CMIS 424 Exam 2


Who runs CIS?

- A community-driven nonprofit organization responsible for the CIS Controls and CIS Benchmarks

What are the pros of using SDLC?

- Controls
- Accountability
- Error Detection

What are some methods of information system acquisition?

- Custom Development
- Commercial Off-The-Shelf (COTS)
- Outsourcing
- Open-Source Software

What are some common PC security risks?

- Risk of theft and virus infection
- Weak backup procedures
- Operating system weakness
- PCs provide only minimal security for data files and programs
- Weak access control
- Inadequate segregation of duties
- Multilevel password control used to restrict employees sharing computers

Parallel Running

Both old and new systems run simultaneously for a period, ensuring the new system works correctly before the old one is discontinued.

Outsourcing

Contracting an external vendor to develop or manage the system.

What is GDPR?

GDPR stands for General Data Protection Regulation. The General Data Protection Regulation (GDPR):
- is the toughest privacy and security law in the world.
- Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
- It is a European Union (EU) law that came into effect on 25 May 2018.
- GDPR governs the way in which we can use, process, and store personal data.

What are some Pros and Cons of using "off the shelf" software?

Pros:
- Lower up-front cost
- Feature rich
- May meet most of your business needs
- Support is often included or can be added with a maintenance contract
- User communities across the internet and forums provide self-help support
- Quick to deploy
- All design, development, QA/testing is handled by the vendor

Cons:
- May come with upgrade costs, licensing fees, or per-seat costs
- Will likely not meet all business needs
- May include features and functions that are not wanted
- You may have to change business processes to match the software functionality
- Will be variably out-of-sync with your business vernacular

Why do we audit the SDLC?

- Ensure that systems meet organizational needs and requirements.
- Verify the integrity and quality of the developed systems.
- Assess risks and ensure they are adequately managed.

What are the system documentation deliverables for Systems Implementation - Phase VII?

- Equipment is purchased and installed, employees are trained, the system is documented, and the new system is installed and configured
- Post-implementation review (PPR) is an important step that takes place months later
- Celebrate

How are the CIS CSC and COBIT frameworks different?

- CIS CSC is not a governance framework like COSO and COBIT
- COBIT is a framework that helps organizations manage IT-related risks and covers a wide range of IT governance issues
- CIS Controls is focused on providing a prioritized set of actions to improve an organization's cybersecurity posture

CSC is a little more actionable than NIST. CIS and NIST frameworks share many similarities. Still, they are fundamentally different frameworks. For example, the CIS Controls are a Control framework, while the NIST Cybersecurity Framework is a Program framework. This difference is crucial when determining a framework's best use case.

How are the CIS CSC and the NIST frameworks different?

- CSC is a little more actionable than NIST
- The CIS Controls are a Control framework
- The NIST Cybersecurity Framework is a Program framework
- This difference is crucial when determining a framework's best use case

What makes a "good" auditor?

- Detail-oriented, data driven, good documentation, good listener.
- Auditors need to use their analytical skills to examine information, interpret it, and present innovative and alternative solutions to a problem. Innovative thinking — not to mention responsibility, ethics, and honesty — is what will get you respect in the business world.

(Not Jack's definition; couldn't find it.)

What are some common Contra-security behaviors?

- Forgetting passwords or failing to regularly change them
- Post-it syndrome, which puts passwords on display
- Simplistic passwords that are easy for criminals to anticipate

What are the system documentation deliverables for Systems Maintenance - Phase VIII?

- Formal process by which application programs undergo changes to accommodate changes in user needs
- As much as 80% - 90% of total cost may be incurred in the maintenance phase

Why are some companies switching to a DevOps model?

- Improve deployment frequency.
- Achieve a faster time to market.
- Lower failure rate of new releases.
- Shorten the lead time between fixes.

What are some threats to OS Integrity?

- Malware
- Unauthorized Access
- Configuration Errors
- Software Vulnerabilities
- Physical Threats
- Social Engineering
- Zero-Day Attacks

What are some common ones?

- Most commonly used passwords are reusable
- Management should require changes and disallow weak ones
- One-time passwords are automatically generated constantly by the system when a user enters a PIN
- Multifactor authentication (MFA)

What are some common PC audit procedures?

- Observe PCs are physically anchored
- Verify segregation of duties and/or adequate supervision
- Confirm reports are prepared, distributed, and reconciled by appropriate management
- Determine multilevel password control as needed
- Verify drives are removed and stored appropriately
- Verify backup procedures are appropriate
- Verify software purchases and selection and acquisition procedures
- Review policy for using antiviral software

Which phases are typically used in auditing change management?

- Planning
- Testing
- Implementation
- Post-Implementation Review

What are some things that can go wrong in each phase?

- Poor planning
- Poor testing
- Poor implementation, etc.

What are the system documentation deliverables for System Analysis - Phase II?

