what is the definition of countermeasure?
A control put into place to mitigate potential losses
What is the definition of vulnerability?
Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset.
What is the definition of threat?
Someone uncovering a vulnerability and exploiting it
What is the definition of risk?
Probability of a threat becoming real, and the corresponding potential damages.
What is the definition of exposure?
When a threat agent exploits a vulnerability
What are the three control types?
- AdministrativeManagements responsibilities necessary to protect assets
- "soft" controls
- Logical protection mechanisms
- Built in software and hardware
- PhysicalControls to protect the facility's perimeter and internal resources
What does the CIA triad acronym mean?
What are the two approaches to security management?
Explain top down security approach
Security is directed, driven, and supported by senior management
explain bottom up security approach
staff member or group drives initiative
What is the industry best practice standard?
- BS/ISO 7799 / ISO 27001
- ISO 17799 also
How many sections are in the industry best practice?
There are 10
- 1. Security policy
- 2. Security Organization
- 3. assets classification and control
- 4. personnel security
- 5. physical and environmental security
- 6. computer and network management
- 7. system access control
- 8. system development and maintenance
- 9. business continuity planning
- 10. compliance
What is senior managements role in Security?
- Defines the scope, objectives, priorities, and strategies of the company's security program
- Provides vision, funds, visibility, and enforcement
- ultimately liable
- without management's support, efforts can be doomed from the start
What are the four security roles?
- Data owner
- system owner
- data custodian
Define the security role "data owner"
- Responsible for the subset(s) of data and data classification
- Sets security requirements for data protection
define the security role "system owner"
- Responsible for specific computer system(s)
- One system will have one system owner
- Can hold data from several data owners
define the security role "data custodian"
- is delegated data maintenance tasks
- required to implement and maintain controls to provide the protection level dictated by data owner
define the security role "user"
person who routinely uses company data for work-related tasks
Information classification criteria
- Usefulness and value of information
- how long information will hold this protection requirement
- the level of damage possible if the data was disclosed, modified, or corrupted
- Laws, regulations, or liability responsibilities pertaining to the data
- who should be accessing this data?
- who should maintain this data?
- who should monitor and audit the use of this data?
What is the main rule for "liability and its ramifications"?
Prudent person rule - Perform duties that prudent and responsible people would exercise in similar circumstances
What is SLE?
Single Loss Expectancy
What is the SLE formula?
SLE = Asset value X exposure factor
What is ALE?
Annualized Loss Expectancy
What is the ALE formula?
ALE = SLE X Annualized rate of occurence
Calculate the ALE for the following: Facility is worth 650,000 and a fire is expected once every 10 years that will damage 35% of the facility.
- 650,000 x 0.35 x 0.10 = 22,750
Define total risk
total risk is defined by the following formula.
threats x vulnerability x asset value
define residual risk
residual risk is defined by the following formula.
(threats x vulnerability x asset value) x control gap
What are the different memory types?
- primary memory
- real memory
- cache memory
- virtual memory
what are the seven memory management responsibilities?
- 1. keep track of used and unused memory segments
- 2. assign memory segments to processes
- 3. manage swapping between main memory and secondary storage
- 4. memory protection
- 5. access control
- 6. keeping track of software and virtual addressing schemes
- 7. multi-user OS requires more complex memory manager
- dos and windoes 9x are single-user OSes
What are the four process states?
- 1. Stopped
- 2. Waiting
- 3. Running
- 4. Ready
What is the order of the best process states?
What does TCB mean?
Trusted Computing Base
What are Access Control Models?
- Provides rules and structures used to control access and shows how access decisions are made
- The main components are subjects, objects, operations and their relationships
- The goal is to control how objects are accessed and ensure one security principle or another (confidentiality, integrity)
What is the main state machine model characteristic?
If a system comes up in a secure state (all state transitions are secure; including failing) and shuts down in a secure state, the system is secure.
What is the Rule of "Bell-LaPadula"?
no write up and no read down - the strong star property
what does "* star property" mean
strong star property