Question / Answers Flashcards
Name and explain the three evaluation criteria for risk assessment according to BSI Standard 100-3.
- Completeness: Do the standard security measures provide protection for all aspects of each threat? (Example: Was the back door to the building and on the emergency exits also considered?)
- Mechanism strength: Do the protection mechanisms recommended in the standard security measures counteract each threat adequately? (Example: Are the specifications for the minimum key length adequate?)
- Reliability: How difficult is it to circumvent the planned security mechanisms? (Example: How easy is it for users to gain entry to the server room and therefore circumvent the file access control?)
Name the three steps of the post-processing phase in the incident response process and provide an example for each.
Lessons learned:
The lessons learned meeting is used for improving and learning. In the meeting, the team reviews the event and identifies improvements.
Example Task: Hold a post-mortem meeting with the incident response team. Discuss what went well, what could be improved, and document actionable recommendations. For instance, if the incident revealed gaps in communication during critical moments, the lessons learned might emphasize the need for better coordination and timely updates.
Documentation:
Documentation is key for a proper incident response process. It is particularly helpful if similar events are happening.
Example:
Continuous Improvement:
Explanation: Implement changes based on lessons learned to enhance overall incident response capabilities.
Example Task: Update incident response playbooks, refine procedures, and provide additional training to team members. Continuously monitor and adapt the incident response process to stay resilient against evolving threats
Explain the difference between a risk and a threat and how they relate. Provide an example of a threat resulting in risk for an organization and an example of a threat without risk for an organization.
Risk: level of impact a threat
can have on an organization, combined with the likelihood of that threat occurring.
Threat: A threat refers to a potential event or action that can exploit a vulnerability in a system or organization, resulting in harm.
How are Threat and risk related?:
a threat does not equal a risk. Not all threats to an organization
are also risks, but all risks contain a threat. A threat that stands on its own, independent
from an organization, would not cause an issue.
Example of a Threat Resulting in Risk for an Organization:
Consider an organization that stores sensitive customer data on its servers. A cybercriminal gains unauthorized access to the organization’s network (the threat) by exploiting a vulnerability in its outdated software. As a result, the cybercriminal steals the customer data and sells it on the dark web. In this scenario, the threat (cyberattack) has resulted in risk for the organization, including potential financial losses due to legal liabilities, reputational damage, and loss of customer trust.
Example of a Threat without Risk for an Organization:
Now, imagine the same organization has robust cybersecurity measures in place, including regular software updates, firewalls, intrusion detection systems, and employee training on cybersecurity best practices. Despite receiving numerous attempted cyberattacks (threats), none of them are successful in breaching the organization’s defenses. In this case, although threats exist, the organization’s effective security measures mitigate the risks associated with these threats, resulting in no actual harm or damage to the organization. Thus, the threats exist but do not pose a significant risk due to the organization’s proactive risk management strategies.
List six steps of the risk management process according to NIST SP 800-37, and provide and explain an example task for each step.
Prepare: Develop a risk management plan outlining the scope, objectives, roles and responsibilities, and methodology for the risk management process. This plan should include a communication strategy to ensure that all stakeholders are informed and involved throughout the process.
Categorize: Conduct a criticality analysis to categorize information systems and assets based on their impact on the organization’s mission and objectives. This analysis may consider factors such as data sensitivity, system functionality, and the potential consequences of loss or compromise.
Select: Referencing the organization’s risk management framework, select security controls from relevant standards and guidelines (such as NIST SP 800-53) that are appropriate for mitigating identified risks within the organization’s information systems and assets.
Implement: Develop and implement security policies, procedures, and technical measures to deploy the selected security controls within the organization’s information systems. This may involve configuring firewalls, implementing encryption mechanisms, and enforcing access controls.
Assess: Conduct security control assessments, such as vulnerability scans, penetration tests, and security audits, to evaluate the effectiveness of the implemented controls in reducing identified risks to an acceptable level.
Authorize: Review the assessment findings and determine whether the residual risks associated with the information systems are acceptable within the organization’s risk tolerance. Based on this analysis, authorize the information systems to operate or implement additional measures to further mitigate identified risks.
Monitor: Establish a continuous monitoring program to regularly assess the effectiveness of security controls, detect and respond to security incidents, and update risk assessments based on changes in the organization’s environment or threat landscape. This may involve real-time monitoring of security alerts, periodic security assessments, and ongoing risk analysis.
