Al's Cissp Flashcards
An electrical provider must maintain documentation of their electronic security perimeter in precisely the way set forth in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection documents, particularly CIP-005-1, or face significant daily fines. What is this an example of?
Standards
Baselines
Practices
Policies
Standards
A Standard is non-negotiable. It must be followed to the fullest extent. A Baseline is a minimum configuration that is required across all of an organization’s technology.
Which of the following terms refers to a security hole that could result in an attack on a system?
Risk
Exposure
Threat
Vulnerability
Vulnerability
A ‘vulnerability’ refers to a security hole that can potentially be tapped, resulting in an attack. It is not that an attack has been made, just that the possibility exists. If an attacker uses a vulnerability then it is said to have been “exploited.”
Before Joan can begin work at her new job, she must undergo a Criminal Background Check and participate in Security Awareness Training. What type of control are these preventative measures?
Technical Controls
Administrative Controls
Physical Controls
Resident Control
Administrative Controls
Administrative controls are preventative in nature and include background checks, drug testing, security training on the Human Resources side, and also include policies, procedures, and data classification.
After risks are mitigated, what is the amount of risk remaining called?
Annualized Loss Expectancy
Single Loss Expectancy
Residual Risk
Exposure Factor
Residual Risk
After a Risk Analysis is performed, controls may be implemented. The risk that remains and is not mitigated by the controls is called Residual Risk.
Which of the following has the highest potential to be a security hazard to a company that has well-defined security procedures?
An employee who performs critical duties is fired.
The Information Security Officer falls ill.
Grid power is lost for 3 hours.
A web server containing employee performance data crashes.
An employee who performs critical duties is fired.
Among these choices, the greatest risk is from an employee performing critical duties being fired. He may be in a position to compromise security if he is disgruntled and wants to ‘get back’. The other situations will be handled well since the company has well-defined security procedures in place.
Senior management plans to implement a security policy that outlines what can and cannot be done with employees’ e-mail for monitoring purposes and to address privacy issues. What would such a security policy be called?
Advisory
Issue-specific
System-specific
Organizational
Issue-specific
Issue-specific policies are also called functional implementing policies. They address specific issues that management feels need more explanation and attention.
Which of the following denotes the magnitude of potential losses due to a threat?
Risk
Exposure
Vulnerability
Loss
Exposure
Exposure is the magnitude of losses a potential vulnerability may cost an entity if it is exploited by a threat agent.
Which of the following contains general approaches that also provide the necessary flexibility in the event of unforeseen circumstances?
Policies
Standards
Procedures
Guidelines
Guidelines
Guidelines are general approaches and provide the necessary flexibility to handle emergencies. Guidelines may also be certain recommended approaches / actions to handle certain scenarios.
Non-enforced password management on servers and workstations would be defined as a:
Risk
Threat Agent
Vulnerability
Threat
Vulnerability
A vulnerability is a software, hardware, or procedural weakness that could be easily exploited by an attacker. Non-enforced password management on servers and workstations is a vulnerability.
Information such as data that is critical to a company needs to be properly identified and classified. In general, what are the guidelines to classify data?
Classify all data irrespective of format (digital, audio, video) excluding paper.
Classify only data that is digital in nature and exists on the company servers.
Classify all data irrespective of the format it exists in (paper, digital, audio, video).
Classify only data that is digital in nature and exists on the company servers, desktops and all computers in the company.
Classify all data irrespective of the format it exists in (paper, digital, audio, video).
It might appear that one only needs to classify “digital data”. However, all data needs to be classified, irrespective of the format in which it exists.
In a secure network, personnel play a key role in the maintenance and promotion of security procedures. Which of the following roles is responsible for ensuring that the company complies with software license agreements?
Product-line manager
Process owner
Solution provider
Data analyst
Product-line manager
Product-line managers are responsible for ensuring that license agreements are complied with. They are also responsible for translating business objectives and specifications for the developer of a product or solution.
Once risk assessment of a company is performed, threats and vulnerabilities are identified and the total / residual risk is determined. Which of the following is not one of the ways in which risk is handled?
Risk Inference
Risk Mitigation
Risk Acceptance
Risk Avoidance
Risk Inference
Risk Inference is not a valid way to handle Risk. Risks are usually dealt with in four ways - risk mitigation, risk avoidance, risk transference and risk acceptance.
