CSM
Jun 19th, 2019

What are the specialized areas of security?
- Physical Security (biometrics, fences, CCTV)
- Personal Security (evacuation plan, floor warden)
- Operations Security (BCP plan)
- Communications Security (encryption)
- Network Security (firewall, IDS, IPS)

What are the communities of interest?
- InfoSec community: protects information assets from threats (information security managers, CISO).
- IT community: supports business objectives by supplying appropriate information technology (CTO, IT head).
- Business community: policy development and provision of resources (top management, department heads).

What is the CIA triangle?
- Confidentiality
- Integrity
- Availability

What are the core goals of information security and security controls?
Confidentiality, integrity and availability are the core goals of information security. Security controls are typically evaluated on how well they address these three core goals (e.g. a poor firewall addresses them badly).

What are the states of data?
In transmission, in process, in storage. CIA is needed in all three states.

What is Confidentiality in the CIA?
- Confidentiality: protecting data from unauthorized access, use or disclosure.
Attacks: capturing network traffic, stealing password files, or human error such as leaving a terminal open.
Security controls: encryption, access controls (only those with sufficient privileges may access certain information).
- Privacy (related to confidentiality)
Layman's terms: disclosure causing embarrassment. Information is to be used only for purposes known to the data owner and not disclosed to the public (e.g. public domain information used by the public is non-confidential).

What is Integrity in the CIA?
Integrity is preventing unauthorized modification of data, whether intentional or unintentional. Integrity is the quality or state of being whole, complete and uncorrupted.
Attacks: viruses, unauthorized access, human error such as modifying or deleting files or entering invalid data.
Controls include: strict access control, input/function checks.

What is Availability in the CIA?
Availability is making information accessible to authorized users in a timely manner and without interference or obstruction.
Threats include device failure and environmental issues (heat, static, flooding, power loss, and so on), as well as DoS attacks.
Countermeasures: monitoring performance and network traffic (SNMP), using firewalls and routers to prevent DoS attacks, redundancy.

What is the AAA of the CIA?
- Authentication and Identification
- Authorization
- Accountability
- Auditing (a concept related to Accountability)

What is Authentication and Identification in the AAA of the CIA?
- Identity is a claim about who the user is.
- Providing an identity: a username; swiping a smart card; or positioning your face, hand or finger for a camera or scanner.
- Authentication is verifying whether the claimed identity is valid or not. It sometimes requires additional information (password, PIN), or identification is handled by other means, such as physical location.
- Together they form a single two-step process: providing an identity is the first step, and providing the authentication factors is the second step.

What is Authorization in the AAA of the CIA?
- The actions that authorized personnel are allowed to perform and the objects a user can access once the user has been identified and authenticated.
- The system evaluates an access control matrix that compares the subject, the object and the intended activity.
- Related attack: privilege escalation (dual segregation of duties).

What is Accountability in the AAA of the CIA?
- Holds users accountable for their actions.
- Depends upon strong authentication that provides assurance that every activity undertaken can be attributed to a named person or automated process. E.g. password sharing breaks this and leaves the organization legally vulnerable.
- Passwords vs. multifactor authentication.
- Auditing (a concept related to accountability): actions are tracked and recorded for the purpose of holding the subject accountable for their actions; they are written to a log, which provides an audit trail (history of events).
- Auditing vs. monitoring.
- Auditing is needed to detect malicious actions and system failures, to reconstruct events, to provide evidence for prosecution, and to produce problem reports and analysis.

What is the NSTISSC Security Model?
NSTISSC stands for the National Security Telecommunications and Information Systems Security Committee.

What are the six Ps?
The extended characteristics/components of information security are known as the six Ps:
- Planning
- Policy
- Programs
- Protection
- People
- Project Management

What is Policy?
The set of organizational guidelines that dictate certain actions within the organization. In InfoSec, there are three general categories of policy:
- General program policy, the Enterprise Information Security Policy (EISP): overall security, roles and responsibilities.
- Issue-Specific Security Policy (ISSP): a specific technology, such as email or internet use.
- System-Specific Policies (SSP): standards or procedures/checklists.

What is a Program?
Policy is broken down into programs for implementation. Programs inside the Enterprise Information Security Policy (EISP) may be an employee security awareness program or the implementation of a firewall.

What is Protection?
- Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies and tools.
- Finding weaknesses and strengthening them.

What is People in the six Ps?
- Managers need to perform a leadership role.
- Mintzberg's roles of managers:
- Informational role (providing and receiving communication)
- Interpersonal role (leadership, networking)
- Decisional role (problem solving, change management, allocating resources, negotiation)

What is Project Management in the six Ps?
A project is a task of a temporary nature, with a start, a finish and a goal. POLC.

