Domain 1: Security and Risk Management 15% Flashcards

1
Q

Due Diligence

A

The research done to build the IT Security architecture of your organization: best practices and common protection mechanisms. Research of new systems before implementing them.

2
Q

Due Care

A

Prudent person rule. Implementing the IT Security architecture and keeping systems patched. If compromised: fix the issue and notify affected users.

3
Q

Negligence

A

The opposite of Due Care. If a system under your control is compromised and you can prove you exercised Due Care, you are most likely not liable. If a system under your control is compromised and you did NOT perform Due Care, you are most likely liable.

4
Q

Real Evidence

A

Tangible and physical objects; in IT Security: hard disks, USB drives, NOT the data on them.

5
Q

Direct Evidence

A

Testimony from a first-hand witness: what they experienced with their five senses.

6
Q

Circumstantial Evidence

A

Evidence to support circumstances for a point or other evidence.

7
Q

Corroborative Evidence

A

Supports facts or elements of the case: not a fact on its own, but supports other facts.

8
Q

Hearsay

A

Not first-hand knowledge - normally inadmissible in a case. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by. Must have clear chain of custody and hash the files/logs to assure the data was not modified.

9
Q

Best Evidence Rule

A

The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.

10
Q

Secondary Evidence

A

This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

11
Q

Evidence Integrity

A

It is vital that the evidence integrity cannot be questioned. We do this with hashes. Any forensics is done on copies and never on originals. Check hashes on both the original and the copy before and after the forensics.

12
Q

Chain of Custody

A

This is done to prove the integrity of the data; that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?

13
Q

Entrapment

A

Illegal and unethical: when someone is persuaded to commit a crime they had no intention of committing and is then charged with it.

14
Q

Enticement

A

Legal and ethical: making committing a crime more enticing, but the person has already broken the law or at least has decided to do so. Honeypots can be a good way to use enticement.

15
Q

Copyright

A

Automatically granted and lasts 70 years after the creator's death, or 95 years after creation for works made by/for corporations.
Attack: software piracy and copyright infringement (songs and images).

16
Q

Trademarks

A

Brand names, logos, slogans. Must be registered; valid for 10 years at a time; can be renewed indefinitely.
Attack: counterfeiting, e.g. fake Rolexes.

17
Q

Patents

A

Protects inventions for 20 years. Cryptography algorithms can be patented. Inventions must be novel, useful, and nonobvious.
Attack: patent infringement, i.e. using someone else's patent in your product without permission.

18
Q

Trade Secrets

A

You tell no one about your formula, your secret sauce. If it is discovered, anyone can use it; you are not protected.

19
Q

HIPAA

A

Health Insurance Portability and Accountability Act. Puts strict privacy and security rules on how Personal Health Information is handled by health insurers, providers and clearinghouse agencies (claims). Has 3 rules: the Privacy Rule, the Security Rule and the Breach Notification Rule. Risk analysis is required.

20
Q

Electronic Communications Privacy Act (ECPA)

A

Protection of electronic communications against warrantless wiretapping. This Act was weakened by the Patriot Act.

21
Q

Patriot Act of 2001

A

Expands law enforcement's electronic monitoring capabilities. Allows search and seizure without immediate disclosure.

22
Q

Computer Fraud and Abuse Act. (CFAA)

A

Most commonly used law to prosecute computer crimes. Enacted in 1986 and amended many times, including in 2002 (Patriot Act) and 2008 (Identity Theft Enforcement and Restitution Act).

23
Q

Gramm-Leach-Bliley Act (GLBA)

A

Applies to financial institutions. Enacted in 1999; requires protection of the confidentiality and integrity of consumer financial information.

24
Q

Sarbanes-Oxley Act of 2002 (SOX)

A

Directly related to the accounting scandals of the late 90s. Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.

