CISSP Ch.2 Personnel Security and Risk Management Concepts


What is acceptable use policy (AUP)?

An acceptable use policy (AUP) defines what is and what is not an acceptable activity, practice, or use for company equipment and resources. The AUP is specifically designed to assign security roles within the organization as well as prescribe the responsibilities tied to those roles. This policy defines a level of acceptable performance and expectation of behavior and activity. Failure to comply with the policy may result in job action warnings, penalties, or termination.

Asset

An asset is anything used in a business process or task. If an organization relies on a person, place, or thing, whether tangible or intangible, then it is an asset.

Attack

An attack is the intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets. An attack can also be viewed as any violation or failure to adhere to an organization's security policy. A malicious event does not need to succeed in violating security to be considered an attack.

what is risk rejection?

An unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due care/due diligence responses to risk. Rejecting or ignoring risk may be considered negligence in court.

Threats

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.

Asset Valuation

Asset valuation is value assigned to an asset based on a number of factors, including importance to the organization, use in critical process, actual cost, and nonmonetary expenses/costs (such as time, attention, productivity, and research and development). When performing a math-based risk evaluation (i.e., quantitative; see the "Quantitative Risk Analysis" section, later in this chapter), a dollar figure is assigned as the asset value (AV)

What is risk assignment?

Assigning risk or transferring risk is the placement of the responsibility of loss due to a risk onto another entity or organization. Purchasing cybersecurity or traditional insurance and outsourcing are common forms of assigning or transferring risk. Also known as assignment of risk and transference of risk.

Which of the following could be classified as a form of social engineering attack? (Choose all that apply.) A. A user logs in to their workstation and then decides to get a soda from the vending machine in the stairwell. As soon as the user walks away from their workstation, another person sits down at their desk and copies all the files from a local folder onto a network share. B. You receive an email warning about a dangerous new virus spreading across the internet. The message tells you to look for a specific file on your hard drive and delete it, since it indicates the presence of the virus. C. A website claims to offer free temporary access to their products and services but requires that you alter the configuration of your web browser and/or firewall in order to download the access software. D. A secretary receives a phone call from a person claiming to be a client who is running late to meet the CEO. The caller asks for the CEO's private cell phone number so that they can call them.

B, C, D. Options B, C, and D are social engineering because each one talks the target into taking a harmful action themselves: deleting a file on the strength of a hoax warning, weakening the browser or firewall configuration to get "free" software, or disclosing a private phone number to an unverified caller. Option A exploits an unattended, unlocked workstation rather than the user's trust or behavior, so it is an unattended-workstation (physical access) attack, not social engineering.

Company data is discovered on social media. Emails were discovered to have been sent to employees, with links to malicious sites and to employees' personal email accounts. What improvements should the company implement to address this issue? (Choose two.) A. Deploy a web application firewall. B. Block access to personal email. C. Update the company email server. D. Implement multifactor authentication (MFA) on the company email server. E. Perform an access review of all company files. F. Prohibit access to social networks on company equipment.

B. Block access to personal email from the company network. F. Prohibit access to social networks on company equipment. The leaking of company proprietary data may have been caused by the content of emails received by workers. The computers of workers who clicked links from the suspicious emails may have been infected by malicious code. This malicious code may have exfiltrated documents to the social media site. This issue could occur whether workers were on company computers on the company network, on company computers on their home network, or on personal computers on their home network (especially if the workers copied company files to their personal machines to work from home). Blocking access to social media sites and personal email services from the company network reduces the risk of this same event occurring again. For example, if the suspicious emails are blocked from being received by company email servers and accounts, they could still be received into personal email acco

While performing a risk analysis, you identify a threat of fire and a vulnerability of things being flammable because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. Damage to equipment The threat of a fire and the vulnerability of a lack of fire extinguishers lead to the risk of damage to equipment. This scenario does not relate to virus infection or unauthorized access. Equipment damaged by fire could be considered a system malfunction, but that option is not as direct as "damage to equipment."

