Domain 1: Security and Risk Management Flashcards
Patent
Patents legally secure protection for inventions. Patents must be unique ideas that provide useful processes to complete a task.
Reduction Analysis
A reduction analysis supports threat modeling by identifying elements common to underlying threats.
Also called decomposition
Breaks threat modeling into 5 separate concepts:
Trust Boundaries
Dataflow paths
Input points
Privileged Operations
Details about security stance and approach.
If password attacks are a threat common to several applications, but each of those applications relies on Microsoft Active Directory for authentication and authorization, then Microsoft Active Directory need only be evaluated once for password attacks (not for each application).
Risk
The possibility or likelihood that a vulnerability will be exploited.
Risk = Threat x Vulnerability x Impact
OR
Risk = Threat x Vulnerability
DREAD rating system
Risk rating system
The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
SLE
Single loss expectancy
ALE
Annual Loss Expectancy
SLE x ARO, or (EF x AV) x ARO
Annualized loss expectancy (ALE) measures the one-year financial loss an asset may suffer from a specifically identified threat.
ARO
Annualized rate of occurrence
EF (think quantitative risk analysis)
Exposure Factor
Threat Modeling
Threat modeling is the security process wherein potential threats to assets are identified and analyzed. The goal is to proactively model attacks to identify weak spots and opportunities for control improvement.
Threat Hunting
Threat hunting refers to a technique used in security operations in which production environments are actively scrutinized by an experienced analyst for threats and indicators of compromise.
Due Care
Due care is best defined as taking actions and making decisions that a reasonable and competent person would make.
Due Diligence
Puts governance structures in place to protect an organization's interests.
- Things done in advance.
- Generally strategic, not tactical.
Non-repudiation
Non-repudiation in digital security refers to ensuring that an authentication event is genuine or provides proof of data’s origin and integrity.
Risk mitigation
Risk mitigation is when the risk is reduced to an acceptable level aligned with the organization’s risk appetite. It is never possible to eliminate all risk.
Risk analysis
Synonymous with Risk Assessment. Systematic process of identifying, analyzing, and evaluating potential threats and vulnerabilities that could impact an organization’s information assets.
What does a Trademark protect?
Brand identity - e.g. logo, slogan, catchphrase, etc.
What is Governance?
Governance is the process in which senior management directs an organization to meet its objectives.
Governance must involve oversight to ensure that the goals set by senior management have been met. When performing security governance, IT managers need to keep security objectives in alignment with business objectives.
VAST
Threat Modeling framework:
Visual, Agile, and Simple Threat
VAST uses Agile programming concepts to conduct threat modeling.
Due care
Due Care is acting in a way that a reasonable and competent person would act in a given scenario. Exercising due care can help reduce an organization’s liability in the event of a security breach. A lack of due care can be described as negligence.
-Things done in the moment.
-Generally tactical, not strategic.
Ultimately, who is accountable for the security of a company or organization?
Senior management
Procedure
Procedures usually detail a step-by-step process to accomplish the desired results.
Guideline
Guidelines offer suggestions on how to execute policy, standards, or procedures. They provide recommendations but are not required.
NOT the same as best practices.
Baseline
Defines the minimum level of security that every system throughout the organization must meet.
A baseline is a more operationally focused form of a standard.
All systems not complying with the baseline must be taken offline.
Usually system specific.
Inherent Risk
Level of default, natural, or native risk in an environment/system/product.
Residual Risk
Amount of risk left over after remediating controls have been put in place.
BCP
A Business Continuity Plan (BCP) deals with both preparing for a disaster and aiding after a disaster has occurred.
7 step process:
Develop the contingency planning policy statement.
Conduct the Business Impact Analysis (BIA).
Identify preventive controls.
Create contingency strategies.
Develop an information system contingency plan.
Ensure plan testing, training, and exercises.
Ensure plan maintenance.
Strategic Alignment
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 17-19.
Strategic alignment means that security policy aligns and supports the business’s objectives, goals, and mission. This is done through the use of Strategic plans, Tactical plans, and Operational plans.
Strategic plans are long-term plans. Example: Create a disaster recovery location within five years.
Tactical plans are more detailed than strategic plans and cover a shorter amount of time. Example: Install servers in the third quarter and set up backups in the fourth quarter.
Operational plans are short, detailed plans. Example: Use Network File System (NFS) with a storage area network (SAN) to attach storage to the servers next week.
Change Management
The process of making intentional, vetted changes to an environment, including planning, testing, documenting, and validating that security is maintained as a result.
Electrical Spike
Momentary period of high voltage.
Electrical Surge
Prolonged period of high voltage.
Electrical Sag
Momentary low voltage.
Electrical brownout
Prolonged low voltage.
Electrical Blackout
Complete loss of power.
FISMA
Federal Information Security Management Act.
Applies to federal government agencies and contractors. Passed in 2002.