Name and explain the three levels of risk management according to NIST
Organization Level: At the organization level, risk management involves establishing an overall risk management strategy and governance structure that aligns with the organization’s mission, objectives, and risk tolerance. This level focuses on strategic decision-making and setting policies and procedures to manage risks across the entire organization. It includes establishing roles and responsibilities, defining risk management processes, and allocating resources for risk management activities.
Mission/Business Process Level: The mission/business process level involves identifying and managing risks specific to individual mission or business processes within the organization. At this level, organizations assess the impact of risks on critical processes and prioritize risk mitigation efforts accordingly. This level of risk management is more focused and tailored to the unique requirements of each mission or business process, considering factors such as operational requirements, dependencies, and criticality.
Information System Level: At the information system level, risk management is applied to individual information systems and the data they process, store, and transmit. This level involves identifying system-specific risks, selecting and implementing security controls to mitigate those risks, and assessing the effectiveness of those controls. It includes activities such as system categorization, security control selection and implementation, security control assessments, and authorization to operate (ATO) decisions.
A company has identified a design flaw in its web application, the rectification of which would cost 10,000 euros. The application processes intellectual property of customers, and the design flaw could potentially expose this data. Explain when and why the company must mitigate the risk.
The company must mitigate the risk posed by the design flaw in its web application as soon as possible. There are several reasons why mitigation is necessary:
Protection of Intellectual Property: The web application processes intellectual property of customers, which is likely sensitive and valuable information. Any exposure of this data due to the design flaw could lead to significant harm, including theft, unauthorized access, or disclosure to competitors. Mitigating the risk helps protect the company’s intellectual property and preserves its competitive advantage.
Legal and Regulatory Compliance: Depending on the nature of the intellectual property processed by the web application and the jurisdiction in which the company operates, there may be legal and regulatory requirements governing the protection of customer data. Failure to address the design flaw could result in non-compliance with these regulations, leading to potential fines, legal actions, or reputational damage.
Customer Trust and Reputation: Customers expect companies to safeguard their sensitive information and privacy. If the design flaw leads to a data breach or unauthorized access to intellectual property, it could erode customer trust and damage the company’s reputation. Mitigating the risk demonstrates a commitment to security and customer protection, helping to maintain trust and loyalty.
Financial Impact: While the cost of rectifying the design flaw may seem significant (e.g., 10,000 euros in this case), the potential financial impact of a data breach or loss of intellectual property could be far greater. Data breaches can result in direct financial losses due to legal costs, regulatory fines, and compensation to affected customers, as well as indirect costs such as damage to brand reputation and loss of business opportunities. Investing in risk mitigation upfront can help prevent or minimize these potential financial impacts.
Name and explain the various sources of threats and provide two examples for each.
Human Threats:
Insider Threats: These threats arise from individuals within the organization who misuse their access privileges or intentionally cause harm.
Example 1: An employee with access to sensitive customer data steals the information for personal gain or to sell it to competitors.
Example 2: A disgruntled former employee launches a cyberattack against the company’s network, aiming to disrupt operations or cause damage.
Social Engineering: Social engineering involves manipulating individuals into divulging confidential information or performing actions that compromise security.
Example 1: A hacker poses as a trusted IT support technician and convinces an employee to share their login credentials, allowing unauthorized access to the company’s systems.
Example 2: A phishing email impersonates a legitimate organization (e.g., a bank or a government agency) and tricks recipients into clicking on malicious links or providing personal information.
Technical Threats:
Malware: Malware refers to malicious software designed to disrupt, damage, or gain unauthorized access to computer systems.
Example 1: A ransomware attack infects the company’s computers, encrypting files and demanding payment for their release.
Example 2: A keylogger silently captures keystrokes on a user’s device, including passwords and other sensitive information, which are then sent to the attacker.
Vulnerabilities: Vulnerabilities are weaknesses in software, hardware, or network configurations that can be exploited by attackers to compromise systems.
Example 1: An unpatched software vulnerability in the company’s web server allows attackers to execute arbitrary code and gain unauthorized access to the server.
Example 2: A misconfigured firewall permits unauthorized inbound traffic to the company’s internal network, exposing sensitive data to external threats.
Environmental Threats:
Natural Disasters: Natural events such as floods, earthquakes, fires, or storms can disrupt business operations and cause damage to infrastructure.
Example 1: A severe flood damages the company’s data center, resulting in data loss and extended downtime for critical systems.
