Domain 1 Flashcards

1
Q

What is the CIA Triad

A
  1. Confidentiality
  2. Integrity
  3. Availability

2
Q

Achieving CIA Best Practices

A
  1. Separation of Duties
  2. Mandatory Vacations
  3. Job Rotation
  4. Least Privilege
  5. Need-to-know
  6. Dual Control

3
Q

BIA

A

Business Impact Analysis

4
Q

Define RTO

A

Planned recovery time. The amount of time allocated for a recovery plan to be executed

5
Q

WRT

A

Work Recovery Time

6
Q

Define WRT

A

The time needed to test and make sure everything is ready to go into the live production environment

7
Q

SLO

A

Service Level Objective

8
Q

Define SLO

A

The level of Service a business needs to recover to in order to meet contractual requirements

9
Q

RTO

A

Recovery Time Objective

10
Q

COOP

A

Continuation of Operations

11
Q

Define COOP

A

Focuses on delivering “something”, even if not optimal, while recovering critical systems to nominal

12
Q

MTD

A

Maximum Tolerable Downtime

13
Q

Define MTD

A

The amount of time we can be without a critical business function before the business can no longer function (the pain of loss)

14
Q

MTO

A

Maximum Tolerable Outage

15
Q

Define MTO

A

The amount of time the business can operate in recovery mode. May be limited by resources or inventory constraints (for example, fuel for generators)

16
Q

Steps of BIA

A
  1. Inventory and define assets (critical assets)
  2. Learn the business (understand what it does)
  3. Identify critical business functions
  4. Total list of assets, critical and non-critical, and their functions
  5. Derive plans - create different plans for management to select from

17
Q

Risk Management Constraints

A

Time and budget

18
Q

Opposite of CIA Triad (DAD)

A

Disclosure, Alteration, Destruction

19
Q

Protection Mechanisms

A
  1. Layering (defense in Depth)
  2. Abstractions
  3. Encryption

20
Q

Security Control Categories

A
  1. Directive (administrative) - mandated requirements
  2. Deterrent - reduces someone’s will to attack
  3. Preventative - controls to prohibit activity
  4. Detective - recognizes hostile activity
  5. Corrective - reacts to a situation to stop it and restore
  6. Recovery - restores operations to a known good state

21
Q

Define Risk Management

A

Process of identifying, examining, measuring, mitigating, or transferring (sharing) risk

22
Q

Risk Terminology

A

Asset - Anything of value to a company
Vulnerability - A weakness; the absence of a safeguard
Threat - Anything that could pose a risk to an asset
Threat agent - The entity that carries out an attack
Exploit - An instance of compromise

23
Q

Popular Security Frameworks

A
ISO 27001/27002
COBIT
ITIL
RMF
CSA STAR

24
Q

ISO 27001

A

ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy

25
Q

ISO 27002

A

ISO 27002 is a comprehensive list of security controls that can be applied to an organization; the organization uses ISO 27002 to select the controls appropriate to its own ISMS, which the organization designs according to ISO 27001

26
Q

COBIT

A

The COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.

27
Q

ITIL

A

"concentrates on how an organization’s IT environment should enhance and benefit its business goals. ITIL is also mapped to the ISO 20000 standard, perhaps the only non-ISO standard to have this distinction"

28
Q

RMF

A

NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function): the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). Required to be followed by federal agencies in the United States.

29
Q

CSA STAR

A

Cloud Security Alliance (CSA) publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. "STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of IT security." It has three tiers.

30
Q

Three Tiers of STAR Framework

A

Tier 1. Only requires vendor self-assessment; uses the CAIQ
Tier 2. Assessment of the organization by an external auditor certified by CSA to perform CAIQ audits
Tier 3. Requires continuous monitoring of the target organization by independent, certified entities

31
Q

Due Care

A

"a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm."

32
Q

Due Diligence

A

"is any activity used to demonstrate or provide due care. Using the previous example, the car vendor might engage in due diligence activities such as quality control testing (sampling cars that come off the production line for construction/assembly defects), subjecting itself to external safety audit, prototype and regular safety testing"

33
Q

Samples of Types of Vulnerabilities

A
  1. Software
  2. Physical
  3. Personnel

34
Q

Two Risk Analysis Categories

A

Qualitative, Quantitative

35
Q

Define Qualitative

A

A subjective approach to risk analysis. The organization should opt for this method when the organization does not have a sufficient availability of time, budget, or personnel trained in risk analysis to put toward the effort.

