Domain 1 -- Security and Risk Management Flashcards

(89 cards)

1
Q

What are the ways to achieve Availability?

A
  • RAID disks
  • Clustering
  • Load Balancing
  • Redundant Data and Power lines
  • Software and data backups
  • Disk shadowing
  • Co-location and off-site facilities
  • Rollback functions
  • Failover configurations
2
Q

What are the ways to achieve Integrity?

A
  • Hashing (data integrity)
  • Configuration management (system integrity)
  • Change Control (process integrity)
  • Access Control (Physical and technical)
  • Software digital signing
  • Transmission Cyclic Redundancy Check (CRC Functions)
3
Q

What are ways to achieve Confidentiality?

A
  • Encryption for data at rest (whole disk or DB encryption)
  • Encryption for data in transit (IPSec, TLS, PPTP, SSH)
  • Access Control (physical and technical)
4
Q

Definition of Vulnerability

A

A vulnerability is a weakness in a system that allows a threat source to compromise its security

5
Q

What is a threat?

A

A threat is any potential danger that is associated with the exploitation of a vulnerability.

The entity that takes advantage of a vulnerability is a threat agent

6
Q

What is a risk?

A

A risk is the likelihood of a threat source exploiting a vulnerability.

7
Q

What is an exposure?

A

An exposure is an instance of being exposed to losses.

A vulnerability exposes an organization to possible losses

8
Q

What is a control?

A

A control is a countermeasure put in place to mitigate (reduce) the potential risk

Note: Control, Countermeasure and safeguard are interchangeable terms

9
Q

What is the relationship between Vulnerabilities, threats, risks, exposures and controls?

A

See Image

10
Q

What are the three types of Controls?

A
  • Administrative
  • Technical
  • Physical
11
Q

Give Examples of Physical Controls

A
  • Fence
  • Locked external doors
  • CCTV
  • Security Guard
  • Locked internal doors
  • Locked server room
  • Physically secured computers (cable locks)
12
Q

What are examples of Technical Controls?

A
  • Firewalls
  • Intrusion Detection Systems
  • Intrusion Prevention systems
  • Antimalware
  • Access control
  • Encryption
13
Q

What are examples of administrative controls?

A
  • Security Documentation
  • Risk Management
  • Personnel security
  • Training
14
Q

What are the six different control functionalities?

A
  • Preventive
  • Detective
  • Corrective
  • Deterrent
  • Recovery
  • Compensating
15
Q

Give examples of Administrative Preventive Controls

A
  • Policies and procedures
  • Effective hiring practices
  • Pre-employment background checks
  • Controlled termination processes
  • Data Classification and labeling
  • Security awareness
16
Q

Give examples of Physical Preventive Controls

A
  • Badges and swipe cards
  • Guards, dogs
  • Fences, locks, mantraps
17
Q

Give examples of Technical Preventive Controls

A
  • Passwords, biometrics, smart cards
  • Encryption, secure protocols, call-back systems, database views, constrained user interfaces
  • Antimalware software, access control lists, firewalls, intrusion prevention systems
18
Q

Is Security through Obscurity a good idea or a bad idea?

A

Bad idea

19
Q

What is a framework for developing a Security Program?

A

ISO/IEC 27000 Series

Examples:

  • ISO / IEC 27014 Information Security Governance
  • ISO / IEC 27031 Business Continuity
  • ISO / IEC 27035 Incident Management
  • ETC.
20
Q

What are Standards for Enterprise Architecture Development?

A
  • Zachman Framework
  • TOGAF - The Open Group Arch Framework
  • DoDAF - Dept of Defense Arch Framework
  • MODAF - Arch framework developed by the British Ministry of Defence
  • SABSA Model - Model and methodology for the development of security enterprise architectures
21
Q

What are the Security Controls Development Frameworks?

A
  • COBIT 5 - Developed by the Information Systems Audit and Control Association (ISACA)
  • NIST SP 800-53 – Set of controls developed by NIST to protect Federal Systems
  • COSO Internal Control - Integrated Framework. Developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission
22
Q

What are the three key Process Management Development Frameworks?

A
  • ITIL - IT Service Management (started in UK)
  • Six Sigma
  • CMMI - Capability Maturity Model Integration (developed by Carnegie Mellon)
23
Q

What are the key things to remember about the Zachman Framework?

