Domain 1 - Security and Risk Management Flashcards
(140 cards)
1
Q
Administrative, Physical, and Technical controls
A
Three categories of access controls
2
Q
Technical Control
A
Protects access to systems, network architecture, control zones, auditing, and encryption and protocols (Access Control categories). AC category that restricts access.
3
Q
Administrative Control
A
Dictates how security policies are implemented to fulfill the company’s security goals. Includes policies, procedures, personnel controls, supervisory structure, security training, and testing. Includes policies and procedures, personnel controls, supervisory structure, security training, and testing (Access Control category).
4
Q
Physical Control
A
Access control category that includes badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling; used to secure physical access to an object, such as a building, a room, or a computer (access control category).
5
Q
Preventive control
A
Prevents security breaches and avoids risks.
6
Q
Detective control
A
Looks for security breaches as they occur.
7
Q
Corrective control
A
Restores control and attempts to recover from any damage that was inflicted during a security breach.
8
Q
Deterrent control
A
Stops potential violations.
9
Q
Recovery control
A
Restores resources.
10
Q
Compensative control
A
Provides an alternative control if another control may be too expensive. All controls are generally considered this type of control.
11
Q
Directive controls
A
Provides mandatory controls based on regulations or environmental requirements.
12
Q
Recovery-Technical control
A
Restores system capabilities and covers data backups.
13
Q
Detective-Technical control
A
Detects when a security breach occurs; covers audit logs and intrusion detection systems (IDS).
14
Q
Corrective-Technical control
A
Corrects any issue that arises because of security breaches; Antivirus software and server images are included in this category.
15
Q
Compensative-Technical control
A
Considered an alternative to other controls (example, server isolation).
16
Q
Preventative-Technical control
A
A router plus encryption used to improve network security.
17
Q
Deterrent, Preventive, Detective, Compensative, Corrective, Recovery, and Directive.
A
Access control types (types, not categories).
18
Q
Preventative control measures
A
Security awareness training, Firewalls, Anti-virus, security guards, and IPS.
19
Q
Detective control measures
A
System monitoring, IDS, Anti-Virus, motion detector, IPS.
20
Q
Corrective control measures
A
OS upgrade, backup data rostral, Anti-virus, vulnerability mitigation.
21
Q
Compensatory control measures
A
Backup generator, hot site, server isolation.
22
Q
To prevent the threat from coming into contact with the weakness.
A
Purpose for Preventative controls.
23
Q
To identify that a threat has landed in a system.
A
Purpose for Detective controls.
24
Q
To mitigate or lesson the effects of the threat that has manifested.
A
Purpose for Corrective controls.
25
ISO/IEC 27000
ISO/IEC standard on developing and maintaining information security management systems (ISMS).
26
Zachman Framework
An enterprise schema with two dimensional classification: six questions and six views intersecting in a matrix (what, how, where, who, when, why + planner, owner, designer, builder, programmer, users). This framework is NOT security orientated; it is used to relay information for personnel in a common language that is helpful to different groups in understanding each group's responsibilities.
27
TOGAF (The Open Group Architecture Framework)
An enterprise framework that helps organizations design, plan, implement, and govern enterprise information architecture. Its four domains are technology, applications, data, and, business.
28
DoDAF (Department of Defense Architecture Framework)
Architect framework with 8 viewpoints used to ensure DoD technologies integrate correctly with current infrastructures.
29
All Viewpoint (AV); Capability Viewpoint (CV); Data and Information Viewpoint (DIV); Operation Viewpoint (OV); Project Viewpoint (PV); Services Viewpoint (SvcV); Standards Viewpoint (STDV); and Systems Viewpoint (SV).
The eight views of the DoDAF
30
MODAF (British Ministry of Defense Architecture Framework)
An Architecture Framework which divides information into seven views points.
31
SABSA (Sherwood Applied Business Security Architecture)
An enterprise security architecture, which asks six communication questions that intersect with six layers; it is a a risk-driven architecture. The six layers of questions include: What, Where, When, Why, Who, and How. These question layers intersect with six additional layers: Operational, Component, Physical, Logical, Conceptual, and Contextual.
