Domain 1 - Security and Risk Management Flashcards
Annualized Loss Expectancy, ALE
SLE x ARO, single loss expectancy x annual rate of occurrence
Define Privacy
Confidentiality of Personal information, Personally identifiable information, PII
PII
Personally identifiable information
Procurement
Process of acquiring a product from a 3rd party. Security staff should be involved early.
Vendor Governance, AKA Vendor management
Ensures the organization is getting consistently good quality from the vendor
Acquisitions
Risk assessment should be conducted on the purchased company before merging networks.
Divestiture
Splitting up one existing business into many. Very complex in terms of determining risk and ensuring security.
IAAA
Identity, Authentication, Authorization, Auditing
Information Security Governance
Information security at the organizational level: senior management, policies, processes, and staffing. Organizational priority as defined by leadership.
Policies
Describe the ‘why’ and the ‘when’ of an action.
High level mgmt directives. This is MANDATORY
Example Policies
NIST - 800-12
Procedures
Step-by-step guide for accomplishing a task. Low level and specific. MANDATORY.
Standards
Describe the specific use of a technology. Example: “All employees will use an Asus brand XYZ model PC,” or “All PCs will use Microsoft Office version ABC”
MANDATORY
Guidelines
Discretionary, NOT mandatory. Soft recommendations. i.e. “To create a strong password take the first letter of a sentence, and mix in some numbers and symbols.”
The Standard version of this would be - “All passwords must be at least 10 characters long, with upper case letters, lower case letters, numbers, and special characters.” The guideline example above is just suggesting an easy way to meet this standard, and also remember a password.
Baselines
Discretionary, NOT mandatory.
Uniform way of implementing a standard.
Example:
Standard = harden the system for security. Baseline = harden the system by applying the Center for Internet Security Linux Benchmarks.
Security Awareness
Awareness changes user behavior, to increase security.
security training
Provides a skillset to increase security.
Employee termination
Firing an employee after a ladder of discipline has been exhausted.
Ladder of discipline
- coaching
- formal discussion
- verbal warning meeting w/ HR
- written warning w/ HR
- termination
Vendor, consultant, and contractor security
Vendors/contractors/consultants can introduce more risk. They should be vetted/risk managed in a similar way to an acquisition or new hire.
outsourcing/offshoring
Thorough and accurate risk analysis must be performed, again in a similar way to acquisitions, vendors, contractors, etc.
Preventive access control
Prevent an action from occurring
Examples:
- Limited privileges of employees
- Admin preventive control = background checks, drug screening
Detective Access Control
Alert someone during or after an attack
- Intrusion detection system
- Camera system
- Door alarms
Corrective AC
Corrects a damaged system
- Antivirus system that detects and quarantines bad files or deletes them
Recovery Access control
Restores functionality of system and organization.
- snapshots
- backups
- restoring files
Deterrent Access control
Scares threat actors away
- guard
- dog
Compensating Access control
Compensates for a weakness in another control
AC Type: Admin
AKA directive. Implemented by creating and following organizational policy, procedure, etc.
Technical Controls
Software, hardware, firmware, that restricts logical access
Physical control
lock, fence, guard, dog, etc
Asset
Valuable resource to protect.
Threat
Potentially harmful occurrence.
vulnerability
Weakness that allows a threat to take place and/or cause harm.
Risk Formulas
Threat x Vulnerability = Risk
or
Threat x Vulnerability x Impact = Risk
AV
Asset value
ARO
Annual rate of occurrence
SLE
single loss expectancy
ALE
Annual loss expectancy
ALE =
SLE x ARO
market approach
Way to value a tangible asset. Price = price of comparable assets in transactions under similar circumstances.
income approach
Value of earning capacity over the life of the asset.
cost approach
Fair value = cost to replace. Tangible asset.
EF
Exposure factor. Percentage of asset value lost due to an incident.
TCO
Total cost of ownership. Cost of a mitigating safeguard. Combines upfront costs plus annual cost of maintenance.
ROI
Return on investment.
If TCO is less than ALE, you are saving.
metrics
Measurements used in risk analysis
Risk Choices (AMTA)
Accept the risk
Mitigate the risk
Transfer the risk (insurance)
Avoid Risk
Quantitative risk analysis
Calculated, cost analysis
Qualitative risk analysis
Comparative/relative. Risk matrix
RPO
Recovery Point Objective. The maximum targeted period in which data can be lost without severely impacting the recovery of operations.
For example, if a business process could not lose more than one day’s worth of data, then the RPO for that information would be 24 hours.
RTO
Recovery time objective
Planned earliest possible recovery time.
MTD
Maximum Tolerable Downtime (MTD)
Maximum tolerable downtime, also sometimes referred to as Maximum Allowable Downtime (MAD), represents the total amount of downtime that can occur without causing significant harm to the organization’s mission.
Internet Activities Board (IAB) code of ethics
RFC 1087 - quick 5-point description of unethical behavior on the Internet.
Six access Control Types
Preventive, Detective, Corrective, Recovery, Deterrent, Compensating
Three Access Control Categories - Commercial
Administrative
Technical
Physical
Categories of Computer Crime
Military/Intelligence attacks, Business attacks, Financial attacks, Terrorist attacks, Grudge attacks, Thrill attacks, Hacktivist attacks
Shoulder Surfing
Viewing another person's monitor or keyboard
data diddling
Making small incremental changes to files that go unnoticed in the short term.
Fault
Momentary loss of power
Blackout
Complete loss of power
sag
Momentary low voltage
brownout
Prolonged low voltage
spike
Momentary high voltage
surge
Prolonged high voltage
Inrush
Initial surge of power associated with connecting to a power source
ground
Ground wire
Electronic vaulting
Transfer of backup data to an off-site location. This is primarily a batch process of dumping backup data through communications lines.
remote journaling
Parallel processing of transactions to an alternate site
Database shadowing
Similar to remote journaling, but creates even more redundancy by duplicating the database sets to multiple servers
Data Clustering
In clustering, two or more “partners” are joined into the cluster and may all provide service at the same time.
Industrial IP
Intellectual property pertaining to business. Patents, trademarks, industrial designs, geographical indications of source.
Copyright
Literary works, artistic works.
Digital signature
Encrypted message digest used to verify a message hasn’t been altered.
Three Access Control Categories - Govt
Management
Technical
Operational
Threat Analysis
Proactively monitoring and analyzing new threats, and how they can endanger your network.
Threat
Person or event that has the potential for impacting a resource in a negative manner.
Vulnerability
Quality of a resource that allows a threat to be realized.
Warm Site
Between a hot and cold site. Typically doesn't have copies of data but does have the necessary equipment. Activation is less than 12 hours.
Cold Site
Standby facility large enough to handle the processing load of an org, and equipped with the necessary electrical/environmental systems. Large lag time between outage and spinning up, often weeks.
Hot Site
Backup facility that is maintained and in constant working order. Less than an hour or two to full functionality.
ISC2 Code of Ethics - Canon 1
Protect Society, The Commonwealth, and the infrastructure
ISC2 Code of Ethics - Canon 2
Act honorably, honestly, justly, responsibly, and legally
ISC2 Code of Ethics - Canon 3
Provide diligent and competent service to principals.
ISC2 Code of Ethics - Canon 4
Advance and protect the profession.
ISC2 Code of Ethics - Preamble Statement 1
The safety and welfare of society/the common good, duty to our principals, and to each other require that we adhere to high ethical standards.
ISC2 Code of Ethics - Preamble Statement 2
Strict adherence to this code is a condition of certification.