Chapter 1: Comparing Security Roles and Security Controls
What distinguishes DevSecOps from a traditional SOC? A.) Software code is the responsibility of a programming or development team. B.) Identification as a single point-of-contact for the notification of security incidents. C.) A cultural shift within an organization to encourage much more collaboration. D.) Security is a primary consideration at every stage of software development.
D
This is a set of security procedures and technologies designed to restrict network access at a device level. It contrasts with the focus on perimeter security, like firewalls.
Endpoint security
After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address? A.) Compensating B.) Deterrent C.) Corrective D.) Detective
C
An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) framework. When documenting the "detect" function, what does the engineer focus on? A.) Evaluate risks and threats B.) Install, operate, and decommission assets C.) Ongoing proactive monitoring D.) Restoration of systems and data
C
These controls are in place to restore function after an attack has occurred (for example, restoring from backup or applying an incident response plan).
Corrective
This is a security control that serves as a substitute for a principal control, as recommended by a security standard.
Compensating
What does CERT Stand for?
Computer Emergency Response Team
This act specifically requires federal agencies to develop security policies for computer systems that process confidential information.
Computer Security Act (1987)
What does CSIRT Stand for?
Computer Security Incident Response Team
This is an IT governance framework with security as a core component. It is published by ISACA and is also a commercial product, available through APMG International.
Control Objectives for Information and Related Technologies (COBIT)
An incident response plan is ____________. It responds to and fixes an incident. It may also prevent its recurrence.
Corrective
What does CIRT Stand for?
Cyber Incident Response Team
This is a list of activities and objectives undertaken to mitigate risks. Using a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. Created by the National Institute of Standards and Technology (NIST).
Cybersecurity Framework (CSF)
How might the goals of basic network management not be well-aligned with the goals of security? A.) Management focuses on confidentiality and availability. B.) Management focuses on confidentiality over availability. C.) Management focuses on integrity and confidentiality. D.) Management focuses on availability over confidentiality.
D
This is the part of the National Institute of Standards and Technology (NIST) framework that covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them.
Identify
What are the five functions in the National Institute of Standards and Technology (NIST) framework?
Identify, Protect, Detect, Respond and Recover
This means that any data is stored and transferred as intended and that any modification is authorized. It is part of the CIA triad.
Integrity
This means that any information is accessible to those authorized to view or modify it. It is part of the CIA triad.
Availability
Network management would encompass the responsibility for systems up-time and availability. Security administrators would focus on ____________________________________________.
Integrity and Confidentiality
They develop standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (the 27000 series). The standards are sold as commercial products.
International Organization for Standardization (ISO)
A dedicated cyber incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) as a _________________________ for the notification of security incidents. This function might be handled by the SOC or it might be established as an independent business unit.
single point-of-contact
This means that certain information should only be known to certain people. It is part of the CIA triad.
Confidentiality
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Select the broad class of security control that accurately demonstrates the purpose of the audit. A.) Managerial B.) Technical C.) Physical D.) Compensating
A
Any external responsibility for an organization's security lies mainly with which individuals? A.) The owner B.) Tech staff C.) Management D.) Public relations
A
Which of the following focuses exclusively on IT security, rather than IT service delivery? A.) National Institute of Standards and Technology (NIST) B.) International Organization for Standardization (ISO) C.) Control Objectives for Information and Related Technologies (COBIT) D.) Sherwood Applied Business Security Architecture (SABSA)
A
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry best practice? (Select all that apply.) A.) Provide user training on identifying cyber threats. B.) Adopt a vendor-specific stance. C.) Align administrative and technical controls with control functions. D.) Move endpoint security to the firewall.
A and C
These controls should align with the control functions - prevent, deter, detect, correct, and compensate
Administrative and technical
System security may be a dedicated business unit with its own management structure. As a result, network management might only concern itself with ________________.
Availability
The _____ requires federal agencies to develop security policies for computer systems that process confidential information. A.) Sarbanes-Oxley Act (SOX) B.) Computer Security Act C.) Federal Information Security Management Act (FISMA) D.) Gramm-Leach-Bliley Act (GLBA)
B
Which security-related phrase relates to the integrity of data? A.) Accessibility is authorized B.) Modification is authorized C.) Knowledge is authorized D.) Non-repudiation is authorized
B
This means an attacker must get past multiple, layered security controls to fully compromise a network, so no single control failure leads to compromise. Since employees are one of the greatest security risks, user training is a critical component of the layering.
Defense in depth
This is the part of the National Institute of Standards and Technology (NIST) framework that refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
Detect
This is a control that may not prevent or deter access, but will identify and record any attempted or successful intrusion (for example, logging, intrusion detection systems, and security cameras that are monitored).
Detective
This is a control that may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion (for example, warning signs or visible cameras).
Deterrent
This extends the DevOps boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as "shift left," meaning that security considerations are made during the requirements and planning phases, not grafted on at the end.
Development, Security, and Operations (DevSecOps)
This is a cultural shift within an organization to encourage much more collaboration between developers and system administrators.
Development and operations (DevOps)
__________________ responsibility for security (due care or liability) lies mainly with directors or owners. It is important to note that all employees share some measure of responsibility.
External
As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the _____________________________ plus advisory guides called Special Publications (SP).
Federal Information Processing Standards (FIPS)
This act governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.
Federal Information Security Management Act (2002) - (FISMA)
This is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
Gramm-Leach-Bliley Act (1999)- (GLBA)
This is the class of control that gives oversight of the information system, including the selection of other security controls. Examples of this type of control are risk assessments, regular scans, and audits.
Managerial
___________________________ at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting.
Managers
This is the only organization within the IT governance space focusing solely on security. Its standards are mandatory for US federal agencies, and it publishes cybersecurity best practice guides and research.
National Institute of Standards and Technology (NIST)
This means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. Having a witness to the signing of a legal document is an example.
Non-repudiation
______________________ staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.
Non-technical
These are controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware. They are often classed separately from technical and managerial controls.
Physical
These controls deter access to premises and hardware. Examples include alarms, gateways, and locks.
Physical
This control acts to eliminate or reduce the likelihood that an attack can succeed. It operates before an attack can take place. Access control lists (ACLs) configured on firewalls and file system objects are ___________________ types of controls.
Preventative
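An ACL is preventative only if its rules actually fire in the intended order. The following is an added worked example, not part of the original study set, that models first-match ACL evaluation in Python with the implicit deny-all that most firewall ACLs apply when no rule matches. The networks, ports, and rule sets are constructed for illustration; the "shadowed rule" check shows the classic mistake of placing a broad permit above a specific deny, which silently turns the deny into a no-op.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: IPv4Network         # source network the rule applies to
    dst_port: Optional[int]  # destination port, or None for any port


def rule(action: str, src: str, dst_port: Optional[int] = None) -> Rule:
    """Small constructor so rule sets read like a firewall config."""
    return Rule(action, ip_network(src), dst_port)


def matches(r: Rule, src_ip: IPv4Address, dst_port: int) -> bool:
    return src_ip in r.src and (r.dst_port is None or r.dst_port == dst_port)


def evaluate(acl: List[Rule], src_ip: str, dst_port: int) -> str:
    """First matching rule wins. If nothing matches, the packet is denied,
    modelling the implicit deny-all at the end of a typical firewall ACL."""
    ip = ip_address(src_ip)
    for r in acl:
        if matches(r, ip, dst_port):
            return r.action
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    covers every packet they would match (same or wider source, same or any port)."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            covers_src = later.src.subnet_of(earlier.src)
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if covers_src and covers_port:
                shadowed.append(i)
                break
    return shadowed


# Constructed sample policy (assumed addressing, not from the original page):
# 10.0.99.0/24 is a guest VLAN that must never reach SSH (tcp/22); the rest of
# 10.0.0.0/8 may.
WEAK_ACL = [
    rule("permit", "10.0.0.0/8"),        # broad permit first ...
    rule("deny", "10.0.99.0/24", 22),    # ... so this deny is shadowed and never fires
]

HARDENED_ACL = [
    rule("deny", "10.0.99.0/24", 22),    # most specific rule first
    rule("permit", "10.0.0.0/8"),
    rule("deny", "0.0.0.0/0"),           # explicit catch-all so the policy end is visible
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "guest->ssh:", evaluate(acl, "10.0.99.7", 22),
              "shadowed rule indexes:", shadowed_rules(acl))
```

Running the block shows the guest host reaching SSH under WEAK_ACL and being denied under HARDENED_ACL. The shadowed_rules check is the kind of audit a managerial control (a periodic rule review) would run over a preventative one.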
This is the part of the National Institute of Standards and Technology (NIST) framework that covers the processes to procure, install, operate, and decommission IT hardware and software assets, with security as an embedded requirement of every stage of the operations life cycle.
Protect
This is the part of the National Institute of Standards and Technology (NIST) framework that deals with the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.
Recover
This is the part of the National Institute of Standards and Technology (NIST) framework that identifies, analyzes, contains, and eradicates threats to systems and data security.
Respond
This act mandates the implementation of risk assessments, internal controls, and audit procedures for publicly traded companies. Unlike GLBA, it is not limited to a specific industry.
Sarbanes-Oxley Act (2002) - (SOX)
This evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data.
Service Organization Control (SOC2)
This is a methodology for providing information assurance aligned to business needs and driven by risk analysis.
Sherwood Applied Business Security Architecture (SABSA)
This control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. These controls may also be described as logical controls.
Technical
______________________ staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators.
Technical and specialist
What are the three broad classes of security controls?
Technical, Operational, and Managerial.
These are not consistent with defense in depth. A single vendor often means less innovation, the likelihood that some of the bundled products will be second-rate, and a more vulnerable attack surface, because a flaw in that one supplier's code base affects every layer at once.
Vendor-specific policies