OSG Chapter 1 Flashcards
1) What does AAA stand for?
2) What are the 5 elements of AAA services?
Authentication, Authorisation and Accountability
1) Identification - claiming to be an identity.
2) Authentication - proving you are that identity.
3) Authorisation - defining permissions to resources for the identity.
4) Auditing - recording logs for activities related to the system/resources.
5) Accounting - reviewing logs to check for compliance or violations and holding the subject accountable for actions taken.
What are the 3 levels of security planning and their timelines?
1) Strategic Plan - 5 years (longer term and relatively stable)
2) Tactical Plan - yearly (more detail to meet objectives of the strategic plan)
3) Operational Plan - various lengths (highly detailed short plan to meet defined objectives, feeding into the higher level plans).
What is a SLR with a 3rd party?
Service Level Requirement
A statement of the expectations of service and performance from the product or service of a vendor - often used for cloud providers.
What is the asset owner?
The person who is responsible for classifying information for placement and protection within the security solution.
What is a custodian?
The person who is responsible for:
1) Implementing the prescribed protection defined by security policy or senior management.
2) Taking actions to protect the CIA of data.
Name 7 common risk frameworks across IT and security
1) COBIT
2) NIST 800-53
3) CIS - Centre for Internet Security
4) NIST RMF
5) NIST CSF
6) ISO/IEC 27000 group
7) ITIL
What is COBIT, what is it used for and what are its 6 key principles?
Control Objectives for Information and Related Technology
COBIT is a documented set of best IT practices made by ISACA, based on 6 key principles:
1) Provide stakeholder value
2) Holistic approach
3) Dynamic governance system
4) Governance distinct from management
5) Tailored to enterprise needs
6) End-to-end governance system
What is NIST SP 800-53?
Security and privacy controls for information systems and organisations
These are the US government-sourced general recommendations for organisational security.
What does the CIS framework provide?
Centre for Internet Security
They provide OS, application and hardware security configuration guides (CIS benchmarks).
What is NIST RMF and what are its 6 phases?
NIST Risk Management Framework
It establishes mandatory requirements for federal agencies.
1) Categorise
2) Select
3) Implement
4) Assess
5) Authorise
6) Monitor
What is the NIST CSF and what are its 5 categories?
NIST Cybersecurity Framework
It’s designed for critical infrastructure and commercial organisations and describes operational activities that are to be performed on an ongoing basis.
1) Identify
2) Protect
3) Detect
4) Respond
5) Recover
What is the ISO/IEC 27000 group?
International Organisation for Standardisation/International Electrotechnical Commission
The international standards that can be the basis of implementing organisational security and related management practices.
What is ITIL?
Information Technology Infrastructure Library
A set of recommended best practices for optimisation of IT services to support business growth, transformation and change.
What is the difference between due diligence and due care?
Due Diligence:
Establishing a plan, policy and process to protect an organisation (i.e. knowing what should be done and planning for it).
Due Care:
Practicing the individual activities that maintain the due diligence effort (i.e. performing the right actions at the right time).
What is a Security Policy for?
Security Policy:
Defines the scope of security needs, what assets need protecting and the extent the security solutions should go to provide necessary protection - roles, responsibilities, audit requirements, etc.
Often used by senior management to show due diligence.
What is a security standard?
Standards define compulsory requirements for the use of hardware, software, technology and security controls to provide a uniform implementation, which aligns to the security policy.
What is a security baseline?
Defines the minimum level of security that every system in an organisation must meet.
What is a security guideline?
A guideline offers recommendations on how standards and baselines are implemented. They are flexible and can be adapted for different unique systems or conditions.
They state which security mechanisms should be deployed, rather than a specific product/config settings.
What is a security procedure?
A detailed, step-by-step, how-to document that describes the exact actions needed to implement a security mechanism, control or solution.
What is STRIDE in threat modelling? Where is it used?
Spoofing - using a false identity to gain access.
Tampering - actions that change or manipulate data.
Repudiation - the ability to deny responsibility.
Information Disclosure - release of sensitive info to external/unauthorised parties.
DoS - preventing authorised usage of a resource.
Elevation of Privilege - an account is elevated into a privileged account.
It’s used to help inventory and categorise threats.
What are the 7 stages of PASTA in threat modelling?
What is it used for?
Process for Attack Simulation and Threat Analysis
A risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.
1) DO - Definition of Objectives for the analysis of risks
2) DTS - Definition of the Technical Scope
3) ADA - Application Decomposition and Analysis
4) TA - Threat Analysis
5) WVA - Weakness and Vulnerability Analysis
6) AMS - Attack Modelling and Simulation
7) RAM - Risk Analysis and Management
What is VAST?
Visual, Agile and Simple Threat
It’s a threat modelling concept that integrates threat and risk management into agile programming environments on a scalable basis.
What is reduction analysis and what are the 5 key concepts of the decomposition process?
As part of threat modelling, it’s understanding the components of the system to assess (e.g. breaking an organisation down into multiple network segments, trust boundaries, etc.).
1) Trust Boundaries - any location where the level of trust or security changes
2) Dataflow paths
3) Input points - where external input is received.
4) Privileged operations - activities that require privileged accounts.
5) Details about security stance and approach
What is the DREAD rating system and what is it used for?
Damage potential, Reproducibility, Exploitability, Affected Users & Discoverability
It’s used to provide a flexible rating solution for prioritising risks and responses to threats.
1) Damage potential - how severe is the damage likely to be if the threat is realised?
2) Reproducibility - how complicated is it for attackers to reproduce the exploit?
3) Exploitability - how hard is it to perform the attack?
4) Affected Users - how many users are likely to be affected by the attack?
5) Discoverability - how hard is it for an attacker to discover the weakness?
What is SCRM?
Supply Chain Risk Management