What is Risk Management?
1. Risk identification (identify the threats and calculate their risk)
2. Risk control (deciding what safeguards are to be put in place)

What is the Risk Management Process?
1st stage: Risk Management Strategy
2nd stage: Risk Management Program
3rd stage: Risk Management Team
4th stage: Risk Identification

What is the Risk Management Strategy in the Risk Management Process?
1st stage: Risk Management Strategy
- Incorporates all risk management processes, activities, methodologies and policies to support the objectives of the organization, i.e. its security needs.
- The basis for the risk management program.
- Determined by internal and external factors.
- Developed by the board of directors or management.
- Constantly updated because of internal and external factors.

What is the Risk Management Program in the Risk Management Process?
2nd stage: Risk Management Program
- Carried out to achieve the risk management strategy.
- The risk management program will include:
1. Context and purpose of the program
2. Risk management team
3. Asset identification and classification
4. Methodology to be used

What is the Risk Management Team in the Risk Management Process?
3rd stage: Risk Management Team
- Defines the authority and responsibility of the different communities of interest.
- Provides adequate resources to carry out the program.
- The responsibilities of these communities are:
1. Evaluating risk
2. Determining control options
3. Acquiring and installing controls
4. Ensuring controls remain effective

What is Risk Identification in the Risk Management Process?
4th stage: Risk Identification
- Asset identification. Types of assets:
1. People (different employees, contractors, vendors)
2. Procedures (standard and sensitive)
3. Data (transmission, processing and storage)
4. Software (applications, operating systems, security components)
5. Hardware
6. Network (network devices; the most attacked)

What is Asset Classification?
Classify the asset by priority (critical or non-critical). How to assign value to an asset:
1. Which information asset is the most critical to the success of the organization?
2. Which information asset generates the most revenue?
3. Which information asset generates the highest profitability?
4. Which information asset is the most expensive to replace?
5. Which information asset is the most expensive to protect?
6. Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability? (Cambridge Analytica scandal)

What is threat identification and assessment?
The process of identifying the threats that have the potential to endanger the organization. Criteria for threat assessment (impact):
1. Which threat represents the most danger to the organization? The danger depends upon:
a. the probability of the threat attacking the organization
b. the frequency with which the attack can occur
c. the amount of damage it could create
2. How much would it cost to recover from the damage?
3. Which of the threats require the greatest expenditure to prevent?

What is a Vulnerability?
A vulnerability is a flaw, loophole or error in the IT infrastructure; when a vulnerability is exploited, it causes loss of or damage to the asset.

What is the main purpose of a CBA (Cost Benefit Analysis / Economic Feasibility Study)?
The main purpose of a CBA is to select a suitable safeguard based on its cost and benefit.
Cost: the cost of a control or safeguard includes:
- Cost of development or acquisition of hardware, software and services
- Training fees
- Cost of implementation
- Service costs (e.g. hiring experts)
- Cost of maintenance (AMC or annual subscription)
Benefit: the value to the organization of the loss prevented by using specific controls. The loss is the value of the asset that is at risk. Benefit calculation begins with asset valuation and impact assessment.

What is Asset Valuation?
The process of assigning a financial value or worth to each information asset. This can include actual costs or non-monetary costs, so valuation can be difficult, and asset valuation differs from one organization to another based on factors such as:
- cost to create or acquire, design and install, including maintenance
- cost to replace right now
- estimated or real costs of protection against loss and litigation (fines and penalties)
- value to owners and users (critical success, profitability)
- worth to the competition (competitive advantage)

How to do Impact Assessment?
After asset valuation, the next step is to identify the potential loss to the asset that could occur from the risk, in order to estimate the potential loss per risk. The questions that must be asked here include:
1. What financial impact would occur due to damage?
2. What would it cost to recover from the attack, in addition to the financial impact of the damage? (The goal here is to calculate the Single Loss Expectancy for each risk.)

How to calculate Single Loss Expectancy (SLE)?
It is the estimated loss to a single asset from a single occurrence of a risk.
SLE = Asset Value (AV) x Exposure Factor (EF)
Exposure Factor = the percentage of potential loss to the organization caused by a specific threat. The exposure factor for a small asset will be less, while for a high-value asset it will be more.

How to calculate Annual Loss Expectancy (ALE)?
ALE is the estimated yearly cost of the loss from a risk.
ALE = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)
ARO is the expected frequency with which a specific threat or risk will occur (that is, be realized) within a single year. The higher the frequency of the threat, the higher the ARO.

How to calculate the Cost Benefit Analysis (CBA)?
Estimates whether the cost associated with a control is justifiable or not. It is calculated before the control or safeguard is implemented, to determine whether the control is worth implementing, and calculated again after the controls have been implemented and functioning for a time.
CBA = ALE(prior) - ALE(post) - ACS
ALE(prior to control) is the ALE of the risk before the implementation of the control. ALE(post control) is the ALE examined after the control has been in place for a period of time. ACS is the Annual Cost of the Safeguard.

