Domain 1 - Security and Risk Management Flashcards

(240 cards)

1
Q

What is the DRP (disaster recovery plan)?

A
  1. the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operations
  2. focuses on the technical aspects of recovery
2
Q

Control Types and Purposes

A
  1. Preventive controls, for reducing risk
  2. Detective controls, for identifying violations and incidents
  3. Corrective controls, for remedying violations and incidents and improving existing preventive and detective controls
  4. Deterrent controls, for discouraging violations
  5. Recovery controls, for restoring systems and information
  6. Compensating controls, for providing alternative ways of achieving a task
3
Q

Reduction analysis: 5 points to check

A

  1. Trust boundaries - any location where the level of trust or security changes, for example where an application requires a specific role or privilege to access a resource or operation
  2. Data flow paths - the movement of data between locations and any exposures for breaches
  3. Input points - locations where external inputs are received, for example a web form where there is the potential for SQL injection and the protections need to prevent that
  4. Privileged operations - any activity that requires greater privilege than that of a standard user account
  5. Details about security stance and approach - declaration of security policy, security foundations, and security assumptions
4
Q

Attributes of trademarks

A
  • Protects brands - a symbol, word, slogan, design, color or logo that can distinguish one source from another source
  • They last as long as your business continues to use them
  • Registering with the PTO (Patent and Trademark Office) is not required by law, but it confers many benefits on the trademark owner
    Example: the Nike trademark and logo
5
Q

What programming method does VAST work with?

A

Agile

6
Q

What are three ways integrity works for us?

A
  1. Preventing unauthorized subjects from making modifications
  2. Preventing authorized subjects from making unauthorized modifications
  3. Maintaining consistency of objects so that they are true and accurate
7
Q

The 2 focus items of security from a business aspect are?

  1. enable business
  2. enable profit
  3. increase risk awareness
  4. increase value
A
  1. enable business
  2. increase value
8
Q

7 steps of NIST RMF: what happens at Select?

A

Select an initial set of controls for the system, tailor and document the controls as needed to mitigate risk to an acceptable level based on an assessment of risk.

9
Q

What are the two key elements of risk management?

A
  1. risk assessment
  2. risk treatment
10
Q

Can responsibility be delegated?

A

Yes

11
Q

What are the 6 access control types?

A
  1. Preventative
  2. Detective
  3. Corrective
  4. Recovery
  5. Deterrent
  6. Compensating
12
Q

Security planning: the 3 levels and their definitions

A
  1. Strategic - long-term, stable plan that should include a risk assessment (5-year horizon, annual updates)
  2. Tactical - midterm plan developed to provide more detail on the goals of the strategic plan (usually 1 year); a little more flexible, can make some ad hoc adjustments if needed
  3. Operational - short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly); this will have budget figures, staffing assignments, scheduling and implementation procedures
13
Q

Is COBIT a threat model?

A

No, it's a security control framework, sometimes described as a framework for IT management and governance.

14
Q

The official four canons: number three is?

A

Provide diligent and competent service to principals

15
Q

Explain MTD

A
  1. Maximum tolerable downtime
  2. The measurement in time that determines when an event changes from an incident to a disaster
  3. The total time a system can be inoperable before our organization is severely impacted
16
Q

Definition of asset

A

A resource, process, product, or system that has some value to an organization. It could be tangible (computer, data, software) or intangible (privacy, access, public image).
It could have a tangible price (purchase price).
It could have intangible value (competitive advantage).

17
Q

Possible countermeasures to keep availability safe are?

A

a. Strict access controls / authentication
b. Continuous monitoring
c. Firewalls and routers to prevent DoS / DDoS attacks
d. Redundant system design
e. Periodic testing of backup systems

18
Q

Define qualitative

A

A relative ranking system using words like high, medium, low

19
Q

What is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis?

A

PASTA threat modeling

20
Q

What does ALE stand for, and define it

A

Annualized loss expectancy - the estimated annual loss for a threat or event, in dollars

21
Q

What is residual risk?

A

The risk that is left over once safeguards or controls are in place

22
Q

What life cycle does VAST work with?

A

SDLC - software development life cycle

23
Q

Define impact

A

Anything that negatively impacts the organization if a risk is realized.
Examples: loss of confidentiality, integrity or availability; financial or reputational loss; non-compliance; loss of life, etc.

24
Q

What is inherent risk?

