Domain Five: Risk Management Flashcards
Define the Business Impact document ?
The business impact analysis is often seen as being a document, but it is also a set of processes comprising several different functions and roles within the organisation, identifying key business functions or processes that will be impacted during a disruption.
What are the two key metrics used in the BIA ?
Mean Time Between Failure
Mean Time to Repair
What is the first stage in the BIA process or document ?
We first need to identify critical functions and then associate the systems that aid those functions. We need to be able to answer the following questions:
Do we know what services our customers always expect to be available ?
Do we know what service our employees need available at all times ?
This stage needs SMEs from all the functional areas to help identify this.
What are the five impact areas a BIA document or process should consider ?
Life
Property
Safety
Financial
Reputation
What is a privacy threshold assessment ?
A privacy threshold assessment is conducted to determine what levels of information a system is collecting, in order to determine whether a privacy impact assessment is required.
What is a privacy impact assessment ?
A privacy impact assessment determines the impact on PII contained within that system if it is compromised.
What is the RPO ?
RPO is the maximum allowable time between backups
What is the RTO ?
RTO is the maximum time allowed to restore backups. It designates the amount of real time that can pass before the disruption begins to seriously and unacceptably impede the flow of normal business operations.
Describe the four common data sensitivity types ?
Public - Free to all
Proprietary - This is information peculiar to that organisation and can include such things as trade secrets
Confidential Information - Requires restrictive access through such mechanisms as NDA
Private Information - This information sensitivity includes PII and PHI and should be protected extensively
Describe the role of the privacy officer ?
Is responsible for the organisation's data privacy. They implement policies and procedures to help carry out privacy controls.
Describe the role of the data steward ?
Manages the day-to-day control and protection of data for the organisation, and is responsible for compliance and regulatory understanding.
Describe the role of the data owner ?
Responsible for specific data sets but delegates the day-to-day procedures around data.
What are the three reasons for having a data retention policy ?
Version Control - Returning to a last known state
Recovery from Cyber attacks - Especially as attacks are not always discovered immediately
Legal/Regulatory compliance
Name some of the techniques for data sanitisation ?
Burning
Shredding
Pulping
Pulverising
Degaussing
Purging
Wiping
What in digital forensics is the order of volatility ?
Data for investigations should be collected in an order that makes sure the most volatile sources, those most prone to destruction, are harvested first.
CPU Cache and Registers
Remaining data stored in RAM
Temporary File Systems
Files Written to Disk
Remote monitoring data for the system
Archived Data
What is chain of custody ?
As evidence is collected, we need to ensure that we maintain the integrity of the evidence collected. Everyone that comes into contact with the evidence must be documented and the chain of custody document should show how the evidence was stored.
Name some of the sources we can use for evidence ?
There are several sources of information. We should also capture hashes of the system to be able to prove that it has remained unaltered during the investigation.
Capturing System Images
Network Traffic and Logs
Capturing Video
Screenshots
Witness Interviews
What is legal hold ?
Legal hold refers to special procedures put in place to aid any court proceedings.
What does the term preservation mean ?
Preservation procedures should be put in place to maintain the integrity of the evidence
What are the three areas to consider with recovery ?
Active Logging, Strategic Intelligence, Counterintelligence gathering
What are the different types of backup ?
Full - Backup of the whole drive irrespective of what's changed
Incremental/Differential - Backup of what's changed between full backups
Snapshots - VM backups used to spin up new backups
Define continuity of operations ?
Usually attributed to the US Federal Government helps to ensure operations through unanticipated events. The US Government mandates that agencies need to continue to provide services even during times of crisis.
What is continuity planning ?
Usually attributed to the US Federal Government helps to ensure operations through unanticipated events. The US Government mandates that agencies need to continue to provide services even during times of crisis.
What are the five control of disaster recovery controls ?
Deterrent - Those controls that deter but do not prevent
Preventative - Those controls that prevent something from occurring
Compensatory - Those mechanisms that are put in place to satisfy requirements for a security measure when management has deemed it too impractical to implement the actual fix
Corrective - Remediate a risk after being discovered
Detective - Detects events after they have been discovered
Directive controls - Direct on how to achieve security compliancy such as policies
What are the three disaster recovery control types ?
Administrative, Technical, Physical, Operational
Give an example of an administrative control type ?
Acceptable Use Policy
Give an example of a physical control type ?
