What is the definition of countermeasure?
A control put into place to mitigate potential losses
What is the definition of vulnerability?
Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset.
What is the definition of threat?
Someone uncovering a vulnerability and exploiting it
What is the definition of risk?
Probability of a threat becoming real, and the corresponding potential damages.
What is the definition of exposure?
When a threat agent exploits a vulnerability
What are the three control types?
Administrative: Management's responsibilities necessary to protect assets; "soft" controls
Technical: Logical protection mechanisms; built into software and hardware
Physical: Controls to protect the facility's perimeter and internal resources
What does the CIA triad acronym mean?
Confidentiality, Integrity, Availability
What are the two approaches to security management?
1. Top down
2. Bottom up
Explain the top down security approach
Security is directed, driven, and supported by senior management
Explain the bottom up security approach
A staff member or group drives the initiative
What is the industry best practice standard?
BS/ISO 7799 / ISO 27001
ISO 17799 also
How many sections are in the industry best practice?
There are 10:
1. Security policy
2. Security organization
3. Assets classification and control
4. Personnel security
5. Physical and environmental security
6. Computer and network management
7. System access control
8. System development and maintenance
9. Business continuity planning
10. Compliance
What is senior management's role in security?
Defines the scope, objectives, priorities, and strategies of the company's security program
Provides vision, funds, visibility, and enforcement
Ultimately liable
Without management's support, efforts can be doomed from the start
What are the four security roles?
Data owner
System owner
Data custodian
User
Define the security role "data owner"
Responsible for the subset(s) of data and data classification
Sets security requirements for data protection
Define the security role "system owner"
Responsible for specific computer system(s)
One system will have one system owner
Can hold data from several data owners
Define the security role "data custodian"
Is delegated data maintenance tasks
Required to implement and maintain controls to provide the protection level dictated by the data owner
Define the security role "user"
A person who routinely uses company data for work-related tasks
What are the information classification criteria?
Usefulness and value of the information
How long the information will hold this protection requirement
The level of damage possible if the data was disclosed, modified, or corrupted
Laws, regulations, or liability responsibilities pertaining to the data
Who should be accessing this data?
Who should maintain this data?
Who should monitor and audit the use of this data?
What is the main rule for "liability and its ramifications"?
Prudent person rule - Perform duties that prudent and responsible people would exercise in similar circumstances
What is SLE?
Single Loss Expectancy
What is the SLE formula?
SLE = Asset value X exposure factor
What is ALE?
Annualized Loss Expectancy
What is the ALE formula?
ALE = SLE X Annualized rate of occurrence
Calculate the ALE for the following: Facility is worth 650,000 and a fire is expected once every 10 years that will damage 35% of the facility.
Answer: 650,000 x 0.35 x 0.10 = 22,750
Define total risk
Total risk is defined by the following formula:
threats x vulnerability x asset value
Define residual risk
Residual risk is defined by the following formula:
(threats x vulnerability x asset value) x control gap
What are the different memory types?
Primary memory
Real memory
Cache memory
Virtual memory
What are the seven memory management responsibilities?
1. Keep track of used and unused memory segments
2. Assign memory segments to processes
3. Manage swapping between main memory and secondary storage
4. Memory protection
5. Access control
6. Keeping track of software and virtual addressing schemes
7. A multi-user OS requires a more complex memory manager (DOS and Windows 9x are single-user OSes)
What are the four process states?
1. Stopped
2. Waiting
3. Running
4. Ready
What is the order of the best process states?
Running
Ready/Waiting
Stopped
What does TCB mean?
Trusted Computing Base
What are Access Control Models?
Provides rules and structures used to control access and shows how access decisions are made
The main components are subjects, objects, operations and their relationships
The goal is to control how objects are accessed and ensure one security principle or another (confidentiality, integrity)
What is the main state machine model characteristic?
If a system comes up in a secure state (all state transitions are secure; including failing) and shuts down in a secure state, the system is secure.
What is the Rule of "Bell-LaPadula"?
no write up and no read down - the strong star property
What does "* star property" mean?
strong star property