Chapter 10 - Cybersecurity tools, techniques and reporting Flashcards

1
Q

Why use forensic analysis?

A
  • Determine cause, culprits and consequences of a breach to ensure it cannot be repeated and to address the damage caused
  • Requires an expert to carry it out properly
  • May require actions that compromise process of preserving evidence
2
Q

Levels of forensic analysis:

A
  • System level analysis – has the threat affected the entire system or just parts of it?
  • Storage analysis – has the threat affected data stored by the org?
  • Network analysis – could the threat have come from an outside source via the network?
3
Q

Malware analysis:

A

Determining how the code behind a piece of malware works, in order to find a way to remove it or a way of disabling it

4
Q

What is reverse engineering?

A

Allows you to understand how something works by taking it apart and then attempting to replicate it at a base level

5
Q

Responding to malware:

A
  • Reverse engineering uses decompilation and disassembly techniques to break the malware down into different forms of code to understand how it works and what it is intending to achieve - once they understand how it works, reverse engineers can create solutions to the malware
  • Quarantine the endpoint using segmented networks
  • Learn from malware – understand how it came in, how it spread and how it functions
  • Prevention – upgrade patches, security policies or firewall settings
6
Q

What is penetration testing?

A
  • Systematic process of probing for vulnerabilities in applications and networks
  • Controlled form of hacking undertaken by a white-hat hacker
  • Penetration testing is essential if an org has previously suffered a cybersecurity breach or the risk of such an event has increased
7
Q

Types of penetration testing:

A
  • Connections with the internet
  • Connections between org’s own users
  • Creating web applications
  • Simulating phishing and social engineering testing
8
Q

What does penetration testing involve?

A
  • Attack is simulated to see where vulnerabilities are, what impact they might have and what actions an org can take to counter them
  • Test can be done remotely via a network or on site
  • It can look at individual systems or all systems together
9
Q

White, grey and black-box testing:

A
  1. White-box testing:
    * Allowed to access the entire network to review the way in which system works
    * Quality check used at the creation stage but only in what has been coded
  2. Grey-box testing:
    * Access is granted at user level privileges only
  3. Black-box testing:
    * No privilege info is shared, up to the tester to find a way in however they can
    * Only focuses on the user’s perspective, as it looks only at the system’s outputs and has no visibility of the way the system operates
    * Looks at what the system actually produces, regardless of what went into creating it, and is therefore adopted as part of user testing
    * Takes longer and is more expensive
10
Q

UK National Cyber Security Centre (NCSC) advice on data security controls:

A
  • Appropriate devices and operating systems should be selected
  • Policy for employees who bring own devices to work
  • Network should be treated as unsecure and encryption technology should be adopted
  • All data travelling between two points on a network – IPSec should be used for more secure connection
  • One single data stream – transport layer security (TLS) should be used for secure encrypted communication
  • Peer-to-peer – MIKEY-SAKKE should be used for real-time encryption
  • No single system should be used for all data, as it could be exploited
  • Services on network can be managed locally to stay in control of operations or cloud providers can be used to harness their expertise
  • Once reviewed and implemented, constant monitoring to ensure it stays effective
11
Q

What is IPSec?

A

IP security is a suite of protocols that interact with one another to provide secure private communications across IP networks (uses whatever security protocols that are in place on network)

12
Q

What is TLS?

A

Transport Layer Security provides secure communications but carries its own form of encryption and uses own security protocols

13
Q

What is MIKEY-SAKKE?

A

Protocol that allows orgs to provide secure communications with end-to-end encryption

14
Q

NCSC guidance on how management should control, direct and communicate cybersecurity risk management activities as part of security governance:

A
  • Covers how cybersecurity happens within an org and who leads it
  • Depends on your org
  • Link cybersecurity with org’s objectives
  • Identifies individuals with responsibility for making security decisions
  • System of feedback, empowerment and accountability to ensure effective cybersecurity governance, connected to existing governance arrangements
15
Q

NCSC cybersecurity reporting needs:

A

Internal:
* Org’s core values and why they are core values
* Risks the org is prepared to take
External:
* Risk management and decision-making context
* What needs to be protected and why
* Reliance placed on one party by another when protecting its assets

16
Q

Cybersecurity risk management program (CRMP):

A
  • CRMP is a formal approach to explaining the approach used by an org to manage its cybersecurity risks
  • Need to balance costs and benefit when creating CRMP
  • Risk management techniques within CRMP can be twofold – component driven (risks of individual components) or system-driven (purpose of overall system, how details work together to allow risk management to happen)
  • Not a tick-box approach – series of options to consider when deciding on the approach that best suits org and its cybersecurity needs
17
Q

SOC for cybersecurity framework:

A
  • Description criteria = describes entity’s CRMP
  • Control criteria = management assess the effectiveness of controls used in program
  • Attestation = independent CPAs who have examined org’s CRMP provide their opinion on description criteria and control criteria as presented by management
18
Q

Contents of a SOC for cybersecurity report:

A
  • Description of CRMP in line with agreed description criteria
  • Written assertion by management that – description is in line with these criteria and controls were effective in achieving cybersecurity objectives in line with controls criteria
  • Opinion from CPAs that – description by management is in line with description criteria and controls were effective in achieving cybersecurity objectives in line with controls criteria
  • Does not contain a detailed list of the tests carried out
19
Q

SOC 2:

A
  • Produced by service orgs who process transactions for user orgs
  • Describes the service org’s CRMP and the effectiveness of its controls when processing client’s data
20
Q

Key features of SOC 2:

A
  • Reports are intended for users to assess service org’s controls
  • Specific criteria applied to CRMP’s description and controls – criteria are reviewed by CPA who gives an opinion that provides reasonable assurance
  • Description criteria = types of services provided, systems used to provide them and boundaries of the system
  • Written assertion by the service org’s management that the description uses the SOC criteria and that controls were designed appropriately and were effective in achieving objectives
  • Unlike SOC for cybersecurity reports, there is no choice about the criteria used in SOC 2 - they must be the AICPA trust services criteria
21
Q

Contents of a SOC 2 report:

A
  • Description by service org’s management of CRMP used to process users’ data in line with applicable trust service criteria
  • Written assertion by management that description is in line with SOC 2 criteria and that controls were suitably designed and operating effectively
  • Opinion from CPAs that – description by management is in line with description criteria and controls were effective in achieving cybersecurity objectives in line with controls criteria
  • Detailed description of tests carried out by CPA and their results in reaching their opinion
22
Q

Availability of SOC for cybersecurity report and SOC 2 to stakeholders:

A
  • SOC for cybersecurity report is prepared for general distribution among all relevant stakeholders
  • SOC 2 is only available to individuals within the service org and those outside who possess suitable skills and experience to understand its contents
23
Q

What is decompilation?

A

Converting binary code into source code for the purposes of responding to a malware threat

24
Q

What is disassembly?

A

Converting binary code into assembly code for the purpose of responding to a malware threat

25
Q

BYOD Policies:

A

Policy that specifies the minimum standards of software security that an employee would need in order to use their own device at work