Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
61 Cards in this Set
- Front
- Back
|
What are the 3 different IS security policies?
|
Enterprise Information Security Policy, Issue Specific Security Policy, Systems Specific Policy
|
|
|
What is an Enterprise Information Security policy?
|
It sets the strategic direction, scope and tone for all of security efforts in org. Executive level document drafted by CIO. Should include the responsibilities of everyone, of roles and the specified penalties and displinary actions
|
|
|
What is an Issue Specific Security policy?
|
Addresses specific area of technology, contains statement on orgs position to specific issue
|
|
|
What is a Systems Specific Policy?
|
Frequently codified as standards and procedures when configuring or maintaing systems. Fall into two groups, ACLs and configuration rules
|
|
|
What must happen for a policy to remain viable?
|
Constantly adapt to changing env. Must have a responsible manager, a schedule of reviews, method for making recommendations, a policy issuance and revision date and an automated policy management tool
|
|
|
What must happen for a policy to be effective?
|
Disseminated (distributed), read, understood and agreed upon, be applied fairly
|
|
|
What is information classifications?
|
Important aspect of policy, defines classification levels for example confidential and public
|
|
|
What are threats to classified information?
|
No clean desk policy, dumpster diving, sharing of classified documents by insecure methods
|
|
|
What is the information security blueprint?
|
Basis for design, selection and implementation of all security policies and training programs. Should specify how tasks are to be accomplished. Should also serve as scalable, upgradeable and comprehensive plan for InfoSec needs
|
|
|
Why use Security Education?
|
Everyone in an org needs to be trained and aware of InfoSec. Does not need to be a formal degree or cert
|
|
|
Why use Security Training?
|
Involves providing members of org with detailed information and hands-on experience. Can also be conferences or external courses
|
|
|
Why use Security Awareness?
|
One of least frequently implemented but most beneficial programs. Designed to keep InfoSec at forefront of users' mind
|
|
|
Why use IDPS?
|
Primary purpose is to identify and report and intrusion. Can quickly contain and mitigate damage. Data collected during attack can be used to diagnose and fix vulnerabilities in system
|
|
|
What are the advantages of NIDPS?
|
Good network design and smart placement can enable and org to monitor large network with few devices. NIDPs are passive and can be deployed with little disruption. Not usually susceptible to attack
|
|
|
What are the disadvantages of NIDPS?
|
Can become overwhelmed with network volume and miss attacks, require access to all traffic, cannot anaylze encrypted traffic
|
|
|
What is commonly detected by network behaviour analysis systems?
|
DoS, scanning, worms, policy violations
|
|
|
What are the benefits of HIDPs?
|
Resides on particular server and only monitors traffic for that server, can view encrypted traffic, monitors key system files and detects modifications
|
|
|
What are the disadvantages of HIDPS?
|
Does not detect multihost scanning, can be a large overhead on a server, vulnerable to system attacks, harder to manage
|
|
|
What is signature based detection?
|
Examines traffic for patterns that much known signatures, many attacks have distinct signatures, has to be continually updated
|
|
|
What is anomaly based detection?
|
Collects statistical summary of baseline traffic/usage. Compares current traffic to baseline. Can detect new types of attacks. Can generate many more false positives
|
|
|
What are log file monitors?
|
Similar to NIDPS, review log files generated by servers/network devices for patterns and signatures. Requires considerable resources
|
|
|
What must be taken into consideratio when selecting a IDPS?
|
Is it sufficiently scalable for org, has it been tested, do we have expertise to use, what is the support for the product
|
|
|
Where are the best locations to put IDPS?
|
Behind an external firewall, in the network DMZ, outside external firewall, on critical subnets, on major network backbones
|
|
|
What do vendors often do to help test IDPs?
|
Provide testing suites/mechanisms to verify systems and performing as expected
|
|
|
What are the disadvantages to honeypots/nets and padded cells?
|
Admins need high level of expertise, may provoke attacker to perform a larger attack, have not be proven to be very effective
|
|
|
What are important qualities of an InfoSec candidate?
|
Strong communication and writing skills, as InfoSec is usually a management problem not a technical one. Need to understand role of policy, most mainstream technologies, orgs threats, and how orgs operate
|
|
|
What are some InfoSec roles?
|
Chief information security officer, chief security officer, security manager, security technician
|
|
|
What are common employee termination activities?
|
Information disclosure agreements, audit system use and storage, changing system access, equipment inventorying, changing of locks, exit interview
|
|
|
What is some advice for IS professionals?
|
Always business before technology, never lose sight of goal - protection, be heard not seen, know more than you say, speak to users not at them, your education is never complete
|
|
|
What is important to keep in mind when hiring?
|
On site visits as part of interviews should exercise caution when showing employee around facility. Background checks should be used, references check
|
|
|
What is an employment contract?
