Security Controls & Risk Management
36 Questions

Questions and Answers

What is the primary goal of the preventive security control type?

  • Identify threats in progress
  • Stop threats before they occur (correct)
  • Address threats post-incident
  • Restore assets post-impact

Which of the following is an example of a detective security control?

  • Firewall
  • IDS/IPS (correct)
  • Backup Restoration
  • Disaster Recovery Plan

What is the primary challenge in security risk management related to valuation?

  • Unpredictable nature of future attacks
  • Subjectivity in risk treatment
  • Likelihood of impact or harm
  • Valuation of assets, such as data and software (correct)

What is the purpose of maintaining situational awareness through network activity logs?

  • To monitor and audit network activity (correct)

What is the primary focus of the corrective security control type?

  • Actively reduce impact (correct)

What is the purpose of continuous vulnerability management in CIS Controls?

  • To identify and prioritize vulnerabilities (correct)

What is the primary focus of the ISO 27004 standard?

  • Measuring security performance and effectiveness of ISMS (correct)

What is the main objective of Clause 9 in the ISO 27002 standard?

  • To limit access to information and facilities (correct)

What is an example of a metric used to measure security performance in ISO 27004?

  • Mean Time to Resolve (MTTR) (correct)

What is a security category within Clause 9 of the ISO 27002 standard?

  • Access control policy (correct)

What is the purpose of Annex B in ISO 27004?

  • To provide examples of measurement constructs (correct)

What is a key aspect of information security performance in ISO 27004?

  • Effectiveness of ISMS processes and controls (correct)

What is a challenge in security risk management due to the use of IoT devices?

  • They can serve as attack platforms. (correct)

What is a problem with traditional security assessments?

  • They ignore the logical links between systems. (correct)

What is an example of a third-party system risk?

  • The exploitation of vulnerabilities in third-party software providers. (correct)

What is a challenge in assessing the security of an organization's assets?

  • Most organizations lack a full understanding of their assets. (correct)

What is an example of legislation related to product security?

  • Product Security and Telecommunications Infrastructure Bill (UK) (correct)

What is a challenge in information security management due to variability in scale, dynamism, and coupling?

  • Periodic assessment assumptions don't hold due to variability in scale, dynamism, and coupling. (correct)

Fluid manufacturing sector uses ______ tags.

  • RFID (correct)

Organization B may not know details of systems at Organization A or C due to ______ system risks.

  • third-party (correct)

IoT devices can serve as ______ platforms.

  • attack (correct)

Seemingly innocuous output from one system may harm another due to lack of understanding of ______ between systems.

  • logical links (correct)

Product Security and Telecommunications Infrastructure Bill is a legislation related to ______ security.

  • product (correct)

The Mirai Botnet Attack compromised and used IoT devices in ______ attacks.

  • DDoS (correct)

Transfer of risk involves shifting responsibility to a ______________ party.

  • third (correct)

Secure configuration is an example of a CIS Controls ______________ Group.

  • Implementation (correct)

Maintaining situational awareness through ______________ activity logs is essential.

  • network (correct)

Identifying and prioritizing vulnerabilities is part of the ______________ posture.

  • attack surface and vulnerability (correct)

The unpredictability of future attacks contributes to challenges in ______________ risk management.

  • security (correct)

______________ Trends involve monitoring the evolving threat landscape.

  • Threat (correct)

The unavailability of systems/services can result in ______ of lost work.

  • costs (correct)

The Harm Trees concept is based on the work of ______ et al., 2022.

  • Erola (correct)

High ______ of systems can lead to a higher frequency of attacks.

  • visibility (correct)

The risk level of an attack can be analyzed using ______ or quantitative analysis.

  • qualitative (correct)

Single Loss Expectancy (SLE) is calculated as the expected ______ loss per security risk occurrence.

  • monetary (correct)

Risk treatment approaches include ______, mitigate, and other strategies.

  • avoid (correct)

Study Notes

Security Controls Types

• Preventive: Stop threats before they occur (e.g., Firewalls, MFA)
• Detective: Identify threats in progress (e.g., IDS/IPS, SIEM)
• Reactive: Address threats post-incident (e.g., Incident Response, Patching)
• Corrective: Actively reduce impact (e.g., Backup Restoration)
• Recovery: Restore assets post-impact (e.g., Disaster Recovery Plans)

CIS Controls Safeguards Implementation Groups

• Inventory and Control of Hardware/Software Assets
• Continuous Vulnerability Management
• Secure Configuration

Risk Monitoring and Audit

• Network Activity Logs: Maintain situational awareness
• Threat Trends: Monitor the evolving threat landscape
• Attack Surface & Vulnerability Posture: Identify and prioritize vulnerabilities

Challenges in Security Risk Management

• Valuation of Assets: Accurately valuing data, software, and intangibles
• Likelihood of Impact/Harm: Relevance of past data for future probabilities
• Unpredictable nature of future attacks
• Resulting Risk Assessment: Accuracy of assessment with uncertain data
• Subjectivity in Risk Treatment: Which risks to treat or accept?

ISO 27002 Standard

• Provides a comprehensive set of best practices for information security controls
• 14 Security Control Clauses:
  • Information Security Policies
  • Organization of Information Security
  • Human Resource Security
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development, and Maintenance
  • Supplier Relationships
  • Information Security Incident Management
  • Information Security Aspects of Business Continuity Management
  • Compliance
• Structure of Control Categories: Each clause contains one or more security categories

ISO 27004 Standard

• Focuses on measuring security performance and effectiveness of the ISMS
• Key Aspects:
  • Information security performance
  • Effectiveness of ISMS processes and controls
• Monitoring, Measurement, Analysis, & Evaluation Process:
  • Establish measurement constructs
  • Use metrics like training statistics, incident data, and internal audits
  • Example Metrics: Mean Time to Detect (MTTD), Mean Time to Resolve (MTTR), Phishing attack success rates

Challenges in Security Risk Management

• Challenge 1: Assets as Attack Platforms
  • IoT devices can serve as attack platforms
  • Most organizations lack a full understanding of their assets
• Challenge 2: Third-Party System Risks
  • Organization B may not know details of systems at Organization A or C
  • These third-party systems can pose significant security risks
• Challenge 3: Assessing the Glue
  • Difficulty understanding and assessing logical links between systems
  • Traditional assessments focus on systems and connections but ignore the logical glue

Related Documents

24-26 (2).odt

Description

Test your knowledge of security controls and risk management strategies. Learn about the different types of controls, including preventive, detective, reactive, and corrective measures. Identify the key principles of risk management and how to apply them in various scenarios.