Example 2: A wildfire threatens the company’s headquarters, forcing evacuation and disrupting operations until the area is deemed safe for return.
Power Outages: Power outages or electrical failures can disrupt access to critical systems and lead to data loss or corruption.
Example 1: A widespread power outage in the region causes the company’s servers to shut down unexpectedly, leading to temporary loss of services and potential data corruption.
Example 2: A sudden power surge damages the company’s network infrastructure, rendering it inoperable until repairs can be completed.
In a web application, a security vulnerability has been found. This vulnerability can be exploited to access internal server data. The security vulnerability can only be exploited if a user is logged in. List nine possible mitigation measures and classify the mitigation strategy of each measure.
Implement Multi-factor Authentication (MFA):
Classification: Preventive
Explanation: Require users to provide multiple forms of authentication (such as a password and a one-time code sent to their phone) before accessing the application. This adds an extra layer of security, making it more difficult for unauthorized users to exploit the vulnerability even if they manage to gain login credentials.
Enforce Strong Password Policies:
Classification: Preventive
Explanation: Require users to create strong passwords with a combination of alphanumeric characters, special symbols, and minimum length requirements. This helps prevent unauthorized access via brute-force attacks or password guessing.
Implement Session Management Controls:
Classification: Detective
Explanation: Set session timeouts to automatically log users out after a period of inactivity. Additionally, implement mechanisms to detect and terminate suspicious or inactive sessions to reduce the window of opportunity for attackers to exploit the vulnerability.
Regular Security Patching and Updates:
Classification: Corrective
Explanation: Regularly apply security patches and updates to the web application and underlying server software to fix known vulnerabilities and weaknesses. This helps address the root cause of the vulnerability and reduces the likelihood of exploitation.
Implement Role-based Access Controls (RBAC):
Classification: Preventive
Explanation: Restrict access to sensitive data and functionalities based on users’ roles and permissions. Only users with specific roles or privileges should be allowed to access internal server data, reducing the attack surface and limiting the impact of potential exploits.
Use Web Application Firewalls (WAF):
Classification: Preventive
Explanation: Deploy a WAF to monitor and filter HTTP traffic between the web application and the internet. WAFs can help detect and block suspicious requests or malicious payloads that attempt to exploit the vulnerability.
Implement Input Validation and Sanitization:
Classification: Preventive
Explanation: Validate and sanitize user inputs to prevent injection attacks, such as SQL injection or cross-site scripting (XSS). By validating and sanitizing input data, the application can prevent attackers from injecting malicious code to exploit the vulnerability.
Encrypt Sensitive Data at Rest and in Transit:
Classification: Preventive
Explanation: Encrypt sensitive data stored on the server and ensure that data transmitted between the client and server is encrypted using secure protocols (e.g., HTTPS). Encryption helps protect data confidentiality and integrity, even if attackers manage to access it.
Implement Intrusion Detection and Monitoring:
Classification: Detective
Explanation: Deploy intrusion detection systems (IDS) or intrusion prevention systems (IPS) to monitor network traffic and detect suspicious activities or attempts to exploit the vulnerability. Monitoring and alerting mechanisms can help identify and respond to potential threats in real-time.
Name three differences and three similarities between STRIDE and LINDDUN.
Focus on Threat Categories:
- STRIDE: STRIDE focuses on categorizing threats based on six different threat types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It identifies threats based on the attacker’s actions or objectives.
- LINDDUN: LINDDUN, on the other hand, categorizes threats based on six architectural properties: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of Information, and Unawareness. LINDDUN focuses more on architectural vulnerabilities and how they can be ex-ploited.
- Application Stage:
* STRIDE: STRIDE is typically applied during the design and develop-ment stages of software engineering. It helps in identifying potential threats early in the software development lifecycle to design appropri-ate security controls.
* LINDDUN: LINDDUN is often applied during the architectural design phase of software development. It focuses on identifying architectural vulnerabilities and making design decisions to mitigate these vulnera-bilities. - Origin and Usage:
* STRIDE: STRIDE was originally developed by Microsoft as a threat modeling framework for designing secure software systems. It is widely used in the software industry, especially in environments where Mi-crosoft technologies are prevalent.
* LINDDUN: LINDDUN was developed by Cigital (now Synopsys) as a lightweight threat modeling approach specifically for agile and DevOps environments. It is designed to be simpler and more accessible than traditional threat modeling frameworks like STRIDE.
.
