36 Questions
What is the primary goal of the preventive security control type?
Stop threats before they occur
Which of the following is an example of a detective security control?
IDS/IPS
What is the primary challenge in security risk management related to valuation?
Valuation of assets, such as data and software
What is the purpose of maintaining situational awareness through network activity logs?
To monitor and audit network activity
What is the primary focus of the corrective security control type?
Actively reduce impact
What is the purpose of continuous vulnerability management in CIS Controls?
To identify and prioritize vulnerabilities
What is the primary focus of the ISO 27004 standard?
Measuring security performance and effectiveness of ISMS
What is the main objective of Clause 9 in the ISO 27002 standard?
To limit access to information and facilities
What is an example of a metric used to measure security performance in ISO 27004?
Mean Time to Resolve (MTTR)
What is a security category within Clause 9 of the ISO 27002 standard?
Access control policy
What is the purpose of Annex B in ISO 27004?
To provide examples of measurement constructs
What is a key aspect of information security performance in ISO 27004?
Effectiveness of ISMS processes and controls
What is a challenge in security risk management due to the use of IoT devices?
They can serve as attack platforms.
What is a problem with traditional security assessments?
They ignore the logical links between systems.
What is an example of a third-party system risk?
The exploitation of vulnerabilities in third-party software providers.
What is a challenge in assessing the security of an organization's assets?
Most organizations lack a full understanding of their assets.
What is an example of legislation related to product security?
Product Security and Telecommunications Infrastructure Bill (UK)
What is a challenge in information security management due to variability in scale, dynamism, and coupling?
Periodic assessment assumptions don't hold due to variability in scale, dynamism, and coupling.
Fluid manufacturing sector uses ______ tags.
RFID
Organization B may not know details of systems at Organization A or C due to ______ system risks.
third-party
IoT devices can serve as ______ platforms.
attack
Seemingly innocuous output from one system may harm another due to lack of understanding of ______ between systems.
logical links
Product Security and Telecommunications Infrastructure Bill is a legislation related to ______ security.
product
The Mirai Botnet Attack compromised and used IoT devices in ______ attacks.
DDoS
Transfer of risk involves shifting responsibility to a ______________ party.
third
Secure configuration is an example of a CIS Controls ______________ Group.
Implementation
Maintaining situational awareness through ______________ activity logs is essential.
network
Identifying and prioritizing vulnerabilities is part of the ______________ posture.
attack surface and vulnerability
The unpredictability of future attacks contributes to challenges in ______________ risk management.
security
______________ Trends involve monitoring the evolving threat landscape.
Threat
The unavailability of systems/services can result in ______ of lost work.
costs
The Harm Trees concept is based on the work of ______ et al., 2022.
Erola
High ______ of systems can lead to a higher frequency of attacks.
visibility
The risk level of an attack can be analyzed using ______ or quantitative analysis.
qualitative
Single Loss Expectancy (SLE) is calculated as the expected ______ loss per security risk occurrence.
monetary
Risk treatment approaches include ______, mitigate, and other strategies.
avoid
Study Notes
Security Controls Types
- Preventive: Stop threats before they occur (e.g., Firewalls, MFA)
- Detective: Identify threats in progress (e.g., IDS/IPS, SIEM)
- Reactive: Address threats post-incident (e.g., Incident Response, Patching)
- Corrective: Actively reduce impact (e.g., Backup Restoration)
- Recovery: Restore asset post-impact (e.g., Disaster Recovery Plans)
CIS Controls Safeguards Implementation Groups
- Inventory and Control of Hardware/Software Assets
- Continuous Vulnerability Management
- Secure Configuration
Risk Monitoring and Audit
- Network Activity Logs: Maintain situational awareness
- Threat Trends: Monitor evolving threat landscape
- Attack Surface & Vulnerability Posture: Identify and prioritize vulnerabilities
Challenges in Security Risk Management
- Valuation of Assets: Accurately valuing data, software, and intangibles
- Likelihood of Impact/Harm: Relevance of past data for future probabilities
- Unpredictable nature of future attacks
- Resulting Risk Assessment: Accuracy of assessment with uncertain data
- Subjectivity in Risk Treatment: Which risks to treat or accept?
ISO 27002 Standard
- Provides a comprehensive set of best practices for information security controls
- 14 Security Control Clauses:
  - Information Security Policies
  - Organization of Information Security
  - Human Resource Security
  - Asset Management
  - Access Control
  - Cryptography
  - Physical and Environmental Security
  - Operations Security
  - Communications Security
  - System Acquisition, Development, and Maintenance
  - Supplier Relationships
  - Information Security Incident Management
  - Information Security Aspects of Business Continuity Management
  - Compliance
- Structure of Control Categories: Each clause contains one or more security categories
ISO 27004 Standard
- Focuses on measuring security performance and effectiveness of ISMS
- Key Aspects:
  - Information security performance
  - Effectiveness of ISMS processes and controls
- Monitoring, Measurement, Analysis, & Evaluation Process:
  - Establish measurement constructs
  - Use metrics like training statistics, incident data, and internal audits
- Example Metrics: Mean Time to Detect (MTTD), Mean Time to Resolve (MTTR), Phishing attack success rates
Challenges in Security Risk Management
- Challenge 1: Assets as Attack Platforms
  - IoT devices can serve as attack platforms
  - Most organizations lack full understanding of their assets
- Challenge 2: Third-Party System Risks
  - Organization B may not know details of systems at Organization A or C
  - These third-party systems can pose significant security risks
- Challenge 3: Assessing the Glue
  - Difficulty understanding and assessing logical links between systems
  - Traditional assessments focus on systems and connections but ignore the logical glue
Test your knowledge of security controls and risk management strategies. Learn about the different types of controls, including preventive, detective, reactive, and corrective measures. Identify the key principles of risk management and how to apply them in various scenarios.