Domain 1: Security and Risk Management Flashcards
(119 cards)
1
Q
What is type 1 authentication?
A
Something you know (passwords, pass phrase, PIN etc.).
2
Q
What is type 2 authentication?
A
Something you have (ID, passport, smart card, token, cookie on PC etc.).
3
Q
What is type 3 authentication?
A
Something you are (and Biometrics) (Fingerprint, iris scan, facial geometry etc.).
4
Q
What is type 4 authentication?
A
Somewhere you are (IP/MAC Address).
5
Q
What is type 5 authentication?
A
Something you do (Signature, pattern unlock).
6
Q
How does top down security management differ from bottom up security management?
A
Bottom-Up: IT Security is seen as a nuisance and not a helper, often change when breaches happen.
Top-Down: IT leadership is on board with IT Security, they lead and set the direction. (The exam).
7
Q
What is OCTAVE?
A
OCTAVE® - Operationally Critical Threat, Asset, and Vulnerability Evaluation. Self Directed Risk Management.
8
Q
What is COBIT?
A
COBIT - Control Objectives for Information and related Technology. COBIT is a control framework for employing information security governance best practices within an organization. Goals for IT – Stakeholder needs are mapped down to IT related goals.
9
Q
What is COSO?
A
COSO – Committee Of Sponsoring Organizations. Goals for the entire organization.
10
Q
What is FRAP?
A
FRAP - Facilitated Risk Analysis Process. Analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, threats and risks prioritized.
11
Q
What is the purpose of ISO 27001?
A
ISO 27001: Establish, implement, control and improve the ISMS. Uses PDCA (Plan, Do, Check, Act)
12
Q
What is the purpose of ISO 27002?
A
ISO 27002: (Formerly ISO 17799) Provides practical advice on how to implement security controls. It has 10 domains it uses for ISMS.
13
Q
What is the purpose of ISO 27004?
A
ISO 27004: Provides metrics for measuring the success of your ISMS.
14
Q
What does ISO 27005 contain?
A
ISO 27005: Standards-based approach to risk management.
15
Q
What does ISO 27799 contain?
A
ISO 27799: Directives on how to protect PHI (Protected Health Information)
16
Q
What are the four types of evidence?
A
Real Evidence, Direct Evidence, and Circumstantial Evidence, Corroborative Evidence
17
Q
What is real evidence?
A
Real Evidence: Tangible and physical objects in IT Security: Hard disks, USB drives – NOT the data on them.
18
Q
What is direct evidence?
A
Direct Evidence: Testimony from a firsthand witness, what they experienced with their 5 senses.
19
Q
What is circumstantial evidence?
A
Circumstantial Evidence: Evidence to support circumstances for a point or other evidence.
20
Q
What is corroborative evidence?
A
Corroborative Evidence: Supports facts or elements of the case: not a fact on its own, but support other facts.
21
Q
What is hearsay?
A
Hearsay: Not first-hand knowledge – normally inadmissible in a case
22
Q
What does the fourth amendment protect against?
A
The Fourth Amendment to the United States Constitution protects citizens from unreasonable search and seizure by the government
23
Q
When do exigent circumstances apply? Who decides this?
A
Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. This will later be decided by a court if it was justified. Only applies to law enforcement and those operating under the “color of law” – Title 18. U.S.C. Section 242 – Deprivation of Rights Under the Color of Law.
24
Q
What is entrapment?
A
Entrapment (Illegal and unethical): When someone is persuaded to commit a crime they had no intention of committing and is then charged with it.
25
What is enticement?
Enticement (Legal and ethical): Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so.
26
What is the GPDR?
GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It does not matter where we are based, if we have customers in EU/EEA we have to adhere to the GDPR.
27
What is required for personal data to be processed under the GPDR?
Unless a data subject has provided informed consent to data processing for one or more purposes, personal data may not be processed unless there is at least one legal basis to do so.
28
What is right to access under the GPDR?
Right to access: Data controllers must be able to provide a free copy of an individual’s data if requested.
29
What is right to erasure under the GPDR?
Right to erasure: All users have a ‘right to be forgotten’.
30
What is data portability under the GPDR?
Data portability: All users will be able to request access to their data ‘in an electronic format’.
31
What is the data breach notification requirement under the GPDR?
Data breach notification: Users and data controllers must be notified of data breaches within 72 hours.
32
What is privacy by design under the GPDR?
Privacy by design: When designing data processes, care must be taken to ensure personal data is secure. Companies must ensure that data collection is only ‘absolutely necessary for the completion of duties’.
33
What are the 3 rules of HIPAA? What 3 safeguards do they mandate?
HIPAA has 3 rules – Privacy rule, Security rule and Breach Notification rule.
The rules mandate Administrative, Physical and Technical safeguards.
34
What is the purpose of the ECPA?
Electronic Communications Privacy Act (ECPA): Protection of electronic communications against warrantless wiretapping. The Act was weakened by the Patriot Act.
35
What is the purpose of the Patriot Act?
PATRIOT Act of 2001. : Expands law enforcement electronic monitoring capabilities. Allows search and seizure without immediate disclosure.
