Module 2 - 02-4 Flashcards

OWASP principles and security audits

1
Q

Define Vulnerability Scanner

A

A network tool (hardware and/or software) that scans network devices to identify generally known and organization-specific CVEs. It may do this based on a wide range of signature strategies.

A tool (hardware and/or software) used to identify hosts/host attributes and associated vulnerabilities (CVEs, CWEs, and others).

2
Q

What does CVE stand for?

A

Common Vulnerabilities and Exposures

3
Q

What does CWE stand for?

A

Common Weakness Enumeration

4
Q

What does OWASP stand for?

A

Open Web Application Security Project, recently renamed Open Worldwide Application Security Project®

5
Q

How many Security Principles does OWASP have?

A

Ten (10)

6
Q

What are the OWASP Security Principles (10)?

A

1) Minimize Attack Surface Area
2) Establish Secure Defaults
3) The Principle of Least Privilege
4) The Principle of Defense in Depth
5) Fail Securely
6) Don’t Trust Services
7) Separation of Duties
8) Avoid Security by Obscurity
9) Keep Security Simple
10) Fix Security Issues Correctly

7
Q

Define Minimize Attack Surface Area

A

Attack surface refers to all the potential vulnerabilities a threat actor could exploit

8
Q

Define Attack Vector

A

Pathways attackers use to penetrate security defenses

9
Q

What is an example of a common Attack Vector (2)?

A
  • Phishing emails
  • Weak passwords
10
Q

How can an organization minimize attack surfaces and avoid security incidents (3)?

A
  • Disable software features
  • Restrict who can access certain assets
  • Establish more complex password requirements
11
Q

Define the Principle of Least Privilege

A

Users have the least amount of access required to perform their everyday tasks

12
Q

What is the main reason for limiting access to organizational information and resources?

A

To reduce the amount of damage a security breach could cause

13
Q

Define Defense in Depth

A

Organizations should have multiple security controls that address risks and threats in different ways

14
Q

Define Security Controls

A

Safeguards designed to reduce specific security risks

15
Q

What is an example of security controls (4)?

A
  • Multi-factor authentication (MFA)
  • Firewalls
  • Intrusion Detection Systems (IDSs)
  • Permission settings that can be used to create multiple points of defense
16
Q

What are examples of security controls that can be used to create multiple points of defense a threat actor must get through to breach an organization (4)?

A
  • Multi-factor authentication (MFA)
  • Firewalls
  • Intrusion detection systems (IDSs)
  • Permission settings
17
Q

Define Separation of Duties

A

Critical actions should rely on multiple people, each of whom follows the principle of least privilege.

No one should be given so many privileges that they can misuse the system. Separation of duties is used to prevent individuals from carrying out fraudulent or illegal activities.

18
Q

Define Keep Security Simple

A

Avoid unnecessarily complicated solutions. Complexity makes security difficult.

When implementing security controls, unnecessarily complicated solutions should be avoided because they can become unmanageable.
The more complex the security controls are, the harder it is for people to work collaboratively.

19
Q

Define Fix Security Issues Correctly

A

When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Identify the root cause quickly; it is important to correct any identified vulnerabilities and to conduct tests to ensure that the repairs are successful.

20
Q

Define Establish Secure Defaults

A

The optimal security state of an application is also its default state for users; it should take extra work to make the application insecure

21
Q

Define Fail Securely

A

When a control fails or stops, it should do so by defaulting to its most secure option

22
Q

Define Don’t Trust Services

A

An organization shouldn’t explicitly trust that their partners’ systems are secure

23
Q

Define Avoid Security by Obscurity

A

The security of key systems should not rely on keeping details hidden.

Consider the following example from OWASP (2016):
The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

24
Q

Define Audit

A

Independent reviews that evaluate whether an organization is meeting internal and external criteria

25
Q

Define Internal criteria

A

Outlined policies, procedures, and best practices.

26
Q

Define External criteria

A

Regulatory compliance, laws, and federal regulations

27
Q

Define Security Audit

A

A review of an organization’s security controls, policies, and procedures against a set of expectations

28
Q

What is the goal of a security audit?

A

To ensure an organization’s information technology (IT) practices are meeting industry and organizational standards

29
Q

What do Audits provide?

A

Direction and clarity, by identifying the current failures and developing a plan to correct them

30
Q

What is the objective of an internal security audit?

A

To identify and address areas of remediation and growth

31
Q

What are two main types of security audits?

A
  • External
  • Internal
32
Q

What are the purposes of internal security audits (3)?

A
  • Identify organizational risk
  • Assess controls
  • Correct compliance issues
33
Q

How can internal security audits help an organization (2)?

A
  • Improve an organization’s security posture
  • Avoid fines from governing agencies due to a lack of compliance
34
Q

What are the common elements of internal security audits (5)?