Crash Barrier
Give an example of a technical control type ?
IPS
What are the geographic considerations for disaster recovery and planning ?
Location Selection
Legal Considerations
Off Site storage
Distance
Data Sovereignty
What are the three categories for recovery sites ?
Hot - Like for like replacement always on including software and data
Warm - Infrastructure in place but software and backups may need to be restored
Cold - Site is available but infrastructure and everything else needs to be put in place
What is incident response ?
This is how we recover, minimising downtime and reducing damage, when an incident occurs.
What are the six stages of incident response ?
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
What are the main categories of incident response ?
External/Removable Media
Attrition
Web
Email
Improper Usage
Loss or Theft of Equipment
Other
What is the role of security management in incident response ?
Responsible for leading the response team during planning and carrying out IR procedures. They also offer corporate support for the IR team.
What is the role of the compliance officer in incident response ?
They help to advise what steps need to be taken to maintain compliance with various rules and procedures.
What is the role of the incident response team ?
This team is a specialised group; they train and are tested for incident response. These individuals walk through exercises to determine when, why and who to engage during particular incidents.
What is the role of supplementary technical staff in incident response ?
Used to provide technical help over and above that in the IR team.
What is the role of the Cyber Incident Response team ?
Responsible for providing detailed Cybersecurity knowledge.
What are the personnel functions in Organisational Security?
Policies, Background checks, and JML
What is the purpose of the exit interview ?
Determines the morale and culture of the team as well as a chance to gain an understanding of where things have gone wrong and can be improved.
What is an acceptable use policy ?
Also known as Rules of Behaviour - May include security policies such as the restriction of social media or personal email.
What are adverse actions ?
Describes the steps taken when abuse has taken place
Name the six agreement types ?
SLA, Memorandum of Understanding, Standard Operating Procedures, Business Partner Agreement, Interconnection security agreement, Memorandum of agreement
What is a clean desk policy ?
Removal each day of documents and printouts that could compromise security.
How often do we embark on a continuous education program ?
Annually
Why should we have mandatory job holidays and rotation ?
Besides cross-training and other benefits, it also helps prevent users being involved in malicious actions, as well as highlighting improvements required in processes and job functions.
What is the thinking behind separation of duties ?
Also for security purposes, as it avoids a single person being compromised due to having complete access to and knowledge of a system.
What is single loss expectancy (SLE) ?
This is the monetary cost of an event to an organisation
What is the annual rate of occurrence (ARO) ?
This is the number of times a year an event occurs
What is annual loss expectancy (ALE) ?
SLE * ARO
This represents the actual cost to the company and can be used to determine if a compensating control is worth it.
What are the four main risk response techniques ?
Risk Acceptance, Risk Avoidance, Risk Transference, Risk Mitigation
What are the two main sources of threats ?
Environmental and Man Made
Describe the relationship between control categories and types ?
Categories contain types.
Describe the detective control category ?
Controls that detect activity after the event has taken place
What type of control is a threat assessment ?
Managerial
What type of control is a sign warning you of a guard dog ?
Deterrent - It's tempting to say physical, but the sign does not physically prevent someone from doing something.
What is the most common way to ensure that companies destroy data ?
Signing of a contract that mandates this and that the third party has certification standards around this area.
Describe the role of the CEO in an organisation ?
The chief executive officer manages the company's operations. The CEO is hired by the board and is dismissed by the board, and has their performance reviews and compensation determined by the board.
What are the three areas covered by a GRC program ?
Governance, Risk and Compliance
What are the two types of governance models ?
Centralised and Decentralised
What is a centralised governance model ?
Top Down - Central Authority creates policies and standards
What is a decentralised governance model ?
Bottom Up - Individual teams responsible for governance
What is a definition of a policy ?
High level statement of management intent.
What are some typical points covered in a policy ?
A statement of the importance of cybersecurity to the organisation
A requirement that staff and contractors maintain CIA principles and guidelines
A statement on the ownership and creation of information created or processed by the organisation
Designation of the CISO or other individual as the executive responsible for Cybersecurity issues
Delegation of authority to CISO the ability to create standards, procedures and guidelines and to implement them
What is a business continuity policy document ?
Describes steps to protect and recover critical business systems in response to an unforeseen outage, and to ensure that data assets are recovered and protected.
What is a change management policy ?
