Personnel Security and Risk Management Concepts Flashcards
What is the first step in hiring
Job Description
What is the purpose of job responsibilities
Defines work tasks and defines what a person should be responsible for
Process of adding new employees to the org, having them review and sign employment agreements and policies, and receive training on employee operations/logistics.
Onboarding
Why is it important to have a good IAM?
Identity and Access Management:
- provisions account
- assigns privileges
- assigns accesses
Describe the principle of least privilege
Users should have the least amount of privilege required to do their job.
What must happen when a user leaves their job and why?
Review NDA - it is the one legally binding document that safeguards against disclosure.
Why enforce mandatory vacations?
Used as a peer review process
- verify privileges of employees
- attempt to detect fraud and abuse.
What is UBA
User Behavior Analytics: analyze the behavior of users, visitors, customers, etc. for some specific goal.
When would you go through offboarding processes, i.e., remove someone from IAM?
Hire | Fire | Transfer
What is a risk that exists when several entities or organizations are involved in a project?
Multiparty Risk
Define SLA
Service Level Agreement: Ensure that organizations providing services maintain an appropriate level of service agreed on by both the service provider, vendor, or contractor and the customer organization.
What is the type of risk response option that is used in the process of outsourcing
assignment/transference
The detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating risk.
Risk Management
Examination of the environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause.
Risk Assessment - probability
Evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis
Risk Response - implementing countermeasures
Asset
Anything used in business process or task - person, place, or thing, tangible or intangible.
Asset valuation
the value assigned to an asset based on actual cost, use in critical processes, and even non-monetary expense such as time
Threats
any POTENTIAL OCCURRENCE that may cause an undesirable or unwanted outcome
Threat agents
usually people but could be programs, hardware or systems
Threat events
accidental occurrences and intentional exploitations of vulnerabilities: system failures, fires, floods, earthquakes, human error, power outages
Threat vector
means by which an attack or attacker can gain access to a target in order to cause harm
Vulnerability
weakness in an asset or weakness of a safeguard
loophole
limitation
susceptibility
Exposure
Being susceptible to asset loss because of risk
Risk (math and definition)
possibility or likelihood that threat will exploit a vulnerability to cause harm to an asset and severity of damage.
Risk = threat * vuln
Risk = probability of harm * severity of harm
Safeguard
security control, protection mechanism, countermeasure
Attack
intentionally attempted exploitation of a vulnerability
Breach
successful attack - intrusion or penetration beyond a security mechanism
Asset-Based Valuation
Start with inventorying all organizational assets and valuing them based on tangible and intangible issues.
Which method is preferred? Quantitative risk analysis or Qualitative risk analysis?
Neither - both methods are valuable to gain a balanced view of the security concerns.
Qualitative Risk Analysis
Assign subjective and intangible values to the loss of an asset. (can be SUBJECTIVE)
Quantitative Risk Analysis
Assign a real dollar figure to the loss of an asset based on math calculations. (mostly OBJECTIVE)
An anonymous feedback and response process used to enable a group to reach an anonymous consensus.
Delphi Technique
Calculate EF
Exposure Factor / Loss potential
% loss that the org would experience if the specific asset were violated by a realized risk.
Potential loss associated with a single realized threat against a specific asset.
SLE - Single loss expectancy
SLE = asset value AV * exposure factor EF
What is the SLE of an asset valued at $300,000 that has an exposure factor of 30%?
0.3*300,000 = $90,000
The expected frequency with which a specific threat or risk will occur within a single year
The annualized rate of occurrence.
The possible yearly loss of all instances of a specific realized threat against a specific asset.
Annualized Loss Expectancy
ALE = Single loss expectancy * Annual Rate of Occurrence
ALE = AV * EF * ARO
What is the ALE for a $200,000 asset with an EF of 45% and an ARO of 0.67?
$60,000
Risk Mitigation
Reducing risk through the implementation of safeguards, security controls, and countermeasures, e.g., deploying encryption and using firewalls.
Risk Assignment
Outsourcing. Placing responsibility on outside entity or organization.
Risk Deterrence
Implementing deterrents like auditing, security cameras, warning banners, security guards.
Risk Avoidance
Selecting alternate options or activities that have less associated risk
Risk Acceptance
After cost/benefit analysis, the decision is made to accept the risk but it must be well documented and signed by upper management
Risk Rejection
Unacceptable. Ignoring risk by denying that it exists and hoping it goes away or that nothing happens. Negligence and could be illegal.
Natural or native default risk that exists in an environment, system, or product prior to any risk management efforts. (starting risk)
Inherent Risk
Risk after safeguards have been implemented.
Residual risk.
Total risk - controls gap = residual risk
Amount of risk org would face without safeguards
Total risk.
Threats * Vulnerabilities * asset value = total risk
Will a reduction in EF or a reduction in ARO reduce the SLE? ALE?
Only EF reduces SLE because SLE is the single loss expectancy whereas ARO is the annual rate of occurrence. SLE = AV * EF. Both reduce ALE because ALE = AV * EF * ARO.
Original asset threat pair risk is ALE1 or ALE2?
ALE1
Asset risk post safeguard is ALE1 or ALE2?
ALE2
How do you calculate the value of the safeguard to the company?
ALE1 - ALE2 - ACS = value to company
ALE1: asset-threat pair without safeguard
ALE2: asset-threat pair post-safeguard
ACS: Annual cost of the safeguard
What are the three categories of security controls in a defense-in-depth implementation?
Physical, Logical/Technical, Administrative
What category of security control are the policies and procedures defined by an organization’s security policy and other regulations or requirements?
Administrative Controls
What category of security control involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems?
Technical or Logical Controls
What category of security controls are focused on providing protection to the facility and real-world tangible objects?
