5. Risk Management
Incident Response Procedures
-notification -escalation -reporting -system isolation -forensic analysis -evidence handling
Security procedures
-outline a step-by-step process for an activity -may require compliance, depending upon the circumstances
Incident Response Process
-preparation -identification -containment -eradication -recovery -lessons learned
Security Guidelines
-provide advice to the organization -follow best practices from industry -suggest optional practices: not mandatory
Security Standards
-provide specific details of security controls -derive their authority from policies -follow a less rigorous approval process -require compliance from all employees
Security Policies
-provide the foundation for a security program -are written carefully over a long period of time -require compliance from all employees -are approved at the highest levels of the organization
Warm sites
-stocked with all necessary equipment and data -not maintained in a parallel fashion -similar in expense to hot sites -available in hours or days
Classification Levels Military
-top secret -secret -confidential -unclassified
Documentary Evidence Rules
1. Authentication rule: documents must be authenticated by testimony 2. Best evidence rule: original documents are superior to copies 3. Parol evidence rule: written contracts are assumed to be the entire agreement
Business Impact analysis BIA
Identifies and prioritizes risks
Risk Assessment
Identify and prioritize risk
Incremental Backups
Include all data modified since the last full or incremental backup
Redundant Array of Inexpensive Disks RAID
Instead of using one large disk to store data, one can use many smaller disks (because they are cheaper). An approach to using many low-cost drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.
Criminal Investigations
Look into possible crimes -involve the possibility of fines and jail time -use the beyond a reasonable doubt standard of evidence
Operational Investigations
Look into technology issues -seek to resolve technology issues -restore normal operations as quickly as possible -use very low standards of evidence -involve root cause analysis
Fault Tolerance FT
Makes a single system resilient against technical failures
Recovery Time Objective RTO
Maximum amount of time that it should take to recover a service after a disaster
Recovery Point Objectives RPO
Maximum time period from which data may be lost in the wake of a disaster
Defense in Depth
Multiple controls for one objective.
Separation of Duties
No individual should possess two permissions that, in combination, allow them to perform a highly sensitive action.
What technology is commonly used for Big Data datasets? PostgreSQL NoSQL MySQL SQL Server
NoSQL
Annualized Rate of Occurrence ARO
Number of times a risk is expected to occur each year
GAPP principle 5 Use, Retention, and Disposal
Organizations should only collect and use personal information for disclosed purposes, and they should dispose of the data securely as soon as it is no longer needed for the disclosed purpose.
GAPP principle 7 Disclosure to Third Parties
Organizations should only share information with third parties if that sharing is consistent with the purposes disclosed in privacy notices and they have the consent of the individual to share that information.
GAPP principle 1 Management
Organizations handling private information should have policies, procedures, and governance structures in place to protect privacy.
GAPP principle 6 Access
Organizations should provide data subjects with the ability to review and update their personal information.
GAPP principle 8 Security
The organization must secure private information against unauthorized access, either physically or logically
GAPP principle 3 Choice and Consent
The organization should inform data subjects of their options regarding the data they own and get consent from those individuals for the collection, storage, use, and sharing of that information
GAPP principle 4 Collection
The organization should only collect personal information for purposes disclosed in its privacy notices.
Service Level Agreement SLA
a written contract between the vendor and the customer that describes the conditions of service and penalties the vendor will incur for failure to maintain the agreed-upon service levels.
Acceptable use policy AUP
defines proper system usage, or the rules of behavior for employees when using information technology systems
Data Disposal Policies
describes proper techniques for destroying data that is no longer needed by the organization
Deterrent Controls
designed to discourage attack attempts (fence, burglar alarms)
Corrective Controls
designed to help an organization recover from an incident (backups)
Preventive controls
designed to stop attacks that are in progress
Physical controls
deter, detect, or prevent unauthorized physical access to a facility
Clean Desk Policy
directs users to keep their areas organized and free of papers. The primary goal is to reduce threats of security incidents by ensuring the protection of sensitive data.
Server logs are an example of _____ evidence. testimonial expert opinion real documentary
documentary
Exposure Factor EF
expected % of damage to an asset
Annualized Loss Expectancy ALE
expected dollar loss from a risk in any given year SLE * ARO = ALE
Single Loss Expectancy SLE
expected dollar loss if the risk occurs one time AV * EF = SLE
Memorandum of understanding MOU and Memorandum of agreement MOA
expresses an understanding between two or more parties indicating their intention to work together towards a common goal.
Threat
external force jeopardizing security
Compensating controls
fill gaps left when you are unable to implement other required controls.
Mandatory Vacation
force privileged users to take one or two weeks of consecutive vacation annually
Which element of the security policy framework includes suggestions that are not mandatory? policies guidelines standards procedures
guidelines
Data Steward
handles the day-to-day data governance activities. They are delegated this responsibility by the data owner.
