Domain 1. Security and Risk Management Flashcards
You attempt to access your online banking account and are redirected to another website. What is this and how to prevent it?
Pharming attack. Implement DNSSEC to prevent it.
After you repair the user’s computer and ensure that the problem is fixed, what should you do next?
Provide the user with a list of the company’s approved software prior to taking any other action.
Best described as ignoring the cost of loss when replacement expenses are less than the cost to mitigate the problem.
For example: installing software that is known to have vulnerabilities.
Risk acceptance.
Determining the cost-effectiveness of mitigating the potential harm or loss to a company.
Risk management.
The process of evaluating threats to ascertain the amount of vulnerability they represent to a company.
Risk assessment.
Quantifying the weakness of an asset owned by the company.
Vulnerability assessment.
Involves storing and maintaining data and hardware in an offsite location so that the alternate assets can be used in the event that a disaster damages hardware and data at the primary facility.
Disaster recovery (DR).
The process of securing weak points in a security implementation; it attempts to close all avenues a malicious user could exploit to gain unauthorized access to a network.
Network hardening.
The process of simulating a malicious attack on a system to identify and exploit potential weaknesses in network security; it provides insight into the methods a malicious user might employ in an attempt to compromise a network.
Penetration testing.
Must endorse a company’s security policy in order to promote company-wide acceptance.
Responsible for ensuring that all of the company’s assets, both physical and logical, are protected.
Senior management.
Why should a company have employees acknowledge that they have read and understood the company’s security policy?
To ensure that the company is protected.
Which statement is not accurate regarding security policy best practices?
Policies need to be changed every year.
Policy reviews should include the following:
Policies need to be reviewed at least once per year.
Reviews should follow a formal process.
Reviews should include an analysis of any security incidents that have occurred.
A process by which an existing security policy is compared to a desired outcome in order to determine the precise components of the policy that need to be rewritten to obtain that outcome.
Gap analysis.
A discretionary document that provides helpful advice to employees. Because they are discretionary, employees are not required to follow them, even though they probably should.
Guidelines.
A comprehensive security program includes the following components:
Policies, Procedures, Standards, Baselines, and Guidelines.
Provide a high-level overview of the company’s security posture, creating the basic framework upon which a company’s security program is based. They contain mandatory directives that employees must follow.
Policies.
A well-formed policy should include the following four elements:
Purpose - the reason the policy exists.
Scope - the entities that are covered by the policy.
Responsibilities - the things that covered individuals must do to comply with the policy.
Compliance - how to measure the effectiveness of the policy and the consequences for violating the policy.
Low-level, step-by-step guides that explain how to accomplish a task. They are specific and provide as much detail as possible. They are mandatory as well.
Procedures.
Define the technical aspects of a security program, including any hardware and software that is required.
Standards.
Provide a minimum level of security that a company’s employees and systems must meet.
Baselines.
Which documents are mandatory and which are discretionary?
Policies, Procedures, and Standards = Mandatory.
Guidelines and Baselines = Discretionary.
Which guideline should you not follow when creating a security policy?
Ensure that the policy is as comprehensive as possible.
Instead, you should keep the policy to two or three pages. The policy should be concise and as understandable as possible.
Sometimes called the information owner or the business owner, is responsible for classifying data. Typically a manager who maintains responsibility for the security of a particular information asset. They also assign sensitivity labels to each asset (a sensitivity label ensures that the data is accessible only by users who possess the appropriate level of clearance).
Data owner.
Responsible for the hands-on protection of data.
Data custodian.
Responsible for protecting the data that they access on a daily basis.
End users.
Eliminates the use of a technology or a service altogether rather than dealing with the risks that are incurred by implementing the technology or service. Should be performed whenever the costs of mitigating or accepting the risk are higher than the benefits gained by providing the service.
Risk avoidance.
Lowers the chance that a risk event occurs or lowers the damage that a risk event causes.
Risk mitigation.
Occurs when a company chooses to leave an asset unprotected rather than undergo the time and expense to protect the asset. Should be performed only when the risk or the consequences of exposure are low.
Risk acceptance.
What are AV, EF, ARO, SLE, and ALE?
AV (asset value) - the value of the asset that is at risk, including any data stored on the asset.
EF (exposure factor) - the percentage of the asset’s value that is lost when a risk event occurs. For example: failure only, 10%; theft, 100%.
ARO (annualized rate of occurrence) - the frequency at which a risk event occurs, expressed as the number of losses that occur in one year. For example: 1 failure divided by 5 years = 0.2 failures per year.
