Security and Risk Management

Question 1

5 Pillars of information security

Answer 1

1. Confidentiality: Secure read access
2. Integrity: Secure write access
3. Availability: Systems are available for normal business use
4. Authenticity: Proving an identity claim
5. Nonrepudiation: The combination of integrity and authenticity

Question 2

CIA Opposite

Answer 2

Disclosure, Alteration, Destruction

Question 3

Confidentiality (opp Disclosure)

Answer 3

Aims to prevent the unauthorized disclosure of information

Question 4

Integrity ( Opp Alteration)

Answer 4

Focuses on the prevention of unauthorized modification of assets.

Applies to both data and systems

Malware installation would be a violation of a system’s integrity

Question 5

Availability (Opp Destruction)

Answer 5

Ensures that required access to resources remains possible

Ransomware and denial of service(DoS) attacks represent breaches of availability

Question 6

Privacy

Answer 6

defined as confidentiality and protection of PII

Question 7

Identification

Answer 7

Provides a weak and unproven claim of identity

providing a username - an example of identification

Question 7

Authenticity

Answer 7

serves as proof a user’s identity claim is legitimate

strong authentication implies higher integrity means of proof

Question 8

Nonrepudiation

Answer 8

Combination of integrity and authenticity

Eg: proving a user signed a contract, while also proving that the contract was not subsequently altered

Question 9

Authorization

Answer 9

proceeds after successful authentication and determines what the authenticated user can do

Question 10

Accounting

Answer 10

details the interactions performed by individuals

Audit logs could be generated for accountability / documented actions

Question 11

4 main categories of authentication

Answer 11

something you know
something you have
something you are
someplace you are (GPS ) - SANS

Question 12

Two-factor or multi-factor authentication

Answer 12

using 2 of the categories

Question 13

PoLP

Answer 13

Principle of least privilege(PoLP) known as Min necessary access

fundamental principle of security

Any additional rights, permissions, privileges, or entitlements violate this principle

Question 14

Separation of Duties (SoD)

Answer 14

Goal of SoD is to limit risk associated with critical functions/transactions

Risk is mitigated by requireing two parties to perform what one person could

Eg: Requiring multiple individuals to sign a check (financial transactions)

Question 15

Rotation of duties

Answer 15

Another policy for fraud deterrence/detection
- force other people to be in charge of key tasks

eg: printing payroll checks

Question 16

Due Care and Due Deligence

Answer 16

Due Care: acting as any reasonable person would (referred to as prudent man rule)

Due diligence: practices to processes that ensure the decided upon standard of care is maintained

Question 17

types of controls

Answer 17

preventive :deny unauthorised access to resources
detective: tries to detect that ther eis a pbm after an attack
corrective: reacts to an attack
deterrent: discourages security violations
recovery : restores after an attack/failure
compensating: used to shore up existing controls deficiencies

Question 18

controls implemented across

Answer 18

Administrative : Background checks, policies n procedures
Technical: Encryption, smart cards
Physical: Locks, security laptops n magnetic media, protection of cable

Question 19

detective control eg

Answer 19

eg: Auditing and IDS (Intrusion detection system)

CCTV, Motion sensors

Question 19

preventive n deterrent control difference

Answer 19

eg: preventive control will not allow a user to violate the security policy

deterrent control will present a banner indicating not legal to use , but not orevent: eg: no trespassing sign

Question 20

NIST SP 800-30

Answer 20

Risk mgmt guide for information technology systems

Question 21

Asset Identification and Evaluation

Answer 21

understanding assets is key to effective risk analysis
inventory assets and assess their role in the org

Evaluate the asset value
understand how uncertain the data obtained is

Question 22

Risk

Answer 22

Risk = Threat * Vulnerability

Question 23

Threat

Answer 23

Threat: anything that can cause harm to an infosystem

threat agents / threat sources are who (Adversary)

Threat agent: organised crime
threat: sys compromise thru server-side attack

Question 24

Vulenrabilities

Answer 24

a weakness in a system that could potentially be exploited

Question 25

zero-day vulnerabilities

Answer 25

are those not publicly known (targeted with zero-day exploits)

