Personnel Security and Risk Management Concepts Flashcards

(98 cards)

1
Q

What is the first step in hiring?

A

Job Description

2
Q

What is the purpose of job responsibilities?

A

Defines work tasks and defines what a person should be responsible for

3
Q

Process of adding new employees to the org, having them review/sign employment agreements and policies, and receive training on employee operations/logistics.

A

Onboarding

4
Q

Why is it important to have a good IAM?

A

Identity and Access Management:

  • provisions accounts
  • assigns privileges
  • assigns accesses
5
Q

Describe the principle of least privilege

A

Users should have the least amount of privilege required to do their job.

6
Q

What must happen when a user leaves their job and why?

A

Review NDA - it is the one legally binding document that safeguards against disclosure.

7
Q

Why enforce mandatory vacations?

A

Used as a peer review process

  • verify privileges of employees
  • attempt to detect fraud and abuse.
8
Q

What is UBA?

A

User Behavior Analytics: analyze the behavior of users, visitors, customers, etc. for some specific goal.

9
Q

When would you go through offboarding processes, i.e., remove someone from IAM?

A

Hire | Fire | Transfer

10
Q

What is a risk that exists when several entities or organizations are involved in a project?

A

Multiparty Risk

11
Q

Define SLA

A

Service Level Agreement: Ensure that organizations providing services maintain an appropriate level of service agreed on by both the service provider, vendor, or contractor and the customer organization.

12
Q

What is the type of risk response option that is used in the process of outsourcing?

A

assignment/transference

13
Q

The detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating risk.

A

Risk Management

14
Q

Examination of the environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause.

A

Risk Assessment - probability

15
Q

Evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis

A

Risk Response - implementing countermeasures

16
Q

Asset

A

Anything used in business process or task - person, place, or thing, tangible or intangible.

17
Q

Asset valuation

A

the value assigned to an asset based on actual cost, use in critical processes, and even non-monetary expense such as time

18
Q

Threats

A

any POTENTIAL OCCURRENCE that may cause an undesirable or unwanted outcome

19
Q

Threat agents

A

usually people but could be programs, hardware or systems

20
Q

Threat events

A
accidental occurrences and intentional exploitations of vulnerabilities:

  • system failures
  • fires
  • flood
  • earthquake
  • human error
  • power outage
21
Q

Threat vector

A

means by which an attack or attacker can gain access to target in order to cause harm

22
Q

Vulnerability

A

weakness in an asset or weakness of a safeguard:

  • loophole
  • limitation
  • susceptibility

23
Q

Exposure

A

Being susceptible to asset loss because of risk

24
Q

Risk (math and definition)

A

possibility or likelihood that threat will exploit a vulnerability to cause harm to an asset and severity of damage.
Risk = threat * vuln
Risk = probability of harm * severity of harm