36
Q

Define Quantitative

A

An objective approach to risk analysis; the quantitative method should produce objective, discrete numeric values. The organization should opt for this method when it has sufficient time, budget, and personnel trained in risk analysis to put toward the effort.

37
Q

General Risk Management Options

A

Avoidance, Acceptance, Mitigation, Transference

38
Q

Remaining risk after risk management efforts is called

A

Residual risk

39
Q

ALE

A

Annual Loss Expectancy (ex. if ARO is 1000 and SLE is 5, then ALE = 1000 * 5 = 5000)

40
Q

SLE

A

Single Loss Expectancy (ex. from a single incident you expect $5 in loss)

41
Q

ARO

A

Annual (annualized) Rate of Occurrence

42
Q

What is the loss expectancy model (equation)

A

ALE = ARO * SLE

43
Q

EF

A

Exposure Factor

44
Q

AV

A

Asset Value

45
Q

How is SLE calculated

A

SLE = AV * EF

46
Q

Define ARO

A

Number of times per year a given impact is expected, expressed as a number (ex. 1000 events in the course of a year is 1000/1, so ARO = 1000; once every 50 years is 1/50, so ARO = 0.02)

47
Q

Define Defense in Depth (Layered Defense)

A

Using multiple types of security controls to prevent a single failure from defeating the defense and to improve the likelihood of stopping attacks

48
Q

SCA

A

Security Control Assessment

49
Q

Define SCA

A

"a plan and process for determining the proper function and management of controls is necessary and should be customized to the needs of the organization. This is very similar to an audit with specific focus on security controls and includes performance of those controls"

50
Q

Control Assessment Techniques

A

Vulnerability Assessment
Penetration Test

51
Q

What NIST Special Publication is 800-37

A

RMF (publication)

52
Q

S.T.R.I.D.E

A
  1. Spoofing
  2. Tampering
  3. Repudiation
  4. Information Disclosure
  5. Denial of Service
  6. Escalation of Privilege

53
Q

What are the Threat Modeling Concepts

A

STRIDE, DREAD, MART

54
Q

D.R.E.A.D.

A
  1. Damage
  2. Reproducibility
  3. Exploitability
  4. Affected
  5. Discoverability

55
Q

M.A.R.T.

A
  1. Mitigate
  2. Accept
  3. Reject
  4. Transfer

56
Q

SLA

A

Service Level Agreement

57
Q

GDPR

A

General Data Protection Regulation

58
Q

Define GDPR

A

European Union privacy protection Act

59
Q

Define HIPAA

A

American federal law that impacts medical privacy

60
Q

GLBA (Gramm-Leach-Bliley Act)

A

US law that allows banks to merge with insurance providers for information

61
Q

Sarbanes-Oxley Act (SOX)

A

Law created to regulate fraud prevention and finances of publicly traded companies

62
Q

FISMA (Federal Information Systems Management Act)

A

Law applicable only to the federal government, requiring compliance with NIST

63
Q

Computer Related Crimes

A

Malware
Unauthorized Access
Ransomware
Theft
Illegal Use of Source (botnet, DDoS attacks)
Fraud

64
Q

Intangible Assets are called

A

Intellectual Property

65
Q

Modern Forms Of Licensing Include

A

Site Licensing
Per-seat Licensing
Shareware
Public Domain

66
Q

DRM

A

Digital Rights Management

67
Q

DRM Traits

A

Persistency, Dynamic policy control, Automatic expiration, Continuous audit trail, Interoperability

68
Q

Define Import/Export Controls

A

The controls to limit and monitor the transborder passing of data, software and hardware. Protects US interests and intellectual property

69
Q

As of 2018, does US Adhere to GDPR

A

No

70
Q

Types of Laws

A

Criminal
Civil
Administrative
Comprehensive Crime Act (1984)
Computer Fraud and Abuse Act (1986)
Computer Security Act (1987)
Government Information Security Reform Act (2000)
Federal Information Security Management Act (2002)

71
Q

Types of Intellectual Property

A

Copyright
Trademarks
Patents
Trade Secrets
Licensing

72
Q

6 steps of Risk Management Framework

A
  1. Categorize information systems
  2. Select security controls
  3. Implement security controls
  4. Assess controls
  5. Authorize system
  6. Monitor controls

73
Q

Risk Value Equation

A

Risk Value = Probability * Impact

74
Q

Security Governance Frameworks

A

ISO 27000 Series
COBIT
COSO
OCTAVE
ITIL