S3-m4/5 Flashcards
Privacy
Protects the rights of an individual and gives the individual control over what information they are willing to share with others
-dictates the types of authorization granted to information
Confidentiality
-Protects information gathered by the company from unauthorized access
-protecting personal privacy and proprietary information
-requires that the information is only accessed by systems or individuals with the appropriate authority
Creating Policies and Procedures
Data Collection
Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII and proprietary information by defining:
-specific confidential data collected
-how data is collected, accessed, and retained
-incident response
-privacy in the development cycle
-sharing rules
-consequences of violation
Conducting Training
Data Collection
Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training to understand the relevant guidelines and the repercussions of violating these guidelines
Personally Identifiable Information (PII)
All data that can be used to identify an individual:
-full name / alias
-identification numbers
-addresses
De-identifying Personal Information
Data Processing
Organizations should de-identify records by removing enough personal information such that the remaining information does not identify an individual
Using Access Enforcement
Data Storage
Organizations should control access to personal info through access control policies and access enforcement mechanisms
Implementing Access Control for Mobile Devices
Data Collection
Organizations should prohibit or strictly limit access to personal information from portable and mobile devices, such as laptops and phones
Auditing Events
Data Collection
Organizations can monitor events that affect the confidentiality of personal information, such as inappropriate access to PII
Data Transmission
Organizations should protect the confidentiality of information transmitted. This is commonly accomplished through encrypting the communication
Data Deletion/Purging
Organizations should set up policies that determine which data sets are to be archived or purged
Obfuscation
the process of replacing production data or sensitive information with data that is less valuable to unauthorized users
Encryption
Obfuscation
Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key
Tokenization
Obfuscation
Removes production data and replaces it with a surrogate value or token.
Masking
Obfuscation
Swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set
Symmetric Encryption
Involves a single shared or private key for encryption and decryption of data within a group.
-drawback: does not provide non-repudiation, because any person with the shared key can encrypt and decrypt messages
Asymmetric Encryption
Uses two keys, a public and private key. The public key is used to encrypt the message and the private key to decrypt it, or vice versa. Only the two opposite keys can be used in tandem.
-weakness is speed of operation: long, complex keys
Hashing
Converts a message of variable length to a fixed-length code called a message digest or hash value
Hashing vs Encryption
Difference is their intended use. Encryption is used for secure data transfer to maintain confidentiality, whereas hashing is used to maintain the integrity of the data, validating that the message is sent from the true sender
Cipher
The result of applying an encryption algorithm that encodes a message into an encrypted form. Results in a combination of numbers and letters that is meaningless and illegible to those without the key
Substitution Ciphers
Are algorithms that replace each character of a plaintext message with another character. Very basic ciphers simply replace one letter or number with another using a key, while more complex ciphers involve math to perform the substitution.
Transposing Ciphers
Are encryption techniques that rearrange the letters of a message to form unreadable ciphertext, often by using a matrix to perform columnar transposition
Data Loss Prevention Systems (DLP)
Enable organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods.
-pattern matching
-word recognition
Objectives of a DLP
-implement a centralized DLP program, with collaboration from various departments, that oversees data for the entire organization
-define and create enterprise data usage policies
-evaluate the different forms of data and define levels of sensitivity
-monitor the use of sensitive data
-enforce security policies
-implement employee education programs
Network Based DLP
Scans outgoing data that meets specific criteria and is transmitted by means such as email, file transfer protocols, and direct messaging
-cloud-based DLP applies the same protection to cloud environments
Endpoint based DLP
Scans files stored on or sent to devices that might be outside of a network, such as a printer, USB drive, or any other device to which data can be transferred
Physical Security
locked cabinets and closets, security cameras, and badge entry
Digital Security Controls
Encrypted hard drives, encrypted USB drives, or secure file systems that are encrypted
Authorization and User Access Controls
Control mechanisms, such as role based access controls, rule based access controls, discretionary access controls
-multifactor authentication
Change Management Controls
require there to be processes in place for requesting changes to a system or data, review and approval, implementation, reversion, and documentation
Backup and Recovery Mechanisms
these redundancy defenses protect data so it is not lost and can be restored in the event of a disaster, cyberattack, or accidental deletion or modification
A read through
Involves distributing security, confidentiality, and privacy procedures to members of both IT departments and non-IT departments supporting the walk-through for review
-inform personnel of tactical and strategic procedures
Walk Throughs
occur in phases starting with a planning and preparation phase, followed by obtaining an understanding of the process being evaluated, performing the walk-through, creating documentation, performing tests, and finally evaluating the procedures
1. Plan and Prep
2. Obtain an Understanding
3. Perform Walk-through
4. Create Documentation
5. Test
6. Evaluate and report
Finance and Accounting
Walk Through
-for confidentiality and privacy, focus on ensuring confidentiality and privacy policies are followed such that minimal PII is collected and each user has the minimal level of access to PII and proprietary data needed to execute their job function
-for security, focus on ensuring security policies are in place to only allow authorized employees access to systems that control any accounting functions that involve withdrawing or transferring cash
Corporate Training and Education
Walk Through
-viewing security, confidentiality, and privacy content being delivered to employees
-employee acknowledgement of policies and procedures
-attending courses delivered by trainers
-reviewing materials and assessments given to trainees
Human Resources
Walk Through
-for confidentiality and privacy, focus on how human resources follow the policies and procedures to identify and collect PII
-for security, focus on practices regarding background checks, defining security roles
IT Risk Management
Walk Through
-for confidentiality and privacy, focus on identifying ways the department monitors the controls, identifying and communicating potential violations
-for security, focus on identifying ways the department tracks assets and systems that should be protected
Walk through procedures to be performed by SOC 2 engagement service auditor
-Following a transaction, event, or activity from origination until final disposition through the service organization's system using the same documents used by service organization personnel
-Inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls
-inquiry about instances during the period in which controls did not operate as described or designed
-questioning variations in the process for different types of events or transactions
Factors when determining whether identified deviations may have a pervasive effect on other controls
-effect that entity level controls have on the operation of other controls
-the extent of the use of segmentation, a technique that enhances security by dividing networks or systems into multiple segments, across the service organization
For potential fraud involving senior management
How should the service auditor respond?
