Security Exam #1

Risk Assessment Process

1.Identify threats and vulnerabilities 2.Identify the likelihood that a risk will occur 3.Identify asset values 4.Determine the impact of a risk 5.Determine the usefullness of a safeguard or control

Risk Methodology

A description of how you will manage risk.

Risk Register Contents

A description of the risk Expected impact if the event occurs The probability of the event occurring Steps to mitigate the risk Steps to take shold event occur Risk Ranking.

Risk Register

A list of identified risks.

Event

A measurable occurrence that has an impact on the business.

Risk Assessment

A process used to identify, assess, prioritize, and address risks on the vasis of threats and vulnerabilities, BEFORE they lead to an incident.

Countermeasure

A targeted control, provide specific protection, put in place in repsonse to some event/attack.

Vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset.

Policy Definition Phase

Decides who has access and what systems or resources they can use. -tied to the authorization

Compensating Control

Desinged to address a threat in place of a preferred control that is too expensive or difficult to implement.

What are some risk controls?

Detective Preventive Corrective Deterrent Compensating

Deterrent Controls

Deter an action that could result in a violation. They merely attempt to suggest that a subject should not take some action.

Types of Formal Models of Access Control

Discretionary AC Mandatory AC Non-Discretionary/ Role-Based AC Rule-Based AC

What is the following: The malfunction of a badge reader on the employee entrance. Employees calling in sick Probability or Impact?

Probability

Risk are ___________ based on importance or impact severity, and then prioritized.

Quantified

Risk Assessment Approaches

Quantitative Qualitative

Risk Assessment: Qualitative Approach

Ranks risks based on their probability or cocurrence and ipact on business operations.

Corrective Controls

Reduce the effects of a threat.

What are the three phases of Risk Management?

Risk Assessment Risk Mitigation Evaluation and Assurance

Risk Management Strategies

Risk Sharing Risk Control Risk Acceptance Risk avoidance

Richman Investments provides high-end smartphones to several employees. The value of each smartphone is $500, and approximately 1,000 employees have these company-owned devices. In the past year, employees have lost or damaged 75 smartphones. What is the SLE, ARO, and ALE?

SLE- 500 ARO- 75 ALE-SLE*ARO-->$500*75=$37,500

Location Authentication

SOMEWHERE you are

Characteristics Authentication

Something you ARE

Action Authentication

Something you DO

Ownership Authentication

Something you HAVE

Knowledge Authentication

Something you KNOW

What are some examples of threats?

State actor hacking, insider threats, hacktivism, accounting fraud.

What is a example of an adversarial threat?

State-sponsored hacking

Preventive Controls

Stop threats form coming in contact with a vulnerability.

Impact

The amount of harm a threat exploiting a vulnerability can cause. Negative result if a risk occurs

Recovery Time Objective (RTO)

The amount of time it takes to recover and make system, application, and data available after an outage.

Meant time for Failures (MTTF)

The average amount of time between failures for a particular system.

Mean time to repair (MTTR)

The average amount of time to repair a system, application, or components.

Information System Security

The collection of activities that protect the information system and the data stored in it.

What is the following: A workstation that fails to boot up A production system breaking down Probability or Impact?

Impact

Opportunity

Ability to carry out misappropriation of cash or organiztonal assets.

Safeguard

Addressses gaps or weaknesses in controls that could lead to a realized threat.

What are the Threat Identification?

Adversarial Accidental Structural Environmental

Zero Day

An unpatched software hole previously unknown to the software vendor and the code attackers use to take advantage of said hole.

Threat

Any action that could damage an asset. an opporunity to exploit a vulnerability.

Incident

Any event that violates or threatens to violate your security policy.

Risk Assessment: Quantitative Approach

Attempts to descibe risks in finacial terms and put a dollar value on each risk.

What are the Access Control Components?

Authorization Identification Authentication Accountability

What are the two phases that the four parts of the access control categorized in?

Policy Definition Policy Enforcement

What are some common threats in the Remote Access Domain?

Brute-forec user ID and password attacks Multiple logon retries and access control attacks Unauthorized remote access to IT system, applicaiton, and data Confidential data ompromised remotely

What are some examples of vulnerabilities?

Poor system integration, poor system configuration, open culture, lack of employee/student awareness.

Information System

Combination of hardware, software, data, processes, and people.

What is the CIA Triad?

Confidentiality Integrity Availability

Access Control List (ACL)

Contains a list of users and gourps to which the user has permitted access together with the level of access for each user or group.

Logical Access Control

Control access to a omputer system or network.

Physical Access Control

Control entry into buildings, parking lots, and protected areas

What are the Risk control tradeoff?

Cost Operational Impact (Convenience Vs Security trade off) Feasbility

Annual Loss Expectancy (ALE)

Expected loss for a year Formula: SLE x ARO SLE- Single loss Expectancy ARO- Annual rate of occurrence

What are some examples of a Corrective Control?

