Security and Risk Management Flashcards

1
Q

What is a Threat

A

Potential Danger associated with exploitation of a vulnerability

-A Tornado COULD happen.

2
Q

What is a Threat Agent

A

Entity taking advantage of a vulnerability - the person, or actor

Example: The wind of a tornado, or flying objects caused BY the tornado, if there was an actual tornado

3
Q

What is Risk

A

Likelihood a threat source exploits a vulnerability and the business impact involved

4
Q

What is Exposure

A

Instance of being exposed to losses. For instance, a vulnerability exposing the organization to possible damage.

5
Q

What is a Control

A

Also known as a countermeasure or safeguard. Put into place to mitigate, or reduce, potential risk

6
Q

Types of Security Controls

A

Physical, Administrative, Technical

7
Q

Administrative Controls

A

“Soft Controls”, i.e. security documentation, risk management, personnel security, and training

8
Q

Technical Controls

A

AKA Logical Controls. Software OR hardware such as Firewalls, IDS, IPS, HIPS, encryption, and identification and authentication methods

9
Q

Physical Controls

A

Protection of facility, personnel, and resources, i.e. door locks, alarms, security guards, lighting, fences, CCTV, turnstiles

10
Q

Defense-In-Depth meaning

A

Mixture of admin, technical, and physical controls to help minimize exposure to risk of exploitation. Page 9 Shon Harris

11
Q

The more sensitive an asset, the more ____ controls should be used

A

security

12
Q

What are the different functionalities of security controls?

A

Preventative, Detective, Corrective, Deterrent, Recovery, and Compensating

13
Q

Preventative Function of Control

A

Avoids an incident from occurring

14
Q

Detective Function of a Control

A

Assists in the detection of incident activities and potentially an intruder

15
Q

Corrective Function of a Control

A

Fixes components or systems AFTER an incident occurs

16
Q

Deterrent Function of a Control

A

Discourages potential hackers

17
Q

Recovery Function of a Control

A

Intended to bring the environment back to regular operations

18
Q

Compensating Function of a Control

A

Provides an alternate measure of control that gives similar protection, but is oftentimes cheaper or allows specific business functions to operate. Example: After evaluating the cost of security guards, you use a fence instead since it is cheaper.

19
Q

Examples of Preventative Admin Controls

A

Policies, procedures, testing, effective hiring practices, pre-employment background checks, controlled termination processes, data classification, labeling, security awareness training

20
Q

Examples of Preventative Physical Controls

A

Badges, swipe cards, guards, dogs, fences, locks, mantraps. NOT A CAC OR SMART CARD

21
Q

Examples of Technical Controls

A

Passwords, biometrics, smart cards, CAC, encryption, security protocols, call-back systems, database views, IPS, antivirus software, ACLs, firewalls, IDS

22
Q

Corrective functions only apply to what type of control? How?

A

Technical via Server Images

23
Q

Recovery functions only apply to what type of controls? How?

A

Physical and Technical. Physical: offsite facility. Technical: data backups

24
Q

Deterrent functions only apply to what type of control? How?

A

Physical: Fences, Lighting, Dogs

25
Q

Security through obscurity should be avoided? True or False? Why?

A

True! Like hiding a key under a doormat. Burglars know these tricks, so try to avoid shortcuts to security.

26
Q

Ways to find vulnerabilities in code?

A

Fuzzing, input validation,

27
Q

Security Programs are also called?

A

Security Framework

28
Q

Security Framework

A

Different types of technologies, methods, and procedures used to accomplish the protection level required to secure the environment.

29
Q

ISO/IEC 27000

A

How to develop and maintain an ISMS; developed by ISO and IEC. AKA Security Program Development

30
Q

Zachman Framework

A

Model for development of enterprise architectures

31
Q

TOGAF

A

Model for development of enterprise architecture developed by THE OPEN GROUP.

Architecture Development Method (ADM)

32
Q

DoDAF

A

US DoD architecture framework that ensures interoperability of systems to meet military mission goals.

33
Q

MODAF

A

Framework used by the British Ministry of Defence. Based on DoDAF

34
Q

SABSA Model

A

Framework for development of enterprise security architecture

35
Q

COBIT 5

A

Business framework developed by ISACA (“Information Systems Audit and Control Association”)

36
Q

NIST 800-53

A

Security controls to protect US Fed Systems

37
Q

COSO Internal Control - Integrated Framework

A

Created by the Committee of Sponsoring Organizations of the Treadway Commission to reduce the risk of financial fraud

38
Q

ITIL

A

Developed by the UK Office of Gov’t Commerce

39
Q

Six Sigma

A

Business management strategy used to carry out process improvement

40
Q

Capability Maturity Model Integration

A

AKA CMMI, a process development model created by Carnegie Mellon University

41
Q

ISO/IEC 27001

A

Remember this one most - requirements for organizations - ISMS Requirements

42
Q

What is Enterprise Architecture?

