Security & Risk Management Flashcards
What is Trike?
Threat modelling methodology that provides a method of performing security audits in
How do you calculate SLE and what is it?
AV x EF
The cost associated with the threat or risk to your assets being realised
What is abstraction?
Groups entities into similar roles - used when assigning roles or classifying objects
Who manages security governance?
Managed by the governance committee or board of directors - knowledge experts who guide and inspect the actions of the security framework
What is the purpose of threat modelling?
To focus on the range of compromise concerns and the end goal of the attack, not on identifying every single attack method and technique (too vast). The goals and purposes of attacks remain fairly constant. Threats come from nature, technology and PEOPLE. Identifying threats lets you design the best defences.
Different elements of training?
Awareness, training and education
All part of security governance
Should also have metrics
4 stages of threat modelling?
Identify threats using a framework (STRIDE, PASTA, VAST)
Diagram potential attacks
Perform reduction analysis (decomposing)
Prioritisation and response
Cost/benefit analysis equation?
You will need a new ALE once you have calculated your new EF and ARO (which should change)
ALE1 - ALE2 - ACS
What is a baseline?
Defines a minimum level of security that all systems must meet
How to monitor privilege abuse?
By strict monitoring and also by management performing privilege audits
What are the key elements of privacy?
Preventing unauthorised access to PII or confidential or personal data. Also the freedom from being monitored or observed without any knowledge or consent
What are commercial classification levels?
Confidential/private
Sensitive
Public
What are the steps of PASTA?
1) definition of the objectives for the analysis of risk
2) definition of the technical scope
3) application decomposition and analysis
4) threat analysis
5) weakness and vulnerability analysis
6) attack modelling and simulation
7) risk analysis and management
What is EF?
The % of loss that would occur if a threat or risk was realised (loss potential)
What is a risk framework?
Guideline or recipe for how risk is to be assessed, resolved or monitored
Why is risk analysis performed?
To provide upper management with details of risk so they can determine the appropriate actions for the risk. It also helps with the security budget and integrates the security policy with business needs.
Seclusion
Put data in another room. Another aspect of confidentiality
Name the steps of NIST 800-37 risk management framework
Categorise assets
Select security controls
Implement security controls
Assess security controls
Authorise information system
Monitor security controls
What are directive controls?
Tries to control the actions of subjects and encourages compliance with policy - posters, monitoring and signs
What is a security controls framework?
A catalogue of controls to help companies design, build and maintain secure processes, systems and applications
What does SOC stand for in the supply chain?
System and organisation controls
What is a security guideline?
They’re non-compulsory and describe which security mechanisms should be deployed (instead of a specific control or configuration). They are similar to policies but usually in simpler terms.
Name the 3 types of controls
Preventative, detective and corrective
What does it mean when a risk is realised?
The threat has taken advantage of the vulnerability to harm the asset
What is the difference between a risk assessment and risk management framework?
Risk assessment - identifies, estimates and prioritises risk for a system. It’s a key part of risk management and requires careful analysis of the threat and vulnerability information.
RMF - is designed to improve security and strengthen risk management processes. 800-37 is a framework that operates through the system life cycle to ensure security and privacy
What does a SOC 2 do?
Looks at implemented security controls in relation to privacy, security and CIA
ARO
How often a threat/risk will occur in a year
How are corrective and recovery controls linked?
Recovery controls are more complex than corrective controls, which include things like rebooting the system and AV. Recovery controls include backups, hot sites, fault tolerance etc.
What is due care and due diligence?
Due care is developing the security structure containing policy etc. Due diligence is the continued application of this security structure on IT infrastructure. Operational security is the ongoing maintenance of both of these
What are protection mechanisms?
They are part of protection controls, where controls also add protection for CIA by having multiple layers of access, data hiding, abstraction and using encryption
Name a concern with job rotation?
Privilege creep (should be reviewed)
Name the 5 laws that include compliance issues regarding privacy?
HIPAA
SOX
FERPA
GDPR
PCI DSS
Explain reduction analysis
Decomposes an application, system or environment into smaller parts to understand changes in trust boundaries, data flows, input points, privilege operations
How can you properly enforce security policy?
By keeping users accountable and being able to prove a subject’s identity and track their activities
What are standards?
Documents that outline how you achieve your goals and requirements for using hardware, software, technology and security controls, e.g. patching systems, disposing of data. Can also be mandated by regulations and contracts.
What is VAST?
Visual, Agile and Simple Threat: integrates threat and risk management into an agile programming environment on a scalable basis.
What is a security controls assessment?
Formal evaluation of a security infrastructure’s individual mechanisms against a baseline or expectation
Usually performed alongside pen test or vulnerability assessment
You want to produce a report on how the controls are working
What is TP governance?
Oversight mandated by contracts, legal, regulations, standards etc.
What does DREAD stand for and what’s it used for?
Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
You ask these questions when rating a threat - you can assign H/M/L to each for a detailed threat prioritisation
What does a security policy contain?
Main security objectives, the security framework and identifies major areas of data processing. Can be issue or system specific or organisational.