Similarities:
1. Structured Approach:
* Both STRIDE and LINDDUN provide structured methodologies for iden-tifying and categorizing threats to software systems. They offer a sys-tematic approach to analyzing potential vulnerabilities and risks.
2. Six Categories:
* Both frameworks use a categorization scheme based on six elements. While STRIDE focuses on threat types (Spoofing, Tampering, Repudia-tion, Information Disclosure, Denial of Service, and Elevation of Privi-lege), LINDDUN focuses on architectural properties (Linkability, Identi-fiability, Non-repudiation, Detectability, Disclosure of Information, and Unawareness).
3. Integration with Development Lifecycle:
* Both frameworks emphasize integrating threat modeling into the soft-ware development lifecycle. They promote the idea of considering se-curity concerns early in the design and development stages to build more secure software systems.
Name and explain three LINDDUN threats.
Linkability:
Threat: Linkability refers to the ability to link different pieces of information together, which can lead to unintended correlations or associations between data elements. Attackers may exploit linkability to aggregate and analyze data to reveal sensitive information or patterns.
Explanation: For example, in a healthcare system, if patient records are not properly anonymized or if identifiers such as social security numbers or medical record numbers are exposed, an attacker could correlate patient data across different databases or systems. This could lead to breaches of privacy or unauthorized access to sensitive medical information.
Identifiability:
Threat: Identifiability refers to the ability to uniquely identify individuals or entities based on available information. When sensitive information is exposed or improperly handled, it may be possible for attackers to identify specific individuals or entities.
Explanation: For instance, in an online platform where users are required to register with personal information such as email addresses or usernames, if this information is leaked or improperly protected, attackers could use it to identify and target specific users. This could lead to various risks such as identity theft, harassment, or unauthorized access to accounts.
Non-repudiation:
Threat: Non-repudiation refers to the inability of a party to deny the authenticity or origin of a message or action. If non-repudiation is not ensured, it becomes possible for malicious actors to deny their involvement in certain actions or transactions.
Explanation: For example, in an e-commerce application, if proper mechanisms for non-repudiation are not in place, a user could make a purchase and then deny having placed the order. Without sufficient evidence to prove otherwise, such as transaction logs or digital signatures, the user’s claim of non-involvement could be difficult to refute, leading to potential disputes or loss of revenue for the organization.
Name three risk management strategies and provide an example for each.
Risk Avoidance:
Definition: Risk avoidance involves taking actions to eliminate or avoid activities, processes, or exposures that pose a significant risk to the organization.
Example: An organization decides not to engage in a particular business venture that carries a high risk of financial loss or reputational damage. For instance, a company may choose not to enter a volatile market with uncertain demand and potential regulatory hurdles, thereby avoiding the associated risks.
Risk Mitigation:
Definition: Risk mitigation focuses on reducing the impact or likelihood of identified risks through proactive measures or controls.
Example: A software development company implements regular security patches and updates to its applications and infrastructure to mitigate the risk of cyberattacks and data breaches. By promptly addressing known vulnerabilities and weaknesses, the organization reduces the likelihood of successful exploitation by malicious actors.
Risk Transfer:
Definition: Risk transfer involves transferring the financial consequences of a risk to another party, such as an insurance company or a contractual partner.
Example: A construction firm purchases liability insurance to transfer the financial risk associated with workplace accidents or property damage to the insurance provider. In the event of an incident, the insurance company covers the costs of legal claims, medical expenses, or property repairs, thereby reducing the financial impact on the construction firm.
Name and explain the different sources of threats and provide two examples for each.
see question 7
Name and explain the four types of measures in resilience engineering, and provide two examples for each type of measure.
Anticipation:
Definition: Anticipation measures involve proactively identifying and preparing for potential disruptions or challenges before they occur. These measures aim to anticipate possible scenarios and develop strategies to mitigate their impact.
Examples:
Conducting regular risk assessments and scenario planning exercises to identify potential threats and vulnerabilities. For example, a manufacturing company might simulate a supply chain disruption scenario to assess its resilience and develop contingency plans.
Implementing early warning systems and monitoring tools to detect emerging risks or trends. For instance, an IT department might deploy intrusion detection systems and security monitoring software to identify and respond to cyber threats before they escalate.
Monitoring:
Definition: Monitoring measures involve continuously monitoring organizational processes, systems, and environments to detect deviations from normal operations or signs of impending disruptions.
