Domain 1 - Security and Risk Management Flashcards

1
Q

Confidentiality

A
  • We keep our data and secrets secret.
  • We ensure no one unauthorized can access the data

2
Q

Integrity

A
  • Protection against modification of the data and the systems
  • We ensure the data has not been altered
3
Q

Availability

A

We ensure authorized people can access the data they need, when they need to

4
Q

Threats on Confidentiality

A
  • Attacks on encryption (cryptanalysis)
  • Social Engineering
  • Key Loggers
5
Q

Countermeasures on threats on confidentiality

A
  • Encrypt data at rest using AES-256, full disk encryption
  • Secure transport protocols for data in motion using SSL, TLS, IPsec
  • Use secure practices for data in use, for example clean desk, no shoulder surfing, PC locking
  • Strong passwords, multi-factor authentication, masking, strict access control, Principle of Least Privilege (PoLP)
6
Q

Threats on Integrity

A
  • Alteration of data
  • Code Injection
  • Attacks on encryption
7
Q

Countermeasures on threats on Integrity

A
  • Cryptography
  • Checksums/hash verification
  • Digital signatures (provide non-repudiation)
  • Strict access control
8
Q

Threats on Availability

A
  • Malicious attacks (DDoS, physical, system compromise, staff)
  • Application failures (errors in code)
  • Component failures (Hardware)
9
Q

Countermeasures on threats on availability

A
  • IPS/IDS
  • SLAs - how high an uptime do we want (99%)
  • Patch management
  • Redundancy in hardware, power, disks (RAID), traffic paths, HVAC, staff; High Availability
10
Q

The Opposite of CIA Triad

A

DAD (Disclosure, Alteration, and Destruction)

11
Q

IAAA services

A

Identification, Authentication, Authorization, and Accountability

12
Q

Identification

A

Claiming an identity, for example your name, username, ID number

13
Q

Authentication

A

Proving you are the identity you claimed.

14
Q

3 types of Authentication

A

Type 1 - something you know (password, PIN, etc.)
Type 2 - something you have (cookie, ID number, passport, token, etc.)
Type 3 - something you are - biometrics - no way to reissue if compromised (fingerprint, iris scan, facial geometry, etc.)

15
Q

Authorization

A

Permission: what are you allowed to access.

16
Q

Accountability

A

Tracing an action to a subject's identity; proving who or what performed a given action (non-repudiation)

17
Q

What is the mission of IT Security in an organization?

A

Supporting the organization: enabling it to fulfill its mission statement and business goals. It is not the most important part of the organization.

18
Q

What is PoLP?

A

Principle of Least Privilege - We give our users/systems exactly the access they need, no more, no less.

Need to Know - Even if you have access, if you do not need to know, then you should not access the data.

19
Q

What is non-repudiation?

A

A user cannot deny having performed a certain action. This uses both Authentication and Integrity.

20
Q

Subject and Object on Security Governance

A

Subject (Active) - Most often users, but can also be programs; the subject manipulates the object.

Object (Passive) - Any passive data; the object is manipulated by the subject.

Some can be both at different times: an active program is a subject; when closed, its data can be an object.

21
Q

Governance vs. Management

A

Governance - This is the C-level executives
> What are the stakeholder needs
> Setting direction through prioritization and decision making
> Monitoring performance and compliance against agreed-upon direction and objectives
> Risk appetite - aggressive, neutral, averse

Management - How do we get to the destination
> Plans, builds, runs, and monitors activities in alignment with the direction set by governance to achieve the objectives.
> Risk tolerance - How are we going to practically work with our risk appetite and our environment.

22
Q

Top-Down vs. Bottom-Up on Security Management

A

Bottom-Up : IT Security is seen as an annoyance, not a helper; this often changes when breaches happen.

Top-Down : IT leadership is on board with IT Security; they lead and set direction.

23
Q

What is PCI-DSS?

A

Payment Card Industry Data Security Standard

> It is a standard, but required if we want to handle or issue debit and credit cards

