Other stuff Flashcards
Identification -> Assessment -> Treatment -> Tracking -> Review. What’s this?
Risk management phases
What’s the annual loss expectancy?
Single loss expectancy x annual rate of occurrence (ALE = SLE x ARO, where SLE = asset value x exposure factor)
Name the 6 types of security controls.
Two groupings of three: by how they are implemented (physical, technical, administrative) and by what they do (preventive, detective, corrective)
What’s MAC?
Mandatory access control - the system enforces access from labels and clearances set by the administrator; resource owners cannot override them
What’s DAC?
Discretionary access control - the resource owner decides who gets access (typically via an ACL)
What’s RBAC?
Role-based access control - permissions are attached to roles, and users are assigned roles rather than individual permissions
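The three models side by side, as an added example that is not part of the original flashcards. The users, labels, roles and the "report" object are invented for illustration; the MAC rule is the Bell-LaPadula read-down / write-up rule, and the point to notice is that under DAC the owner can share the object, under MAC only the administrator's labels decide, and under RBAC the user's role decides.

```python
"""Added example (not from the original flashcards): MAC, DAC and RBAC
checks side by side. All users, labels, roles and files are invented."""
from enum import IntEnum


# ---- MAC: labels are fixed by the administrator; owners cannot override ----
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


def mac_allows(clearance: Level, label: Level, action: str) -> bool:
    """Bell-LaPadula style rule: a subject may read objects at or below its
    clearance (no read up) and write objects at or above it (no write down)."""
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


# ---- DAC: the resource owner decides, via an ACL the owner controls --------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        # Owner starts with full rights, including the right to grant.
        self.acl: dict[str, set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, grantor: str, grantee: str, perm: str) -> bool:
        # Only a principal holding 'grant' (the owner by default) may extend the ACL.
        if "grant" not in self.acl.get(grantor, set()):
            return False
        self.acl.setdefault(grantee, set()).add(perm)
        return True

    def allows(self, user: str, action: str) -> bool:
        return action in self.acl.get(user, set())


# ---- RBAC: permissions attach to roles, users are assigned roles -----------
ROLE_PERMS = {
    "auditor": {"read"},
    "editor": {"read", "write"},
}
USER_ROLES = {
    "alice": {"editor"},
    "bob": {"auditor"},
}


def rbac_allows(user: str, action: str,
                user_roles=USER_ROLES, role_perms=ROLE_PERMS) -> bool:
    return any(action in role_perms.get(r, set())
               for r in user_roles.get(user, set()))


def demo() -> dict:
    """Same request under each model: bob wants to read alice's report."""
    report = DacObject(owner="alice")
    results = {}
    # DAC: alice, as owner, can share with bob at her discretion.
    results["dac_before_grant"] = report.allows("bob", "read")
    report.grant("alice", "bob", "read")
    results["dac_after_grant"] = report.allows("bob", "read")
    # A user without 'grant' cannot give herself access.
    results["dac_mallory_grant"] = report.grant("mallory", "mallory", "read")
    # MAC: only the administrator's labels matter; alice cannot hand bob a clearance.
    results["mac_read_down"] = mac_allows(Level.SECRET, Level.INTERNAL, "read")
    results["mac_read_up"] = mac_allows(Level.INTERNAL, Level.SECRET, "read")
    results["mac_write_down"] = mac_allows(Level.SECRET, Level.INTERNAL, "write")
    # RBAC: bob's auditor role reads but does not write.
    results["rbac_bob_read"] = rbac_allows("bob", "read")
    results["rbac_bob_write"] = rbac_allows("bob", "write")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see each decision printed; the contrast between `dac_after_grant` (True, owner shared it) and `mac_read_up` (False, no owner can change a label) is what the flashcards above are getting at.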
What’s a standard?
Mandatory rules that must be followed
What’s a baseline?
Provides the minimum necessary security
What’s a guideline?
Flexible, but recommended
What’s a procedure?
Step-by-step guides
Promiscuous, Permissive, Prudent, Paranoid. Explain?
Promiscuous - wide open, nothing blocked. Permissive - only block "known bad". Prudent - block all "known bad" by default, allow only what business needs justify. Paranoid - lock everything down; nothing is allowed unless explicitly required, even at the cost of usability.
Name 6 of the 9 vulnerability types.
Misconfiguration, Buffer overflow, Default installation, Unpatched, Open services, Default passwords, Design flaws, OS flaws, App flaws
What’s the CC?
Common Criteria for Information Technology Security Evaluation - an international standard (ISO/IEC 15408)
What’s the EAL and how can it be ranked?
Evaluation Assurance Level - from 1 to 7
What’s the TOE?
Target of evaluation - what’s being tested
What’s the ST?
Security target - a document that identifies the security properties of the TOE
What’s the PP?
Protection profile - a document that identifies the security requirements for the service or product
Name 5 relevant laws or standards and what they’re relevant to.
HIPAA - medical
SOX - corporate disclosure
PCI-DSS - cards, ATMs, PoS
COBIT - IT governance framework
ISO/IEC 27001 - standards for secure IS
FISMA - US legislation to protect government information
What’s HIPAA for?
Medical
What’s SOX for?
Corporate disclosure
What’s PCI-DSS for?
Cards, ATMs, PoS
What’s COBIT?
IT governance framework created by ISACA and ITGI
What’s ISO/IEC 27001?
International standard for an information security management system (ISMS), i.e. how to run security in an organisation
What’s FISMA?
US legislation to protect government information
Name the standards that govern medical systems.
HIPAA
Name the standards that govern corporate disclosure.
SOX
Name the standards that govern cards, ATMs, point of sale.
PCI-DSS
Name the IT governance framework created by ISACA and ITGI.
COBIT
Name the international standards for secure IS.
ISO/IEC 27001
Name the US legislation to protect government information.
FISMA
Name the four attack types.
OS attacks, Application attacks, Shrink-wrap code, Misconfiguration.
What’s an OS attack?
Attacks on the operating system itself: default settings, default passwords, exposed admin panels, unpatched OS flaws
What’s an application attack?
Programming code, software logic
What’s shrinkwrap code?
Built-in or off-the-shelf code and scripts reused in the product (e.g. jQuery); a flaw in the library becomes a flaw in everything that ships it
What’s misconfiguration?
Systems set up for convenience rather than security (unneeded services, weak defaults left in place): easier for users = less secure
Name the 3 phases of the pen-test.
Preparation (scope, ROE), assessment, reporting
What’s GLBA?
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to take steps to protect customer information. It also requires them to disclose their privacy practices to the public.