36
What is the CFAA?
Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030. Most commonly used law to prosecute computer crimes.
37
Who does the GLBA apply to? Who drives it?
Gramm-Leach-Bliley Act (GLBA): Applies to financial institutions; driven by the Federal Financial Institutions
38
What are the requirements of the EU Data Protection Directive? (4 points)
EU Data Protection Directive Very aggressive pro-privacy law.
- Organizations must notify individuals of how their data is gathered and used.
- Organizations must allow for opt-out for sharing with 3rd parties.
- Opt-in is required for sharing “most” sensitive data.
- No transmission out of EU unless the receiving country is perceived to have adequate (equal) privacy protections; the US does NOT meet this standard. EU-US Safe Harbor, optional between organization and EU
39
What is the ISC2 code of ethics preamble?
Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of certification.
40
What are the ISC2 code of ethics canons?
Code of Ethics Canons:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principles.
Advance and protect the profession.
41
What are the 5 components of information security governance?
Information Security Governance:
Policies – High level, non-specific
Standards – Describes specific use of a technology
Guidelines – Recommendatins
Procedures – Specific step by step guides
Baselines (Benchmarks) - Minimum requirements.
42
What are policies within information security governance?
Policies
- High level management directives, non-specific.
- They can contain “Patches, updates, strong encryption”
- They will not be specific to “OS, encryption type, vendor Technology”
43
What are standards within information security governance?
Standards
| -Describes a specific use of technology (All laptops are W10, 64bit, 8gig memory … )
44
What are guidelines within information security governance?
Guidelines
- Recommendations, discretionary
- Suggestions on how you would to do it.
45
What are procedures within information security governance?
Procedures
- Low level step-by-step guides, specific.
- They will contain “OS, encryption type, vendor Technology”
46
What are baselines within information security governance?
Baselines (Benchmarks)
| Baselines are uniform ways of implementing a standard. Serves as a minimum requirement.
47
What are the 7 access control types?
Access Control Defensive Types:
Preventive: Prevents an action from occurring
Detective: Controls that Detect during or after an attack – IDS, CCTV, alarms, antivirus.
Corrective: Controls that Correct an attack – Anti-virus, patches, IPS.
Recovery: Controls that help us Recover after an attack – DR Environment,backups, HA Environments .
Deterrent: Controls that Deter an attack – Fences, security guards, dogs, lights, Beware of the dog signs.
Compensating: Controls that Compensate – other controls that are impossible or too costly to implement.
Directive: directs, confines, or controls the actions of subjects to force or encourage compliance with security policy
48
What are the 5 types of risk responses?
Types of risk responses:
Accept the Risk – We know the risk is there, but the mitigation is more costly than the
cost of the risk (Low risks). We ensure we have a paper trail and this was a calculated decision.
Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example – acceptable level (Leftover risk = Residual).
Transfer the Risk – The insurance risk approach – We could get flooding insurance for the data center, the flooding will still happen, we will still lose 15% of the infrastructure, but we are insured for cost.
Risk Avoidance – We don’t issue employees laptops (if possible) or we build the data center in an area that doesn’t flood. (Most often done before launching new projects – this could be the data center build).
Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).
49
What is NIST 800-30?
NIST 800-30 - United States National Institute of Standards and Technology Special Publication. A 9-step process for Risk Management.
50
What are the 9 steps in the risk management process within NIST 800-30?
NIST 800-30 - United States National Institute of Standards and Technology Special Publication. A 9-step process for Risk Management.
1. System Characterization (Risk Management scope, boundaries, system and data sensitivity).
2. Threat Identification (What are the threats to our systems?).
3. Vulnerability Identification (What are the vulnerabilities of our systems
4. Control Analysis (Analysis of the current and planned safeguards, controls and mitigations).
5. Likelihood Determination (Qualitative – How likely is it to happen)?
6. Impact Analysis (Qualitative – How bad is it if it happens? Loss of CIA).
7. Risk Determination (Look at 5-6 and determine Risk and Associate Risk Levels).
8. Control Recommendations (What can we do to Mitigate, Transfer, … the risk).
9. Results Documentation (Documentation with all the facts and recommendations).
51
What is confidentiality?
Confidentiality seeks to prevent the unauthorized disclosure of information; it keeps data secret
52
What is integrity?
Integrity seeks to prevent unauthorized modification of information
53
What is availability?
Availability ensures that information is available when needed
54
What is authentication?
Proving an identity claim is called authentication
55
What is authorization?
Authorization describes the actions you can perform on a system once you have been identified and authenticated
56
What is accountability?
Accountability holds users accountable for their actions. This is typically done by logging and analyzing audit data.
57
What is a subject?
A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. A subject manipulates an object.
58
What is an object?
An object is any passive data within the system. Objects can range from documents on physical paper to database tables to text files
59
What is the difference between due diligence and due care?
Due care: What would a prudent person due in this situation? Negligence is the opposite of due care. Due diligence is acting on due care.
60
What are the three types of financial damages?