Protected Health Information PHI
health records about an individual patient
What type of control are we using if we supplement a single firewall with a second standby firewall ready to assume responsibility if the primary firewall fails? component redundancy load balancing high availability clustering
high availability
What type of disaster recovery site is able to be activated most quickly in the event of a disruption? hot site warm site lukewarm site cold site
hot site
Full Backups
include a complete copy of all data
Differential Backups
include all data modified since the last full backup
What type of backup includes only those files that have changed since the most recent full or incremental backup? full incremental partial differential
incremental
Which one of the following is not one of the GAPP principles? collection management integrity notice
integrity
Separation of duty
is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It is designed to prevent fraud, theft, and errors.
Privilege Aggregation
jeopardizes least privilege. Also called privilege sprawl
What security principle prevents against an individual having excess security rights? separation of duties mandatory vacations job rotation least privilege
least privileged
Memorandum of Understanding MOU
letter written to document aspects of the relationship. Also known as Memorandum of Agreement MOA
What two factors are used to evaluate a risk? frequency and likelihood criticality and likelihood impact and criticality likelihood and impact
likelihood and impact
Need to know
limits information access
Least Privileged
limits system permissions
Replacement cost technique
looks at current supplier prices to determine the actual cost of replacing an asset in the current market and then uses that cost as the asset's value.
Administrative controls
management processes that we put in place to improve enterprise security
Which evidence source should be collected first when considering the order of volatility? temporary files process information logs memory contents
memory content
Wireshark Monitors Networks
network packet capture
Asset Value AV
the dollar value of an asset -original cost -depreciated cost -replacement cost
GAPP principle 10 Monitoring and Enforcement
the organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism
GAPP principle 9 Quality
the organization should take reasonable steps to ensure that the private information they maintain is accurate, complete, and relevant
Pulverizing
the process of physically destroying media to sanitize it, such as with a sledgehammer.
Volatility
the relative permanence of a piece of evidence: evidence that may not last long is more volatile than more permanent sources of evidence.
Which one of the following is not a commonly-used business classification level? Internal Highly Sensitive Top Secret Sensitive
top secret
Technical controls
use of technology to achieve security controls objectives
Risk assessment: Quantitative
uses objective numeric rating to evaluate risk likelihood and impact (usually in terms of dollars)
Risk assessment: Qualitative
uses subjective ratings to evaluate risk likelihood and impact (low, medium, high)
Degaussing
very powerful electromagnet. Passing media through a degaussing field renders the data on tapes and magnetic disk drives unreadable.
What type of technology prevents a forensic examiner from accidentally corrupting evidence while creating an image of a disk? sealed container hashing evidence log write blocker
write blocker
Business Partners Agreement BPA
written agreement that details the relationship between business partners, including their obligations towards the partnership.
Risk Deterrence
takes actions that dissuade a threat from exploiting a vulnerability
Hot site
-fully operational data centers -stocked with equipment and data -available at a moment's notice -very expensive
Classification Levels Business
-highly sensitive -sensitive -internal -public
Compliance Obligations
-laws -regulations -standards
Preemployment Screening
-criminal records checks -sex offender registry -reference checks -education and employment verification -credit checks
Cold sites
-empty data centers -stocked with equipment, network, and environmental controls -relatively inexpensive -operational in weeks or months
Information security Policy
-designation of individual responsible for security -description of security roles and responsibilities -authority for creation of security standards -authority for incident response -process for policy exceptions and violations
Acceptable Use Policy
-also known as responsible use policy -describes how individuals may use information systems -prohibits illegal activity -describes what personal use is permitted
Order of Volatility
1. Network traffic 2. Memory contents 3. System and process data 4. Files 5. Logs
Incident Response Program Components
1. Policy and plan documentation 2. Procedures for incident handling 3. Guidelines for communicating externally 4. Structure and staffing model for the team 5. Description of relationship with other groups
What is the minimum number of disks required to perform RAID level 5? 1 2 4 3
3
grandfather-father-son (GFS)
A common backup rotation scheme that uses three levels of backups.
Risk Register
A document that contains results of various risk management processes, often displayed in a table or spreadsheet format
Risk Avoidance
A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact (e.g., move the data center to a non-flood zone)
Once an organization complies with GAPP, best practice says they should collect as much information as possible to provide good service, provided that they remain GAPP compliant. TRUE FALSE
False
What is the correct formula for computing the annualized loss expectancy? ALE = EF * SLE * ARO ALE = AV - SLE ALE = ARO * AV ALE = SLE * ARO
ALE = SLE * ARO
Business partnership agreement BPA
Agreement between partners
GAPP Developers
American Institute of Certified Public Accountants AICPA; Canadian Institute of Chartered Accountants CICA; Information Systems Audit and Control Association ISACA; Institute of Internal Auditors IIA
Interconnection Security Agreement (ISA)
An agreement between parties intended to minimize security risks for data transmitted across a network. Normally provides details on connection security parameters such as the encryption standards and transfer protocols
Mean Time to Repair MTTR
Average time required to return a repairable component to service
Which one of the following individuals would not normally be found on the incident response team? CEO human resources staff legal counsel information security professional
CEO
Documentary Evidence
Consists of written information
GAPP principle 2 Notice
Data subjects should receive notice that their information is being collected and used, as well as access to the privacy polices and procedures followed by the organization.
