S3-m2 Flashcards
COSO objectives
operations, reporting, compliance
Operational Objectives
Include performance measures and safeguards that can help increase the likelihood that an organization's IT assets are protected against cybersecurity threats and fraud
Reporting Objectives
Related to increasing the likelihood that cybersecurity controls are in place so that they do not affect internal and external financial and nonfinancial reporting. Focus on transparency, reliability, timeliness, and trustworthiness
Compliance Objective
Based on adherence to governmental laws and compliance regulations. Compliance with industry standards such as those issued by NIST
Control Environment
the tone at the top
-sets ethical values for an organization by creating a top-down approach
Risk Assessment
Performing risk assessments to evaluate internal and external factors. Applied to cyber threats by tailoring the organization's risk assessment procedures to analyze cyber risks, their likelihood of occurrence, and the magnitude of their impact
Control Activities
Policies and procedures put in place to help determine whether the tone at the top set by the control environment is being implemented at all levels of the organization
Information and Communication
Focuses on using consistent and relevant language, following best practices for sharing information, and communicating internally and externally with the right stakeholders
-BIA reports reviewed by management that outline the impact of interrupting key business functions
-Periodic emails addressing cybersecurity internal controls to the entire company
Monitoring Activities
Component that should be practiced on an ongoing basis to identify areas of risk and vulnerability and to determine effectiveness and efficiencies.
-penetration testing
-vulnerability scanning
-Periodic phishing reports
Uppermost level of security rules
Security policies, which serve as an overview of an organization's security needs and strategic plan for what should be implemented
Mid level of security rules
Set of standards that organizations use as a benchmark to accomplish the goals defined by the security policies
Bottom level of security rules
Standard operating procedures, which are typically detailed documents that specifically outline how to perform business processes
Acceptable Use Policy (AUP)
A control document created by an organization to regulate and protect technology resources by assigning varying levels of responsibility to job roles, listing acceptable behaviors by employees and vendors, and specifying consequences for those who violate the AUP
-Definition, scope, and purpose
-Acceptable use of personal devices for business activities
Bring your own device (BYOD)
Allows employees to use their personally owned devices for work-related activities. It may include some of the same elements as an AUP but will address monitoring and enforcement of actions on personal devices
What is a network?
A system of physical and virtual devices that are connected using wired cables or wireless technology and that communicate using a mix of different protocols so that users can send, receive, and store data.
What is a security standard?
Organizational requirements that are either mandated by law or adopted by companies as guidelines for best practices. The next level of security rules beneath policies; standards serve as a course of action to achieve security policies
Standard Operating Procedures (SOPs)
The lowest level of documentation; SOPs provide detailed instructions on how to perform specific security tasks or controls. They usually involve a combination of systems, software, and physical actions so that the goals of the security policy and standards are achieved
Access Point (AP)
Network Hardware
A wireless connection point that lets users connect directly to a wired network using wireless devices
Bridges
Network Hardware
Connect separate networks that use the same protocol, even if those networks have different topologies or transmission speeds. Operate at the data link layer
Computers
Network Hardware
User endpoint devices that are the primary means of user interaction with a network
Gateway
Network Hardware
Connects multiple networks that use different protocols, translating one protocol to another so that the two networks can interact. Can operate at all layers but generally operates at the application layer
Hub
Network Hardware
Connection points that link multiple systems and devices using the same protocol within a single network
Mobile Phones and Tablets
Network Hardware
Devices that provide another means of connecting to a network
Modems
Network Hardware
Devices that modulate between digital information and analog signals to support networks.
