Domain 1 - Security and Risk Management Flashcards

1
Q

What is the DRP (disaster recovery plan)?

A
  1. the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operations
  2. focuses on the technical aspects of recovery
2
Q

Control Types and Purposes

A
  1. Preventive controls, for reducing risk by stopping unwanted activity
  2. Detective controls, for identifying violations and incidents
  3. Corrective controls, for remedying violations and incidents and improving existing preventive and detective controls
  4. Deterrent controls, for discouraging violations
  5. Recovery controls, for restoring systems and information
  6. Compensating controls, for providing alternative ways of achieving a task
3
Q

Reduction analysis: the 5 points to check

A

  1. Trust boundaries - any location where the level of trust or security changes, for example where a specific role or privilege is required to access a resource or operation
  2. Data flow paths - the movement of data between locations, and any exposure to breach along the way
  3. Input points - locations where external input is received, for example a web form where SQL injection is possible and the protections must prevent it
  4. Privileged operations - any activity that requires greater privilege than a standard user account
  5. Details about security stance and approach - declaration of security policy, security foundations, and security assumptions
4
Q

attributes of Trademarks

A
  • Protects brands – a symbol, word, slogan, design, color or logo that distinguishes one source from another
    • lasts as long as the business continues to use (and defend) the mark
    • registration with the PTO (Patent and Trademark Office) is not required by law, but registering confers many benefits on the trademark owner
      example: the Nike name and logo
5
Q

What programming method does VAST work with?

A

Agile

6
Q

What are the three ways integrity works for us?

A
  1. Preventing unauthorized subjects from making modifications
  2. Preventing authorized subjects from making unauthorized modifications
  3. Maintaining consistency of objects so that they are true and accurate
7
Q

The 2 focus items of security from a business aspect are?

  1. enable business
  2. enable profit
  3. increase risk awareness
  4. increase value
A
  1. enable business
  2. increase value
8
Q

7 steps of NIST RMF: what happens at Select?

A

Select an initial set of controls for the system, tailor and document the controls as needed to mitigate risk to an acceptable level based on an assessment of risk.

9
Q

two key elements of risk management

A
  1. risk assessment
  2. risk treatment
10
Q

Can responsibility be delegated?

A

yes

11
Q

What are the 6 access control types?

A
  1. Preventative
  2. Detective
  3. Corrective
  4. Recovery
  5. Deterrent
  6. Compensating
12
Q

Security planning: the 3 levels and their definitions

A
  1. Strategic - long term stable plan that should include a risk assessment (5 yr horizon, annual updates)
  2. Tactical - midterm plan developed to provide more details on goals of the strategic plan (usually 1 year) a little more flexible, can make some ad hoc adjustments if needed
  3. Operational - short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly) this will have budget figures, staffing assignments, scheduling and implementation procedures
13
Q

Is COBIT a threat model?

A

No, it is a security control framework, sometimes described as a framework for IT management and governance.

14
Q

The official four canons of the (ISC)² Code of Ethics. Number three is?

A

Provide diligent and competent service to principals

15
Q

Explain MTD

A
  1. maximum tolerable downtime
  2. the measurement in time that determines when an event changes from an incident to a disaster
  3. the total time a system can be inoperable before the organization is severely impacted
16
Q

Definition of asset

A

a resource, process, product, or system that has some value to an organization. It can be tangible (computer, data, software) or intangible (privacy, access, public image).
It can have a tangible price (purchase price)
or an intangible value (competitive advantage).

17
Q

Possible countermeasures to protect availability are?

A

a. strict access controls / authentication
b. continuous monitoring
c. firewalls & routers to prevent DoS / DDoS attacks
d. redundant system design
e. periodic testing of backup systems

18
Q

Define qualitative

A

relative ranking system using words like High, medium, low

19
Q

What is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis?

A

PASTA threat modeling

20
Q

What does ALE stand for, and how is it defined?

A

annualized loss expectancy - the estimated annual loss for a threat or event, in dollars

21
Q

What is residual risk?

A

risk that is left over once safeguards or controls are in place

22
Q

What life cycle does VAST work with?

A

SDLC - software development life cycle

23
Q

Define impact

A

anything that negatively affects the organization if a risk is realized.
examples: loss of confidentiality, integrity or availability; financial or reputational loss; non-compliance; loss of life, etc.

24
Q

What is inherent risk?

A

the level of risk that exists before any controls or treatment are applied: a newly identified risk that risk management has not yet addressed

25
Q

VAST threat modeling acronym

A
  1. Visual
  2. Agile
  3. (and) Simple
  4. Threat (modeling)
26
Q

Explain RTO

A
  1. Recovery time objective
  2. refers to the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions.

example: if the primary data center fails, the RTO is the maximum time allowed to get back up and running in the backup data center

27
Q

What is a risk-centric threat modeling methodology?

A

PASTA

28
Q

Security policy: guidelines

A

suggestions: things that are good to do but not necessarily required – optional

29
Q

Qualitative is what?

A

relative to importance - relative ranking system (high, medium, low) value

30
Q

What is a computer crime?

A

a crime (a violation of law or regulation) that is directed against, or directly involves, a computer

31
Q

NIST risk management framework 7 steps (RMF)

A
  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor
32
Q

What is the BCP?

A

business continuity plan - the overall organizational plan for how to continue doing business

33
Q

Define threat agents

A

the actors that cause a threat to be realized by exploiting vulnerabilities

34
Q

4 steps to supply chain evaluation

A
  1. on-site assessment - visit the organization, interview personnel, view operating habits
  2. document exchange and review - investigate the datasets and documents exchanged, review the processes
  3. process/policy review - request copies of security policies, processes and procedures
  4. third-party audit - having an independent auditor provide an unbiased review of their security infrastructure
35
Q

What is Maximum Tolerable Downtime?

A

the amount of time we can be without the asset before we have to declare a disaster.

36
Q

Risk Factors - something that increases risk or susceptibility - name and define the 5

A
  1. physical damage - natural disasters, power loss or vandalism
  2. Malfunctions - failure of systems, networks, HVAC system, peripherals
  3. Attacks - purposeful acts of a threat actor, inside or outside the organization, such as unauthorized disclosure
  4. Human errors - usually considered accidental incidents, whereas attacks are purposeful
  5. application errors - failures of the application, including the operating system
37
Q

Copyright (and the Digital Millennium Copyright Act) covers what?

A
  1. covers the expression of an idea in a fixed medium (books, movies, musical and dramatic works, software); it protects the author's expression, not the underlying idea
  2. registration is not required: protection attaches once the work is fixed in a tangible medium (in the US, registration is needed before filing an infringement suit)
  3. lasts for the life of the author plus 70 years
  4. the DMCA (1998) added anti-circumvention rules (defeating copy-protection mechanisms is itself illegal) and safe-harbor provisions for service providers that host user content
38
Q

What type of planning is a long-term, stable plan that should include a risk assessment (5-year horizon, annual updates)?

A

Strategic planning

39
Q

4 ways to treat a risk

A
  1. avoid - when the cost of mitigating or accepting a risk is higher than the benefit of the activity, stop doing the activity (moving from Florida to Kansas to avoid hurricanes)
  2. transfer - insurance, outsourcing to a third party
  3. mitigate - implementing cost-justified controls to reduce the risk
  4. accept - knowingly carry the risk, documented and approved by management, when the cost of treating it exceeds the expected loss
40
Q

In GDPR, how much time do you have to report a data breach?

A

72 hours after becoming aware of it (notification to the supervisory authority; affected data subjects must also be told without undue delay when the breach poses a high risk to them)

41
Q

What is exposure factor (EF)?

A

percentage of loss that an organization would experience if a specific asset were violated by a realized risk

42
Q

High-level business rules that the organization agrees to follow that reduce risk and protect information. They define "what" the organization is going to do and often "who" is going to do it.

  1. baseline
  2. procedure
  3. security policy
  4. standard
A
  1. security policy
43
Q

Definition of threat

A

any natural or man-made circumstance or event that could have an adverse or undesirable impact on an asset or process

44
Q

Attributes of patents

A

a form of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a period of years
valid for 20 years from the filing date
example: the lightbulb

45
Q

Define risk

A

the likelihood of something bad happening and the impact if it did

46
Q

Which model is this: threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class.

A

Trike

47
Q

What is a security policy?

A
  1. high-level statements that describe the organization's security goals and the direction for achieving them
  2. they are not guidelines or procedures (those implement the policy)
  3. policies describe security in general terms
  4. they are mandatory
48
Q

What is the difference between technical and logical (controls)?

A
  1. Technical - the hardware mechanism
  2. Logical - the software mechanism
    - example: a firewall is hardware plus the software that runs on it
  Note: most CISSP sources treat "technical" and "logical" as one control category (technical/logical, see the three control categories card); the hardware/software split is a memory aid, not a formal distinction.
49
Q

What is NIST SP 800-37?

A

RMF - risk management framework

50
Q

Qualitative risk analysis attributes

A
  1. uses a scoring system to rank threats and effective countermeasures (high, med, low)
  2. requires guesswork and estimation but still has meaningful results
  3. less accurate
  4. subjective
51
Q

How do you define risk as a formula?

A

risk = threat * vulnerability

52
Q

4 steps to risk analysis

A
  1. identify the assets to be protected, include relative value, sensitivity or importance
  2. define specific threats, include threat frequency and impact
  3. calculate annualized loss expectancy (ALE)
  4. select appropriate safeguards
53
Q

What is recovery point objective (RPO)?

A

the organization's definition of acceptable data loss.
the maximum period of data that would be lost if a disaster struck, measured in time. How often do you back up? The interval between backups is your RPO.

54
Q

the 2 general threat categories are? – pg 119 CD

A
  1. natural – earthquake, floods, hurricanes, lightning etc.
  2. man-made – unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, sabotage, arson, social engineering, malicious code, viruses etc.
55
Q

What are 4 things to think about during acquisitions and divestitures?

A
  1. Security governance and management - how is security being managed
  2. Security Policy - How do policies between the two organizations differ
  3. Security Posture - which security controls are present
  4. Security Operations - what security operations are in place today and how do they operate: vulnerability management, third-party risk management and incident management
56
Q

ALE (Annualized loss expectancy)

A

SLE (single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)

57
Q

What is a vulnerability assessment?

A

using automated tools to locate known security weaknesses

58
Q

Licensing - 4 types to know

A
  1. contractual - a written agreement negotiated between the vendor and the customer
  2. shrink wrap - EULA enclosed with purchased software, e.g. in the DVD case
  3. click-through - requires the user to agree to terms and conditions (by clicking through) before using a website, completing an installation, or completing an online purchase
  4. cloud services - terms accepted as part of signing up for the service
59
Q

What is the COOP (continuity of operations plan)?

A

the plan for continuing to do business until the IT infrastructure can be restored.

60
Q

4 management/enterprise frameworks

A
  1. Zachman
  2. TOGAF - broad range of enterprise architectures (business, applications, data and tech)
  3. SABSA - ensures that the needs of your Enterprise are met completely
  4. COSO
61
Q

The only threat modeling methodology that supports enterprise-wide scalability is?

A

VAST

62
Q

3 things that must be true for evidence to be admissible in a court of law

A
  1. relevant to a fact at issue in the case
  2. the fact must be material to the case
  3. the evidence must be competent or legally collected
63
Q

Availability is?

A

authorized requests for objects must be granted to subjects within a reasonable amount of time.

64
Q

What is ISO 15408?

A

the Common Criteria for Information Technology Security Evaluation

65
Q

What is assurance when looking at controls?

A

how we ensure the control is working effectively; typically through logging, monitoring, or another test of the control

66
Q

Name 4 attributes of quantitative analysis

A
  1. uses numbers (money) to define asset value
  2. more labor intensive compared to qualitative
  3. data collection and analysis, cost benefit analysis
  4. objective
67
Q

What is DRP?

A

DRP (Disaster Recovery Plan)
• the plan for recovering from an IT disaster and having the IT infrastructure back in operation.

68
Q

what is SLE?

A

single loss expectancy - the cost of loss from a single realized threat or event, in dollars.
formula: SLE = asset value (AV) X exposure factor (EF)

69
Q

What threat model is an attacker- and threat-centric approach?

A

PASTA

70
Q

Formula for MTD - maximum tolerable downtime

A

MTD ≥ RTO + WRT (restoring the service and then verifying it must both fit inside the MTD)

71
Q

Define likelihood

A

the chance, or probability, that the risk will occur

72
Q

What does the VAST acronym mean?

A

Visual
Agile
Simple
Threat modeling

73
Q

What are the two objectives of threat modeling?

  1. Reduce cost
  2. Fix threats
  3. Eradicate threats
  4. Mitigate threats
  5. Reduce threats
  6. Find threats
A
  1. Eradicate threats
  2. Reduce threats
74
Q

Formula for ALE (annualized loss expectancy)

A

SLE (single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)

75
Q

Trademark attributes

A
  1. covers words, slogans, and logos used to identify a company and its products or services
  2. U.S. trademarks generally last as long as the trademark is used in commerce and defended against infringement
76
Q

The business continuity plan (BCP) has just been updated after a recent outage. All of the lessons learned, and updates to some of the critical business functions, have been incorporated and are ready for approval. At what point is the BCP considered validated for use within the organization?

a. after it has been approved by senior management
b. after the disaster recovery plan has been approved
c. when a security assessment has been completed
d. when it has been tested and proven effective under realistic conditions

A

d. when it has been tested and proven effective under realistic conditions

77
Q

What type of planning is a midterm plan developed to provide more detail on the goals of the strategic plan (usually 1 year), a little more flexible, allowing some ad hoc adjustments if needed?

A

Tactical planning

78
Q

Which threat model is based on agile project management and programming (SDLC)?

A

VAST

79
Q

Formula for SLE (single loss expectancy)

A

SLE = Asset Value (AV) X Exposure Factor (EF)

80
Q

IAAA: list the steps and define them

A
  1. Identification - unique user identification
  2. authentication - validation of identification
  3. authorization - verification of privileges and permissions for the authenticated user
  4. accountability (auditing) - auditing, monitoring, logs
81
Q

What are the two electronic communication privacy laws?

A
  1. Communications Assistance for Law Enforcement Act (CALEA)
  2. Electronic Communications Privacy Act (ECPA)
82
Q

What is total risk?

A

the amount of risk an organization would face if no safeguards were implemented

83
Q

3 common types of security evaluation

A
  1. risk assessment
  2. vulnerability assessment
  3. pen testing
84
Q

The US cannot export computer technologies to what countries?

A
  1. Cuba
  2. Iran
  3. North Korea
  4. Sudan
  5. Syria
  Note: this is the list as given in the source. Export controls change (Sudan was removed from the US list of state sponsors of terrorism in December 2020), so check the current EAR country groups and OFAC sanctions programs rather than relying on a memorized list.
85
Q

2 financial reporting security frameworks

A
  1. Sarbanes-Oxley Act (SOX)
  2. COSO
86
Q

Formula for risk

A

risk = threat x vulnerability x impact

87
Q

Computer Fraud and Abuse Act (CFAA) attributes

A

the first major piece of cybercrime-specific legislation in the United States

88
Q

Define impact

A

the negative consequence to the organization if a risk is realized. This could be a loss of confidentiality, integrity or availability; it could be financial or reputational loss, loss of life, or any other negative outcome.

89
Q

What is eDiscovery?

A

organizations that believe they will be the target of a lawsuit have an obligation to preserve digital evidence, in a process known as eDiscovery

90
Q

2 ways to identify vulnerabilities

A
  1. vulnerability assessment
  2. pen testing
91
Q

Integrity ensures what?

A
  1. unauthorized users or processes do not make modifications to data
  2. authorized users or processes do not make unauthorized modifications to data
  3. data is internally and externally consistent, meaning a given input produces the expected output
92
Q

What is the controls gap?

A

the amount of risk reduced by implementing safeguards (total risk - residual risk = controls gap)

93
Q

What type of planning is a short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly), containing budget figures, staffing assignments, scheduling and implementation procedures?

A

Operational planning

94
Q

Some countermeasures to protect confidentiality are?

A

a. encryption
b. traffic padding
c. strict access controls / authentication
d. data classification
e. awareness training

95
Q

What are the Organisation for Economic Co-operation and Development (OECD) Guidelines?

A
  • an intergovernmental body of member nations from around the world, including the U.S. (30 members when the source was written; 38 as of 2024)
  • Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980 (revised 2013)
96
Q

What is the focus of business continuity management?

A

the focus is on the most critical or essential systems or processes

97
Q

Two other considerations in risk analysis - define the following

  1. loss potential
  2. delayed loss
A
  1. loss potential - what would be lost if the threat agent succeeds in exploiting a vulnerability
  2. delayed loss - the amount of loss that accrues over time; loss is not always incurred all at once
98
Q

7 steps of NIST RMF: what happens at Monitor?

A

monitor the system and its associated controls on an ongoing basis, track changes to the system, and conduct risk assessments and impact analyses periodically

99
Q

What does OECD stand for?

A

Organisation for Economic Co-operation and Development

100
Q

What is MTO (maximum tolerable outage)?

A

Maximum tolerable downtime (MTD), aka maximum tolerable outage (MTO): the maximum length of time a business function can be inoperable without causing irreparable harm to the business.

101
Q

Asset value is what?

A

value of the asset in dollars and cents

102
Q

Among other things, PASTA threat modeling provides 3 important pieces of information

A
  1. dynamic threat identification
  2. enumeration
  3. scoring process
103
Q

What are the 4 steps to risk analysis?

A
  1. Identify the assets to be protected, including their relative value, sensitivity or importance to the organization; this is a component of risk identification (asset valuation)
  2. Define specific threats, including threat frequency and impact data; this is a component of risk identification (threat analysis)
  3. Calculate annualized loss expectancy (ALE)
  4. Select appropriate safeguards; this is a component of both risk identification and risk control
104
Q

What is NIST SP 800-161?

A

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

105
Q

Additional concepts linked to integrity

A
  1. accuracy
  2. authenticity
  3. validity
  4. nonrepudiation - user cannot deny having performed an action
106
Q

What three pillars are included in VAST threat modeling?

A

Automation
Integration
Collaboration

107
Q

What is single loss expectancy (SLE)?

A

represents the cost associated with a single realized risk against a specific asset

108
Q

What are the 4 different approaches to threat modeling (AAST)?

A
  1. Asset centric - identify threats to valuable assets
  2. Attacker centric - identify potential attackers and derive threats from the attackers' goals
  3. Software centric - considers potential threats against the software the organization develops or implements
  4. Threat centric - starts from known threats and asks where in the environment they could apply
109
Q

What is ARO?

A

annualized rate of occurrence — estimated annual frequency of occurrence of a threat or event

110
Q

GDPR (EU General Data Protection Regulation) stance on personal data being transferred outside the EU

A

GDPR restricts transferring or storing personal data of data subjects in the EU outside the EU/EEA: a transfer is lawful only to a country with an adequacy decision, under appropriate safeguards (e.g. standard contractual clauses or binding corporate rules), or under a specific derogation

111
Q

Define security standards

A

• specific requirements
• Formalized (Regulatory / Statutory)
• more specific than policies
• tactical
• mandatory
example: software or hardware mechanisms or products

112
Q

Explain WRT

A
  1. Work recovery time
  2. the maximum tolerable amount of time needed to verify system and/or data integrity (logs, databases, apps) as they return to normal operations
    example: how long it takes to move from the backup datacenter back to the primary datacenter and verify correct operation
113
Q

What are some legal alternatives for the confiscation of evidence?

A
  1. person with evidence could surrender it
  2. a subpoena
  3. a law officer performing a legally permissible duty may seize visible evidence that the officer has probable cause to believe is associated with criminal activity
  4. a search warrant
  5. a law enforcement officer may collect evidence when exigent circumstances exist
114
Q

What is the functional aspect of a control?

A

what it is meant to do. example: what is a firewall meant to do? It is meant to control the flow of traffic between network segments

115
Q

What does NIST SP 800-30 cover (what is it)?

A

Guide for Conducting Risk Assessments

116
Q

What is the formula for Maximum Tolerable Downtime (MTD)?

A

Recovery Time Objective (RTO) + Work Recovery Time (WRT)

117
Q

What are the two ways, at the highest level, to evaluate risk to an asset?

A
  1. quantitative
  2. qualitative
118
Q

What is the Delphi technique in qualitative risk analysis?

A

an anonymous feedback-and-response process used to arrive at a consensus

119
Q

What is pen testing?

A

using trusted individuals to stress test the security infrastructure to find issues that may not be discovered by a risk assessment or vulnerability assessment

120
Q

Give some backstory on the 8 core principles from the OECD (Organisation for Economic Co-operation and Development)

A
  • the 8 core principles are for privacy and how we manage PII
  • most privacy legislation worldwide, whoever wrote it and wherever it comes from, traces its founding principles back to these 8
  • this is "THE" guideline globally
121
Q

Integrity (2) defined

A

ensures that data or system configurations are not modified without authorization

122
Q

Trade secret attributes

A
  1. intellectual property that is absolutely critical to the business and must not be disclosed (the KFC secret recipe)
  2. no registration is needed, and protection has no fixed term: it lasts as long as the secret is kept
  3. the law does not protect the secret itself but does punish how someone obtained it (misappropriation, e.g. under the Economic Espionage Act), so the owner must take reasonable steps to keep it secret
123
Q

What is exposure factor (EF)?

A

part of the formula for SLE (single loss expectancy): a measure of the negative effect or impact of a realized threat or event, expressed as a percentage of the asset's value

124
Q

The three basic elements used to determine the value of an asset are? pg 118 CD

A
  1. initial and maintenance cost - tangible; also consider what revenue this asset generates or protects, which should be weighed along with the initial cost
  2. organizational cost - intangible
  3. public (or external) value - intangible and difficult to assess
125
Q

Security controls have 3 categories

A
  1. Technical (logical) - controls that provide logical security: firewalls, security information and event management systems (SIEM), IDS or IPS
  2. Administrative - policies and procedures defined by the org’s security policy, other regulations and requirements: hiring practices, background checks, data classifications and labeling, security awareness training etc.
  3. physical - items you can physically touch : guards, fences, motion detectors, lights, locked doors, sealed windows, laptop locks etc.
126
Q

What threat model is a unique open-source methodology with a focus on satisfying the security auditing process from a cyber risk perspective? (keywords: security auditing, cyber risk)

A

Trike

127
Q

What does RTO stand for?

A

Recovery Time Objective

128
Q

What is an incident?

A

• some sort of occurrence or event that has a negative outcome

129
Q

Do confidentiality and integrity depend on each other?

A

• yes, one is not effective without the other

130
Q

Explain RPO

A
  1. recovery point objective
  2. the maximum amount of data loss the organization is willing to accept, measured in time
    example: for some services that may be an hour (you need hourly backups); for another service you may be able to accept a day (daily backups suffice)
131
Q

The basis for privacy rights in the US is what amendment?

A

the Fourth Amendment to the US Constitution

132
Q

The 4 main steps of business continuity planning (BCP)

A
  1. project scope and planning
  2. business impact analysis
  3. continuity planning
  4. approval and implementation
133
Q

What are two laws related to healthcare?

A
  1. HIPAA - Health Insurance Portability and Accountability Act
  2. HITECH - Health Information Technology for Economic and Clinical Health Act
134
Q

a risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization's overall security strategy from the beginning - what is it?

A

PASTA (Process for Attack Simulation and Threat Analysis)

135
Q

which threat models use visual representations based on data flow diagrams?

A

PASTA
TRIKE

136
Q

7 steps of NIST 800-37 RMF (risk management framework) mnemonic device

A

People Can See I Am Always Monitoring

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor
137
Q

formula for total risk

A

threats * vulnerability * asset value = total risk

138
Q

are standards mandatory

A

yes mandatory

139
Q

if you hire someone to create copyrighted content, how long is the content protected?

A
  • for a work made for hire, or one published anonymously or under a pseudonym, protection lasts 95 years from first publication or 120 years from creation, whichever expires first
  • if the author's identity is later revealed in the copyright records, the term becomes the life of the author plus 70 years
140
Q

7 steps of NIST 800-37

A
  1. Prepare - prepare to execute the processes for RMF
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor
141
Q

what is a threat and give some examples

A
  1. any potential danger to an organization
  2. natural (hurricanes, floods)
  3. technical (systems going offline, viruses, malware)
  4. physical (power going out, lack of cooling)
  5. people (malicious insiders, riots outside your office)
142
Q

7 steps of NIST RMF, what happens at Authorize

A

provides accountability by requiring a senior official to determine whether the security and privacy risk of operating the system, given the controls in place, is acceptable

143
Q

what is the safeguard evaluation formula

A

ALE before safeguard - ALE after safeguard - annual cost of safeguard (ACS) = value of safeguard. A positive result means the safeguard is cost effective; a negative one means it costs more per year than the loss it prevents

144
Q

can accountability be delegated

A

no

145
Q

safeguard evaluation - safeguards must fit 4 criteria to be good security controls

A
  1. must mitigate risk
  2. are transparent to users
  3. are difficult to bypass
  4. are cost effective
146
Q

define controls gap

A
  • the amount of risk that is reduced by implementing safeguards
  • not the same as residual risk, which is the risk that remains after the safeguards are applied (total risk - controls gap = residual risk)
147
Q

Threat models are used to satisfy the security auditing process. They are based on a "requirements model", which establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Which methodology is this?

Trike
Pasta
Simple
Vast

A

Trike

148
Q

6 categories of computer crimes are?

A
  1. military and intelligence
  2. business attacks
  3. financial attacks
  4. terrorist attacks
  5. grudge attack
  6. thrill attack
149
Q

can accountability be delegated

A

no

150
Q

availability defined

A

authorized request for objects must be granted to subjects within a reasonable amount of time (we need to keep system available, uptime etc.)

151
Q

which is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis?

Vast
Trike
Pasta
Stride

A

PASTA

152
Q

business impact assessment, what are the 4 measurements in time

A
  1. RPO (recovery point objective)
  2. RTO (recovery time objective)
  3. WRT (work recovery time)
  4. MTD (maximum tolerable downtime)
153
Q

explain trans-border data flow - defined by OECD

A
  • it concerns the geographic borders that a data flow crosses
  • rules, regulations, risk and security are all affected by the geographic location of the data
  • what matters is not where the data started, but the jurisdiction in which it resides when the different regulations are applied
154
Q

there can be some overlap between deterrent and preventive controls, but the technical difference is what?

A
  1. deterrent controls rely on someone deciding not to do something
  2. preventive controls are designed to stop the unwanted behavior regardless of what the actor decides
155
Q

what does Maximum tolerable downtime (MTD) mean

A

the maximum period of time that a critical business function can be inoperative before the company incurs significant and long-lasting damage

156
Q

confidentiality (1) defined

A

access controls help ensure that only authorized subjects can access objects

157
Q

exposure factor is what

A

the percentage of the asset's value that will be lost if the risk is realized (expressed as a percentage)

158
Q

Availability - name some threats to availability

A
  1. denial of service attack
  2. single points of failure
  3. inadequate capacity (storage, bandwidth, processing)
  4. lack of planning
  5. equipment malfunction
  6. business interruptions or disasters
159
Q

7 steps of NIST RMF, what happens at Assess

A

Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes

160
Q

formula for DREAD threat modeling

A
  1. damage
  2. reproducibility
  3. exploitability
  4. affected users
  5. discoverability
  • quantitative approach: each of the five categories is rated 0-10
  • the DREAD score is the total of the five ratings divided by 5
161
Q

are guidelines mandatory

A

suggestions, not mandatory

162
Q

what are security controls

A

they are the security measures for countering and minimizing loss or unavailability of services and apps due to vulnerabilities

163
Q

are polices mandatory

A

yes mandatory

164
Q

formula for safeguard evaluation

A

ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard

165
Q

definition of vulnerability

A

the absence or weakness of a safeguard or control in an asset or process that makes a threat potentially more harmful or costly

166
Q

what is the Wassenaar arrangement

A

a multinational export-control agreement on conventional arms and dual-use goods and technologies, cryptography included; participating states may generally exchange strong cryptography among themselves, while export to non-members is controlled

167
Q

what are the 3 Access Control Categories

A
  1. Administrative (Directive)
  2. Technical Control
  3. Physical Control
168
Q

risk management consist of what 3 main elements

A
  1. threat identification
  2. risk analysis
  3. risk treatment
169
Q

3 types of law and explain

A
  1. criminal law - contains prohibitions against acts such as murder, assault, robbery, and arson
    - society is the victim and proof must be beyond a reasonable doubt
  2. civil law (tort law)
    - individuals and organizations are the victims
    - proof must be a preponderance of the evidence (more likely than not)
    - includes contract disputes, real estate transactions, employment, estate and probate (lawsuits)
  3. administrative law - regulations issued by government agencies under authority granted by statute (FDA rules, HIPAA regulations, FAA rules, etc.)
170
Q

how many members are in the Wassenaar arrangement?

A

41 at the time most CISSP study guides were written; 42 since India joined in December 2017

171
Q

what threat model is a Visual Representations based on Process Flow Diagrams

A

VAST

172
Q

What provides a step-by-step process to inject risk analysis and context into an organization’s overall security strategy from the beginning

Risk centric
Attacker perspective on a business with risk

A

PASTA threat modeling

173
Q

attributes of copyrights

A
  • protect the rights of "authors" in their original creative works
  • the term is equal to the life of the author plus 70 years
    example: novels, paintings, films and songs
174
Q

risk assessment is what

A

process of identifying assets, threats, and vulnerabilities, then using that information to calculate risk

175
Q

according to NIST SP 800-37 rev 2, what is in the middle of the risk management framework diagram, i.e. what should you do first?

A

• prepare - prepare to execute the RMF by establishing context and priorities for managing security and privacy risk

176
Q

define vulnerability

A

a weakness that exists (any weakness): an unpatched system, a lack of a fire suppression system, fences around a facility that are not high enough

177
Q

Patents attributes

A
  1. patents protect the intellectual property rights of inventors
  2. they last 20 years from the filing date
  3. to be patentable, the invention must be new (novel), useful and non-obvious
178
Q

what privacy act deals with financial institutions

A

the Gramm-Leach-Bliley Act (GLBA): a federal law enacted in the United States in 1999 to control the ways financial institutions deal with the private information of individuals

179
Q

some countermeasures to keep integrity safe are?

A

a. strict access controls / authentication
b. IDS
c. encryption
d. hashing
e. interface restrictions / controls
f. input / function checks (validation)

180
Q

risk avoidance is what

A
  1. not doing the thing you have identified as a risk
    - if moving to the cloud is too risky, you don't move to the cloud
181
Q

what is Annualized Loss Expectancy (ALE)

A

the possible yearly cost of all instances of a specific realized threat against a specific asset

182
Q

what is the BCP (business continuity plan)

A
  1. the organization's overall plan for how to continue doing business
  2. focuses on the whole business getting back to doing business
  3. is an umbrella policy; the DRP falls under that umbrella as part of the broader plan
183
Q

What threat modeling is based off of the agile programming

A

VAST

184
Q

what is Annualized Rate of Occurrence (ARO)

A

the expected frequency with which a specific threat or risk will occur within a single year

185
Q

which ISO standard uses PDCA (plan, do, check, act), and what is that standard for?

A

ISO 27001 - establishing, implementing, maintaining and continually improving an ISMS (information security management system)

186
Q

Integrity is?

A

ensures that data or system configurations are not modified without authorization

187
Q

do you ever mitigate all risk

A

no

188
Q

what is RTO (recovery time objective)

A

The organizations definition of the acceptable amount of time an IT system can be off-line

189
Q

ARO (annualized rate of occurrence)

A

how often you expect the risk to occur per year (hurricane, flood, compromise etc.)

190
Q

the STRIDE threat modeling framework was developed by whom?

A

Microsoft; it is focused on software

191
Q

difference between safeguards and countermeasures

A
  1. a safeguard is proactive: it attempts to prevent a risk via directive, deterrent and preventive controls
  2. a countermeasure is reactive: a control put in place after a risk has occurred
192
Q

security governance should enable what

A
  1. corporate governance (enable business)
193
Q

what is the primary goal of the threat modeling framework VAST

A

integrate threat management into an Agile programming environment

194
Q

7 steps of NIST RMF, what happens at Implement

A

Implement the controls and document how the controls are employed within the system and its environment of operation.

195
Q

ISC2 code of Ethics Preamble:

A
  1. The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  2. Therefore, strict adherence to this code is a condition of certification
196
Q

what is an event

A

• something that has happened

197
Q

COBIT is based on what 5 principles

A
  1. meeting stakeholder needs
  2. covering the enterprise end-to-end
  3. applying a single, integrated framework
  4. enabling a holistic approach
  5. separating governance from management
198
Q

when developing new safeguards, you are establishing a new security baseline. is keeping compliance with the existing baseline a consideration

A

no, you are updating that baseline, the new baseline is the new compliance level

199
Q

6 steps to quantitative risk analysis

A
  1. inventory assets and assign value (asset value - AV)
  2. Calculate Exposure Factor (EF)
  3. Calculate Single Loss Expectancy (SLE)
  4. Assess the Annualized Rate of Occurrence (ARO)
  5. Derive the annualized loss expectancy (ALE)
  6. perform a cost/benefit analysis of each countermeasure for each threat to each asset
200
Q

confidentiality is?

A

access controls help ensure that only authorized subjects can access objects

201
Q

SLE (single loss expectancy) formula is

A

(asset value) X (exposure factor) = SLE

202
Q

define threat

A

any potential danger to the organization

203
Q

What threat model takes an attackers perspective on a business with risk

A

PASTA

204
Q

what is a breach

A

• an incident in which data or a system is actually accessed, disclosed or compromised by an unauthorized party (every breach is an incident, but not every incident is a breach)

205
Q

what is the formula for Annualized Loss Expectancy (ALE)

A

ALE = Single Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO)
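Worked example, added here and not part of the flashcard deck: the six quantitative steps of card 199 and the formulas of cards 143/164, 201 and 205 carried through in Python. The asset, exposure factors, ARO and safeguard costs are constructed illustrative numbers, and the class and function names are my own.

```python
"""Quantitative risk analysis (AV, EF, SLE, ARO, ALE) and safeguard evaluation.

Added example; the dataclass/function names and all figures are constructed for
illustration and are not taken from any real assessment."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, with the inputs of a quantitative analysis."""
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction (0.0-1.0) of AV lost in one incident
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset; a value outside 0..1 is a data-entry error
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, its annual cost (ACS) and the EF/ARO it leaves behind."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # None = EF unchanged
    new_aro: Optional[float] = None              # None = ARO unchanged

    def apply(self, risk: Risk) -> Risk:
        """Return the same risk with the reduced EF and/or ARO this safeguard achieves."""
        ef = risk.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = risk.aro if self.new_aro is None else self.new_aro
        return Risk(risk.asset, risk.threat, risk.asset_value, ef, aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Safeguard evaluation formula:
    (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard).
    Positive = cost effective; negative = the control costs more per year than
    the loss it prevents."""
    return risk.ale - safeguard.apply(risk).ale - safeguard.annual_cost


def rank_safeguards(risk: Risk, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Step 6 of the quantitative process: cost/benefit of each countermeasure,
    best value first (rounded to cents so results compare cleanly)."""
    scored = [(sg.name, round(safeguard_value(risk, sg), 2)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a customer-facing web server worth 200,000 of which a
# datacenter fire would destroy 80%, expected about once every ten years.
WEB_SERVER_FIRE = Risk("customer web server", "datacenter fire",
                       asset_value=200_000, exposure_factor=0.80, aro=0.10)

CANDIDATES = [
    Safeguard("fire suppression system", annual_cost=5_000, new_exposure_factor=0.20),
    Safeguard("suppression plus hot-site replica", annual_cost=20_000, new_exposure_factor=0.10),
    Safeguard("no additional safeguard (accept)", annual_cost=0),  # baseline: value is 0
]

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER_FIRE.sle:,.0f}   ALE = {WEB_SERVER_FIRE.ale:,.0f}")
    for name, value in rank_safeguards(WEB_SERVER_FIRE, CANDIDATES):
        print(f"{name:36s} value of safeguard = {value:>10,.2f}")
```

With these constructed figures the SLE is 160,000 and the ALE 16,000 per year; the 5,000-a-year suppression system cuts the ALE to 4,000 and is worth 7,000 a year, while the 20,000-a-year option saves more loss but still comes out at -6,000, so the ranking puts it below doing nothing. That is the point of the formula: a control that reduces risk is not automatically worth buying.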

206
Q

what are security controls definition

A

they are the security measures for countering and minimizing loss or unavailability of services and apps due to vulnerabilities

207
Q

importance of the Federal Information Security Management Act (FISMA)

A

required formal information security programs and operations across the federal government

208
Q

risk categories - a group of potential causes of risk. name and define the 3

A
  1. Damage - physical loss of an asset or inability to access that asset
  2. Disclosure - disclosing of critical information regardless of how or where. malicious act from a threat actor or unintentional on the part of a user
  3. Losses - these might be permanent or temporary, including altered data or inaccessible data
209
Q

quantitative is related to what

A

related to cost

210
Q

Computer Ethics Institute ten commandments

A
  1. Thou shalt not use a computer to harm other people
  2. Thou shalt not interfere with other people's computer work
  3. Thou shalt not snoop around in other people's computer files
  4. Thou shalt not use a computer to steal
  5. Thou shalt not use a computer to bear false witness
  6. Thou shalt not copy or use proprietary software for which you have not paid
  7. Thou shalt not use other people's computer resources without authorization or proper compensation
  8. Thou shalt not appropriate other people's intellectual output
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
211
Q

The official four canons. number one is?

A

Protect society, the common good, necessary public trust and confidence, and the infrastructure

212
Q

which threat modeling methodology focuses on the necessity of scaling the threat modeling process across the infrastructure and the entire SDLC?

Simple
Stride
Trike
Vast
Pasta

A

VAST

213
Q

define security policy baselines

A

minimum levels of security requirements - mandatory

214
Q

Federal Sentencing guidelines did what

A

provided punishment guidelines to help judges interpret computer crime laws

215
Q

7 steps of NIST RMF, what happens at categorize

A

Categorize the system and the information it processes, stores and transmits based on an analysis of the impact of loss; this determines the risk level the rest of the process works from

216
Q

attributes of Trade Secrets

A

–Protect secret or confidential information (formulas, practices, processes, designs, instruments, patterns, or compilations of information)
Example: Coca-Cola recipe

217
Q

what is an asset

A
  • an asset is anything that is valuable, but usually means:
    • data (such as PII)
    • software
    • IT components
    • intellectual property
    • brand
    • reputation
    • real estate/facilities
218
Q

attributes of a hot site

A
  • highest-cost backup site
  • always running
  • exact duplicate of the main site, including data, patches, software and hardware
  • the site is staffed
  • RTO (recovery time objective): minutes to hours
219
Q

The official four canons. number four is?

A

Advance and protect the profession

220
Q

attributes of a warm site

A
  • backup site that contains IT infrastructure (hardware and sometimes software)
  • does not contain current data
  • contains the equipment and data circuits required for rapid recovery
  • middle ground between a hot site and a cold site
  • RTO (recovery time objective): 1-2 days
221
Q

are baseline mandatory

A

yes mandatory

222
Q

the six categories of the STRIDE threat modeling framework

A
  1. Spoofing
  2. Tampering
  3. Repudiation
  4. Information disclosure
  5. Denial of service
  6. Elevation of privilege
223
Q

asset valuation can be done in two ways

A
  1. Quantitative analysis
  2. Qualitative analysis
224
Q

what are the 4 steps to threat analysis

A
  1. Define the actual threat.
  2. Identify possible consequences to the organization if the threat is realized.
  3. Determine the probable frequency of a threat.
  4. Assess the probability that a threat will materialize.
225
Q

Nist 800-30 has 4 steps with 5 additional sub steps for conducting risk assessment. name them

A
  1. Prepare for assessment
  2. Conduct Assessment
    2A. identify threat sources and events
    2B. identify vulnerabilities and predisposing conditions
    2C. determine likelihood of occurrence
    2D. determine magnitude of impact
    2E. determine Risk
  3. Communicate Results
  4. Maintain Assessment
226
Q

The official four canons. number two is?

A

Act honorably, honestly, justly, responsibly, and legally

227
Q

controls gap formula

A
  • total risk - controls gap = residual risk
  • the controls gap is the difference between total risk and residual risk: the amount of risk the controls mitigated
228
Q

What are these items describing

  1. threats
  2. vulnerability
  3. likelihood - how likely will this happen
  4. impact
A

Risk analysis

229
Q

what is disclosure

A

• making “secret” information public

230
Q

how to determine MTD (maximum tolerable downtime)

A

RTO (recovery time objective) + WRT (work recovery time) must be less than or equal to MTD; the system being back online (RTO) is not the same as the business function being back (RTO + WRT)
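Added example, not from the flashcard deck: a consistency check over the four BIA time measurements (card 152), applying the MTD rule above and the RPO-versus-backup-frequency point of card 130. The service names and hour values are constructed, and the function names are my own.

```python
"""Consistency check for BIA recovery metrics (MTD, RTO, WRT, RPO).

Added example; service names and hour values are constructed for illustration,
and the dataclass/function names are my own."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryObjectives:
    service: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # time to get the system back online
    wrt_hours: float              # work recovery time: restore data, verify, hand back to users
    rpo_hours: float              # acceptable data loss, measured in time
    backup_interval_hours: float  # how often the backups that feed recovery actually run


def check_recovery_objectives(obj: RecoveryObjectives) -> List[str]:
    """Return the findings for one service; an empty list means the numbers are consistent."""
    findings: List[str] = []
    # RTO + WRT must fit inside MTD: "system up" (RTO) is not "business function
    # back" (RTO + WRT), and MTD is defined against the business function.
    restore_total = obj.rto_hours + obj.wrt_hours
    if restore_total > obj.mtd_hours:
        findings.append(
            f"{obj.service}: RTO {obj.rto_hours}h + WRT {obj.wrt_hours}h = "
            f"{restore_total}h exceeds MTD {obj.mtd_hours}h"
        )
    # An RPO is only achievable if backups run at least that often; otherwise the
    # worst-case data loss is a full backup interval, whatever the RPO says.
    if obj.backup_interval_hours > obj.rpo_hours:
        findings.append(
            f"{obj.service}: backups every {obj.backup_interval_hours}h cannot meet "
            f"RPO {obj.rpo_hours}h (worst-case loss {obj.backup_interval_hours}h)"
        )
    return findings


def check_all(services: List[RecoveryObjectives]) -> Dict[str, List[str]]:
    """Findings per service, keeping only services that have at least one problem."""
    result: Dict[str, List[str]] = {}
    for svc in services:
        findings = check_recovery_objectives(svc)
        if findings:
            result[svc.service] = findings
    return result


# Constructed BIA figures for three services.
SERVICES = [
    RecoveryObjectives("order API", mtd_hours=8, rto_hours=4, wrt_hours=2,
                       rpo_hours=1, backup_interval_hours=1),
    RecoveryObjectives("reporting warehouse", mtd_hours=24, rto_hours=20, wrt_hours=8,
                       rpo_hours=24, backup_interval_hours=24),
    RecoveryObjectives("payments ledger", mtd_hours=2, rto_hours=1, wrt_hours=0.5,
                       rpo_hours=0.25, backup_interval_hours=1),
]

if __name__ == "__main__":
    for findings in check_all(SERVICES).values():
        for line in findings:
            print(line)
```

The order API passes both checks. The reporting warehouse has an RTO that looks fine on its own (20h under a 24h MTD) but fails once WRT is added, which is exactly the mistake the RTO + WRT rule catches. The payments ledger meets its MTD but its hourly backups cannot deliver a 15-minute RPO; an RPO that the backup schedule does not support is a number on paper, not a capability.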

231
Q

two methods to identify vulnerabilities

A
  1. vulnerability assessment
  2. pen test
232
Q

what does MTD stand for

A

Maximum Tolerable Downtime

233
Q

what types of evidence can be used in a criminal or civil trial

A
  1. real evidence - evidence that can be brought into the court room
  2. documentary evidence - written documents that provide insight into the facts
  3. testimonial evidence - verbal or written statements made by a witness
234
Q

what is reduction analysis in threat modeling

A

breaking a system down into its parts, looking at each element looking for weaknesses and vulnerabilities

235
Q

are procedures mandatory

A

yes mandatory

236
Q

From a high level what are 3 risk assessment steps

A
  • risk identification
  • risk analysis
  • risk prioritization
237
Q

what is RPO (recovery point objective)

A

Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization

238
Q

consequences to privacy and data breach

A
  1. reputational damage - effects could last for years
  2. identity theft
  3. loss of intellectual property
  4. fines - failing to report a breach can result in fines in the millions, and may also lead to lawsuits
    - GDPR fines go up to 4% of a company's annual global turnover or 20 million euros, whichever is higher, for the most serious violations; failing to notify a breach falls under the lower tier of up to 2% or 10 million euros
    - any company that processes the personal data of people in the EU is subject to GDPR, wherever it is based
239
Q

attributes of a cold site

A
  • least expensive backup site
  • no IT infrastructure (computing and network hardware)
  • electrical and data circuits are in place, ready to receive replacement equipment and data in the event users have to move to an alternate site
  • RTO (recovery time objective): 1-2 weeks
240
Q

are policies mandatory

A

yes