Chapter 3 & 4
What are Business Challenges to the Organization for Compliance?
changing regulations, internal standards interfering with operations
Framework
conceptual set of rules and ideas that provide structure to a complex and challenging situation.
What are attributes of standard and frameworks?
depth/breadth, flexibility, reasoning, prioritization, industry acceptance
14 Adequate controls over privacy data help prevent ________ theft
identity
Log Message Filtering:
including or excluding (exclusion is sometimes referred to as "dropping on the floor" or drop) log messages based on the content in the log message.
loghost
is a computer system, generally a Unix system or Windows server, where log messages are collected in a central location.
Log Message Normalization
is the act of taking disparately formatted log messages and converting them to a common format.
Performance tools
tell us how our network is handling traffic flow.
Log formats
tend to be "open" or "proprietary," but there is no single logging standard
Material adapted from © 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company, www.jblearning.com. All rights reserved.
Diagnostic tools
used to test connectivity, ascertain that a location is reachable, or that a device is up; usually active tools
Privacy Management?
"The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information."
IDS Pattern matching
(Signature analysis) based on known attacks
SYSLOG
A Standard for logging/reporting based on severity level
Procedure
A document that provides step-by-step instructions for how standards and guidelines are put into practice.
Policy
A document that regulates conduct through a general statement of beliefs, goals and objectives.
Standard
A document that supports policy. It consists of mandated rules, which support the higher-level policy goals.
12. What can be done to manage risk? (select 3) A. Accept B. Transfer C. Avoid D. Migrate
A. Accept B. Transfer C. Avoid
13 Regarding the seven domains of IT infrastructure, the Workstation domain includes which of the following? (select 3) A. Desktop computers B. Laptop computers C. Remote access systems D. E-mail servers E. Handheld devices
A. Desktop computers B. Laptop computers E. Handheld devices
5 The COSO framework is targeted to which of the following groups within a company? A. Executive management B. First- line management C. Security analysts D. Application developers
A. Executive management
3 The process of selecting security controls is considered within the context of risk management. A. True B. False
A. True
Hybrid Auditing Framework
Allows operations-focused audits to combine with IT-focused audits by mapping business processes to IT processes. Uses COSO/COBIT
Control Activity
An activity that provides the details on how to achieve control objectives. Specific, detailed.
5 Account management and separation of duties are examples of what type of controls? A. Audit and accountability B. Access control C. Security assessment and authorization D. Personnel security
B. Access control
3 Avoiding the need for audits is one reason organizations develop clearly documented policies, standards, and procedures. A. True B. False
B. False
Control Objective
Objectives that state the high-level organizational goals of information system measures. Remains fairly constant.
Control Objectives vs Activities?
Objectives: high-level/organizational goals; Activities: specific/how to achieve goals
12 ISO/IEC 27002 is a code of _________ for information security management.
Practice
Configuration and Change Management
Process of systems control/maintenance/compliance throughout their life cycle
Standard & Framework: NIST 800-53
Provides catalog of security controls (management, technical, operational), targeted to fed gov't
IDS Stateful Matching
Scans for attack signatures; based on system behavior, several packets within a communication stream, requires regular updates
Logs
a collection of log messages that will be used collectively to paint a picture of some occurrence.
10 SSAE 16 Type 1 includes everything in a SSAE 16 Type 2 report, but it adds a detailed testing of the controls over a specific time frame. A. True B. False
B. False
11 Organizations may be audited for both ISO/IEC 27001 and ISO/IEC 27002 and receive a formal certification for both. A. True B. False
B. False
Protocol Anomaly-Based Intrusion Detection
Installed on web server, detects unacceptable deviations
Auditing ISS Domains: Remote Access Domain
Use: Access organization resources remotely Scope: Unsecured transports, Internet, dial-up modem Improvement: Remote access solutions, VPNs, encryption, two-factor authentication
Auditing ISS Domains: Workstation Domain
Use: End user's computing environment Scope: Desktops, laptops, printers, scanners, mobile devices, wireless devices Improvements: Maintenance of system hardware and software
Auditing ISS Domains: WAN Domain
Use: End-to-end connectivity between LANs Scope: Routers, firewalls, intrusion detection system, telecommunications components Improvement: Channel service unit/data service unit, codecs, backbone circuits, Internet, untrusted zone
6 Which one of the following is not one of the 7 domains of an IT infrastructure? A. User domain B. Workstation domain C. LAN-to-LAN domain D. WAN domain E. Remote access domain
C. LAN-to-LAN domain
14 Which of the following provides a framework for assessing the adequacy of implemented controls? A. NIST 800-53 B. NIST 800 C. NIST 800-53A D. NIST 800A
C. NIST 800-53A
2 Which of the following best describes the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information? A. Security management B. Compliance management C. Privacy management D. Collection management
C. Privacy management
what are Popular Control Frameworks?
