D1: Security & Risk Management Flashcards
D1 from example test simulators keywords
NDA
Non Disclosure Agreement; restricts dissemination of information; Compelling parties to not reveal information to others; Keeping secrets;
NCA
Non Compete Agreement; relates to employment with competition; Work restrictions; Agreement not to enter into or start a similar line of work in competition against another party;
AUP
Authorized Use Policy; warns employees about proper use of organizational assets; Allows for firing employee for misuse;
Exit Interview
Useful for discovering serious problems that might not be otherwise disclosed;
Education
Providing fundamental knowledge & definitions
Training
Providing tactical knowledge necessary for a job or task
Awareness
Imparting sensitivity or importance to a topic/issue to all personnel
Indoctrination
Incorporating an individual or group into the culture of the larger organization
CEO
Chief Executive Officer; Responsible for overall organization and its mission
CIO
Chief Information Officer; Responsible for aligning information & technical strategies; Most senior official in an organization responsible for IT & Systems that support enterprise; Senior Technology official;
CPO
Chief Policy Officer; Responsible for ensuring that there is compliance with org and regulatory privacy rules
CISO
Chief Information Security Officer; Responsible for monitoring & analyzing risk information associated with data protection
CSO
Chief Security Officer; Responsible for physical & technical security of the org's assets; Responsible for development, oversight, mitigation, & other risk strategies; Senior most security official;
CTO
Chief Technology Officer; Chooses technology & scientific items; Executive person tasked with identifying useful technology, IT strategies, & partnerships;
ISSO
Information Systems Security Officer; Organizational role charged with developing, implementing, testing, & reviewing IT security;
Risk Management Categorize
Related to assigning a security role to an IT system
Risk Management Select
Identifies the appropriate measures needed to reduce risk satisfactorily
Risk Management Implement
Regards enacting the selected security controls
Risk Management Assess
Involves an independent assessor to test the controls
Risk Management Authorize
Take the risk assessment and make a risk determination
Risk Management Monitor
Relates to ongoing review & updating of controls and security status
Opportunity Cost
Next best use for funds
Depreciated Cost
Reflects wear, tear, and evaluation over time
Replacement Cost
Current expenditure to gain an identical item
Purchase Cost
Original cost
Code of Regulations
Administrative law is published here
Constitution
Provides for information about interpretation of laws
NIST
National Institute of Standards & Technology; Publishes Special Publications, but NO laws; Publishes recommendations and standards, many related to IT security; Government standards body;
United States Code
Laws enacted by Congress published here
Accept Risk
Accept with knowledge of risk.
Avoid Risk
Change course or cancelling a project.
Deter Risk
Pursue the threat actor.
Mitigate Risk
Addressing risk and its factors. Try to reduce/prevent risk.
Transfer Risk
Assign risk to another party, insurance.
Ignore Risk
Move ahead without knowledge of the risk. NEVER an appropriate response.
Copyright
Legal right for creator of original work
Trademark
Recognized signs or expressions to identify product or service;
Patent
Intellectual property rights to a product/process for a limited period of time; protect innovative product/process; Exclusive rights to product/process;
Trade Secret
Formula, process, or design that is generally not known by others and has a viable commercial use; Guarded info not disclosed to the world;
DRM
Digital Rights Management; Systematized access control for digital media; Encrypted PDFs; Access control technology for restricting the use of proprietary hardware & copyrighted works;
Wassenaar
Covers conventional arms sales and controls.
Economic Espionage Act
Criminalized stealing trade secrets
GDPR
General Data Protection Regulation; European law endorsed by the US that handles privacy issues; Enforced by Department of Commerce; International data privacy regulation;
FISMA
Federal Information Security Management Act; Handles risk management in the US government; US requirements for data security within federal orgs; Requires each federal agency to develop, document, & implement an agency-wide program to provide information security; Uses RMF
PCI
Payment Card Industry; Self-regulation for banking cards
Data Owner
Party that collects & is responsible for the information
Data Subject
The person/thing referred to by data;
Data Processor
Group/organization responsible for manipulation & computations with the data w/in their systems;
Data Custodian
Manages the information systems that perform processing; has physical control & server control; Facilitates use;
ISO 27000
Information system management system standards are a flexible set of standards and practices to manage security risks in an org.
