Domain 1 - Security and Risk Management Flashcards

1
Q

Confidentiality

A

Access controls help ensure that only authorized subjects can access objects.

2
Q

Integrity

A

Ensures that data or system configurations are not modified without authorization

3
Q

Availability

A

Authorized requests for objects must be granted to subjects within a reasonable amount of time.

4
Q

Code of Ethics

A

PAPA
Protect society, the commonwealth, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principals.

Advance and protect the profession

5
Q

Security Policy development

A

Acceptable Use Policy
Defines acceptable behavior and activity for users (the security policy itself assigns roles and responsibilities)

Security Baselines
Define “minimum levels”

Security Guidelines
Offer recommendations

Security Procedures
Detailed step-by-step

6
Q

Risk Categories

A

Group of potential causes of risk.

Damage - Results in the physical loss of an asset or the inability to access the asset.

Disclosure - Critical information is disclosed, regardless of how or where it was disclosed.

Losses - Might be permanent or temporary, including altered data or inaccessible data.

7
Q

Risk Factors

A

Something that increases risk or susceptibility.

Physical damage - Natural disaster, power loss, or vandalism.

Malfunctions - Failure of systems, networks, or peripherals.

Attacks - Purposeful acts whether from the inside or outside, such as unauthorized disclosure.

Human errors - Usually considered accidental incidents, whereas attacks are purposeful incidents.

Application errors - Failures of the application including the operating system.

8
Q

Security Planning

A

Strategic - long term ~5 year

Tactical - midterm plan ~1 year

Operations - shorter (highly detailed) month to month or quarterly.

9
Q

Response to risk

A

Risk acceptance - Do nothing further; accept the risk and the potential loss if the threat occurs (management signs off on it).

Risk mitigation - Implement a countermeasure to reduce the risk, then accept the residual risk that remains.

Risk assignment (transference) - Transfer the risk to a third party, e.g. insurance or outsourcing.

Risk avoidance - Choose an alternative option or discontinue the activity, typically when the cost of mitigating or accepting the risk exceeds the benefit of the service.

Risk deterrence - Implement deterrents (warning banners, cameras, sanctions) to discourage would-be violators of security policy.

Risk rejection - Denying or ignoring that a risk exists. This is NOT an acceptable response; it fails due care.

10
Q

Risk management Frameworks

A

Primary risk management framework

NIST SP 800-37 Rev. 2, the Risk Management Framework (RMF)

11
Q

7 Steps of NIST 800-37 rev 2

A

PCSIAAM
People Can See I am Always Monitoring

  1. Prepare - to execute the RMF
  2. Categorize - information systems
  3. Select - security controls
  4. Implement - security controls
  5. Assess - the security controls
  6. Authorize - the system (ATO)
  7. Monitor - security controls
12
Q

When legal issues are involved.

A

contact an attorney

13
Q

Types of Risks

A

Residual - risk that remains after all safeguards are applied - After

Inherent - risk that exists without controls (newly identified) - Before

Total - amount of risk an organization would face if no safeguards were implemented - Without

14
Q

Total Risk Formula

A

threats * vulnerabilities * asset value = total risk

15
Q

Risk formula

A

threat * vulnerability = risk

16
Q

Risk analysis - Quantitative

A

Quantitative - assigns dollar values to assets and losses to evaluate the cost effectiveness of countermeasures. OBJECTIVE

  • Assign asset value (AV)
  • Calculate exposure factor (EF)
  • Calculate single loss expectancy (SLE)
  • Assess the annualized rate of occurrence (ARO)
  • Derive the annualized loss expectancy (ALE)
  • Perform cost/benefit analysis of countermeasures

  1. Inventory assets and assign a value (AV).
  2. Identify threats. Research each asset and produce a list of all possible threats to it (EF and SLE).
  3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (ARO).
  4. Estimate the potential loss by calculating the annualized loss expectancy (ALE).
  5. Research countermeasures for each threat, then calculate the changes to ARO and ALE with each countermeasure applied.
  6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset.
17
Q

Risk analysis - Qualitative

A

Uses a scoring system to rank threats and effectiveness of countermeasures. SUBJECTIVE

18
Q

Delphi Technique

A

An anonymous feed-back and response process used to arrive at a consensus.

19
Q

Loss potential

A

What would be lost if the threat agent is successful in exploiting a vulnerability.

20
Q

Delayed loss

A

The additional loss that accrues over time after the initial incident (for example lost customers, reputation damage, or fines), as opposed to the immediate loss.

21
Q

Threat agent

A

The entity (person, group, program, or natural event) that carries out a threat by exploiting a vulnerability.

22
Q

Formula terms

A
Exposure factor (EF)
% of loss that an organization would experience if a specific asset were violated by a realized risk.

Single loss expectancy (SLE)
The cost associated with a single realized risk against a specific asset.

Annualized rate of occurrence (ARO)
The expected frequency with which a specific threat or risk will occur within a single year.

Annualized loss expectancy (ALE)
The possible yearly cost of all instances of a specific realized threat against a specific asset (SLE * ARO).

Safeguard evaluation
Cost/benefit of a countermeasure: ALE before the safeguard, minus ALE after the safeguard, minus the annual cost of the safeguard (ACS).

23
Q

SLE Formula

A

AV * EF = SLE

24
Q

ALE

A

SLE * ARO = ALE

25
Q

Safeguard Evaluation formula

A

ALE before safeguard - ALE after safeguard - annual cost of safeguard = value of safeguard
ALE1 - ALE2 - ACS = value of safeguard

26
Q

Controls gap

A

The amount of risk that is reduced by implementing safeguards.

total risk - controls gap = residual risk
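
Worked example for the formula cards above (SLE, ALE, safeguard evaluation, controls gap). This is an added example, not part of the flashcard set or any study guide; the asset value, exposure factors, occurrence rates and safeguard costs are constructed assumptions. It carries the quantitative analysis through for one asset and one threat against several candidate safeguards and ranks them, showing that a safeguard with a negative value should be rejected even though it reduces the ALE.

```python
# Added worked example (not part of the flashcard set): the quantitative risk
# analysis formulas from the cards above, carried through for one asset, one
# threat and several candidate safeguards. All dollar figures, exposure factors
# and occurrence rates below are constructed assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of AV lost per realized occurrence (0.0-1.0)
    aro: float  # annualized rate of occurrence (0.25 = expected once every four years)


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float      # annual cost of safeguard: purchase + operation, amortized per year
    new_ef: float   # EF once the safeguard is in place
    new_aro: float  # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: AV * EF."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: SLE * ARO."""
    return sle(av, ef) * aro


def safeguard_value(av: float, threat: Threat, sg: Safeguard) -> float:
    """Safeguard evaluation: ALE1 - ALE2 - ACS. Negative means it costs more than it saves."""
    ale1 = ale(av, threat.ef, threat.aro)   # ALE before the safeguard
    ale2 = ale(av, sg.new_ef, sg.new_aro)   # ALE after the safeguard
    return ale1 - ale2 - sg.acs


def residual_risk(av: float, threat: Threat, sg: Safeguard) -> float:
    """Total risk - controls gap = residual risk, in annual dollars.

    'Total risk' here is the ALE with no safeguard and the 'controls gap' is the ALE
    reduction the safeguard buys, so what remains is the post-safeguard ALE.
    """
    total = ale(av, threat.ef, threat.aro)
    controls_gap = total - ale(av, sg.new_ef, sg.new_aro)
    return total - controls_gap


def rank_safeguards(av: float, threat: Threat, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """(name, value) pairs, best first. Only positive-value safeguards are worth deploying."""
    scored = [(sg.name, safeguard_value(av, threat, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# --- Constructed scenario (assumption, not real assessment data) --------------
CUSTOMER_DB_AV = 500_000.0  # asset value of a customer database
RANSOMWARE = Threat("ransomware", ef=0.6, aro=0.25)
CANDIDATES = [
    Safeguard("offline backups", acs=12_000.0, new_ef=0.2, new_aro=0.25),    # shrinks the loss, not the frequency
    Safeguard("EDR rollout", acs=30_000.0, new_ef=0.6, new_aro=0.1),         # shrinks the frequency, not the loss
    Safeguard("oversized appliance", acs=80_000.0, new_ef=0.5, new_aro=0.2),  # reduces ALE, but costs more than it saves
]


def example_assessment() -> list[tuple[str, float]]:
    """Run the scenario; returns the ranked safeguards so the numbers can be checked."""
    return rank_safeguards(CUSTOMER_DB_AV, RANSOMWARE, CANDIDATES)


if __name__ == "__main__":
    print(f"SLE = {sle(CUSTOMER_DB_AV, RANSOMWARE.ef):,.0f}")
    print(f"ALE = {ale(CUSTOMER_DB_AV, RANSOMWARE.ef, RANSOMWARE.aro):,.0f}")
    for name, value in example_assessment():
        verdict = "deploy" if value > 0 else "reject"
        print(f"{name:20s} value = {value:>10,.0f}  -> {verdict}")
```

With these figures SLE is 300,000 and ALE is 75,000; offline backups are worth 38,000 a year, the EDR rollout 15,000, and the appliance has a value of -55,000 even though it cuts the ALE to 50,000, which is why the cost/benefit step is done per countermeasure rather than stopping at the ALE reduction.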

27
Q

Threat Modeling

A

Security process where potential threats are identified, categorized, and analyzed.

28
Q

Threat Model

STRIDE

A

STRIDE (Microsoft)
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

29
Q

Threat Model

PASTA

A

Risk centric approach

Stage I: Definition of Objectives

Stage II: Definition of Technical Scope

Stage III: App Decomposition and Analysis

Stage IV: Threat Analysis

Stage V: Weakness and Vulnerability Analysis

Stage VI: Attack Modeling & Simulation

Stage VII: Risk Analysis & Management

30
Q

Threat Model

VAST

A

Based on Agile project management

Visual
Agile
Simple
Threat

31
Q

Threat Model

Trike

A

Risk-based approach

32
Q

Threat Model

DREAD

A

Damage potential

Reproducibility

Exploitability

Affected users

Discoverability

33
Q

Reduction Analysis - Threat Modeling

A

Trust boundary - any location where the level of trust or security changes

Data flow paths

Input points - locations where external inputs are received

Privileged operations - any activity that requires greater privileges than those of a standard user account

Details about security stance and approach
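
Added example for the threat modeling cards above (reduction analysis, STRIDE and DREAD); this is not code from the flashcard set. It models a small web application as elements in trust zones with data flows between them, enumerates STRIDE threats per element, and ranks a few of them with DREAD. The element kinds and the STRIDE-per-element mapping follow Microsoft's SDL threat modeling practice; the application model, trust zones, input-point and privileged-operation flags, and the DREAD scores are constructed assumptions.

```python
# Added example (not from the flashcard set): a tiny reduction-analysis model of a
# web application, STRIDE threats enumerated per element, and DREAD used to rank
# them. The element kinds and the STRIDE-per-element mapping follow Microsoft's SDL
# threat-modeling practice; the application model, trust zones, flags and DREAD
# scores are constructed assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass

# STRIDE-per-element: which categories are worth considering for each element kind.
STRIDE_BY_ELEMENT = {
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "process": "STRIDE",   # a process is exposed to all six
    "store": "TRID",       # data store: tampering, repudiation (log stores), disclosure, DoS
    "flow": "TID",         # data flow: tampering, disclosure, DoS
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # external | process | store
    trust_zone: str            # reduction analysis: where the level of trust changes
    input_point: bool = False  # receives external input
    privileged: bool = False   # performs privileged operations (admin API, runs as root)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


def crosses_trust_boundary(flow: Flow, elements: dict[str, Element]) -> bool:
    """A flow crosses a trust boundary when its endpoints sit in different trust zones."""
    return elements[flow.src].trust_zone != elements[flow.dst].trust_zone


def enumerate_threats(elements: dict[str, Element], flows: list[Flow]) -> list[tuple[str, str]]:
    """(element or flow name, STRIDE category) pairs. Flows that stay inside one trust
    zone are skipped: reduction analysis focuses review effort on the boundary crossings."""
    threats = []
    for e in elements.values():
        for letter in STRIDE_BY_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[letter]))
    for f in flows:
        if crosses_trust_boundary(f, elements):
            for letter in STRIDE_BY_ELEMENT["flow"]:
                threats.append((f.name, STRIDE_NAMES[letter]))
    return threats


def review_points(elements: dict[str, Element]) -> dict[str, list[str]]:
    """The reduction-analysis items a reviewer should look at first."""
    return {
        "input_points": sorted(e.name for e in elements.values() if e.input_point),
        "privileged_operations": sorted(e.name for e in elements.values() if e.privileged),
    }


def dread(damage: int, reproducibility: int, exploitability: int,
          affected_users: int, discoverability: int) -> float:
    """DREAD rating: mean of five 1-10 scores (higher = address sooner)."""
    scores = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= s <= 10 for s in scores):
        raise ValueError("each DREAD score must be between 1 and 10")
    return sum(scores) / 5


# --- Constructed model (assumption) -------------------------------------------
ELEMENTS = {
    "browser": Element("browser", "external", "internet"),
    "web_app": Element("web_app", "process", "dmz", input_point=True),
    "customer_db": Element("customer_db", "store", "internal"),
    "admin_cli": Element("admin_cli", "process", "internal", privileged=True),
}
FLOWS = [
    Flow("login request", "browser", "web_app"),          # internet -> dmz: crosses a boundary
    Flow("sql query", "web_app", "customer_db"),          # dmz -> internal: crosses a boundary
    Flow("maintenance job", "admin_cli", "customer_db"),  # internal -> internal: does not
]


def example_ranking() -> list[tuple[float, str, str]]:
    """Score three of the enumerated threats with constructed DREAD values, best first."""
    scored = [
        (dread(8, 9, 7, 9, 8), "login request", "Tampering"),          # credentials altered on the wire
        (dread(9, 4, 3, 10, 2), "admin_cli", "Elevation of Privilege"),
        (dread(3, 6, 5, 2, 6), "customer_db", "Denial of Service"),
    ]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for name, category in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{name:16s} {category}")
    print(review_points(ELEMENTS))
    for score, name, category in example_ranking():
        print(f"{score:4.1f}  {name:16s} {category}")
```

The model yields 24 candidate threats: two for the browser, six each for the two processes, four for the data store, and three for each of the two flows that cross a trust boundary; the internal maintenance flow produces none because it never leaves the internal zone. The DREAD average is a simple way to order the list, but because the scores are subjective (card 17's point about qualitative methods), two reviewers can rank the same threat differently, so record the reasoning behind each score.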

34
Q

Security controls

A

Measures for countering and minimizing loss or unavailability of services or applications due to vulnerabilities. Also called countermeasures or safeguards.

35
Q

Control categories

A

Technical (logical) - hardware/software mechanisms used to manage access

Administrative - policies and procedures defined by org’s security policy, and other regulations and requirements.

Physical - items which you can touch - guards, gates, laptop locks

36
Q

Control types

A

Deterrent Controls - deployed to discourage violation of security policies

Preventive Controls - deployed to thwart or stop unwanted or unauthorized activity from occurring - (fences, locks, access control points, alarm systems, separation of duties, job rotation, antimalware software, firewalls, IPSs)

Detective Controls - deployed to discover or detect unwanted or unauthorized activity - (CCTV, honeynets/honeypots, IDSs, security cameras, guards, audit trails, incident investigators). Detective controls discover activity only AFTER it has occurred.

Compensating Controls - provide an alternative to other existing controls to aid in the enforcement of security policies.

Corrective Controls - modifies the environment to return system to normal after an unwanted or unauthorized activity has occurred

Recovery Controls- an extension of corrective controls but have more advanced or complex abilities. Attempts to repair or restore resources, functions, and capabilities after a security policy violation.

Directive Controls - direct, confine, or control the actions of subjects to force or encourage compliance with security policies

37
Q

Laws

A

Computer Fraud and Abuse Act (CFAA) - The first major piece of US cybercrime-specific legislation.

Federal Sentencing Guidelines - Provided punishment guidelines to help federal judges interpret computer crime laws.

Federal Information Security Management Act (FISMA) - Requires federal agencies to implement formal information security programs.

Copyright and the Digital Millennium Copyright Act (DMCA) - Copyright covers literary, musical, and dramatic works; the DMCA extends this to digital media and prohibits circumventing copy-protection mechanisms.

38
Q

IP Licensing

A

Trademarks - Cover words, slogans, and logos used to identify a company and its products or services.

Patents - Protect the intellectual property rights of inventors.

Trade Secrets - Intellectual property that is absolutely critical to a business and must not be disclosed.

Licensing - Four types you should know: contractual, shrink-wrap, click-through, and cloud services.

39
Q

Encryption and Privacy

A

Computer Export Controls - US companies can't export to Cuba, Iran, North Korea, Sudan, and Syria.

Encryption Export Controls - Regulations on the export of encryption products outside the US.

Privacy (US) - The basis for privacy rights is in the Fourth Amendment to the US Constitution.

Privacy (EU) - General Data Protection Regulation (GDPR) is the law most likely to be mentioned on the exam.

40
Q

U.S. Privacy Laws

A

HIPAA (Health Insurance Portability and Accountability Act)

HITECH (Health Information Technology for Economic and Clinical Health)

Gramm-Leach-Bliley Act (financial institutions)

Children’s Online Privacy Protection Act (COPPA)

Electronic Communications Privacy Act (ECPA)

Communications Assistance for Law Enforcement Act (CALEA)

41
Q

Domain 1

A

Chapter 1 - 4

42
Q

Integrity is dependent on

A

Confidentiality and access control

43
Q

Availability is dependent on

A

integrity and confidentiality

44
Q

Protection Mechanisms

A

Defense in depth

Abstraction - used for efficiency. Similar elements are put into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective.

Data Hiding

Encryption

45
Q

NIST Risk Management Framework (RMF)

A

Six phases: CSIAAM
Categorize, Select, Implement, Assess, Authorize, Monitor (the original SP 800-37 Rev. 1 framework; Rev. 2 adds Prepare in front, making seven steps)

Categorize

Select

Implement

Assess

Authorize

Monitor

46
Q

Elements of AAA

A

Identification

Authentication

Authorization

Auditing

Accountability

47
Q

COBIT

A

Control Objectives for Information and Related Technology (COBIT) - security concept infrastructure used to organize the complex security solutions of companies.

48
Q

UBA and UEBA

A

User behavior analytics
User and entity behavior analytics
- Concept of analyzing the behavior of users, subjects, visitors, customers, etc. for a specific goal or purpose, such as spotting activity that deviates from an established baseline.

49
Q

RMM

A

Risk maturity model

is a means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.

50
Q

BCP

A

Business Continuity Plan - 4 steps

Project scope and planning

Business impact analysis

Continuity Planning

Approval and implementation

51
Q

BIA

A

Business Impact Analysis

Identifies the business processes and tasks that are critical to an organization’s ongoing viability and the threats posed to those resources.

52
Q

MTO | MTD

A

Maximum tolerable outage | Maximum tolerable downtime

The maximum length of time a business function can tolerate a disruption before suffering irreparable harm.

53
Q

RTO

A

Recovery time objective (RTO)
for each business function is the amount of time in which you think you can feasibly recover the function in the event of a disruption.

54
Q

RPO

A

Recovery point objective

The data-loss equivalent of the time-focused RTO: the maximum amount of data, measured as the span of time since the last good copy, that the organization can afford to lose.

55
Q

Business impact analysis process

A

Five stages:
Identification of priorities
Risk identification
Likelihood assessment
Impact analysis
Resource prioritization

56
Q

ITAR

A

International Traffic in Arms Regulations
-controls the export of items that are specifically designated as military and defense items, including the technical information related to those items.

57
Q

EAR

A

Export Administration Regulations

Cover a broader set of items that are designed for commercial use but may have military applications.

58
Q

Canadian privacy law

A

PIPEDA

Personal Information Protection and Electronic Documents Act

59
Q

Credit card payment PCI DSS

A

12 main requirements