lesson 5

2015-01-06 10:30:19
Savannah Tech Lesson 5

  1. is a product of vulnerability, which is a weakness that exposes business assets to threats.
  2. Is anything that could be destructive or harmful to an asset. is any action, intentional or not, that attempts to exploit vulnerability.
  3. is the probability of loss or damage to an asset as the result of a threat exploiting vulnerability. Occurs when assets, threats, and vulnerability occur simultaneously.
  4. Clearly defined objectives and policies to guide the implementation of the security measures that make the network secure. Must be a written document that defines the types of risks or threats facing a network and the acceptable level of mitigation necessary to remove or reduce the risks.
    Security Policy

    Simply defines threats and specifies the tactics the organization will use to minimize them.
  5. spells out the steps you use to enact security.
    A Security Procedure
  6. What are the two types of Security policies which are in the administrator's domain?
    • -Privacy Policy
    • -Acceptable Use
  7. states what the website does with any collected data, whether it retains the data, and how it protects the data, among other assurances of privacy and security.
    Privacy Policy

    Virtually all websites that request and accept information from their viewers have a privacy policy available, typically on a separate web page.
  8. is a statement of the rules that users of a network, website, intranet, or extranet must follow to access its resources.
    Acceptable Use Policy

    Most schools, colleges, businesses, and Internet service providers issue AUPs to their users, some requiring signature of agreement.
  9. What four policies should an organization define in order to prevent misuse of a network by its employees?
    • -Mandatory vacations
    • -Job rotation
    • -Separation of duties
    • -The principle of least privilege
  10. This policy should designate another trained employee to perform the duties of any vacationing employee.
    Mandatory Vacations

    Auditors typically require an organization to have a mandatory vacation policy for its employees, especially those who interact with financial records. Employees engaged in fraud or embezzlement usually resist taking vacations because they're afraid that their replacement will uncover their misdeeds.
  11. An organization that manages or stores sensitive data should have a policy requiring the rotation of individuals through the different positions that affect the security of the data assets.
    Job rotation

    A job rotation policy ensures that a trained individual is always available to fill in for an absent employee and that no single employee is able to defeat security measures for misdeeds.
  12. Any task that accesses or manipulates an organization's assets, such as those involving financial records, payroll, accounts payable, and inventory accounting, should be broken into several steps with no single person performing more than a few of the steps alone. This policy prevents one person from manipulating the records for personal financial gain.
    Separation of duties
  13. This principle restricts the access authorization of an employee to only those records or assets necessary to perform their assigned tasks. On a secure network, this principle restricts user and group accounts to only those folders, files, and documents they need when doing their jobs.
    The Principle of Least Privilege

    Also called Least Privilege. Although it is most commonly associated with IT and network security, its principles can also apply to paper records and other assets.
  14. Identifies threats and analyzes their probability of becoming incidents.
    Risk Analysis
  15. NOTE: Risk analysis considers a network's exposure to potential natural, technical, or human threats. During risk analysis, we calculate the importance of a risk on two levels: its probability of occurring, and its cost impact on the organization.
  16. What are four of the risk factors to consider when deciding what makes a risk bigger than another in risk ranking?
    • -Its likelihood to occur
    • -The frequency of its occurrence
    • -The degree of exposure or vulnerability
    • -The value of a loss that results from a risk occurring, or perhaps the overall consequence of its occurrence.
  17. NOTE: How likely a risk will turn into a security incident or event is essentially a guessing game. However, if there's a history of security events occurring in a particular risk area, there's a way to rank risks to determine which risks may pose the largest threat.
  18. NOTE: The most common method of risk calculation, as a part of risk analysis, is to express a risk as a potential financial loss, or an Annualized Loss Expectancy (ALE). To calculate the ALE of a risk, multiply the Annualized Rate of Occurrence (ARO), or how often you estimate the risk may actually occur, by the estimated Single Loss Expectancy (SLE), or the financial impact (loss) of the risk occurring one time. The formula is ARO × SLE = ALE.
  19. NOTE: If the cost of securing this vulnerability is equal to or less than its ALE, it's cost-effective to modify the security policy to address the cause of the vulnerability and to implement the appropriate security measures on the network.
  20. it uses estimates or historical values to determine the level of threat a risk poses. An example is the ALE
    Quantitative Risk Analysis
  21. focuses on the impact a threat has on the organization and its assets, and the amount of harm that an occurrence could inflict. It assigns a threat potential to each risk, determining it to be a low, medium, or high risk.
    Qualitative Risk Analysis
  22. is an indication that an intrusion has taken place, when, in fact, there was no intrusion. An alarm or alert occurs, but the cause is not the result of a violated vulnerability.
    False Positive
  23. is a failed alert or alarm, an alert that should have occurred, but didn't.
    A false negative

