OSG Chapter 1 Flashcards

1
Q

1) What does AAA stand for?
2) What are the 5 elements of AAA services?

A

Authentication, Authorisation and Accountability

1) Identification - claiming to be an identity.
2) Authentication - proving you are that identity.
3) Authorisation - defining permissions to resources for the identity.
4) Auditing - recording logs for activities related to the system/resources.
5) Accounting - reviewing logs to check for compliance or violations and holding the subject accountable for actions taken.

2
Q

What are the 3 levels of planning for security planning and their timelines?

A

1) Strategic Plan - 5 years (longer term and relatively stable)
2) Tactical Plan - yearly (more detail to meet objectives of the strategic plan)
3) Operational Plan - various lengths (highly detailed short-term plan to meet defined objectives, feeding into the higher-level plans).

3
Q

What is a SLR with a 3rd party?

A

Service Level Requirement

A statement of the expectations of service and performance from the product or service of a vendor - often used for cloud providers.

4
Q

What is the asset owner?

A

The person who is responsible for classifying information for placement and protection within the security solution.

6
Q

What is a custodian?

A

The person who is responsible for:
1) Implementing the prescribed protection defined by the security policy or senior management.
2) Taking actions to protect the CIA (confidentiality, integrity and availability) of data.

7
Q

Name 7 common risk frameworks across IT and security

A

1) COBIT
2) NIST 800-53
3) CIS - Centre for Internet Security
4) NIST RMF
5) NIST CSF
6) ISO/IEC 27000 group
7) ITIL

8
Q

What is COBIT, what is it used for and what are its 6 key principles?

A

Control Objectives for Information and Related Technology

COBIT is a documented set of best IT practices made by ISACA, based on 6 key principles:

1) Provide stakeholder value
2) Holistic approach
3) Dynamic governance system
4) Governance distinct from management
5) Tailored to enterprise needs
6) End-to-end governance system

9
Q

What is NIST SP 800-53?

A

Security and privacy controls for information systems and organisations

These are the US government-sourced general recommendations for organisational security.

10
Q

What does the CIS framework provide?

A

Centre for Internet Security

They provide OS, application and hardware security configuration guides (CIS benchmarks).

11
Q

What is NIST RMF and what are its 6 phases?

A

NIST Risk Management Framework

It establishes mandatory requirements for federal agencies.

1) Categorise
2) Select
3) Implement
4) Assess
5) Authorise
6) Monitor

12
Q

What is the NIST CSF and what are its 5 categories?

A

NIST Cybersecurity Framework

It’s designed for critical infrastructure and commercial organisations and describes operational activities that are to be performed on an ongoing basis.

1) Identify
2) Protect
3) Detect
4) Respond
5) Recover

13
Q

What is the ISO/IEC 27000 group?

A

International Organisation for Standardisation/International Electrotechnical Commission

The international standards that can be the basis of implementing organisational security and related management practices.

14
Q

What is ITIL?

A

Information Technology Infrastructure Library

A set of recommended best practices for optimisation of IT services to support business growth, transformation and change.

15
Q

What is the difference between due diligence and due care?

A

Due Diligence:

Establishing a plan, policy and process to protect an organisation (i.e. knowing what should be done and planning for it).

Due Care:

Practicing the individual activities that maintain the due diligence effort (i.e. performing the right actions at the right time).

16
Q

What is a Security Policy for?

A

Security Policy:

Defines the scope of security needs, what assets need protecting and the extent to which the security solutions should go to provide the necessary protection - roles, responsibilities, audit requirements, etc.
Often used by senior management to show due diligence.

17
Q

What is a security standard?

A

Standards define compulsory requirements for the use of hardware, software, technology and security controls to provide a uniform implementation, which aligns with the security policy.

18
Q

What is a security baseline?

A

Defines the minimum level of security that every system in an organisation must meet.

19
Q

What is a security guideline?

A

A guideline offers recommendations on how standards and baselines are implemented. They are flexible and can be adapted to different unique systems or conditions.
They state which security mechanisms should be deployed, rather than a specific product or configuration settings.

20
Q

What is a security procedure?

A

A detailed, step-by-step, how-to document that describes the exact actions needed to implement a security mechanism, control or solution.

21
Q

What is STRIDE in threat modelling? Where is it used?

A

Spoofing - using a false identity to gain access.

Tampering - actions that change or manipulate data.

Repudiation - the ability to deny responsibility.

Information Disclosure - release of sensitive info to external/unauthorised parties.

DoS (Denial of Service) - preventing authorised usage of a resource.

Elevation of Privilege - an account is elevated into a privileged account.

It’s used to help inventory and categorise threats.

22
Q

What are the 7 stages of PASTA in threat modelling?
What is it used for?

A

Process for Attack Simulation and Threat Analysis

A risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected.

1) DO - Definition of Objectives for the analysis of risks

2) DTS - Definition of the Technical Scope

3) ADA - Application Decomposition and Analysis

4) TA - Threat Analysis

5) WVA - Weakness and Vulnerability Analysis

6) AMS - Attack Modelling and Simulation

7) RAM - Risk Analysis and Management

23
Q

What is VAST?

A

Visual, Agile and Simple Threat

It’s a threat modelling concept that integrates threat and risk management into agile programming environments on a scalable basis.

24
Q

What is reduction analysis and what are the 5 key concepts of the decomposition process?

A

As part of threat modelling, it’s understanding the components of the system to assess (e.g. breaking an organisation down into multiple network segments, trust boundaries, etc.).

1) Trust Boundaries - any location where the level of trust or security changes.

2) Dataflow paths - the movement of data between locations.

3) Input points - where external input is received.

4) Privileged operations - activities that require privileged accounts.

5) Details about security stance and approach.

25
Q

What is the DREAD rating system and what is it used for?

A

Damage potential, Reproducibility, Exploitability, Affected Users and Discoverability

It’s used to provide a flexible rating solution for prioritising risks and responses to threats.

1) Damage potential - how severe is the damage likely to be if the threat is realised?

2) Reproducibility - how complicated is it for attackers to reproduce the exploit?

3) Exploitability - how hard is it to perform the attack?

4) Affected Users - how many users are likely to be affected by the attack?

5) Discoverability - how hard is it for an attacker to discover the weakness?

26
Q

What is SCRM?

A

Supply Chain Risk Management