CISSP - Chapter 2


Threat

An event or situation that, if it occurred, would prevent the organization from operating in its normal manner.

Explain the concept of an exposure factor (EF)

An exposure factor is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. By calculating exposure factors, you are able to implement a sound risk management policy.

Explain Quantitative formula

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
SLE = the cost of a single occurrence of the event
ARO = how many times the event is expected to occur in a year
SLE x ARO = ALE, for example $1,000 x 3 = $3,000

Which of the following is not a valid definition for risk? A. An assessment of probability, possibility, or chance B. Anything that removes a vulnerability or protects against one or more specific threats C. Risk = threat * vulnerability D. Every instance of exposure

B. Anything that removes a vulnerability or protects against one or more specific threats

How is single loss expectancy (SLE) calculated? A. Threat + vulnerability B. Asset value ($) * exposure factor C. Annualized rate of occurrence * vulnerability D. Annualized rate of occurrence * asset value * exposure factor

B. Asset value ($) * exposure factor

While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk? A. Virus infection B. Damage to equipment C. System malfunction D. Unauthorized access to confidential information

B. Damage to equipment

When an employee is to be terminated, which of the following should be done? A. Inform the employee a few hours before they are officially terminated. B. Disable the employee's network access just as they are informed of the termination. C. Send out a broadcast email informing everyone that a specific employee is to be terminated. D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

B. Disable the employee's network access just as they are informed of the termination.

If an organization contracts with outside entities to provide key business functions or services, such as account or technical support, what is the process called that is used to ensure that these entities support sufficient security? A. Asset identification B. Third-party governance C. Exit interview D. Qualitative analysis

B. Third-party governance

Which of the following is a primary purpose of an exit interview? A. To return the exiting employee's personal belongings B. To review the nondisclosure agreement C. To evaluate the exiting employee's performance D. To cancel the exiting employee's network access accounts

B. To review the nondisclosure agreement

How to implement security awareness training and education

Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.

Which of the following statements is not true? A. IT security can provide protection only against logical or technical attacks. B. The process by which the goals of risk management are achieved is known as risk analysis. C. Risks to an IT infrastructure are all computer based. D. An asset is anything used in a business process or task.

C. Risks to an IT infrastructure are all computer based.

Which of the following is not an element of the risk analysis process? A. Analyzing an environment for risks B. Creating a cost/benefit report for safeguards to present to upper management C. Selecting appropriate safeguards and implementing them D. Evaluating each threat event as to its likelihood of occurring and cost of the resulting damage

C. Selecting appropriate safeguards and implementing them

What security control is directly focused on preventing collusion? A. Principle of least privilege B. Job descriptions C. Separation of duties D. Qualitative risk analysis

C. Separation of duties

When evaluating safeguards, what is the rule that should be followed in most cases? A. The expected annual cost of asset loss should not exceed the annual costs of safeguards. B. The annual costs of safeguards should equal the value of the asset. C. The annual costs of safeguards should not exceed the expected annual cost of asset loss. D. The annual costs of safeguards should not exceed 10 percent of the security budget.

C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions? A. Education B. Awareness C. Training D. Termination

C. Training

What is COBIT

COBIT is an IT governance and control framework. It examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability aspects of its high-level control objectives.

Explain COSO and its 5 areas

COSO - Risk framework that identifies 5 areas necessary to meet financial reporting and disclosure objectives (this is centered on financial disclosure and evaluation within the business):
A. Control environment
B. Risk assessment
C. Control activities
D. Information and communication
E. Monitoring

You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? A. Exposure factor B. Single loss expectancy C. Asset value D. Annualized rate of occurrence

D. Annualized rate of occurrence

A portion of the ______________ is the logical and practical investigation of business processes and organizational policies. This process/policy review ensures that the stated and implemented business tasks, systems, and methodologies are practical, efficient, and cost-effective, but most of all (at least in relation to security governance) that they support security through the reduction of vulnerabilities and the avoidance, reduction, or mitigation of risk. A. Hybrid assessment B. Risk aversion process C. Countermeasure selection D. Documentation review

D. Documentation review

Which of the following would generally not be considered an asset in a risk analysis? A. A development process B. An IT infrastructure C. A proprietary system resource D. Users' personal files

D. Users' personal files

What are procedures

Tactical documents that spell out how, who, when and where a task is performed; the step-by-step implementation of a policy.

Explain ITIL and the 5 phases

ITIL - Risk framework that shows how controls can be implemented for the IT service management processes (this is a service framework). 5 lifecycle phases:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement (CSI)

Name the administrative controls used to secure personnel

Job descriptions, principle of least privilege, separation of duties, job responsibilities, job rotation/cross training, performance reviews, background checks, job action warnings, awareness training, job training, exit interviews.

Why are job rotation and mandatory vacations necessary?

Job rotation serves two functions. It provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information. Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees while they are away. This often results in easy detection of abuse, fraud or negligence.

Security Control Assessment (SCA)

Monitor your controls to assess how well they are performing.
Tailoring - filtering the control baseline to fit the organization
Scoping - deciding what is in and what is out
Supplementation - making additions (adding on) to add value and support for mission objectives; "additional resources" that add value

Types of assessments:
1. Vulnerability
 A. Scanning
 B. Analysis
 C. Communicate results
2. Penetration
 Strategies: A. External testing (third party or MSP) B. Internal testing (internal team testing) C. Blind testing D. Double-blind testing
 Categories: A. Zero knowledge - black box B. Partial knowledge - grey box C. Full knowledge - white box
 Methodology: 1. Reconnaissance 2. Enumeration 3. Vulnerability analysis 4. Execution / exploitation 5. Document findings
 Test areas: application, DoS / DDoS, War..., wireless, social engineering, telephony
3. Monitoring and measurement - the 2 Q's
 Quantitative - measures "tangibles"; a numerical assessment that puts a cost on the risk. A deep understanding of the systems is required. Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO). SLE = the cost of a single occurrence of the event; ARO = how often it will occur in a year; SLE x ARO = ALE, e.g. $1,000 x 3 = $3,000.
 Qualitative - measures "intangibles"; the product of likelihood and impact produces the level of risk (risk matrix). The higher the risk level, the more immediate the need for the organization to address the issue. Qualitative analysis does not focus on money but on how likely a risk is to occur. Little knowledge of the systems is needed, since this deals only with potential.
 Process steps: 1. Approval by senior management 2. Form a risk assessment team 3. Analyze data 4. Calculate risk 5. Countermeasure recommendations
4. Asset valuation - understanding tangible / intangible worth. An asset is typically depreciated over 3-5 years.
5. Reporting - you have to have it (timeliness and understandability)
6. Continuous improvement - Deming cycle (PDCA): plan, do, check, act. Patch management is a good example.

NDA vs NCA

Non disclosure agreement and non compete agreement

Should all employees get the same "basic" security awareness training?

Not necessarily. There could be a case that high level management, developers and IT practitioners get a different type of training to protect the organization.

Three main types of controls

Preventive, detective, corrective.
Control categories:
A. Physical - guards, guns, gates; things you can touch, see and interact with
B. Administrative - policy or rules based
C. Logical (technical) - things we implement through software

How does privacy fit into the realm of IT Security

Privacy: 1. Active prevention of unauthorized access to information that is personally identifiable (that is, data points that can be linked directly to a person or organization) 2. Freedom from unauthorized access to information deemed personal or confidential 3. Freedom from being observed, monitored, or examined without consent or knowledge. Protecting individuals from unwanted observation, direct marketing and disclosure of private, personal or confidential details is usually considered a worthy effort.

Explain risk management overall

Process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost effective solutions for mitigating or reducing risk is known as risk management By performing risk management, you lay the foundation for reducing risk overall.

examples of some tangible and intangible issues that contribute to the valuation of assets

Purchase cost, development cost, administrative or management cost, maintenance or upkeep cost, cost of acquiring the asset, cost to protect or sustain the asset, value to owners and users, value to competitors, intellectual property or equity value, market valuation, replacement cost, productivity enhancement or degradation, operational costs of the asset's presence and of its loss, liability of asset loss, usefulness.

Explain quantitative risk analysis

Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of the intangible aspects of risk. The process involves asset valuation and threat identification, then determining a threat's potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.

Explain the options for handling risk

Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Purchasing insurance is one form of assigning or transferring risk. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.

What is single loss expectancy (SLE) and how do you calculate it

SLE is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. The formula is SLE = asset value (AV) x exposure factor (EF)

Security Controls

Examples include vulnerability assessments on a monthly basis, patch management on a rolling basis following vendor recommendations, configuration management and baseline assessments.

Steps in Risk Assessment / analysis

Step 1 - Prepare for Assessment
Step 2 - Conduct Assessment
 A. Identify threat sources and events
 B. Identify vulnerabilities and predisposing conditions
 C. Determine likelihood of occurrence
 D. Determine magnitude of impact
 E. Determine risk
Step 3 - Communicate Results
Step 4 - Maintain Assessment

Prepare for Assessment - requirements gathering, identify mission-critical systems and the ins and outs of those systems. Agree through scoping what will and will not be included in the assessment.
Identify threat sources and events - threat sources are internal actors or bad actors trying to do harm. Events can be harmful or non-harmful and are recorded in some fashion. An event that has the potential to be harmful, like a brute-force attack, is called an incident; someone forgetting their password once is just an event.
Identify vulnerabilities and predisposing conditions - identify weaknesses; patch management, monthly vulnerability assessments. Predisposing conditions are things like having no patch available (e.g. a zero day).
Determine likelihood of occurrence - the likelihood of something bad happening. If you patch frequently the likelihood is low; not patching makes it high.
Determine magnitude of impact - how badly it will hurt us when something occurs.
Determine risk - the combination of all of the above.
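Steps C to E above (rate likelihood, rate impact, determine risk) carried out as a qualitative risk matrix, the "product of likelihood and impact" approach mentioned under Security Control Assessment. This is an added example, not part of the study set; the three-point scales, the Low/Medium/High boundaries and the four sample scenarios are constructed assumptions, not anything the set prescribes.

```python
"""Qualitative risk matrix (added example, not from the study set).

Each threat/vulnerability pair gets an ordinal likelihood and impact rating.
Risk = likelihood score x impact score, mapped onto Low / Medium / High so the
scenarios can be ranked for treatment. Scales, boundaries and sample data are
assumptions made for this example.
"""
from typing import Dict, List

# Ordinal scores for a 3x3 matrix (assumed scale).
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Ordinal risk = likelihood score x impact score, in the range 1..9."""
    try:
        return SCALE[likelihood.lower()] * SCALE[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use one of {sorted(SCALE)}") from exc


def risk_level(score: int) -> str:
    """Map a 1..9 product onto the matrix's three bands (boundaries are an assumption)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def rank_scenarios(scenarios: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Rate likelihood and impact for each scenario, determine risk, then sort.

    Highest risk first; ties are broken by threat name so the order is deterministic.
    """
    rated = []
    for s in scenarios:
        score = risk_score(s["likelihood"], s["impact"])
        rated.append({**s, "score": score, "level": risk_level(score)})
    return sorted(rated, key=lambda r: (-r["score"], r["threat"]))


# Constructed sample scenarios: threat event paired with the vulnerability or
# predisposing condition that lets it succeed.
SAMPLE_SCENARIOS = [
    {"threat": "brute-force login", "vulnerability": "no account lockout",
     "likelihood": "high", "impact": "medium"},
    {"threat": "fire", "vulnerability": "no fire extinguishers",
     "likelihood": "low", "impact": "high"},
    {"threat": "lost password", "vulnerability": "help desk resets without verification",
     "likelihood": "high", "impact": "low"},
    {"threat": "zero-day in web server", "vulnerability": "no patch available yet",
     "likelihood": "medium", "impact": "high"},
]

if __name__ == "__main__":
    for r in rank_scenarios(SAMPLE_SCENARIOS):
        print(f'{r["level"]:6} ({r["score"]})  {r["threat"]:24} via {r["vulnerability"]}')
```

The two High entries come out first; note that "fire" (low likelihood, high impact) and "lost password" (high likelihood, low impact) land in the same Medium band, which is exactly the kind of tie a purely qualitative matrix cannot break without a dollar figure behind it.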

Supply chain risk management

Data Owner

The person or entity that has ultimate control over the disposition of data in regards to: How it is understood, how it is managed and who has access to it.

Data Controller

The person or entity that is going to apply due diligence, give oversight and give guidance how data should be used and interpreted.

Risk

The probability (likelihood) that a given threat source will exercise a particular vulnerability, and the resulting impact should that occur.

Residual Risk

The risk that remains after all countermeasures have been applied.

What are risk assessments/analysis

This is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual risk assessment work is done by security professionals, but all risk assessments, results, decisions and outcomes must be understood and approved by upper management.

Explain how to evaluate threats

Threats can originate from numerous sources, including IT, humans and nature. Threat assessment should be conducted as a team effort to provide the widest range of perspectives. By fully evaluating risks from all angles, you reduce your system's vulnerabilities.

Explain how to manage the security function

To manage the security function, an organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function. This also relates to budget, metrics, resources, information security strategies and assessing the completeness and effectiveness of the security program.

Explain the security implications of hiring new employees?

To properly plan for security, you must have standards in place for job descriptions, job classifications, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements and nondisclosure agreements. By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organization's assets.

Explain total risk, residual risk and controls gap

Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk: threats x vulnerabilities x asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is the controls gap, the amount of risk that is reduced by implementing safeguards. To calculate residual risk: total risk - controls gap = residual risk.

Explain the vendor, consultant and contractor controls

Vendor, consultant and contractor controls are used to define the levels of performance, expectation, compensation and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service level agreement or SLA.

Name some examples of Threats and Vulnerabilities

Viruses, criminal activities by authorized users, movement (vibrations, jarring, etc.), intentional attacks, reorganization, authorized user illness or epidemics, malicious hackers, disgruntled employees, user errors, natural disasters, physical damage, misuse of data, resources or services, changes or compromises to data classification or security policies, government, political or military intrusions and/or restrictions, processing errors, buffer overflows, personnel privilege abuse, temperature extremes, loss of data, information warfare, bankruptcy or alteration/interruption of business activity, coding or programming errors, intruders (physical or logical), equipment failure, physical theft and social engineering.

Data Processors

The persons or entities applying due care in day-to-day handling of the data; they execute the data management direction set by the data controller.

What is a threat source

A bad actor (threat actor, hacker) looking to do us harm; may be internal (an insider) or external (a hacker).

ISO 27001

Best practices: requirements for an information security management system (ISMS). The older ISO 17799 code of practice was renumbered as ISO 27002, the control catalogue that pairs with 27001.

Some techniques of qualitative risk analysis

brainstorming, Delphi technique, story boarding, focus groups, surveys, questionnaires, checklist, one on one meetings and interviews.

What is asset valuation

The dollar value assigned to an asset based on actual cost and nonmonetary expenses. Can include the cost to develop, maintain, administer, advertise, support, repair and replace the asset.

likelihood

The chance that something might happen.

impact

What a threat will cost if it is realized (expressed quantitatively or qualitatively).

Vulnerability

A weakness.

What is a threat event

A hacker trying to exploit vulnerabilities; more generally, an accidental or intentional exploitation of a vulnerability.

What are policies

A high-level system of guidance with buy-in from senior management. The strategic vision that we share and communicate: policies state what we are doing and why we are doing it. Strategic.

Explain qualitative risk analysis

It is based more on scenarios than on calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs and effects. Such an analysis assists those responsible in creating proper risk management policies.

Explain the Delphi technique

It is simply an anonymous feedback and response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

job rotation

is like cross training and knowledge documentation

Countermeasure (control)

is the mechanism applied to minimize risk

Explain separation of duties

It is the security concept of dividing critical, significant or sensitive work tasks among several individuals. By separating duties in this manner, you ensure that no one person can compromise system security.

Explain third party governance of security

is the system of oversight that may be mandated by law, regulation, industry standards or licensing requirements.

Quantitative vs Qualitative

Quantitative = numbers/statistics; qualitative = descriptions from observations.
Quantitative risk analysis: ALE = SLE x ARO
1. Exposure Factor (EF) = % of loss experienced if a specific asset were attacked
2. Single Loss Expectancy (SLE) = the cost associated with a single realized risk against a single asset
3. Annualized Rate of Occurrence (ARO) = the frequency at which a specified risk is expected to be realized in a single year
4. Annualized Loss Expectancy (ALE) = the potential yearly cost of all instances of a specified threat
5. Asset Value (AV) = the dollar amount the asset is worth to the organization
Example: ALE = SLE x ARO, $10 = $1 x 10 (a firewall failure occurring 10 times a year)
Three scenarios when comparing the annual cost of a countermeasure with the loss it prevents:
1. countermeasure costs less than the loss (no-brainer: do it)
2. countermeasure costs the same as the loss (do it)
3. countermeasure costs more than the loss (think before acting)

what is governance

Oversight and buy-in from senior leadership in regard to policy, standards and frameworks.

what is an example of predisposing conditions

patching or not patching devices or systems. Monthly vulnerability assessments

separation of duties

prevent one person from having all the power

NIST SP800-30

Guide for Conducting Risk Assessments

ISO 27002 Standard

security controls for 27001

Explain the principle of least privilege

It states that in a secure environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities. By limiting user access only to those items that they need to complete their work tasks, you limit the exposure of sensitive information.

What are the six steps of the risk management framework

1. Categorize 2. Select 3. Implement 4. Assess 5. Authorize 6. Monitor

Countermeasure selection and implementation

1. Cost 2. Effectiveness 3. Appropriateness
Cost - how much we have to spend to mitigate versus the cost of the vulnerability. Must be cost effective: a $5 solution for a $5 problem, not more.
Effectiveness - the control must actually be effective, giving a return on what is spent.

What is an asset

Anything in the organization that should be protected

Which of the following is the weakest element in any security solution? A. Software products B. Internet connections C. Security policies D. Humans

D. Humans

Explain the formula for safeguard evaluation

In addition to determining the annual cost of a safeguard, you must calculate the ALE for the asset if the safeguard is implemented. Use the formula: ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard = value of the safeguard to the company.

Qualitative process steps are?

Process steps: 1. Approval - Senior Management 2. Form a Risk Assessment Team 3. Analyze Data 4. Calculate Risk 5. Countermeasure recommendations

NIST SP800-37

RMF = Risk Management Framework for information systems

ISO 31010

Risk Assessment Techniques

Explain risk analysis and the key elements involved

Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred and which should be accepted. To fully evaluate risk and subsequently take the proper precautions, you must analyze the following: assets, asset valuation, threats, vulnerabilities, exposure, risk, realized risk, safeguards, countermeasures, attacks and breaches.

ISO 31000

Risk management guidelines

Explain control types

The term control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Control types include preventive, detective, corrective, deterrent, recovery, directive and compensating. Controls can also be categorized by how they are implemented: administrative, logical or physical.

What is exposure

being susceptible to asset loss because of a threat

what is risk management "impact"

Impact is the negative effect produced when a threat exploits a vulnerability: how badly something is going to hurt us, how much it will cost and how much damage it will do.

Steps in Risk Response

1. Avoid - e.g. not using Windows because of its vulnerabilities
2. Accept - e.g. since everyone uses Windows, we accept the risk
3. Transfer - e.g. move to the cloud, where someone else supports the data
4. Mitigate - e.g. a Windows patching cycle

Seven main categories of access control are:

1. Directive - specify acceptable rules of behavior within an organization ("administrative")
2. Deterrent - discourage people from violating security directives; reinforce directive controls
3. Preventive - stop a security incident or information breach, like a lane monitor in a car
4. Compensating - substitute for the loss of primary controls and mitigate risk down to an acceptable level; redundancy or a generator is a compensating control
5. Detective - signal a warning when a security control has been breached; monitoring that tells us when something has gone wrong
6. Corrective - remedy circumstances, mitigate damage or restore controls; fixes what the detective control reports, like a reboot of the server (versus a full restore)
7. Recovery - restore conditions to normal after a security incident, e.g. restore from backup
Examples: a lock is a physical control that is preventive in nature; a motion detector is a physical control that is detective in nature.

Describe the process or technique used to reach an anonymous consensus during a qualitative risk assessment?

The Delphi technique: an anonymous feedback and response process used to arrive at a consensus, which gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Discuss the need to perform a balanced risk assessment. What are the techniques that can be used and why is this necessary?

A purely quantitative analysis is not possible because of the intangible aspects of risk, and a purely qualitative analysis assigns no dollar figures to losses, so a balanced (hybrid) assessment uses both. Quantitative techniques: asset valuation, SLE and ALE calculations, and cost/benefit analysis of safeguards. Qualitative techniques: brainstorming, the Delphi technique, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings and interviews. Combining them gives management both a ranked view of the risks and the numbers needed to justify safeguard spending.

Explain proper termination policies

A termination policy defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee's network access and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens, badges and company property.

How is the value of a safeguard to a company calculated? A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard B. ALE before safeguard * ARO of safeguard C. ALE after implementing safeguard + annual cost of safeguard - controls gap D. Total risk - controls gap

A. ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard

When seeking to hire new employees, what is the first step? A. Create a job description. B. Set position classification. C. Screen candidates. D. Request résumés.

A. Create a job description.

Which of the following represents accidental or intentional exploitations of vulnerabilities? A. Threat events B. Risks C. Threat agents D. Breaches

A. Threat events

When a safeguard or a countermeasure is not present or is not sufficient, what remains? A. Vulnerability B. Exposure C. Risk D. Penetration

A. Vulnerability

Which of the following is not specifically or directly related to managing the security function of an organization? A. Worker job satisfaction B. Metrics C. Information security strategies D. Budget

A. Worker job satisfaction

What are the basic formulas used in quantitative risk assessment?

ALE = SLE × ARO. ARO = ALE / SLE. SLE = ALE / ARO

Explain Annualized Loss Expectancy (ALE) and how to calculate it

ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset. The formula is ALE = single loss expectancy (SLE) x annualized rate of occurrence (ARO)

explain Annualized Rate of Occurrence (ARO)

ARO is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realized) within a single year. Understanding AROs further enables you to calculate the risk and take proper precautions.
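The quantitative formulas in this set (SLE = AV x EF, ALE = SLE x ARO, value of a safeguard = ALE before - ALE after - annual cost of the safeguard, and the controls gap / residual risk relationship) carried through in code. This is an added example, not part of the study set. The asset value, exposure factor, occurrence rate and safeguard figures are constructed numbers, chosen so that the SLE and ALE reproduce the $1,000 x 3 = $3,000 example used earlier in the set.

```python
"""Quantitative risk analysis worked example (added example, not from the study set).

Formulas implemented:
    SLE = AV x EF
    ALE = SLE x ARO
    safeguard value = ALE_before - ALE_after - annual cost of safeguard
    controls gap    = ALE_before - ALE_after   (risk removed by the safeguard)
    residual risk   = ALE_after                (risk management accepts)
All sample figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float   # AV, in dollars


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # purchase amortised over its life + maintenance + staff time
    new_ef: float        # exposure factor once the safeguard is in place (0.0 to 1.0)
    new_aro: float       # annualized rate of occurrence once the safeguard is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: dollar loss from one realized threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value (0.0 to 1.0)")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected yearly loss for one threat/asset pair."""
    if aro < 0:
        raise ValueError("ARO is an expected number of occurrences per year")
    return single_loss * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net yearly benefit of a safeguard; negative means it costs more than it saves."""
    return ale_before - ale_after - annual_cost


def evaluate(asset: Asset, ef: float, aro: float, safeguard: Safeguard) -> dict:
    """Full calculation for one threat against one asset, with and without the safeguard."""
    ale_before = ale(sle(asset.asset_value, ef), aro)
    ale_after = ale(sle(asset.asset_value, safeguard.new_ef), safeguard.new_aro)
    value = safeguard_value(ale_before, ale_after, safeguard.annual_cost)
    # Decision rule from the study set: the annual cost of the safeguard should not
    # exceed the expected annual loss it removes.
    if value > 0:
        decision = "implement"
    elif value == 0:
        decision = "implement (break-even)"
    else:
        decision = "reconsider: safeguard costs more than the loss it prevents"
    return {
        "ALE_before": ale_before,
        "ALE_after": ale_after,
        "controls_gap": ale_before - ale_after,
        "residual_ALE": ale_after,
        "safeguard_value": value,
        "decision": decision,
    }


if __name__ == "__main__":
    # Constructed scenario: a $10,000 web server, an intrusion that destroys 10% of its
    # value (SLE $1,000) three times a year (ALE $3,000); a firewall costing $1,200 a year
    # is assumed to cut the occurrence rate to once every two years.
    web_server = Asset("web server", asset_value=10_000.0)
    firewall = Safeguard("perimeter firewall", annual_cost=1_200.0, new_ef=0.10, new_aro=0.5)
    for key, val in evaluate(web_server, ef=0.10, aro=3.0, safeguard=firewall).items():
        print(f"{key:>16}: {val}")
```

Only the ARO changes in the constructed scenario, which matches the set's own question about what a countermeasure alters; a safeguard such as a backup would instead lower the EF, and the same function handles that case because both post-safeguard factors are inputs.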