Forensics and Incident Responses

Availability

Formula: =Total U/(Total U + Total D) Key: -D-->Downtime -U-->Uptime

What is a example of an Structural threat?

Fraud

Policy Enforcement Phase

Grants or rejects request for access based on the authorizations defined in the first phase. - tied to identification, authrntication, and accountability.

Fraud Triangle

Has 3 elements to it: Rationalization Pressure Opportunity

Detective Controls

Identify that a threat has landed in your system.

Control

Includes both safeguards and countermeasures.

What is a examples of a Detective Control?

Intrusion Detection System (IDS)

What is a example of a Preventive Control?

Intrustion Prevention System

What is the 3 requirement for a data to have integrity?

It has not been altered. It is valid. It is accurate.

Rationalization

Justification of dishonest action.

What are some Authentication Types?

Knowledge Ownership Characteristics Location Action

What are some common threats in the User Domain?

Lack of awareness Apathy toward policies Violating security policy Inserting CD/DVD/USB with personal files Downloading photos, music, or videos Destructing systems, applications, and data Disgruntled employee attacking organization or committing sabotage Employee blackmail or extortion Fraud

Probability

Likelihood that a threat agent willl exploit a vulnerability.

Risk

Likelihood that something bad will happen to an asset. Formula: _______ Level = probaility x Impact(cost)

How is risk primarily determined, by which 3 function within Risk assessment analysis?

Liklihood of a threat to exploit a vulnerability Impact on the org. Sufficienty of contorls to either eliminate or mitigate.

Integrity

Maintain valid, uncorrupted, and accurate information.

What are some examples of a risk?

Major earthquake, tsunami, extended power outage, data loss.

Pressure

Motivation or incentive to commit fraud.

What is a example of an Environment threat?

Natural Disasters

What is a example of an Accidental threat?

Non-malicious Insiders

Annual Rate of Occurrence (ARO)

Number of times an incident is expected to occur in a year.

What is the difference between a Deterrent Control and a Preventive Control?

One control suggests that a subject should not take some action while the other control does not allow the action to occur.

What are some common threats in the WAN Domain?

Open, public, and accessible data Most of the traffic being sent as clear text Vulnerable to eacesdropping and malicious attacks Vulnerable to denial of service (DoS) and Distributed denial of services (DDoS) attacks Hackers and attackers emailing trojans, worms, and malicious software freeely and constantly.

What are some examples of confidentiality ?

Personal data and information Intellectual Property National Security

What are the two types of Access Controls?

Physical Logical

Cryptography

Practice of hiding data and keeping it away from unauthorized users.

Discretionary Access Control (DAC)

The owner of the object specifies which subjects can access the object. The access properties are stored in the ACL, Access Control List.

Access Control

The process of protecting a resource so that it is used only by those allowed to do so.

Encryption

The process of transforming data from cleartext into Ciphertext.

Ciphertext

The scrambled data that are the result of encrypting cleartext.

What is an example of a Ownership-based authentication type?

Token ID Card

Single Loss Expectancy (SLE)

Totlat loss expected from a single incident Formula: AV x EF AV- Asset Value EF- Exposure Factor

What are some common threats in the Workstation Domain?

Unauthorized access Unauthorized access to system, application and data Desktop or laptop oprating system vulnerabilites and/or patches Virusess, malicious code, and other malware User inserting CD/DVD/USB with personal files Downloading photos, music, or videos

What are some common threats in the Systems/Application Domain?

Unauthorized access to data centers, computer rooms, and wiring closets Difficult-to-manage servers that require high availability Corrupt or lost data Server operating systems software vulnerability management Security required by cloud computing virtual environments

What are some common threats in the LAN Domain?

Unauthorized physical access Unauthorized acces to systems, application, and data ______ server operating system vulnerabilities _____ server application software vulnerabilites and software patch Rogue users on WLAN Confidentialtiy of data on WLAN

What are some common threats in the LAN-to-WAN Domain?

Unauthorized probing and port scanning Unauthorized access IP router, firewall, and network appliance oprationg system vulnerability Local users downloading unknown file types from unknown sources.

What is an example of a Characteristics-based authentication type?

Unique rentinal pattern Fingerprint

What are the seven domain in a typical IT Infrastructure?

User Domain Workstation Domain LAN Domain LAN- to- WAN Domain WAN Domain Remote Access Domain System/Application Domain

What are some examples of Integrity?

User names and password Patents and Copyrights Source Codes Diplomatic Information Financial data

What is an example of a knowledge-based authentication type?

Username Password

What are you trying to balance when it comes to risk management options?

Utility and cost Ex. - a countermeasure without a corresponding risk is a solution seeking a problem, difficult to justify the cost.