_________________ is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. A. Reissue B. Onboarding C. Background checks D. Site survey

B. Onboarding Onboarding is the process of adding new employees to the organization, having them review and sign policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. Reissue is a certification function when a lost certificate is provided to the user by extracting it from the escrow backup database or when a certificate is altered to extend its expiration date. Background checks are used to verify that a job applicant is qualified but not disqualified for a specific work position. A site survey is used to optimize the placement of wireless access points (WAPs) to provide reliable connectivity throughout the organization's facilities.

A particular worker was caught for the fourth time attempting to access documents that were not relevant to their job position. The CSO reminds you that the organization has a formal termination process that should be followed. Which is an important task to perform during the termination procedure to reduce future security issues related to this ex-employee? A Return personal belongings. B Review the nondisclosure agreement. C Evaluate the performance. D Cancel the parking permit

B. Review the nondisclosure agreement. The termination process often focuses on eliminating an employee who has become problematic, whether that employee is committing crimes or just violating company policy. Once the worker is fired, the company has little direct control over that person. So, the only remaining leverage is legal, which often relates to a nondisclosure agreement (NDA). Hopefully, reviewing and reminding the ex-employee about their signed NDA will reduce future security issues, such as confidential data dissemination.

Often a _____________ is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. _____________ are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. A. CISO(s) B. Security champion(s) C. Security auditor(s) D. Custodian(s)

B. Security Champion The correct answer for these blanks is security champion(s). Often a security champion is a member of a group who decides (or is assigned) to take charge of leading the adoption and integration of security concepts into the group's work activities. Security champions are often non-security employees who take up the mantle to encourage others to support and adopt more security practices and behaviors. The other options are incorrect. A CISO, or chief information security officer, defines and enforces security throughout the organization. The security auditor is the person who manages security logging and reviews the audit trails for signs of compliance or violation. The custodian is the security role that accepts assets from owners and then, based on the owner-assigned classifications, places the asset in the proper IT container where the proper security protections are provided.

The Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk. The RMF has seven steps or phases. Which phase of the RMF authorizes the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable? A. Categorize B. Authorize C. Assess D. Monitor

B. Authorize. RMF phase 6 is Authorize: authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable (or reasonable). The phases of the RMF are (1) Prepare, (2) Categorize, (3) Select, (4) Implement, (5) Assess, (6) Authorize, and (7) Monitor. (A) RMF phase 2 is Categorize: categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. (C) RMF phase 5 is Assess: assess the controls to determine whether they are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. (D) RMF phase 7 is Monitor: monitor the system and the associated controls on an ongoing basis, including assessing control effectiveness and documenting changes to the system and environment.

What are background checks?

Background checks include obtaining a candidate's work and educational history; checking references; verifying education; interviewing colleagues; checking police and government records for arrests or illegal activities; verifying identity through fingerprints, driver's license, and/or birth certificate; and holding a personal interview. Depending on the job position, this process could also include skill challenges, drug testing, credit checks, checking the driving record, and personality testing/evaluation.

During a risk management project, an evaluation of several controls determines that none are cost-effective in reducing the risk related to a specific important asset. What risk response is being exhibited by this situation? A. Mitigation B. Ignoring C. Acceptance D. Assignment

C. Acceptance. When controls are not cost effective, they are not worth implementing. Thus, risk acceptance is the risk response in this situation. Mitigation is the application of a control; that was not done in this scenario. Ignoring risk occurs when no action, not even assessment or control evaluation, is performed in relation to a risk. Since controls were evaluated in this scenario, this is not ignoring risk. Assignment is the transfer of risk to a third party; that was not done in this scenario.

