Domain 1 - Security and Risk Management COPY Flashcards
(228 cards)
1
Q
what is CIA
A
confidentiality
integrity
availability
2
Q
what are we protecting when we are talking about integrity
A
ensuring there is no unauthorized modifications to the data or systems (no data has been altered)
3
Q
what are we protecting when we are talking about availability
A
authorized persons have access to the data or system at a reasonable amount of time
4
Q
what are we protecting with confidentiality
A
only authorized persons or systems have access to the data when they need it
5
Q
tools that are used to ensure confidentiality
A
- encryption for data at rest (example AES256)
- secure transport protocols (SSL, TLS, IPSEC)
- best security practice for data in use ( clean desk, no shoulder surfing, screen view protector, pc locking policy,
- strong passwords, multi-factor authentication, masking data entry, access controls, need-to-know, least privilege
6
Q
threats to confidentiality
A
- attacks on encryption (cryptanalyst)
- social engineering
- key loggers (software/hardware), cameras, steganography
- IOT (internet of things) the numbers of these items pose a threat. less secure, most are not updated, can be used as backdoors to other systems
7
Q
what software/tools can we use to ensure integrity
A
- cryptography (again)
- check sums (this could be CRC)
- message digest (hash) this could be MD5, SHA1 or SHA2
- digital signatures
- access control
8
Q
examples of threats to integrity
A
- alteration of our data
- code injection
- attacks on your encryption (cryptanalysis)
9
Q
tools used to ensure availability
A
- IPS/IDS
- Patch management
- redundancy (multiple power supplies/UPS’s/generators), disks (raid), traffic paths(network design), HVAC, staff, HA and more
- SLA’s - how much uptime do we want (what is that cost?)
10
Q
threats to availability
A
- malicious attacks (DDOS, physical, system compromise, staff)
- application failures (errors in the code)
- component failure (hardware)
11
Q
what does IAAA stand for
A
identification
authentication
authorization
accountability (monitoring/logging)
12
Q
what is Identification
A
you name, username, serial number, id number, employee number
“I am XXXX”
13
Q
what is authentication
A
proving you are who you say you are (always should be multifactor)
14
Q
what is Type 1 authentication
A
something you know -Type 1 Authentication: (passwords, pass phrase, PIN, etc.)
15
Q
what is type 2 authentication
A
something you have -Type 2 Authentication: (ID, passport, smart card, token, cookies on PC, one time password (OTP) etc. )
16
Q
what is type 3 authentication
A
something you are - Type 3 Authentication: (biometrics) fingerprint, iris scan, facial geometry, etc)
17
Q
what is the opposite of CIA
A
Disclosure - (confidentiality)
destruction - (availability)
alteration - (integrity)
18
Q
formula for risk
A
risk = threat X vulnerability
Sometimes an added variable of impact is added
Risk = threat x vulnerability x impact
19
Q
if there is a vulnerability but no threat towards that vulnerability, is there risk?
A
no
if there is not threat towards the vulnerability there is not current risk
20
Q
what is authorization?
A
- what you are allowed to access
2. access control models ( DAC, MAC, RBAC(role based access), RUBAC(rule based access))
21
Q
what is the last A in IAAA
A
accountability -
- auditing(logs)
- prove who/what a given action was performed by (non-repudiation)
22
Q
explain least privilege
A
- give users/system exactly the access they need, no more
23
Q
explain need to know
A
- you are generally given more access than you need(in a need to know environment) but if you do not have a need then you should not be accessing that data.
example: doctors, they need to have access to all patients but if they are not their patients the do not have the need to access their data
24
Q
what is non-repudiation and what two functions are used to provide it
A
- can not deny having performed a certain action
- authentication
- integrity
25
what is a subject
(active) most often a user but can be a system. subjects manipulate objects
26
what is an object
1. (passive) object is manipulated by subjects
2. any passive data (both physical paper and data)
3. a program can be both object and subject depending on if its accessing data or something is accessing it
27
what is governance not (security governance)
* how an organization is managed
| * actions and controls placed on those charged with managing a business entity
28
what is security governance
1. how security is managed through policies, roles, processes used to make security decisions.
29
In this list there are 6 truths about organizational security goals. name as many as you can
• security must align with the organization goals, not dominate or drive them
• security is optional, its a support function
security and the budget that funds it, can be done away with at any time (probably not wise but it can be)
• security practitioners must align with organizational goals
• implemented correctly, it helps keep cost down
• the security program must serve the organization properly
30
what is a governance committee
a formal decision making body within the organization
31
list the need to know C-level (senior leadership) - ultimately liable.