Which of the following statements is not true with respect to the relationships between threat, vulnerability, exposure, countermeasure and risk?
A threat agent takes advantage of a vulnerability.
The probability of a fire causing damage is a risk.
A countermeasure can mitigate a vulnerability.
A vulnerability can expose a system to possible damage.
A countermeasure can mitigate a vulnerability.
A countermeasure usually mitigates a risk and not a vulnerability. A vulnerability is just the possibility that a risk may occur.
The AIC triad is made up of three main principles of information security: availability, integrity and confidentiality. Which of the following threats can compromise data integrity?
Viruses
Social engineering
Viruses
Data integrity is compromised when it is modified by an unauthorized person or program and the accuracy of the data is no longer certain. Since a virus is able to alter system files and data, it can compromise data integrity.
Which of the following norms govern how banks can protect themselves and prevent themselves from overextending / becoming insolvent?
Basel II
International Banking Act
The Bank for International Settlements came up with a system by which banks could prevent themselves from overextending / becoming insolvent. This is known as the Basel II Accord. Information security is a key part of the guidelines.
Keystroke logging, shoulder surfing, and social engineering are methods for thwarting which of the information security principles?
Confidentiality
Integrity
The confidentiality of data is breached when unauthorized parties access it. Confidentiality breaches may be intentional by methods such as shoulder surfing or social engineering to gather passwords, or unintentional such as by failing to encrypt data while it is at rest or in transit.
Data on a server has been compromised due to a hack into the system. A forensic investigator needs to copy the data on a hard disk on the server. Which of these will be the first step to be performed as part of the process?
Ensure that a bit-level copy is performed sector by sector, using a specialized tool.
Ensure that the new media into which the hard disk is being copied is properly purged.
Ensure that the new media into which the hard disk is being copied is properly purged.
Among the given choices, the first step to be performed is to purge the new media completely before copying the hard disk contents. There have been instances where the media contained prior information and was considered inadmissible in court.
Company Z’s systems are infected due to a virus attack through the network systems of company Q. If company Z sues company Q, this would be termed as:
Downstream liability
Upstream liability
This is termed downstream liability. It is an important reason for companies to take proper precautions and protect their networks and systems.
An attack occurred on a computer network system and some data was compromised. If the company proceeds to court and initiates action against the attacker, which of the following people can testify and present their opinion of the case?
The security officer
An expert witness
An expert witness
In a court of law, the opinion rule applies. As a result, witnesses may only state facts pertaining to an issue and not their opinion. Only expert witnesses, who are considered subject matter experts, may testify and present an opinion of the issue.
Although the terms event and incident are often used interchangeably, they are different. Which of the following statements is incorrect in this context?
An incident may have a positive or a negative impact on the company.
An event is a negative occurrence that can be observed, verified and documented.
An incident may have a positive or a negative impact on the company.
An event is a negative occurrence that can be observed / verified / documented whereas an incident is a series of events that negatively affects the company. Virus, insider and terrorist attacks are incidents.
Which of the following is a benefit of job rotation?
Fraud Prevention
Job Rotation
Build skill redundancy
Cross training
All of the options
All of the choices listed are benefits of job rotation. Job rotation reduces the risk of fraud by reducing the risk of collusion between two individuals. Rotating individuals out of jobs helps build skill redundancy and cross training.
Reducing or eliminating risk is accomplished by implementing which of the following?
Countermeasures
A risk management policy
Countermeasures are safeguards that are put in place to reduce or remove a potential risk. Countermeasures include virus scanning software, firewalls, mantraps, and badge readers.
A hacker hacked into a system to access confidential data in an unauthorized manner. In order to prevent being tracked, he manually changed the IP address on the packets to show a different IP address than the actual one. This is called:
IP masking
IP spoofing
IP spoofing
This is called IP spoofing. Attackers spoof their IP addresses so that it becomes difficult, if not impossible, for the victim to track them down.
A credit card company has revamped its internal team structure. Earlier, an informal structure existed, but the new structure now houses an information security department. Ideally, to whom should this department report?
CIO
CISO
CEO
The CEO
A credit card company has high security needs. Ideally, in such an organization the information security department should report to the CEO directly. This minimizes message filtering and enhances communication. This also sends out a strong signal that the company values information security.
