Security & Risk Management Flashcards

1
Q

What is Trike?

A

Threat modelling methodology that provides a method of performing security audits in

2
Q

How do you calculate SLE and what is it?

A

AV x EF

The cost associated with the threat or risk to your assets being realised

3
Q

What is abstraction?

A

Groups entities into similar roles - used when assigning roles or classifying objects

4
Q

Who manages security governance?

A

Managed by the governance committee or board of directors - knowledge experts who guide and inspect the actions of the security framework

5
Q

What is the purpose of threat modelling?

A

To focus on the range of compromise concerns (the end goal of the attack) and not to identify every single attack method and technique (too vast). The goals and purposes of attacks remain fairly constant. Threats come from nature, technology and PEOPLE. Identifying threats lets you design the best defences.

6
Q

Different elements of training?

A

Awareness, training and education
All part of security governance
Should also have metrics

7
Q

4 stages of threat modelling?

A

Identify threats using a framework (STRIDE, PASTA, VAST)

Diagram potential attacks

Perform reduction analysis (decomposing)

Prioritisation and response

8
Q

Cost/benefit analysis equation?

A

You will need a new ALE once you have calculated your new EF and ARO (which should change).

ALE1 - ALE2 - ACS

9
Q

What is a baseline?

A

Defines a minimum level of security that all systems must meet

10
Q

How to monitor privilege abuse?

A

By strict monitoring and also by management performing privilege audits

11
Q

What are the key elements of privacy?

A

Preventing unauthorised access to PII or confidential or personal data. Also the freedom from being monitored or observed without any knowledge or consent

12
Q

What are commercial classification levels?

A

Confidential/private
Sensitive
Public

13
Q

What are the steps of PASTA?

A

1) definition of the objectives for the analysis of risk
2) definition of the technical scope
3) application decomposition and analysis
4) threat analysis
5) weakness and vulnerability analysis
6) attack modelling and simulation
7) risk analysis and management

14
Q

What is EF?

A

The % of loss that would occur if a threat or risk was realised (loss potential)

15
Q

What is a risk framework?

A

Guideline or recipe for how risk is to be assessed, resolved or monitored

16
Q

Why is risk analysis performed?

A

To provide upper management with details of risk so they can determine the appropriate actions for the risk. It also helps with the security budget and integrates the security policy with business needs.

17
Q

Seclusion

A

Put data in another room. Another aspect of confidentiality

18
Q

Name the steps of NIST 800-37 risk management framework

A

Categorise assets
Select security controls
Implement security controls
Assess security controls
Authorise information system
Monitor security controls

19
Q

What are directive controls?

A

Tries to control the actions of subjects and encourages compliance with policy - posters, monitoring and signs

20
Q

What is a security controls framework?

A

A catalogue of controls to help companies design, build and maintain secure processes, systems and applications

21
Q

What does SOC stand for in the supply chain?

A

System and organisation controls

22
Q

What is a security guideline?

A

They’re non-compulsory and describe which security mechanisms should be deployed (instead of a specific control or configuration). They are similar to policies but usually in simpler terms.

23
Q

Name the 3 types of controls

A

Preventative, detective and corrective

24
Q

What does it mean when a risk is realised?

A

The threat has taken advantage of the vulnerability to harm the asset

25
Q

What is the difference between a risk assessment and risk management framework?

A

Risk assessment - identifies, estimates and prioritises risk for a system. It’s a key part of risk management and requires careful analysis of the threat and vulnerability information.

RMF - is designed to improve security and strengthen risk management processes. 800-37 is a framework that operates through the system life cycle to ensure security and privacy

26
Q

What does a SOC 2 do?

A

Looks at implemented security controls in relation to privacy, security and CIA

27
Q

ARO

A

How often a threat/risk will occur in a year

28
Q

How are corrective and recovery controls linked?

A

Recovery controls are more complex than corrective controls, which include things like rebooting the system and AV. Recovery controls include backups, hot sites, fault tolerance etc.

