Security Governance

Question 1

What is the CIA triad ?

Answer 1

CIA are the primary goals and objectives of a security infrastructure. Security controls are evaluated how well they address these three core principal

Question 2

What is the concept of Confidentiality in the CIA triad ?

Answer 2

This is a concept of the measures to ensure the protection of the secrecy of data objects and resources.

Question 3

What controls are aimed at providing Confidentiality ?

Answer 3

Encryption
Access Controls
Steganography

Question 4

Is Confidentiality always breeched through intentional acts ?

Answer 4

No it can be breeched by accident or incompetence and carelessness such as leaving documents on a printer

Question 5

In the CIA triad what is the concept of subject and object ?

Answer 5

A subject is Active element in a security relationship such as users, programs and computers which acts upon the object which could be a database, filesystem or another person

Question 6

What are the 8 related concepts to confidentiality ?

Answer 6

Isolation,
Sensitivity,
Discretion,
Criticality,
Concealment,
Secrecy,
Privacy,
Seclusion

Question 7

What are the treats to Confidentiality ?

Answer 7

Threats to encryption (cryptanalysis)

Social Engineering

Key Loggers

IOT

Question 8

What are the three modes of data involved with Confidentiality ?

Answer 8

1. Data at rest - Encryption
2. Data in transit - TLS, IPSEC,SSL
3. Data in Use - Clean desk policy & PC Locking

Question 9

What are the common attacks on Integrity ?

Answer 9

1. Cryptanalysis
2. Code Injections
3. Alteration of Data

Question 10

What are some of the protections for Integrity ?

Answer 10

1. Hashing
2. Encryption
3. Digital Signatures
4. Checksums
5. Access Control

Question 11

What are the common threats to Availability ?

Answer 11

1. Malicious attacks (DDOS, physical attack)
2. Application (Malicious or bad code)
3. Hardware Failure

Question 12

What are some of the measure to stop attacks on availability ?

Answer 12

1. IPS/IDS
2. SLA
3. Patch Management
4. Redundancy and High Availability measures

Question 13

What is the opposite of the CIA triad ?

Answer 13

Disclosure, Destruction, Alteration

Question 14

What is happening that brings about the DAD scenario ?

Answer 14

Disclosure, Alteration and Destruction are symptoms of the mix between CIA being incorrect

Question 15

What is identification ?

Answer 15

It is something that uniquely identifies you such as a username or a social security number

Question 16

Does just claiming identity imply access or authority ?

Answer 16

No

Question 17

What are the three types of authentication ?

Answer 17

Type 1 - Something you know such as a password

Type 2 - Something you have which is a MFA token

Type 3 - Something you are such as Biometric

Question 18

What is authorisation ?

Answer 18

Determines what you can access ?

Question 19

What are the four most common types of access control ?

Answer 19

Discretionary

Mandatory

Role Based

Accountability Based

Question 20

What is accountability ?

Answer 20

The ability to trace an action to a subjects identity

Question 21

Give an example of an action that helps accountability/auditing ?

Answer 21

Log files

Question 22

What is the difference between monitoring and auditing ?

Answer 22

Monitoring is a type of watching or oversight whereas auditing is a recording of information to a record or a file

Question 23

Why is accountability important ?

Answer 23

If you are unable to legally support your security and support non repudiation with accountability then it may be difficult to prove malicious intent

Question 24

Whats the difference between discretionary and mandatory access control ?

Answer 24

Discretionary gives you more permissions that you strictly need i.e. there is some discretion where as mandatory is the exact access permissions that you need and no more

Question 25

In Security what is the need to know principle ?

Answer 25

Even if you have access if you dont have a reason then you should not access the data

Question 26

What is the difference between governance and management ?

Answer 26

Governance is a enterprise led vision and direction undertaken by company owners, board members etc and shows where the organisation wants to go whereas management is how to get there and is implemented by managers and team leads

Question 27

Does the governance or management function determine an organisations risk appetite ?

Answer 27

Governance

Question 28

What is risk tolerance ?

Answer 28

It is the how we are going to work with our environments and risk appetite

Question 29

What are the typical six c - level executive roles responsible for governance ?

Answer 29

1. CISO
2. CTO
3. CEO
4. CIO
5. CFO
6. CSO

Question 30

Why must CISO and CEO function report independently of the IT function ?

Answer 30

To ensure independence

Question 31

What is PCI-DSS

Answer 31

A required standard for the credit card payments industry

Question 32

What is Octave

Answer 32

Operationally Critical Threat Asset Vulnerability Evaluation

Question 33

What is COBIT

Answer 33

Control Objectives for Information related Technology -Stakholders needs are mapped to goals for IT

Question 34

What is COSO

Answer 34

Committee Of Sponsoring Organisations - Goals for entire organisation

Question 35

What is ITIL

Answer 35

Information Technology Infrastructure Library - IT Service Management

Question 36

What is FRAP ?

Answer 36

Facilitated Risk Analysis Process - Focusses on Individual Business units with internal employees

Question 37

What is ISO207001

Answer 37

Government Standard around Establish Implement Control of information systems management

Question 38

What is ISO27002

Answer 38

Provides practical help on implementing security controls

Question 39

Whats is ISO27004

Answer 39

Provides metrics for measuring success of ISO program

Question 40

What is ISO27005

Answer 40

Standards around risk management

Question 41

What is ISO27799

Answer 41

Controls and Standards around Protected Health Information

Question 42

What is defence in depth ?