32
CobiT (Control Objectives for Information and Related Technology)
A security controls development framework documenting five principles, which drive control objectives of seven enablers: Meeting stakeholder needs; Steering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating and governance from management. The seven enablers include: Principles; Policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behaviors; Information; Services, infrastructure, and applications; and People, skills, and competencies.
33
Meeting stakeholder needs; Steering the enterprise end-to-end; Applying a single integrated framework; Enabling a holistic approach; Separating and governance from management.
Five principles of CobiT
34
Principles, Policies, and frameworks; Processes; Organizational structures; Culture, ethics, and behaviors; Information; Services, infrastructure, and applications; and People, skills, and competencies.
Seven enablers of Cobit
35
Downstream Liabilities
When you outsource a system - you can outsource responsibility but you cannot outsource accountability
36
What is Due Care?
Setting and enforcing policy to bring organisation into compliance.
37
What does IAAA stand for?
Identification, Authentication, Authorization, Accountability
38
What is the difference between Authentication and Authorization?
Authentication is using your password to access a file which you have permissions (Authorization) to access.
39
What is a control?
A control or countermeasure is put into place to mitigate (reduce) the potential risk. It's PREVENTATIVE.
40
What is Strategic Alignment?
Strategic Alignment means that business drivers and the regulatory and legal requirements are being met by the security enterprise architecture.
41
What does Security Effectivenes deal with?
Security Effectiveness deals with metrics, SLA requirements, achieving ROI, meeting set baselines etc.
42
What is a Computer Assisted Crime?
Computer Assisted Crime is where a computer was used as a tool to help carry out a crime.
43
What is a Computer Targetted Crime?
A Computer Targetted Crime occurs when a computer is the victim of an attack crafted to harm it and its owners specifically.
44
What is a Computer Incidential Crime?
Where a computer happens to have been part of the crime, but did not assist the criminal and was not the victim.
45
In GDPR, who is the Data Subject?
The Individual to whom the data pertains
46
In GDPR, what is the Data Controller?
Any organization that collects data on EU residents
47
In GDPR, what is the Data Processor?
Any organization that processes datra for a data controller
48
What is the Concent provision for GDPR?
Data Collectors and Data Processors cannot use personal data without explicit consent of the data subjects
49
What is the Right to be Informed provision for GDPR?
Data Controllers and Data Processors must inform data subjects about how their data is, will, or could be used.
50
What is the Right to Restrict Processing provision for GDPR?
Data Subjects can agree to have their data stored by a collector but disallow it to be processed.
51
What is Right to Be Forgotten provision for in GDPR?
Data Subjects can request that their personal data be permanently deleted.
52
What is the Data Breaches provision for in GDPR?
Data Controllers must report a data breach within 72 hours of becoming aware of it.
53
What is a Trade Secret?
A Trade Secret is something that is proprietary to a company and important for it's survival and profitability.
54
What is a Copyright?
Copyright Law protects the right of the creator of an original work to control the public distribution, reproduction, display and adaptation of that original work.
55
What is a Trademark?
A Trademark is slightly different from a copyright in that it is used to protect a word, name, symbol, sound, shape, color etc.
56
What is a Patent?
Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent.
57
What is the strongest form of intellectual property protection?
A patent
58
What is an Issue-spesific policy?
Also called a functional policy, addresses spesific security issues that management feel need more detailed explanation and attention.
59
What is a System-Spesific Policy?
Spesific to the actual computers, networks, applications.
60
What types of Policies are there?
Regulatory, Advisory, Informative
61
What is a Standard?
Standard refer to mandatory activities, actions or rules. Standards can give a policy its support and reinforcement in direction.
62
What is a Procedure?
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
63
What can declare a Disaster and Emergency?
Anyone can declare an emergency, only the BCP coordinator can decalre a disaster. (Anyone can pull the fire alarm or trigger an emergency alarm. Only the BCP coordinator or someone specified in the BCP can declare disaster which will then trigger failover to another facility).
64
Regulatory, Advisory, Informative are examples of
Policies
65
MTD/MTO: Maximum Tolerable Downtime/Outage
Longest time the function can be inoperable because causing a loss to senior management that is unacceptable
66
RTO Recovery Time Objective
This is the amount of time in a which you can easily recover the function in the even of a disruption (must be less than MTD)
67
RPO Recovery Point Objective
Tolerance for Data Loss
68
What is the different between Business Impact Assessment and Risk Assessment?