Examples:
Implementing real-time performance monitoring systems to track key indicators and metrics related to operational efficiency, safety, and security. For example, an airline might use cockpit instruments and sensors to monitor aircraft performance during flight.
Establishing regular review processes and audits to assess the effectiveness of organizational controls and procedures. This might involve conducting periodic safety inspections or security assessments to identify and address potential weaknesses before they result in incidents.
Response:
Definition: Response measures involve implementing plans and procedures to effectively respond to disruptions or incidents as they occur. These measures focus on mobilizing resources, coordinating actions, and mitigating the impact of disruptions.
Examples:
Developing incident response plans and protocols to guide actions during emergencies or crises. For instance, a hospital might have a detailed response plan for managing patient surges during a mass casualty event.
Conducting regular training and drills to ensure that personnel are prepared to respond effectively to different types of emergencies. This could involve simulating fire drills, active shooter scenarios, or cyberattack simulations to practice response procedures and coordination.
Learning:
Definition: Learning measures involve capturing lessons learned from past experiences and using them to improve organizational resilience over time. These measures focus on fostering a culture of continuous learning, adaptation, and improvement.
Examples:
Conducting post-incident reviews and debriefings to analyze root causes, identify opportunities for improvement, and implement corrective actions. For example, an IT team might conduct a post-mortem analysis after a major system outage to identify the underlying causes and prevent similar incidents in the future.
Encouraging open communication, feedback, and knowledge sharing among employees to promote a learning culture. This could involve establishing forums, workshops, or communities of practice where employees can share insights, best practices, and lessons learned from their experiences.
Name four fundamental tasks that a Security Champion can take on.
Security Awareness and Training:
A Security Champion can help facilitate security awareness training sessions for employees to educate them about common security threats, best practices for safeguarding sensitive information, and the organization’s security policies and procedures. They can also create and distribute security awareness materials, such as posters, email reminders, or online resources, to reinforce key security messages.
Policy Advocacy and Compliance:
Security Champions can advocate for the adoption and enforcement of security policies and standards within their respective teams or departments. They serve as ambassadors for security initiatives, ensuring that employees understand the importance of adhering to security policies and procedures. They can also assist in identifying areas where security policies may need to be updated or strengthened to address emerging threats or compliance requirements.
Risk Assessment and Mitigation:
Security Champions can help assess and mitigate security risks within their areas of responsibility. They can collaborate with the organization’s security team to identify potential vulnerabilities, conduct risk assessments, and implement appropriate security controls or measures to mitigate identified risks. This may involve reviewing system configurations, conducting security assessments, and recommending security improvements or remediation actions.
Incident Response and Reporting:
In the event of a security incident or breach, Security Champions can serve as first responders to help contain the incident, gather relevant information, and escalate the issue to the appropriate authorities or incident response team. They can also assist in documenting and reporting security incidents, including their root causes, impact, and remediation steps, to ensure that lessons are learned and improvements are made to prevent future incidents.
Name the three steps of crisis management and provide an example for each.
Prevention and Preparation:
Definition: This step involves identifying potential crisis scenarios, assessing risks, and implementing preventive measures and preparedness plans to minimize the likelihood and impact of crises.
Example: A manufacturing company conducts regular safety audits and implements robust safety protocols and training programs to prevent workplace accidents. By proactively identifying and addressing potential safety hazards, the company reduces the risk of accidents and associated injuries or disruptions to production.
Response and Mitigation:
Definition: In this step, the organization responds to the crisis as it unfolds, mobilizing resources, implementing crisis management plans, and taking immediate actions to mitigate the impact of the crisis on the organization and its stakeholders.
Example: In the event of a cybersecurity breach, an organization activates its incident response team to investigate the incident, contain the breach, and restore affected systems and data. The team collaborates with internal and external stakeholders, such as IT professionals, legal counsel, and law enforcement, to assess the extent of the breach and mitigate further damage to the organization’s reputation and customer trust.
Recovery and Learning:
Definition: After the crisis has been contained, this step focuses on restoring normal operations, addressing the aftermath of the crisis, and learning from the experience to strengthen the organization’s resilience and preparedness for future crises.
Example: Following a natural disaster, a retail store damaged by flooding takes immediate steps to clean up the premises, repair damaged infrastructure, and resume business operations as quickly as possible. The organization also conducts a post-incident review to evaluate its response efforts, identify areas for improvement, and update its crisis management plans and procedures based on lessons learned from the experience.