Cissp Domain 1

Question 1

Difference between least privilege and need to know

Answer 1

Least privilege is all about type of access rights - read , write

Need to know - required access

Question 2

What are the 3 perspectives integrity can be examined?

Answer 2

Modifications from unauthorised

Modifications from authorised

Data to be consistent internal and external

Question 3

Availability concepts

Answer 3

Usability

Accessibility

Timeliness : low latency response

Question 4

What is Authorization about ?

Answer 4

Rights and previliges

Question 5

Accountability is dependent on ?

Answer 5

Tracking activities of individual

Question 6

Defense in depth

Answer 6

Layering or parallel

Multiple control in place

Question 7

Abstraction

Answer 7

Simplify security by enabling you to assign security controls, restrictions or permissions to a group of objects

Question 8

Data hiding Vs security through obscurity

Answer 8

Intentionally position data being accessed by unauthorised users

Hiding data in plain sight

Question 9

What is purpose of Security Governance?

Answer 9

Alignment of security function to business stratergy, Goals , mission and objectives

Question 10

What are the 3 types of Plans devloped by security management?

Answer 10

Stratergic: Long term - 5 years

Tactical:Midterm - 1 Year

Operational: Product design, system deployment

Question 11

What are the process to be considered when evaluating 3rd party ?

Answer 11

On site assessment

Document exchange and review

Process/policy review

Third party audit

Question 12

What is role of asset owner ?

Answer 12

To classify assets

Question 13

What is role of custodian?

Answer 13

Implementation of prescribed security protection

Question 14

6 key principles of cobit ?

Answer 14

Provide stakeholders value

Holistic approach

Dynamic Governance system

Governance distinct from management

Tailored to enterprise needs

End to end governance system

Question 15

What is Security policy?

Answer 15

Scope of security needed by organization and discusses assets needed protection

Question 16

What is AuP ?

Answer 16

Level of acceptable performance and behaviour and activity

Question 17

Security standards?

Answer 17

Compulsory documents for homogeneous use of hardware

Question 18

Baseline

Answer 18

Minimum level of security that every system to meet

Question 19

Guidelines

Answer 19

Offer recommendations on how standard and baseline to be implemented

Question 20

SoP

Answer 20

Detailed step by step implement a security mechanism, control or solution

Question 21

Threat modelling

Answer 21

Proactive measure during design and development

Reactive after product has been designed

Question 22

How to identify threats? (Focus area)

Answer 22

Focused on assets

Focused on attackers

Focused on software

Question 23

STRIDE

Answer 23

Spoofing

Tampering

Repudiation

Information disclosure

DoS

Elevation of prevlige

Question 24

Process of attack stimulation and threat analysis - 7 steps

Answer 24

Definition of objectives

Definition of technical scope

Application decomposition and analysis

Threat analysis

Weakness and vulnerability analysis

Attack modelling and simulation

Risk analysis and management

Question 25

Steps in Threat modelling - 5

Answer 25

Identify threats

Determining and diagram ing potential threats

Perform Reduction analysis

Prioritisation and response

Question 26

What does diagramming potential attacks ?

Answer 26

Creation of diagram of the elements involved in a transaction along with data flow and previliges boundaries

Question 27

What is reduction analysis and decomposition process ?

Answer 27

Gain greater understanding of the logic of the product, it’s internal components as well as it’s interactions with external elements

Question 28

What are 5 key concepts in decomposition process ?

Answer 28

Trust boundaries- level of trust or security changes

Data flow paths - Movement of data between locations

Input points - location where external input is received

Previliged operations - Any activity that requires greater previliges than of a user account

Details about security stance and approach

Question 29

DREAD system to rate threats

Answer 29

Damage potential

Reproducibility

Exploitablity

Affected users

Discoverablity

Question 30

What is Concept of supply chain ?

Answer 30

Most computers, devices, networks , systems and cloud services are not built by a single entity

Question 31

What is SLR ?

Answer 31

Service level requirment a statement of the expectations of service and performance from the product or service of a vendor

Prior to SLA and should incorporate above

Question 32

Collusion in crime

Answer 32

When several people work together to prepetrate crime

Question 33

Purpose of mandatory vacation

Answer 33

Detect abuses, verify the work tasks and previliges

Question 34

Mutiparty risk

Answer 34

Several entities or organisation involved in project

Question 35

Outsourcing

Answer 35

Used to describe the use of an external third party such as vendor consultant

Question 36

Privacy

Answer 36

Active prevention of unauthorised access to pii

Freedom from unauthorised access to info deemed personal or confidential

Freedom from being observed, monitored or examined without consent or knowledge

Question 37

Primary goal of Risk management

Answer 37

Reduce risk to an acceptable level

Question 38

2 primary elements of risk management

Answer 38

Risk assessment: PXI

Risk response : Evaluating countermeasures, safeguards and security controls using c/b analysis

Question 39

Countermeasures Vs Safeguards

Answer 39

Protection mechanism

Anything that removes or reduces a vulnerability or protects against one or more specific threats

Question 40

Cyclic relationship of risk elements

Answer 40

Threats exploits vulnerabilities which results in exposure.

