What is a threat vector?
It is the method that an attacker uses to reach your target. This might be a hacker toolkit, social engineering, or physical intrusion.
What are vulnerabilities?
They are weaknesses in your security controls that a threat might exploit to undermine CIA.
This includes missing patches, promiscuous firewall rules, or other security misconfigurations.
What is impact?
The amount of expected damage from a risk.
What is a qualitative risk assessment?
Subjective judgement to assess risks, typically categorizing them as low, medium, or high on both the likelihood and impact scales.
What is a quantitative risk assessment?
Objective numeric ratings to assess likelihood and impact.
1. Asset value
2. Exposure factor
3. Single Loss Expectancy
Helps us assess our ability to restore IT services and components quickly in the event of a failure.
What is Asset Value?
The dollar value of an asset:
1. Original cost
2. Depreciated cost - the asset's original cost, reduced over time as the asset ages.
3. Replacement cost
What is exposure factor?
It depends on the specific risk considered in the risk assessment, and it estimates the percentage of an asset that will be damaged if that risk materializes.
What is single loss expectancy?
It gives us an idea of the IMPACT of a specific risk during an assessment. Multiply the asset value by the exposure factor.
i.e., Data Center AV = $20 million
Flood damage EF = 50% of facility will be damaged
AV * EF = SLE
SLE = $10 million
What is the metric to use for non-repairable assets?
Mean Time to Failure (MTTF)
Average time a non-repairable component will last
What is the metric to use for repairable assets?
Mean Time Between Failures (MTBF) of a repairable component.
What is the metric to use for the time needed to return a repairable asset to service?
Mean Time to Repair (MTTR)
Average time required to return a repairable component to service.
What is risk avoidance?
You change your organization's business practices so that you're no longer in a position where that risk can affect your business.
i.e., relocate or open a data center in a non-flooding area
What is risk transference?
Transferring a risk attempts to shift the impact of a risk from your organization to another organization.
What is risk acceptance?
It is accepting risk without taking further action.
Ignoring a risk is not the same as accepting a risk.
Ignoring a risk is a failure of risk management.
What is a risk profile?
The full set of risks facing an organization.
It includes inherent risk, residual risk, and control risk.
What is inherent risk?
It is the initial level of risk that existed in an organization before any controls were put in place.
What is residual risk?
The risk that remains after the inherent risk is reduced by controls.
Controls may introduce risks themselves.
What is risk tolerance/appetite?
It is the risk that leaders choose to accept.
What is a control assessment used for?
To test control effectiveness.
An organization should routinely review those risk assessments and perform periodic control assessments designed to test the correct functioning and effectiveness of their security controls.
i.e., A control assessment can be implemented on a firewall that is trying to block unwanted network traffic. An assessment of the firewall might use network scanning tools to verify that it is not allowing any unwanted traffic through the perimeter.
How can you measure control effectiveness?
- Compromised end-user accounts
- Vulnerabilities in public-facing systems
- Critical findings in initial web application scans
- Data breaches requiring notification
What is the purpose of the NIST Risk Management Framework?
It is a risk management framework, found in NIST SP 800-37.
What must be gathered before entering the Cybersecurity Framework process?
1. Information technology architecture. It includes reference models, technical details, business process information, and information system boundaries.
2. Organization-specific information, including the laws, regulations, and policies that apply, the strategy of the organization, its priorities, the resources available, and supply chain information.
What is the first step in the NIST Risk Management framework?
Categorize information systems.
This includes architectural description and organizational inputs.
What is the second step in the NIST Risk Management framework?
Select security controls.
Controls are tailored to the categorization from Step 1.
Now the organization can begin with a standard baseline of controls and then add/subtract specific controls to tailor the specification to the system's needs.
What are the steps in the NIST framework after the first 2 steps are established?
The first two steps of the NIST Risk Management Framework are Categorize and Select security controls. Afterwards, the steps are:
3. Implement the security controls
4. Assess the security controls
5. Authorize
6. Monitor
What are the components of the ISO 31000 risk management framework?