Proxies
Network Hardware
A form of a gateway that does not translate protocols but rather acts as a mediator that performs functions on behalf of another network using the same protocol instead of just connecting the networks
Routers
Network Hardware
Devices that control data flow on a network
Servers
Network Hardware
Devices that support computers and networks by performing different core functions, such as running apps on an application server and storing files on a file server
Signal Modifiers
Network Hardware
Devices such as amplifiers, concentrators, and repeaters that receive signals and modify them by increasing the signal strength or combining multiple signals
Switches
Network Hardware
Similar to hubs, but instead of broadcasting received signals to every other networked device, switches only route traffic to target destinations, connecting various devices within a network
Network Segmentation or Isolation
Security Method
The process of controlling network traffic so that it is either inaccessible or separated from outside communications or from other segments within an organization's own network
Firewall
Security Method
Physical devices, software, or both that filter and monitor incoming and outgoing network traffic to a public network in order to block malicious activity from attackers
Service Set Identifier (SSID)
Security Method
The name assigned to a wireless network is known as an SSID and is broadcast by a wireless access point within a certain range so that wireless-enabled devices can connect. One way to improve wireless network security is to make networks less visible by disabling SSID broadcasting so that the device stops acting as a beacon that transmits a signal to nearby devices
Virtual Private Network
Security Method
A virtual network built on top of existing physical networks that provides a means of secure communication using encryption protocols such as tunneling or Internet Protocol Security (IPsec)
Wi-Fi Protected Access (WPA)
Security Method
Security protocol that encrypts traffic between a wireless access point, such as a switch, and a mobile device. Does not encrypt traffic
Endpoint Security
Security Method
The notion that every device (also called a host) connected to a network should have some form of local security that is separate from any other security measure in place on the network or communications channel
System Hardening
Security Method
A multipronged, comprehensive security approach that reduces risk by minimizing the number of access points through which a company can be attacked. These access points are referred to as attack vectors and include all aspects of IT infrastructure, including applications, databases, operating systems, servers, and networking equipment
Media Access Control (MAC) Filtering
Security Method
A form of filtering in which an access point blocks access to unauthorized devices using a list of approved MAC addresses. A MAC address, also referred to as a physical or hardware address, is a unique identifier found on devices in a network that is used as an address for communicating with other devices
Tunneling
A process in which data, or packets, in one protocol are encapsulated in packets of a different protocol, which creates a tunnel of protection
IPsec
Uses cryptography to encrypt communications, provides access control, and authenticates using IP protocols. Similar to tunneling, but it can also be used to encrypt only certain pieces of data (the payload) rather than the entire IP packet
Database Hardening
Create different privilege levels so that there is a clear delineation between admin users and users who have tiered need-to-know access. Also, data at rest needs to be encrypted
Endpoint Hardening
Remove administrative rights for users on local devices so that endpoint users can only perform authorized functions. Restrict users from downloading certain files from the internet or email. Implement local firewalls and malware screening on all laptops.
Network Hardening
Revise the rules for the firewall so that it is configured to remove unused ports and block unnecessary protocols.
Server Hardening
Physically segregate servers in a secure facility, further separating backed up servers geographically. If one server or group is attacked, not all will be compromised.
Zero Trust
The concept of zero trust assumes that a company's network is always at risk, even after a user has been authenticated, and it shifts a company's cybersecurity focus away from one-time authentication to continuous validation at every point of a user's interaction with a network
Prevent data breaches and limit internal lateral movement
ZTA tenets outlined by NIST
-All devices and data sources are considered resources, even those not directly managed
-All communications must be secured regardless of network location
-Access to company resources is granted on a per-session basis
NIST assumptions to implement ZTA tenets
-An organization's private network is not considered an implicit trust zone
-Some devices on a company’s network might not be owned or configurable by the company
-No resource is inherently trusted
-Remote users should not trust local network connections
Least Privilege
The notion that users and systems are granted the minimum authorization and system resources needed to perform a function. IT admins should put safeguards in place so that privileges do not become excessive or allow privilege creep, in which access to systems gradually increases over time as a person's job role evolves
Whitelisting
The process of identifying a list of applications that are authorized to run on an organization's systems and allowing only those programs to be executed
Context-aware Authentication
Used to identify mobile device users by using contextual data points such as time, the geographic location of the user, or IP address
Digital signature
An electronic stamp of authentication that is usually encrypted and attached to a message for proof of identity
Password weaknesses
-People often use easy or reused passwords, or share passwords
-Short passwords can be easily guessed
-Passwords saved by companies in databases on the web are frequently breached
Hashing
The process of converting passwords into illegible text using hash algorithms such as Secure Hash Algorithms (SHAs); the hashes are then stored in databases
-One-way, meaning they are not intended to be reversed
Provisioning
The process in identity management in which an organization creates a user's account and provisions it with privileges based on their job role.