Your organization is courting a new business partner. During the negotiations the other party defines several requirements of your organization's security that must be met prior to the signing of the SLA and business partners agreement (BPA). One of the requirements is that your organization demonstrate their level of achievement on the Risk Maturity Model (RMM). The requirement is specifically that a common or standardized risk framework is adopted organization-wide. Which of the five possibl

C. Defined The level of RMM named Defined requires that a common or standardized risk framework be adopted organization-wide. This is effectively level 3. The first level of RMM is not listed as an option; it is ad hoc, which is the chaotic starting point. Preliminary is RMM level 2, which demonstrates loose attempts to follow risk management processes but each department may perform risk assessment uniquely. Integrated is RMM level 4, where risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions. Optimized is RMM level 5, where risk management focuses on achieving objectives rather than just reacting to external threats, increasing strategic planning toward business success rather than just avoiding incidents, and reintegrating lessons learned into the risk management process.

Which of the following is a true statement in regard to vendor, consultant, and contractor controls? A. Using business email compromise (BEC) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization. B. Outsourcing can be used as a risk response option known as acceptance or appetite. C. Multiparty risk exists when several entities or organizations are involved in

C. Multiparty risk exists when several entities or organizations are involved in a project. The risk or threats are often due to the variations of objectives, expectations, timelines, budgets, and security priorities of those involved. The other statements are false. Their corrected and thus true versions would be: (A) Using service-level agreements (SLAs) is a means to ensure that organizations providing services maintain an appropriate level of service agreed on by the service provider, vendor, or contractor and the customer organization; (B) Outsourcing can be used as a risk response option known as transference or assignment; and (D) Risk management strategies implemented by one party may in fact cause additional risks to or from another party.

You have performed a risk assessment and determined the threats that represent the most significant concern to your organization. When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. D. The annual costs o

C. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. The annual costs of safeguards should not exceed the expected annual cost of asset value loss. The other statements are not rules to follow. (A) The annual cost of the safeguard should not exceed the annual cost of the asset value or its potential value loss. (B) The cost of the safeguard should be less than the value of the asset. (D) There is no specific maximum percentage of a security budget for the cost of a safeguard. However, the security budget should be used efficiently to reduce overall risk to an acceptable level.

What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

C. Training Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions. (A) Education is an endeavor in which students and users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion or career advancement. Most education programs are not hosted by the employer but by training organizations or colleges or universities. Education is not provided to workers in groups based on their job positions. (B) Awareness establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics and issues related to security that all employees must understand. Although it is provided by the organization, it is not targeted to groups of workers since it applies to all emplo

What are corrective controls?

Corrective Controls remedy problems that have been discovered. For example, restoring a system from a backup file. The control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies.

An estimation of the yearly cost for the safeguard to be present in the organization is needed. This estimation can be called the annual cost of the safeguard (ACS). What factors affect the ACS?

Cost of purchase, development, and licensing
Cost of implementation and customization
Cost of annual operation, maintenance, administration, and so on
Cost of annual repairs and upgrades
Productivity improvement or loss
Changes to environment
Cost of testing and evaluation

You have been tasked with overseeing the security improvement project for your organization. The goal is to reduce the current risk profile to a lower level without spending considerable amounts of money. You decide to focus on the largest concern mentioned by your CISO. Which of the following is likely the element of the organization that is considered the weakest? A. Software products B. Internet connections C. Security policies D. Humans

D. Humans. Regardless of the specifics of a security solution, humans are often considered the weakest element. No matter what physical or logical controls are deployed, humans can discover ways to avoid them, circumvent or subvert them, or disable them. Thus, it is important to take into account the humanity of your users when designing and deploying security solutions for your environment. Software products, internet connections, and security policies can all be vulnerabilities or otherwise areas of security concern, but they are not considered the most common weakest element of an organization.

