CH 1. Security Governance Through Principles and Policies Flashcards

1
Q

Confidentiality (Definition)

A
  • measures used to ensure the protection of the secrecy of data, objects, and resources.
  • focuses security measures on ensuring that no one other than the intended recipient of a message is able to receive/read it.
2
Q

What is the goal of Confidentiality?

A
  • prevent unauthorized access to data
  • encrypts data at rest (stored on a disk)
  • encrypts data on the network (in transit)
3
Q

What does Confidentiality protection provide?

A
  • provides a means for authorized users to access and interact with resources
  • actively prevents unauthorized users from accessing and interacting with resources
4
Q

What is an access control?

A
  • the management of a relationship between subjects and objects
5
Q

What is an “object” in a security relationship?

A
  • the passive element in a security relationship
  • such as files, computers, network connections, and applications
6
Q

What is a “subject” in a security relationship?

A
  • the active element in a security relationship that acts upon or against an object
  • such as users, programs, and computers
7
Q

What are examples of attacks used to violate confidentiality?

A
  • capturing network traffic
  • stealing passwords
  • social engineering
  • port scanning
  • shoulder surfing
  • sniffing
  • escalation of privileges
8
Q

What are examples of human errors that result in a violation of confidentiality?

A
  • not encrypting data transmissions
  • not securing access points
  • backdoors in code
  • misrouted faxes
  • documents left on printers
  • not locking terminals
9
Q

What countermeasures can help ensure confidentiality against possible threats?

A
  • encryption
  • network traffic padding
  • access controls
  • authentication procedures
  • data classification
  • personnel training
  • IPsec tunnel for VPN
  • Multi-factor Authentication
10
Q

Sensitivity (Definition)

A
  • refers to the quality of information
  • could cause harm if disclosed
11
Q

Discretion (Definition)

A
  • an act or decision where an operator can influence or control disclosure in order to minimize harm or damage
12
Q

Criticality (Definition)

A
  • the level to which information is mission critical
  • the higher the level of criticality, the more likely the need to maintain the confidentiality of the information
13
Q

Concealment (Definition)

A
  • the act of hiding or preventing disclosure
  • often viewed as a means of cover, obfuscation, or distraction
14
Q

Security Through Obscurity (Definition)

A
  • the concept of attempting to gain protection through hiding, silence, or secrecy
  • not considered a valid security measure, but may still have value
15
Q

Secrecy (Definition)

A
  • the act of keeping something a secret or preventing the disclosure of information
16
Q

Privacy (Definition)

A
  • refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed
17
Q

Seclusion (Definition)

A
  • involves something in an out-of-the-way location
  • this location can also provide strict access controls
18
Q

Isolation (Definition)

A
  • the act of keeping something separated from others
  • isolation can be used to prevent commingling of information or disclosure of information (confidentiality)
19
Q

Integrity (Definition)

A
  • the concept of protecting the reliability and correctness of data
  • prevents unauthorized alteration of data
  • ensures that data remains correct, unaltered, and preserved
20
Q

What does properly implemented Integrity protection provide?

A
  • a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses or intrusions) as well as mistakes made by unauthorized users.
21
Q

What does a security mechanism that protects Integrity provide?

A
  • high level of assurance that the data, objects, and resources are unaltered from their original protected state.
  • prevents alterations while the object is in storage, in transit, or in process
22
Q

What are the three perspectives that Integrity is examined from?

A
  • preventing unauthorized subjects from making modifications
  • preventing authorized subjects from making unauthorized modifications (mistakes)
  • maintaining the internal and external consistency of objects so that their data is correct
23
Q

What are examples of attacks on data Integrity?

A
  • viruses
  • logic bombs
  • unauthorized access
  • errors in coding and applications
  • malicious modifications
  • intentional replacement
  • system back doors
24
Q

What are examples of unauthorized changes made by authorized users?

A
  • modifying or deleting files
  • entering invalid data
  • altering configurations
  • errors in commands, codes, and scripts
  • introducing a virus
  • executing malicious code
25
Q

What are examples of security measures to protect against Integrity violations?