A

A newly identified risk not yet addressed with risk management strategies

25
VAST threat modeling acronym
1. Visual 2. Agile 3. Simple 4. Threat
26
Explain RTO
1. Recovery time objective 2. The maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization. This is the maximum agreed time for the resumption of the critical business functions. Example: if there was a failure at the primary data center, the RTO would be the measurement of how long it takes to get back up and running in the backup data center
27
What is a risk-centric threat modeling methodology?
PASTA
28
Security policy guidelines
Suggestions: things that are good to do but not necessarily required (optional)
29
Qualitative is what?
Relative importance - a relative ranking system (high, medium, low) of value
30
What is a computer crime?
A crime (violation of law or regulation) that is directed against or directly involves a computer
31
NIST risk management framework (RMF) 7 steps
1. Prepare 2. Categorize 3. Select 4. Implement 5. Assess 6. Authorize 7. Monitor
32
What is a BCP?
Business continuity plan - the overall organizational plan for "how to" continue business
33
Define threat agents
The entities that cause threats by exploiting vulnerabilities
34
4 steps to supply chain evaluation
1. On-site assessment - visit the organization, interview personnel, view operating habits
2. Document exchange and review - investigate datasets and document exchange, review processes
3. Process/policy review - request copies of security policies, processes and procedures
4. Third-party audit - have an independent auditor provide an unbiased review of their security infrastructure
35
What is Maximum Tolerable Downtime?
The amount of time we can be without the asset before we have to declare a disaster.
36
Risk factors - something that increases risk or susceptibility - name and define the 5
1. Physical damage - natural disasters, power loss or vandalism
2. Malfunctions - failure of systems, networks, HVAC systems, peripherals
3. Attacks - purposeful acts of a threat actor, whether inside or outside, such as unauthorized disclosure
4. Human errors - usually considered accidental incidents, whereas attacks are purposeful
5. Application errors - failures of the application, including the operating system
37
Copyright and the Digital Millennium Copyright Act did what?
1. Covers the expression of an idea in some sort of fixed medium (books, movies, musical and dramatic works) by an artist
2. Disclosure is required
3. Lasts for the life of the author plus 70 years
38
What type of planning is a long-term, stable plan that should include a risk assessment (5-year horizon, annual updates)?
Strategic planning
39
4 ways to treat a risk
1. Avoid - when the cost of mitigating or accepting is higher than the benefits of the service, you avoid that risk (moving to Kansas from Florida to avoid hurricanes)
2. Transfer - insurance, third-party outsourcing
3. Mitigate - implementing cost-justified controls to reduce the risk
4. Accept
40
Under GDPR, how much time do you have to report a data breach?
72 hours
41
What is exposure factor (EF)?
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk
42
High-level business rules that the organization agrees to follow that reduce risk and protect information. They define "what" the organization is going to do and often "who" is going to do it. 1. Baseline 2. Procedure 3. Security policy 4. Standard
3. Security policy
43
Definition of threat
Any natural or man-made circumstance or event that could have an adverse or undesirable impact on an asset or process
44
Attributes of patents
A form of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a period of years; valid for 20 years. Example: the lightbulb
45
Define risk
The likelihood of something bad happening and the impact if it did
46
Which model is this: threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class.
Trike
47
What is a security policy?
1. High-level plans that describe the goals and the procedures 2. They are not guidelines or procedures 3. Policies describe security in general terms 4. They are mandatory
48
What is the difference between technical and logical?
1. Technical - the hardware 2. Logical - the software. Example: a firewall has hardware and software that runs on the hardware
49
What is NIST 800-37?
RMF - risk management framework
50
Qualitative risk analysis attributes
1. Uses a scoring system to rank threats and effective countermeasures (high, med, low) 2. Requires guesswork and estimation but still has meaningful results 3. Less accurate 4. Subjective
51
How do you define risk in a formula?
risk = threat x vulnerability
52
4 steps to risk analysis
1. Identify the assets to be protected, including relative value, sensitivity or importance
2. Define specific threats, including threat frequency and impact
3. Calculate annualized loss expectancy (ALE)
4. Select appropriate safeguards
53
What is recovery point objective (RPO)?
The organization's definition of acceptable data loss: the maximum period of time of data that would be lost if a disaster strikes. How often are your backups? The time between backups is your RPO.
54
The 2 general threat categories are? (pg 119 CD)
1. Natural - earthquakes, floods, hurricanes, lightning, etc.
2. Man-made - unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, sabotage, arson, social engineering, malicious code, viruses, etc.
