D1: Security & Risk Management Flashcards

D1 from example test simulators keywords (203 cards)

1
NDA
Non Disclosure Agreement; restricts dissemination of information; Compelling parties to not reveal information to others; Keeping secrets;
2
NCA
Non Compete Agreement; relates to employment with competition; Work restrictions; Agreement not to enter into or start a similar line of work in competition against another party;
3
AUP
Authorized Use Policy; warns employees about proper use of organizational assets; Allows for firing employee for misuse;
4
Exit Interview
Useful for discovering serious problems that might not be otherwise disclosed;
5
Education
Providing fundamental knowledge & definitions
6
Training
Providing tactical knowledge necessary for a job or task
7
Awareness
Imparting sensitivity or importance to a topic/issue to all personnel
8
Indoctrination
Incorporating an individual or group into the culture of the larger organization
9
CEO
Chief Executive Officer; Responsible for overall organization and its mission
10
CIO
Chief Information Officer; Responsible for aligning information & technical strategies; Most senior official in an organization responsible for IT & Systems that support the enterprise; Senior Technology official;
11
CPO
Chief Policy Officer: Responsible for ensuring that there is compliance with org and regulatory privacy rules
12
CISO
Chief Information Security Officer; Responsible for monitoring & analyzing risk information associated with data protection
13
CSO
Chief Security Officer; Responsible for physical & Technical security of org's assets; Responsible for development, oversight, mitigation, & other risk strategies; Most senior security official;
14
CTO
Chief Technology Officer; Chooses technology & scientific items; Executive person tasked with identifying useful technology, IT strategies, & partnerships;
15
ISSO
Information Systems Security Officer; Organizational role charged with developing, implementing, testing, & reviewing IT security;
16
Risk Management Categorize
Related to assigning a security role to an IT system
17
Risk Management Select
Identifies the appropriate measures needed to reduce risk satisfactorily
18
Risk Management Implement
Regards enacting the selected security controls
19
Risk Management Assess
Involves an independent assessor to test the controls
20
Risk Management Authorize
Take the risk assessment and make a risk determination
21
Risk Management Monitor
Relates to ongoing review & updating of controls and security status
22
Opportunity Cost
Next best use for funds
23
Depreciated Cost
Reflects wear, tear, and evaluation over time
24
Replacement Cost
Current expenditure to gain an identical item
25
Purchase Cost
Original cost
26
Code of Regulations
Administrative law is published here
27
Constitution
Provides for information about interpretation of laws
28
NIST
National Institute of Standards & Technology; Publishes Special Publications, but NO laws; Publishes recommendations and standards, many related to IT security; Government standards body;
29
United States Code
Laws enacted by Congress published here
30
Accept Risk
Accept with knowledge of risk.
31
Avoid Risk
Change course or cancel a project.
32
Deter Risk
Pursue the threat actor.
33
Mitigate Risk
Addressing risk and its factors. Try to reduce/prevent risk.
34
Transfer Risk
Assign risk to another party, insurance.
35
Ignore Risk
Move ahead without knowledge of the risk. NEVER an appropriate response.
36
Copyright
Legal right for creator of original work
37
Trademark
Recognized signs or expressions to identify product or service;
38
Patent
Intellectual property rights to a product/process for a limited period of time; protect innovative product/process; Exclusive rights to product/process;
39
Trade Secret
Formula, process, or design that is generally not known by others and has a viable commercial use; Guarded info not disclosed to the world;
40
DRM
Digital Rights Management; Systematized access control for digital media; Encrypted PDFs; Access control technology for restricting the use of proprietary hardware & copyrighted works;
41
Wassenaar
Covers conventional arms sales and controls.
42
Economic Espionage Act
Criminalized stealing trade secrets
43
GDPR
General Data Protection Regulation; European law endorsed by the US that handles privacy issues; Enforced by Department of Commerce; International data privacy regulation;
44
FISMA
Federal Information Security Management Act; Handles risk management in the US government; US requirements for data security within federal orgs; Requires each federal agency to develop, document, & implement an agency-wide program to provide info sec; Uses RMF
45
PCI
Payment Card Industry; Self-regulation for banking cards
46
Data Owner
Party that collects & is responsible for the information
47
Data Subject
The person/thing referred to by data;
48
Data Processor
Group/organization responsible for manipulation & computations with the data w/in their systems;
49
Data Custodian
Manages the information systems that perform processing; has physical control & server control; Facilitates use;
50
ISO 27000
Information system management system standards are a flexible set of standards and practices to manage security risks in an org.
