Studied by 7 people
Threats
external force jeapordizing security
Threat Vector
Specific methods that threats use to exploit a vulnerability
Vulnerability
Weakness in security controls
Risk
the combination of a vulnerability and a corresponding threat
Likelihood
Probability that a risk will occur
Impact
Amount of damage of expected damage
Qualitative Risk Assessment
A risk assessment that uses judgment to categorize risks. it is based on impact and likelihood of occurrence.
Quantitative Risk Assessment
A risk assessment that uses specific monetary amounts to identify cost and asset value. It then uses the SLE and ARO to calculate the ALE.
Asset Value
value of an asset
Asset Valuation Techniques
- Original Cost
- Depreciated Cost
- Replacement Cost
Exposure Factor
Expected Percentage of damage to an asset
Single Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
SLE Calculation
AV*EF=SLE
Annualized Rate of Occurrence (ARO)
The probability that a risk will occur in a particular year.
Annualized Loss Expectancy (ALE)
Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.
ALE Calculation
SLE*ARO=ALE
Mean time to failure (MTTF)
The average amount of time expected until the first failure of a piece of equipment.
Mean Time Between Failures (MTBF)
A statistical value that is the average time until a component fails, cannot be repaired, and must be replaced.
Mean Time to Repair (MTTR)
The average amount of time a computer repair technician needs to resolve the cause of a failure through replacement or repair of a faulty unit.
Internal Risk
- Arise from within the organization
External Risk
- Arise from outside the organization
- Internal controls also mitigate internal risks
Multipart Risks
shared across many orgs
Legacy Risks
arise from unsupportable systems
Risk Avoidance
A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact.
Risk Transference
A risk response strategy whereby the project team shifts the impact of a threat to a third party, together with ownership of the response.
Risk Mitigation
A risk response strategy whereby the project team acts to reduce the probability of occurrence or impact of a risk.
Risk Acceptance
A risk response strategy whereby the project team decides to acknowledge the risk and not take any action unless the risk occurs.
Risk Profile
the full set of risks facing an org
Inherent Risk
risk before controls are applied
Residual Risk
risk after controls are applied
Control Risk
risk that comes from implementing a new control
Categorizing Security Controls
1. Preventive: Stop from occurring in the first place
2. Detective: Identify potential security issues that have taken place
3. Corrective: Remediate security issues that have already occurred
4. Deterrent: Prevent an attacker from seeking to violate security policies
5. Physical: Impact the physical world
6. Compensating: Filling a known gap in a security environment
Technical Controls
Use technology to achieve security control objectives.
Operational Controls
Use human-driven processes to manage technology in a secure manner
Technical vs Operational Contols
Technical controls are implemented by technology, operational controls are implemented by people
Management Controls
Controls that mitigate strategic risks to the organization and promote effectiveness of decision making and business activities
NIST Risk Management Framework
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor
COBIT
Control Objectives for Information and Related Technology
ISO 27001
Cybersecurity control objectives
ISO 27002
Cybersecurity Control Implementation
ISO 27701
Privacy controls
ISO 31000
Risk Management Objectives
NIST 800-53
Mandatory for federal agencies
Risk Register
A document in which the results of risk analysis and risk response planning are recorded.
Data Controller
determine the reasons for processing personal information and direct the methods of processing
Data Processors
Service providers that process information on behalf of a data controller
Data Owner
Individuals, normally managers or directors, who have responsibility .for the integrity, accurate reporting and use of computerized data.
Data Steward
handle day-to-day governance actives
delegated responsibilities by data owners
Data Custodian
Actually store and process information (often IT staff)
Policies
- provide foundation for security program
- written carefully over a long period of time
- require compliance from all employees
- are approved by mgmt
Standards
- provide specific details of security controls
- derive authority from policies
- follow a less rigorous approval from all employees
Guidelines
- provide security advice to the org
- follow best practices from industry
- suggest optional practices, not mandatory
Procedures
- outline a step-by-step process for an activity
- may require compliance
GAPP
Generally Accepted Privacy Principles
GAPP Principals
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use, Retention, and Disposal
6. Access
7. Disclosure to 3rd Parties
8. Security
9. Quality
10. Monitoring and Enforcement
Security Training
Provides users with the knowledge they need to protect the organization's security
Security Awareness
Keeps the lessons learned top of mind during security training
Which two factors are used to evaluate a risk?
frequency and likelihood
likelihood and impact
criticality and likelihood
impact and criticality
likelihood and impact
What is the correct formula for computing the annualized loss expectancy?
ALE = ARO * AV
ALE = EF SLE ARO
ALE = AV - SLE
ALE = SLE * ARO
ALE = SLE * ARO
What is the lowest level of classification in the government's classification scheme?
Top Secret
Public
Secret
Confidential
Confidential
Which one of the following is not one of the major principles of COBIT?
securing the enterprise end-to-end
meeting stakeholder needs
separating governance from management
applying a single integrated framework
securing the enterprise end-to-end
Where would an organization normally record its risks?
risk register
security policy
risk management framework
risk management policy
risk register
What data security role is normally filled by a senior-level official who bears overall responsibility for the data?
data custodian
data guardian
data owner
data steward
data owner
What is the first step in the NIST risk management framework?
