ISC2 - Study Notes 17 Flashcards

1
Q

Gain permissions, perform a vulnerability assessment (discovery/recon, fingerprinting, identify vulnerabilities), attempt to exploit the vulnerabilities, report results to management (a report with recommendations for controls to mitigate any of the vulnerabilities).

A

Steps for Penetration Testing:

2
Q

The cost of a control is justified if the cost of the control is significantly lower than the annual loss expectancy (ALE) without the control. The cost is usually not justified if the cost of the control is significantly higher than the ALE without the control. When the costs and savings are about the same, management may request a return on investment (ROI) analysis to determine whether the cost is justified. The ROI looks at the cost over a longer period of time.

A

Info

3
Q

(1) Select Security Controls (the evaluation often includes a risk assessment, using either a quantitative or a qualitative analysis, and a cost-benefit analysis to determine the benefit of the control), (2) Implement Security Controls, (3) Assess Security Controls (verify the controls to see if they are implemented correctly), (4) Monitor Security Controls (monitor on a continual basis to see their effectiveness, and also monitor additional factors such as changes to the protected system and changes to external laws, regulations, policies, and guidelines).

Controls have three primary goals: prevention, detection, and correction.

A

Security Controls Lifecycle / Info

4
Q

Intrusion prevention systems

Written policies and procedures

Background checks on prospective employees

Implementation of separation of duties and least privilege policies

Strong access control processes (starting with strong authentication)

Technical password policies that force users to create strong passwords and change them periodically

Termination processes that ensure personnel disable accounts for terminated employees

Classification of data (such as public, private, and proprietary) and implementation of varying levels of protection based on the classification

Encryption of data (both at rest and in transit)

Security cameras, fences, and guards

A

Preventative Controls

5
Q

Forensics analysis

Physical inventories

Intrusion detection systems

Scripts to automate discovery of events of interest

AV software that can detect malware installed on a system

Audit logs (including logs on servers and network resources such as firewalls)

Reconciliation (comparing different sets of data with each other, such as comparing a database inventory with a physical inventory)

A

Detective Controls

6
Q

Intrusion detection systems (that can actively make changes)

AV software that can remove or isolate malware

Procedures to back up data and restore backups

Disaster recovery and business continuity plans

Scripts to automate corrective processes

A

Corrective Controls

7
Q

Many controls combine preventive, detective, and corrective measures. For example, AV software is detective when it identifies malware and corrective when it removes it. Similarly, a backup policy is a preventive control because it attempts to prevent the loss of data. The procedures to restore data from backups are corrective controls because they provide the means to restore data after a data loss.

A

Info

8
Q

Directive controls: these are controls mandated by a higher authority. For example, the Health Insurance Portability and Accountability Act (HIPAA) directs organizations to implement specific safeguards to protect private health information (PHI). The controls that an organization implements to protect PHI are directive controls.

A

Info

9
Q

Written documents such as security policies and standards that provide direction to employees

Step-by-step procedures for routine operations such as performing backups and verifying proper operation of fire prevention and detection equipment

Baseline templates to provide a starting point for security controls

Clear processes for configuration, change, and patch management

Tests and assessments such as risk assessments and vulnerability assessments

Plans (such as incident response plans) that help an organization respond to incidents

User awareness and training programs to help users take an active role in security

A

Administrative Controls

10
Q

Identification and authentication controls that allow users to prove their identity

Technical password policies that enforce the written security policies, such as password aging settings that force users to change their password periodically

Access controls that ensure only authorized entities have access to systems and data

Auditing and accountability controls that track activity and detect unauthorized access

Network access controls that restrict network access for clients that do not meet minimum security requirements

Encryption protocols that scramble data and provide confidentiality

Session timeout settings that lock a user’s system or close a web browser session after a period of inactivity

A

Technical Controls