51
NIST RMF
National Institute of Standards & Technology Risk Management Framework; Government created set of guides to manage and control risk
52
COSO
Committee of Sponsoring Organizations is an initiative to combat organizational fraud; Preventing fraud and abuse; dedicated to guiding managers & government w/ regard to ethics, controls, & risk mgmt.;
53
COBIT
Control Objectives for Information and Related Technologies; is a best practice security framework from ISACA
54
AGILE
Software development methodology; Emphasize customer involvement & simple deliverables. Expects continual refinement of requirements, capabilities, & features through dev process;
55
Directive Security Control
Rules promulgated by management; EX: Policy, NDA, Exit Signs, Need to know policy;
56
Deterrent Security Control
Affect threat agents; EX: Guards, cameras, Logon banner with warning;
57
Preventative Security Control
Stop an active attack; EX: Walls, fence, Biometric doorway control;
58
Compensating Security Control
Take over for another function/measure while a threat is active; EX: RAID array;
59
Detective Security Control
Only identify and do not stop threats; EX: motion detector, dogs, logs & audits;
60
Corrective Security Control
Implemented after a threat has manifested; EX: IPS, Fire Suppression;
61
Recovery Security Control
Restores operations to the way they were; EX: Backups, DRP, cloud-based backup;
62
STRIDE Threat Modeling
Created by Microsoft; Spoofing, Tampering, Repudiation, Information Disclosure, DOS, Elevation of Privilege; Initially created as part of the process of Threat Modeling;
63
VAST Threat Modeling
Visual Agile & Simple Threat modeling; promotes its use across the entire infrastructure & the SDLC
64
ISA
Interconnection Service Agreement; Defines VPNs; Agreed-upon measures, settings & protocols taken by two orgs to facilitate communication;
65
OLA
Operating Level Agreement
66
MOU
Memorandum of Understanding; Provides refinement of duties and responsibilities; Provides terms & details necessary for two parties to work together;
67
MOA
Memorandum of Agreement; Achieving consensus toward a common goal; Document describing cooperative work to be taken together by two parties toward an objective;
68
SLA
Service Level Agreement; Contractual guarantee of performance; A promise; An agreement on the characteristics of quality and performance between two parties;
69
MSA
Master Services Agreement
70
MTD
Maximum Tolerable Downtime; Beginning of a disaster; Estimated time until catastrophic damage to an org has occurred;
71
MTBF
Mean Time Between Failures; The average failure rate; Estimation as to how often serious errors occur, typically measured in thousands of hours; Predicted elapsed time between failures of a mechanical or electronic system; Hardware reliability;
72
MTTR
Mean Time to Recovery (Repair); how long a system can take to recover from a failure; Time needed to fix something; Standard recovery statistic indicating swiftness of DRP responses; Restoration average; Expected time it will take to regain functionality;
73
MTPD
Maximum Tolerable Period of Disruption; Identifies the point at which services must be restored or the business is irrevocably damaged;
74
RPO
Recovery Point Objective; What data must be available upon restoration & defines acceptable loss; Maximum # of transactions lost; # of transactions or quality of data that can be acceptably lost; Targeted maximum loss quantity;
75
RTO
Recovery Time Objective; When data must be available; Maximum amount of time lost; Maximum amount of time allowed for an outage;
76
MITM
Man-in-the-Middle; An attacker insinuates itself between client and server, observing or modifying communications; Intercepting and changing;
77
GDPR Lawful
Data must be legal to possess;
78
GDPR Purpose
Must have purpose for possessing the information;
79
GDPR Minimal
Data can only be retained as long as necessary;
80
GDPR Accuracy
Data must be as accurate as possible;
81
GDPR Storage Limitation
Only the information necessary for its purposes should be retained;
82
GDPR Integrity & Confidentiality
Must take measures to ensure integrity & confidentiality;
83
PCI DSS
Payment Card Industry Data Security Standard; Credit Card industry established to ensure regulated control & consumer confidence;
84
WIPO
World Intellectual Property Organization; Promote the protection of intellectual property; United Nations agency that oversees international trademarks & patents;
85
GLBA
Gramm-Leach-Bliley Financial Services Modernization Act; Involves privacy concerns with financial institutions; Requires financial orgs to protect customer data and to disclose how this is done; Provide each consumer with a privacy notice at the time the consumer relationship starts; Financial Rules overhaul;
86
SOX
Sarbanes-Oxley; Financial accountability; Implements criminal penalties for incorrect reporting of losses or liabilities; Requirements for US companies & mgmt. to provide accurate information;
87
COPPA
Federal Children's Online Privacy Protection Act. Applies to collection of info/accounts for children < 13yo; AKA: CaliOPPA
88
HIPAA
Health Insurance Portability & Accountability Act; Medical security; Requires proper encryption of data transmission & storage as well as secure disposal; US law designed to protect the privacy of patient information;
89
PII
Personally Identifiable Information; EX] DL#, SSN, Credit Card #; Unique identifier; data or pieces of data used to uniquely correspond to or identify one individual and requires special handling;
90
PHI
Personal Health Information; Info within an EMR; Sensitive info regarding health of individual;
91
PIPEDA
Personal Information Protection & Electronic Documents Act; Canadian law involving privacy; Canadian PII;
92
Baselines
Required minimum levels of protection and performance that must be met
93
Guidelines
Recommended settings or levels and are considered optional
94
Standards
Security practices based on industry or governmental documents. Mandates steps to follow
95
Procedures
Step-By-Step instructions. Repeatable, Detailed.