What are the alternatives to CBA (qualitative analysis)?
- Benchmarking
- Due care and due diligence
- Best business practices
- Gold standard
- Government recommendations
- Baselining

How is Benchmarking an alternative to CBA?
Comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business, or to find a performance gap.
How to perform benchmarking:
- Metric-based measures (the comparison is done on numbers that measure performance, like the number of successful attacks or the number of security staff)
- Process-based measures (the processes used to attain goals)
Two categories of benchmarks are used:
- Standards of due care and due diligence
- Best practices
Problems with benchmarking:
- Lack of cooperation between organizations.
- No two organizations are identical.
- Limitation of resources.
- Simply knowing what was going on a few years ago doesn't necessarily indicate what to do next (changes in the external and internal environment).

How are Due Care and Due Diligence an alternative to CBA (qualitative analysis)?
1. Standard of due care
- When an organization must meet certain minimum levels of security in order to comply with legal requirements (e.g. protection of personal data).
- CBA is not applicable to safeguards imposed by legislation.
2. Due diligence
- When an organization has achieved a standard of due care (applied controls at or above the prescribed levels).
- Monitoring that the implemented standards continue to provide the required level of protection. There is legal liability for failure to maintain both.

How are Best Practices an alternative to CBA?
- The best security efforts in the overall industry.
- Benchmarking of best practices via metric-based and process-based measures.
- Should be economically feasible.

How is the Gold Standard an alternative to CBA?
- Recognition that an organization has achieved "best of the best" performance in a certain area.
- A gold standard is usually prescribed by the internal standard-setting body. For example, ISO 27002 is regarded as the 'gold standard' in information security (114 controls to be fulfilled to become ISO compliant).

How are Government Recommendations an alternative to CBA?
- Some industries are regulated by the government (licensing).
- The government specifies requirements for those industries.

How is Baselining an alternative to CBA?
- A process of benchmarking.
- Establishes a standard, based on benchmarking/best practices, against which actual performance is measured. E.g. the number of attacks.

What are the Risk Control Strategies?
1. Avoidance
2. Transference
3. Mitigation
4. Acceptance

What is Avoidance in the Risk Control Strategies?
- Avoid doing the activity that has extreme risk.
- The process of selecting alternate options or activities that have less associated risk (HTTP vs. HTTPS).

What is Transference in the Risk Control Strategies?
Transfers the risk of loss to another party or organization, for example through insurance.

What is Mitigation in the Risk Control Strategies?
Reduces the impact of loss through planning and preparation. It deals with early detection and response, accomplished by countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards. There are three common methods used to mitigate:
- Application of policy
- Education and training
- Application of technology

What is Acceptance in the Risk Control Strategies?
Accepting the risk without controls or mitigation when the cost of countermeasures would outweigh the possible cost of loss due to the risk and the risk is low.

What is Risk Appetite?
- The quantity and nature of risk that an organization is willing to accept, for which no controls will be applied.
- The capacity is based on various factors like the type of business, the criticality of information assets, and the attitude towards risk.
- Balances the cost of controls against the risk of loss (a higher chance of loss means a lower risk appetite and more controls).

What is Residual Risk?
The risk that remains after applying countermeasures (e.g. an accounting system). The goal of information security is not to bring residual risk to zero, but to bring it in line with the organization's risk appetite. If residual risk > risk appetite, more controls need to be applied; if residual risk < risk appetite, excessive controls may have been applied.

What basic rules must be followed when shaping a policy?
- Never conflict with the law.
- Stand up in court.
- Be properly supported and administered by top management.
- Contribute to the success of the organization.
- Involve the end users of information systems (be practical).

How to create a good security policy? (Bull's Eye Model)
Layers of the bull's eye:
- Policies: the first layer of defense
- Networks: where threats first meet the organization's network
- Systems: computers and manufacturing systems
- Applications: all application systems

What are Policy, Standards, Guidelines and Procedures?
Policy is a plan or course of action that influences and determines decisions. Mandatory.
Standards are detailed statements of how to use hardware, technology, software and security controls. Mandatory.
Guidelines are recommended actions and guides on applying a specific standard, or are used when there are no standards. Flexible (customizable).
Procedures are step-by-step guides for accomplishing a task; they describe the exact actions necessary to implement a specific security mechanism or solution (e.g. hardware deployment). Mandatory.

What are the different types of Information Security Policy?
- Enterprise Information Security Policy (EISP)
- Issue-Specific Security Policies (ISSP)
- Systems-Specific Security Policies (SysSP)

What is the Enterprise Information Security Policy (EISP)?
Sets the strategic direction, scope and tone for the organization's security efforts. An executive-level document by the CISO.
Guides the development, implementation and management requirements of the information security program.