A new security team member reviews the training materials and notices that it was crafted four years ago. They suggest that the materials be revised to be more engaging and to include elements that allow for the ability to earn recognition, team up with coworkers, and strive toward a common goal. What is the approach that is being recommended? A. Program effectiveness evaluation B. Onboarding C. Compliance enforcement D. Gamification

D. Gamification Security awareness and training can often be improved through gamification. Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change. This can include rewarding compliance behaviors and potentially punishing violating behaviors. Many aspects of game play can be integrated into security training and adoption, such as scoring points, earning achievements or badges (i.e., earn recognition), competing with others, cooperating with others (i.e., team up with coworkers), following a set of common/standard rules, having a defined goal, seeking rewards, developing group stories/experiences, and avoiding pitfalls or negative game events. (A) Program effectiveness evaluation is using some means of verification, such as giving a quiz or monitoring security incident rate changes over time, to measure whether the training is beneficial or a waste of time and reso

During a meeting of company leadership and the security team, discussion focuses on defining the value of assets in dollars, inventorying threats, predicting the specific amount of harm of a breach, and determining the number of times a threat could cause harm to the company each year. What is being performed? A. Qualitative risk assessment B. Delphi technique C. Risk avoidance D. Quantitative risk assessment

D. Quantitative risk assessment. This scenario is describing the activity of performing a quantitative risk assessment. The question describes the determination of asset value (AV) as well as the exposure factor (EF) and the annualized rate of occurrence (ARO) for each identified threat. These are the values needed to calculate the annualized loss expectancy (ALE), which is a quantitative factor. This is not an example of a qualitative risk assessment, since specific numbers are being determined rather than relying on ideas, reactions, feelings, and perspectives. This is not the Delphi technique, which is a qualitative risk assessment method that seeks to reach an anonymous consensus. This is not risk avoidance, since that is an optional risk response or treatment, and this scenario is only describing the process of risk assessment.

Exposure

Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event. Exposure doesn't mean that a realized threat (an event that results in loss) is actually occurring, just that there is the potential for harm to occur. The quantitative risk analysis value of exposure factor (EF) is derived from this concept.

What is gamification?

Gamification is a means to encourage compliance and engagement by integrating common elements of game play into other activities, such as security compliance and behavior change.

What are some US regulations in regard to privacy?

Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act of 2002 (SOX)
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
Outside the US, the European Union's General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679) also applies to many organizations.

What is inherent risk?

Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. Also known as initial risk or starting risk.

What are job responsibilities?

Job responsibilities are the specific work tasks an employee is required to perform on a regular basis. The list of job responsibilities guides the assignment of access rights, permissions, and privileges.

Mandatory Vacations

Mandatory vacations are used as a peer review process. This process requires a worker to be away from the office and without remote access for one to two weeks per year. While the worker is on the "vacation," a different worker performs their work duties with their actual user account, which makes it easier to verify the work tasks and privileges of employees while attempting to detect abuse, fraud, or negligence on the part of the original employee.

Offboarding

Offboarding is the removal of an employee's identity from the IAM system once that person has left the organization. But offboarding can also be an element used when an employee transfers into a new job position at the same organization, especially when they are shifting between departments, facilities, or geographic locations.

What is the onboarding process?

Onboarding is the process of adding new employees to the organization, having them review and sign employment agreements and policies, be introduced to managers and coworkers, and be trained in employee operations and logistics. Onboarding can also include organizational socialization and orientation.

Name six different administrative controls used to secure personnel.

Possible answers include job descriptions, principle of least privilege, separation of duties, job responsibilities, job rotation/cross-training, performance reviews, background checks, job action warnings, awareness, training, job training, exit interviews/terminations, nondisclosure agreements, employment agreements, privacy declaration, and acceptable use policies.

What is qualitative risk analysis?

Qualitative risk analysis assigns subjective and intangible values to the loss of an asset and takes into account perspectives, feelings, intuition, preferences, ideas, and gut reactions. The process of performing qualitative risk analysis involves judgment, intuition, and experience.

What is quantitative risk analysis?

Quantitative risk analysis assigns real dollar figures to the loss of an asset and is based on mathematical calculations. The process of quantitative risk analysis starts with asset valuation and threat identification (which can be performed in any order).

What are recovery controls?

Recovery controls are an extension of corrective controls but are more advanced. The control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Examples include backups and restores, fault-tolerant drive systems, server clustering, and database or virtual machine shadowing.

What is risk mitigation?

