Domain 1 - Security and Risk Flashcards

Question 1

Q

An emphasis on confidentiality can affect which other part of the CIA triad?

Answer

A

Availability. The data is harder to access.

Question 2

Q

What is cryptanalysis?

Answer

A

Attacks on encryption.

Question 3

Q

What is data in use?

Answer

A

Live data on your screen.

Question 4

Q

What is the opposite of the CIA triad?

Answer

A

DAD

Disclosure
Alteration
Destruction

Question 5

Q

A focus on integrity can cause what part of the CIA triad to suffer?

Answer

A

Availability

Question 6

Q

A focus on availability can cause what part of the CIA triad to suffer?

Answer

A

Confidentiality and Integrity

Question 7

Q

What does IAAA stand for?

Answer

A

Identification,
Authentication
Authorization,
Accountability

Question 8

Q

What is Type 1 Authentication?

Answer

A

Something you know.

Passwords, Pass phrases, PIN, etc..

Question 9

Q

What is Type 2 Authentication?

Answer

A

Something you have.

Your ID, smartcard, token, cookie, etc.

Question 10

Q

What is Type 3 Authentication?

Answer

A

Something you are.

fingerprint reader, iris scan, palm print, etc.

Question 11

Q

What is “Authorization”

Answer

A

Assignment of access to objects.

RBAC, MAC, DAC, etc.

Question 12

Q

What is the need to know security governance principal?

Answer

A

Even when you have access, if you do not need to know then you should not access the data.

Question 13

Q

What do “subjects” do?

Answer

A

They are usually users or programs and they manipulate objects.

Question 14

Q

Who manages security governance?

Answer

A

C-level executives, board of directors, owners, etc.

Question 15

Q

What is management’s job in security governance?

Answer

A

Implementing standards, policies, and procedures to meet the governance requirements.

Question 16

Q

What are some examples of governance standards and control frameworks?

Answer

A

PCI-DSS, ISO 27001, HITRUST, COBIT, etc…

Question 17

Q

What is criminal law?

Answer

A

Society is the victim, Proof must be beyond a reasonable doubt.

Question 18

Q

What is Civil Law (Tort Law)

Answer

A

Individuals, groups, or organizations are the victims. Proof must be the majority of proof.

Question 19

Q

What is Administrative Law?

Answer

A

Laws enacted by government bodies. FDA Laws, HIPAA, FAA, etc.

Question 20

Q

What are Private Regulations?

Answer

A

PCI DSS by the credit card industry

Question 21

Q

What is real evidence?

Answer

A

Tangible objects (drives, USB drives, etc.)

Question 22

Q

What is direct evidence?

Answer

A

Testimony from first hand witnesses

Question 23

Q

What is hearsay?

Answer

A

Not first-hand knowledge. Normally inadmissible

Question 24

Q

What evidence should you provide to a court first?

Answer

A

Your best evidence. It should be complete, accurate, relevant, and authentic.

Question 25

Q

What evidence should be supplied to the court as secondary evidence?

Answer

A

IT Logs and documents from the system.

Question 26

Q

How do you prove evidence integrity in court?

Answer

A

Hashes, forensics, etc.

Question 27

Q

What does the fourth amendment protect the people from?

Answer

A

Unreasonable search and seizure by the government. This can only be ignored in certain cases like human life or threat of destroying evidence.

Question 28

Q

What is Entrapment?

Answer

A

When someone is persuaded to commit a crime that they has no intention of committing.

Question 29

Q

What is Enticement?

Answer

A

Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so.

Question 30

Q

How long does copyright last?

Answer

A

70 years after creator’s death or 95 years for creation by corporations.H

Question 31

Q

How long do trademarks last?

Answer

A

Ten years

Question 32

Q

How long to patents last?

Answer

A

Twenty years?

Question 33

Q

Can cryptographic algorithms be patented?

Question 34

Q

Are security breach notification laws federal?

Answer

A

No, each state has their own rules.

Question 35

Q

What is the Electronic communications Privacy Act?

Answer

A

It protects against warrantless wiretapping, but it was weakened by the patriot act.

Question 36

Q

What is the Patriot Act?

Answer

A

Expands Law Enforcement’s electronic monitoring connectivity.

Question 37

Q

What is the Computer Fraud and Abuse Act?

Answer

A

Most commonly used to prosecute computer crimes.

Question 38

Q

What is the Gramm-Leach-Bliley act?

Answer

A

applies to financial institutions driven by federal financial institutions.

Question 39

Q

What is the GDPR?

Answer

A

Data protection law for all people who live in the EU or EEA. It covers everyone regardless of citizenship.