Question 26

Exploits & the payload

Answer 26

Exploitation is the process of a threat taking advantage of a vulnerability

the actions triggered by the exploit are called the payload

Question 27

Risk Analysis - Quantitative and Qualitative risk analysis

Question 28

Quantitative formulas (SLE,ARO,ALE)

TCO , ROI, Cost/Benefit Analysis

Answer 28

SLE- Single loss expectancy
ARO -Annualised rate of occurrence
ALE - Annualised loss expectancy

SLE = EF (Exposure factor) * AV (Asset value)

ALE = SLE * ARO

TCO - Total cost of ownership
ROI - Return on investment

Question 29

Risk Management Key Formulas

Quantitative

Answer 29

Asset Value(AV) : The value os the asset
ARO: Frequency of threat occurrence per year
Exposure Factor (EF) : % of asset value at risk due to a threat

SLE = AV EF
ALE : SLEARO

Question 30

Qualitative risk analysis

Answer 30

Likehood and impact

Question 31

Excessive Risk

Answer 31

level of risk is unacceptable to the decision makers
eg: Injury or loss of life

Question 32

Risk mitigation

Answer 32

taking actions that decreases the risk

mitigation can come in flavours:
1. threat oriented : focused on reducing motivation of the threat agents
2.vulnerability oriented : reducing vulns
3.Impact oriented : reducing the impact
4. likelihood oriented : reducing likelihood

Question 33

Risk avoidance

Answer 33

not to move fwd with a new project that introduces risk

Question 34

transferring risk

Answer 34

eg:purchase of insurance
outsource risky systems to a third party

Eg:data breach insurance

Question 35

Accepting risk

Answer 35

accept residual risk
accept a certain level of risk

Question 36

controls identification and assessment

Answer 36

after identification, assess
TCO
ROI

Question 37

Security architecture: mergers n acquisitions
divestitures (demergers or deacquisitions)

Answer 37

acquisitions - challenge
deacquisitions - nightmare

Question 38

RFI / RFP/ / RFQ

Answer 38

Request for information / proposal / quote

Question 39

BPA (Business process agreement)

Answer 39

typically addresses things like ownership, profit/losses, partner contributions

Question 40

MOU / MOA

Answer 40

Memorandum of understanding or agreement -
goal is to establish the basic roles, responsibilities, and requirements for interconnection

Question 41

NIST 800-47

Answer 41

Security guide for interconnecting info technology systems

Question 42

SLA / OLA /ELA

Answer 42

OLA is an internal agreement that supports SLA

SLA: Expectations customer has for their service provider

ELA : Enterprise license agreement

Question 43

FedRAMP

Answer 43

Federal risk and authorization management program

Question 44

SCRM - Supply chain risk management

Question 46

SBOM ( Software bill of materials)

Answer 46

SBOM Minimums:
Supplier name
component name
version of the component
other unique identifiers
dependency relationship
author of SBOM data
timestamp

Question 47

SOC Reports - System and organisation controls

Answer 47

created/validated by auditors provide insight into 3rd party service providers

Question 48

SOC Reports : SOC 1, SOC 2, SOC 3

Answer 48

SOC1: Internal control over financial reporting (ICFR)
Focus on financial stmts

SOC2: Trust services criteria
emphasis on controls related to security

SOC3: Trust services criteria for general use report / public report

Question 49

SOC Type 1 / SOC Type 2

Answer 49

Type 1: Description / suitability of controls design

Type 2: Description/suitability/effectiveness of controls design

Note: SOC3 can be created as type 2 report

Question 49

SOC for cybersecurity
SOC for supply chain

Question 49

Threat modelling

Question 50

Microsoft STRIDE

Answer 50

Spoofing ID
Tampering with data
Repudiation
Information disclosure
DoS
Elevation of privilege

Question 50

Threat Identification

Vulnerability identification

Answer 50

identify various threats that could exeercise vulns
- understand various threats
-

Question 50

Attack Surface

Answer 50

A systems attack surface represents all the ways in which an attacker could attempt to introduce data to exploit a vuln

reducing attack surface — is by disabling unneeded services
or - not listening on unnecessary ports

Question 50

Scoring vulnerabilities
CVSS

Answer 50

5 to 1
CVSS - Common vulnerability scoring system
Developed by a consortium of US Govt orgs and vendors