Risk Identification
Risk Analysis
Risk Evaluation
Risk Treatment
Establishing the context
Monitoring and review
Communication and consultation
What is a risk register?
It is a tool that organizations use for maintaining ongoing visibility into risks.
It is a centralized document that tracks information about the nature and status of each risk facing the organization.
It can be organized by risk category, by grouping, by the impact of the risk, or by probability and impact scores.
It can also include actions to take.
What is an externally occurring force that jeopardizes the security of your systems?
A threat
What type of tool is NMAP?
Port scanning tool
What is threat intelligence?
It is the set of activities that track what is going on in the cybersecurity threat landscape and integrate information about changing threats into the organization's cybersecurity intelligence.
What are the three criteria you can use to judge how reliable a threat intelligence source is?
Timeliness
Accuracy
Reliability
What are threat indicators?
They are properties or pieces of information that describe a threat.
i.e., IP addresses, malicious files, signatures, communication patterns, or other identifiers that a threat analyst can use to identify a threat actor.
What is the CybOX framework?
A standardized schema for categorizing security observations.
CybOX helps us understand what properties we can use to describe intrusion attempts, malicious software, and other observable security events when we try to explain it to people.
What is STIX?
It is a standardized language used to communicate security information between systems and organizations.
STIX takes the properties of the CybOX framework and gives us a language that we can use to describe those properties in a structured manner.
What is TAXII?
Trusted Automated eXchange of Indicator Information; it has 3 types of architectures: hub/spoke, source/subscriber, and peer-to-peer.
TAXII provides a technical framework for exchanging messages that are written in the STIX language.
Describe the process of how CybOX, STIX, and TAXII all work together.
CybOX provides the schema that we can use to classify different threats.
CybOX is used to define the information elements that we can then represent using the language of STIX.
Then we can exchange STIX formatted threat information using TAXII.
What is OpenIOC?
A framework for describing and sharing security threat information.
What are ISACs, and what is their goal?
Information Sharing and Analysis Centers
They bring together cybersecurity teams from competing organizations to share industry-specific information in a confidential manner.
The goal is to gather and disseminate threat intelligence without jeopardizing anonymity.
What strategies can an organization use to take a structured approach to identifying potential threats to its information and systems?
Asset-focused approach - Look at the asset inventory and identify potential threats to each asset, e.g., fiber optic cables.
Threat-focused approach - Think of all possible threats out there and how they might affect your organization's information systems, e.g., contractors, partners, and rogue employees.
Service-focused approach - Used by service providers who offer services over the internet to other organizations. i.e., an organization that exposes a public API might consider all the interfaces offered by that API and the threats that could affect each interface.
What assists SIEMs with automation?
SOAR platforms
They automate the routine work of cybersecurity by facilitating automated responses.
What does it mean when a threat actor undermines confidentiality?
Confidentiality ensures that only authorized individuals have access to the information and resources. Malicious attackers engage in disclosure, making sensitive information available to individuals or the general public without consent.
What is integrity for information protection?
No unauthorized changes to information.
No altering of information, and no service disruption that accidentally affects data stored in the system.
What is the purpose of availability?
Ensuring that information is readily available and accessible when needed.
DoS attacks undermine availability.
What is strategic risk?
It is the risk that an organization will become less effective in meeting its major goals and objectives, as the result of a breach.
i.e., An employee loses a laptop with sensitive product information. This may lead to significant production delays, and competitors can gain a hold on the market.
What is operational risk?
Risk to the organization's ability to carry out its day-to-day functions.
It may slow down business processes, delay delivery, or require manual workarounds.
What is Compliance risk?
When a security breach causes an organization to run afoul of legal and regulatory requirements.
What is End-Of-Sale for a product?
The product will no longer be offered for purchase, but the vendor will still support existing customers.
What is End-Of-Support for a product?
The vendor will reduce or eliminate support for existing users of the product.
What is End-Of-Life for a product?
The vendor will no longer provide support or updates for the product.