A
  • Interrogatives / Perspectives
  • What / How / Where / Who / When / Why
  • Top to bottom Executives to Technicians
24
Q

What are the key things to remember about TOGAF?

A

Used to develop

  • Business Architecture
  • Data Architecture
  • Application architecture
  • Technology architecture
  • Architecture Development Model
25
What are the key things to remember regarding DoDAF and MODAF?
  • These are military architectural frameworks
  • These are designed to solve the problem of communicating information from a very large collection of agencies/stakeholders
26
What does SABSA stand for and why is it important?
  • SABSA stands for Sherwood Applied Business Security Architecture
  • Similar to the Zachman framework, for security architecture
  • What are you trying to do at this layer?
  • Why are you doing it?
  • How are you trying to do it?
  • Who is involved?
  • Where are you doing it?
  • When are you doing it?
27
What does ISMS stand for and what is a synonym for it?
ISMS stands for Information System Management System.

An ISMS is the same as a Security Program.
28
What does COBIT stand for and what are its five key principles?
COBIT stands for Control Objectives for Information and related Technology.

Five principles:

  • Meeting stakeholder needs
  • Covering the enterprise end to end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management

Note: COBIT deals with all aspects of IT, not just security.

Note: COBIT is used in the private sector; NIST SP 800-53 is used in government.
29
What does COSO stand for and what are its five control principles?
COSO stands for Committee of Sponsoring Organizations. The COSO Internal Control -- Integrated Framework is a set of internal corporate controls to help reduce the risk of financial fraud.

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring Activities
30
What's the difference between the COSO IC framework and COBIT?
  • The COSO Integrated Controls Framework is a model for ***corporate*** governance
  • COBIT is a model for ***IT*** governance
31
Which is more dangerous -- a script kiddie or an Advanced Persistent Threat (APT)?
An Advanced persistent threat is more dangerous
32
What does GDPR stand for and what is its goal?
GDPR stands for General Data Protection Regulation It is intended to protect personal data and privacy for EU citizens
33
What does the Wassenaar Arrangement deal with and what is its goal?
The Wassenaar Arrangement implements export controls for Conventional Arms and Dual-Use Goods and Technologies.

  • It is designed to prevent one country from building up too much military capability
  • Part of the Wassenaar Arrangement deals with cryptography
34
What is the strongest form of intellectual property protection?
a patent
35
What's the difference between the following?

  • Freeware
  • Shareware/Trial Software
  • Commercial Software
  • Academic software

  • Freeware - Free
  • Shareware/Trial Software - Free trial version
  • Commercial Software
  • Academic software - software used by academic institutions at a reduced cost
36
What does DMCA stand for and what is its intent?
DMCA stands for Digital Millennium Copyright Act. It makes it illegal to circumvent copyright protection mechanisms
37
What do policies need to be independent of?
Policies need to be independent of technologies and solutions. Policies should outline goals and missions, but leave it up to the organization to decide how to accomplish them
38
Name three types of policies
  • Regulatory
  • Advisory
  • Informative
39
What is a baseline?
The term baseline refers to a point in time that is used as a comparison for future changes
40
What is a Guideline?
Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.
41
What are procedures?
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
42
What is Risk Management?
Risk Management (RM) is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.
43
What are the three tiers of Risk Management?
  1. Organizational Tier
  2. Business Process Tier
  3. Information Systems Tier
44
What does ISRM stand for?
Information Systems Risk Management
45
What are the four components of the NIST SP 800-39 standard for Risk Management?
  1. Frame Risk
  2. Assess Risk
  3. Respond to Risk
  4. Monitor Risk
46
What is Threat Modeling?
Threat Modeling is the process of describing feasible adverse effects on our assets caused by threat sources.
47
What are three components of vulnerabilities in threat modeling?
  • Information
  • Data (at rest, in motion, in use)
  • Processes
  • People
48
What are two common threat modeling methodologies?
  • Attack Trees - make a graph to show the threat
  • Reduction analysis
      • Reduce the number of attacks that must be considered
      • Reduce the threat posed by the attack
49
What's the difference between Risk Assessment and Risk Analysis?
For the CISSP exam . . .