NIST RMF
National Institute of Science & Technology Risk Management Framework; Government created set of guides to manage and control risk
COSO
Committee of Sponsoring Organizations is an initiative to combat organizational fraud; Preventing fraud and abuse; dedicated to guiding managers & government w/ regard to ethics, controls, & risk mgmt.;
COBIT
Control Objectives for Information and Related Technologies; A best-practice security framework from ISACA
AGILE
Software development methodology; Emphasizes customer involvement & simple deliverables; Expects continual refinement of requirements, capabilities, & features through the dev process;
Directive Security Control
Rules promulgated by management; EX] Policy, NDA, Exit Signs, Need to know policy;
Deterrent Security Control
Affect threat agents; EX] Guards, cameras, Logon banner with warning;
Preventative Security Control
Stop an active attack; EX] Walls, fence, Biometric doorway control;
Compensating Security Control
Take over for another function/measure while a threat is active; EX] RAID array;
Detective Security Control
Only identify and do not stop threats; EX] Motion detector, dogs, logs & audits;
Corrective Security Control
Implemented after a threat has manifested; EX] IPS, Fire Suppression;
Recovery Security Control
Restores operations to the way they were; EX] Backups, DRP, cloud-based backup;
STRIDE Threat Modeling
Created by Microsoft; Spoofing, Tampering, Repudiation, Information Disclosure, DOS, Elevation of Privilege; Initially created as part of the process of Threat Modeling;
VAST Threat Modeling
Visual Agile & Simple Threat modeling; promotes its use across the entire infrastructure & the SDLC
ISA
Interconnection Service Agreement; Defines VPNs; Agreed-upon measures, settings & protocols taken by two orgs to facilitate communication;
OLA
Operating Level Agreement
MOU
Memorandum of Understanding; Provides refinement of duties and responsibilities; Provides terms & details necessary for two parties to work together;
MOA
Memorandum of Agreement; Achieving consensus toward a common goal; Document describing cooperative work to be taken together by two parties toward an objective;
SLA
Service Level Agreement; Contractual guarantee of performance; A promise; An agreement on the characteristics of quality and performance between two parties;
MSA
Master Services Agreement
MTD
Maximum Tolerable Downtime; Beginning of a disaster; Estimated time until catastrophic damage to an org has occurred;
MTBF
Mean Time Between Failures; The average failure rate; Estimation as to how often serious errors occur, typically measured in thousands of hours; Predicted elapsed time between failures of a mechanical or electronic system; Hardware reliability;
MTTR
Mean Time to Recovery (Repair); How long a system can take to recover from a failure; Time needed to fix something; Standard recovery statistic indicating swiftness of DRP responses; Restoration average; Time it will take to regain functionality;
MTPD
Maximum Tolerable Period of Disruption; Identifies the point at which services must be restored or irrevocably damage the business;
RPO
Recovery Point Objective; What data must be available upon restoration & defines acceptable loss; Maximum # of transactions lost; # of transactions or quality of data that can be acceptably lost; Targeted maximum loss quantity;
RTO
Recovery Time Objective; When data must be available; Maximum amount of time lost; Maximum amount of time allowed for an outage;
MITM
Man-in-the-Middle; An attacker insinuates itself between client and server, observing or modifying communications; Intercepting and changing;
GDPR Lawful
Data must be legal to possess;
GDPR Purpose
Must have purpose for possessing the information;
GDPR Minimal
Data can only be retained as long as necessary;
GDPR Accuracy
Data must be as accurate as possible;
GDPR Storage Limitation
Only the information necessary for its purposes should be retained;
GDPR Integrity & Confidentiality
Must take measures to ensure integrity & confidentiality;
PCI DSS
Payment Card Industry Data Security Standard; Credit Card industry established to ensure regulated control & consumer confidence;
WIPO
World Intellectual Property Organization; Promotes the protection of intellectual property; United Nations agency that oversees international trademarks & patents;
GLBA
Gramm-Leach-Bliley Financial Services Modernization Act; Involves privacy concerns with financial institutions; Requires financial orgs to protect customer data and to disclose how this is done; Provide each consumer with a privacy notice at the time the consumer relationship starts; Financial rules overhaul;
SOX
Sarbanes-Oxley; Financial accountability; Implements criminal penalties for incorrect reporting of losses or liabilities; Requirements for US companies & mgmt. to provide accurate information;
COPPA
Federal Children’s Online Privacy Protection Act. Applies to collection of info/accounts for children < 13yo; AKA: CaliOPPA
HIPAA
Health Insurance Portability & Accountability Act; Medical security; Requires proper encryption of data transmission & storage as well as secure disposal; US law designed to protect the privacy of patient information;
PII
Personally Identifiable Information; EX] DL#, SSN, Credit Card #; Unique identifier; data or pieces of data used to uniquely correspond to or identify one individual and requires special handling;
PHI
Personal Health Information; Info within an EMR; Sensitive info regarding health of individual;
PIPEDA
Personal Information Protection & Electronic Documents Act; Canadian law involving privacy; Canadian PII;
Baselines
Required minimum levels of protection and performance that must be met
Guidelines
Recommended settings or levels and are considered optional
Standards
Security practices based on industry or governmental documents. Mandates steps to follow
Procedures
Step-By-Step instructions. Repeatable, Detailed.
