Principles of information security 4th edition Chapter 12 – Flashcards
question
NIST SP 800-100
answer
Information Security Handbook: A Guide for Managers provides managerial guidance for the establishment and implementation of an information security program, in particular regarding the ongoing tasks expected of an information security manager once the program is operational and day-to-day operations are established.
question
Information Security Governance: an effective information security governance program requires constant review. Agencies should monitor the status of their programs to ensure that: (3 parts)
answer
1. Ongoing information security activities are providing appropriate support to the agency mission
2. Policies and procedures are current and aligned with evolving technologies, if appropriate
3. Controls are accomplishing their intended purpose
question
System Development Life Cycle
answer
The system development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a multistep process: initiation, analysis, design, implementation, and maintenance to disposal.
question
What are the thirteen information security areas within SP 800-100?
answer
1. Information Security Governance
2. System Development Life Cycle
3. Awareness and Training
4. Capital Planning and Investment Control
5. Interconnecting Systems
6. Performance Measures
7. Security Planning
8. Information Technology Contingency Planning
9. Risk Management
10. Certification, Accreditation, and Security Assessments
11. Security Services and Products Acquisition
12. Incident Response
13. Configuration (or Change) Management
question
What are the 5 steps of Configuration (or Change) Management?
answer
Step 1: Identify Change
Step 2: Evaluate Change Request
Step 3: Implementation Decision
Step 4: Implement Approved Change Request
Step 5: Continuous Monitoring
question
Identify Change
answer
The first step of the CM process begins with a person or process associated with the information system identifying a need for a change.
question
Evaluate Change Request
answer
After initiating a change request, the effects that the change may have on the system or other interrelated systems must be evaluated.
question
Implementation Decision
answer
Once the change has been evaluated and tested, one of the following actions should be taken:
1. Approve: Implementation is authorized and may occur at any time after the appropriate authorization signature has been documented.
2. Deny: The request is immediately denied regardless of circumstances and information provided.
3. Defer: Immediate decision is postponed until further notice. In this situation, additional testing or analysis may be needed before a final decision can be made.
question
Implement Approved Change Request
answer
Once the decision to implement the change has been made, it should be moved from the test environment into production.
question
Continuous Monitoring
answer
The CM process calls for continuous system monitoring to ensure that it is operating as intended and that implemented changes do not adversely impact either the performance or security posture of the system.
question
The five subject areas or domains of the maintenance model
answer
1. External monitoring
2. Internal monitoring
3. Planning and risk assessment
4. Vulnerability assessment and remediation
5. Readiness and review
question
external monitoring
answer
Within the maintenance model, the purpose of external monitoring is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense.
question
Three classes of data sources
answer
1. Vendors 2. CERT organizations 3. Public network sources
question
Monitoring, Escalation, and Incident Response
answer
The basic function of the external monitoring process is to monitor activity, report results, and escalate warnings.
question
Data Collection and Management
answer
Over time, the external monitoring processes should capture information about the external environment in a format that can be referenced both across the organization as threats emerge and for historical use.
question
Monitoring the Internal Environment
answer
The primary goal of the internal monitoring domain is to maintain an informed awareness of the state of all of the organization's networks, information systems, and information security defenses.
question
How is internal monitoring accomplished?
answer
1. Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements.
2. Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs.
3. Monitoring IT activity in real time using IDPSs to detect and initiate responses to specific actions or trends of events that introduce risk to the organization's information assets.
4. Monitoring the internal state of the organization's networks and systems. This recursive review of the network and system devices that are online at any given moment and of any changes to the services offered on the network is needed to maintain awareness of new and emerging threats. This can be accomplished through automated difference-detection methods that identify variances introduced to the network or system hardware and software.
question
Network Characterization and Inventory
answer
Organizations should have a carefully planned and fully populated inventory of all their network devices, communication channels, and computing devices. This inventory should certainly include servers, as well as desktop applications and partner interconnections, that is, network devices, communications channels, and applications that may not be owned by the organization but are essential to the continued operation of the organization's partnership with another company. The process of collecting this information is often referred to as characterization.
question
Difference analysis
answer
Difference analysis is a procedure that compares the current state of a network segment (the systems and services it offers) against a known previous state of that same network segment (the baseline of systems and services).
question
planning and risk assessment domain
answer
The primary objective of the planning and risk assessment domain is to keep a lookout over the entire information security program, in part by identifying and planning ongoing information security activities that further reduce risk.
question
Information Security Program Planning and Review
answer
Periodic review of an ongoing information security program coupled with planning for enhancements and extensions is a recommended practice for any organization.
question
Security Risk Assessments
answer
A method of identifying and documenting the risk that a project, process, or action introduces to the organization; it may also involve offering suggestions for controls that can reduce that risk. The RA process identifies risks and proposes controls.
question
Network connectivity RA
answer
Used to respond to network change requests and network architectural design proposals. May be part of or support a business partner's RA.
question
Dialed modem RA
answer
Used when a dial-up connection is requested for a system.
question
Business partner RA
answer
Used when a proposal for connectivity with business partners is being evaluated.
question
Application RA
answer
Used at various stages in the life cycle of a business application. Content depends on the project's position in the life cycle when the RA is prepared. Usually, multiple RA documents are prepared at different stages. The definitive version is prepared as the application is readied for conversion to production.
question
Vulnerability RA
answer
Used to assist in communicating the background, details, and proposed remediation as vulnerabilities emerge or change over time.
question
Privacy RA
answer
Used to document applications or systems that contain protected personal information that needs to be evaluated for compliance with privacy policies of the organization and relevant laws.
question
Acquisition or divestiture RA
answer
Used when planning for reorganization as units of the organization are acquired, divested, or moved.
question
Other RA
answer
Used when a statement about risk is needed for any project, proposal, or fault that is not contained in the preceding list.
question
vulnerability assessment and remediation domain
answer
The primary goal of the vulnerability assessment and remediation domain is to identify specific, documented vulnerabilities and remediate them in a timely fashion.
question
How is vulnerability assessment and remediation achieved?
answer
1. Using documented vulnerability assessment procedures to collect intelligence about networks (internal and public-facing), platforms (servers, desktops, and process control), dial-in modems, and wireless network systems safely.