A

Enterprise structure (form) and behavior (function); embodies the enterprise components and their relationship to one another

43
Q

Framework

A

Like a blueprint. Blueprints can be modified to meet needs (of the enterprise), but it all starts with the blueprint

44
Q

Clinger-Cohen Act

A

Passed to reduce federal agency IT expenditure waste (spending). “Cling to the money”

45
Q

Zachman Architecture Framework

A

2-dimensional chart that uses 6 communication interrogatives (What, How, Where, Who, When, Why) vs. role perspectives (executives, business managers, sys admins, engineers…)

46
Q

What is Enterprise Security Architecture?

A

Subset of Enterprise Architecture,

47
Q

Governance Analogy

A

Policy: Employees will nail boards together using a company-issued hammer

Standard: Company-issued hammers will be 11 inches long, and made of fiberglass

Guideline: To avoid splitting wood, a pilot hole will be drilled before hammering

Procedure: 1. Position nail on board. 2. Strike nail head with hammer. 3. Repeat until nail is flush with board and board is secure. 4. If you catch your finger between hammer and nail, see “First-Aid Procedure”.

48
Q

ISC2 Code of Ethics Canons (1-4). Which one is the most important?

A
  1. Protect society, the commonwealth, and the infrastructure. MOST IMPORTANT
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession LEAST IMPORTANT
49
Q

ISC2 Ethical Basis. Where were ethics derived?

A
  • Golden Rule - reciprocity
  • Kant's Categorical Imperative - uniformity - no exceptions without extreme consideration
  • Descartes' Rule of Change - slippery slope - when you DO make exceptions it opens the door to issues
  • Utilitarian Principle - what does the most good. Subjective because it can be opinionated
  • Risk Aversion Principle - least harm - also subjective
  • Avoid Harm - Do No Harm.
  • No Free Lunch Rule - assumes ownership
  • Legalism - is it against the law?
  • Professionalism - is it contrary to the code of ethics?
  • Demonstrate due care/diligence?
  • Evidentiary guidance - can you prove it?
  • Client/customer choice - affected people make decisions (“informed consent”)
  • Equity - equal distribution of costs/benefits
  • Competition - Market sets prices/quality
  • Compassion - Most vulnerable parties protected - Elderly/Children
  • Impartiality/Objectivity - biases?
  • Impartiality/Full Disclosure - affected persons informed?
  • Confidentiality - individual security
  • Trustworthiness - is IT staff/technology accountable?
50
Q

Ways to obtain leadership support (3)

A
  1. Financially - Probability * Magnitude (Value of items) = Cost (of plan to implement)
  2. Reputation
  3. Regulatory - Prudent Person Rule
51
Q

Data Retention Policies - Business Docs

A

7 yrs

52
Q

Data Retention Policies - Invoices

A

5 years

53
Q

Data Retention Policies - Accounts Payable/Receivable

A

7 Years

54
Q

Data Retention Policies - Human Resources

A

7 years for employees who leave

3 years for candidates who did not get hired

55
Q

Data Retention Policies - Tax Records

A

4 years AFTER tax has been paid

56
Q

Data Retention Policies - Legal Docs

A

FOREVER

57
Q

What are the information life cycle phases

A

Acquisition, Use, Archival, Disposal (AUAD)

58
Q

Recovery Point Objective

A

Amount of time an org can function until the loss of the function will cause irreversible damage, if not restored. Ex. 5 days of lost customer revenue

59
Q

Recovery Time Objective

A

Amount of time after which an org will start to lose data. Ex. 1 day's worth of data.

60
Q

Differential Backup

A

All changes since last full backup

61
Q

Incremental Backup

A

All changes since last increment

62
Q

Mirrored Site

A

Fully functioning backup site with all data

63
Q

Hot site

A

Full network infrastructure, however data may not be loaded. RTO = 4 hours

64
Q

Warm Site

A

Partially equipped. More setup required than a hot site. RTO = a few days

65
Q

Cold Site

A

Site not equipped. Empty warehouse, long setup time.

66
Q

Service Level Agreement (SLA)

A

Agreement between 2 parties where a level of service is defined

67
Q

Business Partner Agreement (BPA)

A

Contract between 2 entities dictating their business relationship. Defining expectations and obligations of each party

68
Q

Memorandum of Understanding (MOU)

A

Letter of intent (not legally binding) with a means to document the specifics of an agreement or arrangement between 2 parties.

69
Q

Interconnection Security Agreement (ISA)

A

Formal declaration of the security stance, risks, and technical requirements of a link between 2 orgs

70
Q

5 Phases of SDLC

A
  1. Initiation
  2. Acquisition/Development
  3. Implementation
  4. Operation/Maintenance
  5. Disposition
71
Q

Difference between trademark and copyright?

A

Trademark is something like a logo. Copyright is literary or artistic such as a book, drawing, or other written documentation.

72
Q

Which symmetric cipher is a Feistel-type block cipher with 64-128 bit blocks?

A

CAST

73
Q

What is a tangible asset?

A

Physical - can be owned. If you can drop it on your head or bump your foot with it AND IT HAS VALUE, it is tangible

-Servers, Hard disks, Data Centers, Optical Disks, Facilities, workforce

74
Q

What is an intangible asset?

A
  • Software, soft data, intellectual property.

