Chapter 1 - Information Assurance, Risk Management, Security Controls, Governance, Ethics

Question 1

What does CIA stand for?

Answer 1

Confidentiality
Integrity
Availability

Question 2

What types of environment does the CIA triad apply to? (Name two.)

Answer 2

Logical
Physical

Question 3

Confidentiality means…

Answer 3

Data should only be available to authorised parties.

Question 4

Integrity means…

Answer 4

The data must be correct, whole, and not in any way corrupted.

Question 5

Availability means…

Answer 5

The data must be available to authorised users when it is required.

Question 6

Give an example of how we protect Confidentiality.

Answer 6

Physical example: locks, perimeters, safes.

Technical/logical: encryption, usernames, passwords, access controls, file permissions, authentication.

Question 7

The technical realm is also called the …

Answer 7

Logical realm

Question 8

Why is Integrity important?

Answer 8

We want to ensure that files are managed and authorised. We need to make sure a file is not accidentally changed or corrupted, or changed maliciously by a threat actor.

Question 9

What technical control can be used to protect Integrity?

Answer 9

Hashing- this adds a fingerprint to a file.

Question 10

In the physical world, what can help protect Availability?

Answer 10

A back-up generator which keeps the electricity supply going if the main supply has gone down.

Question 11

Name the three types of Security Controls

Answer 11

Physical
Technical
Administrative

Question 12

Give an example of a Physical Control…

Answer 12

Physical hardware devices, e.g badge-readers, lift passes

Architectural features of buildings and facilities that address process-based security needs.

Question 13

Give an example of a technical/logical control…

Answer 13

Security controls that computer systems and networks directly implement.

Question 14

Give an example of an administrative control…

Answer 14

Directives
Guidelines
Policies
Procedures

Question 15

How do you calculate the level of risk?

Answer 15

Probability + Impact = Level of Risk

Question 16

What is an Asset?

Answer 16

Anything of value that is owned by an organisation. Includes information systems and physical property and intellectual property.

Data is an asset, as is a laptop or a mobile phone.

Question 17

What is a baseline?

Answer 17

A documented, lowest level of security configuration allowed by a standard or organisation.

Question 18

What is biometric data?

Answer 18

The biological characteristics of an individual, such as a fingerprint, hand geometry, voice or iris patterns.

Question 19

What is encryption?

Answer 19

The process and act of converting plain text to ciphertext. Sometimes called enciphering

Question 20

Define Governance

Answer 20

The process of how an organisation is managed - e.g. how decisions are made, and what policies, roles and procedures are used to make those decisions

Question 21

Define Impact

Answer 21

The magnitude of harm that could be caused by a threat’s exploitation of a vulnerability.

Question 22

Define Multi-Factor Authentication

Answer 22

When you use two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification

Question 23

What is Non-Repudiation?

Answer 23

The inability to deny taking an action such as creating information, modifying it, approving information or sending/receiving a message.

Question 24

What is NIST?

Answer 24

Part of the US Dept of Commerce. It addresses the measurement infrastructure within science and technology efforts within the US federal government. It sets standards in various areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.

Question 25

What is Privacy?

Answer 25

The right of an individual to control the distribution of information about themselves.

Question 26

What is Risk?

Answer 26

A possible event which can have a negative impact on an organisation.

Question 27

What is Risk Management?

Answer 27

The process of identifying,evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.

Question 28

What is a Risk Management Framework?

Answer 28

A structured approach used to oversee and manage risk for an enterprise.

Question 29

Define Risk Acceptance

Answer 29

When the potential benefits of a business function outweigh the possible risk impact/likelihood, meaning the business function continues with no other action to reduce the risk.

This risk is within tolerance.

Question 30

What is Risk Mitigation?

Answer 30

This is when controls are put in place to reduce the risk level/likelihood.

Question 31

What is Risk Avoidance?

Answer 31

When the impact/likelihood of a particular risk is too great to be offset by the potential benefits, meaning that a particular business function cannot be performed.

Question 32

What is Risk Transference?

Answer 32

When an external party (e.g. insurers) are paid to accept the financial impact of a given risk.

Question 33

What is Risk Treatment?

Answer 33

The determination of the best way to address an identified risk.

Question 34

Define Sensitivity.

Answer 34

A measure of the level of importance assigned to information by its owner (e.g. Classification) in order to determine the level of protection needed.

Question 35

What is a Threat Actor?

Answer 35

An individual or entity that attempts to exploit vulnerabilities to cause or force a threat to occur.

