Security standards organizations Flashcards

1
Q

Center for Internet Security (CIS)

A

A non-profit organization formed by a large number of commercial, academic, and government organizations. The CIS’s mission is to identify, develop, and promote best practices in cybersecurity. To this end, it develops security benchmarks and assessment tools for a wide variety of operating systems and network applications.

2
Q

Institute of Electrical and Electronics Engineers (IEEE)

A

A professional association of engineers and scientists of many disciplines, including computer scientists, software developers, and IT professionals. The IEEE’s mission is to advance technological innovation of all sorts, and they publish standards in many technological fields. One family you’re likely familiar with is the IEEE 802 networking standards, such as Ethernet (802.3) and Wi-Fi (802.11).

3
Q

Internet Engineering Task Force (IETF)

A

An open standards organization operating under the umbrella of the Internet Society and made up of volunteer contributors. It develops many common Internet protocols by rough consensus in open working groups and public mailing lists, and publishes them as numbered Request for Comments (RFC) documents that anyone can read free of charge. A specification that advances through the review process is classified first as a Proposed Standard and finally as an Internet Standard.

4
Q

International Organization for Standardization (ISO)

A

An international organization made up of the national standards bodies of over 160 member nations. ISO standards include everything from the OSI network model (ISO/IEC 7498-1) to the twist direction of yarn (ISO 2); many involve information technology or security standards and practices. When ISO standards are revised, the year of the revision is attached: in 2013, ISO/IEC 27001:2013 replaced the older ISO/IEC 27001:2005, and it has in turn been superseded by ISO/IEC 27001:2022.

5
Q

Internet Society (ISOC)

A

The parent organization of the IETF and several other organizations and committees involved in Internet development. The ISOC doesn’t directly develop standards; instead, it focuses primarily on organizing conferences, seminars, and training services for its member organizations and on supporting the standards bodies it hosts.

6
Q

International Telecommunication Union (ITU)

A

A UN agency charged with global tasks related to telecommunications. It allocates shared global use of the radio spectrum, coordinates national governments in assigning satellite orbits, and promotes global technical standards related to networking and communication. Many ITU standards are recognizable by their “letter-period-number” format: some you might have heard of include X.509 (the digital certificate format used by secure websites) and H.264 (the MPEG-4 AVC video codec, published jointly with ISO/IEC) used for digital video encoding both on the Internet and by television providers.

7
Q

National Institute of Standards and Technology (NIST)

A

A US government agency charged with developing and supporting standards used by other government organizations: while it primarily promotes standards for use by the US government, they frequently are used by others with similar technology needs. In recent years, computer security standards have become a major part of its mission. NIST shares most of its findings with the broader security community and regularly publishes information about known software vulnerabilities and security best practices.

8
Q

National Security Agency (NSA)

A

A US signals intelligence agency, responsible for information gathering, codebreaking, and codemaking. The NSA develops cryptographic standards and secures government information against attack. Much of the NSA’s work is classified, but it has had a visible role in some of the most widely used cryptographic standards: it designed the SHA-1 and SHA-2 hash functions, reviewed and modified IBM’s original design of DES, and evaluated the finalists in NIST’s AES competition, which was won by the independently designed Rijndael cipher.

9
Q

Open Web Application Security Project (OWASP)

A

An international non-profit organization founded to further the state of web application security. OWASP provides freely available guidelines, articles, software tools, and other resources, all of which are devoted to the development and testing of secure web applications. Their regularly updated “Top Ten” list is a popular resource for common web application vulnerabilities.

10
Q

World Wide Web Consortium (W3C)

A

A standards organization founded to develop and maintain interoperable standards for the World Wide Web (WWW) used by web browsers, servers, and other technologies. W3C standards include HTML, XML, CSS, and many others used for web-based communications. While the W3C’s publications don’t focus on security technologies, the security of web standards is an essential topic in information security.

11
Q

Consider a network service you regularly use, such as email. How could its confidentiality be compromised?

A

One example could be someone reading or intercepting it.

12
Q

How could its integrity be compromised?

A

Mail could be altered when you send or receive it.

13
Q

How could its availability be compromised?

A

You could be unable to access your mail when you need to.

14
Q

There’s been a rash of burglaries in your area, and you notice that one door into a part of the building with valuable equipment has a keypad lock set to “12345.” Identify the asset, the vulnerability, the threat, and the risk in the situation.

A

The asset is valuable equipment in the building. The vulnerability is that a lock with an easily-guessed access code is simple to bypass. The threat is burglars in the area. The risk is the combination of how likely you are to be burglarized, how hard stolen equipment would be to replace, and how much its loss would otherwise affect your business.

15
Q

You’ve set a stronger passcode and added a security alarm. How does this affect the vulnerability, threat, and risk of the situation?

A

Strengthened or added security measures reduce vulnerabilities, which in turn reduces risk. In this case, the threat is unchanged: the burglars are still out there, just less likely to get in unnoticed.

16
Q

Also known as administrative controls, these represent organizational policies and training regarding security. Management controls define the other control types in use by an organization, so they’re the starting point for implementing security. Common management controls include password policies, employee screening, training procedures, and compliance with legal regulations.

A

Managerial

17
Q

Technological solutions used to enforce security, sometimes also called logical controls. Technical controls include firewalls, authentication systems, and encryption protocols, among others. In modern data systems, technical controls do a great amount of the work and require the most exacting knowledge. However, they’re still only effective in conjunction with human activities used to implement and enforce them.

A

Technical controls

18
Q

Day-to-day employee activities which are used to achieve security goals. These are often defined by policies but exist in the effective execution of secure practices. Operational controls include backup management, security assessments, and incident response.

A

Operational controls

19
Q

Methods used to guarantee the physical security and safety of organizational assets. Physical controls can include locks, fences, video surveillance, and security guards.

A

Physical controls

20
Q

Proactive controls which act to prevent a loss from occurring in the first place. Preventive controls include locked doors, network firewalls to prevent intrusion, and policies designed to minimize vulnerabilities. Ideally, preventive controls work well enough that the other types are just backup. Since that’s not likely in the real world, you can’t ignore the others.

A

Preventive controls

21
Q

Monitoring controls which either detect an active threat as it occurs or record it for later evidence. Either way, detective controls primarily notify security personnel who can take preventive or corrective measures, rather than securing assets themselves. Typical detective controls include security cameras, network logs, auditing policies, and physical or network alarms.

A

Detective controls

22
Q

Follow up controls used to minimize the harm caused by a security breach and to prevent a recurrence. Corrective controls include restoring data from backups, changing compromised passwords, or patching vulnerable systems. Ideally, a corrective control leaves the system more secure than it was before the threat occurred.

A

Corrective controls

23
Q

Visible controls designed to discourage attack or intrusion, especially in physical security. A locked door might be a preventive control and a security camera a detective one, but the “NO TRESPASSING” sign and the visible camera might dissuade casual attackers from going in regardless of whether the door is locked. Deterrent controls also include disciplinary policies or training used to discourage employees from ignoring good security practices out of convenience.

A

Deterrent Controls

24
Q

Integrity controls

A

Hashing, Digital signatures, Backups, Version control
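An added example for the integrity card above (not part of the original flashcards): a constructed message is protected first with a plain SHA-256 hash and then with a keyed tag (an HMAC, standing in for a digital signature because the standard library has no asymmetric signing). The message text, the tampered version, and the secret key are all made up for the example. The point it shows beyond the card is that an unkeyed hash only catches accidental or careless changes; an attacker who can rewrite the stored hash along with the data walks straight through it, while a keyed tag still fails verification because the attacker cannot recompute it.

```python
import hashlib
import hmac

# Constructed sample data and key (not from the page).
MESSAGE = b"transfer 100.00 to account 4471"
TAMPERED = b"transfer 900.00 to account 4471"
SECRET_KEY = b"example-shared-secret-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Unkeyed hash: detects accidental or careless modification."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, stored_hex: str) -> bool:
    """Verify a stored hash; compare_digest avoids timing side channels."""
    return hmac.compare_digest(sha256_hex(data), stored_hex)


def sign(data: bytes, key: bytes) -> str:
    """Keyed integrity tag (HMAC-SHA256). Without the key it cannot be forged."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def signature_matches(data: bytes, stored_tag: str, key: bytes) -> bool:
    """Verify a keyed tag in constant time."""
    return hmac.compare_digest(sign(data, key), stored_tag)


def demo() -> dict:
    """Run both controls against two attacker models and report whether
    each one caught the tampering (True = tampering detected)."""
    stored_hash = sha256_hex(MESSAGE)
    stored_tag = sign(MESSAGE, SECRET_KEY)

    # Attacker 1: edits the message but cannot touch the stored values.
    # Attacker 2: edits the message AND rewrites the stored value. Lacking the
    # key, the best they can do for the tag is an unkeyed hash of the new data.
    forged_hash = sha256_hex(TAMPERED)
    forged_tag = sha256_hex(TAMPERED)

    return {
        "hash_catches_edit": not hash_matches(TAMPERED, stored_hash),
        "hash_catches_edit_with_rewritten_hash": not hash_matches(TAMPERED, forged_hash),
        "hmac_catches_edit": not signature_matches(TAMPERED, stored_tag, SECRET_KEY),
        "hmac_catches_edit_with_forged_tag": not signature_matches(TAMPERED, forged_tag, SECRET_KEY),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {'detected' if caught else 'MISSED'}")
```

The one line that comes back "MISSED" is the unkeyed hash against an attacker who controls the stored hash. That is why integrity-sensitive artifacts (packages, backups, firmware) are signed rather than merely hashed: a real digital signature gives the same detection property as the HMAC here but lets anyone verify with the public key while only the private-key holder can sign.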

25
Q

Confidentiality controls

A

Least privilege, Need to know, Separation of duties

26
Q

Availability controls

A

Redundancy, Fault tolerance, Patch management

27
Q

Why is a false negative worse than a false positive?

A

False positives only do damage by consuming incident response resources. False negatives allow security breaches to go undetected.
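An added example for the detective-control and false-negative cards above (not part of the original flashcards): a simple failed-login detector run over a constructed auth log, swept across three alert thresholds. The log lines, hostnames and IP addresses are invented for the example, and the "attacker" ground truth is simply declared. It shows the trade-off the card describes: a low threshold flags a legitimate user's two typos (a false positive, costing an analyst a look), while a high threshold lets a slow password-guessing attacker through unreported (a false negative, which is the outcome the card says is worse).

```python
import re
from collections import Counter

# Constructed sample auth log (not real data). 10.0.0.5 is a user who
# mistyped a password twice; 203.0.113.9 is a slow password-guessing attacker.
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[100]: Failed password for alice from 10.0.0.5 port 5000
Jan 10 09:00:04 host sshd[101]: Failed password for alice from 10.0.0.5 port 5001
Jan 10 09:00:09 host sshd[102]: Accepted password for alice from 10.0.0.5 port 5002
Jan 10 09:01:00 host sshd[103]: Failed password for root from 203.0.113.9 port 6000
Jan 10 09:03:00 host sshd[104]: Failed password for admin from 203.0.113.9 port 6001
Jan 10 09:05:00 host sshd[105]: Failed password for root from 203.0.113.9 port 6002
Jan 10 09:07:00 host sshd[106]: Failed password for test from 203.0.113.9 port 6003
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ATTACKER_IPS = {"203.0.113.9"}  # declared ground truth for the constructed data


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def alert_ips(log_text: str, threshold: int) -> set:
    """Detective control: flag any IP with at least `threshold` failures."""
    return {ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold}


def evaluate(alerted: set, attackers: set) -> dict:
    """Classify the detector's alerts against ground truth."""
    return {
        "true_positives": alerted & attackers,
        "false_positives": alerted - attackers,
        "false_negatives": attackers - alerted,
    }


def sweep_thresholds(log_text: str, attackers: set, thresholds) -> dict:
    """Run the detector at each threshold and report its error types."""
    return {t: evaluate(alert_ips(log_text, t), attackers) for t in thresholds}


if __name__ == "__main__":
    for t, result in sweep_thresholds(SAMPLE_LOG, ATTACKER_IPS, (2, 3, 5)).items():
        print(f"threshold={t}: {result}")
```

At threshold 2 the detector reports alice's two typos alongside the attacker; at threshold 5 it reports nothing at all while four guesses against root, admin and test go unnoticed. A production rule would also bound the count to a time window and track per-target usernames, which this example omits; the trade-off it illustrates does not change.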