55
What are 4 things to think about during acquisitions and divestitures?
1. Security governance and management - how is security being managed?
2. Security policy - how do policies between the two organizations differ?
3. Security posture - which security controls are present?
4. Security operations - what security operations are in place today and how do they operate: vulnerability management, third-party risk management and incident management
56
ALE (Annualized loss expectancy)
SLE (single loss expectancy) x ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
57
What are vulnerability assessments?
Using automated tools to locate known security weaknesses
58
Licensing - 4 types to know
1. Contractual
2. Shrink wrap - EULA that is enclosed with purchased software, like on DVDs
3. Click-through - requires a user to agree to terms and conditions (click-through) before accessing a website or completing an installation or online purchase
4. Cloud services
59
What is the COOP (continuity of operations plan)?
The plan for continuing to do business until the IT infrastructure can be restored.
60
4 management/enterprise frameworks
1. Zachman
2. TOGAF - broad range of enterprise architectures (business, applications, data and tech)
3. SABSA - ensures that the needs of your enterprise are met completely
4. COSO
61
The only threat modeling methodology that supports enterprise-wide scalability is?
VAST
62
3 things must be true for evidence to be admissible in a court of law
1. Relevant to a fact at issue in the case
2. The fact must be material to the case
3. The evidence must be competent, or legally collected
63
Availability is?
Authorized requests for objects must be granted to subjects within a reasonable amount of time.
64
What is ISO 15408?
Common Criteria for Information Technology Security Evaluation
65
What is assurance when looking at controls?
How we ensure the control is working effectively; typically this is done with logging, monitoring or another test of the control
66
Name 4 attributes of quantitative analysis
1. Uses numbers (money) to define asset value 2. More labor intensive compared to qualitative 3. Data collection and analysis, cost-benefit analysis 4. Objective
67
What is a DRP?
DRP (Disaster Recovery Plan) - the plan for recovering from an IT disaster and having the IT infrastructure back in operation.
68
What is SLE?
Single loss expectancy - cost of loss from a single realized threat or event, in dollars. The formula for SLE is asset value (AV) x exposure factor (EF)
69
What threat model is an attacker- and threat-centric approach?
PASTA
70
Formula for MTD - maximum tolerable downtime
MTD >= RTO + WRT
71
Define likelihood
The chance of, or how likely it is for, the risk to occur
72
VAST acronym means what?
Visual, Agile, Simple Threat modeling
73
What are two objectives of threat modeling? 1. Reduce cost 2. Fix threats 3. Eradicate threats 4. Mitigate threats 5. Reduce threats 6. Find threats
3. Eradicate threats 5. Reduce threats
74
formula for ALE (annualized loss expectancy)
SLE (single loss expectancy) x ARO (annualized rate of occurrence) = ALE (annualized loss expectancy)
75
Trademark attributes
1. Cover words, slogans, and logos used to identify a company and its products or services 2. U.S. trademarks generally last as long as the trademark is used in commerce and defended against infringement
76
The business continuity plan (BCP) has just been updated after a recent outage. All of the lessons learned, and updates to some of the critical business functions, have been incorporated and are ready for approval. At what point is the BCP considered validated for use within the organization? a. After it has been approved by senior management b. After the disaster recovery plan has been approved c. When a security assessment has been completed d. When it has been tested and proven effective under realistic conditions
d. When it has been tested and proven effective under realistic conditions
77
What type of planning is a midterm plan developed to provide more detail on the goals of the strategic plan (usually 1 year), a little more flexible, and able to make some ad hoc adjustments if needed?
Tactical planning
78
Which threat model is based on agile project management and programming (SDLC)?
VAST
79
Formula for SLE (single loss expectancy)
SLE = Asset Value (AV) x Exposure Factor (EF)
80
IAAA: list the steps and define them
1. Identification - unique user identification
2. Authentication - validation of the identification
3. Authorization - verification of privileges and permissions for the authenticated user
4. Accountability (auditing) - auditing, monitoring, logs
81
What are the two electronic communication privacy laws?
1. Communications Assistance for Law Enforcement Act (CALEA) 2. Electronic Communications Privacy Act (ECPA)
82
What is total risk?
The amount of risk an organization would face if no safeguards were implemented
83
3 common types of security evaluation
1. Risk assessment 2. Vulnerability assessment 3. Pen testing
84
The US can't export computer technologies to what countries?
1. Cuba 2. Iran 3. North Korea 4. Sudan 5. Syria
85
2 financial reporting security frameworks
1. Sarbanes-Oxley 2. COSO
86
Formula for risk
risk = threat x vulnerability x impact
87
Computer Fraud and Abuse Act (CFAA) attributes
The first major piece of cybercrime-specific law
88
Define impact
