Domain 1

Question 1

DAD

Answer 1

(disclosure alteration and destruction)

Question 2

Confidentiality

Answer 2

prevent unauthorized disclosure, need to know, and least privilege. assurance that information is not disclosed to unauthorized programs, users, processes, encryption, logical and physical access control,

Question 3

Integrity

Answer 3

no unauthorized modifications, consistent data, protecting data or a resource from being altered in an unauthorized fashion

Question 4

Availability

Answer 4

reliable and timely, accessible, fault tolerance and recovery procedures, WHEN NEEDED

Question 5

IAAA

Answer 5

Requirements for accountability
Identification - user claims identity, used for user access control
Authentication - testing of evidence of users identity
Accountability - determine actions to an individual person
Authorization - rights and permissions granted

Question 6

Privacy

Answer 6

level of confidentiality and privacy protections

Question 7

Risk

Answer 7

Not possible to get rid of all risk.
Get risk to acceptable/tolerable level Baselines – minimum standards
ISO 27005 – risk management framework Budget – if not constrained go for the $$$

Question 8

Responsibilities of the ISO

Answer 8

Written Products – ensure they are done CIRT – implement and operate
Security Awareness – provide leadership Communicate – risk to higher management Report to as high a level as possible Security is everyone’s responsibility

Question 9

Control Frameworks

Answer 9

Consistent – approach & application
Measurable – way to determine progress
Standardized – all the same
Comprehension – examine everything
Modular – to help in review and adaptive. Layered, abstraction

Question 10

Due Care

Answer 10

Which means when a company did all that it could have reasonably done to try and prevent security breach / compromise / disaster, and took the necessary steps required as countermeasures / controls (safeguards). The benefit of “due care” can be seen as the difference between the damage with or without “due care” safeguards in place. AKA doing something about the threats, Failing to perform periodic security audits can result in the perception that due care is not being maintained

Question 11

Due Diligence

Answer 11

means that the company properly investigated all of its possibly weaknesses and vulnerabilities AKA understanding the threats

Question 12

Patent

Answer 12

grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention. After 20 years the idea is open source of application

Question 13

Copyright

Answer 13

protects the expression of ideas but not necessarily the idea itself ex. Poem, song @70 years after author dies

Question 14

Trade Secret

Answer 14

something that is propriety to a company and important for its survival and profitability (like formula of Coke or Pepsi) DON’T REGISTER – no application

Question 15

Trademarks

Answer 15

words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M) @10 years

Question 16

Wassenaar Arrangement (WA)

Answer 16

Dual use goods & trade, International cryptographic agreement, prevent destabilizing

Question 17

Computer Crimes

Answer 17

loss, image, penalties

Question 18

Regulations

Answer 18

SOX, Sarbanes Oxley, 2002 after ENRON and World Online debacle Independent review by external accountants.
Section 302: CEO’s CFO’s can be sent to jail when information they sign is incorrect. CEO SIGN
Section 404 is the about internal controls assessment: describing logical controls over accounting files; good auditing and information security.

Question 19

Corporate Officer Liability (SOX)

Answer 19

Executives are now held liable if the organization they represent is not compliant with the law.
Negligence occurs if there is a failure to implement recommended precautions, if there is no contingency/disaster recovery plan, failure to conduct appropriate background checks, failure to institute appropriate information security measures, failure to follow policy or local laws and regulations.

Question 20

COSO

Answer 20

framework to work with Sarbanes-Oxley 404 compliance European laws: TREADWAY COMMISSION
Need for information security to protect the individual.
Privacy is the keyword here! Only use information of individuals for what it was gathered for
(remember ITSEC, the European version of TCSEC that came from the USA/Orange Book, come together in Common Criteria, but there still is some overlap)
• strong in anti-spam and legitimate marketing
• Directs public directories to be subjected to tight controls • Takes an OPT-IN approach to unsolicited commercial
electronic communications
• User may refuse cookies to be stored and user must be
provided with information
• Member states in the EU can make own laws e.g. retention of data

Question 21

COBIT

Answer 21

examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC heavy auditing, metrics, regulated industry

Question 22

Incident

Answer 22

an event that has potential to do harm

Question 23

Breach

Answer 23

incident that results in disclosure or potential disclosure of data

Question 24

Data Disclosure

Answer 24

unauthorized acquisition of personal information

Question 25

Event

Answer 25

Threat events are accidental and intentional exploitations of vulnerabilities.

Question 26

ITAR, 1976.