Reducing risk, or risk mitigation, is the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats. Deploying encryption and using firewalls are common examples of risk mitigation or reduction. Elimination of an individual risk can sometimes be achieved, but typically some risk remains even after mitigation or reduction efforts.

What is residual risk?

Residual risk consists of threats to specific assets against which upper management chooses not to implement a response. In other words, residual risk is the risk that management has chosen to accept rather than mitigate.

Risk assessment or risk analysis

Risk assessment or risk analysis is the examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur, and assessing the cost of various countermeasures for each risk. This results in a sorted criticality prioritization of risks.

What is risk avoidance?

Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes. The risk is avoided by eliminating the risk cause. A business leader terminating a business endeavor because it does not align with organizational objectives and has a high risk versus reward ratio is also an example of risk avoidance.

Risk Awareness

Risk awareness is the effort to increase the knowledge of risks within an organization. This includes understanding the value of assets, inventorying the existing threats that can harm those assets, and the responses selected and implemented to address the identified risk. Risk awareness helps to inform an organization about the importance of abiding by security policies and the consequences of security failures.

What is risk deterrence?

Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. The goal is to convince a threat agent not to attack. Some examples include implementing auditing, security cameras, and warning banners; using security guards; and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.

Risk

Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result. The more likely it is that a threat event will occur, the greater the risk. The greater the amount of harm that could result if a threat is realized, the greater the risk. Every instance of exposure is a risk. When written as a conceptual formula, risk can be defined as follows:
risk = threat * vulnerability
risk = probability of harm * severity of harm

What is risk reporting?

Risk reporting is a key task to perform at the conclusion of a risk analysis. Risk reporting involves the production of a risk report and a presentation of that report to the interested/ relevant parties. For many organizations, risk reporting is an internal concern only, whereas other organizations may have regulations that mandate third-party or public reporting of their risk findings

Risk Response

Risk response involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis; adjusting findings based on other conditions, concerns, priorities, and resources; and providing a proposal of response options in a report to senior management. Based on management decisions and guidance, the selected responses can be implemented into the IT infrastructure and integrated into the security policy documentation

What is risk tolerance?

Risk tolerance is the amount or level of risk that an organization will accept per individual asset-threat pair.

What is smishing?

Short Message Service (SMS) phishing, or smishing, is a social engineering attack that occurs over or through standard text messaging services. The related term spam over instant messaging (SPIM) refers to the same kind of unsolicited or deceptive messaging delivered over instant-messaging platforms.

What is social engineering?

Social engineering is a form of attack that exploits human nature and human behavior. People are a weak link in security because they can make mistakes, be fooled into causing harm, or intentionally violate company security.

What is BEC?

Spear phishing can also be crafted to seem as if it originated from a CEO or other top office in an organization. This version of spear phishing is often called business email compromise (BEC). BEC is often focused on convincing members of accounting or financial departments to transfer funds or pay invoices based on instructions seeming to originate from a boss, manager, or executive.

What is the Annualized Rate of Occurrence, or ARO?

The ARO is the frequency at which a risk event occurs, expressed as the number of losses that occur in one year. A component or piece of equipment that fails once every two years has an ARO of 0.5; one that fails once every four years has an ARO of 0.25.

What is the Delphi technique?

The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

What is eliciting information?

The act of extracting information from the victim.

What is risk appetite?

The amount of risk a company is willing to accept to achieve its goals and objectives.

What are administrative controls?

The category of administrative controls is the policies and procedures defined by an organization's security policy and other regulations or requirements. They are sometimes referred to as management controls, managerial controls, or procedural controls. These controls focus on personnel oversight and business practices. Examples include policies, procedures, hiring practices, background checks, data classification, labeling, training, reports, supervision, personnel controls, and testing.

What are common social engineering principles

The common social engineering principles are authority, intimidation, consensus, scarcity, familiarity, trust, and urgency.

What is the controls gap?

