Domain 1 (Security and Risk Management) Flashcards
What does CIA stand for?
Confidentiality, Integrity and Availability
What is the purpose of confidentiality?
Enforces secrecy
What is the purpose of integrity?
Accuracy, reliability of data
What are example controls that enforce confidentiality?
Encryption, Access control
What are example controls that enforce Integrity?
Hashing, Change Control
What are example controls that enforce availability?
RAID, backups
Definition of Vulnerability
System weakness that allows a threat agent to compromise it
Definition of Threat
Danger associated with exploiting a vulnerability
Examples of a Threat Agent
Intruder, careless employee or bad policy
Definition of Risk
Likelihood of a threat source exploiting a vulnerability, and its business impact
Definition of Exposure
Instance of being exposed to loss. Example: Weak Password
Definition of Control
Countermeasure to mitigate risk
What are the three control types?
Administrative, Technical and Physical
Examples of Administrative controls
Documents, training, management related
Examples of Technical controls
Firewall, encryption, IDS
Example of physical control
Fences
Definition of Defense-In-Depth
Coordinated use of several controls in a layered approach
Name the six control functions
Preventative, Detective, Corrective, Deterrent, Recovery and Compensating
What does a Preventative control function do?
Intended to avoid an incident happening
What does a detective control function do?
Identify incident activities
What does a corrective control function do?
Fixes systems after incident
What does a deterrent control function do?
Discourages attackers
What does a recovery control function do?
Brings environment back to operation
What does a compensating control function do?
Alternative measure of control
Definition of Security Through Obscurity
Assume your enemies are not as smart as you are
Definition of Methodology
Process to follow to build an architecture
Definition of Strategic Alignment
Business drivers being met by security
Definition of Business enablement
Core business processes are integrated into security model
What does a system architect do?
Structure of software
What does an enterprise architect do?
Structure of organization
What is computer assisted crime?
Computer used to carry out crime
What is computer targeted crime?
Computer was victim
What is computer incidental crime?
A computer happened to have been used in the crime
Definition of Advanced Persistent Threat
Very focused and motivated attacker
Characteristics of Civil law system
Decides liability, not guilt. Financial compensation
Characteristics of criminal law
Innocent until proven guilty. Punishment is loss of freedom
Characteristics of Customary Law Systems
Based on tradition, Deals with personal conduct, Fine or community service
What is a mixed law system?
Mostly a mix of civil and common law
Characteristics of Administrative law
Regulatory standards for performance and conduct
Characteristics of Trade Secret
Qualifies only if it provides the company with a competitive edge. Must require skill, money and effort to develop. Proprietary.
Examples of a Trade Secret
Algorithms, source code, recipe
Characteristics of Copyright
Does not cover the idea itself, but the expression of the idea
Examples of Copyright
Drawing, music
Examples of Trademark
Word, symbol, sound
Characteristics of Patent
Excludes others from copying, lasts 20 years
What do you call non practicing entities that do not use patent?
Patent troll
What is Freeware
Can use and share
What is Shareware
Released for marketing
What is Personally Identifiable Information?
Data that can identify a single person
What is privacy?
The ability to control who has information about you
What is a Chief Privacy Officer?
Usually a lawyer who oversees how data is managed
Name three privacy problems
Data aggregation, loss of borders, convergent technologies
What is a generic approach regulation?
Stretches across industries, also called horizontal enactment
Tip for Reasonable Expectation of Privacy?
Tell staff they are being monitored
Definition of Threat?
Something that has the potential to cause harm
Quality of a safeguard?
It’s proactive
Quality of a Countermeasure?
It’s reactive
What is a Secondary Risk?
A risk that comes later as the result of another risk response
What is Residual Risk?
The risk left over after a risk response
What does the Delphi Technique do?
Get users to contribute to risk analysis anonymously
Quantitative Analysis - what does AV stand for?
Asset value, Dollar number asset is worth
Quantitative Analysis - what does EF stand for?
Exposure factor. Percentage of loss expected as a result
Quantitative Analysis - what does SLE stand for?
Single loss expectancy. Dollar amount a single occurrence of the threat costs
Quantitative Analysis - what does ARO stand for?
Annual Rate of Occurrence. How often a threat is expected to materialize
Quantitative Analysis - what does ALE stand for?
Annual loss expectancy. Cost per year as a result of the threat
Quantitative Analysis - what does TCO stand for?
Total cost of ownership. Cost of implementing the safeguard
What is Asset Value (AV)?
Dollar number asset is worth
What is Exposure Factor (EF)?
Percentage of loss expected as a result
What is Single Loss Expectancy (SLE)?
Dollar amount a single occurrence of the threat costs
What is Annual Rate of Occurrence (ARO)?
How often the threat is expected to materialize
What is Annual Loss Expectancy (ALE)?
Cost per year as a result of the threat
What is Total Cost of Ownership (TCO)?
Total cost of implementing a safeguard
Formula for Single Loss Expectancy (SLE)?
SLE (Single Loss Expectancy) = AV (Asset Value) * EF (Exposure Factor)
Formula for Annual Loss Expectancy (ALE)?
ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annual Rate of Occurrence)
What are the five ways to mitigate risk?
Reduce, Accept, Transfer, Avoidance, Rejection
What does Risk Reduction do?