Answer 42

A layer approach to IT security aka Onion defence covers physical, logical and administrative controls

Question 43

Should you use Defence in Depth in series or in parallel ?

Answer 43

In Series

Question 44

What is abstraction ?

Answer 44

A process where similar elements are put into groups, classes or roles that are assigned security controls

Question 45

What is data hiding ?

Answer 45

Data hiding is the act of intentionally positioning data so that it is not viewable or accessible to an unauthorised subject

Question 46

What is a security boundary ?

Answer 46

A line of intersection between any two areas, subnets or environments that have different security requirements or needs

Question 47

Why are security boundaries important ?

Answer 47

They represent a point where security controls must be added

Question 48

Can Security boudaries exist between physical and logical items ?

Answer 48

Yes

Question 49

What is security governance ?

Answer 49

Collection of practices related to the supporting, evaluating, defining and directing the security efforts of the organisation

Question 50

Who performs security governance ?

Answer 50

Board of directors and C level executives not managers

Question 51

What is third party governance ?

Answer 51

This is where the governance effort is carried out by independent third party contractors may include things such as technical support or accounting services

Question 52

What is documentation review ?

Answer 52

The process of reading the exchanged materials and verifying them against standards and expectations.

Question 53

Does an on site review take place before or after document exchange ?

Answer 53

after

Question 54

What is ATO ?

Answer 54

Authorisation to Operate - can be revoked if there is a failure to supply governance bodies with documentation that can be reviewed

Question 55

What is the security function ?

Answer 55

That area of the business that is responsible for evaluating and improving security overtime

Question 56

What is a top down approach to security ?

Answer 56

Initiation by senior management middle management to flesh out implemented by security professionals

Question 57

Is security management the responsibility of IT staff ?

Answer 57

No Upper management

Question 58

What is the strategic plan ?

Answer 58

A stable long term plan defined by Upper management describing the security vision of the organisation

Question 59

What is the tactical plan ?

Answer 59

More detail on the strategic plan covering months

Question 60

What is operational plan ?

Answer 60

Covers the implementation of the tactical plan (weeks)Updated regularly to maintain compliance with tactical plan

Question 61

What are the six types of law/regulations ?

Answer 61

1. Criminal - Where society is the victim aim is to Punish and deter
2. Civil - Individual/Single organisation is victim and financial penalties apply
3. Administrative - Gov Agencies e.g. HIPAA
4. Private - Compliance required for contract PCI-DSS
5. Customary - Personal Conduct - Individual org as relating to an areas customs
6. Religious - Code of ethics

Question 62

What is liability ?

Answer 62

Determining who is at fault and who has to pay. Ultimate liability lies with senior management but individuals lower down can also be liable.

Question 63

What is due diligence and due care ?

Answer 63

Steps required to show appropriate action and care aimed at answering the question what would a prudent organisation or individual do

Question 64

What is negligence ?

Answer 64

Opposite of due care i.e. a lack of implementation of due care and diligence

Question 65

What is the difference between due diligence and due care ?

Answer 65

Due diligence (Preparation) is what you do up front such as research due care is the ongoing implementation such as patching, and monitoring

Question 66

You have found a vulnerability in your webserver what are the due diligence and due care actions ?

Answer 66

Due diligence - research vulnerability and possible fixes

Due care - implementation of the fix and monitoring the results

Question 67

What are the five types of evidence ?

Answer 67

1. Real Evidence - Tangible and Physical objects in IT security
2. Direct - Testimony from direct witness gathered through their five senses
3. Circumstantial - Evidence that supports circumstances
4. Corroborative - Facts that support facts or elements of the case
5. Hearsay - Not first hand evidence not normally admissable

Question 68

Do you perform forensics on the original object ?

Answer 68

No you always make a copy and prove that the copy is the same through hashing

Question 69

What are the four rules around evidence ?

Answer 69

1. Best Evidence - Accurate, Relevant, Authentic, Convincing
2. Secondary Evidence - Logs and audits
3. Evidence Integrity - Preserved through hashing
4. Chain of Custody - Who handled it, When, What, Where

Question 70

What US Law protects citizens from unreasonable searches ?

Answer 70

fourth ammendment

Question 71

Who in the US determines if a search is legal ?

Answer 71

Courts

Question 72

What are the exceptions to the fourth ammendment ?

Answer 72

Immediate Threat to life or destruction of evidence

Question 73

Do you have to inform your employees that you are monitoring them ?

Answer 73

Yes

Question 74

What is entrapment ?

Answer 74

Illegal and unethical practice that persuades someone to commit a crime that they had not intention of committing

Question 75

What is enticement ?

Answer 75

Legal and Ethical - Making committing the crime more enticing as the person has already committed to breaking the law or has decided to do so.

Question 76

Are Honeypots entrapment of enticement ?

Answer 76

If done properly they are enticement

Question 77

What are the five types of intellectual property ?

Answer 77

1. Copyright - Anything that is created such as books or art 70 years for individuals 95 for corporations
2. Brand Names - Logos - must be registered can last from ten ears to indefinite
3. Patents - Protects inventions 20 years
4. Cryptography Algorithms
5. Trade Secrets

Question 78

Do you have to apply for copyright ?

Answer 78

No it is automatically granted

Question 79

What is an attack against copyright ?

Answer 79

Piracy

Question 80

What is an attack against Trademarks ?

Answer 80

Counterfeiting

Question 81

What is an attack on Patents ?

Answer 81

Patent infringement