The controls gap is the amount of risk that is reduced by implementing safeguards. A conceptual formula for residual risk is as follows:
total risk - controls gap = residual risk

What is the exposure factor?

The exposure factor (EF) represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The EF can also be called the loss potential. The EF simply indicates the expected overall asset value loss because of a single realized risk. The EF is determined by using historical internal data, performing statistical analysis, consulting public or subscription risk ledgers/registers, working with consultants, or using a risk management software s

What is hybrid assessment or hybrid analysis?

The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis

What is the principle of least privilege?

The principle of least privilege states that users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.

What is single loss expectancy and how is it calculated?

The single-loss expectancy (SLE) is the potential loss associated with a single realized threat against a specific asset. It indicates the potential amount of loss an organization would or could experience if an asset were harmed by a specific threat occurring: SLE = asset value (AV) * exposure factor (EF)

Vulnerability

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a vulnerability. In other words, a vulnerability is a flaw, loophole, oversight, error, limitation, frailty, or susceptibility that enables a threat to cause harm

Threat Agent/Actors

Threat agents or threat actors intentionally exploit vulnerabilities. Threat agents are usually people, but they could also be programs, hardware, or systems. Threat agents wield threats in order to cause harm to targets

Threat Events

Threat events are accidental occurrences and intentional exploitations of vulnerabilities. They can also be natural or person-made. Threat events include fire, earthquake, flood, system failure, human error (due to a lack of training or ignorance), and power outage

What is total risk?

Total risk is the amount of risk an organization would face if no safeguards were implemented. A conceptual formula for total risk is as follows: threats * vulnerabilities * asset value = total risk

What is typo squatting/URL hijacking?

Typo squatting is a practice employed to capture and redirect traffic when a user mistypes the domain name or IP address of an intended resource. This is a social engineering attack that takes advantage of a person's potential to mistype a fully qualified domain name (FQDN) or address. A malicious site squatter predicts URL typos and then registers those domain names to direct traffic to their own site. This can be done for competition or for malicious intent.

What is UBA and UEBA?

User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, etc. for some specific goal or purpose

Understand vendor, consultant, and contractor controls

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA)

Threat Agent

When a risk is realized, a threat agent, a threat actor, or a threat event has taken advantage of a vulnerability and caused harm to or disclosure of one or more assets. The whole purpose of security is to prevent risks from becoming realized by removing vulnerabilities and blocking threat agents/threat events from jeopardizing assets

What is the importance of a job description?

Without a job description, there is no consensus on what type of individual should be hired. Thus, crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires

Risk Management

Risk management is a detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk. The overall process of risk management is used to develop and implement information security strategies that support the mission of the organization, resulting in the skeleton of a security policy.

What is vishing?

A special type of phishing that uses Voice over IP (VoIP).

What is prepending?

An attacker adds a term or phrase to the header of an email to enhance its effectiveness as a social engineering attack.

What is the Annualized Loss Expectancy, or ALE?

Annualized loss expectancy (ALE) is the possible yearly loss of all instances of a specific realized threat against a specific asset. The ALE is calculated using the following formula: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO), or ALE = asset value (AV) * exposure factor (EF) * annualized rate of occurrence (ARO)

What is candidate screening?

Candidate screening for a specific position is based on the sensitivity and classification defined by the job description. Thus, the thoroughness of the screening process should reflect the security of the position to be filled. This includes background checks, reference checks, education verification, and security clearance validation.

What is hybrid warfare or nonlinear warfare?

Hybrid warfare or nonlinear warfare combines classical military strategy with modern capabilities, including social engineering, digital influence campaigns, psychological warfare efforts, political tactics, and cyberwarfare capabilities.

Multiparty Risk

Multiparty risk exists when several entities or organizations are involved in a project. The risks or threats are often due to the variations in objectives, expectations, timelines, budgets, and security priorities of those involved.

What is spear phishing?

Spear phishing is a more targeted form of phishing where the message is crafted and directed specifically to a group of individuals. Often, attackers use a stolen customer database to send false messages crafted to seem like a communication from the compromised business but with falsified source addresses and incorrect URIs/URLs.

