Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Information Technology > Risk Management Lecture 3 > Flashcards

Risk Management Lecture 3 Flashcards

1
Q

What are the 3 main objectives of information security?

A

Confidentiality
Integrity
Availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How are the 3 Objectives in information Security Balanced?

Confidentiality - Integrity - Availablity

A

Depending on scenario, these 3 objectives are not balanced evenly.
For example, if enforcing 100% confidentiality put a stress on doing business negatively.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

In Regards to confidentiality, what does this entail?

A

Confidentiality measures protect information from unauthorized access and misuse.
Examples:
Encryption of data (stored and sent)
Data loss prevention
User Awareness
Non-disclosure policies
Logical Access Controls ie. No point for low lvl employees to have access to absolutely all company data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

In Regards to Integrity, what does this entail?

A

Integrity measures protect information from unauthorized alteration.
Examples
- Hashing and digital signing
- Configuration and change management
- Access Controls
Eg limiting access to certain users as read-only to ensure they cannot modify the data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

In Regards to Availability, what does this entail?

A 
In order for an information system to be useful it must be available to authorized users.  Availability measures protect timely and uninterrupted access to the system. 
Example:
	- Architecture/system design with redundancy built-in
		○ RAID
		○ Clustering
		○ Load Balancing
		○ Fail-over design
		○ Data backups
		○ Dual power supplies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the 3 categories of Control functionalities in information Security?

A
  1. Preventive Control
    a. Stop incidents from occuring
    i. Eg Only Granting Read access to data entry employees
    1. Detective Control
      a. Identify incidents starting/during
      i. Eg. User copying lots of information off the database off site
    2. Corrective Control
      a. Fix issues after incidents
      Eg. Restoring a previous backup after hardrive failure
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

In information security, what is a Control that emphasizes stopping incidents from occurring?

A

Preventive Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

In information security, what is a Control that enphasizes detecting incidents starting/during issues?

A

Detective Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

In information security, what is a Control that emphasizes fixing issues after incidents?

A

Corrective Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are the core Principles for managing InfoSec?

A
  1. Defense in depth
    a. Do not rely on single defense mechanism, its better to have numerous ones.
  2. Segregation of duties
    a. Avoid stacking tasks on individuals for risk reduction purposes
    i. Eg. Putting a manager in charge of auditing their own expenditures
  3. Minimum Privilege
    a. Restrict physical Access to resources
    b. Restrict Logical assess to computers/networks
    c. Base control decisions on least privilege
    i. Individuals should only be granted minimum access to resources that they require to complete their job
  4. Need To Know
    a. Information only provided when necessarily for business functions
    i. Eg. No point for a janitor to know what the computers do in the rooms they’re cleaning
  5. Avoid “Security by Obscurity”
    Having a key pad entry into a room with a post it note nearby with the code is probably not a good security mechanism
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Of The Core Principles for managing infosec what does Defense in depth mean?

A

The Principle of Defense in depth is to not rely on a single point of defense, always have numerous lines of defense.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Of The Core Principles for managing infosec what does Segregation of duties mean?

A

Avoid stacking duties/tasks on individuals/small departments to reduce risk.
An example of risk would be putting a manager in charge of auditing their own expenditures.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Of The Core Principles for managing infosec what does Minimum Privleges mean?

A

Individuals should only be granted minimum access to resources that they require to complete their job
Also
a. Restrict physical Access to resources
b. Restrict Logical assess to computers/networks
c. Base control decisions on least privilege

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Of The Core Principles for managing infosec what does Need to know mean?

A

a. Information only provided when necessarily for business functions
Eg. No point for a janitor to know what the computers do in the rooms they’re cleaning

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Of The Core Principles for managing infosec what does “Avoid Security by obscurity” Mean?

A

Trying to hide bad security does not make for good security.

Hiding a key to your front door under a floor mat at your front door for example.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What Roles are there in regards to Data Management?

A

Data Owners
Data Custodians
System Owners
System Custodians

17
Q 
What are the responsiblities of:
Data Owners
Data Custodians
System Owners
System Custodians
A

Data Owner
- Usually a business function
- Owner has responsilbity and accountablitiy associated with the data set
- Responsible for Data classification
- Possible issues organizations risk within an organization
○ Data owners having very little knowledge of their roles/responsilbities typically leading to data classifications never truly defined
○ Mission-critcual data not defined properly leading to poor security
○ Possible regulatory issues when it comes to how long a piece of data is kept

Data Custodians

- Responsible for maintaining and protecting data on a day-to-day basis
- Usually fulfilled by internal IT, but some portions of it possibly by an external entity(Amazon AWS/Azure/Google Cloud)
- Ensuring C-I-A of the data is protected and maintained

System Owner/System Custodian
- Simliar to above
Eg. Oracle Database is maintained by IT(Custodian) but HR has final say in regards to access to data as the “owner”

18
Q

Name a few Well-known Web Application Risks

A

1) Broken Access Control
2) Cryptogrpahic failures
3) Injection
4) Insecure design
5) Security misconfiguration
6) Vulnerable and outdated components
7) Id and auth failures
8) Software nd data integrity failures
9) Security logging and monitor failures
10) Server-side request forgery

19
Q

What is the point of the Common Vulnerability Scoring System(CVSS)?

A

CVSS is an industry standard for rating risk involved in technical vulnerabilties.
Version 3.1 is the current standard with numbers randing between 0 - 10

20
Q

What is the Advantage of Microsofts “patch tuesday” method of pushing patches.

A

Since organizations can plan for it, they can be prepared in advance for upcoming patches.

21
Q

Why do some organizations dislike Redhats method of pushing out patches sporatically without warning?

A

Depending on the severity of issues presented in the patch, this forces the companies to scramble and push out patches for issues with very little lead time.

22
Q

In regards to security Patching, why might a business not implement a patch in a timely manner?

A
  1. But many common challenges get in the way of a business in acting immediately
    a. Sometimes the vulnerablity relies on software/hardware developers to develop the security patches
    i. Sometimes the vulnerablity was revealed before a patch was created, thus becoming a Zero day vulnerablity
    ii. Sometimes those very necessary security patches do not come out in a timely manner
    iii. Implementing patches can be disruptive and costly
23
Q

What is the most effective way of addressing vulnerabilities?

A

Implementing security patches in a timely manner is the most effective way of addressing vulnerablities

24
Q

What are 2 ways of dealing with Technical Vulnerabilties?

A

Proactive Approach

Reactive Approach

25
Q

In regards to dealing with technical vulnerabilties, what does it mean to have a proactive approach?

A

To be proactive, means to keep track of vender releases, and critical vulnerabiltiies that are made public, and start the patch procedure immediately upon discouvery.

26
Q

In regards to dealing with technical vulnerabilties, what does it mean to have a Reactive Approach?

A

a. Conduct vulnerablity scans on IT systems/applications regularly(montly/quarterly/etc)
b. Address findings with a risk-based approach
If high CVSS rating for instance

27
Q

In regards to technical Vulnerabilties,
Lets say you were running a bunch of systems with Windows XP a long since unsupported OS from Microsoft.
Lets say a huge vulnerability was discovered.
What action could you take with these machines if they were mission critical.

A

Since you cannot get rid of the systems, you could try a compensating control, for these systems, you could set them up in their own Vlan making them inaccessible from other networks.

Information Technology (4 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions