Security Assessment and Training Flashcards
Security assessments, audits, tests, or other assessment activities can be of two types:
formal and informal
For formal assessments, the audit, test, or other assessment activity is
an evaluation against a compliance standard
An audit is a formal evaluation against a compliance standard. It is performed by
individuals who are outside the audited entity’s management structure
For informal assessments, the audit, test, or other assessment activity is conducted to provide insights and observations about the systems being evaluated but not for the direct purpose of meeting a compliance requirement.
The accuracy of the audit depends on
the integrity of the artefacts.
A typical finding would identify these elements.
Condition is a statement that describes the results of the audit.
Criteria are the standards used to measure the activity or performance of the auditee.
Cause is an explanation of why a problem occurred.
Effect is the difference between and significance of the condition and the criteria.
Recommendation is the action that must be taken to correct the cause.
Formal security assessments are primarily related to
Risk management compliance such as that required by law
For U.S. government agencies and many of their contractors, the Risk Management Framework ___________ serves as the standard against which audits and control assessments will be performed.
SP 800-37r2
What is NIST SP 800-171r1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organisations for?
When private companies become part of a Federal government supply chain or process, they need to take on the responsibility of protecting information covered by this security category.
What are SOC reports
Service Organization Control reports: reports that evaluate organizational controls against a set of five Trust Services Principles.
The SOC framework defines two major report types:
SOC 1: Attests to the condition of the organisation’s internal controls over financial reporting (ICFR).
SOC 2: Trust Services Criteria (Principles). AICPA defines these to be:
Security
Availability
Confidentiality
Processing Integrity
Privacy
Aside from SOC1 and SOC2 what are the other aspects of a SOC report
- SOC 3 reports provide a summary of the findings and attestations of a SOC 2 report, in less technical form.
- SOC for Cybersecurity: This report focuses specifically on the cybersecurity plans, programs, processes, procedures, services or functions used by the organisation to meet its cybersecurity requirements.
What is the difference between Type 1 and Type 2 reports for SOC1 and SOC2
Type 1 - Point in time (Initial baseline)
Type 2 - Performance over time
What is the focus of SOC 1 reports
Internal Control over Financial Reporting
What is the focus of SOC 2 reports
Security controls
What are the five trust services criteria
Security, Availability, Processing Integrity, Confidentiality and Privacy
The SOC 3 report has been used where there is a need to communicate a level of assurance to a broad base of users without having to
disclose detailed controls and test results
Which of the SOC 2 types proves design effectiveness
Type 2 -> Type 1 is only point in time, therefore only confirms the design.
ISO 27001:2013 control 12.4.1 addresses event logging and states the following
Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed.
In security assessments tests of controls are generally categorized as
compliance tests or substantive tests
In security assessments, compliance tests determine if, in the opinion of the controls assessor, ______. Give an example.
the control exists and is operating properly
a compliance test might compare a sample of the organization’s employees who are entitled to access a system with the named users of the system. The expected outcome should show that the two lists are identical.
A substantive test evaluates …
Give an example
A substantive test evaluates the proper operation of the process. In the same example, a tester might perform an onboarding operation to give access to a new user, attempt to use the credentials for an authorised transaction, and then off-board that identity.
The adoption of ______________________ and de-perimeterization practices is moving to erase the concept of insiders versus outsiders
zero-trust security models
In the development stages where an application is not yet mature enough to be placed into a test environment, the following techniques are applicable:
Static application security testing (SAST): Throughout development, analysis tools and procedures can be used to find possible vulnerabilities without actually executing the source code.
Static binary code analysis and manual binary review: Analysis of the compiled application (binary) for finding vulnerabilities without executing the application.
Once the organization has determined that a penetration test should be conducted, ____________________(A) are drafted which define the ________(B), _________(C) and ___________(D) associated with the penetration test activities. The (A) will be subjected to formal ________________(E) by the organization.
A. Rules of engagement
B. Scope
C. Methods
D. Constraints
E. Formal risk assessment
This approach forces production systems to fail, and then tracks the detection, incident response and recovery activities
Chaos engineering
A primary tenet of the Gramm–Leach–Bliley Act (GLBA) is the requirement for
financial institutions to protect customer information, and their log reviews can be used to identify and rectify security violations.
The _________________ provides a centralized repository of all information pertaining to a given identity that is known to the organization.
Identity store
What are the three subsystems in the centre of an IAM system
Identity store
Access Accounting
System, App Logs
_________________________ is an approach to monitoring that aims to capture and analyze every transaction of every user of a website or application.