The negative consequence that will occur to the organization if a risk is realized. This could be a loss of confidentiality, integrity or availability; it could be financial, reputational, loss of life, any negative thing
89
What is eDiscovery?
Organizations that feel they will be the target of a lawsuit have the obligation to preserve digital evidence, in a process known as eDiscovery
90
2 ways to identify vulnerabilities
1. Vulnerability assessment 2. Pen testing
91
Integrity ensures what?
1. Unauthorized users or processes don't make modifications to data 2. Authorized users or processes don't make unauthorized modifications to data 3. Data is internally and externally consistent, meaning a given input produces an expected output
92
What is the controls gap?
The amount of risk reduced by implementing safeguards
93
What type of planning is a short-term, highly detailed plan based on the strategic and tactical plans (monthly, quarterly) that will have budget figures, staffing assignments, scheduling and implementation procedures?
Operational planning
94
Some countermeasures to keep confidentiality safe are?
a. Encryption b. Traffic padding c. Strict access controls / authentication d. Data classification e. Awareness training
95
What are the Organization for Economic Cooperation and Development (OECD) Guidelines?
* 30 member nations from around the world, including the U.S.
* Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, issued in 1980
96
What is the focus of business continuity management?
The focus is on the most critical or essential systems or processes
97
Two other considerations with risk analysis - define the following: 1. Loss potential 2. Delayed loss
1. Loss potential - what would be lost if the threat agent is successful in exploiting a vulnerability 2. Delayed loss - the amount of loss that can occur over time; loss is not always all at once
98
7 steps of NIST RMF: what happens at Monitor?
Monitor the system and the associated controls on an ongoing basis, track changes to the system, and conduct risk assessments and impact analysis periodically
99
What does OECD stand for?
Organisation for Economic Co-operation and Development
100
What is MTO (maximum tolerable outage)?
Maximum tolerable downtime (MTD), aka maximum tolerable outage (MTO): the maximum length of time a business function can be inoperable without causing irreparable harm to the business.
101
Asset value is what?
The value of the asset in dollars and cents
102
Among other things, PASTA threat modeling provides 3 important pieces of information
1. Dynamic threat identification 2. Enumeration 3. Scoring process
103
What are the 4 steps to risk analysis?
1. Identify the assets to be protected, including their relative value, sensitivity or importance to the organization; this is a component of risk identification (asset valuation)
2. Define specific threats, including threat frequency and impact data; this is a component of risk identification (threat analysis)
3. Calculate annualized loss expectancy (ALE)
4. Select appropriate safeguards; this is a component of both risk identification and risk control
104
What is NIST 800-161?
Cybersecurity supply chain risk management practices
105
Additional concepts linked to integrity
1. Accuracy 2. Authenticity 3. Validity 4. Nonrepudiation - a user cannot deny having performed an action
106
What three steps are included in VAST threat modeling?
1. Automation 2. Integration 3. Collaboration
107
What is single loss expectancy (SLE)?
Represents the cost associated with a single realized risk against a specific asset
108
What are the 4 different approaches to threat modeling (AAST)?
1. Asset-centric - identify threats to valuable assets
2. Attacker-centric - identify potential attackers and identify threats based on the attackers' goals
3. Software-centric - considers potential threats against the software the org develops or implements
4. Threat-centric
109
What is ARO?
Annualized rate of occurrence - the estimated annual frequency of occurrence of a threat or event
110
GDPR (EU General Data Protection Regulation) stance on PI (personal information) being transferred outside the EU
GDPR restricts transferring or storing PI related to EU citizens outside the EU
111
Define security standards
• Specific requirements • Formalized (regulatory / statutory) • More specific than policies • Tactical • Mandatory. Example: software or hardware mechanisms or products
112
Explain WRT
1. Work recovery time 2. The maximum tolerable amount of time needed to verify the system and/or data integrity as they return to normal operations (logs, databases, apps). Example: how long it takes to recover from your backup data center back to the primary data center and verify correct operations
113
What are some legal alternatives for confiscation of evidence?
1. The person with the evidence could surrender it
2. A subpoena
3. A law officer performing a legally permissible duty may seize visible evidence that the officer has probable cause to believe is associated with criminal activity
4. A search warrant
5. A law enforcement officer may collect evidence when exigent circumstances exist
114
What is the functional aspect of a control?
What it's meant to do. Example: what is a firewall meant to do? It is meant to control the flow of traffic between network segments
115
What does NIST 800-30 cover (what is it)?