29
Q

What is due care and due diligence?

A

Due care is developing the security structure containing policy etc. Due diligence is the continued application of this security structure on IT infrastructure. Operational security is the ongoing maintenance of both of these

30
Q

What are protection mechanisms?

A

They are part of protection controls, where controls also add protection for CIA by having multiple layers of access, data hiding, abstraction and using encryption

31
Q

Name a concern with job rotation

A

Privilege creep (should be reviewed)

32
Q

Name the 5 laws that include compliance issues regarding privacy?

A

HIPAA
SOX
FERPA
GDPR
PCI DSS

33
Q

Explain reduction analysis

A

Decomposes an application, system or environment into smaller parts to understand changes in trust boundaries, data flows, input points, privilege operations

34
Q

How can you properly enforce security policy?

A

By keeping users accountable and being able to prove a subject’s identity and track their activities

35
Q

What are standards?

A

Documents that outline how you achieve your goals and requirements for using hardware, software, technology and security controls, e.g. patching systems, disposing of data. Can also be mandated by regulations and contracts.

36
Q

What is VAST?

A

Visual, Agile and Simple Threat: integrates threat and risk management into an agile programming environment on a scalable basis.

37
Q

What is a security controls assessment?

A

Formal evaluation of a security infrastructure’s individual mechanisms against a baseline or expectation

Usually performed alongside a pen test or vulnerability assessment

You want to produce a report on how the controls are working

38
Q

What is TP governance?

A

Oversight mandated by contracts, legal, regulations, standards etc.

39
Q

What does DREAD stand for and what’s it used for?

A

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

You ask these questions when rating a threat - you can assign H/M/L to each for a detailed threat prioritisation

40
Q

What does a security policy contain?

A

Main security objectives and the security framework; identifies major areas of data processing. Can be issue-specific, system-specific or organisational.

41
Q

Name 3 security control frameworks that help define the structure of security solutions

A

COBIT - defines components to build and sustain governance systems
ISO 27002 - controls for an information management system
ITIL - helps to define a service lifecycle model for the design, development, delivery and support of IT services

42
Q

What are the steps of data classification?

A

Identify data custodian
Identify evaluation criteria
Classify and label each resource
Document exceptions to the policy
Select security controls for each level
Specify procedures for declassifying data and transferring custody of a resource
Create an awareness programme on the system

43
Q

Preventative vs. Deterrent controls

A

Preventative blocks activity and deterrent discourages behaviour, like cameras etc.

44
Q

Who is senior management?

A

CEO who is ultimately responsible for security and signs off on all policies. They don’t implement solutions - this is delegated to the security team

45
Q

What is authorisation?

A

Defines the permissions of a resource and object access for a particular identity. In most cases it evaluates the access control matrix and uses different access control methods. It also goes hand in hand with accountability

46
Q

What are 3 distinct areas of security management?

A

Run by upper management and includes policies, setting out roles and security activities and creating security plans (strategic, operational and tactical)

47
Q

ALE

A

ARO x SLE

The yearly cost of a specific threat against your asset

48
Q

What is data classification used for?

A

To determine how much money, resource and effort are allocated to protect the data and control access to it

49
Q

How can you rank or rate a threat?

A

High medium low
Probability x damage potential ranking
DREAD

50
Q

How do data hiding and security through obscurity differ?

A

Data hiding is intentionally stopping someone accessing something and security through obscurity is hoping someone won’t come across it

51
Q

What does separation of duties cause?

A

Collusion

52
Q

What is COBIT?

A

Control objectives for information and related technology

  • set of best IT security practices
  • encourages the mapping of IT security ideals to business objectives
  • COBIT 5 looks at 5 key principles for governance and security management

1) meet stakeholder needs
2) covering the enterprise end to end
3) apply a single integrated framework
4) enabling a holistic approach
5) separate governance from management

  • used to plan security of an organisation but also for auditors
  • very well respected security control framework

53
Q

Is implementing safe guards part of risk assessment or risk management?