3 types of financial damages:
Statutory, Compensatory, and Punitive.
61
What are statutory damages?
Statutory damages are those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury
62
What is the OECD?
The Organisation for Economic Co-operation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the
world. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as
an impetus to change current policies and legislation in the OECD member countries and beyond.
63
What are the 10 commandments of computer ethics?
Ten Commandments of Computer Ethics are:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
64
What are compensatory damages?
Compensatory: provide the victim with a financial award in effort to compensate for the loss or injury incurred as a direct result of the wrongdoing
65
What are punitive damages?
Punitive: The intent of punitive damages is to punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.
66
At a meeting with upper management, we are looking at different types of intellectual property materials. How is copyright protected?
70 years after creator's death or 95 years for corporations.
67
What is the exposure factor?
How many percentage points of an asset is lost
68
Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. What rules they MUST follow?
Privacy rule, security rule, breach notification rule.
69
Who in our organization should approve the deployment of honeypots and honeynets?
Senior management and legal team
70
If we are wanting to implement governance standard and control frameworks focused on internal risk analysis, what should we implement?
FRAP (Facilitated Risk Analysis Process) analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, Threats and Risks Prioritized.
71
What is the legality of typo squatting? What is the legality of cyber squatting?
Typo squatting - potentially illegal
| Cyber squatting - legal
72
We are in a court of law presenting our case from a security incidence. What constitutes corroborative evidence?
Supporting facts and elements
73
In our risk analysis, we are looking at the total risk of a vulnerability. What would we look at to find the total risk?
Total Risk = Threat * Vulnerability * Asset Value.
| Risk = Threat * Vulnerability
74
What is a qualitative risk analysis?
Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, guessing, a feeling and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
75
How long are trademarks protected for?
Trademarks ™ and ® (Registered Trademark). Brand Names, Logos, Slogans – Must be registered, is valid for 10 years at a time, can be renewed indefinitely.
76
What regulation formalizes the prudent man rule, requiring that senior executives take personality responsibility for ensuring due care?
Federal Sentencing Guidelines
77
What law requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order?
Communications Assistance for Law Enforcement Act of 1994.
78
What is SD3+C?
Microsoft's security development lifecycle with the motto "secure by design, secure by default, secure in deployment and communication"
79
What are the 5 steps in the BIA process?
```
Identification of priorities
Risk identification
Likelihood assessment
Impact assessment
Resource prioritization
```
80
What is the parole evidence rule?
States that when an agreement between two parties is put into written form, the written document is assumed to contain all terms of the agreement, and no verbal agreements may modify it.
81
What are the basic requirements for the admissibility of evidence?
Evidence must be relevant, material, and competent.
82
What is the controls gap?
The difference between total risk and residual risk. The controls gap is the amount of risk that is reduced by implementing safeguards.
83
What is STRIDE?
Microsoft's threat categorization scheme. Stands for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
84
What is FISMA?
Federal Information Security Management Act, passed in 2002, requires that federal agencies implement an information security program that covers the agency's operations. Activities of contractors must be included in their security management programs.
85
What are the three types of plans employed in security management?
Strategic plan-long-term and fairly stable
Tactical plan- midterm and somewhat detailed
Operational plan- short term and highly detailed
86
What law grants rights to students enrolled in educational institutions that accept government funding?
Family Educational Rights and Privacy Act
87
What are the HITECH data breach notification requirements?
HIPAA covered entities that experience a data breach must notify affected individuals of the breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
88
What are the three requirements for acceptance of a patent application?
The invention must be new, useful, and non-obvious.
89
What is the Children's Online Privacy Act?
Law requiring websites to provide parents with the opportunity to review any information collected from their children
90
What are the three access control categories?
Physical, technical, administrative
91
What are the 11 areas of ISO ISO 27002 (17799)?
ISO 27002 has 11 areas, focusing on specific information security controls:
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
92
What was ISO 17799 renumbered to? Why was that done?
ISO 17799 was renumbered to ISO 27002 in 2005 in order to make it consistent with the 27000 series of ISO security standards
93
What are the four domains of COBIT?
COBIT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
94
What are the five service publications of ITIL?
```
ITIL® contains five Service Management Practices—Core Guidance publications:
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
```
95
How is cryptography affected by the Wassenaar Arrangement?
Wassenaar Arrangement - 1996 – present. Limits exports on military and "dual-use” technologies. Cryptography is part of that. Some nations also use it to prevent their citizens from having strong encryption (easier to spy on your own people if they can't use strong cryptography). SQL databases are not covered.
96
What is e-Discovery?
e-Discovery or Discovery of electronically stored information (ESI) is the process of producing all relevant documentation and data to a court or external attorneys in a legal proceeding.
97
What are the 9 phases of the e-Discovery reference model?
```
Information Governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
```
98
What are the 7 principles of the EU-US Privacy Shield
| Framework?
```
Notice
Choice
Onward Transfer
Security
Data Integrity
Access
Enforcement
```
99
99
99
100
100
101
102
102
103
104
105
106
107
107
108
108
109
109
110
110
110