Answer 26

Defense goods, arms export control act FERPA– Education

Question 27

GLBA

Answer 27

Graham, Leach, Bliley; credit related PII (21)

Question 28

ECS

Answer 28

Electronic Communication Service (Europe); notice of breaches

Question 29

Fourth Amendment

Answer 29

basis for privacy rights is the Fourth Amendment to the Constitution.

Question 30

1974 US Privacy Act

Answer 30

Protection of PII on federal databases

Question 31

1980 Organization for Economic Cooperation and Development (OECD)

Answer 31

Provides for data collection, specifications, safeguards

Question 32

1986 (amended in 1996) US Computer Fraud and Abuse Act

Answer 32

Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.

Question 33

1986 Electronic Communications Privacy Act

Answer 33

Prohibits eavesdropping or interception w/o distinguishing private/public

Question 34

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Answer 34

amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use

Question 35

1987 US Computer Security Act

Answer 35

Security training, develop a security plan, and identify sensitive systems on govt. agencies.

Question 36

1991 US Federal Sentencing Guidelines

Answer 36

Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations

Question 37

1996 US Economic and Protection of Propriety Information Act

Answer 37

industrial and corporate espionage

Question 38

1996 Health Insurance and Portability Accountability Act (HIPPA) – amended

Answer 38

Amended

Question 39

1996 US National Information Infrastructure Protection

Act

Answer 39

Encourage other countries to adopt similar framework.

Question 40

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Answer 40

Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements

Question 41

Ethics

Answer 41

Just because something is legal doesn’t make it right.

Question 42

ISC2 Code of Ethics Canons

Answer 42

Protect society, the commonwealth, and the infrastructure.

• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

Question 43

(IAB)

Answer 43

Internet Advisory Board

Question 44

Ethics and Internet (RFC 1087)

Answer 44

Don’t compromise the privacy of users. Access to and use of Internet is a privilege and should be treated as such
It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

Question 45

Business Continuity plans development

Answer 45

Defining the continuity strategy
- Computing strategy to preserve the elements of HW/SW/
communication lines/data/application
- Facilities: use of main buildings or any remote facilities
People: operators, management, technical support persons Supplies and equipment: paper, forms HVAC
Documenting the continuity strategy

Question 46

BIA

Answer 46

Goal: to create a document to be used to help understand what impact a disruptive event would have on the business

Question 47

Gathering assessment material

Answer 47

Org charts to determine functional relationships

- Examine business success factors

Question 48

Vulnerability assessment

Answer 48

Identify Critical IT resources out of critical processes, Identify disruption impacts and Maximum, Tolerable Downtime (MTD)

• Loss Quantitative (revenue, expenses for repair) or Qualitative (competitive edge, public embarrassment). Presented as low, high, medium.
• Develop recovery procedures

Question 49

Analyze the compiled information

Answer 49

Document the process Identify inter- dependability

• Determine acceptable interruption periods
• Documentation and Recommendation

Question 50

RTO

Answer 50

MTD

Question 51

Separation of duties

Answer 51

assigns parts of tasks to different individuals thus no single person has total control of the
system’s security mechanisms; prevent collusion

Question 52

M of N Control

Answer 52

requires that a minimum number of agents (M) out of the total number of agents (N) work together to perform high-security tasks. So, implementing three of eight controls would require three people out of the eight with the assigned work task of key escrow recovery agent to work together to pull a single key out of the key escrow database

Question 53

Least privilege

Answer 53

a system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types:
Read only, Read/write and Access/change

Question 54

Two-man control

Answer 54

two persons review and approve the work of each other, for very sensitive operations

Question 55

Dual Control

Answer 55

two persons are needed to complete a task

Question 56

Rotation of Duties

Answer 56

limiting the amount of time a person is assigned to perform a security related task before being moved to different task to prevent fraud; reduce collusion

Question 57

Mandatory vacations

Answer 57

prevent fraud and allowing investigations, one week minimum; kill processes

Question 58

Need to Know

Answer 58

the subject is only given the amount of information required to perform an assigned task, business justification

Question 59

Agreements

Answer 59

NDA, no compete, acceptable use

Question 60

Employment

Answer 60

staff members pose more threat than external actors, loss of money stolen equipment, loss of time work hours, loss of reputation declining trusts and loss of resources, bandwidth theft, due diligence
Voluntary & involuntary ——————Exit interview!!!