A
  • access control
  • authentication procedures
  • intrusion detection
  • data encryption
  • hash total verifications
  • interface restrictions
  • personnel training
26
Q

Accuracy (Definition)

A
  • being correct and precise
27
Q

Truthfulness (Definition)

A
  • being a true reflection of reality
28
Q

Authenticity (Definition)

A
  • being authentic or genuine
29
Q

Validity (Definition)

A
  • being factually or logically sound
30
Q

Nonrepudiation (Definition)

A
  • not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
31
Q

Accountability (Definition)

A
  • being responsible or obligated for actions and results
32
Q

Responsibility (Definition)

A
  • being in charge or having control over something or someone
33
Q

Completeness (Definition)

A
  • having all needed and necessary components or parts
34
Q

Comprehensiveness (Definition)

A
  • being complete in scope
  • the full inclusion of all needed elements
35
Q

Availability (Definition)

A
  • authorized subjects are granted timely and uninterrupted access to objects
36
Q

What must occur for Availability to be maintained on a system?

A
  • controls must be in place to ensure authorized access and an acceptable level of performance, to quickly handle interruptions, to provide for redundancy, to maintain reliable backups, and to prevent data loss or destruction
37
Q

What are examples of threats to Availability?

A
  • device failure
  • software errors
  • environmental issues (heat, static, flooding, power loss)
  • DoS attacks
  • Object destruction
  • Communication interruptions
38
Q

What are examples of unintended violations of Availability?

A
  • Accidentally deleting files
  • overutilization of hardware or software components
  • under-allocating resources
  • mislabeling or incorrectly classifying objects
39
Q

What are examples of countermeasures to prevent violations of Availability?

A
  • access controls
  • monitoring performance and network traffic
  • using firewalls and routers to prevent DoS attacks
  • implementing redundancy for critical systems
  • maintaining and testing backup systems
  • fault tolerant disk
40
Q

Usability (Definition)

A
  • the state of being easy to use or learn or being able to be understood and controlled by a subject
41
Q

Accessibility (Definition)

A
  • the assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
42
Q

Timeliness (Definition)

A
  • being prompt, on time, within a reasonable time frame, or providing low-latency response
43
Q

5 elements of AAA services?

A
  • Identification
  • Authentication
  • Authorization
  • Auditing
  • Accounting
44
Q

Identification

A
  • claiming to be an identity when attempting to access a secured area or system
  • the process by which a subject professes an identity and accountability is initiated
  • can include: providing a username; swiping a smart card; waving a proximity device; speaking a phrase; using a biometric device
45
Q

Authentication

A
  • proving that you are that identity
  • the process of verifying or testing that the claimed identity is valid
  • most common form is a password
  • Identification and authentication are often used together as a single two-step process
46
Q

Authorization

A
  • defining permissions (i.e. allow/grant and/or deny) of a resource and object access for a specific identity
  • once a subject is authenticated, access must be authorized
  • just because a subject has been identified and authenticated does not mean they have been authorized
47
Q

Auditing

A
  • recording a log of the events and activities related to the system and subjects
  • the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system
48
Q

Accounting (aka Accountability)

A
  • reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
  • an organization’s security policy can be properly enforced only if accountability is maintained.
  • effective accountability relies on the capability to prove a subject’s identity and track their activities.
  • if you are unable to legally support your security efforts, then you will be unlikely to be able to hold a human accountable for actions linked to a user account.
49
Q

Access control matrix

A
  • compares the subject, the object, and the intended activity
  • if the specific action is allowed, the subject is authorized
50
Q

What is needed to hold a human accountable for their actions linked to a user account?

A
  • multi-factor authentication
  • with only a password as authentication, there is significant room for doubt since passwords are the least secure form of authentication
  • with MFA there is very little possibility that any other human could have compromised the authentication process
51
Q

What is required for legal restitution of a computer crime?

A

  1. demonstrate that a crime was committed
  2. that the suspect committed the crime
  3. that you took reasonable efforts to prevent the crime
  • your organization’s security needs to be legally defensible
52
Q

Layering

A
  • aka Defense in Depth
  • the use of numerous, different controls to guard against whatever threats come to pass
  • when security solutions are designed in layers, a failed control should not result in exposure of systems or data
53
Q

Abstraction

A
  • used for efficiency
  • similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
  • thus, the concept of abstraction is used when classifying objects or assigning roles to subjects
54
Q

Data Hiding

A
  • the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject
55
Q

Security through Obscurity

A
  • does not implement any form of protection
  • it is an attempt to hope something important is not discovered by keeping knowledge of it a secret.
  • an example of security through obscurity is when a programmer is aware of a flaw in their software code, but they release the product anyway hoping that no one discovers the issue and exploits it
56
Q

Encryption

A
  • the art and science of hiding the meaning or intent of a communication from unintended recipients.
57
Q

What is the primary benefit of hashing?

