Domain 1 - Security and Risk Management Flashcards
what is the DRP (disaster recovery plan)
- the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operations
- focuses on the technical aspects of recovery
Control Types and Purposes
- Preventive controls, for reducing risk
- Detective controls, for identifying violations and incidents
- Corrective controls, for remedying violations and incidents and improving existing preventive and detective controls
- Deterrent controls, for discouraging violations
- Recovery controls, for restoring systems and information
- Compensating controls, for providing alternative ways of achieving a task
reduction analysis 5 points to check
- trust boundaries - any location where the level of trust or security changes, for example where an application requires a specific role or privilege to access a resource or operation
- Data flow paths - the movement of data between locations and any exposures for breaches
- input points - locations where external inputs are received. for example: a web form where there is the potential for SQL injection and the protections need to prevent that
- Privileged operations - any activity that requires greater privilege than that of a standard user account.
- Details about security stance and approach - declaration of security policy, security foundations, and security assumptions
attributes of Trademarks
- Protects brands – symbol, word, slogan, design, color or logo that can distinguish one source from another source
- they last as long as your business continues to use them
- registration is not required by law, but registering with the PTO (patent and trademark office) confers many benefits on the trademark owner
example: Nike trademark and logo
What programming method does vast work with
Agile
What are three ways integrity works for us
- Preventing unauthorized subjects from making modifications
- Preventing authorized subjects from making unauthorized modifications
- Maintaining consistency of objects so that they are true and accurate
2 focus items of security from a business aspect are?
- enable business
- enable profit
- increase risk awareness
- increase value
- enable business
- increase value
7 steps of NIST RMF, what happens at select
Select an initial set of controls for the system, tailor and document the controls as needed to mitigate risk to an acceptable level based on an assessment of risk.
two key elements of risk management
- risk assessment
- risk treatment
can responsibility be delegated
yes
what are the 6 Access Control Types
- Preventative
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
security planning and definitions (3)
- Strategic - long term stable plan that should include a risk assessment (5 yr horizon, annual updates)
- Tactical - midterm plan developed to provide more details on goals of the strategic plan (usually 1 year) a little more flexible, can make some ad hoc adjustments if needed
- Operational - short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly) this will have budget figures, staffing assignments, scheduling and implementation procedures
is COBIT a threat model
no, it's a security control framework. sometimes described as a framework for IT management and governance
The official four canons. number three is?
Provide diligent and competent service to principals
explain MTD
- maximum tolerable downtime
- is the measurement in time that determines when an event changes from an incident to a disaster
- The total time a system can be inoperable before our organization is severely impacted
definition of asset
a resource, process, product, or system that has some value to an organization. could be tangible (computer, data, software) or intangible (privacy, access, public image)
could have a tangible price (purchase price)
could have intangible value (competitive advantage)
possible countermeasures to keep availability safe are
a. strict access controls / authentication
b. continuous monitoring
c. firewalls & routers to prevent DoS / DDoS attacks
d. redundant system design
e. periodic testing of backup systems
define qualitative
relative ranking system using words like High, medium, low
what is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis
PASTA threat modeling
What does ALE stand for and Define it
annualized loss expectancy - estimated annual loss for a threat or event in dollars
what is residual risk
risk that is left over once safeguards or controls are in place
What life cycle does vast work with
SDLC - software development life cycle
define impact
anything that negatively impacts the organization if a risk is realized.
examples: loss of confidentiality, integrity, availability, financial, reputational, non-compliance, loss of life etc.
what is inherent risk
newly identified risk not yet addressed with risk management strategies
vast threat modeling acronym
- Visual
- Agile
- Simple
- Threat
explain RTO
- Recovery time objective
- refers to the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions.
example: if there was a failure at the primary data center, the RTO would be the measurement of how long it takes to get back up and running in the backup data center
What is a risk centric threat modeling
Pasta
security policy guidelines
suggestions, things that are good to do but not necessarily required. – optional
qualitative is what
relative to importance - relative ranking system (high, medium, low) value
what is a computer crime
a crime (or violation of law or regulation) that is directed against or directly involves a computer
NIST risk management framework 7 steps (RMF)
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
what is BCP
business continuity plan - the overall organizational plan for “how-to” continue business
define threat agents
the entities that cause threats by exploiting vulnerabilities
4 steps to supply chain evaluation
- on-site assessment - visit the organization, interview personnel, view operating habits
- document exchange and review - investigate datasets and document exchange, review processes
- process/policy review - request copies of security policies, processes and procedures
- third-party audit - having an independent auditor provide an unbiased review of their security infrastructure
what is Maximum Tolerable Downtime
the amount of time we can be without the asset before we have to declare a disaster.
Risk Factors - something that increases risk or susceptibility - name and define the 5
- physical damage - natural disasters, power loss or vandalism
- Malfunctions - failure of systems, networks, HVAC system, peripherals
- Attacks - purposeful acts of a threat actor, whether that is inside or outside like unauthorized disclosure
- Human errors - usually considered accidental incidents, whereas attacks are purposeful
- application errors - failures of the application, including the operating system
copyright and the digital millennium copyright act did what
- covers the expression of an idea in some sort of fixed medium (books, movies, musical and dramatic works) (artist)
- disclosure is required
- last for the life of the author plus 70 years
What type of planning is a long-term, stable plan that should include a risk assessment (5 yr horizon, annual updates)
Strategic planning
4 ways to treat a risk
- avoid - when the cost of mitigating or accepting the risk is higher than the benefits of the service, you avoid that risk. example: moving to Kansas from Florida to avoid hurricanes
- transfer - insurance, 3rd party outsource
- mitigate - implementing cost justified controls to reduce the risk
- accept
in GDPR how much time do you have to report a data breach
72 hours
what is exposure factor (EF)
percentage of loss that an organization would experience if a specific asset were violated by a realized risk
high-level business rules that the organization agrees to follow that reduce risk and protect information. They define “what” the organization is going to do and often “who” is going to do it
- baseline
- procedure
- security policy
- standard
- security policy
definition for threat
any natural or man-made circumstance or event that could have an adverse or undesirable impact on an asset or process
attributes of patents
is a form of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a period of years
valid for 20 years
example: lightbulb
define risk
the likelihood of something bad happening and the impact if it did
which model is this: Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class.
Trike
what is a security policy
- they are high level plans that describe the goals and the procedures.
- they are not guidelines or procedures
- policies describe security in general terms
- they are mandatory
what is the difference between technical and logical
- Technical - is the hardware
- Logical - is the software
example: firewall - has hardware and software that runs on the hardware
what is NIST 800-37
RMF - risk management framework
Qualitative risk analysis attribute
- uses a scoring system to rank threats and effective countermeasures (high, med, low)
- requires guesswork and estimation but still has meaningful results
- less accurate
- subjective
how do you define risk in a formula
risk = threat * vulnerability
4 steps to risk analysis
- identify the assets to be protected, include relative value, sensitivity or importance
- define specific threats, include threat frequency and impact
- calculate annualized loss expectancy (ALE)
- select appropriate safeguards
what is recovery point objective (RPO)
the organization's definition of acceptable data loss.
the maximum period of time in which data would be lost if a disaster strikes. how often are your backups? the time between backups is your RPO
the 2 general threat categories are? – pg 119 CD
- natural – earthquake, floods, hurricanes, lightning etc.
- man-made – unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, sabotage, arson, social engineering, malicious code, viruses etc.
what are 4 things to think about during Acquisitions and Divestitures
- Security governance and management - how is security being managed
- Security Policy - How do policies between the two organizations differ
- Security Posture - which security controls are present
- security Operations - what security operations are in place today and how do they operate - vulnerability management, third party risk management and incident management
ALE (Annualized loss expectancy)
SLE(single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
what is vulnerability assessments
using automated tools to locate known security weaknesses
licensing - 4 types to know
- contractual
- shrink wrap - EULA that is enclosed with purchased software like on DVDs
- click-through - requires a user to agree to terms and conditions (click-through) before accessing a website or completing an installation or online purchase
- cloud services
what is the COOP (continuity of operations plan)
the plan for continuing to do business until the IT infrastructure can be restored.
4 management/enterprise frameworks
- Zachman
- TOGAF - broad range of enterprise architectures (business, applications, data and tech)
- SABSA - ensures that the needs of your Enterprise are met completely
- COSO
the only threat modeling methodology that supports enterprise-wide scalability is
VAST
3 things must be true for evidence to be admissible in a court of law
- relevant to a fact at issue in the case
- the fact must be material to the case
- the evidence must be competent or legally collected
Availability is?
authorized requests for objects must be granted to subjects within a reasonable amount of time.
what is ISO 15408
common criteria for information technology security evaluation
what is assurance when looking at controls
how do we ensure the control is working effectively. typically this is done with logging, monitoring or another test of the control
Name 4 attributes of quantitative analysis
- uses numbers (money) to define asset value.
- more labor intensive compared to qualitative
- data collection and analysis, cost benefit analysis
- objective
What is DRP
DRP (Disaster Recovery Plan)
• the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
what is SLE?
single loss expectancy - cost of loss from a single realized threat or event in dollars.
formula for SLE is asset value X exposure factor (EF)
what threat model is an attacker and threat centric approach
pasta
Formula for MTD - maximum tolerable downtime
MTD ≥ RTO + WRT
define likelihood
the chance or how likely is the risk to occur
VAST acronym means what
Visual
Agile
Simple
Threat modeling
what are two objectives of threat modeling
- Reduce cost
- Fix threats
- Eradicate threats
- Mitigate threats
- Reduce threats
- Find threats
- Eradicate threats
- Reduce threats
formula for ALE (annualized loss expectancy)
SLE (single loss expectancy) X ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
trademarks attributes
- covers words, slogans, and logos used to identify a company and its products or services
- U.S. trademarks generally last as long as the trademark is used in commerce and defended against infringement
the business continuity plan (BCP) has just been updated after a recent outage. all of the lessons learned and updates to some of the critical business functions have been incorporated and are ready for approval. at what point is the BCP considered validated for use within the organization
a. after it has been approved by senior management
b. after the disaster recovery plan has been approved
c. when a security assessment has been completed
d. when it has been tested and proven effective under realistic conditions
d. when it has been tested and proven effective under realistic conditions
What type of planning is a midterm plan developed to provide more details on the goals of the strategic plan (usually 1 year), a little more flexible, can make some ad hoc adjustments if needed
Tactical planning
which threat model is based on agile project management and programming (SDLC)
Vast
formula for SLE (single loss expectancy)
SLE = Asset Value (AV) X Exposure Factor (EF)
IAAA list steps and define them
- Identification - unique user identification
- authentication - validation of identification
- authorization - verification of privileges and permissions for the authenticated user
- accountability (auditing) - auditing, monitoring, logs
what are the two electronic communication privacy laws
- Communications assistance for law enforcement act (CALEA)
- electronic communications privacy act (ECPA)
what is total risk
the amount of risk an organization would face if no safeguards were implemented
3 common types of security evaluation
- risk assessment
- vulnerability assessment
- pen testing
US can't export computer technologies to what countries
- Cuba
- Iran
- North Korea
- Sudan
- Syria
2 financial reporting security frameworks
- Sarbanes-Oxley
- COSO
formula for risk
risk= threat x vulnerability x impact
computer fraud and abuse act (CFAA) attributes
first major piece of cybercrime-specific law
define impact
the negative consequence that will occur to the organization if a risk is realized. this could be a loss of confidentiality, integrity or availability; could be financial, reputational, loss of life, any negative thing
what is eDiscovery
organizations that feel they will be the target of a lawsuit have the obligation to preserve digital evidence in a process known as eDiscovery
2 ways to identify vulnerabilities
- vulnerability assessment
- pen testing
Integrity ensures what?
- unauthorized users or processes don't make modifications to data
- authorized users or processes don't make unauthorized modifications to data
- data is internally and externally consistent, meaning a given input produces an expected output
what is the controls gap
the amount of risk reduced by implementing safeguards
What type of planning is a short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly) that will have budget figures, staffing assignments, scheduling and implementation procedures
Operational planning
some countermeasures to keep confidentiality safe are?
a. encryption
b. traffic padding
c. strict access controls / authentication
d. data classification
e. awareness training
what is Organization for Economic Cooperation and Development (OECD) Guidelines
- 30 member nations from around the world, including the U.S.
- Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980
what is the focus for business continuity management
the focus is on the most critical or essential systems or processes
two other considerations with risk analysis - define the following
- loss potential
- delayed loss
- loss potential - what would be lost if the threat agent is successful in exploiting a vulnerability
- delayed loss - the amount of loss that can occur over time. loss does not always happen all at once
7 steps of NIST RMF, what happens at Monitor
monitor the system and the associated controls on an ongoing basis, changes to the system and conducting risk assessments and impact analysis periodically
What does oecd stand for
ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT
what is MTO (maximum tolerable outage)
Maximum tolerable downtime (MTD), aka maximum tolerable outage (MTO) - the maximum length of time a business function can be inoperable without causing irreparable harm to the business.
asset value is what
value of the asset in dollars and cents
among other things, PASTA threat modeling provides 3 important pieces of information
- dynamic threat identification
- enumeration
- scoring process
what are the 4 steps to risk analysis
- Identify the assets to be protected, including their relative value, sensitivity or importance to the organization; this is a component of risk identification (asset valuation)
- Define specific threats, including threat frequency and impact data; this is a component of risk identification (threat analysis)
- Calculate annualized loss expectancy (ALE)
- Select appropriate safeguards; this is a component of both risk identification and risk control
what is NIST 800-161
cybersecurity supply chain risk management practices
additional concepts linked to integrity
- accuracy
- authenticity
- validity
- nonrepudiation - user cannot deny having performed an action
What three steps are included in vast threat modeling
Automation
Integration
Collaboration
what is Single loss expectancy (SLE)
represents the cost associated with a single realized risk against a specific asset
what are 4 different approaches to threat modeling (aast)
- Asset centric - identify threats to valuable assets
- attacker centric - identify potential attacker and identify threats based on the attackers goals
- software centric - considers potential threats against the software the org develops or implements
- Threat centric
what is ARO?
annualized rate of occurrence — estimated annual frequency of occurrence of a threat or event
GDPR (EU General Data Protection Regulation) stance on PI (personal information) being transferred outside the EU
GDPR restricts transferring or storing PI related to EU citizens outside EU
define security standards
• specific requirements
• Formalized (Regulatory / Statutory)
• more specific than policies
• tactical
• mandatory
example: software or hardware mechanisms or products
explain WRT
- Work recovery time
- maximum tolerable amount of time that is needed to verify the system and/or data integrity as they return to normal operations (logs, databases, apps)
example: how long does it take to recover from your backup datacenter back to the primary datacenter and verify correct operations
What are some legal alternatives for confiscation of evidence
- person with evidence could surrender it
- a subpoena
- a law officer performing a legally permissible duty may seize visible evidence that the officer has probable cause to believe is associated with criminal activity
- search warrant
- a law enforcement officer may collect evidence when exigent circumstances exist
what is the functional aspect of a control
what it’s meant to do. example: what is a firewall meant to do? it is meant to control the flow of traffic between network segments
what does NIST 800-30 cover (what is it)
Guide for conducting Risk Assessment
what is the formula for Maximum Tolerable Downtime (MTD)?
Recovery Time Objective (RTO) + Work Recovery Time (WRT)
what are the two ways, at the highest level, that you can evaluate risk to an asset
- quantitative
- qualitative
what is the Delphi Technique in qualitative risk analysis
an anonymous feedback-and-response process used to arrive at a consensus
what is pen testing
using trusted individuals to stress test the security infrastructure to find issues that may not be discovered by a risk assessment or vulnerability assessment
give some backstory of the 8 core principles from the OECD (organisation for economic co-operation and development)
- the 8 core principles are for privacy and how we manage PII
- every piece of privacy legislation in the world, no matter who wrote it or where it comes from references these 8 core principles verbatim as their founding principles
- this is “THE” guideline globally
Integrity (2) defined
ensures that data or system configurations are not modified without authorization
Trade Secrets attributes
- intellectual property that is absolutely critical to their business and must not be disclosed (KFC secret recipe)
- you do not need to register
- there is no law protecting the secret itself, but there is likely a law on how someone obtained the secret.
what is exposure factor (EF)
part of the formula for SLE (single loss expectancy) – it's a measure of the negative effect or impact of a realized threat or event, expressed as a percentage
three basic elements used to determine the value of an asset are? pg 118 CD
- initial and maintenance cost - tangible – also think about what revenue this asset generates or protects; this should probably be considered along with initial cost
- organizational cost - intangible
- public (or external) value - intangible and difficult to assess
security controls have 3 categories
- Technical (logical) - controls that provide logical security (firewalls, security information and event management systems (SIEM), IDS or IPS)
- Administrative - policies and procedures defined by the org’s security policy, other regulations and requirements: hiring practices, background checks, data classifications and labeling, security awareness training etc.
- physical - items you can physically touch : guards, fences, motion detectors, lights, locked doors, sealed windows, laptop locks etc.
what threat model is a unique open source with a focus on satisfying the security auditing process from a cyber risk perspective.
Security auditing
Cyber risk
Trike
what does RTO stand for
Recovery Time Objective
what is an incident
• some sort of occurrence or event that has a negative outcome
do confidentiality and integrity depend on each other
• yes, one is not effective without the other
explain RPO
- recovery point objective
- maximum amount of data loss the organization is willing to accept, measured in time.
example: for some services maybe that is an hour (you need hourly backups); for another service maybe you can accept a day (you need daily backups)
the basis for privacy rights is what amendment
fourth amendment to the US constitution
the 4 main steps to (BCP) business continuity planning
- project scope and planning
- business impact analysis
- continuity planning
- approval and implement
what are two laws related to healthcare
- HIPAA - Health Insurance Portability and Accountability Act
- HITECH - Health Technology for Economic and clinical Health Act
a risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization’s overall security strategy from the beginning is what
Pasta
what threat model is a Visual Representations based on Data Flow Diagrams
PASTA
TRIKE
7 steps of NIST 800-37 RMF (risk management framework) mnemonic device
People Can See I Am Always Monitoring
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
formula for total risk
threats * vulnerability * asset value = total risk
are standards mandatory
yes mandatory
if you hire someone to create copyrighted content, how long is the content protected
- if you hire someone or it's written under an anonymous name, it's 95 years from first publication or 120 years from creation (whichever is shorter)
- if the writer is no longer anonymous and has been identified, then it flips to 70 years after the author's death.
7 steps of NIST 800-37
- Prepare - prepare to execute the processes for RMF
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
what is a threat and give some examples
- any potential danger to an organization
- natural (hurricanes, floods)
- technical (systems going offline, viruses, malware)
- physical (power going out, lack of cooling)
- people (malicious insiders, riots outside your office)
7 steps of NIST RMF, what happens at Authorize
provides accountability by requiring senior management to determine if the security and privacy risks based on the controls are acceptable to mitigate the risk.
what is the safeguard evaluation formula
ALE before safeguard - ALE after safeguard - annual cost of safeguard = Value of safeguard (is the safeguard cost effective)
can accountability be delegated
no
safeguard evaluation - safeguards must fit 4 criteria to be good security controls
- must mitigate risk
- are transparent to users
- are difficult to bypass
- are cost effective
define controls gap
- the amount of risk that is reduced by implementing safeguards
- The level of residual risk that has been determined to be a reasonable
Threat models are used to satisfy the security auditing process. Threat models are based on a “requirements model.” The requirements model establishes the stakeholder-defined “acceptable” level of risk assigned to each asset class
Trike
Pasta
Simple
Vast
Trike
6 categories of computer crimes are?
- military and intelligence
- business attacks
- financial attacks
- terrorist attacks
- grudge attack
- thrill attack
can accountability be delegated
no
availability defined
authorized request for objects must be granted to subjects within a reasonable amount of time (we need to keep system available, uptime etc.)
which is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis
Vast
Trike
Pasta
Stride
Pasta
business impact assessment, what are the 4 measurements in time
- RPO (recovery point objective
- RTO (recovery time objective)
- WRT (work recovery time)
- MTD (maximum tolerable downtime)
explain trans-border data flow - defined by OECD
- it involves the geographic borders the data flow crosses.
- rules, regulations, risk and security are all affected by the geographic location of that data.
- it's not where the data started, it's the geographic location where it resides when the different regulations are applied
there can be some overlap between deterrent controls and preventative but the technical difference is what
- deterrent controls really rely on someone making the decision to not do something
- preventative controls are really designed to stop the unwanted behavior
what does Maximum tolerable downtime (MTD) mean
maximum period of time that a critical business function can be inoperative before the company incurs significant and long lasting damage
confidentiality (1) defined
access controls help ensure that only authorized subjects can access objects
exposure factor is what
is the percentage of the asset that will be lost if the risk is realized (this is shown as a percentage)
Availability - name some threats to availability
- denial of service attack
- single points of failure
- inadequate capacity (storage, bandwidth, processing)
- lack of planning
- equipment malfunction
- business interruptions or disasters
7 steps of NIST RMF, what happens at Assess
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes
formula for DREAD threat modeling
- damage
- reproducibility
- exploitability
- affected users
- discoverability
- quantitative approach 0-10
- take the total for the 5 above and divide by 5
are guidelines mandatory
suggestions, not mandatory
what are security controls
they are the security measures for countering and minimizing loss or unavailability of services and apps due to vulnerabilities
are polices mandatory
yes mandatory
formula for safeguard evaluation
ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
definition of vulnerability
the absence or weakness of a safeguard or control in an asset or process that makes a threat potentially more harmful or costly
what is the Wassenaar arrangement
any country that is a signing member of the Wassenaar arrangement can use cryptography of any strength with anyone else
what are the 3 Access Control Categories
- Administrative (Directive)
- Technical Control
- Physical Control
risk management consists of what 3 main elements
- threat identification
- risk analysis
- risk treatment
3 types of law and explain
- criminal law – contains prohibitions against acts such as murder, assault, robbery, and arson; society is the victim and proof must be beyond reasonable doubt
- civil law (tort law) – individuals and organizations are the victims; proof must be the majority (preponderance of proof); includes contract disputes, real estate transactions, employment, estate and probate (lawsuits)
- administrative law – laws enacted by government agencies (FDA laws, HIPAA, FAA laws, etc.)
how many members are in the Wassenaar arrangement?
41
what threat model is a Visual Representations based on Process Flow Diagrams
VAST
What provides a step-by-step process to inject risk analysis and context into an organization’s overall security strategy from the beginning
Risk centric
Attacker perspective on a business with risk
Pasta threat modeling
attributes of copyrights
- protect the rights of “authors” in their original creative works.
- the term is equal to the life of the author plus 70 years
example: novels, paintings, films and songs
risk assessment is what
process of identifying assets, threats, and vulnerabilities, then using that information to calculate risk
according to nist 800-37 rev 2 what is in the middle of the risk management framework, or what should you do first
• prepare - prepare to execute the RMF by establishing context and priorities for managing security and privacy risk
define vulnerability
a weakness that exists (any weakness) – an unpatched system, a lack of a fire suppression system, a lack of high enough fences around a facility
Patents attributes
- patents protect the intellectual property rights of inventors
- they last 20 years
- to apply for a patent the product must be needed, novel, useful and not obvious.
what privacy act deals with financial institutions
is a federal law enacted in the United States in 1999, to control the ways financial institutions deal with the private information of individuals.
what are some countermeasures that protect integrity?
a. strict access controls / authentication
b. IDS
c. encryption
d. hashing
e. interface restrictions / controls
f. input / function checks (validation)
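As an added illustration (not part of the original flashcards), the Python below shows the caveat behind item d: a plain hash only detects accidental change, because whoever can modify the data can usually recompute the hash stored next to it. A keyed hash (HMAC) under a secret the attacker does not hold detects deliberate tampering as well. The config contents and the key are constructed for the example.

```python
"""Integrity countermeasure in practice: plain hash vs. keyed hash (HMAC).

Constructed example data; the "config file" and key are illustrative only.
"""
import hashlib
import hmac
import secrets

# Constructed: a config the organization wants to keep unmodified, and a
# tampered copy in which an attacker widens the admin allow-list.
CONFIG = b"listen=0.0.0.0:443\nallow_admin_from=10.0.0.0/8\n"
TAMPERED = b"listen=0.0.0.0:443\nallow_admin_from=0.0.0.0/0\n"


def digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone can compute this, including an attacker."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking which prefix matched through timing.
    return hmac.compare_digest(digest(data), expected)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def scenario_plain_hash() -> bool:
    """Attacker replaces the file AND the stored hash. Verification passes,
    so the tampering goes undetected. Returns the verification result."""
    stored_hash = digest(CONFIG)          # what the defender recorded
    stored_hash = digest(TAMPERED)        # attacker recomputes it after editing
    return verify_digest(TAMPERED, stored_hash)


def scenario_hmac(key: bytes) -> bool:
    """Attacker replaces the file but cannot recompute the tag without the key,
    so the old tag no longer matches. Returns the verification result."""
    stored_tag = tag(key, CONFIG)         # recorded by the defender, key kept secret
    return verify_tag(key, TAMPERED, stored_tag)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("plain hash detects tampering:", not scenario_plain_hash())   # False
    print("HMAC detects tampering:      ", not scenario_hmac(key))       # True
```

The key must live somewhere the attacker cannot read or modify (an HSM, a secrets manager, or at least a different trust boundary from the data), otherwise the HMAC collapses back into the plain-hash case. Encryption (item c) on its own is not an integrity control either; an authenticated mode such as AES-GCM is what supplies the tag.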
what is risk avoidance
- not doing the thing that you have identified as a risk
- – if moving to the cloud is risky, then you don't do it
what is Annualized Loss Expectancy (ALE)
the possible yearly cost of all instances of a specific realized threat against a specific asset
what is the BCP (business continuity plan)
- the organization's overall plan for how to continue business operations
- focuses on the whole business getting back to doing business
- is an umbrella policy; the DRP falls under that umbrella as part of the broader plan
which threat modeling methodology is built around Agile development?
VAST
what is Annualized Rate of Occurrence (ARO)
the expected frequency with which a specific threat or risk will occur within a single year
which ISO standard uses PDCA (plan, do, check, act), and what is that standard for?
ISO 27001 – establishing, implementing, maintaining and continually improving an ISMS (information security management system)
Integrity is?
ensures that data or system configurations are not modified without authorization
do you ever mitigate all risk
no
what is RTO (recovery time objective)
The organizations definition of the acceptable amount of time an IT system can be off-line
ARO (annualized rate of occurrence)
how often you expect the risk to occur per year (hurricane, flood, compromise etc.)
threat modeling framework stride was developed by who
Microsoft, focused on software
difference between safeguards and countermeasures
- a safeguard is proactive: it attempts to prevent a risk via directive, deterrent and preventive controls
- a countermeasure is reactive: a control put in place after a risk has been realized
security governance should enable what
- corporate governance (enable business)
what is the primary goal of the threat modeling framework VAST
integrate threat management into an Agile programming environment
7 steps of NIST RMF, what happens at Implement
Implement the controls and document how the controls are employed within the system and its environment of operation.
ISC2 code of Ethics Preamble:
- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this code is a condition of certification
what is an event
• something that has happened
COBIT is based on what 5 principles
- meeting stakeholder needs
- covering enterprise end-to-end
- applying a single, integrated framework
- enabling a holistic approach
- separating governance from management
when developing new safeguards, you are establishing a new security baseline. is keeping compliance with the existing baseline a consideration
no, you are updating that baseline, the new baseline is the new compliance level
6 steps to quantitative risk analysis
- inventory assets and assign value (asset value - AV)
- Calculate Exposure Factor (EF)
- Calculate Single Loss Expectancy (SLE)
- Assess the Annualized Rate of Occurrence (ARO)
- Derive the annualized loss expectancy (ALE)
- perform a cost/benefit analysis of each countermeasure for each threat to each asset
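The six steps above, together with the SLE and ALE formula cards and the controls-gap card elsewhere in this deck, are easier to see run end to end than to memorize. The following Python is an added worked example, not part of the original flashcards: it carries two constructed asset/threat pairs through AV, EF, SLE, ARO and ALE, then applies the standard cost/benefit formula for a safeguard, value = ALE(before) − ALE(after) − annual cost of the safeguard, which the deck does not state explicitly. All asset values, exposure factors, rates and costs are invented for illustration.

```python
"""Quantitative risk analysis: AV -> EF -> SLE -> ARO -> ALE -> cost/benefit.

Constructed example data; nothing here comes from a real assessment.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # annualized rate of occurrence once it is in place


@dataclass
class Threat:
    name: str
    ef: float            # exposure factor: fraction of asset value lost per event
    aro: float           # annualized rate of occurrence: expected events per year
    safeguards: List[Safeguard] = field(default_factory=list)


@dataclass
class Asset:
    name: str
    value: float         # AV: asset value in currency units
    threats: List[Threat] = field(default_factory=list)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF."""
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(av: float, threat: Threat, sg: Safeguard) -> float:
    """Net annual value of a safeguard: ALE(before) - ALE(after) - ACS.
    Positive means the control saves more per year than it costs; negative
    means it costs more than the risk it removes."""
    before = annualized_loss_expectancy(av, threat.ef, threat.aro)
    after = annualized_loss_expectancy(av, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost


def analyze(assets: List[Asset]) -> List[dict]:
    """Run the six steps for every asset/threat pair. For each pair, pick the
    safeguard with the highest positive net value (None if nothing is
    cost-justified). residual_ale is the ALE left after that choice and
    controls_gap = total ALE - residual ALE, i.e. the risk the control removes."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            total_ale = annualized_loss_expectancy(asset.value, threat.ef, threat.aro)
            best: Optional[Safeguard] = None
            best_value = 0.0
            for sg in threat.safeguards:
                v = safeguard_value(asset.value, threat, sg)
                if v > best_value:
                    best, best_value = sg, v
            residual = (annualized_loss_expectancy(asset.value, best.ef_after, best.aro_after)
                        if best else total_ale)
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "sle": round(single_loss_expectancy(asset.value, threat.ef), 2),
                "ale": round(total_ale, 2),
                "recommended": best.name if best else None,
                "net_value": round(best_value, 2),
                "residual_ale": round(residual, 2),
                "controls_gap": round(total_ale - residual, 2),
            })
    return rows


# Step 1: inventory and valuation (constructed figures).
INVENTORY = [
    Asset("customer database", 1_000_000, [
        Threat("ransomware", ef=0.6, aro=0.5, safeguards=[
            Safeguard("offline backups", annual_cost=40_000, ef_after=0.1, aro_after=0.5),
            Safeguard("EDR rollout", annual_cost=120_000, ef_after=0.6, aro_after=0.1),
        ]),
    ]),
    Asset("public web server", 200_000, [
        Threat("DDoS", ef=0.25, aro=4, safeguards=[
            Safeguard("scrubbing service", annual_cost=250_000, ef_after=0.05, aro_after=4),
        ]),
    ]),
]

if __name__ == "__main__":
    for row in analyze(INVENTORY):
        print(row)
```

Two things the numbers make visible: a safeguard can reduce EF (backups shrink the loss per event) or ARO (EDR makes the event rarer), and both feed the same ALE comparison; and a control that clearly "works" (the scrubbing service cuts the DDoS ALE from 200,000 to 40,000) is still rejected when its annual cost exceeds the ALE it removes, which is the point of step 6.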
confidentiality is?
access controls help ensure that only authorized subjects can access objects
SLE (single loss expectancy) formula is
(asset value) X (exposure factor) = SLE
define threat
any potential danger to the organization
What threat model takes an attackers perspective on a business with risk
Pasta
what is a breach
• an occurrence or event that has a negative outcome; in the data-protection sense, an event in which information is accessed or disclosed without authorization
what is the formula for Annualized Loss Expectancy (ALE)
ALE = Single Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO)
what is the definition of security controls
the security measures put in place to counter vulnerabilities and minimize loss or unavailability of services and applications
importance of the Federal Information Security Management Act (FISMA)
required a formal information security program for federal government agencies
risk categories – a group of potential causes of risk. name and define the 3
- Damage – physical loss of an asset or inability to access that asset
- Disclosure – disclosure of critical information regardless of how or where; may be a malicious act by a threat actor or unintentional on the part of a user
- Losses – these might be permanent or temporary, including altered data or inaccessible data
quantitative is related to what
related to cost
Computer Ethics Institute ten commandments
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people's computer work
- Thou shalt not snoop around in other people's computer files
- Thou shalt not use a computer to steal
- Thou shalt not use a computer to bear false witness
- Thou shalt not copy or use proprietary software for which you have not paid
- Thou shalt not use other people's computer resources without authorization or proper compensation
- Thou shalt not appropriate other people's intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
The official four canons. number one is?
Protect society, the common good, necessary public trust and confidence, and the infrastructure
which threat modeling methodology focuses on the necessity of scaling the threat modeling process across the infrastructure and the entire SDLC?
- Simple
- STRIDE
- Trike
- VAST
- PASTA
VAST
define security policy baselines
minimum levels of security requirements - mandatory
Federal Sentencing guidelines did what
provided punishment guidelines to help judges interpret computer crime laws
7 steps of NIST RMF, what happens at categorize
Categorize the system and the information processed, stored and transmitted by the system based on analysis of impact loss —- determine the risk
attributes of Trade Secrets
- protect secret or confidential information (formulas, practices, processes, designs, instruments, patterns, or compilations of information)
example: Coca-Cola recipe
what is an asset
- an asset is anything that is valuable, but usually means
- • data (such as PII)
- • software
- • IT components
- • intellectual property
- • brand
- • reputation
- • real estate/facilities
attributes of a hot site
- highest cost backup site
- always running
- exact duplicate of the main site including data, patches, software and hardware
- the site is staffed
- RTO (recovery time objective): minutes to hours
The official four canons. number four is?
Advance and protect the profession
attributes of a warm site
- backup site that contains IT infrastructure (hardware and sometimes software)
- does not contain current data
- contains the equipment and data circuits required for rapid recovery
- middle ground between a hot site and a cold site
- RTO (recovery time objective): 1-2 days
are baseline mandatory
yes mandatory
categories of the threat modeling framework STRIDE
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
asset valuation can be done in two ways
- Quantitative analysis
- Qualitative analysis
what are the 4 steps to threat analysis
- Define the actual threat.
- Identify possible consequences to the organization if the threat is realized.
- Determine the probable frequency of a threat.
- Assess the probability that a threat will materialize.
NIST SP 800-30 has 4 steps, with 5 sub-steps under step 2, for conducting a risk assessment. name them
- Prepare for assessment
- Conduct assessment
2A. identify threat sources and events
2B. identify vulnerabilities and predisposing conditions
2C. determine likelihood of occurrence
2D. determine magnitude of impact
2E. determine risk
- Communicate results
- Maintain assessment
The official four canons. number two is?
Act honorably, honestly, justly, responsibly, and legally
controls gap formula
- total risk - controls gap = residual risk
- the controls gap is the difference between total risk and residual risk, i.e. the amount of risk the controls mitigated
What are these items describing
- threats
- vulnerability
- likelihood - how likely will this happen
- impact
Risk analysis
what is disclosure
• making “secret” information public
how to determine MTD (maximum tolerable downtime)
RTO (recovery time objective) + WRT (work recovery time) must be less than or equal to MTD
two methods to identify vulnerabilities
- vulnerability assessment
- pen test
What is MTD stand for
Maximum Tolerable Downtime
what types of evidence can be used in a criminal or civil trial
- real evidence - evidence that can be brought into the court room
- documentary evidence - written documents that provide insight into the facts
- testimonial evidence - verbal or written statements made by a witness
what is reduction analysis in threat modeling
breaking a system down into its parts and examining each element for weaknesses and vulnerabilities
are procedures mandatory
yes mandatory
From a high level what are 3 risk assessment steps
- risk identification
- risk analysis
- risk prioritization
what is RPO (recovery point objective)
Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization
consequences of a privacy or data breach
- reputational damage – effects could last for years
- identity theft
- loss of intellectual property
- fines – failing to report a breach can result in fines in the millions and may also lead to lawsuits
- – GDPR allows fines of up to 4% of a company's annual global turnover or 20 million euros, whichever is higher, for the most serious violations (failing to notify a breach falls in the lower tier of 2% or 10 million euros)
- – any company that processes the personal data of people in the EU is subject to GDPR, wherever the company is located
attributes of a cold site
- least expensive backup site
- no IT infrastructure (computing and network hardware)
- electrical and data circuits are in place
- ready to receive replacement equipment and data in the event the users have to move to an alternate site
- RTO (recovery time objective): 1-2 weeks
are policies mandatory
yes