Risk Assessment is the broader effort. Risk Analysis is the set of specific tasks performed in order to support the goal of risk assessment.
50
What are the four main goals of Risk Management?
  1. Identify assets and their value to the organization
  2. Determine the likelihood that a threat exploits a vulnerability
  3. Determine the business impact of these potential threats
  4. Provide economic balance between the impact of the threat and the cost of the countermeasure

At a high level, Risk Analysis provides a cost/benefit comparison.
51
Should the risk assessment team only include specialists from IT and from Security?
No -- It should include representatives from a broad cross section of the company
52
What are four good questions to ask during a Risk Assessment?
  1. What event could occur (threat event)?
  2. What could be the potential impact (risk)?
  3. How often could it happen (frequency)?
  4. What level of confidence do we have in the answers to the first three questions (certainty)?
53
What is the document that NIST developed for conducting Risk Assessments?
NIST SP 800-30 Revision 1
54
What does FRAP stand for and what should be remembered about it?
FRAP stands for Facilitated Risk Analysis Process.

It is a **qualitative** methodology. It is IT focused.
55
What does OCTAVE stand for and what is it used for?
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.

It is a Risk Assessment Methodology. IT focused.
56
How does the ISO 27005 Risk Assessment Methodology differ from other risk assessment methodologies?
Other methodologies are focused on IT and operations. ISO 27005 is focused not only on IT and operations, but on other softer issues as well, such as documentation and training.
57
What does FMEA stand for and what is it used for?
FMEA stands for Failure Mode Effect Analysis.

Figure out where things are most likely to break and then determine what to do about it. It is a methodology used in product development.
58
What does CRAMM stand for and what is it used for?
CRAMM stands for Central Computing and Telecommunications Agency Risk Analysis and Management Method.

It was created by the United Kingdom and is now an automated tool sold by Siemens.
59
What's the difference between a risk assessment and a risk analysis?
A risk assessment is used to gather the data.

A risk analysis examines the gathered data to produce results that can be acted upon.
60
What are the two main risk analysis approaches?
  1. Quantitative
  2. Qualitative
61
What's the difference between a vulnerability assessment and a risk assessment?
A vulnerability assessment just identifies the vulnerabilities (holes).

A risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.
62
What does SLE stand for? Give an equation that uses it.

SLE stands for Single Loss Expectancy.

SLE = Asset Value x Exposure Factor (EF)
63
What is the Exposure Factor (EF)?
The Exposure Factor represents the percentage of loss a realized threat could have on a certain asset.

If a data warehouse was valued at $150K and the EF was 25%, then the SLE would be ($150K x 25%) = $37.5K.
64
What does ALE stand for and how is it used?
ALE stands for Annual Loss Expectancy.

ALE = SLE x Annualized Rate of Occurrence (ARO)

ARO stands for Annual Rate of Occurrence and is the estimated frequency of a specific threat taking place within a 12-month timeframe.

Key point: never spend more per year than the ALE to protect something.
65
What are the five expected results of a Quantitative Risk Analysis?
  1. Monetary value assigned to assets
  2. Comprehensive list of all significant threats
  3. Probability of the occurrence rate of each threat
  4. Loss potential the company can endure per threat in a 12-month time span
  5. Recommended controls
66
What's the quantitative equation for cost/benefit analysis in Risk Management?

(ALE before implementing safeguard) - (ALE after implementing safeguard) - (Annual cost of safeguard) = Value of safeguard to the company
67
A Business Impact Analysis (BIA) is a component of what Broader Effort?
Business Continuity Planning
68
What is Residual Risk?

Even after implementing a countermeasure, there is still some risk left over. Risk is never completely eliminated.
69
What are the four ways of dealing with risk?
  1. Transfer it
  2. Avoid it
  3. Reduce it
  4. Accept it
70
What is Supply Chain Risk Management and what is the Target Example?
Some attackers will attack the supply chain of a company rather than the company itself.

