Security Governance Flashcards

1
Q

What are the three parts of the CIA triad?

A

Confidentiality, Integrity and Availability

2
Q

What is the Confidentiality part of the CIA Triad?

A

Ensures sensitive information is only seen by authorised users.

3
Q

What are the three controls that ensure confidentiality?

A

Encryption, Access Controls, Steganography

4
Q

What are the eight most common attacks that breach Confidentiality?

A

Sniffing, Shoulder Surfing, Stealing Password files, Capturing Network Traffic, Social Engineering, Port Scanning, Eavesdropping and Escalation of Privileges

5
Q

What are the six countermeasures to ensure confidentiality?

A

Encryption, Network Traffic Padding, Strong Access Control, Strict authentication procedures, Data classification, Personnel Training

6
Q

What are the four components of Confidentiality?

A

Sensitivity, Discretion, Criticality, Concealment, Secrecy, Privacy, Seclusion, Isolation

7
Q

What is the Integrity part of the CIA triad?

A

Refers to the prevention of unauthorised alterations to the data.

8
Q

Integrity ensures that data is _ _ _

A

Unaltered, Preserved, Correct

9
Q

Besides encryption, what other countermeasures can be used to preserve integrity?

A

Hashing

10
Q

What is the availability part of the CIA triad?

A

Ensuring that resources are available for access whenever those authorised to do so need them.

11
Q

What are the three most common threats to availability?

A

DOS, Human Error, Natural Disaster

12
Q

Name three common countermeasures for availability attacks

A

DOS mitigation and load balancers, backups and high fault tolerance

13
Q

What is identification?

A

The process by which an individual submits proof of their identity to the system.

14
Q

What is authentication?

A

The process by which the system checks and verifies the provided identity.

15
Q

What is authorisation?

A

The set of permissions given to a user of the system

16
Q

What is auditing?

A

Tracking and recording user activity to detect any anomalies in behaviour.

17
Q

What is the difference between monitoring and auditing?

A

Monitoring, unlike auditing, does not record.

18
Q

What is accounting?

A

Linking user activity to identity

19
Q

What is threat modelling?

A

Identifying all possible threats to a system so that they can be categorized and analyzed

20
Q

What does the phrase "threat modelling is proactive" mean?

A

You are attempting to find and fix issues before they arise.

21
Q

What are the two categories of threats in threat modelling?

A

Internal and External

22
Q

Where are the highest risks within threat modelling?

A

Internal

23
Q

What are the seven stages of threat analysis?

A

Definition of Objectives (DO), Definition of Technical Scope (DTS), Application Decomposition and Analysis (ADA), Threat Analysis (TA), Weakness and Vulnerability Analysis (WVA), Attack Modelling and Simulation (AMS), Risk Analysis and Management (RAM)

24
Q

What is the main threat modelling scheme for application threats?

A

STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, DOS and Elevation of Privilege

25
Q

What is spoofing?

A

The misrepresentation of identity - MAC addresses, wireless access points and IP addresses can be spoofed

26
Q

What is tampering?

A

The altering of data at rest or in transit

27
Q

What is repudiation?

A

The denying or shifting of blame for an attack

28
Q

What are the eight areas that a security policy should cover?

A

Encryption, Access Control, Authentication, Firewalls, Antivirus, Websites, Routers and switches.

29
Q

What are the four categories of security policy?

A

Promiscuous, prudent, permissive and paranoid

30
Q

What should workplace privacy policies cover?

A

Informing your employees, collecting only the information that is required, allowing employees access to their own information, keeping information in a secure area.

31
Q

Who is responsible for enforcing policies?

A

HR

32
Q

What is risk management?

A

Ongoing process of identifying and addressing security risks that could damage or disclose data

33
Q

What is risk analysis?

A

The first step of Risk Management: it identifies the risks, their likelihood of occurrence and impact, and determines the cost/benefit ratio for setting up safeguards.

34
Q

What is an Asset?

A

Any physical or intellectual property item that belongs to a business and must be protected.

35
Q

What is asset valuation?

A

Attributing a monetary and non-monetary cost to an asset

36
Q

What is a threat?

A

Anything that could cause damage to an organization's assets

37
Q

What is a vulnerability?

A

A weakness that can be exploited to cause damage to an organization's assets

38
Q

What is exposure?

A

An asset's susceptibility to damage or loss from a threat

39
Q

What is a risk?

A

The likelihood that an asset can be exploited

40
Q

What are safeguards?

A

Measures that are intended to reduce the likelihood of an asset being exploited

41
Q

What is an attack?

A

A concentrated effort to take advantage of a vulnerability

42
Q

What is a breach?

A

Term used to describe a successful attack on an asset

43
Q

What is quantitative risk analysis?

A

Calculates the total monetary loss associated with damage or loss to an asset

44
Q

What is exposure factor (EF)?

A

The percentage loss to the organisation if an asset were to be damaged or lost.

45
Q

What is single loss expectancy (SLE)?

A

The expected loss to the organisation if a single risk was realised against the asset. SLE = Asset Value (AV) * EF

46
Q

What is the annualised rate of occurrence (ARO)?

A

The frequency with which a particular risk is expected to occur each year

47
Q

What is annualised loss expectancy (ALE)?

A

Expected yearly cost for all threats against each asset. ALE = ARO * SLE

48
Q

What are safeguard cost calculations?

A

The cost/benefit ratio of implementing safeguards

ALE (Before) - ALE (After) - Annual Cost of Safeguard

49
Q

What is Qualitative Risk Analysis?

A

Determination of intangible cost of damage or loss to an asset

50
Q

What are the six risk responses coming out of Qualitative Risk Analysis?

A

Reduce, Assign, Transfer, Deter, Reject, Avoid

51
Q

What is risk rejection?

A

Ignoring the risk

52
Q

What is risk assignment?

A

Transferring the risk to another entity or assignment