Question 61

Third Party Controls

Answer 61

Vendors
- Consultants
- Contractors
Properly supervised, rights based on policy

Question 62

Threat

Answer 62

damage

Question 63

Vulnerability

Answer 63

weakness to threat vector (never does anything)

Question 64

Likelihood

Answer 64

chance that it will happen

Question 65

Impact

Answer 65

overall effects

Question 66

Residual Risk

Answer 66

amount of leftover
Organizations own the risk
Risk is determined as a byproduct of likelihood and impact

Question 67

ITIL

Answer 67

best practices for IT core operational processes, not for audit
- Service
- Change
- Release
- Configuration
Strong end to end customer focus/expertise About services and service strategy

Question 68

Risk Management (GOAL)

Answer 68

Determine impact of the threat and risk of threat occurring The primary goal of risk management is to reduce risk to an acceptable level.
Step 1 – Prepare for Assessment (purpose, scope, etc.)
Step 2 – Conduct Assessment
- ID threat sources and events
- ID vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3 – Communicate Risk/results
Step 4 – Maintain Assessment/regularly

Question 69

Types of Risk

Answer 69

Inherent chance of making an error with no controls in place Control chance that controls in place will prevent, detect or control errors
Detection chance that auditors won’t find an error
Residual risk remaining after control in place
Business concerns about effects of unforeseen circumstances
Overall combination of all risks aka Audit risk

Question 70

Preliminary Security Examination (PSE

Answer 70

Helps to gather the elements that you will need when the actual Risk Analysis takes place.

Question 71

ANALYSIS

Answer 71

Steps: Identify assets, identify threats, and calculate risk.

Question 72

ISO 27005

Answer 72

deals with risk

Question 73

Risk Assessment Steps

Answer 73

Four major steps in Risk assessment? Prepare, Perform, Communicate, Maintain

Question 74

Qualitative

Answer 74

Approval –
Form Team –
Analyze Data –
Calculate Risk –
Countermeasure Recommendations -
REMEMBER HYBRID!

Question 75

Quantitative Risk Analysis

Answer 75

Quantitative VALUES!!
- SLE (single Loss Expectancy) = Asset Value * Exposure
factor (% loss of asset)
- ALE (Annual loss expectancy) = SLE * ARO
(Annualized Rate of occurrence)
Accept, mitigate(reduce by implementing controls calculate costs-), Assign (insure the risk to transfer it), Avoid (stop business activity) Loss= probability * cost

Question 76

Residual risk

Answer 76

where cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L). Legally the remaining residual risk is not counted when deciding whether a company is liable.

Question 77

Controls gap

Answer 77

is the amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: total risk – controls gap = residual risk

Question 78

RTO

Answer 78

how quickly you need to have that application’s information available after downtime has occurred

Question 79

RPO

Answer 79

Recovery Point Objective: Point in time that application data must be recovered to resume business functions; AMOUNT OF DATA YOUR WILLING TO LOSE

Question 80

MTD

Answer 80

Maximum Tolerable Downtime: Maximum delay a business can be down and still remain viable
MTD minutes to hours: critical MTD 24 hours: urgent
MTD 72 hours: important MTD 7 days: normal
MTD 30 days non-essential

Question 81

PLAN

Answer 81

Accept
Build Risk Team
Review

Question 82

Once in 100 years =

Answer 82

ARO of 0.01

Question 83

SLE is also

Answer 83

the dollar value lost when an asset is successfully attacked

Question 84

Exposure Factor ranges from

Answer 84

0 to 1

Question 85

ALE

Answer 85

is the annual % of the asset lost when attacked

Question 86

Determination of Impact

Answer 86

Life, dollars, prestige, market share

Question 87

Risk Avoidance

Answer 87

discontinue activity because you don’t want to accept risk

Question 88

Risk Transfer

Answer 88

passing on the risk to another entity

Question 89

Risk Mitigation

Answer 89

elimination or decrease in level of risk

Question 90

Risk Acceptance

Answer 90

live with it and pay the cost

Question 91

Background checks

Answer 91

mitigation, acceptance, avoidance

Question 92

Risk Framework Countermeasures

Answer 92

Accountability
- Auditability
- Source trusted and known
- Cost-effectiveness
- Security
- Protection for CIA of assets
- Other issues created?
If it leaves residual data from its function

Question 93

Primary Controls (Types)

Answer 93

(control cost should be less than the value of the asset being protected)

Question 94

Administrative/Managerial Policy

Answer 94

Preventive: hiring policies, screening security awareness (also called soft-measures!)
- Detective: screening behavior, job rotation, review of audit records

Question 95

Technical (aka Logical)

Answer 95

Preventive: protocols, encryption, biometrics smartcards, routers, firewalls
- Detective: IDS and automatic generated violation reports, audit logs, CCTV(never preventative)
- Preventive: fences, guards, locks
- Detective: motion detectors, thermal detectors video
cameras

Question 96

Physical (Domain 5) – see and touch

Answer 96

Fences, door, lock, windows etc.

