Domain 1 Flashcards
3 components of security education
Policy - what to do
Training - skills for doing it
Awareness - changes behavior
CIA Triad vs DAD
CIA: Confidentiality, Integrity, Availability
DAD (logical opposite of CIA): Disclosure, Alteration, Destruction
Controls are implemented across what three levels? Give examples for each
Administrative (aka directive): background checks, policies/procedures
Technical: encryption, smart cards
Physical: locks, securing laptops/magnetic media, protection of cable
Criminal vs Civil
Criminal: possible to get jail time, burden of proof is beyond a reasonable doubt (99.9%)
Civil: burden of proof is just tipping the scale (50.1%)
CVSS
Common Vulnerability Scoring System
Draw chart of 5 types of documentation
refer to “Types of Documentation - Drawing 1B”
Draw the qualitative RA matrix
Qualitative Risk Analysis Matrix helps identify most significant risks to organization
Likelihood on the left (vertical axis), Impact across the top (horizontal axis), each rated high / med / low
Refer to “Qualitative RA Matrix - Domain 1 pg 67”
Excessive risk
means risk above the level the executive / data owner has deemed acceptable; excessive does NOT mean a lot of risk
Fork bomb
attack that loops while 1=1 (which is always true), forking (starting a new process) on every iteration until all memory is used and the system crashes
Formula for Risk
risk = threat x vulnerability
threat drives calculation, vulnerability reduces the risk
threat: potential for harm, can be internal/external/competitor/govt (hurricanes, snowstorms, viruses, worms)
vulnerability: weakness (unpatched system, default install)
variation of smurf involving spoofed UDP datagrams sent to UDP port 7
fraggle
IAAA
Identification: means by which users claim their identities to a system
Authentication: establishes, tests or reconciles a user’s identity
Authorization: rights/permissions granted to an individual (or process) that enable access to a computer
Accountability: system’s ability to determine actions of single individual within a system, shows that a particular individual performed a particular action e.g. audit trails and logs
LAND attack
creates a recursive loop that crashes the system, e.g. a packet sent from 192.168.1.1 to 192.168.1.1 on port 8080 (source and destination are the same)
List all quantitative formulas
SLE (Single Loss Expectancy) = EF (exposure factor) x AV (asset value)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy) = SLE x ARO
TCO (Total Cost of Ownership)
ROI (Return on Investment)
Cost/Benefit Analysis
List all types of controls and examples of each
Preventative: locks on doors, firewalls
Detective: goes off during attack (alarm systems, IDS), means preventative failed
Corrective: short-term fix to prevent future attacks (police guards)
Compensating: alternative control (one-way firewall in hospital if MRI system could never be connected to network but doctors need info from it)
Recovery: long-term fix
Suppressive: where you detect and respond to deal with a problem
Name a directive control that is a strategic user-focused document?
Policy
Name the 5 types of documentation
Policy, Procedure, Standard, Baseline, Guideline (optional)
Name different types of DoS attacks
DoS attacks:
- Crafted Packets
- Ping of Death
- LAND attack
- Teardrop
- Flooding
- SYN flood
- Smurf
- Fraggle
DDoS - compromising multiple machines to attack the victim
- Fork bomb
OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
password guessing vs password cracking
Guessing (online, where you try to guess at website login prompt but subject to account lockout)
Cracking (offline, no account lockout, but you need the raw encrypted passwords)
PCI DSS requirements
Payment Card Industry Data Security Standard - aka dirty dozen (12 requirements), know in general the 12 goals (don’t need to know order):
- Install/maintain firewalls
- No vendor default passwords/parameters
- Protect stored data
- Encrypt transmission of data across public networks
- Use/update antivirus
- Develop/maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems/processes
- Maintain a policy that addresses information security for all personnel
Buffer overflow attack in which you send a ping packet larger than the maximum size allowed
ping of death
Info about individuals will be kept private and if it needs to be disclosed the person will be notified; regulated at state level
Privacy Act of 1974
RFI, RFP, RFQ
Request for Information - helps you tailor the RFP
Request for Proposal - stage of procurement to determine which providers will bid for project and what their proposal looks like, more detailed than RFQ
Request for Quote - can sometimes ask for RFQ to make sure we have enough budget before doing a full RFP
SLA, OLA, ELA
Service Level Agreement: delivering certain level of service and if you don’t there’s penalties e.g. ISP delivers certain level of bandwidth with certain reliability
Operating Level Agreement: internal agreement that supports SLA e.g. you need to make sure you have enough staff to meet the SLA
Enterprise License Agreement: site licensing for software e.g. Microsoft licensing agreement for Windows software
type of attack that spoofs the victim’s IP and sends ICMP Echo Request (ping) to directed broadcast
Smurf attack. The adversary sends one request to a broadcast address, telling (say) 1 million computers to reply to “me”, where “me” is the spoofed source address of the victim you want to bring down (mnemonic: smurfs singing down the street with hundreds joining in, like multiple packets piling up together)
The system keeps a table that tracks connections; if you fill it up, no new connections can come in
SYN flood
Attack that involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine
Teardrop. In other words, sending a bunch of puzzle pieces that could never be put together
Third party governance
Before purchasing third party products, assess exposures/risks, validate software, etc
COTS (Commercial Off the Shelf software) e.g. Windows/Office
Types of IP
Intellectual Property
Formal methods of protection:
Patent: public; can’t be just an idea, it needs to be reduced to practice and show how it actually works. The government grants patents to encourage people to share the best way to do something with society, in exchange for a 20 yr monopoly
Copyright: creator of work is implied owner of copyright e.g. monkey who took selfies had copyright, not photographer
Trademark: “Ultimate driving machine”, “Just do it”
Informal means of protection:
Trade secret: formula for coca cola (if it were patent it would be public)
What is an internal SLA?