Vulnerability Management
A proactive security practice designed to prevent the exploitation of IT vulnerabilities that could potentially harm a system or organization. Involves identifying, classifying, mitigating, and fixing known vulnerabilities within a system
Identify
Apply NIST Cybersecurity Framework - Vulnerability Tools
Use the CSF to identify resource vulnerabilities that are present in systems, data, assets, and employees. Apply the framework to understand the business environment in which those assets operate, and understand the policies established regarding those resources to define how governance is executed.
Protect
Apply NIST Cybersecurity Framework - Vulnerability Tools
Apply the framework to create safeguards against vulnerabilities by establishing measures to manage identity and access controls, keep assets secure, and inform employees of threats
Detect
Apply NIST Cybersecurity Framework - Vulnerability Tools
Use the framework to define relevant activities that can identify vulnerabilities quickly.
-Performing continuous monitoring
-Searching for anomalies
Respond
Apply NIST Cybersecurity Framework - Vulnerability Tools
Use the CSF to put activities in place that will react to discovered vulnerabilities: analysis of the issue so that the appropriate response is delivered, and execution of mitigating activities to prevent the vulnerability from affecting other parts of the org
Recover
Apply NIST Cybersecurity Framework - Vulnerability Tools
Used to help an org transition from its current state, in which the vulnerability exists, to a state where the vulnerability is mitigated.
-Implement a recovery plan
-Improvements
Vulnerability Scanners
Applications that test a company's systems for known security risks. Work by checking results against a database of known threats: scanning for open network ports that can be exploited, analyzing data packets transmitted across systems, and identifying protocols
-Can also be used against organizations
Vulnerability Assessments
Typically done as part of the initial risk analysis and then subsequently performed quarterly or annually after that.
Common Vulnerabilities and Exposures Dictionary (CVE)
A database of security vulnerabilities that provides unique identifiers for different vulnerabilities and risk exposures
Patch Management
As bugs are discovered, vendors release updates called patches so that customers can correct those vulnerabilities. An important part of minimizing security threats
-Patch management is normally subject to inspection by service auditors during a SOC 2
What is the purpose of layered security?
To protect an org by using a diversified set of security tactics so that a single CS attack or security vulnerability does not compromise an entire system
What is the layered approach?
Typically combines physical access controls, logical and technical controls, and administrative controls to provide control redundancy
Defense in Depth
Layered Security Solution
Focuses on a multilayered security approach that does not rely on technology alone, but rather combines people, policies, technology, and both physical and logical access controls
Redundancy and Diversification
Layered Security Solution
Helps counter attacks that target different weaknesses an organization might have. Duplication is a form of redundancy that can be administered through layering processes, isolating processes, concealing data, and segmenting hardware
Safeguarding Practices
Preventive Control
Strong preventive software and hardware controls should be coupled with well-designed policies and procedures, such as requiring strong passwords, using multifactor authentication, and performing background checks
Education and Training
Preventive Control
Informing employees about cybersecurity risks and the corporate tools in place to mitigate those risks serves as a preventive control
Regular Security Updates
Preventive Control
Broad and comprehensive security enhancements should occur regularly in order for an organization's physical and logical security measures to be protected against the latest CS threats
Encryption
Preventive Control
Encrypting data both at rest and in transit involves converting the data into an illegible format based on industry standards so that if the data is compromised or stolen, the hackers will not be able to decipher and use the data
Firewalls
Preventive Control
Monitor and filter traffic based on a set of predefined rules
Patches
Preventive Control
An update or modification to an existing program that is typically released by the application's creator
Physical Barriers
Preventive Control
Tangible barriers, or physical obstructions, are controls that are designed to both deter and prevent unauthorized physical access to an organization's IT infrastructure
-Security guards
-Fences
Device and Software Hardening
Preventive Control
Hardening refers to implementing security tools so that the totality of vulnerable points or the surfaces that can be attacked are reduced
Intrusion Prevention System (IPS)
Preventive Control
A network security solution that is intended to detect and stop a cyberattack before it reaches the targeted systems. Done by receiving a direct feed of traffic so that all data coming into a network passes through the IPS
Access Controls
Security measures put in place to allow access only to authorized employees
Discretionary Access Control (DAC)
A decentralized control that allows data owners, custodians, or creators to manage access to the data or objects they own or created
-Control the passing of info to other users
-Grant or change security attributes of users
Mandatory Access Controls
Nondiscretionary controls that allow admins to centrally manage and enforce rules consistently across an environment. Access is not based on identity but on a general set of rules that govern the entire system.