Question 97

Prime objective

Answer 97

is to reduce the effects of security threats and vulnerabilities to a tolerable level

Question 98

Risk analysis

Answer 98

process that analyses threat scenarios and produces a representation of the estimated Potential loss

Question 99

Main Categories of Access Control (67)

Answer 99

Directive: specify rules of behavior

• Deterrent: discourage people, change my mind
• Preventative: prevent incident or breach
• Compensating: sub for loss of primary controls
• Detective: signal warning, investigate
• Corrective: mitigate damage, restore control
• Recovery: restore to normal after incident

Question 100

Functional order in which controls should be used

Answer 100

Deterrence, Denial, Detection, Delay

Question 101

Testing a networks defenses by using the same techniques as external intruders means using

Answer 101

Scanning and Probing – port scanners
• Demon Dialing – war dialing for modems
• Sniffing – capture data packets
• Dumpster Diving – searching paper disposal areas
• Social Engineering – most common, get information by
asking

Question 102

Blue team

Answer 102

had knowledge of the organization, can be done frequent and least expensive

Question 103

Red team

Answer 103

is external and stealthy

Question 104

White Box

Answer 104

ethical hacker knows what to look for, see code as a developer

Question 105

Grey Box

Answer 105

partial knowledge of the system, see code, act as a user

Question 106

Black Box

Answer 106

ethical hacker not knowing what to find

Question 107

4 Stages

Answer 107

planning, discovery, attack, reporting

Question 108

vulnerabilities exploited

Answer 108

kernel flaws, buffer overflows, symbolic links, file descriptor attacks

Question 109

other PT model

Answer 109

footprint network (information gathering) port scans, vulnerability mapping, exploitation, report scanning tools are used in penetration tests

Question 110

flaw hypotheses methodology =

Answer 110

operation system penetration testing

Question 111

IF there is an Egregious hole

Answer 111

Tell them now !

Question 112

Strategies

Answer 112

External, internal, blind, double-blind

Question 113

Categories

Answer 113

zero, partial, full knowledge tests

Question 114

Plan

Answer 114

ID opportunity & plan for change

Question 115

Do

Answer 115

implement change on a small scale

Question 116

Check

Answer 116

use data to analyze results of change

Question 117

Act

Answer 117

if change successful, implement wider scale, if fails begin cycle again

Question 118

Identification of Threat

Individuals must be qualified with the appropriate level of training.

Answer 118

Develop job descriptions
- Contact references
- Screen/investigate background
- Develop confidentiality agreements
- Determine policy on vendor, contractor, consultant, and
temporary staff access
DUE DILIGENCE

Question 119

Public domain

Answer 119

available for anyone to use

Question 120

Open source

Answer 120

source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone

Question 121

Freeware

Answer 121

source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone

Question 122

Assurance

Answer 122

Degree of confidence in satisfaction of security requirements Assurance = other word for security
THINK OUTSIDE AUDIT

Question 123

Successful Requirements Gathering

Answer 123

Don’t assume what client wants Involve users early

Define and agree on scope MORE

Question 124

Security Awareness

Answer 124

Technical training to react to situations, best practices for Security and network personnel; Employees, need to understand policies then use presentations and posters etc. to get them aware
Formal security awareness training – exact prep on how to do things

Question 125

Wire tapping

Answer 125

eavesdropping on communication -only legal with prior consent or warrant

Question 126

Data Diddling

Answer 126

act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

Question 127

Privacy Laws

Answer 127

data collected must be collected fairly and lawfully and used only for the purpose it was collected.

Question 128

Water holing

Answer 128

create a bunch of websites with similar names

Question 129

Work Function

Answer 129

the difficulty of obtaining the clear text from the cipher text as measured by cost/time

Question 130

Fair Cryptosystems

Answer 130

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

Question 131

SLA

Answer 131

agreement between IT service provider and customer, document service levels, divorce; how to dissolve relationship

Question 132

SLR

Answer 132

requirements for a service from client viewpoint

Question 133

Service Level Report

Answer 133

insight into a service providers ability to deliver the agreed upon service quality

Question 134

FISMA(federal agencies)

Answer 134

Phase 1 categorizing, selecting minimum controls, assessment Phase 2: create national network of secures services to assess