ITAR
International Traffic in Arms Regulation
The International Traffic in Arms Regulation (ITAR) is a U.S. regulation that restricts and controls the export of defense and military technologies to foreigners. Organizations that manufacture or process information on controlled technologies must establish strict and rigid controls to ensure data is not disclosed to unauthorized individuals.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 158-159.
Economic Espionage Act
Passed in 1996; protects trade secrets.
If stolen, up to $250,000 fine. If stolen and traded to foreign govt, then $500,000 fine.
Computer Fraud and Abuse Act CFAA
Passed in 1984; first major piece of cybercrime legislation in the US. Covers computer crimes crossing state boundaries.
Privacy Act of 1974
The Privacy Act of 1974 restricts the way the government can use private information. It also defines exceptions, such as the census, law enforcement, and health and safety.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 160-161.
When conducting a BIA, is negative publicity qualitative or quantitative?
Generally qualitative.
What does this statement define?
Presence of a vulnerability when a related threat exists
Exposure
TOGAF
The Open Group Architecture Framework (TOGAF) is a standard that helps organizations design, plan, implement, and govern information technology architecture.
TOGAF uses the Architecture Development Method (ADM) to create architectures for business, data, applications, and technology.
Strategic Plan
Strategic plans are long-term plans that are fairly stable and define the organization's security purpose. They align the goals, mission, and objectives of the organization.
Example: Create a disaster recovery location within five years.
Tactical plans are more detailed than strategic plans and cover a shorter amount of time. Example: Install servers in the third quarter and set up backups in the fourth quarter.
Operational plans are short, detailed plans. Example: Use Network File System (NFS) with a storage area network (SAN) to attach storage to the servers next week.
Cybersecurity Enhancement Act of 2014
Amends the National Institute of Standards and Technology Act to permit the National Institute of Standards and Technology (NIST) to produce and support industry-led standards and procedures that reduce cyber risks for organizations.
USPTO
United States Patent and Trademark Office.
Administers registration of trademarks.
Who administers the copyright program?
Library of Congress
PCI-DSS
Payment Card Industry Data Security Standard. Has 12 main requirements.
Digital Millennium Copyright Act
Digital Millennium Copyright Act (DMCA) of 1998 inhibits trading, manufacturing, or selling in any way that is designed to override copyright protection mechanisms. It also addresses ISPs that unknowingly support the posting of copyrighted material by subscribers. If the ISP is alerted that the material is copyrighted, the ISP must remove the material.
COBIT - Control Objectives for Information and Related Technology
ISACA specifies six principles:
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System
COSO - Committee of Sponsoring Organizations of the Treadway Commission
Framework focused on reducing and detecting financial fraud.
Has 20 main principles.
Trade Secret
Trade secrets legally secure protections on data critical to an organization’s operations. This intellectual property usually requires other legal support, such as non-disclosure agreements (NDA) and non-compete clauses. An example of a trade secret is the Coca-Cola formula.
(Threat x vulnerability x asset value) - control gap = _________________
Residual risk.
SCRM - Supply Chain Risk Management
SCRM (Supply Chain Risk Management) is a structured approach to managing resiliency in the sourcing of components and materials. Due to the global, interconnected nature of modern supply chains, the effects from even minor or distant disruptions can cascade to have critical institutional impacts, making supply chain risk management an essential element of broader enterprise risk management practices.
Abstraction
Abstraction is a principle that is commonly applied to simplify security-related management activities, such as permissions assignment. Abstraction simplifies complex sets through the grouping of similar, fundamental elements. Organizing similar user characteristics into roles, and security permissions into groups, are examples of abstraction being applied.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 12.
License
A legally established contract of use and limitations. Licenses are a contract between a vendor and a consumer. Most software vendors require a license per seat, which means you need to purchase one for each computer that has the software installed.
RFC 1087
In 1989, the Internet Architecture Board (IAB) published RFC 1087, a statement of policy titled “Ethics and the Internet”. This statement promoted responsible use of the internet and characterized five categories of activity as unethical. RFC 1087 is considered a forerunner to many contemporary ethics policies.
Ten Commandments of Computer Ethics
The Ten Commandments of Computer Ethics was developed by the Computer Ethics Institute to provide an ethical framework for computer use. Each of its canons begins with “Thou shalt not” in the style of the biblical Ten Commandments.
The Code of Fair Information Practices
Developed by a government advisory committee in 1973, it was an early attempt at defining ethical principles for the handling of personal information. The COSO Framework does not directly relate to ethics, but to internal controls.
Does PHI include billing information?
Yes
Administrative investigation
Internal only; not meant for legal or third-party disputes.
Directive control
An access control that directs, confines, or controls the actions of subjects to force or encourage compliance with security policy.
e.g., a sign on doors that says "No Tailgating!"
Safe Harbor - DMCA (Digital Millennium Copyright Act)
This protects ISPs or other online providers from liability for their users sharing copyrighted material, provided they meet specific requirements, such as implementing a notice and takedown procedure and adopting a policy to terminate the accounts of repeat infringers.
Military and Intelligence Attack
Goal is to obtain secret and restricted information from military or law enforcement systems. Targets the classified data that resides on systems.