Domain 1: Security and Risk Management Flashcards
CIA Triad
Confidentiality, Integrity, Availability
Ex: Violation of Confidentiality
capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, sniffing…
Sensitivity
quality of info, which could cause harm or damage if disclosed
Discretion
act or decision where an operator can influence or control disclosure to minimize harm or damage
Criticality
level to which info is mission critical
Concealment
act of hiding or preventing disclosure
Seclusion
Storing info in an out of the way location
Ex: Violation of Integrity
Accidental deletion of files, entering invalid data, including errors in commands…
Availability
Authorized subjects are granted timely and uninterrupted access to objects
Ex: Violations of Availability
Accidental deletion of files, overutilization of hardware or software, underallocating resources…
AAA Services
Identification, Authentication, Authorization, Auditing, Accounting
Identification
who you are
Authentication
you are who you say you are
Authorization
allowing or denying access to resources and objects based on the identity that was authenticated
Auditing
recording of events
Accounting/Accountability
holding subjects accountable for their actions
Nonrepudiation
ensures that the subject of an activity or event cannot deny that the event occurred, possible through AAA services
Layering
Defense in Depth, Delay an intruder
Abstraction
Similar elements are put into groups, classes, or roles and assigned security controls as a collective
Data Hiding
positioning data in a logical storage compartment not seen by subjects (think classification levels)
Encryption
art and science of hiding the meaning or intent of a communication from unintended recipients
Security Governance
Collection of practices related to supporting, defining, and directing the security efforts of an org
The best key plan is useless without ________
approval by senior mgmt
Security Plan Timeline
Strategic (about 5 years - long term, fairly stable; defines the org's security purpose, driven by risk assessment)
Tactical (about 1 year - midterm; schedules tasks, project plans, hiring plans, budget plans)
Operational (months - short term, highly detailed; training plans, system deployment plans)
Importance of CM
Change can introduce new loopholes, overlaps, and oversights that lead to new vulnerabilities
Goal of CM
ensure that change does not reduce security; changes are documented and can be undone (backups and rollback procedures)
Data Classification
data is protected based on its need for secrecy, sensitivity, or confidentiality
Primary Objective of Data Classification
formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
7 steps to implement a classification scheme
- Identify the custodian and define responsibilities
- Specify the evaluation criteria of how the info will be classified and labeled
- Classify and label each resource
- Document any exceptions to the classification policy
- Select the security controls
- Specify the procedures for declassifying resources
- Create an enterprise-wide awareness program
Levels of Government Classification
Top Secret, Secret, Confidential, Sensitive but Unclassified, Unclassified
Commercial Classification Levels
Confidential/Proprietary, Private, Sensitive, Public
Senior Manager
ultimately responsible for the security maintained by the org; approves the security policy and is the party held accountable for protecting its assets
Security Professional
experienced network, systems, and security engineer who is responsible for following the directives mandated by senior mgmt (functional responsibility)
Data Owner
responsible for the classifying of info
Data Custodian
responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
User
person who has access to the system
Auditor
responsible for reviewing and verifying that the security policy is properly implemented
COBIT & COSO
frameworks of control objectives for meeting security goals - COBIT (ISACA) covers IT governance and IT controls, COSO covers enterprise-wide internal control and governance
Due Care
using reasonable care to protect the interests of the org
Due Diligence
Practicing the activities that maintain due care
Security Policy
document that defines the scope of security needed by an org and discusses the assets that need protection. Assigns responsibilities, defines roles, specifies audit requirements, defines acceptable risk levels
3 Categories of Security Policies
Regulatory (industry and legal standards), Advisory (acceptable use policy) and Informative (support, background)
Standards
define requirements for homogeneous use of hw, sw, tech, and security controls. Tactical docs that define the steps to accomplish the goals set by the security policy
Baseline
minimum level of security that every system must meet
Guidelines
recommendation on how standards and baselines are implemented
Procedures
step by step how to
Relationship of Policy Components
(Inverted Triangle, broadest at top) Policies -> Standards and Baselines -> Guidelines -> Procedures; each lower tier is derived from and must not contradict the tier above it
3 Approaches to ID Threats
Focus on Assets, Focus on Attackers, Focus on Software
STRIDE
Threat Categorization Scheme - Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges
Reduction Analysis
decomposing the application, system or environment
5 key concepts of decomposition
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach
DREAD
Threat Ranking - Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
Acquisition Assessment
On-Site Assessment, Document Exchange and Review, Process/Policy Review
Protection Mechanisms
Layering, Abstraction, Data Hiding, Encryption
Applying Threat Modeling
Identifying threats
Determining potential attacks
Performing reduction analysis
Prioritization and response
Separation of Duties
critical work tasks are divided among several individual administrators so that no single person can complete a sensitive process alone
Collusion
two or more people conspiring to carry out a negative activity (fraud, theft, espionage) that none of them could perform alone; separation of duties forces an insider to need collusion
Job Responsibilities
Specific work tasks an employee is required to perform on a job
Job Rotation
rotating employees among multiple positions to provide knowledge redundancy and reduce the risk of fraud, misuse of info, data modification, etc.
NDA
Nondisclosure agreement used to protect the confidential information within an organization from being disclosed by a former employee
NCA
Noncompete Agreement prevents employees with secrets from working in a competing org
6 parts of employee termination policy
Return of all company assets, remove or disable the employee's network user account, notify HR to issue the final paycheck, arrange for security to escort the employee out, inform security personnel at entrance points that the employee may not reenter unescorted
SLA
Service Level Agreement
Compliance
the act of conforming to or adhering to rules, policies, regulation, standards, or requirements
Third-party Governance
security oversight on third parties that your org relies on
Risk
the possibility that something could happen to damage, destroy, or disclose data or other resources
The primary goal of risk management is __________
to reduce risk to an acceptable level
Risk Analysis
The process by which the goals of risk management are achieved
Asset
anything within an environment that should be protected
Asset Valuation
dollar value assigned to an asset
Threats
Any potential occurrence that may cause an undesirable or unwanted outcome
Vulnerability
The weakness in an asset or the absence or weakness of a safeguard or countermeasure
Exposure
being susceptible to asset loss because of a threat; the possibility that a vulnerability will be exploited
Risk = A x B
Threat x Vulnerability (a conceptual relationship, not literal arithmetic)
Safeguard
countermeasure, anything that removes or reduces a vulnerability or protects against one or more specific threats
Attack
exploitation of a vulnerability by a threat agent (intentional attempt)
Breach
occurrence of a security measure being bypassed or thwarted by a threat agent
Elements of Risk
THREATS exploit VULNERABILITIES which results in EXPOSURE which is RISK which is mitigated by SAFEGUARDS which protect ASSETS which are endangered by THREATS
Risk management/analysis is primarily an exercise for _______
upper management
Six Major Elements of Quantitative Risk Analysis
Assign Asset Value, Calculate Exposure Factor, Calculate SLE, Assess ARO, Derive ALE, Perform cost/benefit analysis of countermeasures
EF
Exposure Factor - percentage of an asset's value that would be lost in a single realized threat event
SLE
Single Loss Expectancy = AV * EF
ARO
Annualized Rate of Occurrence is the expected frequency with which a threat or risk will occur in a single year
ALE
Annualized Loss Expectancy = SLE * ARO
Cost/Benefit Analysis steps
Pre-countermeasure ALE, Post-countermeasure ALE, Annual Cost of Safeguard (ACS); value of the safeguard = (ALE before) - (ALE after) - ACS, and only a positive result justifies buying it
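Worked example of the quantitative risk analysis steps on the cards above (AV, EF, SLE, ARO, ALE and the safeguard cost/benefit test). This is an added example, not material from the original flashcards; the asset, dollar figures, exposure factors, AROs and safeguard names are constructed for illustration. It goes slightly beyond the cards by ranking several candidate safeguards at once and flagging the ones whose annual cost exceeds the loss they avoid.

```python
"""Quantitative risk analysis: SLE = AV * EF, ALE = SLE * ARO, and
safeguard value = ALE(before) - ALE(after) - ACS.
Added example; all numbers below are constructed, not real assessment data."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost in ONE event (0.0 to 1.0)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be fractional (0.1 = once per ten years) or > 1 (several times a year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # ACS: purchase, deployment and maintenance spread per year
    new_exposure_factor: float  # EF after the safeguard is in place
    new_aro: float              # ARO after the safeguard is in place


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS. Positive means the safeguard is cost-justified."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.new_exposure_factor), sg.new_aro)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float, candidates):
    """Return [(name, value), ...] best first. A value <= 0 means the safeguard
    costs at least as much per year as the loss it avoids, so risk acceptance wins."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (hypothetical): a customer database worth $500,000, a
# ransomware event expected to destroy 60% of its value, about once every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.6
ARO = 0.5

CANDIDATES = [
    # Backups do not change how often ransomware lands (ARO) but cut the loss per event (EF).
    Safeguard("offsite encrypted backups", annual_cost=20_000.0, new_exposure_factor=0.1, new_aro=0.5),
    # An expensive control that reduces both EF and ARO but costs more than the risk it removes.
    Safeguard("dedicated HSM cluster", annual_cost=200_000.0, new_exposure_factor=0.05, new_aro=0.1),
    # Risk acceptance: no cost, no change; always scores exactly 0.
    Safeguard("accept the risk", annual_cost=0.0, new_exposure_factor=0.6, new_aro=0.5),
]


def baseline_ale() -> float:
    """ALE of the scenario with no safeguard: 500,000 * 0.6 * 0.5 = 150,000 per year."""
    return annualized_loss_expectancy(
        single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR), ARO)


def ranked_scenario():
    """Ranking for the constructed scenario: backups (+105,000), accept (0), HSM (-52,500)."""
    return rank_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, CANDIDATES)


if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR):,.0f}")
    print(f"ALE (no safeguard) = {baseline_ale():,.0f}")
    for name, value in ranked_scenario():
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:28s} value/year = {value:>12,.0f}  ({verdict})")
```

The sign of the result, not the size of the ALE reduction, is what the cost/benefit step checks: the HSM option removes far more ALE than the backups do, yet its ACS makes it a net loss, so the cheaper control wins and the expensive one should be rejected or re-scoped.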
Delphi Technique
anonymous feedback and response process used to enable a group to reach consensus anonymously (qualitative risk analysis)
4 Possible Risk Responses
Reduce/Mitigate, Assign/Transfer, Accept, Reject/Ignore
Risk Mitigation or Reduction
implementing safeguards and countermeasures to eliminate vulnerabilities or block threats
Risk Assignment
transferring the cost of a loss to another entity, e.g. buying insurance or outsourcing the function
Residual Risk
Risk remaining once countermeasures are implemented
Total Risk = _______
Threats * Vulnerabilities * Asset Value (a conceptual formula, not literal multiplication)
Difference between total risk and residual risk
Total risk - residual risk = controls gap, the amount of risk that is reduced by implementing safeguards
3 Categories of Security Control Implementation
Physical, Logical/Technical, Administrative
Technical Controls
involves hw or sw mechanisms used to manage access and provide protection
Administrative Controls
policies and procedures
Physical Controls
Controls you can physically touch
Control Types (7)
Deterrent - discourages a subject from taking an action (e.g. warning banners, policies)
Preventive - blocks a subject from taking an unwanted action
Detective - discovers activity after the fact
Compensating - provides options to other existing controls to aid in enforcement and support of the security policy
Corrective - modifies the environment to return systems to normal after an unwanted activity
Recovery - extension of corrective, more advanced; restores resources, functions, and capabilities after a violation
Directive - directs, controls, or confines the actions of subjects to force or encourage compliance
A prerequisite to security training is ______
Awareness
Training vs Education
training teaches employees to perform their work tasks and comply with policy; education is more detailed and provides more than a user needs to know for their job
BCP
Business Continuity Planning involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur
The top priority of BCP and DRP is always __________
people
The overall goal of BCP is ____________________
to provide a quick, calm, and efficient response in the event of an emergency
4 main steps of the BCP process
Project Scope and Planning
Business Impact Analysis
Continuity Planning
Approval and implementation
Project Scope and Planning Requirements
■ Business Org Analysis
■ BCP Team Creation
■ Resource Assessment
■ Legal and regulatory analysis
Business Org Analysis
identify all departments and individuals who have a stake in the BCP
BCP Team Selection
Reps from core service departments, reps from key support departments, IT reps, security reps, legal reps, senior management reps
Three Phases of BCP
BCP development; BCP testing, training, and maintenance; BCP implementation
The most significant resources consumed by the BCP plan are ________
people
BIA
Business Impact Analysis - identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources, and assesses the likelihood and impact of those threats being realized
5 Steps of BIA
- Identify Priorities
- Identify Risks
- Likelihood Assessment
- Impact Assessment
- Resource Prioritization
Identify Priorities
1st step of BIA, determine most essential activities to day to day operations
MTD/MTO
Maximum Tolerable Downtime, Maximum Tolerable Outage - maximum length of time a business function can be inoperable without causing harm to the business
RTO
Recovery Time Objective - amount of time in which you think you can feasibly recover the function in the event of a disruption
Goal of BCP is to ensure that RTO is _____ than your MTD
less
Sources for Likelihood Assessment
NOAA, FEMA, USGS
Categories of Law
Criminal, civil, administrative
CCCA of 1984
Comprehensive Crime Control Act - covered only computer crimes that crossed state boundaries, to avoid infringing on states' rights and treading on thin constitutional ice
CFAA of 1986
Computer Fraud and Abuse Act - expanded the CCCA computer crime provisions to cover all "federal interest" computers
1994 CFAA Amendments (4)
■ Outlawed the creation of any type of malicious code that might cause damage
■ Modified the CFAA to cover any computer used in interstate commerce
■ Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
■ Provided legal authority for the victims of computer crime to pursue civil action
CSA of 1987
Computer Security Act, mandated baseline security requirements for all federal agencies, gave NIST responsibility for developing standards
Following the CSA, the NSA retained authority over __________ and NIST gained responsibility for _________
NSA retained authority over classified systems, NIST gained responsibility for securing all other federal govt systems
Three Major provisions of Federal Sentencing Guidelines
■ Prudent Man Rule (holds senior executives personally responsible for exercising due care)
■ Organizations can minimize punishment by demonstrating due care and due diligence
■ Three burdens of proof for negligence: a legally recognized obligation, failure to comply with recognized standards, and a causal relationship between the act of negligence and the damages
National Information Infrastructure Protection Act of 1996
Amendments to CFAA, covers international commerce, covers national infrastructure, treats damage causing act as felony
Law Timeline
1984 - CCCA
1986 - CFAA
1987 - CSA
1991 - Federal Sentencing Guidelines
1994 - CFAA Amendments
1995 - Paperwork Reduction Act
1996 - National Information Infrastructure Protection Act
2000 - GISRA
2002 - FISMA
Paperwork Reduction Act
agencies must obtain OMB approval before requesting info from the public
GISRA
Government Information Security Reform Act of 2000 amended Paperwork Reduction Act to implement additional information security policies and procedures
FISMA
Federal Information Security Management Act, requires that federal agencies implement an information security program that covers the agency’s operations
The most valuable asset of most organizations is their __________
Intellectual Property
Copyright Law
guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work
The precedent for copyrighting computer software puts software under the scope of _______
literary works
Copyright law as it pertains to computer software protections ___________
the actual source code - the Expression inherent in the computer software
Copyright law: Works by one or more authors are protected until __ years after ____________
70 years after the death of the last surviving author
Works for hire and anonymous works are provided protection for ________
95 years from the date of the first publication or 120 years from the date of creation, whichever is shorter
Trademarks
Protect words, slogans, and logos used to identify a company and its products or services
Patents
protect the intellectual property rights of inventors, 20 years of exclusive rights then public
Trade Secrets
No time limit; IP that is critical to the business and never registered or disclosed; often the best way to protect computer software
Licensing types
Contractual (written contract), shrink-wrap, Click-through, Cloud services
4th Amendment
protection of privacy
Privacy Act of 1974
limits the federal government's ability to disclose and retain private information about individuals
ECPA of 1986
Electronic Communications Privacy Act of 1986 makes it a crime to invade the electronic privacy of an individual
CALEA of 1994
Communications Assistance for Law Enforcement Act amended ECPA and requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order
Economic and Protection of Proprietary Information Act of 1996
extends definition of property to include proprietary economic information (expands definition of theft)
HIPAA
Health Insurance Portability and Accountability Act - privacy and security regulations requires strict security for medical information
HITECH
Health Information Technology for Economic and Clinical Health Act, update to HIPAA, adds a data breach notification requirement
COPPA
Children's Online Privacy Protection Act - sites must state what information is collected and how it is used, parents must be able to review and delete information collected about their children, and verifiable parental consent is required before collecting information from children under age 13
Gramm-Leach-Bliley Act
limits the types of customer information that financial institutions can exchange and requires them to disclose their privacy practices
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
FERPA
Family Educational Rights and Privacy Act - affects any educational institution that accepts any federal funding
Identity Theft and Assumption Deterrence Act
made identity theft a crime
ITIL
IT service mgmt
OCTAVE
self directed risk assessment
ISO 27001
requirements for establishing and operating an ISMS, the standard an org is certified against
ISO 27002
code of practice with implementation guidance for the security controls of an ISMS