Chapter 11 - Implementing Policies to Mitigate Risks Flashcards

1
Q

Separation of duties

A

prevents any single person or entity from controlling all the functions of a critical or sensitive process by dividing tasks between employees. Helps prevent potential fraud such as a single person printing and signing checks

2
Q

Job rotation

A

a concept that has employees rotate through different jobs to learn the processes and procedures in each job; it helps prevent or expose dangerous shortcuts or even fraudulent activity. People would understand there is going to be some oversight if different people are rotating in and out of a certain role.

3
Q

Supply chain

A

includes all the elements required to produce and sell products and services, and your supply chain can become an attack vulnerability.

4
Q

Vendor diversity

A

policy that provides cybersecurity resilience. Using more than one vendor for the same supply reduces the organization’s risk if that vendor can no longer provide the product or service.

5
Q

EOL

A

End of life

Generally refers to the date when a product will no longer be available for sale, i.e. a product’s shelf life.

6
Q

EOSL

A

End of service life

indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.

7
Q

SLA

A

Service level agreement

An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Used when contracting services from service providers such as ISPs; many SLAs include a monetary penalty if the vendor cannot deliver.

8
Q

MOU

A

Memorandum of understanding

Sometimes called a memorandum of agreement (MOA), expresses an understanding between two or more parties indicating their intention to work together toward a common goal. Less formal than an SLA and does not include monetary penalties.

9
Q

BPA

A

Business partners agreement

A written agreement that details the relationship between business partners, including their obligations towards the partnership. Can help settle conflicts when they arise.

10
Q

MSA

A

Measurement systems analysis

Evaluates the processes and tools used to make measurements. Uses various methods to identify variations within a measurement process that can result in invalid results. A measurement system should produce the same values when measuring the same sample, otherwise it results in inaccurate data.

11
Q

Incident response process

A
  1. Preparation
    Occurs before an incident and provides guidance to personnel on how to respond to an incident, including establishing the incident response plan.
  2. Identification
    All events aren’t security incidents, so when a potential incident is reported, personnel take the time to verify it is an actual incident.
  3. Containment
    After identifying an incident, security personnel attempt to isolate or contain it and protect critical systems while maintaining business operations.
  4. Eradication
    After containing the incident, it’s often necessary to remove components from the attack, such as malware installed on systems. May need to delete or disable compromised accounts.
  5. Recovery
    Admins return all affected systems to normal operation and verify they are operating normally. Might include rebuilding systems from images, restoring data from backups, and installing updates. Also need to remove vulnerabilities.
  6. Lessons learned
    Security personnel perform a lessons learned review.

12
Q

SOAR

A

Security Orchestration, Automation and Response (SOAR) tools are used to respond to low-level security events automatically.

A SOAR platform is typically a combination of tools that can work together to detect and respond to suspicious activity.

13
Q

Playbooks and runbooks

A

A SOAR platform uses playbooks and runbooks. Playbooks provide general guidelines, and a runbook provides the technical detail to implement the playbook guidelines.

EX:
Playbook documents the steps of formal procedures to follow for well-known incidents.

A runbook would implement the guidelines documented in the playbooks using the available tools within the organization, e.g. implementing a rule to quarantine or delete a phishing email if it has discrepancies in its header.

14
Q

Chain of custody

A

Process that provides assurances that evidence has been controlled and appropriately handled after collection. Forensic experts establish a chain of custody when they first collect evidence to ensure the evidence presented in court is the same evidence the professionals collected.

The chain of custody documents who handled the evidence and when they handled it.

*A tag is placed on evidence items when they are identified.

15
Q

Legal hold

A

refers to a court order to maintain different types of data as evidence, e.g. a court ordering a company to maintain digital and paper documents for the past 3 years related to a case.

Data retention policies apply here: if a policy is in writing to delete emails older than 6 months, that is OK if admins are following it. But if they didn’t follow it and have emails from 2 years ago, those need to be maintained.

16
Q

Sequence of events

A

Forensic analysis seeks to determine the timeline of an event. Often uses interviews and event logs.

-Log entries include timestamps, which make it easy to determine exactly when an event occurred.
–> It’s essential to consider time offsets based on how timestamps are recorded. Many use Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC).

17
Q

Right to audit clause

A

Clause that customers often require from cloud service providers since most customers don’t know exactly where their cloud data is stored.

Allows a customer to hire an auditor to review the cloud provider’s records, and can help ensure CSP is implementing adequate security.

18
Q

Regulatory jurisdiction

A

Relates to laws a company must abide by - if in the EU for example a company would need to follow GDPR (General Data Protection Regulation) as well as any relevant data breach notification laws.

19
Q

Order of volatility

A

Refers to the order in which you should collect evidence: most volatile (i.e. least permanent) to least volatile.