What are technical or logical controls?

Technical controls or logical controls involve the hardware or software mechanisms used to manage access and provide protection for IT resources and systems. Examples of logical or technical controls include authentication methods (such as passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.

User behavior analytics (UBA) and user and entity behavior analytics (UEBA)

The concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. The E in UEBA extends the analysis to include entity activities that take place but are not necessarily directly linked or tied to a user's specific actions, yet can still correlate to a vulnerability, reconnaissance, intrusion, breach, or exploit occurrence. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight prog

What is risk capacity?

The maximum amount of risk the organization can shoulder.

What is the goal of risk management?

To reduce risk to an acceptable level.

What are the possible responses to risk?

- Risk Mitigation
- Risk Transfer
- Deterrence
- Avoidance
- Acceptance
- Reject or Ignore

What are the 6 major elements of quantitative risk analysis?

1. Assign asset value (AV)
2. Calculate exposure factor (EF)
3. Calculate single loss expectancy (SLE)
4. Assess the annualized rate of occurrence (ARO)
5. Derive the annualized loss expectancy (ALE)
6. Perform cost/benefit analysis of countermeasures

What are the principles of social engineering?

1. Authority
2. Intimidation
3. Consensus
4. Scarcity
5. Familiarity
6. Trust
7. Urgency

What are the two options for starting a risk assessment?

1. Focusing on assets
2. Evaluating threats

What are the 5 core functions of the Cybersecurity Framework (CSF)?

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

What are the elements of the Risk Management Framework (RMF)?

1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor

In a review of the cost/benefit analysis or cost/benefit calculation, you must calculate what 3 elements?

1. The pre-safeguard ALE for an asset-threat pairing
2. The potential post-safeguard ALE for an asset-threat pairing
3. The ACS (annual cost of the safeguard)

Cost benefit = (pre-safeguard ALE - post-safeguard ALE) - ACS

What are the categories of security controls?

1. Physical controls
2. Logical/technical controls
3. Administrative controls

Vendor Management System (VMS)

A VMS is a software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products and services. A VMS can offer ordering convenience, order distribution, order training, consolidated billing, and more. In regard to security, a VMS can potentially keep communications and contracts confidential, require encrypted and authenticated transactions, and maintain a detailed activity log of events related to vendors and suppliers

Breach

A breach, intrusion, or penetration is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. A breach is a successful attack.

What are compensating controls?

A compensating control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, if a preventive control fails to stop the deletion of a file, a backup can be a compensating control, allowing for restoration of that file. If fire suppression fails, a disaster recovery plan is the compensating control.

What are directive controls?

A directive control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of directive controls include security policy requirements or criteria, posted notifications, guidance from a security guard, escape route exit signs, monitoring, supervision, and procedures.

What is a risk limit?

A risk limit is the maximum level of risk above the risk target that will be tolerated before further risk management actions are taken

What is a risk register or risk log?

A risk register or risk log is a document that inventories all the identified risks to an organization or system or within an individual project. A risk register is used to record and track the activities of risk management, including the following:
- Identifying risks
- Evaluating the severity of and prioritizing those risks
- Prescribing responses to reduce or eliminate the risks
- Tracking the progress of risk mitigation

Safeguards

A safeguard, security control, protection mechanism, or countermeasure is anything that removes or reduces a vulnerability or protects against one or more specific threats. This concept is also known as a risk response. A safeguard is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability. Safeguards are the means by which risk is mitigated or resolved. It is important to remember that a safeguard need not involve the purchase of a new product; reconfiguring existing elements and even removing elements from the infrastructure are also valid safeguards or risk responses.

What is a security control assessment?

A security control assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment. The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.

What is a proper termination policy?

A termination policy defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee's network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property

Threat Vector

A threat vector or attack vector is the path or means by which an attack or attacker can gain access to a target in order to cause harm. Threat vectors can include email, web surfing, external drives, Wi-Fi networks, physical access, mobile devices, cloud, social media, supply chain, removable media, and commercial software

What is whaling?