96
Policies
High level written
97
NIST SP 800-30
9 steps: System characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, recommend controls, & results documentation;
98
Due Care
Requires an organization to act and enforce security mechanisms put into place; Being careful; Legal standard
99
Due Diligence
Demonstrating that the organization is following its own policies; verifying work, researching, being forewarned & prepared;
100
Prudent Man
Relates to taking appropriate responsibility for actions; Test for activities in the protection of assets, considered what a careful & responsible person would do;
101
Preponderance of Guilt
In civil litigation it is only necessary for a preponderance of guilt to be believed;
102
Compliance
Adherence to external mandates
103
Audits
Tools, processes, & activities used to perform compliance reviews;
104
Virus
Attaches itself to programs in order to replicate; Most common; Copies itself; Requires interaction from user;
105
Backdoor
Privileged access to software or a system;
106
Worm
Replicates independently to infect systems; Fastest; Attacks the OS; No user interaction is needed;
107
Trojan Horse
Appears to provide a valid service hiding its malicious nature; Commonly downloaded; Introduced to system by misdirection or trust
108
Logic Bomb
Set to happen based on certain events; Typically date & time; Launches malicious activity when predetermined conditions are met/triggered;
109
Spyware/Adware
Secretly installed; Collects info about user; plays, displays, or downloads w/o consent; designed to spy on system activity;
110
Rootkit
Capable of hiding user files and processes; Maliciously disguises or blocks observation of malware;
111
Polymorphic
Constantly re-factoring code to evade detection by signatures
112
Macro
Capable of attacking multiple operating systems
113
Bipartite
A multimodal virus that may infect boot sectors and executable files
114
Boot Sector
Attacks an operating system prior to the kernel being loaded
115
Risk Formula
Risk = Threat * Vulnerability; sometimes risk = threat * value * vulnerability
116
RMF Authorize
Based upon a determination of risk by independent parties
117
Dynamic Policy
Is one that can be implemented and changed from a central location as needed;
118
1st Amendment
Freedom of speech
119
4th Amendment
Search & seizures
120
Accountability
Holding individuals responsible for their actions
121
Availability
refers to providing data when and where a user requires access
122
Non-Repudiation
refers to the characteristic of data where the user cannot deny they performed their actions on the data;
123
Authenticity
Data which can be described as not corrupted, or genuine;
124
CSS / XSS
Cross Site Scripting; Users inserting JavaScript into a URL or blog page to force unwanted actions by other users; Sends unwanted code to clients; Web Application attack; Malicious user using script input to steal info from other users;
125
Session Hijacking
Allowing another user to login and then seizing control;
126
SQL Injection
Using web front end to implement database actions on the backend; Insertion of DB commands by client that cause unwanted server actions.
127
Privilege Escalation
The surfing of authority in order to gain additional access;
128
CSRF / XSRF
Cross-Site Request Forgery; Devising a webpage that bounces commands off an unwary client to an unsecured site to force a transaction; Attack wherein a message is spoofed from a user to a trusted site; Web application attack; Iframes & server flaws that allow an illicit fake message to be processed;
129
Buffer Overflow
The insertion of assembler-level commands into the input data stream by exploiting a boundary error; Corrupting the memory of a host by causing a large amount of data to be inserted in the stack/heap; large amounts of data cause other instructions to be overwritten; Cause DoS or take over completely.