    A false negative may happen because a signature database is out-of-date, a new attack form is unrecognized by the monitoring devices or software, a security rule is too stringent, or the intrusion detection system is overloaded and dropping packets that go undetected. The primary threat of a false negative is a false sense of security.
  24. What are the four most common risk control methods?
    • -Avoidance
    • -Contingency
    • -Prevention
    • -Reduction
  25. A method an organization uses to move to a different process to avoid a risk.
  26. A well-developed method or strategy an organization should have for handling the various types of risks it faces.
  27. A method for reducing the likelihood of a risk occurring.
  28. A method for reducing the impact a risky situation can have on the business processes of an organization.
  29. NOTE: All secure network administrators are risk managers, and risk control is a large part of risk management. A risk manager can employ any number of risk control methods to reduce or control risk.
  30. The steps we take to safeguard a network from attacks; has two categorizations: what it is, and what it does. It is a management control, an operational control, or a technical control. It does one of three things: direct, prevent, or correct.
    Security Controls
  31. This is perhaps the broadest of the three major risk control strategies in that it encompasses the general managerial policies of an organization.
    Management Controls
  32. This risk control type deals with the risk of loss that could result from poorly defined or failed policies for internal processes, people, systems, and external stimuli.
    Operational Controls
  33. What are the 7 things operational controls should address?
    • -Internal Fraud
    • -External Theft
    • -Employment practices and safety
    • -Legal and fiduciary responsibilities
    • -The threat of damage from natural disasters or other external threats
    • -Business disruption
    • -Errors and negligence of employees
  34. This risk control type focuses on the risks inherent with existing technology and those associated with the implementation of new technology.
    Technical Controls
  35. NOTE: You should understand that these three risk control types are not stand-alone areas. As you probably guessed from the above descriptions, there's a great deal of overlap among them: Management controls are written policies, procedures, guidelines, and standards that implement business rules. Operational controls deal with organizational operations and their effect on network security. Technical controls implement the management and operational controls on the secure network.
  36. Involves the consideration of a security control's effectiveness, efficiency, and its adherence to business rules and the applicable laws, standards, and regulations.
    A risk-based security approach
  37. is the programmatic approach to managing an organization's risk, which consists of six serial steps.
    Risk Management Framework
  38. What are the six serial steps of the Risk Management Framework?
    • -Categorization
    • -Selection
    • -Implementation
    • -Assessment
    • -Authorization
    • -Monitoring
  39. Proposes a four-phase approach to the development and implementation of security controls.
    Information Security Management System (ISMS)

    Sometimes also called PDCA
  40. What are the four phases of ISMS?
    • -Plan
    • -Do
    • -Check
    • -Act
  41. NOTE: There are a couple of specific technologies that can add extra risks to a network, including cloud computing and virtualization. Secure network administrators should add cloud computing and virtualization to a network carefully. Both of these emerging technologies have security issues that administrators must consider and be ready to mitigate.
  42. What are the three risks cloud computing exposes to a network that an administrator would need to mitigate?
    • -Outsourced data
    • -Data Separation
    • -Data recovery
  43. Any data transmitted to an "as-a-service" vendor, such as an IaaS, PaaS, or SaaS, for cloud computing outside the logical boundaries of an organization is at risk. Outsourced services may implement the same risk controls the client organization imposes on its local network. In addition, the location of data sent into the cloud becomes, well, cloudy. Where the service vendor stores your data may be a major compliance issue, not to mention a security risk.
    Outsourced data
  44. Another issue with cloud computing is how it stores data. Cloud services generally store data in a shared environment. Although the data may be encrypted, it may still be at risk.
    Data Separation
  45. Disaster can strike the vendor's data center just as easily as it can destroy your data center. The safety of your data, and its possible irretrievability, is a serious risk concern. Although you may not know exactly where your data is stored, you should be able to retrieve it for recovery purposes.
    Data Recovery
  46. Virtualization implementations typically run on a network without much concern for security. A virtual environment is only as secure as the hypervisor and the ________________________________ software layer and the network over which they interact. The security policies of a virtual environment must consider that if a virtualization layer is compromised, then all hosted applications are compromised as well.
    Virtual Machine Monitor (VMM)
  47. NOTE: A network running a virtualization environment must implement monitoring and security controls on the virtual network over which virtual-machine-to-virtual-machine communication flows. Without this level of security policies and controls, the normal network security measures may be blind to its threats and vulnerabilities.
  48. What are the five goals of a risk administrator?
    • -Risk avoidance
    • -Risk transference
    • -Risk Mitigation
    • -Risk deterrence
    • -Risk acceptance
  49. This includes performing the actions necessary to remove or diminish the threat of a risk to remove vulnerability.
    Risk avoidance
  50. This means shifting all or a portion of risk to another entity, such as hosting a website on another company's hardware, thereby reducing your exposure to web-borne attacks.
    Risk transference