Select security controls.
Authorize information system.
Categorize information system.
Monitor security controls.
Categorize information system.
Purchasing an insurance policy is an example of which risk management strategy?
risk mitigation
risk deterrence
risk transference
risk acceptance
risk transference
Backups are an example of what category of security control?
preventive
corrective
deterrent
detective
corrective
(T/F) Risk assessments represent a point-in-time analysis of the risks facing an organization.
True
(T/F) Vendors extend your organization's technology environment. If they handle data on your behalf, you should expect they execute the same degree of care that you would in your own operations.
True
(T/F) Data ownership issues often arise in supplier relationships.
True
(T/F) Audits may be performed by either internal or external entities.
True
What type of Service Organization Controls audit is designed for public consumption?
SOC 3
SOC 2
SOC 4
SOC 1
SOC 3
What type of agreement is used to define availability requirements for an IT service that an organization is purchasing from a vendor?
MOU
SLA
ISA
BPA
SLA
Which element of the security policy framework includes suggestions that are not mandatory?
Procedures
Policies
Guidelines
Standards
Guidelines
What security principle prevents against an individual having excess security rights?
least privilege
mandatory vacations
separation of duties
job rotation
least privilege
Which one of the following is not one of the GAPP principles?
Collection
Notice
Management
Integrity
Integrity
What law contains specific requirements for data breaches that occur in the healthcare industry?
Sarbanes-Oxley
PCI DSS
FERPA
HIPAA
HIPAA
(T/F) ZIP code, date of birth, and gender uniquely identify 87% of people in the United States.
True
What data obfuscation technique is intended to be reversible?
tokenization
hashing
deletion
masking
tokenization
What is the name of the practice where a user holds a door open for the individual following them into a building?
smurfing
tailgating
politeness
shoulder surfing
tailgating
What type of security training is specifically designed to educate employees about attack techniques?
gamification
capture the flag
awareness efforts
phishing simulation
capture the flag
ECB
each block encrypted with the same key
simplest encryption mode
ea. block encrypted w same key
CBC
each plaintext is XORed w previous ciphertext block
adds additional randomization
use an initialization vector for the first block
CTR (Counter)
Block cipher mode acts like stream cipher
encrypt successive value of “counter”
Plaintext can be any size, since its part of the XOR
ie - 8 bits at a time (streaming) instead of 128 bit block
GCM
encryption w authentication
auth part of block mode
combines Counter mode w Galois authentication
Minimum Latency, minimum operation overhead
very efficient encryption and authentication
Commonly used in packetized data
Network traffic security (wireless, IPsec)
SSH, TLS
Cryptographic Nonce
Aribitrary number
used once
random or pseudo-random number
cant be reasonably guessed
can also b counter
use nonce during login process
server give u nonce
calc ur pswrd hash using nonce
ea pswd sent to host will be diff, so replay dont work
IV
used in encryption scheme
strengthens scheme
usined in encryption ciphers, WEP, and some SSL implementations
UEBA
detect insider threats
identify targeted attacks
catches what the SIEM and DLP systems might miss
SIEM Data inputs
server auth attempts
VPN connections
Firewall session logs
Denied outbound traffic flows
Network utilizations
packet captures
nw packets
often associated w critical alert
some orgs capture everything
Sentiment analysis
using public tweets, posts, and using those words to analyze how the public feels about company
can predict if more likely to be hacked
SOAR
automates routine, and time intense activities
Orchestration
connect many diff tools together
Automation
handle sec tasks auto
Response
react to anything on nw
passive footprinting
learning from open sources
social media
corporate web site
online forums
social engineering
dumpster diving
DLP on computer
for data in use EndPoint DLP
DLP on network
data in motion
DLP on Server
Data at rest
Edge Computing
process application data on edge server
close to user
Often process data on the device itself
no latency, no nw requirement
increased speed and performance
process where the data is, instead of processing in the cloud
Fog Computing
cloud that close to data
Cloud + IoT
distributed cloud architecture, extends the cloud
immediate data stays local - no latency
local decisions made from local data - no bandwidth req.
private data never leaves - minimizes sec concerns
long-term analysis can occur in the cloud - internet only when req.
IaC
desc infastructure
def server, nw, applications as code
Mod infrastructure and create versions
use the desc (code) to build other application instances
important concept for cloud computing
SDN
networking devices have 2 functional planes of operations
Control plane, Data plane
Directly programmable
Agile
Centrally Managed
Programmatically config.
open std / vendor neutral
SDV
dynamic deployments include sec and network visibility devices
NGFW, WAF (web app FW), SIEM
Data is encapsulated and encrypted
Security devices monitor application traffic
visibility expands as the application instances expanded
application flows can be controlled via API
VXLAN
encapsulation method used in cloud technologies
Note
Flashcard