Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
105 Cards in this Set
- Front
- Back
|
How do you calculate residual risk?
|
(Threats × vulnerability × asset value) × controls gap
|
|
|
Who has the primary responsibility of determining the classification level for information?
|
The owner
|
|
|
Which is the most valuable technique when determining if a specific security
control should be implemented? |
Cost/benefit analysis
|
|
|
Quantitative risk analysis is?
|
A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment.
|
|
|
Qualitative risk analysis is?
|
A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.
|
|
|
Why is a truly quantitative risk analysis not possible to achieve?
|
Quantitative measures must be applied to qualitative elements.
|
|
|
What is CobiT?
|
Open standards for control objectives.
It is a Framework for a model IT Governance and Control. Funtion on the Operation level. |
|
|
What are the four domains that make up CobiT?
|
Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
|
|
|
What is the ISO/IEC 27799 standard?
|
Provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.
|
|
|
What is COSO ?
|
In a corporate environment prevent financial fraud.
COSO is a model for corporate governance on a strategic level. COSO deals with non-IT items |
|
|
Core Information Security Principles
|
Confidentiality, Integrity and Availability
|
|
|
Confidentiality
|
Only authorized individuals, processes, or systems should have access to information on a need-to-know basis.
|
|
|
Integrity
|
Information should be protected from intentional, unauthorized, or accidental changes.
|
|
|
Availability
|
Information is accessible by users when needed.
|
|
|
Business Continuity Planning (BCP)
|
Ensures that the department can function without the computer system within a defined period using alternate processes. (Plan of how to continue bussines.
|
|
|
Disaster Recovery Planning (DRP)
|
Recovering Plan from an IT disaster and having the IT infrastructure back to an acceptable operational state.
|
|
|
Continuity of Operations Plan (COOP)
|
The plan for continuing to do business until the IT infrastructure can be restored.
|
|
|
MTBF (Mean Time Between Failures)
|
A time determination for how long a piece of IT infrastructure will continue to work before it fails.
|
|
|
MTTR (Mean Time to Repair)
|
A time determination for how long it will take to get a piece of hardware/software repaired and back on-line.
|
|
|
RPO (Recovery Point Objective)
|
Is the organization’s definition of acceptable data loss.
|
|
|
RTO (Recovery Time Objective)
|
Is the organization’s definition of the acceptable amount of time an IT system can be off-line.
|
|
|
Intangible assets
|
Non-physical things of value that a company owns. These assets have no set monetary value and no physical measurement. They can not be seen or touched.
|
|
|
What are Tangible Assets ?
|
The amount of money in your bank account is tangible, as is the property you own, like cars, houses or boats.
|
|
|
What is a definite intangible asset?
|
Definite assets are those that last for a particular amount of time, like contract agreements.
|
|
|
What is a indefinite intangible asset?
|
Indefinite assets go on for an unspecified amount of time, like a brand name that will continue on for as long as the company chooses to produce the product.
|
|
|
Security Governance
|
Is the preparation that will guarantees that the appropriate information security activities are being performed to ensure that the risks are appropriately reduced.
|
|
|
Policies
|
Establishes the glue that ensures everyone has a common set of expectations and communicates management's goals and objectives.
|
|
|
Components that support the implementation of a security policy
|
Procedures, standards, guidelines, and baselines.
|
|
|
Standards
|
Are software and harware security mechanisms selected as the organization's method of controlling security risk,
|
|
|
Proceedures
|
step by step instructions in support of the policies, standards, guidelines, and baselines.
|
|
|
Baselines
|
Provide descriptions of how to implement security packages to ensure this implemantations are consistance throughtout the organization. Are specific list of rules that will be applied to harden.
|
|
|
Guidelines
|
Optionals controls used to enable individuals to make judgments with respect to a security action. Also set of recommendations or best practice.
|
|
|
Type of security planing
|
Strategic = Long term planing, and should be review at least anually. (3 to 5 years or more).
Tatical = Mid term planing, and is the action of the strategic planing. (6 to 18 month). Operational = Daily, weekly or short term projects. |
|
|
Security Officer
|
Who directs, coordinates, plans, and organizes information security activities throughout the organization.
