CISSP Domain 1 Flashcards
Difference between least privilege and need to know
Least privilege is about the type of access rights granted - read, write
Need to know - access only to what is required
What are the 3 perspectives from which integrity can be examined?
Preventing modifications by unauthorised subjects
Preventing unauthorised modifications by authorised subjects
Data kept consistent both internally and externally
Availability concepts
Usability
Accessibility
Timeliness: low-latency response
What is authorization about?
Rights and privileges
Accountability is dependent on?
Tracking the activities of individuals
Defense in depth
Layering (serial) or parallel controls
Multiple controls in place
Abstraction
Simplifies security by enabling you to assign security controls, restrictions or permissions to a group of objects
Data hiding vs security through obscurity
Data hiding: intentionally positioning data so that it cannot be accessed by unauthorised users
Security through obscurity: hiding data in plain sight
What is the purpose of security governance?
Alignment of the security function with business strategy, goals, mission and objectives
What are the 3 types of plans developed by security management?
Strategic: long term - 5 years
Tactical: midterm - 1 year
Operational: product design, system deployment
What are the processes to be considered when evaluating a 3rd party?
On site assessment
Document exchange and review
Process/policy review
Third party audit
What is the role of the asset owner?
To classify assets
What is the role of the custodian?
Implementation of the prescribed security protection
6 key principles of COBIT?
Provide stakeholder value
Holistic approach
Dynamic Governance system
Governance distinct from management
Tailored to enterprise needs
End to end governance system
What is a security policy?
Defines the scope of security needed by the organization and discusses the assets needing protection
What is an AUP?
Defines the level of acceptable performance, behaviour and activity
Security standards?
Compulsory requirements for the homogeneous use of hardware
Baseline
Minimum level of security that every system must meet
Guidelines
Offer recommendations on how standards and baselines are to be implemented
SOP
Detailed step-by-step instructions to implement a security mechanism, control or solution
Threat modelling
Proactive: a measure applied during design and development
Reactive: applied after the product has been designed
How to identify threats? (focus areas)
Focused on assets
Focused on attackers
Focused on software
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
DoS
Elevation of privilege
Process for Attack Simulation and Threat Analysis (PASTA) - 7 steps
Definition of objectives
Definition of technical scope
Application decomposition and analysis
Threat analysis
Weakness and vulnerability analysis
Attack modelling and simulation
Risk analysis and management
Steps in threat modelling - 5
Identify threats
Determining and diagramming potential attacks
Perform reduction analysis
Prioritisation and response
What does diagramming potential attacks involve?
Creation of a diagram of the elements involved in a transaction along with data flows and privilege boundaries
What is the reduction analysis and decomposition process?
Gain a greater understanding of the logic of the product, its internal components, and its interactions with external elements
What are the 5 key concepts in the decomposition process?
Trust boundaries - where the level of trust or security changes
Data flow paths - movement of data between locations
Input points - locations where external input is received
Privileged operations - any activity that requires greater privileges than those of a user account
Details about security stance and approach
DREAD system to rate threats
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
What is the concept of supply chain?
Most computers, devices, networks, systems and cloud services are not built by a single entity
What is an SLR?
Service level requirement: a statement of the expectations of service and performance from the product or service of a vendor
Provided prior to the SLA, which should incorporate the above
Collusion in crime
When several people work together to perpetrate a crime
Purpose of mandatory vacation
Detect abuses, verify work tasks and privileges
Multiparty risk
Several entities or organisations are involved in a project
Outsourcing
Describes the use of an external third party such as a vendor or consultant
Privacy
Active prevention of unauthorised access to PII
Freedom from unauthorised access to info deemed personal or confidential
Freedom from being observed, monitored or examined without consent or knowledge
Primary goal of risk management
Reduce risk to an acceptable level
2 primary elements of risk management
Risk assessment: P x I (probability x impact)
Risk response: evaluating countermeasures, safeguards and security controls using cost/benefit analysis
Countermeasures vs safeguards
Both are protection mechanisms
Anything that removes or reduces a vulnerability or protects against one or more specific threats
Cyclic relationship of risk elements
Threats exploit vulnerabilities, which results in exposure.