130
What do Privacy Laws protect
Customers data, Employees data, & Employee rights
131
What is the purpose of a BIA
Determine the impact to business operations of disruptions
132
Countermeasures
Reactive controls to mitigate or correct an incident
133
Safeguards
Proactive controls to mitigate or correct an incident
134
Responses
Actions after an incident has occurred
135
Exposures
How vulnerable are systems to threats
136
Qualitative Assessments
Use non-numerical levels or categories, and Expert or best judgement
137
Quantitative Assessments
Use consistent numerical values, Financial performance measurements
138
DRP
Disaster Recovery Plan; An immediate plan to cope with disasters & problems; aid in recovery from short-term issues
139
Change Management Policy
Dictates how and when changes are made to a system; enforces accountability and creates an audit trail of modifications;
140
AIC
Another way of saying CIA; Availability, Integrity, and Confidentiality; Primary security goals; Having a system that is able to be accessed, accurate with its info and maintain proper access controls;
141
ARO
Annualized Rate of Occurrence; frequency with which an attack occurs; Number of attacks per year; Total # of expected successful attacks on an annual basis;
142
EMI
Electromagnetic Interference; Threat to copper-based media
143
ESP
Encapsulating Security Payload; Protocol to encrypt IPsec payloads
144
EF
Exposure Factor; Percentage of an asset lost from a single attack; Indicates value loss from one attack; Assessed damage level;
145
SPIM
Spam over Internet Messaging; Unwanted messages; Chat messages delivered as a hoax to induce purchase;
146
SPIT
Spam over Internet Telephony; Use of SMS to deliver unwanted messages;
147
Pivot
Gaining control of one application or host in order to manipulate a secondary target; Staging a new attack;
148
MITM
Man in the Middle; Between Client and Server; An attack wherein a node listens to and takes over a conversation by insinuating itself into the stream of communication;
149
BO
Buffer Overflow; The insertion of malicious computer instructions into the RAM of a host to accomplish a DoS or injecting shellcode;
150
Brute Force
Discovers a hash or encrypted secret by attempting all combinations and permutations; Always works if time is not a factor;
151
ALE
Annualized Loss Expectancy: SLE * ARO; hint: SLEAROoooo -> Drunk at a bar with ALE; Total annual damage;
152
APT
Advanced Persistent Threat; Highly targeted threat; Full featured exploit designed to attack a specific target, commonly assembled by teams of attackers to achieve a particular goal;
153
BIA
Business Impact Analysis: Impact estimate; Prerequisite for disaster recovery and continuity planning to identify potential losses;
154
BPA
Business Partners Agreement: Outlines the goals and responsibilities between entities pursuing a common work product; Cooperation and partnership;
155
CERT
Computer Emergency Response Team; IT First responders; A multi-discipline group designated to handle IT incidents;
156
CIRT
Computer Incident Response Team: A group that investigates & resolves IT security problems; Handles breaches;
157
DBA
Database Administrator; Creates & maintains large data repositories; Personnel capable of managing automated and large information repositories;
158
DDoS
Distributed Denial of Service; Attack methodology involves a multitude of remotely controlled devices focusing upon a single target; Mass attack; Attacker leverages thousands/millions of zombies/bots to degrade a victim;
159
DEP
Data Execution Prevention; Stops buffer overflows; An operating system memory management technique that prevents user data from overlapping into computer instructions;
160
DoS
Denial of Service; Stopping operation; A one on one attack that causes access or utility to cease; A single attacker seeks to make a resource unavailable;
161
MSP
Managed Service Provider; Handle specific applications of IT; Specialty provider of IT services management contracted by a client;
162
POODLE
Padding Oracle on Downgrade Legacy Encryption; An attack technique that could support confidentiality in SSL connection; Decryption threat;
163
RAT
Remote Access Trojan; Backdoor placement; Software that implements illicit remote control software;
164
ROI
Return on Investment; Cost divided by expense; Primary metric to be used when evaluating whether something is worth the time, effort, or cost;
165
RMF
Risk Management Framework; NIST created framework; Paradigm that was promulgated by the US government;
166
SCAP
Security Content Automation Protocol; Security Automation; Framework promoted by US govt to create open standards for automation of information assurance;
167
SEH
Structured Exception Handler; Memory Corruption; facility within Windows that identifies memory corruption and contingencies;
168
SLE
Single Loss Expectancy; Damage from one incident; The value of an asset multiplied by the exposure factor (EF); One time cost;
169
AV
Asset Value; Cost of an asset; The value of an asset or its repair cost as measured in risk formulas;
170
BSI