A
  • integrity
58
Q

What is the primary benefit of fault tolerant routers?

A
  • availability
59
Q

What is the primary benefit of IPsec using AES encryption?

A
  • confidentiality
60
Q

What is the “authentication factor”?

A
  • the “authentication factor” used to verify identity is typically labeled as, or considered to be, private information
61
Q

Which two security concepts are often used together, and required to gain access to a system?

A
  • identification
  • authentication
62
Q

What are the different authentication types?

A
  • something you know (e.g. passwords, PINs)
  • something you have (e.g. keys, tokens, smart cards)
  • something you are (e.g. biometrics, such as iris)
63
Q

What does the process of authorization ensure?

A
  • the process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity
64
Q

What is the difference between monitoring and auditing? Which can you do without the other?

A
  • monitoring is a type of watching or oversight
  • auditing is recording of the information into a record or file
  • it is possible to monitor without auditing, but you cannot audit without some form of monitoring.
65
Q

How does Abstraction simplify security?

A
  • by enabling you to assign security controls to a group of objects collected by type or function
66
Q

Security Governance?

A
  • the collection of practices related to supporting, defining, and directing the security efforts of an organization
67
Q

Business Case?

A
  • a documented argument or stated position in order to define a need to make a decision or take some form of action
  • to make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task
68
Q

What is meant by a top-down approach for security management and planning?

A
  • senior management is responsible for initiating and defining policies for an organization
  • security policies provide direction for all levels of the organization’s hierarchy
  • middle management fleshes out the security policy into standards, baselines, guidelines, and procedures.
  • the operational managers or security professionals must then implement the configurations prescribed in the security management documentation
  • finally, the end users must comply with all the security policies of the organization
69
Q

What are the three types of plans developed by the Security Management Planning team?

A
  • Strategic plan
  • Tactical plan
  • Operational plan
70
Q

Strategic Plan

A
  • long-term plan that is fairly stable
  • defines the organization’s security purpose
  • helps to understand security function and align it to the goals, mission, and objectives of the organization.
  • useful for about 5 years if it is maintained and updated annually
  • should include a risk assessment
71
Q

Tactical Plan

A
  • midterm plan
  • developed to provide more details on accomplishing the goals of the strategic plan
  • useful for about a year
  • prescribes and schedules the tasks necessary to accomplish organizational goals
72
Q

Operational Plan

A
  • short-term
  • highly detailed
  • must be updated often (monthly or quarterly)
  • spells out how to accomplish various goals of the organization
  • includes: resource allotments, budgetary requirements, staffing assignments, scheduling, step-by-step implementation procedures
73
Q

What is the goal of change management?

A
  • ensure that any change does not lead to reduced or compromised security
74
Q

Change Management

A
  • improves the security of an environment by protecting implemented security from unintentional, tangential, or affected reductions in security
  • responsible for making it possible to roll back any change to a previous secure state
75
Q

What is the primary purpose of Change Management?

A
  • make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management
76
Q

What are the requirements of Change Management?

A
  • implement change in a monitored and orderly manner
  • include a formalized testing process to verify a change produces expected results
  • all changes can be reversed
  • users are informed of changes before they occur
  • minimize negative impacts on business
  • changes reviewed by a Change Advisory Board
77
Q

Data Classification

A
  • the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality
  • the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities
  • some data items need more security than others
  • data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it
78
Q

What are the benefits of Data Classification?

A
  • demonstrates an organization’s commitment to protecting valuable resources and assets
  • assists in identifying those assets that are most critical or valuable to the organization
  • it lends credence to the selection of protection mechanisms
  • often required for regulatory compliance or legal restrictions
  • helps to define access levels, types of authorized uses, and parameters for declassification/destruction of resources that are no longer valuable
79
Q

What are some criteria that can be used for data classification?

A
  • usefulness of the data
  • timeliness of the data
  • value or cost of the data
  • maturity or age of the data
  • when data expires
  • data disclosure damage assessment
  • who has access to the data
  • who is restricted from the data
  • storage of the data
80
Q

What are the 7 steps to implement a data classification scheme?

A
  1. identify the custodian
  2. specify the classification criteria for information
  3. classify and label each resource
  4. document any exceptions
  5. select security controls to protect data
  6. specify procedures for declassifying data
  7. create enterprise-wide awareness program
81
Q

What are the 5 levels of government/military classification?