COBIT; NIST 800-53; SANS
Host Based Intrusion Detection System (HIDS)
Can monitor encrypted traffic, uses a lot of CPU and memory
Change vs Configuration Management
Change: method for tracking unauthorized changes; Configuration: ensures changes are requested, evaluated, and authorized
COBIT 5 Principles
Meeting stakeholder needs; Covering the enterprise end to end; Applying a single integrated framework; Enabling a holistic approach; Separating governance from management
9 Which of the following is an example of why an ongoing IT compliance program is important? A. Organizations are dynamic, growing environments B. Threats evolve C. Laws and regulations evolve D. All of the above
D. All of the above
13 What PCAOB standard states that the auditor should assess the amount of IT involvement in the financial reporting process? A. Auditing Standard No. 1 B. Auditing Standard No. 11 C. Auditing Standard No. 55 D. Auditing Standard No. 5
D. Auditing Standard No. 5
11 Which of the following is not part of the change management process? A. Identify and request B. Evaluate request C. Decision response D. Implement unapproved change E. Monitor change
D. Implement unapproved change
Descriptive vs Prescriptive controls?
Descriptive: high level/align with IT business goals; Prescriptive: specific/standardize IT operations and tasks
Traffic Anomaly-Based Intrusion Detection
Finds deviations based on traffic, relies on normal patterns of traffic
International Organization for Standardization (ISO) 27000 series
Focuses on management and processes by relying on other standards
1. A ________ is a conceptual set of rules and ideas that provide structure to a complex and challenging situation.
Framework
What are Organizational Barriers to IT?
Funding/management support, no alignment to business objectives, misunderstanding of rationale for IT compliance
7 Responding to business requirements in alignment with the business strategy is an example of an IT _____________.
Goal
Service Organization Control (SOC) Reports
Help customers understand adequate controls and processes are in place
Statistical Anomaly-Based Intrusion Detection
Identifies suspicious behavior, detects unknown attacks, requires tuning, challenging to define normal traffic and vulnerable to false positives
Log message types
Informational, Debug, Warning, Errors, Alerts
Network Intrusion Detection System (NIDS)
Inspects packets, monitors sessions, doesn't impact network, can't monitor encrypted traffic
Log Message Event
The currency of exchange in a logging system. When your log data is in a common format it makes it much easier to manipulate the data so that meaning can be derived from it.
Auditing ISS Domains: LAN to WAN Domain
Use: WAN connects multiple LANs Scope: Routers, firewalls, intrusion detection devices Improvement: Public IP addresses; high level of security required
Log Message Structure
Timestamp; source; data
IDS Anomaly Detection
Unauthorized attempt
Auditing ISS Domains: User Domain
Use: Anyone accessing the organization's information Scope: Acceptable use policy (AUP), system access policy, Internet access policy, e-mail policy Improvements: Authentication methods
Auditing ISS Domains: LAN Domain
Use: Computing and networking equipment Scope: Access to centralized resources (file servers, printers), administration, physical connections Improvement: Logon access control, hardening, configuration, backup procedures, network power supply
Auditing ISS Domains: System/Application Domain
Use: Systems and software applications that users access Scope: Mainframes, application servers, Web servers, proprietary software, and applications Improvement: Harden servers to authorized baseline, configured to policies and standards with controls
Guideline
A document that supports standards and policies, but is not mandatory.
COBIT
A high-level control objective for Ensuring Systems Security
4 If a baseline security control cannot be implemented, which of the following should be considered? A. Compensating control B. Baseline security control standard revision C. Policy revision D. None of the above
A. Compensating control
9 Which one of the following is not one of the four domains of COBIT? A. Plan and organize B. Implement and support C. Acquire and implement D. Deliver and support E. Monitor and evaluate
A. Plan and organize
4 Which of the following should organizations do when selecting a standard? (select three) A. Select a standard that can be followed B. Employ the selected standard C. Select a flexible standard D. Select a standard that other organizations in the same geographic region are using
A. Select a standard that can be followed B. Employ the selected standard C. Select a flexible standard
2 Frameworks differ from each other in that they might offer varying levels of depth and breadth. A. True B. False
A. True
Security Information and Event Management (SIEM)
An approach to security that seeks to provide a holistic view of an organization's information technology (IT) security; a system that allows real-time analysis
8 Which one of the following is not true of COBIT? A. It is business focused B. It's security-centered C. It's process oriented D. It's controls based E. It's measurement driven
B. It's security-centered
8 Mitigating a risk from an IT security perspective is about eliminating the risk to zero. A. True B. False
B. False
7 Which of the following policies would apply to the user domain concerning the 7 domains of an IT infrastructure? A. Acceptable use policy B. Internet Access policy C. Security incident policy D. Firewall policy E. Answers A and B F. Answers B and D
E. Answers A and B
10 Policies, standards, and guidelines are part of the policy ___________
framework
1 After mapping existing controls to new regulations, an organization needs to conduct a ________ analysis
gap
Log messages
generated by some device or system to denote that something has happened. That is, log messages are what a computer system, device, software, etc. generates in response to some sort of stimuli.
Monitoring tools
tools running in the background ("daemons" or services) that collect events, but can also initiate their own probes (using diagnostic tools) and record the output, in a scheduled fashion.