Real user monitoring (RUM)
Synthetic performance monitoring, sometimes called proactive monitoring, involves
having external agents run scripted transactions against a web application. These scripts are meant to follow the steps a typical user might follow to search, view product, log in, and check out to assess the experience of a user.
ISO 27001, Annex A:12.3 is the principal control addressing
backup
Who can declare a disaster?
A. The security professionals
B. Physical and IT security teams
C. Members of a BCP Committee
D. Previously designated members of staff only
The correct answer is D.
Now when it comes to actually declaring a disaster, this does need to be a previously identified and designated set of individuals, typically senior management, as declaring a disaster can and will have serious implications for business operations. The BCP Committee should have identified these roles ahead of time.
Which type of monitoring is an approach to web monitoring that aims to capture and analyze every transaction of every user of a website or application?
A. Real user
B. End user
C. Synthetic performance
D. Proactive
A. Real user
End-user experience monitoring (EUM) is
a form of passive monitoring, relying on web-monitoring services that continuously observe a system in action, tracking availability, functionality, and responsiveness.
Perhaps the most commonly used Continuous Process Improvement (CPI) model is
the Plan-Do-Check-Act (PDCA) cycle
If a weakness or vulnerability is discovered in testing, is there ever a case for non-disclosure?
Ethically, one can argue that disclosure to the affected party is required; contractually and legally, however, this can place the discovering party in jeopardy, either of compromising a potential civil or criminal investigation, of violating the privacy or data protection rights of an individual, or other violations. The bottom line is that in these circumstances, non-disclosure may be the only legal and ethical course of action.
Full disclosure implies that when a weakness is discovered, the individual or organization discovering the weakness should
publicize the weakness as soon as possible to all potentially affected organizations.
Responsible disclosure implies that the individual discovering a weakness should
report the weakness to the organization responsible for addressing the weakness and give that organization some time to address the weakness before public disclosure
During which phase of the Plan-Do-Check-Act model are root causes of failure identified, risk is re-evaluated, and the baseline is determined to measure performance of future changes?
A. Plan
B. Do
C. Check
D. Act
D. Act
Act (Adjust) is the correct phase: based on the information generated in the Do and Check phases, root causes of failure are identified, risk is re-evaluated, and the baseline is determined to measure performance of future changes. Choices A, B and C are incorrect.
Difference between white box, black box and grey box testing
Black box testing is used to simulate an external attacker with no prior knowledge of the system, grey box testing is used to simulate an attacker with limited knowledge, and white box testing is used to simulate an insider with full knowledge of the system.
What report would be good for attracting additional clients yet unknown to your business?
Question options:
A) SOC 5 Type II
B) SOC 3
C) SOC 5 Type II New Client
D) SOC 5 Type I Existing Content
The correct answer is B. SOC 3 is an executive summary that can be used as a web seal to advertise a summary opinion of technical controls. The summary can be posted to a website to advertise for potential customers. There are no SOC 5 reports.
What are SOC 5 reports
There are none
All of the major control frameworks emphasize the importance of organizational logging practice. Which of the following does not stipulate the need for log management and review?
Question options:
A) NIST SP 800-92
B) Gramm-Leach-Bliley Act (GLBA)
C) Sarbanes-Oxley Act (SOX)
D) They all do
The correct answer is D. While all of the examples relate to different areas or organizations, they all place an emphasis on the importance of effective and timely log management. Remember one of the five critical tenets from the Center for Internet Security (CIS): Offense informs defense. By knowing what is happening and what has happened, an organization is able to take the appropriate actions.
What is a compliance calendar
A calendar that tracks an organization’s audits, assessment, required filings, their due dates, and related details.
Compliance Tests
An evaluation that provides assurance an organization’s controls are being applied in accordance with management policies and procedures.
Assessment
The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome
Audit/Auditing
The process of reviewing a system for compliance against a standard or baseline
Chaos Engineering
The discipline of experimenting on a software system in production in order to build confidence in the system’s capability to withstand turbulent and unexpected conditions.
Examination
The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects
Judgmental Sampling
Also called purposive sampling or authoritative sampling; a non-probability sampling technique in which the sample members are chosen only on the basis of the researcher’s knowledge and judgment.
Misuse Case Testing
Testing strategy and technique from the point of view of an actor hostile to the system, using deliberately chosen sets of actions, which could lead to systems integrity failures, malfunctions, or other security or safety compromises.
POA&M
Plan of Action and Milestones
Substantive Test
The testing technique used by an auditor to obtain the audit evidence in order to support auditor opinion.