|
An important security instrument that should include non disclosure and monitoring agreements
|
|
|
How should a new employee be treated?
|
Should receive extensive IS briefing on policies, procedures and requirements. Levels of access should be outlined and employee should receive training of secure use of IS
|
|
|
What are the key infosec issues around termination?
|
Protection of all information employee could access, securing keys, key cards, and other property. Perform exit interview
|
|
|
What additional measures should be taken for hostile termination?
|
Employee should lose access to information systems before aware. Keycards are deactivated. Employee collects belongings and then is escorted off premisis
|
|
|
What additional measures should be taken for temporary employees?
|
Carefully manage relationship to prevent theft, have supervisor restrict access when possible, least privilege, escorted through secure facilities
|
|
|
What infosec measures should be taken with business partners?
|
Non disclosure agreements, clear boundaries on what data should be exchanged and in what format
|
|
|
What are internal methods to control employees?
|
Two man control - two people work on similar tasks reviewing each others work, seperation of duties, job rotation, mandatory leave, garden leave, least privilege
|
|
|
What is a secure facility?
|
Physical location with controls implemented to minimize risk of attacks
|
|
|
What are examples of phsyical security controls?
|
Fences, gates, locks, guards, dogs, mantraps, cameras, alarms, computer rooms, interior doors and walls
|
|
|
What are the main lock categories?
|
Manual, programmable, electronic, biometric
|
|
|
What is a man trap?
|
Small enclosure that has entry and exit point. Only one door may open at a time. A guard authorises entry into secure area
|
|
|
What are the drawbacks of electronic monitoring?
|
Passive, does not prevent access. Recordings are often not monitored 24/7
|
|
|
What are the different type of alarms?
|
Fire, intrusion, environmental disturbance, interruption to service
|
|
|
What should be taken into account for walls/doors?
|
Firewall grade for secure areas, install push or crash bars on computer rooms/closets
|
|
|
What should be handled by inventory management?
|
Computer equipment regular inspections, classified information, physical security of equipment/sensitive data/documents
|
|
|
What is the role of accountability/auditability?
|
All authorised and unauthorised actions should be logged and attributed to an authenticated identity. Examples are system logs, database journals
|
|
|
What are the 3 types of firewall filtering?
|
Static - based on rules set by admin, dynamic - firewall that reacts to emergent event and creates new rules, stateful inspection - keep track of connection between internal and external systems
|
|
|
What is a bastion host?
|
A type of firewall that stands at edge of security perimeter, has two NICs one internal and one external. Often implements NAT as another layer of security
|
|
|
What is a screened host firewall?
|
Packet filtered router backed by fire wall. Less burden on fire wall. Requires external attack to compromise both router and firewall
|
|
|
What is a screened subnet firewall?
|
Connections from outside are routed through external filtering router, into DMZ. Only connections into secure network are allowed from DMZ bastion host servers. DMZ hosts are essentially proxies
|
|
|
What should be taken into account when selecting firewalls?
|
What firewall offers balance between protection and cost for orgs neeeds. Which features do you have to pay additional for. What is easiest to setup/configure/maintain. Is it scalable to orgs needs?
|
|
|
What are firewall best practices?
|
All traffic from trsuted network is allowed out. Firewall isn't accessible from public network. SMTP data are allowed. ICMP are denied. Telnet to internal servers is denied. Web servers offered outside of firewall, all other incoming HTTP is denied. All data not verifably authentic should be denied
|
|
|
What 3 interacting services does kerberos consist of?
|
Authentication server, Key distribution center, Kerberos ticket granting service
|
|
|
What are 2 VPN modes?
|
Transport mode, where only data is encrypted. Tunnel mode, entire client package is encrypted including headers
|
|
|
How does kerberos grant access to a network resource?
|
A client will authenticate with the authentication server && KDC and receive an auth token. This token can then be used to request a ticket by the TGS for the service, this ticket is encrypted with services private key. The client sends this ticket to the service which then authenticates it with it's own private key
|
|
|
What are the 5 different risk control strategies?
|
Defend - attempt to prevent exploitation of vulnerability, transfer - get insurance, mitigate - IRP DRP BCP, accept - accept costs/risk, terminate - risk isn't worth it terminate service
|
|
|
What is an example of a feasability study?
|
Cost benefit analysis
|
|
|
What is the CBA formula?
|
ALE(prior) - ALE(post) - ACS where ACS = annualized cost of safeguard
|
|
|
What is benchmarking?
|
An alternative approach to risk management. Process of seeking out and studying practices in other orgs that org desires to replicate
|
|
|
What are the issues with benchmarking?
|
No two orgs are the same. The two orgs don't communicate. Best practices are a moving target. Only looks to the past
|
|
|
What is baselining?
|
Analysis of measures against established standards
|
