Chapter 1 - Security Governance Through Principles and Policies Flashcards
Define Confidentiality
Protection of secrecy of the data/Prevention of unauthorized access to data.
Encryption would prevent a violation of which area of the CIA triad?
Confidentiality
Define Integrity
Protecting reliability and correctness of data/prevention of unauthorized alteration of data.
Intrusion detection systems and strict access control are countermeasures to ensure which area of the CIA triad?
Integrity
Availability
Timely and uninterrupted access to data/prevention of DDoS attacks.
Implementing redundancy, installing firewalls, and maintaining backup systems are countermeasures that ensure which area of the CIA triad?
Availability
In the DAD triad, what is the opposite of Confidentiality?
A failure in confidentiality results in Disclosure
In the DAD triad, what is the opposite of Integrity?
A failure in integrity results in Alteration
In the DAD triad, what is the opposite of Availability?
A failure in availability results in Destruction
Authenticity
Users have a high level of confidence that data was sent from the alleged source without being manipulated in transit.
Non-Repudiation
Users are not able to take actions on the network without the action being attributed to them.
How many services are aligned to the AAA security mechanism?
5
Identification
The mechanism for presenting who the user is to the system (username, smart card, facial presentation).
Authentication
Proof that the claimed identity is accurate - a password or PIN.
Authorization
Defining permissions and assigning them to the user for resources.
Auditing
Recording logs of events and activities related to the system and its subjects.
Accounting
Reviewing the log files to check for compliance and violations in order to hold users accountable for their actions.
The use of multiple controls in series is known as…?
Defense in Depth
Is defense-in-depth done in parallel or in series?
In series - if one layer of the defense fails, the system remains uncompromised. If done in parallel, one failure could expose the whole system to compromise.
Name other terms often used in relation to defense-in-depth besides layering.
Classifications, zones, realms, compartments, silos, segmentations, lattice structure, protection rings.
Abstraction
Used for efficiency - used when classifying objects or assigning roles.
Data Hiding
Users cannot see or access data in a higher classification than they are able to see
Encryption
Hiding the meaning of communication from unintended recipients.
What is the line of intersection between any two areas, subnets, or environments that have different security needs?
Security Boundary
The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligations, or licensing requirements
Third-Party Governance
An example of auditing protocols that have a specific checklist of requirements to investigate:
COBIT - Control Objectives for Information and Related Technology
What is COBIT?
Control Objectives for Information and Related Technology - An example of auditing protocols that have a specific checklist of requirements to investigate.
If an organization fails to provide sufficient documentation to meet the requirements of third-party governance, what are the repercussions?
Loss or void of ATO - ATO cannot be reestablished without an on-site review showing full compliance.
What is a business case?
Documented need within the organization that conveys the purpose of the security approach.
Should security management planning be led by the IT staff in a bottom-up approach or from the management in a top-down approach?
Top-down approach.
What is a strategic plan?
Fairly stable
Long term
5-year lifespan, maintained annually
Includes risk assessment
What is a tactical plan?
Provides more details on accomplishing the goals of the strategic plan
Can be crafted ad hoc in response to unpredicted events
Midterm
1-year lifespan
What is an operational plan?
Highly detailed
Short term
Useful for a month or a quarter and updated often
Who is the person ultimately responsible for the security maintained by the organization and who should be most concerned about the protection of its assets?
Security Manager
Who implements and writes security policies but does not have the authority to make final decisions or sign the security policies?
Security Professional
What is the asset owner responsible for?
Classifying information for placement and protection within the security solution.
What is the custodian responsible for?
All activities necessary to provide adequate protection for the CIA triad of data and to fulfill the requirements established by senior management.
What do you call any person who has access to the secured system? What is their responsibility?
User - responsible for understanding and upholding the security policy of the organization.
What is an auditor responsible for?
Reviewing and verifying that the security policy is properly implemented and that the derived security solutions are adequate.