Guide for Conducting Risk Assessments
116
What is the formula for Maximum Tolerable Downtime (MTD)?
Recovery Time Objective (RTO) + Work Recovery Time (WRT)
117
What are the two ways, at the highest level, that you can evaluate risk to an asset?
1. Quantitative 2. Qualitative
118
What is the Delphi Technique in qualitative risk analysis?
An anonymous feedback-and-response process used to arrive at a consensus
119
What is pen testing?
Using trusted individuals to stress test the security infrastructure to find issues that may not be discovered by a risk assessment or vulnerability assessment
120
Give some backstory on the 8 core principles from the OECD (Economic Cooperation and Development)
* The 8 core principles are for privacy and how we manage PII
* Every piece of privacy legislation in the world, no matter who wrote it or where it comes from, references these 8 core principles verbatim as its founding principles
* This is "THE" guideline globally
121
Integrity (2) defined
Ensures that data or system configurations are not modified without authorization
122
Trade secret attributes
1. Intellectual property that is absolutely critical to the business and must not be disclosed (the KFC secret recipe) 2. You do not need to register 3. There is no law protecting the secret itself, but there is likely a law on how someone obtained the secret.
123
What is exposure factor (EF)?
Part of the formula for SLE (single loss expectancy) - a measure of the negative effect or impact of a realized threat or event, expressed as a percentage
124
The three basic elements used to determine the value of an asset are? (pg 118 CD)
1. Initial and maintenance cost - tangible; also think about what revenue this asset generates or protects, which should probably be considered along with initial cost
2. Organizational cost - intangible
3. Public (or external) value - intangible and difficult to assess
125
Security controls have 3 categories
1. Technical (logical) - controls that provide logical security: firewalls, security information and event management systems (SIEM), IDS or IPS
2. Administrative - policies and procedures defined by the org's security policy, other regulations and requirements: hiring practices, background checks, data classification and labeling, security awareness training, etc.
3. Physical - items you can physically touch: guards, fences, motion detectors, lights, locked doors, sealed windows, laptop locks, etc.
126
What threat model is a unique open source methodology with a focus on satisfying the security auditing process from a cyber risk perspective? (Security auditing, cyber risk)
Trike
127
What does RTO stand for?
Recovery Time Objective
128
What is an incident?
• Some sort of occurrence or event that has a negative outcome
129
Do confidentiality and integrity depend on each other?
• Yes, one is not effective without the other
130
Explain RPO
1. Recovery point objective 2. The maximum amount of data loss the organization is willing to accept, measured in time. Example: for some services maybe that is an hour (you need hourly backups); for another service maybe you can accept a day (you need daily backups)
131
The basis for privacy rights is what amendment?
The Fourth Amendment to the US Constitution
132
The 4 main steps to business continuity planning (BCP)
1. Project scope and planning 2. Business impact analysis 3. Continuity planning 4. Approval and implementation
133
What are two laws related to healthcare?
1. HIPAA - Health Insurance Portability and Accountability Act 2. HITECH - Health Technology for Economic and Clinical Health Act
134
A risk-centric threat modeling methodology that provides a step-by-step process to inject risk analysis and context into an organization's overall security strategy from the beginning is what?
PASTA
135
What threat models use visual representations based on data flow diagrams?
PASTA, Trike
136
7 steps of NIST 800-37 RMF (risk management framework): mnemonic device
People Can See I Am Always Monitoring 1. Prepare 2. Categorize 3. Select 4. Implement 5. Assess 6. Authorize 7. Monitor
137
Formula for total risk
threats x vulnerability x asset value = total risk
138
Are standards mandatory?
Yes, mandatory
139
If you hire someone to create copyrighted content, how long is the content protected?
* If you hire someone or it is written under an anonymous name, it is 95 years from first publication or 120 years from creation (whichever is shorter)
* If the writer is no longer anonymous and has been identified, then it flips to 70 years after the author's death
140
7 steps of NIST 800-37
1. Prepare - prepare to execute the processes for RMF 2. Categorize 3. Select 4. Implement 5. Assess 6. Authorize 7. Monitor
141
What is a threat? Give some examples
1. Any potential danger to an organization 2. Natural (hurricanes, floods) 3. Technical (systems going offline, viruses, malware) 4. Physical (power going out, lack of cooling) 5. People (malicious insiders, riots outside your office)
142
7 steps of NIST RMF: what happens at Authorize?
Provides accountability by requiring senior management to determine if the security and privacy risks, based on the controls, are acceptable.
143
What is the safeguard evaluation formula?
ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard (is the safeguard cost effective?)
144
Can accountability be delegated?
No
145