Policies
High level written
NIST SP 800-30
9 steps: System characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, recommend controls, & results documentation;
Due Care
Requires an organization to act and enforce security mechanisms put into place; Being careful; Legal standard
Due Diligence
Demonstrating that the organization is following its own policies; verifying work, researching, being forewarned & prepared;
Prudent Man
Relates to taking appropriate responsibility for actions; Test for activities in the protection of assets, considering what a careful & responsible person would do;
Preponderance of Guilt
In civil litigation it is only necessary for a preponderance of guilt to be believed;
Compliance
Adherence to external mandates
Audits
Tools, processes, & activities used to perform compliance reviews;
Virus
Attaches itself to programs in order to replicate; Most common; Copies itself; Requires interaction from user;
Backdoor
Privileged access to software or a system;
Worm
Replicates independently to infect systems; Fastest; Attacks the OS; No user interaction is needed;
Trojan Horse
Appears to provide a valid service hiding its malicious nature; Commonly downloaded; Introduced to system by misdirection or trust
Logic Bomb
Set to happen based on certain events; Typically date & time; Launches malicious activity when predetermined conditions are met/triggered;
Spyware/Adware
Secretly installed; Collects info about user; plays, displays, or downloads w/o consent; designed to spy on system activity;
Rootkit
Capable of hiding user files and processes; Maliciously disguises or blocks observation of malware;
Polymorphic
Constantly re-factoring code to evade detection by signatures
Macro
Capable of attacking multiple operating systems
Bipartite
A multimodal virus that may infect boot sectors and executable files
Boot Sector
Attacks an operating system prior to the kernel being loaded
Risk Formula
Risk = Threat * Vulnerability; sometimes risk = threat * value * vulnerability
RMF Authorize
Based upon a determination of risk by independent parties
Dynamic Policy
Is one that can be implemented and changed from a central location as needed;
1st Amendment
Freedom of speech
4th Amendment
Search & seizures
Accountability
Holding individuals responsible for their actions
Availability
refers to providing data when and where a user requires access
Non-Repudiation
refers to the characteristic of data where the user cannot deny they performed their actions on the data;
Authenticity
Data which can be described as not corrupted, or genuine;
CSS / XSS
Cross Site Scripting; Users inserting JavaScript into a URL or blog page to force unwanted actions by other users; Sends unwanted code to clients; Web Application attack; Malicious user using script input to steal info from other users;
Session Hijacking
Allowing another user to login and then seizing control;
SQL Injection
Using web front end to implement database actions on the backend; Insertion of DB commands by client that cause unwanted server actions.
Privilege Escalation
The surfing of authority in order to gain additional access;
CSRF / XSRF
Cross-Site Request Forgery; Devising a webpage that bounces commands off an unwary client to an unsecured site to force a transaction; Attack wherein a message is spoofed from a user to a trusted site; Web application attack; Iframes & server flaws that allow an illicit fake message to be processed;
Buffer Overflow
The insertion of assembler-level commands into the input data stream by exploiting a boundary error; Corrupting the memory of a host by causing a large amount of data to be inserted in the stack/heap; Large amounts of data cause other instructions to be overwritten; Causes DoS or complete takeover.
