Final Exam Flashcards

1
Q

What is vulnerability testing?

A

Vulnerability testing is the assessment of physical and logical vulnerabilities in InfoSec and related systems. These systems may be technical or nontechnical. Prevention, Inside Out!

2
Q

What is penetration testing?

A

Penetration testing is a set of security tests and evaluations that simulate attacks by a hacker or other malicious external source (an ethical hack). Basically, it is an authorized security test and evaluation. This is a control, Outside In!

3
Q

What are examples of vulnerability testing?

A

Scanners (tools designed to identify whether a system presents security threats), patch management, and endpoint configuration.

4
Q

What are examples of penetration testing?

A

White box test (complete info), Black box test (high-level info), Gray box test (limited info).

5
Q

What is an InfoSec framework/model?

A

InfoSec Framework/Model: a generic outline that describes what the intended security control will look like. The framework/model basically outlines the organization-specific blueprint, and the blueprint includes the details on how to get there.

6
Q

What are the benefits of an InfoSec framework/model?

A

A framework essentially sets out a structure and path for the design, selection, and implementation of security controls, including policies, education, and training programs, to build the best overall InfoSec program for the org.

7
Q

Best approach for using InfoSec models?

A

InfoSec can use security models as an outline. Two (2) of the most widely referenced InfoSec models are the ISO 27000 Series and NIST; both can be used “as is” or customized by an organization based on its specific business requirements and risk appetite.

8
Q

What is good InfoSec Governance?

A

Good InfoSec Governance: the set of responsibilities & practices exercised with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.

9
Q

How to best deliver (execute) good InfoSec Governance?

A

Good Delivery: asking, for every information resource, which security technologies protect it, and, for every security technology, what it protects.

10
Q

What are key best practices for InfoSec Governance?

A

Governance Best Practices: when selecting recommended practices, use the following criteria: Does your organization resemble the target organization? Are the resources you spend similar to those called for by the practice? Are you in a similar threat environment to the one assumed by the practice? The biggest limitation to benchmarking in InfoSec is the fact that organizations do not talk to each other. Another limitation is that no two organizations are identical. A third limitation is that recommended practices are a moving target.

11
Q

What is Contingency Planning and why is it necessary?

A

CP: the overall planning for unexpected adverse events.
Why it is necessary: the main goal of CP is to restore normal modes of operation, with minimum cost and disruption to normal business activities, as quickly as possible after an unexpected adverse event.

12
Q

What are the 4 components of Contingency Planning?

A

BIA: Helps orgs determine which business functions and information systems are most critical to the success of the org.
IR Plan: Focuses on the immediate response to an incident. Determines the criticality of the incident from Recognition, to Containment, to Recovery, & Follow-up.
DR Plan: Focuses on restoring ops at the primary site once it is invoked. Determines the criticality of the incident from Initial Response, to Relocation, to Recovery, & Restoration of Key IT Business Systems & Architecture.
BC Plan: Focuses on enabling the business to continue at an alternate site. Determines the criticality of the incident from Initial Response, to Relocation, to Recovery, & Restoration of key Business Processes & possibly supporting IT services.

13
Q

Describe why & how InfoSec Policies, Procedures, & Standards relate to a Security Education, Training, and Awareness (SETA) Program.

A

The benefits of awareness, training, and education include improving employees’ behavior as they become knowledgeable and aware of the different aspects of security. Also, the organization can hold employees responsible for their actions because they have been given training on security issues. In addition, employees realize that any improper actions would cause major harm to their company.

14
Q

What are examples of best practices for InfoSec policies and procedures?

A

Frequent: Formal training should take place at a minimum every 12 months.
Relevant: Training content should apply to the employee’s role & context, and should be done at least 4 times a year.
Interesting: Content should be informative & challenging.

15
Q

Explain how & why organizations should manage risk.

A

How/Why Orgs Manage Risk: Know yourself and know your enemy! Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. It is important because management needs to know the value of each company asset and what losses will be incurred if an asset is compromised.

16
Q

Examples of Risk management?

A

- Risk Identification (where and what is the risk?)
- Risk Analysis (how severe is the current level of risk?)
- Risk Evaluation (is the current level of risk acceptable?)
- Risk Treatment (what can be done to bring the risk to an acceptable level?)

17
Q

Explain how & why organizations should treat risks.

A

Review the risk assessment. Management can decide whether they can live with the risk. However, if management is not comfortable with the risk assessment, risk treatment begins with:
- Defense: Applying controls/safeguards that eliminate/reduce the remaining uncontrolled risk.
- Transference: Shifting risks to other areas or to outside entities.
- Mitigation: Reducing the impact to information assets.
- Acceptance: The decision to do nothing beyond the current level of protection to protect an information asset from risk, and to accept the outcome of any resulting exploitation.
- Termination: Removing/discontinuing the information asset from the org’s operating environment.

18
Q

Describe the concepts of “Layers of Defense.”

A

Prevent, Detect, Respond/Correct: these layers can be used to satisfy the time-based model. Multiple controls, no single point of failure. Residual risk is always greater than 0. Layer until the risk is below the risk appetite.

19
Q

Describe the “Time-based Model of Cybersecurity.”

A

Implementing a combination of preventive, detective, and responsive controls that protect information assets long enough to enable an org to recognize that an attack is occurring and thwart it. Examples: data-in-motion & data-at-rest encryption, multi-factor authentication, firewalls, WAN/LAN segmentation and role-based access, host and application hardening, pen and vulnerability testing, and lastly log monitoring (SIEM & DLP).

20
Q

How do the Layers of Defense and Time-Based Model add value to an InfoSec Architecture?

A

They add comprehensive protection; all three reduce risk, even though residual risk is always greater than 0.

21
Q

Describe at a high-level a phased approach to implementing an InfoSec Program based on best practices within an organization where an ineffective program currently exists.

A

- Phased Approach to Implement an InfoSec Program: all about applying layers of defense to protect the perimeter. We PLAN by inventorying assets and analyzing our risks to develop security policy. Then we PROTECT by implementing InfoSec controls, then RESPOND by monitoring and revising when needed. Then do it over again.
- Best Practices for an Org with an Ineffective Program: keep monitoring for new and emerging threats and threat vectors, review and update policies regularly, and change out initial controls when needed. Monitor and revise as needed.
- You can never be totally secure, but you can be secure enough!

22
Q

Examples of Prevention Controls?

A

Prevention Control Examples (keep threats from happening, guard the perimeter): Firewalls, IPS, Proxy Servers, SETA.

23
Q

Examples of Detection controls?

A

Detection Control Examples (designed to find threats after they have occurred): anti-malware, log monitors, SIEM, IDS.

24
Q

Example of corrective controls?

A

Corrective Control Examples (procedurally correct any threats that were found by the detective internal controls): changes to a firewall to block the recurrence of an attack, forensic procedures, employee retention, CP plans.