• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/28

Click to flip

28 Cards in this Set

  • Front
  • Back
When describing the system or process, you often focus on what two primary areas?
Operational Characteristics and Mission of the System
Define operational characterisics
how the system operates in your environment, you need to identify how the system is currently configured and operating
Define the mission of the system
what the system does
In reviewing previous findings, what three (3) items are worth investigating?
Recommendations
Current status of accpted recommendations
Unapproved recommendations
Management structure refers to?
how responsibilities are assigned
Define Asset Valuation
the process of determing the fair market value of an asset, one of the first priorities of risk management
Replacement value
the/ cost to purchase a new asset in its place
Recovery value
the cost to get the asset operaional after a failure
Elements to consider when determining the value of different assets
-system access and system availability
-system functions
-hardware assets
-software assets
-personnel assets
-data and information assets
-facilities and supplies
Access and availability
refers to how and when the asset needs to be available
Whitelist
a list of approved e-mail addresses or e-mail domains
Blacklist
automatically marked as spam
Define hardware assets
any assets that you can physically touch
Define software assets
include both the operating system and the applications
Define personnel assets
personnel that an organization is able to retain often has fewer problems than one witha high turnover rate
Define data and information assets
different levels of value based on the classification of the data:
-public data: freely available to anyone
-private data: internal data, data on employees and customers
-proprietary data: highly valuable data, deserves a lot of protection, if lost could seriously effect the company's profitability
Define facilities and supplies
information needed when calculating your insurance needs
-hot site: a location that can take over the operations of another location within a short period
-cold site: a building wth electricity and running water but little else
-warm site: a compromise between a hot site and a cold site, may include all the hardware but the data may not be up to date
In identifying and evaluating relevant threats, use what two (2) methods?
review historical data and modeling
Reviewing historical data, you should look for
attacks
natual events
accidents
equipment failures
Define threat modeling
a process used to identify possbile threats on a system, which provide on:
-the system: background information
-threat profile: list of threats
-threat analysis: to determine if an asset is vulnerable
Define vulnerability assessment
a process used to discover weakness in a system, with multiple goals such as:
-identify IP address
-Identify names
-identify operating systems
-identify open ports
-identify weak passwords
-capture data
Name some common vulnerability assessments tools
-Nmap: a network mapping tool that determines open ports
-Nessus: commercial product that can detect common vulnerabilities in the configuration of a system
-SATAN: Security Administrator Tool for Analyzing Networks, not as popular as the other tools
-SAINT: System Administrator's Integrated Network Tool, full suite of vulnerability tools
Define exploit assessment
attempts to discover what vulnerabilities an attacker can exploit, aka "penetration tests"
Define countermeasures
a security control or a safeguard
Name the Control Categories
Administrative security controls, which are the controls in place in response to the rules and guidelines directed by upper-level management
-Technical security control, uses computers or software to protect systems
-Physical security control, which controls the physical environment such as locked doors, guards and access logs, video cameras
Name a common mistake needed to implement a control
underestimating the costs needed
Best practices for performing risk assessments
-ensure systems are fully described
-review past audits
-review past risk assessments
-match the RA to the management structure
-identify assets with the RA boundaries
-identify and evaluate relevant threats
-identify and evaluate relevant vulnerabilities
-identify and evaluate countermeasures
-track the results
What is used to track and monitor the controls and approved recommendations?
POAM: Plan of Actions or Milestones