Business Impact Assessment is focused on assets and how important they are to the business where as Risk Management is the same but includes vulnerabilities and likelihood.
69
How do you calculate Total Risk?
Asset Value * Probability * Impact = Total Risk
70
How do you calculate Residual Risk?
Total Risk * Controls Gap = Residual Risk
71
What is a Checklist Test?
Copies of plan distributed to different departments. No disruption to the business.
72
What is a Structured Walk-Through (Table Top) Test?
Representatives from each department go over the plan. Still paper based.
73
What is a Simulation Test?
Going through the disaster scenario. Still does not distrupt business.
74
What is a Parallel Test?
Systems moved to alternative site, and processing takes place there. This involves risk.
75
What is a Full-Interruption Test?
Original Site shut down and all processing moved to offsite facility.
76
What is Layering?
Layering (also known as Defense in Depth), is simply the use of multiple controls in a series.
77
What is Abstraction?
Abstraction is used for efficiency. Simular elements are put into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective.
78
What is Data Hiding?
Data Hiding is exactly what it sounds like: preventing data from being discovered or accessed by a subject positioning the data in a logical storage compartment that is not accessible or seen by the subject.
79
What is Security Governance?
Security Governance is the collection of practices related to supporting, defining, and directing the security efforts of an organisation.
80
What is a Business Case?
A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action.
81
What is a Strategic Plan (as opposed to Tactical and Operational)?
A strategic plan is a long term plan that is fairly stable.
82
What is a Tactical Plan (as oppsed to Strategic or Operational)?
The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad hoc based upon unpredicted events.
83
What is a Operational Plan (as opposed to Strategic or Tactical)?
An Operational Plan is a short-term, highly detailed plan based on the strategic and tactical plans.
84
What is the goal of Change Management?
The goal of change management is to ensure that any change does not lead to reduced to compromised security.
85
Who reviews and approves Changes?
The Change Advisory Board (CAB).
86
What does the Change Advisory Board do?
Review and Approve changes
87
What is Data Classification?
Data Classification, or categorization, is the primary means by which data is protected based on its need for security, sensitivity, or confidentiality.
88
What are the levels of government/military classification?
Top Secret, Secret, Confidential, Sensitive but unclassified, Unclassified. TO REMEMBER: US CAN STOP TERRORISM
89
What data is Sensitive but Unclassified?
Sensitive but Unclassified (SBU) is used for data that is for internal use or for office use only.
90
What are the levels of data classification for the private sector?
Confidential, Private, Sensitive, Public
91
What is the difference between confidential and private data?
Confidential Data is company data and Private Data relates to individuals.
92
What is the Data Owners responsibilities?
The Data Owner role is assigned to the person who is responsible for classifying information for placement and protection within the security solution.
93
What is the Data Custodians responsibilites?
Data Custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and senior management.
94
What is STRIDE?
A threat model designed by Microsoft which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
95
What is PASTA?
Process for Attack Simulation and Threat Analysis (PASTA) is a seven step threat model
96
What are the steps of PASTA?
1) Definition of Objectives 2) Definitions of Technical Scope 3) Application Decomposition and Analysis 4) Threat Analysis 5) Weakness and Vulnerability Analysis 6) Attack Modeling and Simulation 7) Risk Analyusis and Management
97
What is Reduction Analysis?
Reduction Analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interaction with external elements.
98
What are the five key concepts of Reduction Analysis which must be considered?
Trust Boundaries, Data Flow Paths, Input Points, Privilege Operations, Details about Security Stance and Approac.
99
In the decomposition process, what is Trust Boundaries?
Trust Boundaries are any location where the level of trust or security changes.
100
In the decomposition process, what is Data Flow Paths?
Data Flow Paths is the movement of data between locations
101
In the decomposition process, what is Input Points?
Input points are locations where external input is received
102
In the decomposition process, what is Privileged Operations?
Privileged Operations are any activity that requires greater privileges than that of a standard user.
103
What is DREAD used for?
Prioritization and Response
104
What are the considerations of DREAD?
Damage Potential, Reproducibility, Exploitability, Affected Users and Discoverability
105
What is Seperation of Duties?