Exposure is risk; risk is mitigated by safeguards, which protect assets, which are endangered by threats
Primary goal of risk analysis
Ensure cost-effective safeguards are applied
Risk management steps
Threat-based RA or asset-based RA
1. Asset valuation
2. Identify threats and vulnerabilities
3. Risk assessment/analysis
- Quantitative:
AV and threat identification
EF
SLE
ARO
ALE
Research countermeasures
Cost/benefit of countermeasures
- Qualitative: scenario based
Brainstorm
Delphi: anonymous feedback
Interviews
4. Risk response
- Reduction
- Transfer
- Deterrence
- Avoidance
- Acceptance
- Reject
6 major elements of quantitative RA
AV
EF
SLE
ARO
ALE
Perform cost/benefit analysis of countermeasures
Define exposure factor (aka loss potential)
Percentage of loss that an organisation would experience if a specific asset were violated by a realised risk
Risk appetite vs risk capacity vs risk tolerance vs risk limit
Risk appetite: total amount of risk that the organization is willing to shoulder in aggregate across all assets
Risk capacity: level of risk the organisation is able to shoulder
RA > RC
Risk tolerance: amount of risk that the organization will accept per individual asset-threat pair
Risk limit: maximum level of risk above the risk target that will be tolerated before further risk management actions are taken
Residual risk
Risk that remains where upper management has chosen not to implement a response
Total risk, inherent risk and residual risk
Total risk: no safeguards
Inherent risk: before security controls
Residual risk: after security controls
Total risk
Amount of risk an organisation would face if no safeguards were implemented
Threats x Vulnerabilities x Asset Value
Control gap
Total risk - residual risk
Control risk
Risk introduced by the introduction of countermeasures
ALE1 and ALE2 - safeguard evaluation to see if safeguards are cost effective
For each asset-threat pairing, an inventory of potential and available safeguards must be made
ALE1 - pre-safeguard
ALE2 - post-safeguard
Annual cost of the safeguard (ACS) and value of the safeguard to the company
(ALE1 - ALE2) - ACS = value of the safeguard to the company
If the result is negative, the safeguard is not a good choice
Cost/benefit analysis of safeguards - 3 elements
Pre-safeguard ALE for an asset-threat pairing (ALE1)
Potential post-safeguard ALE for an asset-threat pairing (ALE2)
ACS
Categories of security controls
Administrative (management controls):
Policy, procedure, hiring practices
Technical or logical: hardware or software mechanisms to manage access and provide protection for IT resources
Physical controls
Preventive controls
Thwart unwanted or unauthorised activity
Fences, locks, SoD, job rotation, DLP
Deterrent controls
Deployed to discourage security policy violations
CCTV, awareness
Detective controls
Discover or detect unwanted or unauthorised activity
Corrective controls
Modify the environment to return systems to normal after an unwanted or unauthorised activity has occurred
System reboot, IPS, backup and restore, antimalware solution
Recovery controls
Extension of corrective controls
Attempt to repair or restore resources after a security violation
BCP, DR, reciprocal agreements, cloud providers
Directive controls
Deployed to direct subjects, to force or encourage compliance with security policies
Guidance from a security guard, monitoring and supervision
Security control assessment
Ensure the effectiveness of security mechanisms, evaluate the thoroughness of the organization's risk management process, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure
EOL vs EOSL
EOL: manufacturer no longer produces the product.
Service and support may continue for a period of time after EOL
EOSL: systems that are no longer receiving updates and support from the vendor
Risk management framework (RMF)
Prepare: process initiation
Categorize
Select
Implement: controls
Assess
Authorize
Monitor
Two primary forms of social engineering
Convincing someone to perform an unauthorised operation
Convincing someone to reveal confidential information
Social engineering principles
Authority
Intimidation
Consensus: social proof, or following the herd
Scarcity
Familiarity
Trust
Eliciting information
Research method used to craft a more effective pretext
Pretext - a false statement crafted to sound believable
Prepending in email
Adding RE: or FW: in front of a message to make it look genuine
It can fool spam filters
Drive-by download
Installs itself without the user's knowledge
Takes advantage of a web browser or plug-in vulnerability
How can you stop shoulder surfing?
Dividing worker groups by sensitivity level and limiting access to certain areas of the building by using locked doors
Invoice scam and protection
Attempts to steal funds by providing a false invoice
Protection: proper file-sharing mechanism
Impersonation vs masquerading
Identity theft and identity fraud are also related to impersonation. Impersonation is the act of taking on someone's identity. This might be accomplished by logging into their account with stolen credentials or claiming to be someone else when on the phone.