1. CEO - chief executive officer
2. COO - chief operations officer
3. CIO - chief information officer
4. CTO - chief technology officer
5. CSO - chief security officer
6. CISO - chief information security officer
7 CFO - chief financial officer
32
what does pci-dss stand for and what is it
payment card industry data security standard..
| its a standard but IS required if you want to handle credit cards or debits cards
33
what is COBIT and what to remember about it
* framework created by ISACA for IT management and governance
* has 5 principals
* business framework for governance and management of enterprise IT
34
what is the goal behind COSO
* auditing controls framework
* designed to prevent fraud reporting of financial activities
* provides guiding principles for internal controls over the entire enterprise
35
what is ITIL
* is a framework (best practices) for IT service management for (ITSM)
* ITIL v4, essentially it’s a best practice for service management (IT)
36
what does ITSM stand for and what is it
Information Technology service management..
• improving business performance through better IT deliver.
• making IT better for
••• business operations
••• Employees
••• customers
37
Define ITSM
* information technology service management
* the craft of implementing, managing, and delivering and improving IT services
* focuses on aligning IT processes and services with the business objectives to help an organization grow
38
quickly define the FRAP methodology
* focus is on IT security threats
* qualitative risk management
* focus only on systems that really need assessing, reducing cost and time needed
* the author felt that trying to use mathematical formulas to figure risk was too complicated
39
what is ISO/IEC 27001?
this international standard provides requirements for establishing, implementing, maintaining and improving an Information Security management System (ISMS)
40
what does ISO/IEC 27002 accomplish
it is to be used as a reference for determining and implementing controls for information security risk treatment in a information security management system (ISMS) based on ISO/IEC 27001
41
what does ISO/IEC 27004 accomplish
intended to assist organizations to evaluate the performance and effectiveness of and ISMS (information, security management system).
* monitor
* measurement
* analysis
* evaluation
based from ISO 27001
42
what does ISO/IEC 27005 provide
guidelines for information security risk management in an organization.
• its just guidelines, it is up to the organization to define their approach to risk management
43
what does IS/IEC 27799 provid
standard that provides guidance to healthcare organizations and other custodians of protected health information (PHI) on how to best protect confidentiality, integrity and availability of that information
44
a couple of facts about criminal law
* society is the victim
* proof must be beyond a reasonable doubt
* incarceration, death, financial fines
45
facts about civil law
* another name is tort law
* individuals, groups and organizations are the victims
* proof must be "the majority of proof"
* financial fines to compensate the victim(s)
46
facts about administrative law
* regulatory law
| * enacted by government agencies (FDA laws, HIPAA, FAA laws etc.)
47
facts about private regulations
• compliance is required by contract (example: PCI-DSS)
48
facts about customary laws
* mostly handles personal conduct and patterns of behavior
| * traditions and customs of the area or region
49
facts about religious law
* pretty much what it sounds like
* religious beliefs in that area or country
* often include their code of ethics and morality
50
who is ultimately liable?
* senior leadership
| * this does not mean you are not liable if you did something wrong (depends on due care)
51
what is due care
* actions/behaviors
* prudent person rule
* what would a prudent(reasonable) person would do in this/that situation
* implementing/applying proper policies, procedures, processes etc.
* examples: changing systems settings (crypt algorithms, key size, protocols), employee training and awareness about security and their responsibility, disabling employee access when needed.
52
what is due diligence
* researching
* preparation
* leg work
* knowledge and understanding
* making sure the right things are done correctly (research, investigation)
* anything done before decisions are made
* example: knowledge of laws, regulations, industry standards, knowledge of best practices
53
explain negligence
* opposite of due care
| * if your systems are compromised and you did nothing to prevent it, you are likely negligent or gross negligent
54
explain real evidence
• tangible and physical objects (hard disks, usb drives) (but not the data))
55
what does evidence have to be in order to be considered in court
* relevant
* material
* complete
56
direct evidence is
* testimony from first hand witness
| * what they experiences with their 5 senses
57
what is circumstantial evidence
• evidence to support circumstances or other evidence
58
explain hearsay evidence
* mostly what it sounds like - not first hand knowledge
| * computer generated records
59
what type of evidence are logs and documents from the system
secondary evidence
60
the integrity of evidence is mandatory, what are a few things done during forensics
* disks are hashed (cd, hard drive, sd card, blue ray etc.)
