Domain 1 - Security and Risk Management Flashcards
what is the DRP (disaster recovery plan)
- the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operations
- focuses on the technical aspects of recovery
Control Types and Purposes
- Preventive controls, for reducing risk
- Detective controls, for identifying violations and incidents
- Corrective controls, for remedying violations and incidents and improving existing preventive and detective controls
- Deterrent controls, for discouraging violations
- Recovery controls, for restoring systems and information
- Compensating controls, for providing alternative ways of achieving a task
reduction analysis 5 points to check
- Trust boundaries - any location where the level of trust or security changes, for example where a specific role or privilege is required to access a resource or operation
- Data flow paths - the movement of data between locations and any exposures for breaches
- Input points - locations where external inputs are received, for example a web form where there is the potential for SQL injection and the protections need to prevent it
- Privileged operations - any activity that requires greater privilege than that of a standard user account.
- Details about security stance and approach - declaration of security policy, security foundations, and security assumptions
attributes of Trademarks
- Protects brands - symbol, word, slogan, design, color or logo that can distinguish one source from another source
- they last as long as your business continues to use them
- registration is not required by law, but registering with the PTO (Patent and Trademark Office) confers many benefits on the trademark owner
example: Nike trademark and logo
What programming method does VAST work with
Agile
What are three ways integrity works for us
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications
- Maintaining consistency of objects so that they are true and accurate
2 focus items of security from a business aspect are?
- enable business
- enable profit
- increase risk awareness
- increase value
- enable business
- increase value
7 steps of NIST RMF, what happens at select
Select an initial set of controls for the system, tailor and document the controls as needed to mitigate risk to an acceptable level based on an assessment of risk.
two key elements of risk management
- risk assessment
- risk treatment
can responsibility be delegated
yes
what are the 6 Access Control Types
- Preventative
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
security planning and definitions (3)
- Strategic - long-term, stable plan that should include a risk assessment (5 yr horizon, annual updates)
- Tactical - midterm plan developed to provide more details on the goals of the strategic plan (usually 1 year); a little more flexible, and ad hoc adjustments can be made if needed
- Operational - short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly); this will have budget figures, staffing assignments, scheduling and implementation procedures
is COBIT a threat model
no, it's a security control framework, sometimes described as a framework for IT management and governance
The official four canons. number three is?
Provide diligent and competent service to principals
explain MTD
- maximum tolerable downtime
- is the measurement in time that determines when an event changes from an incident to a disaster
- The total time a system can be inoperable before our organization is severely impacted
definition of asset
a resource, process, product, or system that has some value to an organization. could be tangible (computer, data, software) or intangible (privacy, access, public image)
could have a tangible price (purchase price)
could have intangible value (competitive advantage)
possible countermeasures to keep availability safe are
a. strict access controls / authentication
b. continuous monitoring
c. firewalls & routers to prevent DoS / DDoS attacks
d. redundant system design
e. periodic testing of backup systems
define qualitative
relative ranking system using words like High, medium, low
what is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis
PASTA threat modeling
What does ALE stand for and Define it
annualized loss expectancy - estimated annual loss for a threat or event in dollars
what is residual risk
risk that is left over once safeguards or controls are in place
What life cycle does VAST work with
SDLC - software development life cycle
define impact
anything that negatively impacts the organization if a risk is realized.
examples: loss of confidentiality, integrity, availability, financial, reputational, non-compliance, loss of life etc.
what is inherent risk
newly identified risk not yet addressed with risk management strategies
VAST threat modeling acronym
- Visual
- Agile
- Simple
- Threat
explain RTO
- Recovery time objective
- refers to the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions.
example: if there were a failure at the primary data center, the RTO would be the measurement of how long it takes to get back up and running in the backup data center
What is a risk-centric threat modeling method
PASTA
security policy guidelines
suggestions, things that are good to do but not necessarily required. – optional
qualitative is what
relative to importance - a relative ranking system of value (high, medium, low)
what is a computer crime
a crime (violation of law or regulation) that is directed against or directly involves a computer
NIST risk management framework 7 steps (RMF)
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
what is BCP
business continuity plan - the overall organizational plan for “how-to” continue business
define threat agents
the entities that cause threats by exploiting vulnerabilities
4 steps to supply chain evaluation
- on-site assessment - visit the organization, interview personnel, view operating habits
- document exchange and review - investigate datasets and document exchange, review processes
- process/policy review - request copies of security policies, processes and procedures
- third-party audit - having an independent auditor provide an unbiased review of their security infrastructure
what is Maximum Tolerable Downtime
the amount of time we can be without the asset before we have to declare a disaster.