Exposure is risk and risk is mitigated by Safeguards which are endangered by threats

Question 41

Primary goal of Risk analysis

Answer 41

C-b Safeguards are applied

Question 42

Risk management steps

Answer 42

Threat based RA or Asset based RA

1.Asset valuation

2.Identify threats and vulnerabilities

3.Risk assessment Analysis

1. Quantitative:
   AV and Threat Identification
   EF
   SLE
   ARO
   ALE
   Research countermeasures
   C-B countermeasures
2. Qualitative: Scenario based

Brainstorm
Delphi : Anonymous feedback
Interviews

Risk Response

• Reduction
• Transfer
• Deterrence
• Avoidance
• Acceptance
• Reject

Question 43

6 major elements of Quantitative RA

Answer 43

AV
EF
SLE
ARO
ALE
Perform c-b countermeasures

Question 44

Define exposure factor aka loss potential

Answer 44

Percentage of loss that an organisation would experience if specific assets were violated by risk

Question 45

Risk appetite Vs Risk capacity Vs Risk Tolerance Vs Risk limit

Answer 45

Total amount of risk that organization is willing to shoulder in aggregate across all assets

Level of risk an organisation is able to shoulder

RA>RC

Amount of risk that an organization will accept per individual asset threat pair

Maximum level of risk above risk target that will be tolerated before further risk management actions are taken

Question 46

Residual risk

Answer 46

Upper management has chosen not to implement a response

Question 47

Total risk, Inherent risk and residual risk

Answer 47

No Safeguards

Before security control

After security control

Question 48

Total risk

Answer 48

Amount of risk an organisation would face if no safeguards implemented

ThreatsVulnerabilityAsset Value

Question 49

Control Gap

Answer 49

Total risk- Residual risk

Question 50

Control risk

Answer 50

Risk introduced by introduction of countermeasures

Question 51

ALE1 and ALE2- Safeguards evaluation to see if safeguards are cost effective

Answer 51

For each asset threat pairing an inventory of potential and available Safeguards must be made

ALE1 - Pre Safeguards

ALE 2- Post Safeguards

Question 52

Annual cost of the Safeguards (ACS) and value of Safeguards to company

Answer 52

[ALE1 - ALE2] - ACS = Value of Safeguards to company

If it’s-ve not good choice

Question 53

C/B analysis of Safeguards 3 elements

Answer 53

Pre safeguards ALE for an asset threat pairing ( ALE1)

Potential post Safeguard ALE for an asset threat pairing (ALE2)

ACS

Question 54

Categories of security controls

Answer 54

Administrative: Management controls,
Policy, procedure, hiring practices

Technical or logical: H/W or S/W mechanism to manage access and provide protection for IT resources

Physical control

Question 55

Preventive control

Answer 55

Unwanted or unauthorised activity

Fences, locks, SoD, job rotation, dlp

Question 56

Deterent control

Answer 56

Deployed to discourage security policy violations

CCTV, awareness

Question 57

Detective control

Answer 57

Discover or detect unwanted or unauthorised activity

Question 58

Corrective

Answer 58

Modifies the environment to return systems to normal after an unwanted or unauthorised activity has occurred

Reboot System, IPS, back and restore, antimalware solution

Question 59

Recovery controls

Answer 59

Extension of corrective controls

Attempt to repair or restore resources after a security violation

BCP, DR, Reciprocal agreement, cloud providers

Question 60

Directive controls

Answer 60

Deployed to direct to force or encourage compliance with security policies

Guidance from security gaurd, monitoring and supervision

Question 61

Security controls assessment

Answer 61

Effectiveness of security mechanism, evaluate toughness of the risk management process of the organization, produce a report of relative strengths and weakness of devloped security infra

Question 62

EOL vs EOSL

Answer 62

EOL: Manufacturer no longer produces product.

Service and support may continue for a period of time after EOL

EOSL: Those systems that longer receiving updates and support from vendor

Question 63

Risk management framework

Answer 63

Prepare : Process initiation

Categorize

Select

Implement: Controls

Asses

Authorize

Monitor

Question 64

Two primary forms: Social engineering

Answer 64

Convincing someone to perform an unauthorised operation

Convincing someone to reveal confidential information

Question 65

Social engineering principles

Answer 65

Authority

Intimidating

Consensus: Social proof or following herd

Scarcity

Familiarity

Trust

Question 66

Eliciting information

Answer 66

Research method in order to craft a more effective pretext

Pretext - False statement crafted to sound believable

Question 67

Prepending in email

Answer 67

Adding RE: or FW: infront of message to make it look genuine

It can fool spam filters

Question 68

Drive by download

Answer 68

Installs itself without users knowledge
It takes advantage of web browser vulnerability or plug ins

Question 69

How can you stop shoulder surfing?

Answer 69

Dividing worker groups by sensitivity levels and limiting access to certain areas of building by using locked doors

Question 70

Invoice scam and protection

Answer 70

To steal funds by providing false invoice

Proper file sharing mechanism

Question 71

Impersonation Vs Masquerading

Answer 71

Identity theft and identity fraud are also related to impersonation. Impersonation is
the act of taking on someone’s identity. This might be accomplished by logging into their account with stolen credentials or claiming to be someone else when on the phone.

