Domain 1 - Security and Risk Flashcards

1
Q

An emphasis on confidentiality can affect which other part of the CIA triad?

A

Availability. The data is harder to access.

2
Q

What is cryptanalysis?

A

Attacks on encryption.

3
Q

What is data in use?

A

Live data on your screen.

4
Q

What is the opposite of the CIA triad?

A

DAD

Disclosure
Alteration
Destruction

5
Q

A focus on integrity can cause what part of the CIA triad to suffer?

A

Availability

6
Q

A focus on availability can cause what part of the CIA triad to suffer?

A

Confidentiality and Integrity

7
Q

What does IAAA stand for?

A

Identification,
Authentication,
Authorization,
Accountability

8
Q

What is Type 1 Authentication?

A

Something you know.

Passwords, passphrases, PINs, etc.

9
Q

What is Type 2 Authentication?

A

Something you have.

Your ID, smartcard, token, cookie, etc.

10
Q

What is Type 3 Authentication?

A

Something you are.

Fingerprint reader, iris scan, palm print, etc.

11
Q

What is “Authorization”?

A

Assignment of access to objects.

RBAC, MAC, DAC, etc.

12
Q

What is the need-to-know security governance principle?

A

Even when you have access, if you do not need to know then you should not access the data.

13
Q

What do “subjects” do?

A

They are usually users or programs and they manipulate objects.

14
Q

Who manages security governance?

A

C-level executives, board of directors, owners, etc.

15
Q

What is management’s job in security governance?

A

Implementing standards, policies, and procedures to meet the governance requirements.

16
Q

What are some examples of governance standards and control frameworks?

A

PCI-DSS, ISO 27001, HITRUST, COBIT, etc…

17
Q

What is criminal law?

A

Society is the victim. Proof must be beyond a reasonable doubt.

18
Q

What is Civil Law (Tort Law)?

A

Individuals, groups, or organizations are the victims. Proof must be by a majority of the evidence.

19
Q

What is Administrative Law?

A

Laws enacted by government bodies. FDA Laws, HIPAA, FAA, etc.

19
Q

What are Private Regulations?

A

PCI DSS by the credit card industry

20
Q

What is real evidence?

A

Tangible objects (drives, USB drives, etc.)

21
Q

What is direct evidence?

A

Testimony from first-hand witnesses.

22
Q

What is hearsay?

A

Not first-hand knowledge. Normally inadmissible.

23
Q

What evidence should you provide to a court first?

A

Your best evidence. It should be complete, accurate, relevant, and authentic.