What are the components of the Enterprise Information Security Policy (EISP)?
EISP components:
1. An overview of the corporate philosophy on security
2. Information on the structure of the information security organization and the individuals who fulfill the information security role
3. Fully articulated responsibilities for security that are shared by all members of the organization (employees (e.g. badges), contractors, consultants, partners and visitors (e.g. log book))
4. Fully articulated responsibilities for security that are unique to each role within the organization (HR vs. marketing)

What is an Issue-Specific Security Policy (ISSP)?
Focuses on the proper use of technologies and department/unit functions, like email, use of the internet, and individual department functions. There are different approaches to an Issue-Specific Security Policy (ISSP). Components of an ISSP:
1. Statement of policy
a. Scope and applicability
b. Definition of the technology addressed
c. Responsibilities
2. Authorized access and usage of equipment: who can use the technology governed by the policy and for what purposes. Fair and responsible use.
3. Prohibited usage of equipment
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed or other intellectual property
4. Systems management: specifies users' and systems administrators' responsibilities so that all parties know what they are accountable for (e.g. data owners).
5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations
6. Policy review and modification
a. Scheduled review of the policy and procedures for modification
7. Limitations of liability
a. Statements of liability
b. Other disclaimers as needed

What is a Systems-Specific Policy (SysSP)?
They often function as standards or procedures to be used when configuring or maintaining systems, hardware and software. Systems-Specific Policies (SysSP) can be separated into:
1. Management guidance:
- Created by management to guide the implementation and configuration of technology.
- Informs technologists of management's intent.
2. Technical specifications:
- System administrators' directions on implementing managerial policy.
- Each type of equipment has its own technical specifications SysSP.
- There are two general methods of implementing such technical controls:
- Access Control Lists
- Configuration Rules

What are Access Control Lists (ACLs)?
ACLs control access to file storage systems, objects, or other network communication devices. They include the user access lists, matrices and capability tables that govern the rights and privileges of users. In general, ACLs regulate:
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system from
- How authorized users can access the system
- Restricting what users can access, e.g. printers, files, communications and applications. E.g. a firewall (filter, block, reduce)

What are Configuration Rules?
Configuration rules are instructional codes that dictate which actions to perform on each set of information the systems process: specific configuration scripts telling the systems what actions to perform on each set of information. Rule-based policies are more specific than ACLs.

What is Contingency Planning?
- Different from the Risk Management Framework (risk management is proactive, whereas contingency planning is reactive).
- The goal is to restore normal business within a reasonable period of time at minimum cost.
- The main aim is to make the organization resilient.
- The Hartford insurance company estimates that, on average, over 40 percent of businesses that don't have a disaster plan go out of business after a major loss like a fire, a break-in or a storm.

What are the components of Contingency Planning?
Business impact analysis: identifies the information systems that are critical for business operations and assesses the consequences of a disruption of those systems. A high-impact system (with a high requirement for the information security objectives) will have a huge impact on the business; a low-impact system (with a low requirement for the information security objectives) will have a low impact on the business. Its results help in the development of the following plans:
- Incident Response Plan (IRP)
- Disaster Recovery Plan (DRP)
- Business Continuity Plan (BCP)

What is the Incident Response Plan (IRP)? What is an incident?
An incident:
- Is directed against information assets.
- Has a realistic chance of success.
- Threatens the CIA of information resources.
The IRP deals with how to identify, mitigate and recover from such computer incidents.

What is the Disaster Recovery Plan (DRP)? What is a disaster?
A disaster occurs when:
- The organization is unable to mitigate the impact of an incident.
- The impact is so severe that the organization cannot recover quickly.
The DRP deals with restoring information system operations at the primary site during the emergency.

What is the Business Continuity Plan (BCP)?
- Used when operations cannot be quickly restored at the primary site and the disruption will have a long-term impact.
- Enables the organization to continue business at alternative sites (hot, warm, cold).

What are the steps of Contingency Planning?
1. Develop the CP policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan. The Contingency Planning Management Team is headed by the Information Security Contingency Plan Coordinator and includes members from the business community, the IT manager, information security, legal and the CIO. It is related to other policies (HR, accounting, etc.).
2. Conduct the BIA. The BIA helps identify and prioritize the information systems and components critical to supporting the organization's mission/business processes, and what the major consequences would be in case of disruption.
3. Identify resource requirements: an evaluation of the resources required to resume mission/business processes as quickly as possible. Identify internal and external POCs.
4. Identify preventive controls: identification of effective contingency planning preventive controls and maintenance of these controls on an ongoing basis (e.g. fire suppression system, fire extinguishers, backups).
5. Create and implement the contingency strategy: deals with selecting and implementing the right set of security controls (e.g. for incidents, disasters and business continuity).
6. Plan testing, training and exercises
- Testing: determines the operability of the plan by identifying any deficiencies. Should be as close to the operating environment as possible (e.g. network down, calling the POC).
- Training: informs personnel of their roles and responsibilities within a particular information system contingency plan and teaches them the skills related to those roles and responsibilities, preparing them for participation in exercises, tests and emergencies. Done annually.
- Exercises: a simulation of an emergency designed to validate the successful operation of the components of contingency planning (drill test).

