Domain 1 - Security and Risk Management Flashcards
Administrative, Physical, and Technical controls
Three categories of access controls
Technical Control
Access control category that restricts access by technical (logical) means: protects access to systems, network architecture, control zones, auditing, encryption, and protocols.
Administrative Control
Access control category that dictates how security policies are implemented to fulfill the company's security goals. Includes policies and procedures, personnel controls, supervisory structure, security training, and testing.
Physical Control
Access control category that includes badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling; used to secure physical access to an object, such as a building, a room, or a computer (access control category).
Preventive control
Prevents security breaches and avoids risks.
Detective control
Looks for security breaches as they occur.
Corrective control
Restores control and attempts to recover from any damage that was inflicted during a security breach.
Deterrent control
Stops potential violations.
Recovery control
Restores resources.
Compensative control
Provides an alternative control when the primary control is too expensive or impractical to implement; it achieves the same security objective by a different means.
Directive controls
Provides mandatory controls based on regulations or environmental requirements.
Recovery-Technical control
Restores system capabilities and covers data backups.
Detective-Technical control
Detects when a security breach occurs; covers audit logs and intrusion detection systems (IDS).
Corrective-Technical control
Corrects any issue that arises because of security breaches; Antivirus software and server images are included in this category.
Compensative-Technical control
Considered an alternative to other controls (example, server isolation).
Preventative-Technical control
Technical measures that stop unauthorized access before it happens, for example routers with access lists, firewalls, and encryption.
Deterrent, Preventive, Detective, Compensative, Corrective, Recovery, and Directive.
Access control types (types, not categories).
Preventative control measures
Security awareness training, Firewalls, Anti-virus, security guards, and IPS.
Detective control measures
System monitoring, IDS, Anti-Virus, motion detector, IPS.
Corrective control measures
OS upgrade, restoring data from backup, anti-virus (quarantine/clean), vulnerability mitigation.
Compensatory control measures
Backup generator, hot site, server isolation.
To prevent the threat from coming into contact with the weakness.
Purpose for Preventative controls.
To identify that a threat has landed in a system.
Purpose for Detective controls.
To mitigate or lessen the effects of a threat that has already manifested.
Purpose for Corrective controls.
ISO/IEC 27000
The ISO/IEC series of standards on developing and maintaining information security management systems (ISMS). ISO/IEC 27000 itself gives the overview and vocabulary; ISO/IEC 27001 specifies the requirements an ISMS must meet and is the standard organizations are certified against.
Zachman Framework
An enterprise schema with a two-dimensional classification: six questions and six views intersecting in a matrix (what, how, where, who, when, why + planner, owner, designer, builder, programmer, users). This framework is NOT security oriented; it is used to relay information to personnel in a common language that helps different groups understand each group's responsibilities.
TOGAF (The Open Group Architecture Framework)
An enterprise framework that helps organizations design, plan, implement, and govern enterprise information architecture. Its four domains are business, data, applications, and technology.
DoDAF (Department of Defense Architecture Framework)
Architecture framework with 8 viewpoints used to ensure DoD technologies integrate correctly with existing infrastructure.
All Viewpoint (AV); Capability Viewpoint (CV); Data and Information Viewpoint (DIV); Operational Viewpoint (OV); Project Viewpoint (PV); Services Viewpoint (SvcV); Standards Viewpoint (StdV); and Systems Viewpoint (SV).
The eight views of the DoDAF
MODAF (British Ministry of Defense Architecture Framework)
An architecture framework, derived from DoDAF, which divides information into seven viewpoints.
SABSA (Sherwood Applied Business Security Architecture)
An enterprise security architecture which asks six communication questions that intersect with six layers; it is a risk-driven architecture. The six questions are: What, Where, When, Why, Who, and How. These intersect with six layers: Contextual, Conceptual, Logical, Physical, Component, and Operational.
CobiT (Control Objectives for Information and Related Technology)
An IT governance and management framework (COBIT 5) documenting five principles that drive the control objectives of seven enablers. The five principles: Meeting stakeholder needs; Covering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating governance from management. The seven enablers: Principles, policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behavior; Information; Services, infrastructure, and applications; and People, skills, and competencies.
Meeting stakeholder needs; Covering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating governance from management.
Five principles of COBIT
Principles, policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behavior; Information; Services, infrastructure, and applications; and People, skills, and competencies.
Seven enablers of COBIT
Downstream Liabilities
When you outsource a system you can outsource responsibility, but you cannot outsource accountability: the organization remains liable for harm its outsourced systems cause to others downstream.
What is Due Care?
Setting and enforcing policy to bring the organisation into compliance, and acting on what is known. (Due diligence is investigating and understanding the risks; due care is doing something about them.)
What does IAAA stand for?
Identification, Authentication, Authorization, Accountability
What is the difference between Authentication and Authorization?
Authentication proves that you are who you claim to be (for example, by supplying your password). Authorization determines what the authenticated identity is permitted to do (for example, whether you have permission to read a given file).
What is a control?
A control or countermeasure is put into place to mitigate (reduce) potential risk. The term countermeasure is most often applied to preventive controls, but a control can be of any of the seven types above.
What is Strategic Alignment?
Strategic Alignment means that business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.
What does Security Effectiveness deal with?
Security Effectiveness deals with metrics, SLA requirements, achieving ROI, meeting set baselines, etc.
What is a Computer Assisted Crime?
Computer Assisted Crime is where a computer was used as a tool to help carry out a crime.
What is a Computer Targeted Crime?
A Computer Targeted Crime occurs when a computer is the victim of an attack crafted to harm it and its owners specifically.
What is a Computer Incidental Crime?
Where a computer happens to have been part of the crime, but neither assisted the criminal nor was the victim.
In GDPR, who is the Data Subject?
The Individual to whom the data pertains
In GDPR, what is the Data Controller?
The organization that determines the purposes and means of processing personal data of EU residents (it decides why and how the data is processed).
In GDPR, what is the Data Processor?
Any organization that processes personal data on behalf of, and on the instructions of, a data controller.
What is the Consent provision for GDPR?
Data Controllers and Data Processors cannot process personal data without a lawful basis; where that basis is consent, it must be freely given, specific, informed, and explicit from the data subject.
What is the Right to be Informed provision for GDPR?
Data Controllers and Data Processors must inform data subjects about how their data is, will, or could be used.
What is the Right to Restrict Processing provision for GDPR?
Data Subjects can agree to have their data stored by a collector but disallow it to be processed.
What is Right to Be Forgotten provision for in GDPR?
Data Subjects can request that their personal data be permanently deleted.
What is the Data Breaches provision for in GDPR?
Data Controllers must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it.
What is a Trade Secret?
A Trade Secret is something that is proprietary to a company and important for its survival and profitability; it is protected only as long as it is kept secret.
What is a Copyright?
Copyright Law protects the right of the creator of an original work to control the public distribution, reproduction, display and adaptation of that original work.
What is a Trademark?
A Trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color etc.
What is a Patent?
Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent.
What is the strongest form of intellectual property protection?
A patent
What is an Issue-specific policy?
Also called a functional policy, it addresses specific security issues that management feels need more detailed explanation and attention.
What is a System-specific Policy?
Specific to the actual computers, networks, and applications.
What types of Policies are there?
Regulatory, Advisory, Informative
What is a Standard?
Standards refer to mandatory activities, actions, or rules. Standards give a policy its support and reinforcement in direction.
What is a Procedure?
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
What can declare a Disaster and Emergency?
Anyone can declare an emergency; only the BCP coordinator can declare a disaster. (Anyone can pull the fire alarm or trigger an emergency alarm. Only the BCP coordinator, or someone specified in the BCP, can declare a disaster, which then triggers failover to another facility.)
Regulatory, Advisory, Informative are examples of
Policies
MTD/MTO: Maximum Tolerable Downtime/Outage
The longest time a business function can be inoperable before the resulting loss becomes unacceptable to senior management.
RTO Recovery Time Objective
The amount of time within which you can feasibly recover the function in the event of a disruption (must be less than the MTD).
RPO Recovery Point Objective
The tolerance for data loss, expressed as a point in time: how much data (e.g., the last four hours of transactions) the business can afford to lose.
What is the difference between Business Impact Assessment and Risk Assessment?
Business Impact Assessment focuses on assets and how important they are to the business, whereas Risk Assessment also takes vulnerabilities and likelihood into account.
How do you calculate Total Risk?
Asset Value * Probability * Impact = Total Risk
How do you calculate Residual Risk?
Total Risk * Controls Gap = Residual Risk
What is a Checklist Test?
Copies of plan distributed to different departments. No disruption to the business.
What is a Structured Walk-Through (Table Top) Test?
Representatives from each department go over the plan. Still paper based.
What is a Simulation Test?
The team walks through the disaster scenario as if it were happening. Still does not disrupt the business.
What is a Parallel Test?
Systems are brought up at the alternate site and processing takes place there, while the original site continues normal operations. This involves some risk.
What is a Full-Interruption Test?
Original Site shut down and all processing moved to offsite facility.
What is Layering?
Layering (also known as Defense in Depth), is simply the use of multiple controls in a series.
What is Abstraction?
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
What is Data Hiding?
Data Hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to, or visible to, the subject.
What is Security Governance?
Security Governance is the collection of practices related to supporting, defining, and directing the security efforts of an organisation.
What is a Business Case?
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
What is a Strategic Plan (as opposed to Tactical and Operational)?
A strategic plan is a long term plan that is fairly stable.
What is a Tactical Plan (as oppsed to Strategic or Operational)?
The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events.
What is a Operational Plan (as opposed to Strategic or Tactical)?
An Operational Plan is a short-term, highly detailed plan based on the strategic and tactical plans.
What is the goal of Change Management?
The goal of change management is to ensure that any change does not lead to reduced or compromised security.
Who reviews and approves Changes?
The Change Advisory Board (CAB).
What does the Change Advisory Board do?
Review and Approve changes
What is Data Classification?
Data Classification, or categorization, is the primary means by which data is protected based on its need for security, sensitivity, or confidentiality.
What are the levels of government/military classification?
Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified. TO REMEMBER: US CAN STOP TERRORISM
What data is Sensitive but Unclassified?
Sensitive but Unclassified (SBU) is used for data that is for internal use or for office use only.
What are the levels of data classification for the private sector?
Confidential, Private, Sensitive, Public
What is the difference between confidential and private data?
Confidential Data is company data and Private Data relates to individuals.
What are the Data Owner's responsibilities?
The Data Owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
What are the Data Custodian's responsibilities?
The Data Custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
What is STRIDE?
A threat model designed by Microsoft which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
What is PASTA?
Process for Attack Simulation and Threat Analysis (PASTA) is a seven step threat model
What are the steps of PASTA?
1) Definition of Objectives 2) Definition of Technical Scope 3) Application Decomposition and Analysis 4) Threat Analysis 5) Weakness and Vulnerability Analysis 6) Attack Modeling and Simulation 7) Risk Analysis and Management
What is Reduction Analysis?
Reduction Analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interaction with external elements.
What are the five key concepts of Reduction Analysis which must be considered?
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, and Details about Security Stance and Approach.
In the decomposition process, what are Trust Boundaries?
Trust Boundaries are any location where the level of trust or security changes.
In the decomposition process, what are Data Flow Paths?
Data Flow Paths are the movement of data between locations.
In the decomposition process, what are Input Points?
Input points are locations where external input is received.
In the decomposition process, what are Privileged Operations?
Privileged Operations are any activity that requires greater privileges than that of a standard user.
What is DREAD used for?
Prioritization and Response
What are the considerations of DREAD?
Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability
What is Separation of Duties?
Separation of Duties is the security concept in which critical, significant and sensitive work tasks are divided among several individual administrators or high level operators. Prevents one person from having too much control.
What is Onboarding?
Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organization.
What is a Vulnerability?
A vulnerability is a weakness in an asset, or the absence or weakness of a safeguard or countermeasure.
What is Exposure?
Exposure is being susceptible to asset loss because of a threat: there is a possibility that a vulnerability can or will be exploited by a threat agent or event.
How is Risk calculated?
Risk = Threat * Vulnerability
What are the six major elements of Quantitative Risk Analysis?
Assign Asset Valuation (AV)
Calculate the Exposure Factor (EF)
Calculate the Single Loss Expectancy (SLE)
Assess the Annualized Rate of Occurrence (ARO)
Derive the Annualized Loss Expectancy (ALE)
Perform Cost/Benefit analysis of countermeasures
What is Asset Valuation (AV)?
The monetary value of an asset
What is Exposure Factor (EF)?
The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
What is the Annualized Loss Expectancy (ALE)?
Possible yearly cost of all instances of a specific realized threat against a specific asset.
How is Annualized Loss Expectancy (ALE) calculated?
ALE = SLE * ARO. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
What does a Safeguard reduce?
Primarily the ARO (how often the threat is realized); some safeguards instead reduce the EF, and therefore the SLE. Either way the ALE falls.
How is Single Loss Expectancy (SLE) calculated?
SLE = AV * EF. SLE = Asset Value (AV) * Exposure Factor (EF).
How do you calculate the value of a safeguard?
(ALE1 - ALE2) - ACS, where ALE1 is the ALE before the safeguard, ALE2 the ALE after it, and ACS the Annual Cost of the Safeguard. A negative result means the safeguard costs more than it saves.
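The six quantitative steps above, carried through for several candidate safeguards so that the cost/benefit step actually ranks them, as an added example (not part of the original deck). The asset, EF, ARO, and the three safeguards are constructed figures; the function names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the EF/ARO expected after it is in place."""
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard
    new_ef: float        # exposure factor once the safeguard is deployed
    new_aro: float       # annualized rate of occurrence once deployed


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset's value lost per incident."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be fractional (0.25 = once every four years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = (ALE1 - ALE2) - ACS. Negative means it is not worth buying."""
    return round((ale_before - ale_after) - annual_cost, 2)


def evaluate(asset_value: float, ef: float, aro: float, safeguards: list[Safeguard]):
    """Steps 1-6: compute the current ALE, then rank safeguards by net annual value."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ranked = []
    for s in safeguards:
        # A safeguard may lower EF, ARO, or both; recompute SLE and ALE from scratch.
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, s.new_ef), s.new_aro)
        ranked.append((s.name, ale_after, safeguard_value(ale_before, ale_after, s.annual_cost)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ale_before, ranked


def recommend(ranked) -> list[str]:
    """Only safeguards with a positive net value are worth implementing."""
    return [name for name, _ale_after, value in ranked if value > 0]


# Constructed scenario (not from the deck): a customer database worth $500,000,
# a ransomware-style incident that destroys 40% of its value, expected once every four years.
ASSET_VALUE = 500_000
EF = 0.40
ARO = 0.25

# Constructed candidate safeguards. Note the first reduces EF (impact), not ARO (frequency).
SAFEGUARDS = [
    Safeguard("offsite backups", annual_cost=20_000, new_ef=0.10, new_aro=0.25),
    Safeguard("network IPS", annual_cost=30_000, new_ef=0.40, new_aro=0.05),
    Safeguard("premium appliance", annual_cost=90_000, new_ef=0.05, new_aro=0.02),
]

if __name__ == "__main__":
    ale1, ranked = evaluate(ASSET_VALUE, EF, ARO, SAFEGUARDS)
    print(f"current ALE: ${ale1:,.2f}")
    for name, ale2, value in ranked:
        print(f"{name:20s} ALE after: ${ale2:>10,.2f}  net value: ${value:>10,.2f}")
    print("recommend:", recommend(ranked))
```

With these figures the SLE is $200,000 and the ALE $50,000. Backups cut the ALE to $12,500 for a net value of $17,500; the IPS cuts it to $10,000 for a net value of $10,000; the premium appliance nearly eliminates the loss but costs $90,000 a year against $49,500 of avoided loss, so its value is negative and it should not be bought on cost grounds alone.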
What is the Delphi Technique?
The Delphi Technique is simply an anonymous feedback and response process used to enable a group to reach an anonymous consensus.
In what situation is the Delphi Technique used?
In Qualitative Risk Analysis
What is Risk Assignment?
Assigning or transferring risk is placement of the cost of a loss that a risk represents to a third party. For example, Insurance.
What is Risk Deterrence?
Risk Deterrence is the process of implementing deterrents to would-be-violators of security and policy.
What is Risk Avoidance?
Risk Avoidance is the process of selecting alternate options or activities that have less associated risk than the default.
What is Risk Rejection?
A final but unacceptable possible response to risk is to reject or ignore the risk.
How is Total Risk calculated?
Threats * Vulnerabilities * Asset Value = Total Risk
How is Residual Risk calculated?
Total Risk - Control Gaps = Residual Risk (this is the conceptual form used by the Sybex study guide; other sources, as on the card above, express the controls gap as a multiplier).
What are the Six Steps of the NIST RMF (Risk Management Framework)? **
Step 1) CATEGORIZE Information Systems Step 2) SELECT Security Controls Step 3) IMPLEMENT Security Controls Step 4) ASSESS Security Controls Step 5) AUTHORIZE Information Systems Step 6) MONITOR Security Controls. (NIST SP 800-37 Rev. 2 adds a PREPARE step before Categorize, making seven steps in the current RMF.)
Once a Business Continuity Planning (BCP) team is selected, what is their first responsibility?
To perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process.
What does MTD stand for?
Maximum Tolerable Downtime
What does Maximum Tolerable Downtime (MTD) mean?
Also known as the MTO Maximum Tolerable Outage. This is the maximum time that a business function can be inoperable before causing irreparable harm.
What does RTO stand for?
Recovery Time Objective (RTO)
What does Recovery Time Objective (RTO) mean?
This is the amount of time that you think you can feasibly recover the function in the event of a disruption
What is the Computer Fraud and Abuse Act (CFAA)?
The CFAA grew out of 1984 legislation (the Counterfeit Access Device and Computer Fraud and Abuse Act) and was enacted in its own right in 1986. Congress carefully wrote it to cover only computer crimes that crossed state boundaries, to avoid infringing on states' rights and treading on thin constitutional ice. It originally covered only computers used exclusively by the US government or financial institutions; later amendments broadened it to any "protected computer" used in interstate commerce.
What law would you use if you want to protect the Intellectual Property of source code?
Copyright, while you can protect the source code you cannot protect the idea.
How long is a patent valid for?
20 years
What is a Contractual License Agreement?
A written contract between software vendor and the customer
What is Shrink-Wrap license agreements?
Shrink-Wrap license agreements are written on the outside of the software packaging. You accept the agreement by opening the packaging.
What is a Click-Through license agreement?
A license agreement which you accept by clicking "I agree" or "Next" before installation or use.
What are Cloud Service license agreements?
This simply flashes legal terms on the screen for review
Who does the Privacy Act of 1974 apply to?
US federal government agencies only
What agreement is in place in the USA to comply with GDPR?
Privacy Shield (note: the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 in the Schrems II decision and was replaced by the EU-US Data Privacy Framework in July 2023)