Question 51

Threat Vectors

Answer 51

are methods attackers use to touch or exercise vulns

Question 52

Laws

Answer 52

Laws, directives, regulations do not normally provide detailed instructions for protecting computer related assets

instead they specify requirements such as restricting the availability of PII

Question 53

Types of laws

Statutes
Administrative
Civil
Common law
Religious

Answer 53

Constitution
Statutes
- criminal proceedings
- civil proceedings

Administrative :
Regulations : HIPAA

Common law:case law or judicial precedent

Legal systems:
Civil law:
- Statutory
- Most common
Common law ( case law)
eg: UK, US, Canada

Religious law:
Sharia : Islamic law

Customary law

Question 54

Criminal Law

Answer 54

society has been harmed
criminal charges are the only laws in which someone can get jail time

successful prosecution can warrant being removed from society

Question 55

Civil Law

Answer 55

Deals with civil actions initiated by individual or orgs

Eg: torts, contracts, property and loss by business/individual

takes less time in courtroom

person can be ordered to pay monetary damages

Question 56

Computer crime challenges

Answer 56

difficult to keep pace with rapidly changing tech

Question 57

Types of damages

Answer 57

Compensatory : monetary award — rel to actual loss/harm

Statutory: Monetary damages designated by law

Punitive: award meant to punish the defendant, not tied to actual losses

Legal fees:

Question 58

International difficulties , international cooperation

Question 59

IP - Intellectual Property

Answer 59

Patent
Copyright
Trademark
Servicemark
Trade secret

Question 60

Patent

Answer 60

protects inventions for 20 years from date of filing

invention must:
have utility
novelty
be non-obvious

must reduce the invention to practice and cover single idea

Question 61

Copyright

Answer 61

form of expression
provided to the authors of original works
recorded thought on - paper, vinyl, plastic, magnetic media, or other

Question 62

Trademark

Answer 62

is a word , name, symbol or device that is used in trade with goods

servicemark - a trademark for a service instead of a product

Question 62

Trade secret

Answer 62

protects critical IP that is not publicly available

Question 63

IP enforcement and attacks

Answer 63

Trademark attacks :
1. counterfeiting : products intended to be mistakenly associated with brand
2. Dilution: widespread use of brand names

Copyright attacks:
Piracy: unauthorised use or reproduction of material

Trade secrets:
economic/industrial espionage

Question 64

Counterfeit products

Answer 64

eg: cisco fiber transceiver

Question 65

Product implants and tampering

Answer 65

hardware supply chain attack
1. seeding: modify the product in the facotry itself
2. interdiction: intercept products that move between factories

Question 66

Software licensing issues

Answer 66

licensing can serve as a form of IP Protection

site license
per-user/per-device license
concurrent users license

Question 67

Workplace privacy

Answer 67

employee privacy
management responsibilities

Question 68

European Union

Answer 68

Data protection directive

Question 69

International privacy considerations

Answer 69

OECD : Org for economic co-operation and development
EU
GDPR

Question 70

GDPR - General data protection regulation

Answer 70

Supersedes EU data protection directive

Question 71

OECD Guidelines

Answer 71

key provisions
- limitations on collection
lawful collection
accuracy of data ensured
collected for legitimate purposes
no data disclosure
accountable for data controller

Question 72

GDPR principles

Answer 72

lawfulness, fairness, transparency
purpose limitation
data minimization
accuracy
storage limitation
integrity n confidentiality
accountability

Question 73

Enforcement of GDPR began in may 2018

Answer 73

eg: Google LLC , Amazon europe - 60,34 million euros for pushing advertising cookies without consent

Question 74

GDPR: Data breach

Answer 74

breach notification to supervisory authority within 72hrs of discsovery

communication of data breach to those affected

eg: british airways - 20million euros - 400k customers

Marriot : 18.4m - 339 million customers

Question 75

GDRP - DPIA - Data protection impact assessment

Answer 75

Designate a DPO Data protection officer

Question 76

PIPL - Personal information protection law (China) - 2021

Answer 76

SPI - Sensitive personal info

PIPIA - personal information protection impact assessment

Question 77

PoPIA - enforce 2021 - South Africa
Protection of personal information act

Question 78

CCPA - California consumer privacy act

Answer 78

2018 state-level law

Question 78

US - FIPPs (Fair information practice principles )