Role Based Access Control
Manages access to areas, devices, or databases according to a predetermined set of rules or access permissions independent of the user's role or position within the organization
-Access rules are created
-Rules are integrated
-Control mechanisms check the user's credentials
Policy Based Access Control (PBAC)
Uses a combination of user roles and policies consisting of rules to maintain and evaluate user access dynamically. More like a framework
Risk-based Access Controls
Apply controls based on the risk level of the asset being accessed, the identity of the user, the intentions of accessing the asset, and the security risks that exist between the user and the system or asset being accessed
Detective Controls
Designed to detect a threat event while it is occurring and to provide assistance during investigations and audits after the event has occurred
Network Intrusion Detection System (NIDS)
Detective Controls
A security solution that monitors incoming traffic on all devices on a network by matching specific elements of that traffic to a library of known attacks and sending system alerts
Antivirus Software Monitoring
Detective Controls
Works by scanning files in real time and comparing them to a library of known viruses. Scheduled scans of systems should occur automatically
Network Monitoring
Detective Controls
There are various tools available to monitor a network, such as packet sniffers, which analyze data packets; NPM tools, which measure stats; or Simple Network Management Protocol (SNMP)
Log Analysis
Detective Controls
Involves the recording and monitoring of data to analyze it so that anomalies, trends, or patterns can be detected that may indicate that unauthorized events have occurred
Intrusion Detection System (IDS)
Detective Controls
A security solution that scans the environment to monitor and analyze network or system events for the purpose of finding and providing real-time or near-real-time warnings of attempts to access system resources in an unauthorized manner
-A service auditor may inspect this within the scope of a SOC 2
Corrective Controls
Intended to fix known vulnerabilities as a result of a recent security incident
Reconfigurations
Corrective Controls
Modifying an app or system configuration to rectify known vulnerabilities can restore affected operations and prevent further damage
-Firewall rules, retooling
Upgrades and Patches
Corrective Controls
Security patches and software or app upgrades may be implemented to accomplish objectives such as enhancing system performance or adding new features
Revised Policies and Procedures
Corrective Controls
Periodically reviewing and revising organizational practices can eliminate some security issues without requiring the purchase of new tech or the modification of existing systems
Updated Employee Training
Corrective Controls
Gaps in employee knowledge about the risk of certain cyberattacks and other forms of IT exploitation can be reduced or even eliminated by training employees to recognize the hallmarks of common fraud schemes
Recovery and Continuity Plans
Corrective Controls
Orgs should have a robust plan in place that quickly allows them to recover from a disaster or attack and continue operating so that the period in which normal business operations are interrupted is minimized
Antivirus Software Removal of Malicious Viruses
Corrective Controls
Most modern antivirus programs are designed to not only identify actual or potential viruses but also to expunge those viruses so that they are no longer a threat
Virus Quarantining
Corrective Controls
Isolating actual or suspected viruses removes the threat from the rest of a company’s network and is usually accomplished in an automated manner via antivirus software or manually after being flagged
Batch Processing
Procedures include the collection and grouping of input documents/transactions by type of transaction
Digital Certificates
A form of data security. They behave online in the same way that driver's licenses, passports, and other trusted documents behave.
A filesystem ACL…
can deny privileges in an operating system by restricting access to certain files, folders, and directories. A list of rules that outlines which users have permission to access certain resources.