* make a copy using a write blocker to prevent changes to drive - hash again to make sure there was no change
* all investigation is done on the copy
* hash the copy when done to prove no changes were made
61
evidence chain of custody
* who obtained the evidence and secured it
* where and when it was obtained
* who had control or possession of the evidence
* secure storage in a monitored vault is common
62
reasonable searches - a few details
* the fourth amendment protects citizens from unreasonable search and seizure by the government
* in all cases the court will decide if the evidence was obtained legally
* exigent circumstances
63
when does exigent circumstances apply
* if there is an immediate threat to human life
| * or if evidence is about to be destroyed
64
define entrapement
* illegal and unethical
| * when someone is persuaded to commit a crime that they did not intend to and charged for that crime
65
define enticement
* legal and ethical
* making committing a crime more enticing - the person has broken the law or at least decided to do so
* an example would be honeypots
* check with legal before department before using honeypots - they pose both legal and practical risks
66
what does copyright cover
books, art, music, software
67
how long does a copyright last
* 70 years after creator's death
| * 95 years after creation by a corporation
68
what is the exceptions to copyright law
* first sale
| * fair use
69
what do trademarks cover
• brand names, logos, slogans(must be registered)
70
how long do trademarks last
* valid for 10 years
| * can be renewed indefinitely
71
what do patents cover
* inventions
| * cryptographic algorithms can be patented
72
how long do patents last
• 20 years
73
what is the criteria for a patent
1. profitable
2. novel
3. previously unknown
4. nonobvious
5. music\books\art
6. useful
2. novel (new idea no one has had before)
6. useful (can be used and is useful to others)
4. nonobvious (inventive work involved)
74
trade secret attributes
* you keep your secret recipe secret (KFC)
* if discovered, anyone can use it
* there is no protection
75
what are some attacks on a copyright
* piracy (software piracy is the most common)
| * copyright infringement (use of someone else's copyrighted material, often songs and images)
76
what are some attacks on trademarks
• counterfeiting (fake Rolexes, Prada, Nike) either using the real name or something similar
77
what are some attacks on patents
• patent infringement - using someone else's patent in your product without permission
78
what are some attacks on tradesecrets
• there is no law that protect trade secrets but you also cant break the law to discover it.
79
what is cybersquating
• buying a URL that you know someone else will need for the soul purpose of selling at a profit
80
what is typo squatting
• buying URL that are very close the the real thing (this can be illegal in some circumstances)
81
what does HIPAA stand for
• Health Insurance Portability and Accountability Act
82
what is the core protection of HIPAA
• Strict privacy and security rules on handling PHI (protected health information)
83
what does PHI stand for
• protected health information
84
what does SOX stand for, what was it and when was it created
* Sarbanes-Oxley Act
* created 2002
* created to prevent a repeat of accounting scandals in the 1990s
85
what sector is Gramm-Leach-Briley act (GLBA) aimed at
* applies to financial institutions
| * drive by the federal financial instutution
86
what did the patriot act do
| when was it
* expand law enforcement electronic monitoring capabilities
* allows search and seizure without immediate disclosure
* 2001
87
what does PCI-DSS stand for
• Payment Card Industry Data Security Standard
88
is PCI-DSS a law
• no, its a standard enforced by the payment card industry
89
what do PCI-DSS standards apply to and what is its purpose
* credit cards
* debit cards
* requires merchants and anyone dealing with credit cards and debit cards to meet a minimum set of security requirements
90
what does GDPR stand for and when was it enacted
• General data protection regulations
• enacted in 2016
° enforced in 2018
91
what region does GDPR apply to
• anyone living in the European Union
92
1. does GDPR (general protection privacy act) apply to anyone outside the EU
2. how about EU citizens living outside the EU
* no
| * it does not apply to EU citizens living outside the EU
93
what are possible fines if you break GDPR rules
• 20 million euro or 4% of annual revenue
94
list GDRP personal data types
name(even common), email address, living address, unsubscribe confirmation URLs that contain email and/or names, IP address etc.
95
according to GDPR what is required to use personal data and what are the limitations
* the individual has to give expressed consent to user the personal data and only the person data that the consent was given for
* the individual has the right to opt out
* no other personal data is legal to process, unless there is a legal reason to do so
* even after consent is given, the identity has to be anonymized
96
according to GDPR what are the only reasons that personal data would be allowed to be unmasked
* national security
* military
* police
* or the justice system
97
In GDPR - - what is right to access
• article 15, you have the right to request a copy of your personal data or request a electronic copy and it must be provided
98
GDPR what is right to erasure
• you have the right to request to be forgotten (all personal data about you must be destroyed), except for laws and regulatory reasons like credit cards etc.