SLE (single loss expectancy) - the cost of a single loss, including the cost of materials, the technical service hours required, and the lost productivity that is experienced because of the loss.
ALE (annualized loss expectancy) - the average yearly cost of a particular risk. For example: $1,200 (SLE) x 0.25 (ARO) = $300 (ALE).
Tricking an individual into revealing authentication credentials or other PII to a potential attacker.
Social engineering.
Installing software that is known to have vulnerabilities is an example of which risk response?
Risk acceptance.
The practice of contracting with a third party in another country to perform a business function or service.
For example, a healthcare provider that offshores the storage of medical imaging files must ensure that the foreign company will take proper steps to protect the data; if not, the healthcare provider will be liable. U.S. laws do not apply to companies located in other countries.
Offshoring.
The practice of contracting with a third party to perform a business function or service (this can be performed within the country). Subject to U.S. laws and regulations (both U.S. and foreign companies).
Outsourcing.
Allowing a business function or service to be performed by employees within the company rather than by a third party.
Insourcing.
Third-party contractors outsource work that was originally assigned to them.
Subcontracting.
A healthcare company is hiring you as an ISO. You will be tasked with securing the company’s networks and workstations. To which individual or department would you be least likely to report?
The internal audit department. Why? They are tasked with evaluating how the company’s employees are handling business processes, including IT security, which would be a conflict of interest.
In which of the following situations would you be most likely to delete a user account?
Termination of an employee who is starting a new job the next day.
Why? User accounts should be deleted only if the user is unlikely to return to the company and the user’s account is not tied to data that cannot be easily accessed by another user account, such as encrypted information.
A connection attempt by a malicious program on the network that can propagate without user interaction is called what?
Worm.
A stream of MAC addresses sent to a switch on a network in an attempt to overload the switch’s ARP cache (ARP is a network protocol that maps IP addresses to MAC addresses), which could induce the switch to act as a hub by broadcasting information out each port, is called what?
MAC flooding attack.
An attacker intercepting transmissions between two target hosts, with the flow of traffic between the hosts typically routed through a device that the attacker controls, is known as what?
Man-in-the-middle attack.
An intellectual property attack in which an entity registers an internet domain name that is a common misspelling of, or is closely related to, another entity’s trademark.
For example, if the legitimate domain is example.com, a typosquatter might register exampel.com.
Typosquatting.
An intellectual property attack that focuses on infringement of a trademark; it occurs when an entity registers an internet domain name that infringes on a different entity’s trademark.
For example, if a well-known company holds a trademark for “ExampleBrand”, a cybersquatter might purchase the domain examplebrand.com before the company has a chance to register it. The squatter might then sell the domain to the company for an inflated price, or use it to create a website that capitalizes on the trademarked name’s popularity for the squatter’s own benefit.
Cybersquatting.
An industry standard that an entity in a particular industry should strive to meet or exceed.
Best practice.
Best described as business practices that a reasonable individual would consider appropriate.
It is a legal liability concept that defines the minimum level of information protection that an organization must achieve.
Prudent Man Rule or Due Care.
Tip: the Prudent Man Rule is often applied to the process of due care, which is a legal liability concept that defines the minimum level of information protection that a business must achieve.
The requirement for an organization to continually review its practices to ensure that protection requirements are met.
Due diligence.
Occurs when an individual who was already planning to commit a crime is eventually lured into doing so at the urging of law enforcement.
Enticement.
Justification for the seizure of evidence without a warrant in order to protect the evidence from being destroyed.
Exigent circumstances.
An aggregated threat-modeling methodology developed by Microsoft.
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of Privilege
A risk-based threat-modeling methodology that contains the following seven stages:
Process for Attack Simulation and Threat Analysis (PASTA).
Stage I: Definition of the Objectives (DO) for the Analysis of Risks.
Stage II: Definition of the Technical Scope (DTS).
Stage III: Application Decomposition and Analysis (ADA).
Stage IV: Threat Analysis (TA).
Stage V: Weakness and Vulnerability Analysis (WVA).
Stage VI: Attack Modeling & Simulation (AMS).
Stage VII: Risk Analysis & Management (RAM).
A risk-based threat-modeling methodology that allows security audits to be performed consistently, reliably, and repeatably. An acceptable level of risk is assigned to each class of asset; these risk levels are then used to determine the appropriate response to each threat.
Trike.