- Process to survey current system and analyze user needs
- Analyst may determine root cause of problems, which may not be the system at all

What are the system documentation deliverables for Application Programming and Testing - Phase VI?

- Program the application software
- Programming system should follow a modular approach to achieve programming efficiency, maintaining efficiency and control

What are the 2 methods of information system acquisition?

- Purchase commercial systems from software vendors
- In-house system development

What are the cons of using SDLC?

- Relatively Inflexible
- Time-Consuming and Expensive
- Discourages changes once user requirements are done
- No focus on security

Why was the CIS created?

- The Center for Internet Security (CIS) was created to improve cybersecurity by developing standardized security best practices
- It aims to help organizations prevent, detect, and mitigate cyber threats through its CIS Critical Security Controls (CSC) and CIS Benchmarks
- CIS was created in response to the growing number of cyberattacks and the need for a practical, actionable security framework

What's the difference between active and passive discovery tools?

- The main difference between active and passive reconnaissance is the level of interaction with the target system or network.
- Active reconnaissance involves actively interacting with the target; passive reconnaissance involves gathering information without actively interacting with it.

Passive Discovery Tool:
- Passive discovery quickly identifies and catalogs the assets within their environment without having to query each asset individually
- It relies on historical data, so it does not necessarily have to account for network segmentation while scanning.

Active Discovery Tool:
- Active discovery is identifying and cataloging assets within an organization's environment
- This can be done manually or through the use of automated tools
- The goal of active discovery is to create an accurate inventory of all devices and software within the network.

What changes were made in CIS CSC Version 8?

- The new v8 guidelines reordered the v7 CIS Controls based on activities to help organizations better apply the principles of the security controls
- The standard itself does not dictate the application of security controls but rather provides a flexible framework that can be applied to many environments.

What are the system documentation deliverables for System planning - Phase 1?

- To align individual systems projects to the strategic objectives of the firm
- Two levels: strategic systems planning (program office) and project planning

What are the system documentation deliverables for Detailed Design - Phase V?

- To produce a description of the proposed system that satisfies requirements identified during systems analysis
- Components presented formally in a detailed design report that constitutes a set of "Blueprints"

What are the 4 methods of system implementation? Which one has the most risk? Which one has the least risk?

1. Cold turkey cutover:
   - Firm switches to the new system and simultaneously terminates the old system
2. Phased Cutover:
   - Begins operating the new system in modules. Reduces risk of a devastating failure but can create incompatibilities during the process
3. Pilot Cutover:
   - The new system is introduced in a limited scope to a small group of users before full deployment
4. Parallel Operation cutover:
   - Involves running both systems simultaneously for a period of time. Most time consuming, and costly, but least risky approach

Most risky:
- Cold turkey cutover

Least risky:
- Parallel Operation Cutover

What are four different methods of system implementation?

1. Direct Changeover
2. Parallel Running
3. Phased Implementation
4. Pilot Implementation

What are the 5 big OS Control Objectives?

1. Protect itself against tampering by users.
2. Protect users from accessing, destroying, or corrupting another user's programs or data.
3. Safeguard users' application modules from destroying or corrupting other modules.
4. Safeguard its own modules from destroying or corrupting other modules.
5. Protect itself from its environment including power failures and other disasters.

We will use the 8 phase version of the SDLC from the Hall textbook. What are those phases?

1. System Planning Activities
2. System Analysis Activities
3. Conceptual Activities
4. Systems Selection Activities
5. Detailed (Technical) Design Activities
6. Programming and Testing Activities
7. Implementation Activities
8. Maintenance Activities

What is a Password?

A secret code a user enters to gain access to the system or data.

What is a control objective?

A statement about how an organization plans to effectively manage risk. "Our controls provide reasonable assurance that physical and logical access to databases and data records is restricted to authorized users" is an example of a control objective.

What are 3 threats to OS Integrity?

Accidental threats include hardware failures and errors in user applications. Intentional threats are often attempts to illegally access data or violate privacy for financial gain. The growing threat is now e-Crime.

What is the average value of a stolen record in a data breach? Who says?

According to Microsoft, $3.8 million is the average value in a data breach

What's the difference between administrative controls and technology controls?

Administrative Controls:
- A set of security rules, policies, procedures, or guidelines specified by management to control access to and usage of confidential information.
- Includes all levels of employees in the organization and determines the privileged access to the resources used to access data.

Technical Controls:
- Consist of the hardware and software components that protect a system against cyberattack
- Firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms are examples of technical controls.
- Security controls classified by type include administrative, technical, and physical

What is an Audit Objective?

Aims to identify vulnerabilities, risks, and threats that may affect the organization. Including:
- Data Security: involves reviewing network access control, encryption use, data security at rest, and transmissions.

What is an ACL?

An access control list (ACL) is made up of rules that either allow access to a computer environment or deny it. In a way, an access control list is like a guest list at an exclusive club. Only those on the list are allowed in the doors.

