Domain 1 Flashcards

1
Q

Due Diligence

A

Practicing the activities that maintain the due care effort

Think before you act

2
Q

Due Care

A

Doing what a reasonable person would do in a given situation. “Prudent man” rule

Actions speak louder than words

3
Q

CIA Triad

A

Confidentiality
Integrity
Availability

4
Q

Confidentiality

A

Access controls help ensure that only authorized subjects can access objects

5
Q

Integrity

A

Ensures data or system configuration is not modified without authorization

6
Q

Availability

A

Authorized requests for objects must be granted to subjects within a reasonable amount of time (uninterrupted access)

7
Q

ISC2 Code of Ethics

A
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession
8
Q

Security Policy Development

A

Hierarchy, read from the bottom up:
Security Procedures
- Detailed step-by-step instructions
Security Guidelines
- Offer recommendations (not mandatory)
Security Baselines
- Define "minimum levels" of security
Security Standards
- Compulsory requirements for hardware, software and behavior
Security Policy / Acceptable Use Policy
- The policy assigns roles and responsibilities; the AUP defines acceptable use and expected behavior

9
Q

Risk Categories
Damage

A

Results in physical loss of an asset or the inability to access that asset

10
Q

Risk Categories
Disclosure

A

Critical information disclosed, regardless of where or how it was disclosed

11
Q

Risk Categories
Losses

A

Permanent or temporary, including altered or inaccessible data

12
Q

Risk Factors
Physical Damage

A

Natural disaster, power loss, vandalism

13
Q

Risk Factors
Malfunctions

A

Failure of systems, networks, or peripherals

14
Q

Risk Factors
Attacks

A

Purposeful acts

15
Q

Risk Factors
Human Errors

A

Accidental incidents

16
Q

Risk Factors
Application Errors

A

Failures of applications, including the OS

17
Q

Security Planning
Strategic

A

Long term (~5-year horizon), updated annually; includes the risk assessment

18
Q

Security Planning
Tactical

A

Mid-term, about 1 year

19
Q

Security Planning
Operational

A

Short term, monthly / quarterly

20
Q

Response to Risk
Acceptance

A

Do nothing, accept risk and potential loss

21
Q

Response to Risk
Mitigation

A

Implement a countermeasure and accept the residual risk

22
Q

Response to Risk
Assignment

A

Transfer to 3rd party (insurance)

23
Q

Response to Risk
Avoidance

A

Choose an alternative with less risk; used when the cost to mitigate or accept the risk exceeds the benefit of the service

24
Q

Response to Risk
Deterrence

A

Implement measures that discourage would-be violators of policy

25
Q

Response to Risk
Rejection

A

Denying or ignoring a risk; an unacceptable response

26
Q

Risk Management Framework
NIST 800-37

A
  1. Prepare
  2. Categorize info systems
  3. Select security controls
  4. Implement security controls
  5. Assess security controls
  6. Authorize the system
  7. Monitor security controls

People Can See I Am Always Monitoring

27
Q

Types of Risk
Residual

A

Risk that remains with all safeguards in place
- Management chose to accept it rather than mitigate further
After (controls)

28
Q

Types of Risk
Inherent

A

Risk that exists in the absence of controls, before any safeguard is applied
- Not yet reduced by any management action
Before (controls)

29
Q

Types of Risk
Total

A

Risk if no safeguards were in place
Without (controls)

Total Risk = Threats * Vulnerabilities * Asset Value
30
Q

Formula
Risk

A

Risk = Threat * Vuln

31
Q

Quantitative Risk Analysis
(6 Steps)

A
  1. Inventory assets and assign value (AV)
  2. Identify threats: research each asset and list all possible threats (EF, SLE)
  3. Perform threat analysis: calculate the chance that each threat is realized in a single year (ARO)
  4. Estimate potential loss: calculate the annual loss expectancy (ALE)
  5. Research countermeasures for each threat, then calculate the changes to ARO and ALE
  6. Perform a cost/benefit analysis for each safeguard -> threat -> asset
32
Q

Qualitative Risk Analysis
Delphi Technique

A

Anonymous feedback / response process

33
Q

Qualitative Risk Analysis
Loss Potential

A

What would be lost

34
Q

Qualitative Risk Analysis
Delayed Loss

A

Amount of loss that can occur over time, after the initial loss

35
Q

Exposure Factor (EF)

A

% of loss that an org faces if a specific asset were violated by a related risk

36
Q

Single Loss Expectancy (SLE)

A

the cost associated with a single related risk against a specific asset

SLE = Asset Value * Exposure Factor
SLE = AV * EF
37
Q

Annualized Rate of Occurrence (ARO)

A

Expected frequency with which a specific threat or risk is realized in a single year

38
Q

Annualized Loss Expectancy (ALE)

A

possible yearly cost of all instances of a specific realized threat against a specific asset

ALE = Single Loss Expectancy * Annualized Rate of Occurrence
ALE = SLE * ARO
39
Q

Formula
Safeguard Evaluation

A

ALE1 = ALE before safeguard
ALE2 = ALE after safeguard
ACS = Annualized Cost of Safeguard

Value of Safeguard = ALE1 - ALE2 - ACS
40
Q

Formula
Controls Gap

A
Residual Risk = Total Risk - Controls Gap
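The six quantitative steps and the formula cards (SLE, ALE, safeguard value, controls gap) are easier to hold together when they are run end to end. The following is an added worked example, not part of the original flashcards; the asset value, exposure factors, occurrence rates and safeguard costs are constructed numbers, and the function and safeguard names are assumptions made for illustration.

```python
"""Worked quantitative risk analysis: SLE, ALE, safeguard value, controls gap.

Added example, not part of the original flashcards. All asset values,
exposure factors, rates and safeguard costs below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # Exposure Factor: fraction of asset value lost per occurrence
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float        # Annualized Cost of Safeguard
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # occurrence rate once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = AV * EF."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    return sle(av, ef) * aro


def safeguard_value(ale_before: float, ale_after: float, acs: float) -> float:
    """Value of Safeguard = ALE1 - ALE2 - ACS; positive means worth buying."""
    return ale_before - ale_after - acs


def controls_gap(total_risk: float, residual_risk: float) -> float:
    """Controls gap = risk the safeguard removes (total risk - residual risk)."""
    return total_risk - residual_risk


def evaluate(av: float, threat: Threat,
             options: List[Safeguard]) -> List[Tuple[str, float, float]]:
    """Steps 5 and 6: recompute ALE under each safeguard and rank by net value.

    Returns (safeguard name, residual ALE, value of safeguard), best first.
    """
    ale1 = ale(av, threat.ef, threat.aro)
    rows = []
    for sg in options:
        ale2 = ale(av, sg.ef_after, sg.aro_after)
        rows.append((sg.name, ale2, safeguard_value(ale1, ale2, sg.acs)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def recommend(av: float, threat: Threat,
              options: List[Safeguard]) -> Optional[str]:
    """Pick the highest-value safeguard; None means accept the risk as-is."""
    ranked = evaluate(av, threat, options)
    if not ranked or ranked[0][2] <= 0:
        return None
    return ranked[0][0]


# Constructed scenario (assumption): a file server valued at 200,000 facing
# ransomware that destroys 60% of its value about once every two years.
AV = 200_000.0
RANSOMWARE = Threat("ransomware", ef=0.6, aro=0.5)
OPTIONS = [
    Safeguard("offline backups", acs=15_000, ef_after=0.1, aro_after=0.5),
    Safeguard("endpoint detection", acs=30_000, ef_after=0.6, aro_after=0.2),
    Safeguard("full platform rebuild", acs=70_000, ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    ale1 = ale(AV, RANSOMWARE.ef, RANSOMWARE.aro)
    print(f"SLE={sle(AV, RANSOMWARE.ef):,.0f}  ALE1={ale1:,.0f}")
    for name, ale2, value in evaluate(AV, RANSOMWARE, OPTIONS):
        gap = controls_gap(ale1, ale2)
        print(f"{name:24s} ALE2={ale2:>9,.0f} gap={gap:>9,.0f} value={value:>9,.0f}")
    print("recommend:", recommend(AV, RANSOMWARE, OPTIONS))
```

With these numbers the backups win (ALE1 60,000, ALE2 10,000, ACS 15,000, value 35,000) even though the rebuild drives residual ALE to zero, because its annual cost exceeds the loss it prevents; a negative safeguard value is the signal to accept the risk rather than spend.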
41
Q

Supply Chain Eval

A
  • On-site assessment
  • Document exchange and review
  • Process / policy review
  • Third-party audit
42
Q

Threat Modeling (General Approaches)

A

Proactive (during design) or reactive (after deployment)
Focus on:
- Assets: use asset valuation to identify threats to each asset
- Attackers: identify attackers and the threats implied by their goals
- Software: identify potential threats against the software itself

43
Q

Threat Modeling
STRIDE by Microsoft

A

Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege

44
Q

Threat Modeling
PASTA

A

Process for Attack Simulation and Threat Analysis; risk-centric, selects countermeasures based on asset value
1. Define objectives
2. Define technical scope
3. Application decomposition and analysis
4. Threat analysis
5. Weakness and vulnerability analysis
6. Attack modeling and simulation
7. Risk analysis and management

45
Q

Threat Modeling
VAST

A

Based on Agile development; Visual, Agile, and Simple Threat modeling
Visual
Agile
Simple
Threat

46
Q

Threat Modeling
DREAD

A

Rates each threat by answering five questions:
Damage Potential
Reproducibility
Exploitability
Affected Users
Discoverability

47
Q

Threat Modeling
TRIKE

A

Focuses on acceptable risk
- Open-source threat modeling methodology that implements a requirements model
- Assigns a level of risk to each asset that is "acceptable" to stakeholders

48
Q

Security Control Framework
COBIT

A

IT management and governance framework (ISACA); five principles:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management

49
Q

Risk Reduction Analysis
(5 parts)

A
  1. Trust boundaries: any location where the level of trust or security changes
  2. Data flow paths: movement of data between locations
  3. Input points: locations where external input is received
  4. Privileged operations: activities that require greater privilege than a standard user
  5. Details about security stance and approach: declaration of security policy, assumptions and foundations
50
Q

Security Controls
(2 types)

A

Safeguards = Proactive
Countermeasure = Reactive

51
Q

Security Controls
Categories (3 types)

A
  1. Technical (logical): hardware / software
  2. Administrative (managerial): policies, procedures, regulations
  3. Physical: barriers, locked doors, moats
52
Q

Security Controls
Control Types (7 types)

A
  1. Deterrent: discourages violations
  2. Preventive: stops unauthorized activity from happening
  3. Detective: discovers unauthorized acts
  4. Compensating: provides options to other controls to aid enforcement
  5. Corrective: returns a system to normal after an incident
  6. Recovery: extension of corrective, with more abilities (backups, failover)
  7. Directive: directs the actions of subjects to force security compliance
53
Q

Important Laws
Computer Fraud and Abuse Act (CFAA)

A

The first major US cybercrime specific legislation

54
Q

Important Laws
Federal Sentencing Guidelines

A

Gave punishment guidelines for computer crimes

55
Q

Important Laws
Federal Info Security Mgmt Act (FISMA)

A

Requires federal agencies to run a formal information security program

56
Q

Important Laws
Copyright and the Digital Millenium Copyright Act

A

Copyright protects original works (literary, musical, dramatic, and software); the DMCA prohibits circumventing copy-protection mechanisms and limits ISP liability for content transmitted by users

57
Q

IP and Licensing
Trademarks

A

Words, slogans and logos

58
Q

IP and Licensing
Patents

A

Protect inventions; give the inventor exclusive rights for a limited term (20 years in the US)

59
Q

IP and Licensing
Licensing (4 types)

A
  1. Contractual: written agreement between vendor and customer
  2. Shrink wrap: terms printed on the package, accepted by opening it
  3. Click through: End User License Agreement (EULA) accepted by clicking during install or signup
  4. Cloud services: terms accepted at signup; licenses are managed in the provider's cloud
60
Q

IP and Licensing
Trade Secrets

A

IP that is critical to business and cannot be disclosed

61
Q

Encryption and Privacy Laws
Computer Export Controls

A

US companies cannot export to embargoed destinations: Cuba, Iran, North Korea, Sudan or Syria (list as given in the card's source; it changes over time)

62
Q

Encryption and Privacy Laws
Encryption Export Controls

A

Administered by the Department of Commerce (Bureau of Industry and Security) under the Export Administration Regulations

63
Q

Encryption and Privacy Laws
Privacy (US)

A

4th amendment rights against unwarranted searches and seizures

64
Q

Encryption and Privacy Laws
Privacy (EU)

A

General Data Protection Regulation (GDPR)
Applies to any organization that processes personal data of people in the EU, regardless of where the organization is located

65
Q

US Privacy Laws
HIPAA

A

Health Insurance Portability and Accountability Act

66
Q

US Privacy Laws
HITECH

A

Health Information Technology for Economic and Clinical Health Act

67
Q

US Privacy Laws
Gramm-Leach-Bliley Act

A

for Financial institutions

68
Q

US Privacy Laws
COPPA

A

Children's Online Privacy Protection Act

69
Q

US Privacy Laws
ECPA

A

Electronic Comms Privacy Act

70
Q

US Privacy Laws
CALEA

A

Comm Assistance for Law Enforcement Act

71
Q

Business Continuity Planning (BCP)
(5 steps)

A
  1. Strategy development
  2. Provisions and processes
  3. Plan approval
  4. Plan implementation
  5. Training and education

“Overall how-to plan”

72
Q

BCP Definitions
Disaster Recovery Plan (DRP)

A

Recovery from a disaster impacting IT, returning IT to operational status

BCP for whole business
DRP just for IT

73
Q

BCP Definitions
Continuity of Operation Plan (COOP)

A

Continuing business until IT is restored

74
Q

Consequences of Privacy and Data Breach
(4 types)

A
  1. Reputation Damage
  2. ID Theft
  3. IP Theft
  4. Fines from failing to report
    - GDPR fines up to 4% of global annual turnover or 20 million euros, whichever is higher
75
Q

Data Breach Notifications
(Notes :/ )

A
  1. GDPR is 72 hours
  2. Escalations to external sources possible
  3. Countries have their own reporting timescale
  4. Delays can warrant a criminal investigation