Question 36

What is a Threat Vector?

Answer 36

This is how a threat actor carries our their objectives.

Question 37

What is a Vulnerability?

Answer 37

Thus is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. See NIST SP800-30 Rev 1.

Question 38

What is a Token?

Answer 38

A physical object a user possesses that is used to authenticate their identity, e.g. an HSBC secure code device.

Question 39

What are Technical Controls?

Answer 39

These are security controls for an information system that are usually implemented and executed by the information system through mechanisms contained in the hard-ware, software or firmware.

Question 40

Define Risk Tolerance.

Answer 40

The level of risk an organisation is willing to assume in order to achieve a desired result. Risk threshold, Risk appetite and acceptable risk are synonymous terms.

Question 41

The use of biometrics and a password is an example of what?

Answer 41

Multi-Factor Authentication (something you are & something you know)

Question 42

Give two examples of “something you know” commonly used for MFA.

Answer 42

Pin-code
Password

Question 43

Give examples of “something you are” for MFA purposes.

Answer 43

Iris recognition (your iris pattern is individual)
Fingerprint
Voice
Facial recognition
Retinal scanning

Question 44

What concerns are there regarding the use of biometrics?

Answer 44

Throughput (how long do they take to work, and is this practical if large umber need to be processed swiftly.

Privacy concerns and acceptability. Is this data adequately protected? Could it be used against you?

Question 45

We would use MFA when?

Answer 45

When a higher level of assurance is required.

Question 46

If your bank asks you for a username, some digits from a pass code and a password, is this MFA?

Answer 46

No. It’s single-factor authentication . They are three separate bits of information, but they are all of the same type (something you know).

Question 47

If you use MFA and one of those factors is compromised, what does this mean?

Answer 47

That they can’t access your account. The threat actor would need both pieces of assurance.

Question 48

Is a one-time password single-factor or multi?

Answer 48

Single-factor only, but may also be used in conjunction with other processes to complement the MFA process.

Question 49

Three concerns regarding the use of biometrics are…

Answer 49

Throughput
Acceptability
Accuracy

Question 50

What does FRR stand for?

Answer 50

False Rejection Rate.

How likely or fast a system is likely to reject a valid login attempt. How often a legitimate attempt is declined.

Question 51

What does FAR stand for?

Answer 51

False Acceptance Rate.

How likely it is for someone with the wrong details to sign in. Think of brute force attacks, risky logins, etc.

Question 52

It is important to consider at the design stage the — and the —? This is normally balanced in the middle and is determined by risk appetite.

Answer 52

FAR - False Acceptance Rate
FRR - False Rejection Rate

Question 53

Repudiate means…

Answer 53

Deny

Question 54

Why is non-repudiation important?

Answer 54

You need to trust that when a transaction takes place, it is the right individual and that they can’t deny having done it.

Question 55

The United Declaration of Human Rights Article 12, says…

Answer 55

Gist: Everyone has the right to privacy.

UN classes privacy as a human right. Technology has always been intertwined with this right. Technology has boosted the visibility of privacy issues.

Question 56

Administrative controls comprise (name three)…

Answer 56

Directives
Guidelines
Advisories

Question 57

Define Authorization

Answer 57

The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2

Question 58

What is a Bot?

Answer 58

Malicious code that acts like a remotely controlled “robot” for an attacker, with other worm or Trojan capabilities.

Question 59

What is HIPAA?

Answer 59

Health and Insurance Portability and Accountability Act (U.S. Federal Law) concerned with the adoption of national standards for electronic health care transactions whilst protecting privacy.

Question 60

Define Impact

Answer 60

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability

Question 61

What does ISO stand for?

Answer 61

International Organisatiob of Standards

Question 62

What is the IETF?

Answer 62

Internet Engineering Task Force

Question 63

Define Likelihood

Answer 63

The probability that a potential vulnerability may be exercised within the construct of the associated threat.

Question 64

What does NIST stand for?

Answer 64

National Institute of Standards and Technology

Question 65

What is Risk Transference?

Answer 65

Paying an external party to accept the financial kmoact of a risk.

Question 66

What is a Threat Vector?

Answer 66

The means by which a threat actor carries out their objectives.

Question 67

What is a Threat Actor?

Answer 67

An individual or a group that attempts to exploit vulnerabilities to cause of force a threat to occur.

Question 68

What is a Token?

Answer 68

A physical object a user possesses and controls that is used to authenticate the user’s identity.