CYLOC ?s
Have you done continuous monitoring of a control after implementation?
Yes, I have, since conducting an assessment is part of the continuous monitoring process.
What is a STIG (Security Technical Implementation Guide)?
A Security Technical Implementation Guide (STIG) is a cybersecurity methodology for standardizing security protocols within networks, servers, computers and logical designs to enhance overall security. Examples where STIGs are beneficial include the configuration of a desktop computer or an enterprise server. Most operating systems are not inherently secure, which leaves them open to criminals such as identity thieves and computer hackers. A STIG describes how to minimize network-based attacks and prevent system access when the attacker is interfacing with the system either physically at the machine or over a network. STIGs also describe maintenance processes such as software updates and vulnerability patching. Advanced STIGs might cover the design of a corporate network, covering configurations of routers, firewalls, domain name servers and switches.
System of Records
A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
What is a threat?
A potential violation of security; alternatively, a possible danger to a vulnerability, or the possibility of a malicious act/attempt to cause damage to an information system.
What is a vulnerability?
A vulnerability is a weakness in the protection efforts of a system.
Give me an example of a technical control you have assessed? What artifacts/evidence would you present to ensure the system is compliant?
AC-12 SESSION TERMINATION: screenshot of the timeout configuration setting.
AU-2 AUDIT EVENTS / AU-3 CONTENTS OF AUDIT REPORTS: audit logs/reports.
IA-2 IDENTIFICATION AND AUTHENTICATION / IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION: a screenshot can be taken while the system owner is performing the system walkthrough or testing.
Privacy Impact Assessment (PIA)
An analysis of how information is handled that ensures handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; determines the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and examines and evaluates protections and alternative processes for handling information to mitigate potential privacy risks.
Personally Identifiable Information (PII)
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
What activities need to be accomplished under continuous monitoring?
a. Conducting scans and remediating vulnerabilities identified by the scans
b. Assessment of the security controls
c. POAM management, which includes vulnerability identification and POAM remediation
d. Auditing
e. Overall risk and vulnerability management
What is continuous monitoring?
Continuous monitoring is a process to ensure federal information systems are effective and compliant with FISMA and NIST regulations/ guidelines.
What is continuous monitoring?
Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency's security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies.
What do you do after reviewing the scan reports?
If the scan results identify vulnerabilities that have not been remediated, the assessor will create a POAM to address the vulnerabilities identified by the scans and to urge the system owner/personnel to resolve the issues. Controls that usually fail regarding the scans are RA-5 (vulnerability scanning) and SI-2 (flaw remediation).
What trends/vulnerabilities do you look for in the scan reports?
OS scans:
a. Misconfiguration
b. Weak password detection
c. Missing patches
d. Anti-virus updates required
e. Microsoft SQL Server remote code execution, etc.
f. SQL injection
WebInspect scans:
a. Weak SSL protocol
b. Unencrypted URLs
c. Cross-site scripting
d. Cross-site request forgery
What is a Privacy Threshold Analysis?
PTAs are used to determine if a system contains PII, whether a Privacy Impact Assessment is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system. PTAs should be submitted to an organization's privacy office for review and approval. PTAs often consist of simple questionnaires that are completed by the system owner. PTAs are useful in initiating the communication and collaboration for each system between the privacy officer, the information security officer, and the information officer.
PII Confidentiality Impact Level
The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
What is a Security Content Automation Protocol (SCAP)?
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable the automated vulnerability management, measurement and policy compliance evaluation of systems deployed in an organization, including, for example, FISMA compliance. The National Vulnerability Database (NVD) is the US government content repository for SCAP. An example of an implementation of SCAP is OpenSCAP.
What is a risk?
The probability of an unwanted outcome; alternatively, the measure of potential loss when a vulnerability is exploited or acted upon.
What scanning tools do you use in your organization?
a. Nessus: for scanning OSs such as Linux, Windows, UNIX, etc.
b. WebInspect: for scanning websites/URLs
c. DbProtect: for scanning databases such as SQL DB, Oracle DB, etc.
What is a risk factor?
Any action or condition that increases the likelihood of a negative outcome.
Have you ever put together a system security plan?
It is unlikely that an assessor will develop a system security plan from scratch, but they might be required to maintain it when necessary.