99
GDPR breach notification is what
• users and data controllers must be notified of data breaches within 72 hours
100
in the US, are you required to report a data breach if your data was encrypted
• no
101
from a company perspective, what are some thoughts when dealing with GDPR and personal data
* care must be taken to ensure personal data security
* only store personal data that is absolutely necessary - if its not needed, do not store it, you are not legally allowed to do so
* of you are data processing and monitoring information in the EU you must appoint a data protection officer
102
what are some legacy laws between the EU and US
* EU data protection directive (predecessor to GDPR)
* EU-US safe harbor
* Privacy Shield
103
is it legal to transport data outside the EU
• only if the county has equal to or greater privacy protection as GDPR
• the US does not
Note: there are agreements/ requirements to allow data to and from the US (safe harbor act is an example)
104
what laws dealing with privacy did the European court of justice declare invalid
* EU-US safe harbor in 2015
| * Privacy shield in 2020
105
Wassenaar Arrangement attributes
* 41 members
* was originally for conventional arms
* "dual-use" good and technologies was added (cryptography is part of that)
* import and export restriction on cryptographic algorithms
* Iran, Iraq, China, Russia have restrictions on how strong the encryption is allowed in their country (they don't want it to be too hard to spy on their citizens)
106
which is not mandatory
1. policies
2. standards
3. guidelines
4. procedures
5. baselines (benchmarks)
3. guidelines
107
which are mandatory
1. policies
2. standards
3. guidelines
4. procedures
5. baselines (benchmarks)
1. policies
2. standards
4. procedures
5. baselines
108
define policies
* mandatory
* high level - none specific (broad umbrella)
* strategic
* why and what we are doing (not how)
* can contain "patches, updates, strong encryption"
* not specific to OS, encryption type or vendor technology
109
define standards
* standards set a describes a specific use of technology ( all laptops will be windows 10 64bit , 8 gigs of memory 1TB hard drive etc.)
* tactical
* formalization of regulatory or compliance
* laws and regulations from outside the organization
* mandatory
* A perfect example is when a standard sets a mandatory requirement, such as that encryptions must be applied to all email communications.
110
define guidelines
• recommendations, discretionary
---- suggestions on how you would do things
• non-mandatory
• do not confuse guidelines with best practices. they are not the same
111
define procedures
* mandatory
* very detailed step by step approach on how to implement a security practice
* most specific
* they will contain " OS type, encryption type, vendor technology"
112
define baseline
* mandatory
* benchmarks for server hardening, apps, network
* minimum requirements
* stronger can be implemented if needed but these are minimum requirements
113
users often pose the largest security risk. what are some ways to minimize
* awareness training - change users behavior
* training - provide users with a skillsets
* hiring practices - background checks, check references, degrees, employment, criminal and maybe credit history.
* employee termination practices - coach and train employees before firing them (they get warnings)
* •• proper termination process, all access is properly shut down at the right time
114
what should you do to ensure you are protected when dealing with vendors, consultants etc.
* vendors, consultants and contractor security should be trained on processes for handling data.
* their systems need to secure enough for our policies and procedures
115
what are the 3 access control categories
* administrative
* technical
* physical
116
what are the 6 access control categories
1. preventative
2. detective
3. corrective
4. recover
5. deterrent
6. compensating
117
define administrative access controls
* policies and procedures defined by organization security policy to implement and enforce overall access control.
* (personnel and business practices)
* •• examples: policies and procedures, background checks, hiring practices, data classification, vacation history, reviews, security training awareness
118
define technical access control
* hardware/software/ that manages access control to systems and resources
* firewalls, routers, encryption, protocols, smart cards, ACLs, passwords, constrained interfaces
119
define physical access control
* barriers deployed to prevent direct contact with systems or facilities.