Masquerading- amateurishly

Question 72

Tailgating Vs piggyback

Answer 72

Unauthorised entry gains under authorisation of valid worker without knowledge

Tricking victim into providing consent - Piggyback

Question 73

Typo squatting

Answer 73

User is re directed to fake website after typo

Question 74

Difference between awareness, training and education

Answer 74

Awareness - Baseline for understanding

Training - Bring change

Education - Certificate

Question 75

Difference between BCP and DR ?

Answer 75

Stratergic focused at high level and center around business process and operations

DR- Tactical and describe technical details such as recovery sites, backups and fault tolerance

Question 76

4 main steps of BCP

Answer 76

Project scope and planning

BIA

Continuity planning

Approval and implementation

Question 77

Project scope and planning

Answer 77

Organization review

• Identify core department
• Critical support services to upkeep system

BCP team selection

Resource requirements
BCP devlopment
BCP testing, training and maintenance
BCP implementation

Legal and regulatory requirements

Question 78

BIA

Answer 78

Identifies business process and tasks that are critical to an organisation

Impact assessment
1. Quantitative impact assessment

• AV
  *MTD or MTO
• RTO
  *RPO

2. Qualitative impact assessment

Identifying priorities

Create a comprehensive list of critical business functions and rank them in order of importance

Risk identification - Purely Qualitative

• Natural
• Man made

Likelihood assessment

ARO for the risks

Impact analysis

EF
SLE
ALE

Resource prioritisation
Risk to be prioritised based on ALE to be addressed

Merge both quantitative and qualitative risks

Question 79

Continuity planning - 2 primary sub tasks

Answer 79

Devlop continuity stratergy
1. Stratergy devlopment

Implementation of zero down time posture

Risk to be acceptable and mitigated based on MTD

2. Provision and processes

Meat of BCP

Designs procedures and mechanism that will mitigate the risks deemed unacceptable during strategy development

Three categories to be protected

People

Building and facilities- Hardening and alternate sites

Infrastructure - “

Question 80

Plan approvals and implementation

Answer 80

Plan approvals

Plan implementation- Implementation of resources, Deploying resources

Training and education

BCP documentation:

Continuity planning goals

1.Statement of importance: Address employee on why we need BCP

2.Statement of priorities

3. Statement of organisation responsibility
4. Statement of urgency and timing
5. Risk assessment
6. Risk acceptance/Mitigation
7. Vital records program: Where critical records will be stored and backups
8. Emergency response guidelines
9. Maintanence
10. Testing and exercise

Question 81

Civil law

Answer 81

Govern matters that are not crime

Difference between civil and criminal law is how it’s enforced

• govt. through enforcement authorities does not get involved in civil law

Question 82

Administrative laws

Answer 82

Immigration policies

Question 83

Intellectual property

Answer 83

Intangible assets

Question 84

Copyright

Answer 84

Expression of ideas

Protection against unauthorised duplication

Question 85

Trademark

Answer 85

Avoid confusion

Words, slogan and logos

Question 86

Patents

Answer 86

IP rights of inventors

3 main requirements:

• Invention must be new
• Invention must be useful
• Invention must not be obvious

Question 87

Trade secrets

Answer 87

IP absolutely critical to business could damage if disclosed

Patents and copyright can be protected using trade secrets but:

• Removes secrecy
• Protection limited period of time

Question 88

Liscencing types

Answer 88

Contractual: vendor and customer

Shrink wrap: Agreement acknowledgement outside of sw package

Click through: Browser click

Cloud services: Same as above

Question 89

Import/Export

Answer 89

Transborder data flow of IP, PII, new tech

Question 90

Key provision of GDPR

Answer 90

Lawfulness, fairness and transparency

Purpose limitation

Data minimisation

Accuracy

Storage limitation: Right to be forgotten

Security

Accountability

Question 91

4 actions of project scope and planning

Answer 91

Structured analysis of organisation

Creation of BCP team

Assessment of available resources

Analysis of legal and regulatory landscape

Question 92

Risk acceptance

Answer 92

Taking no action and accept

Question 93

IAAAA

Answer 93

Identification Identification is claiming to be an identity when attempting to access a secured area or system.
Authentication Authentication is proving that you are that claimed identity. Authorization Authorization is defining the permissions (i.e., allow/grant and/or deny)
of a resource and object access for a specific identity or subject.
Auditing Auditing is recording a log of the events and activities related to the system and subjects.
Accounting Accounting (aka accountability) is reviewing log files to check for com- pliance and violations in order to hold subjects accountable for their actions, especially violations of organizational security policy.

Question 94

SLR

Answer 94

An SLR is a statement of the expectations of service and performance from the product or service of a vendor. Often, an SLR is provided by the customer/client prior to the establishment of the SLA (which should incorporate the elements of the SLR if the vendor expects the customer to sign the agreement).

Question 95

What is security control assessment and its goal?

Answer 95

A security control assessment (SCA) is the formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation. The SCA can be per- formed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and pro- duce a report of the relative strengths and weaknesses of the deployed security infrastructure.