As part of the business impact analysis, individual threats are identified and loss criteria are applied. Which of the following is an incorrect criterion while considering business impact due to a potential disaster?
Decrease in operational expenses.
Loss of reputation
Decrease in operational expenses.
When a disaster strikes, the operational expenses will most likely increase rather than decrease. All the other choices are correct and need to be included as part of the loss criteria.
What is the process of transferring transaction logs or journals to an offsite facility known as?
Electronic vaulting
Remote journaling
Remote journaling
Remote journaling is the process of moving journals or transaction logs offsite to another storage facility. This type of solution does not include the actual files, but only the logs containing any changes that have been made to the files since the last transfer. If for some reason data becomes corrupted, the log files can be retrieved and used to quickly restore the data. This is a very efficient means of recovery as only the changes need to be retrieved and applied to the data.
A major storm has damaged the headquarters of Brighton Industries. Which of the following processes should be executed first?
Business continuity plan activation
Damage assessment
Damage assessment
Following a major event such as a fire, storm, or earthquake, the first process to be executed is the damage assessment. The assessment team will evaluate the extent of the damage, what processes have been impacted, and whether they can be restored within the maximum tolerable downtime. Once these things have been determined, the team will decide if the BCP should be activated.
The CEO of a drug-manufacturing company was aware of malpractices in the manufacture of certain drugs by the company. These drugs resulted in loss of life to some users of those drugs. The CEO is likely to be tried under:
Administrative, criminal and civil laws
Civil and criminal laws
In this scenario, the CEO is likely to be tried under all three types of laws: 1. Civil law - because of the wrongs to certain individuals. 2. Criminal law - because the CEO willfully violated government laws. 3. Administrative law - because of the violation of regulatory standards.
You are assigned the responsibility of performing a risk analysis to ensure that security is properly addressed in your organization. The first step would be to:
Carry out project sizing
Prepare a cost/benefit comparison.
Carry out project sizing
The first step in carrying out a risk analysis would be to carry out project sizing. This is a very essential step and can mean the difference between project success and failure. It helps in understanding what assets and threats should be looked at and evaluated. If this step is not done properly, the project could end up being budgeted wrongly. It may appear that the first step is to prepare a cost/benefit comparison, but that is a later step.
Which of the following statements best describes the objectives of a Recovery Strategy?
They are measures put into place to help reduce the likelihood of a disaster.
They are predefined activities that will be used when a disaster strikes.
They are predefined activities that will be used when a disaster strikes.
Recovery strategies are predefined activities that will be used when a disaster strikes. They identify how the disaster and recovery should be handled. The recovery strategy should include documents about alternate sites and facilities, costs and alternatives, emergency response procedures, contact information, security procedures, and other systems that may need to be reviewed.
Kate is the director of risk management at a large financial institution. Once each year, she is required by the board of directors to convene a table-top exercise based upon a disaster scenario. After several milestones are discussed in the exercise, she makes sure that the lessons learned are folded back into the BCP for more efficiency. This exemplifies which of the four elements of a business continuity plan?
Maintenance
Testing
Testing
Kate is testing the plan. Testing is a key aspect of the BCP because environments continually change. When the plan is tested (or exercised), improvements and efficiencies can be uncovered.
The European Union takes individual privacy very seriously and has strict laws on what data is considered private. Which of these is not one of the European Union privacy principles?
Unnecessary data should not be collected
Data should only be kept for a maximum of 3 years from the time it was first collected.
Data should only be kept for a maximum of 3 years from the time it was first collected.
The European Union privacy principles do not specify a period for retention of data. They state that data should only be kept for as long as it is needed to accomplish the stated task.
A security officer developed a security program to handle the security requirements of an organization. The first three stages of the life cycle of the security program were (a) Plan, (b) Implement and (c) Operate. Select a choice from the following which best represents the next activity to be done as part of the Security Program.
Monitor the program
Assign roles and responsibilities
Monitor the program
The next step in the process would be to monitor and evaluate the program. This would include reviewing logs, audit results, and service level agreements. This would also include development of improvements to the program.
Separation of duties is an important aspect of operations security. Which of the following scenarios does not violate the separation of duties principle?
A computer user is allowed to install software and alter desktop configurations.
A computer user is allowed to install software and also to modify her security profile.