What are Business Process and Recovery Criticality?
It is the process of determining the recovery of high-impact systems, based on the following criteria:
1. Maximum Tolerable Downtime (MTD): the total amount of outage or disruption time that the system owner is willing to accept, considering all impacts.
2. Recovery Time Objective (RTO): the maximum time period within which the business process has to be restored to avoid unacceptable impact (MTD vs. RTO).
3. Recovery Point Objective (RPO): measured in time; shows the acceptable amount of data loss that the business/process can tolerate.
4. Work Recovery Time (WRT): deals with restoring data, testing processes and then making everything live for production.

What are the stages of Business Impact Analysis?
1. Threat attack identification and prioritization: create an attack profile for each attack, which includes the symptoms of the attack and which information systems it will impact.
2. Business unit analysis: identify critical business functions and their supporting information systems.
3. Attack success scenarios: create a series of scenarios determining the outcome of a successful attack from each threat on each critical information system.
4. Potential damage assessment: the outcome of each scenario is ranked (low, medium, high). Attack scenario end case.
5. Subordinate plan classification: decide which plan to execute, e.g. IR plan (low), DR plan (medium) and BC plan (high).

What are the stages of Incident Response Planning?
1. IR planning: for each attack scenario developed in the BIA, develop a series of predefined actions in a checklist.
2. Incident detection: incident indicators provided by humans or automated systems.
3. Incident reaction: stop the incident, mitigate the impact, inform key personnel (alert roster, alert message), documentation (learning, legal standpoint, running the simulation).
4. Incident recovery: damage assessment and recovery method. Includes the following activities:
i. Identifying vulnerabilities
ii. Addressing safeguards
iii. Restoring data from backups
iv. Monitoring the system
v. Informing the communities of interest

What are the stages of the Disaster Recovery Plan?
1. Disaster recovery plan: includes the types of disaster and the specific recovery procedures during and after each type of disaster. Roles and responsibilities.
2. Crisis management: creating a crisis management team and a command center. Two functions:
a. Accounting for everyone / supporting personnel.
b. Activating the alert roster.
c. Keeping the public/management informed.
3. Recovery scenarios: restore the system to full operation. If the primary site is destroyed, the BCP is initiated.

What are the stages of the Business Continuity Plan?
BCP is used more in multinational companies than in small companies.
1. Plan for continuity of operations: deals with finding temporary facilities equipped with the necessary resources to run critical functions and continue the business.
2. Continuity strategies: different options based on cost:
a. Hot sites: duplicate computing resources, peripherals, phone system and applications. Most expensive.
b. Warm sites: contain equipment like a store. Restore from backup. Take time to become fully operational.
c. Cold sites: only an empty room with standard heating and air conditioning. Least expensive.
3. Continuity management: provision of the above sites via mutual agreement or by paying a vendor.

What is Law Enforcement Involvement in Contingency Planning?
Attacks that involve a violation of law; decide, after taking legal counsel, what type of law enforcement involvement is necessary. Advantages:
1. Better able to process evidence
2. Can issue warrants/subpoenas to obtain witness and suspect statements
Disadvantages:
- Loss of control
- Lack of information
- Loss of equipment

