA (Interconnection Security Agreement)

4
Q

These documents describe the relationship between two parties in pursuit of a common goal.

A

MOU (Memorandum of Understanding)

MOA (Memorandum of Agreement)

They are not typically legally binding. MOUs tend to be more high-level, but the lines are blurry.

5
Q

Why are mandatory vacations a security measure?

A

Employees who never take time off may be hiding something, such as embezzlement. Mandatory vacations are a tool to detect fraud, and they create the need for cross-training.

6
Q

How is Job Rotation useful?

A

Job Rotation through security helps other IT employees understand the security needs of the organization.

It is also a form of cross-training.

7
Q

Why is separation of duties important?

A

Separation of duties:

  • Makes it difficult for one bad actor to cause damage.
  • Keeps individuals from being indispensable, since no single person has the keys to the kingdom.
8
Q

What is a clean desk policy?

A

A clean desk policy states that sensitive information is not left unattended.

9
Q

What is Role-Based Awareness Training?

A

Role-Based Awareness Training is security training attuned to the job role of the user. This is important even for non-IT users, such as managers.

Re-training over time is also important, as is re-assessment of training curriculum as job roles change.

10
Q

Who owns the data?

A

Data Ownership should be defined. Data ownership is a business function.

11
Q

Should a system admin set policy?

A

A System Admin has nearly complete control over a system, but the system owner (usually the business unit) should be setting policy on how the system is used and configured.

12
Q

Define types of users.

A

Types of users:

  • User - minimal access
  • Privileged user - extra access, tailored to their job role
  • Executive user - access is granted for their job role, but the principle of least privilege still applies. Even the CIO should not have full access, as she will not need it on a daily basis.
13
Q

How should onboarding work from a security perspective?

A

Onboarding should make personnel aware of their responsibilities regarding security. Onboarding and offboarding procedures should be well-documented.

14
Q

This document defines how an employee should use resources, including computers, email, internet, and network access. It should also state how the organization will monitor the employee’s use of these resources.

A

AUP (Acceptable Use Policy)

This often goes hand in hand with the Internet Use Policy.

15
Q

What are the two common policies for violation of company policy?

A

Common Adverse Action responses are:

  • Zero-tolerance - always terminate the employee.
  • Discretionary Action - “violations will be punished via a range of HR actions, up to and including termination.”
16
Q

This high-level document defines the overall security attitude of the organization.

A

Security Policy or General Security Policy.

17
Q

What are the challenges presented by social media networks and applications?

A

A social media network could be considered a third party when it is used for marketing or communication; however, no SLA or MOA will exist with them.

Social media is a possible conduit for malware.

Social media contributes to employee inefficiency.

18
Q

What risks does personal email represent?

A

A litigation hold on an employee’s personal email residing on a company system is problematic.

It is a channel for malware.

19
Q

What is a defense against the issues brought by social media, web use and personal email?

A

Users should be trained to be cognizant of the risks to the organization when using these services.

20
Q

What is a BIA document?

A

A BIA (Business Impact Analysis) document addresses sources of risk and steps taken to mitigate it. It will also outline how the loss of critical functions will impact the organization.

21
Q

What is RTO?

A

RTO (Recovery Time Objective) is the amount of time before normal operations resume after an incident. A shorter RTO translates to greater recovery costs.

22
Q

What is RPO?

A

RPO (Recovery Point Objective) is the maximum time of acceptable data loss. RPO defines the cadence of data backup operations.

23
Q

What is MTBF?

A

MTBF is Mean Time Between Failures: how often a system fails.

MTBF = time in service / number of failures

10 years of service with 2 failures = MTBF of 5 years.

24
Q

What is MTTR?

A

MTTR (Mean Time To Recovery) is how long it will take to get a failed system back online. This may account for repairs and hardware sourcing.

MTTR = Total Downtime / Number of breakdowns

It failed 5 times for a total of 2.5 hours of downtime. 2.5 hours / 5 = MTTR of 30 minutes.

25
Q

How do you calculate availability?

