Domain 1: Security and Risk Management Flashcards

(153 cards)

1
CIA Triad
Confidentiality, Integrity, Availability
2
Ex: Violation of Confidentiality
capturing network traffic, stealing password files, social engineering, port scanning, shoulder surfing, sniffing…
3
Sensitivity
quality of info which could cause harm or damage if disclosed
4
Discretion
act or decision where an operator can influence or control disclosure to minimize damage
5
Criticality
level to which info is mission critical
6
Concealment
act of hiding or preventing disclosure
7
Seclusion
storing info in an out-of-the-way location
8
Ex: Violation of Integrity
accidental deletion of files, entering invalid data, including errors in commands…
9
Availability
authorized subjects are granted timely and uninterrupted access to objects
10
Ex: Violations of Availability
accidental deletion of files, overutilization of HW/SW, underallocating resources…
11
AAA Services
Identification, Authentication, Authorization, Auditing, Accounting
12
Identification
who you are
13
Authentication
you are who you say you are
14
Authorization
allowing or denying access to resources and objects based on who you are
15
Auditing
recording of events
16
Accounting/Accountability
holding subjects accountable for their actions
17
Nonrepudiation
ensures that the subject of an activity or event cannot deny that the event occurred; possible through AAA services
18
Layering
Defense in Depth, delay an intruder
19
Abstraction
similar elements are put into groups, classes, or roles and assigned security controls as a collective
20
Data Hiding
positioning data in a logical storage compartment not seen by subjects (think classification levels)
21
Encryption
art and science of hiding the meaning or intent of a communication from unintended recipients
22
Security Governance
collection of practices related to supporting, defining, and directing the security efforts of an org
23
The best key plan is useless without ________
approval by senior mgmt
24
Security Plan Timeline
Strategic (5 year - risk assessment, stable, security purpose), Tactical (1 year - midterm, scheduled tasks, project plans, hiring plans, budget plans), Operational (months - short term, highly detailed, training plans, system deployment plans)
25
Importance of CM
Change can introduce new loopholes, overlaps, and oversights that lead to new vulnerabilities
26
Goal of CM
ensure that change does not lead to reduced security; backups and rollbacks
27
Data Classification
data is protected based on its need for secrecy, sensitivity, or confidentiality
28
Primary Objective of Data Classification
formalize and stratify the process of securing data based on assigned labels of importance and sensitivity
29
7 steps to implement a classification scheme
1. Identify the custodian and define responsibilities 2. Specify the evaluation criteria of how the info will be classified and labeled 3. Classify and label each resource 4. Document any exceptions to the classification policy 5. Select the security controls 6. Specify the procedures for declassifying resources 7. Create an enterprise-wide awareness program
30
Levels of Government Classification
Top Secret, Secret, Confidential, Sensitive but Unclass, Unclassified
31
Commercial Classification Levels
Confidential/Proprietary, Private, Sensitive, Public
32
Senior Manager
ultimately responsible for security maintained
33
Security Professional
experienced network, systems, and security engineer who is responsible for following the directives mandated by senior mgmt (functional responsibility)
34
Data Owner
responsible for classifying info
35
Data Custodian
responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management
36
User
person who has access to the system
37
Auditor
responsible for reviewing and verifying that the security policy is properly implemented
38
COBIT & COSO
goals for meeting security - COBIT is IT, COSO is org
39
Due Care
using reasonable care to protect the interests of the org
40
Due Diligence
Practicing the activities that maintain due care
41
Security Policy
document that defines the scope of security needed by an org and discusses assets that need protection. Assigns responsibilities, defines roles, specifies audit requirements, defines acceptable risk levels
42
3 Categories of Security Policies
Regulatory (industry and legal standards), Advisory (acceptable use policy) and Informative (support, background)
43
Standards
define requirements for homogeneous use of hw, sw, tech, and security controls. Tactical docs that define steps to accomplish goals defined by the security policy
44
Baseline
minimum level of security that every system must meet
45
Guidelines
recommendation on how standards and baselines are implemented
46
Procedures
step by step how to
47
Relationship of Policy Components
(Inverted Triangle) Procedures -> Guidelines -> Standards -> Policies
48
3 Approaches to ID Threats
Focus on Assets, Focus on Attackers, Focus on Software
49
STRIDE
Threat Categorization Scheme - Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privileges
50
Reduction Analysis
decomposing the application, system or environment
51
5 key concepts of decomposition
Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach
52
DREAD
Threat Ranking - Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability
53
Acquisition Assessment
On-Site Assessment, Document Exchange and Review, Process/Policy Review
54
Protection Mechanisms
Layering, Abstraction, Data Hiding, Encryption
55
Applying Threat Modeling
Identifying threats, Determining potential attacks, Performing reduction analysis, Prioritization and response
56
Separation of Duties
work tasks are divided among several individual administrators
57
Collusion
occurrence of negative activity undertaken by two or more people
58
Job Responsibilities
Specific work tasks an employee is required to perform on a job
59
Job Rotation
rotating employees among multiple positions to provide knowledge redundancy and reduce the risk of fraud, misuse of info, data modification, etc.