A

Risk management

54
Q

What are the military classification levels?

A

Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Last two are labels

55
Q

How are audit trails made?

A

Turning events into logs

56
Q

What is defence in depth?

A

Having multiple layers of controls in a series (not parallel) or having multiple security systems

57
Q

What is the risk equation?

A

Threat x vulnerability

58
Q

Security management planning includes…

A

Strategic, operational and tactics plans

59
Q

Tripwire

A

Used to monitor file hashes to ensure they don’t get modified without you knowing: related to integrity and a countermeasure

60
Q

What are the steps of quantitative risk assessment?

A

Asset value
List of assets and threats
Exposure factor (risk)
SLE
ARO
ALE
Countermeasures

61
Q

What is residual risk?

A

The risk remaining once you have implemented controls - you can choose to accept it or mitigate it further. Total risk - controls gap

62
Q

When is the best time to terminate employment?

A

Mid week at the end of the day

63
Q

List and explain the key risk management terms

A

  • asset: anything that should be protected
  • asset valuation: dollar value assigned to asset
  • threats: anything that could cause harm
  • vulnerability: weakness in an asset or absence of a safeguard
  • exposure: being susceptible to asset loss because of a threat
  • risk: the likelihood that a threat will exploit a vulnerability to cause harm to an asset

64
Q

Throughout employment life cycle what should management audit?

A

Job descriptions, work tasks, privileges and responsibilities

65
Q

What kind of risk responses do SLAs invoke?

A

Risk reduction and risk avoidance

66
Q

What is compliance?

A

The act of conforming or adhering to policies, rules, regulations, requirements and standards

For employees it’s policy and procedures for jobs

67
Q

Why should you continually monitor the value of an asset?

A

So you protect the correct assets and so that the control cost never outweighs the cost of the asset loss

You have to come up with a value even if it’s hard

68
Q

Why do risk assessments need to be maintained?

A

Security changes, so do asset costs and threats! Must feed this into management consistently

69
Q

What is the highest level of data access?

A

The data owner/taking ownership

70
Q

What does PASTA stand for? What does it do?

A

Process for Attack Simulation and Threat Analysis. Risk-centric approach that selects countermeasures depending on the asset value.

71
Q

What does STRIDE stand for?

A

Spoofing, tampering, repudiation, information disclosure, DoS, elevation of privilege. Mainly used to assess threats to applications and operating systems

72
Q

How do data owner and data custodian work?

A

Data owner is responsible for protecting the data and classifying it (usually upper management) - but hands off management tasks to the data custodian (backups, deploying security solutions and managing storage based on classification)

73
Q

What is defence in depth?

A

Layering
Can be multiple controls around your assets (asset > admin controls > technical/logical controls > physical controls)
Can also be segmenting systems

74
Q

What happens if you fail to meet TP governance?

A

Loss or void of the ATO - authorisation to operate

75
Q

Name a number of elements of third party governance?

A

  • third party audits
  • security oversight of suppliers
  • verify their compliance with policies and controls (COBIT)
  • open document exchange and review (submit self assessments of how you comply)
  • document review
  • on site assessments

76
Q

What does IAM do?

A

Controls and manages users’ access to resources and systems

77
Q

At what stage of the SDLC does threat modelling take place?

A

Initial design and specifications

78
Q

What’s included in diagramming attacks?

A

The elements involved in a transaction, data flows and privilege boundaries - identify points where compromise could occur

79
Q

What should the cost of a counter measure be?

A

Less than the value of the asset

Less than the benefit of the countermeasure

80
Q

Name some fundamentals of the security function

A

  • cost effective
  • time effective
  • measurable
  • good governance
  • consume as few resources as possible

81
Q

Isolate

A

Technically isolating your systems or services. Another aspect of confidentiality

82
Q

Full example of security policy, standard, procedure

A

Risk management

83
Q

What is threat modelling?

A

A process where threats are identified, categorised and analysed (usually in software and product development but also for the company as a whole) - proactive or reactive