Describe how the organisation will review, approve and implement proposed changes to information systems
What is an incident response policy ?
Describes how an organisation will respond to security incidents
Describe an acceptable use policy ?
Also known as Rules of Behaviour - May include security policies such as the restriction of social media or personal email.
Describe an information security policy ?
Provides high level authority and guidance for the security program
What is a standard ?
Standards provide mandatory requirements describing how an organisation will carry out its information security policies. These may include specific configuration settings used for common operating systems, or the controls that have to be in place for sensitive information. Standards are approved at a lower level than policies and therefore can change more frequently.
What is a guideline ?
Guidelines provide best practices and recommendations. Compliance is not mandatory and guidelines are offered in the spirit of providing helpful advice.
What two ways can policy effectiveness be measured ?
This can be a combination of tool based (SIEM) and human based (Feedback, Exit Interviews)
What is the primary goal of change management ?
The primary goal of change management is to ensure that changes do not cause outages. Change management processes ensure that review and approval of changes by appropriate personnel takes place before implementation, and also ensure that testing and documentation have taken place.
What are the six steps in a typical change request process ?
Request, Review, Accept or Reject, Test, Schedule, Document
What is a NDA ?
Non Disclosure Agreements often require that employees protect any confidential information that they gain access to in the course of their employment. Usually signed on hire and reminded about on exit.
What are the two main considerations during the vendor selection process ?
There are two aspects of vendor selection that should be considered
Due Diligence and Conflict of Interests
What three ways can we use to assess a vendor ?
Penetration Testing
Questionnaire
Supply Chain Analysis
What is a master service agreement ?
Provides an umbrella contract for the work that a vendor does with an organisation over an extended period of time. Typically covers privacy and security agreements, which can then be referenced in statements of work and work orders.
What are the three considerations around vendor monitoring ?
The rules of engagement agreement should specify monitoring requirements.
KPI metrics should also be established
Compliance Monitoring is also fundamental
What is HIPAA ?
Includes security and privacy rules that affect health care providers, health insurers, and health information clearing houses in the United States.
What is PCI DSS ?
Provides detailed rules about the storage, processing, and transmission of credit card and debit card information. PCI DSS is not law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.
What is the Gramm Leach Bliley act ?
Covers US Financial services. Requires that there is a distinct security program with an individual responsible for it.
What is the Sarbanes Oxley Act ?
Act applies to the financial records of US publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records.
What is the Family and Educational Rights Privacy Act (FERPA) ?
Covers student records and requires US educational institutions implement security and privacy controls for student educational records.
What's involved with internal compliance reporting ?
Internal Reporting typically involves regular reports to management or the board highlighting the state of compliance, identifying the gaps and what is required to improve.
What is external compliance reporting ?
This is mandated by external regulatory bodies or as part of contractual obligations. It involves providing the necessary documentation and evidence to external entities to demonstrate that the organisation is in compliance with the relevant laws and regulations.
What does the term due care mean in compliance monitoring ?
Refers to the ongoing efforts to ensure that the implemented policies and controls are effectively and continuously maintained through a process of regular review, updates to policies and proactive steps.
What is meant by acknowledgement in the due care process of compliance monitoring ?
Part of the due care process it means ensuring that employees and business partners state that they are aware of the compliance requirements.
What does attestation mean in the compliance monitoring process ?
Is the step where employees and business partners state they are aware of these compliance requirements and have also confirmed that they have adhered to these standards.
What's the difference between an incremental and a differential backup ?
An incremental backup just backs up changes since the last backup. A differential backup backs up all the changes since the last full backup, so it gets progressively larger until reset at the next full backup.
What is the NIST Core detailing ?
Covers the five functions of:
Identify
Protect
Detect
Recover
Respond
These are then further subdivided into categories and subcategories.
What is a framework tier in NIST CF ?
Assessment of how ready your organisation is to implement cybersecurity objectives. It is an example of a maturity model.
What is a profile in NIST CF ?
Describes how an organisation might use the framework to describe its current state and then a separate profile to describe its future state.
Is Risk Acceptance the same as doing nothing ?
This occurs when it is not financially viable to tackle the risk - This is usually when the control is more expensive than the actual risk. It is not to be viewed as deliberately not taking action.
Often there are exceptions where the risk is acknowledged and is accepted as an exception. An exemption is like an exception but will need a more formal sign off.
What is inherent risk ?