A

Availability = MTBF / (MTBF + MTTR)

MTBF of 6 months

MTTR of 30 minutes

6 months / (6 months + 30 minutes) = 99.9884% availability

26
Q

Risk vs. Impact?

A

Risk is the chance of something happening.

Impact is the cost of it happening.

27
Q

What is a PIA?

A

A PIA (Privacy Impact Assessment) looks at how personally identifiable information (PII) is handled, and assesses how secure and compliant the business practices around PII are.

28
Q

What is a Privacy Threshold Assessment?

A

A Privacy Threshold Assessment analyzes whether PII is collected and maintained by a system. This step must be performed before a PIA (Privacy Impact Assessment).

29
Q

What does a Threat Assessment encompass?

A

A Threat Assessment is a structured analysis of the threats that confront an enterprise. Each is given a likelihood. They may include:

  • Environmental
  • Manmade
  • Internal or external
30
Q

What is SLE?

A

SLE (Single Loss Expectancy) is the value of a single loss event. It is the asset value times the exposure factor (a percentage of the capability of the company).

SLE = asset value x exposure factor

$2 million building that houses 1/4 of the company business = SLE of $500,000

31
Q

What is ARO?

A

ARO (Annualized Rate of Occurrence) is the frequency of an event. If you get hit by lightning every 20 years, then your lightning strike ARO is 1/20.

32
Q

What is ALE?

A

ALE (Annual Loss Expectancy) is the SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence).

SLE = $1 million ($4m building housing 1/4 of ops)

ARO = 1/10 (once every 10 years)

ALE = $100,000. Expect to spend that much every year for this loss.

33
Q

What is a Risk Register?

A

A Risk Register is a list of risks associated with a system.

34
Q

What criteria can be used to determine Impact.

A

Impact criteria can include:

  • Cost
  • Performance (in an SLA for instance)
  • Schedule (deliverables)
35
Q

Quantitative vs. Qualitative risk analysis?

A

Quantitative requires historical data and relies on measurable variables.

Qualitative is subjective and uses expert judgement, experience and group consensus. Terms such as Low/Medium/High are common; however, numbers can be assigned to the subjective judgements.

36
Q

What should Penetration and Vulnerability Testing Authorization include?

A

Testing Authorization should be in writing and include:

  • Scope of tests
  • Timeframe
  • A communication plan
  • Permission of the system owner
37
Q

What are the four Risk Response Techniques?

A

You cannot remove a risk, but there are Risk Responses:

  • Avoid - alter your exposure
  • Transfer - purchase insurance, credit cards
  • Mitigate - alter your response to reduce the impact
  • Accept - if the cost to avoid, transfer or mitigate is too high

The risk that remains after these responses is called the Residual Risk.

38
Q

What is a Deterrent Control?

A

A Deterrent Control discourages the attacker. Law and regulations that increase punishment.

39
Q

What is a Preventive Control?

A

A Preventive Control prevents specific actions. Mantrap, firewall.

40
Q

What is a Detective Control?

A

A Detective Control detects a security breach. Alarms, and IDS.

41
Q

What is a Corrective Control?

A

A Corrective Control is used post event to minimize damage. Backups.

42
Q

What is a Compensating Control?

A

A Compensating Control is used when no control is available to directly address the threat. A fire suppression system cannot prevent fire damage, but it will mitigate it.

43
Q

What types of controls tend to be mutually exclusive?

A

These controls tend not to overlap in definition:

  • Deterrent
  • Preventive
  • Detective
  • Corrective
  • Compensating
44
Q

What is a Technical Control?

A

A Technical Control uses technology to address a physical security issue. Biometrics for example.

45
Q

What is an Administrative Control?

A

An Administrative Control is a policy used to limit security risk.

46
Q

What is a Physical Control?

A

A Physical Control prevents specific physical actions from occurring. A Mantrap is a physical control.

47
Q

What are some common Documented Incident Types?

A

Incidents are often categorized. Some are:

  • Interruption of service
  • Malicious communication
  • Data Exfiltration
  • Malware delivery
  • Phishing attack
48
Q

In what order are the Incident Response Phases performed?