A type of phishing targeted at high-level personnel such as senior officials.

Which of the following are valid definitions for risk? (Choose all that apply.)
A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat * vulnerability
D. Every instance of exposure
E. The presence of a vulnerability when a related threat exists

A, C, D. Missed question during review. Statements A, C, and D are all valid definitions of risk. The other two statements are not definitions of risk. (B) Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk. (E) The presence of a vulnerability when a related threat exists is an exposure, not a risk. A risk is a calculation of the probability of occurrence and the level of damage that could be caused if an exposure is realized (i.e., actually occurs).

Match the term to its definition:
1. Asset
2. Threat
3. Vulnerability
4. Exposure
5. Risk

I. The weakness in an asset
II. Anything used in a business process or task.
III. Being susceptible to asset loss because of a threat
IV. The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
V. Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset

A. 1-II, 2-V, 3-I, 4-III, 5-IV An asset is anything used in a business process or task. A threat is any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. A vulnerability is the weakness in an asset, or the absence or the weakness of a safeguard or countermeasure. An exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited. Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.

During the annual review of the company's deployed security infrastructure, you have been reevaluating each security control selection. How is the value of a safeguard to a company calculated?
A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard - controls gap
D. Total risk - controls gap

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard. The value of a safeguard to an organization is calculated by ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard [(ALE1 - ALE2) - ACS]. This is known as the cost/benefit equation for safeguards. The other options are incorrect. (B) This is an invalid calculation. (C) This is an invalid calculation. (D) This is the conceptual formula for residual risk: total risk - controls gap = residual risk.

Due to recent organizational restructuring, the CEO believes that new workers should be hired to perform necessary work tasks and support the mission and goals of the organization. When seeking to hire new employees, what is the first step?
A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request résumés.

A. Create a job description. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired. Crafting job descriptions is the first step in defining security needs related to personnel and being able to seek out new hires. From the job description, a determination can be made as to the education, skills, experience, and classification required by the applicant. Then a job posting can be made to request the submission of résumés. Then, candidates can be screened to see if they meet the requirements and if they have any disqualifications.

A new web application was installed onto the company's public web server last week. Over the weekend a malicious hacker was able to exploit the new code and gained access to data files hosted on the system. This is an example of what issue?
A. Inherent risk
B. Risk matrix
C. Qualitative assessment
D. Residual risk

A. Inherent risk. This situation is describing inherent risk. Inherent risk is the level of natural, native, or default risk that exists in an environment, system, or product prior to any risk management efforts being performed. The new application had vulnerabilities that were not mitigated, thus enabling the opportunity for the attack. This is not a risk matrix. A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart, such as a 3×3 grid comparing probability and damage potential. This is not a qualitative risk assessment, since this scenario does not describe any evaluation of the risk of the new code. This is not residual risk, since no controls were implemented to reduce risk. Residual risk is the leftover risk after countermeasures and safeguards are implemented in response to original or total risk. Missed question during review.

What is risk acceptance?

Accepting risk, or acceptance of risk, is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a document signed by senior management.

Privacy

- Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization), known as personally identifiable information (PII)
- Freedom from unauthorized access to information deemed personal or confidential
- Freedom from being observed, monitored, or examined without consent or knowledge

What is the purpose of a risk maturity model (RMM)?

An RMM assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process. There are several RMM systems, each prescribing various means to achieve greater risk management capability. The 5 levels of an RMM are:
1. Ad hoc - the initial stage of risk management.
2. Preliminary - loose attempts to follow risk management, with each department performing risk assessment uniquely.
3. Defined - a common or standardized risk framework is adopted organization-wide.
4. Integrated - risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element of business decisions.
5. Optimized - risk management focuses on achieving objectives rather than just reacting to external threats; increased strategic planning is geared toward business success rather than just avoiding incidents; and lessons learned are reintegrated into the risk management process.
