NIST CSF Interview Prep

GRC strengths and limitations

- reduced costs; - improved leadership effectiveness across all aspects of governance; - increased visibility into risks, threats and vulnerabilities; - ongoing compliance with required standards and regulations; - protection against unfavorable internal audits, financial penalties and litigation; and - reduction in risk across the entire organization, including business risks, financial risks, operational risks and security risks.

What is Archer?

Risk and Compliance tool business' use to protect against loss in an agile way to effectively meet strategic objectives.

5 Secure SDLC Best Practices

1. Educate Your Developers 2. Have Clear Requirements 3. Maintain a Growth Mindset 4. Tie Implementation to Other Initiatives 5. Tackle the Big Problems First

What are the 5 domains of the NIST?

1. Identify - This function entails determining an organization's critical functions and what cybersecurity risks could disrupt those functions. 2. Protect - Defines the relevant safeguards required to deliver critical infrastructure services. 3. Detect - The organization must have the relevant measures in place to be able to promptly identify cyber risks and other incidents. 4. Respond - This function is about implementing relevant measures concerning a detected cybersecurity incident and aids an organization's ability to accommodate its impact. 5. Recover - an organization needs a strategic plan to restore any capabilities or services that were damaged as a consequence of a cybersecurity incident. -Make sure the organization implements recovery planning procedures to restore systems or assets damaged by cybersecurity incidents. -Implementing improvements based on lessons learned and reviews of existing strategies.

SDLC Phases

1. Planning 2. Analysis 3. Design 4. Development 5. Testing 6. Implementation 7. Maintenance ----------------------- The Waterfall model is one of the earliest and best-known SDLC methodologies, which laid the groundwork for these SDLC phases

Security Incident Management - Company confidential information was uploaded to a Public cloud hosting service by a Third Party .. how will you deal with such a scenario?

1. Secure your operations Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. Mobilize your breach response team right away to prevent additional data loss. Assemble a team of experts to conduct a comprehensive breach response. Stop additional data loss. Remove improperly posted information from the web. Interview people who discovered the breach. Do not destroy evidence. 2. Fix Vulnerabilities Think about service providers. Check your network segmentation. Work with your forensics experts. Have a communications plan. Anticipate questions that people will ask. 3. Notify Appropriate Parties Determine your legal requirements. Notify law enforcement. Notify affected businesses. Notify individuals.

What are the types of Risk?

1. Strategic Risk - failure to implement appropriate business decisions in a manner that is consistent with the institution's strategic goals. 2. Reputation Risk - the risk arising from negative public opinion. 3. Operational Risk - the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. 4. Transaction Risk - the risk arising from problems with service or product delivery. 5. Credit Risk - the risk that a third party, or any other creditor necessary to the third- party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed 6. Compliance Risk - the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution's business standards.

Risk Management Process

1. risk identification 2. risk assessment 3. risk prioritization 4. risk mitigation ------- This guidance provides four main elements of an effective third-party risk management process: (1) risk assessment, (2) due diligence in selecting a third party, (3) contract structuring and review, and (4) oversight.

Secure Software Development Lifecycle (SSDLC)

A Secure SDLC requires adding security testing at each software development stage, from design, to development, to deployment and beyond. Examples include designing applications to ensure that your architecture will be secure, as well as including security risk factors as part of the initial planning phase.

Managed Service Provider (MSP)

A managed service provider (MSP) delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers' premises, in their MSP's data center (hosting), or in a third-party data center. MSPs may deliver their own native services in conjunction with other providers' services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers.

What is inherent risk?

A risk associated with pre-existing errors in the control environment

Can you describe the Asset management process ?

Asset lifecycle management is a strategic and analytical approach used to determine each stage of an asset's life cycle to maximise operational efficiency and generate a greater overall return on investment. Through extensive planning and utilising asset lifecycle management best practices, asset managers can better understand how a business's most critical assets perform and what value they provide. The asset lifecycle can be broken down into four stages: 1. Planning - This first stage of an asset life cycle is crucial for all stakeholders, from financial teams to operators. The decision to purchase an asset relies on it fitting a business's needs. As well as contributing to its operations and ultimately generating revenue. 2. Procurement/Acquisition - This stage will also focus on the financial side of acquiring an asset which is within a specific budget that has been set at the planning stage. Successful procurement lifecycle management can improve both speed of purchasing and the cost of purchases. 3. Operation and Maintenance - As an asset is put to its intended use, it is now improving operations and helping to generate revenue. As well as reacting to upgrades, patch fixes, licenses, and audits. 4. Disposal/Archive - At the end of an asset's useful life, it is removed from service and either sold, re-purposed, thrown away, or recycled.

