foundations

Question 1

Security Mindset

Answer 1

Understand past and recent.
- How things work and can be made to fail

1. Trust, but verify
2. Stop. Think. Connect.
3. If you see something, say something

Question 2

Business Email Compromise

Answer 2

• attacker obtains access to a business email account and imitates the owner
• man in the email attack
  Archetypes:
• false invoice scheme
• ceo fraud
• account compromise
• attorney impersonation
• data theft
  Countermeasures
• IDS rules to flag emails
• email rules reply different from
• color coding employee/internal vs external
• payment 2-factor
• confirmation requests 2-factor

Question 3

Security Principles

Answer 3

Framework for all security programs.
-Economy of mechanism
-Fail-safe defaults
-Complete mediation
-Open design
-Separation of privilege
-Least privilege
-Least common mechanism
-User-friendly interface

Question 4

Economy of mechanism

Answer 4

Keep things small and simple
Complexity is an enemy of security

Question 5

Fail-safe

Answer 5

Anticipate how things can go wrong
Fail smart

Question 6

Least privilege

Answer 6

Minimum privileges needed to do a job

Question 7

Choke points and defense in depth

Answer 7

• only one way in or out (choke point)
• defense in depth (layers of security)

Question 8

CIA

Answer 8

Confidentiality - Integrity - Availability
Confidentiality - who can see and read sensitive information
Integrity - limit who can change sensitive information
Availability - ensuring the information is there when we need it

Question 9

Standard Organizations

Answer 9

-NIST
-ISO
-IEC
-PCI