Created by DJ Perrone
about 7 years ago
Question | Answer |
--- | --- |
What is the CIA triangle? | - Confidentiality - Integrity - Availability |
In reference to the CIA triangle, what is confidentiality? | Ensuring data is protected from unauthorized disclosure. |
What are some examples of controls to increase confidentiality? | - Encryption - Steganography - ACLs |
In reference to the CIA triangle, what is integrity? | Ensuring the data has not changed in any way and that the data is accurate and reliable. |
What are some examples of controls to increase integrity? | - Digital Signatures - Checksums - Hashes |
In reference to the CIA triangle, what is availability? | Ensuring the data is accessible when and where it is needed. |
What are some examples of controls to increase availability? | - Load balancing - Hot Sites - RAID |
What is FIPS 199? | - Federal Information Processing Standard - Defines standards for security categorization of federal info systems. |
In reference to the CIA Tenets, what is a LOW impact for Confidentiality? | Unauthorized disclosure will have limited adverse effects on the org. |
In reference to the CIA Tenets, what is a MODERATE impact for Confidentiality? | Unauthorized disclosure will have serious adverse effects on the org. |
In reference to the CIA Tenets, what is a HIGH impact for Confidentiality? | Unauthorized disclosure will have severe adverse effects on the org. |
In reference to the CIA Tenets, what is a LOW impact for Integrity? | Unauthorized modification will have limited adverse effects on the org. |
In reference to the CIA Tenets, what is a MODERATE impact for Integrity? | Unauthorized modification will have serious adverse effects on the org. |
In reference to the CIA Tenets, what is a HIGH impact for Integrity? | Unauthorized modification will have severe adverse effects on the org. |
In reference to the CIA Tenets, what is a LOW impact for Availability? | Unavailability will have limited adverse effects on the org. |
In reference to the CIA Tenets, what is a MODERATE impact for Availability? | Unavailability will have serious adverse effects on the org. |
In reference to the CIA Tenets, what is a HIGH impact for Availability? | Unavailability will have severe adverse effects on the org. |
What are the 4 common Commercial Business Classifications? | - Confidential - Private - Sensitive - Public |
When is data exempt from FOIA? | - When the data is classified confidential. |
What is information life cycle? | Procedures in place for retention and destruction of data. |
What are the 7 main categories of access controls? | - Compensative - Corrective - Detective - Deterrent - Directive - Preventative - Recovery |
In reference to access controls, what is the compensative category? What are some examples? | - In place to substitute for a primary access control, as a way to mitigate risk. - Two signatures before release, two keys to open a box |
In reference to access controls, what is the corrective category? What are some examples? | - In place to reduce the effect of an attack. Fixes and restores the entity. - Installing fire extinguishers, new firewall rules, restoring a previous server image |
In reference to access controls, what is the detective category? What are some examples? | - In place to detect an attack while it's occurring to alert personnel. - Examples are motion detectors, IDS, logs, and job rotation. - Useful during an event. |
In reference to access controls, what is the deterrent category? What are some examples? | - In place to deter or discourage an attacker. - Examples are user IDs and authentication, fences and NDAs. |
In reference to access controls, what is the directive category? What are some examples? | - Specify acceptable practice within an org. - An example is an Acceptable Use Policy (AUP). |
In reference to access controls, what is the preventive category? What are some examples? | - Prevent an attack from occurring. - Controls are locks, badges, encryption, IPSs, security awareness training. |
In reference to access controls, what is the recovery category? What are some examples? | - Recovering a system after an attack. Primary goal is restoring resources. - Examples are disaster recovery plans, data backups and offsite facilities. |
What are types of access controls? | - Administrative (management) - Logical (technical) - Physical |
What is an administrative (management) control? | Implemented to administer the org's assets and personnel. Includes security policy, procedures, standards and baselines established by management. - Soft controls. |
