Domain 1 Flashcards

(75 cards)

1
Q

Due Diligence

A

Practicing the activities that maintain the due care effort

Think before you act

2
Q

Due Care

A

Doing what a reasonable person would do in a given situation. “Prudent man” rule

Actions speak louder than words

3
Q

CIA Triad

A

Confidentiality
Integrity
Availability

4
Q

Confidentiality

A

Access controls help ensure that only authorized subjects can access objects

5
Q

Integrity

A

Ensures data or system config are not modified without authentication

6
Q

Availability

A

Auth requests or objects must be granted to subjects within a reasonable amount of time

7
Q

ISC2 Code of Ethics

A
  1. Protect society, the common wealth, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession
8
Q

Security Policy Development

A

From the bottom up:
Security Procedures
- Detailed step by step
Security Guidelines
- Offer recommendations
Security Baselines
- Define "minimum levels"
Acceptable Use Policy
- Assign roles / responsibility

9
Q

Risk Categories
Damage

A

Result in physical loss of an asset or inability to access that asset

10
Q

Risk Categories
Disclosure

A

Disclosed critical info regardless of where or how it was disclosed

11
Q

Risk Categories
Losses

A

Permanent or temp, including altered or inaccessible data

12
Q

Risk Factors
Physical Damage

A

Natural disaster, power loss, vandalism

13
Q

Risk Factors
Malfunctions

A

Failure of systems, networks, or peripherals

14
Q

Risk Factors
Attacks

A

Purposeful acts

15
Q

Risk Factors
Human Errors

A

Accidental incidents

16
Q

Risk Factors
Application Errors

A

Failures of apps, including the OS

17
Q

Security Planning
Strategic

A

Long term, includes risk assessment
5 year, annual updates

18
Q

Security Planning
Tactical

A

Midterm, ~1 year

19
Q

Security Planning
Operational

A

Short term, monthly / quarterly

20
Q

Response to Risk
Acceptance

A

Do nothing, accept risk and potential loss

21
Q

Response to Risk
Mitigation

A

Implement countermeasure and accept residual

22
Q

Response to Risk
Assignment

A

Transfer to 3rd party (insurance)

23
Q

Response to Risk
Avoidance

A

When cost to mitigate / accept are higher than the benefits of service

24
Q

Response to Risk
Deterrence

A

Would-be violators of policy

25
*Response to Risk* Rejection
**Unacceptable**, to reject / ignore
26
*Risk Management Framework* NIST 800-37
1. **Prepare**
2. **Categorize** info systems
3. **Select** security controls
4. **Implement** security controls
5. **Assess** security controls
6. **Authorize** the system
7. **Monitor** security controls