Physical Controls
Deployed to discourage security policy violations
Deterrent control
Deployed to discover or detect unwanted or unauthorized activity
Detective control
Deployed to provide various contingency options to other existing controls
Compensating control (e.g., having a backup place to go in the event of a fire, or storing files in a backed-up location).
Modification to the environment to return systems to normal after an unwanted or unauthorized activity occurs.
Corrective control
Extension of corrective controls - restores resources or capabilities after a security policy violation.
Recovery control
What can you perform to determine the effectiveness of the security mechanisms and evaluate the quality and thoroughness of the risk management processes of the organization and produce a report of the relative strengths and weaknesses of the deployed security infrastructure?
Security Controls Assessment (SCA)
What framework assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process?
Risk Maturity Model (RMM)
Within the Risk Maturity Model (RMM), the chaotic starting point from which all organizations initiate risk management is called: ___________?
Ad hoc
Within the Risk Maturity Model (RMM), the level at which loose attempts are made to follow risk management processes but each department performs them independently is called: ___________?
Preliminary
Within the Risk Maturity Model (RMM), the level at which risk management operations are merged into business processes, metrics are used to gather data, and risk is considered an element in business strategy decisions is called: ___________?
Integrated
Within the Risk Maturity Model (RMM), the level at which a common or standardized risk framework is adopted organization-wide is called: ___________?
Defined
Within the Risk Maturity Model (RMM), the level at which risk management focuses on achieving objectives rather than merely reacting to external threats, increased strategic planning is geared toward business success rather than just avoiding incidents, and lessons learned are reintegrated into the risk management process is called: ___________?
Optimized
Can you continue to use a product that is at the end of life (EOL)? Why or why not?
It is OK to use a product that is at EOL, but it should be scheduled for replacement before it reaches end of support (EOS) or end of service life (EOSL).
Can you continue to use a product that is at the end of service life (EOSL)? Why or why not?
It is not good practice because the vendor will have terminated support, so the business will be liable to maintain the equipment, service, and security of it.
What are the five steps of the Cybersecurity Framework (CSF)?
Identify, Protect, Detect, Respond, Recover
What are the six cyclical phases of the Risk Management Framework (RMF)?
Prepare to execute the RMF from an org and system level
Categorize system and info processed
Select controls
Implement controls
Assess controls
Authorize system or common controls
Monitor system and associated controls on an ongoing basis
A form of attack that exploits human nature and human behavior.
Social engineering
A social engineering technique where the attacker attempts to convince the target that they are in a valid position of power within the organization, such as spoofing the CEO's email.
Authority
A social engineering technique where the attacker attempts to use authority, confidence, or even threat of harm to motivate the target to follow orders/instructions.
Intimidation
A social engineering technique where the attacker takes advantage of a person’s natural tendency to mimic what others are doing or are perceived as having done in the past - an example is an attacker claiming that an out-of-office worker promised a large discount on a purchase.
Consensus
A social engineering technique where the attacker attempts to convince the target that an object has a higher value based on limited opportunities to have it. For example, they could claim that only a few tickets are left for a game.
Scarcity
A social engineering technique where the attacker attempts to convince the target that they have a common contact or relationship with the target such as mutual friends, experiences, or another work contact.
Familiarity
A social engineering technique where the attacker works to develop a relationship with the victim that they can exploit.
Trust
A social engineering technique where the attacker tries to relay a need to act quickly (usually dovetails well with scarcity). For example, an attacker may ask for an invoice to be paid immediately or else an essential business service will be shut off.
Urgency
Social engineering attacks focused on stealing credentials or identity information from the target.
Phishing
A more targeted form of stealing credentials or identity information from the targets by using a stolen customer database or some other address book of potential victims.
Spearphishing
What is a good way to defend against spearphishing?
Establish a secondary out-of-band contact with the requester.
A form of phishing that targets high value individuals such as someone from the C-suite.
Whaling
What is Smishing?
Phishing over SMS text message
What is Vishing?
Phishing over voice communication systems
What are some risk factors for shoulder surfing?
Having your computer face outside
Working on sensitive data in a public space
Keeping worker groups together
What is it called when an attacker attempts to steal funds from an organization by providing a false bill for a service?
Invoice Scam
What is it called when lies are perpetuated throughout an organization about how to protect yourself from some imminent threat?
Hoax
Taking on the identity of someone else is known as?
Impersonation/Masquerading
When an attacker follows closely behind a worker WITHOUT THEIR KNOWLEDGE who uses valid credentials to gain entry to a locked space, this is known as?
Tailgating. Mitigations:
- vestibules
- security guards/cameras
- company policy
When an attacker follows closely behind a worker who uses valid credentials to gain entry to a locked space and asks them to hold the door, this is known as?
Piggybacking
Access control vestibules mitigate this.
How can you mitigate dumpster diving?
- shred information
- dispose of storage media securely
What is the difference between identity fraud and identity theft?
Theft is the act of stealing someone’s credentials and taking over their accounts.
Fraud is falsely claiming to be the individual after the information has been stolen.
When an attacker redirects traffic by taking advantage of the fact that someone may have incorrectly typed an IP address or URL.
Typo Squatting
When an attacker collects information about an individual and publicly releases the data for the purpose of changing public perception of the target, this is called __________?
Doxing
What is the type of cyber warfare that nation-states engage in when they employ a number of offensive cyber attacks in tandem?
Hybrid Warfare
What is the best way to limit exposure to risk from social media sites?
Block the sites or filter domain name system queries.
What is the difference between education and training?
Training is internally developed with specifics for the organization, whereas education is often externally coordinated and students learn much more than they actually need to know to perform work tasks. It might involve getting a certification.