Lessen the probability and/or impact of a risk
What is Risk Transference?
Shares the risk with someone else. Insurance or SLA. Lessens the portion of loss. Does not reduce likelihood.
What is Risk Acceptance?
Logical solution when cost of mitigation is greater than the potential for loss
What is Risk Rejection?
Happens when we ignore the risk
What is Risk Avoidance?
When we don’t go ahead with whatever would expose us to that risk
What is Total Risk?
The risk that exists before any control is implemented
What is Governance?
Ensures that stakeholder needs and goals are understood
What is Management?
Plans, builds, runs and monitors activities as directed by governance
COBIT and COSO buzzword
Goal orientated
OCTAVE buzzword
Self directed risk assessment
What does ISO 27002 do?
Practical advice for implementing security controls in an ISMS (Information Security Management System)
What does ISO 27001 do?
Establish, Implement, Control and Improve ISMS (Information Security Management Systems).
What does ISO 27004 do?
Provides metrics for measuring the success of ISMS (Information Security Management Systems).
What does ISO 27799 do?
Directives on protecting personal health information
What does ISO 27005 do?
A standards based approach to risk management
What standard replaced ISO 17799?
ISO 27002
Who is ultimately responsible for the security within an organization?
Senior management
What is Due Diligence?
Continuously monitoring an organization's practices to ensure they are meeting the security requirements
What is Due Care?
Ensuring that best practices are implemented and followed.
What is the Prudent Man Rule?
Acting responsibly and cautiously as a prudent man would
What are the three characteristics of the Organization Security Policy?
Very high level management statement,
Assign responsibility,
Explains drivers.
What is a System Specific Policy?
Every system has a different policy (printers, AD, etc.)
What is an Issue Specific Policy?
Company stance on various employee issues. Privacy, e-mail usage, etc.
What are Standards within Policies?
Mandatory, gives specifics about how to support policy
What are Procedures?
Mandatory, Step by step instructions
What are Guidelines?
Not mandatory, suggestive in nature. Recommended actions and guides to users
What are Baselines?
Mandatory, minimum acceptable security configuration for a system or process
What is Disaster Recovery Planning (DRP)?
Handles the disaster and its ramifications right after the disaster hits
What is Business Continuity Planning (BCP)?
Deals with long term effects of outage
What is Business Continuity Management (BCM)?
Holistic management process that covers both
Who is the leader of the BCP (Business Continuity Planning) team?
Business continuity coordinator
What is Maximum Tolerable Downtime (MTD)?
Classifications for how long each system can be down (Critical, Normal, Non-essential, etc.)
What is performed before Business Continuity Planning (BCP)?
A business impact analysis (BIA)
What is Separation of Duties?
Ensures no individual can complete a critical task by himself
What is Collusion?
At least two people working together to cause fraud
What is Split Knowledge?
No one person knows how to completely perform a task (e.g. launch codes)
What is Dual Control?
Two people must perform an action, such as a key turn
What is Rotation of Duties?
No one person holds a position for too long
What is the WASSENAAR agreement?
Cannot export crypto to terrorist countries
What is cyber squatting?
Registering a URL that somebody else would need
What is HIPAA (Health Insurance Portability and Accountability Act)?
Applies to healthcare
What is a Crisis Communication Plan?
How to report to staff and public
What is an Occupant Emergency Plan (OEP)?
Keep people safe
How often should a Disaster Recovery Plan be tested?
At least once a year
What is a Failover?
Action taken to recover
What is a Failback?
Go back to normal after failover
What is a Parallel test in DRP?
System moved and used offsite, risky
What is a Full Interruption Test?
Shutdown original site, risky
What is Recovery Point Objective (RPO)?
How current must my data be if restoring from a backup?
What is Maximum Tolerable Downtime (MTD)?
What is the longest that a system can be down?
What is Mean Time Between Failures (MTBF)?
Lifespan of hardware
What is Minimum Operating Requirements (MOR)?
What is the minimum system spec?
What is the opposite of CIA?
Disclosure, Alteration and Destruction
What does IAAA stand for?
Identity and Authentication, Authorization and Accountability
What is an example of Identity and Authentication?
Username and password
What is an example of Authorization as it relates to IAAA?
Actions done on a system after Authentication such as read and write access
What is nonrepudiation?
A user cannot deny having performed a transaction
What is the difference between subjects and objects?
Subject is a user, object is a file
What are the three types of Financial Damages in legal terms?
Statutory, Compensatory and Punitive
What are Statutory Financial Damages?
Prescribed by law awarded to victim even if they have suffered no loss
What are Compensatory Financial Damages?
Provide victim with financial award to compensate for loss
What are Punitive Financial Damages?
Punish individual or organization
What is Attestation?
Having a third-party audit a service provider to ensure they can be trusted
What is a Divestiture?
The opposite of an acquisition in which two companies become one
Is a Policy mandatory or discretionary?
Mandatory
Is a Procedure mandatory or discretionary?
Mandatory
Is a Standard mandatory or discretionary?
Mandatory
Is a Guideline mandatory or discretionary?
Discretionary
Is a Baseline mandatory or discretionary?
Discretionary
What is offshoring?
Outsourcing to another country