InfoSec Final Flashcards
The assessment of physical and logical vulnerabilities in information systems and related systems; these systems may be technical or non-technical. It is preventive in nature and works from the inside out.
What is vulnerability testing?
A set of security tests and evaluations that simulate attacks by a hacker or other malicious external source (an ethical hack); basically an authorized security test and evaluation. This is a control and works from the outside in.
What is penetration testing?
Scanners (tools designed to identify whether a system presents security weaknesses), patch management, and endpoint configuration checks.
What are examples of vulnerability testing?
White box test (tester has complete information), black box test (tester has only high-level information, as an outsider would), gray box test (tester has limited information).
What are examples of penetration testing?
A generic outline that describes what the intended security controls will look like. The framework/model is the outline; the organization-specific blueprint built from it adds the details on how to get there.
What is an InfoSec framework/model?
The set of responsibilities and practices exercised by executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
What is good InfoSec Governance?
The overall planning for unexpected adverse events. It is necessary because the main goal of CP is to restore normal modes of operation as quickly as possible after an unexpected adverse event, with minimum cost and disruption to normal business activities.
What is contingency planning and why is it necessary?
What are the 4 components of CP?
Business impact analysis (BIA), incident response (IR) plan, disaster recovery (DR) plan, and business continuity (BC) plan, in that order.
Controls that keep threats from happening and guard the perimeter. Examples: firewalls, IPS, proxy servers, SETA (security education, training and awareness).
Prevention Controls
Controls designed to find threats after they have occurred. Examples: anti-malware, log monitors, SIEM, IDS.
Detection Controls
Controls that procedurally correct any threats found by the detective controls. Examples: changes to a firewall to block the recurrence of an attack, forensic procedures, employee retention, CP plans.
Corrective controls.
What are the steps of risk management?
- Risk identification (where and what is the risk?)
- Risk analysis (how severe is the current level of risk?)
- Risk evaluation (is the current level of risk acceptable?)
- Risk treatment (what can be done to bring the risk to an acceptable level?)
What are the following?
- Defense: applying controls/safeguards that eliminate or reduce the remaining uncontrolled risk.
- Transference: shifting risks to other areas or to outside entities.
- Mitigation: reducing the impact on information assets.
- Acceptance: the decision to do nothing beyond the current level of protection to protect an information asset from risk, and to accept the outcome of any resulting exploitation.
- Termination: removing or discontinuing the information asset from the organization's operating environment.
Examples of risk treatment strategies
Prevent, detect, respond/correct (PDR) controls used in combination so as to satisfy the time-based model: multiple controls, no single point of failure. Residual risk is always greater than zero, so controls are layered until the remaining risk is below the risk appetite.
Layers of Defense
Implementing a combination of preventive, detective and responsive controls that protect information assets long enough for an organization to recognize that an attack is occurring and thwart it. Formally, the model holds when the time the preventive controls buy (P) exceeds the time to detect (D) plus the time to respond (R): P > D + R. Examples: data-in-motion and data-at-rest encryption, multi-factor authentication, firewalls, WAN/LAN segmentation and role-based access, host and application hardening, penetration and vulnerability testing, and lastly log monitoring (SIEM and DLP).
Time-Based Model
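As an added worked example that is not part of these flashcards: a small Python script that ties the control-type cards (detection and corrective controls) to the time-based model card. It runs a detective control (brute-force detection over constructed sshd log lines), derives a corrective control from its findings (an iptables block rule), and then applies the model's P > D + R check using the detection latency it measured. The log lines, addresses, threshold, window, and the protection and response times are all assumptions made for this example, not data from the flashcards.

```python
"""Added example (not from the flashcards): detect -> correct -> time-based check.
Log lines, IPs, thresholds and timings are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines in a syslog-like layout (not real data).
# One source makes five failures in nine seconds; another makes two, far apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
2024-03-01T10:00:03 host sshd[101]: Failed password for root from 198.51.100.7 port 50123 ssh2
2024-03-01T10:00:05 host sshd[102]: Failed password for root from 198.51.100.7 port 50124 ssh2
2024-03-01T10:00:08 host sshd[103]: Failed password for invalid user test from 198.51.100.7 port 50125 ssh2
2024-03-01T10:00:10 host sshd[104]: Failed password for root from 198.51.100.7 port 50126 ssh2
2024-03-01T10:00:12 host sshd[105]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
2024-03-01T10:00:30 host sshd[106]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2024-03-01T10:05:00 host sshd[107]: Failed password for alice from 203.0.113.5 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+)"
)


def parse_failed_logins(log_text):
    """Detective control input: (timestamp, user, source ip) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Detective control: flag a source producing `threshold` failures inside `window`.
    Returns {ip: (first_failure, detection_time)} for each offender."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            # Sliding window over the last `threshold` failures ending at stamps[i].
            if stamps[i] - stamps[i - threshold + 1] <= window:
                offenders[ip] = (stamps[0], stamps[i])
                break
    return offenders


def corrective_rules(offenders):
    """Corrective control: the firewall change that blocks recurrence (iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def attack_thwarted(protection_s, detection_s, response_s):
    """Time-based model: the attack is stopped in time only if P > D + R."""
    return protection_s > detection_s + response_s


def evaluate(log_text, protection_s=300.0, response_s=60.0):
    """Run detection over the log and apply the time-based check per offender.
    protection_s (seconds the preventive layers hold) and response_s (time to
    apply the corrective rule) are assumed values for this example."""
    offenders = detect_brute_force(parse_failed_logins(log_text))
    result = {"rules": corrective_rules(offenders), "thwarted": {}}
    for ip, (first, detected) in offenders.items():
        detection_s = (detected - first).total_seconds()
        result["thwarted"][ip] = attack_thwarted(protection_s, detection_s, response_s)
    return result


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

With the assumed values, 198.51.100.7 is detected 9 seconds after its first failure and the block rule is emitted; since 300 > 9 + 60, the model says the layers held. Lowering the protection time (for example, no rate limiting on authentication, so protection_s=30.0) makes the same detection and response too slow, which is the point of the model: detection and response only count if prevention buys enough time for them.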