Term
What is the CIA of IT Security?

Definition
Confidentiality, Integrity, Availability


Term
Attributes of Threat Actors

Definition
1. Internal or External
2. Level of Sophistication
3. Resources and Funding
4. Intention or Motivation
5. Use of open source intelligence


Term

Definition
1. Script Kiddies
2. Hacktivist
3. Organized Crime
4. Nation States
5. Insiders
6. Competitors


Term

Definition
Advanced Persistent Threat


Term

Definition
Some cause or social/political agenda


Term

Definition


Term

Definition


Term

Definition
Varies from mistakes to malicious threats


Term

Definition


Term
Risk Management:
Term: Assets

Definition
Any part of our infrastructure which we worry may be harmed.
Computers, routers, employees, physical property, even reputation


Term
Risk Management:
Term: Vulnerabilities

Definition
A weakness in an Asset that leaves it open to risk


Term
Risk Management:
Term: Threats

Definition
A discovered action that exploits a vulnerability, with the potential to harm an Asset


Term
Risk Management:
Term: Threat Agent

Definition
The source or initiator of the threat
e.g. hacker, hurricane, power outage


Term
Risk Management:
Term: Likelihood

Definition
The level of certainty that something will happen


Term
Risk Management:
Term: Impact

Definition
The actual harm caused by a threat


Term

Definition
1. Quantitatively - cost, labor, time
2. Qualitatively - loss of projected business, loss of reputation, loss of trust


Term

Definition
Threats applied to Vulnerabilities = Risk


Term
What is NIST SP 800-30?

Definition
A Guide for Conducting Risk Assessments


Term
What is the first step of Risk Assessment?

Definition
Catalog and define all the Assets
Assess Vulnerabilities and Threats


Term
Name some Risk Assessment tools

Definition
1. Nessus (a program which finds and reports vulnerabilities)
2. Penetration Testing or Pen-Testing (a third-party company tests your system for vulnerabilities and reports the results)


Term
What are the types of Threats?

Definition
1. Adversarial (intentional harm - hacker or malware)
2. Accidental (ID10T mistakes and errors)
3. Structural (hardware and software malfunctions)
4. Environmental (earthquakes, power outages, etc.)


Term

Definition
1. Mitigation (an effort to fix or reduce risk)
2. Transference (unload the risk, vulnerability, and impact to a third party)
3. Acceptance (likelihood and impact are less than the cost of mitigation)
4. Avoidance (likelihood and impact are so high that we just do something else altogether)


Term
What is a Risk Management Framework?

Definition
A workflow or process to help you deal with risk management


Term
What are the basic parts of every Risk Management Framework?

Definition
1. Assessment
2. Implementation (applying Security Controls)
3. Monitoring
4. Issue response


Term
Types of Risk Assessment Guides

Definition
1. Benchmark (thresholds by which to verify expected throughput values or actions)
2. Secure Configuration (these help to secure the stuff in your infrastructure; they tend to be platform or vendor specific)
3. General Purpose (these are broad guides)


Term
What are Security Controls?

Definition
A mechanism applied to the IT infrastructure to either protect against or remedy security problems.


Term
What are the different categories of Security Controls?

Definition
1. Administrative or Management (policies, laws, etc.)
2. Technical (encryption, passwords, etc.)
3. Physical (keys, cameras, etc.)


Term
What are the different security control functions?

Definition
1. Deterrent
2. Prevention
3. Detective
4. Corrective
5. Compensating


Term
Interesting Security Controls

Definition
1. Mandatory Vacations
2. Job Rotation
3. Multi-person control (two check signers)
4. Separation of Duties
5. Principle of least privilege (Need to Know)


Term

Definition
1. Redundancy (same control applied in layers)
2. Diversity (different controls to reach the same result)


Term

Definition
Rules for how we do IT Security in our organization.


Term
What are the sources for IT Governance?

Definition
1. Laws and Regulations
2. Standards (government or industry)
3. Best Practices
4. Common Sense


Term
Documents used to practice IT Governance?

Definition
1. Policies (list the directives to be followed)
2. Organizational Standards (exact rules)
3. Procedures (step-by-step guides)


Term
7 Important Security Policies to Know

Definition
1. Acceptable Use
2. Data Sensitivity and Classification
3. Access Control
4. Password
5. Care and Use of Equipment
6. Privacy
7. Personnel


Term
Describe the following type of security policy: Acceptable Use

Definition
What a person can and cannot do with company assets.


Term
Describe the following type of security policy: Data Sensitivity and Classification

Definition
Defines how important different types of data are.


Term
Describe the following type of security policy: Access Control

Definition
Defines how people get access to our data and other resources


Term
Describe the following type of security policy: Password

Definition
Defines how we deal with passwords (e.g. recovery, login, complexity, retention, reuse)


Term
Describe the following type of security policy: Care and Use of Equipment

Definition
Deals with maintenance and physical use of equipment


Term
Describe the following type of security policy: Privacy

Definition
How we handle the privacy of others


Term
Describe the following type of security policy: Personnel

Definition
How we handle the people who use or work with our data


Term
Types of Risk Management Frameworks

Definition
1. Regulatory
2. Non-regulatory
3. National Standards
4. International Standards
5. Industry Specific


Term
Quantitative Risk Assessment Formula

Definition
SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence) = ALE (Annual Loss Expectancy)
(SLE x ARO = ALE)