A
  • Establishing the Scope and Goals
  • Conducting a Risk Assessment
  • Completing a Controls Assessment
  • Assessing Compliance
  • Communicating Results
35
Q

What two elements are part of the Audit Planning Process?

A
  • Establishing the scope and goals
  • Conducting a risk assessment
36
Q

Define Scope

A

The specific criteria of an internal security audit

37
Q

What elements need to be identified for the Scope of an Internal Security Audit (5)?

A
  • People
  • Assets
  • Policies
  • Procedures
  • Technologies that might impact an organization’s security posture
38
Q

Define Goals

A

An outline of the organization’s security objectives

What they want to achieve in order to improve their security posture

39
Q

Define Conducting a Risk Assessment

A

Focused on identifying potential threats, risks, and vulnerabilities

This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets.

40
Q

After reviewing the Scope, Goals, and Risk Assessment what are some Audit questions you should ask yourself (4)?

A

1) What is the audit meant to achieve?
2) Which assets are most at risk?
3) Are current controls sufficient to protect those assets?
4) If not, what controls and compliance regulations need to be implemented?

41
Q

Define Controls Assessment

A

Closely reviewing an organization’s existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective

42
Q

What are the three Control Categories?

A

1) Administrative controls
2) Technical controls
3) Physical controls

43
Q

Define Administrative controls

A

Administrative controls relate to the human component of cybersecurity. They include policies and procedures that define how an organization manages data and that clearly define employee responsibilities, including each employee's role in protecting the organization. While administrative controls are typically policy based, the enforcement of those policies may require the use of technical or physical controls.

44
Q

Define Technical controls

A

Hardware and software solutions used to protect assets, such as the use of intrusion detection systems (IDSs) and encryption

45
Q

Define Physical controls

A

Measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks

46
Q

What are some examples of Control Types (4)?

A
  1. Preventative
  2. Corrective
  3. Detective
  4. Deterrent

These controls work together to provide defense in depth and protect assets.

47
Q

Define Preventative Controls

A

Designed to prevent an incident from occurring in the first place.

48
Q

Define Corrective Controls

A

Used to restore an asset after an incident

49
Q

Define Detective Controls

A

Implemented to determine whether an incident has occurred or is in progress

50
Q

Define Deterrent Controls

A

Designed to discourage attacks

51
Q

What are examples of Administrative Controls (6)?

A
  • Least Privilege
  • Disaster recovery plans
  • Password policies
  • Access control policies
  • Account management policies
  • Separation of duties
52
Q

What are examples of Technical Controls (7)?

A
  • Firewall
  • IDS/IPS
  • Encryption
  • Backups
  • Password management
  • Antivirus (AV) software
  • Manual monitoring, maintenance, and intervention
53
Q

What are examples of Physical Controls (7)?

A
  • Time-controlled safe
  • Adequate lighting
  • Closed-circuit television (CCTV)
  • Locking cabinets (for network gear)
  • Signage indicating alarm service provider
  • Locks
  • Fire detection and prevention (fire alarm, sprinkler system, etc.)
54
Q

What are examples of Preventative Controls (12)?

A
  • Least Privilege
  • Password policies
  • Access control policies
  • Account management policies
  • Separation of duties
  • Firewall
  • Password management
  • Manual monitoring, maintenance, and intervention
  • Closed-circuit television (CCTV)
  • Locking cabinets (for network gear)
  • Locks
  • Fire detection and prevention (fire alarm, sprinkler system, etc.)
55
Q

What are examples of Corrective Controls (3)?

A
  • Disaster recovery plans
  • Backups
  • Antivirus (AV) software
56
Q

What are examples of Detective Controls (3)?

A
  • IDS/IPS
  • Closed-circuit television (CCTV)
  • Fire detection and prevention (fire alarm, sprinkler system, etc.)
57
Q

What are examples of Deterrent Controls (5)?

A
  • Encryption
  • Time-controlled safe
  • Adequate lighting
  • Signage indicating alarm service provider
  • Locks
58
Q

What is the Control Type and Purpose of Least Privilege?

A

Preventative

Reduce risk and overall impact of malicious insider or compromised accounts

59
Q

What is the Control Type and Purpose of Disaster recovery plans?

A

Corrective

Provide business continuity

60
Q

What is the Control Type and Purpose of Password policies?

A

Preventative

Reduce likelihood of account compromise through brute force or dictionary attack techniques

61
Q

What is the Control Type and Purpose of Access control policies?

A

Preventative

Bolster confidentiality and integrity by defining which groups can access or modify data

62
Q

What is the Control Type and Purpose of Account management policies?

