Chapter 1 Flashcards
AAA
Identification
Authentication
Authorization
Auditing
Accounting
Security Management Planning
Strategic plan - long term (5 years)
Tactical plan - 1 year
Operational plan - detailed, short-term; supports the strategic and tactical plans
Most important step in organization, hardware, software, and service acquisition:
Identify risks
Security roles (CISSP)
Senior management (approve policy)
Security professional (writes and implements policy)
Asset owner (responsible for protection; security classifications)
Custodian (day to day protection activities)
User
Auditor
COBIT
- security framework reference
- used for auditing
6 Principles:
1. Provide Stakeholder Value
2. Holistic Approach
3. Dynamic Governance System
4. Governance Distinct from Management
5. Tailored to Enterprise Needs
6. End-to-End Governance System
4 Domains:
1. Plan and organize
2. Acquire and implement
3. Deliver and support
4. Monitor and evaluate
SABSA
(Sherwood Applied Business Security Architecture)
Risk-driven and business focused security architecture; often used by large orgs
- Risk focused
- Business driven
- Layered approach: business context, information domain, systems, technology, physical security
- is a Framework and Methodology
- offers Certification
PCI DSS
Key components:
- Data security
- Network security
- Access control
- Regular monitoring & testing
- Info security policies
- Vulnerability mgmt
- Physical security
- Incident response planning
- Compliance audits - through Qualified Security Assessors (QSA) or Internal Security Assessors (ISA)
FedRAMP
(Federal Risk and Authorization Mgmt Program)
- For cloud services used by fed agencies
- To standardize security assessment, authorization and continuous monitoring of cloud products and services
Key elements:
- Security standardization
- Authorization process
- Continuous monitoring
- Reuse authorizations - from one agency to another
- Collaboration - agency, CSP, 3rd party assessor
- 3 impact levels
- Provides a Compliance framework
Due Diligence - planning
Due Care - implementing
Senior management - show due diligence and due care
Due diligence - Do detect
Due care - Do correct
Documentation review
For gov't agencies
ATO (Authorization to Operate)
Security Management Plan:
Policy, Standards, Procedures, Guidelines
Policy - scope
Standards - support policy
Baseline - minimum level of security that all assets, systems, etc. must meet
Procedures - satisfy standards
Guidelines - recommendations only
Threat Modeling
- Identify
- Categorize
- Analyze
STRIDE - Microsoft, s/w development, threat categorization
PASTA - risk centric around value of assets
VAST (Visual, Agile, and Simple Threat) - for agile development
STRIDE
Spoofing
Tampering
Repudiation
Info disclosure
Denial of service
Elevation of privilege
PASTA
(Threat modeling)
7 stages:
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)
Reduction analysis or decomposition of system
Diagram that shows:
Trust boundaries
Data flow
Input points
Privileged operations
Security policy
Threat modeling - Focus on threats
Risk assessment - Focus on assets
Rank threats (Threat modeling)
Probability x Damage
High/Med/Low Matrix
DREAD
DREAD
(Rank threats)
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
Security must be cost-effective
Select controls that provide most protection with lowest cost
Defense in breadth
Diversity of defense
Use range of security products from different vendors
Supply Chain Risk Mgmt
(SCRM)
SLR - service level requirements
SLA - service level agreement to satisfy the requirements
Each link in the chain should be responsible and accountable to the next
SCRM should incorporate:
- silicon RoT
- PUF
- SBOM
Incorporate Silicon Root of Trust (RoT) - collection of software and hardware that ensures the CIA of the system's boot process and software
- Tamper resistant
- Secure boot
- Crypto operations
- Remote attestation - allow remote entities to verify trustworthiness
PUF - physically unclonable function; hardware component that creates a unique signature for the electronic device or IC
SBOM - Software Bill of Materials