Methodologies and Security Controls

Question 1

What is the purpose of a Security Assessment?

Answer 1

To check the organizations security and make sure its configured properly to thwart attacks and threats.

Note:  
Vulnerability Assessments
Penetration Testing
Internal and External Audits
Self Assessments 
Password Analysis
And More

Question 2

Are these assessments required?

Answer 2

They may be in order to fulfill a contract, regulations, or legal requirements.

Question 3

What are the two main methodologies to conduct an assessment?

Answer 3

Active and Passive

Question 4

What is an active assessment?

Answer 4

These are more intrusive techniques. Scanning, hands-on testing, probing the network to find vulnerabilities. These types of assessments have the potential to bring down the network.

Question 5

What is a passive assessment?

Answer 5

These use passive collection and analysis of network data. Looking for open source information, and anything that may find information without direct contact with the targeted systems.

Note: Passive techniques are limited in scope.

Question 6

What are the first three types of security controls?

Answer 6

Physical, Technical, and Administrative

Question 7

What is a physical control?

Answer 7

Security measure that physically prevent access to sensitive information or the systems that contain it.

Note: This literally means fences, door locks, etc.

Question 8

What is a technical control?

Answer 8

These are safeguards and countermeasures to avoid, detect, counteract, minimize security risks to our systems and information.

Note: These are things like passwords and encryption etc.

Question 9

What is an administrative control?

Answer 9

These are things to change the behavior of people such as setting a company policy or procedure.

Question 10

What 3 other categories does National Institute of Standards and Technology (NIST) use?

Answer 10

Management, Operational, and Technical

Question 11

What are management controls?

Answer 11

Security controls that focus on decision-making and management of risk.

Question 12

What are operational controls?

Answer 12

Focused on things done by people.

User training, testing, disaster recovery, configuration management

Question 13

What are technical controls?

Answer 13

Logical controls put into a system to help secure it.

Encryption, AAA, Passwords, etc

Question 14

What is ANOTHER set of 3 security controls?

Answer 14

Preventative, Detective, and Corrective

Question 15

What are preventative controls?

Answer 15

Preventive control: It prevents any security breach from occurring. Aimed at preventing an incident from occurring.

Example

Security guards at door,
Proximity cards or bio-metrics at the entrance to the building,
Change management policy, etc.

Question 16

What are detective controls?

Answer 16

Detective controls: Detective controls attempt to detect any break-in that has already happened. Aimed at detecting incidents after they have occurred.

Example

Log monitoring,
Trend analysis,
Security audit
video surveillance systems
motion detection systems.

Question 17

What is a corrective control?

Answer 17

Corrective controls: Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Aimed at reversing the impact of an incident.

Example:

Active IDS. Active intrusion detection systems (IDSs) - IDS detects an intruder and engage systems that block the progression of intrusion.
Backups and system recovery.

Question 18

What is the last security control and why use it?

Answer 18

Compensating control - Used whenever you cant meet the requirements for a normal control.

Question 19

Note for exam:

Answer 19

Security controls be categorized into multiple types of categories and expect to have to do this on the test.