What do Privacy Laws protect
Customers data, Employees data, & Employee rights
What is the purpose of a BIA
Determine the impact to business operations of disruptions
Countermeasures
Reactive controls to mitigate or correct an incident
Safeguards
Proactive controls to mitigate or correct an incident
Responses
Actions after an incident has occurred
Exposures
How vulnerable are systems to threats
Qualitative Assessments
Use non-numerical levels or categories, and Expert or best judgement
Quantitative Assessments
Use consistent numerical values, Financial performance measurements
DRP
Disaster Recovery Plan; An immediate plan to cope with disasters & problems; aid in recovery from short-term issues
Change Management Policy
Dictates how and when changes are made to a system; enforces accountability and create an audit trail of modifications;
AIC
Another way of saying CIA; Availability, Integrity, and Confidentiality; Primary security goals; Having a system that is able to be accessed, accurate with its info and maintain proper access controls;
ARO
Annualized Rate of Occurrence; Frequency with which an attack occurs; Number of attacks per year; Total # of expected successful attacks on an annual basis;
EMI
Electromagnetic Interference; Threat to copper-based media
ESP
Encapsulating Security Payload; Protocol to encrypt IPsec payloads
EF
Exposure Factor; Percentage of an asset lost from a single attack; Indicates value loss from one attack; Assessed damage level;
SPIM
Spam over Internet Messaging; Unwanted messages; Chat messages delivered as a hoax to induce purchase;
SPIT
Spam over Internet Telephony; Use of SMS to deliver unwanted messages;
Pivot
Gaining control of one application or host in order to manipulate a secondary target; Staging a new attack;
MITM
Man in the Middle; Between Client and Server; An attack wherein a node listens to and takes over a conversation by insinuating itself into the stream of communication;
BO
Buffer Overflow; The insertion of malicious computer instructions into the RAM of a host to accomplish a DoS or injecting shellcode;
Brute Force
Discovers a hash or encrypted secret by attempting all combinations and permutations; Always works if time is not a factor;
ALE
Annualized Loss Expectancy: SLE * ARO; hint: SLEAROoooo -> Drunk at a bar with ALE; Total annual damage;
APT
Advanced Persistent Threat; Highly targeted threat; Full-featured exploit designed to attack a specific target, commonly assembled by teams of attackers to achieve a particular goal;
BIA
Business Impact Analysis: Impact estimate; Prerequisite for disaster recovery and continuity planning to identify potential losses;
BPA
Business Partners Agreement: Outlines the goals and responsibilities between entities pursuing a common work product; Cooperation and partnership;
CERT
Computer Emergency Response Team; IT First responders; A multi-discipline group designated to handle IT incidents;
CIRT
Computer Incident Response Team: A group that investigates & resolves IT security problems; Handles breaches;
DBA
Database Administrator; Creates & maintains large data repositories; Personnel capable of managing automated and large information repositories;
DDoS
Distributed Denial of Service; Attack methodology involves a multitude of remotely controlled devices focusing upon a single target; Mass attack; Attacker leverages thousands/millions of zombies/bots to degrade a victim;
DEP
Data Execution Prevention; Stops buffer overflows; An operating system memory management technique that prevents user data from overlapping into computer instructions;
DoS
Denial of Service; Stopping operation; A one-on-one attack that causes access or utility to cease; A single attacker seeks to make a resource unavailable;
MSP
Managed Service Provider; Handle specific applications of IT; Specialty provider of IT services management contracted by a client;
POODLE
Padding Oracle on Downgrade Legacy Encryption; An attack technique that could support confidentiality in SSL connection; Decryption threat;
RAT
Remote Access Trojan; Backdoor placement; Software that implements illicit remote control software;
ROI
Return on Investment; Cost divided by expense; Primary metric to be used when evaluating whether something is worth the time, effort, or cost;
RMF
Risk Management Framework; NIST created framework; Paradigm that was promulgated by the US government;
SCAP
Security Content Automation Protocol; Security Automation; Framework promoted by US govt to create open standards for automation of information assurance;
SEH
Structured Exception Handler; Memory Corruption; facility within windows that identifies memory corruption and contingencies;
SLE
Single Loss Expectancy; Damage from one incident; The value of an asset multiplied by the exposure factor (EF); One time cost;
AV
Asset Value; Cost of an asset; The value of an asset or its repair cost as measured in risk formulas;
BSI