* •• examples: locks, fences, guards, dogs, gates, bollards,
120
define preventive access control
* stops unwanted or unauthorized activity from happening, prevents actions from happening
* ••• examples: fences, least privilege, security policies, security awareness training, drug testing, IPS, firewalls, encryption, data classification, strong authentication, biometric access, mantraps
121
define detective access control
* controls that detect during or after unauthorized activities
* •• examples: IDS, CCTV, alarms, anti-virus, security guards, mandatory vacations, honey pots, audit trails, incident investigation, security guards
122
define corrective controls
* any measures taken to repair damage or restore resources and capabilities to prior state
* •• examples: patching a system, updating an outdated antivirus, quarantine a virus, terminating a process, rebooting a system, business continuity plan, applying a fix, restoring from backup
123
define recovery access control
* deployed to repair or restore resources. can repair damage as well as stop further damage
* •• examples: DR environment, backups, HA environment, fault tolerant drive systems, server clustering, database shadowing.
124
define deterrent access controls
* deployed to discourage the violation of security policies - deter an attack
* •• examples: locks, fences, security badges, security guards, mantraps, cameras, trespass or intrusion alarms, separation of duties, encryption, auditing, firewalls, awareness training, dogs
125
define compensating access controls
* provide various options to other existing controls, to aid the enforcement and support of a security policy.
* •• examples: security policies, personnel supervision, monitoring, work task procedures
126
what is the formula for risk
* risk = threat X vulnerability
* impact can be added
* risk = threat X vulnerability X impact (how bad is it)
127
what are the 4 steps to risk management lifecycle that Thor teaches
```
• Risk identification
• risk assessment (analysis)
• risk response/mitigation
• risk and control monitoring
its an iterative process
```
128
what is an asset
• anything of value to the company
129
what is a vulnerability
• a weakness, the absence of a safeguard
130
what is a threat
* an incident that could negatively effect the organization
| * Any natural or man-made circumstance that could harm an organizational asset
131
what is a threat agent
• the entity which carries out the attack
132
what is an exploit
• an instance of compromise
133
what is a risk
* the probability of a threat materializing
| * the probability of exposure or loss resulting from a cyber attack or data breach on your organization
134
what are controls
• physical, administrative, technical protections (including safeguards and countermeasures)
135
two types of risk assessments
* qualitative
| * quantitative
136
what is qualitative risk assessment
* how likely is it to happen
* how bad is it if it happens
* some guess work, estimations based off feel - very subjective
* a pretty quick process
137
what is quantitative risk analysis
* this is dealing with dollars. what is the actual cost
* dealing with actual value of the asset
* based on facts
* labor intensive
* objective
138
what is asset value
• the value of the asset
139
what does EF stand for and what is it
* exposure factor
| * percentage of asset lost due to an incident
140
what is SLE and how do you figure it
• single loss expectancy
• SLE = (AV X EF)
single loss expectancy = asset value X exposure factor
141
what is ARO and how do you figure it
* annual rate of occurrence
| * how often will this loss happen per year (usually shown as a percentage)
142
what is ALE and how to figure it
• Annualized loss expectancy
• yearly cost due to a risk
• ALE = SLE X ARO
annualized loss expectancy = single loss expectancy X annual rate of occurrence
143
what is TCO and how is it figured
* total cost of ownership
* the total cost of a mitigating safeguard. (upfront cost plus the annual cost of maintenance) this includes staff hours, vendor maintenance fees, software subscriptions, etc.
144
what are the 4 types of risk response and some details if needed
* accept risk - we know the risk but the cost to mitigate is more costly than the risk
* mitigate the risk (reduction)
* avoid - decide to no longer do that activity because mitigation is too expensive
* transfer - insurance or 3rd party support (msp etc.)
145
* can you mitigate all risk?
| * what is residual?
* no
| * residual risk is what is left after you mitigate the risk to an acceptable level
146
what is risk avoidance
* we choose not to do the action to avoid the risk
| * ••• example: maybe there is a risk to loss of data on stolen laptops. to avoid that risk, you don't deploy laptops.
147
what is risk rejection
* you know the risk is there and you do nothing
| * we never do this, its not an acceptable answer
148
what is transfer of risk
* handing the risk off to a willing 3rd party
* think insurance
* possibly any 3rd party vendor if you are choosing them to transfer risk (order fulfillment, payroll services, customer service, managed service provider)
149
what is secondary risk
• mitigating one risk, may open up another risk
150
according to nist 800-39 what does the risk management process include
* Framing risk
* assessing risk
* responding to risk
* monitoring risk
151
according to nist 800-39 what are the 3 tiers that risk assessments can be conducted
* organization
* missions/business processes
* information systems
* ••• process should start at the top, go down the stack then the inter tier and and intra tier feedback loop goes back to the top.