A computer user is allowed to install software and alter desktop configurations.
A computer user may be allowed to set an initial password, install software and alter desktop configurations. In this case, there is no breach of the separation of duties principle. However, the user must not be allowed to modify his/her security profile.
Lighting in buildings is often controlled such that lights in different parts of the building turn on and off at different times. This gives potential intruders the impression that there are people at work in different parts of the building. What is this called?
Controlled lighting
Standby lighting
Standby lighting
This is referred to as standby lighting. It is similar to a technique used in residential homes where certain gadgets can be configured to turn lighting on or off at pre-determined times. This gives the illusion that the house is occupied. The same technique is used in companies and security guards can configure the times that lights turn on and off.
A frame relay is a WAN solution that allows multiple companies and networks to share a WAN media. In this context, what is the equipment used at the company-end (such as a router or a switch) called?
DTE
DCE
DTE
The equipment used at the company’s end is called Data Terminal Equipment (DTE). It could be a router or a switch and provides connectivity between the company’s own network and the frame relay network. DCE is the equipment used by the service provider.
Which of the following represents the correct sequence of activities in the event of a disaster?
Disaster, Interim operations, Alternate operations, Normal operations
Disaster, Recovery operations, Alternate operations, Normal operations
Disaster, Interim operations, Alternate operations, Normal operations
Once a disaster strikes, Interim operations kick in. These include emergency responses and situational assessments. This is then followed by alternate operations during which recovery and restoration operations are performed. This then allows the company to recover back to normal operations.
At a generic level, evidence of a crime needs to be relevant to the case at hand and meet the criteria of the five rules of evidence. These rules state that:
Evidence must be authentic, complete, convincing, admissible and unaltered.
Evidence must be authentic, accurate, complete, convincing and admissible.
Evidence must be authentic, accurate, complete, convincing and admissible.
At a generic level, evidence in a computer crime needs to be relevant to the case at hand. The five rules of evidence are that it should be authentic, accurate, complete, convincing and admissible.
A security officer would like to ensure that an early warning is received in case a fire breaks out. The early warning can then be used to sound a warning alarm to start off evacuation procedures. Which of these may be used as an early-warning device?
Smoke-activated detectors
Heat-activated detectors
Smoke-activated detectors
Smoke-activated detectors are very useful as early-warning devices. They operate using photo-electric devices, which detect variations in light intensity. If the beam of light produced by the device is obstructed by smoke, an alarm sounds, and this can be used to kick off evacuation and other procedures.
Which of the following is not an instance of a computer-targeted crime?
Carrying out hacktivism by defacing a government’s website
Capturing passwords and sensitive data
Carrying out hacktivism by defacing a government’s website
A computer-assisted crime is one in which a computer is a tool used to carry out a crime. A computer-targeted crime is one in which a computer is the victim of an attack intended to harm it. Hence, hacktivism, which involves protesting a government’s activities by defacing its websites, is not a computer-targeted crime.
The Clark-Wilson model establishes a system of subject-program-object bindings so that the subject does not have direct access to the object any more. Each data item is defined and changes are allowed only by a limited set of programs. Which of these is not a defined item?
Hidden data element (HDE)
Constrained data item (CDI)
A hidden data element (HDE) is not one of the items defined by the Clark-Wilson model. The other three are defined by the model. Additionally, an unconstrained data item is used to define data not controlled by the Clark-Wilson model.
In which type of operating system does all of the operating system’s functionality run in ring 0 and in privileged or supervisory mode?
Monolithic operating systems
Virtual machines
In a monolithic operating system, all of the kernel’s activity takes place in privileged or supervisory mode. Hence, all the functionality is in ring 0. This improves performance but causes a security risk since more code runs in privileged mode and can be exploited by attackers.
___ focal length lenses provide a wide angle view of an area, which is ideal in an open area such as a lobby. Long focal length lenses provide a very narrow view, which is more appropriate for small areas such as entry/exit points.
Short
Long
Short
The Rainbow Books are a series of security guidelines and standards published by various US government agencies. They are known as the Rainbow Books because each book has a different color cover. The ____ Book is called the Trusted Computer System Evaluation Criteria (TCSEC) and sets forth the requirements for assessing the security of a given computer system.