British Standards Institute; Engineering Standards; US engineering groups that defines various terms and standards;
CBK
Common Body of Knowledge; ISC2 goals; Collection of topics related to information security professionals;
CC
Common Criteria; Framework in which computer system users can specify their security functional & assurance requirements (SFRs & SARs respectively) in a security target (ST) & may be taken from Protection Profiles (PPs);
CSF
Critical Success Factor; Important results; Necessary for an organization or project to achieve its mission;
CVE
Common Vulnerabilities & Exposures; List of software flaws that is published by Mitre to act as a dictionary of known issues; Vulnerability list;
DoDAF
Department of Defense Architecture Framework; Overview & details aimed to specific stakeholders; Provides visualization infrastructure for specific stakeholders concerns through viewpoints organized by various views;
DPA
Data Protection Act; Provision about the processing of personal data; UK law that complements the GDPR;
GDPR
General Data Protection Regulation; European Union’s;
DSS
Decision Support Systems; Planning and organizational tool;
EULA
End-user Licensing Agreement; Terms of use; type of software agreement;
FIPS
Federal Information Processing Standard; Federal requirements; Openly announced standards developed by the US Govt for use in computer systems or network;
HSPD
Homeland Security Presidential Directive; Presidential commands; Issued by presidents involving foreign, military, & domestic policies;
IA
Information Assurance; Securing computers & other information; The org's function associated with assessing & managing risk so as to reduce it to an acceptable level;
IAB
Internet Architecture Board; Architectural oversight of the IETF; Seeks to improve the Internet by providing high-quality technical documents & guidance on the way the Internet is used and managed;
IAM
Information Assurance Management; In charge of IT; Management personnel associated with defense of IT resources;
IAM
Identity & Access Management; Granting or blocking access; An organizational function associated with creating & managing digital identities;
IAT
Information Assurance Technical; Hands on IT security; Technical person associated with the defense of IT resources;
IEC
International Electrotechnical Commission; Electrical & electronic standards; Covers vast range of technologies from power generation, transmission, & distribution to home appliance and office equipment;
IP
Intellectual Property; Proprietary stuff; Plans, designs, creative works of human thought that have value;
ISMS
Information Security Management Systems; Standards body; Cohesive set of policies, plans, & procedures for an org;
ITIL
Information Technology Infrastructure Library; Linking business & technology; groups of practices for IT service mgmt. that focuses on creating synergy between IT services & business requirements;
ITSEC
Information Technology Security Evaluation Criteria; Security evaluation; Organized set of criteria for evaluating computer security within products & systems;
IV&V
Independent Verification & Validation; Objective assurance; Ensuring a product, service, or system meets specified requirements and designs;
KEDB
Known-Error Database; Compendium of problems with solutions; Collection of problems that are successfully diagnosed & which either a work around or a perm solution has been determined;
KMS
Key Management Server; Licensing; Provide software activation through a central system to handle compliance;
MDC
Modification Detection Codes; Hashing; Mathematical algorithm designed to create message digest that can be used to indicate when a message has been altered;
OEM
Original Equipment Manufacturer; An org/company that manufactures parts & components that may be marketed by other companies; “Third-party products”;
PDCA
Plan-Do-Check-Act; Continuous improvement; Iterative four step management system designed to facilitate control & improvement;
PP
Protection Profile; Certification document; Element of the CC that specifies evaluation criteria to validate the security claims of a product;
SABSA
Sherwood Applied Business Security Architecture: Security framework; Methodology for enterprise architecture & management of security services;
TCSEC
Trusted Computer System Evaluation Criteria; Standard IT security verification; US DoD standard for assessing the effectiveness of computer security;
TOC/TOU
Time of check/Time of use; Problem with race condition vulnerability; Problematic period of time between the time at which a resource is set or known and the time at which it is ultimately used;
TOE
Target of Evaluation; Item being inspected; System or application that is being subjected to detailed examination & analysis for security features;
TOGAF
The Open Group Architecture Framework; Enterprise architecture for design, planning, implementing, & governing IT; Four level framework for modeling the business, application, data, & technology;