  1. Cache
    In the cache memory including the processor cache and HD cache. Data in the cache is removed as new data is used.
  2. RAM
  3. Swap or pagefile
    A swap file is on the system disk drive and is an extension of RAM
  4. Disk
  5. Attached storage (such as USB drives)
  6. Network
    Servers and shared folders accessible by users, also used to store log files. These should have robust backup policies in place, making them the least volatile.

20
Q

Snapshots and artifacts

A

Snapshots are used by security experts to capture data for forensic analysis - lots of tools can capture snapshots of memory (including cache memory), disk contents, cloud-based storage and more.

Forensic artifacts are pieces of data on a device that regular users are unaware of, but digital forensic experts can identify and extract. They include:
-web history
-recycle bin
-windows error reporting
-RDP cache

21
Q

Forensic tools

A

CAPTURING DATA:

-dd command (data duplicator):
available in Linux, a disk imaging tool used for forensics

-memdump (memory dump):
open source tool to capture and extract memory contents and digital artifacts; can dump any addressable memory space to the terminal or redirect the output to a dump file

-WinHex:
Windows based hexadecimal editor used for evidence gathering, data analysis, editing, recovery of data and data removal

-FTK imager:
Part of the Forensic Toolkit (FTK) sold by AccessData; can capture an image of a disk as a single file or multiple files and save the image in various formats; you can also create images of individual folders or files

-Autopsy:
A GUI digital forensics platform allowing users to add CLI utilities from The Sleuth Kit (TSK); used in both Windows and Linux

22
Q

Provenance

A

refers to tracing something back to its origin. In digital forensics, hashes (checksums) allow you to prove the analyzed copy of data is the same as the original data, which is required if the file is to be admissible in court.

After using dd to create a disk copy, you can use a sha1sum command to create and compare hashes.

23
Q

eDiscovery

A

Electronic discovery is the identification and collection of electronically stored information: files of any kind, including VMs, social media entries, etc.

Also includes metadata:
-file
-email
-web
-mobile

24
Q

Data recovery

A

restoring lost data such as restoring a corrupt file from a backup; in forensics, even without backups it’s possible to recover data that a user has intentionally or accidentally deleted. Forensics experts have tools to undelete files and unformat drives.

25
Q

Impact assessment

A

Helps an org understand the value of data by considering the impact if it is lost or released to the public.

26
Q

Data governance

A

refers to the processes an organization uses to manage, process and protect data. Some methods help ensure or improve the quality of the data, others are driven by regulations; all need to ensure that critical data elements are identified.

-HIPAA
-GLBA (Gramm-Leach-Bliley)
Also known as the Financial Services Modernization Act; requires notifying users of the privacy policy.
-SOX (Sarbanes-Oxley)
Execs at companies have to take individual responsibility for financial reports.
-GDPR
EU law protecting PII and privacy of EU citizens regardless of the location of the org.
–> Mandates the use of privacy notices on websites as well.

27
Q

Data minimization

A

a principle requiring organizations to limit the information they collect and use

28
Q

Data masking

A

refers to modifying data to hide the original content, usually to protect sensitive information such as PII. The process retains usable data but converts it to inauthentic data.

Substitution is one method used in data masking, and data masking processes may go through several passes of substitution.

29
Q

Anonymization

A

Modifies data to protect privacy of individuals by removing all PII within a data set. The goal is to remove any data that can be traced back to an individual while maintaining other data within the dataset.

Can be useful for medical data and studying results without revealing PII.

30
Q

Pseudo-anonymization

A

Replaces PII and other data with pseudonyms or artificial identifiers. Appears anonymous to outsiders but anyone with the separate data matching the pseudonyms with the original data set can reverse the process and re-create the original data.

31
Q

Tokenization

A

Replaces sensitive data elements with a token, i.e. a substitute value used in place of the sensitive data. The tokenization system can convert the token back to its original form.

Used for credit cards at POS terminals. A phone passes credit card data to a tokenization system and requests a token; the system stores the token and the credit card data. When the user makes a charge, the phone app sends the token to the credit card processor, which then sends the token to the tokenization system to retrieve the credit card data and process the charge.

32
Q

Data sanitization

A

methods that ensure that data is removed or destroyed from any devices before disposing of the device. Methods include:

-file shredding
-wiping
-erasing and overwriting
-paper shredding
-burning
-pulping
-pulverizing
-degaussing
-third-party solutions

33
Q

Data owner

A

responsible for ensuring adequate security controls are in place to protect the data.

34
Q

Data controller

A

Determines why and how personal data should be processed.

35
Q

Data processor

A

Uses and manipulates the data on behalf of the data controller.

36
Q

Data custodian/steward

A

responsible for routine daily tasks, such as backing up the data

37
Q

Data protection officer

A

acts as an independent advocate for customer data