A

Incident Response Phases:

  1. Preparation - done before an incident occurs. Correct logging and reporting in place; plans developed; teams defined.
  2. Identification - Are events worthy of an IR?
  3. Containment - stop the threat
  4. Eradication - remove the threat
  5. Recovery - return assets to production; resume normal business operations
  6. Lessons Learned - Document what went wrong, corrective measures, and how the IR effort went.
49
Q

What are the types of recovery sites?

A

Recovery sites:

  • Hot - fully functional, ready immediately or within a few hours. Has duplicate current data, or recent backup.
  • Warm - missing some hardware. Ready in a few days. Has backup data days to weeks old.
  • Cold - basic environmental controls but few computing components. Weeks from readiness. No current or backup data at site.
50
Q

What factors play in the order of restoration?

A

Order of Restoration is influenced by:

  • Dependency - what system is dependent on another
  • Criticality - which systems are most important to the business.
51
Q

Describe a Differential Backup.

A

Differential Backup:

  • Only files changed since last full backup
  • Archive bit is not reset
  • Each Differential backup will be larger until another full backup is taken.
  • Restoration: 2 steps - Load most recent full backup, then just the most recent differential backup.
52
Q

Describe an Incremental Backup:

A

Incremental Backup:

  • Only files since last full backup
  • Archive bit is reset
  • Smaller backup files than differential
  • Restoration - more steps - first load last full backup, then each incremental backup, in chronological order.
  • Faster, smaller backup but longer recovery time.
53
Q

What are backup geographic considerations?

A

Geographic considerations:

  • Off-site?
  • Distance - time to restore
  • Location selection - security, HVAC, flooding, theft
  • Legal implications - especially across borders or in the cloud
  • Data Sovereignty - some countries require that data created within their shores must stay there.
54
Q

What are some considerations when planning Continuity of Operations?

A

Continuity of Operations considerations:

  • Critical assets
  • Critical personnel
  • Interdependencies
55
Q

What are the two functions of an After-Action Report?

A

After Action Reports should:

  • Document the level of operations upon transfer to the backup system.
  • How the change from normal to continuity systems occurred. What went well and what went wrong.
56
Q

What is the order of volatility when handling a forensics issue?

A

Forensics order of volatility:

  1. CPU, cache, register contents
  2. Routing tables, ARP cache, process tables, kernel statistics
  3. Live network connections and data flows
  4. Memory
  5. Temp files
  6. Data on hard disk
  7. Remotely logged data
  8. Data stored in backups

Also note the system time, compare it to an NTP server, and calculate any offset. This must be done before the system is shut down.

57
Q

Describe the critical steps in chain of custody.

A

Chain of custody:

  1. Record each item collected
  2. Record who collected it and when
  3. Write a description of the evidence
  4. Place evidence in containers, and tag with info
  5. Record all hash values
  6. Securely transport evidence to a protected storage location
  7. Obtain signature from person who accepts the evidence
  8. Provide controls to prevent access to evidence
  9. Securely transport evidence to court
58
Q

Why use Forensic copies?

A

Never analyze evidence directly. A forensic copy, however, can be examined safely.

59
Q

Does a legal hold encompass metadata?

A

Yes. Alteration of metadata is a violation of a legal hold.

60
Q

What triggers a legal hold?

A

A legal hold is triggered when a party “reasonably anticipates” litigation. Often this is when another organization issues a legal hold.

61
Q

What are the key considerations of evidence collection?

A

Evidence Collection - considerations:

  • Who collected it
  • How was it collected
  • Where was it collected
  • Who has had possession of it
  • How was it protected and stored
  • When was it removed from storage? Why? Who took possession?
62
Q

When should you do a memory dump?

A

Considerations with a memory dump:

  • Important if it may be a rootkit.
  • Check with legal counsel before doing a memory dump if you plan on litigation. Memory dumps tend not to be used in court proceedings.
63
Q

This is a bit-by-bit copy of data on a storage device.

