Domain 1 Flashcards

1
Q

3 components of security education

A

Policy - what to do
Training - skills for doing it
Awareness - changes behavior

2
Q

CIA Triad vs DAD

A

CIA: Confidentiality, Integrity, Availability

DAD (logical opposite of CIA): Disclosure, Alteration, Destruction

3
Q

Controls are implemented across what three levels? Give examples for each

A

Administrative (aka directive): background checks, policies/procedures
Technical: encryption, smart cards
Physical: locks, securing laptops/magnetic media, protection of cable

4
Q

Criminal vs Civil

A

Criminal: possible to get jail time, burden of proof is beyond a reasonable doubt (99.9%)
Civil: tip of scale (50.1%)

5
Q

CVSS

A

Common Vulnerability Scoring System

6
Q

Draw chart of 5 types of documentation

A

refer to “Types of Documentation - Drawing 1B”

7
Q

Draw the qualitative RA matrix

A

Qualitative Risk Analysis Matrix helps identify most significant risks to organization
Likelihood on left vertical, Impact top horizontal (high med low)
Refer to “Qualitative RA Matrix - Domain 1 pg 67”

8
Q

Excessive risk

A

means above acceptable level of risk for executive / data owner; excessive does NOT mean a lot of risk

9
Q

Fork bomb

A

attack that loops while 1=1 (which is always true) and keeps forking (starting new processes) until all memory is used and the system crashes

10
Q

Formula for Risk

A

risk = threat x vulnerability
threat drives calculation, vulnerability reduces the risk
threat: potential for harm, can be internal/external/competitor/govt (hurricanes, snowstorms, viruses, worms)
vulnerability: weakness (unpatched system, default install)

11
Q

variation of smurf involving spoofed UDP datagrams sent to UDP port 7

A

fraggle

12
Q

IAAA

A

Identification: means by which users claim their identities to a system
Authentication: establishes, tests or reconciles a user’s identity
Authorization: rights/permissions granted to an individual (or process) that enable access to a computer
Accountability: system’s ability to determine actions of single individual within a system, shows that a particular individual performed a particular action e.g. audit trails and logs

13
Q

LAND attack

A

creates a recursive loop which crashes the system e.g. a packet from 192.168.1.1 to 192.168.1.1 on port 8080

14
Q

List all quantitative formulas

A

SLE (Single Loss Expectancy) = EF (exposure factor) x AV (asset value)
ARO (Annualized Rate of Occurrence)
ALE (Annualized Loss Expectancy) = SLE x ARO
TCO (Total Cost of Ownership)
ROI (Return on Investment)
Cost/Benefit Analysis

15
Q

List all types of controls and examples of each

A

Preventative: locks on doors, firewalls
Detective: goes off during attack (alarm systems, IDS), means preventative failed
Corrective: short-term fix to prevent future attacks (police guards)
Compensating: alternative control (one-way firewall in hospital if MRI system could never be connected to network but doctors need info from it)
Recovery: long-term fix
Suppressive: where you detect and respond to deal with a problem

16
Q

Name a directive control that is a strategic user-focused document?

A

Policy

17
Q

Name the 5 types of documentation

A

Policy, Procedure, Standard, Baseline, Guideline (optional)

18
Q

Name different types of DoS attacks

A

DoS attacks:

  • Crafted Packets
    • Ping of Death
    • LAND attack
    • Teardrop
  • Flooding
    • SYN flood
    • Smurf
    • Fraggle

DDoS - compromising multiple machines to attack the victim
  • Fork bomb

19
Q

OCTAVE

A

Operationally Critical Threat, Asset and Vulnerability Evaluation

20
Q

password guessing vs password cracking

A

Guessing (online, where you try to guess at website login prompt but subject to account lockout)
Cracking (offline, no account lockout but need raw encrypted passwords)

21
Q

PCI DSS requirements

A

Payment Card Industry Data Security Standard - aka the dirty dozen (12 requirements); know the 12 goals in general (you don’t need to know the order):
Install and maintain firewalls
No vendor default passwords/parameters
Protect stored data
Encrypt transmission of data across public networks
Use and update antivirus
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Authenticate access to system components
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security for all personnel

22
Q

buffer overflow attack where you send a ping packet larger than the maximum allowed size

A

ping of death

23
Q

Info about individuals will be kept private and if it needs to be disclosed the person will be notified; regulated at state level

A

Privacy Act of 1974

24
Q

RFI, RFP, RFQ

A

Request for Information - helps you tailor the RFP
Request for Proposal - stage of procurement to determine which providers will bid for project and what their proposal looks like, more detailed than RFQ
Request for Quote - can sometimes ask for RFQ to make sure we have enough budget before doing a full RFP

25
Q

SLA, OLA, ELA

A

Service Level Agreement: delivering certain level of service and if you don’t there’s penalties e.g. ISP delivers certain level of bandwidth with certain reliability
Operating Level Agreement: internal agreement that supports SLA e.g. you need to make sure you have enough staff to meet the SLA
Enterprise License Agreement: site licensing for software e.g. Microsoft licensing agreement for Windows software