152
according to nist 800-39 why should all 3 tiers in the risk assessment be considered
• traditionally risk assessment is focused at the information system tier. many risks can be missed by not looking at organization and mission tiers.
153
what is nist 800-30
• guide to conducting risk assessments
154
what is nist 800-37
• RMF (risk management framework for Information Systems and Organizations)
155
according to NIST 800-37 what are the 7 risk management framework steps
* Prepare - to execute RMF
* Categorize - the systems and information
* select - initial set of controls
* implement - the controls and document
* assess - are controls implemented correctly and working
* authorize - sign off by senior management or data owner
* monitor - continue to monitor controls, conduct risk assessments and impact analysis
156
what are the NIST cybersecurity framework core funcitons
* Identify
* protect
* detect
* respond
* monitor
157
what falls in the Identify function in the NIST cybersecurity framework
* asset management
* governance
* risk assessment
* supply chain risk management
158
what falls in the protect function in the NIST cybersecurity framework
* awareness training
* data security
* Identity management and access control
* maintenance
159
what falls in the detect function in the NIST cybersecurity framework
* anomalies and events
* security monitoring
* detection process
160
what falls in the respond function in the NIST cybersecurity framework
* response planning
* communications
* mitigation
* improvements
* analysis
161
what falls in the recover function of the NIST cybersecurity framework
* recovery planning
* improvements
* communications
162
what is KGI
* key goal indicators
| * KGI are lagging indicators, the function is to confirm whether or not a business goal has been reached.
163
what is KPI
* key performance indicators
| * are used to show how the organization is performing based on the goals set by leadership.
164
what is KRI
* key risk indicators
* measures the organizations risk and how its risk profile changes
* metrics that demonstrate the risks that an organization is facing or how risky and activity is
* metrics used by organizations to provide an early signal of increasing risk exposures in various areas
165
what is a risk register
* an information repository an organization creates to document the risks they face and the responses the are taking to address the risks.
* at a minimum each risk documented should contain a description of each risk, the likelihood and impact from a cost standpoint.
* each risk should be ranked in priority relevant to other risks, the response for each risk and how owns it.
166
what is C&C
• command and control, when talking about botnets and malware
167
what protocols do botnets often use
• IRC, HTTP, HTTPS
168
what are the 4 types of fishing and the media/target they us
* phishing - social engineering, small attacks or mass emails, not specific target
* spear phishing - targeted phishing at a specific person. still using social engineering but there has been information gathered on a person or group
* whale phishing - spear phishing targeted at senior leadership
* vishing - attacks over voice. automated calls "your taxes are due" "your account is locked, enter your PII to prevent this"
169
what is the purpose of the business continuity plan
• to respond to disruptions, activate recovery teams, handle tactical disaster status communication, assess damage caused by disruption
170
what does BCP stand for
• business continuity plan
171
define BCP
* a document that outlines how a business will continue to operate during an unplanned disruption in service
* is the process of ensuring the continuous operation of your business before, during, and after a disaster event
172
what are the important NIST publications for security and risk management
* NIST 800-30 - guide for conducting risk assessments
* NIST 800- 39 Managing Information Security Risk
* NIST 800-34 Contingency Planning Guide for Federal Information Systems
* NIST 800-53
173
what is the focus of continuity planning and what section of the company does it normally apply to
• Continuity Planning normally applies to the mission/business itself; it concerns the ability to continue critical functions and process during and after an emergency event.
174
what is the focus of contingency planning and what section of the company does it normally apply to
• contingency planning applies to information systems, and provides the steps needed to recover the operations for all or part of designated information systems
175
define cyber incident response planning
• a plan that normally focuses on detection, response and recovery to a computer security incident or event
176
define (BCP)
* business continuity plan focuses on sustaining the organizations mission/business processes during and after a disruption
* BCP can be scoped for a single business unit or the entire organization
* BCP may be used as a long-term recovery in conjunction with the COOP
* ••• an example: how do deal with payroll processes during a disruption
177
what does COOP stand for
• continuity of operations
178
what is the function of COOP
* focuses on restoring an organizations missions essential functions (MEF) at an alternate site and performing those functions for 30 days before returning to normal operations
* may also be activated with BCP, ISCP or DRP
179
what is the function of the crisis communication plan
* documents standard procedures for internal and external communications in the event of a disruption
* provides various formats
* often defines specific people as the "only" authority to answer questions from or providing information to the public
* should be communicated to COOP and BCP planners
180
what does CIPP stand for
• critical infrastructure protection plan (CIPP)
181
what is the function of CIP (critical infrastructure protection plan)
* critical infrastructure and key resources (CIKR)
* components of the national infrastructure that are deemed so vital that their loss would have debilitation effect of the safety, security, economy, and/or health of the Unites States.