  449. What is the Sphere of Security?
  450. Technical Control enables policy enforcement where human behavior is difficult to regulate.
  451.  
  452. What is Access Control?
  453. Regulates the physical (external) and logical (built into the system) access of users to trusted areas of the organization, such as physical devices and system resources. It is a collection of policies, programs, and technical controls. Three models (approaches) of access control:
  454. 1. Mandatory Access Control
  455. - used to protect highly classified data.
  456. - used by government agencies that maintain top-secret information.
  457. - greatly reduces the rights, permissions, and functionality a user has, for security purposes (the user can't install programs or change file permissions).
  458. 2. Discretionary Access Control
  459. - enables the owner of the resource to specify which subjects can access specific resources.
  460. 3. Non-Discretionary (Role Based) Access Control
  461. - access rights are given to individuals on the basis of the function they have to perform, e.g. an IT admin role or a managerial role.
  462. - best in organizations with high employee turnover.
  463. - based on the operations and tasks a user needs to carry out to fulfill his/her responsibilities in the organization (least privilege principle).
  464.  
  465. What are the elements of Access Control?
  466. 1. Identity
  467. 2. Authentication
  468. 3. Authorization
  469. 4. Accountability
  470. 1. Identity: a claim of who the user is, given by a user ID in the information system. It must be unique.
  471.  
  472. What is Authentication?
  473. The process of validating a user's identity. There are four types of authentication mechanisms:
  474. - Something You Know: a password, passphrase, or some other unique authentication code like a PIN.
  475. - Something You Have: based on something the user possesses (a card, key, or token).
  476. - Something You Are: identity based on a unique physical attribute that is evaluated by biometrics, like a fingerprint or facial recognition.
  477. - Something You Produce: an action performed by the user, like signature recognition and voice recognition. Strong authentication uses at least two different authentication mechanism types (two-factor or multifactor authentication).
  478.  
  479. How to evaluate Biometrics?
  480. Biometric technologies are generally evaluated according to three basic criteria:
  481. – The false reject rate (FRR) / false negative / Type I error: the percentage of authorized users who are denied access
  482. – not a threat to security
  483. – The false accept rate (FAR) / false positive / Type II error: the percentage of unauthorized users who are allowed access
  484. – a serious breach of security
  485. – The crossover error rate (CER): the point at which the number of false rejections equals the number of false acceptances
  486. – an optimal outcome
  487.  
  488. What is Authorization?
  489. Establishes whether the user is authorized to access a particular resource and what actions he is permitted to perform on it. In general, authorization can be managed by:
  490. – Authorization for each authenticated user (complex and resource-intensive).
  491. – Authorization for members of a group (the most commonly used method).
  492. – Authorization across multiple systems ('single sign-on'): a central authentication and authorization system verifies the entity's identity and grants authorization.
  493.  
  494. What is Accountability?
  495. Ensures users are accountable for their actions; logs are reviewed to reconstruct events, i.e., to track bad deeds back to individuals and to detect intrusions.
  496.  
  497. What is a Firewall?
  498. In information security, a firewall is any device that prevents a specific type of information from moving between two networks, often the outside, known as the untrusted network (e.g., the Internet), and the inside, known as the trusted network.
  499. The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices (DMZ).
  500.  
  501. What are the different Firewall Architectures?
  502. 1. Packet filtering router: first-generation firewall. Packet filtering is a firewall technology that makes access decisions based on the header information of the packet. Header values include source and destination IP address, port numbers, and protocol type, on the basis of which inbound and outbound traffic is controlled by the firewall. The main disadvantage is that they inspect only the packet header, not its content, and header fields can be spoofed.
  503. 2. Screened-host firewalls: combine the packet filtering router with a separate application proxy server known as a bastion host.
  504. – The router is used to screen packets to minimize the network traffic and load on the internal proxy.
  505. – The application proxy examines an application layer protocol, such as HTTP or mail, and performs the proxy services.
  506. – This separate, single host, often referred to as a bastion host, represents a rich target for external attacks and should be very thoroughly secured.
  507. 3. Dual-homed host firewalls: a dual-homed host architecture is built around a dual-homed host computer with two network interfaces: one connected to the external network and one connected to the internal network. To use a dual-homed host as a firewall, you disable its routing function. A user wishing to access the trusted network from the Internet logs into the dual-homed host first and then accesses the trusted network from there.
  508. 4. Screened-subnet firewalls
  509. - The screened-subnet firewall consists of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network. This raises the level of difficulty of penetrating the defense.
  510. - One of the general models (in Figure 9-8) shows connections routed as follows:
  511. – Connections from the outside or untrusted network are routed through an external filtering router.
  512. – Connections from the outside or untrusted network are routed into, and then out of, a routing firewall to the separate network segment known as the DMZ.
  513. – Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
  514.  
  515. What are Intrusion Detection Systems (IDSs)?