Safeguard evaluation - safeguards must fit 4 criteria to be good security controls
1. Must mitigate risk 2. Are transparent to users 3. Are difficult to bypass 4. Are cost effective
146
Define controls gap
* The amount of risk that is reduced by implementing safeguards
* The level of residual risk that has been determined to be reasonable
147
Threat models are used to satisfy the security auditing process. Threat models are based on a "requirements model." The requirements model establishes the stakeholder-defined "acceptable" level of risk assigned to each asset class. Trike / PASTA / Simple / VAST
Trike
148
6 categories of computer crimes are?
1. Military and intelligence 2. Business attacks 3. Financial attacks 4. Terrorist attacks 5. Grudge attacks 6. Thrill attacks
149
Can accountability be delegated?
No
150
Availability defined
Authorized requests for objects must be granted to subjects within a reasonable amount of time (we need to keep systems available, uptime, etc.)
151
Which is a seven-step process for aligning business objectives and technical requirements, taking into account compliance issues and business analysis? VAST / Trike / PASTA / STRIDE
PASTA
152
Business impact assessment: what are the 4 measurements in time?
1. RPO (recovery point objective) 2. RTO (recovery time objective) 3. WRT (work recovery time) 4. MTD (maximum tolerable downtime)
153
Explain trans-border data flow, as defined by the OECD
* It involves the geographic borders the data flow crosses
* Rules, regulations, risk and security are all affected by the geographic location of that data
* It's not where the data started; it's the geographic location where it resides when the different regulations are applied
154
There can be some overlap between deterrent controls and preventative controls, but the technical difference is what?
1. Deterrent controls really rely on someone making the decision to not do something 2. Preventative controls are really designed to stop the unwanted behavior
155
What does maximum tolerable downtime (MTD) mean?
The maximum period of time that a critical business function can be inoperative before the company incurs significant and long-lasting damage
156
Confidentiality (1) defined
Access controls help ensure that only authorized subjects can access objects
157
Exposure factor is what?
The percentage of the asset that will be lost if the risk is realized (shown as a percentage)
158
Availability - name some threats to availability
1. Denial of service attack 2. Single points of failure 3. Inadequate capacity (storage, bandwidth, processing) 4. Lack of planning 5. Equipment malfunction 6. Business interruptions or disasters
159
7 steps of NIST RMF: what happens at Assess?
Assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes
160
Formula for DREAD threat modeling
1. Damage 2. Reproducibility 3. Exploitability 4. Affected users 5. Discoverability
* Quantitative approach, each rated 0-10
* Take the total for the 5 above and divide by 5
161
Are guidelines mandatory?
No, they are suggestions, not mandatory
162
What are security controls?
The security measures for countering and minimizing loss or unavailability of services and apps due to vulnerabilities
163
Are policies mandatory?
Yes, mandatory
164
Formula for safeguard evaluation
ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
165
Definition of vulnerability
The absence or weakness of a safeguard or control in an asset or process that makes a threat potentially more harmful or costly
166
what is the Wassenaar arrangement
any country that is a signing member of the Wassenaar arrangement can use cryptography of any strength with anyone else
167
what are the 3 Access Control Categories
1. Administrative (Directive) 2. Technical Control 3. Physical Control
168
risk management consists of what 3 main elements
1. threat identification 2. risk analysis 3. risk treatment
169
3 types of law and explain
1. criminal law - contains prohibitions against acts such as murder, assault, robbery, and arson; society is the victim and proof must be beyond a reasonable doubt 2. civil law (tort law) - individuals and organizations are the victims; proof must be by a preponderance of the evidence (the majority of the proof); includes contract disputes, real estate transactions, employment, estate and probate (lawsuits) 3. administrative law - laws enacted by government agencies (FDA laws, HIPAA, FAA laws, etc.)
170
how many members are in the Wassenaar arrangement?
41
171
what threat model is a visual representation based on process flow diagrams
VAST
172
What provides a step-by-step process to inject risk analysis and context into an organization's overall security strategy from the beginning? Risk-centric, with an attacker's perspective on a business with risk
PASTA threat modeling
173
attributes of copyrights
- protects the rights of "authors" in their original creative works - the term is equal to the life of the author plus 70 years. Example: novels, paintings, films and songs
174
what is risk assessment
process of identifying assets, threats, and vulnerabilities, then using that information to calculate risk
175
according to NIST 800-37 rev 2, what is in the middle of the risk management framework, or what should you do first
• prepare - prepare to execute the RMF by establishing context and priorities for managing security and privacy risk
176
define vulnerability