OLA (Operating Level Agreement)
What is OECD?
Organization for Economic Co-operation and Development, 34 countries in Europe, strict controls for information held on your behalf
- Working Party on Information Security and Privacy develops non-binding guidance (member countries do not have to implement recommendations)
EUDPD (European Union’s Data Protection Directive) - binding requirement for EU member states, considered more stringent than US Privacy laws
What is the ultimate output of threat mapping or attack surface analysis?
Security dashboard: visual representation that shows you where high exposures are and what systems they are on
What is TOC/TOU?
Time of Check / Time of Use; difference should always be zero e.g. if you put system online for two hours before it’s fully patched and secured there’s a good chance it will be compromised
What methodology is most common for scoring vulnerabilities? Name a second system as well.
CVSSv2 (Common Vulnerability Scoring System) is most common. Another is OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
Which country does not have one set of privacy laws?
The US since privacy laws are at a state level, not federal. All of Europe has one set of laws.
Your company has decided to perform a major technology overhaul. Which would best describe impact to the organization:
a) policies and procedures will need major revisions
b) policies and procedures will need minor revisions
c) minor revisions to policy and major revisions to procedures
d) minor revisions to procedures and major revisions to policy
Answer: c
good for addressing ownership, profit & loss, clearly lays out who makes what decision, who owns what part of company
BPA (Business Partnership Agreement)
when two organizations connect their networks together, who owns what info, who is responsible for what actions, who has liabilities for particular exposures
MOU/A: Memorandum of Understanding/Agreement
typically part of MOU, involves who is allowed to keep info if partners separate. dictates technical security requirements associated with two organizations connecting networks
Interconnection Security Agreement
preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary data
Confidentiality
guarding against improper data modification, includes ensuring information non-repudiation and authenticity
Integrity
ensuring timely and reliable access to and use of information
Availability
high level statement of what to do, should be specific, measurable, achievable e.g. All servers must be properly hardened by patching and turning off services
Policy
details of how to do something e.g. all the steps to apply the security configuration when a system is built
Procedure
specifies a certain way something should be done or a certain brand/type of equipment to be used e.g. Admins must use Windows Server 2012 R2 as the base operating system
Standard
more specific implementation, specific technical details of how a system’s hardware/software should be configured e.g. the specific settings for Win Server 2012 R2 should match those in the CIS Security Benchmark
Baseline. Usually a baseline starts off as a guideline until it has been properly modified to meet the needs of the org
recommended way of doing something; e.g. to ease the config, local GPOs can be used to roll out the changes
Guideline. best practice might start off as a guideline and if analysis shows there is great benefit, it may become a standard (mandatory)
Due __ is the prudent management and execution of due care e.g. maintaining the proper environment
due diligence
Due __ is the minimum and customary practice of responsible protection of assets aka the “Prudent Man Rule”; are you doing what a reasonable organization would do when implementing security. This is an important concept to the legal matter of negligence and therein potential liability.
due care
__ is performing reasonable examination and research before committing to a course of action. Basically ‘look before you leap’. In law, you would perform this by researching the terms of a contract before signing it e.g. doing your homework. The opposite would be haphazard.
due diligence
__ is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if this situation exists because of a contract, regulation, or law. The opposite of this is negligence.
due care
Due __ is identifying threats and risks while Due __ is acting upon findings to mitigate risks.
due diligence (do detect), due care (do correct)