  516. A tool for detecting unauthorized use of, or attack upon, a computer, network, or telecommunications infrastructure, mitigating damage by sending an alert to a network manager's screen or e-mail, or even reconfiguring a firewall's ACL settings. An IDS has 3 components:
  517. - Sensors: collect network traffic and user activity data.
  518. - Analyzer: determines suspicious activity based on rules.
  519. - Administrator's interface: the terminal to which alerts are sent. Like firewall systems, IDSs require complex configurations to provide the desired level of detection and response.
  520.  
  521. What is a Host-Based IDS?
  522. Installed on individual workstations and/or servers to watch for inappropriate or abnormal activity; usually used to provide alerts if users delete system files, reconfigure important settings, or put the system at risk in any other way (e.g. system folder). Reactive HIDS products are installed only on critical servers, not on every system on the network, because of the resource overhead and the administration hassle such an installation would cause.
  523.  
  524. What is a Network-Based IDS?
  525. Monitors network traffic and, when unusual activity occurs, notifies the appropriate administrator (packet sniffer). Network IDPSs require a much more complex configuration and maintenance program than host-based IDPSs (e.g. network interfaces). Proactive in nature (because it generates an alert in real time).
  526.  
  527. What is Knowledge or Signature-based Intrusion Detection?
  528. IDS vendors accumulate knowledge about different attacks and how they are carried out, and develop models known as signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine whether one has occurred within the network (e.g. land attack). Signature-based IDS is weak against new types of attacks, as signatures are based on previously identified attacks.
  529.  
  530. What is Statistical Anomaly–Based IDS?
  531. Known as behavioral-based IDS: it first collects data from network traffic and establishes a baseline. It then periodically samples network activity, based on statistical methods, and compares the samples to the baseline.
  532. When activity falls outside the baseline parameters (known as the clipping level), the IDS notifies the administrator. The advantage of this approach is that the system can detect new types of attacks whose signature or fix has not yet been developed, because it looks for abnormal activity of any type. The disadvantage is that it is difficult to define what is normal when the network is constantly changing, so it creates a lot of false positives (an attacker can also integrate his activities into the baseline).
  533.  
  534. What is Remote Authentication Dial-In User Service (RADIUS) & Terminal Access Controller Access Control System (TACACS)?
  535. RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization's network via a dial-up connection. RADIUS has a central RADIUS server that centralizes the management of user authentication.
  536. A Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server.
  537. When a Remote Access Server (RAS) receives a request for a network connection from a dial-up client, it passes the request along with the user's credentials to the RADIUS server; RADIUS then validates the credentials.
  538.  
  539. What is Law and Ethics in Information Security?
  540. - Laws: rules enforced by a government to maintain certain behavior in society (mandatory).
  541. - Ethics: define socially acceptable behavior based on cultural mores.
  542. - Cultural mores: relatively fixed moral attitudes or beliefs of a particular group.
  543. - Difference: laws carry the sanctions (enforcement) of a governing authority, but ethics do not. Law is enforced from outside and ethics come from within: belief vs idea. (lack of cybersecurity awareness).
  544.  
  545. What are the types of Law?
  546. - Civil law: represents a wide variety of laws that govern a nation/state.
  547. - Criminal law: addresses violations harmful to society that are punishable by law.
  548. - Tort law: a subset of civil law that allows individuals to seek recourse against others in the event of personal, physical, or financial injury.
  549. - Private law: regulates the relationships among individuals and organizations, and encompasses family law, commercial law, and labor law.
  550. - Public law: affects the general public; all citizens have to follow it. E.g., criminal, administrative, and constitutional law.
  551.  
  552. What is Policy as Law?
  553. Policies serve as organizational laws. Unlike law, however, ignorance is an acceptable defense. Therefore, to be enforceable as law, policies must be:
  554. - Distributed to all individuals who are expected to comply with them.
  555. - Readily available for employee reference.
  556. - Easily understood, with multilingual translations and translations for visually impaired or low-literacy employees.
  557. - Acknowledged by the employee, usually by means of a signed consent form.
  558. - Uniformly enforced for all employees.
  559.  
  560. What is Ethics and Information Security?
  561. Cultural differences create difficulty in determining what is and is not ethical.
  562. - Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group.
  563. - The overriding factor in leveling ethical perceptions within a small population is education.
  564. - Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security.
  565.  
  566. What is Deterrence to Unethical and Illegal Behavior?
  567. Three causes of unethical and illegal behavior: ignorance, accident, and intent. Deterrence is the best method for preventing illegal or unethical activity.
  568. Examples of deterrents include laws, policies, and technical controls. However, organizational laws/policies and their associated penalties only deter if three conditions are present:
  569. - Fear of penalty
  570. - Probability of being caught
  571. - Probability of penalty being administered
  572.  
  573. What is Organizational Liability?
  574. If an employee, acting with or without authorization, performs an illegal or unethical act causing some degree of harm, the organization can be held financially liable for that action.
  575. An organization increases its liability (legal obligation) if it refuses to take measures known as "due care", that is, to make sure every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions (policy, training).