Mnemonic: **P**eople **C**an **S**ee **I** **A**m **A**lways **M**onitoring
27
*Types of Risk* Residual
Remains with all safeguards in place
- Mngmt chose to accept rather than mitigate
*After*
28
*Types of Risk* Inherent
New risk, not yet identified with mngmt
- Exists in absence of controls
*Before*
29
*Types of Risk* Total
Risk if no safeguards in place
*Without*
```
Total Risk = threats * Vulns * asset value
```
30
*Formula* Risk
Risk = Threat * Vuln
31
Quantitative Risk Analysis (6 Steps)
1. **Inventory Assets** and assign value `AV`
2. **Identify Threats** research assets and make a list of all possible threats `EF`, `SLE`
3. **Perform Threat Analysis** calc chance that each threat is realized in a single year `ARO`
4. **Estimate Potential Loss** calc annual loss expectancy `ALE`
5. **Research Countermeasures for Each Threat** then calc changes to `ARO` and `ALE`
6. **Perform a Cost / Benefit Analysis** for each safeguard --> threat --> asset
32
*Qualitative Risk Analysis* Delphi Technique
**Anonymous** feedback / response process
33
*Qualitative Risk Analysis* Loss Potential
What **would** be lost
34
*Qualitative Risk Analysis* Delayed Loss
Amount of loss that can occur over time
35
Exposure Factor (EF)
% of loss that an org faces if a specific asset were violated by a related risk
36
Single Loss Expectancy (SLE)
The cost associated with a **single** related risk against a **specific** asset
```
SLE = Asset Value * Exposure Factor
SLE = AV * EF
```
37
Annualized Rate of Occurrence (ARO)
Expected frequency with which a specific threat or risk occurs in a year
38
Annualized Loss Expectancy (ALE)
Possible **yearly** **cost** of all instances of a specific realized threat against a specific asset
```
ALE = Single Loss Expectancy * Annualized Rate of Occurrence
ALE = SLE * ARO
```
39
*Formula* Safeguard Evaluation
ALE1 = ALE **before** safeguard
ALE2 = ALE **after** safeguard
ACS = Annualized Cost of Safeguard
```
Value of Safeguard = ALE1 - ALE2 - ACS
```
40
*Formula* Controls Gap
```
Residual Risk = Total Risk - Controls Gap
```
41
Supply Chain Eval
- On-site assessment
- Docs exchange and review
- Process / policy review
- 3rd-party audit
42
Threat Modeling (General Approaches)
Proactive or Reactive
Focus on:
- **Assets** using AV to ID threats
- **Attackers** ID attackers and threats based on attackers' goals
- **Software** potential threats against the software itself
43
*Threat Modeling* STRIDE by Microsoft
- **S**poofing
- **T**ampering
- **R**epudiation
- **I**nfo disclosure
- **D**enial of Service
- **E**levation of privilege
44
*Threat Modeling* PASTA
*Countermeasure based on AV*
1. Define objectives
2. Define technical scope
3. App decomposition and analysis
4. Threat analysis
5. Weakness & vuln analysis
6. Attack modeling & simulation
7. Risk analysis & mngmt
45
*Threat Modeling* VAST
*Based on Agile*
**V**isual **A**gile **S**imple **T**hreat
46
*Threat Modeling* DREAD
*Based on 5 questions*
- **D**amage Potential
- **R**eproducibility
- **E**xploitability
- **A**ffected Users
- **D**iscoverability
47
*Threat Modeling* TRIKE
*Focus on acceptable risk*
- Open-source threat modeling that implements a **requirements model**
- Assigns a level of risk for each asset that is "acceptable" to stakeholders
48
*Security Control Framework* COBIT
*IT Management and Governance*
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single, integrated framework
4. Enabling a **Holistic Approach**
5. Separation of **Governance** from **Management**
49
Risk Reduction Analysis (5 parts)
1. **Trust Boundaries** any location where the level of trust or security changes
2. **Data Flow Paths**
3. **Input Points**
4. **Privileged Operators**
5. **Details about Security Stance + Approach**
50
Security Controls (2 types)
**Safeguards** = **Pro**active
**Countermeasures** = **Re**active
51
*Security Controls* Categories (3 types)
1. **Technical**: hardware / software
2. **Administrative**: policies, procedures, regulations
3. **Physical**: barriers, locked doors, moats
52
*Security Controls* Control Types (7 types)
1. **Deterrent**: discourages violations
2. **Preventive**: stops unauthorized activity from happening
3. **Detective**: discovers unauthorized acts
4. **Compensating**: provides options to other controls to aid enforcement
5. **Corrective**: returns system to normal
6. **Recovery**: extension of corrective, with more abilities
7. **Directive**: directs actions of subjects to force security compliance
53
*Important Laws* Computer Fraud and Abuse Act (CFAA)
The first major US cybercrime specific legislation
54
*Important Laws* Federal Sentencing Guidelines
Gave punishment guidelines for computer crimes
55
*Important Laws* Federal Info Security Mgmt Act (FISMA)
Required formal infosec operations for federal agencies
56
*Important Laws* Copyright and the Digital Millennium Copyright Act
Covers literary, musical, and drama works
57
*IP and Licensing* Trademarks
Words, slogans and logos
58
*IP and Licensing* Patents
IP of inventors
59
*IP and Licensing* Licensing (4 types)
1. **Contractual**:
2. **Shrink wrap** - a permission given to someone to use a software or product that would otherwise be illegal
3. **Click through** - End User License Agreement (EULA)
4. **Cloud servers** - licenses sit in the virtual cloud
60
*IP and Licensing* Trade Secrets
IP that is critical to business and cannot be disclosed
61
*Encryption and Privacy Laws* Computer Export Controls
US companies cannot export to Cuba, Iran, North Korea, Sudan or Syria
62
*Encryption and Privacy Laws* Encryption Export Controls
Dept of Commerce controls this
63
*Encryption and Privacy Laws* Privacy (US)
4th amendment rights against unwarranted searches and seizures
64
*Encryption and Privacy Laws* Privacy (EU)
General Data Protection Regulation (GDPR) **Applies to any company with customers in EU!!**
65
*US Privacy Laws* HIPAA
Health Insurance Portability and Accountability Act
66
*US Privacy Laws* HITECH
Health Info Tech for Economic Clinical Health
67
*US Privacy Laws* Gramm-Leach-Bliley Act
for Financial institutions
68
*US Privacy Laws* COPPA
Children's Online Privacy Protection Act
69
*US Privacy Laws* ECPA
Electronic Comms Privacy Act
70
*US Privacy Laws* CALEA
Comm Assistance for Law Enforcement Act
71
Business Continuity Planning (BCP) (5 steps)
1. Strategy development
2. Provisions and processes
3. Plan approval
4. Plan implementation
5. Training and education

"Overall how-to plan"
72
*BCP Definitions* Disaster Recovery Plan (DRP)
Recovery from a disaster impacting IT and returning IT to operational
BCP for the **whole** business, DRP just for **IT**
73
*BCP Definitions* Continuity of Operation Plan (COOP)
Continuing business until IT is restored
74
Consequences of Privacy and Data Breach (4 types)
1. Reputation damage
2. ID theft
3. IP theft
4. Fines from failing to report
- GDPR can fine up to **4%** of global revenue or **20 Million Euros**
75
Data Breach Notifications (Notes :/ )
1. GDPR is 72 hours
2. Escalations to external sources possible
3. Countries have their own reporting timescale
4. Delays can warrant a criminal investigation