Name 3 security control frameworks that help define the structure of security solutions
COBIT - defines components to build and sustain governance systems
ISO 27002 - controls for information management system
ITIL - helps to define service lifecycle model for design, development, delivery and support of IT service
What are the steps of data classification?
Identify data custodian
Identify evaluation criteria
Classify and label each resource
Document exceptions to the policy
Select security controls for each level
Specify procedures for declassifying data and transferring custody of a resource
Create an awareness programme on the system
Preventative vs. Deterrent controls
Preventative controls block activity and deterrent controls discourage behaviour, like cameras etc.
Who is senior management?
CEO who is ultimately responsible for security and signs off on all policies. They don’t implement solutions - this is delegated to the security team
What is authorisation?
Defines the permissions of a resource and object access for a particular identity. In most cases it evaluates the access control matrix and uses different access control methods. It also goes hand in hand with accountability
What are 3 distinct areas of security management?
Run by upper management and includes policies, setting out roles and security activities and creating security plans (strategic, operational and tactical)
ALE
ARO x SLE
The yearly cost of a specific threat against your asset
What is data classification used for?
To determine how much money, resource and effort are allocated to protect the data and control access to it
How can you rank or rate a threat?
High medium low
Probability x damage potential ranking
DREAD
How do data hiding and security through obscurity differ?
Data hiding is intentionally stopping someone accessing something and security through obscurity is hoping someone won’t come across it
What does separation of duties cause?
Collusion
What is COBIT?
Control objectives for information and related technology
- set of best IT security practices
- encourages the mapping of IT security ideals to business objectives
- COBIT 5 looks at 5 key principles for governance and security management
1) meet stakeholder needs
2) covering the enterprise end to end
3) apply a single integrated framework
4) enabling a holistic approach
5) separate governance from management
- used to plan security of an organisation but also for auditors
- very well respected security control framework
Is implementing safe guards part of risk assessment or risk management?
Risk management
What are the military classification levels?
Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified
Last two are labels
How are audit trails made?
Turning events into logs
What is defence in depth?
Having multiple layers of controls in a series (not parallel) or having multiple security systems
What is the risk equation?
Threat x vulnerability
Security management planning includes…
Strategic, operational and tactical plans
Tripwire
Used to monitor file hashes to ensure they don’t get modified without you knowing: related to integrity and a countermeasure
What are the steps of quantitative risk assessment?
Asset value
List of assets and threats
Exposure factor (risk)
SLE
ARO
ALE
Countermeasures
What is residual risk?
The risk once you have implemented controls - you can choose to accept or mitigate this further. Total risk - controls gap
When is the best time to terminate employment?
Mid week at the end of the day
List and explain the key risk management terms
- asset: anything that should be protected
- asset valuation: dollar value assigned to asset
- threats: anything that could cause harm
- vulnerability: weakness in an asset or absence of a safeguard
- exposure: being susceptible to asset loss because of a threat
- risk: the likelihood that a threat will exploit a vulnerability to cause harm to an asset
Throughout employment life cycle what should management audit?
Job descriptions, work tasks, privileges and responsibilities
What kind of risk responses do SLAs invoke?
Risk reduction and risk avoidance
What is compliance?
The act of conforming or adhering to policies, rules, regulations, requirements and standards
For employees it’s policy and procedures for jobs
Why should you continually monitor the value of an asset?
So you protect the correct assets and so that the control cost never outweighs the cost of the asset loss
You have to come up with a value even if it’s hard
Why do risk assessments need to be maintained?
Security changes, so do asset costs and threats! Must feed this into management consistently
What is the highest level of data access?
The data owner/taking ownership
What does PASTA stand for? What does it do?
Process for Attack Simulation and Threat Analysis. Risk-centric approach that selects countermeasures depending on the asset value.
What does STRIDE stand for?
Spoofing, tampering, repudiation, information disclosure, DoS, elevation of privilege. Mainly used to assess threats to applications and operating systems
How do data owner and data custodian work?
Data owner is responsible for protecting the data and classifying it (usually upper management) - but hands off management tasks to the data custodian (backups, deploying security solutions and managing storage based on classification)
What is defence in depth?
Layering
Can be multiple controls around your assets (asset > admin controls > technical/logical controls > physical controls)
Can also be segmenting systems
What happens if you fail to meet TP governance?
Loss or void of the ATO - authorisation to operate
Name a number of elements of third party governance?
- third party audits
- security oversight of suppliers
- verify their compliance with policies and controls (COBIT)
- open document exchange and review (submit self assessments of how you comply)
- document review
- on site assessments
What does IAM do?
Controls and manages users’ access to resources and systems
At what stages of the SDLC does threat modelling take place?
Initial design and specifications
What’s included in diagramming attacks?
The elements involved in a transaction, data flows and privilege boundaries - identify points where compromise could occur
What should the cost of a counter measure be?
Less than the value of the asset
Less than the benefit of the countermeasure
Name some fundamentals of the security function
- cost effective
- time effective
- measurable
- good governance
- consume as few resources as possible
Isolate
Technically isolating your systems or services. Another aspect of confidentiality
Full example of security policy, standard, procedure
Risk management
What is threat modelling?
A process where threats are identified, categorised and analysed (usually in software and product development but also for the company as a whole) - proactive or reactive