A
  • US Can Stop Terrorism (shortcut)
  • Top Secret (highest level): disclosure would compromise National Security (NS)
  • Secret: cause serious damage to NS
  • Confidential: cause damage to NS
  • Sensitive But Unclassified: for official use only
  • Unclassified: neither sensitive nor classified
82
Q

What are the 4 levels of business classification?

A
  • Confidential (highest): internal use only; significant impact if disclosed (e.g. proprietary data)
  • Private
  • Sensitive
  • Public
83
Q

COBIT

A
  • Control Objectives for Information and Related Technology
  • documented set of best IT security practices crafted by ISACA
  • prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives
84
Q

What are the 5 key principles of COBIT?

A
  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-End
  3. Applying a Single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management
85
Q

Due Care

A
  • using reasonable care to protect the interests of an organization
86
Q

Due Diligence

A
  • practicing the activities that maintain the due care effort
87
Q

Security Policy

A
  • a document that defines the scope of security needed by an organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection
  • overview or generalization of an organization’s security needs
  • defines the main security objectives and outlines the security framework of an organization
88
Q

What are examples of Security Policy uses?

A
  • Assign responsibilities
  • Define roles
  • Specify audit requirements
  • Outline enforcement processes
  • Indicate compliance requirements
  • Define acceptable risk levels
89
Q

What are the three categories of Security Policy?

A
  • regulatory
  • advisory
  • informative
90
Q

Regulatory Policy

A
  • required whenever industry or legal standards are applicable to your organization
  • discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance
91
Q

Advisory Policy

A
  • discusses behaviors and activities that are acceptable and defines consequences of violations
  • most policies are advisory
92
Q

Informative Policy

A
  • designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers
  • provides support, research, or background information relevant to the specific elements of the overall policy
93
Q

What is a rule of thumb for Security Policies?

A
  • security policies should not address individuals
  • instead, policies should define tasks and responsibilities to fit a role
  • then, these defined roles are assigned to individuals as a job description or an assigned work task
94
Q

Acceptable Use Policy

A
  • defines a level of acceptable performance and expectation of behavior and activity
95
Q

Standards

A
  • define compulsory requirements for the homogeneous use of hardware, software, technology, and security controls
  • tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies
96
Q

Baseline

A
  • defines a minimum level of security that every system throughout the organization must meet
  • a more operationally focused form of a standard
  • takes the goals of a security policy and the requirements of a standard and defines them specifically in the baseline as a rule against which to implement and compare IT systems
97
Q

Guidelines

A
  • offer recommendations on how standards and baselines are implemented and serve as an operational guide for both security professionals and users
  • flexible
  • outline methodologies, include suggested actions
98
Q

Threat Modeling

A
  • the security process where potential threats are identified, categorized, and analyzed
  • can be proactive or reactive
  • identifies the potential harm, probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat
99
Q

Proactive Threat Modeling

A
  • defensive approach
  • takes place during the early stages of systems development (initial design)
  • based on predicting threats and designing in specific defenses during the coding and crafting process
  • more cost effective and successful
100
Q

Reactive Threat Modeling

A
  • adversarial approach
  • takes place after a product has been created and deployed
  • ethical hacking, pentesting, source code review, and fuzz testing
101
Q

Fuzz Testing

A
  • dynamic testing technique
  • provides many different types of input to software
  • stresses its limits and finds previously undetected flaws
102
Q

STRIDE

A
  • threat categorization theme developed by Microsoft
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
103
Q

Spoofing

A
  • an attack with the goal of gaining access to a target system through the use of falsified identity
  • results in data theft or privilege escalation (privesc)
104
Q

What are some targets of spoofing?

A
  • IP
  • MAC
  • usernames
  • system names
  • SSID
  • email addresses
105
Q

Tampering

A
  • any action resulting in unauthorized changes or manipulation of data
  • can be data in transit or storage
  • violations of integrity and availability
106
Q

Repudiation

A
  • the ability of a user or attacker to deny having performed an action or activity
  • allows attackers to maintain plausible deniability to not be held accountable for their actions
  • can result in innocent third parties being blamed
107
Q

What are some causes of Information Disclosure?

A
  • failing to remove debugging code
  • leaving sample accounts
  • not sanitizing programming notes in HTML
  • using hidden form fields
  • detailed error messages
108
Q

What are some means of DoS?

A
  • flaw exploitation
  • connection overload
  • traffic flooding
109
Q

What are some permanent examples of DoS attack?