There are five basic techniques of risk management

Avoidance: Many times it is not possible to completely avoid risk but the possibility should not be overlooked. For example, at the height of a thunderstorm, Physical Plant may not release vehicles for travel until the weather begins to clear, thus avoiding the risk of auto accidents during severe weather. Some buildings on campus have had repeated water problems in some areas. By not allowing storage of records or supplies in those areas, some water damage claims may be avoided. Retention: At times, based on the likely frequency and severity of the risks presented, retaining the risk or a portion of the risk may be cost-effective even though other methods of handling the risk are available. For example, the University retains the risk of loss to fences, signs, gates and light poles because of the difficulty of enumerating and evaluating all of these types of structures. When losses occur, the cost of repairs is absorbed by the campus maintenance budget, except for those situations involving the negligence of a third party. Spreading: It is possible to spread the risk of loss to property and persons. Duplication of records and documents and then storing the duplicate copies in a different location is an example of spreading risk. A small fire in a single room can destroy the entire records of a department's operations. Placing people in a large number of buildings instead of a single facility will help spread the risk of potential loss of life or injury. Loss Prevention and Reduction: When risk cannot be avoided, the effect of loss can often be minimized in terms of frequency and severity. For example, Risk Management encourages the use of security devices on certain audio visual equipment to reduce the risk of theft. The University requires the purchase of health insurance by students who are studying abroad, so that they might avoid the risk of financial difficulty, should they incur medical expenses in another country. Transfer: In some cases risk can be transferred to others, usually by contract. When outside organizations use University facilities for public events, they must provide evidence of insurance and name the University as an additional insured under their policy, thereby transferring the risk of the event from the University to the facility user. The purchase of insurance is also referred to as a risk transfer since the policy actually shifts the financial risk of loss, contractually, from the insured entity to the insurance company. Insurance should be the last option and used only after all other techniques have been evaluated.

The challenges of implementing IAM in business

Buy-in from business leaders is crucial. Whatever the size of your organization, getting buy-in from business leaders and board members is critical to the success of an IAM initiative. Too frequently, executives dismiss IAM as an IT issue when in reality, a truly successful IAM program is aligned with enterprise-wide business goals and risks. Successfully utilizing IAM to its true potential requires technical expertise and a deep understanding of business processes, operations, and regulatory obligations. There's a global shortage of tech professionals. Finding IT employees with this knowledge can be difficult due to a global shortage of technology workers. SMBs continue to jockey for skilled, but scarce, IT security professionals. However, they are at a disadvantage because they typically lack the deep pockets of larger companies that can pay a premium for top talent. Lack of password security still leads to costly breaches. And then there's password security—or, more accurately, a lack thereof. According to Verizon's Data Breach Investigation Report, 61% of data breaches across all sectors involve compromised credentials. And those breaches don't come cheap: IBM Security's Cost of a Data Breach Report shows the average cost of a data breach is $4.24 million.

What is the difference between Encryption and Hashing?

Encryption is a two-way function where information is scrambled in such a way that it can be unscrambled later. Hashing is a one-way function where data is mapped to a fixed-length value. Hashing is primarily used for authentication.

What are the risks with leveraging a Third-Party relationship?

Failure to manage these risks can expose an institution to regulatory action, financial loss, litigation and reputation damage, and may even impair the institution's ability to establish new or service existing customer relationships.

GRC

Governance, Risk and Compliance 1. Governance refers to the ethical management of an organization by its leaders in accordance with approved business plans and strategies. 2. Risk management refers to an organization's process for identifying, categorizing, assessing and enacting strategies to minimize risks that would hinder its operations and to control risks that enhance operations. 3. Compliance refers to the level of adherence an organization has to the standards, regulations and best practices mandated by the business and by relevant governing bodies and laws.

SDLC Phase 1: Requirements

In this early phase, requirements for new features are collected from various stakeholders. It's important to identify any security considerations for functional requirements being gathered for the new release. Sample functional requirement: user needs the ability to verify their contact information before they are able to renew their membership. Sample security consideration: users should be able to see only their own contact information and no one else's.

The top 5 benefits of implementing IAM

Lower risk of data breaches: With SSO and 2FA, your employees no longer have to remember and enter multiple passwords. Improved user experience and productivity: Employees can securely access the applications and data they need from anywhere. This can improve the user experience and bump up productivity. Enhanced regulatory compliance: IAM automates data access and privacy requirements by controlling who can access, use, and share data. Reduced IT costs: IAM automates and standardizes many aspects of identity, authentication, and authorization management. For example, it can decrease help desk tickets for password resets and streamline user onboarding and offboarding. Centralized management: IAM centralizes and automates IT management, giving IT teams the flexibility to work in the office or from remote sites.

What is an incident response lifecycle?

Phase 1: Preparation The Preparation phase covers the work an organization does to get ready for incident response, including establishing the right tools and resources and training the team. This phase includes work done to prevent incidents from happening. Phase 2: Detection and Analysis Accurately detecting and assessing incidents is often the most difficult part of incident response for many organizations, according to NIST. Phase 3: Containment, Eradication, and Recovery This phase focuses on keeping the incident impact as small as possible and mitigating service disruptions. Phase 4: Post-Event Activity Learning and improving after an incident is one of the most important parts of incident response and the most often ignored. In this phase the incident and incident response efforts are analyzed. The goals here are to limit the chances of the incident happening again and to identify ways of improving future incident response activity.

