Security and Risk Management Flashcards
What is a Threat
Potential Danger associated with exploitation of a vulnerability
Example: a tornado COULD happen (the potential for harm, not the event itself).
What is a Threat Agent
The entity that takes advantage of a vulnerability: the person or actor (human or otherwise).
Example: the wind of a tornado, or the flying debris the tornado throws, once an actual tornado occurs.
What is Risk
Likelihood a threat source exploits a vulnerability and the business impact involved
What is Exposure
An instance of being exposed to losses, e.g. a vulnerability that exposes you to possible damage.
What is a Control
Also known as a countermeasure or safeguard. Put into place to mitigate, or reduce, potential risk
Types of Security Controls
Physical, Administrative, Technical
Administrative Controls
“Soft controls”, e.g. security documentation, risk management, personnel security, and training
Technical Controls
AKA logical controls. Software or hardware such as firewalls, IDS, IPS, HIPS, encryption, and identification and authentication methods
Physical Controls
Protection of facility, personnel, and resources, e.g. door locks, alarms, security guards, lighting, fences, CCTV, turnstiles
Defense-In-Depth meaning
A layered mixture of administrative, technical, and physical controls so that no single control failure leaves an asset exposed to exploitation. Page 9, Shon Harris
The more sensitive the asset, the more ____ controls (layers) should be used
security
What are the different functionalities of security controls?
Preventative, Detective, Corrective, Deterrent, Recovery, and Compensating
Preventative Function of Control
Avoids an incident occurring in the first place
Detective Function of a Control
Assist in the detection of incident activities and potentially an intruder
Corrective Function of a Control
Fixes components or systems AFTER an incident occurs
Deterrent Function of a Control
Discourages potential attackers from attempting an attack
Recovery Function of a Control
Intended to bring the environment back to regular operations after an incident
Compensating Function of a Control
Provides an alternative control that gives similar protection but is often cheaper or allows a specific business function to keep operating. Example: after weighing the cost of security guards, you install a fence instead because it is cheaper.
Examples of Preventative Admin Controls
Policies, procedures, testing, effective hiring practices, pre-employment background checks, controlled termination processes, data classification, labeling, security awareness training
Examples of Preventative Physical Controls
Badges, swipe cards, guards, dogs, fences, locks, mantraps (a CAC or smart card is counted as a technical control, NOT a physical one)
Examples of Technical Controls
Passwords, biometrics, smart cards, CAC, encryption, security protocols, call-back systems, database views, IPS, antivirus software, ACLs, firewalls, IDS
In the Harris control-functionality table, a corrective example is given for which control type? How?
Technical: server images (reimage a compromised host back to a known-good state). In practice any control type can have a corrective function, e.g. administrative incident-response procedures.
In the Harris table, recovery examples are given for which control types? How?
Physical and Technical. Physical: offsite facility. Technical: data backups.
In the Harris table, deterrent examples are given for which control type? How?
Physical: fences, lighting, dogs. (Administrative controls such as published sanctions policies also deter.)
Security through obscurity should be avoided? True or False? Why?
True! It is like hiding a key under the doormat: burglars know the trick. Obscurity on its own is not a control, so do not use it as a shortcut for real security.
Ways to find vulnerabilities in code?
Fuzzing: feeding malformed, random, or mutated input to the program and watching for crashes or unhandled errors. (Input validation is the defense that fuzzing exercises, not a discovery technique; static analysis and manual code review are the other common ways to find flaws.)
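A worked illustration of the card above, added here as an example and not taken from the flashcards or from Shon Harris: a minimal mutation fuzzer run against a deliberately fragile binary record parser and then against a hardened version of the same parser. The record format (1-byte name length, ASCII name, 2-byte big-endian value), the parser functions, the `MalformedRecord` exception and the seed input are all constructed for this example. The fuzzer treats `MalformedRecord` as an expected rejection of bad input and counts any other exception as a finding, which is exactly the "missing input validation" class of bug fuzzing is good at surfacing.

```python
"""Mutation fuzzing against a fragile parser (constructed example)."""
import random
import struct


class MalformedRecord(ValueError):
    """Raised by a well-behaved parser when a record is rejected on purpose."""


def build_record(name: str, value: int) -> bytes:
    """Encode a record: 1-byte name length, ASCII name, 2-byte big-endian value."""
    name_bytes = name.encode("ascii")
    return bytes([len(name_bytes)]) + name_bytes + struct.pack(">H", value)


# Constructed seed input for the fuzzer: the record ("temp", 42).
SEED_INPUT = build_record("temp", 42)


def parse_record(blob: bytes) -> dict:
    """Fragile parser: trusts the length byte and the buffer size.

    A length byte larger than the real name, or a truncated buffer, leaves
    fewer than 2 bytes for the value and struct.unpack raises struct.error;
    a non-ASCII name byte raises UnicodeDecodeError. Neither is handled.
    """
    name_len = blob[0]
    name = blob[1:1 + name_len].decode("ascii")
    (value,) = struct.unpack(">H", blob[1 + name_len:3 + name_len])
    return {"name": name, "value": value}


def parse_record_hardened(blob: bytes) -> dict:
    """Hardened parser: every field is validated before it is used, and every
    rejection is signalled with the single documented exception type."""
    if len(blob) < 1:
        raise MalformedRecord("empty record")
    name_len = blob[0]
    if len(blob) != 3 + name_len:
        raise MalformedRecord("length byte does not match record size")
    name_bytes = blob[1:1 + name_len]
    if not name_bytes.isascii():
        raise MalformedRecord("name must be ASCII")
    (value,) = struct.unpack(">H", blob[1 + name_len:])  # exactly 2 bytes left
    return {"name": name_bytes.decode("ascii"), "value": value}


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """Apply 1-3 random byte-level mutations: overwrite, delete, or insert."""
    data = bytearray(seed_input)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(3)
        if choice == 0 and data:          # overwrite a byte with a random value
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1 and data:        # delete a byte (shortens the record)
            del data[rng.randrange(len(data))]
        else:                             # insert a random byte anywhere
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(parser, seed_input: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Run `parser` on mutated inputs. Returns {exception class name: first
    input that triggered it} for every exception other than MalformedRecord.
    Deterministic for a given seed, so findings can be reproduced."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            parser(case)
        except MalformedRecord:
            continue                      # expected: bad input rejected cleanly
        except Exception as exc:          # anything else is a bug to report
            key = f"{type(exc).__module__}.{type(exc).__name__}"
            findings.setdefault(key, case)
    return findings


if __name__ == "__main__":
    for name, parser in (("fragile", parse_record), ("hardened", parse_record_hardened)):
        findings = fuzz(parser, SEED_INPUT)
        print(f"{name}: {len(findings)} distinct crash type(s)")
        for exc_name, case in findings.items():
            print(f"  {exc_name}: input {case.hex()}")
```

Running the block reports at least `struct.error` for the fragile parser (a mutated length byte or a deleted byte leaves too few bytes for the value field) and no findings at all for the hardened parser; the hex of each crashing input is printed so the case can be replayed by hand.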
Security Programs are also called?
Security Framework
Security Framework
The set of technologies, methods, and procedures used to reach the level of protection an environment requires.
ISO/IEC 27000 series
How to develop and maintain an ISMS; developed jointly by ISO and IEC. AKA security program development.
Zachman Framework
Model for development of enterprise architectures
TOGAF
Model for development of enterprise architecture, developed by The Open Group. Its core process is the Architecture Development Method (ADM).
DoDAF
US DoD architecture framework that ensures interoperability of systems to meet military mission goals.
MODAF
Architecture framework used by the British Ministry of Defence, based on DoDAF
SABSA Model
Framework for development of enterprise security architecture
COBIT 5
Business framework for the governance and management of enterprise IT, developed by ISACA (Information Systems Audit and Control Association)
NIST SP 800-53
Catalog of security controls for protecting US federal information systems
COSO Internal Control - Integrated Framework
Created to reduce risk of financial fraud by the Committee of Sponsoring Organization of the Treadway Commission
ITIL
IT service management best practices, developed by the UK Office of Government Commerce
Six Sigma
Business management strategy used to carry out process improvement
Capability Maturity Model Integration
AKA CMMI, a process improvement model created by Carnegie Mellon University
ISO/IEC 27001
Remember this one most: the requirements standard for an ISMS, the one an organization is certified against
What is Enterprise Architecture?
The enterprise's structure (form) and behavior (function); it embodies the enterprise's components and their relationships to one another.