a weakness that exists (any weakness) - an unpatched system, a lack of a fire suppression system, a lack of high enough fences around a facility
177
attributes of patents
1. patents protect the intellectual property rights of inventors 2. they last 20 years 3. to apply for a patent the product must be needed, novel, useful and not obvious
178
what privacy act deals with financial institutions
a federal law enacted in the United States in 1999 to control the ways financial institutions deal with the private information of individuals
179
what are some countermeasures to keep integrity safe
a. strict access controls / authentication b. IDS c. encryption d. hashing e. interface restrictions / controls f. input / function checks (validation)
180
what is risk avoidance
1. not doing the thing that you have identified as a risk - if moving to the cloud is risky, then you don't do it
181
what is Annualized Loss Expectancy (ALE)
the possible yearly cost of all instances of a specific realized threat against a specific asset
182
what is the BCP (business continuity plan)
1. the overall organization's plan for how to continue business 2. focuses on the whole business - getting back to doing business 3. is an umbrella policy, and the DRP falls under that umbrella as part of the broader plan
183
What threat modeling framework is based on agile programming
VAST
184
what is Annualized Rate of Occurrence (ARO)
the expected frequency with which a specific threat or risk will occur within a single year
185
What ISO standard uses PDCA (plan, do, check, act), and what is that standard for
ISO 27001 - establishing, implementing, maintaining and continually improving an ISMS (information security management system)
186
Integrity is?
ensures that data or system configurations are not modified without authorization
187
do you ever mitigate all risk
no
188
what is RTO (recovery time objective)
The organization's definition of the acceptable amount of time an IT system can be offline
189
ARO (annualized rate of occurrence)
how often you expect the risk to occur per year (hurricane, flood, compromise etc.)
190
the threat modeling framework STRIDE was developed by whom
Microsoft, focused on software
191
difference between safeguard and countermeasures
1. a safeguard is proactive, attempting to prevent a risk via directive, deterrent and preventive controls 2. countermeasures are reactive - controls put in place when a risk has occurred
192
security governance should enable what
1. corporate governance (enable business)
193
what is the primary goal of the threat modeling framework VAST
integrate threat management into an Agile programming environment
194
7 steps of NIST RMF, what happens at Implement
Implement the controls and document how the controls are employed within the system and its environment of operation.
195
ISC2 code of Ethics Preamble:
1. The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. 2. Therefore, strict adherence to this code is a condition of certification
196
what is an event
• something that has happened
197
COBIT is based on what 5 principles
1. meeting stakeholder needs 2. covering enterprise end-to-end 3. applying a single, integrated framework 4. enabling a holistic approach 5. separating governance from management
198
when developing new safeguards, you are establishing a new security baseline. is keeping compliance with the existing baseline a consideration
no, you are updating that baseline, the new baseline is the new compliance level
199
6 steps to quantitative risk analysis
1. inventory assets and assign value (asset value - AV) 2. Calculate Exposure Factor (EF) 3. Calculate Single Loss Expectancy (SLE) 4. Assess the Annualized Rate of Occurrence (ARO) 5. Derive the annualized loss expectancy (ALE) 6. perform a cost/benefit analysis of each countermeasure for each threat to each asset
200
confidentiality is?
access controls help ensure that only authorized subjects can access objects
201
SLE (single loss expectancy) formula is
(asset value) X (exposure factor) = SLE
202
define threat
any potential danger to the organization
203
What threat model takes an attacker's perspective on a business with risk
PASTA
204
what is a breach
• an occurrence or event that has a negative outcome
205
what is the formula for Annualized Loss Expectancy (ALE)
ALE = Single Loss Expectancy (SLE) X Annualized Rate of Occurrence (ARO)
206
what is the definition of security controls
they are the security measures for countering and minimizing loss or unavailability of services and apps due to vulnerabilities
207
importance of Federal Information Security Management Act (FISMA)
required formal InfoSec operations for the federal government
208
risk categories - a group of potential causes of risk. name and define the 3
1. Damage - physical loss of an asset or inability to access that asset 2. Disclosure - disclosure of critical information regardless of how or where; a malicious act by a threat actor or unintentional on the part of a user 3. Losses - these might be permanent or temporary, including altered data or inaccessible data
209
quantitative is related to what
related to cost
210
Computer Ethics Institute ten commandments
