-
What is the definition of countermeasure?
A control put into place to mitigate potential losses
-
What is the definition of vulnerability?
Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset.
-
What is the definition of threat?
Someone uncovering a vulnerability and exploiting it
-
What is the definition of risk?
Probability of a threat becoming real, and the corresponding potential damages.
-
What is the definition of exposure?
When a threat agent exploits a vulnerability
-
What are the three control types?
- Administrative
  - Management's responsibilities necessary to protect assets
  - "Soft" controls
- Technical
  - Logical protection mechanisms
  - Built into software and hardware
- Physical
  - Controls to protect the facility's perimeter and internal resources
-
What does the CIA triad acronym mean?
- Confidentiality
- Integrity
- Availability
-
What are the two approaches to security management?
- Top-down
- Bottom-up
-
Explain the top-down security approach
Security is directed, driven, and supported by senior management
-
Explain the bottom-up security approach
A staff member or group drives the initiative
-
What is the industry best practice standard?
- BS/ISO 7799 / ISO 27001
- Also ISO 17799
-
How many sections are in the industry best practice?
There are 10:
- 1. Security policy
- 2. Security organization
- 3. Assets classification and control
- 4. Personnel security
- 5. Physical and environmental security
- 6. Computer and network management
- 7. System access control
- 8. System development and maintenance
- 9. Business continuity planning
- 10. Compliance
-
What is senior management's role in security?
- Defines the scope, objectives, priorities, and strategies of the company's security program
- Provides vision, funds, visibility, and enforcement
- Ultimately liable
- Without management's support, efforts can be doomed from the start
-
What are the four security roles?
- Data owner
- System owner
- Data custodian
- User
-
Define the security role "data owner"
- Responsible for the subset(s) of data and data classification
- Sets security requirements for data protection
-
Define the security role "system owner"
- Responsible for specific computer system(s)
- One system will have one system owner
- Can hold data from several data owners
-
Define the security role "data custodian"
- Is delegated data maintenance tasks
- Required to implement and maintain controls to provide the protection level dictated by the data owner
-
Define the security role "user"
A person who routinely uses company data for work-related tasks
-
What are the information classification criteria?
- Usefulness and value of the information
- How long the information will hold this protection requirement
- The level of damage possible if the data was disclosed, modified, or corrupted
- Laws, regulations, or liability responsibilities pertaining to the data
- Who should be accessing this data?
- Who should maintain this data?
- Who should monitor and audit the use of this data?
-
What is the main rule for "liability and its ramifications"?
Prudent person rule - perform the duties that prudent and responsible people would exercise in similar circumstances
-
What is SLE?
Single Loss Expectancy
-
What is the SLE formula?
SLE = Asset value × Exposure factor
-
What is ALE?
Annualized Loss Expectancy
-
What is the ALE formula?
ALE = SLE × Annualized rate of occurrence
-
Calculate the ALE for the following: a facility is worth 650,000 and a fire is expected once every 10 years that will damage 35% of the facility.
- Answer:
- 650,000 × 0.35 × 0.10 = 22,750
-
Define total risk
Total risk is defined by the following formula:
Threats × Vulnerability × Asset value
-
Define residual risk
Residual risk is defined by the following formula:
(Threats × Vulnerability × Asset value) × Control gap
-
What are the different memory types?
- Primary memory
- Real memory
- Cache memory
- Virtual memory
-
What are the seven memory management responsibilities?
- 1. Keep track of used and unused memory segments
- 2. Assign memory segments to processes
- 3. Manage swapping between main memory and secondary storage
- 4. Memory protection
- 5. Access control
- 6. Keep track of software and virtual addressing schemes
- 7. A multi-user OS requires a more complex memory manager
  - DOS and Windows 9x are single-user OSes
-
What are the four process states?
- 1. Stopped
- 2. Waiting
- 3. Running
- 4. Ready
-
What is the order of the best process states?
- Running
- Ready/Waiting
- Stopped
-
What does TCB mean?
Trusted Computing Base
-
What are Access Control Models?
- Provide rules and structures used to control access and show how access decisions are made
- The main components are subjects, objects, operations, and their relationships
- The goal is to control how objects are accessed and to ensure one security principle or another (confidentiality, integrity)
-
What is the main state machine model characteristic?
If a system comes up in a secure state, all state transitions are secure (including failing), and it shuts down in a secure state, the system is secure.
-
What is the rule of Bell-LaPadula?
No write up and no read down - the strong star property
-
What does "* (star) property" mean?
Strong star property