Separation of Duties is the security concept in which critical, significant and sensitive work tasks are divided among several individual administrators or high level operators. Prevents one person from having too much control.
106
What is Onboarding?
Onboarding is the process of adding new employees to the identity and access management (IAM) system of an organization.
107
What is a Vulnerability?
A vulnerability is the weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability.
108
What is Exposure?
Exposure is being susceptible to asset loss because of a threat, there is the possibility that a vulnerability can or will be exploited by a threat agent or event.
109
How is Risk calculated?
Risk = Threat * Vulnerability
110
What are the six major elements of Quantitative Risk Analysis?
Assign Asset Valuation (AV)
Calculate Exposure Factor (EF)
Calculate the Single Loss Expectancy (SLE)
Assess Rate of Occurrence (ARO)
Assess Annualized Loss Expectancy (ALE)
Perform Cost/Benifit analysis of Countermeasures
111
What is Asset Valuation (AV)?
The monatory value of an asset
112
What is Exposure Factor (EF)?
The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
113
What is the Annualized Loss Expectancy (ALE)?
Possible yearly cost of all instances of a specific realized threat against a specific asset.
114
How is Annualized Loss Expectancy (ALE) calculated?
ALE = SLE * ARO. ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO).
115
What does a Safeguard reduce?
To reduce ARO
116
How is Single Loss Expectancy (SLE) calculated?
SLE = AV * EF. SLE = Asset Value (AV) * Exposure Factor (EF).
117
How do you calculate the value of a safeguard?
(ALE1 - ALE2) - ACS (Annual Cost of Safegaurd)
118
What is the Delphi Technique?
The Delphi Technique is simply an anonymous feedback and response process used to enable a group to reach an anonymous consensus.
119
In what situation is the Delphi Technique used?
In Qualitative Risk Analysis
120
What is Risk Assignment?
Assigning or transferring risk is placement of the cost of a loss that a risk represents to a third party. For example, Insurance.
121
What is Risk Deterrence?
Risk Deterrence is the process of implementing deterrents to would-be-violators of security and policy.
122
What is Risk Avoidance?
Risk Avoidance is the process of selecting alternate options or activities that have less associated risk than the default.
123
What is Risk Rejection?
A final but unacceptable possibile response to risk is to reject risk or ignore risk.
124
How is Total Risk calculated?
Threats * Vulnerabilities * Asset Value = Total Risk
125
How is Residual Risk calculated?
Total Risk - Control Gaps = Residual Risk
126
What are the Six Steps of the NIST RMF (Risk Management Framework)? **
```
Step 1) CATEGORIZE Information Systems
Step 2) SELECT Security Controls
Step 3) IMPLEMENT Security Controls
Step 4) ASSESS Security Controls
Step 5) AUTHORIZE Information Systems
Step 6) MONITOR Security Controls
```
127
Once a Business Continuity Planning (BCP) team is selected, what is their first responsibility?
To perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process.
128
What does MTD stand for?
Maximum torable downtime
129
What does Maximum Tolerable Downtime (MTD) mean?
Also known as the MTO Maximum Tolerable Outage. This is the maximum time that a business function can be inoperable before causing irreparable harm.
130
What does RTO stand for?
Recovery Time Objective (RTO)
131
What does Recovery Time Objective (RTO) mean?
This is the amount of time that you think you can feasibly recover the function in the event of a disruption
132
What is the Computer Fraud and Abuse Act (CFAA)?
CFAA was carefully written in 1984 to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states rights and reading on thin constitutional ice. This covers any computer exclusively used by US government or financial institutions.
133
What law woudl you use If you want to protect the Intellectual Property of source code?
Copyright, while you can protect the source code you cannot protect the idea.
134
How long is a patent valid for?
20 years
135
What is a Contractual License Agreement?
A written contract between software vendor and the customer
136
What is Shrink-Wrap license agreements?
Shrink-Wrap license agreements are written on the outside of the software packaging. You accept the agreement by opening the packaging.
137
What is Click-Throuh license agreements?
A license agreement which you accept if you click next
138
What are Cloud Service license agreements?
This simply flashes legal terms on the screen for review
139
Who does the Privacy Act of 1974 apply to?
Government Agencies only
140
What agreement is in place in the USA to comply with GDPR?
Privacy Shield