Masquerading - an amateurish form of impersonation
Tailgating vs piggybacking
Tailgating - an unauthorised person gains entry under the authorisation of a valid worker, without that worker's knowledge
Piggybacking - tricking the victim into providing consent
Typosquatting
User is redirected to a fake website after making a typo
Difference between awareness, training and education
Awareness - baseline for understanding
Training - brings about change
Education - certification
Difference between BCP and DR?
BCP - strategic, focused at a high level and centred around business processes and operations
DR - tactical, describes technical details such as recovery sites, backups and fault tolerance
4 main steps of BCP
Project scope and planning
BIA
Continuity planning
Approval and implementation
Project scope and planning
Organization review
- Identify core departments
- Critical support services to keep systems up
BCP team selection
Resource requirements
- BCP development
- BCP testing, training and maintenance
- BCP implementation
Legal and regulatory requirements
BIA
Identifies the business processes and tasks that are critical to an organisation
Impact assessment
1. Quantitative impact assessment
- AV
- MTD or MTO - RTO
- RPO
2. Qualitative impact assessment
Identifying priorities
Create a comprehensive list of critical business functions and rank them in order of importance
Risk identification - purely qualitative
- Natural
- Man-made
Likelihood assessment
ARO for the risks
Impact analysis
EF
SLE
ALE
Resource prioritisation
Risks to be prioritised and addressed based on ALE
Merge both quantitative and qualitative risks
Continuity planning - 2 primary subtasks
Develop continuity strategy
1. Strategy development
Implementation of a zero-downtime posture
Risks to be accepted or mitigated, decided based on MTD
2. Provisions and processes
Meat of the BCP
Designs the procedures and mechanisms that will mitigate the risks deemed unacceptable during strategy development
Three categories to be protected
People
Buildings and facilities - hardening and alternate sites
Infrastructure - hardening and alternate sites
Plan approval and implementation
Plan approval
Plan implementation - implementation and deployment of resources
Training and education
BCP documentation:
Continuity planning goals
- Statement of importance: addresses employees on why the BCP is needed
- Statement of priorities
- Statement of organisational responsibility
- Statement of urgency and timing
- Risk assessment
- Risk acceptance/mitigation
- Vital records program: where critical records and backups will be stored
- Emergency response guidelines
- Maintenance
- Testing and exercises
Civil law
Governs matters that are not crimes
The difference between civil and criminal law is how it is enforced
- Government, through enforcement authorities, does not get involved in civil law
Administrative law
Immigration policies
Intellectual property
Intangible assets
Copyright
Expression of ideas
Protection against unauthorised duplication
Trademark
Avoid confusion
Words, slogan and logos
Patents
IP rights of inventors
3 main requirements:
- Invention must be new
- Invention must be useful
- Invention must not be obvious
Trade secrets
IP that is absolutely critical to the business and could cause damage if disclosed
Material eligible for patent or copyright can instead be protected as a trade secret, because patent/copyright protection:
- Removes secrecy
- Lasts only for a limited period of time
Licensing types
Contractual: written agreement between vendor and customer
Shrink wrap: agreement written on the outside of the software package
Click-through: acknowledged with a click in the browser
Cloud services: same as click-through
Import/export
Transborder data flow of IP, PII and new technology
Key provision of GDPR
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation: Right to be forgotten
Security
Accountability
4 actions of project scope and planning
Structured analysis of organisation
Creation of BCP team
Assessment of available resources
Analysis of legal and regulatory landscape
Risk acceptance
Taking no action and accepting the risk
IAAAA
Identification: claiming to be an identity when attempting to access a secured area or system.
Authentication: proving that you are that claimed identity.
Authorization: defining the permissions (i.e., allow/grant and/or deny) of a resource and object access for a specific identity or subject.
Auditing: recording a log of the events and activities related to the system and subjects.
Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy.
SLR
An SLR is a statement of the expectations of service and performance from the product or service of a vendor. Often, an SLR is provided by the customer/client prior to the establishment of the SLA (which should incorporate the elements of the SLR if the vendor expects the customer to sign the agreement).
What is a security control assessment and its goal?
A security control assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.