Security & Risk Management

Question 1

What is Trike?

Answer 1

Threat modelling methodology that provides a method of performing security audits in

Question 2

How do you calculate SLE and what is it?

Answer 2

AV x EF

the coat associated with the threat or risk to your assets being realised

Question 3

What is abstraction?

Answer 3

Groups entities into similar roles - used when assigning roles or classifying objects

Question 4

Who manages security governance?

Answer 4

Managed by the governance committee or board of directors - knowledge experts who guide and inspect the actions of the security framework

Question 5

What is the purpose of threat modelling?

Answer 5

To focus on the range of compromise concerns end goal of the attack and not identify every single attack method and technique (too vast). The goals and purposes of attacks remain fairly constant. Threats come from nature, technology and PEOPLE. Identifying threats let’s you design best defences.

Question 6

Different elements of training?

Answer 6

Awareness, training and education
All part of security governance
Should also have metrics

Question 7

4 stages of threat modelling?

Answer 7

Identify threats using a framework (STRIDE, PASTA, VAST)

Diagram potential attacks

Perform reduction analysis (decomposing)

Prioritisation and response

Question 8

Cost/benefit analysis equation?

Answer 8

you will need a new ALE Once you have calculated your new EF and ARO (which should change)

ALE1 - ALE2 - ACS

Question 9

What is a baseline?

Answer 9

Defined a minimum level of security that all systems must meet

Question 10

How to monitor privilege abuse?

Answer 10

By strict monitoring and also by management performing privilege audits

Question 11

What are the key elements of privacy?

Answer 11

Preventing aunathorised access to PII or confidential or personal data. Also the freedom of being monitored or observed without any knowledge or consent

Question 12

What are commercial classification levels?

Answer 12

Confidential/private
Sensitive
Public

Question 13

What are the steps of PASTA?

Answer 13

1) definition of the objectives for the analysis of risk
2) definition of the technical scope
3) application decomposition and analysis
4) threat analysis
5) weakness and vulnerability analysis
6) attack modelling and simulation
7) risk analysis and management

Question 14

What is EF?

Answer 14

The % of loss that would occur if a threat or risk was realised (loss potential)

Question 15

What is a risk framework?

Answer 15

Guideline or recipie for how risk is to be assessed, resolved or monitored

Question 16

Why is risk analysis performed?

Answer 16

To perform upper management with details of risk so they can determine the appropriate actions of the risk. It also helps with security budget and integrate the security policy with business needs.

Question 17

Seclusion

Answer 17

Put data in another room. Another aspect of confidentiality

Question 18

Name the steps of NIST 800-37 risk management framework

Answer 18

Categorise assets
Select security controls 
Implement security controls
Assess security controls 
Authorise information system 
Monitor security controls

Question 19

What are directive controls?

Answer 19

Try’s to control actions of subjects and encourages compliance with policy - posters, monitoring and signs

Question 20

What is a security controls framework?

Answer 20

A catalogue of controls to help companies design, build and maintain secure processes, systems and applications

Question 21

What does SOC stand for in the supply chain?

Answer 21

System and organisation controls

Question 22

What is a security guideline?

Answer 22

They’re non compulsory and describe which security mechanisms should be deployed (instead of a specific control or configuration). They are similar to policies but usually in simpler terms.

Question 23

Name the 3 types of controls

Answer 23

Preventative, detective and corrective

Question 24

What does it mean when we risk is realised?

Answer 24

The threat has taken advantage of the vulnerability to harm the asset

Question 25

What is the difference between a risk assessment and risk management framework?

Answer 25

Risk assessment - identifies, estimates and prioritises risk for a system. It’s a key park of risk management and requires careful analysis of the threat and vulnerability information. RMF - is designed to improve security and strengthen risk management processes. 800-37 is a framework that operated through the system life cycle to ensure security and privacy

Question 26

What does a SOC 2 do?

Answer 26

Looks at implemented security controls in relation to privacy, security and CIA

Question 27

ARO

Answer 27

How often a threat/risk will occur in a year

Question 28

How are corrective and recovery controls linked?

Answer 28

Recovering controls are more complex then corrective, which include things like rebooting the system and AV. Recovery controls include back ups, hot sites, fault tolerance etc.