The Benefits of SSDLC

Secure SDLC is the ultimate example of what's known as a "shift-left" initiative, which refers to integrating security checks as early in the SDLC as possible. Doing so helps development teams properly plan releases, making it easier to catch and address issues that arise that could affect the release timeline. This is most certainly preferable to receiving an unpleasant surprise once the application deploys to production. SSDLC, therefore, helps keep releases on track. By fixing these issues early in the process, development teams can reduce the total cost of ownership of their applications. Discovering issues late in the SDLC can result in a 100-fold increase in the development cost needed to fix those issues, as seen in the chart below.

Can you describe Security incident management process ?

Security incident management is the process of identifying, managing, recording and analyzing security threats or incidents in real-time. 1. Prepare for handling incidents. 2. Identify potential security incidents through monitoring and report all incidents. 3. Assess identified incidents to determine the appropriate next steps for mitigating the risk. 4. Respond to the incident by containing, investigating, and resolving it (based on outcome of step 3). 5. Learn and document key takeaways from every incident.

SDLC Phase 4: Verification

The Verification phase is where applications go through a thorough testing cycle to ensure they meet the original design & requirements. This is also a great place to introduce automated security testing using various technologies. The application is not deployed unless these tests pass. This phase often includes automated tools like CI/CD pipelines to control verification and release.

Third-Party Risk Management (TPRM)

The process of identifying and controlling risks that occur when transacting business with third parties; managing multiparty risk.

Identity and Access Management (IAM)

The security discipline that enables the right individuals to access the right resources at the right times for the right reasons

SDLC Phase 5: Maintenance and Evolution

The story doesn't end once the application is released. In fact, vulnerabilities that slipped through the cracks may be found in the application long after it's been released. These vulnerabilities may be in the code developers wrote, but are increasingly found in the underlying open-source components that comprise an application. This leads to an increase in the number of "zero-days"—previously unknown vulnerabilities that are discovered in production by the application's maintainers.

SLDC Phase 2: Design

This phase translates in-scope requirements into a plan of what this should look like in the actual application. Here, functional requirements typically describe what should happen, while security requirements usually focus on what shouldn't. Sample functional design: page should retrieve the user's name, email, phone, and address from CUSTOMER_INFO table in the database and display it on screen. Sample security concern: we must verify that the user has a valid session token before retrieving information from the database. If absent, the user should be redirected to the login page.

How will you prevent data exfiltration?

To reduce the risk of data exfiltration, organizations must integrate security awareness and best practices into their culture. They must consistently evaluate the risks of every interaction with computer networks, devices, applications, data, and other users. Organizations may also decide to institute periodic audits to verify that best practices are followed.

SDLC Phase 3: Development

When it's time to actually implement the design and make it a reality, concerns usually shift to making sure the code well-written from the security perspective. There are usually established secure coding guidelines as well as code reviews that double-check that these guidelines have been followed correctly. These code reviews can be either manual or automated using technologies such as static application security testing (SAST).

How does the internet work? .. What happens when you write www.google.com in the browser address bar and hit enter?

Your computer sends a request to the domain name system (DNS) server which serves as an address book for all domain names. This then sends back the exact IP address of the server which https://www.google.com points to. Knowing this IP, your computer then establishes a connection with the server through the IP address. The type of this connection is known as Transmission Control Protocol (TCP) and your computer is able to establish this connection through the Internet Protocol (IP). This whole process is known as a "handshake". If your computer is behind a firewall, the firewall checks to ensure that the particular request you are making is allowed before permitting it. Also, if the server you are trying to access is also behind a firewall, a similar check will be done before you are finally able to connect to the server. After establishing the connection, your browser now sends a request for the webpage using an encryption protocol like Secure Sockets Layer (SSL) or Transport Layer Security (TLS) in order to encrypt the data that will be shared between your computer and the server. This type of encryption is what is responsible for the "s" in "https" which also implies that the connection is secure. Companies like Google with high traffic maintain a host of servers and for that matter they have a load balancer that receives most of the requests and sends it to a particular server. The request from your browser will therefore hit the load balancer first which will forward it to a specific server depending on the algorithm used by the load balancer. The server that receives the request then sends a response back to the load balancer which also forwards the response back to your browser. This response will mostly include HTML, CSS, and JavaScript files that makes up Google's homepage. The HTML files returned tells the browser how to render the content of the page. The CSS file tells the browser how to style the content while the JavaScript file adds interactivity to the page. If there is a need for some dynamic content such as Google search results, then the web server will make a request to the application server, which in turn may make a request to a database server to get some data and send it back to the web server. The web server will then include these in the response that it sends back to the browser. Finally, the browser will render the page and display it to you.

What is residual risk?

amount of uncertainty after a risk management effort has been exhausted

Process Automation

using robots to automate routine, highly repetitive, low-complexity, or single-purpose tasks ----- example: Levarging Archer-to-Archer (A2A) Data Feeds, I created a feed to automate the synchronization of legacy archer instance to future-state build