1. Thou shalt not use a computer to harm other people 2. Thou shalt not interfere with other people's computer work 3. Thou shalt not snoop around in other people's computer files 4. Thou shalt not use a computer to steal 5. Thou shalt not use a computer to bear false witness 6. Thou shalt not copy or use proprietary software for which you have not paid 7. Thou shalt not use other people's computer resources without authorization or proper compensation 8. Thou shalt not appropriate other people's intellectual output 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing 10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
211
The official four canons. number one is?
Protect society, the common good, necessary public trust and confidence, and the infrastructure
212
what threat modeling framework focuses on the necessity of scaling the threat modeling process across the infrastructure and the entire SDLC? (Simple, STRIDE, Trike, VAST, PASTA)
VAST
213
define security policy baselines
minimum levels of security requirements - mandatory
214
Federal Sentencing guidelines did what
provided punishment guidelines to help judges interpret computer crime laws
215
7 steps of NIST RMF, what happens at categorize
Categorize the system and the information processed, stored and transmitted by the system based on an analysis of the impact of loss - in other words, determine the risk
216
attributes of Trade Secrets
- protect secret or confidential information (formulas, practices, processes, designs, instruments, patterns, or compilations of information). Example: Coca-Cola recipe
217
what is an asset
* an asset is anything that is valuable, but usually means - data (such as PII) - software - IT components - intellectual property - brand - reputation - real estate/facilities
218
attributes of a hot site
- highest cost backup site - always running - exact duplicate of the main site including data, patches, software and hardware - the site is staffed - RTO (recovery time objective): 5 minutes to hours
219
The official four canons. number four is?
Advance and protect the profession
220
attributes of a warm site
- backup site that contains IT infrastructure (hardware and sometimes software) - does not contain data - contains the equipment and data circuits required for rapid recovery - middle ground between a hot site and a cold site - RTO (recovery time objective): 1-2 days
221
are baselines mandatory
yes mandatory
222
steps of the threat modeling framework STRIDE
1. Spoofing 2. Tampering 3. Repudiation 4. Information disclosure 5. Denial of service 6. Elevation of privilege
223
asset valuation can be done in two ways
1. Quantitative analysis 2. Qualitative analysis
224
what are the 4 steps to threat analysis
1. Define the actual threat. 2. Identify possible consequences to the organization if the threat is realized. 3. Determine the probable frequency of a threat. 4. Assess the probability that a threat will materialize.
225
NIST 800-30 has 4 steps with 5 additional sub-steps for conducting a risk assessment. name them
1. Prepare for assessment 2. Conduct assessment 2A. identify threat sources and events 2B. identify vulnerabilities and predisposing conditions 2C. determine likelihood of occurrence 2D. determine magnitude of impact 2E. determine risk 3. Communicate results 4. Maintain assessment
226
The official four canons. number two is?
Act honorably, honestly, justly, responsibly, and legally
227
Controls gap formula
* total risk - controls gap = residual risk * the controls gap is the difference between total risk and residual risk, i.e. the amount of risk the controls mitigated
228
What are these items describing: 1. threats 2. vulnerability 3. likelihood - how likely this is to happen 4. impact
Risk analysis
229
what is disclosure
• making "secret" information public
230
how to determine MTD (maximum tolerable downtime)
RTO (recovery time objective) + WRT (working recovery time) must be equal to or less than MTD
231
two methods to identify vulnerabilities
1. vulnerability assessment 2. pen test
232
What does MTD stand for
Maximum Tolerable Downtime
233
what types of evidence can be used in a criminal or civil trial
1. real evidence - evidence that can be brought into the courtroom 2. documentary evidence - written documents that provide insight into the facts 3. testimonial evidence - verbal or written statements made by a witness
234
what is reduction analysis in threat modeling
breaking a system down into its parts and looking at each element for weaknesses and vulnerabilities
235
are procedures mandatory
yes mandatory
236
From a high level, what are the 3 risk assessment steps
* risk identification * risk analysis * risk prioritization
237
what is RPO (recovery point objective)
Recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss will exceed what is acceptable to an organization
238
consequences of a privacy and data breach
1. reputational damage - effects could last for years 2. identity theft 3. loss of intellectual property 4. fines - failing to report a breach can result in fines in the millions and may also lead to lawsuits - GDPR outlines fines of up to 4% of a company's annual global revenue or 20 million euros for failing to report a breach - any company that does business in the EU is subject to GDPR
239
attributes of a cold site
* least expensive backup site * no IT infrastructure (computing and network hardware) * electrical and data circuits are in place ready to receive replacement equipment and data in the event the users have to move to an alternate site * RTO (recovery time objective): 1-2 weeks
240
are policies mandatory
yes