24
What evidence should be supplied to the court as secondary evidence?
IT Logs and documents from the system.
25
How do you prove evidence integrity in court?
Hashes, forensics, etc.
26
What does the fourth amendment protect the people from?
Unreasonable search and seizure by the government. This can only be ignored in certain cases like human life or threat of destroying evidence.
27
What is Entrapment?
When someone is persuaded to commit a crime that they had no intention of committing.
28
What is Enticement?
Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so.
29
How long does copyright last?
70 years after the creator's death, or 95 years for creation by corporations.
30
How long do trademarks last?
Ten years
31
How long do patents last?
Twenty years
32
Can cryptographic algorithms be patented?
Yes
33
Are security breach notification laws federal?
No, each state has its own rules.
34
What is the Electronic communications Privacy Act?
It protects against warrantless wiretapping, but it was weakened by the Patriot Act.
35
What is the Patriot Act?
Expands law enforcement's electronic monitoring connectivity.
36
What is the Computer Fraud and Abuse Act?
Most commonly used to prosecute computer crimes.
37
What is the Gramm-Leach-Bliley act?
Applies to financial institutions; driven by federal financial institutions.
38
What is the GDPR?
Data protection law for all people who live in the EU or EEA. It covers everyone regardless of citizenship.
39
Does GDPR have the right to be forgotten?
Yes.
40
What are legacy EU laws that should be noted?
EU Data Protection Directive, EU-US Safe Harbor, Privacy Shield
40
What are the Organization for Economic Cooperation and Development (OECD) privacy guidelines?
30 member nations including the US that provide guidelines on the protection of privacy and transborder flows of personal data.
41
What is the Wassenaar Arrangement?
41 member countries. Details export and import controls for conventional arms, but also has details on cryptography.
42
What is the ISC2 code of ethics preamble?
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere to the highest ethical standards. Therefore, strict adherence to this code is a condition of certification.
43
What are the ISC2 code of ethics canons?
Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
44
What is the "Mission" in governance?
Motivation or purpose
45
What are strategic plans?
Long-term, reviewed annually, 3 - 5 years
46
What are tactical plans?
1 year, projects, hiring, budgets, etc.
47
What are operational plans?
High detail, updated frequently
48
What are policies?
Mandatory, high-level, non-specific. They use language like "strong encryption".
49
What are standards?
Describes a specific use of technology. For example, laptop specs for the enterprise.
50
What are Guidelines?
Not mandatory. They are recommendations.
51
What are procedures?
Low-level, step-by-step guides for how to complete a task. Very specific.
52
What does user awareness accomplish?
Changes user behavior.
53
What does user training accomplish?
Provides users with a skill set.
54
What are administrative controls?
Policies, procedures, training, awareness, regulation (HIPAA)
55
What are examples of corrective access controls?
Anti-Virus, Patches, IPS
56
What are examples of recovery access controls?
DR, Backups, High Availability
57
What is the equation for risk?
Threat x vulnerability
58
What is the equation for risk with impact?
Threat x vulnerability x impact
59
What is the equation for total risk?
Threat x vulnerability x asset value
60
What is the definition of exposure factor in quantitative risk analysis?
It is the percentage of asset loss.
61
What is the definition of Single Loss Expectancy in quantitative risk analysis?
It is the cost if "it" happens once.
62
What is the definition of Annual Rate of Occurrence in quantitative risk analysis?
How often will "it" happen in a year?
63
What is the definition of Annualized Loss Expectancy in quantitative risk analysis?
It is the cost per year if we do NOTHING.
64
What is NIST 800-30?
A nine-step process for risk management.
65
What is a Key Goal Indicator (KGI)?
Measured after the fact as to whether an IT process has achieved its business requirements.
66
What is a Key Performance Indicator (KPI)?
Defines measures that determine how well the process is performing.
67
What is a Key Risk Indicator (KRI)?
Measures risks that the organization is facing or how risky an activity is. Measures adherence to risk appetite. Can be used as an early warning sign.
68
What does RACI stand for?
Responsible, Accountable, Consulted, Informed
69
What is the definition of governance?
Ensures IT goals align with business objectives.
70
What is the definition of Compliance?
Conforming with a stated requirement such as laws, regulations, auditing, monitoring, ethics, privacy, etc.
71
What is NIST 800-53?
Provides detailed security controls for US federal systems. Provides guidance and a comprehensive risk based approach.
72
What are control families?
Focus on a specific aspect of security and privacy.
73
What are control classes?
Management, operational, and technical.
74
What are baseline controls?
The minimum level of security in a system.
75
What is a grey hat hacker?
They look for vulnerabilities in code, systems, or products.
76
What is a bot?
A computer system that has been infected by malware.
77
What is a botnet?
A command-and-control network of bots; can be hundreds of thousands.
78
What is voice phishing over VoIP?
Vishing
79
What should a change of senior leadership invoke in the BCP?
A BCP review with the new leadership
80
What is the most important part of the BCP?
The Business Impact Analysis (BIA)
81
What is Maximum Tolerable Downtime?
The total amount of time a system can be inoperable before the organization is severely impacted.
82
What is the Work Recovery Time?
The amount of time required to configure a recovered system.
83
What is mean time between failures?
How long a new or repaired system or component will function on average.
84
What is the mean time to repair?
How long it will take to recover a failed system.
85
What are the minimum operating requirements?
The minimum requirements for our critical systems to function.
86
What are external dependencies?
All third party services.
87