Security +
As an example, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of $1,000 and that there will be 7 such occurrences a year (ARO), then the ALE
$7,000.
Quantitative Risk Assessment
(cost-based and objective)
Qualitative Risk Assessment
(opinion-based and subjective)
Good policies contain several key areas including
1. Scope statement 2. Policy overview statement 3. Policy statement 4. Accountability statement 5. Exception statement
Conducting a Risk Assessment: You've been asked to do a quick assessment of the risks your company faces from a security perspective. What steps might you take to develop an overview of your company's problems?
1. Interview the department heads and the data owners to determine what information they believe requires additional security and to identify the existing vulnerabilities from their perspective. 2. Evaluate the network infrastructure to determine known vulnerabilities and how you might counter them. 3. Perform a physical assessment of the facility to evaluate what physical risks must be countered. Armed with this information, you have a place to start, and you can determine which countermeasures may be appropriate for the company to mitigate risk.
privacy impact assessment (PIA)
A PIA is often associated with a business impact analysis, and it identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization.
Which kind of attack is designed to overload a specific protocol or service?
A flood attack is designed to overload a protocol or service by repeatedly initiating a request for service. This type of attack usually results in a DoS (denial-of-service) situation, either because the protocol freezes or because the requests consume excessive bandwidth in the network.
A network administrator is implementing a development environment and wants three virtual servers cloned and placed in a new virtual network isolated from the production network. Which of the following defines the environment the administrator is building?
The network administrator is building a sandbox. Sandboxing is the process of isolating a system before installing new applications on it to restrict any potential malware that may be embedded in the new application from being able to cause harm to production systems.
As a network administrator of a corporate network, you want to monitor all network traffic on your local network for suspicious activities and receive a notification when a possible attack is in process. What will you do?
A network-based IDS monitors all traffic on your entire network. This would give you coverage for all network traffic. It can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules.
accountability statement
Addresses who (usually expressed as a position, not the actual name of an individual) is responsible for ensuring that the policy is enforced
Once you've identified and assessed the risks that exist four possible responses that you can choose to follow
Avoidance Transference Mitigation Acceptance
The RTO is agreed on during
BIA creation.
In the case of a major business interruption, the security analysis team has documented the following objectives: expected loss of earnings, potential fines, and potential consequence to customer service. Which of the following documents would include the details of the above mentioned objectives?
BIA-BIA (business impact analysis) is a document which identifies present organizational risks and determines the impact to ongoing, business-critical operations and processes if such risks occur. BIAs contain vulnerability assessments and evaluations to determine risks and their impact on the customers. It includes all phases of the business to ensure a strong business continuation strategy.
Risks associated with virtualization include
Breaking out of the virtual machine and intermingling network and security controls
Anna works as a security administrator for a company. She notices that an overseas branch office within a company has more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be implemented to the branch office to improve their state of security?
Continuous security monitoring processes
Jena works as a chief privacy officer for an organization. She is worried that employees are sending emails to addresses outside of the company that contains PII. She asks the security administrator to implement a technology that will mitigate this risk. Which of the following would be the best option?
DLP (data loss prevention) should be implemented to mitigate this risk. DLP is a strategy to prevent end users from sending sensitive or critical information outside the corporate network. It describes software products that help a network administrator control what data end users can transfer.
Which of the following restricts access to systems from outside users while protecting users and systems inside the LAN?
DMZ (demilitarized zone) is an area in a network that allows restrictive access to untrusted users and isolates the internal network from access by external users and systems. It does so by using routers and firewalls to limit access to sensitive network resources.
Juan is the network administrator for XYZ company. He needs to place the web server somewhere on the company's network. From a security perspective, what is the best place to locate the network?
DMZ-Demilitarized zone is the area between the outer firewall and the inner firewall. This is where you place items that need to be accessed from the world. In this way those items are still protected by the outer firewall, but isolated from the inner network.
Which of the following technologies protects data through deep content inspection and contextual security analysis of transaction?
Data loss prevention
Which strategy has multiple layers or levels of access controls that are deployed within a network to provide layered security?
Defense in depth-a strategy in which multiple layers of access controls are deployed to provide layered security. It addresses security vulnerabilities in personnel, technology, and operations for the duration of the system's lifecycle.
Assessment Phase
Determines and describes the organization's current security posture
While testing, a security manager finds that several disruptions are due to a lack of redundancy in the disk controller configuration. Which of the following features will the security manager look for in a new configuration to correct this?