A
  • destruction of dataset
  • replacement of software with malicious alternatives
  • forcing a firmware flash operation to install faulty firmware
110
Q

PASTA

A
  • seven-stage threat modeling methodology
  • risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets being protected
111
Q

What are the 7 steps of PASTA?

A
  • Stage I: definition of the Objectives (DO) for the analysis of Risks
  • Stage II: definition of the Technical Scope (DTS)
  • Stage III: Application Decomposition and Analysis (ADA)
  • Stage IV: Threat Analysis (TA)
  • Stage V: Weakness and Vulnerability Analysis (WVA)
  • Stage VI: Attack Modeling & Simulation (AMS)
  • Stage VII: Risk Analysis & Management (RAM)
112
Q

TRIKE

A
  • threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD
  • provides a method of performing a security audit in a reliable and repeatable procedure
  • used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions
113
Q

VAST

A
  • Visual, Agile, and Simple Threat
  • threat modeling concept based on Agile project management and programming principles
114
Q

Reduction Analysis

A
  • aka Decomposing the application
  • purpose is to gain a greater understanding of the logic of the product as well as its interactions with external elements
115
Q

What are the 5 key concepts of Reduction Analysis?

A
  1. Trust Boundaries
  2. Data Flow Paths
  3. Input Points
  4. Privileged Operations
  5. Details about Security Stance and Approach
116
Q

DREAD

A
  • rating system for threats
  • scale of 1 to 100; 100 is most severe
  • Answers 5 questions about each threat:
    1. Damage potential
    2. Reproducibility
    3. Exploitability
    4. Affected users
    5. Discoverability
  • a value is assigned to each question
117
Q

What should be considered when evaluating a third party for security integration?

A
  • On-site Assessment
  • Document Exchange and Review
  • Process/Policy Review
  • Third-Party Audit
118
Q

Basic definition of Risk?

A
  • potential/probability for loss
119
Q

Counter measure?

A
  • compensates for a vulnerability
120
Q

Threat agent?

A
  • takes advantage of a weakness
121
Q

What are the 3 types (categories) of control?

A
  • technical
  • administrative
  • physical
122
Q

What are examples of Administrative controls?

A
  • policies
  • security awareness
  • standards
  • guidelines
123
Q

What are examples of Technical controls?

A
  • tokens
  • smart cards
  • biometric readers
  • passwords
  • encryption
  • ACL on file system
124
Q

What are examples of Physical controls?

A
  • security guard
  • locked door
  • fence
125
Q

DR

A
  • disaster recovery
126
Q

DRP

A
  • disaster recovery plan
127
Q

BC

A
  • business continuity
128
Q

BCP

A
  • business continuity plan
  • long-term
  • makes sure that business can continue
129
Q

BIA

A
  • business impact analysis
  • identifies all critical systems
  • how long critical systems can be down and the business still survive
  • regulatory requirements that apply to business
  • costs involved regarding loss if business is down
  • dependencies on other systems
130
Q

What are the phases of a policy life cycle?

A
  • Develop
  • Publish
  • Adopt
  • Review
131
Q

What does a policy need to be successful?

A
  • Endorsement from management
  • Relevance to the organization
  • Realistic
  • Adaptable/Flexible
  • Enforceable; measurable
132
Q

What are approaches to threat modeling?

A
  • attacker perspective
  • asset perspective
  • architecture perspective
133
Q

What is the “work factor”?

A

  • when threat modeling, determining how much work it would take for an attacker to compromise a system
134
Q

IOA

A
  • indicator of attack
  • attack is currently underway, but hasn’t been completed yet
135
Q

What is threat modeling a part of?

A
  • Due diligence
136
Q

What are some key steps of Supply Chain Risk Management?

A
  1. Clear identification and documentation of what is outsourced
  2. Consider the risks and have a backup plan
  3. BIA and contingency plans in case the supply chain is disrupted
137
Q

What is a good practice to follow when selecting vendors?

A
  • pick vendors that are following industry standards
  • conduct a third-party audit of the vendor
138
Q

What are some examples of industry standards vendors should be following?

A
  • ISO 9001: quality standards
  • ISO 27001: information security standards
139
Q

What is the auditing standard?

A
  • SSAE
140
Q

What is the quality management standard?

A
  • ISO 9001
141
Q

What are the ISMS standards?

A
  • ISO 27001
142
Q

What is the association representing the accounting profession?

A
  • AICPA