Chapter 1 - Security Governance Through Principles and Policies

Question 1

Define Confidentiality

Answer 1

Protection of secrecy of the data/Prevention of unauthorized access to data.

Question 2

Encryption would prevent a violation of which area of the CIA triad.

Answer 2

Confidentiality

Question 3

Define Integrity

Answer 3

Protecting reliability and correctness of data/prevention of unauthorized alteration of data.

Question 4

Intrusion detection systems and strict access control are countermeasures to ensure which area of the CIA triad?

Answer 4

Integrity

Question 5

Availability

Answer 5

Timely and uninterrupted access to data/prevention of DDoS attacks.

Question 6

Implementing redundancy, installing firewalls, and maintaining backup systems are countermeasures that ensure which are of the CIA triad?

Answer 6

Availability

Question 7

In the DAD triad, what is the opposite of Confidentiality

Answer 7

A failure in confidentiality results in Disclosure

Question 8

In the DAD triad, what is the opposite of Integrity

Answer 8

A failure in integrity results in Alteration

Question 9

In the DAD triad, what is the opposite of Availability

Answer 9

A failure in availability results in Destruction

Question 10

Authenticity

Answer 10

Users have a high level of confidence that data was sent from the alleged source without being manipulated in transit.

Question 11

Non-Repudiation

Answer 11

Users are not able to take actions on the network without the action being attributed to them.

Question 12

How many services are aligned to the AAA security mechanism?

Answer 12

5

Question 13

Identification

Answer 13

The mechanism for presenting who the user is to the system (username, smart card, facial presentation).

Question 14

Authentication

Answer 14

Proof that identity is accurate - password or pin.

Question 15

Authorization

Answer 15

Defining permissions and assigning them to the user for resources.

Question 16

Auditing

Answer 16

recording logs of events and activities related to system and subjects

Question 17

Accounting

Answer 17

reviewing the log files to check for compliance and violations in order to hold users accountable for their actions.

Question 18

The use of multiple controls in series is known as…?

Answer 18

Defense in Depth

Question 19

Is defense-in-depth done in parallel or in series?

Answer 19

In series - if one layer of the defense fails, the system is uncompromised. If done in parallel, one failure could expose the whole system compromise.

Question 20

Name other terms often used in relation to defense-in-depth besides layering.

Answer 20

Classifications, zones, realms, compartments, silos, segmentations, lattice structure, protection rings.

Question 21

Abstraction

Answer 21

Used for efficiency - used when classifying objects or assigning roles.

Question 22

Data Hiding

Answer 22

Users cannot see or access data in a higher classification than they are able to see

Question 23

Encryption

Answer 23

Hiding the meaning of communication from unintended recipients.

Question 24

What is the line of intersection between any two areas, subnets, or environments that have different security needs?

Answer 24

Security Boundary

Question 25

The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligations, or licensing requirements

Answer 25

Third-Party Governance

Question 26

An example of auditing protocols that have a specific checklist of requirements to investigate:

Answer 26

COBIT - Control Objectives for Information and Related Technology

Question 27

What is COBIT?

Answer 27

Control Objectives for Information and Related Technology - An example of auditing protocols that have a specific checklist of requirements to investigate.

Question 28

If an organization fails to provide sufficient documentation to meet the requirements of third-party governance, what are the repercussions?

Answer 28

Loss or void of ATO - ATO cannot be reestablished without an on-site review showing full compliance.

Question 29

What is a business case?

Answer 29

Documented need within the organization that conveys the purpose of the security approach.

Question 30

Should security management planning be led by the IT staff in a bottom-up approach or from the management in a top-down approach?

Answer 30

Top-down approach.

Question 31

Should security management planning be led by the IT staff in a bottom-up approach or from the management in a top-down approach?

Answer 31

Top-down approach.

Question 32

What is a strategic plan

Answer 32

Fairly stable
long term
5-year lifespan maintained annually
includes risk assessment

Question 33

What is a tactical plan

Answer 33

Provides more details on accomplishing the goals of the strategic plan
Can be crafted ad hoc due to unpredicted events
midterm
1-year lifespan

Question 34

What is an operational plan

Answer 34

Highly detailed
short term
useful for a month or a quarter and updated often

Question 35

Who is the person ultimately responsible for the security maintained by the organization and who should be most concerned about the protection of its assets?

Answer 35

Security Manager

Question 36

Who implements and writes security policies but does not have the authority to make final decisions or sign the security policies?

Answer 36

Security Professional

Question 37

What is the asset owner responsible for?

Answer 37

Classifying information for placement and protection within the security solution.

Question 38

What is the custodian responsible for?

Answer 38

All activities necessary to provide adequate protection for the CIA triad of data and to fulfill the requirements established by senior management.

Question 39

What do you call any person who has access to the secured system? What is their responsibility?

Answer 39

User - responsible for understanding and upholding the security policy of the organization.