Who produces compliance and effectiveness reports that are reviewed by senior management?
Auditor
Six key principles of COBIT
Provide Stakeholder Value, Holistic Approach, Dynamic Governance System, Governance Distinct from Management, Tailored to Enterprise Needs, End-to-End Governance System
NIST 800-53 Rev. 5 Security and privacy controls for information systems and organizations
US government-sourced general recommendations for organizational security.
Center for Internet Security
OS, application, and hardware security configuration guides
NIST Risk Management framework
Establishes mandatory requirements for federal agencies. Six phases: Categorize, Select, Implement, Assess, Authorize, Monitor.
NIST Cybersecurity Framework
Applies to critical infrastructure and commercial organizations. Five functions: Identify, Protect, Detect, Respond, Recover.
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
International Standard that is the basis of implementing organizational security and related management practices
Information Technology Infrastructure Library (ITIL)
Set of recommended best practices for the optimization of IT services to support business growth, transformation, and change.
How IT and security are best integrated with and aligned to the objectives of an organization
Due Diligence
Establishing the plan, policy, and process to protect the interests of the organization.
Due Care
Practicing the individual activities that maintain the due diligence effort; the actual execution.
Security Policies
The document that defines the scope of security required by the organization and defines which assets require protection.
Objectives
Visions
Goals
Organizational Security Policy
Issues relevant to the aspects of the organization
Issue Specific Security Policy
Focuses on a specific network, function, department, or service of the organization and is kept separate from the organizational policy.
System-specific Security Policy
Focuses on prescribing hardware/software specific to the individual systems or system types.
Standards
Compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.
Baseline
The minimum level of security every system throughout the organization must meet.
If the system does not meet the baseline it should be taken out of production until it can be brought up to the baseline.
Guideline
Recommendations on how standards and baselines are implemented. Operational guide for security professionals and users.
Procedure
A detailed step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.
What does the threat categorization scheme STRIDE stand for?
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Spoofing
Falsifying identity to gain unauthorized access to the system.
Tampering
Any action that changes or manipulates data in transit or in storage.
Repudiation
The ability of users to deny taking action on the network by maintaining plausible deniability.
Information Disclosure
The release of private, confidential, or controlled information.
Denial of Service
An attack that attempts to prevent authorized use of a resource.
Elevation of privilege
A limited user account is transformed into an account with many more privileges, accesses, and powers than the account should have.
What are the stages of PASTA?
Process for Attack Simulation and Threat Analysis
I. Definition of the objectives (DO)
II. Definition of the technical scope (DTS)
III. Application decomposition and analysis (ADA)
IV. Threat Analysis (TA)
V. Weakness and Vulnerability Analysis (WVA)
VI. Attack Modeling & Simulation (AMS)
VII. Risk Analysis & Management (RAM)
In the decomposition process, there are five key concepts - what are they?
Trust Boundaries, Dataflow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach
In the decomposition process, what is any location where the level of trust or security changes?
Trust Boundary
In the decomposition process, what is described by the movement of data between locations?
Dataflow path
In the decomposition process, what is any location where external input is received?
Input Location
In the decomposition process, what describes an activity that requires greater privileges than those of a standard user account or process?
Privileged Operation
In the decomposition process, what encompasses the declaration of the security policy, security foundations, and security assumptions?
Details about security stance and approach
What are three systems used to prioritize threats?
Probability (1-10) x Damage potential ranking (1-10): Overall score of 1-100
High/Medium/Low heat map of probability vs. damage
DREAD (damage potential | reproducibility | exploitability | affected users | discoverability)
Goals of a secure supply chain
sufficient quality
meets performance/operational goals
provides stated security mechanisms
What agreement exists between the organization and the supplier to ensure the security expectations of the final product?
Service Level Agreement (SLA) - ensures that security is a prescribed component of the contracted service. Should incorporate elements of the SLR.