Domain 1 Flashcards
What is the CIA Triad
- Confidentiality
- Integrity
- Availability
Achieving CIA Best Practices
- Separation of Duties
- Mandatory Vacations
- Job Rotation
- Least Privilege
- Need-to-know
- Dual Control
BIA
Business Impact Analysis
Define RTO
Planned recovery time. The amount of time allocated for a recovery plan to be executed
WRT
Work Recovery Time
Define WRT
The time needed to test and make sure everything is ready to go into the live production environment
SLO
Service Level Objective
Define SLO
The level of service a business needs to recover to in order to meet contractual requirements
RTO
Recovery Time Objective
COOP
Continuation of Operations
Define COOP
Focuses on delivering “something”, even if not optimal, while recovering critical systems to nominal
MTD
Maximum Tolerable Downtime
Define MTD
The amount of time we can be without a critical business function before the business can no longer function (the pain of loss)
MTO
Maximum Tolerable Outage
Define MTO
The amount of time the business can operate in recovery mode. May be limited by resources or constraints of inventory (for example, fuel for generators)
Steps of BIA
- Inventory and Define Assets (critical assets)
- Learn the business (understand what it does)
- Identify critical business functions
- Total list of assets, critical and non-critical, and their functions
- Derive Plans - Create different plans for management to select from
Risk Management Constraints
Time and budget
Opposite of CIA Triad (DAD)
Disclosure, Alteration, Destruction
Protection Mechanisms
- Layering (defense in Depth)
- Abstractions
- Encryption
Security Control Categories
- Directive (administrative) - Mandated requirements
- Deterrent - Reduces someone’s will to attack
- Preventative - Controls to prohibit activity
- Detective - Recognize hostile activity
- Corrective - Reacts to a situation to stop and restore
- Recovery - Restores operations to a known good state
Define Risk Management
Process of identifying, examining, measuring, mitigating, or transferring (sharing) risk
Risk Terminology
Asset - Anything of value to a company
Vulnerability - a weakness; the absence of a safeguard
Threat - Things that could pose a risk to an asset
Threat agent - The entity which carries out attack
Exploit - An instance of compromise
Popular Security Frameworks
ISO 27001/27002, COBIT, ITIL, RMF, CSA STAR
ISO 27001
ISO 27001 is known as the information security management system (ISMS) standard and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy
ISO 27002
ISO 27002 is a comprehensive list of security controls that can be applied to an organization; the organization uses ISO 27002 to select the controls appropriate to its own ISMS, which the organization designs according to ISO 27001
COBIT
The COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.
ITIL
“concentrates on how an organization’s IT environment should enhance and benefit its business goals. ITIL is also mapped to the ISO 20000 standard, perhaps the only non-ISO standard to have this distinction”
RMF
NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function): the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53).
Required to be followed by federal agencies in the United States.
CSA STAR
Cloud Security Alliance (CSA) publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance
“STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of IT security.” It has three tiers.
Three Tiers of STAR Framework
Tier 1. Only requires vendor self-assessment, using the CAIQ
Tier 2. Assessment of the organization by an external auditor certified by CSA to perform CAIQ audits
Tier 3. Requires continuous monitoring of the target organization by independent, certified entities
Due Care
“a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm.”
Due Diligence
“is any activity used to demonstrate or provide due care. Using the previous example, the car vendor might engage in due diligence activities such as quality control testing (sampling cars that come off the production line for construction/assembly defects), subjecting itself to external safety audit, prototype and regular safety testing”
Samples of Types of Vulnerabilities
- Software
- Physical
- Personnel
Two Risk Analysis Categories
Qualitative, Quantitative
Define Qualitative
A subjective approach to risk analysis. The organization should opt for this method when the organization does not have a sufficient availability of time, budget, or personnel trained in risk analysis to put toward the effort.
Define Quantitative
An objective approach to risk analysis; the quantitative method should produce objective, discrete numeric values. The organization should opt for this method when it has sufficient time, budget, and personnel trained in risk analysis to put toward the effort.
General Risk Management Options
Avoidance, Acceptance, Mitigation, Transference
Remaining risk after risk management efforts is called
Residual risk
ALE
Annual Loss Expectancy
(ex. if ARO is 1000 and SLE is 5, then ALE = 1000 * 5 = 5000)
SLE
Single Loss Expectancy
ex. for a single incident you expect $5 in loss
ARO
Annual (annualized) Rate of Occurrence
What is the loss expectancy model (equation)
ALE = ARO * SLE
EF
Exposure Factor
AV
Asset Value
How is SLE calculated
SLE = AV * EF
Define ARO
The number of times per year a given impact is expected, expressed as a number.
(ex. 1000 events in the course of a year is 1000/1, so ARO = 1000)
(ex. once every 50 years is 1/50, so ARO = 0.02)
Define Defense in Depth (Layered Defense)
Using multiple types of security controls to prevent single points of failure and improve the likelihood of stopping attacks
SCA
Security Control Assessment
Define SCA
“a plan and process for determining the proper function and management of controls is necessary and should be customized to the needs of the organization. This is very similar to an audit with specific focus on security controls and includes performance of those controls”
Control Assessment Techniques
Vulnerability Assessment
Penetration Test
What NIST Special Publication is 800-37
RMF (publication)
S.T.R.I.D.E
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
What are the Threat Modeling Concepts
STRIDE, DREAD, MART
D.R.E.A.D.
Damage, Reproducibility, Exploitability, Affected, Discoverability
M.A.R.T.
Mitigate
Accept
Reject
Transfer
SLA
Service Level Agreement
GDPR
General Data Protection Regulation
Define GDPR
European Union privacy protection Act
Define HIPAA
American federal law that impacts medical privacy
GLBA (Gramm-Leach-Bliley Act)
US law that allows banks to merge with insurance providers for information
Sarbanes-Oxley Act (SOX)
Law created to regulate fraud prevention and finances of publicly traded companies
FISMA (Federal Information Systems Management Act)
Law applicable only to federal government to comply with NIST
Computer Related Crimes
Malware, Unauthorized Access, Ransomware, Theft, Illegal Use of Source (botnet, DDoS attacks), Fraud
Intangible Assets are called
Intellectual Property
Modern Forms Of Licensing Include
Site Licensing
Per-seat Licensing
Shareware
Public Domain
DRM
Digital Rights Management
DRM Traits
Persistency, Dynamic policy control, Automatic expiration, Continuous audit trail, Interoperability
Define Import/Export Controls
The controls to limit and monitor the trans-border passing of data, software and hardware. Protects US interests and intellectual property
As of 2018, does the US adhere to GDPR
No
Types of Laws
Criminal, Civil, Administrative; Comprehensive Crime Act (1984), Computer Fraud and Abuse Act (1986), Computer Security Act (1987), Government Information Security Reform Act (2000), Federal Information Security Management Act (2002)
Types of Intellectual Property
Copyright, Trademarks, Patents, Trade Secrets, Licensing
6 steps of Risk Management Framework
- Categorize information systems
- Select security controls
- Implement security controls
- Assess controls
- Authorize system
- Monitor controls
Risk Value Equation
Risk Value = Probability * Impact
Security Governance Frameworks
ISO 27000 Series, COBIT, COSO, OCTAVE, ITIL