25
Safeguard
security control, protection mechanism, countermeasure
26
Attack
intentionally attempted exploitation of a vulnerability
27
Breach
successful attack - intrusion or penetration beyond a security mechanism
28
Asset-Based Valuation
Start with inventorying all organizational assets and valuing them based on tangible and intangible issues.
29
Which method is preferred? Quantitative risk analysis or Qualitative risk analysis?
Neither - both methods are valuable to gain a balanced view of the security concerns.
30
Qualitative Risk Analysis
Assign subjective and intangible values to the loss of an asset. (can be SUBJECTIVE)
31
Quantitative Risk Analysis
Assign a real dollar figure to the loss of an asset-based on math calculations. (mostly OBJECTIVE)
32
An anonymous feedback and response process used to enable a group to reach an anonymous consensus.
Delphi Technique
33
Calc EF
Exposure Factor (loss potential) | the % loss the org would experience if the specific asset were violated by a realized risk.
34
Potential loss associated with a single realized threat against a specific asset.
SLE (Single Loss Expectancy) | SLE = asset value (AV) * exposure factor (EF)
35
What is the SLE of an asset valued at $300,000 that has an exposure factor of 30%?
0.3*300,000 = $90,000
36
The expected frequency with which a specific threat or risk will occur within a single year
The annualized rate of occurrence.
37
The possible yearly loss of all instances of a specific realized threat against a specific asset.
Annualized Loss Expectancy (ALE) | ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO) | ALE = AV * EF * ARO
38
What is the ALE for a $200,000 asset with an EF of 45% and an ARO of .67?
$60,000
39
Risk Mitigation
Reducing risk through the implementation of safeguards, security controls, and countermeasures, e.g., deploying encryption and using firewalls.
40
Risk Assignment
Outsourcing. Placing responsibility on outside entity or organization.
41
Risk Deterrence
Implementing deterrents like auditing, security cameras, warning banners, security guards.
42
Risk Avoidance
Selecting alternate options or activities that have less associated risk
43
Risk Acceptance
After cost/benefit analysis, the decision is made to accept the risk but it must be well documented and signed by upper management
44
Risk Rejection
Unacceptable. Ignoring risk by denying that it exists and hoping it goes away or that nothing happens. Negligence and could be illegal.
45
Natural or native default risk that exists in an environment, system, or product prior to any risk management efforts. (starting risk)
Inherent Risk
46
Risk after safeguards have been implemented.
Residual risk. Total risk - controls gap = residual risk
47
Amount of risk org would face without safeguards
Total risk. Threats * Vulnerabilities * asset value = total risk
48
Will a reduction in EF or a reduction in ARO reduce the SLE? ALE?
Only EF reduces SLE because SLE is the single loss expectancy whereas ARO is the annual rate of occurrence. SLE = AV * EF. Both reduce ALE because ALE = AV * EF * ARO.
49
Original asset threat pair risk is ALE1 or ALE2?
ALE1
50
Asset risk post safeguard is ALE1 or ALE2?
ALE2
51
How do you calculate the value of the safeguard to the company?
ALE1 - ALE2 - ACS = value to company | ALE1: asset-threat pair without safeguard | ALE2: asset-threat pair post-safeguard | ACS: annual cost of the safeguard
52
What are the three categories of security controls in a defense-in-depth implementation?
Physical, Logical/Technical, Administrative
53
What category of security control are the policies and procedures defined by an organization's security policy and other regulations or requirements?
Administrative Controls
54
What category of security control involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems?
Technical or Logical Controls
55
What category of security controls are focused on providing protection to the facility and real-world tangible objects?
Physical Controls
56
Deployed to discourage security policy violations
Deterrent control
57
Deployed to discover or detect unwanted or unauthorized activity
Detective control
58
Deployed to provide various contingency options to other existing controls
Compensating control (ie having a backup place to go in the event of a fire or storing files in a backed-up location).
59
Modification to the environment to return systems to normal after an unwanted or unauthorized activity occurs.
Corrective control
60
Extension of corrective controls - restores resources or capabilities after a security policy violation.
Recovery control
61
What can you perform to determine the effectiveness of the security mechanisms and evaluate the quality and thoroughness of the risk management processes of the organization and produce a report of the relative strengths and weaknesses of the deployed security infrastructure?
Security Controls Assessment (SCA)
62
What framework assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process?
Risk Maturity Model (RMM)
63
Within the risk maturity model RMM a chaotic starting point from which all organizations initiate risk management this level is called:___________?
Ad hoc
64
Within the risk maturity model RMM when loose attempts are made to follow risk management processes but each department performs them independently, this step is called:___________?
Preliminary
65
Within the risk maturity model RMM when risk management operations are merged into business processes, metrics are used to gather data, and risk is considered an element in business strategy decisions this level is called:___________?
Integrated
66
Within the risk maturity model RMM when a common or standardized risk framework is adopted organization-wide, it is called:___________?