Question 29

What is due care and due diligence?

Answer 29

Due care is developing the security structure containing policy etc. Due diligence is the continued application of this security structure on IT infrastructure. Operational security is the ongoing maintenance of both of these

Question 30

What are protection mechanisms?

Answer 30

They are part of protection controls where controls also add protection for CIA by having multiple layer of access, data hiding, abstraction and using encryption

Question 31

Name a concern with Job rotation?

Answer 31

Privilege creep (should be reviewed)

Question 32

Name the 5 laws that include compliance issues regarding privacy?

Answer 32

``` HIPPA SOX FEPRA GDPR PCI DSS ```

Question 33

Explain reduction analysis

Answer 33

Decomposes an application, system or environment into smaller parts to understand changes in trust boundaries, data flows, input points, privilege operations

Question 34

How can you properly enforce security policy?

Answer 34

By keeping users accountable and being able to prove a subject identify and track their activities

Question 35

What are standards?

Answer 35

Documents that outline how you achieve your goals and requirements for using hardware, software and technology and security controls. I.e patching systems, disposing of data. Can also be mandated by regulations and contracts.

Question 36

What’s is VAST?

Answer 36

Visual, Agile and simple threat: integrate threat and risk management into an agile programming environment on a scalable basis.

Question 37

What is a security controls assessment?

Answer 37

Formal evaluation of security infrastructures individual mechanisms against a baseline or expectation Usually performed alongside pen test or vulnerability assessment You want to perform a report of how controls are working

Question 38

What is TP governance?

Answer 38

Oversight mandated by contracts, legal, regulations, standards etc.

Question 39

What does DREAD stand for and what’s it used for?

Answer 39

``` Damage potential Reproducibility Exploitability Affected users Discoverabiloty ``` You ask these questions when rating a threat - you can assign H/M/L to each for a details threat prioritisation

Question 40

What does a security policy contain?

Answer 40

Main security objectives, the security framework and identifies major areas of data processing. Can be issue or system specific or organisational.

Question 41

Name 3 security control frameworks that help define the structure of security solutions

Answer 41

COBIT - defines components to build and sustain governance systems ISO 27002 - controls for information management system ITIL - helps to define service lifecycle model for design, development, delivery and support of IT service

Question 42

What are the steps of data classification?

Answer 42

Identify data custodian Identify evaluation criteria Classify and label each resource Document exceptions to the policy Select security controls for each level Specify procedures for declassifying data and transferring custody of a resource Create an awareness programme on the system

Question 43

Preventative vs. Deterrent controls

Answer 43

Preventative blocks activity and detterant discourages behaviour like cameras etc.

Question 44

Who is senior management?

Answer 44

CEO who is ultimately responsible for security and signs off on all policies. They don’t implement solutions - this is delegated to the security team

Question 45

What is authorisation?

Answer 45

Defined the permissions of a resource and object access for a particular identity. In most cases it evaluated the access control matrix and used different access control methods. It also goes hand in hand with accountability

Question 46

What are 3 distinct areas of security management?

Answer 46

Run by upper management and includes policies, setting out roles and security activities and creating security plans (strategic, operational and tactical)

Question 47

ALE

Answer 47

ARO x SLE The year cost of a specific threat against your asset

Question 48

What is data classification used for?

Answer 48

To determine how much money, resource and effort are allocated to protect the data and control access to it

Question 49

How can you rank or rate a threat?

Answer 49

High medium low Probability x damaged potential ranking DREAD

Question 50

How do data hiding and security through obscurity differ?

Answer 50

Data hiding is intentionally stopping someone accessing something and security through obscurity is hoping someone won’t come across it

Question 51

What does separation of duties cause?

Answer 51

Collusion

Question 52

What is COBIT?

Answer 52

Control objectives for information and related technology - set of best IT security practices - encourages the mapping of IT security ideals to business objectives - COBIT 5 looks at 5 key pro cripples for governance and security management 1) meet stakeholder needs 2) covering the enterprise end to end 3) apply a single integrated framework 4) enabling a holistic approach 5) separate governance from management - used to plan security of an organisation but also for auditors - very well respected security control framework

Question 53

Is implementing safe guards part of risk assessment or risk management?