Question 79

Databreach - minimization

Answer 79

• insure against the loss with data breach insurance
• plan comms in advanceof a breach

Question 80

PCI DSS

Answer 80

developed by major credit card companies to reduce fraud associated with credit card companies

Question 81

Ethics bodies
IAB (Internet activities board)

Answer 81

what not to do
- seek to gain unauthorized access on internet
disrupt intended use of internet
waste resources
destroy the integrity of computer based info

Question 81

Code of Ethics:

Answer 81

1. Protect society
2. Act honorably, honestly, justly, responsibly, and legally
3. provide diligent and competent service to principals
4. Advance and protect the profession

Question 82

Security Policies

Answer 82

provide high level guidance regarding expected conditions

eg: password s must be changed every 90 days

Question 83

Policy components

Answer 83

Purpose
Related docs
Cancellation
background
scope/exceptions
policy statement
responsibility
ownership
effective date / expiration date

Question 84

Scope : Levels of policy

Answer 84

Policies can exist on differnet levels with a hierarchy that can determine scope
- enterprise-wide / corporate policy
- division-wide policy
- local policy
- Issue - specific policy

Question 85

Security procedures

Answer 85

are more detailed than security policies

• focussed on how to achieve what security policies mandate

eg: follow these step-by-step instructions to build the server

Question 86

policies vs procedures

Answer 86

policies are high level, procedures are detailed guidance

Question 87

Security standard

Answer 87

organizational, compulsory

eg: admins must use windows server 2019 as the base OS

Baseline: is a more specific implementation of a standard

Question 88

Security Guideline

Answer 88

suggestions
not compulsory

Question 89

Personnel Security

Answer 89

prior to hiring, during employment, during the separation

Question 90

Background checks

Answer 90

pre-employment background checks and screenings are a common way of vetting candidates

Question 91

Cross-training
Job rotation

Question 92

Mandatory vacation

Answer 92

helps to force job rotation

Question 92

AUP - Acceptable use policy

Answer 92

establishes expectations of employees

Question 93

Personnel Monitoring

Question 94

Non-Disclosure Agreement (NDA)

Answer 94

• Company data should not be shared with competitors

Question 95

Non-compete agreement

Answer 95

purpose is to establish that an employe who leaves the org agrees not to work for a competitor

Hiring, training, grooming employees can be costly for an org

Question 96

non-solicitation agreement

Answer 96

if an employee leaves the company, agreement prohibits an employee from
— soliciting other employees to also leave
–soliciting customers of the employer for business

Question 97

Termination

Answer 97

Mishandling access revocation poses significant risk

ensuring all access has been removed in a timely basis can decrease the likelihood of compromise

imp with disgruntled individuals

Question 98

Controlling your env : key principles

Answer 98

Policy : tells a user what to do
Training: provides the skillset
Awareness: changes user behaviour
Key threat: social engineering
- manipulation
- people need to be made aware of the dangers

Question 99

Audit Standards: SSAE

Answer 99

Statement on Standards for Attestation Engagements (SSAE),

Question 100

Audit Standards: AICPA

Answer 100

American institute of certified public accountants

Question 101

Audit Standards: ISAE

Answer 101

International standard on assurance engagements

Question 102

Audit Standards: IAASB

Answer 102

International Auditing and Assurance Standards Board

Question 103

global digital forensics standards:

Answer 103

1.ISO/IEC 27037:2012: Guide for collecting, identifying, and preserving electronic evidence
2. ISO/IEC 27041:2015: Guide for incident investigations
3. ISO/IEC 27042:2015: Guide for digital evidence analysis
4.ISO/IEC 27043:2015: Incident investigation principles and processes
5.ISO/IEC 27050-1:2016: Overview and principles for eDiscovery

Question 104

ISO 27001

Answer 104

ISO 27001 is the standard for international information security management.

ISMS - Information security management system

Question 105

ISO 27002

Answer 105

ISO 27002 is a supporting standard that guides how the information security controls can be implemented.

Question 106

ISO/IEC 27017:2015

Answer 106

A set of standards regarding the guidelines for information security controls applicable to the provision and use of cloud services and cloud service customers