Disk duplexing-a variation of disk mirroring in which each of multiple storage disks has its own SCSI controller. It is the practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. It uses redundant controllers, which enable continued data access as long as one of the controllers continues to function.
three primary categories of threats that need to be identified
Environmental: Threats from the environment include things such as floods, tornados, hurricanes, and so on. If you share a building with another organization, what would happen if a fire alarm went off in their area? Would sprinklers throughout the entire building be activated and your server room flooded? Manmade: There can be overlap between the categories, and the environmental flooding of a server room could be manmade in nature, caused by an individual holding a match to the bathroom smoke detector. Internal vs. External: If the threat is an individual who is employed by your organization, then it is considered an internal threat. If the individual is not currently employed by your organization, then it is considered an external threat.
Rex, a security administrator, has a firewall with an outside network connected to the Internet and an inside network connected to the business network. Which of the following should the administrator change to divert traffic destined for the default HTTP port on the outside interface to an internal server listening on port 8080?
Establish a static PAT from port 80 on the outside network to the internal network on port 8080-The administrator should establish a static PAT from port 80 on the outside network to the internal network on port 8080. Static PAT translations enable a specific UDP or TCP port on a global address to be translated to a specific port on a local address. In this case, the default HTTP port (80) is the global address to be translated, and port 8080 is the specific port on a local address.
Which of the following is a removable device that handles digital keys and facilitates encryption as well as authentication via digital signatures?
HSM-Hardware security module is a removable device that handles digital keys and facilitates encryption as well as authentication via digital signatures.
Most virtualization-specific threats focus on
Hypervisor
Which of the following monitors the network for possible intrusions and logs that activity and then blocks the traffic suspected of being an attack?
IPS
A company's headquarters is connected to its remotely located branch offices by creating secure tunnels across the Internet. The terminating end at the headquarters requires heavy data processing. Which of the following devices should be used for this purpose?
In the given scenario, the company's headquarters is connected to its branch offices through VPNs (virtual private networks). The device terminating the ends of a tunnel generally requires heavy data processing, such as encryption and authentication for each tunnel, resulting in a heavy processor burden on that device. For this purpose, a dedicated device, called a VPN concentrator, can be used. A VPN concentrator performs the processor-intensive work required to terminate multiple VPN tunnels.
PAAS
Known as cloud platform services. In this model, vendors allow apps to be created and run on their infrastructure, e.g., Amazon Web Services and Google Code.
Which device would be the most convenient to maintain availability when there are many requests to a specific website?
Load balancing refers to shifting a load from one device to another. It can be implemented as a software or hardware solution, and it is usually associated with a device, such as a router, a firewall, NAT appliance, and so on. In its most common implementation, it breaks the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available.
Initiation Phase
Looks at implementing an IT security service, device, or process.
Rex is a security administrator for a company. He wants to limit the security team's ability to remediate vulnerabilities. Which of the following business documents should he use for reference?
MOU and SLA. Rex should use SLA (service-level agreement) and MOU (memorandum of understanding) business documents. They are used to limit the security team's ability to remediate vulnerabilities.
Max, a network administrator, wants to make sure that only those computers that he has authorized can connect on his network. What is the most appropriate security measure he will recommend?
Max should recommend MAC filtering as it only allows computers that have their MAC address listed with the router to connect to the network. It is a security method that enables a device to allow only certain MAC addresses to access a network.
Data loss prevention (DLP) system
Monitors the contents of the system to make sure that key content is not deleted or removed, and also monitors who is using the data
You want to stop malicious traffic from affecting your company's web servers. Which of the following will help you accomplish the task?
NIPS (network intrusion prevention system) is a hardware/software platform that is designed to analyze, detect, and report on security related events. It is designed to inspect traffic and, based on its configuration or security policy, it can drop malicious traffic. It is able to detect events scattered over the network and react. Through NIPS, you can stop malicious traffic from affecting your company's web servers.
Which phase of the security lifecycle provides maintenance of the security service, device, or process that was implemented in the organization?
Operations-this phase of the security lifecycle provides maintenance of the security service, device, or process that was implemented in the organization
What are the 3 ways of implementing cloud computing?
PAAS,SAAS,IAAS
John wants to evaluate, test, and deploy software updates. Which of the following management technique will he use?
Patch management is the practice of monitoring, obtaining, evaluating, testing, and deploying software patches and updates. In typical patch management, software updates are evaluated for their applicability to an environment and then tested in a safe way on non-production systems. Finally, an organized plan for rolling out a valid patch across the organization is executed.
David works as a network administrator for a large company. The company is deciding to allow trusted third-party vendors to access the corporate intranet. What should David do to secure intranet?
Place intranet servers in a DMZ so that both corporate users and trusted vendors can access it.
Guidelines
Provide specific advice on how to accomplish a given task or activity
exception statement
Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy
You can think of policies as
Providing high-level guidance on large issues. Policies provide the people in an organization with guidance about their expected behavior. Well-written policies are clear and concise, and they outline the consequences when they aren't followed. A good policy contains several key areas besides the policy itself.