Blue
Orange
Red
Orange
_____ warehousing could streamline data gathering and reporting for this organization. A _____ warehouse consolidates data from different databases and provides it in a user-friendly format. It is important to note that the warehouse contains copies of the data from each source it services; when a user executes a query, the results returned are from the warehouse’s _____ store.
Data
Relational
Data
Relational
_____ features require users to provide badges, PINs, or other authentication devices every time a user enters and exits specified portals. If an employee fails to badge out of a restricted area, he or she will be prohibited from re-entering that secured area without administrative intervention. This is a countermeasure against users sharing badges, PINs, etc.
Location logging
Anti-passback
Anti-passback
Halon, a chlorofluorocarbon harmful to both humans and the ozone, was banned in 1987. It has not been manufactured since 1992, as per the terms of the Montreal Protocol. The most effective replacement for this fire suppression agent is
Argon
FE-200
FE-200
When using electronic cipher locks, it is highly recommended that the keypad be _____ from view by anyone but the immediate user, to prevent unauthorized users from shoulder surfing key codes. These types of locks should also be connected to a _____ backup to ensure continuous operation of the lock during power outages.
Mantrapped, egress control
Shielded, Battery
Shielded, battery
_____ is the highest level of maturity in the CMM framework. Organizations reaching this level have reached a point in their development processes where continuous improvement of existing processes is the focus. Less mature levels in the framework place the focus on developing, implementing, and managing standard, repeatable processes.
Optimizing
Managed
Optimizing
_____ is a set of technical requirements for the reduction of electromagnetic waves for the purpose of making it very difficult for an attacker to gather information from those waves.
Faraday
Tempest
Tempest
____ security mode, specified in DOD Directive 5200.28, is an operational mode in which all users have clearance or authorization, documented formal access approval, and a need to know the information stored on the system. _____ security mode can be implemented with a single or multiple data classification levels.
Dedicated
Privileged
Dedicated
___ is a standard that outlines how countermeasures can be developed to control spurious electrical signals that radiate from electrical equipment. Equipment that needs to be highly secure should prevent or control this type of radiation and adhere to the Tempest standards.
Faraday
Tempest
Tempest
_____ is a negative occurrence that can be observed / verified / documented whereas an
Incident
Event
Event
___ is a series of events that negatively affects the company. Virus, insider and terrorist attacks are of this type.
Incident
Event
Incident
This is referred to as _____. It is similar to a technique used in residential homes where certain gadgets can be configured to turn lighting on or off at pre-determined times. This gives the illusion that the house is occupied. The same technique is used in companies and security guards can configure the times that lights turn on and off.
Standby lighting
Controlled lighting
Standby lighting
Once a disaster strikes, _____ kick in. These include emergency responses and situational assessments. This is then followed by alternate operations during which recovery and restoration operations are performed. This then allows the company to recover back to normal operations.
Disaster, Recovery operations, Emergency response, Normal operations.
Disaster, Interim operations, Alternate operations, Normal operations
Disaster, Interim operations, Alternate operations, Normal operations
At a generic level, evidence in a computer crime needs to be relevant to the case at hand. The five rules of evidence are that it should be:
Evidence must be authentic, irrefutable, complete, convincing and admissible.
Evidence must be authentic, accurate, complete, convincing and admissible.
Evidence must be authentic, accurate, complete, convincing and admissible.
In a _____, all of the kernel’s activity takes place in privileged or supervisory mode. Hence, all the functionality is in ring 0. This improves performance but causes a security risk since more code runs in privileged mode and can be exploited by attackers.
Virtual machines
Monolithic operating systems
Monolithic operating systems
_____ journaling is the process of moving journals or transaction logs offsite to another storage facility. This type of solution does not include the actual files, but only the logs containing any changes that have been made to the files since the last transfer. If for some reason data becomes corrupted, the log files can be retrieved and used to quickly restore the data. This is a very efficient means of recovery as only the changes need to be retrieved and applied to the data.
Remote
Data
Remote
A _____ is used when there is a requirement to split up a network into collision domains and broadcast domains.
router
bridge
router
A _____ can do simple filtering to separate collision domains.
router
bridge
bridge
ECC - Elliptical curve encryption
Good for mobile devices; it does not consume all of the CPU.
True
False
True
FM-200 was replaced by
Argon
FE-200
FE-200