Risk Factors - something that increases risk or susceptibility - name and define the 5
- physical damage - natural disasters, power loss or vandalism
- Malfunctions - failure of systems, networks, HVAC system, peripherals
- Attacks - purposeful acts of a threat actor, whether internal or external, such as unauthorized disclosure
- Human errors - usually considered accidental incidents, whereas attacks are purposeful
- application errors - failures of the application, including the operating system
copyright and the digital millennium copyright act did what
- covers the expression of an idea in some sort of fixed medium (books, movies, musical and dramatic works) (artist)
- disclosure is required
- lasts for the life of the author plus 70 years
What type of planning is a long-term, stable plan that should include a risk assessment (5 yr horizon, annual updates)
Strategic planning
4 ways to treat a risk
- avoid - when the cost of mitigating or accepting is higher than the benefit of the service, you avoid that risk. example: moving from Florida to Kansas to avoid hurricanes
- transfer - insurance, 3rd party outsource
- mitigate - implementing cost justified controls to reduce the risk
- accept
in GDPR how much time do you have to report a data breach
72 hours
what is exposure factor (EF)
percentage of loss that an organization would experience if a specific asset were violated by a realized risk
high-level business rules that the organization agrees to follow that reduce risk and protect information. They define "what" the organization is going to do and often "who" is going to do it
- baseline
- procedure
- security policy
- standard
- security policy
definition for threat
any natural or man-made circumstance or event that could have an adverse or undesirable impact on an asset or process
attributes of patents
is a form of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a period of years
valid for 20 years
example: lightbulb
define risk
the likelihood of something bad happening and the impact if it did
which model is this: Threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class.
Trike
what is a security policy
- they are high-level plans that describe the goals and the procedures.
- they are not guidelines or procedures
- policies describe security in general terms
- they are mandatory
what is the difference between technical and logical
- Technical - is the hardware
- Logical - is the software
  - example: firewall - has hardware and software that runs on the hardware
what is NIST 800-37
RMF - risk management framework
Qualitative risk analysis attribute
- uses a scoring system to rank threats and effective countermeasures (high, med, low)
- requires guesswork and estimation but still has meaningful results
- less accurate
- subjective
how do you define risk in a formula
risk = threat * vulnerability
4 steps to risk analysis
- identify the assets to be protected, include relative value, sensitivity or importance
- define specific threats, include threat frequency and impact
- calculate annualized loss expectancy (ALE)
- select appropriate safeguards
what is recovery point objective (RPO)
the organization's definition of acceptable data loss.
the maximum period of time for which data could be lost if a disaster strikes. How often are your backups? The time between backups is your RPO
the 2 general threat categories are? – pg 119 CD
- natural – earthquake, floods, hurricanes, lightning etc.
- man-made – unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, sabotage, arson, social engineering, malicious code, viruses etc.
what are 4 things to think about during Acquisitions and Divestitures
- Security governance and management - how is security being managed
- Security Policy - How do policies between the two organizations differ
- Security Posture - which security controls are present
- security Operations - what security operations are in place today and how do they operate - vulnerability management, third party risk management and incident management
ALE (Annualized loss expectancy)
SLE(single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
what are vulnerability assessments
using automated tools to locate known security weaknesses
licensing - 4 types to know
- contractual
- shrink wrap - EULA that is enclosed with purchased software like on DVDs
- click-through - requires a user to agree to terms and conditions (click-through) before using a website or completing an installation or online purchase
- cloud services
what is the COOP (continuity of operations plan)
the plan for continuing to do business until the IT infrastructure can be restored.