Risk assessment can be either
Quantitative or Qualitative
What is the acronym associated with the point of maximum tolerable loss for a system due to a major incident?
RPO
Risk related issues associated with cloud computing include
Regulatory compliance, user privileges, data integration/segregation
This deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself
Risk assessment
chief components of a risk assessment process are
Risks to Which the Organization Is Exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these types of risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way for it to respond to them. Risks That Need Addressing: The risk assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility. Coordination with BIA: The risk assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation facing it. It allows an organization to make intelligent decisions about how to respond to various scenarios.
(RTO) and (RPO) are mentioned in what agreement
SLAs
formula when you compute risk assessment
SLE×ARO=ALE
Jane is the chief financial officer of a small bank. She is required to implement a program that provides an opportunity to discover fraud. Which of the following should she employ?
She would employ mandatory vacations. Many security policies require a mandatory one-week vacation once a year, during which an investigation into ethics and job performance might occur. In the absence of the employee, they perform various audits to find anything unusual in the employee's work. It also provides an opportunity to discover fraud.
MTTF (mean time to failure)
Similar to MTBF, the mean time to failure (MTTF) is the average time to failure for a nonrepairable system. If the system can be repaired, the MTBF is the measurement to focus on, but if it cannot, then MTTF is the number to examine. Sometimes, MTTF is improperly used in place of MTBF, but as an administrator you should know the difference between them and when to use one measurement or the other.
SAAS
Software as a Service refers to applications remotely run over the web. The advantage is that no local hardware is required and no software applications need to be installed on the machine. An example is Salesforce; cost is computed on a subscription basis.
Monica, a security administrator, needs to provide onboard hardware-based cryptographic processing and secure key storage for full-disk encryption. Which of the following should she use to fulfill the requirements?
TPM-Monica should use TPM (Trusted Platform Module). It is a hardware-based encryption solution that is embedded in the system's motherboard and is enabled or disabled in BIOS. It is a dedicated processor that uses cryptographic keys to perform a variety of tasks. For example, they can be used to authenticate devices. TPM can also be used to facilitate FDE (full-disk encryption).
Threat Vectors
The term threat vector is the way in which an attacker poses a threat. This can be a particular tool that they can use against you (a vulnerability scanner, for example) or the path(s) of attack that they follow. Under that broad definition, a threat vector can be anything from a fake email that lures you into clicking a link (phishing) to an unsecured hotspot (rogue access point) and everything in between.
ALE is the annual loss expectancy value.
This is a monetary measure of how much loss you could expect in a year.
A company does not have sufficient resources to manage its large infrastructure. A security administrator wants to syndicate the security controls of some of the network devices in the company. Which of the following methods would best accomplish this goal?
UTM (Unified Threat Management) would be best in this scenario to accomplish the goal. An all-in-one appliance, also known as UTM and NGFW, is one that provides a good foundation for security. UTM is, generally, the combination of a firewall with other abilities. These abilities include intrusion prevention, antivirus, content filtering, and so on. The advantages of combining everything into one include a reduced learning curve, a single vendor to deal with, and reduced complexity.
You are concerned about the operating systems on your servers, particularly your Web server. Which of the following are critical operating system hardening techniques you would implement on your Web server?
Update patches and Shut down unneeded services. Shutting down all unneeded services and updating patches are the fundamental elements of operating system hardening. System hardening is a term used for securing an operating system. It can be achieved by installing the latest service packs, removing unused protocols and services, and limiting the number of users with administrative privileges.
John wishes to configure his network so that only the appropriate servers are located in the DMZ. Which of the following servers would he most likely put into a DMZ?
Web server-A web server must be accessible to outside parties, and is appropriately located in the DMZ. This way any visitor to the website can be allowed through the outer firewall, but not the inner firewall. In fact, placing a web server in the DMZ is a classic example of DMZ usage.
graphical tool that is often used to identify threats
a risk register, which is essentially a scatterplot of possible problem areas
a vulnerability
a weakness that could be exploited by a threat
A managerial control is
another name for administrative control
a threat is
anything that can harm your resources
implementation phase
implements the IT security service, device, or process.
standards are derived from?
guidelines
Rex works as an employee in an organization. He is taking over the security of an existing network. He identifies a machine not being used as such but has software on it that produces the activity of a sensitive database server. What is this?
Honeypot
Risk Avoidance
involves identifying a risk and making the decision not to engage any longer in the actions associated with that risk. For example, a company may decide that many risks are associated with email attachments, and it may choose to forbid any email attachments from entering the network. As part of risk avoidance, the company takes steps to remove the risk, chooses to engage in some other activity, or puts a stop to their exposure to the risk.