2. Documenting background information and providing tested remediation procedures for the reported vulnerabilities.
3. Tracking vulnerabilities from when they are identified until they are remediated or the risk of loss has been accepted by an authorized member of management.
4. Communicating vulnerability information, including an estimate of the risk and detailed remediation plans, to the owners of the vulnerable systems.
5. Reporting on the status of vulnerabilities that have been identified.
6. Ensuring that the proper level of management is involved in the decision to accept the risk of loss associated with unrepaired vulnerabilities.
question
Penetration testing
answer
Penetration testing, a level beyond vulnerability testing, is a set of security tests and evaluations that simulate attacks by a malicious external source (hacker).
question
When is a penetration test, or pen test, usually performed?
answer
A penetration test, or pen test, is usually performed periodically as part of a full security audit.
question
Internet Vulnerability Assessment
answer
The Internet vulnerability assessment process is designed to find and document the vulnerabilities that may be present in the public-facing network of the organization.
question
Intranet Vulnerability Assessment
answer
The intranet vulnerability assessment process is designed to find and document selected vulnerabilities that are likely to be present on the internal network of the organization.
question
Platform Security Validation
answer
The platform security validation (PSV) process is designed to find and document the vulnerabilities that may be present because there are misconfigured systems in use within the organization.
question
Wireless Vulnerability Assessment
answer
The wireless vulnerability assessment process is designed to find and document the vulnerabilities that may be present in the wireless local area networks of the organization.
question
Modem Vulnerability Assessment
answer
The modem vulnerability assessment process is designed to find and document any vulnerability that is present on dial-up modems connected to the organization's networks.
question
Documenting Vulnerabilities
answer
The vulnerability database, like the risk, threat, and attack database, both stores and tracks information.
question
Remediating Vulnerabilities
answer
The final process in the vulnerability assessment and remediation domain is the remediation phase.
question
Acceptance or Transference of Risk
answer
In some instances, risk must either simply be acknowledged as being part of an organization's business process, or else the organization should buy insurance to transfer the risk to another organization.
question
Threat Removal
answer
In some circumstances, threats can be removed without requiring a repair of the vulnerability.
question
Vulnerability Repair
answer
The optimum solution in most cases is to repair the vulnerability. Applying patch software or implementing a workaround often accomplishes this.
question
readiness and review domain
answer
The primary goal of the readiness and review domain is to keep the information security program functioning as designed and to keep it continuously improving over time. Policy needs to be reviewed periodically.
question
Three ways to improve readiness and review
answer
1. Policy review: Policy needs to be reviewed and refreshed from time to time to ensure that it's sound, in other words, that it provides a current foundation for the information security program.
2. Program review: Major planning components should be reviewed on a periodic basis to ensure that they are current, accurate, and appropriate.
3. Rehearsals: When possible, major plan elements should be rehearsed.
question
Program Review
answer
As policy needs shift, a thorough and independent review of the entire information security program should be undertaken.
question
Rehearsals and War Games
answer
Where possible, major planning elements should be rehearsed. Rehearsal adds value by exercising the procedures, identifying shortcomings, and providing security personnel the opportunity to improve the security plan before it is needed.
question
Digital Forensics
answer
In order to protect the organization, and to possibly assist law enforcement in the conduct of an investigation, the organization must act to document what happened and how.
question
What are the two key purposes of digital forensics?
answer
1. To investigate allegations of digital malfeasance. A crime against or using digital media, computer technology, or related components (computer as source or object of crime) is referred to as digital malfeasance. To investigate digital malfeasance, you must use digital forensics to gather, analyze, and report the findings of an investigation. This is the primary mission of law enforcement in investigating crimes involving computer technologies or online information.
2. To perform root cause analysis. If an incident occurs and the organization suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorized access, as well as to determine how pervasive and successful the attack was. This is used primarily by IR teams to examine their equipment after an incident.
question
The organization must choose one of two approaches when employing digital forensics:
answer
1. Protect and forget.
2. Apprehend and prosecute.
question
Protect and forget.
answer
This approach, also known as patch and proceed, focuses on the defense of the data and the systems that house, use, and transmit it. An investigation that takes this approach focuses on the detection and analysis of events to determine how they happened, and to prevent reoccurrence. Once the current event is over, who caused it or why is almost immaterial.
question
Apprehend and prosecute
answer
This approach, also known as pursue and prosecute, focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution. This approach requires much more attention to detail to prevent contamination of evidence that might hinder prosecution.
question
Digital Forensics Methodology
answer
1. Identify relevant items of evidentiary value (EM)
2. Acquire (seize) the evidence without alteration or damage
3. Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
4. Analyze the data without risking modification or unauthorized access
5. Report the findings to the proper authority
question
Identify Relevant Items
answer
The affidavit or warrant authorizing a search action must specifically identify what items of evidence can be seized.
question
response team
answer
The principal responsibility of the response team is to acquire the information without altering it.
question
There are generally two methods of acquiring evidence from a system.
answer
1. Online data acquisition
2. Offline data acquisition