182
what is Cyber Incident Response plan
* establishes procedures to address cyber attack's against an organization's information system.
* this plan may be an appendix in the BCP
* this may activate a ISCP or DRP
183
what does DRP stand for
• disaster recovery plan
184
what is the function of the DRP
* DRP is a information system-focused plan designed to restore operability of the target system, applications, or computer facility infrastructure at an alternate site after an emergency
* DRP only address information system disruptions the require relocation
* DRP may support BCP or COOP
185
what does ISCP stand for
* information system contingency plan
* provides procedures for the assessment and recovery of a system following a system disruption
* differs from the DRP in the fact that the plan focuses on recovery and is not specific to site (primary or failover site)
* can work in conjunction with coop, drp and bcp
186
what does OEP stand for
• occupant emergency plan
187
what is the OPE (occupancy emergency plan) focus on
* people are most important
* first response procedures for occupants of a facility in the event of a threat or incident to the health and safety of personnel, the environment, or property.
* physical threat
* fire, bomb threat, chemical release, domestic violence in the work place, or medical emergency
* initiated preceding a COOP or DRP activation
188
what is the BIA pupose
• to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption.
189
what plans should the BIA be incorporated into
* BCP
* DRP
* COOP
190
3 stages typically involved with BIA
1. determine mission/business process and recovery criticality
2. Identify resource requirements - what resources are needed to resume mission critical processes
3. Identify recovery priorities for system recourses - prioritize the mission critical processes
191
what is MTD
* Maximum Tolerable Downtime
* the total amount of time the system owner/authorizing official is willing to accept for a mission process outage or disruption.
192
what is RTO
* Recovery time Objective
* the amount of time to restore the system (hardware)
* RTO and WRT must not exceed MTD
193
what two formulas should be equal to or less than MTD
• RTO and WRT
194
what is WRT
• Work Recovery Time (software)
195
what is MTBF
* Mean Time Between Failures
| * •••• example: average time that drives fails is 5 years. MTBF is 5 years
196
what is MTTR
• Mean Time To Repair -- how long it takes to recovery the failed system
197
what is MOR
• Minimum Operating Requirements - the minimum requirements for critical systems to function
198
what will suffer if you have too much confidentiality
• availability
199
what will suffer if you have too much integrity
• availability
200
what will suffer if you have to much availability
• confidentiality and integrity
201
what is IT security's main purposes
* to support the business mission statement
* support business goals
* we are not the most important department but we span all departments
* we are security leaders and business leaders
202
should senior management be part of the BCP and DROP process
* yes, they need to be involved and committed
* ultimately they are liable
* they must show due care and due diligence
* be careful during the process, most departments feel they are the most important therefore their systems should be take priority
203
what is the ISC2 ethics mnemonic
* PAPA
* Protect
* Act
* Provide
* Advance
204
what is type 1 authentication
• something you know --- password, pass, phrase, PIN, etc.
205
what is type 2 authentication
• something you have -- ID, passport, smart card, token, cookies on PC, one time password(OTP) etc.
206
what is type 3 authentication
• something you are -- (biometrics) fingerprint, iris scan, facial geometry, your gait (walking pattern)
207
what is the subject of ISO 27799
• Directives on how to protect PHI
208
what is the subject of ISO 27005
• standards based approach to risk management
209
explain Sabsa
* layers and framework create and define a top down architecture for every requirement, control and process available in COBIT
* model and methodology for developing a risk-driven enterprise information security architecture and service management, to support critical business processes
210
explain TOGAF framework
• TOGAF is useful for defining the architecture goals, benefits and vision, and setting up and implementing projects to reach those goals.
211
types of evidence
* Demonstrative evidence
* Documentary evidence
* Real evidence
* Testimonial evidence
212
what is corroborative evidence
is supporting evidence used to help prove an idea or point. It cannot stand on its own but is used as a supplementary tool to help prove a primary
piece of evidence.
213
what is secondary evidence
• is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases). Oral evidence, such as a witness’s testimony, and copies of original documents are placed in this category.
• Logs and documents from the systems are considered secondary
evidence.