What is a system sprawl?
New devices are connected to a network, but old devices are not promptly disconnected, leading to security vulnerabilities.
What is the purpose of vulnerability management?
It is to help handle the complexity of patching all types of equipment and software in your environment.
Detects, remediates, and reports vulnerabilities.
What are the PCI DSS requirements for vulnerability management?
- Conduct quarterly internal and external vulnerability scans
- Repeat scans after any significant change
- Use an approved scanning vendor (ASV)
- Remediate and rescan until you achieve a clean report
If you work for an agency of the US government, which act must you comply with, and what security controls does it require?
If you work for the US government, you must follow FISMA (Federal Information Security Management Act). FISMA requires that you follow the security controls found in NIST Special Publication 800-53.
This set of requirements includes a section on vulnerability management that requires that you:
- Regularly scan systems and applications for vulnerabilities
- Analyze the results of those scans, remediate vulnerabilities deemed legitimate
- Share information about vulnerabilities with other government agencies.
What type of scans should you conduct regularly to find vulnerabilities?
Network vulnerability scans
Web application scans
Application scans
What should you supplement a vulnerability scan with?
Supplement vulnerability scans with configuration and log reviews
What is a good starting point for vulnerability management?
Having a set idea of your asset inventory.
Once an inventory scan is done, you want to prioritize the assets.
How do you determine how to prioritize the assets after an inventory scan is done?
1. IMPACT - Identify the highest level of data classification that is stored, processed, or transmitted by the system, device, or application.
2. LIKELIHOOD - The level of risk posed to the system based on how exposed it is to an attacker, i.e., the likelihood of a successful attack. Is it exposed to the internet? Is there external access? Is there a firewall?
3. CRITICALITY - The criticality of the system and its resources. How would it impact business operations?
What are the attack vectors when measuring the CVSS score?
The Attack Vector metric describes the type of access an attacker needs in order to exploit a vulnerability:
Physical
Local - physical or logical console access is required
Adjacent Network - Local network access is required
Network - Remotely exploitable vulnerability
What is the attack complexity when measuring the CVSS score?
High - Requires specialized conditions
Low - Does not require specialized conditions
What are privileges required when measuring the CVSS score?
High - Requires administrative control
Low - Requires basic user privileges
None - Requires no privileges
What are user interactions when measuring the CVSS score?
Required - Requires that a user take some action
None - Does not require user interaction
What are the four exploitability metrics used in the CVSS score, and what is their purpose?
The AV, AC, PR, and UI metrics combine to describe the exploitability of a vulnerability.
What can be used to determine the impact of a vulnerability?
CIA Triad
How is confidentiality rated when determining the impact of a vulnerability?
None - No confidentiality impact
Low - Access to some information is possible
High - All information compromised
How is integrity rated when determining the impact of a vulnerability?
None - No integrity impact
Low - Modification of some information is possible
High - All information is compromised
How is availability rated when determining the impact of a vulnerability?
None - No availability impact
Low - Performance is degraded
High - The system is shut down
How is scope rated when determining the impact of a vulnerability?
Changed - Exploiting the vulnerability can affect other components
Unchanged - Exploiting the vulnerability only affects resources managed by the same security authority
What are the main priorities when presenting vulnerabilities to team members during your interpretation of results?
The top 5 prioritization factors include:
1. Vulnerability Severity
2. System Criticality
3. Information Sensitivity
4. Remediation Difficulty
5. System Exposure
What is GAPP?
Generally Accepted Privacy Principles
10 components of data privacy that can be used to help organizations design their own privacy programs.
What is the first GAPP principle?
Management
An organization handling private information should have policies, procedures, and governance structures in place to protect privacy, such as defining roles for data owner, steward, and custodian.
What is the second GAPP principle?
Notice
Anyone who is the subject of records maintained by the organization should receive notice of that fact, as well as access to the privacy policies and procedures followed by the organization.
This is often accomplished through a website's terms of agreement and a formal privacy notice.
What is the third GAPP principle?