The inherent risk facing an organisation is the original level of risk that exists before implementing any controls.
What is residual risk ?
Is the risk left after controls have been implemented
What is risk appetite ?
Is the level of risk that is willing to be accepted as the cost of doing business
What is risk threshold ?
It is the level at which a risk becomes unacceptable
What is risk tolerance ?
The ability to withstand risk and maintain operations.
What are key risk indicators ?
Metrics to measure and provide early warning for increasing levels of risk.
What three stances come under risk appetite ?
Expansionary, Conservative, Neutral
Name three common items on a risk register ?
Risk Owner
Risk Threshold Information
Key Risk Indicators
What are the four ways of risk reporting ?
Adhoc reports, Regular Updates, Dashboard, Risk Trend Analysis
What is the Mean Time Between Failure (MTBF) ?
BIA metric about the reliability of a system. It is the expected amount of time between failures.
What is the Mean Time To Repair (MTTR) ?
BIA metric is the average amount of time to restore the system to its normal operating state after failure
In a data inventory should only human readable files be included ?
No - It is important that the data inventory contains all types of information that may contain sensitive information; even non-human-readable binary files should be included if they contain sensitive information.
What items are typically part of a data inventory ?
PII, Legal, Financial, Regulatory, Intellectual Property, PHI
What is a data subject ?
Individuals whose data is being processed
What should be the response when a data breach occurs ?
Implement the response plan. Some regulations such as GDPR mandate that the breach is publicly notified.
I want to encrypt data at rest on my disk what options do I have ?
FDE, File, Volume, Partition
I want to encrypt a large amount of data on disk but I don't want to encrypt the whole drive; what is my next best option ?
Volume
What three options do I have to encrypt data at rest in a database ?
Transparent Level Encryption (Whole database), Record, Column
What is certificate verification ?
When you receive the certificate you should verify it by:
Checking it is not revoked, via the Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP)
Checking the digital signature is authentic
Checking the certificate contains the data you are trusting
What is certificate pinning ?
Certificate pinning is where we specify the exact certificate we trust, so for example we only accept certificates from one particular CA.
What is OCSP ?
This eliminates the latency of the CRL. It is a process where the browser can determine the status of a certificate in real time by issuing an OCSP request to the CA's OCSP server, and it will receive a status of Good, Revoked or Unknown.
What are CRL and the issues with them ?
A list of revoked certificates and when they are revoked. They are maintained by multiple CAs.
The main issue is that the list has to be downloaded to be used by the browser, so there can be a lag between when the certificate was revoked and when the browser notices.
What is certificate stapling ?
It is costly having the browser send an OCSP request to the CA's servers every time, so instead of having individual clients contact the OCSP server, it is usual for the web server to do this every twenty four hours and staple the response to the certificate. The browser then verifies both the certificate and the OCSP response.
When is a certificate revoked ?
Certificate has been compromised
Certificate has been erroneously issued
Details have changed
Security Association has changed
What are the binary formats for certificates ?
PFX and DER
What formats are PEM and P7B ?
Text
The .crt extension covers which formats ?
PEM and DER
What typically takes place in the preparation phase in the incident response process ?
Defining roles and responsibilities and conducting regular training drills
Whats the difference between TCO and ROI ?
TCO covers the whole lifetime of the asset whereas ROI doesn't.
Who determines the means of processing data, the Data Owner or the Data Controller ?
Data Controller
What is more secure cellular, wifi or bluetooth ?
Cellular
What is a horizontal password attack ?
Using the same user password combo to attack multiple accounts
Does a shadow IT actor have malicious intent ?
No
What is a feature of SCAP ?
All data is encrypted before it is stored
Why is degaussing not as effective as pulverising ?
Doesn't work on all types of disks
What is a conservative approach to risk ?
Avoiding risk as much as possible
What is an expansionary approach to risk ?
Willing to take on higher levels of risk for greater rewards
What is a neutral approach to risk ?
Balanced approach
What is a tabletop exercise ?
Used to talk through processes. Team members are given scenarios and are asked questions on how they would respond, what issues may arise and what they would need to do to accomplish tasks, and then document improvements to the IR plan. Can resemble a brainstorming session.
What is a simulation ?
Can be a wide variety of events and simulate individual functions or elements of a plan. They can also be done at full scale or organisation wide.
What are the major differences between DKIM, SPF and DMARC ?
