Security & Risk Management Flashcards
What is Trike?
Threat modelling methodology that provides a method of performing security audits in
How do you calculate SLE and what is it?
AV x EF
The cost associated with the threat or risk to your assets being realised
What is abstraction?
Groups entities into similar roles - used when assigning roles or classifying objects
Who manages security governance?
Managed by the governance committee or board of directors - knowledge experts who guide and inspect the actions of the security framework
What is the purpose of threat modelling?
To focus on the range of compromise concerns and the end goal of the attack, not on identifying every single attack method and technique (too vast). The goals and purposes of attacks remain fairly constant. Threats come from nature, technology and PEOPLE. Identifying threats lets you design the best defences.
Different elements of training?
Awareness, training and education
All part of security governance
Should also have metrics
4 stages of threat modelling?
Identify threats using a framework (STRIDE, PASTA, VAST)
Diagram potential attacks
Perform reduction analysis (decomposing)
Prioritisation and response
Cost/benefit analysis equation?
ALE1 - ALE2 - ACS
You will need a new ALE once you have calculated your new EF and ARO (which should change)
What is a baseline?
Defines a minimum level of security that all systems must meet
How to monitor privilege abuse?
By strict monitoring and also by management performing privilege audits
What are the key elements of privacy?
Preventing unauthorised access to PII or confidential or personal data. Also the freedom from being monitored or observed without any knowledge or consent
What are commercial classification levels?
Confidential/private
Sensitive
Public
What are the steps of PASTA?
1) definition of the objectives for the analysis of risk
2) definition of the technical scope
3) application decomposition and analysis
4) threat analysis
5) weakness and vulnerability analysis
6) attack modelling and simulation
7) risk analysis and management
What is EF?
The % of loss that would occur if a threat or risk was realised (loss potential)
What is a risk framework?
Guideline or recipe for how risk is to be assessed, resolved or monitored
Why is risk analysis performed?
To provide upper management with details of risk so they can determine the appropriate actions for the risk. It also helps with the security budget and integrates the security policy with business needs.
Seclusion
Putting data in another room. Another aspect of confidentiality
Name the steps of NIST 800-37 risk management framework
Categorise assets
Select security controls
Implement security controls
Assess security controls
Authorise information system
Monitor security controls
What are directive controls?
Tries to control the actions of subjects and encourage compliance with policy - posters, monitoring and signs
What is a security controls framework?
A catalogue of controls to help companies design, build and maintain secure processes, systems and applications
What does SOC stand for in the supply chain?
System and organisation controls
What is a security guideline?
They’re non-compulsory and describe which security mechanisms should be deployed (instead of a specific control or configuration). They are similar to policies but usually in simpler terms.
Name the 3 types of controls
Preventative, detective and corrective
What does it mean when a risk is realised?
The threat has taken advantage of the vulnerability to harm the asset
What is the difference between a risk assessment and risk management framework?
Risk assessment - identifies, estimates and prioritises risk for a system. It’s a key part of risk management and requires careful analysis of the threat and vulnerability information.
RMF - is designed to improve security and strengthen risk management processes. 800-37 is a framework that operates through the system life cycle to ensure security and privacy
What does a SOC 2 do?
Looks at implemented security controls in relation to privacy, security and CIA
ARO
How often a threat/risk will occur in a year
How are corrective and recovery controls linked?
Recovery controls are more complex than corrective controls, which include things like rebooting the system and AV. Recovery controls include backups, hot sites, fault tolerance etc.
What is due care and due diligence?
Due care is developing the security structure containing policy etc. Due diligence is the continued application of this security structure on the IT infrastructure. Operational security is the ongoing maintenance of both of these.
What are protection mechanisms?
They are part of protection controls, where controls also add protection for CIA by having multiple layers of access, data hiding, abstraction and using encryption
Name a concern with Job rotation?
Privilege creep (should be reviewed)
Name the 5 laws that include compliance issues regarding privacy?
HIPAA, SOX, FERPA, GDPR, PCI DSS
Explain reduction analysis
Decomposes an application, system or environment into smaller parts to understand changes in trust boundaries, data flows, input points and privileged operations