A

Preventative

Managing account lifecycle, reducing attack surface, and limiting overall impact from disgruntled former employees and default account usage

63
Q

What is the Control Type and Purpose of Separation of duties?

A

Preventative

Reduce risk and overall impact of malicious insider or compromised accounts

64
Q

What is the Control Type and Purpose of Firewall?

A

Preventative

To filter unwanted or malicious traffic from entering the network

65
Q

What is the Control Type and Purpose of IDS/IPS?

A

Detective

To detect and prevent anomalous traffic that matches a signature or rule

66
Q

What is the Control Type and Purpose of Encryption?

A

Deterrent

Provide confidentiality to sensitive information

67
Q

What is the Control Type and Purpose of Backups?

A

Corrective

Restore/recover from an event

68
Q

What is the Control Type and Purpose of Password management?

A

Preventative

Reduce password fatigue

69
Q

What is the Control Type and Purpose of Antivirus (AV) software?

A

Corrective

Detect and quarantine known threats

70
Q

What is the Control Type and Purpose of Manual monitoring, maintenance, and intervention?

A

Preventative

Necessary to identify and manage threats, risks, or vulnerabilities to out-of-date systems

71
Q

What is the Control Type and Purpose of Time-controlled safe?

A

Deterrent

Reduce attack surface and overall impact from physical threats

72
Q

What is the Control Type and Purpose of Adequate lighting?

A

Deterrent

Deter threats by limiting “hiding” places

73
Q

What is the Control Type and Purpose of Closed-circuit television (CCTV)?

A

Preventative/Detective

Closed-circuit television is both a preventative and a detective control: its presence can reduce the risk of certain types of events occurring, and its footage can be used after an event to inform on the event's conditions

74
Q

What is the Control Type and Purpose of Locking cabinets (for network gear)?

A

Preventative

Bolster integrity by preventing unauthorized personnel and other individuals from physically accessing or modifying network infrastructure gear

75
Q

What is the Control Type and Purpose of Signage indicating alarm service provider?

A

Deterrent

Deter certain types of threats by making the likelihood of a successful attack seem low

76
Q

What is the Control Type and Purpose of Locks?

A

Deterrent/Preventative

Bolster integrity by deterring and preventing unauthorized personnel and other individuals from physically accessing assets

77
Q

What is the Control Type and Purpose of Fire detection and prevention (fire alarm, sprinkler system, etc.)?

A

Detective/Preventative

Detect fire in physical location and prevent damage to physical assets such as inventory, servers, etc.

78
Q

Define Compliance Regulations

A

Laws that organizations must follow to ensure private data remains secure

79
Q

Define Communication

A

Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders

80
Q

What topics would be part of the Stakeholder Communication (5)?

A

1) Summarizes the scope and goals
2) Lists existing risks
3) Notes how quickly those risks need to be addressed
4) Identifies compliance regulations
5) Provides recommendations

81
Q

What areas of focus are on an Audit checklist (5)?

A

1) Identify the scope of the audit
2) Complete a risk assessment
3) Conduct the audit
4) Create a mitigation plan
5) Communicate results to stakeholders

82
Q

Define Identify the scope of the audit (4)

A

  • List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)
  • Note how the audit will help the organization achieve its desired goals
  • Indicate how often an audit should be performed
  • Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees

83
Q

Define Complete a risk assessment

A

A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).

84
Q

Define Conduct the audit

A

When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.

85
Q

Define Create a mitigation plan

A

A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

86
Q

Define Communicate results to stakeholders

A

The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.

87
Q

A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?

  • Minimize the attack surface
  • Separation of duties
  • Fix security issues correctly
  • Defense in depth
A

Minimize the attack surface

This scenario describes minimizing the attack surface.

88
Q

A security _____ is a review of an organization’s security controls, policies, and procedures against a set of expectations.

  • classification
  • examination
  • audit
  • survey
A

audit

89
Q

A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?

  • Compliance regulations
  • Communicating results
  • Controls assessment
  • Security recommendations
A

Controls assessment

This scenario describes a controls assessment. A controls assessment involves closely reviewing an organization’s existing assets, then evaluating potential risks to those assets in order to ensure internal controls and processes are effective.

90
Q

A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication? Select three answers.

  • A summary of the audit’s scope and goals
  • A list of risks and compliance requirements that need to be addressed
  • A recommendation about how to improve the organization’s security posture
  • A list of questions for stakeholders to answer
A
  • A summary of the audit’s scope and goals
  • A list of risks and compliance requirements that need to be addressed
  • A recommendation about how to improve the organization’s security posture

When communicating the results of an internal audit to stakeholders, the communication should include a summary of the audit’s scope and goals; a list of risks and compliance requirements that need to be addressed; and a recommendation about how to improve the organization’s security posture.