24
Q

What is OCTAVE?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation

> Flexible risk management

25
What is COBIT?
Control Objectives for Information and related Technology
> Goals for IT - stakeholder needs are mapped down to IT-related goals.
26
What is COSO?
Committee of Sponsoring Organizations
> Goals for the entire organization (higher level)
27
What is ITIL?
Information Technology Infrastructure Library
> IT Service Management (ITSM)
28
What is FRAP?
Facilitated Risk Analysis Process
> Analyzes *one* business unit, application, or system at a time in a roundtable brainstorm with internal employees. The impact is analyzed, and the threats and risks are prioritized.
29
List the ISO 27000 series
ISO 27001: Establishing, implementing, controlling, and improving the ISMS. Uses PDCA (Plan, Do, Check, Act)
ISO 27002: Provides practical advice on how to establish, implement, control, and improve security controls. It has 10 domains it uses for the ISMS (cannot get certified against this)
ISO 27003: Information security management system implementation guidance
ISO 27004: Provides metrics for measuring the success of your ISMS
ISO 27005: Standards-based approach to risk management
ISO 27799: Directive on how to protect PHI (Protected Health Information)
30
What is Defense in Depth?
> Layered Defense or Onion Defense: implement multiple overlapping security controls to protect an asset
> This applies to physical, administrative, and logical controls
> No single security control secures an asset
> Improves the organization's CIA
31
List Legal and Regulatory issues
Criminal Law: Society is the victim; text of the law included in the United States Code
Civil Law: Individuals, groups, or organizations are the victim; mostly financial fines; text of the law included in the United States Code
Administrative Law: Laws enacted by government agencies (FDA laws, HIPAA, FAA)
Private Regulations: Compliance is required by contract (PCI-DSS)
Customary Law: Handles personal conduct in an area/region
Religious Law: Based on the religious beliefs in that area or country; includes morality and a code of ethics
Administrative Law: The CFR (Code of Federal Regulations) contains all administrative law
Supreme Court rulings contain interpretations of law
32
If something happens, who is ultimately liable?
Senior Leadership, but we need negligence to prove it.
> Due Diligence (Do Detect): research to build the IT Security architecture and preparation before implementing.
> Due Care (Do Correct): Prudent person rule.
Negligence: if a system under your control is compromised and you did NOT perform Due Care, you are most likely liable.
33
List types of evidence
Real Evidence: Tangible and physical objects; in IT Security: hard disks, USB drives (not the data)
Direct Evidence: Testimony from a first-hand witness about what they experienced
Circumstantial Evidence: Evidence that supports the circumstances of a point or other evidence
Corroborative Evidence: Supports facts or elements of the case; not facts on their own, but they support other facts
Hearsay: Not first-hand knowledge; normally inadmissible in a case
34
How do we ensure evidence integrity?
We do this with hashes; any forensics is done on copies and never on the originals.
35
Why are logs and documents treated as secondary evidence?
Because they are not real evidence; there is nothing you can touch.
36
What do we need to bear in mind when searching for evidence?
> It must be obtained legally; even within the organization, employees need to be aware if their actions are monitored
> No threat to human life
37
What are entrapment and enticement?
Entrapment: When someone is persuaded to commit a crime they had no intention of committing and is then charged with it
Enticement: Making committing a crime more enticing, but the person has already broken the law. Honeypots can be a good way to use enticement
38
What is Intellectual Property?
A category of property that includes intangible creations of the human intellect.
Copyright: Automatically granted after creating something; lasts 70 years after the creator's death or 95 years for a corporation
Trademark: Brand names, logos, slogans; must be registered, valid for 10 years and can be renewed indefinitely; protected by the USPTO (US Patent and Trademark Office)
Patents: Protect an invention for 20 years; the invention must be novel, useful, and nonobvious
Trade secrets: Tell no one your formula; not protected
39
What types of attacks are there on Intellectual Property?
Copyright > Piracy
Trademark > Counterfeiting
Patent > Used by someone else without permission
Cyber Squatting > Buying a URL that you know someone will need
Typo Squatting > Buying a URL that is very close to a real website name (can be illegal if the purpose is disguise)
40
What is GDPR?
General Data Protection Regulation: regulation in EU law on data protection and privacy for all individuals within the EU. Violators of the GDPR may be fined up to 20 million EUR. Unless a data subject has provided informed consent to data processing, personal data may not be processed unless there is at least one legal basis to do so, unless there is lawful interception.
41
What is Privacy?
The act of keeping hidden information that contains PII (personally identifiable information)
42
Example rules/regulations in the US?
HIPAA - Health Insurance Portability and Accountability Act. Strict privacy rules on handling PHI (Protected Health Information)