- Software, databases, source code, data files, PII

75
Q

______ implies the absence of a countermeasure

A

Vulnerability

76
Q

Types of confidentiality threats

A

Eavesdropping, shoulder surfing, sniffing, dumpster diving

- an ACTIVE attack

77
Q

Types of Integrity threats

A
  • Errors and omissions
  • Insider Threats
  • Man in the middle - NOT a sniffer, because a sniffer is passive. Man in the middle is not passive. A person could intercept, modify, then deliver
  • Falsified invoices.
  • A PASSIVE attack
78
Q

Does a man in the middle attack affect confidentiality or integrity?

A

Integrity because it is not passive. They could intercept and alter network traffic, then redeliver.

79
Q

Threat to Availability examples

A

Hard disk crash

Server Failure

Corruption

DoS, DDoS

80
Q

Non-repudiation relates to C, I, or A?

A

Integrity

81
Q

What is nonrepudiation?

A

Proving the validity of an action or task – being able to identify the origin of an event. Cannot be disproven

82
Q

Order of reliance for the C.I.A.

A

It all starts with confidentiality, then integrity, then accessibility. In that order.

83
Q

Authentication, Authorization, and Accounting (AAA) actually have 5 components – what are they

A
  1. Identification
  2. Authentication
  3. Authorization
  4. Auditing
  5. Accountability

IN THAT ORDER – the user (subject) must identify themselves, then authenticate themselves, then they are authorized based on permissions. Objects audit subject activity (logs, etc.), and subjects are then held accountable by reviewing the logs

84
Q

3 types of organizational plans

A

Strategic - Long term ~5 year plan - includes risk assessment

Tactical - ~1 year plans - project plans, acquisition plans, hiring plans, budget plans, system development plans

Operational - VERY short term plan, highly detailed. Staffing assignments, close-range schedule, budget requirements, training plans, system deployment plans, product design plans.

85
Q

Business Classifications NOT DoD

A

Confidential, Private, Sensitive, Public

Confidential - high security, relating to BUSINESS only – proprietary business functions could be an example

Private - high security, relating to PERSONNEL data such as PII or medical data.

Sensitive - causes a negative business impact if disclosed

Public - No impact

86
Q

What is a Security Manager

A

Ultimate responsibility for protection of assets. SIGNS off on all security policies. All activities are approved and signed by the SM. Also held organizationally responsible for due care and due diligence. RARELY implements solutions and leaves this up to the Security Professional

87
Q

What is a Security Professional

A

Information Security Officer, CIRT, or other experienced IT staff. IS/IT functional role responsible for writing the security policy and implementing it. NOT decision makers. ARE implementers.

88
Q

Data Owner

A

High-level manager whose sole responsibility is data protection. Usually delegates actual data management responsibilities to the Data Custodian.

89
Q

Data Custodian

A

Assigned to a user by the Data Owner. Responsible for implementing the protection defined by senior management. Performs all activities to provide CIA protection – backups, validating data, deploying security solutions, etc.

90
Q

COBIT

A

Control Objectives for Information and Related Technology

ISACA framework

91
Q

COBIT 5

A

5 Principles:

  1. Meeting Stakeholder needs
  2. Covering the Enterprise End-to-End
  3. Applying a Single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance from Management
92
Q

OSSTMM

A

Open Source Security Testing Methodology Manual - testing and analysis of a security infrastructure

93
Q

ISO/IEC 27002

A

Replaced ISO 17799 - international standard used for implementing org security practices

94
Q

ITIL

A

Information Technology Infrastructure Library

Developed by the British - recommended security practices

95
Q

Due Care is Dependent on Due Diligence?

A

False - Due Diligence is dependent on Due Care

Due Care - reasonable care to protect assets of an org

Due Diligence - activities that maintain the Due Care effort.

96
Q

What is a Security Policy

A

Defines the scope of security needed at the org and discusses org assets

Used as proof by senior management to show due care

97
Q

How many different types of security policies?

A

3 - Organizational, Issue-Specific, and System-Specific

98
Q

Organizational Security Policy

A

Issues relevant to every aspect of the organization

99
Q

Issue Specific Security Policy

A

Focuses on specific organizational procedures – network services, departments, functions…

100
Q

System Specific Security Policy

A

Focuses on individual systems or types of systems and appliance-related security controls – firewalls, baselining, approved hardware and software use

101
Q

Security Policy Categories (3)

A

Regulatory, Advisory, Informative

Regulatory - Required by industry or legal standards
Advisory - Provides behaviors and activities that are acceptable (MOST POLICIES ARE ADVISORY)
Informative - Informational in nature; provides information about specific subjects

102
Q

Security Policies should address specific individual responsibilities? T or F

A

False – Policy should define tasks and responsibilities to FIT a role.

103
Q

Confidentiality Controls

A

Encryption
Least Privilege
Access Control (MAC, DAC, Physical…)
Need to Know

104
Q

Integrity Controls

A

Hashing
Separation of Duties
Dual Control

105
Q

Availability Controls

A

Backups
Remote site hosting / recovery
High Availability
Fault Tolerance