Who chairs the security oversight committee? |
|
|
Risk management
|
A discipline for living with the possibility that future events may cause harm. The technique of assessing, minimizing and preventing accidental loss to a business, using safety measures. Reducing risks by defining and controlling threats and vulnerabilities
|
|
|
What are the two types of risk assessments?
|
Quantitative risk analysis and Qualitative risk analysis.
|
|
|
SLE
|
Single Lost Expectancy
Asset value ($) * exposure factor % = SLE |
|
|
ARO
|
Annual Rate of Occurrence. How often a threat will be successful in exploiting a vulonerability over the period of a year .
|
|
|
ALE
|
Annualized Loss Expectancy. Product of the yearly estimate for the exploit (ARO) and the loss in value of an assets after a single exploitation.
ARO * SLE = ALE |
|
|
LAFE
|
Localized Annual Frequency Estimate (adjusted for geographical distances)
|
|
|
OCTAVE
|
(Operationally Critical Threat, Asset, and Vulnerability Evaluation) Is a self-directed information security risk evaluation. Set of principles, attributes and outputs.
|
|
|
The Total Cost of Ownership (TCO)
|
Is the total cost of a mitigating safeguard. TCO combines upfront costs (often a one-time capital expense) plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc.
|
|
|
The Return on Investment (ROI)
|
Is the amount of money saved by implementing a safeguard.
|
|
|
Nonrepudiation
|
A user cannot deny (repudiate) having performed a transaction.
|
|
|
Risk assesment methodology
|
FRAP = Facilitated Risk Analysis Process
CRAMM = CCTA Risk Analysis and Management Method Spanning Tree Analysis = Creates a tree of all possible threats to or faults of the system . OCTAVE = self-directed information security risk valuation. |
|
|
What are the four risk management principles?
|
1) Avoidance = Cutting the service.
2) Transfer = Using insurance. 3) Mitigation = reducing the risk 4) Acceptance = after monetary analysis. |
|
|
Threat
|
The potential to successfully exploit a particular vulnerability.
|
|
|
Separation of duties
|
Tasks are broken into different phases. This limits chances for financial fraud
|
|
|
Consistency in security implementation is achieved through?
|
Standards and baselines
|
|
|
Job rotation
|
To avoid Collusion.
|
|
|
Risk
|
Describes the probability of a theat materializing.
|
|
|
How do you calculate total risk?
|
Threats * vulnerability * asset Value
|
|
|
Delphi methods
|
Consensus Delphi Method = Experts opinions help to identify the highest priority security issues and corresponding countermeasures.
Modified Delphi Method = is a silent form of brainstorming in which the participants develop ideas individually and silently with no group interaction. |
|
|
ISO/IEC 27799
|
Standard on how to protect personal health information. It is referred to as the health informatics. Protect such information via implementation of ISO/IEC 27002.
|
|
|
NIST 800-30
|
Risk Management Guide for Information Technology Systems is a U.S. federal standard that is focused on IT risks.
|
|
|
AS/NZS 4360
|
Takes a much broader approach to risk management. This methodology can be used to understand a company's financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.
|
|
|
Security Controls : Types
|
Deterrent = Informed people they are been monitor.
Preventing = Actions been taking to prevent after the investigation. Corrective = Making the adjustments. |
|
|
Change Controls
|
Documentation detailing changes made to the system architecture and infrastructure. Detail what changes were made, when, why, and by whom, remainder of pass changes.
|
|
|
The Delphi
|
Qualitative technique uses each person’s honest opinion in a group
setting to get a wide range of ideas on how to address the issue. It allows people to submit their opinions anonymously to ensure that they are not intimidated or bullied by others who might sway them from giving their honest feelings on a specific subject. |
|
|
Security Access controls
|
Administrative, Technical, and Physical
|
|
|
Administrative Control
|
Administrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organization’s sensitive information. Policies, Procedures, awareness, Training , Background check , Separation of duty.
|
|
|
Technical
|
Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information.