RAID 5
Disk striping with parity, RAID 5, uses three or more disks to store data and parity information. (requires three or more)
Service Level Requirements SLR
Document specific requirements that a customer has about any aspect of a vendor's service performance.
Lessons Learned
Provides incident responders with an opportunity to reflect on the incident response efforts and offers feedback that will improve the organization's response to future incidents
RAID Mirroring
RAID 1 stores the same data on two different disks (requires two disks)
What disaster recovery metric provides the targeted amount of time to restore a service after a failure? MTO RPO RTO TLS
RTO
Risk Mitigation
Reduce the likelihood or impact of the risk.
Two Person Control
Requires the authorization of two separate individuals to carry out a sensitive action; also known as dual control (missile launch)
Job Rotation
Rotate users in and out of position with sensitive responsibilities
What type of agreement is used to define availability requirements for an IT service that an organization is purchasing from a vendor? SLA MOU ISA BPA
SLA
Security Incident and event Management SIEM
Security solution that collects information from diverse sources, analyzes it for signs of security incidents, and retains it for later use.
Software Forensics: Malware Origins
Software forensics may be used to identify the author of malicious software found on a system
Software forensics may be used to identify the origin of malware. TRUE FALSE
T
The chain of custody must be updated EVERY time someone handles a piece of evidence. TRUE FALSE
T
High Availability HA
Uses multiple systems to protect against service failure
Vulnerability
Weaknesses in security controls (missing patches, promiscuous firewalls, firewall misconfigurations)
Risk Acceptance
accepts the risk without taking future actions.
Parallel tests
activate the disaster recovery facility but do not switch operations there.
Data Custodian
actually stores and processes information; often IT staff members
Service Level Agreement SLA
agreement between a company and a vendor that stipulates performance expectations, such as minimum up time and maximum downtime levels.
Pulping
an additional step taken after shredding paper. It reduces the shredded paper to mash or puree
Regulatory Investigations
are conducted by the government
Security controls
are the procedures and mechanisms that an organization puts in place to manage security risks.
What goal of security is enhanced by a strong business continuity program? confidentiality non-repudiation integrity availability
availability
Mean Time to Failure MTTF
average time a nonrepairable component will last
Mean Time Between Failures MTBF
average time gap between failures of a repairable component
Data Owners
business leaders with overall responsibility for data. They set policies and guidelines for their data sets
Job Rotation
concept that has employees rotate through different jobs to learn the processes and procedures in each job.
Real Evidence
consists of tangible objects
Testimonial Evidence
consists of witness statements 1. Direct evidence: witness provides evidence based upon his or her own observations 2. Expert opinion: expert witness draws conclusions based upon other evidence
During an incident response, what is the highest priority of first responders? restoring operations identifying the root cause containing the damage collecting evidence
containing the damage
After Action Report AAR
create a formal record of a disaster recovery DR or business continuity BC event.
Data in Motion
data being sent over a network between two systems
Data Sovereignty
data is subject to the law of the jurisdiction where it's stored.
What data security role is normally filled by a senior-level official who bears overall responsibility for the data? data custodian data guardian data owner data steward
data owner
Data at Rest
data stored for later use on a hard drive, USB device, magnetic tape, cloud service, or other data storage environment
Which category of security control focuses on the processes that we put in place to manage technology in a secure manner? technical controls management controls administrative controls operational controls
operational control
What type of investigation would typically be launched in response to a report of high network latency? criminal civil operational regulatory
operational
Three of these choices are data elements found in NetFlow data. Which is not? packet contents amount of data transferred source address destination address
packet content
Which one of the following disaster recovery tests involves the actual activation of the DR site? parallel test simulation walk-through read-through
parallel tests
Privacy Policy
policy that indicates what kind of information a website will take from you and what they intend to do with it
Risk management
process of systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately.
During what phase of ediscovery does an organization share information with the other side? collection analysis preservation production
production
NetFlow Summarizes Traffic
providing high-level information. 1. Telephone bill: numbers called, timestamp, call duration 2. NetFlow data: IP addresses and ports, timestamps, amount of data transferred
Personally Identifiable Information PII
records that may be associated with a specific individual
Civil Investigations
resolve disputes between parties -do not involve the possibility of fines and jail time -use the preponderance of the evidence standard
Purchasing an insurance policy is an example of which risk management strategy? risk acceptance risk mitigation risk transference risk deterrence
risk transference
Threat intelligence
shares the risk information by joining a threat intelligence consortium or purchasing a threat intelligence service
Transferring Risk
shifts the impact of a risk to another organization (insurance policy)
Software Forensics : Intellectual Property
software forensics may be used to resolve intellectual property disputes between two parties
Threat vector
specific method that threats use to exploit a vulnerability ( hacker tool kit, social engineering, physical intrusion, or any number of hacking techniques)
Interconnection security agreement ISA
specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.
Data Retention Policies
specifies the minimum and/or maximum periods that an organization will retain different data elements