4 management/enterprise frameworks
- Zachman
- TOGAF - broad range of enterprise architectures (business, applications, data and tech)
- SABSA - ensures that the needs of your Enterprise are met completely
- COSO
the only threat modeling method that supports enterprise-wide scalability is
VAST
3 things must be true for evidence to be admissible in a court of law
- relevant to a fact at issue in the case
- the fact must be material to the case
- the evidence must be competent or legally collected
Availability is?
authorized requests for objects must be granted to subjects within a reasonable amount of time.
what is ISO 15408
common criteria for information technology security evaluation
what is assurance when looking at controls
how we ensure the control is working effectively. typically this is done with logging, monitoring or another test of the control
Name 4 attributes of quantitative analysis
- using numbers (money) to define asset value.
- more labor intensive compared to qualitative
- data collection and analysis, cost benefit analysis
- objective
What is DRP
DRP (Disaster Recovery Plan)
- the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
what is SLE?
single loss expectancy - cost of loss from a single realized threat or event in dollars.
- formula for SLE is asset value (AV) X exposure factor (EF)
what threat model is an attacker- and threat-centric approach
PASTA
Formula for MTD - maximum tolerable downtime
MTD >= RTO + WRT
define likelihood
the chance, or how likely it is, that the risk will occur
VAST acronym means what
Visual
Agile
Simple
Threat modeling
what are two objectives of threat modeling
- Reduce cost
- Fix threats
- Eradicate threats
- Mitigate threats
- Reduce threats
- Find threats
- Eradicate threats
- Reduce threats
formula for ALE (annualized loss expectancy)
SLE (single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
trademarks attributes
- covers words, slogans, and logos used to identify a company and its products or services
- U.S. trademarks generally last as long as the trademark is used in commerce and defended against infringement
the business continuity plan (BCP) has just been updated after a recent outage. all of the lessons learned, and updates to some of the critical business functions, have been incorporated and are ready for approval. at what point is the BCP considered validated for use within the organization
a. after it has been approved by senior management
b. after the disaster recovery plan has been approved
c. when a security assessment has been completed
d. when it has been tested and proven effective under realistic conditions
d. when it has been tested and proven effective under realistic conditions
What type of planning is a midterm plan developed to provide more details on the goals of the strategic plan (usually 1 year), a little more flexible, where ad hoc adjustments can be made if needed
Tactical planning
which threat model is based on agile project management and programming (SDLC)
VAST
formula for SLE (single loss expectancy)
SLE = Asset Value (AV) X Exposure Factor (EF)
IAAA list steps and define them
- Identification - unique user identification
- authentication - validation of identification
- authorization - verification of privileges and permissions for the authenticated user
- accountability (auditing) - auditing, monitoring, logs
what are the two electronic communication privacy laws
- Communications assistance for law enforcement act (CALEA)
- electronic communications privacy act (ECPA)
what is total risk
the amount of risk an organization would face if no safeguards were implemented
3 common types of security evaluation
- risk assessment
- vulnerability assessment
- pen testing
US can't export computer technologies to what countries
- Cuba
- Iran
- North Korea
- Sudan
- Syria
2 financial reporting security frameworks
- Sarbanes-Oxley
- COSO
formula for risk
risk= threat x vulnerability x impact
computer fraud and abuse act (CFAA) attributes
first major piece of cybercrime-specific law
define impact
the negative consequence that will occur to the organization if a risk is realized. this could be a loss of confidentiality, integrity or availability, could be financial, reputational, loss of life, any negative thing
what is eDiscovery
organizations that feel they will be the target of a lawsuit have the obligation to preserve digital evidence in a process known as eDiscovery
2 ways to identify vulnerabilities
- vulnerability assessment
- pen testing
Integrity ensures what?
- unauthorized users or processes don't make modifications to data
- authorized users or processes don't make unauthorized modifications to data
- data is internally and externally consistent, meaning a given input produces an expected output
what is the controls gap
the amount of risk reduced by implementing safeguards
What type of planning is a short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly) that will have budget figures, staffing assignments, scheduling and implementation procedures
Operational planning
some countermeasures to keep confidentiality safe are?
a. encryption
b. traffic padding
c. strict access controls / authentication
d. data classification
e. awareness training
what are the Organization for Economic Cooperation and Development (OECD) Guidelines
- 30 member nations from around the world, including the U.S.
- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980
what is the focus for business continuity management
the focus is on the most critical or essential systems or processes