communicating to those charged with governance and discussing with them the nature, extent, and timing of procedures necessary to complete the examination
Incident response plan (IRP)
the documentation of a set of procedures, people, and information to detect, respond to, and limit the consequences of a cyberattack against an organization
Key elements of an IRP outlined by NIST
-mission
-strategies and goals
-senior management approval and statement of commitment
-organizational approach to incident response
-purpose and objectives of the policy
-scope of the policy
-metrics for measuring the incident
-roadmap
-definition of computer security incidents and related terms
Incident Response Timeline
Recovery timeline to be charted when an incident occurs, clearly delineating the point at which the incident starts, when it is detected, contained, and eradicated, and when normal operations are restored
Method of detection
-vulnerability scanning software
-anomaly detection
-endpoint detection and response solutions
-file integrity monitoring
-log analysis
-intrusion detection
-intrusion prevention
Centralized Incident Response Team
A single incident response team is tasked with managing incidents across the organization. This approach is effective for smaller organizations and those with computing environments that aren’t distributed geographically
Distributed Incident Response Teams
Organizations in this model have multiple incident response teams that are responsible for specific logical or physical segments of a company’s network. Effective for orgs that have geographically widespread computing resources
Coordinating Team
A secondary function of either a distributed or centralized incident response team is coordinating with other departments without having authority over those teams
Employee Morale
Segregating roles may be one option to combat fatigue and boost morale
Event
An observable occurrence in a system or network. Examples include a user connecting to a shared file server, a server receiving a request for a web page, a user sending an email, and a firewall blocking a connection attempt
Adverse Event
Any event with a negative consequence is defined as an adverse event, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and the execution of malware that destroys data
Computer System Incident
A type of adverse event that is computer security related and caused by malicious human intent, not by environmental or indirect human factors such as power failures or natural disasters
-any violation or imminent threat of computer security policies
Preparation
Initial phase of incident response planning involves assembling key personnel, tools, and processes so the organization will be prepared to handle many scenarios
Detection and Analysis/Identification
The second phase concentrates on recognizing deviations from normal operations, evaluating them, and correctly classifying them as either an acceptable event or a problematic computer security incident
Containment
Once the threat is correctly identified, the organization must contain it so that further damage is not incurred.
-isolating a segment of the network, removing infected servers
-nontechnical measures like informing employees so that certain routine operations might stop
step 3
Eradication
Targets the extraction of the threat and restoration of affected systems, which may be as simple as restoring infected files from clean backup copies or as complex as using specialized software and forensic analysis to help decrypt or remove infected files.
step 4
Reporting
Emphasizes communicating the incident to management, IT personnel, and affected employees
Recovery
Prioritizes returning an organization's normal IT operations to a fully functional state
-phased approach with early days focused on increasing overall security and implementing immediate high impact changes
Post Incident Activity/Lessons Learned
Last step. Senior management and directly affected employees examine the incident, understand how it occurred, and develop ways to improve the response.
SysAdmin, Audit, Network, and Security (SANS) Institute
Incident response phases
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
NIST IRP
Incident response stages
- Preparation
- Detection
- Containment, eradication, recovery
- Post-incident activity
International Organization for Standardization (ISO) IRP
Security Incident Management Activities
- evaluating event criteria and defining incident
- monitoring and detecting events
- managing incidents to the end of their lifecycle
- coordinating with authorities and handling evidence properly
- performing a root cause analysis
- reporting on all incident management activities
Mean Time to Detect
number of minutes or hours that it takes an organization to detect a prior incident or one in progress
Mean time to acknowledge
used to determine the amount of time an organization takes to acknowledge an incident once it has occurred
difference between the point in time when an incident is reported and when it is recognized as an actual threat
Mean time Between Failures
mean time between consecutive failures
System Availability or Downtime
amount of time that a production system is completely or partially unusable
Service level agreement compliance
Involves evaluating whether qualitatively or quantitatively specified performance levels in a service level agreement with an IT provider were met
Business Interruption Losses
Insurable Loss
Lost revenue from operating delays that are due to the inability to access records, systems, or financial resources may be covered by a cyber insurance policy
Cyber Extortion Losses
Insurable Loss
Coverage may include funds for ransom payments and fees to attorneys or IT experts for the cost of negotiating with attackers
Incident Response Costs
Insurable Loss
costs associated with recovery of lost or stolen data by external IT experts or managed services providers
Replacement Costs for information systems
Insurable Loss
if an attack results in corrupted software or physically damaged hardware, insurance may cover a partial or complete replacement of IT assets
Cyber Insurance Requirements for Applicants
- background checks
- compliance with regulations
- disaster recovery
- employee training
- company policies
- independent risk assessment
- incident response plans
- IT controls
- Mandatory PEN testing
- Loss history
User Behavior Analytics Tools
UBA tools monitor, analyze, and interpret user activities to detect patterns and anomalies. Listed in an IRP
Tabletop Exercises
also known as simulations