Defined
67
Within the risk maturity model RMM when risk management focuses on achieving objectives rather than merely reacting to external threats, increased strategic planning is geared toward business success rather than just avoiding incidents; and lessons learned are reintegrated into the risk management process, this level is called:___________?
Optimized
68
Can you continue to use a product that is at the end of life (EOL)? Why or why not?
It is ok to use a product that is at the EOL but it should be scheduled for replacement before it reaches end of support (EOS) or end of service life (EOSL).
69
Can you continue to use a product that is at the end of service life (EOSL)? Why or why not?
It is not good practice because the vendor will have terminated support so the business will be liable to maintain the equipment, service, and security of it.
70
What are the five steps of the Cybersecurity Framework CSF?
Identify, Protect, Detect, Respond, Recover
71
What are the six cyclical phases of the Risk management framework RMF?
Prepare to execute the RMF from an org and system level | Categorize system and info processed | Select controls | Implement controls | Assess controls | Authorize system or common controls | Monitor system and associated controls on an ongoing basis
72
A form of attack that exploits human nature and human behavior.
Social engineering
73
A social engineering technique where the attacker attempts to convince the target that they are in a valid position of power within the organization, such as spoofing the CEO's email.
Authority
74
A social engineering technique where the attacker attempts to use authority, confidence, or even threat of harm to motivate the target to follow orders/instructions.
Intimidation
75
A social engineering technique where the attacker takes advantage of a person's natural tendency to mimic what others are doing or are perceived as having done in the past - an example is an attacker claiming that an out-of-office worker promised a large discount on a purchase.
Consensus
76
A social engineering technique where the attacker attempts to convince the target that an object has a higher value based on limited opportunities to have it. For example they could claim that only a few tickets are left for a game.
Scarcity
77
A social engineering technique where the attacker attempts to convince the target that they have a common contact or relationship with the target such as mutual friends, experiences, or another work contact.
Familiarity
78
A social engineering technique where the attacker works to develop a relationship with the victim that they can exploit.
Trust
79
A social engineering technique where the attacker tries to relay a need to act quickly (usually dovetails well with scarcity). For example, an attacker may ask for an invoice to be paid immediately or else an essential business service will be shut off.
Urgency
80
Social engineering attacks focused on stealing credentials or identity information from the target.
Phishing
81
A more targeted form of stealing credentials or identity information from the targets by using a stolen customer database or some other address book of potential victims.
Spearphishing
82
What is a good way to defend against spearphishing?
Establish a secondary out of band contact with the requester.
83
A form of phishing that targets high value individuals such as someone from the C-suite.
Whaling
84
What is Smishing?
Phishing over SMS text message
85
What is Vishing?
Phishing over voice communication systems
86
What are some risk factors to shoulder surfing?
Having your computer face outside | Working on sensitive data in a public space | Keeping worker groups together
87
What is it called when an attacker attempts to steal funds from an organization by providing a false bill for a service?
Invoice Scam
88
What is it called when lies are perpetuated throughout an organization about how to protect yourself from some imminent threat?
Hoax
89
Taking on the identity of someone else is known as?
Impersonation/Masquerading
90
When an attacker follows closely behind a worker WITHOUT THEIR KNOWLEDGE who uses valid credentials to gain entry to a locked space this is known as?
Tailgating | Mitigations: access control vestibules, security guards/cameras, company policy
91
When an attacker follows closely behind a worker who uses valid credentials to gain entry to a locked space and asks them to hold the door this is known as?
Piggybacking | Access control vestibules mitigate this
92
How can you mitigate dumpster diving?
shred information | storage media securely disposed
93
What is the difference between identity fraud and identity theft
Theft is the act of stealing someone's credentials and taking over their accounts. Fraud is falsely claiming to be the individual after the information has been stolen.
94
When an attacker redirects traffic by taking advantage of the fact that someone may have incorrectly typed an IP address or URL.
Typo Squatting
95
When an attacker collects information about an individual and publicly releases the data for the purpose of changing public perception of the target, this is called__________?
Doxing
96
What is the type of cyber warfare that nation-states engage in when they employ a number of offensive cyber attacks in tandem?
Hybrid Warfare
97
What is the best way to limit exposure to risk from social media sites?
Block the sites or filter domain name system queries.
98
What is the difference between education and training?
Training is internally developed with specificities to the organization whereas education is often externally coordinated and students learn much more than they actually need to know to perform work tasks. It might involve getting a certification.