214
corrective access control is what
Corrective controls include any measures taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. Examples of technical corrective controls include patching a system, quarantining a virus, terminating a process, or rebooting a system
215
Which of these is automatically granted, you do NOT have to apply for it?
1. patent
2. trademark
3. copyright
4. legal immunity
3. copyright
216
We are considering how we should protect our intellectual property. Which of these do you need to apply for to be protected? (Select all that apply).
1. patent
2. trademark
3. trade secret
4. copyright
1. patent
| 2. trademarks
217
Which of these would be a type of corrective access control?
1. encryption
2. backups
3. patches
4. IDS
3. patches
218
Jane is working on strengthening our preventative controls. What could she look at to do that?
1. patches
2. IDS
3. drug tests
4. backup
3. drug test
219
Healthcare insurers, providers and clearing house agencies must comply with HIPAA (Health Insurance Portability and Accountability Act) if they operate in the United States. Which of these are rules they MUST follow? (Select all that apply).
1. privacy
2. disclosure rule
3. encryption rule
4. breach notification
5. security rule
1. privacy rule
3. breach notification rule
5. security rule
Explanation
Puts strict privacy and security rules on how Protected Health Information (PHI) is handled by health insurers, providers and clearing house agencies (Claims). Health Insurance Portability and Accountability Act (HIPAA) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate Administrative, Physical and Technical safeguards. Security Breach Notification Laws. NOT Federal, 48 states have individual laws, know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause. Lost encrypted data may not require disclosure.
220
If we are wanting to implement a governance standard and control framework focused on IT service management, which of these should we implement?
coso
frap
cobit
ITIL
ITIL
```
Explanation
ITIL (Information Technology Infrastructure Library) focuses on ITSM (IT Service Management).
```
221
One of our senior VPs calls you up to explain a term he heard at a conference. He heard about cybersquatting and wants to know more. Which of these is TRUE about it?
never profitable
potentially illegal
always illegal
legal
legal
Explanation
Cybersquatting – Buying an URL you know someone else will need (To sell at huge profit – not illegal).
222
Which type of companies are subject to the Sarbanes-Oxley act (SOX)?
1. startup companies
2. healthcare companies
3. private companies
4. publicly traded companies
4. publicly traded companies
Explanation
Sarbanes-Oxley Act of 2002 (SOX): Directly related to the accounting scandals in the late 90’s. Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.
223
```
Jane is looking at the CIA triad and working on mitigating our availability vulnerabilities. Select all the threats against our availability:
software coding errors
code injections
keyloggers
hardware failure
ddos
```
software coding errors (meaning fault error. something failing to a halt) "I did not read this correctly the first time"
hardware failure
DDOS
Explanation
Common attacks on our availability includes Distributed Denial Of Service (DDOS) attacks, hardware failures, software failures. Keyloggers are normally attacks on our confidentiality and code injections are attacks on our integrity.
224
The US HIPAA (Health Insurance Portability and Accountability Act) laws have 3 core rules. Which of these is NOT one of them?
encryption rule
breach notification rule
security rule
privacy rule
encryption rule
Explanation
HIPAA (Health Insurance Portability and Accountability Act) has 3 rules – Privacy rule, Security rule and Breach Notification rule. The rules mandate administrative, physical and technical safeguards. Risk Analysis is required.
225
What could be a security concern we would need to address in a procurement situation?
1. who gets the IT infrastructure
2. all of these
3. how do we ensure their security stands are high enough
4. security is part of the SLA
4. security is part of the SLA (read this question wrong. this is buying from a 3rd party not buying a business)
Explanation
Procurement: When we buy products or services from a 3rd party, security part of the SLA.
226
You hear that senior management is looking at the ISO 27005 standard, and a colleague asks you, "What is that focused on?"
1. PHI
2. risk management
3. HIPAA
4. ITSM
2. risk management
Explanation
ISO 27005: Standards based approach to Risk Management.
227
What would be one of the security concerns we would need to address in a divestiture?
1. who gets the IT infrastructure
2. all of these
3. security is part of the SLA
4. how do we ensure their security standards are high enough
1. who gets the IT infrastructure
Explanation
Divestitures: Your organization is being split up. How do you ensure no data crosses boundaries it shouldn't? Who gets the IT Infrastructure?
228
With the CIA triad in mind, if we have too much confidentiality which other control will suffer the MOST?
1. authentication
2. integrity
3. availability
4. accountability
3. availability
Explanation
Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for your organization. Too much Confidentiality and the Availability can suffer.