What is a logical (technical) control? | Controlling software or hardware to restrict access. Examples are firewalls, IDS, IPS, encryption, auditing and monitoring. - Most technical controls fall into the preventive category. |
What is a physical control? | Implemented to protect an org's facilities and personnel. Should take priority over all else. |
What is STRM? | Security Requirement Traceability Matrix |
In reference to FIPS 199, what is an SC? | Security Category. Expresses the three tenets with their impact values for an organizational entity. |
How do you calculate the SC? | SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)} |
What is another name for the FIPS 199 nomenclature to calculate the SC? | Aggregate CIA score |
The following are examples of what? - Reckless/untrained employee - Partner - Disgruntled Employee - Internal/government spy - Vendor - Thief | Internal Actors |
The following are examples of what? - Anarchist - Competitor - Corrupt Government Official - Data miner - Government Cyber Warrior - Terrorist | External Actors |
Internal/External actors are divided into what sub-categories? | - Hostile - Non-hostile |
What criteria are used to analyze threat actors? | - Skill Level - Resources - Limits - Visibility - Objective - Outcome |
What tool is used in risk management to identify vulnerabilities and threats? | Risk assessment |
What are the 4 main goals of risk assessment? | - ID assets and asset value - ID vulnerabilities and threats - Calculate threat probability and business impact - Balance threat impact with countermeasure cost. |
What does SLE stand for? | Single Loss Expectancy |
What is SLE? | The monetary impact of each threat occurrence. SLE = AV * EF, where AV = Asset Value and EF = Exposure Value. |
What is EV? | Exposure Value. The percentage of an asset's value or functionality that will be lost when a threat occurs. |
What does ALE stand for? | Annualized Loss Expectancy |
What is ALE? | The expected risk factor of an annual threat event. |
What is ARO? | Annualized Rate of Occurrence |
How do you calculate the ALE? | ALE = SLE * ARO |
What is ARO? | Annualized Rate of Occurrence. The estimate of how often a given threat might occur annually. |
What is payback? | Comparing ALE against the expected savings as a result of an investment. |
What is NPV? | Net Present Value. Considers that money spent today is worth more than savings realized tomorrow. |
How do you calculate the NPV? | Divide the yearly savings by (1 + discount rate) raised to the power of the number of years. Example for one year at a 10% rate: NPV = 2500 / 1.1 = 2272.73 |
What are the 4 strategies for risk reduction? | - Avoid - Transfer - Mitigate - Accept |
What are the 6 steps of risk management according to NIST SP 800-30? | - Identify the assets and their value - Identify threats - Identify vulnerabilities - Determine likelihood - Identify impact - Determine risk (likelihood + impact) |
What is residual risk? | residual risk = total risk - countermeasures |
What is SABSA? | Sherwood Applied Business Security Architecture |
What are the 6 layers of the SABSA framework matrix? | - Operational - Component - Physical - Logical - Conceptual - Contextual |
What are the NIST SP 800-53 control families for the technical class? | - Access Control (AC) - Audit and Accountability (AU) - Identification and Authentication (IA) - System and Communications Protection (SC) |
What are the NIST SP 800-53 control families for the operational class? | - Awareness and Training (AT) - Configuration Management (CM) - Contingency Planning (CP) - Incident Response (IR) - Maintenance (MA) - Media Protection (MP) - System and Information Integrity (SI) |
What are the NIST SP 800-53 control families for the management class? | - Security Assessment and Authorization (CA) - Planning (PL) - Program Management (PM) - Risk Assessment (RA) - System and Services Acquisition (SA) |
What is a BCP? | Business Continuity Plan - Lists and prioritizes the services needed for business restoration. |
What is defined in NIST Special Publication 800-34 (Rev 1)? | Business continuity steps |
What are the steps listed in SP 800-34 R1 for business continuity? | - Develop contingency planning policy - Conduct business impact analysis (BIA) - Identify preventive controls - Create recovery strategies - Develop business continuity plan (BCP) - Test, train and exercise - Maintain the plan |
What are the different time frames between strategic plans and tactical plans? | Strategic Plans: 3-5 or more years Tactical Plans: 6-18 months |