26
Q

type of attack that spoofs the victim’s IP and sends ICMP Echo Request (ping) to directed broadcast

A

smurf attack. The adversary sends one request to the broadcast address telling 1 million computers to reply to “me”, where “me” is the spoofed source address of the target you want to bring down (like smurfs singing down the street with hundreds joining in, the way multiple packets pile up together)

27
Q

the target has a table that keeps track of connections; if you fill it up, no new connections can come in

A

syn flood

28
Q

Attack that involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine

A

teardrop. In other words, sending a bunch of different puzzle pieces that could never be put together

29
Q

Third party governance

A

Before purchasing third party products, assess exposures/risks, validate software, etc
COTS (Commercial Off the Shelf software) e.g. Windows/Office

30
Q

Types of IP

A

Intellectual Property
Formal methods of protection:
Patent: public; can’t just be an idea, it needs to be reduced to practice and show how it actually works. The government does this to encourage people to share the best way to do something with society; in return you get a 20 yr monopoly
Copyright: creator of work is implied owner of copyright e.g. monkey who took selfies had copyright, not photographer
Trademark: “Ultimate driving machine”, “Just do it”
Informal means of protection:
Trade secret: formula for coca cola (if it were patent it would be public)

31
Q

What is an internal SLA?

A

OLA (Operating Level Agreement)

32
Q

What is OECD?

A

Organization for Economic Co-operation and Development, 34 countries in Europe, strict controls for information held on your behalf
-Working Party on Information Security and Privacy develops non-binding guidance (member countries do not have to implement recommendations)

EUDPD (European Union’s Data Protection Directive) - binding requirement for EU member states, considered more stringent than US Privacy laws

33
Q

What is the ultimate output of threat mapping or attack services?

A

Security dashboard: visual representation that shows you where high exposures are and what systems they are on

34
Q

What is TOC/TOU?

A

Time of Check / Time of Use; difference should always be zero e.g. if you put system online for two hours before it’s fully patched and secured there’s a good chance it will be compromised

35
Q

What methodology is most common for scoring vulnerabilities? Name a second system as well.

A

CVSSv2 (Common Vulnerability Scoring System) is most common. Another is OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)

36
Q

Which country does not have one set of privacy laws?

A

The US since privacy laws are at a state level, not federal. All of Europe has one set of laws.

37
Q

Your company has decided to perform a major technology overhaul. Which would best describe impact to the organization:

a) policies and procedures will need major revisions
b) policies and procedures will need minor revisions
c) minor revisions to policy and major revisions to procedures
d) minor revisions to procedures and major revisions to policy

A

Answer: c

38
Q

good for addressing ownership, profit & loss, clearly lays out who makes what decision, who owns what part of company

A

BPA (Business Partnership Agreement)

39
Q

when two organizations connect their networks together, who owns what info, who is responsible for what actions, who has liabilities for particular exposures

A

MOU/A: Memorandum of Understanding/Agreement

40
Q

typically part of MOU, involves who is allowed to keep info if partners separate. dictates technical security requirements associated with two organizations connecting networks

A

Interconnection Security Agreement

41
Q

preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary data

A

Confidentiality

42
Q

guarding against improper data modification, includes ensuring information non-repudiation and authenticity

A

Integrity

43
Q

ensuring timely and reliable access to and use of information

A

Availability

44
Q

high level statement of what to do, should be specific, measurable, achievable e.g. All servers must be properly hardened by patching and turning off services

A

Policy

45
Q

details of how to do something e.g. all the steps to apply the security configuration when a system is built

A

Procedure

46
Q

specifies a certain way something should be done or a certain brand/type of equipment to be used e.g. Admins must use Windows Server 2012 R2 as the base operating system

A

Standard

47
Q

more specific implementation, specific technical details of how a system’s hardware/software should be configured e.g. the specific settings for Win Server 2012 R2 should match those in the CIS Security Benchmark

A

Baseline. usually a baseline starts off as a guideline until it has been properly modified to meet the needs of org

48
Q

recommended way of doing something; e.g. to ease the config, local GPOs can be used to roll out the changes

A

Guideline. best practice might start off as a guideline and if analysis shows there is great benefit, it may become a standard (mandatory)

49
Q

Due __ is the prudent management and execution of due care e.g. maintaining the proper environment

A

due diligence

50
Q

Due __ is the minimum and customary practice of responsible protection of assets aka the “Prudent Man Rule”; are you doing what a reasonable organization would do when implementing security. This is an important concept to the legal matter of negligence and therein potential liability.

A

due care

51
Q

__ is performing reasonable examination and research before committing to a course of action. Basically ‘look before you leap’. In law, you would perform this by researching the terms of a contract before signing it e.g. doing your homework. The opposite would be haphazard.

A

due diligence

52
Q

__ is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if this situation exists because of a contract, regulation, or law. The opposite of this is negligence.

A

due care

53
Q

Due __ is identifying threats and risks while Due __ is acting upon findings to mitigate risks.

A

due diligence (do detect), due care (do correct)