Security Breach Notification Laws
ECPA - Electronic Communications Privacy Act. Protection of electronic communication against warrantless wiretapping; weakened by the Patriot Act.
Patriot Act of 2001:
> Expands law enforcement electronic monitoring capabilities
> Allows search and seizure without immediate disclosure
CFAA - Computer Fraud and Abuse Act; protects computers used by the government or in interstate commerce from a variety of abuses
GLBA - Gramm-Leach-Bliley Act; applies to financial institutions
SOX - Sarbanes-Oxley Act; directly related to accounting scandals
PCI-DSS - Payment Card Industry Data Security Standard; created by the payment card industry
FISMA - Federal Information Security Modernization Act (previously GISRA, expired in 2002); government contract sponsorship
FERPA - Family Educational Rights and Privacy Act; grants certain privacy rights to students older than 18 and the parents of minor students
Identity Theft and Assumption Deterrence Act (1998) - Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.
43
What are examples of GDPR regulations?
> Right to access: Data controllers must be able to provide a free copy of an individual's data if requested
> Right to erasure: All users have a "right to be forgotten"
> Data portability: All users will be able to request access to their data "in electronic format"
> Data breach notification: Users and data controllers must be notified of data breaches within 72 hours
> Privacy by design: When designing data processes, care must be taken to ensure personal data is secure
> Data Protection Officers: Companies whose activities involve data processing and monitoring must appoint a data protection officer
44
What are the OECD Privacy Guidelines?
The Organization for Economic Cooperation and Development has 30 member nations from around the world. 8 driving principles issued in 1980:
> Collection Limitation (collection must be within the knowledge of the subject)
> Data Quality (data should be complete)
> Purpose Specification (why the data is being collected)
> Use Limitation (only with consent of the subject or by law)
> Security Safeguards (there are reasonable safeguards to protect CIA)
> Openness (has to be communicated openly)
> Individual Participation (be able to know which organization has the data)
> Accountability (the organization must be held to the other 7 principles)
45
What is the Wassenaar Arrangement?
An arrangement mostly for arms and dual-use goods; cryptography is considered dual use (harmful and good)
46
How do we ensure security on 3rd-party services and applications?
- Set an SLA (Service Level Agreement)
- Have the right to penetration test and the right to audit in the agreement
- The vendor must be accredited to industry standards: ISO, SOC, PCI-DSS
47
Security Governance Principles Pyramid
> Values (Ethics, Principles, Beliefs)
> Vision (Hope and Ambition)
> Mission (Motivation and Purpose)
> Strategic Objectives (Plans, goals, and sequencing)
> Action and KPIs (Actions, Resources, Outcomes, Owners, and Timeframes)
48
Policies, Standards, Guidelines, Procedures and Baselines on Security Governance
> Policy (Mandatory) : General management needs; high level, non-specific
> Standards (Mandatory) : Specific mandatory controls
> Guidelines (Non-Mandatory) : Recommendations/best practices
> Procedures (Mandatory) : Low-level step-by-step guides
> Baselines (Mandatory) : Minimum requirements; implement stronger if needed
49
How to increase Personnel Security using Security Governance?
> Awareness: Establishes a minimum standard, a common denominator or foundation of security understanding
> Training: Set up security training
> Hiring Practices: Do background checks
> Employee Termination Practices: Coordinate with HR to shut off access at the right time
50
List Access Control categories
> Administrative (Directive) Controls: Organizational policies, regulation
> Technical Controls: Hardware/software/firmware - firewalls, routers, encryption
> Physical Controls: Locks, fences, guards, turnstiles
51
List Access Control types
> Preventative: Prevents an action from happening - least privilege, IPS, firewalls
> Detective: Controls that detect during or after an attack - IDS, CCTV, alarms
> Corrective: Controls that correct an attack - anti-virus, patches, IPS
> Recovery: Controls that help us recover after an attack - DR environment, backups, HA environments
> Deterrent: Controls that deter an attack - fences, security guards, dogs
> Compensating: Controls that compensate when other controls are impossible or too costly to implement
52
4 Phases - Risk Management Lifecycle
> Risk Identification: Is there a risk; identify assets; which type of risk appetite do we have
  Tangible Assets: Can be physically touched - buildings, hardware
  Intangible Assets: Cannot be physically touched - data, trade secrets
> Risk Assessment: How bad is the risk
> Risk Mitigation: How do we want to react to this
> Risk and Control: Iterative; monitor controls; uses KRIs and KPIs
53
The Prudent Man Rule (1991)
Requires senior executives to take personal responsibility for information security matters
54
Quantitative Risk Assessment vs Qualitative Risk Assessment
Qualitative Risk Assessment
> More scenario based than calculator based; the best tool for intangible assets
> Delphi technique : An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus
> Risk Analysis Matrix : Consequences x Likelihood