60
NDA
Nondisclosure agreement used to protect the confidential information within an organization from being disclosed by a former employee
61
NCA
Noncompete Agreement prevents employees with secrets from working in a competing org
62
6 parts of employee termination policy
Return of assets, remove or disable the employee's network user account, notify HR to issue final paycheck, arrange for security to escort out, inform security personnel at entrance points that the employee does not reenter unescorted
63
SLA
Service Level Agreement
64
Compliance
the act of conforming to or adhering to rules, policies, regulation, standards, or requirements
65
Third-party Governance
security oversight on third parties that your org relies on
66
Risk
the possibility that something could happen to damage, destroy, or disclose data or other resources
67
The primary goal of risk management is __________
to reduce risk to an acceptable level
68
Risk Analysis
The process by which the goals of risk management are achieved
69
Asset
anything within an environment that should be protected
70
Asset Valuation
dollar value assigned to an asset
71
Threats
Any potential occurrence that may cause an undesirable or unwanted outcome
72
Vulnerability
The weakness in an asset or the absence or weakness of a safeguard or countermeasure
73
Exposure
being susceptible to asset loss because of a threat
74
Risk = A x B
Threat X Vulnerability
75
Safeguard
countermeasure; anything that removes or reduces a vulnerability or protects against one or more specific threats
76
Attack
exploitation of a vulnerability by a threat agent (intentional attempt)
77
Breach
occurrence of a security measure being bypassed or thwarted by a threat agent
78
Elements of Risk
THREATS exploit VULNERABILITIES which results in EXPOSURE which is RISK which is mitigated by SAFEGUARDS which protect ASSETS which are endangered by THREATS
79
Risk management/analysis is primarily an exercise for _______
upper management
80
Six Major Elements of Quantitative Risk Analysis
Assign Asset Value, Calculate Exposure Factor, Calculate SLE, Assess ARO, Derive ALE, Perform cost/benefit analysis of countermeasures
81
EF
Exposure Factor - loss potential %
82
SLE
Single Loss Expectancy = AV * EF
83
ARO
Annualized Rate of Occurrence is the expected frequency with which a threat or risk will occur in a single year
84
ALE
Annualized Loss Expectancy = SLE * ARO
85
Cost/Benefit Analysis steps
Pre-countermeasure ALE, Post-countermeasure ALE, Annual Cost of safeguard
86
Delphi Technique
anonymous feedback and response process used to enable a group to reach an anonymous consensus
87
4 Possible Risk Responses
Reduce/Mitigate, Assign/Transfer, Accept, Reject/Ignore
88
Risk Mitigation or Reduction
implementing safeguards and countermeasures to reduce threats
89
Risk Assignment
Insurance
90
Residual Risk
Risk remaining once countermeasures are implemented
91
Total Risk = _______
Threats * Vulnerabilities * AV (conceptual, not actual multiplication)
92
Difference between total risk and residual risk
Controls gap - amount of risk reduced by implementing safeguards
93
3 Categories of Security Control Implementation
Physical, Logical/Technical, Administrative
94
Technical Controls
involves hw or sw mechanisms used to manage access and provide protection
95
Administrative Controls
policies and procedures
96
Physical Controls
Controls you can physically touch
97
Control Types (7)
Deterrent - convinces user not to take actions; Preventative - blocks user from taking action; Detective - post action, discovers activity; Compensating - aids in enforcement; Corrective - modifies environment to return to normal; Recovery - extension of corrective, more advanced; Directive - directs, controls, or confines the actions of subjects to force or encourage compliance
98
A prerequisite to security training is ______
Awareness
99
Training vs Education
education is more detailed and provides more than users needs to know for their jobs
100
BCP
Business Continuity Planning involves assessing the risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur
101
The top priority of BCP and DRP is always __________
people
102
The overall goal of BCP is ____________________
to provide a quick, calm, and efficient response in the event of an emergency
103
4 main steps of the BCP process
Project Scope and Planning, Business Impact Analysis, Continuity Planning, Approval and Implementation
104
Project Scope and Planning Requirements
■ Business Org Analysis ■ BCP Team Creation ■ Resource Assessment ■ Legal and regulatory analysis
105
Business Org Analysis
identify all departments and individuals who have a stake in the BCP
106
BCP Team Selection
Reps from core service departments, reps from key support departments, IT reps, security reps, legal reps, senior management reps
107
Three Phases of BCP
BCP Development, BCP Testing, Training, and Maintenance, and BCP Implementation
108
The most significant resources consumed by the BCP plan are ________
people
109
BIA
Business Impact Analysis - identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources, assess likelihood and impact of those threats being realized
110
5 Steps of BIA
1. Identify Priorities 2. Identify Risks 3. Likelihood Assessment 4. Impact Assessment 5. Resource Prioritization
111
Identify Priorities
1st step of BIA, determine most essential activities to day to day operations
