Domain 1 - Security and Risk Management Flashcards

1
Q

Confidentiality

A
  • We keep our data and secrets secret.
  • We ensure no unauthorized party can access the data.

2
Q

Integrity

A
  • Protection against modification of the data and the systems
  • We ensure the data has not been altered
3
Q

Availability

A

We ensure authorized people can access the data they need, when they need to

4
Q

Threats on Confidentiality

A
  • Attacks on encryption (cryptanalysis)
  • Social Engineering
  • Key Loggers
5
Q

Countermeasures on threats on confidentiality

A
  • Encrypt data at rest (e.g., AES-256, full-disk encryption)
  • Use a secure transport protocol for data in motion: TLS or IPsec (SSL is deprecated and should not be used)
  • Use secure practices for data in use: clean desk, guard against shoulder surfing, lock the PC when unattended
  • Strong passwords, multi-factor authentication, data masking, strict access control, Principle of Least Privilege (PoLP)
6
Q

Threats on Integrity

A
  • Alteration of data
  • Code Injection
  • Attacks on encryption
7
Q

Countermeasures on threats on Integrity

A
  • Cryptography
  • Checksums / hash verification (detects accidental or unauthorized changes)
  • Digital signatures (integrity plus authenticity; also provide non-repudiation)
  • Strict access control
8
Q

Threats on Availability

A
  • Malicious attacks (DDOS, physical, system compromise, staff)
  • Application failures (errors in code)
  • Component failures (Hardware)
9
Q

Countermeasures on threats on availability

A
  • IPS/IDS
  • SLAs: how much uptime we commit to (e.g., 99%)
  • Patch management
  • Redundancy: power, disks (RAID), network paths, HVAC, staff; high-availability (HA) designs
10
Q

The Opposite of CIA Triad

A

DAD (Disclosure, Alteration, and Destruction)

11
Q

IAAA services

A

Identification, Authentication, Authorization, and Accountability

12
Q

Identification

A

Claiming an identity, for example your name, username, or ID number.

13
Q

Authentication

A

Proving you are the identity you claimed.

14
Q

3 types of Authentication

A

Type 1 - something you know (password, PIN, etc.)
Type 2 - something you have (cookie, ID card, passport, hardware token, authenticator app, etc.)
Type 3 - something you are - biometrics (fingerprint, iris scan, facial geometry, etc.); cannot be reissued if compromised

15
Q

Authorization

A

Permissions: what you are allowed to access.

16
Q

Accountability

A

Tracing actions back to a subject's identity; proving who or what performed a given action (supports non-repudiation).

17
Q

What is the mission of IT security in an organization?

A

To support the organization: enable it to fulfill its mission statement and business goals. IT security is not the most important part of the organization; it exists to serve the business.

18
Q

What is PoLP?

A

Principle of Least Privilege - We give our users/systems exactly the access they need, no more, no less.

Need to Know - Even if you have access, if you do not need to know, then you should not access the data.

19
Q

What is non-repudiation?

A

A user cannot deny having performed a certain action. This uses both Authentication and Integrity.

20
Q

Subject and Object on Security Governance

A

Subject (active) - most often users, but can also be programs; the subject acts on the object.

Object (passive) - any passive data or resource; the object is acted on by the subject.

Some entities can be both at different times: a running program is a subject; when it is not running, its code and data can be an object.

21
Q

Governance vs. Management

A

Governance - C-level executives
> What are the stakeholders' needs?
> Setting direction through prioritization and decision making
> Monitoring performance and compliance against the agreed-upon direction and objectives
> Risk appetite - aggressive, neutral, averse

Management - How do we get to the destination?
> Plans, builds, runs, and monitors activities in alignment with the direction set by governance to achieve the objectives.
> Risk tolerance - how we practically work within our risk appetite and our environment.

22
Q

Top-Down vs. Bottom-Up on Security Management

A

Bottom-Up : IT security is seen as an annoyance rather than a helper; this often changes only after a breach happens.

Top-Down : IT leadership is on board with IT security; they lead and set direction.

23
Q

What is PCI-DSS?

A

Payment Card Industry Data Security Standard

> A contractual standard rather than a law, but required if we want to store, process, or transmit debit and credit card data

24
Q

What is OCTAVE?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation

> Flexible, self-directed risk assessment and management approach

25
Q

What is COBIT?

A

Control Objectives for Information and related Technology

> Goals for IT - Stakeholder needs are mapped down to IT related goals.

26
Q

What is COSO?

A

Committee of Sponsoring Organizations (of the Treadway Commission)

> Goals for the entire organization (higher level than COBIT: enterprise governance and internal control)

27
Q

What is ITIL?

A

Information Technology Infrastructure Library

> IT Service Management (ITSM)

28
Q

What is FRAP?

A

Facilitated Risk Analysis Process
> Analyzes one business unit, application, or system at a time in a roundtable brainstorm with internal employees. The impact is analyzed, and the threats and risks are prioritized.

29
Q

List ISO 27000 series?

A

ISO 27001: Requirements for establishing, implementing, maintaining, and continually improving the ISMS; the standard an organization can be certified against. Traditionally described with the PDCA cycle (Plan, Do, Check, Act).

ISO 27002: Code of practice with practical advice on how to establish, implement, maintain, and improve security controls, organized into control domains. Guidance only: an organization cannot be certified against it.

ISO 27003: Information security management system implementation guidance

ISO 27004: Provides metrics for measuring the success of your ISMS

ISO 27005: Standards-based approach to information security risk management

ISO 27799: Guidance for protecting PHI (Protected Health Information) in healthcare organizations, applying ISO 27002 to health informatics

30
Q

What is Defense in Depth?

A

> Layered defense or onion defense: implement multiple overlapping security controls to protect an asset
This applies to physical, administrative, and logical (technical) controls
No single security control secures an asset
Improves the organization's CIA

31
Q

List Legal and Regulatory issues

A

Criminal Law: Society is the victim; penalties include imprisonment; the statutes are codified in the United States Code

Civil Law: Individuals, groups, or organizations are the victim; remedies are mostly financial (damages); also codified in the United States Code

Administrative Law: Regulations enacted by government agencies (for example FDA rules, the HIPAA rules, FAA rules); published in the CFR (Code of Federal Regulations), which contains all administrative law

Private Regulations: Compliance is required by contract (PCI-DSS)

Customary Law: Handles personal conduct in an area or region, based on tradition

Religious Law: Based on the religious beliefs in that area or country; includes morality and a code of ethics

Case Law: Court rulings, including Supreme Court rulings, contain interpretations of the law

32
Q

If something happens, who is ultimately liable?

A

Senior leadership, but negligence must be proven.

> Due Diligence ("do detect"): the research done to build the IT security architecture and the preparation before implementing it.
Due Care ("do correct"): acting on that plan; the prudent person rule.

Negligence: if a system under your control is compromised and you did NOT perform due care, you are most likely liable.

33
Q

List type of evidence

A

Real Evidence: Tangible, physical objects; in IT security, hard disks, USB drives (the device itself, not the data on it)

Direct Evidence: Testimony from a first-hand witness about what they experienced

Circumstantial Evidence: Evidence that supports the circumstances of a point or of other evidence

Corroborative Evidence: Supports facts or elements of the case; not facts on their own, but they support other facts

Hearsay: Not first-hand knowledge; normally inadmissible in a case

34
Q

How do we ensure evidence integrity?

A

With cryptographic hashes: the original is hashed at acquisition, every working copy is verified against that hash, and all forensic work is done on the copies, never on the original.
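Worked example for this card and for the integrity countermeasures card (checksums/hashes versus signatures), added here and not part of the original deck: the acquire/copy/verify pattern with SHA-256, and why a plain hash detects tampering but says nothing about who tampered, whereas a keyed HMAC does. The "disk image" and the examiner key are constructed sample values.

```python
"""Added example (not from this flashcard deck): integrity checking with a
plain hash versus a keyed HMAC, using the forensic acquire/copy/verify
pattern from the evidence-integrity card. The "disk image" is a constructed
byte string standing in for a real device or image file."""
import hashlib
import hmac

# Constructed stand-in for an acquired disk image.
ORIGINAL_IMAGE = b"\x00" * 16 + b"BOOT-SECTOR" + b"evidence payload " * 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes) -> tuple:
    """Hash the original exactly once at acquisition time and record the
    value in the chain-of-custody log; return a working copy and that hash."""
    return bytes(original), sha256_hex(original)


def verify_copy(working_copy: bytes, acquisition_hash: str) -> bool:
    """Re-hash a working copy before (and after) analysis; any bit flip
    changes the digest, so a mismatch means the copy is not the evidence."""
    return hmac.compare_digest(sha256_hex(working_copy), acquisition_hash)


def tamper(data: bytes) -> bytes:
    """Simulated alteration by someone with write access to the copy."""
    return data.replace(b"evidence", b"innocent", 1)


# A plain hash detects change but not *who* changed it: the tamperer can
# simply recompute and publish the new digest. A keyed HMAC ties the tag to
# a secret the tamperer does not hold, giving authenticity as well.
def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


if __name__ == "__main__":
    copy, h = acquire(ORIGINAL_IMAGE)
    print("copy verifies:", verify_copy(copy, h))
    print("tampered copy verifies:", verify_copy(tamper(copy), h))
```

The HMAC still does not give non-repudiation: everyone holding the key can produce the tag, so the examiner cannot prove a tag was not made by a colleague with the same key. That is what the digital signature on the integrity card adds, since only the holder of the private key can sign.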

35
Q

Why are logs and documents treated as secondary evidence?

A

Because they are not real evidence: there is nothing physical you can touch.

36
Q

What do we need to bear in mind when collecting evidence?

A

> Evidence must be obtained legally; even for the organization's own employees, they need to have been made aware that their actions are monitored
No threat to human life: safety always comes before evidence collection

37
Q

What is entrapment and enticement?

A

Entrapment: When someone is persuaded to commit a crime they had no intention of committing and is then charged with it (a valid legal defense)

Enticement: Making committing a crime more enticing, but the person had already decided to break the law (legal). Honeypots can be a good way to use enticement

38
Q

What is Intellectual Property?

A

A category of property that includes intangible creations of the human intellect.

Copyright: Granted automatically on creation; lasts 70 years after the creator's death, or 95 years from publication for works owned by a corporation

Trademark: Brand names, logos, slogans; must be registered (with the USPTO, the US Patent and Trademark Office, in the US); valid for 10 years and renewable indefinitely

Patents: Protect an invention for 20 years; the invention must be novel, useful, and nonobvious

Trade secrets: Tell no one your formula; there is no registration, and protection lasts only as long as the secret is actually kept (NDAs, access controls)

39
Q

What type of Attacks on Intellectual Property?

A

Copyright > Piracy
Trademark > Counterfeiting
Patent > Use by someone else without permission (infringement)

Cyber Squatting > Registering a domain name you know someone else will need, in order to sell it to them
Typo Squatting > Registering a domain name very close to a real website's name (illegal if the purpose is to deceive)

40
Q

What is GDPR?

A

General Data Protection Regulation, a regulation in EU law on data protection and privacy for all individuals within the EU

Violators of the GDPR may be fined up to 20 million EUR or 4% of worldwide annual turnover, whichever is higher

Personal data may not be processed unless there is at least one lawful basis to do so, such as the data subject's informed consent

41
Q

What is Privacy?

A

Keeping hidden information that contains PII (personally identifiable information) and controlling who may access it.

42
Q

Example Rules/Regulation in US?

A

HIPAA - Health Insurance Portability and Accountability Act. Strict privacy rules on handling PHI (Protected Health Information)

Security Breach Notification Laws (state laws requiring notification of affected individuals)

ECPA - Electronic Communications Privacy Act. Protection of electronic communications against warrantless wiretapping; weakened by the Patriot Act.

Patriot Act of 2001:
> Expanded law enforcement's electronic monitoring capabilities
> Allows search and seizure without immediate disclosure

CFAA - Computer Fraud and Abuse Act. Protects computers used by the government or in interstate commerce from a variety of abuses

GLBA - Gramm-Leach-Bliley Act
Applies to financial institutions

SOX - Sarbanes-Oxley Act
Enacted in direct response to accounting scandals; requires controls over financial reporting

PCI-DSS - Payment Card Industry Data Security Standard
Created by the payment card industry (a contractual standard, not a law)

FISMA - Federal Information Security Management Act of 2002 (replaced GISRA, which expired in 2002), updated by the Federal Information Security Modernization Act of 2014. Applies to federal agencies and the contractors that handle their systems

FERPA - Family Educational Rights and Privacy Act. Grants certain privacy rights to students older than 18 and to the parents of minor students

Identity Theft and Assumption Deterrence Act of 1998. Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.

43
Q

What are example of GDPR regulation?

A

> Right to access: Data controllers must provide a free copy of an individual's data on request
Right to erasure: All users have a "right to be forgotten"
Data portability: All users can request their data "in electronic format"
Data breach notification: The supervisory authority must be notified within 72 hours of the controller becoming aware of a breach; affected data subjects must be notified without undue delay when the breach poses a high risk to them
Privacy by design: When designing data processes, care must be taken to ensure personal data is secure
Data Protection Officers: Organizations whose core activities involve large-scale data processing and monitoring must appoint a data protection officer

44
Q

What is OECD Privacy Guidelines?

A

The Organisation for Economic Co-operation and Development, an intergovernmental body of member nations from around the world (30 members when these cards were written; 38 today).

8 driving principles issued in 1980:
> Collection Limitation: collection must be limited and take place with the knowledge or consent of the subject
> Data Quality: data should be accurate, complete, and relevant
> Purpose Specification: state why the data is being collected
> Use Limitation: use only for the stated purpose, with the subject's consent, or as required by law
> Security Safeguards: reasonable safeguards protect the CIA of the data
> Openness: practices and policies must be communicated openly
> Individual Participation: individuals can find out which organization holds their data and can challenge it
> Accountability: the organization is accountable for complying with the other seven principles

45
Q

What is wassenaar Arrangement?

A

A multilateral export-control arrangement covering conventional arms and dual-use goods and technologies; cryptography is considered dual use (it can be used both for harm and for good).

46
Q

How we ensure security on 3rd party services and applications?

A
  • Set an SLA (Service Level Agreement)
  • Put the right to penetration test and the right to audit in the agreement
  • Vendor must be certified or attested to an industry standard: ISO 27001, SOC 2, PCI-DSS
47
Q

Security Governance Principles Pyramid

A

> Values (Ethics, Principles, Belief)
Vision (Hope and Ambition)
Mission (Motivation and Purpose)
Strategic Objectives (Plans, goals, and sequencing)
Action and KPIs (Actions, Resources, Outcomes, Owners, and Timeframes)

48
Q

Policies, Standards, Guidelines, Procedures and Baselines on Security Governance

A

> Policy (Mandatory) : General Management Needs, High level, non-specific
Standards (Mandatory) : Specific Mandatory Control, specific
Guidelines (non-Mandatory) : Recommendation/Best Practice
Procedures (Mandatory) : Low level step-by-step guides
Baselines (Mandatory) : minimum requirement, implement stronger if needed

49
Q

How to increase Personnel Security using Security Governance?

A

> Awareness: establishes a minimum standard common denominator or foundation of security understanding
Training: Set security training
Hiring Practices: Do background checks
Employee Termination Practices: Coordinate with HR to shut off access at the right time

50
Q

List Access Control categories

A

> Administrative (Directive) Control: Organizational policies, Regulation
Technical Controls: Hardware/software/firmware - Firewalls, routers, encryption
Physical Controls: Locks, fences, guards, turnstile

51
Q

List Access Control types

A

> Preventative: Prevents action from happening - Least privilege, IPS, firewalls
Detective: Controls that detect during or after attack, IDS, CCTV, alarms
Corrective: Controls that Correct an attack - Anti-virus, patches, IPS
Recovery: Controls that help us Recover after attack, DR Environment, backups, HA environments
Deterrent: Controls that Deter an attack - Fences, security guards, dogs
Compensating: Controls that compensate for a primary control that is impossible or too costly to implement

52
Q

4 Phases - Risk Management Lifecycle

A

> Risk Identification: Is there a risk? Identify the assets and determine which risk appetite we have
Tangible Assets: can be physically touched - buildings, hardware
Intangible Assets: cannot be physically touched - data, trade secrets
Risk Assessment: How bad is the risk?
Risk Mitigation: How do we want to respond to it?
Risk and Control Monitoring: Iterative; monitor the controls using KRIs and KPIs

53
Q

The Prudent Man Rule (1991)

A

Requires senior executives to take personal responsibility for information security matters.

54
Q

Quantitative Risk Assessment vs Qualitative Risk Assessment

A

Qualitative Risk Assessment > more scenario-based than calculation-based; the best tool for intangible assets
> Delphi technique : anonymous feedback-and-response process used to enable a group to reach an anonymous consensus
> Risk Analysis Matrix : Consequences x Likelihood

Quantitative Risk Assessment > results in concrete probability indications or a numeric indication of relative risk potential
> Assign an Asset Value (AV)
> Calculate the Exposure Factor (EF) : percentage of loss that an organization would experience if a specific asset were violated by a realized risk
> Calculate the Single Loss Expectancy (SLE) : SLE = asset value (AV) * exposure factor (EF); the potential loss associated with a single realized threat against a specific asset
> Assess the Annualized Rate of Occurrence (ARO) : the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year
> Get the Annualized Loss Expectancy (ALE) : ALE = SLE * ARO
> Perform a cost/benefit analysis for countermeasures: value of a safeguard = ALE before - ALE after - annual cost of the safeguard

Total Risk = Threat * Vulnerability * Asset Value
Residual Risk = Total Risk - Countermeasures
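Worked example of the quantitative formulas on this card, added here and not part of the original deck: SLE = AV * EF and ALE = SLE * ARO for a constructed scenario, the safeguard cost/benefit decision that follows from them, and a simple consequence x likelihood matrix. The asset values, rates, safeguard cost and matrix thresholds are all illustrative assumptions.

```python
"""Added example (not from this flashcard deck): the quantitative formulas on
this card (SLE = AV * EF, ALE = SLE * ARO) applied to a constructed scenario,
together with the safeguard cost/benefit decision and the qualitative
consequence x likelihood matrix. All figures are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset."""
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per realized event (0..1)
    aro: float              # Annualized Rate of Occurrence: events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one realized event."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual benefit of a control: (ALE before) - (ALE after) - (annual
    cost of the safeguard). Positive means buy it; negative means the control
    costs more than the risk it removes, which is the risk-acceptance case."""
    return before.ale - after.ale - annual_cost


def qualitative_rating(likelihood: int, consequence: int) -> str:
    """Risk analysis matrix on 1..5 scales; the thresholds are an assumption."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("scales are 1..5")
    score = likelihood * consequence
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


if __name__ == "__main__":
    # Constructed: a web server worth 200,000; a breach loses 25% of its value
    # and is expected twice a year. A WAF costing 30,000/year cuts ARO to 0.5.
    before = Scenario(asset_value=200_000, exposure_factor=0.25, aro=2.0)
    after = Scenario(asset_value=200_000, exposure_factor=0.25, aro=0.5)
    print("SLE:", before.sle, "ALE before:", before.ale, "ALE after:", after.ale)
    print("safeguard value:", safeguard_value(before, after, 30_000))
```

The same code answers the risk-acceptance question on the risk-response card: if the safeguard's annual cost exceeds the ALE it removes, the value goes negative and accepting the residual risk is the defensible choice.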

55
Q

Example US Privacy Law

A

> Fourth Amendment : The basis for privacy rights
Privacy Act of 1974 : applies only to government agencies, agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed
Electronic Communications Privacy Act of 1986 : crime to invade the electronic privacy of an individual
Economic Espionage Act : protect trade secret
Communications Assistance for Law Enforcement Act (CALEA) of 1994 : requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
Health Insurance Portability and Accountability Act of 1996 (HIPAA) : strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

56
Q

What is due diligence and due care?

A

Due diligence is establishing a plan, policy, and process to protect the interests of an organization.

Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.

57
Q

What is RAID and level of RAID?

A

Redundant Array of Independent (originally Inexpensive) Disks

RAID 0 - Striping; no fault tolerance (high performance)
RAID 1 - Mirroring; data duplicated on two drives (expensive: 50% usable capacity)
RAID 5 - Striping with distributed parity; 3 or more disks; survives one disk failure
RAID 6 - Striping with double parity; 4 or more disks; survives two disk failures
RAID 10 - Most common; combines RAID 1 (mirroring) and RAID 0 (striping); survives one failure per mirror pair, so several disks can fail as long as no mirror pair loses both
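Worked example of the parity behind RAID 5, added here and not part of the original deck: a stripe of data blocks plus one XOR parity block, a simulated disk failure, and the rebuild from the survivors, including the failure mode where a second disk dies. The disk contents are constructed sample bytes; parity rotation across disks and real block sizes are left out.

```python
"""Added example (not from this flashcard deck): the XOR parity behind RAID 5,
showing why one lost disk is recoverable and two are not. Disk contents are
constructed sample bytes; real arrays rotate parity across disks and work on
much larger stripes, which is left out here."""
from functools import reduce
from typing import List, Optional

BLOCK = 4  # bytes per block per disk, tiny for illustration


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks; XOR is its own inverse, which is
    what makes parity recovery work."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """One stripe = the data blocks plus a parity block (the last disk)."""
    if any(len(b) != BLOCK for b in data_blocks):
        raise ValueError("all blocks must be BLOCK bytes")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def fail_disks(stripe: List[bytes], *indices: int) -> List[Optional[bytes]]:
    """Simulate disk failure by replacing the given blocks with None."""
    return [None if i in indices else b for i, b in enumerate(stripe)]


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild the single missing block from the survivors. With RAID 5's one
    parity block the equations only determine one unknown, so a second
    failure is unrecoverable (RAID 6 adds a second, independent parity)."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) == 0:
        return list(stripe)
    if len(missing) > 1:
        raise ValueError(f"RAID 5 cannot recover {len(missing)} failed disks")
    survivors = [b for b in stripe if b is not None]
    rebuilt = list(stripe)
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt


if __name__ == "__main__":
    stripe = build_stripe([b"ABCD", b"EFGH", b"IJKL"])
    print("rebuilt matches original:", rebuild(fail_disks(stripe, 1)) == stripe)
```

Losing the parity disk itself is handled the same way: the parity is just the XOR of the data blocks, so it is recomputed from them. The availability point for the flashcard is that RAID only covers disk failure; it does nothing for deleted or corrupted data, which is why backups remain a separate recovery control.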

58
Q

Data custodian

A

assigned role who is responsible for implementing security control defined by policy and senior management

59
Q

Type of Risk Responses

A

> Risk Mitigation (Reducing risk) : the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats

> Risk Assignment (Risk Transference) : the placement of the responsibility of loss due to a risk onto another entity or organization, Purchasing cybersecurity insurance

> Risk Deterrence : implementing deterrents to would-be violators of security and policy, the goal is to convince a threat agent not to attack. example, security cameras, and warning banners

> Risk Avoidance : process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. example, remove unused but vulnerable server.

> Risk Acceptance : is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk

> Risk Rejection : An unacceptable possible response to risk is to reject risk, ignoring risk may be considered negligence in court

60
Q

List of Social Engineering Principle

A
  • Authority : claimed as higher authority
  • Intimidation
  • Consensus (social proof): claiming that others have already complied
  • Scarcity : a technique used to convince someone that an object has a higher value based on the object’s scarcity
  • Familiarity
  • Trust
  • Urgency
61
Q

Why mandatory vacations is necessary?

A

Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

62
Q

What is UBA/UEBA?

A

User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight programs.

63
Q

Risk management framework (RMF) from NIST

A

> Prepare, to execute the RMF from an organization- and system-level perspective by establishing a context and priorities for managing security and privacy risk.

> Categorize, the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss.

> Select, an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.

> Implement, the controls and describe how the controls are employed within the system and its environment of operation.

> Assess, the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.

> Authorize, the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable.

> Monitor, the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

64
Q

What is SCRM?

A

supply chain risk management (SCRM), means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners

65
Q

What is the goal of Reduction Analysis?

A

to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements

5 key concepts:
> Trust Boundaries : Any location where the level of trust or security changes
> Dataflow Paths : The movement of data between locations
> Input Points : Locations where external input is received
> Privileged Operations : Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security
> Details about Security Stance and Approach : The declaration of the security policy, security foundations, and security assumptions

66
Q

4 Steps of BCP process

A
  • Project scope and planning
  • Business impact analysis
  • Continuity planning
  • Approval and implementation
67
Q

Differences between BCP vs DRP

A

BCP: Business Continuity Planning deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck.

DRP: Disaster Recovery Planning deals with restoring normal business operations after the disaster takes place.

The BCP project concentrates on continuing business operations, whereas the DRP project focuses on recovering the original business functions

68
Q

5 Stages on business impact analysis process

A
> identification of priorities
> risk identification
> likelihood assessment
> impact analysis
> resource prioritization
69
Q

d/ element of data categorization management

A
70
Q

d/ military data and private sector data classification

A
71
Q

d/ licensing agreements

A
72
Q

What is KGI, KPI, and KRI?

A

KGI (Key Goal Indicator) : measures whether an IT process has achieved its business need
KPI (Key Performance Indicators) : how well process performing in enabling the goal
KRI (Key Risk Indicator) : Quantify the risk organization is facing

73
Q

Key Goal Indicator

A