A

Forensic copy. It will have hash values to prove the data integrity, and use a write blocker to keep anyone from changing the data.

64
Q

What are the sources of network traffic and logs for an investigation?

A

A live collection process is best, but not usually possible. Firewall logs, IDS logs and event logs are another source.

65
Q

Why is it important to capture video and photos during a forensics event?

A

Video and photos can answer questions that were not considered during the initial event. CCTV is also a good source of information after the fact.

66
Q

What is Time Record Offset?

A

Time Record Offset is the difference in time between a system clock and the true time. It is important to capture this during a forensics investigation.

67
Q

Why should you take hashes during an investigation?

A

Taking hashes will verify that files collected as evidence have not been altered. MD5 and SHA-1 are deprecated, so SHA-2 or SHA-3 are best (but MD5 is still in use).

It is best to write the hashes to a read-only medium such as a CD-R.

68
Q

How should you take screenshots during a forensics incident?

A

Do not use the subject system’s screenshot utility. Instead use a digital camera.

69
Q

What are the best practices for witness interviews during a forensics event?

A

Witness Interviews:

  • Do them as soon as possible.
  • Have them write down what they remember
70
Q

What are some data preservation best practices during a forensics investigation?

A

Data Preservation:

  • Do not power the system on once it is off.
  • Copy data with a write-blocker in place
  • Capture hashes for the copied data
  • Maintain the chain of custody
  • Never analyze the original data; only the forensic copy
71
Q

What is Recovery in a digital forensics sense?

A

In forensics, Recovery is finding the digital evidence you need. This can be daunting given how much data is in storage.

Filtering through logs, using keywords and phrases, can make recovery more efficient.

72
Q

In forensics, what is Strategic Intelligence and Counterintelligence?

A

Strategic Intelligence Gathering is a defined effort to gather data. For instance, setting data logs to capture events that may help forensics investigations in the future.

Counterintelligence is looking at what information others are obtaining to get an idea of their motives and future actions.

73
Q

What is Active Logging?

A

Active Logging is the initial process of determining what events will and will not be recorded with an eye to possible future forensics events.

74
Q

Why should you track man hours during a forensics event?

A

Courts may want a record of who did what and when as verification.

75
Q

What are the types of evidence?

A

Type of evidence:

  • Direct - first hand
  • Real - physical, objects
  • Documentary - records, printouts
  • Demonstrative - a model or chart used to aid the jury
76
Q

What are common rules of evidence?

A

Rules of evidence:

  • Best Evidence - original over copy
  • Exclusionary Rule - illegally obtained evidence is excluded
  • Hearsay Rule - second hand evidence is not admitted
77
Q

What are types of data destruction and media sanitization?

A

Types of data destruction and media sanitization:

  • Burning - including shredded discs and SSDs
  • Shredding
  • Pulping - paper only
  • Pulverizing - HDDs
  • Degaussing
  • Purging - a circular buffer
  • Wiping - HDD and SDD need different tools
78
Q

What are levels of data sensitivity?

A

Levels of data sensitivity:

  • Confidential - policy defines when it can be disclosed and by whom. Trade secrets, software code, product designs.
  • Private - disclosure would not be as damaging as with confidential, but still disruptive. Passwords.
  • Public
  • Proprietary - restricted due to potential competitive use. Can be shared with a third party if labeled and under correct conditions.
  • PII - Personally Identifiable Information - subject to privacy laws.
  • PHI - HIPAA
79
Q

What are the common data roles?

A

Data Roles:

  • Owner - defines security, privacy, retention and other business functions for the data
  • Steward/Custodian - day-to-day caretaker of the data. Does not set policy.
  • Privacy Officer - C-level executive - establishes policy, handles legal issues. Spearheads data minimization efforts
80
Q

What are some red flags for PII theft?

A

PII theft red flags:

  • Change of address request
  • Use of a long-inactive account
  • Radical changes to an account
  • Suspicious address or phone
  • Request for credit when there is a freeze on the credit report.