Access Control List: Assigned to each IT resource, used to control access to a resource. The user logs into the domain (Active Directory is a domain); the ACL is found in Active Directory.

"To ensure that users are compliant with the security policy" would be an example of _________. (A much more specific "what"; typically tests the effectiveness of a control to ensure compliance with a specific policy.)

Audit Objective

"To ensure that users are protected against malware" would be an example of _____________. (High-level "why"; typically relates to a business process.)

Audit Purpose

What's the difference between cost and price?

Cost:
- Could cost more than money, such as upgrades, employee training/time off, and losing time.

Price:
- Money

Custom Development

Creating a bespoke system in-house.

Critical thinking question Example

DDOS Attack Controls: To counteract DDOS attacks, organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI) as opposed to SPI. Works as a filter that removes malicious packets from the flow before they can affect servers and networks. ISPs and CSPs can play a role too.

DDOS Threats - Audit Objective: Test the effectiveness of incoming and outgoing traffic controls for malicious data.

DDOS Threats - Audit Procedures: Inspection of firewall presence in the network. Inspection of network traffic packets to provide reasonable assurance that the firewall is effective.

Smurf

DOS attack in which the attacker uses numerous intermediary computers to flood the target computer with test messages ("pings"), causing network congestion

Which one of the four methods of system implementation has the most risk?

Direct Changeover

How is PKI different from encryption?

PKI (Public Key Infrastructure) constitutes the policies and procedures for administering:
- Use of private and public keys for asymmetric encryption.
- Plus, use of a digital certificate which is issued by a trusted third party called a certification authority (CA).

What are the system documentation deliverables for System Evaluation and Selection - Phase IV?

Identify the optimal solution from alternatives
- First step is a detailed feasibility study
- Second step is a cost-benefit analysis

What is sniffing?

Interception of user IDs, passwords, confidential emails, and financial data files.

Focus on the language in controls 1.0, 2.0, and 3.0.

- Inventory and Control of Enterprise Assets - Walkthrough 1.0 and active vs. passive discovery tools
- Inventory and Control of Software Assets - Walkthrough 2.0 and admin/mgmt controls vs. tech controls
- Data Protection - Walkthrough 3.0 and GDPR and CDO
- Secure Configuration of Enterprise Assets and Software - Walkthrough 4.0 and the MORE important assets and competitive advantage

NOT DONE

Denial of Service (DOS) Attack

An assault on a Web server to prevent it from servicing users

What is spoofing?

Masquerading to gain access to a web server and/or to perpetrate an unlawful act without revealing one's identity

Which one of the four methods of system implementation has the least risk?

Parallel Running

How can we defend against a DDOS attack?

To counteract DDOS attacks, organizations use intrusion prevention systems (IPS) that employ deep packet inspection (DPI) as opposed to SPI
- Works as a filter that removes malicious packets from the flow before they can affect servers and networks
- ISP plays a role too

What are the 2 types of audit logs?

Keystroke monitoring: Involves recording the user's keystrokes and the system's response.

Event monitoring: Summarizes key activities related to system resources.

Which phase is 80% of the total cost?

Maintenance Phase

Distributed Denial of Service (DDOS)

May take the form of Smurf or SYN attacks, but is distinguished by the vast number of zombie computers (bots) hijacked to launch the attacks

What are the system documentation deliverables for Conceptual System Design - Phase III?

To produce alternative systems that satisfy identified system requirements

What are the 2 different types of firewalls? What do they do?

Network-Level Firewalls:
- Provide efficient, low-security control.

Application-Level Firewalls:
- Provide higher security control, customizable network security, but add overhead cost

Pilot Implementation

New system is first introduced in a small area of the organization, before a full-scale implementation.

Phased Implementation

New system is implemented in phases, allowing lessons from each phase to improve the following ones.

Direct Changeover

Old system is directly replaced by the new one. All users move to the new system at once.

What is a Firewall?

Prevents unauthorized access to or from a private network. To accomplish this:
- All traffic between the outside network and the organization's intranet must pass through the firewall.
- Only authorized traffic is allowed to pass through the firewall, which must be immune to all penetration.

Commercial Off-The-Shelf (COTS)

Purchasing a ready-made product.

What are some differences between symmetric and asymmetric encryption?

Symmetric encryption: uses the same key for both encryption and decryption.

Asymmetric encryption: uses 2 keys, a public key for encryption and a private key for decryption.

What is CIA?

The CIA triad is a common model that forms the basis for the development of security systems.
- C - Confidentiality
- I - Integrity
- A - Availability

Open Source Software

Utilizing freely available software.

What's the latest version of CIS CSC?

Version 8

SYN Flood

When the three-way handshake needed to establish an internet connection occurs, the final acknowledgement is not sent by the DOS attacker, thereby tying up the receiving server while it waits

Audit Scope

The extent and boundaries of an audit

Audit Objectives

Refer to the specific goals that must be accomplished by the audit