Examples include logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion detection systems. ACLs, Smart Cards, Encryptions, Token card. |
|
|
Physical Control
|
Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples
are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detector, alarm system), and physical protection systems (sprinklers, backup generator). |
|
|
Exposure
|
An exposure means that a vulnerability has been exploited by a threat. Examples are a hacker accesses a database through an open port on the firewall, an employee shares confidential information via e-mail, or a virus infects
a computer. |
|
|
Access Control
|
Is method for allowing or denying access to information objects, enforced Authentication, Identification, Confidentiality, Integrity and Availability.
|
|
|
Access Control Models
|
Mandatory Access Control (MAC) Applied levels that classified the information assets. Hard to maintain. Discretionary Access Control (DAC) Use Access list to apply the access control policies, very popular on the industry and home jobs. Rule Base Access Control (RBAC) work access list on Fire walls apply the security policy. Role Base Access Control (RBAC) Categorize the personal base on their role in the organization.
|
|
|
planning horizon
|
Strategic goals or long-term goals, tactical goals or mid-term goals, operational goals or daily goals. This approach to planning is called a planning horizon.
|
|
|
The data owner
|
Is the one who decides upon the classification of the data.
|
|
|
The data custodian
|
Is the one assigned by the owner to manage and maintain the data.
|
|
|
Remote journaling
|
Is a technology used to transmit data to an off-site
facility, but this usually only includes moving the journal or transaction logs to the off-site facility, not the actual files. |
|
|
Security through obscurity
|
Is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker, which is a poor way of practicing security. Vulnerabilities should be identified and fixed, not hidden.
|
|
|
Disaster recovery
|
Deals with the actions that need to take place right after a disaster.
|
|
|
Business continuity
|
Deals with the actions that need to take place to
keep operations running over a longer period of time. |
|
|
The proper steps for developing a disaster recovery plan are
|
Develop the continuity planning policy statement.
. Conduct the business impact analysis (BIA). . Identify preventive controls. . Develop recovery strategies. . Develop the contingency plan. . Test the plan and conduct training and exercises. . Maintain the plan. |
|
|
Defense in Depth
|
The practice of implementing appropriate access control mechanisms is also the first line of defense ... Defense in depth is the practice of applying multiple layers of security protection between an information resource and a potential attacker.
|
|
|
Identification
|
User makes a claim as to his or her identity.
|
|
|
Authentication
|
User proves his or her identity using one or more mechanisms.
|
|
|
Authorization
|
System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated.
|
|
|
System keeps an accurate audit trail of the users activity.
|
Accounting
|
|
|
Subjects
|
Entities that may be assigned permissions.
|
|
|
Objects
|
Types of resources that subjects may access.
|
|
|
Three important access control concepts.
|
Subjects, objects, access permissions .
|
|
|
Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.
|
Non-discretionary access control (NDAC) also known as role based access control (RBAC)
|
|
|
Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.
|
Lattice based access control (LBAC) .
|
|
|
Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.
|
Privilege creep
|
|
|
Kerberos
|
Software used on a network to establish a users identity.
|
|
|
Technology that enables centralized authentication.
|
Single sign on (SSO)
|
|
|
Three components of kerberos
|
Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)
|
|
|
Four different kinds of tokens
|
Four different kinds of tokens
|
|
|
Three evaluation factors for biometric techniques.
|
Enrollment time, throughput rate, acceptability
|
|
|
The amount of time that it takes to add a new user to a biometric system.
|
Enrollment time
|
|
|
The number of users that may be authenticated to a biometric system per minute.
|
Throughput rate
|
|
|
The likelihood that users will accept the use of a biometric technique.
|
Acceptability
|
|
|
Six types of attack.
|
Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.
|
|
|
The type of attack where the attacker simply guesses passwords until eventually succeeding.
|
Brute force attack
|
|
|
Type of attack where the attacker uses the password encryption algorithm to encrypt a dictionary of common words and then compares the encrypted words to the password file.
|
Dictionary attack
|
|
|
Type of attack where an individual or system poses as a third party.
|
Spoofing
|
|
|
Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.
|
Denial of service (DoS)
|
|
|
Type of attack where the attacker can monitor all traffic occurring on the same network segment,
|
Sniffer
|
|
|
An effective way to assess the security of a system.
|
Penetration test
|
|
|
Two types of monitored environment for IDS.
|
Host based, Network based
|
|
|
IDS that resides on a single system and monitors the systems even log and audit trail for signs of unusual activity.
|
Host based IDS
|
|
|
IDS that performs real time monitoring in a passive manner by monitoring all of the traffic on a specific network segment,
|
Network based IDS
|
|
|
IDS that stores characteristics of an attack and then compares activity in a monitored environment to those characteristics.
|
Signature based IDS
|
|
|
IDS that measures user, system, and network behavior over an extended period of time to develop baselines.
|
Anomaly based IDS
|