    Buying insurance is another form of risk transference
  51. The most common risk administration action is to resolve or mitigate any risks to a network. Any risk for which mitigation is available should not exist on a network. Common risk mitigation is the installation of antivirus software and the hardening of a password policy.
    Risk Mitigation
  52. By increasing the visible or detectable security measures on a network, potential intruders can be frightened off. Evidence that there's a high probability of detection can deter both internal and external threats from attacking a network's security.
    Risk deterrence
  53. When the cost of mitigating a risk is too high to implement and no other way to reduce the risk is available, you have accepted the risk and its potential harm as your responsibility. The best defense against an accepted risk is a contingency plan outlining recovery actions if the risk turns into an event.
    Risk Acceptance
  54. What are the five steps a risk administrator should perform regularly to be effective?
    • -Identify, categorize, and analyze threats.
    • -Determine the vulnerability of network resources to each threat.
    • -Identify the risk and its consequences.
    • -Develop risk mitigation strategies.
    • -Apply risk reduction or mitigation measures.
  55. Note: Mitigating a risk's potential harm must be a part of the overall plan and security policies of a secure network. Many of the strategies for risk mitigation include activities to prevent risks from becoming threats and turning into incidents.
  56. Note: Any change to a network, regardless of how small or large the change is, introduces risk. The smallest adjustments or the replacements of gateway equipment can introduce completely unexpected effects to another part of a network.
  57. Controls changes to the network. More specifically, it identifies, directs, controls, and documents any change, upgrade, modification, or removal of any part of a network or its communication technologies.
    Change management

    The purpose of change management is to reduce any risk introduced to the network by changes to its overall environment. Change management can also improve network stability and reliability during and after changes occur. Change management doesn't prevent or impede any needed changes to a network.
  58. Tells us what actions to take in the event of a security incident. For most organizations, incident management specifically deals with these, which are unplanned interruptions in network services or a reduction in the quality of the service a network provides.
    Incident Management

    The objective of incident management is to contain any harm or impact to a network to its lowest possible level and to restore normal organizational and network operations as soon as possible.
  59. Should be a part of any security program and its continuous security awareness plan.
    A regular audit of the security strategies, policies, and procedures of an organization and its network.
  60. What are the five things an auditor should examine in a security audit?
    • -The policies and procedures governing personnel who interact with, maintain, or administer the secured elements of the organization.
    • -The processes in place for network change management.
    • -The procedures and processes that minimize network downtime, protect the integrity of data, and prevent its loss.
    • -The physical security controls that prevent unauthorized access to the data center or sensitive areas.
    • -The environmental controls that protect network equipment from fire and flooding.
  61. NOTE: A review of group and user permissions should also be a part of the routine audit of a network to ensure that these rights and permissions are still appropriate, accurate, and supportive of security policies. Along with the rights and permissions of users and groups, a review of the ownership of folders, directories, and files should be in the network audit procedures.
  62. focuses on preventing the loss of data in motion, particularly outbound sensitive data. Its appliance or application may duplicate some of the processes that other security devices, such as firewalls or routers, perform.
    Data loss prevention (DLP)
  63. What are the 7 things DLP does?
    • -Ensure compliance with international privacy and data security guidelines and regulations.
    • -Encrypt email that contains confidential content.
    • -Enforce acceptable use policies
    • -Monitor outbound network traffic
    • -Prevent malware-related data harvesting
    • -Protect intellectual property
    • -Provide a security deterrence by creating the possibility of being caught.
  64. What are the differences between the terms risk, vulnerability, threat, and incident?
    Risk is the probability that an outside element will exploit a system weakness. Vulnerability is a system weakness that creates a risk. A threat is anything that could exploit a vulnerability to be destructive or harmful to assets. An incident (or event) occurs when a threat penetrates the security of a network without authorization.
  65. What should the security policies of an organization directly support?
    A. Business rules
    B. Organizational Mission
    C. Acceptable Use Policy
    D. Personnel policies
    A. Business Rules
  66. What is the term used for the probability of a potential threat becoming a security incident?
    A. Risk
    B. Threat
    C. Incident
    D. Vulnerability
    A. Risk
  67. What type of risk control provides a method to move to a different process to avoid a risk?
    A. Prevention
    B. Reduction
    C. Avoidance
    D. Contingency
    C. Avoidance
  68. What is the process that identifies the probability of threats becoming incidents?
    A. Risk Analysis
    B. Risk Calculation
    C. Risk Exposure
    D. Risk Assessment
    A. Risk Analysis
  69. What term describes the assignment of a risk to another organization?
    A. Risk Transference
    B. Risk Acceptance
    C. Risk deterrence
    D. Risk avoidance.
    A. Risk Transference