British Standards Institute; Engineering Standards; US engineering group that defines various terms and standards;
171
CBK
Common Body of Knowledge; ISC2 goals; Collection of topics related to information security professionals;
172
CC
Common Criteria; Framework in which computer system users can specify their security functional & assurance requirements (SFRs & SARs respectively) in a security target (ST) & may be taken from Protection Profiles (PPs);
173
CSF
Critical Success Factor; Important results; Necessary for an organization or project to achieve its mission;
174
CVE
Common Vulnerabilities & Exposures; List of software flaws that is published by Mitre to act as a dictionary of known issues; Vulnerability list;
175
DoDAF
Department of Defense Architecture Framework; Overview & details aimed to specific stakeholders; Provides visualization infrastructure for specific stakeholders concerns through viewpoints organized by various views;
176
DPA
Data Protection Act; Provision about the processing of personal data; UK law that complements the GDPR;
177
GDPR
General Data Protection Regulation; European Union's;
178
DSS
Decision Support Systems; Planning and organizational tool;
179
EULA
End-user Licensing Agreement; Terms of use; type of software agreement;
180
FIPS
Federal Information Processing Standard; Federal requirements; Openly announced standards developed by the US Govt for use in computer systems or networks;
181
HSPD
Homeland Security Presidential Directive; Presidential commands; Issued by presidents involving foreign, military, & domestic policies;
182
IA
Information Assurance; Securing computers & other information; The org's function associated with assessing & managing risk so as to reduce it to an acceptable level;
183
IAB
Internet Architecture Board; Architectural oversight of IETF; seeks to improve the Internet by providing high quality technical documents & guidance in the way the internet is used and managed;
184
IAM
Information Assurance Management; In charge of IT; Management personnel associated with defense of IT resources;
185
IAM
Identity & Access Management; Granting or blocking access; An organizational function associated with creating & managing digital identities;
186
IAT
Information Assurance Technical; Hands on IT security; Technical person associated with the defense of IT resources;
187
IEC
International Electrotechnical Commission; Electrical & electronic standards; Covers vast range of technologies from power generation, transmission, & distribution to home appliance and office equipment;
188
IP
Intellectual Property; Proprietary stuff; Plans, designs, creative works of human thought that have value;
189
ISMS
Information Security Management Systems; Standards body; Cohesive set of policies, plans, & procedures for an org;
190
ITIL
Information Technology Infrastructure Library; Linking business & technology; groups of practices for IT service mgmt. that focuses on creating synergy between IT services & business requirements;
191
ITSEC
Information Technology Security Evaluation Criteria; Security evaluation; Organized set of criteria for evaluating computer security within products & systems;
192
IV&V
Independent Verification & Validation; Objective assurance; Ensuring a product, service, or system meets specified requirements and designs;
193
KEDB
Known-Error Database; Compendium of problems with solutions; Collection of problems that are successfully diagnosed & which either a work around or a perm solution has been determined;
194
KMS
Key Management Server; Licensing; Provide software activation through a central system to handle compliance;
195
MDC
Modification Detection Codes; Hashing; Mathematical algorithm designed to create message digest that can be used to indicate when a message has been altered;
196
OEM
Original Equipment Manufacturer; An org/company that manufactures parts & components that may be marketed by other companies; "Third-party products";
197
PDCA
Plan-Do-Check-Act; Continuous improvement; Iterative four step management system designed to facilitate control & improvement;
198
PP
Protection Profile; Certification document; Element of the CC that specifies evaluation criteria to validate the security claims of a product;
199
SABSA
Sherwood Applied Business Security Architecture: Security framework; Methodology for enterprise architecture & management of security services;
200
TCSEC
Trusted Computer System Evaluation Criteria; Standard IT security verification; US DoD standard for assessing the effectiveness of computer security;
201
TOC/TOU
Time of check/Time of use; Problem with race condition vulnerability; Problematic period of time between the time at which a resource is set or known and the time at which it is ultimately used;
202
TOE
Target of Evaluation; Item being inspected; System or application that is being subjected to detailed examination & analysis for security features;
203
TOGAF
The Open Group Architecture Framework; Enterprise architecture for design, planning, implementing, & governing IT; Four level framework for modeling the business, application, data, & technology;