ch 15 Flashcards
A situation that involves exposure to some type of danger
Risk
To create a level of protection that mitigates the vulnerabilities to the threats and reduces the potential consequences
Managing risk
A formal process of examining the seriousness of a potential threat as well as the likelihood that it will be carried out
Threat assessment
What classification of threat is an action that affects the long-term goals of the organization?
strategic
What classification of threat is following (or not following) a regulation or standard?
compliance
What classification of threat is the impact of financial decisions or market factors?
financial
What classification of threat is an event that impacts the daily business of the organisation?
operational
What classification of threat is an event that affects information technology systems?
technical
What classification of threat is an action related to the management of the organisation?
managerial
a network that moves a product from the supplier to the customer
Should be viewed as assets to the enterprise and their threats should be cataloged
Supply chain
Involves an automated software vulnerability scan through a system
Testing
Attempts to actually penetrate the system to perform a simulated attack
Intrusive vulnerability scan
Uses only available information to hypothesize the status of the vulnerability
Non-intrusive vulnerability scan
Designed to exploit any weaknesses in systems that are vulnerable
Penetration testing authorization should be obtained
Penetration test (pentest)
Methodology for making modifications and keeping track of changes
Ensures proper documentation of changes so future changes have less chance of creating a vulnerability
Change management
Two major types of changes that need proper documentation
Changes to system architecture
Changes to file or document classification
(C M T)
Change management team
Subject’s access level over an object, such as a file
Privilege
Body responsible for overseeing the changes
Change management team (C M T)
Process of assigning and revoking privileges to objects
Privilege management
Periodically reviewing a subject’s privileges over an object
Objective: determine if subject has the correct privileges
Privilege auditing
Components required to identify, analyze, and contain an incident
Incident response
Planning, coordination, communications, and planning functions needed to resolve incident
Incident handling
The “framework” and functions required to enable incident response and incident handling within an organization
Incident management
uses an “educated guess” based on observation
Typically assigns a numeric value (1-10) or label (High, Medium, or Low) that represents the risk
Qualitative risk calculation
attempts to create “hard” numbers associated with the risk of an element in a system by using historical data
Can be divided into the likelihood of a risk and the impact of a risk being successful
Quantitative risk calculation
(M T B F)
Mean Time Between Failure
(M T T R)
Mean Time To Recovery
(M T T F)
Mean Time To Failure
(F I T)
Failure In Time
(A R O)
Annualized Rate of Occurrence
Historical data can be used to determine the likelihood of a risk occurring within a year
Annualized Rate of Occurrence (A R O)
Comparing the monetary loss associated with an asset in order to determine the amount of money that would be lost if the risk occurred
Risk Impact
expected monetary loss every time a risk occurs
Single Loss Expectancy (S L E)
expected monetary loss that can be expected for an asset due to risk over a one-year period
Annualized Loss Expectancy (A L E)
(S L E)
Single Loss Expectancy
(A L E)
Annualized Loss Expectancy
SLE = AV x EF
Single Loss Expectancy (S L E)
ALE = SLE x ARO
Annualized Loss Expectancy (A L E)
Any device or process that is used to reduce risk
Security control
Processes for developing and ensuring that policies and procedures are carried out
Administrative controls
Security controls carried out or managed by devices
Technical controls
makes a third party responsible for the risk
Transference
Involves identifying the risk and making the decision to not engage in the activity
Risk avoidance
the attempt to address the risk by making it less serious
Mitigation
Can be defined as that which replaces human physical activity
Automation
the ability to continue to function as the size or volume of the enterprise data center expands to meet the growing demands
Scalability
The ability to revert to its former size after expanding
Elasticity
Sustained and continual surveillance
Continuous monitoring
available to help I T security personnel configure hardware devices and software to repel attacks
Secure configuration guides
useful for configuring web servers, O S s, application servers, and network infrastructure devices
Vendor-specific guides
Reviewing the configuration of systems to determine if security settings are correct
Configuration validation
A copy of a properly configured and secured computer software system that can be replicated to other computers
Eliminates the need for configuring individualized security settings
Master image
A type of document in which the standardized content has already been created
The user needs only to enter specialized and variable components
Reduces the amount of data to be entered and helps minimize errors that could introduce a risk
Template
used to ensure that unwanted data is not carried forward (clean image is used)
Non-persistence tools
What is a “lightweight” bootable image on a USB flash drive or optical media?
live boot media
What is restoring a device to a previous secure condition?
revert to unknown state
What is undoing recent changes that cause errors or weaken security?
rollback to unknown configuration
What is an instance (image) of a virtual machine?
snapshot
Practices for reducing risk:
Security policies
Awareness and training
Agreements
Personnel management
Communicates a consensus of judgment
Defines appropriate behavior for users
Identifies what tools and procedures are needed
Definition of a Policy
A written document that states how an organization plans to protect the company‘s information technology assets
Security Policy
An overall intention and direction, formally expressed by the organization’s management
Details specific risks and how to address them
Provides controls to direct employee behavior
Helps create a security-aware organizational culture
Security policy functions
Three approaches to trust
Trust everyone all of the time
Trust no one at any time
Trust some people some of the time
(A U P)
Acceptable Use Policy
Policy that defines actions users may perform while accessing systems
Users include employees, vendors, contractors, and visitors
Typically covers all computer use, including mobile devices
Acceptable Use Policy (A U P)
grouping individuals and organizations into clusters or groups based on some sort of affiliation
Social media network
Outlines acceptable employee use of social media and how it is to be enforced
Social media policy
training styles
Visual
Auditory
Kinesthetic
Formal contractual relationships as they relate to security policy and procedures
Part of the standard operating procedures, or those actions and conduct that are considered normal
Interoperability agreements
(S L A)
Service Level Agreement
specifies what services will be provided and the responsibilities of each party
Service Level Agreement (S L A)
(B P A)
Blanket Purchase Agreement
a prearranged purchase or sale agreement between a government agency and a business
Blanket Purchase Agreement (B P A)
(M O U)
Memorandum of Understanding
describes an agreement between two or more parties
Memorandum of Understanding (M O U)
(I S A)
Interconnection Security Agreement
an agreement that is intended to minimize security risks for data transmitted across a network
Interconnection Security Agreement (I S A)
(N D A)
Non-disclosure agreement
A legal contract that specifies how confidential material will be shared between parties but restricted to others
Non-disclosure agreement (N D A)
The process of authenticating the information supplied to a potential employer by a job applicant in the applicant’s resume, application, and interviews
background check
A “wrap-up” meeting between management representatives and the person leaving an organization either voluntarily or through termination
exit interview