Domain 1 - Security and Risk Flashcards
An emphasis on confidentiality can affect which other part of the CIA triad?
Availability. The data is harder to access.
What is cryptanalysis?
Attacks on encryption.
What is data in use?
Live data on your screen.
What is the opposite of the CIA triad?
DAD
Disclosure
Alteration
Destruction
A focus on integrity can cause what part of the CIA triad to suffer?
Availability
A focus on availability can cause what part of the CIA triad to suffer?
Confidentiality and Integrity
What does IAAA stand for?
Identification,
Authentication
Authorization,
Accountability
What is Type 1 Authentication?
Something you know.
Passwords, passphrases, PINs, etc.
What is Type 2 Authentication?
Something you have.
Your ID, smartcard, token, cookie, etc.
What is Type 3 Authentication?
Something you are.
Fingerprint reader, iris scan, palm print, etc.
What is “Authorization”?
Assignment of access to objects.
RBAC, MAC, DAC, etc.
What is the need-to-know security governance principle?
Even when you have access, if you do not need to know then you should not access the data.
What do “subjects” do?
They are usually users or programs and they manipulate objects.
Who manages security governance?
C-level executives, board of directors, owners, etc.
What is management’s job in security governance?
Implementing standards, policies, and procedures to meet the governance requirements.
What are some examples of governance standards and control frameworks?
PCI-DSS, ISO 27001, HITRUST, COBIT, etc.
What is criminal law?
Society is the victim, Proof must be beyond a reasonable doubt.
What is Civil Law (Tort Law)?
Individuals, groups, or organizations are the victims. Proof must be a majority of the evidence.
What is Administrative Law?
Laws enacted by government bodies. FDA Laws, HIPAA, FAA, etc.
What are Private Regulations?
PCI DSS by the credit card industry
What is real evidence?
Tangible objects (drives, USB drives, etc.)
What is direct evidence?
Testimony from first-hand witnesses.
What is hearsay?
Not first-hand knowledge. Normally inadmissible.
What evidence should you provide to a court first?
Your best evidence. It should be complete, accurate, relevant, and authentic.
What evidence should be supplied to the court as secondary evidence?
IT Logs and documents from the system.
How do you prove evidence integrity in court?
Hashes, forensics, etc.
What does the fourth amendment protect the people from?
Unreasonable search and seizure by the government. It can only be bypassed in certain cases, such as danger to human life or the threat of evidence being destroyed.
What is Entrapment?
When someone is persuaded to commit a crime that they had no intention of committing.
What is Enticement?
Making a crime more enticing to commit, but the person has already broken the law or at least has decided to do so.
How long does copyright last?
70 years after creator’s death or 95 years for creation by corporations.
How long do trademarks last?
Ten years
How long do patents last?
Twenty years.
Can cryptographic algorithms be patented?
Yes
Are security breach notification laws federal?
No, each state has its own rules.
What is the Electronic communications Privacy Act?
It protects against warrantless wiretapping, but it was weakened by the Patriot Act.
What is the Patriot Act?
Expands Law Enforcement’s electronic monitoring connectivity.
What is the Computer Fraud and Abuse Act?
Most commonly used to prosecute computer crimes.
What is the Gramm-Leach-Bliley act?
Applies to financial institutions driven by federal financial institutions.
What is the GDPR?
Data protection law for all people who live in the EU or EEA. It covers everyone regardless of citizenship.
Does GDPR have the right to be forgotten?
Yes.
What are legacy EU laws that should be noted?
EU Data Protection Directive
EU-US Safe Harbor
Privacy Shield
What are the Organization for Economic Cooperation and Development (OECD) privacy guidelines?
30 member nations including the US that provide guidelines on the protection of privacy and transborder flows of personal data.
What is the Wassenaar Arrangement?
41 member countries. It details export and import controls for conventional arms, but also covers cryptography.
What is the ISC2 code of ethics preamble?
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere to the highest ethical standards.
Therefore, strict adherence to this code is a condition of certification.
What are the ISC2 code of ethics canons?
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
What is the “Mission” in governance?
Motivation or purpose
What are strategic plans?
Long-term, reviewed annually, 3-5 years.
What are tactical plans?
1 year, projects, hiring, budgets, etc.
What are operational plans?
High detail, updated frequently
What are policies?
Mandatory, high-level, non-specific. They use language like “strong encryption”.
What are standards?
Describes a specific use of technology. For example, laptop specs for the enterprise.
What are Guidelines?
Not mandatory. They are recommendations.
What are procedures?
Low-level, step-by-step guides for how to complete a task. Very specific.
What does user awareness accomplish?
Changes user behavior.
What does user training accomplish?
Provides users with a skill set.
What are administrative controls?
Policies, procedures, training, awareness, regulation (HIPAA)
What are examples of corrective access controls?
Antivirus, patches, IPS
What are examples of recovery access controls?
DR, Backups, High Availability
What is the equation for risk?
Threat x vulnerability
What is the equation for risk with impact?
Threat x vulnerability x impact
What is the equation for total risk?
Threat x vulnerability x asset value
What is the definition of exposure factor in quantitative risk analysis?
It is the percentage of asset loss.
What is the definition of Single Loss Expectancy in quantitative risk analysis?
It is the cost if “it” happens once.
What is the definition of Annual Rate of Occurrence in quantitative risk analysis?
How often “it” will happen in a year.
What is the definition of Annualized Loss Expectancy in quantitative risk analysis?
It is the cost per year if we do NOTHING.
What is NIST 800-30?
A nine-step process for risk management.
What is a Key Goal Indicator (KGI)?
Measured after the fact as to whether an IT process has achieved its business requirements.
What is a Key Performance Indicator (KPI)?
Defines measures that determine how well the process is performing.
What is a Key Risk Indicator (KRI)?
Measures risks that the organization is facing or how risky an activity is.
Measures adherence to risk appetite
Can be used as an early warning sign
What do RACI charts stand for?
Responsible
Accountable
Consulted
Informed
What is the definition of governance?
Ensures IT goals align with business objectives.
What is the definition of Compliance?
Conforming with a stated requirement such as laws, regulations, auditing, monitoring, ethics, privacy, etc.
What is NIST 800-53?
Provides detailed security controls for US federal systems. Provides guidance and a comprehensive risk-based approach.
What are control families?
Focus on a specific aspect of security and privacy.
What are control classes?
Management, operational, and technical
What are baseline controls?
The minimum level of security in a system.
What is a grey hat hacker?
They look for vulnerabilities in code, systems, or products.
What is a bot?
A computer system that has been infected by malware.
What is a botnet?
A command-and-control network of bots. It can contain hundreds of thousands of bots.
What is voice phishing over VoIP?
Vishing
What should a change of senior leadership invoke in the BCP?
A BCP review with the new leadership
What is the most important part of the BCP?
The Business Impact Analysis (BIA)
What is Maximum Tolerable Downtime?
The total amount of time a system can be inoperable before the organization is severely impacted.
What is the Work Recovery Time?
The amount of time required to configure a recovered system.
What is mean time between failures?
How long a new or repaired system or component will function, on average.
What is the mean time to repair?
How long it will take to recover a failed system.
What are the minimum operating requirements?
The minimum requirements for our critical systems to function.
What are external dependencies?
All third party services.