Answer 53

Risk management

Question 54

What are the military classification levels?

Answer 54

``` Top secret Secret Confidential Sensitive but unclassified Unclassified ``` Last two are labels

Question 55

How are audit trails made?

Answer 55

Turning events into logs

Question 56

What’s is defence in depth?

Answer 56

Having multiple layers of controls in a series (not parallel) or having multiple security systems

Question 57

What is the risk equation?

Answer 57

Threat x vulnerability

Question 58

Security management planning includes...

Answer 58

Strategic, operational and tactics plans

Question 59

Tripwire

Answer 59

Used to monitor file hashes to ensure they don’t get modified without you knowing: related to integrity and a countermeasure

Question 60

What are the steps of quantitive risk assessment?

Answer 60

``` Asset value List of assets and threats Exposure factor (risk) SLE ARO ALE Countermeausures ```

Question 61

What is residual risk?

Answer 61

The risk once you have implemented controls - you can chose to accept or mitigate this further. Total risk - controls gap

Question 62

When is the best time to terminate employment?

Answer 62

Mid week at the end of the day

Question 63

List and explain the key risk management terms

Answer 63

- asset: anything that should be protected - asset valuation: dollar value assigned to asset - threats: anything that could cause harm - vulnerability: weakness in an asset or absence of a safeguard - exposure: being susceptible to asset loss because of a threat Risk: the likelihood that a threat will exploit a vulnerability to cause harm to an asset

Question 64

Throughout employment life cycle what should management audit?

Answer 64

Job descriptions, work fast, privilidges and responsibilities

Question 65

What kind of risk responses do SLAs invoke?

Answer 65

Risk reduction and risk avoidance

Question 66

What is compliance?

Answer 66

The act of conforming or adhering to policies, rules, regulations, requirements and standards For employees it’s policy and procedures for jobs

Question 67

Why should you continually monitor the value of an asset?

Answer 67

So you protect the correct assets and so that the control cost never outweighs the cost of the asset loss You have to come up with a value even if it’s hard

Question 68

Why do risk assessments need to be maintained?

Answer 68

Security changes, so do asset costs and threats! Must feed this into management consistently

Question 69

What is the highest level of data access?

Answer 69

The data owner/taking ownership

Question 70

What does PASTA stand for? What does it do?

Answer 70

Process for attack stimulation and threat analysis. Risk centric approach that selects countermeasures depending on the asset value.

Question 71

What does STRIDE stand for?

Answer 71

Spoofing, tampering, repudiation, information disclosure, DoS, elevation of privilege. Mainly used to assess threats to applications and operating systems

Question 72

How do data owner and data custodian work?

Answer 72

Data owner is responsible for protecting the data and classifying it (usually upper management) - but hands of management tasks to data custodian (back ups, deploying security solutions and manage storage based on classification)

Question 73

What is defended in depth?

Answer 73

Layering Can be multiple controls around you assets (asset > admin controls > technical/logical controls > physical controls) Can also be segmenting systems

Question 74

What happens if you fail to meet TP governance?

Answer 74

Loss or void of the ATO - authorisation to operate

Question 75

Name a number of elements of third party governance?

Answer 75

- third party audits - security oversight of suppliers - verify their compliance with policies and controls (COBIT) - open document exchange and review (submit self assessments of how you comply) - document review - on site assessments

Question 76

What does IAM do?

Answer 76

Control and manager users access to resources and systems

Question 77

At what stages of SDLC Does threat modelling take place?

Answer 77

Initial design and specifications

Question 78

What’s included in diagraming attacks

Answer 78

The elements involved in transaction, data flows and privilege boundaries - identify points where compromise could occur

Question 79

What should the cost of a counter measure be?

Answer 79

Less then the value of the asset | Less then the benefit of the countermeasure

Question 80

Name some fundamentals of the security function

Answer 80

- cost effective - time effective - measurable - good governance - consume as few resources as possible

Question 81

Isolate

Answer 81

Technically isolating your systems or services. Another aspect of confidentiality

Question 82

Full example of security policy, standard, procedure

Answer 82

Risk management

Question 83

What is threat modelling?

Answer 83

A process where threats are identified, categorised and analysed (usually in software and product development but also for the company as a whole) - proactive or reactive