Risk acceptance
is often the choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Risk acceptance is nothing more than acknowledging that a risk exists and choosing to do nothing about it. It does not necessarily mean that you will be affected by the risk, but only that you realize that such a possibility exists.
ARO(Annualized Rate of Occurrence)
is the likelihood, often drawn from historical data, of an event occurring within a year
MTTR (mean time to restore)
is the measurement of how long it takes to repair a system or component once a failure occurs. (This is often also referenced as mean time to repair.) In the case of a computer system, if the MTTR is 24 hours, this tells you that it will typically take 24 hours to repair it when it breaks.
Recovery Point Objective (RPO)
It defines the point at which the system needs to be restored. This could be where the system was two days before it crashed (whip out the old backup tapes) or five minutes before it crashed (requiring complete redundancy). As a general rule, the closer the RPO matches the time of the crash, the more expensive it is to obtain.
Recovery Time Objective (RTO)
maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively.
Cloud Computing
means hosting services and data on the Internet instead of hosting it locally
SLE (Single Loss Expectancy)
A monetary value that represents how much you could expect to lose at any one time: the single loss expectancy. SLE can be divided into two components: AV (asset value), the value of the item; and EF (exposure factor), the percentage of it threatened.
privacy threshold assessment (PTA)
more commonly known as an "analysis" rather than an "assessment." This is the compliance tool used in conjunction with the PIA.
Bottom up policy
often generated within a department (intradepartmentally)
Jennifer has been tasked with ensuring that unauthorized people cannot access the servers in the server room. She has decided to implement a card swipe and a fingerprint scan to secure the server room. What type of control is she using?
operational-Operational controls include physical controls, such as locks, lights, fences, and so on. Sophisticated locks on the server room, even if they are highly technical, are still physical controls. Their purpose is to limit physical access to some resource, not to block data access.
Scope Statement
outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses.
Two types of testing that can help identify risks are
penetration testing and vulnerability testing. They are particularly useful for identifying threats associated with authorization.
You can think of standards as
telling people what is expected. They deal with specific issues or aspects of a business. They should provide enough detail that an audit can be performed to determine whether the standard is being met.
Technical controls involve
preventing access to systems and data via the network, i.e., antivirus, intrusion detection systems, encryption, and so on
When you're doing a risk assessment, one of the most important things to do is
prioritize
Two privacy-related concepts with which you should be familiar are
privacy impact assessment (PIA) and privacy threshold assessment (PTA)
One area of primary importance for administrators today is
privacy. Not only are you charged with keeping data accessible, but that accessibility must be limited to certain parties, and those parties seem to change on a regular basis.
Policy Overview Statement
provides the goal of the policy, why it's important, and how to comply.
Policy statement
provides the substance of the policy and should be clear and unambiguous
Risk assessment is also known as
risk analysis or risk calculation
CompTIA is fond of risk mitigation and confronting it through the use of
routine audits that address user rights and permission reviews; change management, the structured approach that is followed to secure a company's assets; and incident management, the steps followed when events occur (making sure that controls are in place in order to prevent unauthorized access to, and changes of, all IT assets). Policies addressing data loss or theft need to be in place, and technology controls should be enforced.
Examples of cloud computing
running office-suite applications such as Office 365 or Google Docs, or cloud-based sites such as salesforce.com
5 key aspects of standards doc
scope and purpose, roles and responsibilities, reference documents, performance criteria, maintenance and administrative requirements
Administrative controls include
setting policies and procedures, and conducting training.
Risk Transference
share some of the burden of the risk with someone else, such as an insurance company. A typical policy would pay you a cash amount if all the steps were in place to reduce risk and your system was still harmed.
Risk Mitigation
steps to reduce risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. In Microsoft's Security Intelligence Report, Volume 13, the following suggestions for mitigating risk through user awareness training are listed: Keep security messages fresh and in circulation. Target new employees and current staff members. Set goals to ensure that a high percentage of the staff is trained on security best practices. Repeat the information to raise awareness.
MTBF is helpful in evaluating a
system's reliability and life expectancy.
MTBF (Mean Time Between Failures)
the measure of the anticipated incidence of failure for a system or component. This measurement determines the component's anticipated lifetime. If the MTBF of a cooling system is one year, you can anticipate that the system will last for a one-year period; this means that you should be prepared to replace or rebuild the system once a year. If the system lasts longer than the MTBF, it's a bonus for your organization.
Whenever you see the word qualitative
think of a best guess or opinion of the loss, including reputation, goodwill, and irreplaceable information; pictures; or data that get you to a subjective loss amount.
Whenever you see the word quantitative
think of the goal as determining a dollar amount
Top-Down Policy
uses the support of upper management