Question 40

Q

Does GDPR have the right to be forgotten?

Question 41

Q

What are legacy EU laws that should be noted?

Answer

A

EU Data Protection Directive
EU-US Safe Harbor
Privacy Shield

Question 42

Q

What are the organization for economic cooperation and development privacy guidelines

Answer

A

30 member nations including the US that provide guidelines on the protection of privacy and transborder flows of personal data.

Question 43

Q

What is the Wassenaar Arrangement?

Answer

A

41 member countries. Details export and import controls for conventional arms, but has details on cryptography.

Question 44

Q

What is the ISC2 code of ethics preamble?

Answer

A

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere to the highest ethical standards.

Therefore, strict adherence to this code is a condition of certification.

Question 45

Q

What is the ISC2 code of ethics cannons

Answer

A

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession.

Question 46

Q

What is the “Mission” in governance?

Answer

A

Motivation or purpose

Question 47

Q

What are strategic plans?

Answer

A

Long-term, reviewed annually, 3 - 5 years

Question 48

Q

What are tactical plans?

Answer

A

1 year, projects, hiring, budgets, etc.

Question 49

Q

What are operational plans?

Answer

A

High detail, updated frequently

Question 50

Q

What are policies?

Answer

A

Mandatory, high-level, non-specific. They use language like “strong encryption”.

Question 51

Q

What are standards?

Answer

A

Describes a specific use of technology. For example, laptop specs for the enterprise.

Question 52

Q

What are Guidelines?

Answer

A

Not mandatory. They are recommendations.

Question 53

Q

What are procedures?

Answer

A

Low level step by step guides for how to complete a task. Very specific.

Question 54

Q

What does user awareness accomplish?

Answer

A

Change user behavior.

Question 55

Q

What does user training accomplish?

Answer

A

Provides user with a skillset.

Question 56

Q

What are administrative controls?

Answer

A

Policies, procedures, training, awareness, regulation (HIPAA)

Question 57

Q

What are examples of corrective access controls?

Answer

A

Anti-Virus, Patches, IPS

Question 58

Q

What are examples of recovery access controls

Answer

A

DR, Backups, High Availability

Question 59

Q

What is the equation for risk?

Answer

A

Threat x vulnerability

Question 60

Q

What is the equation for risk with impact?

Answer

A

Threat x vulnerability x impact

Question 61

Q

What is the equation for total risk?

Answer

A

Threat x vulnerability x asset value

Question 62

Q

What is the definition of exposure factor in quantitative risk analysis?

Answer

A

It is the percentage of asset loss.

Question 63

Q

What is the definition of Single Loss Expectancy in quantitative risk analysis?

Answer

A

It is the cost if “it” happens once

Question 64

Q

What is the definition of Annual Rate of Occurrence in quantitative risk analysis?

Answer

A

How often will “it” happen in a year

Answer 63

A

It is the cost per year if we do NOTHING

Answer 64

A

A nine step process for risk management

Answer 65

A

Measured after the fact as to whether an IT process has achieved its business requirements.

Answer 66

A

Defines measures that determines how well the process is performing.

Answer 67

A

Measures risks that the organization is facing or how risky and activity is.

Measures adherence to risk appetite

Can be used as an early warning sign

Answer 68

A

Responsible
Accountable
Consulted
Informed

Answer 69

A

Ensures IT goals aligns with business objectives

Answer 70

A

Conforming with a stated requirement such as a laws, regulations, auditing, monitoring, ethics, privacy, etc..

Answer 71

A

Provides detailed security controls for US federal systems. Provides guidance and a comprehensive risk based approach.

Answer 72

A

Focus on a specific aspect of security and privacy.

Answer 73

A

management, operational, and technical

Answer 74

A

The minimum level of security in a system.

Answer 75

A

They look for vulnerabilities in code, systems, or products

Answer 76

A

A computer system that has been infected by malware.

Answer 77

A

a command and control network of bots. can be hundreds of thousands

Answer 78

A

A BCP review with the new leadership

Answer 79

A

The Business Impact Analysis (BIA)

Answer 80

A

The total amount of time a system can be inoperable before the organization is severely impacted.

Answer 81

A

The amount of time required to configure a recovered system.

Answer 82

A

How long a new or repaired system or component will function on average?

Answer 83

A

How long will it take to recover a failed system

Answer 84

A

The minimum requirements for our critical systems to function

Answer 85

A

All third party services.

Brainscape's Knowledge GenomeTM

Domain 1 - Security and Risk Flashcards

Brainscape's Knowledge Genome^TM