Target's HVAC vendor was targeted and compromised. From there, the attackers were able to target Point of Sale systems and obtain credit card information.
71
What does RMF stand for?
Risk Management Framework
72
List three commonly accepted Risk Management Frameworks

  • NIST RMF (SP 800-37r1)
  • ISO 31000:2018
  • ISACA Risk IT
73
What are the six steps in the NIST Risk Management Framework?
  1. Categorize information system
  2. Select security controls
  3. Implement security controls
  4. Assess security controls
  5. Authorize information system
  6. Monitor security controls
74
What is the equation for Residual Risk?
(threats x vulnerability x asset value) x controls gap = residual risk
75
What is the order of steps in the Capability Maturity Model Integration?
  1. Initial
  2. Repeatable
  3. Defined
  4. Quantitatively Managed
  5. Optimizing
76
What is the purpose of the Organization for Economic Cooperation and Development (OECD)?
Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the information/digital age came upon us, the differing laws started to negatively affect international trade. Thus, the OECD was born to develop guidelines so that data is protected and everyone follows one set of rules.
77
Define the roles of the following committees:

  • Security Policy Committee
  • Audit Committee
  • Risk Management Committee
  • Security Steering Committee

  • **Security Policy Committee** -- chosen by senior management to produce security policies
  • **Audit Committee** -- goal is to provide independent and open communication among the board of directors, management, internal auditors and external auditors. Reports its findings to the steering committee
  • **Risk Management Committee** -- purpose is to understand the risks that an organization faces as a whole and work with senior management to reduce them to acceptable levels
  • **Security Steering Committee** -- responsible for making decisions on strategic and tactical issues within an organization
      • Should be made up of individuals from throughout the org.
      • Responsible for the Vision statement and Mission statement for CIA
      • Does not create the actual policies themselves
78
What is the purpose of AS/NZS 4360?
AS/NZS 4360 takes a very broad approach to risk management. It can be used to understand a company's financial, capital, human safety and business decision risks. While it can be used to analyze security risks, it was not created for that purpose.
79
What are the four ways of dealing with risk?
  • Risk Mitigation
  • Risk Transference
  • Risk Acceptance
  • Risk Avoidance
80
Define the following:

  • ISO/IEC 27002
  • ISO/IEC 27003
  • ISO/IEC 27004
  • ISO/IEC 27005

  • **ISO/IEC 27002** - Code of practice for information security management
  • **ISO/IEC 27003** - Guideline for ISMS implementation
  • **ISO/IEC 27004** - Guideline for information security management measurement and metrics framework
  • **ISO/IEC 27005** - Guideline for information security risk management
81
What are the 8 steps of a Business Impact Analysis (BIA)?
  1. Select individuals to interview for data gathering
  2. Create data gathering techniques (surveys, questionnaires, etc.)
  3. Identify the company's critical business functions
  4. Identify the resources these functions depend on
  5. Calculate how long these functions can survive without these resources (maximum tolerable downtime)
  6. Identify vulnerabilities and threats to these functions
  7. Calculate the risk for each different business function
  8. Document findings and report to management
82
What's the best way to keep the BCP plan up to date?
Integrate the BCP with the Change Management process
83
What does the ISO/IEC 27031 standard deal with?
ISO/IEC 27031 is a set of guidelines for information and communications technology readiness for business continuity. It is a component of the overall ISO/IEC 27000 series.
84
What are the key features of the Digital Millennium Copyright Act (DMCA)?
The DMCA is a US copyright law that criminalizes the production and dissemination of technology, devices or services that circumvent access control measures put in place to protect copyrighted material.
85
What is the Internet Architecture Board and what role does it play?
The Internet Architecture Board (IAB) is the coordinating committee for Internet design, engineering and management. It is responsible for:

  • The architectural oversight of Internet Engineering Task Force (IETF) activities
  • Oversight of the Internet Standards Process
  • Appeals, and editorship of Requests for Comments
  • Issuing ethics-related statements concerning the use of the Internet
86
What was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation?
The Council of Europe Convention on Cybercrime
87
What is the European Union Data Protection Directive?
The Data Protection Directive is a set of principles addressing the use and transmission of information that is considered private.

All EU countries must comply. Any company that wants to do business in the EU must comply.
88
What is the purpose of the Safe Harbor requirements?
The Safe Harbor requirements were created to harmonize the data privacy practices of the US with the EU's stricter privacy controls and to prevent accidental information disclosure and leaks. US companies certify against the Safe Harbor rule base.
89
How many sets of instructional books are included in ITIL and which is considered the core set?
  • ITIL consists of 5 sets of books.
  • The core fundamental approach of ITIL lies in the creation of a **Service Strategy**, which is focused on overall planning for intended IT Services.
  • Other components of ITIL:
      • Service Design
      • Service Transition Stage
      • Service Operation
      • Continual Service Improvement