Day 2 12/22/2018 @27th march Flashcards

1
Q

Abstraction

A

Similar elements are put into the same group/class, and that group is assigned security controls, restrictions or permissions as a collective.

2
Q

Difference between Data hiding and Security through obscurity

A

Data hiding is the act of intentionally positioning data so that it is not viewable by an unauthorized subject. Security through obscurity is the idea of not informing the subject about the object and assuming that the data will be protected that way (no real security).

3
Q

Risk Factor associated with Merger and Acquisition

A

Inappropriate information disclosure, data loss, downtime, or failure to achieve a sufficient return on investment.

4
Q

Divestiture

A

Selling off a business unit or reducing staff; carries a data disclosure risk. Assets have to be sanitized to prevent data leakage, storage media should be removed and destroyed, employee exit interviews held, NDAs …

5
Q

Change Management

A

The goals of change management:
> Change does not lead to reduced or compromised security
> Changes can be rolled back

6
Q

Change Control process

A

> Implement changes in a monitored and orderly manner
> A formalized testing process ensures that the expected results will be found
> All changes can be reversed or rolled back
> Users are informed of changes before they occur, to prevent loss of productivity
> Analyze whether there is any negative impact
> Changes are reviewed and approved by the CAB (change advisory board)

7
Q

Security Control Framework

A
COBIT: best IT security practices crafted by ISACA. It is also used by auditors. Business focused.
5 Principles
(Mnemonic: went to eat steak end to end, got asked whether I was single, and with a holistic approach said separate governance from management.)
1. Meet stakeholder needs
2. Cover the enterprise end to end
3. Apply a single integrated framework
4. Enable a holistic approach
5. Separate governance from management

8
Q

ITIL

A

Developed by the British government. A starting point for a customized IT security solution; focused on IT service management.

9
Q

ISO/IEC 27002 Standard

12 security controls and their objectives

A

1. R - Risk assessment
2. S - Security policy
3. O - Organization of information security
4. A - Asset management
5. H - Human resource security
6. P - Physical and environmental security
7. C - Communications and operations management
8. A - Access control
9. I - Information system acquisition, development and maintenance
10. I - Information security incident management
11. B - Business continuity management
12. C - Compliance

10
Q

Threat Modeling

A

Identify threats, then categorize and analyze them. Three types of threat modeling: 1. asset based (identify the valuable assets first, then find their vulnerabilities); 2. threat based (identify the attackers and their goals); 3. software based (for companies that develop software, including those that only run their own websites).

11
Q

STRIDE Model

A

Developed by Microsoft; a threat categorization scheme.
S - Spoofing
T - Tampering - unauthorized changes and manipulation of data
R - Repudiation
I - Information disclosure
D - Denial of service
E - Elevation of privilege

12
Q

DREAD model

A

It is a rating system for threats:
D - Damage potential (how severe the damage is)
R - Reproducibility
E - Exploitability (how hard it is to perform the attack)
A - Affected users
D - Discoverability (how hard it is to identify the weakness)

13
Q

Precautions to be taken before integrating with a 3rd party

A
1. On-site assessment: conduct interviews to learn their work procedures
2. Document exchange and review
3. Process/policy review

14
Q

SOC1 vs SOC2 Audit

A

SOC1: for companies that host customers' financial information.
SOC2: security controls in relation to the CIA triad.

15
Q

job description

A

Job descriptions are important to the design and support of a security solution; SOC2 and ISO 27001 require an annual job description review.

16
Q

Separation of duties

A

Least privilege; prevents collusion, which means two or three people cooperating to make something illegal happen.

17
Q

job rotation

A
1. Everyone gains the same knowledge, so there are many alternatives; this can also be achieved with the help of cross-training
2. Protection against theft, which can happen when a single person is the only handler
3. Also prevents collusion
18
Q

NCA

A

Non-compete agreement; not often enforceable in court. An NCA is used to prevent a worker from jumping from one company to another for a salary increase.

19
Q

onboard

A

Adding a new employee to the identity and access management system, or rewarding or promoting an existing employee into a different role.

20
Q

Life cycle risk threat vulnerability

A
Assets ------ Threat
   \              \
Safeguards    Vulnerabilities
     \           /
      Risk -- Exposure
21
Q

For risk assessment, rather than internal employees

A

An external consultant is preferred.

22
Q

SLE (single loss expectancy)

A

SLE = AV (asset value) x EF (exposure factor). EF is the percentage of the asset that is lost if a loss happens.

23
Q

ALE (annual loss expectancy)

A

ALE = SLE x ARO (annual rate of occurrence)

24
Q

Qualitative risk analysis techniques

A
1. Brainstorming
2. Delphi technique
3. Storyboarding
4. Focus groups
5. Surveys
6. Questionnaires
7. Checklists
8. One-to-one meetings
9. Interviews

25
Q

Delphi technique

A

An anonymous feedback-and-response process used for a group to come to a consensus.

26
Q

Risk Acceptance

A

Clearly written as a sign-off letter stating why the safeguard was not implemented and who is responsible for the risk.

27
Q

Risk Avoidance

A

Choosing an alternate option that has less risk; for example, don't build a home near a river.

28
Q

Residual Risk = remaining risk

A

= total risk (= threat * vulnerability * asset value) - controls gap

29
Q

Quantitative vs qualitative

A

Quantitative risk assessment—Deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
Qualitative risk assessment—Ranks threats by nondollar values and is based more on scenario, intuition, and experience

30
Q

Risk Rejection

A

Rejected—Depending on the situation, any one of the preceding methods might be an acceptable way to handle risk. Risk rejection is not acceptable, as it means that the risk will be ignored on the hope that it will go away or not occur

31
Q

Points to be remembered

A

Another item that is sometimes overlooked in quantitative risk assessment is the total cost of a loss. The team should review these items for such costs:

Lost productivity
Cost of repair
Value of the damaged equipment or lost data
Cost to replace the equipment or reload the data

32
Q

RISK Rating Qualitative

A

Low—Minor inconvenience; can be tolerated for a short period of time but will not result in financial loss.
Medium—Can result in damage to the organization, cost a moderate amount of money to repair, and result in negative publicity.
High—Will result in a loss of goodwill between the company, client, or employee; may result in a large legal action or fine, or cause the company to significantly lose revenue or earnings