112
MTD/MTO
Maximum Tolerable Downtime, Maximum Tolerable Outage - maximum length of time a business function can be inoperable without causing harm to the business
113
RTO
Recovery Time Objective - amount of time in which you think you can feasibly recover the function in the event of a disruption
114
Goal of BCP is to ensure that RTO is _____ than your MTD
less
115
Sources for Likelihood Assessment
NOAA, FEMA, USGS
116
Categories of Law
Criminal, civil, administrative
117
CCCA of 1984
Comprehensive Crime Control Act, exclusively covered computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on thin constitutional ice
118
CFAA of 1986
Computer Fraud and Abuse Act - changes to cover all federal interest computers
119
1994 CFAA Amendments (4)
■ Outlawed the creation of any type of malicious code that might cause damage ■ Modified the CFAA to cover any computer used in interstate commerce ■ Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage ■ Provided legal authority for the victims of computer crime to pursue civil action
120
CSA of 1987
Computer Security Act, mandated baseline security requirements for all federal agencies, gave NIST responsibility for developing standards
121
Following the CSA, the NSA retained authority over __________ and NIST gained responsibility for _________
NSA retained authority over classified systems, NIST gained responsibility for securing all other federal govt systems
122
Three Major provisions of Federal Sentencing Guidelines
Prudent Man Rule (hold senior executives responsible), Minimize punishment by showing due care and due diligence, Three burdens of proof (legally recognized obligation, failure to comply with standards, and relationship between act of negligence and damages)
123
National Information Infrastructure Protection Act of 1996
Amendments to CFAA, covers international commerce, covers national infrastructure, treats damage causing act as felony
124
Law Timeline
1984 - CCCA; 1986 - CFAA; 1987 - CSA; 1991 - Federal Sentencing Guidelines; 1994 - CFAA Amendments; 1995 - Paperwork Reduction Act; 1996 - National Info Infrastructure Protection Act; 2000 - GISRA; 2002 - FISMA
125
Paperwork Reduction Act
agencies must obtain OMB approval before requesting info from the public
126
GISRA
Government Information Security Reform Act of 2000 amended Paperwork Reduction Act to implement additional information security policies and procedures
127
FISMA
Federal Information Security Management Act, requires that federal agencies implement an information security program that covers the agency's operations
128
The most valuable asset of most organizations is their __________
Intellectual Property
129
Copyright Law
guarantees the creators of "original works of authorship" protection against the unauthorized duplication of their work
130
The precedent for copyrighting computer software puts software under the scope of _______
literary works
131
Copyright law as it pertains to computer software protects ___________
the actual source code - the Expression inherent in the computer software
132
Copyright law: Works by one or more authors are protected until __ years after ____________
70 years after the death of the last surviving author
133
Works for hire and anonymous works are provided protection for ________
95 years from the date of the first publication or 120 years from the date of creation, whichever is shorter
134
Trademarks
Protect words, slogans, and logos used to identify a company and its products or services
135
Patents
protect the intellectual property rights of inventors, 20 years of exclusive rights then public
136
Trade Secrets
No time limit, IP that is critical to business, best way to protect computer software
137
Licensing types
Contractual (written contract), shrink-wrap, Click-through, Cloud services
138
4th Amendment
protection of privacy
139
Privacy Act of 1974
limits the federal government's ability to disclose and retain private information
140
ECPA of 1986
Electronic Communications Privacy Act of 1986 makes it a crime to invade the electronic privacy of an individual
141
CALEA of 1994
Communications Assistance for Law Enforcement Act amended ECPA and requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order
142
Economic and Protection of Proprietary Information Act of 1996
extends definition of property to include proprietary economic information (expands definition of theft)
143
HIPAA
Health Insurance Portability and Accountability Act - privacy and security regulations require strict security for medical information
144
HITECH
Health Information Technology for Economic and Clinical Health Act, update to HIPAA, data breach notification law
145
COPPA
Children's Online Privacy Protection Act - must state what information is collected, parents can review collected information, verifiable parental consent for children under age 13
146
Gramm-Leach-Bliley Act
types of info which can be exchanged by banks
147
USA PATRIOT Act
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
148
FERPA
Family Educational Rights and Privacy Act - affects any educational institution that accepts any federal funding
149
Identity Theft and Assumption Deterrence Act
made identity theft a crime
150
ITIL
IT service mgmt
151
OCTAVE
self directed risk assessment
152
ISO 27001
introduction to the controls for an ISMS
153
ISO 27002
how to implement security controls for an ISMS