CIA
Refers to: Confidentiality, Integrity, and Availability.
Acceptable Use Policies (AUP)
What counts as acceptable use of company assets (e.g. computers, telephones, mobile devices).
- Detailed documentation, sometimes included in the Rules of Behavior.
Used by an organization to limit legal liability.
Business Continuity
Planning for a disaster or disruption.
Planning for an alternative:
- Manual transactions.
- Paper receipts.
Must be documented and tested before a problem occurs.
Disaster Recovery Plan
If a disaster happens, IT should be ready to keep the organization up and running.
- Part of business continuity planning.
Disaster plan for natural disasters, technology or system failures, human-created disasters.
Security Incident
Types:
- A user clicks an email attachment and executes malware.
- A DDoS attack.
- Confidential information is stolen.
Incident Response Roles
Roles:
- Incident response team.
- IT security management.
- Compliance officers.
- Technical staff.
- User community.
NIST SP800-61
Computer Security Incident Handling Guide.
Contains the incident response lifecycle:
- Preparation.
- Detection and Analysis.
- Containment, Eradication, and Recovery.
- Post-Incident Activity (lessons learned).
Software Development Lifecycle (SDLC)
To move from the idea phase to having an application.
Many ways to go from idea to app.
- Customer requirements.
- Keeping the process on schedule.
- Staying in budget.
There is no "best way".
Types:
Agile and Waterfall.
Agile = iterative; requirements, design, develop, test, and deploy are repeated in short cycles, so working software ships sooner.
Waterfall = sequential; requirements, design, develop, test, deploy, maintenance, with each phase finished before the next begins.
Encryption
Defining specific standards for securing data.
- All things cryptographic.
- Can include implementation standards.
Ex: Password storage
- Never stored in plaintext; stored as a salted hash (a unique salt per user), so identical passwords do not produce identical hashes.
Data encryption different for each data state: data in transit, data in use, data at rest.
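As an added example (not part of the original card set), the password-storage standard above in working Python: the weak unsalted hash beside a salted, iterated PBKDF2-HMAC-SHA256 hash with constant-time verification. The iteration count and the stored record format are assumptions for illustration, not something the cards specify.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption for this example: an iteration count in line with current OWASP
# guidance for PBKDF2-HMAC-SHA256; take the real value from your encryption standard.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme. Two users with the same password get the same digest,
    so a leaked table can be attacked in bulk with precomputed lookups."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt per user means equal
    passwords no longer share a digest, and the iteration count makes each
    guess expensive. The record is self-describing (algorithm, iterations,
    salt, digest) so parameters can be raised later without breaking old rows."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing cannot leak how many bytes of the digest matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: two users who chose the same password.
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # True: linkable
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a == b)                                                    # False: salted
    print(verify_password("hunter2", a), verify_password("hunter3", a))  # True False
```

The record format is the point worth copying: because each row carries its own algorithm and iteration count, the standard can raise ITERATIONS next year and rehash users on their next successful login rather than forcing a reset.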
Onboarding
Formal process of bringing a new person to the organization via hire or transfer.
IT agreements need to be signed.
A new account will need to be created
- to associate the user with the proper groups and departments.
Provide the new person with the required IT hardware: laptops, tablets, etc.
Offboarding
What happens to the data and hardware?
Playbooks
Conditional steps/procedures to follow; a broad process.
- Used to investigate a data breach or recover from ransomware.
Step-by-step set of processes and procedures.
- A manual checklist.
Often integrated with a SOAR platform.
- Security Orchestration, Automation, and Response.
- Integrated third-party tools and data sources.
- Makes security teams more effective.
- To automate mundane tasks.
Monitoring and Revision
IT security is constantly changing
- so processes and procedures must also change.
Update to security posture
- Additional playbooks.
Change to individual procedure.
- Update the playbooks, include additional checks.
Governance Structures
Boards, or board of directors.
- A panel of specialists that sets the tasks or requirements for the committees.
Committees:
- made up of subject matter experts.
- Considers the input from a board.
- Determines next steps for a topic at hand.
- Presents the results to the board.
For public and private organizations, can be centralized or decentralized.
Centralized:
- Located in one location with one group of decision makers.
Decentralized:
- Decisions can be made by others: other individuals or locations.
Government Entities
- A different kind of organization, because it operates under constraints a private organization does not.
- Deals with legal concerns, administrative requirements, and political issues.
- Often open to the public.
Sarbanes-Oxley Act (SOX)
A federal regulation passed in 2002 as the Public Company Accounting Reform and Investor Protection Act, which ensures that financial data is protected and the right people have access to it.
Legal (Security Considerations)
IT security team is tasked with legal responsibilities.
- Reporting illegal activities.
- Holding data for legal proceedings.
Security breach notifications
- a legal requirement in many jurisdictions.
Cloud computing can make this challenging
- since data moves between jurisdictions.
- Security team must follow legal guidelines.
Industry (Security Considerations)
Industries may require specific security considerations.
Ex:
Electrical power and public utilities on an isolated and protected network. (There are strict requirements on how someone can access that info.)
Medical data must be highly secured in data storage. Data must also be encrypted.
Geographical Security
Local/regional:
- City and state government records.
National:
- Fed government and national defense.
- Multi-state organizations.
- State secrets remain secret.
Global:
- Multinational companies.
- Global financial markets.
- Legal concerns will vary based on area.
Data Owner
Responsible for specific data, often a senior officer.
Ex: VP of sales owns the customer relationship data.
Data Controller
Manages the purposes and means by which personal data is processed. (How it will be used)
Data Processor
Process the data on behalf of the data controller, often a third-party or diff group.
Data Custodian/Steward
Responsible for data accuracy, privacy, and security.
- Ensures compliance with laws and standards.
- Manages access rights to data.
- Implements security controls.
Risk Identification
Helps to understand potential risks and identify weaknesses before they become an issue.
Risk Management
Manage a potential risk.
Qualify internal and external threats.
Risk analysis helps plan for contingencies.
Risk Assessments
Not all risk requires constant evaluation.
Can be one-time, but can also be continuous.
Ad Hoc Assessment
To perform an assessment when the situation requires it.
Ex: The CEO is back from a conference and wants to know if the organization is protected from a new attack type.
- A committee may be formed and the risk assessment proceeds.
Recurring Risk Assessments
When an evaluation occurs at standard intervals.
Can be:
An internal assessment.
- performed every 3 months at the beginning of the quarter.
A mandated risk assessment.
- Required by certain organizations; some legal requirements will mandate an assessment.
Qualitative Risk Assessment
An assessment performed when certain risk factors are identified.
- Based on impact and likelihood of occurrence.
- Displayed visually with a traffic-light grid or a similar method.
ARO (Annualized Rate of Occurrence)
How often something will happen within a year.
- How likely is it that a hurricane will hit? In Montana? In Florida?
Asset Value (AV)
- The value of the asset to the organization.
- Includes the cost of the asset, the effect on company sales, potential regulatory fines, etc.
EF (Exposure Factor)
- The percentage of the value lost due to an incident.
- Losing a quarter of the value is .25.
- Losing the entire asset is 1.0.
SLE (Single Loss Expectancy)
- The monetary loss if a single event occurs.
- Asset Value (AV) x Exposure Factor (EF).
- Laptop stolen = $1,000 (AV) x 1.0 (EF) = $1,000 (SLE).
ALE (Annualized Loss Expectancy)
The monetary loss for an asset due to a risk over a one-year period; calculated by multiplying:
- Annualized Rate of Occurrence (ARO) x SLE.
- 7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000.
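The AV, EF, ARO, SLE and ALE cards above carried through as a small quantitative risk model, added here as an example (not from the original card set). It extends the laptop case with a second scenario, the hurricane question from the ARO card, and adds the decision a risk register actually needs: whether a control's annual cost is less than the ALE it removes. All dollar figures and rates are assumed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a quantitative risk analysis, using the cards' terms."""
    name: str
    asset_value: float      # AV: what the asset is worth to the organization
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0 to 1.0
    aro: float              # ARO: expected number of events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0.0 and 1.0")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ARO x SLE."""
        return self.aro * self.sle()


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a mitigation: the ALE it removes minus what it costs.
    Positive means the control pays for itself; negative means the organization
    would spend more than the risk costs, so accepting or transferring the risk
    deserves a look instead (the risk threshold from the register card)."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed scenarios (assumed figures, not from the card set).
LAPTOP_THEFT = Risk("laptop theft", asset_value=1_000, exposure_factor=1.0, aro=7)
# Same risk after cable locks and asset tracking cut thefts to two a year.
LAPTOP_THEFT_MITIGATED = Risk("laptop theft (mitigated)", 1_000, 1.0, aro=2)
# A hurricane hitting a regional site about once a decade, damaging a quarter of it.
HURRICANE_FLORIDA = Risk("hurricane, Florida site", 2_000_000, 0.25, aro=0.1)
HURRICANE_MONTANA = Risk("hurricane, Montana site", 2_000_000, 0.25, aro=0.0)


def risk_table(risks):
    """Rows for a risk register: (name, SLE, ALE), highest ALE first."""
    rows = [(r.name, r.sle(), r.ale()) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, sle, ale in risk_table([LAPTOP_THEFT, HURRICANE_FLORIDA, HURRICANE_MONTANA]):
        print(f"{name:28s} SLE=${sle:>12,.0f} ALE=${ale:>12,.0f}")
    value = control_value(LAPTOP_THEFT, LAPTOP_THEFT_MITIGATED, annual_control_cost=3_000)
    print(f"net annual value of laptop controls: ${value:,.0f}")
```

Note that the Montana line has an ALE of zero not because the asset is worthless but because the ARO is: the same AV and EF give a very different answer once likelihood is included, which is what separates this from a qualitative impact-only view.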
Impact (Risk Analysis)
Life (the most important consideration).
Property.
Safety.
Finance.
Risk Likelihood
A qualitative measurement of a risk.
- Rare, possible, almost certain, etc.
Risk Probability
A quantitative measurement of risk.
- A statistical measurement.
- Can be based on historical performance.
Risk Appetite
- A broad description of risk-taking deemed acceptable.
- The amount of accepted risk an org is willing to take before taking any action to reduce that risk.
Risk Appetite Posture
A qualitative description for readiness to take risk.
- Conservative, neutral, and expansionary.
Risk Tolerance
An acceptable variance
- Usually larger than risk appetite.
Risk Appetite vs Risk Tolerance
Risk appetite = a highway's speed limit: the level of risk the organization has decided it is willing to take.
Risk tolerance = how far above the speed limit a driver can go before being ticketed: the variance around the appetite that is still acceptable.
- Can change with road conditions.
Risk Register
Ledger of risks for a project/plan.
- Identify and document the risk associated with each step.
- Monitor the results.
Each line in the register will contain:
Key Risk Indicators:
- Which identifies risks that could impact the organization.
Risk Owners:
- Each indicator is assigned to someone to manage the risk.
Risk Threshold:
- The point at which the cost of mitigation equals the value gained by mitigation; spending beyond it costs more than the risk it removes.
Risk Management Strategies
Transfer
Accept
Accept with Exemption
Accept with exception
Avoid
Mitigate
Transfer (Risk Management Strategy)
Move the risk to another party.
- Ex: Buy cybersecurity insurance.
Accept (Risk Management Strategy)
A business decision;"We'll take/accept the risk!"
- A common course of action.
Accept with Exemption (Risk Management Strategy)
When a security policy or regulation cannot be followed.
- May be based on available security controls, size of the organization, total assets, etc.
- Exemption may need approval.
Accept with Exception (Risk Management Strategy)
When internal security policies are not applied.
- Ex: The monthly updates cause a critical software package to crash and an exception is made to the update timeframe.
Avoid (Risk Management Strategy)
To stop participating in a high-risk activity.
- This effectively removes the risk.
Mitigate (Risk Management Strategy)
To decrease the risk level.
- Invest in security systems.
Risk Reporting
A formal document
- that identifies risks for an organization.
- Contains detailed information for each risk.
Usually created for senior management to make business decisions regarding resources, budgeting, security tasks, and critical and emerging risks.
RTO (Recovery Time Objective)
How long it takes to get back up and running, to a defined service level, after an incident or event.
RPO (Recovery Point Objective)
How much data loss is acceptable, expressed as a point in time: the most recent state to which data must be restored before the organization can say "we are up and running."
MTTR (Mean Time to Repair)
The mean/average time required to fix an issue.
- Includes time spent diagnosing the problem.
- An important metric for determining the cost and time associated with unplanned outages.
MTBF (Mean Time Between Failures)
- The average time between outages.
- Can be used as a prediction based on historical performance.
- Total operating time / number of breakdowns.
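The four recovery metrics above, computed from a constructed quarter of outage records (an added example, not from the card set). It does what the cards describe but a practitioner needs to see together: MTTR and MTBF from the records, the outages that missed a 4-hour RTO, and, by comparing each failure against an assumed nightly backup schedule, the outages where the backups could not meet a 4-hour RPO. The outage times, period and backup schedule are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed outage records for one quarter (assumption): (failure detected, service restored).
OUTAGES = [
    (datetime(2024, 1, 3, 9, 0), datetime(2024, 1, 3, 11, 0)),     # 2 h
    (datetime(2024, 2, 10, 14, 30), datetime(2024, 2, 10, 15, 0)),  # 30 min
    (datetime(2024, 3, 20, 1, 0), datetime(2024, 3, 20, 7, 0)),     # 6 h
]
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 4, 1)
# Assumed backup schedule: one nightly backup at midnight throughout the quarter.
BACKUPS = [PERIOD_START + timedelta(days=d) for d in range(91)]
# Assumed objectives agreed with the business.
RTO = timedelta(hours=4)
RPO = timedelta(hours=4)

HOUR = 3600.0


def total_downtime(outages) -> timedelta:
    return sum((restored - failed for failed, restored in outages), timedelta())


def mttr_hours(outages) -> float:
    """Mean Time to Repair: average outage length, from detection to restoration."""
    return total_downtime(outages).total_seconds() / HOUR / len(outages)


def mtbf_hours(outages, period_start, period_end) -> float:
    """Mean Time Between Failures: operating (up) time divided by the number of
    failures. The card's 'total time / number of breakdowns' differs only by the
    downtime, which is small next to a quarter of operation."""
    uptime = (period_end - period_start) - total_downtime(outages)
    return uptime.total_seconds() / HOUR / len(outages)


def rto_breaches(outages, rto: timedelta):
    """Outages that took longer to restore than the Recovery Time Objective."""
    return [failed for failed, restored in outages if restored - failed > rto]


def data_loss_hours(outages, backups):
    """Per outage, the gap between the last backup taken before the failure and
    the failure itself: the work that must be redone. This is what the RPO bounds."""
    losses = []
    for failed, _ in outages:
        last_backup = max(b for b in backups if b <= failed)
        losses.append((failed - last_backup).total_seconds() / HOUR)
    return losses


def rpo_breaches(outages, backups, rpo: timedelta):
    """Outages where the backup schedule could not meet the Recovery Point Objective."""
    limit = rpo.total_seconds() / HOUR
    losses = data_loss_hours(outages, backups)
    return [failed for (failed, _), loss in zip(outages, losses) if loss > limit]


if __name__ == "__main__":
    print(f"MTTR {mttr_hours(OUTAGES):.2f} h, MTBF {mtbf_hours(OUTAGES, PERIOD_START, PERIOD_END):.1f} h")
    print("RTO breached:", [d.isoformat() for d in rto_breaches(OUTAGES, RTO)])
    print("RPO breached:", [d.isoformat() for d in rpo_breaches(OUTAGES, BACKUPS, RPO)])
```

The RPO result is the one that usually surprises: the longest outage is the only RTO breach, but two short outages still breach a 4-hour RPO because the nightly backup left up to 14.5 hours of work unprotected. Meeting the RPO is a backup-frequency decision, not a repair-speed one.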
Third-Party Risk
The risk that comes when an organization works with vendors and important company data is shared.
Perform a risk assessment
- to categorize risk by vendor and manage the risk.
Use contracts for clear understanding.
- To make sure everyone understands the expectations and to enforce a secure environment.
Penetration Testing
To simulate an attack; similar to a vulnerability scan, but it goes further by actually exploiting the vulnerabilities found.
Often a compliance mandate.
Regular pen testing can be done by a third party.
- Very specialized.
Rules of Engagement
An important document that defines the purpose and scope of the pen test.
Contains type of testing and schedule.
- On-site physical breach, internal test, external test, work hours, etc.
The rules:
- IP address ranges tested.
- Emergency contacts.
- How to handle sensitive info.
- In-scope and out-of-scope devices or apps.
Right-to-Audit Clauses
A legal agreement/contract between business partners giving either side the option to perform a security audit at any time.
- So everyone agrees to the terms and conditions.
- To verify security before breach occurs.
Evidence of Internal Audits
Used to evaluate the effectiveness of security controls.
- Performed by the organization's own staff, though the work may be given to a third party.
A check for security controls and processes.
- Access management, off boarding, passw security, VPN controls, etc.
May be required for compliance.
Perform at a reasonable frequency.
Supply Chain Analysis
Analyzing the system involved when creating a product.
Analysis:
- Get a product or service from supplier to customer.
- Evaluate coordination between groups.
- Identify areas of improvement.
- Assess the IT systems supporting the operation.
- Document the business process changes.
Independent Assessments
To bring in a person, team, or outside firm to evaluate security and provide recommendations.
- Specialists in their field.
Vendor Selection Process
Performing due diligence
- Checking a company out before doing business to make sure they're legit.
Done to see if there is a conflict of interest.
- Can compromise judgement.
- Ex: A potential partner also does business with your largest competitor.
Vendor Monitoring
Ongoing management of the vendor relationship.
- Doesn't end when the contract is signed, have continued monitoring.
Reviews should occur on a regular basis.
- Monitor financial checks, IT security, and news articles and social media posts associated with this partner.
Assign a person to be in charge of the vendor relationship to manage the monitoring process.
Common Agreements
- Service Level Agreement (SLA).
- Contract with an internet provider.
- Memorandum of Understanding (MOU).
- Memorandum of Agreement (MOA).
- Master Service Agreement (MSA).
- Work Order (WO) / Statement of Work (SOW).
Service Level Agreement (SLA)
An agreement or minimum terms for services provided.
Commonly used between customers and service providers.
Contract with Internet Provider
SLA is no more than four hours of unscheduled downtime.
Technician will be dispatched.
Memorandum of Understanding (MOU)
- Both sides agree on the contents of the memorandum.
- Usually states common goals, but not much more.
- Often includes statements of confidentiality; an informal letter of intent, not a signed contract.
Memorandum of Agreement (MOA)
- The next step above a MOU.
- Both sides conditionally agree to the objectives.
- Can also be a legal document.
- May not contain legally enforceable promises.
Master Service Agreement (MSA)
- A legal contract and agreement of terms.
- A broad framework to cover later transactions.
- Future projects will be based on this agreement.
Work Order (WO)/ Statement of Work (SOW)
- Specific list of items to be completed.
- Used in conjunction with a MSA.
- Details the scope of the job, location, deliverables schedule, acceptance criteria, and more.
- Was the job done properly? Refer to the SOW.
NDA (Non-Disclosure Agreement)
A confidentiality agreement between parties. Protects confidential information.
- Ie: Trade secrets, business activities, anything else in the NDA.
Unilateral or bilateral (or multilateral) ie: one-sided, 2 parties, or more than 2 parties.
- One-way NDA or mutual NDA.
A formal contract.
- Signatures are required.
Business Partners Agreement (BPA)
Going into business together.
- Owner stake.
- Financial contract.
Involves decision-making and how the business will work.
- Who makes the business decisions?
- BPA lists specific individuals and scope.
Prepare for contingencies/ when things go wrong.
- Financial issues
- Disaster events and recovery.
Compliance
Meeting the standards of laws, policies, and regulations.
A healthy catalog of rules across many aspects of business and life.
Domestic and international.
Internal Compliance Reporting
Monitoring and reporting on organizational compliance efforts.
Large organizations have a Chief Compliance Officer (CCO).
Used to provide details to customers or potential investors.
External Compliance Reporting
Documentation required by external or industry regulators.
May require ongoing reporting.
Missing/invalid reporting could result in fines or sanctions.
Regulatory Compliance
Examples:
The Sarbanes-Oxley Act (SOX), HIPAA, the Gramm-Leach-Bliley Act of 1999 (GLBA).
Consequences of Not Being in Compliance
Loss of license.
Contractual impacts.
Fines.
Reputation.
Etc.
Compliance Monitoring
To ensure compliance in day-to-day operations.
Due diligence/due care are associated with it.
- A duty to act honestly and in good faith.
- Due diligence = associated with 3rd-party activities.
- Due care refers to internal activities.
The executive in charge of the compliance monitoring process must "sign off" on formal compliance documentation to state that compliance is in good standing. This is referred to as attestation and acknowledgment.
The compliance must be monitored with internal and external tools.
- You may provide access or information to a third-party.
Large organizations will use automation for this.
Privacy Legal Implications
Starts at local/regional/state level.
- State and local governments set privacy limits.
National.
- Privacy laws for everyone in a country.
Global.
GDPR (General Data Protection Regulation)
European Union Regulation.
- Data protection and privacy for individuals in the EU.
- Users can decide where their data goes and request removal of data from search engines.
- Gives "data subjects" control over their personal data - a "right to be forgotten".
Data Subject
The identified or identifiable natural person whose personal data is being processed.
- Personal data is any information relating to such a person.
- This includes anyone identifiable by name, ID number, address information, genetic makeup, physical characteristics, etc.
Privacy is ideally defined from the perspective of the data subject.
Data Roles
Data Controller:
Manages the purposes and means by which personal data is processed.
Data Processor:
- Processes data on behalf of the data controller, often a 3rd party.
Ex: Payroll Controller and Processor:
- Payroll department = data controller. Defines payroll amounts and timeframes.
- Payroll company = data processor. Processes payroll and stores employee info.
Data Inventory and Retention
A listing of all managed data.
- Owner, update frequency, format of the data.
Internal use
- Project collab, IT security, data quality checks.
External Use
- Selecting data to share publicly.
- Following existing laws and regulations.
Cybersecurity Audit
Examines the IT infrastructure, software, devices, etc.
Checks for effectiveness of policies and procedures.
Find vulnerabilities before the attackers.
Can be performed internally or by a third-party.
Attestation - (often used in conjunction with audit).
- Provides an opinion of truth or accuracy of a company's security positioning.
Audit Committee
Oversees risk management activities.
All audits start and stop here.
Internal audits start with self-assessments, where the organization performs their own checks.
External Audits
Can be regulatory requirements. An independent third-party may be required to perform the audit.
Often requires hands-on research.
Will perform an assessment/assess current activities.
Physical Penetration Testing
Operating system security can be circumvented by physical means.
- You can modify the boot process, boot from other media, and modify or replace OS files.
Physical security is key.
- Prevent access by unauthorized individuals.
Assess and test physical security.
- Doors, windows, elevators, etc.
Pentesting Perspectives
Red team = offensive.
- Attack systems and look for vulnerabilities to exploit
Blue team = defensive.
- Identify attacks in real time and prevent any unauthorized access.
Integrate the two teams together.
- Red team finds exploits and can give info to blue team.
- Identify and patch exploitable systems & services.
Known Environment (Pentesting)
The pentester is given full information about the systems under test.
- Full disclosure.
Partially Known Environment
A mix of known and unknown environment.
- Focus on certain applications or systems.
Unknown Environment
The pentester knows nothing about the systems under attack.
- "Blind" test.
Reconnaissance (Pentesting)
Needing information before the attack.
Gathering a digital footprint and learning everything you can about the environment.
Helps to understand the security posture/what's in place.
Allows the pentesting team to minimize the attack area and focus on key systems.
When done, they can create a network map
-To identify routers, networks, remote sites.
Passive Reconnaissance (Pentesting)
Learning as much info as you can from open sources.
(Social media, corporate website, Reddit/forums, social engineering, Google, dumpster diving, etc.)
Active Reconnaissance (Pentesting)
Going into the network and querying devices for info.
- Trying the doors. Maybe one is unlocked.
The activity is easily visible on the network: it shows up in network traffic and in logs, leaving evidence that we were there.
Example of this:
Ping scans and port scans, DNS queries, OS scans, OS fingerprinting, service scans and version scans.
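The point on the card above, that active reconnaissance leaves evidence, shown in working Python as an added example (not from the card set): a TCP connect scan run against a loopback stand-in for a target service that records every connection's source address, the way a real service or firewall log would. It scans one open and one guaranteed-closed port and returns both what the scanner found and what the target logged. The listener, the port selection and the assumption that loopback sockets are permitted are all constructed for this example.

```python
import socket
import threading
import time


def tcp_connect_scan(host: str, ports, timeout: float = 0.5):
    """Active reconnaissance: complete a TCP handshake with each port. Every
    successful connect is an event the target can log, which is why this is
    visible in a way that passive reconnaissance is not."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


class LoggingService:
    """Stand-in for a target service: accepts connections and records the
    peer address, exactly what a service or firewall log shows the blue team."""

    def __init__(self) -> None:
        self.log = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))   # ephemeral port on loopback
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, peer = self._sock.accept()
            except OSError:          # socket closed: shut down
                return
            self.log.append(f"accepted connection from {peer[0]}:{peer[1]} on port {self.port}")
            conn.close()

    def close(self) -> None:
        self._sock.close()


def demo():
    """Scan one open and one closed loopback port; return what the scanner
    found and what the target logged."""
    service = LoggingService()
    # A socket that is bound but never listens: the kernel refuses connections,
    # giving the scanner a guaranteed-closed port to compare against.
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", [closed_port, service.port])
        deadline = time.time() + 2.0       # give the accept thread time to log
        while not service.log and time.time() < deadline:
            time.sleep(0.01)
    finally:
        closed.close()
        service.close()
    return found, list(service.log)


if __name__ == "__main__":
    found, log = demo()
    print("scanner saw open:", found)
    print("target logged:", *log, sep="\n  ")
```

The closed port produces nothing in the service log but still generates a refused connection that a host firewall or IDS would count; a burst of refused connects across many ports from one source is the classic port-scan signature the blue team alerts on.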
Phishing Campaigns
Testing an organization by sending phishing emails to its employees and seeing who clicks on the link in those emails.
Many companies will perform their own phishing campaign.
Often an automated process.
Anomalous Behavior Recognition
Looking for anything unusual on a user's workstation.
Risky behavior
- Modifying hosts file.
- Replacing a core OS file.
- Uploading sensitive files.
Unexpected behavior
- Logon from another country.
- Increase in data transfers.
Unintentional behavior
- Typing in the wrong domain name.
- Misplacing USB drives.
- Misconfiguring security settings.
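Two of the "unexpected behavior" items above, a logon from another country and an increase in data transfers, as detection logic run over constructed telemetry. This is an added example, not from the card set; the event format, the users and the thresholds are assumptions. Each user's first observed country is taken as their baseline, and an upload is flagged when it exceeds several times that user's own prior average, with only earlier events counting as history so a spike cannot raise the baseline it is compared against.

```python
from collections import defaultdict
from statistics import mean

# Constructed endpoint/auth telemetry (assumption), one event per line:
# timestamp  user  source_country  bytes_uploaded
EVENTS = """\
2024-05-01T08:00:00 alice US 120000
2024-05-01T09:10:00 alice US 150000
2024-05-01T09:40:00 alice US 130000
2024-05-01T10:05:00 alice DE 140000
2024-05-01T11:00:00 bob US 200000
2024-05-01T11:30:00 bob US 210000
2024-05-01T12:00:00 bob US 9000000
"""


def parse_events(text: str):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, uploaded = line.split()
        rows.append((ts, user, country, int(uploaded)))
    return rows


def unexpected_logons(rows):
    """Unexpected behaviour: a logon from a country the user has never been seen
    in. The first country observed for each user is taken as their baseline."""
    baseline = {}
    alerts = []
    for ts, user, country, _ in rows:
        if user not in baseline:
            baseline[user] = country
        elif country != baseline[user]:
            alerts.append((ts, user, country))
    return alerts


def transfer_spikes(rows, factor: float = 5.0, min_history: int = 2):
    """Unexpected behaviour: an upload more than `factor` times the user's own
    average so far. Only events before the current one count as history, and a
    user needs `min_history` prior events before a comparison is meaningful."""
    history = defaultdict(list)
    alerts = []
    for ts, user, _, uploaded in rows:
        prior = history[user]
        if len(prior) >= min_history and uploaded > factor * mean(prior):
            alerts.append((ts, user, uploaded))
        prior.append(uploaded)
    return alerts


if __name__ == "__main__":
    rows = parse_events(EVENTS)
    for alert in unexpected_logons(rows):
        print("new-country logon:", alert)
    for alert in transfer_spikes(rows):
        print("upload spike:", alert)
```

On the sample, alice's German logon is flagged while her uploads are not, and bob's 9 MB upload is flagged while his US logons are not: each rule looks at a different baseline, which is why both are needed. In production the baseline would come from weeks of history rather than a user's first event, and a travelling user's new country would be confirmed against HR or VPN records before it became an incident.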
Reporting and Monitoring
Track and analyze security awareness metrics.
- Automated.
- Phishing click rates.
- Password manager adoption, MFA use, password sharing.
When someone clicks a phishing link or shows some other risky behavior, use it as an opportunity for user training.
Continued monitoring also shows whether these security events recur.
Security Awareness Team
Create this kind of team to determine the roles for training, monitoring, policy creation, etc.
Establish a minimum awareness level
- Information delivery (emails, posters, notices, training).
Integrate compliance mandates (PCI DSS, HIPAA, GDPR, etc.).
Define metrics.
- Assess the performance of security awareness programs.
Execution (Security Awareness)
Create training materials.
Document success measurements.
Identify the stakeholders.
Deploy the training materials.
Track user training efforts.
Security Awareness Training
Before providing access, train your users.
Specialized training
- each user role has unique security responsibilities.
Also applies to third-parties.
Detailed documentation and records.