Chapter 1

Question 1

Different Types of Security Decisions

Answer 1

• Rule Based Decisions:
  
  • Follow pre-existing rules
• Relativistic Decisions:
  
  • Make decisions based on surrounding environment
  • My friend does it, so I do as well
• Requirements Based Decisions:
  
  • Look at risks and choose security measures accordingly
  • Reasses as part of lifecycle

Question 2

Risk Management Framework (RMF)

Answer 2

1) Establish system and security goals
2) Select Security Controls
3) Implement Security Controls
4) Asses security controls
5) Authorize the information system
6) Monitor security controls

repeat

Note: not really geared for small enterprises

Question 3

CIA Properties

Answer 3

1) Confidentiality
2) Integrity
3) Availability

Question 4

Levels of Impact

Answer 4

1) N/A
2) Low = noticeable impact
3) Moderate = significant damage
4) High = Major catastrophic damage

Question 5

Example RMF Categorization

Answer 5

Website to publish public info:

Confidentiality: N/A
Integrity: Low
Availability: Low

Question 6

Proprietor’s RMF (PRMF)

Answer 6

Shorter, requirements-based assessment

1) Establish System and Security Goals
2) Select security controls
3) Validate the information system
4) Monitor security controls

Question 7

PRMF Risk Assessment

3 major steps

Answer 7

1) Identify Risks: assets, threat agents, attacks
2) Prioritize Risks: estimate relative impacts (impact X likelihood)
3) Establish requirements: identify security goals to address the highest-priority risks

Question 8

Continuous Improvement (basic principle)

Answer 8

Identify basic goals, measure success, adjust our work to beter achieve our goals.

Question 9

Assets

Answer 9

What is valuable to an entity, what we are trying to protect. We protect them with a boundary.

Question 10

Vulnerabilities

Answer 10

Openings in the boundaries around our assets.

Question 11

Threat Agent/Attacker

Answer 11

Individual or group that can manifest a threat. Who is doing the attacking.

Question 12

Defense/Safeguard/Countermeasure

Answer 12

something protecting an asset

Question 13

Compromised System

Answer 13

An attacked system that is unsafe to use.

Question 14

Botnet

Answer 14

When you have a network of compromised systems that are all controlled by a single attacker.

Question 15

Least Privilege (Basic Principle)

Answer 15

Restrict what people may do to an asset. Provide the minimum privileges required to a person so that they may successfully do their job.

Ex: key opens my store but not yours.

Question 16

Defense in Depth (Basic Principle)

Answer 16

We improve security by providing layers of defense.. We want to have a series of defenses protecting our most valuable assets.

Question 17

Examples of threat agents

Answer 17

Cyber criminals, criminal organizations, independent pressure groups, national actors

Question 18

Profiling threat agents

Answer 18

Goals, Typical mode of operation (MO), Level of motivation, Capabilities and logistical constraints, references

Question 19

Types of attacks

Answer 19

1) Physical Theft: an availability attack
2) Denial of Service: Availability attack
3) Subversion: modify system to work for the threat agent
4) Masquerade: system works on behalf of the wrong user
5) Disclosure: attack on confidentiality
6) Forgery: Bogus messages given to computers

Question 20

Principle Risks

Answer 20

Risks with the highest impacts

Question 21

Possible cases of finding vulnerabilities

Answer 21

1) authorized search of system
2) unauthorized search of system
3) unplanned/unexpected discovery