DKIM - Tags in the DKIM Signature header. SPF - List of authentic email servers as DNS records. DMARC uses both to determine whether you should accept an email as being from the sender, by rejecting or quarantining.
What is the CVSS category 0
None
What is the CVSS category 0.1 - 3.9
Low
What is the CVSS category 4.0 - 6.9
Medium
What is the CVSS category 7.0 - 8.9
High
What is the CVSS category 9.0 - 10.0
Critical
What other data sources should be taken into account alongside CVE scores ?
Log Reviews
SIEM
Configuration Management System
What are the four categories of pen test
Physical, Offensive, Defensive and Integrated
What should a behaviours section in a pentest rules of engagement cover ?
Determines which behaviours are in scope. Common behaviours are shunning, deny listing or other active testing, which may be useful in a full simulation but need to be removed if we are looking at, for example, a response to a breach.
Which legislation mandates the implementation of risk assessments, internal controls, and audit procedures for ensuring transparency and accountability in financial reporting in the US?
SOX
What is FISMA ?
FISMA (Federal Information Security Management Act) aims to govern the security of data processed by federal government agencies, but it doesn’t specifically focus on financial transparency and accountability.
What is operational security ?
Operational security is a risk management process that encourages managers to view information protection from an adversary’s perspective. Data loss prevention is a set of tools and processes designed to detect a potential data breach and prevent them by monitoring and controlling data transfers.
What is a strong indicator of compromise pertaining to logs ?
A missing log is a strong sign of an attacker’s presence since they often remove or alter logs to hide their actions.
What is a business continuity plan ?
Refers to the plans and processes used during a response to a disruptive event. A BCP should outline the primary, secondary and tertiary steps needed during a disaster and if the disaster is prolonged or fundamentally changes the nature of the business operating model.
Responsibility of Senior Managers. There should be a Business Continuity Committee containing members across the organisation such as IT, Legal. Its task is to determine the recovery priorities for the events that may occur.
Senior managers prevent scope creep by determining the level of risk they are going to accept
What is the process of tracking user activity for cost, billing and audit purposes ?
Accounting
What is the recovery service level ?
This is a metric that displays the percentage of computing power that will be needed during a disaster. For example, in a fire I need a minimum of 60% computing power.
What is a disaster recovery plan ?
Refers specifically to plans and processes used during a disaster.
What are the seven steps to developing a business recovery plan ?
Develop policy for contingency planning
Conduct a BIA
Identify preventative controls
Create recovery strategies
Develop BCP
Test Train Exercises
Maintain BCP
What are the types of recovery site ?
Hot - Like for like replacement always on including software and data - Normally used for just mission critical things rather than everything
Warm - Infrastructure in place but software and backups may need to be restored
Cold - Site is available but infrastructure and everything else needs to be put in place
Mobile Site - Can be all of the above but it is made up of mobile portable units e.g. trailers, tents
What is the work recovery time ?
The Work Recovery Time is the additional time that is needed after the RTO (restoration of backup), such as checking data is correct or the synching of interconnected services and systems.
What is the maximum tolerable downtime ?
The most amount of time a business can tolerate an asset being down.
RTO + WRT
Where WRT is Work recovery time.
Name the six types of Risk Testing Plans
Checklists
Full Interruption Test
Simulation Test
Tabletop
Walkthrough
Parallel Test
What are the three aims of a Privacy Impact Assessment ?
Ensure conformance and compliance
Identifies and evaluates the risk of privacy breaches
Identifies appropriate privacy controls
Who are typical members of the Cybersecurity Incident Response Team
Forensic Analyst
Team Lead
Vulnerability and Threat Analyst
Legal and HR
Triage Analyst
What are the six areas that determine an assets value ?
The value an asset has to the owner
The work required to develop or obtain the asset
The cost to maintain the asset
The damage that would result if the asset was lost
The cost a competitor would pay for the asset
The penalties that would be liable if the asset was lost
What is the process of aggregating risk ?
A system is made up of many parts; for example an e-commerce website is made up of the site, database and telemetry.
We will normally score each element in terms of CIA as high, medium or low. For the system as a whole we will score the CIA as the highest CIA of any element.
What are the steps of scenario planning ?
Analyse all threats that the organisation faces
Determine security controls used
Determine what to protect
Develop scenarios incorporating the threats and assets
Develop an attack tree