Choice and consent
The organization should inform data subjects of their options regarding their data and obtain consent from those individuals for the collection, storage, use, and sharing of the information.
What is the fourth GAPP principle?
Collection
The organization should only collect personal information for purposes disclosed in their privacy notices.
What is the fifth GAPP principle?
Use, retention and disposal
When the organization collects personal information, it should only use it for the disclosed purposes and not for other reasons just because it already has the data.
It should also dispose of the data when it is no longer needed.
What is the sixth GAPP principle?
Access
The organization should provide data subjects with the ability to review and update their personal information.
What is the seventh GAPP principle?
Disclosure to third parties
The organization should only share information with third parties when sharing is consistent with the purposes disclosed in its privacy notices and it has the consent of the individuals to share that information.
What is the eighth GAPP principle?
Security
The organization must secure private information against unauthorized access.
What is the ninth GAPP principle?
Quality
The organization should take reasonable steps to ensure that the private information they maintain is accurate, complete, and relevant.
What is the tenth GAPP principle?
Monitoring and enforcement
The organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism.
What is ISO Standard 27018?
A standard that provides a code of practice for the protection of PII in public cloud environments. Organizations developing and monitoring their privacy programs should conduct regular privacy impact assessments to identify the privacy ramifications of their business operations.
What is minimization?
Organizations should collect only the information that they need in the legitimate course of employment.
What is need to know?
Limiting the sensitive information individuals may access to what they actually need, even when they possess the appropriate security credentials and clearance.
What is privilege aggregation/creep?
It is when least privilege is jeopardized because old permissions are not revoked.
What is the separation of duties principle?
No single person should possess two permissions that, in combination, allow them to perform a sensitive operation. Those permissions should be separate.
What is change management?
It is a way to ensure that an organization follows a standard for requesting, reviewing, approving, and implementing changes to information systems.
What should a request for change (RFC) include?
1. Description of the change
2. Expected impact
3. Risk assessment
4. Rollback plan
5. Identity of the individuals or groups involved with the change
6. Proposed schedule
7. Affected configuration items
What is configuration management?
It tracks specific device settings, i.e., the way a specific device is set up.
It tracks both the inventory of software installed on the device and the operating system settings.
What is the terminology when you get a snapshot of the configuration?
Baselining
It can be used to assess whether a system has changed outside of an approved change management process.
What should you focus on when evaluating the results of a vulnerability scan?
1. Severity
2. Criticality of the systems affected
3. Sensitivity of information involved
4. Difficulty of remediation
5. Exposure of the system with the vulnerability
If a report says that a vulnerability requires your immediate remediation in your environment, what should you do first?
Check if the vulnerability actually exists as stated in the report.
Vulnerability scanners do produce false positives. This can be due to:
Old or poorly defined signatures, or the scanner being unable to detect the presence of a security control that mitigates the vulnerability.
What are the four possible outcomes for any vulnerability report?
True Positive - Reports a finding that a vulnerability really exists
False Positive - Reports a finding, but the vulnerability does not really exist
True Negative - No findings and no vulnerabilities
False Negative - The scanner misses an actual vulnerability.
When validating your vulnerability scan results, what information should you validate it against?
1. Consult with any industry standards, best practices, or compliance obligations that are relevant to your organization
2. Correlate with technical information
3. Correlate with the vulnerability scan itself. Watch for historic trends and see if there are any underlying issues.
What is the definition of a jurisdiction?
It is the power that a court has to render legal judgements. Jurisdiction may be limited by subject matter and/or geographic applicability.
What is the definition of preemption?
Law that stems from a higher authority takes precedence over laws that stem from lower authorities.
What is private right of action?
Laws with a private right of action grant legal persons the ability to bring cases to court.
What is the definition of a person?
A person is a human or non-human entity (including a legal organization or business) that can sue and be sued, can own property, and can take part in contracts.
What is the difference between PII and PHI?
PII - Any information that can be traced back to an individual
PHI - Individually identifiable health records governed under HIPAA