Quantitative Risk Assessment
> Results in concrete probability indications or a numeric indication of relative risk potential
> Assign Asset Value (AV)
> Calculate Exposure Factor (EF) : The percentage of loss that an organization would experience if a specific asset were violated by a realized risk
> Calculate Single Loss Expectancy (SLE) : SLE = asset value (AV) * exposure factor (EF); the potential loss associated with a single realized threat against a specific asset
> Assess Annualized Rate of Occurrence (ARO) : The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year
> Get Annualized Loss Expectancy (ALE) : ALE = SLE * ARO
> Perform Cost/Benefit Analysis for countermeasures: Mitigation Cost vs ALE
Total Risk = Threat * Vulnerability * Asset Value
Residual Risk = Total Risk - Countermeasures
55
Example US Privacy Laws
> Fourth Amendment : The basis for privacy rights
> Privacy Act of 1974 : Applies only to government agencies; agencies maintain only the records that are necessary for conducting their business and destroy those records when they are no longer needed
> Electronic Communications Privacy Act of 1986 : Makes it a crime to invade the electronic privacy of an individual
> Economic Espionage Act : Protects trade secrets
> Communications Assistance for Law Enforcement Act (CALEA) of 1994 : Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use
> Health Insurance Portability and Accountability Act of 1996 (HIPAA) : Strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.
56
What is due diligence and due care?
Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.
57
What is RAID and what are the RAID levels?
Redundant Array of Inexpensive Disks
RAID 0 - No fault tolerance (high performance)
RAID 1 - Mirroring; data duplicated on two drives (expensive)
RAID 5 - Striping with parity; 3 or more disks
RAID 6 - Double parity
RAID 10 - Most common; combines RAID 0 (striping) and RAID 1 (mirroring); can survive the failure of up to 2 disks
58
Data custodian
An assigned role that is responsible for implementing the security controls defined by policy and senior management
59
Types of Risk Responses
> Risk Mitigation (Reducing risk) : The implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats
> Risk Assignment (Risk Transference) : Placing the responsibility for loss due to a risk onto another entity or organization, e.g. purchasing cybersecurity insurance
> Risk Deterrence : Implementing deterrents to would-be violators of security and policy; the goal is to convince a threat agent not to attack. Examples: security cameras and warning banners
> Risk Avoidance : The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. Example: removing an unused but vulnerable server
> Risk Acceptance : The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk
> Risk Rejection : An unacceptable possible response to risk is to reject it; ignoring risk may be considered negligence in court
60
List of Social Engineering Principles
- Authority : Claiming a higher authority
- Intimidation
- Consensus : Past familiar action
- Scarcity : A technique used to convince someone that an object has a higher value based on the object's scarcity
- Familiarity
- Trust
- Urgency
61
Why are mandatory vacations necessary?
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.
62
What is UBA/UEBA?
User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight programs.
63
Risk management framework (RMF) from NIST
> Prepare: Execute the RMF from an organization- and system-level perspective by establishing a context and priorities for managing security and privacy risk.
> Categorize: The system and the information processed, stored, and transmitted by the system, based on an analysis of the impact of loss.
> Select: An initial set of controls for the system, and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk.
> Implement: The controls, and describe how the controls are employed within the system and its environment of operation.
> Assess: The controls, to determine if they are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements.
> Authorize: The system or common controls, based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable.
> Monitor: The system and the associated controls on an ongoing basis, including assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.
64
What is SCRM?
Supply chain risk management (SCRM) means ensuring that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners
65
What is the goal of Reduction Analysis?
To gain a greater understanding of the logic of the product, its internal components, and its interactions with external elements. 5 key concepts:
> Trust Boundaries : Any location where the level of trust or security changes
> Dataflow Paths : The movement of data between locations
> Input Points : Locations where external input is received
> Privileged Operations : Any activity that requires greater privileges than a standard user account or process, typically required to make system changes or alter security
> Details about Security Stance and Approach : The declaration of the security policy, security foundations, and security assumptions
66
4 Steps of the BCP process
- Project scope and planning
- Business impact analysis
- Continuity planning
- Approval and implementation
67
Differences between BCP and DRP
BCP: Business Continuity Planning deals with keeping business operations running, perhaps in another location or by using different tools and processes, after a disaster has struck.
DRP: Disaster Recovery Planning deals with restoring normal business operations after the disaster takes place.
The BCP project concentrates on continuing business operations, whereas the DRP project focuses on recovering the original business functions.
68
5 Stages of the business impact analysis process
> Identification of priorities
> Risk identification
> Likelihood assessment
> Impact analysis
> Resource prioritization
69
d/ element of data categorization management
70
d/ military data and private sector data classification
71
d/ licensing agreements
72
What is KGI, KPI, and KRI?
KGI (Key Goal Indicator) : Measures whether an IT process has achieved its business need
KPI (Key Performance Indicator) : How well a process is performing in enabling the goal
KRI (Key Risk Indicator) : Quantifies the risk the organization is facing
73
Key Goal Indicator