  576. "Due diligence" requires that an organization make a valid and ongoing effort to maintain due care.
  577.  
  578. What is Audit Risk and Materiality?
  579. Materiality: the significance of an amount or the severity of impact on CIA. A risk-based audit focuses on material threats. Types of audit risk: Inherent risk: risk that exists because of the nature of the business (banks, health sector).
  580. Control risk: a material threat that cannot be prevented or detected on a timely basis by controls (manual log review vs SIEM).
  581. Detection risk: material errors/lapses in IT security not detected by the auditor. Inherent risk and control risk vs detection risk.
  582.  
  583. What are Evidence and Conclusion?
  584. Two types of audit conclusion/opinion (qualified vs unqualified). An audit conclusion/opinion should be supported by evidence. Evidence is collected from:
  585. 1. IS audit observations.
  586. 2. Interviews or correspondence with different parties.
  587. 3. Audit test procedures (pen testing). Evidence should be:
  588. - Valid and relevant.
  589. - Complete.
  590.  
  591. What is Internal Controls?
  592. A risk management tool applied within the organization, composed of policies, procedures, practices, technical controls, and organizational structures. Can be automatic or manual. Two key purposes:
  593. 1. To achieve business objectives.
  594. 2. To avoid bad things happening (minimize the risk of error/omission/fraud). Types of internal controls:
  595. - Preventive: prevent problems before they arise (Example: encryption, access control).
  596. - Detective: detect and report errors (Example: reviewing logs).
  597. - Corrective: identify errors and minimize impact (Example: contingency planning, backup Res.).
  598.  
  599. What is IT Audit Process?
  600. 1. Planning:
  601. - Determine the objectives and scope of the audit.
  602. - Risk assessment:
  603. - Evaluate risk and internal controls.
  604. - Compliance and substantive testing.
  605. - Developing checklists.
  606. - Scheduling (avoiding personnel absences and times of high activity).
  607. - Kick-off meeting (interviews with the clients, point of contact, reporting mechanism).
  608. 2. Fieldwork and Documentation:
  609. - Apply the checklist, i.e. carry out audit procedures.
  610. - Determine risks and lapses in internal controls = findings.
  611. - Documentation (working papers):
  612. - arrive at a valid conclusion?
  613. - defense if the conclusion is challenged.
  614. - learn from the experience.
  615. 3. Issue Discovery and Validation:
  616. - Report findings such as potentially risky issues and missing mitigating controls.
  617. - Timely reporting (timely correction and avoiding confusion).
  618. 4. Solution Development: three ways to provide a solution:
  619. - Recommendation Approach (auditor recommends, but it may not be effective).
  620. - Management-Response Approach (auditor reports the issue, with or without a recommendation, asking for a management response).
  621. - Solution Approach (client and auditor mutually agree on an action plan).
  622. 5. Report Draft and Issuance:
  623. - The audit report has two purposes (auditor's record, business report card).
  624. - Elements of the audit report:
  625. - Statement of audit scope (what areas were covered in the audit).
  626. - Executive summary (brief summary of the audit report highlighting major issues and the action plan).
  627. - List of issues and action plans (layman's terms).
  628. - Conclusion (satisfactory, unsatisfactory, or needs improvement).
  629. - Distribute reports (for response).
  630. 6. Issue Tracking:
  631. - Audit closure?
  632. - Track and follow up on issues until they are resolved.
  633. - Escalation (final resort).
  634. - Validation, e.g. BCP plan.
  635.  
  636. What is Audit Trail?
  637. A chronological record of any events or activities (log). Three types of logs:
  638. 1. System logs: record events executed on an operating system, including miscellaneous events and those generated during system startup, like hardware and controller failures.
  639. 2. Application logs: record events regarding access to the application, e.g. reading, editing, deleting, or printing files.
  640. 3. Security logs: track security-related events like logon and logoff times and changes to access rights.
  641.  
  642. What is Project Management?
  643. Project management is a set of techniques to plan, organize, and monitor project activities. Hence project management is a process composed of:
  644. 1. Planning: begins with a goal, sets standards (time, resources), and selects a suitable project leader and team.
  645. 2. Monitoring and Controlling: proactive measurement of the project's performance against the standard.
  646. 3. Closing: the project is terminated.
  647.  
  648. What is Project Plan Development?
  649. Three core elements are used in the creation of a project plan: work time, resources, and project deliverables.
  650. Deliverables: outcomes that are demonstrable: a product, a process, a policy, or some other outcome. This specifies the roadmap of the project.
  651. Resources: include people, equipment, supplies, materials, software, and hardware, depending on the project, and need to be quantified (constraint or budget).
  652. Work Time: fixing the start date and deadline of the project realistically, based on its scope.
  653.  
  654. What are the Project Planning Considerations?
  655. Special considerations include:
  656. - Finance (budget, CBA).
  657. - Priority (the priority of a work package is determined by the number of dependencies and resource (expert) availability).
  658. - Time and Schedule (estimating a project schedule with PERT or Gantt charts).
  659. - Staff (need to hire/employ enough qualified, trained, and other personnel).
  660. - Procurement (purchasing goods or services from vendors, contractors, and suppliers; limited by budget constraints).
  661. - Organizational Feasibility (plan for change management; new policies, processes, and technology can create tension and resistance).
  662. - Training.
  663.  
  664. What is the Work Breakdown Structure(WBS)?
  665. It breaks down the project scope into manageable deliverables known as work packages.