25
EU Data Protection Directive
Very aggressive pro-privacy law. Organizations must notify individuals of how their data is gathered and used. Organizations must allow an opt-out for sharing with 3rd parties. Opt-in is required for sharing "most" sensitive data. No transmission out of the EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard.
26
Organization for Economic Cooperation and Development (OECD) Privacy Guidelines
Eight driving principles. Security safeguards principles: Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification, and disclosure.
27
Wassenaar Arrangement
Export/import controls for Conventional Arms and Dual-Use Goods and Technologies. 41 countries are part of the arrangement. Cryptography is considered "Dual-Use". Iran, Iraq, China, Russia and others have import restrictions on strong cryptography.
28
Procurement
When we buy products or services from a 3rd party, security is included from the start and is not an afterthought.
29
Service Level Agreement (SLA)
A contract in which a certain uptime can be promised.
30
Acquisitions
Your company acquires another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?
31
Divestitures
Your org is being split up. How do you ensure no data crosses boundaries it shouldn't? Who gets the IT infrastructure?
32
GDPR, General Data Protection Regulation
A regulation in EU law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It does not matter where we are based: if we have customers in the EU/EEA we have to adhere to the GDPR. Violators of the GDPR may be fined up to 20 million Euros or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.
33
ISC Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.
34
ISC Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
35
IAB's Ethics and the Internet
Defined as RFC #1087. Considered unethical behavior: 1. Seeks to gain unauthorized access to the resources of the Internet. 2. Disrupts the intended use of the Internet. 3. Wastes resources.
36
Information Security Governance: Mandatory items
Policies, Standards, Procedures
37
Information Security Governance: Non-mandatory items
Guidelines, Baselines (Benchmarks)
38
Information Security Governance: Personnel Security
Users often pose the largest security risk. Areas: awareness, training, hiring practices, employee termination practices, vendor/consultant/contractor security, outsourcing and offshoring.
39
Administrative (Directive) Access Controls
Organizational policies and procedures, regulation, training and awareness.
40
Technical Access Control
Hardware, software and firmware: firewalls, routers, encryption.
41
Physical Access Controls
Locks, fences, guards, dogs, gates, bollards
42
Preventative
Controls that prevent an action from happening: least privilege, drug tests, IPS, firewalls, encryption.
43
Detective
Controls that detect during or after an attack: IDS, CCTV, alarms, anti-virus.
44
Corrective
Controls that correct the effects of an attack: anti-virus, patches, IPS.
45
Recovery
Controls that help us recover after an attack: DR environment, backups, HA environments.
46
Deterrent
Controls that deter an attack: fences, security guards, dogs, lights, "Beware of the dog" signs.
47
Compensating
Controls that compensate for other controls that are impossible or too costly to implement.
48
Qualitative Risk Analysis
How likely is it to happen, and how bad is it if it happens? Most often done to know where to focus the Quantitative Risk Analysis. Sometimes used with a Risk Analysis Matrix. Think "quality": the concept is semi-vague, e.g. "pretty good quality."
49
Quantitative Risk Analysis
What will it actually cost us in $? This is fact-based analysis of the total $ value of the asset; math is involved.
50
Threat
A potentially harmful incident.
51
Vulnerability
A weakness that can allow a Threat to do harm.
52
Risk
Threat x Vulnerability
53
Impact
Can at times be added to the risk calculation to give a fuller picture.
54
Total Risk
Threat x Vulnerability x Asset Value
55
Residual Risk
Total Risk - Countermeasures
56
Single Loss Expectancy (SLE)
Asset Value (AV) x Exposure factor (EF)
57
Annual Rate of Occurrence (ARO)
How often will this happen each year?
58
Annualized Loss Expectancy (ALE)
This is what it costs per year if we do nothing.
59
Transfer the Risk
The insurance approach to risk.
60
Risk Avoidance
Don't issue laptops to employees, or build the data center where there are no floods.
61
Risk Rejection
This is never acceptable.
62
Secondary Risk
Mitigating one risk may open up another risk.
63
Risk Analysis: NIST 800-30
A 9-step process for Risk Management.
64
White Hat hackers
Professional pen testers trying to find flaws so we can fix them. Ethical hackers.
65
Black Hat hackers
Malicious hackers, trying to find flaws to exploit them.
66
Grey Hat hackers
Somewhere between the white and black hats. They look for a vulnerability and publish it if the company does nothing to fix it.
67
Hacktivist
Hacking for politically or socially motivated purposes.
68
Bots
Systems infected with malware and controlled through a botnet.
69
Botnets
A Command and Control network of bots, controlled by the people running it (bot-herders).
70
Phishing
A social engineering email attack.
71
Spear Phishing
Targeted phishing: not just random spam, but aimed at specific individuals.
72
Whale Phishing (Whaling)
Spear phishing targeted at senior leadership of an organization.