Question 40

What is an auditor responsible for?

Answer 40

reviewing and verifying that security policy is properly implemented and derived security solutions are adequate.

Question 41

Who produces compliance and effectiveness reports that are reviewed by senior management?

Answer 41

Auditor

Question 42

Six key principles of Cobit

Answer 42

Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-end governance system

Question 43

NIST 800-53 Rev. 5 Security and privacy controls for information systems and organizations

Answer 43

US government sourced general recommendations for organization security.

Question 44

Center for Internet Security

Answer 44

OS, application, and hardware security configuration guides

Question 45

NIST Risk Management framework

Answer 45

establishes mandatory requirements for federal agencies.
Six phases
Categorize
Select
Implement
Assess
Authorize 
Monitor

Question 46

NIST Cybersecurity Framework

Answer 46

critical infrastructure, commercial organizations
Five Functions
Identify,
Protect
Detect
Respond
Recover

Question 47

International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)

Answer 47

International Standard that is the basis of implementing organizational security and related management practices

Question 48

Information Technology Infrastructure Library (ITIL)

Answer 48

set of recommended best practices for optimization of IT services to support business growth, transformation, and change.

How IT and security are best integrated with and aligned to the objectives of an organization

Question 49

Due Diligence

Answer 49

Establishing the plan, policy, and process to protect the interests of the organization.

Question 50

Due Care

Answer 50

Practicing individual activities that maintain due diligence effort. Actual execution.

Question 51

Security Policies

Answer 51

The document that defines the scope of security required by the organization and defines which assets require protection.
Objectives
Visions
Goals

Question 52

Organizational Security Policy

Answer 52

Issues relevant to the aspects of the organization

Question 53

Issue Specific Security Policy

Answer 53

focuses on specific network, function, department, service of the org that is separate from the organization

Question 54

System-specific Security Policy

Answer 54

Focuses on prescribing hardware/software specific to the individual systems or system types.

Question 55

Standards

Answer 55

Compulsory requirements for the homogeneous use of hardware, software, technology, security control

Question 56

Baseline

Answer 56

The minimum level of security every system throughout the organization must meet.

If the system does not meet the baseline it should be taken out of production until it can be brought up to the baseline.

Question 57

Guideline

Answer 57

Recommendations on how standards and baselines are implemented. Operational guide for security professionals and users.

Question 58

Procedure

Answer 58

A detailed step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.

Question 59

What does the threat categorization scheme STRIDE stand for?

Answer 59

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of privilege

Question 60

Spoofing

Answer 60

Falsifying identity to gain unauthorized access to the system.

Question 61

Tampering

Answer 61

Any action that changes or manipulates data in transit or in storage.

Question 62

Repudiation

Answer 62

The ability of users to deny taking action on the network by maintaining plausible deniability.

Question 63

Information Disclosure

Answer 63

The release of private, confidential, or controlled information.

Question 64

Denial of Service

Answer 64

Attack that attempts to prevent authorized use of a resource.

Question 65

Elevation of privilege

Answer 65

A limited user account is transformed into an account with many more privileges and accesses with power that the account should not have.

Question 66

What are the stages of PASTA

Answer 66

Process for Attack Simulation and Threat Analysis
I. Definition of the objectives (DO)
II. Definition of the technical scope (DTS)
III. Application decomposition and analysis (ADA)
IV. Threat Analysis (TA)
V. Weakness and Vulnerability Analysis (WVA)
VI. Attack Modeling & Simulation (AMS)
VII. Risk Analysis & Management (RAM)

Question 67

In the decomposition process, there are five key concepts - what are they?

Answer 67

Trust Boundaries
Dataflow  paths
Input points
Privileged Operations
Details about Security Stance and Approach

Question 68

In the decomposition process, what is any location where the level of trust or security changes?

Answer 68

Trust Boundary

Question 69

In the decomposition process, what is described by the movement of data between locations?

Answer 69

Dataflow path

Question 70

In the decomposition process, what is any location where external input is received?

Answer 70

Input Location

Question 71

In the decomposition process, what describes an activity that requires greater privileges than that of a standard user account/process.

Answer 71

Privileged Operation

Question 72

In the decomposition process, what encompasses the declaration of the security policy, security foundations, and security assumptions?

Answer 72

Details about security stance and approach

Question 73

What are three systems used to prioritize threats

Answer 73

Probability (1-10) x Damage potential ranking (1-10): Overall score of 1-100

High Medium Low Heat Map of probability/damage

DREAD (damage potential | reproducibility | exploitability | affected users | discoverability)

Question 74

Goals of a secure supply chain

Answer 74

sufficient quality
meets performance/operational goals
provides stated security mechanisms

Question 75

What agreement exists between the organization and the supplier to ensure security expectations of the final product.

Answer 75

Service Level Agreement (SLA) ensures that security is a prescribed component of the contracted service. Should incorporate elements of the SLR